Module 6 and 7: Security Assessment and Testing and Security Operations

Software-Defined Networks (SDNs)

Decouple the control plane from forwarding plane. Controller handles traffic-routing using simpler network devices; eliminates some complexity related to to traditional networking protocols.

Virtual Storage Area Networks (VSANs)

A dedicated high speed network that hosts multiple storage devices virtually. Historically expensive, virtualization helps bypass complexities of past hardware requirements.

Darknet

A portion of allocated IP addresses within a network that are not used. Traffic on these is not legitimate.

Intrusion Prevention System (IPS)

A special type of IDS that attempts to detect and block attacks before they reach target systems. Biggest difference is that all traffic must pass through these before reaching the target.

Fuzz Testing

A specialized dynamic testing technique, provides many different types of input to software to stress its limits and find previously undetected flaws.

Attacking

Actual penetration of target. Goal is to escalate privileges and get SU, root kits, etc. Allows for continued access, then cover tracks by using log scrubbers and trojan programs.

Response

After detecting and verifying an incident. Varies depending on severity of incident, but orgs have dedicated teams to this.

Recovery

After investigators collect all evidence from a system, goal is to return it to a fully functioning state. May be as simple as rebooting a system, or rebuilding one entirely.

RAID-1

Also called Mirroring, Uses two disks which both hold the same data. If one disk fails, the other is there for redundancy.

RAID-5

Also called striping with parity. Uses three or more disks with the equivalent of one disk holding parity info. If any disk fails, the array will continue to operate. But will be slower.

RAID-0

Also called striping, uses two or more disks and improves the disks subsystem performance, but does NOT provide fault tolerance

RAID-10

Also known as a stripe of Mirrors, configured as two or more RAID-1s in a RAID-0 configuration. Has at least 4 disks, and mirror sets.

Zero-Day exploit

An attack on a system exploiting a vulnerability that is unknown to others.

Ping of Death

Attack that sends an oversized ping packet, which is bigger than the system can handle. Rarely successful today.

Teardrop attack

Attacker fragments traffic in such a way that a system is unable to put data packets back together. Current systems aren't susceptible to these.

Land Attack

Attacker sends spoofed SYN packets to a victim using the victim's IP address as both the source IP and destination IP.

Mitigation

Attempt to contain an incident, the primary goal of a response team. Team tries to isolate the problem host/network/etc. to contain the incident.

Penetration Testing Requirements

Basic requirements: Meet with Sr. Mgmt. to determine goal of the assessment, Document rules of engagement, get sign of from Sr. Mgmt. Determine effectiveness of current security measures and areas of improvement.

Generational (Intelligent) Fuzzing

DEvelops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Rules of Engagement Document

Document that specifically outlines what can be tested and penetrated. Ex: Specific IP ranges, acceptable techniques of attack, points of contact, given info to testing team.

Dynamic Testing

Evaluates security of software in a runtime environment. Often the only option for Orgs deploying applications written by someone else. Testers often do not have access to underlying source code. Uses synthetic transactions.

Static Testing

Evaluates security of software without running it by analyzing source code or the compiled application. Generally involves use of automated tools that look for common software flaws.

Host-Based Intrusion Detection System (HIDS)

Examines the operations of a single computer independently. Examines events more in detail. Expensive to manage and use throughout the org. Can read encrypted data. Uses lots of local CPU/Memory.

Pseudo Flaws

False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to lure attackers.

Ping Flood attack

Floods a victim with a bevy of ping requests, very effective with use of botnets. Common defense is to block ICMP traffic.

Footprinting (step 2)

Goal is to discover the essential features of the target. Nmap the network, ICMP ping sweeps, DNS zone transfers, etc.

Behavior-based (Statistical) IDS

IDS looks for traffic behavior that it considers outside the normal baseline traffic. Can possible detect Zero-days, and non-technical attacks; lots of false positives which most go ignored. requires skill analyst to sift through all matches.

Network-based Intrustion Detection System (NIDS)

IDS that watches entire network and all associated network machines. Looks for DoS, port scans, malicious content and can watch the internal network for policy violations. Is easier to deploy and manage, but cannot read encrypted data.

Active Response

IDSs that have ability to modify the environment using several different methods.

Fingerprinting (step 3)

Identify host information, start port scanning, etc.

Vulnerability Assessment (step 4)

Identify the weak points in system configurations. Discover software that needs patches.

Honeypot

Individual computers created as a trap for intruders. Look and act like real systems, but do not host any real data of any real value. Configured with vulnerabilities to tempt intruders into attacking them. Goal is to keep attention away from real network resources.

Software-as-a-Service (SaaS)

Models that provide fully functional applications typically over the web/cloud, like Gmail. CSP is responsible for all maintenance or services; consumers do not manage any cloud-based assets.

TCP Connect Scanning

Opens a full connection to remote system on specified port; used when user does not have necessary permissions to run a half-open scan.

Reconnaissance (step 1)

Part of Attack methodology. Looking at public information, Whols DB, social media to gleam additional info that could be useful.

Padded Cell

Performs intrusion isolation by automatically transferring the intruder to a simulated environment that offers fake data to retain an intruder.

Remediation

Personnel look at the incident and attempt to identify what allowed it to occur. Team does a root cause analysis

Lessons Learned

Personnel reflect on incident and the response process and how they can improve in the future.

POP3 Port

Port 110

NTP Port

Port 123

SQL Port

Port 1433

Oracle Port

Port 1521

FTP Port

Port 21

SSH Port

Port 22

Telnet Port

Port 23

SMTP port

Port 25

HTTPS Port

Port 443

DNS Port

Port 53

HTTP Port

Port 80

Vulnerability Scanning

Process of identifying holes within a target. Active hosts, ports, devices, applications, OS, reconfigured settings. Goal is to establish a foundation/direction for penetration testing.

Infrastructure-as-a-Service (IaaS)

Provides basic computing resources to consumers, like storage, servers, and sometimes networking resources. Consumers install OSs and applications and perform maintenance on them; CSP maintains cloud-based infrastructure, ensuring availability to customers.

Platform-as-a-Service (PaaS)

Provides consumers with a computing platform, including hardware, OSs, and applications. Consumers manage their applications and some configuration settings on the host, but CSP is responsible for maintenance of host and underlying infrastructure.

Warm Site

Recovery site that contains the equipment necessary to rapidly establish operations, but does not have any copies of primary client's data and must be moved over.

Hot Site

Recovery site that is maintained in constant working order, ready to assume primary responsibilities. Cost is extremely high.

Reporting

Refers to communicating within the organization and sometimes outside of the organization the incident at hand. Many places have laws to require this.

Virtual Machines (VM)

Run as guest operating systems on physical servers. The physical servers include extra processing power, memory, and disk storage to handle the VM.

TCP ACK Scanning

Sends packet with ACK flag set, indicating it is part of an open connection.

Xmas Scanning

Sends packet with FIN, PSH, and URG flags set.

TCP SYN Scanning

Sends single packet to each scanned port with SYN flag set, requesting to open a new connection. If scanner gets a SYN/ACK response, indicates port is open. AKA Half-Open Scanning.

Fraggle Attack

Similar to Smurf attacks, but uses UDP packets instead of ICMP or SYN.

Hypervisor

Software component that manages things like VMs, VSANs and other virtual network components. Represents an additional attack target.

Cold Site

Standby facilities for recovery. Has no computing abilities pre-installed and no active broadband links. Low cost to maintain but time to activate takes weeks.

Full Backups

Store a complete copy of the data contained on the protected device. Duplicate every file on the system.

Differential Backups

Stores all files that have been modified since the time of the most recent full backup. This process does not change the archive bit.

Incremental Backups

Stores only those files that have been modified since the time of the most recent full/incremental backup. Only files with archive bit on are duplicated.

Mutation (Dumb) Fuzzing

Takes previous input values from actual operation of the software and manipulates it to create fuzzed input

Incident Response: Detection

The means of identifying and verifying an incident, using IDSs or Anti-malware, etc.

Zero Knowledge (Black Box)

The penetration testing team comes in with no information about the system and must collect the information which is part of the testing process. The next step is to simulate an attack by a would-be hacker that has no prior knowledge of the information system.

Partial Knowledge (Gray Box)

The penetration testing team has knowledge that might have relevance to a specific type of attack.

Full Knowledge (White Box)

The penetration testing team has the most extensive knowledge possible about the system to be tested. This test will replicate a certain attack that might be tried by an informed employee of an organization. Has access to internal code.

Zzuf

Tool that automates the process of mutation fuzzing by manipulating input according to user specifications.

Nmap

Tool used for network discovery scanning. Identifies current state of each network port, provides status of ports as Open, Closed, or Filtered.

Honeynet

Two or more networked honeypots used ti simulate a network.

SYN Flood attack

Type of DoS attack. Disrupts the TCP 3-way handshake, making the victim allocate resources and overwhelm it, unable to respond to legitimate requests.

Smurf attack

Type of DoS attack. Floods the victim with ICMP echo packets, as a spoofed broadcast ping is sent out to the rest of the network, and the victim is flooded with responses.

Signature-based (Pattern Matching) IDS

Uses a database of known attacks developed by the IDS vendor; real-time traffic is match against the database and raises alerts if it finds a match. Downside is only effective against known attack methods and not zero-day attacks. Must keep database updated.

Passive Response

When IDSs detect an event, they can send notifications via email, text, etc. help ensure admins respond quickly.