GIAC
GSECtitle
Crashstyle
Course
Click to edit
Master
Michael J. Shannon
CISSP
Cisco CCNP R&S and CCNP Security
Palo Alto Networks Certified
Network Security Engineer (PNCSE7)
GIAC GSEC and Security+
ITIL 4 Managing Professional (MP)
OpenFAIR Foundation
AWS SysOps Administrator Associate
1
Introduction
Click to edit Master title style
• Welcome to the GSEC Challenge – that’s exactly what you are officially
doing if you attempt a GIAC exam without the official SANS 5-6 day class.
• Is the SANS GSEC $7000 worth the price?
• It’s an open book exam - All tools are free and open-source
• Here is what I’m giving you in this crash course
•
•
•
•
Slides in PDF – print them
An index of the course
Cheat sheets
YouTube videos for tools
2
Setting up Learning Labs
Click to edit Master title style
• You have several options for lab environments
• A powerful workstation/laptop
• VM Workstation Pro or VirtualBox 6
• Kali Linux + Metasploitable + Windows 10
• Virtual networks at AWS, GCP, IBM Cloud, or Azure
• Cisco Modeling Labs 2.0
https://www.virtualbox.org/
https://www.kali.org/downloads/
https://github.com/rapid7/metasploitable3
https://www.cisco.com/c/en/us/products/cloud-systems-management/modelinglabs/index.html
3
The OSI Reference Model
Click to edit Master title style
Number
Name
Description
7
Application
To accomplish a networked user task
6
Presentation
Expressing and translating data formats
5
Session
To accommodate multiple session connections
4
Transport
Connecting multiple programs on same system
3
Network (or
Internetwork)
Facilitate multihop communications across potentially different link
networks
2
Link
Communication across a single link including media access control
1
Physical
Specifies connectors, data rates, and encoding bits
4
The OSI Reference Model
Click to edit Master title style
Number
Name
Example
7
Application
HTTP, FTP, SMTP, DNS, TELNET
6
Presentation
ASCII, PNG, MPEG, AVI, MIDI
5
Session
SSL/TLS, SQL, RPC, NFS
4
Transport
TCP, UDP, SPX, AppleTalk
3
Network (or
Internetwork)
IP, IPX, ICMP, ARP, BGP, OSPF
2
Link
PPP/SLIP, Ethernet, Frame Relay, ATM
1
Physical
Binary transmission, encoding, bit rates, voltages
5
The TCP/IP Reference Model
Click to edit Master title style
Number
OSI Name
TCP/IP Model
7
Application
6
Presentation
5
Session
4
Transport
Transport
3
Network (or
Internetwork)
Internet
2
Data Link
1
Physical
Application
Network
6
OSI Model Mnemonics
Click to edit Master title style
• All People Seem To Need Data Processing
• All Proper Suitors Tell No Devious Phrase
_____________
• Please Do Not Throw Sausage Pizza Away
• Please Do Not Tell Secret Passwords Anytime
• Physical Data Networks Transport Session Presentation
Applications
7
Hexadecimal Math
Click to edit Master title style
• Hexadecimal is Base-16 math
• Digits are 0-9, A, B, C, D, E, F (16 elements)
Hexadecimal: 0 1 2 3 4 5 6 7 8 9 A
Decimal:
B
C D E F
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
There are 16 Hexadecimal digits. They are the same as the decimal digits up to 9, but
then there are the letters A, B, C, D, E and F in place of the decimal numbers 10 to 15
8
Hexadecimal Math
Click to edit Master title style
A
2
F
7
163
162
161
160
10 X 163
= 40960
2 X 162
= 512
15 X 161
= 240
7 X 160
=7
40960 + 512 + 240 + 7 = 41719
Just like 2^0 power is one in binary, 16 ^ 0 = 1 in hex -- 7 x 1 = 7
16 ^ 1 is 16 x 1 = 16 -- 15 x 16 = 240
16 ^ 2 is 16 x 16 =256 -- 2 x 256 = 512
16 ^ 3 is 16 x 16 x 6 = 4096 -- 10 x 4096 = 40960
40960 + 512 + 240 + 7 – 41719. Notice how we can now express a much larger
number with only 4 characters?
9
Hex to Decimal
Click to edit Master title style
10
Hexadecimal Addresses
Click to edit Master title style
MAC addresses and IPv6 addresses both use Hexadecimal numbers
11
Logical (Virtual) MAC addresses
Click to edit Master title style
AWS uses Elastic Network Interfaces (ENI). We just call them Network Interfaces. It is
a virtual NIC vNIC and is eth0 of the instance by default.
12
Internet Protocol (IP)
Click to edit Master title style
•
•
•
•
IP is the core protocol of the TCP/IP suite and the key
protocol of the Network (internetwork) layer
Its main purpose is to provide internetwork datagram
delivery services to layer 4 protocols like TCP and UDP
Often uses layer 3 devices like routers, multilayer
switches, load balancers, and firewall appliances to
forward datagrams (packets)
Exam Tip: The Time To Live (TTL) field designates
the number of hops a packet can take before it
reaches its destination.
13
Key Characteristics of IP
Click to edit Master title style
• Universal addressing
o Defines addressing mechanism
• Protocol independence
o Works with both the Ethernet and the 802.11 wireless family
• Connectionless delivery
o No handshake setup before transmission to remote host
• Unreliable and unacknowledged delivery - no tracking of
datagrams
• Fragmentation – to break up datagram into smaller packets
for a neighbor router that supports a smaller max
transmission unit (MTU)
14
Address Resolution Protocol (ARP)
Click to edit Master title style
• A technique used by a host to find the MAC address of
another host and map it to an IP address
• A protocol and a utility to view the cache
• Described in RFC 829
• IPv6 does not use ARP – uses ICMPv6 instead
• ARP request = “Who has 10.10.10.33?; tell 192.168.10.45”
15
Main IP Protocol Versions
Click to edit Master title style
• The functions of IP were planned and designed well before
the protocol suite was defined
• The original Transmission Control Program was divided into
Transmission Control Protocol (TCP) and Internet Protocol (IP)
• There were three previous versions of the original TCP; so
when split, IP was called version 4
• There were never IP versions 1, 2 or 3
16
RFC 1918 Private Addresses
Click to edit Master title style
• The Internet Assigned Numbers Authority (IANA)
reserved these three blocks of the IP space for
private internets address space:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Hosts within enterprises that use IP can be partitioned into three categories:
Category 1: hosts that need network layer access outside the enterprise (provided via
IP connectivity); hosts in this category require IP addresses that are globally
unambiguous.
Category 2: hosts that do not require access to hosts in other enterprises or the
Internet at large; hosts within this category may use IP addresses that are
unambiguous within an enterprise - but may be ambiguous between enterprises.
Category 3: hosts that need access to a limited set of outside services (e.g., E-mail,
FTP, remote login) which can be handled by mediating gateways (e.g., application
layer gateways). For many hosts in this category an unrestricted external access
(provided via IP connectivity) may be unnecessary and even undesirable for
privacy/security reasons. Such hosts may use IP addresses that are unambiguous
within an enterprise - but may be ambiguous between enterprises.
17
IP version 6
Click to edit Master title style
• IPv6 was intended to replace the widely used IPv4 that is
considered the backbone of the modern Internet
• IPv6 is often referred to as the "next generation Internet"
because of its expanded capabilities and its growth through
recent large-scale deployments
18
IPv4 vs. IPv6
Click to edit Master title style
Version 4
Version 6
232 address space
2128 address space
Dotted decimal format
Hexadecimal notation
DHCP dynamic addressing
SLAAC and DHCPv6
Header has 20 bytes and 13 fields
Header has 40 bytes and 8 fields
Variable header length
Fixed header length
Header options (obsolete)
Header extensions
Header checksum
No header checksum
19
IPv4 vs. IPv6
Click to edit Master title style
Version 4
Version 6
Packet size: 576 bytes required,
fragmentation optional
Packet size: 1280 bytes required
without fragmentation
Packet fragmentation: Routers and
sending hosts
Packet fragmentation: Sending hosts
only
IPv4 was never designed to be secure
Has native encryption and
authentication
IPsec optional
IPsec mandatory
Non-equal geographical distribution
(>50% USA)
No geographic limitations
IPv4 has the lack of security. IPv4 was never designed to be secure. It was originally
designed for an isolated military network, then adapted for a public educational &
research networks.
20
Assigning IPv6 Addresses
Click to edit Master title style
There are three methods for assigning IPv6 addresses:
• Manual
• Stateful Autoconfiguration (using a DHCPv6 server)
• Stateless Autoconfiguration (SLAAC)
21
Stateless Autoconfiguration
Click to edit Master title style
• Uses ICMP version 6 neighbor discovery to find routers and
then dynamically create IPv6 addresses
• You must connect the host to a network that uses at least one
IPv6-capable router that will send advertisement messages to
the link
• The connected IPv6 nodes can self-configure with an IPv6
address and routing parameters without further human
intervention (RFC 2462)
Stateless autoconfiguration uses neighbor discovery mechanisms to find routers and
dynamically create IPv6 addresses. To use this method for an IPv6 node, it is
important to connect the IPv6 node to a network that uses at least one IPv6 router.
The router transmits router advertisements to the link. These announcements can
allow the on-link connected IPv6 nodes to configure themselves with an IPv6 address
and routing parameters, as specified in RFC 2462, without further human
intervention.
22
Stateless Autoconfiguration
Click to edit Master title style
• The node can automatically configure its
global IPv6 address by appending its
interface identifier (64 bits) to the prefix
(64 bits) that is included in the router
advertisement messages
• This is an important feature for allowing
the rollout of new devices on the
Internet, such as mobile phones,
wireless devices, home appliances, IoT
devices, networks and more
A node on the link can automatically configure its global IPv6 address by appending
its interface identifier (64 bits) to the prefix (64 bits) that is included in the router
advertisement messages. Stateless autoconfiguration enables "plug and play," which
connects devices to the network without any configuration and without any stateful
servers (such as DHCP servers). It is an important feature for enabling the deployment
of new devices on the Internet, such as cell phones, wireless devices, home
appliances, and networks.
Note: A router announcement can even tell hosts that more configuration
parameters are available using stateful configuration (DHCPv6). These would be
other services like DNS, NTP, IP extensions, and so on.
23
IPv6 Neighbor Discovery
Click to edit Master title style
• The ICMPv6 provides the same diagnostic services as ICMPv4
o Error and informational messages
• It extends the functionality for some specific IPv6 functions
that did not exist in IPv4:
o Router solicitation and advertisement
o Neighbor solicitation and advertisement
o Redirection of nodes to the best gateway (router)
Neighbor solicitation and advertisement involves acquiring the data link layer
addresses for IPv6 neighbors
24
The IPv6 Header
Click to edit Master title style
Test Tip: The Version field is 4 bits
Traffic Class: Source host uses this field to mark the priority of outbound packets.
The IPv6 header has 40 octets (320-bits), instead of 20 octets (160-bits) as in IPv4.
The IPv6 header has fewer fields, and the header is aligned on 64-bit boundaries
Traffic Class: This 8-bit field is similar to the ToS field in IPv4. The source host uses
this field to mark the priority of outbound packets.
Next Header: The value of this field determines the type of information that follows
the basic IPv6 header. For example, the critically important ICMPv6 packet is
identified as 58 in the Next Header field.
25
IPv6 Extension Headers
Click to edit Master title style
•
IPv6 uses two distinct types of headers: The regular IPv6 Header
and IPv6 Extension Headers
• The extension headers, if there are any, follow the original 8 fields
• The number of extension headers is not fixed, so the total length of
the extension header chain is variable
IPv6 is using two distinct types of headers: Main/Regular IPv6 Header and IPv6
Extension Headers. The main IPv6 header is equivalent to the basic IPv4 one despite
some field differences that are the result of lessons learned from operating IPv4.
The options field in the IPv4 header (go back and show slide 5) is used to convey
additional information on the packet or on the way it should be processed. Routers,
unless configured otherwise, must process the options in the IPv4 header. The
processing of most header options pushes the packet into the slow path leading to a
forwarding performance hit. The options field has also been used as a vector for a
variety of network attacks as well.
Regardless, the IPv4 Options perform a key role in the IP protocol operation so the
functionality had to be preserved in IPv6. On the other hand, the impact of IPv4
Options on performance was taken into consideration in the development of IPv6. So
the functionality of options is removed from the main header and implemented
through a set of additional headers called extension headers. The main header
remains fixed in size (40 bytes) while customized EHs are added as needed.
26
IPv6 Extension Headers
Click to edit Master title style
Extension headers are an intrinsic part of the IPv6 protocol and they support some
basic functions and certain services.
27
Common Use Cases for EH
Click to edit Master title style
•
•
•
•
•
•
•
Hop-by-Hop EH is used for the support of Jumbo-grams
Destination EH is used in IPv6 Mobility
Routing EH is used in IPv6 Mobility and in Source Routing
Fragmentation EH is critical
Mobility EH is used in support of Mobile IPv6 service
Authentication EH and Encapsulating Security Payload EH
Hop-by-Hop EH is used for the support of Jumbo-grams or, with the Router Alert
option, it is an integral part in the operation of MLD. Router Alert is an integral
part in the operations of IPv6 Multicast through Multicast Listener Discovery (MLD)
and RSVP for IPv6.
• Destination EH is used in IPv6 Mobility as well as support of certain applications.
• Routing EH is used in IPv6 Mobility and in Source Routing. It may be necessary to
disable "IPv6 source routing" on routers to protect against DDoS.
• Fragmentation EH is critical in support of communication using fragmented packets
(in IPv6, the traffic source must do fragmentation-routers do not perform
fragmentation of the packets they forward)
• Mobility EH is used in support of Mobile IPv6 service
• Authentication EH is similar in format and use to the IPv4 authentication header
defined in RFC2402
28
• Encapsulating Security Payload EH is similar in format and use to the IPv4 ESP
header defined in RFC2406. All information following the Encapsulating Security
Header (ESH) is encrypted and for that reason, it is inaccessible to intermediary
network devices. The ESH can be followed by an additional Destination Options EH
and the upper layer datagram.
28
Internet Control Message Protocol (ICMP)
Click to edit Master title style
• IP is unreliable and doesn't guarantee
delivery, so ICMP is the feedback
mechanism offering feedback about
network problems
• IP also doesn’t offer a direct method
for collecting diagnostic information
• It resides somewhere between the
Transport and Network layers
• ICMP provides error messages and
informational messages
Even though IP is unreliable and doesn't guarantee delivery, it is important to notify
the sender when something goes wrong. The Internet Control Message Protocol
(ICMP) is the mechanism used to give feedback about network problems that are
preventing packet delivery. Upper protocols, like TCP, will be able to realize that
packets aren't getting through, but ICMP provides a method for discovering more
serious issues such as "TTL exceeded" and "need more fragments."
Uncommon problems like the IP checksum being in error, will not be reported by
ICMP.
ICMP messages are typically acted on by the IP layer, TCP or UDP, or even by some
web-enabled applications.
29
ICMP Characteristics
Click to edit Master title style
• ICMP will affect network operations in both positive and
negative ways
• Many border routers and firewalls will block most, if not all,
ICMP messages
• However, if blocked, diagnostic tools like ping and traceroute
will not work
• There are a number of Types and Codes and only a few are
commonly used
30
Common ICMPv4 Messages
Click to edit Master title style
Name
Type
E/I
Description
Echo Reply
0
I
Ping reply that returns data
Destination
Unreachable
3
E
Unreachable host/protocol
Redirect
5
E
Alternate gateway should be used
Echo
8
I
Ping request (data optional)
Time Exceeded
11
E
Resource exhausted (TTL decremented)
Parameter
Problem
12
E
Malformed packet or header
All of the Types and Codes are on the SANS cheat sheet
31
TCP Functionality
Click to edit Master title style
•
•
•
•
•
Addressing and multiplexing
Connection handling
Packaging and managing data
Transferring data
Providing reliability and
transmission quality
• Providing flow control
• Congestion avoidance
- Many applications use TCP for transport and multiplexing the data is accomplished
using the underlying network protocol (IP, IPX, AppleTalk, etc,) and is identified
using ports. EXAMPLE: Lets say I open up a Chrome browser session, an Internet
Explorer browser session and a Mozilla Firefox session. Each one has a different
default Home page: Google for Chrome, Bing for IE, and Yahoo for the Firefox. I
also open up my company email through Outlook On The Web in a TOR browser
and a Mozilla Thunderbird email client for my POP3 email account -- different
ephemeral source ports and different server sockets etc.
- Has processes for negotiating, establishing, managing, and terminating
connections
- Packages upper layer data with a header of valuable metadata
- TCP stack on participating node transfers the packaged segments to the TCP
process on the other node
- Maintains reliability and transmission quality
- Flow control and congestion avoidance
32
TCP Characteristics
Click to edit Master title style
•
•
•
•
•
•
•
Connection-oriented
Stream-oriented
Bidirectional transport
Allows multiple connections
Reliable and acknowledged
Unstructured data
Managed data flow
Unstructured – multiple messages are sent using TCP, the applications must offer a
method for differentiating one message (data element, database record, etc.) from
another
33
TCP Operations
Click to edit Master title style
• TCP takes the bytes from upper layers and sends it on to the
network layer protocol (IP)
• Bytes are divided into segments (a discrete piece of a stream)
• IP places them into datagrams and passes the encapsulated
packet to the link layer to be “framed” with a header and
trailer
• TCP Session Closing:
• Graceful = FIN > FIN-ACK> ACK
• Abrupt = RST/ACK
Look for wireshark output that shows a graceful TCP closing
34
TCP Operations
Click to edit Master title style
•
•
•
•
•
•
•
Since TCP is reliable, it tracks each byte of data with a sequence
number applied to blocks
Sequence numbers are used to make sure the segmented data can
be reassembled and retransmitted if necessary
To provide reliability and flow control, TCP uses a sliding window
acknowledgement system
Each node’s TCP stack uses a retransmission queue
Each sent segment is placed in the queue and a retransmission
timer is started
When an ACK is received, the data is removed from the queue
If the timer expires, the segment is retransmitted
The sliding window mechanism is very complicated yet at the heart of TCP operations
35
TCP Operations
Click to edit Master title style
TCP takes the bytes from upper layers and sends it on to the network layer protocol
(IP)
Bytes are divided into segments (a discrete piece of a stream)
IP places them into datagrams and passes the encapsulated packet to the link layer to
be “framed” with a header and trailer
36
tcpdump
Click to edit Master title style
•
•
•
Network packet sniffer that uses libpcap capture library
Simply a sniffer and not a protocol analyzer
You must be familiar with this tool and what the output looks like
on the exam
TCP has to use IPsec or SSL/TLS to get security services
TCP sends data as a continuous stream of segments instead of as discrete messages –
the application decides where one message begins and ends
37
TCP Handshake
Click to edit Master title style
38
TCP Header
Click to edit Master title style
39
TCP Control Bits
Click to edit Master title style
Subfield
Name*
Description
URG
Indicates priority data transfer feature for this segment
ACK
Indicates that segment is carrying acknowledgement
PSH
Push feature requests that data be pushed to receiving
application immediately
RST
Sender has encountered problem and needs to reset the
connection
SYN
A request to synchronize sequence numbers to establish a
connection
FIN
The sender is requesting to terminate the connection
*Each Control Flag’s subfield is 1 bit in size
40
Comparing UDP to TCP
Click to edit Master title style
•
•
•
•
•
•
UDP does not ensure data delivery
If TCP is used, the transport layer
has those additional responsibilities
UDP does not provide
segmentation services
Behavior is best-effort and
connectionless
No sequencing of segments
Best for video, audio, conferencing,
and content streams
•
Use UDP when…
• you need a rapid response from a
server (DNS query)
• the response comes back in a
single packet
• Connection costs are too high for
TCP
• you can afford to lose some data
(stock ticker, weather data,
gaming data, audio, video)
• it can be multicasted to more than
one host
Both TCP and UDP protocols manage the communication of multiple applications and
provide communication services directly to the application process on the host.
The basic service that the transport layer provides is tracking individual
communication between applications on the source and destination hosts. This
service is called session multiplexing, and it is performed by both UDP and TCP.
A major difference between TCP and UDP is that TCP can ensure that the data is
delivered, while UDP does not.
UDP provides applications with best-effort delivery and does not need to maintain
state information about previously sent data. As a benefit, UDP does not need to
establish any connection with the receiver and is termed connectionless.
Multiple communications often happen simultaneously; for instance, you may be
searching the web and using FTP to transfer a file at the same time from one laptop
host. The transport tracks these communications and keeps them separate. This
tracking is provided by both UDP and TCP. To pass data to the proper applications, the
transport layer must identify the target application. If TCP is used, the transport layer
has the additional responsibilities of establishing end-to-end operations, segmenting
41
data and managing each piece, reassembling the segments into streams of
application data, managing flow control, and applying reliability mechanisms.
UDP does not provide segmentation services - instead it expects the application
process to perform any necessary segmentation and supply it with data chunks that
do not exceed the MTU of lower layers. The MTU of the IP protocol is 1500 bytes.
Larger MTUs are possible, but 1500 bytes is the normal size.
The terms reliable and best effort are terms that describe two types of connections
between computers. TCP is a connection-oriented protocol that is designed to ensure
reliable transport, flow control, and guaranteed delivery of IP packets. For this
reason, it is labeled a "reliable" protocol. UDP is a connectionless protocol that relies
on the application layer for sequencing and detection of dropped packets and is
considered "best effort." Each protocol has strengths that make them useful for
particular applications.
41
Common UDP Services
Click to edit Master title style
•
•
•
•
•
•
•
DNS queries
Simple Network Management Protocol (SNMP)
Routing Information Protocol (RIP)
Dynamic Host Configuration Protocol (DHCP)
Datagram TLS (DTLS)
Real-time audio and video streaming protocols
Business applications
Numerous key Internet applications use UDP, including: the Domain Name System
(DNS), where queries must be fast and only consist of a single request followed by a
single reply packet, the Simple Network Management Protocol (SNMP), the Routing
Information Protocol (RIP)[1] and the Dynamic Host Configuration Protocol (DHCP).
Voice and video traffic is generally transmitted using UDP. Real-time video and audio
streaming protocols are designed to handle occasional lost packets, so only slight
degradation in quality occurs, rather than large delays if lost packets were
retransmitted. Because both TCP and UDP run over the same network, many
businesses are finding that a recent increase in UDP traffic from these real-time
applications is hindering the performance of applications using TCP, such as point of
sale, accounting, and database systems. When TCP detects packet loss, it will throttle
back its data rate usage. Since both real-time and business applications are important
to businesses, developing quality of service solutions is seen as crucial by some.
Some VPN systems such as OpenVPN may use UDP while implementing reliable
connections and error checking at the application level.
42
The CIA Triad
Click to edit Master title style
Confidentiality
CIA Triad
Integrity
Availability
43
Confidentiality
Click to edit Master title style
• Confidentiality is the act of preserving authorized restrictions
on information access and disclosure, including means for
protecting personal privacy and proprietary information
using:
• Cryptosystems
• Compartmentalization
• Encapsulation
44
Integrity and Availability
Click to edit Master title style
• Integrity involves guarding against improper information
modification or destruction and ensuring information nonrepudiation and authenticity using:
• Cryptographic hashing
• Digital signatures
• Availability – ensuring timely and reliable access to and use of
information using
•
•
•
•
Backups and snapshots
Redundancy and failover
Availability zones
Business Continuity Planning
45
Categories of Controls
Click to edit Master title style
• Administrative/Managerial Controls are activities that
enforce the guidance, risk treatment, and policy directives of
an organization
• Examples: acceptable use policies, no piggybacking or tailgating
directives, security awareness training
• Technical Controls are combinations of software and
hardware to achieve confidentiality, integrity, and availability
• Examples: firewalls, routers, endpoint protections, web
application firewalls, cloud-based threat modeling
46
Categories of Controls
Click to edit Master title style
• Operational/Physical Controls deal with
the effectiveness of your controls
combined with the protection of
personnel, data, hardware and the
facility from physical threats that could
harm, damage, or disrupt business
operations
• Examples: IAM, SSO, gates, etc.
47
Types of Controls
Click to edit Master title style
• Directive Controls are managerial or administrative measures
to advise personnel on the proper behavior and handling of
systems, applications, services, and physical components
• Examples: AUPs, written policies, guidelines, best practices, etc.
• Preventative Controls are physical, technical, and
administrative measures to preclude activities that may
violate policy or increase risk to resources and assets
• Examples: firewalls, IPS, security guards, biometrics, fences and
gates, locks, mantraps, etc.
48
Types of Controls
Click to edit Master title style
• Deterrent controls include implementing warnings and
forewarnings of consequences to security violations
• Examples: signage, bollards, banners, guards, dogs, lighting,
video Surveillance, alarms, etc.
• Corrective (compensating) controls leverage all control
categories to respond to the detection of an event or incident
to eliminate or reduce any unwanted consequences
• Examples: software and firmware updates to applications and
systems, policy enforcement, privilege removal, etc.
49
Types of Controls
Click to edit Master title style
• Recovery controls are triggered
once an incident compromises
confidentiality, integrity, or
availability to restore systems
back to an acceptable state
• Examples: BCP, DRP, offsite
facilities, snapshots and backups
50
Enterprise Architecture
Click to edit Master title style
“Enterprise architecture is a well-defined security architecture that links
all necessary security controls to a combination of design, baseline
administrative controls, business drivers, legal requirements, and threat
scenarios. It ensures that all the necessary physical, administrative, and
technical safeguards are in place and in sync with each other and with the
overall IT architecture and business culture.“
- Ken Cutler, CISSP, CISA, Managing Director of Information Security
Institute
51
NIST Enterprise Security Architecture
Click to edit Master title style
52
The Center for Internet Security (CIS®)
Click to edit Master title style
•
The CIS® (Center for Internet Security, Inc.) is a progressive, nonprofit organization that leverages a global IT community to defend
private and public organizations against cyber threat actors and
their exploits and malware
• The CIS offers four popular services:
• The CIS Controls®
• CIS Benchmarks™
• CIS Hardened Images®
• The Multi-State Information Sharing and Analysis Center® (MSISAC®)
• Make sure you are familiar with the CIS on the exam
53
The CIS Controls®
Click to edit Master title style
• The CIS Controls® are a prioritized collection of activities and
controls to protect the enterprise, systems, applications, and
data from known cyber attack vectors
• There are 20 controls and resources in three categories:
• Basic
• Foundational
• Organizational
54
Sample CIS Control Countermeasures
Click to edit Master title style
• Inventory of Authorized and Unauthorized Software
• Devise a list of authorized software monitored with file-integrity
checking tools
• Deploy application whitelisting on firewalls from layer 3 to layer
7 of OSI model
• Deploy software inventory tools to track operating systems and
applications in a CMDB
• Virtual machines, containerization, and air-gapped systems
should be used as often as feasible
55
CIS Benchmarks™
Click to edit Master title style
• CIS Benchmarks™ are best practices to securely configure
various systems
• The benchmarks are available for more than 140 technologies
• They were established using an exclusive technique built from a
consensus of global cybersecurity professionals and subject
matter experts around the world
• CIS Benchmarks™ are security configuration guides created by
government, business, industry, and academia
56
CIS Hardened Images®
Click to edit Master title style
• CIS provides virtual images that are hardened using CIS
Benchmarks™ secure configuration guidelines
• CIS Hardened Images™ offer a secure, on-demand, scalable
computing environment
• They are available from the leading cloud computing providers AWS, Azure, and Google Cloud Platform
57
The MS-ISAC®
Click to edit Master title style
• The Multi-State Information Sharing and Analysis Center® (MSISAC®) has the mission of improving the total cybersecurity
stance of the nation's state, local, tribal and territorial
governments using concentrated cyber threat prevention,
protection, response, and recovery techniques
58
The MS-ISAC®
Click to edit Master title style
• 24/7 Security Operation Center
• Incident Response Services
• Cybersecurity Advisories and
Notifications
• Access to Secure Portals for
Communication and Document
Sharing
• Cyber Alert Map
• Malicious Code Analysis
Platform (MCAP)
•
Weekly Top Malicious Domains/IP
Report
• Monthly Members-only Webcasts
• Access to Cybersecurity Table-top
Exercises
• Vulnerability Management
Program (VMP)
• Nationwide Cyber Security
Review (NCSR)
• Awareness and Education
Materials
59
Assurance Standards Mapping
Click to edit Master title style
Assurance Standard
References
NIST 800-53 rev. 4
CA-7: Continuous Monitoring
CM-2: Baseline Configuration
CM-8: Information System Component Inventory
CM-10: Software Usage Restrictions
CM-11: User-Installed Software
SA-4: Acquisition Process
SC-18: Mobile Code
SC-34: Non-Modifiable Executable Programs
SI-4: Information System Monitoring
PM-5: Information System Inventory
NIST Core Framework (2014)
ID.AM-2: Asset Management
PR.DS-6: Data Security
ISO 27002:2013 Annex A
A.12.5.1: Installation of software on operational
systems
A.12.6.2: Restrictions on software installation
There are a number of parallels between the CIS Controls and various NIST and ISO
controls as seen in this table. This is just a sampling, and although the mappings are
not necessarily a one-to-one match, the concepts overlap quite effectively
60
Access Control Concepts
Click to edit Master title style
• Access management and control must
always be driven by the Least Privilege
principle
• There are a variety of models that can be
used depending on the organization type
and sensitivity of the subjects and objects
involved
• Data classification is critical and is the
responsibility of the data owner
61
Data Classification
Click to edit Master title style
• Common government
classifications:
• Top Secret
• Secret
• Secret but unclassified
• Confidential
• Unclassified
• Common private sector or
commercial classifications:
• Confidential
• Private
• Sensitive
• Public
Top secret is the highest level of sensitivity and should garner the most mission
critical protection controls
Secret is very important, and exposure could harm agency, governmental unit, or
even national security
SBU – is not classified but should be protected as the unauthorized release could
jeopardize confidence in the organization or cause embarrassment and loss of
goodwill with other entities
Confidential data should be well-protected and might be a threat to subjects if
compromised – usually personnel files, PII, PHI, and IP
Unclassified – some or all of this information could be released under the right
circumstances. There may be some redaction to maintain confidential or SBU
information
62
Data Classification Process
Click to edit Master title style
1.
2.
3.
4.
5.
6.
Identify roles such as owner, custodian, steward, and user
Classify and label (tag) data
Identify exceptions based on review board
Designate controls
Identify processes for de-classification, transfer, and disposition of
data
Conduct ongoing awareness and continual improvement
The owner is responsible for classifying the data and determining the sensitivity level
in the model or architecture
A data custodian is accountable for data assets from a technical perspective such as
granting temporary access through tickets or assertions.
A data steward is accountable for data assets from a business perspective.
The user us responsible for working with the data within the permission set and
acceptable use policies
63
Key Terms
Click to edit Master title style
• Identity is claiming to be a certain entity
• Authentication is the process of proving who you are using
various factors
• Something you have, know, are, or reside
• Authorization dictates actions
• Accounting is for auditing and/or billing purposes
64
Key Principles
Click to edit Master title style
• Least Privilege is giving just the right amount of access
• Need to Know relates to mandatory access controls that use
sensitivity levels and lattices
• Separation of duties divides critical tasks or systems to be
operated by one or more subjects
• Rotation of Duties involves a revolving job role for personnel
to mitigate against theft, fraud, or a single point of failure
• Mediated Access uses proxies
Separation of duties is called Dual Operator when 2 high-level parties are involved
Rotation of duties can also include the “forced vacation” principle
65
Access Control Models
Click to edit Master title style
•
Discretionary Access Control (DAC)
• Managed by the owner of object and can grant permissions to
other entities
• Mandatory Access Control (MAC)
• Uses a strict set of established sensitivity levels and access
controls for integrity and confidentiality based on classifications
• Role-based Access Control (RBAC)
• Based on group or role assignments from directory, org chart,
functions, etc.
66
Access Control Models
Click to edit Master title style
•
Rule-based (ruleset) Access Control
• A set of rules processed in a certain order and applied to users,
data, or traffic common with firewalls and access control lists
• Attribute-based Access Control (ABAC)
• Dynamic controls based on different variables and user
behavior
• Token-based Access Control
• Temporary access granted by assertions made using federated
services like Single Sign-On
Token-based: SAML 2.0 assertions, AWS Security Token Service (STS), Microsoft
Kerberos tickets, Azure shared access signature (SAS) token, or JSON Web Token
(JWT) used in OAUTH 2.0
67
Password Management
Click to edit Master title style
• Passwords are still widely used
credentials for access even though they
represent a continuous vulnerability due
to human error
• They should always be part of a multifactor authentication if used
• Consider password managers and SSO
solutions
68
Single Sign-On with AWS SSO
On-Premise AD
Click to edit Master title style
SSO
SSO
Custom
SAML 2.0
Applications
SSO
Cloud Business
Applications
OU
Dev
OU
Prod
AWS Organization
69
Single Sign-On Considerations
Click to edit Master title style
• Advantages of SSO:
•
•
•
•
•
•
Can reduce security risks
Simplifies management
Reduces password fatigue
Protects identities
Improves productivity
Reduces workloads for
helpdesk and service desk
• Establishes solutions are readily
available
•
Challenges of SSO:
• Passwords must be long and
strong
• Single point of failure
• Can be cumbersome to deploy
(SAML for example)
• Risky on multi-user systems
• Social network use enhances
organizational risk
• Data can be sold to thirdparties
70
Irreversible Cryptosystems and Hashing
Click to edit Master title style
• In many organizations,
passwords are the only security
control used for authentication
and authorization of access
• Irreversible encryption and
hashing algorithms are
commonly used by operating
systems to store passwords
• Common for servers to store
hashes on backend databases
Computer systems store only the hashed passwords and not the original password on
disk. When a user tries to authenticate, the system applies a hash algorithm to the
user-supplied password to see if it matches the one in storage.
Also common for web servers to store password hashes in a backend SQL or NoSQL
database
71
Cryptographic Hashing of Passwords
Click to edit Master title style
72
Password Cracking
Click to edit Master title style
•
•
•
•
•
The technique to determine or guess plaintext passwords
The algorithm is not broken
Each guess is hashed and compared to a stored value
Can be an online or offline operation
There a many standalone tools and module in exploit kits
available on the web
• The tools are often combined with various published lists
73
Password Hash Cracking
Click to edit Master title style
74
Password Cracking
Click to edit Master title style
1. Locate a valid username or ID
2. Determine the algorithm
used
3. Get the hashed password
4. Create or download a
wordlist
5. Hash each password in the
list
6. Find a match
• Brute Force – attempting
every possibility in keyspace
• Dictionary – using a word file
or dictionary of feasible
passwords
• Pre-computation – using
Rainbow tables of precomputed hash values
• Hybrid – a combination of
techniques in succession
75
Password Attack Countermeasures
Click to edit Master title style
•
•
•
•
Strong password policies
Avoid common patterns
Use mnemonic techniques
Add additional factors
•
•
•
•
OTP token/card
TOTP soft tokens
Challenge/response
Biometrics (fingerprint, facial, retina, iris, voice, etc.)
Common patterns: dictionary words and jargon, birthdays, names, common numbers,
environment attributes, qwerty key patterns
76
Network Types
Click to edit Master title style
• Personal Area Network (PAN)
• Bluetooth, Infrared, Tethered Wi-Fi
• Local Area Network (LAN)
• Ethernet, fiber, wireless
• Campus Area Network (CAN)
• Fiber, wireless mesh
• Metropolitan Area Network (MAN)
• FDDI ring, fiber, wireless mesh
• Wide Area Network (WAN)
77
Network Topologies
Click to edit Master title style
•
•
•
•
•
•
Bus topology
Ring topology
Star topology
Tree topology
Hybrid topology
Mesh topology
78
Physical Star Topology
Click to edit Master title style
79
Logical Star Topology
Click to edit Master title style
80
Mesh Networks
Click to edit Master title style
This type of network offers the greatest fault tolerance
81
Network Zones
Click to edit Master title style
• Zoning is used to counter the risk of an open network by
partitioning infrastructure services into logical groupings that
have the same communication security policies and security
requirements
• Zoning is a logical design approach used to manage and
govern access and data communication flows according to
security policies
• A zone is defined by a logical grouping of services under the
same policy constraints, driven by business requirements
82
Network Zones
Click to edit Master title style
• Every zone contains one or more separate, routable networks
• Every separate, routable network is contained within a single
zone
• Every zone connects to another zone via a perimeter that
contains zone interface points (firewalls and load balancers)
• The only zone that may connect to the public zone is the
public access zone or subnet (DMZ)
83
Network Zones
Click to edit Master title style
Uncontrolled
Zones
Internet
Controlled
Zones
DMZ
Perimeter
Web Tier
Perimeter
Perimeter
DB Tier
Perimeter
Perimeter
Directory
Services
MGMT
VLAN or
Other
Restricted
Tier
Perimeter
Describe on-premises vs. AWS scenario
84
Network Zones
Click to edit Master title style
Jump
Jump
85
Network Hubs and Taps
Click to edit Master title style
• Hubs (micro hubs)
• Traditional Ethernet hubs have become virtually obsolete and
replaced with switches or USB micro hubs
• Network Taps
• A Network Tap (Terminal Access Point) is used by administrators
and attackers to capture packets inline to analyze a network
• Has A, B, and C ports
These are OSI layer 1 devices
86
Packet Sniffers can use Taps
Click to edit Master title style
87
Secure Access Switches
Click to edit Master title style
• Security Switches or L2 data plane control is part of a trend to
move security closer to the endpoints
• Security Switches offer a variety of services to secure frames
to and from endpoints and between switches
• There should be an established secure setup baseline
88
Securing a Cisco 3550 switch
Click to edit Master title style
89
Switch Security Features
Click to edit Master title style
• IEEE 802.1x (PNAC) and RADIUS/DIAMETER
• IEEE 802.1AE MACsec with AES-GCM-128/256
• DHCP Snooping Database
• IP-ADDR + MAC-ADDR + VLAN-ID + PORT-ID
• Supports Dynamic ARP Inspection (DAI)
• Supports IP Source Guard (PACLs)
• Ethertype ACLs
90
802.1X (PNAC)
Click to edit Master title style
91
802.1AE MACsec
Click to edit Master title style
AES-128-GCM with GMAC
or
AES-256-GCM with GMAC
92
Wireless APs and Controllers
Click to edit Master title style
Wireless Analysis
IAM
IDS/IPS
Rogue Detection
802.1X
802.11w – MFP
WPA3 Enterprise
93
Secure Routers
Click to edit Master title style
Routers are primarily layer 3 devices although they can function as Layer 2 (bridged or
transparent mode) through Layer 5/7 (Application layer gateways – deep packet
inspection) devices. They physically and logically separate broadcast domains or
VLANs. Typically route IPv4 and IPv6 traffic although other routed protocols like
AppleTalk and IS-IS (Intermediate System-to-Intermediate System protocol) can be
supported depending on the environment. IS-IS is still used at the core of some ISP
networks.
Routers require knowledge of all of the LANs in their domain to decide which
destination packets will be forwarded. If the destination does not exist in the router's
routing table, the packet should be dropped. Routers use static routing or dynamic
routing protocols such as RIPv2, OSPF, EIGRP, BGP, and others.
Security Services: (modular and/or integrated into O/S) Firewall services, IDS/IPS, VPN
gateways and concentrators; NAT and PAT translation; URL filtering; Proxy services;
Inspection of traffic layer 2-7 (DPI,AIC)
94
Secure Routers
Click to edit Master title style
• Primary roles of a router
• Packet forwarding on the data
plane and VRF
• Inter-area and AS routing
• QoS and traffic engineering
• Static packet filtering
(Infrastructure ACL)
• VoIP and Wireless gateways
or bridging
• Security roles of a router:
• Firewall services
• IDS/IPS
• VPN gateways and
concentrators
• NAT and PAT translation
• URL filtering and proxies
• Inspection of traffic layer 2-7
(DPI,AIC)
Security Services of a router: (modular and/or integrated into O/S)
95
CSP Elastic Load Balancing
Click to edit Master title style
• Elastic Load Balancing (ELB) automatically distributes
incoming application traffic across multiple targets, such as
Amazon EC2 instances, containers, and IP addresses
• It can handle the varying load of your network (TCP, UDP) or
application (HTTP/HTTPS) traffic in a single Availability Zone
or across multiple zones (failover)
• Can also perform flow logging, TLS 1.2/3 gateway services
(Listener), certificate services, web application firewall (WAF),
health checks, offload to HSM or SSL accelerator
96
ELBs and Auto-scaling
Click to edit Master title style
Internet
97
Firewalls
Click to edit Master title style
• A firewall is a metaphor representing an integrated security
system combining hardware (physical or virtual) and software
and/or on-premise and cloud-based solutions
• Firewalls should be placed between all domains, zones,
networks and subnets (VLANs) in order to “prevent the fire from
spreading”
• Linux builds have a native stateful firewall called iptables
iptables –A INPUT –p tcp –dport ssh –j ACCEPT
Append this rule to the input chain to view ingress traffic; look for TCP (-p tcp); if so,
does it go to the destination SSH port?; if yes, then permit the traffic (-j ACCEPT)
98
Firewalls
Click to edit Master title style
•
•
•
•
•
Physical vs. virtual
Stateless (NACLs) vs. stateful
Whitelisting only
Restrictive vs. permissive
Web Application Firewall
(ALG/AIC/AVC/DPI/Layer 5-7)
• Proxy services (mediated access)
for NAT, authentication, IPS, and
more
99
Next Generation Firewalls
Click to edit Master title style
• URL and reputation filtering
• Application Visibility and Control
(WAF)
• Content Security
• Intrusion prevention (IDS/IPS)
• Advanced malware protection with
cloud correlation
• VPN gateway with inspection
• Integration with directories
• Machine Learning
URL Filtering: cloud server-based web site reputation scores
Application Visibility and Control: For example, applications like Skype and
Webex or P2P file sharing that can hop from one port to another can be
recognized. Another example is only whitelisting Facebook without features
like gaming. IM without web cam or sending files.
Context Awareness: Who is connecting, to what, from where, using what
device, at what time?
Intrusion Prevention System:
Advanced Malware Protection with Cloud correlation
100
NG Application Visibility and Control
Click to edit Master title style
101
NG Application Visibility and Control
Click to edit Master title style
102
NG Application Visibility and Control
Click to edit Master title style
103
Web Application Firewall (WAF)
Click to edit Master title style
• Generate or leverage WebACLs that match on:
•
•
•
•
IP addresses of originating requests
Country that requests originate from
Values in request headers (e.g. User-Agent, Content-Type)
Literal or regex string patterns that appear in requests
(e.g. [cC][mM][dD].[eE][xX][eE])
• Length of requests (buffer overflows)
• Presence of SQL injection code that is likely to be malicious
• Presence of a malicious cross-site scripting attack
104
Automating WAF at AWS
Click to edit Master title style
@aws.amazon.com
105
IDS and IPS
Click to edit Master title style
• Today we typically just use the term IPS for intrusion
detection and prevention services depending on the mode of
operation
• IPS will begin in a passive/monitor (IDS) mode
• Traditional sensors are Signature/Rule/Anomaly based
• Anomaly-based based builds a knowledge base over several
hours and then looks for deviations from the baseline
• NGIPS uses cloud-based heuristics and machine learning
• Heuristic analysis uses rules and estimation engines to
discover anomalies
106
IPS Deployment Options
Click to edit Master title style
•
•
•
•
NIPS or HIPS
Switch SPAN port or a network tap (GIGAMON or VIAVI nTap)
Between VLANs on multi-layer switch or hypervisor
As a multiport bridge or routing appliance with multiple
interfaces
• Cloud-based MSSP solution
107
IPS Deployment Options
Click to edit Master title style
•
•
•
•
•
•
IPS sensor is in fail-open or fail-closed modes
Tuning and optimization is critical before deploying
True positive = correct + action
True negative = correct + no action
False positive = error + action
False negative = error + no action
True positives: The security control, such as an IPS sensor, acted as a consequence of
malicious activity. This represents normal and optimal operation.
True negatives: The security control has not acted, because there was no malicious
activity. This represents normal and optimal operation.
False positives: The security control acted as a consequence of non-malicious activity.
This represents an error, generally caused by too tight proactive controls (which do
not permit all legitimate traffic) or too relaxed reactive controls (with too broad
descriptions of the attack).
False negatives: The security control has not acted, even though there was malicious
activity. This represents an error, generally caused by too relaxed proactive controls
(which permit more than just minimal legitimate traffic) or too specific reactive
controls.
108
Cisco IPS Sensor
Click to edit Master title style
109
Snort is an Open-source IDS
Click to edit Master title style
•
•
•
•
Excellent lightweight NIDS with a good reputation since 1998
Low-cost or free versions
Can identify several attack variants with flexible ruleset
Administrators can create custom pattern matching rules for
zero-days, new worms, and exploits
110
A Basic Snort Rule
Click to edit Master title style
Snort 101 and Snort Rules
https://www.youtube.com/watch?v=W1pb9DFCXLw
https://www.youtube.com/watch?v=RUmYojxy3Xw
111
IEEE 802.11 Wireless
Click to edit Master title style
• 802.11 was created in 1997 and ratified by IEEE in 1999
• .11b in 1999 offered max bandwidth of 11 Mbps in the 2.4 GHz
frequency
• .11a in 1999 with max BW of 54 Mbps in 5 GHz range
• .11g in 2003 with max BW of 54 Mbps in 2.4 GHz range
• These were all officially incorporated in 2007
• 802.11n came in 2009 and offered BW from 100 – 600 Mbps
• Enhanced performance due to Multiple Input Multiple Output
(MIMO) and signal reflection
• Operates in both 2.4 GHz and 5 GHz ranges
• Standardized in 2012
112
802.11ac and .11ax Wireless
Click to edit Master title style
• 802.11ac is the most recent standard
ratified in 2016
• Aggregate BW of 1 Gbps with some
deployments to 6.77 Gbps
• Utilizes multiple radios and
bandwidth aggregation in the
5 GHz range
• Newest, non-ratified draft is
802.11ax in ranges below 6 GHz with
speeds up to 11 Gbps using
aggregated bandwidths
113
Evolution of Wireless Security
Click to edit Master title style
• Wi-Fi Protected Access 1 (WPA-2003) was a temporary
fix to the first WEP security mechanism
• Used TKIP to generate “better” keys for underlying RC4
encryption
• Used a Message Integrity Check (MIC) to thwart forgery
and replay
• Both protocols had issues so WPA 2 was introduced
afterwards
• Remember that Kismet is a popular wireless network
sniffer and wireless IDS
WEP has been deprecated due to the following reasons:
Hackers can easily obtain challenge phrase and encrypted response to crack the WEP
key
Crackers have decrypted captured data traffic
Provides only weak encryption of data
The initialization vector (IV) is a clear-text 24-bit field – a pseudo-random number
used along with the secret key for data encryption
The small space guarantees the re-use of the same key stream
The weakness is NOT with the RC4 protocol per se
Temporal Key Integrity Protocol - TKIP
114
Evolution of Wireless Security
Click to edit Master title style
• WPA2 was the replacement for
WPA in 2004 and devices required
testing and certification from Wi-Fi
Alliance by 2006
• Based on IEEE 802.11i
• Supports PSK and Enterprise
authentication
• In October 2017, the major KRACK
attack targeted the 4-way
handshake
Temporal Key Integrity Protocol - TKIP
115
Evolution of Wireless Security
Click to edit Master title style
•
WPA2-PSK (personal)
• Shared secret key is used
• Manually configured on devices and AP
• Local access controls
• AES-128 used for encryption
• WPA2-Enterprise (802.1X)
• Authentication server is required
• Centralized RADIUS used for authentication and key
distribution
• AES-128 used for encryption
• Management Frame Protection (PMF or MFP) was
introduced in WPA 2
116
Protected Management Frames (PMF)
Click to edit Master title style
• Wi-Fi uses three different frame types: Management, Control,
and Data
• Management frames like authentication,
de-authentication, association, disassociation, beacons, and
probe frames are used by wireless stations to locate and
connect wireless networks
• They also manage the client connection after a successful
association
117
Protected Management Frames (PMF)
Click to edit Master title style
• To keep your Wi-Fi infrastructure safe from attack, you should
implement Management Frame Protection (MFP) features
• The management frames sent between APs and clients are
protected, so that both APs and clients can detect and drop
invalid or spoofed management frames
• APs can be set up to not emit certain broadcast management
frames like disassociation, deauthentication, or action frames
118
Protected Management Frames (PMF)
Click to edit Master title style
• Based on IEEE 802.11w, PMF offers integrity protection for
both unicast and broadcast management frames
• It also encrypts unicast management frames in the same way
as data to ensure data confidentiality
• Protected Management Frames are intended to stop a variety
of wireless attacks such as disconnect, honeypot, and evil
twin
• Device vendors and security administrator should make sure
that Protected Management Frames are configured
automatically
119
WPA3
Click to edit Master title style
• WPA3 adds new mechanisms to streamline wireless security,
support more robust authentication schemes, and deliver
increased cryptographic strength for sensitive data
• All WPA3 networks will utilize the latest security techniques
while prohibiting outdated protocols
• WPA3 requires the use of Protected Management Frames
(PMF) to preserve the resiliency of mission critical wireless
networks
120
WPA3-Personal
Click to edit Master title style
• Use for SO/HO environments or when devices can’t support
802.1X authentication
• WPA3-Personal provides the Simultaneous Authentication of
Equals (SAE)
• SAE is a secure key establishment protocol between wireless
nodes to provide strong protections against third-party
password guessing tools
121
WPA3-Personal
Click to edit Master title style
• The Wi-Fi Alliance said in a past statement: “Recently
published research identified vulnerabilities in a limited
number of early implementations of WPA3 Personal, where
those devices allow collection of side channel information on
a device running an attacker’s software, do not properly
implement certain cryptographic operations, or use
unsuitable cryptographic elements.”
This relates to the Dragonfly handshake, which forms the core of WPA3, and is also
used on certain Wi-Fi networks that require a username and password for access
control: the EAP-pwd protocol.
122
WPA3-Enterprise
Click to edit Master title style
• WPA3-Enterprise offers a new 192-bit security level based on
the NSA’s ‘Suite B’ Cryptography for environments needing
stronger security
• It allows fewer EAP types to be used:
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(mandatory)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (optional)
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (optional)
• It only allows GCMP-256 encryption
123
Personal Area Networks (PAN)
Click to edit Master title style
•
•
The primary PAN technology in use today is Bluetooth
Bluejacking is a legacy Bluetooth prank that takes advantage of
sending contact information automatically without authentication
or authorization
• The cracker creates an address book object and a contact in the
contact list then spoof a name to appear on your phone
• Bluesnarfing is much more dangerous as it can steal data from a
wireless device over the Bluetooth connection
• Often conducted between iPhones, Android phones, iPods, iPads,
laptops, and assorted PDAs
• Bluesnarfing can access contact lists, calendars, emails, and text
messages
124
Personal Area Networks (PAN)
Click to edit Master title style
• Zigbee is a low-power solution that
can even run on batteries
• A collection of automation
standards
• Based on IEEE 802.15.4
• Less expensive and easier to deploy
PAN alternative to Bluetooth
125
Near Field Communications (NFC)
Click to edit Master title style
• NFC technologies let you harness the benefits of rapid and
contactless payments
• They facilitate entry and exit from transit systems without
long waiting times
• The advantages of RFID/NFC for travelers and shoppers are
abundant and the technology will only expand in the future
126
NFC Threats and Vulnerabilities
Click to edit Master title style
• Cloning and emulating Point-of
Sale (POS) devices
• Sniffing, spoofing, and replay attacks
• Man-in-the-middle attacks
• Denial of service
• RFID malware
127
NFC Threats and Vulnerabilities
Click to edit Master title style
• NFC and RFID blocker tags and
jammers can mitigate
• Special blocking wallets
• RFID zapper
• Disposable cameras that disable
RFID chips
128
5G
Click to edit Master title style
• 5G offers bigger channels to speed data transfer, lower
latency, and the ability to connect to many devices
simultaneously
• Low-band 5G operates in frequencies below 2GH - the oldest
cellular and TV frequencies
• Mid-band 5G is in the 2-10GHz range. That covers most current
cellular and Wi-Fi frequencies, as well as frequencies slightly
above those
Low-band can go great distances, but there aren't very wide channels available, and
many of those channels are being used for 4G. So low-band 5G is slow. It acts and
feels like 4G, for now. Low-band 5G channels are from 5MHz in width (for AT&T) up to
20MHz (for T-Mobile), so you can see they aren't roomier than 4G. Complicating
things, AT&T and T-Mobile low-band phones sometimes show 5G icons when they
aren't even using 5G, making it hard to tell any difference.
Mid-band 5G is in the 2-10GHz range. That covers most current cellular and Wi-Fi
frequencies, as well as frequencies slightly above those. These networks have decent
range from their towers, often about half a mile, so in most other countries, these are
the workhorse networks carrying most 5G traffic. Most other countries have offered
around 100MHz to each of their carriers for mid-band 5G. Here in the US, New TMobile will use Sprint's spectrum for a mid-band network, using up to 120MHz per
city. AT&T and Verizon will shave off little bits of their 4G spectrum using DSS for midband 5G, 10MHz here and 10 there.
129
5G
Click to edit Master title style
• High-band 5G is also called millimeter-wave
• So far, it is mostly airwaves in the 20-100GHz range that
haven't been used for consumer applications before
• They are very short range with 800-foot distances from
towers
• Can provide very fast speeds using up to 800MHz at a time
• Verizon relies extensively on high-band, which it calls “ultra
wideband”
130
5G
Click to edit Master title style
• With current phones in low- and mid-bands, you can combine
two 100MHz channels, for 200MHz usage and you can also
stack three more 20MHz 4G channels on top of that
• In high-band 5G, you can use up to eight 100MHz channels
• Dynamic spectrum sharing (DSS) allows carriers (like AT&T
and Verizon) to dynamically split channels between 4G and
5G based on demand with DSS-compatible phones
• Studies are not definitive on the dangers to people and
animals from high-band
Many devices: sensors, smart devices, IoT.
The great speeds 5G carriers promise are just about leveraging more airwaves at
once. But if you don't have the airwaves available, you don't get the speeds.
131
Attacks: Replay
Click to edit Master title style
• On a wireless network, it is easier to gather the data
necessary for a replay attack
• WEP and WPA are vulnerable to ARP replay attacks, among
others, as there are many tools available that will crack their
encryption keys (AirSnort and AirCrack are classics)
• Ettercap and dsniff are two popular man-in-the-middle attack
tools that use Wireshark to modify the data in transit
132
Attacks: Rogue APs
Click to edit Master title style
• Honeypots and Evil Twins are
malicious rogue APs tricking users
to associate
• Can be a wireless man-in-themiddle attack or DHCP starvation
• An evil twin AP replaces an existing
network so users will connect to
the fake one instead of the real one
• Evil twins spoofing a public hotspot
can also be a serious concern
Modern managed APs and controllers can detect other APs over the air, and if not
known it is classified as a rogue
The location of the rogues can be plotted on a floor-plan map
If the found AP is determined to be a known internal AP, it can be marked accordingly
If the AP is found to be a neighboring wireless LAN, such as in a hotspot or adjacent
business, then it can be marked as a known external
133
Attacks: Jamming
Click to edit Master title style
• Jamming is a form of wireless DoS attack that floods the RF
with interference or excessive traffic so that wireless links
cannot be sustained
• Exploit kits have several jamming modules and scripts
included for hard and soft APs
• Some DoS attacks may not be due to malicious activity, but
rather poorly written drivers on endpoint Wireless NICs
134
Attacks: Disassociation
Click to edit Master title style
• Wireless clients use authentication, deauthentication,
association, disassociation, beacons, and probe frames to find
an AP and initiate a network session
• Attacker spoofs the AP MAC address and sends management
frames, usually deauthentication or disassociation messages,
to valid clients
• The goal is typically to perform a DoS attack against the
network or to force the client to reauthenticate
Wireless clients use control and management frames, such as authentication and
deauthentication, association and disassociation, beacons, and probes, to choose an
AP and initiate a session for network service
AP impersonation is a common attack against wireless networks where the attacker
spoofs the AP MAC address and sends management frames, usually deauthentication
or disassociation messages, to valid clients
The goal is typically to perform a DoS attack against the network or to force the client
to reauthenticate
135
Attacks: Wi-Fi Protected Setup (WPS)
Click to edit Master title style
•
•
•
•
Originally called “Wi-Fi Simple Config”
Attacks on the PIN generated by the AP entered on the device
Online and offline brute-force attacks are possible
Captured packets determine PIN and gain unauthorized
access
• If the device does not allow the pin to be changed,
unauthorized access is possible
• If the AP is accessible by anyone, just push the button
PIN is printed on device or listed in configuration menu
136
Attacks: WPA2 KRACK
Click to edit Master title style
•
•
•
•
Key reinstallation attacks (KRACK) are a form of cyberattack that
exploits a vulnerability in WPA2 resulting in stolen data transmitted
over networks
An encrypted WPA2 connection is initiated with a four-way
handshake sequence, but the entire sequence is not required for a
reconnect - only the third part of the four-way handshake needs to
be retransmitted
When a user reconnects to a familiar Wi-Fi network, the network
resends the third part of the handshake sequence and this
resending can occur multiple times to ensure the connection
succeeds
This repeatable step is the vulnerability that can be exploited by a
man-in-the-middle evil twin or rogue AP
An encrypted WPA2 connection is initiated with a four-way handshake sequence,
although the entire sequence isn’t required for a reconnect. In order to enable faster
reconnections, only the third part of the four-way handshake needs to be
retransmitted. When a user reconnects to a familiar WiFi network, the WiFi network
resends them the third part of the handshake sequence; this resending can occur
multiple times to ensure the connection succeeds. This repeatable step is the
vulnerability that can be exploited.
137
Attacks: WPA3
Click to edit Master title style
• In July 2019 two security researchers disclosed information
regarding several vulnerabilities (known as Dragonblood) in
the Wi-Fi Alliance's WPA3 Wi-Fi security and authentication
standard
• Three main attack categories:
• Downgrading to WPA2
• Offline password cracking through side-channel attack
• Denial of service
Dragonfly is the key exchange mechanism through which users authenticate on a
WPA3 router or access point. In April, Vanhoef and Ronen found that Dragonfly key
exchanges that relied on P-521 elliptic curves could be downgraded to use the
weaker P-256. As a result, the WiFi Alliance recommended that vendors use the
stronger Brainpool curves as part of the Dragonfly algorithms. However, we found
that using Brainpool curves introduces a second class of side-channel leaks in the
Dragonfly handshake of WPA3.
138
Common Social Engineering Attacks
Click to edit Master title style
•
•
•
•
Tailgating and piggybacking
Scams, fraud, and hoaxes
Dumpster diving
Shoulder surfing
• Watering hole
• Influence campaigns
• Trolling organizational
social media sites
Eliciting information and reconnaissance, hoaxes, Identity fraud, Impersonation and
pretending, Invoice scams, Credential harvesting
Influence campaigns are also called misinformation operations and influence
operations:
To Launch propaganda or disinformation initiative – and - Gain a competitive
advantage or confuse adversary or competitor
139
Phishing Attacks and Variants
Click to edit Master title style
• Phishing is a cyber attack that
uses disguised email and
webmail as a delivery method
• The goal is to hoax the
recipient into accepting it as a
real message
• Attackers request reply,
clicking a hyperlink or
downloading an attachment
• Spear phishing targets specific
roles and responsibilities
• Whaling targets high-profile,
highly privileged, or C-suite
• Vishing attacks telephones,
cell phones, and VoIP systems
• Smishing uses SMS texting as
the vector
140
Indicators of Phishing
Click to edit Master title style
•
•
•
•
•
•
•
•
Vague salutations – "Dear valued customer"
Suspicious display names or domains
Entity name is farther down the URL path
Wrong information or suspicious IP addresses when you
hover over links
Awkward grammar and misspelled words
Subject line has urgent or intimidating phrases
Lack of legitimate contact information
Spoofed headers, graphics and logos
141
Business Email Compromise (BEC)
Click to edit Master title style
• Business Email Compromise (BEC) is a type of special attack
that targets entities who outsource, conduct wire transfers,
and have suppliers abroad, and more
• Corporate email accounts of high-level employees are either
spoofed or compromised through keyloggers or phishing
attacks, in order to perform fraudulent transfers
142
Typosquatting
Click to edit Master title style
• Typosquatting involves sitting on sites under someone else's
brand or copyright and targeting Internet users who
erroneously type a web site address into their browser
address bar
• Examples: gooogle, facebooj, amaxon, insdagram
• Other terms are URL hijacking, sting sites, or fake URL
143
Common Malware Payloads
Click to edit Master title style
•
•
•
•
•
•
Trojans and RATs
Polymorphic worms
DDoS Bots
Spyware and adware
Keyloggers
Ransomware
Potentially unwanted programs (PUPs) will show up as red flags in anti-virus/antimalware tools
Malvertisments
144
Remote Access Trojans
Click to edit Master title style
Command and Control Server (C&C-C2)
Act as client
Act as server
Attacker
Capture webcam
Keystrokes logging
Remote shell
Update RAT version
Download file
Upload file
RAT-infected PC
145
Complex Malware Types
Click to edit Master title style
• Rootkits
• Backdoors
• File-less/memory-only
viruses
• Logic bombs
• Stegomalware
• Polymorphic packers
• Multipartite
A rootkit is a category of malicious software intended to advance administrator-level
or root level control over a computer system without being detected by authorized
users. The term is a combination of the words "root", which represents the root user
in a UNIX/Linux system or the administrator in a Windows system and "kit", meaning
software toolkit. Typically, the goal of a rootkit is to execute malicious activities on a
target system at a later time without the knowledge of the users of that computer.
This malicious software can target the BIOS, boot loader, kernel, system files, and
much more. Rootkits are difficult to detect since they are initiated before the
operating system has fully booted. It might install hidden files, processes, and hidden
user accounts. Because rootkits can be installed in firmware or software, they can
even intercept data from network connections, keyboard input and output,
among others.
146
Injection Attacks
Click to edit Master title style
• DLL Injection
• Malicious code forces itself to run in place of other benign code
• This "injected" code is usually code written by a third-party
developer, designed to perform some malicious function
• SQLi
• Involves inserting a SQL query through input data from client to
server application and can allow for several exploits
• Read sensitive database data (SELECT FROM)
• Change database data (INSERT, UPDATE, DELETE)
• Defend with input validation and length limits
The injection attack is often the result of MITM exploit or RAT attack. Malware can
inject false MAC or IP addresses.
147
Injection Attacks
Click to edit Master title style
• LDAP Injection
• The web server accepts input from the client for additional
processing
• The attacker exploits the data not being properly sanitized or
data/commands being sent directly to a back-end database
• The attacks can render sensitive user information or change
information in the LDAP directory
148
Yersinia for Layer 2 – 7 Injection
Click to edit Master title style
149
Cross-site Scripting (XSS)
Click to edit Master title style
•
DOM-Based: (Local XSS or Type 0)
•
•
Reflected XSS (Nonpersistent/Type 1)
•
•
Insecurely written HTML page on end
user's system or local gadgets and
widgets
An input trust vulnerability where the
app expects input like a query string,
but the attacker sends something the
developer did not expect
Stored XSS (Persistent or Type 2)
•
A variant of type 1 where, rather
than reflecting the input, the web
server persists the input
DOM-Based: Also called Local XSS or Type 0, Does not involve vulnerable web servers,
Insecurely written HTML page on end user's system or local gadgets and widgets
(Widgets – Apple, Nokia, Yahoo; Gadgets – Microsoft and Google; Also have similar
code in GNOME and KDE (stock tickers, RSS feeds, sports scores, clocks, mini-games,
social networking tools, notifications, etc, and much more)
Allows the attacker to manipulate the DOM through untrusted input and they can
render input that might lead to other XSS vulnerabilities
Reflected XSS (Nonpersistent or Type 1): A classic input trust vulnerability where the
application is expecting some input (i.e. a query string) and the attacker sends
something developer did not expect. Example: attacker provides a JavaScript code
fragment as the querystring and the victim clicks on the link. Prevalent since it's not
feasible to turn off all scripting in browsers.
Stored XSS (Persistent or Type 2): A variant of type 1 where, rather than reflecting the
input, the web server persists the input. The user is served up later to unsuspecting
victims. Difference is an intermediate phase where the untrusted input is stored in a
file or a database before unloading on the victim. Often found in blogs and
review/feedback web applications.
150
Cross-site Request Forgery (CSRF)
Click to edit Master title style
• CSRF occurs when a malicious web site, blog, email, instant
message, or program causes a web client to do unsolicited actions
on a trusted site for which a user (preferably an administrator) is
presently authenticated
• An effective CSRF/XSRF attack can force users to perform exploits
like changing passwords and email addresses to conducting
transactions such as funds transfers
• If the victim is an administrative or root account, the attack can
affect the entire web site application
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious
web site, email, blog, instant message, or program causes a user’s web browser to
perform an unwanted action on a trusted site for which the user is currently
authenticated.
151
Common Application Attacks
Click to edit Master title style
• Cookie storage and transmission
• Buffer overflow and integer overflows
• Memory leaks
• Short lived user-land application
• Long lived user-land application
• Kernel-land process
• Race conditions and TOC/TOU
• The result of an unexpected ordering of events – poor code
design
Cookies typically don’t hold confidential info, but attackers can still use them to
develop well-crafted attacks. For example they can extract a users regular visits to a
banking or brokerage site to support a spear phishing or pharming attack. Cookies
should be securely stored using encryption. Sensitive cookies should be stored
securely on the web server will pointers on the clients.
Buffer overflows take advantage of poorly written applications or operating system
code. Injection of malicious code can be accomplished with a DoS to memory buffers
and addresses or even SQL injection methods. They cause errors or command shells
and programs to run in order to further launch the exploit or deliver the malware.
One example is a packet holding a long string of NOP – no-operation instructions
followed by a command (NOP Slide) that forces the processor to locate where a
command can actually be executed. This can be mitigated with proper input
validation and regular vendor patches and updates.
OWASP = “Arithmetic operations cause a number to either grow too large to be
represented in the number of bits allocated to it, or too small. This could cause a
positive number to become negative or a negative number to become positive,
152
resulting in unexpected/dangerous behavior.” SOLUTION: Never perform arithmetic
operations on numeric primitives without strict checking for overflow/underflow
conditions. Static analysis can be helpful in checking for possible overflow/underflow
conditions. Some runtime environments automatically check for overflow/underflow
and trigger exceptions, but no mainstream language runtimes used for web
application development currently do this except for some flavors of Python.
A memory leak is unintentional memory consumption where the programmer fails to
free an allocated block of memory when it’s no longer needed. Consider the
following general three cases:
• Short Lived User-land Application: Little if any noticeable effect. Modern operating
system recollects lost memory after program termination.
• Long Lived User-land Application: Potentially dangerous. These applications
continue to waste memory over time, eventually consuming all RAM resources.
Leads to abnormal system behavior
• Kernel-land Process: Very dangerous. Memory leaks in the kernel level lead to
serious system stability issues. Kernel memory is very limited compared to user
land memory and should be handled cautiously.
Race Conditions happen when a piece of code doesn’t function as designed. They are
the result of an unexpected ordering of events, which can lead to the finite state
machine of the code transitioning to a undefined state. It can also cause contention
of more than one thread of execution over the same resource. Multiple threads of
execution acting or manipulating the same area in memory or persisted data which
gives rise to integrity issues. FIX: programmers have to test for race conditions or use
something like OWASP ZAP to test for vulnerabilities.
Time of Check/Time of Use = (OWASP) Time-of-check, time-of-use race conditions
occur when between the time in which a given resource is checked, and the time that
resource is used, a change happens in the resource to invalidate the results of the
check.
Consequences:
• Access control: The attacker can gain access to otherwise unauthorized resources.
• Authorization: race conditions such as this kind may be employed to gain read or
write access to resources which are not normally readable or writable by the user
in question.
• Integrity: The resource in question, or other resources (through the corrupted
one), may be changed in undesirable ways by a malicious user.
• Accountability: If a file or other resource is written in this method, as opposed to
in a valid way, logging of the activity may not occur.
• Non-repudiation: In some cases it may be possible to delete files a malicious user
152
might not otherwise have access to, such as log files.
Related Controls:
• Design: Ensure that some environmental locking mechanism can be used to
protect resources effectively.
• Implementation: Ensure that locking occurs before the check, as opposed to
afterwards, such that the resource, as checked, is the same as it is when in use.
The most common result of resource exhaustion exploits is denial of service. The
software may slow down, crash due to unhandled errors, or lock out legitimate users.
In some situations, it may be possible to force the software to "fail open" in the event
of resource exhaustion. The state of the software - and possibly the security
functionality - may then be compromised. The aforementioned memory leaks are
forms of RE.
152
Firmware Vulnerabilities
Click to edit Master title style
• Embedded systems increasingly use software-driven lowpower microprocessors for security-critical settings
• Firmware programs are often written in the C language so
existing source-code analysis tools do not work well for this
• Intel, Apple, and Android still fight this battle among many
other manufacturers and vendors
• Rootkits and tools can modify a computer’s UEFI (Unified
Extensible Firmware Interface) so that it silently reinstalls its
surveillance tool even if the hard drive is wiped clean or
replaced
UEFI is a replacement for the traditional BIOS (Basic Input/Output System) and is
meant to standardize modern computer firmware through a reference specification.
But there are multiple companies that develop UEFI firmware, and there can be
significant differences between the implementations used by PC manufactures.
153
CryptoMalware
Click to edit Master title style
• CryptoMalware technically applies to any malicious code that
involves encryption and/ decryption during the lifecycle
•
•
•
•
Rogue cryptomining (cryptojacking)
Ransomware
Crypto DDOS
Steganography
The goal of a cryptojacking crypto-malware isn’t to steal data – it is to remain in place
for as long as possible, quietly mining in the background.
Crypto-malware can also impact the DDoS market. Instead of botnet CPUs being used
to generate packets to blackmail the victim, who may or may not pay the ransom, the
DDoS botnet could be repurposed to mine cryptocurrencies, guaranteeing a payoff
for the criminal.
154
Ransomware Lifecycle
Click to edit Master title style
1. INSTALL
Crypto-ransomware
installs itself after
bootup
2. CONTACT HQ
The installed
malware contacts
a server belonging
to an attacker or
group (C&C)
3. HANDSHAKE
AND KEYS
The ransomware
client and server
"handshake" and the
server generates two
cryptographic keys
4. ENCRYPT
The ransomware
starts encrypting
every file it finds
with common file
extensions
5. EXTORT
A screen displays
giving a time limit to
pay up before the
criminals destroy the
key to decrypt the
files
155
Ransomware
Click to edit Master title style
156
Cryptolocker Infection Chain
Click to edit Master title style
This is a Cryptolocker infection chain
157
Stegomalware
Click to edit Master title style
• Stegomalware uses steganography to
avoid detection
• Steganography is a method of hiding
concealing files, messages, images, or
videos within another file, message,
image, video or network traffic
• Cryptography offers confidentiality – not
steganography
158
Samples and Case Studies
Click to edit Master title style
•
•
•
•
Rig EK Exploit Toolkit
Facebook Compromise of 2013
WannaCry Ransomware of 2017
Marriot Data Breach of 2018
159
Rig EK Exploit Toolkit
Click to edit Master title style
• Rig Exploit Kit (EK) is one of the best-known malware and
exploit tools to attack popular applications
• It has been used more recently to launch cryptojacking
campaigns
• Fallout EK, GrandSoft EK, Magnitude EK, Underminer EK,
GreenFlash Sundown EK
160
Facebook Compromise of 2013
Click to edit Master title style
• Internal Facebook workstations were attacked in 1/2013 due
to insecure Java builds
• Developers went to mobile development site that hosted an
Oracle Java exploit
• Apple and Microsoft were also affected around the same
time
161
WannaCry Ransomware of 2017
Click to edit Master title style
•
•
•
•
CIA attack spread over 150 nations and over 200,000 devices
Banks, schools, hospitals, municipalities and more
Many organizations decided to pay the $3 - $600+ ransom
Began on 5/12/2017 in Asia using a U.S. born kit (NSA) on
mostly Microsoft systems
162
WannaCry Ransomware of 2017
Click to edit Master title style
• Multi-layered attack used Eternal Blue against SMBv1 and
DoublePulsar trojan backdoor
• Ping first did diagnostics
• Kill terminated running processes
• Exec loaded ransomware on the victim system
163
Common WannaCry Characteristics
Click to edit Master title style
• The system could be reached from the Internet
• Security flags and alerts from scanning and enumeration were
ignored
• Exploited unpatched known vulnerabilities
• Systems used weak and long-term credentials
164
Marriot Data Breach of 2018
Click to edit Master title style
• A data breach of 8.6 million credit cards and over 25 million
passports
• Timeline of breach:
• First active in Q3 of 2014
• Marriot discovered 9/8/18
• Breach reported 11/30/18
• 380 - 500+ records affected and full impact TBD
Marriot implemented:
Free Web Watcher enrollment for customers with free credit monitoring
Created new call centers to deal with calls
Millions spent on new security technology
Thousands of people hours to find root of attack – still ongoing
165
Internet of Things (IoT)
Click to edit Master title style
• This is the most rapidly emerging global vulnerabilities
• There will soon be billions of IPv4 and IPv6 devices in homes,
offices, retail sites, factories, utility companies, hospitals,
cars, and many other places
• With the explosion of Internet-connected devices, you must
find solutions to connect them and collect, store, analyze, and
secure the device and data
166
Internet of Things (IoT)
Click to edit Master title style
• IoT developers are building industrial IoT applications for
predictive quality and maintenance as well as the remote
monitoring of operations
• They build connected home applications for automation,
security, monitoring, and home networking
• Some IoT developers are building commercial applications for
traffic monitoring, public safety, and health monitoring
• Eventually everything will be identified with a unique IPv6
address for global end-to-end connectivity
167
Example: AWS IoT Defender
Click to edit Master title style
AWS IoT Device Defender is a fully managed service that helps you secure your fleet
of IoT devices. AWS IoT Device Defender continuously audits your IoT configurations
to make sure that they aren’t deviating from security best practices. A configuration is
a set of technical controls you set to help keep information secure when devices are
communicating with each other and the cloud. AWS IoT Device Defender makes it
easy to maintain and enforce IoT configurations, such as ensuring device identity,
authenticating and authorizing devices, and encrypting device data. AWS IoT Device
Defender continuously audits the IoT configurations on your devices against a set of
predefined security best practices. AWS IoT Device Defender sends an alert if there
are any gaps in your IoT configuration that might create a security risk, such as
identity certificates being shared across multiple devices or a device with a revoked
identity certificate trying to connect to AWS IoT Core.
168
Defense in Depth
Click to edit Master title style
• Defense in depth involves
implementing multiple layers of
security to defend property,
facilities, systems, applications,
and data
• Can be physical, logical or
virtual
• The goal is to protect CIA and
beyond (prevent D.A.D.)
• Security is a continuous
balancing act
•
According to the SANS institute,
there are four fundamental
approaches to DiD, based on risk
treatment:
• Uniform protection
• Protected zoning
• Information-centric
• Analyze threat vectors
Confidentiality vs. Disclosure; Integrity vs. Alteration; Availability vs. Destruction is
often quoted. However, this isn’t the most accurate as the opposite of destruction
would be “Durability”.
169
Uniform Protection
Click to edit Master title style
• Involves identical controls for all systems
which are deemed to be of equal value
• Assets are not considered to be missioncritical
• A very traditional and common approach at
least as the starting point in the lifecycle
• “Drinking the firewall Kool-Aid”
170
Protected Zoning
Click to edit Master title style
• Creates logical and physical security domains or zones
• Software-defined-networking using VLANs and PVLANs is a
modern example
• There are interface points between all zones and mediated
access from any public zones (Internet)
• Can also be a secure enclave on a mobile or embedded
device
171
Zoning
Click to edit Master title style
172
172
Cloud Service Provider Zoning DiD
Click to edit Master title style
173
Data or Information-Centric DiD
Click to edit Master title style
Network
Endpoint
Application
Data
At the center is data and information in this model: IP, PII, PHI. But it could be things
stored in a walk-in safe or highly secure room such as where safe deposits boxes are
in a bank. Or perhaps it is an HSM storing Private Keys and Access Keys.
This process involves asset assessment, valuation, labeling (tags), classification, and
handling = risk management.
Could involve elaborate DLP systems and Digital Rights Management solutions
174
Vector-oriented DiD
Click to edit Master title style
• Identifying all ingress and egress points and all probable
threat agents and specific vectors
• Disable USB fobs
• Block email attachments
• Use DLP engines for IP leakage
• Leverage the threat matrices and risk registers
• Conduct vulnerability and risk assessment with a quantitative
analysis focus
• OpenFAIR is an emerging taxonomy to identify vulnerability and
handle subjectively
175
NIST Security Strategy
Click to edit Master title style
176
Understand the Physical Architecture
Click to edit Master title style
• Where is the defensible property boundary?
• Work back to the location of core mission-critical assets
•
•
•
•
•
•
•
Gates and fences
Guards
Lighting and sensors
Bollards
Locks and cameras
All entry/exit points
Service provider junctions and demarcation
177
Understand the Physical Architecture
Click to edit Master title style
• Diagram the physical topology of the campus with graphical
tools
• Include wireless analysis and topologies
• Document all cable runs and distribution frames
• Map the physical topologies to the logical networking flow
178
Recognize All Communication Flows
Click to edit Master title style
• Identify all information flows with all possible technologies
•
•
•
•
•
Corporate edge
Email and webmail
Messaging and social media
Telephony and cellular
Bluetooth, RFID, NFC, etc.
• Information flow may also be governed by mandatory access
control architectures
179
Identify Critical Data
Click to edit Master title style
•
•
•
•
•
Data at rest, in transit, in use
Understand the SAN, NAS solutions
Evaluate all database and storage systems
Abstract data whenever possible
Strict access controls and mediated access
180
What is Active Defense?
Click to edit Master title style
• Active defense involves an offensive approach to security
defense
• Involves understanding more about how the attack is
performed
• Takes the point of view of the attacker
• Enhances existing technologies
Enhance and augment – not replace technologies
181
Active Defense Lifecycle
Click to edit Master title style
Phase 1 - Identify Critical Internal Assets
Phase 2 – Provide Environmental Context
Phase 3 – Classify Threat Agents
Phase 4 – Launch Active Threat Campaigns
182
Spectrum of Attacks and Defenses
Click to edit Master title style
@ Defense Science Board
183
Main Types of Active Defense
Click to edit Master title style
Deception
Attribution
Counterattack
184
Deception as Active Defense
Click to edit Master title style
• Slows down or redirects the attacker
• Presents false information
•
•
•
•
Honeypots and honeynets
Evil twin WAPs
Server decoys
DNS fabrication
• Has the lowest impact from a legal perspective but can affect
scanning and pentesting
185
Attribution as Active Defense
Click to edit Master title style
• Attribution discovers information about the attacker(s) and
their goals or targets
• It is a valuable activity for incident response team members
• It may be ineffective since source addresses are likely spoofed
• It actively uses trace back tools and beaconing software
186
Counterattack as Active Defense
Click to edit Master title style
• This strategy involves:
• Information gathering
• Seek and disrupt
• Seek and destroy
• Attack back involves the most
negative legal issues
• It has a high degree of risk and
consequences
187
Honeypots
Click to edit Master title style
• Honeyfiles are bait files strategically placed for attackers to
access (passwords.txt)
• They usually reside on a file server, which will trigger an alert
when read
• These also include honeytokens, honeycreds, honeynets
188
Tarpits
Click to edit Master title style
•
A Tarpit is a network security technique of delaying inbound
connections to intentionally slow down scanning attacks and spam
• This method can often restrict and discourage spammers from
sending bulk messages towards you
• Tarpits are applied to:
• Networks
• Email (ESMTP)
• Authentication
(Teergube in German). To avoid being tarpitted, a spammer may send bulk emails in
short batches over a relatively longer period than normal.
189
Decoys
Click to edit Master title style
• Decoys can be honeycreds representing fake privileged
accounts
• They are also decoy IP addresses and honeynets
• Routers and firewalls
• Virtual machines
• They can be TCP and UDP ports on a gateway or server
190
Jailed Environments
Click to edit Master title style
• A jailed environment is a subcomponent of a host
environment that allows all attackers in
• The authentic environment allows authorized access while
attackers are redirected to the jailed environment for active
defense measures
• This can also be an evil twin wireless environment
191
Fake DNS Records
Click to edit Master title style
• DNS is a common recon action by attackers
• Bogus DNS records can redirect attackers to honeypot
databases or domain controllers in a jailed subnet
• Often used in combination with other active defense
measures such as decoys
192
False Headers
Click to edit Master title style
• Various TCP/IP services will offer metadata in headers
• HTTP response, SMTP, and FTP headers are common vectors
• As a countermeasure, remove header data or insert false
information into header
• Example: declare that a web server is running IIS when it is
really running Apache
Service banners are often used by system administrators for inventory taking of
systems and services on the network. The service banners identify the running
service and often the version number too. Banner grabbing is a technique to retrieve
this information about a particular service on an open port and can be used during a
penetration test for performing a vulnerability assessment. When using Netcat for
banner grabbing you actually make a raw connection to the specified host on the
specified port. When a banner is available, it is printed to the console.
193
Making a Raw Connection with Netcat
Click to edit Master title style
Example: To demonstrate how a raw connection works we issue some FTP commands after
we’re connected to the target host on the FTP service. Let’s then see if anonymous access is
allowed on this FTP server by issuing the USER and PASS command followed by anonymous.
Netcat is the Swiss army knife of networking tools and it can be run standalone or in
Kali Linux as seen here. The most common cracking uses for Netcat are setting up
reverse and bind shells, piping and redirecting network traffic, port listening,
debugging programs and scripts and banner grabbing by making a raw connection to
an FTP or Web server.
https://www.hackingtutorials.org/networking/hacking-with-netcat-part-3-advancedtechniques/
To demonstrate how a raw connection works we will issue some FTP commands after
we’re connected to the target host on the FTP service. Let’s see if anonymous access
is allowed on this FTP server by issuing the USER and PASS command followed by
anonymous.
194
NIST on User Responsibility
Click to edit Master title style
According to NIST:
"The responsibilities and accountability of owners, providers,
and users of computer systems and other parties concerned
with the security of computer systems should be explicit.
The assignment of responsibilities may be internal to an
organization or may extend across organizational boundaries.
Depending on the size of the organization, the program may be
large or small, even a collateral duty of another management
official."
Enhance and augment – not replace technologies
195
NIST on User Responsibility
Click to edit Master title style
According to NIST (continued):
"However, even small organizations can prepare a document
that states organization policy and makes explicit computer
security responsibilities.
This element does not specify that individual accountability must
be provided for on all systems.
For example, many information dissemination systems do not
require user identification and, therefore, cannot hold users
accountable."
Enhance and augment – not replace technologies
196
Acceptable Use Policies (AUP)
Click to edit Master title style
• The most important aspect of the written security policy from
the endpoint perspective is the Acceptable Use Policy (AUP)
• It should be a dynamic published document updated for new
technologies (augmented reality, TikTok, mobile solutions,
etc.)
197
Endpoint Physical Security
Click to edit Master title style
•
•
•
•
•
•
Computer and laptop locks
Clean desk policies
Visibility screens
Disable unused peripheral ports
Removable device policy
MDM onboarding and offboarding
• Geofencing
• Geotagging
• Remote-wipe
Clean desk = locked drawers, cabinets, and safes
198
Endpoint Physical Security
Click to edit Master title style
•
•
•
•
•
Use hardware and software multi-factor authentication
Consider biometric authentication
Disconnect and/or remove unused computers
Use client-side and full disk encryption
Employ SSO and/or password managers
Use smart cards and tokens according to AUP
199
Update Personal Endpoints
Click to edit Master title style
• Update and upgrade the most secure browsers and clients
• Auto-update with digitally signed patches (Java, Adobe,
Zoom, etc.)
• Update and upgrade all anti-x software
• Install manufacturer firmware updates
200
Browser Best Practices
Click to edit Master title style
• Be certain browser software is
updated
• Manage and disable
unnecessary/malicious plugins
• Always connect using HTTPS
and TLS1.2 or 1.3
• Choose EV validated sites if
possible
• Clear browser histories
automatically
• Use strong passwords and
password managers
• Never store passwords in a
browser
• Disable popups (install
AdBlock)
• Use VPNs and Proxy servers
(Cisco Umbrella)
• Make use of browser security
configurations
201
Web Safaris for Endpoint Protection
Click to edit Master title style
https://www.sans.org/securityresources/policies/general/pdf/acceptable-use-policy
https://www.quest.com/kace/
https://resources.infosecinstitute.com/best-practices-webbrowser-security/
https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
https://www.quest.com/kace/
https://resources.infosecinstitute.com/best-practices-web-browser-security/
202
Host-Based IDS
Click to edit Master title style
• Host-based IDS monitors the host system infrastructure
through an installed agent to analyze traffic and log
suspicious and malicious behavior
• HIDS should provide deep visibility into critical systems and
files to detect and respond when anomalous activities are
discovered
• HIDS often works in conjunction with SIEM systems and other
advanced threat intelligence – often using Sec-as-a-Service
(MSSP)
203
Common HIDS Activities
Click to edit Master title style
• Detect attempts at unauthorized access
• Identify anomalous activities
• Enumerate access and changes to critical files with File
Integrity Monitoring (FIM)
• Protect integrity of data and other host-based assets
• Conduct continuous threat intelligence
• Integrate with other agents (VPN, .1X, OpenDNS, etc.)
204
Snort – a network IDS
Click to edit Master title style
• Since the late 90’s it has been an open-source solution
• Has a powerful rule language
• New patterns can be used from the community
Alert tcp any any -> 10.10.10.0/24 80 (msg
“inbound HTTP Traffic”;
sid: 3251022;)
205
Intrusion Prevention Defined
Click to edit Master title style
• Intrusion Prevention Systems (IPS) are proactive inline
systems that have the ability to drop packets and block
attackers before the payload enters the network or host
•
•
•
•
•
Signature-based
Anomaly-based
Heuristic and UBA
Machine-learning
Cloud-based
206
Host-based IPS
Click to edit Master title style
• A host-based intrusion
prevention system (HIPS) is a
program that is usually
installed on a single host
• It often complements
traditional fingerprint-based
and heuristic antivirus
detection applications as part
of an integrated endpoint
security suite
• When malware or some other
exploit attempts to alter the
system or software, HIPS can
prohibit the action
automatically or alert the end
user to grant permission
• Most endpoint protection
systems are actually IPS
sensors installed on hosts that
can be deployed in IDS or IPS
modes
207
IPS Tuning
Click to edit Master title style
• True Positive
• Accurate + alarm fires
• True Negative
• Accurate + alarm does not fire
• False Positive
• Error + alarm fires
• False Negative
• Error + alarm does not fire
True positives: The security control, such as an IPS sensor, acted as a consequence of
malicious activity. This represents normal and optimal operation.
True negatives: The security control has not acted, because there was no malicious
activity. This represents normal and optimal operation.
False positives: The security control acted as a consequence of non-malicious activity.
This represents an error, generally caused by too tight proactive controls (which do
not permit all legitimate traffic) or too relaxed reactive controls (with too broad
descriptions of the attack).
False negatives: The security control has not acted, even though there was malicious
activity. This represents an error, generally caused by too relaxed proactive controls
(which permit more than just minimal legitimate traffic) or too specific reactive
controls (with too specific descriptions of the attack).
208
IEEE 802.1X (PNAC)
Click to edit Master title style
• The 802.1X framework delivers
authentication and authorization
of endpoints attempting to get
network access
• VLAN assignment - the
authentication server can
associate a VLAN with a specific
user or group and instruct the
switch to dynamically assign the
authenticated user into that
VLAN
VLANs = wired, wireless, Guest, Restricted until remediation, full access with
additional EAP (like EAP-TLS using PKI certificates), leverage SSO with directory
service as Identity Provider (OpenLDAP, AD)
209
IEEE 802.1X (PNAC)
Click to edit Master title style
•
•
•
ACL assignment - the authentication server associates an ACL with a
specific user or group and commands the NAD to dynamically
assign the ACL to the session of the user
Time-based access - the authentication server can control the times
at which the user can connect to the network
Security group access - security group access provides topologyindependent, scalable access control
• The ingress switches classify data traffic for a specific role and label
the traffic with security group tags
• The egress network devices read the security group tags and
perform filtering by applying the appropriate security group ACLs
to the packets
210
IEEE 802.1X (PNAC)
Click to edit Master title style
Supplicant
Authentication server
Authenticator
EAPOL-Start
EAP-Request/Identity
RADIUS Access-Request
EAP-Response/Identity
RADIUS Access-Challenge
EAP-Request/OTP
EAP-Response/OTP
RADIUS Access-Request
EAP-Success
RADIUS Access -Accept
Port authorizes
EAPOL-Logoff
Port unauthorized
211
IEEE 802.1AE (MACsec)
Click to edit Master title style
Guest user without
MACsec supplicant
AES-GCM-128 with GMAC or AES-GCM-256 with GMAC
212
Endpoint Detection and Response (EDR)
Click to edit Master title style
• Endpoint Detection and Response (EDR) are tools that are
mainly dedicated to detection and investigation of suspicious
activities and indicators of compromise (IoCs) on
hosts/endpoints
• EDR tools monitor endpoint and network events and send
information to a SIEM system or centralized database so
further analysis, investigation, and reporting can take place
213
Endpoint Detection and Response (EDR)
Click to edit Master title style
• A software agent installed on the host system often provides
the basis for event monitoring and reporting
• EDR systems are more modern than traditional HIDS/HIPS
solutions but considered legacy software compared to newer
next-generation endpoint protection
214
Key EDR Features
Click to edit Master title style
• Filtering - better solutions excel at filtering out false positives
which can lead to alert fatigue and increasing the possibility
for real threats to go unnoticed
• Advanced Threat Blocking -preventing threats as soon as
detected and throughout the lifecycle of the attack
• Incident Response Capabilities - threat hunting and incident
response can help avert full-scale data breaches to augment
DLP
• Multiple Threat Protection - advanced attacks can overwhelm
endpoints if the installed security solution is not prepared to
handle multiple types of threats simultaneously
Advanced Threat Blocking: Prevent threats as soon as detected and throughout the
lifecycle of the attack. Persistent attacks could eventually overcome security
measures on products with weaker offerings.
Multiple Threat Protection - advanced attacks, or multiple different attacks at once,
can overwhelm endpoints unless the installed security solution is prepared to handle
multiple types of threats at the same time (i.e. ransomware, malware, suspicious
data movements).
215
Next-generation Endpoint Protection
Click to edit Master title style
• IT hygiene
• Next-generation Antivirus
• Offers verifiable vendor claims
• Doesn’t focus exclusively on IoCs
• Looks for indicators of attack (IoA)
• Managed hunting service
• Threat intelligence
• Cloud-based architecture
IT Hygiene - allows you to identify and close gaps in your environment by offering the
visibility and information your security teams need to implement preemptive actions
and make sure you’re as prepared as possible to face today’s sophisticated threats.
Out-of-date and unpatched applications, credential abuse and employing stolen
credentials are key attack vectors. The ability to discover, patch and update
vulnerable applications and monitor login activities is critical.
Next-Generation Antivirus (NGAV)
Traditional antivirus (AV) solutions boast of up to 99 percent effectiveness, but a gap
of just one percent means 100% probability of a breach by adversaries using either
known or unknown malware. That’s why NGAV can be an important tool, though
finding the right solution can be challenging. A recent blog on this topic outlines the
four steps to choosing the right AV replacement. Among those steps is verifying
vendor claims. Organizations should be wary that some vendors claiming to have
behavioral analytics capabilities offer solutions that focus exclusively on indicators of
compromise (IOCs), which are only present after an attack has occurred. Effective
NGAV must also look for indicators of attack (IOAs) that identify active attacks and
allow you to stop an event before damage is done. This gives you a tremendous
advantage over attackers.
216
Managed Hunting
At the end of the day, attackers are people and as such, they can be adaptive and
creative — relying on technology alone to thwart them is simply not enough. To be
truly next-gen, a cybersecurity platform should include a managed hunting service.
An elite team can find things your automated response systems may miss. It can learn
from incidents that have taken place, aggregating crowdsourced data and providing
response guidance when malicious activity is discovered. Having expert hunters
working 24/7 on your behalf matches the ingenuity of determined attackers like no
automated technology can.
Threat Intelligence
Because sophisticated adversaries can move so quickly and stealthily, security teams
must receive intelligence that ensures your defenses are automatically and precisely
instrumented throughout your enterprise to stop breaches with minimum impact and
maximum protection. Such threat intelligence needs to provide more than the
tactical advantage of understanding and resolving incidents faster; it must also offer
the proactive alerts and reports that security experts need in order to prioritize their
resources at an operational level.
Cloud-Based Architecture
Delivering these crucial elements can only be accomplished via purpose-built cloud
architecture. The older on-premises model simply isn’t capable of performing the
tasks required of a true next-gen EPP solution, such as collecting a massive, rich data
set in real time, storing it for long periods and thoroughly analyzing it in a timely
manner to prevent breaches. With the cloud, it is possible to store and instantly
search petabytes of data, gaining historical context on any activity running on any
managed system. Many vendors claiming to have a cloud-based solution actually are
still relying on older architectures developed primarily for on-premises systems,
though perhaps retrofitted with some newer "cloud-enabled" features. Such a "bolton" model can never match the performance of a purpose-built, cloud-native
solution.
216
Endpoint Protection Suites
Click to edit Master title style
• These are all-in-one, full-scale security packages that offer a
single, integrated solution
• There is only one vendor to get the upgrades and updates
from
• Depending on the security vendor, the suite may also include
a two-way firewall, parental control system, a local spam
filter, VPN to protect your data in transit, online backup, and
dedicated ransomware protection
217
Endpoint Protection Suites
Click to edit Master title style
218
Endpoint Encryption Products
Click to edit Master title style
219
Endpoint Encryption Products
Click to edit Master title style
220
System Logging
Click to edit Master title style
• There are many sources of
system logs in the enterprise:
• Infrastructure devices
• Windows server system,
application, and security logs
• Web, Email, and Unified
Communications services
• Firewalls, IDS/IPS, WAF, and
specialty appliances
• Database and storage
•
•
•
•
•
•
•
•
Messages
Alerts
Traps
Log files
Debugging
Traces
Devices
Log servers
221
System Logging Concepts
Click to edit Master title style
• Log output can be overwhelming in the beginning
• Filtering and tuning is critical to gathering meaningful metrics
(events and information)
• There are too many standards!
• Some use the Syslog RFC as a standard
Cisco, Microsoft, Juniper, AWS flow logs, Linux builds
222
Syslog
Click to edit Master title style
• Syslog is a standard defined in IETF RFCs 3164 then 5424
• Messages include:
•
•
•
•
•
•
Time stamps
Event messages
Severity level (0-7)
Host IP addresses
Diagnostics
And more
Syslog is a standard for sending and receiving notification messages–in a particular
format–from various network devices. The messages include time stamps, event
messages, severity, host IP addresses, diagnostics and more. In terms of its built-in
severity level, it can communicate a range between level 0, an Emergency, level 5, a
Warning, System Unstable, critical and level 6 and 7 which are Informational and
Debugging.
Moreover, Syslog is open-ended. Syslog was designed to monitor network devices
and systems to send out notification messages if there are any issues with
functioning–it also sends out alerts for pre-notified events and monitors suspicious
activity via the change log/event log of participating network devices.
The Syslog protocol was initially written by Eric Allman and is defined in RFC 3164.
The messages are sent across IP networks to the event message collectors or syslog
servers. Syslog uses the User Datagram Protocol (UDP), port 514, to communicate.
Although, syslog servers do not send back an acknowledgment of receipt of the
messages. Since 2009, syslog has been standardized by the IETF in RFC 5424.
223
Syslog on a Cisco Device
Click to edit Master title style
224
Syslog on a Cisco Device
Click to edit Master title style
225
Syslog on a Cisco Device
Click to edit Master title style
226
Syslog on a Cisco Device
Click to edit Master title style
227
Syslog on a Cisco Device
Click to edit Master title style
228
Syslog on a Cisco Device
Click to edit Master title style
229
Log Distinctives to Remember
Click to edit Master title style
• Logs are critical records for metrics, indicators,
documentation, reporting, and governance
• Servers should be in a high-availability or cluster solution
• Logging may be a component of larger SIEM system or cloudbased analysis tool
230
Build a Basic Linux Log Server
Click to edit Master title style
1. Build a Linux server on a network, virtual environment, or
cloud service provider virtual network (AWS VPC)
2. Place in the same VLAN as devices generating logs
3. Allow SSH (TCP 22) and Syslog (TCP/UDP 514) access only
4. Forward syslog logs to the server IP address from Linux
source devices by modifying /etc/syslog.conf files
5. On Syslog server, change syslog.conf to send logs to files or
backend storage
6. Configure logrotate.conf on server to retain logs
231
Key Log Reporting Activity
Click to edit Master title style
• Authentication and
authorization
• Failures and critical errors
• Malware activities (IoC/IoA)
• Modification and change
reports
• Network activity
• Resource access
• Never Before Seen (NBS)
analytics reporting
232
Common NBS Activities
Click to edit Master title style
•
•
•
•
•
•
•
•
•
Log message types/event types
Users authenticating successfully
Sources connected to systems using privileged
accounts
Internal system connecting to external system
External IP addresses connecting to new entry
points
Ports accessed on internal systems
HTTP requests and methods
Downloaded and uploaded content types
Query types on databases
233
Basic Logging Analysis
Click to edit Master title style
• Phase 1: Log Collection
• Kiwi, syslog-ng, LASSO
• Phase 2: Log Storage
• MySQL, PostgreSQL
• Phase 3: Log Analysis
• Splunk, grep, LogParser
• Phase 4: Log Correlation and Alerting
• SEC, OSSEC, OSSIM, CSPs
234
Organizational Logging Challenges
Click to edit Master title style
•
•
•
•
•
•
•
Siloed corporate environments
Geographical and jurisdictional boundaries
Access to remote systems
In-house built custom applications
Mandates and regulations
Outsourcing issues
Unclear data retention policies
235
Security Incident and Event Monitoring
Click to edit Master title style
• SIEM has evolved from separate security event and security
information monitoring
• It is the primary centralized log correlation, aggregation, and
normalization solution
• SolarWinds Security Event Manager, ManageEngine EventLog
Analyzer, Splunk Enterprise Security, OSSEC, LogRhythm
NextGen SIEM Platform, Splunk, AlienVault, and QRadar
236
Vulnerability Management
Click to edit Master title style
• Vulnerability Management begins with assessment and
prioritization of assets
• Determine the Return on Security Investment (ROSI)
• Start building the risk register (log or ledger) based on semiquantitative or quantitative approach (OpenFAIR)
• Through visibility and analysis you should deliver calibrated
estimates of the most likely threat agents, scenarios, and
magnitude of impact against each asset or asset class
• Decision-makers (C-suite and stakeholders) should be given
results with modern visibility reporting and real numbers
ROSI is more specific than ROI.
237
Indications (Indicators) of Compromise (IoCs)
Click to edit Master title style
• IOCs are remnants, artifacts, and traces of a breach or
attack on a system, network, application, or hosts
• Can be precursors of a fully successful attack with all
phases not being activated yet
• Some practitioners call these indicators cyber
observables or malware observances
• The presence of malware, signatures, exploits,
vulnerabilities and IP addresses are characteristic of
evidence left behind when an exploit has happened
According to Symantec, there are really only 2 main ways that most attackers drop
the malware on your system: 1) Drive-by web surfing downloads 2) Email spam,
attachments, phishing (e.g. fake invoice with Word document [macro] from
financial/ransomware hackers)
The presence of malware, signatures, exploits, vulnerabilities and IP addresses are
typical of the evidence left behind when a breach has occurred.
In the case of an information breach, IOCs might include a variety of electronic
evidence left behind, such as an MD5 hash, a C2 domain or hardcoded IP address, a
registry key, filename, etc. These IOCs are constantly changing, however, making a
proactive approach to securing the enterprise impossible. Because IOCs represent a
reactive method of tracking the bad guys, by the time you find an IOC, there is a high
probability that you have already been compromised.
238
Indications (Indicators) of Compromise (IoCs)
Click to edit Master title style
• IOCs are commonly an MD5
hash, a C&C URL or domain,
hardcoded IP address,
registry keys, anomalous files
and filenames
• IOCs are persistently varying,
which makes proactive
security of the enterprise
difficult
239
Indications (Indicators) of Compromise (IoCs)
Click to edit Master title style
• IOCs epitomize a reactive approach to tracking exploits
so that when they are found there is high probability
that the breach has occurred
• Focusing on IOCs is much like relying on an IDS
240
Indicators of Attack (IoAs)
Click to edit Master title style
• Takes an early, proactive stance looking for:
•
•
•
•
•
Stealth behavior
Persistence
Code execution
Lateral movement
C2 server connections
• Not focused on tools being used but rather steps taken
• Trying to detect and stop specific tools is a losing battle
IOAs, on the other hand, represent a proactive stance, in which defenders are looking
for early warning signs that an attack may be underway, such as code execution,
persistence, stealth, command control and lateral movement within a network.
IOAs are concerned with the execution of these steps, which expose the intent of the
adversary and the outcomes they are trying to achieve. IOAs are not focused on the
specific tools criminals use to accomplish the objectives, and are thus more
adaptable to the ever-changing tactics they employ to accomplish their goals. By
monitoring these execution points, gathering the indicators and analyzing them, we
can determine how a threat agent successfully gains access to the network, and we
can infer intent. No advance knowledge of the specific tools or malware (IOCs) is
required to stop the attack while it’s still in progress. In fact, IOAs can detect attacks
where no malware is present.
241
Key Indicators Abuse and Access of Data
Click to edit Master title style
•
•
•
•
•
•
Abuse of service accounts
Accessing data outside of normal days/hours
Excessive logon failures
Disproportionate file or data access
Suspicious access of application data
Takeover of systems
Data is the one thing that can most easily be monetized and commoditized by the
malicious hacker
Using service accounts to access data
A human user touching data base tables that are typically only used by applications
Disproportionate access based on behavioral analytics and peer group comparisons
242
Identifying Malicious Code
Click to edit Master title style
MONITOR
LEARN & DETECT
UBA
on
SIEM
Systems
Deception
Technologies
throughout
Management
stations
BIG DATA
ANALYSIS
BLOCK /
QUARANTINE
Contain and
investigate
Talk about when you I managed a bookstore and suspected Asst. Manager of taking
money from till and marking a shortage – put extra $20 in the till as I left the store.
Next morning no overage.
Many enterprises are implementing UBA – User Behavior Analytics that run on top
of their SIEM solutions.
Also some large companies are using Deception Technologies on internal network:
Honey Pots and Honey Nets are still being used – these are resource intensive and
not effective.
Deception (honey tokens) Tokens across enterprise – fake clues placed on endpoints
– tokens are pointers to internal data, trap accounts, configuration files, passwords,
cookies, authentication tokens; Mock internal web apps, databases records, and files
on servers. Placed on systems in reasonable locations but not where the average end
user would find them. No affect on productivity. Wait for attacker to use the token:
fewer false positives (Advanced/Power users could find them but not use them);
learn about steps being taken (Indicators of Attack).
243
Critical to determine the source, scope, and process of bad internal user/privileged
insider without “tipping them off” to the fact that they are operating on deception
tokens. Taking action against an internal user is much more complex: HR, Legal,
compliance, regulations.
Malicious insider OR Compromised insider – there is a difference.
243
We call this saccadic movements – jumping longer distances across screen
244
There’s a great quote by a guy named Steven Few who says “Save the pie for desert”.
IOW, there is a whole slew of analysts that feel there is always a better way to present
data besides a pie chart. Man, what I wouldn’t give for a piece of apple pie a la mode
right this moment.
245
Scanners
Click to edit Master title style
• Vertical scans
Port scan that broadly scans ports on a host – easy to detect
• Horizontal scans
Targets the same port(s) on several hosts looking for exploit vector
– fairly effective
• Block scans
Combines the first two methods for large sweep of networks
• Stealth scans
Designed to go undetected by auditing tools
There are four main types of scans that a malicious user would typically use against a
server environment: vertical scans, horizontal scans, block scans, and stealth scans.
1.Vertical Scans – A vertical scan is a port scan that will in essence target numerous
destination ports on a singular host running SharePoint. This is an extremely broad
scan and is typically easy to detect because only local detection mechanisms (those
that will directly exist on the target server) are necessary in order to build up proper
alerts and begin to mitigate threats from such a scan. The amount of valuable
information that a malicious user gathers from a vertical scan can be defined as the
size of the return packet from a particular probe. Vertical scans tend to predominate
port scanning activity, mostly because when an exploit is made public it tends to
arose the community.
2.Horizontal Scans (also called a block scan) – A horizontal scan is a port scan that
targets the same port on several hosts, effectively looking for a universal exploit that
may exist. This is a fairly common when the attacker is privy to certain vulnerability
information and seeks out within an arbitrary network susceptible host machines.
The amount of valuable information that a malicious user gathers from a horizontal
scan on a target can be defined as the amount of destination sets that the user
receives.
3.Block Scans – It is feasible to combine the above two methods to derive a new
246
method which will, in essence, compose a large sweep of a network for either type of
derived exploits, this is common when producing assets for future exploitations.
246
Scanning Methods
Click to edit Master title style
• Bounce scans
Looks for systems to bounce their attacks through (FTP)
• UDP scanning
These also implement retransmission of packets that appear to be
lost
• ICMP scanning
Not port scanning, but useful for finding hosts
• The big three scanners: SAINT, nmap (Zenmap), and Nessus
The ability to hide their tracks is important to attackers. Therefore, attackers scour
the Internet looking for systems they can bounce their attacks through.
FTP bounce scanning takes advantage of a vulnerability of the FTP protocol itself. It
requires support for proxy ftp connections. This bouncing through an FTP server
hides where the attacker comes from. This technique is similar to IP spoofing in that
it hides where the attacker comes from. For example, bad.com establishes a control
connection to the FTP server-PI (protocol interpreter) of equifax.com. (Let’s pick on
them since they deserve it for allowing that huge data breach that probably will end
up affecting most of us). Then request that the server-PI initiate an active server data
transfer process to send a file anywhere on the Internet.
247
Zenmap – The GUI Nmap Tool
Click to edit Master title style
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux,
Windows, Mac OS X, BSD, etc.) free and open source application which aims to make
Nmap easy for beginners to use while providing advanced features for experienced
Nmap users. Frequently used scans can be saved as profiles to make them easy to run
repeatedly. A command creator allows interactive creation of Nmap command lines.
Scan results can be saved and viewed later. Saved scan results can be compared with
one another to see how they differ. The results of recent scans are stored in a
searchable database.
248
Zenmap
Click to edit Master title style
249
Zenmap
Click to edit Master title style
250
Vulnerability Scanners
Click to edit Master title style
@softwsp.com
Nessus is a powerful vulnerability scanner for professionals and Red/Blue Teams:
Vulnerability scanning = Assess systems, networks and applications for weaknesses
Configuration auditing = Ensure that IT assets are compliant with policy and standards
Compliance checks = Audit system configurations and content against standards
Malware detection = Detect malware as well as potentially unwanted and
unmanaged software
Web application scanning = Discover web server and services weaknesses and
OWASP vulnerabilities
Sensitive data searches = Identify private information on systems or in documents
Control system auditing = Scan SCADA systems, embedded devices and ICS
applications
Cloud support = Assess configuration weaknesses in Amazon Web Services, Microsoft
Azure and Rackspace public clouds
High-speed asset discovery and scanning = Network devices including next generation
firewalls, operating systems, databases, web applications, virtual and cloud
environments and more
Scan multiple networks = Scan on IPv4, IPv6 and hybrid networks
Credentialed / non-credentialed = Flexible scanning options to meet different needs
251
Scan scheduling = Set up scans to run when and how often you want
Selective host re-scanning = After a scan, re-scan all or a subsection of previously
scanned hosts
Automatic scan analysis = Remediation action priority and scan tuning
recommendations
Agent-based scanning = Increase scan coverage with Nessus Agents
Multi-scanner support = Manage and share scan resources from a central console
251
Security Content Automation Protocol
Click to edit Master title style
• Methodology for using exact standards to allow for
automated vulnerability management, measurement, and
policy compliance evaluation of systems FISMA compliance
• The National Vulnerability Database (NVD) is the U.S.
government content repository for SCAP
• Security Content Automation Protocol Validated Products and
Modules @ https://nvd.nist.gov/scap/validated-tools
• Rapid7 (Metasploit), SPAWAR, Tenable (Nessus), IBM,
ThreatGuard, Intel, CIS, SAINT, and more
e.g. Brio is using SCAP for one of our clients who needs FISMA compliance.
Methodology for using exact standards to allow for automated vulnerability
management, measurement, and policy compliance evaluation of systems FISMA
compliance
The National Vulnerability Database (NVD) is the U.S. government content repository
for SCAP
Security Content Automation Protocol Validated Products and Modules @
https://nvd.nist.gov/scap/validated-tools
Rapid7 (Metasploit), SPAWAR, Tenable (Nessus), IBM, ThreatGuard, Intel, CIS, SAINT,
and more
252
Introduction to Penetration Testing
Click to edit Master title style
• Penetration testing can include vulnerability assessment, but
they are two different activities
• Vulnerability scanning is typically planned, automated and
shorter timed
• Pentesting can be white, black, or white box and is more
manual and longer timed
253
Why Do Pentesting?
Click to edit Master title style
•
•
•
•
•
•
Security vulnerabilities or loopholes may be present in a system,
service or application
Clients need to assess the business impact of successful attacks
Customers must implement effective organizational security
strategy
PII, financial, health, or other sensitive critical data must be secured
while at rest or in transit
Clients are asking for pentesting as part of a software release cycle
The client needs assurance that user data is secure or meets other
information security regulations
254
Pentesting Lifecycle
Click to edit Master title style
Scope the
Test
Exploit
Enumerate
Gather
Information
Scan
Scoping involves Pre-engagement activities – W,B, or G box; agreements (NDA);
exceptions; parameters; credentialed? Passive or active? Time of day…
255
Reconnaissance & Fingerprinting
Click to edit Master title style
• Reconnaissance is information gathering
• Fingerprinting (footprinting) is identification of network
attributes, hosts, O/S, running services and applications
• May involve internal and/or external recon teams
• Passive or Active methodologies
• Numerous free and commercial tools are available
In footprinting , the attacker may utilize “whois”, nslookup, traceroute, enumerators,
pinging, social engineering, , or other tools to ascertain information about the
network, such as: key personnel, topology, protocols used, IDS / IPS in use, IPs of
machines on the network, ports, shares and services that are vulnerable , et cetera.
OSINT - Whois - Nslookup - Foca - Theharvester - Shodan - Maltego - Recon-NG Censys
In fingerprinting, the attacker will direct specially crafted packets at the target, which
will elicit a signature response from the device. This response will tell the attacker
what OS, service, version et cetera, the node is using, as a result the attacker is able
to fine-tune their assault.
These acts of remote fingerprinting can be either active or passive. When the
fingerprinting is passive, the attacker is monitoring for traffic that is occurring
between the device, and other nodes. When there is active fingerprinting, the
attacker is sending uniquely constructed packets to the device, and monitors the
response.
256
Fingerprinting can be mitigated against by using "scrubbers", which will "normalize"
the packets, and remove the unique identifying traits that the attacker is seeking.
There are also “personality” strategies, such as the use of IP Personality, which will
alter packets, and cause responses from the device to appear as if it was from a
another device, with different characteristics. Additionally, firewalls may be deployed
to block traffic with abnormal combinations of IPs, and ports.
256
Social Engineering
Click to edit Master title style
•
•
•
•
•
•
•
•
Phone calls
SMS texting
Email phishing and whaling
Pharming
Watering hole
Hoaxing
Shoulder surfing
Dumpster diving
257
Exploitation: Pivoting
Click to edit Master title style
• Pivoting is a technique of using
an instance (aka ‘plant’ or
‘foothold’) to be moved
around inside of a network
• Using the first compromise to
assist in vertical or horizontal
(N/S or E/W) movement to aid
in the compromise of other
otherwise unreachable
systems
Pivoting is the unique technique of using an instance (also referred to as a ‘plant’ or
‘foothold’) to be able to “move” around inside a network. Basically using the first
compromise to allow and even aid in the compromise of other otherwise inaccessible
systems. In this scenario we will be using it for routing traffic from a normally nonroutable network.
258
Pivoting
Click to edit Master title style
Pivoting is an extremely powerful feature and is a critical capability to have on
penetration tests. Metasploit Meterpreter is a common exploit tool to accomplish a
pivot attack
For example, we grab the company directory from a server. We then target a user in
the target IT department. We call up the user and say that you are from a vendor and
we need them like them to visit our website in order to download a new security
patch. We know they use IE, so at the URL we are pointing them to, we run an
Explorer exploit.
When the victim visits our malicious URL, a meterpreter session in Metasploit is
opened for us giving full access their system. When we connect to our meterpreter
session, we run ipconfig and see that the exploited system is dual-homed, a common
configuration with IT staff. We want to leverage this newly discovered information
and attack this other network. Metasploit has an autoroute meterpreter script that
will let us attack this second network through the first compromised machine.
Now that we have added our additional route, we will escalate to SYSTEM directory,
dump the password hashes, and put our meterpreter session in the background by
259
pressing Ctrl-z. Now we need to determine if there are other systems on this second
network we have discovered. We will use a basic TCP port scanner to look for ports
139 and 445. We have discovered an additional machine on this network with ports
139 and 445 open so we will try to re-use our gathered password hash with the
psexec exploit module. Since many companies use imaging software, the local
Administrator password is frequently the same across the entire enterprise.
259
Exploitation: Privilege Escalation
Click to edit Master title style
• Privilege escalation launches from info gathered from the
enumeration phase
• It leverages configuration errors, poor patching, programming
errors and system design flaws
• It can be vertical or horizontal
• The goal of this exploit is to become a root or administrative
user, level 15 user on a switch or router, exec user, Domain
Admin group member, etc.
Leverages programming errors and system design flaws to give an attacker elevated
access to the network and related systems, data, and applications
Privilege escalation can occur during the attack kill chain or as part of penetration
testing
Can be vertical vs. horizontal
Advanced Persistent Threats (APTs) often attempt an escalation of access privileges
soon after the initial compromise phase
The goal is to become a root or administrative user, level 15 user on a switch or
router, exec user, Domain Admin group member, etc.
The higher the level, the broader the access, and the more potential there is to
damage or exfiltrate critical data
260
Basic Linux Privilege Escalation
Click to edit Master title style
1.
2.
3.
4.
5.
Check the OS release of the vulnerable system
View its kernel version
Check the available users and the current user privileges
List the SUID files
View the installed packages, programs, and running services
(outdated versions may be vulnerable)
SUID (Set owner User ID up on execution) is a special type of file permissions given to
a file. Normally in Linux/Unix when a program runs, it inherits access permissions
from the logged in user. SUID is defined as giving temporary permissions to a user to
run a program/file with the permissions of the file owner rather that the user who
runs it. In simple words users will get file owner's permissions as well as owner UID
and GID when executing a file/program/command.
261
Penetration Test Report
Click to edit Master title style
1.
2.
3.
4.
Executive summary to guide the strategic direction
Walkthrough of physical and technical risks
Potential impact of found vulnerabilities
Multiple vulnerability remediation options
1 - Executive Summary for Strategic Direction
The executive summary serves as a high-level view of both risk and business impact
in plain English. The purpose is to be concise and clear. It should be something that
non-technical readers can review and gain insight into the security concerns
highlighted in the report.
2 - Walkthrough of Technical Risks
Most reports use some sort of rating system to measure risk, but seldom do they take
the time to explain the risk. The client’s IT department needs to make swift, impactful
decisions on how best to resolve vulnerabilities. To do so, they require approval from
the people upstairs. To simply state that something is dangerous does not properly
convey risk.
3 - Potential Impact of Vulnerability
Risk can be broken down into two pieces: likelihood (probability) and potential
impact (magnitude) over a time frame.
4 - Multiple Vulnerability Remediation Options
262
Most penetration test reports will include a generic, high-level description of how to
handle these problems; however, these generic “catch-all’ remediation guides often
fall short when it comes to the unique context of the client’s needs. If a client has a
vulnerable service running on a webserver that they depend on, the remediation
should offer more than telling them to simply disable the service altogether.
262
Virtualization Defined
Click to edit Master title style
• According to NIST:
• "Virtualization is the simulation of the software and/or
hardware upon which other software runs."
• "It is a methodology for emulation or abstraction of hardware
resources that enables complete execution stacks including
software applications to run on it."
263
Virtualization Components
Click to edit Master title style
• A hypervisor is the software that generates and controls a
virtual infrastructure allowing multiple OSs (multi-tenancy) to
run on a single physical machine
• The system running the hypervisor is called the “host”
• The virtual machines running on the host are “guests”
264
Virtualization Components
Click to edit Master title style
• Proprietary hypervisors:
•
•
•
•
Hyper-V
vSphere/ESXi
OVM
FusionSphere
• Open source hypervisors:
•
•
•
•
KVM
OpenVZ
Red Hat
Xen
265
Type 1 Hypervisor
Click to edit Master title style
(Paravirtualization
Drivers and Tools)
There are two types of hypervisors: Type 1 and Type 2. Type 1 hypervisors run directly
on the system hardware. They are often referred to as a native or bare metal (or even
embedded hypervisors) in vendor documentation. The first thing installed is the
hypervisor itself which functions as the OS for the bare metal physical host. The
hypervisor software talks directly to the host hardware and boots before the OS. This
is where you really earn your stripes in a private cloud environment – making these
key well-researched decisions. IaaS pretty much removes that overhead – but you will
pay for it.
Google Cloud uses the open-source KVM hypervisor that has been validated by
scores of researchers as the foundation of Google Compute Engine and Google
Container Engine.
Every AWS AMI uses the Xen hypervisor on bare metal. Xen offers two kinds of
virtualization: HVM (Hardware Virtual Machine) and PV (Paravirtualization).
Oracle also uses Xen hypervisor
The Physical Host is also called the Virtualization Host and the first step is to make
266
sure that your system meets the requirements to serve as a physical host based on
the open-source or proprietary solution specifications.
In the traditional x86 architecture, operating system kernels expect direct CPU access
running in Ring 0, which is the most privileged and protected level. With software
virtualization, guest operating systems can’t run in Ring 0 because the Hypervisor sits
there. The guest operating systems must therefore run in Ring 1, but there's a catch:
Some x86 instructions work only in Ring 0, so the operating systems must be
recompiled to avoid them. This process is called paravirtualization, and it is
impractical — especially if the source code for the OS is not available. To get around
this, the Hypervisor traps these instructions and emulates them, which unfortunately
results in an enormous performance hit making these Virtual machines significantly
slower than real physical ones. The solution is Hardware-Assisted Virtualization
266
Hardware-Assisted Virtualization
Click to edit Master title style
• With hardware-assisted virtualization, the operating system
has direct access to resources without any emulation or OS
modification
• Intel (Intel VT) and AMD (AMD-V) have supporting
virtualization technologies providing a set of new instructions
and – crucially – a new privilege level
• The hypervisor can now run at Ring -1 so the guest operating
systems can run in Ring 0
• There's no need for paravirtualization, the VMM does less
work, and the performance hit is reduced
267
Type 2 Hypervisor
Click to edit Master title style
Type 2 hypervisors are loaded on top of an already installed HOST operating system
like Windows Server, Windows 10 or Linux Ubuntu or Debian. Common ones are
VMware Workstation and Oracle VirtualBox to name a couple. A Type 2 hypervisor
depends on the underlying operating system.
Mention your penetration testing detonation chamber (Kali, Parrot Project to
Metasploitable2/3 OS, Windows clients and Servers)
Type 2 are less scalable since they run on another OS. They can be more complex to
manage. The security of the Host operating system can also represent a security
vulnerability. These are more likely to fit the needs of consumers as they support
desktop virtualization.
268
Containers
Click to edit Master title style
• According to Docker:
“A container is a standard unit of software that packages
up code and all its dependencies, so the application runs
quickly and reliably from one computing environment to
another.”
• “A Docker container image is a lightweight, standalone,
executable package of software that includes everything
needed to run an application: code, runtime, system
tools, system libraries and settings.”
A container runtime is the environment for each container - comprised of binaries
coordinating multiple operating system components that isolate resources and
resource usage for running containers
269
VM Sprawl
Click to edit Master title style
• VM sprawl can happen if the number of virtual
machines on a network gets to the point where the
administrator can no longer efficiently manage them
effectively
• It can also be a scenario where unauthorized and
unlicensed operating systems and application cause
shadow IT
270
VM Escape
Click to edit Master title style
• The ability for the guest operating system to break into
the host
• It began as a simple directory traversal attack in VMware
(2007) to side-channel attacks
• A major vulnerability was found at Black Hat USA 2009
• There have been over 30 known vulnerabilities
In 2008, a vulnerability (CVE-2008-0923) in VMware discovered by Core Security
Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A
fully working exploit labeled Cloudburst was developed by Immunity Inc. for
Immunity CANVAS (commercial penetration testing tool). Cloudburst was presented
in Black Hat USA 2009.
The most recent is “AMD ATI Radeon ATIDXX64.DLL MOVC shader functionality
denial-of-service vulnerability”
January 21, 2020
CVE Number: CVE-2019-5147
271
Infrastructure as a Service
Click to edit Master title style
• The capabilities offered to the consumer is rapid on-demand
provisioning of processing, storage, networks, and other
fundamental computing resources
• Consumers can then deploy and run operating systems and
applications – sometimes from a third-party marketplace of
partner vendors
272
Infrastructure as a Service at AWS
Click to edit Master title style
@aws.amazon.com
The customer does not manage or control the underlying cloud infrastructure
(everything in orange) but does have control over operating systems, block and object
storage, and deployed applications including possibly limited control of select
networking components (e.g. Routing, NAT, NACLS, and L2/3 and WAF firewalls to
name a few)
For example: AWS products that fall into the well-understood category of
Infrastructure as a Service (IaaS), would be Amazon EC2 OS instances, Elastic Block
Storage (EBS) made up of directly attached SSD and HDD drives deployed in RAID
arrays, and Amazon Virtual Private Clouds (VPC). These are completely under your
control and require you to perform all of the necessary security configuration,
updates and management tasks.
For example, for EC2 instances, you’re responsible for management of the guest OS
(including updates and security patches), any application software or utilities you
install on the instances, and the configuration of the AWS-provided firewall (called a
security group) on each instance.
273
Platform-as-a-Service (PaaS)
Click to edit Master title style
• PaaS offers capability to build or buy applications onto the
cloud infrastructure
• It uses a variety of programming languages, libraries, services,
and tools supported by the cloud provider
• The PaaS customer will control the deployed applications and
often configuration settings for the application-hosting
environment
Platform as a service remove the need for organizations to control the underlying
infrastructure (typically hardware and operating systems) and let you focus on the
deployment and management of your applications. This helps you be more efficient
as you don’t need to worry about resource procurement, capacity planning, software
maintenance, patching, or any of the other undifferentiated heavy lifting involved in
running your application.
Containers are also popular PaaS solutions
274
Platform-as-a-Service (PaaS)
Click to edit Master title style
• .NET, Java, Ruby, Python, Go, JSON, YAML, etc.
• Amazon Web Services examples
•
•
•
•
•
Lightsail
Amazon Aurora DB
Lambda
Elastic Beanstalk
CloudFront
Can be server-based applications or serverless code like AWS Lambda functions
Can be containerized (with Kubernetes) or not
Can leverage many partner marketplace Amazon Machine Images (AMIs) or you can
create your own of course
275
Platform-as-a-Service at AWS
Click to edit Master title style
@aws.amazon.com
@aws.amazon.com
Managed Services like Relational Database Service (RDS) and Elastic MapReduce
(EMR) grant more responsibility with the CSP
RDS - Amazon Relational Database Service (Amazon RDS) makes it easy to set up,
operate, and scale a relational database in the cloud. It provides cost-efficient and
resizable capacity while automating time-consuming administration tasks such as
hardware provisioning, database setup, patching and backups. It frees you to focus
on your applications so you can give them the fast performance, high availability,
security and compatibility they need. Amazon RDS is available on several database
instance types - optimized for memory, performance or I/O - and provides you with 6
familiar database engines to choose from: Amazon Aurora, PostgreSQL, MySQL,
MariaDB, Oracle, and Microsoft SQL Server.
Elastic MapReduce - Amazon EMR provides a managed Hadoop framework that
makes it easy, fast, and cost-effective to process vast amounts of data across
dynamically scalable Amazon EC2 instances. You can also run other popular
distributed frameworks such as Apache Spark and HBase in Amazon EMR, and
interact with data in other AWS data stores such as Amazon S3 and Amazon
DynamoDB. Amazon EMR securely and reliably handles a broad set of big data use
276
cases:
• Log analysis
• Web indexing
• Data transformations (ETL – extract, transform, and load)
• Machine learning
• Financial analysis
• Scientific simulation
• Bioinformatics
276
Software-as-a-Service (SaaS)
Click to edit Master title style
• Customer uses the service provider’s applications running
entirely on a cloud infrastructure
• The applications are accessible from various client devices
through either a thin client interface, such as a web browser
(e.g., web-based email) or a program interface
• There are possible exceptions of limited user-specific
application configuration settings
The consumer doesn’t not manage or control the underlying infrastructure or even
individual application capabilities
Zoho.com is a good example
Many vendors actually build their SaaS companies and offerings on top of AWS IaaS
and using AWS PaaS services and marketplace partners!
277
Common SaaS Use Cases
Click to edit Master title style
•
•
•
•
•
•
•
Customer Relationship Management (CRM)
Enterprise Resource Planning (ERP)
Community services
Billing services
Analytics services
Personal storage services
Security services
278
*-as-a-Service
Click to edit Master title style
•
•
•
•
•
•
Database as a Service (DBaaS)
Functions as a Service (FaaS)
Communications as a Service (CaaS)
Business Process as a Service (BPaaS)
Security as a Service (Sec-as-a-Service or MSSPs)
Malware as a Service (MaaS)
279
Cloud Deployment Models
Click to edit Master title style
• This decision will have a significant impact on the
organization regarding:
•
•
•
•
•
Business strategy and objectives
Regulations and governance
Costs and forecasted budgets
Risk treatment (handling)
New technologies and green initiatives
A deployment model also has to be selected to determine residency, ownership, and
shared responsibilities
Risk treatment – Avoidance, Acceptance, Reduction/Mitigate, Share/Transfer
280
Public Cloud Deployment
Click to edit Master title style
• Public cloud is provisioned for open use by the general public
• It may be owned, managed, and operated by a business,
academic, or government organization, or some combination
of them, yet it exists on the premises of the cloud provider
AWS fully deploys the cloud and all applications run in their cloud. Applications in the
cloud have either been created in the cloud or have been migrated from an existing
infrastructure to take advantage of the benefits of cloud computing. Cloud-based
applications can be built on low-level infrastructure pieces or can use higher level
services that provide abstraction from the management, architecting, and scaling
requirements of core infrastructure.
281
Private Cloud Deployment
Click to edit Master title style
• The cloud infrastructure is provisioned for exclusive use by a
single organization comprising multiple consumers
• It may be owned, managed, and operated by the
organization, a third-party, or some combination of them
• Offers the same benefits of a public cloud without giving up
control, privacy, and security
• May be necessary due to regulations (HIPAA)
• Private cloud may exist on or off premises
Deploying resources on-premises, using virtualization and resource management
tools, is sometimes called “private cloud”. On-premises deployment does not provide
many of the benefits of cloud computing but is sometimes sought for its ability to
provide dedicated resources. In most cases this deployment model is the same as
legacy IT infrastructure while using application management and virtualization
technologies to try and increase resource utilization.
282
Community Cloud Deployment
Click to edit Master title style
• Provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns
• Often owned and operated by one or more of the
organizations in the community, a third party, or some
combination of them
• Common examples are healthcare
and finance communities
• AWS GovCloud is an example
Shared concerns e.g., mission, security requirements, policy and compliance
considerations
Common use case is several healthcare providers using a community cloud to share
patients information while maintaining HIPAA compliance.
283
Hybrid Cloud Deployment
Click to edit Master title style
• A combination of two or more distinct cloud infrastructures
(private, community, or public) that remain unique entities
• They are bound together by standardized or proprietary
technology that enables data and application portability
(e.g., cloud bursting for load balancing between clouds)
284
Hybrid Cloud Deployment
Click to edit Master title style
• Organizations may need to keep certain resources internal
and private for mission-criticality or regulatory reasons
• Often involves “Bursting Up” to the cloud as needed
• AWS offers Outposts – Hybrid as a Service
• Simply using SaaS solutions does not make it a hybrid
285
Cloud Deployments
Click to edit Master title style
A hybrid deployment is a way to connect infrastructure and applications between
cloud-based resources and existing resources that are not located in the cloud.
The most common method of hybrid deployment is between the cloud and existing
on-premises infrastructure to extend, and grow, an organization's infrastructure into
the cloud while connecting cloud resources to internal system.
SDN – Cisco Software-Defined Networking
286
Cloud Value Propositions: Cost
Click to edit Master title style
• Some customers experience 50% or more cost reduction
from their previous private cloud or traditional hosted
data center
• Eliminates large upfront investments for: cabling,
cooling, power, networks, racks, servers, storage,
certifications, and labor
• Cost reduction due to economy of scale
• Pay-as-you-go and pay-as-you-use
Some AWS customers experience 50% or more lower cost than their previous on
premise or traditional hosted data center. A significant portion of the savings comes
from eliminating large upfront investments for: Cabling – Cooling – Power –
Networking – Racks – Servers – Storage – Certifications – Labor
Secondly, the massive scale will reduce costs on an ongoing basis as shown in the
graphic below from AWS. This benefit is one of the primary reasons AWS has grown
to be 5 times the size of it's next 5 competitors and also the difficulty of start ups
being able to deliver lower costs.
The third component of lower costs come from customers paying only for what they
use. This ability is attributable to the elasticity of AWS services as compared to on
premise and traditional data centers. The graphic below from AWS highlights the
waste required to meet infrastructure demand by paying for more than needed or the
customer dissatisfaction when paying for less than is needed to save money. AWS's
ability to provide what is needed when it is needed as an infrastructure service
removes this inefficiency.
287
Value Propositions: Agility and Elasticity
Click to edit Master title style
• Companies can leverage the infrastructure for speed,
experimentation and innovation
• Rapidly respond to markets trends and new potential
• Unlimited scalability and dynamic provisioning &
deprovisioning of processing, storage, database, and
memory
• Allows organizations to shift and pool resources over
different infrastructures to avoid overprovisioning and
cost overruns
288
Value Proposition: On-Demand Access
Click to edit Master title style
• Represents anywhere, anytime access to resources on a
wide-variety of devices
• Offers an online portal that allows consumers the ability
to provision cloud resources as needed automatically
and rapidly without human interaction in most scenarios
• Uses edge locations caching CDN resources in many
global cities
289
Value Propositions: Auto Scaling
Click to edit Master title style
• Auto Scaling monitors your applications and automatically
adjusts capacity to maintain steady, predictable performance
at the lowest possible cost
• CSPs allow for easy setup of application scaling for multiple
resources across multiple services in minutes
• Service offers simple, powerful user interfaces that let you
build scaling plans for instances, fleets, tasks, database tables,
indexes, and replicas
290
Value Propositions: Security
Click to edit Master title style
• Cloud providers operate and manage the components from
the host operating system and virtualization layer down to
the physical security of the facilities in which the services
operate
• They are designed to security best practices and security
compliance standards on top of some of the most secure
computing infrastructure in the world
291
Value Propositions: Security
Click to edit Master title style
•
•
•
Nondescript, undisclosed locations
24/7 security staffing
MFA with biometrics for facility access with frequent refreshing of
authorization
• Continuous monitoring and auditing
• Network boundary devices monitor
and audit access
• Intrusion detection and analysis
• Automated change control
• Bastion services act as gateways for
privileged access
292
AWS Global Infrastructure
Click to edit Master title style
The AWS Type 1 Xen hypervisors on massive NAS and RAID arrays are deployed within
AWS datacenters located in the 60 Availability Zones within 20 geographic regions
around the world, with announced plans for 12 more Availability Zones and four
more AWS Regions in Bahrain, Cape Town, Hong Kong SAR, and Milan.
Availability Zones are connected to each other with fast, private fiber-optic
networking, enabling you to easily architect applications that automatically fail-over
between Availability Zones without interruption. In addition to replicating
applications and data across multiple data centers in the same Region using
Availability Zones, you can also choose to increase redundancy and fault tolerance
further by replicating data between geographic Regions. You can do so using both
private, high speed networking and public internet connections to provide an
additional layer of business continuity, or to provide low latency access across the
globe.
AWS Edge Network Locations:
Edge locations - Ashburn, VA (3); Atlanta GA (3); Boston, MA; Chicago, IL (2);
Dallas/Fort Worth, TX (5); Denver, CO (2); Hayward, CA; Hillsboro, OR; Jacksonville,
FL; Los Angeles, CA (4); Miami, FL (3); Minneapolis, MN; Montreal, QC; New York, NY
293
(3); Newark, NJ (3); Palo Alto, CA; Phoenix, AZ; Philadelphia, PA; San Jose, CA (2);
Seattle, WA (3); South Bend, IN; St. Louis, MO; Toronto, ON; Regional Edge Caches Northern Virginia; Ohio; Oregon
293
Root Account Compromise
Click to edit Master title style
• All providers have a standalone single-sign on root or billing
account
• This has highest privileges and is linked to the direct or credit
card billing and original email address
• This is the primary target for external attackers
• Fake access keys are common honey tokens to catch
privileged insiders
294
Access Keys
Click to edit Master title style
• Some CSPs require all API calls be digitally signed using
HMAC-SHA128/256
• Keys offers origin authentication, non-repudiation, and
integrity
• Forward secrecy demands that you use a key derived from
the secret access key
• Do NOT embed credentials into API calls or application code!
If you use any of the AWS SDKs to generate requests, the digital signature calculation
is done for you; otherwise, you can have your application calculate it and include it in
your REST or Query requests by following the directions in the AWS documentation.
Not only does the signing process help protect message integrity by preventing
tampering with the request while it is in transit, it also helps protect against potential
replay attacks. A request must reach AWS within 15 minutes of the time stamp in the
request. Otherwise, AWS denies the request.
Version 4 provides an additional measure of protection over previous versions by
requiring that you sign the message using a key that is derived from your secret
access key rather than using the secret access key itself.
Because access keys can be misused if they fall into the wrong hands, you should save
them in a safe place and not embed them in your code if you’re a developer.
For customers with large fleets of elastically scaling EC2 instances, the use of IAM
roles is a more secure and convenient way to manage the distribution of access keys.
IAM roles provide temporary credentials, which not only get automatically loaded to
295
the target instance, but are also automatically rotated multiple times a day.
We will look at the IAM Roles functionality as well today…
295
Command Line Interface Access
Click to edit Master title style
296
CSP Attacks: Instance Backdoors
Click to edit Master title style
•
•
•
•
•
•
•
Spambots
C&CActivity
DenialOfService.Tcp
DenialOfService.Udp
DenialOfService.Dns
DenialOfService.UdpOnTcpPorts
DenialOfService.UnusualProtocol
297
CSP Attacks: Cryptojacking
Click to edit Master title style
• CryptoCurrency:EC2/
BitcoinTool.B!DNS
• An instance is querying a domain name associated with
cryptocurrency-related activity
• CryptoCurrency:EC2/
BitcoinTool.B
• An instance is querying an IP address that is associated with
cryptocurrency-related activity
298
CSP Attacks: Pentest Threats
Click to edit Master title style
• There are popular penetration testing tools that can identify
weaknesses in instances that need patching
• Attackers also use this tool to find configuration weaknesses
and gain unauthorized access to your environment
• Machines running Linux are making API calls using credentials
that belong to your account using:
• Kali Linux
• Parrot Linux
• Pentoo Linux
299
CSP Attacks: Persistence
Click to edit Master title style
• Your credentials might be compromised when configuration
settings are changed under suspicious circumstances
• Principal invokes an API commonly used to change the access
permissions for firewalls, security groups, and ACLs in an
account
• Network Permissions
• Resource Permissions
• User Permissions
A user is exhibiting behavior that is different from the established baseline as they
have no prior history of invoking an API.
300
CSP Attacks: Policy Changes
Click to edit Master title style
• Attacker changes the public access policy for your object
storage (S3, Google Cloud Storage, Azure Blob)
• A suspicious API is invoked using the root or billing account
• A principal attempts to assign a highly permissive policy to
themselves – behavior associated with a privilege escalation
attack
301
CSP Attacks: Reconnaissance
Click to edit Master title style
• An instance has an unprotected port being probed by a
known malicious host
• Instance is performing outbound port scans to a remote host
• API was invoked from a:
• Tor exit node IP address
• IP address on a custom threat list
• Known malicious IP
Tor is software for enabling anonymous communication. It encrypts and randomly
bounces communications through relays between a series of network nodes. The last
Tor node is called the exit node. This can be a reconnaissance attack: an anonymous
user trying to gather information or gain access to your AWS resources for malicious
purposes.
302
CSP Attacks: Reconnaissance
Click to edit Master title style
• API commonly used to discover the network, resource, and
user access permissions
• A principal with no prior history of doing so invokes the
RunInstances API
303
CSP Attacks: Stealth
Click to edit Master title style
• Server access logging is disabled for an object storage
container
• Account password policy has been weakened – not
strengthened
• A principal invoked an API call commonly used to stop
logging, delete existing logs, and otherwise eliminate traces
of activity in your cloud account.
AWS S3 – Google Cloud Storage – Azure Blob Storage
304
CSP Attacks: Trojans
Click to edit Master title style
• Attempting to communicate with the IP of a remote host that
is a known black hole or remote host known to hold
credentials and other stolen data captured by malware
(DropPoint)
• Querying a domain name that is being redirected to a black
hole, drive-by download, or DGA address
An instance in your environment might be compromised because it is trying to
communicate with an IP address of a black hole (or sink hole). Black holes refer to
places in the network where incoming or outgoing traffic is silently discarded without
informing the source that the data didn't reach its intended recipient. A black hole IP
address specifies a host machine that is not running or an address to which no host
has been assigned.
There is an instance in your environment trying to query domain generation
algorithms (DGA) domains. Such domains are commonly used by malware and could
be an indication of a compromised instance.
305
CSP Attacks: Trojans
Click to edit Master title style
• Instance is exfiltrating data through DNS queries
• Instance is querying domains involved in phishing attacks
• Unauthorized access through:
• Tor IP Caller
• Metadata DNS Rebind
(169.254.169.254)
• Multiple worldwide successful console logins
Tor is software for enabling anonymous communication. It encrypts and randomly
bounces communications through relays between a series of network nodes. The last
Tor node is called the exit node. This can indicate unauthorized access to your AWS
resources with the intent of hiding the attacker’s true identity.
DNS Rebinding involves tricking an application running on the instance to load a
return data from a URL, where the domain name in the URL resolves to the instance
metadata IP address (169.254.169.254). This causes the application to access
metadata and possibly make it available to the attacker. It is possible to access
metadata using DNS Rebinding only if the EC2 instance is running a vulnerable
application that allows injection of URLs, or if a human user accesses the URL in a
web
browser running on the EC2 instance.
306
Cryptology
Click to edit Master title style
• Cryptology is an umbrella term which covers both
cryptography and cryptanalysis
• It is the study of ciphers:
• Algorithms and techniques used for hashing, encryption and
decryption
• Presents a well-defined series of steps to perform operations
• There are many different types of ciphers from the basic to the
multifaceted
307
Cryptography
Click to edit Master title style
•
Cryptography creates techniques to secure communications in the
presence of third parties
• Offers confidentiality, integrity, origin authentication, and nonrepudiation
• Cryptographic problems can be tractable or intractable
• Tractable are easier problems that can be solved quickly for certain
inputs (constant, linear, quadratic)
• Intractable problems are difficult and cannot be solved quickly
• Factoring large primes (RSA)
• Computing elliptic curves (ECC)
• Exponential or super-polynomial problems
Historically, cryptography was synonymous with encryption. Its goal was to keep
messages private.
308
Cryptanalysis
Click to edit Master title style
•
•
•
•
•
You can only prove that an algorithm is not vulnerable to known
cryptanalytic attack
Cryptanalysis is the practice and study of determining and
exploiting weaknesses in cryptographic techniques
There is a symbiotic relationship between cryptographers and
cryptanalysts
Three main types of attacks
• Brute force attacks
• Implementation attacks
• Side channel attacks
Poor key management is the main weakness in systems today
It is an ironic fact of cryptography that it is impossible to prove that an algorithm is
secure. You can prove only that it is not vulnerable to known cryptanalytic attacks. If
there are methods that have been developed but are unknown to the cryptographers,
then an algorithm may be able to be cracked. You can prove only invulnerability to
known attacks, except for a brute-force attack. All algorithms are vulnerable to brute
force. If every possible key is tried, one of the keys has to work. Therefore, no
algorithm is unbreakable. The best you can hope for are algorithms that are
vulnerable only to brute-force attacks.
309
Encryption
Click to edit Master title style
• Encryption hides the original data or message content by
scrambling the clear text into a random appearing string of
characters called ciphertext
• Decryption reverses the process of encryption when an entity
has the proper decryption key
• Many applications store and send information in clear text
310
Cryptographic Keys
Click to edit Master title style
• Cryptographic keys are strings of bits used by cryptographic
algorithms to transform plain text into cipher text or vice
versa
• The keys should remain private to ensure secure
communication
• A cryptographic key is the core aspect of cryptographic
operations
311
Block Ciphers
Click to edit Master title style
• Block ciphers perform their operations on varying
chunks of data in different sized blocks
• With encryption operations, blocks are actually the
mode of operation
When you encrypt or decrypt a message with a block cipher (of any size), you don't
use the block cipher directly, but put it into a mode of operation. The simplest such
mode would be electronic code book mode (ECB) used by the deprecated DES, which
simply cuts the message in blocks, applies the cipher to each block and outputs the
resulting blocks.
312
Block Ciphers
Click to edit Master title style
• MD5 hashing uses compression function operating on
512-bit blocks divided into smaller 32-bit blocks
• DES, 3DES, Blowfish, Twofish and AES use block modes
• AES is iterated block cipher based on Rijndael using key
lengths of 128, 192, or 256 to encrypt 128-bit blocks
AES is an iterated block cipher, which means that the initial input block and cipher key
undergo multiple transformation cycles before producing output. It is based on the
more general Rijndael cipher. Rijndael specifies variable block sizes and key sizes, but
AES specifically uses keys with a length of 128, 192, or 256
bits to encrypt 128-bit blocks.
MD5 - The main algorithm itself is based on a compression function, which operates
on blocks. The input is a data block, plus feedback of previous blocks. The 512-bit
blocks are divided into sixteen 32-bit sub-blocks. These blocks are then rearranged
with simple operations in a main loop, which consists of four rounds. The output of
the algorithm is a set of four 32-bit blocks, which concatenate to form a single 128-bit
hash value. The message length is also encoded into the digest.
313
Stream Ciphers
Click to edit Master title style
• Stream ciphers encrypt one bit or byte at a time with a
stream of pseudorandom bits as a key
• A One-Time Pad (OTP) is an effective stream cipher that
applies the exclusive OR (XOR) operation to plaintext
• Using an unpredictable and never re-used purely
random key should make OTP unbreakable
Often such stream ciphers work by producing a keystream from the actual key (and
maybe an initialization vector) and then simply XOR-ing it with the message – these
are called synchronous stream ciphers. Other stream ciphers might vary the
encryption of future parts of the message depending on previous parts.
Some block cipher modes of operation actually create a synchronous stream cipher,
like CTR and OFB mode.
The One-Time Pad, is supposed to use a purely random key to achieve "perfect
secrecy". IOW, it's supposed to be totally immune to brute force attacks – or what
physicists would call ‘absurdity’. The practical challenge with the one-time pad is that,
in order to create a guaranteed cipher, its key should be longer than the plaintext. In
other words, if I want perfect encryption of a 500 MB video of my band - I would
need a key that is Gigabits long.
314
Stream Ciphers
Click to edit Master title style
• RC4 is a prevalent stream cipher used to secure web traffic in
SSL and TLS
• RFC 7465 prohibits the use of RC4 in all versions of TLS due to
cryptographic weaknesses
• These recent findings may allow other stream ciphers like
SALSA, SOSEMANUK, PANAMA, and others to gain ground
RFC 7465: Because of the RC4 deficiencies, the following apply:
➢ TLS clients MUST NOT include RC4 cipher suites in the ClientHello message
➢ TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a
cipher suite in the ClientHello message
315
Simple Stream Cipher Example
Click to edit Master title style
The Boolean Exclusive OR (XOR) function is a fundamental cryptographic operation.
The output of a XOR is TRUE if exactly one of the inputs is true (1). Otherwise, the
output is false (0).
316
Hashing
Click to edit Master title style
• A hash function operates much like the checksums performed
on frames and file transfers to maintain integrity
• Hash functions are algorithms that change input (or data) of
an arbitrary or random length into a smaller, fixed-sized
output called a digest or fingerprint
• The most common for years was MD5 which is a 128-bit
hashing algorithm that has been deprecated
317
Cryptographic Hashing
Click to edit Master title style
• The function should be collision
resistant - computationally infeasible to
find two messages that can produce
the same hash result
• Birthday paradox affects strength
• The avalanche effect is applied to result
318
Hashed-Message-Authentication-Code
Click to edit Master title style
HMAC operates by interleaving the hashing key with the message in a secure manner.
319
HMACs
Click to edit Master title style
• SHA-2 HMACs are always preferable
• With TLS 1.2, all cipher suites are required to explicitly specify
a pseudorandom function (PRF) based on HMAC and SHA-256
• TLS 1.2 will generate a key block which is made up of 2 MAC
keys, 2 encryption keys (preferably AES-256_CGM) and 2
initialization vectors (IV) when needed with block ciphers
320
Symmetric Key Systems
Click to edit Master title style
• Symmetric key cryptosystems use the same key to encrypt
and decrypt data
• They are also called secret-key or private-key encryption
• The sender and receiver must share the same secret key
before achieving secure communication so protecting this key
is tantamount
• They are often used to protect data in storage and with VPNs
• Key management can be a challenge with symmetric systems
321
Symmetric Key Systems - AES
Click to edit Master title style
• They work fast and are often used for bulk encryption when
data privacy is needed using 40 to 256-bit keys (1.5 x 1077
possible keys)
• Common algorithms are DES, 3DES-EDE and AES
• AES uses 4 cryptographic transformations:
•
•
•
•
AddRoundKey: XOR the round key bit-by-bit
SubBytes: uses an S-box to substitute each 8-bit value
ShiftRows: a left circular shift of rows 1, 2 and 3
MixColumns: an additional byte value substitution
AES is an iterated block cipher, which means that the initial input block and cipher key
undergo multiple transformation cycles before producing output.
322
Symmetric Key Cryptography
Click to edit Master title style
323
Block vs. Stream
Click to edit Master title style
A block cipher mode is an algorithm that features the use of a symmetric key block
cipher algorithm to provide an information service, such as confidentiality or
authentication. Currently, NIST has approved fourteen modes of the approved block
ciphers in a series of special publications. In this classic example we see 3DES in block
chain mode.
Currently, there are two NIST approved block cipher algorithms that can be used for
both applying cryptographic protection (e.g., encryption) and removing or verifying
the protection that was previously applied (e.g., decryption): AES and Triple DES. Two
other block cipher algorithms were previously approved: DES and Skipjack; however,
their approval has been withdrawn.
Stream ciphers use of a symmetric key that uses plaintext combined with a
pseudorandom cipher digit stream called a keystream. Stream ciphers will encrypt
plaintext digits “one at a time” along with the corresponding figure of the keystream.
The resulting output will provide the corresponding output of the ciphertext stream.
Another name for the stream cipher is a state cipher because every digit is dependent
on the current state of the cipher. Typically a digit will be a bit and the combination
operation will use the XOR operation.
324
RC4 is the most popular stream cipher that's been around for several years. However,
it is now “illegal” to use RC4 with TLS on public websites.
The ChaCha family of stream ciphers, also known as Snuffle 2008, which is a variant
of the Salsa20 family of stream ciphers is gaining in popularity.
324
Key Stretching
Click to edit Master title style
• Converts passwords using various algorithms to produce a
more random and longer key than the original
• Tries to make passwords based on one-way hashes much
harder to compromise
• Uses key derivation processes such as a salt (and/or pepper)
combined with a a specialized function such as PBKDF2,
bcrypt, or scrypt
Key stretching is the practice of converting a password to a longer and more random
key for cryptographic purposes such as encryption.
This is generally recognized as making encryption stronger as it ensures that the
encryption itself is reasonably hard. The process of converting a password into a key
is accomplished by a type of algorithm known as a key derivation function that may
include salt and pepper with the password to make the key more difficult to guess.
Key stretching can also be applied to a master key as well as a password
Pepper: The main idea is to add random bits to the password encryption, similar to
the "salt" bits that are currently used to protect passwords against dictionary attacks.
We call the new bits: "pepper" bits. Unlike the "salt" bits that are saved with the
encrypted password, the pepper bits are used to encrypt the password, but are never
saved.
325
Asymmetric Key Systems
Click to edit Master title style
• Asymmetric encryption is also known as public key encryption
• The system uses a pair of mathematically related keys
• Entities generate the key pair and share the public key while
keeping the private key secret
• Data that is encrypted with the private key requires the public
key to decrypt and vice versa
• Common asymmetric protocols are RSA, DSA, ElGamal, DiffieHellman, ECDH (elliptic curve) and EC-DSA
Asymmetric algorithms utilize a pair of keys for encryption and decryption. The paired
keys are mathematically related and are generated together – think of them as
fraternal twins as opposed to identical twins. Typically, an entity – let’s say a
corporate edge router – that generates an RSA key pair will share one of the keys (the
public key) and it keep the other key (the private key) secret. Data that is encrypted
with the private key requires the public key to decrypt and vice versa.
Asymmetric encryption is also known as public key encryption.
Common Asymmetric protocols are: RSA, DSA, ElGamal, Diffie-Hellman, and elliptic
curve ECDH, and EC-DSA.
326
Asymmetric Key Confidentiality
Click to edit Master title style
Alice
Bob
RSA
Encryption
Decryption
Bob’s Public Key
Bob’s Private Key
The security services that are provided by asymmetric encryption can differ by
scenario. Imagine that Bob has generated a public/private key pair. Bob keeps the
private key totally secret but publishes the public key so it is available to everyone.
Alice has a message that she wants to send to Bob in private. If Alice encrypts the
message using Bob’s public key, only Bob has the private key that is required to
decrypt the message, providing confidentiality.
327
Asymmetric Key Origin Authentication
Click to edit Master title style
Alice
Bob
Encryption
Decryption
Alice’s Private Key
Alice’s Public Key
RSA
Now, let’s say that Alice has an important message that she wants to send to Bob.
Alice encrypts the message with her private key and sends it to Bob. Bob can use
Alice’s public key to decrypt the message, but so can anyone else who has
intercepted the message. Obviously, this does not provide privacy, but there is a
security benefit. If Bob can use Alice’s public key to decrypt the message, Bob then
knows that the message was originally encrypted with Alice’s private key. Only Alice
has that private key, so Bob knows that the message originated from Alice. This
provides origin authentication.
328
(Perfect) Forward Secrecy
Click to edit Master title style
• Ensures that a session key derived from a set of long-term
public and private keys will not be compromised if one of the
(long-term) private keys is compromised in the future
• IPsec can negotiate new keys for every communication and if
a key is compromised only the specific session it protected
will be revealed
• With forward secrecy, every TLS connection to the web server
is individually protected
Ensures that a session key derived from a set of long-term public and private keys will
not be compromised if one of the (long-term) private keys is compromised in the
future.
IPsec can negotiate new keys for every communication and if a key is compromised
only the specific session it protected will be revealed
With forward secrecy every TLS connection to the web server is individually protected
One of the biggest flaws of RSA is that it does not provide forward secrecy for TLS
(check out: FHMQV-C protocol on Wikipedia)
329
Digital Signatures
Click to edit Master title style
• Digital signatures offer a service comparable to
handwritten signatures but over the network
• They use hashing algorithms to append a fingerprint (or
digest) to the original data or message
• The fingerprint is encrypted with the sender’s (signer)
private key and becomes the digital signature
• The original message/data and signature are sent
together to the recipient
Suppose that you send transaction instructions through email to your online stock
trading company for a pretty substantial sum and the transaction timing was really
bad - so you lost a ton of money on some options trade. It is plausible that you could
claim never to have sent the transaction order or that someone forged your email
account. The brokerage firm could protect itself by requiring the use of digital
signatures before accepting instructions via email.
Digital signatures can provide the same functionality as handwritten signatures, but
even more.
The idea of encrypting a file with your private key is a step towards digital signatures.
Anyone who decrypts the file with your public key knows that you were the one who
encrypted it. But, since asymmetric encryption is computationally expensive, this is
not optimal. Digital signatures actually leave the original data
unencrypted. It does not require expensive decryption to simply read the signed
documents. Digital signatures, instead, use a hash algorithm to produce a much
smaller fingerprint of the original data. This fingerprint is then encrypted with the
signer’s private key. The document and the signature are delivered
together. The digital signature is validated by taking the document and running it
330
through the hash algorithm to produce its fingerprint. The signature is then decrypted
with the sender’s public key. If the decrypted signature and the computed hash
match, then the document is identical to what was originally signed by the signer.
Usually asymmetric algorithms, such as RSA and DSA, are used for digital signatures.
330
Digital Signatures
Click to edit Master title style
331
Digital Signature Services
Click to edit Master title style
• Digital signatures provide integrity of the digitally signed
message or information
• They verify the source authenticity of the digitally signed
data
• Digital signatures provide transactional non-repudiation
• The properties of digital signatures must be nonforgeable, authentic, non-reusable, unchangeable, and
not repudiated
That scenario showed how the authenticity and integrity of the message is
confirmed, even though the actual data is public. Keep in mind that BOTH digital
signatures AND encryption and are necessary to ensure that the message is
confidential and has not changed.
Digital signatures provide three basic security services in secure communications:
• Authenticity of digitally signed data: Digital signatures authenticate a source,
proving that a certain party has seen and has signed the data in question.
• Integrity of digitally signed data: Digital signatures guarantee that the data has not
changed from the time it was signed.
• Nonrepudiation of the transaction: The recipient can take the data to a third party,
and the third party accepts the digital signature as a proof that this data exchange
did take place. The signing party cannot repudiate that it has signed the data.
332
Adding a Programmatic IAM User
Click to edit Master title style
Applications running outside of an AWS environment will need access keys for
programmatic access to AWS resources. For example, monitoring tools running onpremises and third-party automation tools will need access keys. These are called
“Service Accounts” as well in AWS. In GCP they are specifically configured Service
Accounts in fact.
If you use any of the AWS SDKs to generate requests, the digital signature calculation
is done for you; otherwise, you can have your application calculate it and include it in
your REST or Query requests by following the directions in the AWS documentation.
Not only does the signing process help protect message integrity by preventing
tampering with the request while it is in transit, it also helps protect against potential
replay attacks. A request must reach AWS within 15 minutes of the time stamp in the
request. Otherwise, AWS denies the request.
Version 4 provides an additional measure of protection over previous versions by
requiring that you sign the message using a key that is derived from your secret
access key rather than using the secret access key itself.
333
AWS Command Line Interface
Click to edit Master title style
334
AWS Key Management Service
Click to edit Master title style
335
Digitally Signed Code
Click to edit Master title style
336
Digitally Signed Code
Click to edit Master title style
337
IP Security (IPsec)
Click to edit Master title style
• IP security (IPsec) is a suite of protocols created for IPv4 to
maintain the integrity, confidentiality, and authentication of
data communications over an IP network
• The two main protocols are Authentication Header (AH) and
Encapsulating Security Payload (ESP offers confidentiality)
• IPsec can function in tunnel mode between two terminating
devices, or in transport mode in an end-to-end configuration
• It is used for virtual private networks, application-level
security, and routing security
338
IPsec Algorithms
Click to edit Master title style
•
•
•
•
•
HMAC-SHA1/SHA2 for integrity protection and authenticity
3DES-CBC for confidentiality
AES-CBC for confidentiality
AES-GCM for confidentiality and authentication
ChaCha20 + Poly1305 providing confidentiality and authentication
together efficiently
339
IKE version 1 (IKEv1)
Click to edit Master title style
• IKE phase one’s job is to establish a secure authenticated
communication channel using the Diffie–Hellman key
exchange algorithm
• This generates a shared secret key to encrypt further IKE
communications
• This creates a bidirectional IKE peering SA
• 2 peers begin the DH process by agreeing on a large prime
number
• The authentication can be performed using either pre-shared
key (shared secret), signatures, or public key encryption
Main Mode protects the identity of the peers and the hash of the shared key by
encrypting them; Aggressive Mode does not.
340
IKE version 1 (IKEv1)
Click to edit Master title style
• Phase one operates in either main mode or aggressive
mode
• During IKE phase two, the peers use the secure channel
established in phase one to negotiate security
associations (SA) for IPsec
• This negotiation creates a minimum of two
unidirectional SA’s
• IKEv1 phase two operates in quick mode
341
VPN Gateways
Click to edit Master title style
• Can be based on servers, routers, firewalls, dedicated
appliances
• Terminate S2S and remote access VPNs
• Typically IPSec (IKEv1/2) and/or SSL/TLS
• Support client-based full tunnel or clientless
• Often will also be a CA server for VPN PKI
342
SSL/TLS
Click to edit Master title style
• Transport Layer Security (TLS) is arguably the most
important protocol for global communication
• It is a message and handshake structure for entities to:
•
•
•
•
Agree on cryptographic parameters
Establish secret keys
Authenticate identities
Transmit messages
In Nov 1994, SSL1 and SSL2 was developed by Netscape – In August 2019, TLS 1.3 was
released in RFC 8446
343
Transport Layer Security (TLS)
Click to edit Master title style
• All TLS packets are sent using the record protocol
• Data is sent using one of the four subprotocols in the
record layer:
•
•
•
•
20-ChangeCipherSpec
21-Alert
22-Handshake
23-Application data
20 ChangeCipherSpec - Switching to a new encryption suite
21 Alert – an alert mechanism
22 Handshake - Handshake messages
23 Application Data - Opaque application data
344
Transport Layer Security (TLS)
Click to edit Master title style
• The TLS handshake protocol contains its own header and
is used to form parameters for the rest of the session,
and it must:
•
•
•
•
Agree ciphers and protocols
Authenticate the server (and client)
Be robust against tampering and attack
Establish shared secrets
345
TLS 1.3 is a Major Change
Click to edit Master title style
• All ciphers removed except for modern AEAD
• Provides a wider use of extensions
• The key exchange and authentication are separated
from the ciphers
• There are major handshake improvements
• 0-RTT is resumed
In 1.3, the handshake embeds much of the key exchange into the hello messages.
0-RTT Resumption means that during application data, the server can send a pre
shared key for use next time.
346
Transport Layer Security (TLS)
Click to edit Master title style
TLS defines cipher suites that describe the cryptographic primitives and other security
parameters that will be used in that session
347
Public Key Infrastructure (PKI)
Click to edit Master title style
• PKI has 2 main goals:
• Scalable and secure way to distribute public keys in digital
certificates
• Reliable method to revoke keys in certificates when they are no
longer valid
348
Certificate Life Cycle
Click to edit Master title style
1. The subscriber submits a Certificate Signing request (CSR) to
a Certificate Authority (CA)
2. CSR transports a public key (plus other metadata) and
reveals the public key ownership using a digital signature
1.
2.
3.
4.
Subscriber submits Certificate Signing request (CSR) to CA
CRS transports public key (plus other metadata) and reveals public key
ownership using a digital signature
CA then follows a validation process:
a)
Domain Validated (DV)
b)
Organization Validated (OV)
c)
Extended Validation (EV)
Upon validation, CA issues certificate and all
intermediary certificates needed to chain to its root
349
Certificate Life Cycle
Click to edit Master title style
Content
PU-A
User
CA
Public Key
of User A
RSA
PR-CA
PU-CA
Private Key
of CA
Public Key
of CA
Sign
PU-A
Public Key of
User A, signed
by the CA
Signing Key
350
Certificate Life Cycle
Click to edit Master title style
3. The CA then follows a validation process:
• Domain Validated (DV)
• Organization Validated (OV)
• Extended Validation (EV)
4. Upon validation, the CA issues the certificate and all
intermediary certificates needed to chain to its root
1.
2.
3.
4.
Subscriber submits Certificate Signing request (CSR) to CA
CRS transports public key (plus other metadata) and reveals public key
ownership using a digital signature
CA then follows a validation process:
a)
Domain Validated (DV)
b)
Organization Validated (OV)
c)
Extended Validation (EV)
Upon validation, CA issues certificate and all
intermediary certificates needed to chain to its root
351
Certificate Life Cycle
Click to edit Master title style
CA
PR-CA
PU-CA
Private Key
of CA
Public Key
of CA
User A
PR-A
Private Key
of User A
PU-A
Public Key
of User A
User B
PU-CA
PU-A
PR-C
PU-C
PU-CA
PU-C
Public Key
of CA
Public Key of
User A signed
by the CA
Private Key
of User C
Public Key
of User C
Public Key
of CA
Public Key of
User C Signed
by the CA
CA
CA
Certificates are then returned to the customers from the CA’s which are part of a web
of trust.
Certificates can now be exchanged over untrusted network.
Certificates/public keys of entities are now verified with public key of CA.
352
X509v3 Certificate
Click to edit Master title style
353
X509v3 Certificate
Click to edit Master title style
•
•
•
•
•
Version number
Serial number
Signature algorithm ID
Issuer name
Validity period
• Not before
• Not after
• Subject name
• Subject Alternate Name (SAN)
• Used to associate additional names like email address, IP
addresses, and DNS names
354
X509v3 Certificate
Click to edit Master title style
•
•
•
•
•
•
•
•
Subject public key info
Public key algorithm
Subject public key
Issuer unique identifier
Subject unique identifier
Extensions
Certificate signature algorithm
Certificate signature
355
Certificate Types
Click to edit Master title style
• Self-signed
• Signed by the entity it certifies
• Root CAs
• Root unsigned or self-signed that
identifies the root CA
• Trust anchor for digital certificates in
the chain of trust
• Email (S/MIME)
• Sign and encrypt email messages
356
Certificate Types
Click to edit Master title style
•
•
•
Wildcard
• Used with multiple subdomains like
*.mycompany.com
Code signing
• Used to authenticate the source and
integrity of code, like device drivers,
applications, macros, configuration files,
and binaries
User and machine/computer
• Used by the local machine, device, or user
to authenticate to a directory (EAP-TLS)
357
Reasons for Invalid Certificates
Click to edit Master title style
• Misconfiguring virtual servers
• A common mistake is to put plaintext sites on the same address
as another site using encryption on TCP port 443
• Private CAs and self-signed certificates
• Expired certificates
• Inadequate name coverage
• Certificates are bought but operator does not designate all of
the required hostnames (for example: www.example.com AND
example.com AND the wildcard *.example.com )
Miscofiguring virtual servers
Common mistake is to put plaintext sites on the same address as another site
using encryption on TCP port 443
Private CAs and self-signed certificates
Expired certificates
Inadequate name coverage
Certificates are bought but operator does not designate all of the required
hostnames (for example: www.pearson.com AND pearson.com)
358
CRL Revocation
Click to edit Master title style
• The CRL is a list of revoked, but not yet expired, serial
numbers
• Every certificate should have the location of a CRL in the CRL
Distribution Point extension
• Real-time lookups are slow and often ignored by browsers
and other clients
• Long validity periods are another problem
Chrome doesn’t check CRLs by default; Firefox doesn’t check URLs even for EV
certificates; IE does check; Safari checks but ignores failures.
Clients often will not check the validity of Intermediate certificates – even then they
can be considered fresh for 12 months.
Biggest problem with OCSP wasn’t built fresh from the ground up but simply
attempted to improve on CRL. Actally, the OCSP attacks are less threatening since so
many user agents ignore it completely - and some modern browsers choose not to
use OCSP. OCSP has a reputation for unreliability and therefore most browsers take a
soft-fail approach.
359
OCSP Revocation
Click to edit Master title style
• OCSP relies on responder servers to return the status
• The location of responder is in Authority Information Access
extension
• Responders bring privacy and performance challenges
• Replay and response suppression attacks are common
360
OCSP Stapling
Click to edit Master title style
• OCSP Stapling forces the server to send fresh certificate data
to clients in the CertificateStatus handshake
• Clients implement “status_request extension” to support
OCSP stapling
• Stapling supports only one response (changing in RFC 6961)
and only checks the status of the server certificate
• New proposals are for “Must Staple” feature with either a
new type of certificate that only works with stapled
responses OR the server can advertise in response header
(possibly as an extension to the HSTS protocol)
• Forces server to send fresh certificate data to clients in the CertificateStatus
handshake
• Clients implement “status_request extension” to support OCSP stapling
• Supports only one response (changing in RFC 6961) and only checks the status of
the server certificate
• New proposals are for “Must Staple” feature with either a new type of certificate
that only works with stapled responses OR server can advertise in response header
(possibly as an extension to the HSTS protocol)
361
Certificate Pinning
Click to edit Master title style
• Pinning a service to one or more cryptographic identities for:
• Reducing attack surfaces
• Maintaining continuity of keys
• Performing authentication
• TLS can pin the SubjectPublicKeyInfo (SPKI)
field in server certificate
• Doing this elsewhere in the certificate chain may be more
practical
…identities such as certificates and public keys – keep track of certificates based on
their SHA256 hashes.
Reducing attack surfaces – Today, a domain owners authorization is not required for a
CA to issue a certificate! A CA can issue for any domain name and that is a huge
attack surface. Noe domain owners can “PIN” the Cas that they allow to issue
certificates for their domains. They can pick Verisign and GoDaddy or Comodo and
Thawte and configure the pins accordingly
Continuity of keys – just like with SSH, keys are associated with pinned web servers
when visited for the first time then checked on subsequent visits. TOFU –Trust On
First Use. This is similar to the way Mozilla Firefox lets you create an Exception for a
certificate it can’t verify.
Authentication – Can also be used for authentican in the future especially if
combined with DNSSEC.
362
Written Security Policies
Click to edit Master title style
• A written information security policy is the keystone of
an Information Security Program
• The policy should mirror the organization’s mission,
goals, and objectives for security
• It is the established management strategy for delivering
CIA
In order to be useful in providing authority to execute the remainder of the
Information Security Program, it must also be formally agreed upon by executive
management. This means that, in order to compose an information security policy
document, an organization has to have well-defined objectives for security and an
agreed-upon management strategy for securing information.
363
Written Security Policies
Click to edit Master title style
• The first step in writing a security policy is to determine
how executive management positions and prioritizes
security
• It is acceptable to use existing templates, but it should
be as customized and targeted as possible
364
365
366
An effective computer security awareness and training program might be a SevenStep program. This 7-Steps will not be on the exam per-se. Approach this process
from a common sense real-world approach:
Scope of the program: should provide training to all of the types of people who
interact with IT systems. Because users need training that relates directly to their use
of particular systems, you need to supplement a large organization-wide program
with more system-specific programs. New hires should undergo this training within
the first 30 days if possible.
Staff: It is important that trainers have sufficient knowledge of computer security
issues, principles, and techniques. It is also vital that they know how to communicate
information and ideas effectively.
Target Audience: Not everyone needs the same degree or type of computer security
information to do their jobs. A computer security awareness and training program
that distinguishes between groups of people, presents only the information that is
needed by that particular audience, omitting irrelevant information, to obtain the
best results.
367
Motivate management and employees: To successfully implement an awareness and
training program, it is important to gain the support of management and employees.
Consider using motivational techniques to show management and employees how
their participation in a computer security and awareness program benefits the
organization.
Examine step 5 – Conduct the Program – in detail on the next slide…
Maintain the program: The organization should make an effort to keep current with
changes in computer technology and security requirements. A training program that
meets the needs of an organization today may become ineffective when the
organization starts to use a new application or changes its environment, such as by
connecting to the Internet.
Evaluate the program: An evaluation should attempt to ascertain how much
information is retained, to what extent computer security procedures are being
followed, and general attitudes toward computer security.
367
Administer the program: Several important considerations for administering the
program include visibility, selection of appropriate training methods, topics,
materials, and presentation techniques.
Visual reminders: login banners, posters, short periodic email reminders, mouse pads,
coffee cups, awards for days without a breach (pizza party – casual Friday)
368
Administer the program: Several important considerations for administering the
program include visibility, selection of appropriate training methods, topics,
materials, and presentation techniques.
Visual reminders: login banners, posters, short periodic email reminders, mouse pads,
coffee cups, awards for days without a breach (pizza party – casual Friday)
369
Policies
Click to edit Master title style
• Policies are formal declarations that are produced and
reinforced by senior management or a steering committee
• They can be directed at the entire organization, select
business or organizational unit, department, system, or
initiative (i.e. mobility)
• The policies should reflect the goals for the information
security program and driven by business objectives and risk
management
370
Standards
Click to edit Master title style
• Standards are mandatory activities or rules that underpin the
broader formal policies
• A challenge of developing standards for an information
security program is getting a company-wide consensus on
what standards need to be in place
• This can be a time-consuming process but is vital to the
success of your information security program.
• Used to indicate expected user behavior
• For example, a consistent company email signature
• Might specify what hardware and software is used
371
Guidelines
Click to edit Master title style
• Guidelines are recommendations to users when specific
standards do not apply
• Guidelines are designed to streamline certain processes
according to what the best practices are. Guidelines, by
nature, should open to interpretation and do not need
to be followed to the letter
• Are more general vs. specific rules
• Provide flexibility for unforeseen circumstances
• Should NOT be confused with formal policy statements
372
373
Written Security Policies
Click to edit Master title style
• On the exam remember that the most common section of the
written security policy is the AUP
• Try to collect as many examples off the web and from expert
peers as you can to help you form the best possible policy
• It will be a document that should change regularly with new
threats, new technology, and new apps – what will be the
next TikTok?
• Also, keep in mind that security is a continual balance
between restriction and productivity
• You don’t want a policy that actually thwarts interactivity and
efficiency of employees
• Morale is important so try to strike a good balance
374
Defining Risk
Click to edit Master title style
• Risk is defined differently by various organizations and
methodologies
• Risk is a potential loss, disaster, or other undesirable event
measured with probabilities assigned to losses of various
magnitudes [long]
• It is the possibility that something bad could happen [short]
A state of uncertainty where some of the possibilities involve a loss, injury,
catastrophe or other undesirable outcome
375
Defining Risk
Click to edit Master title style
• Inherent risk is the present risk level given the existing set of
controls (rather than the hypothetical idea of the absence of
any controls)
• Residual risk is whatever risk level remains after additional
controls are applied
• Risk Treatment (Handling):
•
•
•
•
Acceptance
Avoidance
Transference
Mitigation
Inherent risk is current risk level given the existing set of controls rather than the
hypothetical notion of an absence of any controls. The flaw with inherent risk is that
in most cases, when used in practice, it does not explicitly consider which controls
are being included or excluded.
Residual risk would then be whatever risk level remain after additional controls are
applied.
376
Risk Acceptance
Click to edit Master title style
• Risk acceptance involves retaining the risk and accepting the
loss if it happens
• This assumes that you have accounted for the possibility of
loss from the risk
• This type of risk handling is a viable strategy for small risks,
where the cost of controls or insurance would be greater over
time than the total sustained losses
• Acceptance assumes that the cost of protecting the asset is
generally substantially more than the value of the asset
377
Risk Avoidance
Click to edit Master title style
• Avoidance results in not performing an activity that could
carry risk
• An example is never using mobile device on the premises
• This might seem like the best way to address all risks, but
avoiding risk also means losing out on the potential gain that
accepting (retaining) the risk might allow
• An example is not starting a new partnership to avoid the risk of
loss but losing out on potential revenue gained
378
Risk Transference
Click to edit Master title style
• Transfer or sharing of risk involves distributing the burden of
loss or the benefit of gain with another entity
• The term "risk transfer" is often used in place of risk sharing,
although in practice the transfer of risk to an insurance or
outsourcing company may result in loss if the company goes
out of business
• In most cases, the buyer of insurance generally retains legal
responsibility for the losses that are transferred
Taking advantage of the shared responsibility model of a cloud service provider is also
a way to transfer or share risk.
379
Risk Mitigation
Click to edit Master title style
• Risk mitigation is also known as risk reduction or optimization
• It involves reducing the severity of the loss or the likelihood
that the loss will occur
• Risk is mitigated at various levels, based on the effectiveness
of the control
• Most technical controls fall within this category:
• Firewalls, NG-IPS, IAM, endpoint detection and response,
physical security, and security awareness
Risk is mitigated at various levels, based on the effectiveness of the control (difficulty
or resistance strength)
380
Top 5 Risks based on Recent Surveys
Click to edit Master title style
Aon
EIU
Pro
Damage to reputation
Weakening demand
Disruptive technologies
Economic slowdown
Market sector instability
Internal resistance to
change
Increased competition
Difficulty raising funds
Cyber threats
Regulatory changes
Labor issues
Regulatory changes
Cyber threats
Fluctuating exchange
rates
Timely identification of
handling of risks
The Economist Intelligence Unit (EIU)
Aon Global Risk Consulting
Protiviti
381
Defining Risk Management
Click to edit Master title style
• Risk management involves identifying, analyzing, and
prioritizing risks
• This process should be followed up with a coordinated and
economically efficient deployment of resources to:
• Monitor meaningful metrics
• Control the probability of events and incidents
• Reduce overall impact
382
Defining Risk Analysis
Click to edit Master title style
• Risk analysis is the meticulous examination of all risk
components
• This includes the evaluation of the probabilities (likelihood) of
varying likely events and the ultimate consequences (impact)
• The primary objective is to inform the efforts of risk
management
383
Main Challenges for Risk Management
Click to edit Master title style
• A lack of consensus on the concept of risk
• An unrelenting reliance on subjective human judgment
• A reliance on traditional methods with arbitrary rules and
values
• A general lack of quality control
• Accepting various institutional factors
384
Threat Enumeration
Click to edit Master title style
• Threat enumeration is the process of launching an active
connection to various target hosts to ascertain potential
attack vectors in the system, service, or application
• This information can be used for threat assessment and
penetration testing or it could be used maliciously to further
exploit the target
Enumeration is defined as a process which establishes an active connection to the
target hosts to discover potential attack vectors in the system, and the same can be
used for further exploitation of the system.
385
Threat Enumeration
Click to edit Master title style
• Enumeration is used to gather:
•
•
•
•
•
•
Hostnames, usernames and group names
Network shares and service
IP addresses and routing tables
Service settings and Audit configurations
Application and banners
SNMP, DHCP and DNS info
• Enumeration can be also be performed on: NetBios, LDAP,
NTP, SMTP, Windows, UNIX/Linux, iOS and Android
Significance of enumeration:
Enumeration is often considered as a critical phase in Penetration testing as the
outcome of enumeration can be used directly for exploiting the system.
Enumeration classification:
Enumeration can be performed on the below.
NetBios Enumeration
SNMP Enumeration
LDAP Enumeration
NTP Enumeration
SMTP Enumeration
DNS Enumeration
Windows Enumeration
UNIX /Linux Enumeration
386
Threat Matrix
Click to edit Master title style
From Intel
387
Sample Entity Relationship Diagram (ERD)
Click to edit Master title style
Mention LucidChart
388
FAIR-based Capability Maturity Model
Click to edit Master title style
Level 5 – Purely Explicit
Level 4 – Mature Explicit
Level 3 – Early Explicit
Level 2 – Implicit
Level 1 – Chaotic
1 – Decision-making is on-the-fly and ad-hoc; based almost completely on experience
(if any), instincts and intuition. Poorly defined decision-making authority; inconsistent
and not-aligned with C-Suite. Total lack of KGIs, KRIs, and KPIs.
2 – Decision-making driven by strict adherence to standards and policies that may or
may not align with expectations and demands from leadership. Superficial and poorly
scrutinized information is the most common input. Roles and responsibilities are
vague. Most assessments are done qualitatively and are dependent on subjective
“expert judgment”, SMEs, or clear bias and agenda. KGIs, KRIs, and KPIs may exist but
are basically immaterial from a practical standpoint. Understanding of risk concepts
are unreliable or artificial at this maturity level.
3 – Here terminology is becoming standardized with a clear path to an ontology
(according to Wikipedia: “In computer science and information science, an ontology
is a formal naming and definition of the types, properties, and interrelationships of
the entities that really or fundamentally exist for a particular domain of discourse. It
is thus a practical application of philosophical ontology, with a taxonomy.”) Decisionmaking is supported by more complete and reliable information. Visibility tools are
being used and updated (Dashboards). The beginning of robust and defensible
389
analysis is being performed. C-Suite is performing high-level policy reviews and
steering committees are being formed and are productive. A risk register is being
compiled and severity scales (qual and quant) are being established. KGIs, KRIs, and
KPIs are established.
4 – The quality of the visibility of the risk management program is evident. Data and
information is timely. Information is transitioning into real knowledge where
aggregate and correlating views of the enterprise risk treatment is quantitatively
being decided. The pros and cons are becoming clear. Executives are strategically
prioritizing and selecting the proper controls based on a variety of well-established
metrics. Here one could see the introduction of data science tools in R programming;
machine-learning; and big data analysis.
5 – All decisions are being made completely based on risk appetite using proven
quantifiable and visible metrics and analysis. There is a near-complete wisdom into
terminology, risk concepts and treatment (residual and inherent risk), visibility,
analysis, and authority of decision-making.
389
Risk Assessment & Management Program
Click to edit Master title style
1.
2.
3.
4.
5.
6.
7.
Purpose and context of program
Scope and charter (C-suite must sign)
Authority, structure, and reporting
Asset identification, classification, and ownership
Risk management objectives
Select the methodology
Choose the implementation team
390
OCTAVE
Click to edit Master title style
© OCTAVE
• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) - is one
of the best known risk management methodologies. It is a structured approach to
evaluating risk that addresses operational risk, security practices and the
technology that is used to mitigate the recognized risk. The goal of this approach,
compared to others, is that it takes a more strategic approach compared to a
tactical one. It not only focuses on the technology but the practices and processes
also. This is also a methodology that a company can learn and use in-house instead
of requiring security consultants to run this type of program.
391
ISO/IEC 31000:2009
Click to edit Master title style
Context Establishment
Risk Identification
Risk
Assessment
Risk Analysis
Risk Evaluation
Risk Treatment
ISO 31000:2009 is Risk Management Principles and guidelines. It offers principles,
framework and a process for managing risk. It can be used by any organization
regardless of its size, activity or sector. Using ISO 31000 can help organizations
increase the likelihood of achieving objectives, improve the identification of
opportunities and threats and effectively allocate and use resources for risk
treatment. It’s meant for people who create and protect value in an organization by
managing risks, making decisions, setting and achieving objectives and improving
performance. The standard’s revision process discovers the virtues of keeping risk
management simple.
However, ISO 31000 can’t be used for certification purposes, but does provide
guidance for internal or external audit programs. Organizations using it can compare
their risk management practices with an internationally recognized benchmark,
providing sound principles for effective management and corporate governance.
Context example: Brio is introducing a CASB SaaS initiative for all of our customers
who use Office 365 and Workday. We will recommend a third-party company like
Cloudlock or Forcepoint – as opposed to Microsoft’s own CASB solution which at this
point in time isn’t mature enough for our standards.
392
Risk Identification: This simply what can happen, when, where, how & why. It is
combining gap analysis and vulnerability assessment. Involves identifying key
processes, tasks, activities and recognizing risk areas due to lack of adequate
controls. You will define, categorize, and prioritize risks of all types.
Analyzing risk involves processes to identify controls, determine likelihood, determine
consequence/impact, and determine levels of risk using meaningful metrics and
calibrated estimates.
Risk Evaluation activities include: Compare against criteria. Identify & assess options.
Decide on response. Establish priorities.
A Risk Treatment Plan (RTP) is used to identify each information asset flagged in the
Risk Assessment report that has an unacceptable level of risk and will state the
method of treatment intended to handle or treat that risk.
.
392
Translating Risk into Business Terms
Click to edit Master title style
• Business dependency
assessment is the process of
identifying resources vital to
the successful operation of
business
• Translating risk into simpler
results for the non-technical
business executives and
stakeholders
• Use a variety of graphical tools
to simplify and communicate
findings of risk assessment
and analysis
• SIEM Dashboards preferable to
charts
• If charting use: bar and bullet
graphs, dot and scatterplots,
boxplots, spatial and heat
maps
393
Dashboards
Click to edit Master title style
Courtesy:
Security Wizardry
394
Translating Risk into Business Terms
Click to edit Master title style
• Total Cost of Ownership (TCO)
• The original cost plus maintenance, upgrades (HW/SW),
support, training, impact on user productivity
• Return on Investment (ROI)
• The operating performance and efficiency by dividing net
income
by total investment over a certain timeframe
• Return on Security Investment (ROSI)
• The results of added controls to increase resistance or difficulty
395
Defining an Event
Click to edit Master title style
• An event is a recognized occurrence in the state of data,
network, application, or system
• A web server crashes
• Unauthorized access is attempted
• Cryptojacking indications of compromise at you cloud service
provider account Risk Treatment (Handling):
• An event can be benign or destructive and is usually
discovered by monitoring or logging activities
396
Defining an Incident
Click to edit Master title style
• An incident is an established negative occurrence that affects
the state of data, network, application, or system
• An incident can cause damage or loss either directly (primary)
or indirectly (secondary)
• All incidents are made up of events , but not all events are
categorized as incidents
397
Incident Handling
Click to edit Master title style
• The first responders to an occurrence must skillfully
determine what is an event and what is considered an
incident
• Events that are not incidents will be dealt with by change,
configuration, and problem management
• Incidents are managed by incident handlers and/or incident
response teams (IRT or CSIRT)
398
E-discovery
Click to edit Master title style
• State-of-the-art technology that has appeared to lower the
risk and costs associated with big data
• Used especially in litigation and corporate/government
investigations
• The e-discovery process includes three phases:
1.
2.
3.
Identifying and collecting documents
Sorting through data by relevance
Creating production sets
399
E-discovery
Click to edit Master title style
Electronic Discovery Reference Model
Processing
Preservation
Information
Governance
Identification
Review
Production
Presentation
Collection
Analysis
400
Six Step Incident Handling Lifecycle
Click to edit Master title style
1
Preparation
6
Lessons
Learned
2
Identification
Incident
Handling
Lifecycle
3
Containment
5
Recovery
4
Eradication
401
1. Preparation
Click to edit Master title style
• Establishing processes for quantified incidents before one
occurs
• Gathering information from all available sources and experts
• Should be a section in the written security policy
• Involve executive management and other key stakeholders
across multiple roles and departments
402
1. Preparation
Click to edit Master title style
•
•
•
•
•
•
•
•
•
Dedicated IRT or swarm
First responders
C-team point of contact
Budgetary concerns
Relationship to business continuity
Gather toolkits and jump bags
Establish procedures and checklists
Testing, drills, and exercises
Continual improvement training
403
2. Identification
Click to edit Master title style
• Know all methods for being alerted to an event – then
determine if it is an incident
• Rely on the first responders and primary handlers
• Classify and categorize incident as quickly and as accurately as
possible
• These skills provide the glue between preparation and
containment
404
3. Containment
Click to edit Master title style
•
Stabilize the situation
• Remove systems from the network
• Do not power down
• Secure the area
• Physical containment
• Virtual containment
• For multiple incidents use a triage approach
• Remain steady and calm
• Decide to bring in third-parties
• Forensic teams
• Law enforcement
• Security consultants (insurance company teams)
405
3. Containment
Click to edit Master title style
• Be prepared to use forensic methods and tools if necessary
and you have in-house expertise
•
•
•
•
•
•
Perform extraction of data using write-blockers
Hash all volumes, drives, and memory images
Package and label physical evidence
Take videos and photos
Maintain chain of custody
Fully document all activities
406
4. Eradication
Click to edit Master title style
•
•
•
•
•
•
Solve the problem or remove the threat
Determine the root cause
Identify IoC’s, backdoors, and remnant artifacts
Conduct vulnerability scanning and assessment
Introduce additional controls for improved defense
Return systems and applications to a production state
407
5. Recovery
Click to edit Master title style
• Eradication and recovery are often combined in to one phase
• Involves using restoration from backups and snapshots
• Returning to a known validated state by installing and
updating systems and data
• May involve disaster recovery procedures if the incident
qualifies as a catastrophic event
408
6. Lessons Learned
Click to edit Master title style
• The knowledge gained from the process of performing
incident response
• It is often included in both an After-Action Report (AAR) and
the Risk Register (ledger)
• Formal "lessons learned" sessions are usually held by the
team after recovery phase
• These lessons can and should be recognized and documented
at all point during the life cycle
Remember that these lessons can and should be recognized and documented at all
point during the life cycle
409
6. Lessons Learned
Click to edit Master title style
•
The purpose of lessons learned is:
•
•
•
•
To share and use knowledge derived from an experience
To sanction the recurrence of positive outcomes
To prevent the reappearance of negative outcomes
To provide input for improving the initial preparation phase
Remember that these lessons can and should be recognized and documented at all
point during the life cycle
410
Business Continuity Planning (BCP)
Click to edit Master title style
•
Business continuity planning involves creating an actionable
continuity solution to prepare for the impact of a broad range of
threats including natural disasters, disease outbreaks, accidents and
terrorism
• Business continuity planning can assist with technology-related
hazards like the failure of systems, equipment or software
• BCP consists of the following:
•
• Business Impact Analysis (BIA)
• Backups and Restoration
• Disaster Recovery Planning (DRP) (optionally incident response teams)
PlanBcp is a Team-Based Disaster Recovery and Business Continuity
Planning App made for Office 365 SharePoint Online
411
Business Impact Analysis (BIA)
Click to edit Master title style
•
BIA is an analysis of an information
system’s requirements, functions, and
interdependencies used to characterize
system contingency requirements and
priorities in the event of a significant
disruption
• The BIA is a key step in implementing
the Continuity Planning controls in NIST
SP 800-53 and in the contingency
planning process overall
412
Business Impact Analysis (BIA)
Click to edit Master title style
1. Determine mission/business processes and recovery criticality
•
Mission/business processes supported by the system are identified
and the impact of a system disruption to those processes is
determined along with outage impacts and estimated downtime
2. Identify resource requirements
• Realistic recovery efforts require a thorough evaluation of the resources
required to resume mission/business processes and related
interdependencies as quickly as possible
3. Identify recovery priorities for system resources
• Based on the results from the previous activities, system resources can
be linked more clearly to critical mission/business processes and
functions
The downtime should reflect the maximum time that an organization can tolerate
while still maintaining the mission.
413
Disaster Recovery Planning (DRP)
Click to edit Master title style
•
•
•
•
•
The DRP applies to major (usually physical) disruptions to service that
deny access to the primary facility infrastructure for a period
A DRP is an information system-focused plan designed to restore
operability of the target system, application, or computer facility
infrastructure at an alternate site after an emergency
The DRP may be supported by information system contingency plans to
address recovery of impacted individual systems once the alternate
facility has been established
A DRP may support an existing BCP by recovering supporting systems
for mission/business processes or essential functions at an alternate
location
The DRP only addresses information system disruptions that require
relocation to a cold, warm, hot, mobile, or cloud site
The downtime should reflect the maximum time that an organization can tolerate
while still maintaining the mission.
414
General Tools to Know for the GSEC Exam
Click to edit Master title style
•
•
•
•
•
•
•
•
Windows Process Hacker
SECEDIT.EXE
Nessus
Nmap
Wireshark
tcpdump
John the Ripper
Cain and Abel
•
•
•
•
•
•
•
•
Kismet and aircrack.ng
Snort
Hping3
Image Steganography
Pretty Good Privacy (PGP)
GNU Privacy Guard (GPG)
Hashing and file integrity tools
PowerShell ISE basics
415
Windows Admin Concepts to Know
Click to edit Master title style
•
•
What is a SID (example: local administrator group is S-1-5-32-544)
A Security Access Token (SAT) contains SID of user account, all groups, and a list of
your privileges
•
Permissions: NTFS is default file system, shared folders (Example: Full Control,
Change, and Read are Share permission)
•
•
•
•
NTFS DACLs are ALWAYS enforced
Deny ALWAYS overrides Allow
Kerberos is default authentication mechanism in Active Directory environments and
uses a Ticket Granting Service
Multi-master replication – if a conflict then the later change overrides the previous
change
416
Windows Admin Concepts to Know
Click to edit Master title style
•
•
•
•
•
•
•
•
REGEDIT.EXE = Key > Value > Value Type> Value Data
AGULP = Accounts > Global Groups > Universal Groups > Local Groups > Permissions
and Rights
Permission is always attached to an object vs. Rights (privileges) which are general
capabilities
Administrator may have to take ownership from another user who owns an object
Workgroups vs. Domains
Define forests and cross-forest trusts models
How Group Policy Objects operate (Local GPO security Settings vs. Domain GPO’s)
Security Configuration and Analysis (SCA) Snap-in and Security Templates
•
SECEDIT.EXE is command-line version of SCA – but can’t apply template over networks
417
Windows Admin Concepts to Know
Click to edit Master title style
•
Servicing Channels (Semi-Annual, Windows Insider, Long-Term Channel)
•
•
Widows Server Update Services (WSUS)
•
•
•
•
•
•
•
Home edition users can defer quality (not feature) updates for up to 35 days
A single server can handle more than 10,000 client systems
WSUS can be managed with PowerShell and logs to a local SQL Server database
WSUS is free but you still must purchase the Server and client CAL licenses
AppLocker and BitLocker
User Account Control (UAC)
Common ports use by Windows (i.e. RDP 3389, DNS 53, SQL 1433/1434, NetBIOS)
Be familiar with the Process Hacker tool from processhacker.sourceforge.net
418
Windows Admin Concepts to Know
Click to edit Master title style
•
•
•
•
•
Kerberos ticket authentication
BitLocker drive encryption and TPM
Windows Remote Assistance and RDP
Password policies
Microsoft Azure
• Office 365 uses Azure Active Directory
419
Linux Admin Concepts to Know
Click to edit Master title style
•
•
•
•
•
•
•
Linux filesystem basics and mounting disk partitions
*nix file permissions
chmod, chown, chgrp
Escalate privileges with sudo
Shadow file
Systemd and Cron
Sysctl hardening and /etc/sysctl.conf file
•
•
Modprobe
SELinux adds multi-level mandatory access control (MAC) security
•
net.ipv4.conf.all.accept_source_route=0
420
Linux Admin Concepts to Know
•
Click to edit Master title style
Linux logging
•
•
•
•
•
•
Commands to know
•
•
•
•
•
using the “last” and “utmpdump” commands
Files = utmp, wtmp, dmesg, messages
Syslog-NG and Rsyslogd
Logrotate
Auditd
Ls –l
Netstat, top, tail
Ps –ef | grep syslog
Iptables, Bastille, CIS Hardening Guides
Advanced Packaging Tool: apt-get
421