Modules 6 and 7: Security Assessment and Testing and Security Operations
Software-Defined Networks (SDNs)
Decouple the control plane from the forwarding plane. The controller handles traffic routing using simpler network devices; eliminates some complexity related to traditional networking protocols.
Virtual Storage Area Networks (VSANs)
A dedicated high speed network that hosts multiple storage devices virtually. Historically expensive, virtualization helps bypass complexities of past hardware requirements.
Darknet
A portion of allocated IP addresses within a network that are not used. Any traffic destined for these addresses is not legitimate.
Intrusion Prevention System (IPS)
A special type of IDS that attempts to detect and block attacks before they reach target systems. The biggest difference from an IDS is that all traffic must pass through the IPS before reaching the target.
Fuzz Testing
A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
Attacking
Actual penetration of the target. Goal is to escalate privileges and gain superuser (SU) access, install rootkits, etc. Allows for continued access; the attacker then covers tracks using log scrubbers and trojan programs.
Response
Occurs after an incident is detected and verified. Varies depending on the severity of the incident, but orgs have dedicated teams for this.
Recovery
After investigators collect all evidence from a system, the goal is to return it to a fully functioning state. May be as simple as rebooting a system, or as involved as rebuilding one entirely.
RAID-1
Also called mirroring. Uses two disks that both hold the same data. If one disk fails, the other is there for redundancy.
RAID-5
Also called striping with parity. Uses three or more disks with the equivalent of one disk holding parity info. If any one disk fails, the array will continue to operate, but more slowly.
RAID-0
Also called striping. Uses two or more disks and improves the disk subsystem's performance, but does NOT provide fault tolerance.
RAID-10
Also known as a stripe of mirrors; configured as two or more RAID-1 mirror sets in a RAID-0 configuration. Has at least 4 disks.
Zero-Day exploit
An attack on a system exploiting a vulnerability that is unknown to others.
Ping of Death
Attack that sends an oversized ping packet, which is bigger than the system can handle. Rarely successful today.
Teardrop attack
Attacker fragments traffic in such a way that a system is unable to reassemble the data packets. Current systems aren't susceptible to these.
Land Attack
Attacker sends spoofed SYN packets to a victim using the victim's IP address as both the source IP and destination IP.
Mitigation
Attempt to contain an incident; the primary goal of a response team. The team tries to isolate the affected host/network/etc. to contain the incident.
Penetration Testing Requirements
Basic requirements: meet with senior management to determine the goal of the assessment, document the rules of engagement, and get sign-off from senior management. Determine the effectiveness of current security measures and areas for improvement.
Generational (Intelligent) Fuzzing
Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
Rules of Engagement Document
Document that specifically outlines what can be tested and penetrated. Ex: specific IP ranges, acceptable attack techniques, points of contact, and info given to the testing team.
Dynamic Testing
Evaluates the security of software in a runtime environment. Often the only option for orgs deploying applications written by someone else, since testers often do not have access to the underlying source code. Uses synthetic transactions.
Static Testing
Evaluates the security of software without running it, by analyzing the source code or the compiled application. Generally involves the use of automated tools that look for common software flaws.
Host-Based Intrusion Detection System (HIDS)
Examines the operations of a single computer independently. Examines events in more detail. Expensive to manage and use throughout the org. Can read encrypted data. Uses lots of local CPU/memory.
Pseudo Flaws
False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to lure attackers.
Ping Flood attack
Floods a victim with a bevy of ping requests; very effective when used with botnets. A common defense is to block ICMP traffic.
Footprinting (step 2)
Goal is to discover the essential features of the target: Nmap the network, ICMP ping sweeps, DNS zone transfers, etc.
Behavior-based (Statistical) IDS
IDS looks for traffic behavior that it considers outside the normal baseline. Can possibly detect zero-days and non-technical attacks; produces lots of false positives, most of which go ignored. Requires a skilled analyst to sift through all matches.
Network-based Intrusion Detection System (NIDS)
IDS that watches the entire network and all associated network machines. Looks for DoS, port scans, and malicious content, and can watch the internal network for policy violations. Easier to deploy and manage, but cannot read encrypted data.
Active Response
IDSs that have the ability to modify the environment using several different methods.
Fingerprinting (step 3)
Identify host information, start port scanning, etc.
Vulnerability Assessment (step 4)
Identify the weak points in system configurations. Discover software that needs patches.
Honeypot
Individual computers created as a trap for intruders. They look and act like real systems but do not host any data of real value. Configured with vulnerabilities to tempt intruders into attacking them. Goal is to keep attention away from real network resources.
Software-as-a-Service (SaaS)
Model that provides fully functional applications, typically over the web/cloud, like Gmail. The CSP is responsible for all maintenance of the service; consumers do not manage any cloud-based assets.
TCP Connect Scanning
Opens a full connection to the remote system on the specified port; used when the user does not have the necessary permissions to run a half-open scan.
Reconnaissance (step 1)
Part of the attack methodology. Looking at public information, the WHOIS DB, and social media to glean additional info that could be useful.
Padded Cell
Performs intrusion isolation by automatically transferring the intruder to a simulated environment that offers fake data to retain an intruder.
Remediation
Personnel look at the incident and attempt to identify what allowed it to occur. The team does a root cause analysis.
Lessons Learned
Personnel reflect on the incident and the response process and how they can improve in the future.
POP3 Port
Port 110
NTP Port
Port 123
SQL Port
Port 1433
Oracle Port
Port 1521
FTP Port
Port 21
SSH Port
Port 22
Telnet Port
Port 23
SMTP port
Port 25
HTTPS Port
Port 443
DNS Port
Port 53
HTTP Port
Port 80
Vulnerability Scanning
Process of identifying holes within a target: active hosts, ports, devices, applications, OSs, misconfigured settings. Goal is to establish a foundation/direction for penetration testing.
Infrastructure-as-a-Service (IaaS)
Provides basic computing resources to consumers, like storage, servers, and sometimes networking resources. Consumers install OSs and applications and perform maintenance on them; the CSP maintains the cloud-based infrastructure, ensuring availability to customers.
Platform-as-a-Service (PaaS)
Provides consumers with a computing platform, including hardware, OSs, and applications. Consumers manage their applications and some configuration settings on the host, but the CSP is responsible for maintenance of the host and underlying infrastructure.
Warm Site
Recovery site that contains the equipment necessary to rapidly establish operations, but does not have any copies of the primary client's data, which must be moved over.
Hot Site
Recovery site that is maintained in constant working order, ready to assume primary responsibilities. Cost is extremely high.
Reporting
Refers to communicating the incident at hand within the organization and sometimes outside of it. Many places have laws that require this.
Virtual Machines (VM)
Run as guest operating systems on physical servers. The physical servers include extra processing power, memory, and disk storage to handle the VMs.
TCP ACK Scanning
Sends a packet with the ACK flag set, indicating it is part of an open connection.
Xmas Scanning
Sends a packet with the FIN, PSH, and URG flags set.
TCP SYN Scanning
Sends a single packet to each scanned port with the SYN flag set, requesting to open a new connection. If the scanner gets a SYN/ACK response, the port is open. AKA half-open scanning.
Fraggle Attack
Similar to Smurf attacks, but uses UDP packets instead of ICMP or SYN.
Hypervisor
Software component that manages VMs, VSANs, and other virtual network components. Represents an additional attack target.
Cold Site
Standby facility for recovery. Has no computing capability pre-installed and no active broadband links. Low cost to maintain, but activation takes weeks.
Full Backups
Store a complete copy of the data contained on the protected device, duplicating every file on the system.
Differential Backups
Stores all files that have been modified since the most recent full backup. This process does not change the archive bit.
Incremental Backups
Stores only those files that have been modified since the most recent full or incremental backup. Only files with the archive bit on are duplicated.
Mutation (Dumb) Fuzzing
Takes previous input values from actual operation of the software and manipulates them to create fuzzed input.
Incident Response: Detection
The means of identifying and verifying an incident, using IDSs, anti-malware, etc.
Zero Knowledge (Black Box)
The penetration testing team comes in with no information about the system and must collect it as part of the testing process. The next step is to simulate an attack by a would-be hacker who has no prior knowledge of the information system.
Partial Knowledge (Gray Box)
The penetration testing team has knowledge that might have relevance to a specific type of attack.
Full Knowledge (White Box)
The penetration testing team has the most extensive knowledge possible about the system to be tested. This test will replicate a certain attack that might be tried by an informed employee of an organization. Has access to internal code.
Zzuf
Tool that automates the process of mutation fuzzing by manipulating input according to user specifications.
Nmap
Tool used for network discovery scanning. Identifies the current state of each network port, reporting it as open, closed, or filtered.
Honeynet
Two or more networked honeypots used to simulate a network.
SYN Flood attack
Type of DoS attack. Disrupts the TCP 3-way handshake, making the victim allocate resources until it is overwhelmed and unable to respond to legitimate requests.
Smurf attack
Type of DoS attack. Floods the victim with ICMP echo packets: a spoofed broadcast ping is sent out to the rest of the network, and the victim is flooded with the responses.
Signature-based (Pattern Matching) IDS
Uses a database of known attacks developed by the IDS vendor; real-time traffic is matched against the database and an alert is raised if a match is found. Downside is that it is only effective against known attack methods, not zero-day attacks. The database must be kept updated.
Passive Response
When IDSs detect an event, they can send notifications via email, text, etc., to help ensure admins respond quickly.