I Cybersecurity Midterm

Shannon's Maxim

"The enemy knows the system"

Transitive Trust

BASIC PRINCIPLE If A trusts B and B trusts C then A trusts C

Least Privilege

BASIC PRINCIPLE Restrict what people may do to an asset Provide the minimum privileges required Example: key opens my store but not yours

Deny by Default

BASIC PRINCIPLE We always start by granting no access We add access rights This makes it easier to assign the right permissions and achieve Least Privilege

islands

A process can only use resources brought into its RAM Can't modify anything else

security patch race

A race begins when a security problem arises The software developer races to develop a fix to eliminate the problem Attackers race to write software that exploits the problem and lets them attack computers Attack software is called an exploit

access matrix

A way to specify access permissions Rows for resources or RAM Columns for active entities or processes

Chain of Control

BASIC PRINCIPLE We must never run programs that violate or bypass our security policy. To avoid this, we: Start the computer using a BIOS that maintains our security policy If the software we start (i.e. the OS) can start other software, then the other software either Complies with the security policy, OR Is constrained from violating the policy via access restrictions or other mechanisms

Open Design

BASIC PRINCIPLE We open our systems for third-party analysis to help ensure their effectiveness We withhold changeable, secret information Kerckhoff Shannon

transmission state

Being moved from one place to another "Data in motion"

processing state

Being used by an active process Usually stored in RAM

Weakest Link

ALL components must work or an attack will succeed

preventative

Access controls are ____ - they try to block and attack from happening

SCADA: Kantianism

Actions are ethical only if they can be generalized to apply to everyone

Ropeswing Model

Always know the context before analyzing The idea of risk changes as dofferent knowledge is gained Risk depends on time and context

ambiguity

Can Tina read a file with these permissions: Owner: Bob - RWX Group: Survey (Bob and Tina) - no access World: R— Answer: depends on the operating system On OpenVMS: YES Permissions are combined, then checked On Unix: NO Applies the list that applies closest to Tina: the group permissions

Java Overflow

Compilers in Java programs written in C. Applications can incorrectly handle ArrayOutofBounds exceptions

CIA triad

Confidentiality Integrity Availability

control sections

Contain instructions to execute Contain unchanging data

data sections

Contain variables that change Contain "free form" RAM Buffers, Stacks

executable files

Files that contain applications or other executable programs "Binary executables" are stored in a control section and executed by the CPU "Scripts" contain text interpreted by a programming language interpreter

cryptolocker

First documented September 2013 Distributed via botnets in U.S. (60% of infections), UK, Canada, Australia 155,000 systems infected within the first month Roughly 50,000 per month thereafter Variants include CryptoWall, CoinVault

Kill Chain

For a weapon to succeed, a number of steps must all succeed

SCADA: Utilitarianism

Greatest good for the greatest number (most of the time)

execute access rights

Helps distinguish data files from programs Must have the "Execute" right to execute a file containing a program

path name

Identifies the directory entries to follow to find the file

Risk Assessment Steps

Identifying risks Step 1: Identify assets Step 2: Identify threat agents and attacks Prioritizing risks Step 3: estimate the likelihood of attacks Step 4: estimate the impact of attacks Step 5: Calculate their relative significance Establish requirements Step 6: Write requirements to address the highest-priority risks

data execution prevention (DEP)

If the computer has____, it only executes instructions in a control section prevents from jumping to own shell code

Binary Large Object (BLOB)

Lump of raw data It's ignored by MS Word, but can be read in by the exploit later on...it contains Shell code A malware program installed by the shell code A decoy document (keeps Word from crashing if it detects a security vulnerability exploit) Masquerade

administrative groups

Many systems have a separate "Admin" group User IDs who are part of the group may perform administrative tasks Restrict access to administrative functions by blocking the right to execute the programs Windows also associates other privileges with user groups, including administrative rights If a user is in the "Admin" group, they automatically have access to administrative functions

tailored policies

Modify rights for specific sets of files Specific tailorings Privacy - block some files from sharing Shared reading - share some blocked files Shared updating - full rights for some users

detective

Monitoring is ____ - it detects the attack without necessarily blocking it (often provided through logs)

Continuous Improvement

Never ends at final step. Any step in the process may suggest a change that will improve the result.

Impact

Not applicable Low = noticeable impact Moderate High = major damage

Writing a security requirement

Number each requirement Use the word shall Each requirement should be testable Each statement identifies the risks it addresses Phrase the requirement in a positive and specific form

vulnerabilities

Openings in the boundary are ____

Kerckhoff's Principle

Rely on a changeable secret, but make the rest of the design public and open to review

storage state

Stored in a computer, not being processed "Data at rest"

Return Oriented Programming (ROP)

Stringing together a list of code fragments in executable memory (such as systems DLL) and sending control off to them one at a time MS Word

SCADA

Supervisory Control And Data Acquisition Runs electric power generation, nuclear plants, water treatment, sewage systems, oil and gas refineries, dams/hydroelectric, and other ICS systems What is ICS ? Industrial Control Systems(these use industrial Ethernet switches,which have their own vulnerabilities) SCADA standard says that these systems should never have public Internet access

Availability

Support ongoing operations Avoid DOS

Access Control Lists (ACLs)

The general-purpose technique cluster access rights by row (by resource, by file) Simple permission flags require a small, fixed amount of storage for each file ACLs may be arbitrarily long Poses a challenge for the OS An alternative to User Groups We simply keep a list of individuals with the right to access a particular file or folder Efficient if each file needs its own tailored list

threat agents

Think about the people who actually perform attacks We can use published information to produce written profiles of specific groups that represent threat agents implements an attack

Disclosure

an attack on confidentiality

risk

an attack that is likely to happen

Dynamic Linked Library (DLL)

an executable file that allows Windows to share code libraries and other resources (MS Word)

global policies

applied to all users by default Isolation Policy - keep users separate Sharing Policy - let users share their files

defaults

apply same access rights to all new file

inheritance

apply the access rights based on the enclosing directories

physcial theft

availability attack

Denial of Service

availabilty attack Overflow of traffic stops operations

Requirements-based decisions

based on systematic analysis of the security situation ex: Risk management framework

Forgery

bogus messages given to computers

Comprehensive Security

closing all avenues of attack

Access Matrix

contains two dimensions A full matrix is too large for practical use We can organize access rights by clustering in one dimension or the other Cluster by Column = Capability-Based Security We associate rights with users, processes, or other active entities A key-ring is a set of capabilities: ownership grants access to the locked items Tickets provide capabilities

written permission

difference between ethical hacker and an attacker is ____

monitoring

effective security requires ____

Morris Worm

first major Internet worm 1988 - disabled about 10% of Internet computers Used several attacks Buffer overflow vulnerability A program fails to keep track of its input The input data modifies RAM that it shouldn't Attacker can take over the computer if the wrong RAM gets modified

program

group of instructions

Confidentiality

keep information secret avoid disclosure vulns

Risk

likelihood of an undesired event Risk = Threat * Vulnerability

Address Space Layout Randomization (ASLR)

loads DLLs into slightly different memory locations whenever you start an application or re-boot

Rule-based decisions

made for us by external circumstances or established widely accepted guidlelines ex: car ignition locks, we follow someone else's rule

vulnerability

makes an attack possible

attack scenario

may study potential or actual attacks elements are all based on recorded attacks

file system

modern computers keep files in a hierarchy of folders and directories

Subversion

modify a system to work for the threat agent

patterns

photo IDs anti-virus biometrics false positives?

dispatcheer

procedure in the operating system (OS) switches running processes

control section

programs execute in the ____

Integrity

programs or data suffers undesired or unintended modifications avoid forgery, subversion, masquerade

attack case studies

report actual attacks a scenario that includes threat agent data

Common Vulnerability Enumeration (CVE)

reports are tracked by ____

finger

retrieved info about users

process

running program

vaults

safe deposit box access control on a computer least privilege a process can retrieve a file or print data if granted the right permissions

SHODAN

search engine for IOT; reconnaissance before attack

puzzles

security through obscurity cryptography Kerckhoff/Shannon Protect data by presenting a puzzle

file name

selects the right file in the final directory in the path

Defense in Depth

several countermeasures arranged in a series attack is stopped if ANY countermeasure succeeds

Masquerade

system works on behalf of wrong user

file permission flags

taditional unix uses ___ to indicate access rights Owner-Group-World rwxrwxrwx

Computer Emergency Response Team (CERT)

the Morris worm helped create ____

data section

the stack is in the ____

window of vulnerability

time during which an exploit exists but computers aren't patched

Relativistic decisions

try to outdo others who are faced with similar security problems ex: someone else does it, so i do too; hunters dilemma

Defense in Depth

We improve security by providing layers of defense Attackers must breach a series of defenses to reach our most valuable assets

Kill Chain

What do we call the relationship between ASLR and DEP ?

least privilege

____ would have helped stop the worm; the finger process had root access, which it did not need

Threat

a person or thing likely to cause damage or danger

Vulnerability

a weakness which allows an attacker to reduce the system's information assurance

Threat agent, attacker, attack

A ____ or ____ tries to ____ assets

defense, safeguard, countermeasure

A ____, ____, or ____ protects the assets

botnet

A compromised system on a network, all controlled by a single attacker is a ____

compromised system

An attacked system that is unsafe to use is a ____

authorized analysis

Analyst has written authorization from the authority responsible for the system Analyst uses appropriate tools The analyst knows how to use the tools Tools should provide the most information while posing the lowest risk of interfering with or damaging the system Analyst protects the results Keeps the data confidential Issues report only to the appropriate authority

boundary

Assets are protected by a ____

ways to stop MS Word attack

DEFENSE IN DEPTH Don't open suspicious attachments Keep your patches current Keep your anti-virus current Toshliph launches 3 malicious processes, you might catch one of them in action before it's too late

generic risks

Denial of service Subversion Masquerade Disclosure Forgery

Risk Management Framework (RMF)

Establish system and security goals Select security goals Implement security goals Assess security controls Authorize the information system Monitor security controls