I Cybersecurity Midterm
Shannon's Maxim
"The enemy knows the system"
Transitive Trust
BASIC PRINCIPLE: If A trusts B and B trusts C, then A trusts C.
Least Privilege
BASIC PRINCIPLE: Restrict what people may do to an asset. Provide the minimum privileges required. Example: key opens my store but not yours.
Deny by Default
BASIC PRINCIPLE: We always start by granting no access. We add access rights. This makes it easier to assign the right permissions and achieve Least Privilege.
islands
A process can only use resources brought into its RAM. Can't modify anything else.
security patch race
A race begins when a security problem arises. The software developer races to develop a fix to eliminate the problem. Attackers race to write software that exploits the problem and lets them attack computers. Attack software is called an exploit.
access matrix
A way to specify access permissions. Rows for resources or RAM. Columns for active entities or processes.
Chain of Control
BASIC PRINCIPLE: We must never run programs that violate or bypass our security policy. To avoid this, we start the computer using a BIOS that maintains our security policy. If the software we start (i.e. the OS) can start other software, then the other software either complies with the security policy, OR is constrained from violating the policy via access restrictions or other mechanisms.
Open Design
BASIC PRINCIPLE: We open our systems for third-party analysis to help ensure their effectiveness. We withhold changeable, secret information. Kerckhoff, Shannon.
transmission state
Being moved from one place to another. "Data in motion"
processing state
Being used by an active process. Usually stored in RAM.
Weakest Link
ALL components must work or an attack will succeed
preventative
Access controls are ____ - they try to block an attack from happening
SCADA: Kantianism
Actions are ethical only if they can be generalized to apply to everyone
Ropeswing Model
Always know the context before analyzing. The idea of risk changes as different knowledge is gained. Risk depends on time and context.
ambiguity
Can Tina read a file with these permissions? Owner: Bob - RWX; Group: Survey (Bob and Tina) - no access; World: R--. Answer: depends on the operating system. On OpenVMS: YES. Permissions are combined, then checked. On Unix: NO. Applies the list that applies closest to Tina: the group permissions.
Java Overflow
Compilers in Java programs written in C. Applications can incorrectly handle ArrayOutofBounds exceptions
CIA triad
Confidentiality, Integrity, Availability
control sections
Contain instructions to execute. Contain unchanging data.
data sections
Contain variables that change. Contain "free form" RAM. Buffers, stacks.
executable files
Files that contain applications or other executable programs. "Binary executables" are stored in a control section and executed by the CPU. "Scripts" contain text interpreted by a programming language interpreter.
cryptolocker
First documented September 2013. Distributed via botnets in U.S. (60% of infections), UK, Canada, Australia. 155,000 systems infected within the first month. Roughly 50,000 per month thereafter. Variants include CryptoWall, CoinVault.
Kill Chain
For a weapon to succeed, a number of steps must all succeed
SCADA: Utilitarianism
Greatest good for the greatest number (most of the time)
execute access rights
Helps distinguish data files from programs. Must have the "Execute" right to execute a file containing a program.
path name
Identifies the directory entries to follow to find the file
Risk Assessment Steps
Identifying risks: Step 1: Identify assets; Step 2: Identify threat agents and attacks. Prioritizing risks: Step 3: Estimate the likelihood of attacks; Step 4: Estimate the impact of attacks; Step 5: Calculate their relative significance. Establish requirements: Step 6: Write requirements to address the highest-priority risks.
data execution prevention (DEP)
If the computer has ____, it only executes instructions in a control section. Prevents an exploit from jumping to its own shell code.
Binary Large Object (BLOB)
Lump of raw data. It's ignored by MS Word, but can be read in by the exploit later on. It contains: shell code; a malware program installed by the shell code; a decoy document (keeps Word from crashing if it detects a security vulnerability exploit). Masquerade.
administrative groups
Many systems have a separate "Admin" group. User IDs who are part of the group may perform administrative tasks. Restrict access to administrative functions by blocking the right to execute the programs. Windows also associates other privileges with user groups, including administrative rights. If a user is in the "Admin" group, they automatically have access to administrative functions.
tailored policies
Modify rights for specific sets of files. Specific tailorings: Privacy - block some files from sharing; Shared reading - share some blocked files; Shared updating - full rights for some users.
detective
Monitoring is ____ - it detects the attack without necessarily blocking it (often provided through logs)
Continuous Improvement
Never ends at final step. Any step in the process may suggest a change that will improve the result.
Impact
Not applicable; Low = noticeable impact; Moderate; High = major damage
Writing a security requirement
Number each requirement. Use the word "shall". Each requirement should be testable. Each statement identifies the risks it addresses. Phrase the requirement in a positive and specific form.
vulnerabilities
Openings in the boundary are ____
Kerckhoff's Principle
Rely on a changeable secret, but make the rest of the design public and open to review
storage state
Stored in a computer, not being processed. "Data at rest"
Return Oriented Programming (ROP)
Stringing together a list of code fragments in executable memory (such as system DLLs) and sending control off to them one at a time. MS Word.
SCADA
Supervisory Control And Data Acquisition. Runs electric power generation, nuclear plants, water treatment, sewage systems, oil and gas refineries, dams/hydroelectric, and other ICS systems. What is ICS? Industrial Control Systems (these use industrial Ethernet switches, which have their own vulnerabilities). SCADA standard says that these systems should never have public Internet access.
Availability
Support ongoing operations. Avoid DoS.
Access Control Lists (ACLs)
The general-purpose technique: cluster access rights by row (by resource, by file). Simple permission flags require a small, fixed amount of storage for each file. ACLs may be arbitrarily long. Poses a challenge for the OS. An alternative to User Groups. We simply keep a list of individuals with the right to access a particular file or folder. Efficient if each file needs its own tailored list.
threat agents
Think about the people who actually perform attacks. We can use published information to produce written profiles of specific groups that represent threat agents. Implements an attack.
Disclosure
an attack on confidentiality
risk
an attack that is likely to happen
Dynamic Linked Library (DLL)
an executable file that allows Windows to share code libraries and other resources (MS Word)
global policies
applied to all users by default. Isolation Policy - keep users separate. Sharing Policy - let users share their files.
defaults
apply the same access rights to all new files
inheritance
apply the access rights based on the enclosing directories
physical theft
availability attack
Denial of Service
availability attack. Overflow of traffic stops operations.
Requirements-based decisions
based on systematic analysis of the security situation. ex: Risk management framework
Forgery
bogus messages given to computers
Comprehensive Security
closing all avenues of attack
Access Matrix
contains two dimensions. A full matrix is too large for practical use. We can organize access rights by clustering in one dimension or the other. Cluster by Column = Capability-Based Security: we associate rights with users, processes, or other active entities. A key-ring is a set of capabilities: ownership grants access to the locked items. Tickets provide capabilities.
written permission
difference between ethical hacker and an attacker is ____
monitoring
effective security requires ____
Morris Worm
first major Internet worm. 1988 - disabled about 10% of Internet computers. Used several attacks. Buffer overflow vulnerability: a program fails to keep track of its input; the input data modifies RAM that it shouldn't; attacker can take over the computer if the wrong RAM gets modified.
program
group of instructions
Confidentiality
keep information secret; avoid disclosure vulns
Risk
likelihood of an undesired event. Risk = Threat * Vulnerability
Address Space Layout Randomization (ASLR)
loads DLLs into slightly different memory locations whenever you start an application or re-boot
Rule-based decisions
made for us by external circumstances or established, widely accepted guidelines. ex: car ignition locks, we follow someone else's rule
vulnerability
makes an attack possible
attack scenario
may study potential or actual attacks; elements are all based on recorded attacks
file system
modern computers keep files in a hierarchy of folders and directories
Subversion
modify a system to work for the threat agent
patterns
photo IDs, anti-virus, biometrics; false positives?
dispatcher
procedure in the operating system (OS) that switches running processes
control section
programs execute in the ____
Integrity
programs or data suffer undesired or unintended modifications; avoid forgery, subversion, masquerade
attack case studies
report actual attacks; a scenario that includes threat agent data
Common Vulnerability Enumeration (CVE)
reports are tracked by ____
finger
retrieved info about users
process
running program
vaults
safe deposit box; access control on a computer; least privilege; a process can retrieve a file or print data if granted the right permissions
SHODAN
search engine for IoT; reconnaissance before attack
puzzles
security through obscurity; cryptography; Kerckhoff/Shannon; protect data by presenting a puzzle
file name
selects the right file in the final directory in the path
Defense in Depth
several countermeasures arranged in a series; attack is stopped if ANY countermeasure succeeds
Masquerade
system works on behalf of wrong user
file permission flags
traditional Unix uses ___ to indicate access rights. Owner-Group-World: rwxrwxrwx
Computer Emergency Response Team (CERT)
the Morris worm helped create ____
data section
the stack is in the ____
window of vulnerability
time during which an exploit exists but computers aren't patched
Relativistic decisions
try to outdo others who are faced with similar security problems. ex: someone else does it, so I do too; hunter's dilemma
Defense in Depth
We improve security by providing layers of defense. Attackers must breach a series of defenses to reach our most valuable assets.
Kill Chain
What do we call the relationship between ASLR and DEP?
least privilege
____ would have helped stop the worm; the finger process had root access, which it did not need
Threat
a person or thing likely to cause damage or danger
Vulnerability
a weakness which allows an attacker to reduce the system's information assurance
Threat agent, attacker, attack
A ____ or ____ tries to ____ assets
defense, safeguard, countermeasure
A ____, ____, or ____ protects the assets
botnet
Compromised systems on a network, all controlled by a single attacker, form a ____
compromised system
An attacked system that is unsafe to use is a ____
authorized analysis
Analyst has written authorization from the authority responsible for the system. Analyst uses appropriate tools: the analyst knows how to use the tools; tools should provide the most information while posing the lowest risk of interfering with or damaging the system. Analyst protects the results: keeps the data confidential; issues report only to the appropriate authority.
boundary
Assets are protected by a ____
ways to stop MS Word attack
DEFENSE IN DEPTH: Don't open suspicious attachments. Keep your patches current. Keep your anti-virus current. Toshliph launches 3 malicious processes; you might catch one of them in action before it's too late.
generic risks
Denial of service, Subversion, Masquerade, Disclosure, Forgery
Risk Management Framework (RMF)
Establish system and security goals; Select security goals; Implement security goals; Assess security controls; Authorize the information system; Monitor security controls