Chapter 1 - Essential Knowledge


Compensating Controls

Compensating controls are alternative controls used instead of a primary control. As an example, an organization might require employees to use smart cards when authenticating on a system. However, it might take time for new employees to receive their smart card. To allow new employees to access the network and still maintain a high level of security, the organization might choose to implement a Time-based One-Time Password (TOTP) as a compensating control. The compensating control still provides a strong authentication solution.

Corrective Controls

Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Corrective controls:
- IPS
- Backups and system recovery

Control Objects for Information and Related Technology (COBIT)

Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), COBIT is (from ISACA's own website) "an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development, good practice, and emphasizes regulatory compliance." It does so in part by categorizing control objectives into the following domains:
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring and evaluation

Application Flaws (Vuln. Type)

Flaws inherent in the application's code or functionality itself.

Operating system (OS) attacks (Attack Types)

Generally speaking, these attacks target the common mistake many people make when installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about. Additionally, operating systems are never released fully secure—they can't be, if you ever plan on releasing them within a time frame of actual use—so the potential for an old vulnerability in newly installed operating systems is always a plus for the ethical hacker.

Guidelines

Guidelines are flexible, recommended actions users are to take in the event there is no standard to follow.

ISO/IEC 27001:2013

It provides requirements for creating, maintaining, and improving organizational IS (Information Security) systems. The standard addresses issues such as ensuring compliance with laws as well as formulating internal security requirements and objectives.

Default passwords (Vuln. Type)

Leaving a default password in place on a system is asking for trouble.

Missing Patches (Unpatched Servers) (Vuln. Type)

Many systems are not patched for a variety of reasons, leaving them vulnerable to attacks.

Internet

Outside the boundary and uncontrolled. You don't apply security policies to the Internet. Governments try to all the time, but your organization cannot.

Passive reconnaissance

Passive reconnaissance involves gathering information about your target without their knowledge.

Confidentiality

Prevents the unauthorized disclosure of data. Authorized personnel can access the data, but unauthorized personnel cannot access the data.

paranoid policy

a paranoid policy locks everything down, not even allowing the user to open so much as an Internet browser.

permissive policy

a permissive policy blocks only things that are known to be dangerous.

Hash

A hash is simply a number created by executing a hashing algorithm against data, such as a file or message. By comparing hashes created at two different times, you can determine if the original data is still the same.

Misconfiguration (Vuln. Type)

A misconfiguration of the service or application settings.

Open Systems Interconnection (OSI) model

A network architecture framework developed by ISO that describes the communications process between two systems across the Internet in seven distinct layers.

penetration test

A penetration test is a clearly defined, full-scale test of the security controls of a system or network in order to identify security risks and vulnerabilities and has three major phases.

Protection profile (PP)

A set of security requirements specifically for the type of product being tested

Production Network Zone

A very restricted zone that strictly controls direct access from uncontrolled zones. The PNZ does not hold users.

ALE = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)

ALE (Annualized Loss Expectancy) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)

Access Control Models

Access control ensures that only authenticated and authorized entities can access resources.
• Subjects. Subjects are typically users or groups that access an object. Occasionally, the subject may be a service that is using a service account to access an object.
• Objects. Objects are items such as files, folders, shares, and printers that subjects access. For example, users access files and printers.
The access control model helps determine how a system grants authorization to objects. Or, said another way, the access control model determines how a system grants users access to files and other resources.

Administrative Controls

Administrative controls (operational/management controls) use methods mandated by organizational policies or other guidelines. For example, management may require personnel to periodically complete assessments and tests to reduce and manage risk. Many of these assessments provide an ongoing review of an organization's risk management capabilities. Administrative Controls:
- Risk assessments
- Vulnerability assessments
- Penetration tests

Attribute-Based Access Control

An attribute-based access control (ABAC) evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.

Intranet

An intranet is an internal network. People use the intranet to communicate and share content with each other.

Baselines

Baselines provide the minimum security level necessary.

Buffer Overflow (Vuln. Type)

Buffer overflows are flaws in execution that allow an attacker to take advantage of the results of bad coding.

Detective Controls

Detective controls attempt to detect when vulnerabilities have been exploited, resulting in a security incident. An important point is that detective controls discover the event after it's occurred. Detective Controls:
- Log monitoring
- Trend analysis
- Security audit
- Video surveillance
- Motion detection

Deterrent Controls

Deterrent controls attempt to discourage a threat. Some deterrent controls attempt to discourage potential attackers from attacking, and others attempt to discourage employees from violating a security policy. (You can often describe many deterrent controls as preventive controls. For example, imagine an organization hires a security guard to control access to a restricted area of a building. This guard will deter most people from trying to sneak in simply by discouraging them from even trying. This deterrence prevents security incidents related to unauthorized access.) Physical security controls used to deter threats:
- Cable locks
- Hardware locks

promiscuous policy

EC-Council also looks at policy through the prism of how tough it is on users. A promiscuous policy is basically wide open.

Preventive Controls

Ideally, an organization won't have any security incidents and that is the primary goal of preventive controls—to prevent security incidents. Preventive Controls:
- Hardening
- Security awareness and training
- Security guards
- Change management
- Account disablement policy

Discretionary Access Control (DAC)

In the discretionary access control (DAC) model, every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC model.

White-box testing

In this type, pen testers have full knowledge of the network, system, and infrastructure they're targeting. This, quite obviously, makes the test much quicker, easier, and less expensive, and it is designed to simulate a knowledgeable internal threat, such as a disgruntled network admin or other trusted user.

Availability

Indicates that data and services are available when needed. Organizations commonly implement redundancy and fault-tolerant methods to ensure high levels of availability for key systems.

Integrity

Integrity provides assurances that data has not changed. This includes ensuring that no one has modified, tampered with, or corrupted the data.

Common Criteria for Information Technology Security Evaluation (Common Criteria, or CC)

It provides a way for vendors to make claims about their in-place security by following a set standard of controls and testing methods, resulting in something called an Evaluation Assurance Level (EAL). Common Criteria is, basically, a testing standard designed to reduce or remove vulnerabilities from a product before it is released.

Redundancy

Redundancy adds duplication to critical systems and provides fault tolerance.

Role-Based Access Control (Role-BAC)

Role-based access control (role-BAC) uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role.

Rule-Based Access Control (rule-BAC)

Rule-based access control (rule-BAC) uses rules. The most common example is with rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications, too.

Sarbanes-Oxley (SOX) Act

SOX was created to make corporate disclosures more accurate and reliable in order to protect the public and investors from shady behavior. There are 11 titles within SOX that handle everything from what financials should be reported and what should go in them, to protecting against auditor conflicts of interest and enforcement for accountability.

Encryption

Scrambles data to make it unreadable by unauthorized personnel. Authorized personnel can decrypt the data to access it, but encryption techniques make it extremely difficult for unauthorized personnel to access encrypted data.

scanning and enumeration (Second Phase)

Security professionals take the information they gathered in recon and actively apply tools and techniques to gather more in-depth information on the targets. This can be something as simple as running a ping sweep or a network mapper to see what systems are on the network, or as complex as running a vulnerability scanner to determine which ports may be open on a particular system.

Open Services (Vuln. Type)

Services that are not actively used on the system but are open anyway can be targets.

E-mail Policy

Sometimes also called the E-mail Security Policy, this addresses the proper use of the company e-mail system.

Default Installation (Vuln. Type)

Sometimes the installation of an application or service using the default locations and settings opens a vulnerability.

Standards

Standards are mandatory rules used to achieve consistency.

Control Goals

Technical and administrative controls categorize the controls based on how they are implemented. Another way of classifying security controls is based on their goals in relationship to security incidents. Some common classifications are preventive, detective, corrective, deterrent, and compensating.

Technical Controls

Technical controls use technology to reduce vulnerabilities. An administrator installs and configures a technical control, and the technical control then provides the protection automatically. Throughout this book, you'll come across several examples of technical controls. Technical Controls:
- Encryption
- Antivirus software
- IDSs and IPSs
- Firewalls
- Least privilege

Payment Card Industry Data Security Standard (PCI-DSS)

The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard for organizations handling credit cards, ATM cards, and other point-of-sales cards. The standards apply to all groups and organizations involved in the entirety of the payment process—from card issuers, to merchants, to those storing and transmitting card information—and consist of 12 requirements:
• Requirement 1: Install and maintain firewall configuration to protect data.
• Requirement 2: Remove vendor-supplied default passwords and other default security features.
• Requirement 3: Protect stored data.
• Requirement 4: Encrypt transmission of cardholder data.
• Requirement 5: Install, use, and update AV (antivirus).
• Requirement 6: Develop secure systems and applications.
• Requirement 7: Use "need to know" as a guideline to restrict access to data.
• Requirement 8: Assign a unique ID to each stakeholder in the process (with computer access).
• Requirement 9: Restrict any physical access to the data.
• Requirement 10: Monitor all access to data and network resources holding, transmitting, or protecting it.
• Requirement 11: Test security procedures and systems regularly.
• Requirement 12: Create and maintain an information security policy.

assessment phase

The assessment phase (sometimes also known as the security evaluation phase or the conduct phase) is exactly what it sounds like—the actual assaults on the security controls are conducted during this time.

demilitarized zone

The demilitarized zone (DMZ) is a buffered zone between a private network and the Internet. This technique is typically used on parts of the network that must remain open to the public (web servers) but must also access trusted resources (such as a database). The point is to allow the inside firewall component, guarding the internal trusted resources, to make certain assumptions about the impossibility of outsiders forging DMZ addresses.

Security target (ST)

The documentation describing the TOE and security requirements

gray-box testing

The last type, gray-box testing, is also known as partial knowledge testing. What makes this different from black-box testing is the assumed level of elevated privileges the tester has. Whereas black-box testing is generally done from the network administration level, gray-box testing assumes only that the attacker is an insider. Because most attacks do originate from inside a network, this type of testing is valuable and can demonstrate privilege escalation from a trusted employee.

Mandatory Access Control

The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access.

preparation (phase)

The preparation phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.

Application-level attacks (Attack Types)

These are attacks on the actual programming code and software logic of an application. Although most people are cognizant of securing their OS and network, it's amazing how often they discount the applications running on their OS and network. Many applications on a network aren't tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a gold mine for most hackers.

Operating System flaws

These are flaws in a specific operating system (Windows, Linux, macOS, etc.).

Design Flaws (Vuln. Type)

These are flaws universal to all operating systems - things like encryption, data validation, logic flaws and so on.

Misconfiguration attacks (Attack Types)

These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. Remember the triangle earlier and the maxim "As security increases, ease of use and functionality decrease"? This type of attack takes advantage of the administrator who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave security settings at the lowest possible level, enable every service, and open all firewall ports. It's easier for the users but creates another gold mine for the hacker.

Shrink-wrap code attacks (Attack Types)

These attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. The old refrain "Why reinvent the wheel?" is often used to describe this attack type. Why spend time writing code to attack something when you can buy it already "shrink-wrapped"? These scripts and code pieces are designed to make installation and administration easier but can lead to vulnerabilities if not managed appropriately.

Password Policy

This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.

Information Protection Policy

This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.

Information Audit Policy

This defines the framework for auditing security within the organization. When, where, how, how often, and sometimes even who conducts information security audits are described here.

Access Control Policy

This identifies the resources that need protection and the rules in place to control access to those resources.

Information Security Policy

This identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Versions of this policy are also known as an Acceptable Use Policy.

Management Network Zone

Usually an area you'd find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.

Target of evaluation (TOE)

What is being tested

active reconnaissance

Active reconnaissance uses tools and techniques that may or may not be discovered but put your activities as a hacker at more risk of discovery. Another way of thinking about it is from a network perspective: active is that which purposefully puts packets, or specific communications, on a wire to your target, whereas passive does not.

Operational Controls

Many administrative controls are also known as operational or management controls. They help ensure that day-to-day operations of an organization comply with the organization's overall security plan. People (not technology) implement these controls. Operational Controls:
- Awareness and training
- Configuration and change management
- Contingency planning
- Media protection
- Physical and environmental protection

covering tracks (fifth/final phase)

Attackers attempt to conceal their success and avoid detection by security professionals. Steps taken here consist of removing or altering log files, hiding files with hidden attributes or directories, and even using tunneling protocols to communicate with the system. If auditing is turned on and monitored, and often it is not, log files are an indicator of attacks on a machine. Clearing the log file completely is just as big an indicator to the security administrator watching the machine, so sometimes selective editing is your best bet.

Health Insurance Portability and Accountability Act (HIPAA)

Developed by the U.S. Department of Health and Human Services to address privacy standards with regard to medical information. The law sets privacy standards to protect patient medical records and health information, which, by design, are provided and shared with doctors, hospitals, and insurance providers. HIPAA has five subsections that are fairly self-explanatory (Electronic Transaction and Code Sets, Privacy Rule, Security Rule, National Identifier Requirements, and Enforcement) and may show up on your exam.

maintaining access (fourth phase)

Hackers attempt to ensure they have a way back into the machine or system they've already compromised. Back doors are left open by the attacker for future use, especially if the system in question has been turned into a zombie (a machine used to launch further attacks from) or if the system is used for further information gathering—for example, a sniffer can be placed on a compromised machine to watch traffic on a specific subnet. Access can be maintained through the use of Trojans, rootkits, or any number of other methods.

Physical Controls

Physical controls are any controls that you can physically touch. Some examples include lighting, signs, fences, security guards, and more. CompTIA has placed a lot more emphasis on physical security controls, including environmental controls such as hot and cold aisles and fire suppression. However, it's important to realize that many of these are also technical controls. For example, a fire suppression system is a physical security control because you can touch it. However, it's also a technical control because it uses technologies to detect, suppress, or extinguish fires.

procedures

Procedures are detailed step-by-step instructions for accomplishing a task or goal.

prudent policy

Provides maximum security but allows some potentially or known dangerous services because of business needs.

conclusion (or post-assessment) phase

The conclusion (or post-assessment) phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.

black-box testing

The ethical hacker has absolutely no knowledge of the TOE.

Reconnaissance (First phase)

The steps taken to gather evidence and information on the targets you want to attack. It can be passive in nature or active.

Gaining access (Third Phase)

True attacks are leveled against the targets enumerated in the second phase. These attacks can be as simple as accessing an open and non-secured wireless access point and then manipulating it for whatever purpose, or as complex as writing and delivering a buffer overflow or SQL injection against a web application. The attacks and techniques used in this phase will be discussed throughout the remainder of this study guide. Privilege escalation is also done here, but only if necessary.

Security Control Types

• Technical controls use technology.
• Administrative controls use administrative or management methods.
• Physical controls refer to controls you can physically touch.
• Preventive controls attempt to prevent an incident from occurring.
• Detective controls attempt to detect incidents after they have occurred.
• Corrective controls attempt to reverse the impact of an incident.
• Deterrent controls attempt to discourage individuals from causing an incident.
• Compensating controls are alternative controls used when a primary control is not feasible.
