10.1 - 10.4 Securing Data and Applications
10.2.3 Section Quiz
CIST 1601
10.3.16 Section Quiz
CIST 1601
Network DLP
> A software or hardware solution that is typically installed near the network perimeter > Analyzes network traffic in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies
Digital rights management (DRM)
> File-level management applied to rich media like music, videos, and software that are sold to consumers > Utilizes security technologies - encryption - permissions - product keys - limited install applications - persistent online authentication to prevent: - editing - sharing - unauthorized copying
Static data masking
> Helpful for data at rest in a database and can be specified by field or columns > Good to use when making copies of a database for testing, development, or reporting > Original data is made irretrievable through reverse-engineering. A mask copy is made rather than masking the original database
File-Level DLP
> Used to identify sensitive files in a file system > Embeds the organization's security policy within the file > Travels with the file when it is moved or copied
Cache
A cache is storage location for information that will be used again, such as images, sounds, web pages, and even usernames and passwords used on websites. In addition to taking up space, data in the cache could be retrieved by someone with access to the computer. To provide some level of protection, you should clear the web browser cache whenever you use a public computer to access the internet, especially when you have accessed sites for retrieving personal data.
Driver Manipulation
A device driver is a small piece of software that provides an interface between the operating system and a hardware device such as a printer, keyboard, or network card. Attackers can manipulate a driver by adding malicious logic. Driver manipulation attacks often happen as a result of a web application attack such as a drive-by download or through social engineering or phishing. The goal is to replace a good driver with one that is malevolent or to add software that comes between a good driver and the operating system. Common driver manipulation attacks include:
Memory Leak
A memory leak happens when dynamic memory is allocated in a program, but no pointers are connected to it. This causes it to never be returned when requested. Programmers often create temporary memory allocations. This becomes a problem when they are not deleted after use. Whether unintentionally leftover from a project or intentionally created by an attacker, memory leaks can result in:Resource exhaustionDoSExploitation of other areas affected by low-memory conditions To mitigate these attacks: Delete unneeded memory allocations when finished with a project Ensure that pointers are properly connected to memory values
Cloud DLP
A software solution that analyzes traffic to and from cloud systems in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies.
Race Conditions
Another web application vulnerability is a time-of-check to time-of-use bug, or (TOCTTOU) bug. This happens when a system is programmed to run with certain processes dependent on a sequence of events or race conditions. Can happen when an attacker schedules an execution of operation between a time of check and a time of use and forces the user's process to pause or send an error. For example, in the moment between authenticating to a system and utilizing the system, the attacker can jump into the process and act as the authenticated user, leading to privilege escalation. To mitigate:Ensure your operating system's file system state is not allowed to change between two system callsUse file system calls that run on file handles instead of file names when possibleLock single files before the check
Application Programming Interface (API) Attacks
Application programming interfaces (APIs) are the way businesses transfer information between systems within their organization or how a business communicates information to another organization. This is also a means of information transfer between companies and their customers as APIs are the way most applications communicate with websites. Many APIs are openly published to promote customer usage and make interactions easy. But they do create an opportunity for a malicious user to exploit the interface to gain access to internal data and infrastructure. For example, an e-commerce site may use its API for product catalog pages on their website, in their mobile app, for a third-party reseller, and for search engine bots that bring customers to their website. To mitigate potential API problems: Implement rate limiting. This limits the number of calls from a client within a time limit Use security logs to detect and analyze unauthorized access attempts Look for SQL injections. These happen when a SQL statement is entered in a data field and gets executed in the database Make sure that program notifications are sent when there is an excess of error messages
10.1 Data Transmission Security
As you study this section, answer the following questions: > How does SSL verify authentication credentials? > What protocol is the successor to SSL 3.0? > How can you tell that a session with a web server is using SSL? > What is the difference between HTTPS and S-HTTP? > What does it mean when HTTPS is stateful? > What is the difference between IPsec tunnel mode and transport mode? In this section, you will learn to: > Add SSL to a website. > Allow SSL connections. > Require IPsec for communications.
10.2 Data Loss Prevention
As you study this section, answer the following questions: > What is the purpose of a DLP system? > How can DLP be implemented? > Why is endpoint DLP important? > What is an example of file-level DLP? In this section, you will learn to: > Understand DLP, masking, encryption, tokenization, and rights management
IPsec includes two protocols:
Authentication Header (AH) Encapsulating Security Payload (ESP)
Which of the following attacks is a form of software exploitation that transmits or submits a longer stream of data than the input variable is designed to handle?
Buffer overflow attack A buffer overflow occurs when software code receives more input than it was designed to handle. This normally occurs because the programmer of that code failed to include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with the security context of the system itself. In other words, a buffer overflow attack often allows the attacker to perform any operation on a system. A time-of-check to time-of-use (TOCTOU) attack occurs when the results of an attack are realized or initiated after the attack itself is perpetrated. Data diddling is the purposeful altering of data. A smurf attack is a form of distributed-reflective denial of service.
Having poor software development practices and failing to program input validation checks during development of custom software can result in a system vulnerable to which type of attack?
Buffer overflow attack Poor software development practices and failing to program input validation checks can leave a system vulnerable to buffer overflow attacks. A buffer overflow occurs when software code receives more input than it was designed to handle because the programmer of that code failed to include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with the security context of the system itself. In other words, a buffer overflow attack often allows the attacker to perform any operation on a system. Denial-of-service attacks exploit vulnerabilities in implementation and coding errors. Dictionary attacks are waged against logon prompts or stolen copies of a security account's database. Superzapping attacks are specific attacks that use a specialized utility named superzap to bypass the security of IBM mainframes to perform system alterations.
Which type of attack is the act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target?
Buffer overflow attack The act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target is called a buffer overflow. Data diddling is the change or corruption of data. TOC/TOU is a logon session replay attack. Covert channel exploitation is the use of timing or storage mechanisms to bypass security controls in order to leak information out of a secured environment.
Buffer Overflows
Buffer overflow important facts: A buffer is a temporary data storage area with limited space Overflows occur when more data is attempting to be stored than the program was written for Can allow hackers to cause data to flow to other memory areas that may not be protectedAttackers may now access database files or system files and can replace executable code with malicious code. This is called arbitrary code execution. Can cause DoS attacks by crashing the programCan occur in routers, IoT devices, and firewalls
Endpoint DLP
DLP Software that runs on end-user workstations and servers.
File-level DLP
DLP software that is used to identify sensitive files in a file system and then to embed the organization's security policy within the file so that it travels with the a moved or copied file.
Which rights management category is applied to music, videos, and software that is sold to consumers?
DRM Digital Rights Management (DRM) is file-level management applied to rich media like music, videos, and software. This strategy uses security technologies such as encryption, permissions, product keys, limited install applications, and persistent online authentication to prevent editing, sharing, and unauthorized copying. Dynamic data masking replaces original information with a mask that mimics the original in form and function, making it useful for data that is in use or processing. Static data masking is helpful for data at rest in a database. Masking this way can be specified by field or column. Information Rights Management (IRM) focuses on business-to-business transfers for files such as documents, emails, spreadsheets, and financial data.
Pointer/Object Dereference
Dereferencing a pointer is retrieving the value stored in memory. Some important facts: A pointer stores a memory address All operating systems embed the kernel in the user's workspaceThe kernel is the operating system's core program that controls everything in the system Page protections protect the kernel from user access but can be exploited through by a DoS attack through a NULL pointer dereference If a DMA driver module doesn't have enough enough security protections in place, it can release user pages that are pinned to a pointer with a NULL value. This happens when:An app dereferences an object that comes back NULL instead of validNull is exploited as a constant built in to evaluate to 0 in the C languageAn x86 system has a valid 0 address in the kernel address space
Encapsulating Security Payload (ESP)
ESP provides all the security of AH plus confidentiality. ESP: > Is the most commonly used IPsec protocol. > Provides data encryption. > Uses IP Protocol 50.
Which of the following DLP implementations can be used to monitor and control access to physical devices on workstations or servers?
Endpoint DLP Endpoint data loss prevention (DLP) runs on end user workstations and servers. Endpoint DLP is also referred to as a Chinese Wall solution. This could be something as simple as restricting the use of USB devices. Many endpoint-based systems also provide application controls to prevent confidential information transmission and also provide some type of immediate feedback to the user. Giving feedback to the user is based on the concept that not all data leakage incidents are malicious. The employee might not realize that the security-policy violation is inappropriate. The intent is to deter the employee from a similar action in the future.
An attacker inserts SQL database commands into a data input field of an order form used by a web-based application. When submitted, these commands are executed on the remote database server, causing customer contact information from the database to be sent to the malicious user's web browser. Which practice would have prevented this exploit?
Implementing client-side validation Client-side validation should have been used on the local system to identify input errors in the order form before the data was ever sent to the server. In this example, if the user entered SQL commands in an order form field, the error would have been immediately detected and blocked before the data was submitted to the server. Using the latest browser version and patch level, installing anti-malware software, and using a script blocker are valuable security measures. But these would not have prevented the exploit in this scenario.
While using a web-based order form, an attacker enters an unusually large value in the Quantity field. The value he or she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the web application processes the order as a return instead of a purchase, and the attacker's account is credited with a large sum of money. Which practices would have prevented this exploit? (Select two.)
Implementing client-side validation Implementing server-side validation Client-side validation and server-side validation should have been used to identify input errors in the order form. In this example, if the user entered an invalid quantity in an order form field, client-side validation would have detected and blocked the error before the data was submitted to the server. Server-side validation should have also been used after the data was sent to the server to detect errors. Experienced attackers can circumvent client-side validation techniques by sending data to the server from outside the application's standard user interface, bypassing any input validation measures that may have been implemented on the client. Using the latest browser version and patch level, installing the latest operating system updates, and using a script blocker are valuable security measures, but they would not have prevented the exploit in this scenario.
Error Handling
Improper error handling can create vulnerabilities in a system by revealing information that attackers can use to exploit the system. This display of too much information can result from coding practices that are not in alignment with security policies. Some examples are: An attacker may use a SQL injection attack that fails initially. But the error message discloses the malformed query, which could show the query logic or other sensitive data, like passwords. The attacker can use the new information from the error message to gain access to the system. The disclosure of the full pathname in an error message that is generated from a path-transversal weakness exploit attempt. To mitigate, be sure to program the error message with minimal information that's only useful to the intended audience
Improper Input Handling
Improper input handling refers to lack of validation, sanitization, filtering, decoding input data, or encoding input data. Processing of untrustworthy input data can lead to: Buffer overflows XSS Directory transversal NULL byte injections SQL injection Uncontrolled format string DoS OS commanding To mitigate: Set specific parameters for acceptable data forms and types Accurately define data restrictions Sanitizing, validate, and filter properly
Which of the following functions does a single quote (') perform in an SQL injection?
Indicates that data has ended and a command is beginning A single quote (') indicates that data has ended and a command is beginning. The double dashes (--) indicate that code is ending and a comment is being entered. Comments are code that a program does not execute and are usually used for explanations or reminders for the coder. Applications know to ignore the comments.
Which of the following is specifically meant to ensure that a program operates on clean, correct, and useful data?
Input validation Input validation is the process of ensuring that a program operates on clean, correct, and useful data. Input validation uses routines (also called validation rules or check routines) that check for correctness, meaningfulness, and secureness in data input to the system. Application hardening is the process of preventing vulnerability exploitation in software applications. Error and exception handling is a programming language construct designed to handle the occurrence of exceptions (which are special conditions that change the normal flow of program execution). Process spawning is the creation of a new process (also called a child process) by an existing process (also called a parent process).
Shimming
Like refactoring, shimming is usually beneficial. As operating systems and other software libraries are updated, their application programming interface (API) may change. The API specifies how other programs should interact with the software library or operating system. If the API is updated with new specification, other programs using older API specifications may not work. To remedy this, a shim can be used. A shim is software that is placed between the newer API and software that conforms to the older API. The shim intercepts calls to the older API, translate them, and pass them to the newer API. In some cases, they can redirect the API calls elsewhere to complete the expected operation called for in the older API. Attackers can modify existing shims by injecting malicious code. They can also create a shim that intercepts valid API calls. However, the shim executes malicious code before it passes the valid calls through to the API.
Privilege Escalation
Most attacks are some form of privilege escalation. There are two types:
Pass the Hash
Pass the hash is so dangerous to an organization because once an attacker gains access, the whole organization can be compromised very quickly. How it works: 1, An attacker gains access to an individual computer through malware or other techniques The attacker accesses the memory in the workstation to find stored hashes of other users that have used the workstation The attacker uses the stored hashes to gain access to other workstations in search of a station that grants privilege escalation To mitigate: Use direct networking to prevent standard users and local admin users from having access to other user's workstations Use Group Policy Object (GPO) Editor to disable Remote Desktop Connections in an Active Directory network Limit domain admins access to only workstations with the same level of privileges Create separate standard user level accounts for admins to use when accessing lower-level privilege machines
10.3.14 Web Application Attack Facts
People today connect, learn, shop, provide services and information, and do business over the internet. All of this is made possible through web browsers and web applications. There are literally thousands of applications that are used in our everyday lives. With so many options, there are many ways that attackers have found to exploit them. This lesson covers the following topics: > Privilege escalation > Pointer/object dereference > Buffer overflows > Resource exhaustion > Memory leaks > Race conditions > Error handling > Improper input handling > Replay attacks > Pass the hash > Application programming interface (API) attacks > Secure Sockets Layer (SSL) stripping > Driver manipulation
As you browse the internet, you notice that when you go to some sites, multiple additional windows are opened automatically. Many of these windows contain advertisements for products that are inappropriate for your family to view. Which tool can you implement to prevent these windows from showing?
Pop-up blocker Use a pop-up blocker to prevent windows from automatically opening when you visit a web site. Pop-up blockers typically do not block pop-ups that show when you click a button or a link, but they do prevent the pop-up windows that open automatically as you navigate to other sites. Use antivirus software to scan attachments, downloads, or your system for malicious programs. Use anti-adware and anti-spyware software to prevent software that tracks your browsing history. While removing adware might prevent some pop-ups, it does not prevent all pop-ups unless the anti-adware software includes a pop-up blocker. Use a phishing filter to remove phishing emails or to prevent navigating to links that are disguised as legitimate links.
Replay Attack
Replay attacks happen when network traffic is intercepted by an unauthorized person who then delays or replays the communication to its original receiver, acting as the original sender. The original sender is unaware of this occurrence. Also known as session replay attacks They are a type of man-in-the-middle attack To mitigate, implement: Strong digital signatures with timestamps Session keys that are time-bound and process-bound Sequence numbers Program authentication systems to accept network packets that have valid timestamps and sequence numbers
Resource Exhaustion
Resource exhaustion is a form of attack that focuses on depleting the resources of a network to create a denial of service to legitimate users. Resource exhaustion attacks can be focused on memory, file system storage, database-connection pool entries, or the CPU. When allocation of these resources is requested but the size of the resource or number is not controlled, a denial of service results from lack of resources. This attack can be done through:
You have a website that accepts input from users for creating customer accounts. Input on the form is passed to a database server where the user account information is stored. An attacker is able to insert database commands in the input fields and have those commands execute on the server. Which type of attack has occurred?
SQL injection A SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command. SQL injection attacks are prevented by proper programming methods that prevent commands from occurring within form data or that filter data to prevent such attacks. A buffer overflow occurs when an operating system or application does not properly enforce boundaries for how much and which type of data can be inputted. Hackers submit data beyond the size reserved for the data in the memory buffer, and the extra data overwrites adjacent memory locations. The extra data sent by the attacker could include executable code that might then be able to execute in privileged mode. Cross-site scripting (XSS) is an attack that injects scripts into web pages. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application and executes malicious code included with the injected DLL.
Secure Sockets Layer (SSL) Stripping
SSL stripping is an attack that focuses on stripping the security from HTTPS-enabled websites. This is how it works: 1. An attacker intercepts the initial request a user sends to a website. The attacker establishes a secure connection with the intended server and an unsecure HTTP connection with the user where all communication goes through him or her. The attacker can intercept the initial request when it comes through a 302 redirect or through a non-SSL site that provides a link to a proxy that looks like the intended site. To mitigate: Encrypt all elements of your site with an SSL certificate. Add your domain to the HSTS preload list. This lets browsers know that your site is secure.
Slow post attacks:
Send HTTP POST body very slowly. This is done through forms, logins, and feedback input fields Can be prevented by setting a maximum body size for each form and setting the web server setting with a max total transfer time
Slow header attacks:
Send HTTP headers so slowly it prevents other users from accessing the site Can be prevented with HTTP header timeouts
Refactoring
Software or code refactoring is usually considered a beneficial practice. The external behavior of refactored software code does not change. Internally, the code is modified to improve readability, reduce complexity, or improve efficiency. Attackers refactor device drivers so that their external behavior does not change. The printer, keyboard, network card, or hardware controlled by the driver still function properly. This makes it hard to detect any problems. Internally, the refactored driver now has hidden functions that benefit the attacker.
To mitigate:
Use the latest browser version and patch level. Verify that the operating system is at the latest patch level. Install antivirus, anti-spyware, pop-up blocking, and firewall software. Use input validation when programming services.Client-side validation should first be used on the local system to identify input errors before the data is ever sent to the server.For example, if the user enters an invalid value in an email address field, the error can be detected before the data is submitted.Server-side validation should be used for error detection after the data is sent to the server. Experienced attackers can circumvent client-side validation techniques to send malicious information to the server.For example, an attacker could send data to the server from outside the application's standard user interface, bypassing any input validation measures that may have been implemented on the client. It is unwise to rely solely on client-side input validation techniques. Implement DNS Security Extensions, or DNSSEC. This is a security measure that only allows connection to your computer from servers that have previously been given a digital certificate. Use HTTPS. This transfer protocol encrypts the HTTP over Transport Layer Security (TLS) or over Secure Socket Layer (SSL), protecting your browser against threats. Use add-ons to increase the security of browsing activities:NoScript blocks all active content except from sites you trust.Adblock Plus blocks advertisements and ad banners (which could contain malicious code) on the internet. Train users to log out of websites when finished. Users should never allow applications to remember their authentication information.
Which of the following is an attack that injects malicious scripts into web pages to redirect users to fake websites to gather personal information?
XSS Cross-site scripting (XSS) is an attack that injects scripts into web pages. When a user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions. XSS often relies on social engineering or phishing to entice users to click on links to web pages that contain the malicious scripts. Some scripts redirect users to legitimate websites, but run in the background to capture information sent to the legitimate site. Scripts can be written to read (steal) cookies that contain identity information (such as session information). Scripts can also be designed to run under the security context of the current user. For example, scripts might execute with full privileges on the local system, or the scripts might run using the credentials used on a financial website. A drive-by download is an attack where software or malware is downloaded and installed without explicit consent from the user. An SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL.
10.3.10 Clear the Browser Cache
You use Google Chrome as your web browser on the desktop computer in your dorm room. You are concerned about privacy and security while surfing the web. You are also concerned about exploits that harvest data from your Google Chrome browsing history. In this lab, your task is to delete the following items from your Google Chrome browser history for all time: > Browsing history > Download history > Cookies and other site data > Cached images and files > Hosted app data Complete this lab as follows: 1. Delete all items from your Google Chrome history. a. From the Windows taskbar, select Google Chrome. b. In the upper right, select the ellipsis (three dots) and then select History > History. c. Maximize the window for easier viewing. d. Select Clear browsing data. e. Select Advanced. f. For the Time range field, use the drop-down menu to select All time. g. Make sure the following items are checked: Browsing history Download history Cookies and other site data Cached images and files Hosted app data h. Select Clear data.
Horizontal
This is when an attacker gains data that belongs to another user with the same privilege level as themselves (like a co-worker).
Vertical
This is when an attacker uses a system vulnerabilities to escalate privileges to gain administrative access.
IPsec Modes of Operation
Whether you use AH or ESP, there are two modes of operation that can be implemented with IPsec:
Enhancing Browser Privacy
You can use the following browser settings and guidelines to enhance browsing privacy and security. These may be named and implemented differently in different browsers, but the general ideas are the same.
Secure Shell (SSH)
A protocol that allows for secure interactive control of remote systems.
Rights Management
Another data protection tool is rights management. > Data is protected at the file level > Identifies sensitive files and embeds them with your security policies > Security policy travels with the specific file, even when copied or moved > Allows continued control access to the file even when it's no longer in your system Rights management has two categories:
Masking
Masking works by replacing sensitive data with realistic fictional data. There are different types of masking.
Cloud DLP
> Software solution that is typically on cloud-based systems > Analyzes traffic to and from cloud systems in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies
HTTPS and S-HTTP
A common unsecured protocol is HyperText Transfer Protocol (HTTP). HTTP is used for exchanging web content and passes data in cleartext. HTTP uses TCP port 80 and is stateless, which means by default it doesn't keep track of clients. To solve this problem, cookies can be used to keep track of the client's behavior. To secure HTTP, use one of the following protocols:
API attacks
A malicious use of an API (application programming interface).
Authentication Header (AH)
A protocol within IPsec that provides authenticity, non-repudiation, and integrity.
Race conditions
A sequence of events with dependencies that a system is programmed to run in a certain order which can lead to a time-of-check to time-of-use bug vulnerability.
Internet Protocol Security (IPsec)
A set of protocols that provides secure data transmission over unprotected TCP/IP networks.
Data loss prevention (DLP)
A system that attempts to detect and stop breaches of sensitive data within an organization.
Add-ons
An add-on, also known as a plug-in or browser extension, is a program that adds functionality and features to a web browser, including extra toolbars and interactive web content. Over time, a browser collects add-ons, some of which could have malicious intent. Secure the browser by reviewing add-ons and uninstalling items that are not appropriate for the environment. Disabling an add-on disables it for the current user. This allows users to enable or disable add-ons based on their own needs. Deleting an add-on removes it from the system and prevents any user from using it.
10.3 Web Application Attacks
As you study this section, answer the following questions: > What are the common forms of web application attacks? > How do you mitigate replay attacks? > What are some methods to prevent driver manipulation? > How does SSL stripping work? In this section, you will learn to: > Perform an SQL injection attack. > Prevent cross-site scripting. > Exploit SQL on a webpage.
10.1.9 Section Quiz
CIST 1601
DLP
Data loss prevention (DLP) is a system that attempts to detect and stop breaches of sensitive data within an organization. Sensitive data is monitored by the DLP system in four different states: > While in use on endpoint systems > While in motion as it is transmitted over the network > While at rest on a storage medium > While being transmitted to or from cloud-based systems Accordingly, there are many ways in which DLP can be implemented. Be familiar with the following:
Your organization is having a third party come in and perform an audit on the financial records. You want to ensure that the auditor has access to the data they need while keeping the customers' data secure. To accomplish this goal, you plan to implement a mask that replaces the client names and account numbers with fictional data. Which masking method are you implementing?
Dynamic Dynamic data masking replaces original information with a mask that mimics the original in form and function, making it useful for data that is in use or processing. Tokenization replaces actual data with a randomly generated alphanumeric character set called a token. Static data masking is helpful for data at rest in a database. Masking this way can be specified by field or column. Encryption happens when plaintext data is changed into unreadable ciphertext using an algorithm.
General
General information for web browser security includes: Use the Always ask me where to save files option to avoid having files download without your knowledge. By using this option, you will always know when a file is being downloaded to the system. Enable the Block Pop-up windows option. Turn off Remember search and form history. Data you enter into forms, such as your banking account number, will be stored if this option is on. Turn off Accept third-party cookies or accept cookies and specify ask me every time so you will know when third-party cookies are created.
HTTPS
HyperText Transfer Protocol Secure is a secure form of HTTP that uses either SSL or TLS to encrypt sensitive data before it is transmitted. HTTPS: Is stateful, which means that it keeps track of the client. To do this, the client must communicate with the same HTTPS server for the duration of the session. Load balancing is not possible during the connection and is available only to initially determine which server will handle the client's session. Requires TCP port 443 inbound on the web server to be open. Can be identified by verifying that the URL starts with https:// or by looking for a lock symbol in the browser. Double-clicking on the lock icon displays the certificate.
IPsec Protocols
IP security (IPsec) provides secure data transmission over unprotected TCP/IP networks, such as the internet. IPsec operates on OSI Layer 3, or the Network layer. It provides mutual authentication, integrity, non-repudiation, and confidentiality.
Improper input handling
The lack of validation, sanitization, filtering, decoding, or encoding of input data.
Dynamic data masking
> Replaces original information with a mask that mimics the original in form and function, making it useful for data which is in use or processing. For example, someone's name would be replaced with another random name, or credit card numbers would be replaced with a random number that contains the same number of characters > Can be used to control which users can see the actual data > Original data can be retrieved
Endpoint DLP
> Runs on end-user workstations and servers > Also referred to as a Chinese Wall solution > Could be something as simple as restricting the use of USB devices
Information rights management (IRM)
> Sometimes called enterprise rights management > Focused on business-to-business file transfers such as: - documents - spreadsheets - financial data - emails > Utilizes encryption and permissions to create rules for files to allow or deny: - copying and pasting - editing - forwarding - printing of documents
Internet Key Exchange (IKE)
A Security Association (SA) is the establishment of shared security information between two network entities to support secure communications. An SA may include algorithm selection, cryptographic keys, and/or digital certificates. A security association can be established manually or automatically through a protocol called Internet Key Exchange (IKE). IKE helps to establish automatic Security Association. IKE: > Helps the two endpoints set up a secure tunnel by providing a secure exchange of shared keys before a full IPsec transmission begins. > Uses a Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. > Uses mutual authentication that is provided by either pre-shared keys on both endpoints or certificates issued by a CA. > Can be implemented to automate the selection of the best security association for each connection. > Uses UDP port 500.
Memory leak
A leak that happens when dynamic memory is allocated in a program, but no pointers are connected to it causing it to never be returned when requested.
Secure Sockets Layer (SSL)
A protocol that secures messages being transmitted on the internet.
Transport Layer Security (TLS)
A protocol that secures messages being transmitted on the internet. It is the successor to SSL 3.0.
Encapsulating Security Payload (ESP)
A protocol within IPsec that provides all the security of AH plus confidentiality.
Hyper Text Transfer Protocol Secure (HTTPS)
A secure form of HTTP that uses either SSL or TLS to encrypt sensitive data before it is transmitted.
Network DLP
A software or hardware solution that is typically installed near the network perimeter that analyzes network traffic in an attempt to detect transmission of sensitive data in violation of an organization's security policies.
Rights management
A system of data protection at the file level that uses various forms of permissions, rules, and security policies.
Manage Browser Datac
A web browser is an application for retrieving and displaying information on the internet. Web browsers present the possibility of security breaches into an organization's network. There are general actions and browser-specific actions you can take to help harden the network against attacks from the internet. When using a browser, the following might indicate an unsecured connection or an attack. > A web document with a URL that contains a new or different domain name than the site you intended to visit. > A menu bar that includes new commands or is missing common commands. > The status line of the browser displays an unlocked symbol when SSL should be in use. Regardless of the browser you are using, clear your private data regularly. Private data can be cleared based on the data's age. You can clear data from the last few hours, the last few weeks, or all time. The type of browser you are using and the types of sites you have visited, will determine the type of data that can be cleared. Most browsers let you clear the following data: > Browsing history > Download history > Cookies and other site data > Cached images and files > Passwords > Autofill form data > Site permissions > Hosted app data The following table lists steps for each browser to clear data.
IPsec is implemented through two separate protocols. What are these protocols called? (Select two.)
AH ESP IPsec is implemented through two separate protocols, which are IP Authentication Header and IPsec Encapsulating Security Payload. IPsec AH provides authentication and non-repudiation services to verify that the sender is genuine and data has not been modified in transit. IPsec ESP provides data encryption services for the data within the packet. IPsec SSL and IPsec EPS are not protocols associated with IPsec.
Authentication Header (AH)
AH provides authenticity, non-repudiation, and integrity. AH: > Does not provide confidentiality because the data in the packet is not encrypted. Provides protection against replay and man-in the-middle attacks. > Uses a keyed hash based on all the bytes in the packet for the authentication information. > Authenticates packets by digitally signing them. > Uses IP Protocol 51.
Secure Hypertext Transfer Protocol (S-HTTP)
An alternate protocol that is not widely used because it is not as secure as HTTPS.
Pass the hash
An attack in which an attacker obtains a hashed password and uses it to gain unauthorized access.
Buffer overflow
An attack that exploits an operating system or an application that does not properly enforce boundaries for inputting data such as the amount of data or the type of data.
Resource exhaustion
An attack that focuses on depleting the resources of a network to create a denial of service to legitimate users.
Driver manipulation
An attack that focuses on device drivers. The attack uses refactoring or shimming.
SSL stripping
An attack that focuses on stripping the security from HTTPS-enabled websites.
Replay attack
An attack that happens when network traffic is intercepted by an unauthorized person who then delays or replays the communication to its original receiver, acting as the original sender. The original sender is unaware of this occurrence.
Pointer/object dereferencing
An attack that retrieves a value stored in memory that can be exploited through a NULL pointer dereference.
IPsec Facts
Be aware of the following: > IPsec is included in Windows Firewall with Advanced Security and is named Connection Security Rules. > Network Address Translation (NAT) can cause communication errors with an IPsec VPN tunnel because it makes changes to IP headers, such as changing source and destination IP addresses and ports. NAT-Traversal (NAT-T) is a new method designed to allow IPsec to function properly through a NAT device. > IPsec tunnels are established in two phases, which are main mode and quick mode. > IPsec is most commonly used with L2TP VPNs.
Cookies
Cookies are text files that save information about preferences, browser settings, and web page preferences. They identify you (or your browser) to websites. Be aware of the following facts about cookies: > Cookies aren't inherently malicious and are often necessary for e-commerce websites. The use of cookies can constitute a privacy violation because cookies can retain personal information. A hacker could gain access to this information. Cookies can be misused by malware to collect and report your web surfing activities. First-party cookies are cookies used by the site you are visiting. Third-party cookies are cookies placed by sites linked to the site you are visiting. For example, banner ads on a website might place cookies on the machine to identify ads already seen or ads opened. Secured environments should restrict the use of cookies on all web browsers and other internet service utilities. Cookies can usually be found in the user profile in the file system.
What is the primary function of the IKE Protocol used with IPsec?
Create a security association between communicating partners. Internet Key Exchange (IKE) Protocol is used with IPsec to create a security association between communicating partners. It controls the negotiation of encryption methods, identifies how keys are exchanged, and sets up other parameters that control communications. Encapsulating Security Payload (ESP) provides both authentication and encryption, while Authentication Header (AH) provides authentication only.
Which of the following is a technology that tries to detect and stop sensitive data breaches, or data leakage incidents, in an organization?
Data loss prevention Data loss prevention (DLP) is a technology that tries to detect and stop sensitive data breaches, or data leakage incidents, in an organization. DLP is used to prevent sensitive data from being disclosed to an unauthorized person, whether it is deliberate or accidental. Data transmission security is the use of secure protocols to encrypt data when it is transmitted. Hashing takes a variable-length string (message) and compresses and transforms it into a fixed-length value. When received, a hash is decrypted into the actual output so the recipient can understand the message. Public key infrastructure uses certificates, which are electronic documents that use a digital signature, to bind a public key with an identity.
Security
Enable the following options to increase security:Warn me when sites try to install add-ons.Block reported attack sites.Block reported web forgeries. It is best practice to always enter passwords and to not have the browser remember them. Do not select the Remember passwords for sites option. Do not select the Use a master password option. When you select this option, all passwords saved on the system are encrypted. You create a master password that retrieves and unencrypts passwords for individual sites.
Encryption
Encryption is an essential tool in data loss prevention specifically for data in motion and at rest. > Happens when plaintext data is changed through an algorithm into unreadable ciphertext > The encryption algorithm has a variable that is called a key > The authorized user that receives the encrypted data can decrypt it through the cipher key
Transport mode
Encrypts only the payload (data).
Tunnel mode
Encrypts the entire packet. Both the data inside the packet and the IP headers are encrypted. The entire packet is encapsulated in a new packet.
10.2.2 DLP Facts
Every business has sensitive data in its system and keeping it protected is a high priority. Data leakage happens when sensitive data like credit card numbers, intellectual property, financial information, or proprietary company information is disclosed to an unauthorized person. This lesson will look at five approaches to data security, including data loss prevention, masking, encryption, tokenization, and rights management. This lesson covers the following topics: > DLP > Masking > Encryption > Tokenization > Rights management
DLP can be used to identify sensitive files in a file system and then embed the organization's security policy within the file. Which of the following DLP implementations travels with sensitive data files when they are moved or copied?
File-level DLP File-level DLP is used to identify sensitive files in a file system and then to embed the organization's security policy within the file. This way, the policy travels with the file when it is moved or copied. Since the security policy travels with that file if it's moved or copied, you can continue to control access to the file. For example, you can restrict who it can be transmitted to, even when the file is no longer on your system.
Which TCP/IP protocol is a secure form of HTTP that uses SSL as a sub-layer for security?
HTTPS HTTPS is a secure form of HTTP that uses SSL as a sub-layer for security. SMTP is used to route electronic mail through the internetwork. SSH allows secure interactive control of remote systems. DNS is a system that is distributed throughout the internetwork to provide address/name resolution.
Which of the following protocols uses port 443?
HTTPS Hyper Text Transfer Protocol Secure (HTTPS) is a secure form of HTTP that uses either SSL or TLS to encrypt sensitive data before it is transmitted. HTTPS uses port 443. Secure Hypertext Transfer Protocol (S-HTTP) supports a wide variety of encryption methods, but it does not use port 443. SSH uses port 22. S/MIME is a method for encrypting emails. S/MIME does not communicate over a specific port number.
You have been offered a position as a security analyst for Acme, Inc. The position will be remote. Acme Inc. has sent you your employment contract using a system that only allows you to open and digitally sign the contract. Which rights management method is being used?
IRM Information Rights Management (IRM) focuses on business-to-business transfers for files such as documents, emails, spreadsheets, and financial data. Information rights management utilizes encryption and permissions to create rules for the files. These rules could allow or deny copying and pasting, editing, forwarding, and printing. Digital Rights Management (DRM) is file-level management applied to rich media like music, videos, and software. Dynamic data masking replaces original information with a mask that mimics the original in form and function, making it useful for data that is in use or processing. Static data masking is helpful for data at rest in a database. This type of masking can be specified by field or column.
Which of the following BEST describes dynamic data masking? (Select two.)
It replaces original information with a mask that mimics the original in form and function. It can be used to control which users can see the actual data. Dynamic data masking: > Replaces original information with a mask that mimics the original in form and function, making it useful for data that is in use or processing. For example, someone's name would be replaced with another random name, or credit card numbers would be replaced with random numbers that contain the same number of characters. > Can be used to control which users can see the actual data. > Allows original data to be retrieved. Static data masking: > Is helpful for data at rest in a database and can be specified by field or column. > Is good to use when making copies of a database for testing, development, or reporting. > Makes original data irretrievable through reverse-engineering. A mask copy is made rather than masking the original database.
10.1.3 Secure Protocol Facts
Many protocols created in the past were designed with few to no security controls. An unsecured protocol is one that does not provide authentication or encryption, or one that uses plaintext for passing authentication information or data. Newer protocols with security controls include Secure Socket Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), HyperText Transfer Protocol (HTTP), and HyperText Transfer Protocol Secure (HTTPs). This lesson covers the following topics: > SSL, TSL, and SSH > HTTPS and S-HTTP
Which DLP method works by replacing sensitive data with realistic fictional data?
Masking Masking works by replacing sensitive data with realistic fictional data. The two types of masking are dynamic data masking and static data masking. Tokenization replaces actual data with a randomly generated alphanumeric character set called a token. File-level DLP is used to identify sensitive files in a file system and then to embed the organization's security policy within the file. This way, the policy travels with the file when it is moved or copied. Encryption happens when plaintext data is changed through an algorithm into unreadable ciphertext.
DLP can be implemented as a software or hardware solution that analyzes traffic in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies. Which of the following DLP implementations analyzes traffic for data containing such things as financial documents, social security numbers, or key words used in proprietary intellectual property?
Network DLP Network DLP is a software or hardware solution that is typically installed near the network perimeter. Network DLP analyzes network traffic in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies.
Which of the following protocols can TLS use for key exchange? (Select two.)
RSA Diffie-Hellman TLS uses Diffie-Hellman or RSA to exchange session keys. SSL uses RSA or Key Exchange Protocol (KEA) for key exchange. IPsec uses IKE for key exchange. ECC (elliptic curve cryptography) is a method that can be used in key exchange.
Tokenization is another effective tool in data loss prevention. Tokenization does which of the following? (Select two.)
Replaces actual data with a randomly generated alphanumeric character set Protects data on its server with authentication and authorization protocols Tokenization is another effective tool in data loss prevention. Tokenization does the following: > Replaces actual data with a randomly generated alphanumeric character set called a token > Stores original data on a server > Protects data on its server with authentication and authorization protocols > Allows authorization only when the correct token is presented Another data protection tool is rights management. Rights management does the following: > Protects data at the file level > Identifies sensitive files and embeds them within your security policies > Allows a security policy to travel with a specific file, even when copied or moved > Allows continued control access to a file, even when it's no longer in your system
As a network administrator, you are asked to recommend a secure method for transferring data between hosts on a network. Which of the following protocols would you recommend? (Select two.)
SFTP SCP The Secure File Transfer Protocol (SFTP) is a file transfer protocol that uses Secure Shell (SSH) to secure data transfers. SSH ensures that SFTP transmissions use encrypted commands and data, which prevents data from being transmitted over the network in cleartext. The Secure Copy (SCP) protocol is associated with Unix/Linux networks and is used to transfer files between systems. Like SFTP, SCP relies on SSH to ensure that data and passwords are not transmitted over the network in clear text. The Remote Copy Protocol (RCP) and the File Transfer Protocol (FTP) are used to transfer files between computers. However, both are unsecure protocols and transmit data over the network in cleartext. Data and passwords sent over the network in clear text are in danger of being tampered with or read during transmission, making them inappropriate for many network applications.
SFTP uses which mechanism to provide security for authentication and data transfer?
SSH SSH File Transfer Protocol uses Secure Shell (SSH) to provide security for authentication and data transfer. FTPS uses SSL to secure FTP traffic. You can also secure FTP traffic by establishing an IPsec tunnel between the client and the server, but IPsec is established independently of FTP in this case.
Which of the following tools allow remote management of servers? (Select two.)
SSH Telnet Both Telnet and SSH are tools for remote server management. POP3 is for retrieving email from a remote server, and FTP is for transferring files. Secure Socket Layer (SSL) secures messages being transmitted on the internet.
Secure Shell
SSH allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication. SSH uses the IDEA algorithm for encryption by default. However, it is able to use Blowfish and DES. SSH is a secure and acceptable alternative to Telnet. SSH is used by unsecured protocols to establish a secure channel. For example, SFTP and SCP are secure file copy protocols that use SSH.
S-HTTP
Secure HyperText Transfer Protocol (S-HTTP) is an alternate protocol that is not widely used because it is not as secure as HTTPS. S-HTTP :Is connectionless, unlike SSL, which is connection oriented.Provides only message security, unlike HTTPS, which provides a full secure channel for all messages.Does not use port 443.
Secure Sockets Layer
Secure Socket Layer secures messages being transmitted on the internet. SSL: > Uses the SSL Handshake Protocol to establish a secure channel. > Requires the server to have a certificate issued by a CA and uses asymmetric encryption. The handshake process is as follows: - The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period. - The client compares the name on the certificate with the name on the URL. - The client verifies that the issuing Certificate Authority (CA) is on its list of trusted CAs. - The client uses the CA's public key to validate the CA's digital signature on the server certificate. > If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA. - A session key is used between the client and the server for the duration of the SSL session. - To protect against man-in-the-middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate. - If all checks are successful, the client continues with the SSL handshake process. > Uses RSA or the Key Exchange Protocol (KEA) for secure exchanging of encryption keys. > Operates at the Session layer (Layer 5) of the OSI model. > Uses port 443 for encrypted traffic. Most firewalls allow port 443 traffic even when other traffic is blocked. For this reason, technologies that can use SSL are more likely to be allowed through firewalls than technologies that require other ports to be opened. > Has different versions. Later versions are more secure. Secure Sockets Layer (SSL) 3.0 was the final SSL version. > Employs session keys in 40-bit, 56-bit, 128-bit, and 256-bit lengths. > Provides an end-to-end encrypted tunnel that is almost impossible to monitor, scan, or sniff. - The advantage is that it increases security. - The disadvantages are that: - Security software cannot detect embedded attacks in transit. - Internal users can use SSL to bypass proxy servers or internet content-filtering systems that have been set up by organizations to control internet usage and content.SSL inspection uses security software on a proxy server. > The proxy server intercepts and inspects traffic between a client and web server. This is similar to a man-in-the middle attack but for positive use. In SSL inspection: - The client establishes an SSL tunnel with the proxy server, which then decrypts the SSL session, scans the content, repackages the SSL session, and sends the transmission to the web server via an SSL tunnel. - The process is reversed when the web server establishes an SSL tunnel with the proxy server that decrypts, scans, and repackages the SSL session before sending the transmission to the client. - The proxy server blocks the transmission of inappropriate or unauthorized content in either direction. > Can be used to secure LDAP (LDAPS) and FTP (FTPS).
SSL, TSL, and SSH
Security services (authentication and encryption) are often added to new or existing protocols using one of the following secure protocols:
Google Chrome
Steps for the Google Chrome browser are: Select the ellipses (three dots) button on the menu bar. Go to History > History. Select Clear browsing data.
Internet Explorer
Steps for the Internet Explorer browser are Select the Tools (gear) icon from the menu bar. Select Internet Options. Go to Browsing history. Select Delete.
Microsoft Edge
Steps for the Microsoft Edge browser are: Select the ellipses (three dots) button on the menu bar. Go to History. Select Clear Browsing Data.
Which of the following protocols are often added to other protocols to provide secure transmission of data? (Select two.)
TLS SSL Both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that are used with other protocols to add security. In addition, Secure Shell (SSH) can be used to add security when using unsecure protocols. HTTPS is the secure form of HTTP that uses SSL. SMTP is used for sending email. SNMP is a network management protocol.
When using SSL authentication, what does the client verify first when checking a server's identity?
The current date and time must fall within the server's certificate-validity period. An SSL client first checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period. SSL clients verify a server's identity using the following steps: 1. The client checks the server's certificate-validity period. The authentication process stops if the current date and time fall outside of the validity period. 2. The client verifies that the issuing certificate authority (CA) is on its list of trusted CAs. 3. The client uses the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA. 4. To protect against man-in-the-middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate.
Security Association (SA)
The establishment of shared security information between two network entities to support secure communications.
Privilege escalation
The exploitation of a misconfiguration, a bug, or design flaw to gain unauthorized access to resources.
Error handling
The procedures in a program that respond to irregular input or conditions.
Encryption
The process of changing plain text through an algorithm into unreadable ciphertext.
Tokenization
The process of replacing original data with a randomly generated alphanumeric character set called a token.
Masking
The process of replacing sensitive data with realistic fictional data.
10.1.7 IPsec Facts
This lesson covers the following topics: > IPsec protocols > IPsec modes of operation > Internet Key Exchange (IKE) > IPsec facts
10.3.9 Web Browser Security Facts
This lesson covers the following topics: > Manage browser data > Enhance browser privacy
Tokenization
Tokenization is another effective tool in data loss prevention. Tokenization does the following: > Replaces actual data with a randomly generated alphanumeric character set called a token > Stores original data on a server > Protects data on its server with authentication and authorization protocols > Allows authorization only when correct token is presented
Transport Layer Security
Transport Layer Security is the successor to SSL 3.0. TLS and SSL are similar but not interoperable, although most applications can use both SSL and TLS. Applications that can use both SSL and TLS negotiate which protocol to use during the handshake process.An SSL session begins when the client sends a client hello message to the server.The client hello message specifies the highest SSL/TSL version that the client supports.The message also contains a random number, a list of ciphers, and suggested compression methods.The server responds with a server hello message.The server hello message specifies the protocol version, a different random number, and the selected cipher and compression method.The server sends a certificate message followed by a server hello done message.The client responds with a client key-exchange message.The random numbers exchanged earlier are used to compute the master secret.All further key data for the connection is derived from the master secret.The client then sends a change cipher spec message which indicates that further communication will be encrypted.The client then sends a finished message.The finished message contains a hash and a MAC.The server attempts to decrypt the finished message and verify the hash and MAC.If the server fails to decrypt the message, the connection is ended.If the server succeeds in decrypting the message, the server sends the client a change cipher spec message indicating that further transmission will be encrypted.The server then sends a finished message to the client.The finished message contains a hash and a MAC.The client attempts to decrypt the finished message and verify the hash and MAC.If the client fails to decrypt the message, the connection is ended.If the client succeeds, the handshake is considered complete. Many secure connections that are described as using SSL might actually be using TLS instead. TLS uses Diffie-Hellman or RSA to exchange session keys. TLS is implemented through two protocols:TLS Record provides connection security with encryption (with DES for example).TLS Handshake provides mutual authentication and choice of encryption method.
10.1.5 Allow SSL Connections
You are the IT security administrator for a small corporate network. You currently run a website on the CorpWeb server. You want to allow SSL connections to this website. In this lab, your task is to add a binding to the CorpNet website using the following settings: Website: www.corpnet.xyz Protocol: HTTPS Port: 443 SSL certificate: www.corpnet.xyz Complete this lab as follows: 1. Open the IIS Manager to the CorpNet.xyz site. a. From the Server Manager's menu bar, select Tools > Internet Information Services (IIS) Manager. b. Expand CorpWeb(CorpNet.com\Administrator) > Sites. c. Select CorpNet.xyz. 2. Add a binding to the CorpNet website. a. From the Actions pane (far right), select Bindings. b. Select Add. c. Using the Type drop-down menu, select HTTPS. d. Make sure the port is set to 443. e. Using the SSL certificate drop-down menu, select www.CorpNet.xyz and then select OK. f. Select Close.