ITI581 CYBER SECURITY FUNDAMENTALS Subject Introduction Subject Introduction Your Mentor… Andrew Stephen • 25+ years in the IT industry • 20+ years in information security management, consulting, strategy, architecture, governance, risk, compliance and operations • Information security experience across multiple organisations and industries – – – – – – Banking & financial services Airlines Utilities & critical infrastructure Education Health Government • Tertiary qualified with various industry certifications Class Times • Tutorials will run/be available: – Tuesday evenings 8:00pm Sydney time. – https://itmasters.zoom.us/j/97354430418?pwd=LzR6eTdPallacHRENFZv RUU3Z1RDZz09 • All recordings will be uploaded to Interact within 24 hours. – Interact – PDF copy of slides – Numerous other resources available throughout the course as applicable. • If you are unable to attend tutorials that is fine! – Watch the recording and stay in touch via Discussion forums or e-mail Contact andrew.stephen@itmasters.edu.au • Course Content ONLY • E-Mail me at any time. • I monitor discussion forums often. EVERYTHING ELSE admin@itmasters.edu.au Extensions • • Must be made in advance of due date. Length must be negotiated. To apply for an extension of <= 7 days: https://assist.csu.edu.au For a longer extension: e-mail admin@itmasters.edu.au • You DO NOT need to get my permission or e-mail me regarding extensions. Subject Outline Learning Objectives (LOs) • be able to construct and implement a security baseline for an organisation; • be able to justify an appropriate set of security policies for an organisation, and to ensure policy compliance; • be able to analyse the security threats to a network and propose effective countermeasures; • be able to apply security protection mechanisms, such as authentication and access control; • be able to investigate the cause of a security incident, and to respond as appropriate. Text CompTIA Security+ Study Guide: Exam SY0-601 – Paperback or eBook is fine. – Older versions are not suitable. – Available via CSU library. Assessment – Case Study Case Study – Single scenario, broken into 3 parts. – Worth 55% of your final mark. – Part 1 – 10%, Due 23:59 (11:59PM) AEST on 6th June 2022 – Part 2 – 15%, Due 23:59 (11:59PM) AEST on 4th July 2022 – Part 3 – 30%. Due 23:59 (11:59PM) AEST on 25th July 2022 APA 7 referencing Assessment - Exam • E-exam - will be available to register for later in the session • Worth 45% of final grade (hurdle requirement!) – WXYZ multiple choice (not as easy as it sounds). – Standard multiple choice. – Extended answer. • More on this later in the session. • Date TBA but during exam period. Subject Feedback • Online feedback forms – Mid-session to: adjust things if required – End of session: to help improve this, and other, subjects • Notification will be posted on Main Discussion Forum when available ITI581 CYBER SECURITY FUNDAMENTALS Topic 1 Contemporary Security Fundamentals Topic Reading • Chapter 1: Today’s Security Professional. • Interact Content. Security Primitives Information Security Primary Goals • Mechanisms by which networked information assets are protected. • Protect confidentiality. • Maintain integrity. • Assure availability. Security Provides? Security should ensure that: • Users can only perform tasks they are authorised for. • Users can only obtain information they are authorised to have. • The elimination of damage to data, applications, or operating environment. • Data exchanges are conducted in a secure and safe manner. Security Models CIA/DAD Triads Goal • • Threat/Risk Confidentiality Disclosure Integrity Alteration Availability Denial Fundamental model. We will use this one exclusively but there are others that exist. Security Models McCumber Cube • First model to formally evaluate information security, merging theory with practical implementations in policy, education, and technology. Security Models Community Cyber Security Maturity Model • A “yardstick” to allow communities to measure their current level of cyber security maturity. • A “roadmap” so communities can know what they need to do in order to advance the state of their cyber preparedness. • A common point of reference so different communities can discuss common aspects of security and issues. https://nationalcpc.org/ccsmm.html Impact of Breaches Incident impacts can be many & varied Depends on nature of incident and organization type Risks can be categorized as relating to: • • • • • Financial Reputational Strategic Operational Compliance Risks are rarely singular, rather multiple risks co-exist Security Controls Organizations must analyze the risk environment to determine: • Level of protection required to preserve C, I & A. • Controls to facilitate the required level of protection. • Cost/benefit of implementation of controls. Security Control Categories Controls are categorized based on how they achieve their objectives: Category of Control Mechanism of Action Technical Digital enforcement of C, I & A. Examples include firewall rules, ACLs, intrusion prevention & crypto. Operational Processes enforced to manage technology securely. Examples include monitoring and vulnerability assessment and management. Managerial Procedures that focus on the process of risk management. Examples include annual risk assessments, security planning, secure change management, DR/BCP. Security Control Categories Many mechanisms of action may be combined to provide a complete security paradigm for an organizational environment. For example, an organization with the goal to prevent unauthorized access to a R&D facility might achieve this by; • Implementing biometric access control (technical). • Regularly review authorization list (operational). • Bi-annual risk assessments (managerial). Security Control Types Controls can be further categorized based on the desired effect. Control Type Desired Effect Preventive Stops an issue before it occurs, e.g. firewall. Detective Identify issues that have occurred, e.g. IDS. Corrective Remediate issues that have occurred, e.g. backups. Deterrent Prevents attempts to violate security policies, e.g. guard dogs, CCTV. Physical Controls that impact the physical world, e.g. fences, gates, fire suppression systems. Compensating Mitigate the risk when exceptions to security policy occur, e.g. PCI DSS certification. Data Protection • • Much time is spent protecting data against breaches of C, I or A. To help protect data it is useful to understand the 3 possible states of data: Data State Description At rest Stored data residing in any storage location. Can be at risk of theft/damage from anyone who can gain access. In motion Data in transition across some form of communications link. Can be at risk of eavesdropping or MiTM type attacks. In processing Data actively being used by a compute system. Is at risk if compute system is compromised. Keeping Data Safe Tool Description Encryption Encryption technology uses mathematical algorithms (and keys) to protect information from disclosure, in transit and while it resides on systems. Data Loss Prevention DLP systems enforce information handling policies and procedures to prevent data loss and theft. They monitor sensitive information stores and intercept and block possible breaches. Data Minimization This seeks to reduce risk by reducing the sensitive information that is regularly maintained i.e. when information is no longer needed it is removed, destroyed or deidentified. Big Picture Cybersecurity professionals: • are responsible for ensuring the confidentiality, integrity, and availability of information and systems maintained by their organizations. • seek to protect their organizations by evaluation of risks to the CIA triad. • design and implement an appropriate mix of security controls drawn from the managerial, operational, and technical control categories. Controls should vary and include preventive, detective, corrective, deterrent, physical, and compensating controls. Risk Management Risk Management • Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. A risk comprises a threat and a vulnerability of an asset, defined as follows: • Threat: Any natural or man-made circumstance that could have an adverse impact on an organizational asset. • Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently. • Asset: An asset is a resource, process, product, or system that has some value to an organization and must, therefore, be protected. Goals of Risk Analysis • Identify assets and their values. • Identify vulnerabilities and threats. • Provide an economic balance between the impact of the threat and the cost of the countermeasure. Risk Analysis Steps • Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization. • Define specific threats, including threat frequency and impact data. • Determine the probability and business impact of these potential threats • Select appropriate safeguards. This is a component of both risk identification and Risk Control/Management. Quick Word on ALE • Single Loss Expectancy (SLE) is a measure of the loss incurred from a single realized threat or event, expressed in dollars. It is calculated as Asset Value ($) x Exposure Factor (EF). • Exposure Factor (EF) is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage. • Annualized Rate of Occurrence (ARO) is the estimated annual frequency of occurrence for a threat or event. Quick Word on ALE • The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. • ALE is determined by this formula: Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE) Qualitative Risk Analysis • Qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis. • Develop real scenarios that describe a threat and potential losses to organizational assets. • Unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis. Risk Matrix (Likelihood) - example Rare Unlikely Possible Likely Almost Certain <5% chance 5% - 10% chance 10% - 50% chance 50% - 90% chance >90% chance Less than once every 20 years Every 10-20 years Every 2-10 years Every 1-2 years More that once per year Risk Matrix (Consequence) – example Insignificant Financial <$10,000 Reputation/Brand Isolated media attention - no change in public or customer perception. No regulatory involvement. Regulatory compliance No fines but possibility of litigation. Minor $10,000-$100,000 Moderate Major $100,000-$1M $1M-$5M >$5M Short term media attention – minor change in public or customer perception. National media attention or social media activity – minor change in public or customer perception. National or international media attention or social media activity – significant change in public or customer perception. Prolonged national or international media attention or social media activity – substantial change in public or customer perception. Warning/request for explanation from regulator. Moderate financial penalties. Major financial penalties. Severe financial penalties. Minor fines/penalties. Medium period of litigation or regulatory scrutiny. Long period of litigation or regulatory scrutiny. Short period of litigation or regulatory scrutiny. Safety or injury No treatment required. Severe First aid or treatment by medical practitioner – no follow up required. Extended period of litigation or regulatory scrutiny. Loss/suspension of operating license. Treatment by medical practitioner requiring ongoing treatment – no permanent disability. Admission to hospital requiring ongoing treatment – possible permanent disability. Immediate admission to hospital requiring ongoing treatment – permanent disability/loss of capacity. Risk Matrix (Consequence) – example (cont’d) Security Insignificant Minor Moderate Major Severe Impacts to systems not rated important or critical Single instance of “Internal” information compromised Multiple instances of “Internal" information compromised Single instance of "Confidential" information compromised Multiple instances of "Confidential" information compromised Single "Important" system(s) unavailable for up to 1hour Single "Important" system unavailable for 1-24 hours Single "Critical" system(s) unavailable for up to 1hour Single "Critical" system unavailable for 1-24 hours Multiple "Important" systems unavailable for 1-24 hours Multiple "Critical" system unavailable for up to 1 hour Single "Important" system unavailable for 1-7 days Single "Important" system unavailable for >7 days Multiple "Important" systems unavailable for up to 1 hour Multiple "Important" system unavailable for >1 day Operations No impact to operations – workaround readily available and easily implemented. Minor impact (<1hr) to operation. Moderate impact (1-4hr) to operations. Moderate impact (4-8hr) to operations. Moderate impact ( >8hr) to operations. Likely DR/BCP declaration. Risk Matrix (example) Risk Matrix Source: https://cdn6.bigcommerce.com/s-g93hfm7/product_images/uploaded_images/example-cybersecurity-risk-assessment-matrix.jpg?t=1452991364 Qual v Quan • Quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. • In quantitative risk analysis all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability are measured and assigned a numeric value. • Achieving a purely quantitative risk analysis is impossible. Qual v Quan • Qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis. • Develop real scenarios that describe a threat and potential losses to organizational assets. • Unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis. Risk Control Remedies Risk Control Remedies • Avoid – Simply avoid the activity that would make you incur the risk. – This is the simplest strategy, but potentially very costly because the benefit of the activity is eliminated. • This strategy can work well for risks that result in; – a catastrophic failure if incurred, – or which cannot be reasonably addressed by any other strategy. Risk Control Remedies • Control – Continue to perform the activity while putting mechanisms in place to mitigate (reduce) the risk of the activity. – There is usually some level of residual risk. • Common cyber security controls include firewalls, intrusion detection systems, antivirus, policies, and incident response management. Risk Control Remedies • Accept – Continue to perform the activity with no mitigations in place. – Requires analyzing the various components of the risk before proceeding. • This strategy can work well when the cost of addressing the risk with one of the other strategies is greater than the cost of incurring the risk. Risk Control Remedies • Transfer – Does not mitigate the overall risk, but it does move ownership of the risk to another entity. – Typically done in the form of an insurance policy or cooperative. – While it is straightforward to purchases insurance for traditional risk categories, doing so for cyber risk can be a challenge due to its novelty and dynamics. • This strategy can work well for risks that are low likelihood but high impact. Risk Control Remedies • Ignore – This is NEVER effective. – May seem like acceptance but is significantly different. – Accepting risk is the acknowledgement of the risk yet moving forward despite it. Ignoring risk simply assumes that there is no risk or that it is insignificant. • Ignoring risk and the risk management process can lead to: – Catastrophic failure: inadvertently accepting more risk than you would have had you truly understood it. – Missed opportunity: avoidance of an activity because you believe the risk is too high, even though it may not be. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 2 Cybersecurity Threats Topic Reading • Chapter 2: Cybersecurity Threat Landscape. • Interact content. Evolution of Threats • Cybersecurity threats have increased in sophistication, prevalence and diversity over time. • Hackers are not longer unsocial, long haired, introverts hiding in darkened rooms! • Threat actors vary widely in skills, capabilities, resources and motivation. • Cybersecurity professionals must be skilled, agile and organized to protect contemporary digital systems and assets. Threat Characteristics • Threat characteristics are important because the allow cybersecurity professionals to be at one with an opponent (i.e. understand attackers). Characteristic Description Internal v External Threats can exist both outside and inside our environment. Inside threats are generally more dangerous because of the elevated level of trust given to internal actors. Sophistication Threat actors vary in skill from “script kiddie” to hardened blackhat, state sponsored agent or simple guru of security. Resources Similar to the point above the availability of resources can greatly enhance the danger a threat actor represents. Intent/Motivation This also widely varies and can be tied to the level of both sophistication and resources available to a threat actor. White, Grey and Black…Hats • White-Hat Hackers: Authorized actors who seek to discover and advise on vulnerabilities in an environment through vulnerability scanning and penetration testing type activities. • Black-Hat Hackers: Unauthorized actors who, with malicious intent, attempt to defeat security mechanisms and unlawfully impact C, I or A. • Grey-Hat Hackers: Semi-authorized actors who act without any authorization but with the intent to warn and prevent black-hat attacks. Who are the Threat Actors • Script Kiddies • Derogatory term for those who hack but lack finesse, skill or sophistication. • Often use entirely automated or web-based tools and make little attempt to conceal their identities. • Can represent a significant threat because of the vast array of tools available to them and because their recklessness often has unintended, but dire, consequences for the target environments. • Often driven by desire to show off their skill. • Typically external. Who are the Threat Actors • Hacktivists • Threat actors using hacking tools/techniques for a specific activist goal. • Famous example is the group Anonymous. • Operation DarkNet: Anonymous broke into 40 child pornography websites and published over 1500 names of users who frequented one of the sites. • Operation Russia: unidentified hackers cracked emails of pro-Kremlin activists and officials. • Skill levels can vary widely and may even be employed cybersecurity professionals. • Powerful because they have many numbers. • Typically external. Who are the Threat Actors • Criminal Syndicates • Where there is money to be made organized crime will appear! • Typical motive is simply driven by money. • Serious intent and motivation. • Tend to want to remain undetected rather than show off their skills. • Can be very highly skilled though. • Many types of crimes: – Cyber-dependant: Ransomware, DDoS, defacement etc. – Child sexual exploitation. – Payment fraud. – Darkweb. – Terrorism – Cross-cutting crime: social engineering, money mules, crypto etc. Who are the Threat Actors • Advanced Persistent Threats • Refers to state sponsored actors. • Make use of advanced tools and techniques. • Are a constant presence and build attacks over long periods of time. • Motivation can be political, economic or espionage based. • Many reports of attacks against western nations from Chinese or Russian based hackers. • Don’t always attempt to hide their identities. Who are the Threat Actors • Insiders • Threat actor is an employee, contractor, vendor, partner or other individual with some level of elevated and authorized access. • Attacks typically aim at confidentiality but may also target availability. • Skills, motivation and resources can all vary widely. • Motivation is also diverse – activism, financial, revenge. Who are the Threat Actors • Competitors • Corporate espionage aimed at theft of intellectual property (IP). • Motivation may be to gain an advantage, economical or purely disruptive. • Can make use of disgruntled employees to act from the inside. • Can have ties to the darkweb for selling of IP. Threat Vectors • Now that we have an understanding of who the threat actors are, through what vectors can they launch attacks? • Threat vectors are the means by which threat actors obtain unauthorized access. Vector Description E-Mail, Social Media Most commonly exploited vector; massive audience. Direct Access Actors gain physical access. Wireless Networks Often an easy path into an environment. Removable Media Spread malware to launch attacks; Theft of IP. Cloud Cloud services scanned and used often. Third-Party Risks Supply chain attacks, other process based attacks. Threat Intelligence • Activities, mechanisms, tools and resources used to learn about changes in the threat environment. • Important for cybersecurity professionals to build an intelligence database to build defensive capabilities. • Intelligence can also be used to predict future attacks. • Many sources of intelligence: • Open Source Intelligence (OSINT). • Commercial threat databases. • Vulnerability databases. • Indicators of Compromise. • File and code repositories. Assessing Threat Intelligence Important factors to consider: 1. Is it timely? Delayed intelligence results in failure of protective response. 2. Is it accurate? Inaccuracy also results in failure of protective responses. 3. Is it relevant? Can it help you to prevent, stop attacks? https://threatconnect.com/blog/best-practices-indicator-rating-and-confidence/ Big Picture • Cybersecurity professionals must have a strong working understanding of the threat landscape in order to assess the risks facing their organizations and the controls required to mitigate those risks. • Cybersecurity threats may be classified based on their internal or external status, their level of sophistication and capability, their resources and funding, and their intent and motivation. • Threat actors take many forms, ranging from relatively unsophisticated script kiddies who are simply seeking the thrill of a successful hack to advanced nation-state actors who use cyberattacks as a military weapon to achieve political advantage. • Cyberattacks come through a variety of threat vectors. Vulnerability Scanning & Penetration Testing NIST Assessment Guidelines • National Institute of Standards & Technology. • Computer Security Division has a mountain of great standards and guidelines for computer security. – https://csrc.nist.gov/publications/sp800 • SP800-115 deals with Information Security Testing & Assessment. – Provides guidelines on planning and conducting IS testing and assessment, analyzing findings and the development of mitigation strategies. Identifying Vulnerabilities Identifying vulnerabilities through a vulnerability appraisal. • Determines the current security weaknesses that could expose assets to threats. Two categories of software and hardware tools. • Vulnerability scanning. • Penetration testing. Vulnerability Scanning • Vulnerability Scans are used to discover existing vulnerabilities within a network or system. • Does not seek to exploit them…merely report existence. • Uncovers potential security holes for the purpose of reporting and subsequent remediation. Penetration Testing • These seek out vulnerabilities and then actively attempt to exploit found vulnerabilities. • Purpose is to demonstrate consequences of a real hacker exploiting the vulnerabilities within a network or system. Penetration Testing Pen Tests have two basic categories: • Internal – performed from within the confines of the target network/system from various access points. • External – analyses publicly available information, performs scanning, enumeration and testing from outside the local confines of the network or system…generally from the Internet. Penetration Testing Can further be categorised by the types of tools used. • Fully automated – i.e. point and shoot tools run by anyone. • Manual testing – performed by security consultants using many tools, deep analysis and “manual” work. Penetration Testing • Fully automated tools are often used to save time and money and to give a general report of what might be happening with respect to security. • A number of tools available in both free and paid variants. – Metasploit, Codenomicon, Core Impact, CANVAS. Penetration Testing • Manual testing is usually a better choice for true assessment of a network or system. • Is more expensive but you are paying for a high level of expertise. • Often outsourced. • Requires planning, design, scheduling and expertise. • Allows real human ingenuity to show its impact. Pen Test Phases • Typically, 3 phases. 1. Pre-attack Phase (Reconnaissance, scanning, enumeration). 2. Attack Phase (Attempt to actually penetrate the network defences). • • Specify targets, execute attacks, escalate privileges. Possible packet crafting, tunnelling, XSS, buffer overflows, injections, password cracking etc…… • This is where you exploit the vulnerabilities found. Pen Test Phases 3. Post-Attack Phase. • Cleanup. – A lot has changed during the attack phase and this needs to be reverted back to the way it was before the attack….remember this is a customer. • What the customer really wants/needs – the report! Pen Test Phases • After testing you’ll need to write your report detailing everything you did, to what, when and how! Report Structure The following should be part of the Pen Test Report. • An executive summary of the organization’s overall security posture. • The names of all participants and the dates of all tests. • A list of findings, usually presented in order of highest risk. • An analysis of each finding, and recommended mitigation steps that are possible. • Log files and other evidence from your testing. Vulnerability Scanner v Pen Testing • Vulnerability scanning is the process of looking for weaknesses in computer systems, networks or applications. – Involves mostly passive type operations that involve scanning or enumeration techniques in order to identify potential targets. • Penetration Testing is using specific security tools to actually take advantage of the identified weaknesses to see just how far an attacker could go. VS v PT • Vulnerability scanner can be done by anyone with a little care but….. • Pen Testing is not something that should be performed without substantial knowledge and experience! – Remember you are not an attacker….you are trying to validate your security design and implementation so damage is not something you want to do. • Best course of action is to engage the services of a suitable company that specializes in pen testing. VS v PT • Reputable security companies will be able to perform both scanning and penetration testing as part of the one project. • You should also consider using tools to periodically scan samples of your network internally & externally for vulnerabilities…especially after outages or any changes to software, hardware, topology or configuration. • Leave pen testing to the experts! Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 3 Malicious Code Topic Reading • Chapter 3: Malicious Code. • Interact content. Malware • Malware describes a broad range of software that is designed specifically to cause harm to systems, devices, networks or users. • Can be used to gather information, gain unauthorized access, elevate privileges and perform unwanted actions resulting in breaches to C, I or A. • Comes in many forms: • Ransomware. • RA Trojans/Trojans. • Bots. • Command-and-control. Ransomware • Increasingly common malware that takes over target systems and demands ransom. • Crypto ransomware encrypts target systems, rendering them useless, until a ransom is paid. • Other ransomware might may threaten to release confidential information unless a ransom is paid. • Can be very difficult to recover from but best protection is a plain and simple backup. • Cryptanalysis can be difficult and often fruitless. Trojans • Software that masquerades as legitimate software but actually provides unauthorized access to attackers. • Require some form of human interaction to spread and operate. • Remote Access Trojans (RATs) provide unauthorized remote access. • Often combated using antimalware tools and security awareness training. Worms • Are self-replicating. • Often associated with spreading via attacks on vulnerable services but can also propagate through automated means such as e-mail or file shares. • Because they can self-install without human interaction they can be quick to spread and difficult to stop. Rootkits • Malware specifically written to permit unauthorized access to systems via a backdoor. • Modern rootkits are very good at concealing their presence through: • Use of filesystem drivers. • Infection of master boot records (MBR) of disks. • Detection can be tough because systems infected with rootkits is untrustworthy. • Best to use a trusted system to inspect suspect infected systems. • Rootkit detection looks for signatures and known behaviours. Backdoors • Methods and tools that allow bypassing of regular authentication methods. • Like rootkits they are sometimes used by manufacturers to provide ongoing access to systems and software. • Backdoors can sometimes be detected by finding unexpected open ports or services but some may use legitimate services. Bots • Groups of remote-controlled systems or devices that have a malware infection. • Groups more commonly referred to as botnets. • Botnets are used to control targets in order to use them to launch various types of attacks against further target systems. • Many botnet command and control systems operate in client-server mode. Botnets Source: https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fblog.eccouncil.org%2Fwp-content%2Fuploads%2F2018%2F12%2Fthe-structure-of-a-botnet.png&f=1&nofb=1 Keyloggers • Programs that, once loaded, may capture keyboard keystrokes, mouse movement, touchscreen inputs or credit care swipes from infected devices. • Can work in various ways including capturing via the kernel, through APIs or scripts, or directly from memory. • Best defense is through best practice software maintenance and comprehensive AV/Malware solution. Logic Bombs • Functions or codes maliciously placed inside other programs. • Are activated when defined conditions are met. • Uncommon but when activated can create significant issues. Viruses • Most well known, widespread and understood of the malware types. • Are spread via varied infection mechanisms and have many different attacks methods and targets. Virus Type Description Memory resident Remain in memory while the device is running. Non-memory resident Execute, spread and then shutdown to prevent detection. Boot sector Reside on disk boot sectors. Macro Use macros or code inside common applications to spread. E-mail Spread via e-mail attachments or flaws within clients. Spyware • Designed to obtain information about a target. • Many different variants and deployment methods. • May be innocuous but certain types are quite malicious. • Often associated with identity theft and fraud. • Most frequently combated using anti-malware tools. • User awareness is also an important tool. Potentially Unwanted Programs (PUPs) • Many types of malware are malicious and cause damage. • PUPs are different in that they may not cause any harm directly. • Installed without users knowledge or permission. • Can include adware, browser toolbars, tracking programs and other types. • PUPs don’t always indicate that a system has been seriously compromised. Malicious Code • Includes scripts or bespoke code that isn’t malware but is may still be used by attackers. • Attacks can happen locally or remotely. • May leverage built-in OS tools such as PowerShell, Visual Basic and macros in Windows environments or Bash or Python in Linux environments. • Can be difficult to guard against because they leverage legitimate and well used tools. Adversarial Artificial Intelligence (AAI) • A developing field where AI used to launch attacks. • Focus is typically on poisoning of data, inserting malicious analytics or algorithms into systems or privacy based attacks. Big Picture • Malware has many variants. • Some is malicious and some is simply used to spy on us, advertise products or somehow socially manipulate us. • Depending on the type of malware prevention of infection and protection against can be very challenging. • Best practice software configuration, patching and AV tools are a good start. • Security awareness training assist greatly. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 4 Endpoint Security Topic Reading • Chapter 11: Endpoint Security. • Interact content. Endpoint Security • Protecting endpoints provides a significant proportion of daily tasks for the cybersecurity professional. • Endpoints are the predominant device category in any digital environment. • Given they are controlled by end users the variety of risks is significant. Endpoints • Devices such as servers, desktops, laptops and mobile devices are called endpoints because they are an end point of either a wired or wireless network. • Because endpoints are so diverse the protective security mechanisms available are also incredibly diverse. • Cybersecurity professionals need to have significant expertise to understand what solutions exist for specific security problems, how and when they are deployed and any considerations that must be made. Protecting the Boot Sequence • If any endpoint is to be secure and useful to an end user it must first be able to start up in a secure fashion. • Preservation of boot integrity is exactly this. • If malicious components are present during the boot sequence the endpoint is untrustworthy. • Modern Unified Extensible Firmware Interface (UEFI) firmware provides protection via two means: • Secure boot. • Measured boot. UEFI Secure Boot Process Figure 11 from text, p.425 Endpoint Security Tools Antivirus & Antimalware • Arguably the most common security tools used. • Although these tools are typically reactive they are an excellent first level of defence. • Both should always be used on user endpoints. • Unless there are specific reasons not to antivirus software should always be used on server endpoints. Methods of Detection • There are four common detection methods used by AV and AM software. Method Description Signature-based Signature generation method to identify files or components of the malware that have been previously observed. Fails with polymorphic viruses, encryption or packing methods. Heuristic-based Examines actions malicious software takes and matches them to profiles of unwanted activities. Heuristic-based detection systems can identify new malware based on what it is doing. Artificial Intelligence Uses large amounts of data to find ways to identify malware that may include heuristic, signature, and other detection capabilities. Sandboxing Protected environment where unknown, untrusted, potentially dangerous, or known malicious code can be run to observe it. Allow and Deny Lists • Simply put these are lists that either permit or deny the installation or operation of a specific piece of software or application. • Although simple they can require substantial administrative effort to maintain and are therefore not widely utilised. Endpoint Detection & Response • Where AV and AM software is not enough endpoint detection and response (EDR) tools may be deployed. • EDR provides a client-server platform where endpoints report to collectors who then collect, correlate and analyse events as they occur. • Reporting of this level is a very strong advantage of EDR systems. • Can result in a lot of data collection if there are many endpoints and so must be carefully deployed and managed. Data Loss Prevention (DLP) • DLP protects data from both theft and accidently exposure. • Can be deployed as a client or as an application on endpoints. • Has numerous features including: • Data classification to inform which data needs protection. • Data labelling and tagging to support classification and management. • Policy management and enforcement. • Monitoring and reporting. • Some DLP systems also encrypt. Network Defenses • Protection from network based attacks can be done using: • Host Intrusion Detection Systems (HIDS). – Typically monitor only and require intervention. • Host Intrusion Protection Systems (HIPS). – Can actively block. • Host Based Firewall. – Intercepts inbound communications. • All are useful but can result in high resource utilisation. Host Firewalls & IPS v Network Firewalls & IPS • Network based devices should always be used, host based will depend on circumstances. Figure 11.2 from text, p.433. Hardening Endpoints & Systems • Hardening is the process of securing a system, operating system or other application/software such that it is as secure as possible against all attacks while still allowing it to serve its required function. • More simply put the goal is to minimise the vulnerability footprint. • One of the quickest and easiest ways to harden an endpoint is to reduce the number of open ports and services that it provides. • While firewalls can be used to protect ports/services there is no need to have them enabled if they provide no purpose. Hardening Operating Systems • This involves changing settings to adhere the desired security posture. • A number of automated tools exist to make this form of hardening easier. • Examples of settings that might be considered: • Password history; set to remember 10 passwords. • Password age set to maximum of 30 days, but more than 0. • Minimum password length of 15. • Password complexity. • Setting password encryption. Windows Registry Hardening • The registry is a vital configuration component of Windows and corruption of it can be catastrophic. • Attackers can compromise the registry to: • Automatically run programs. • Information enumeration. • Perform a variety of malicious actions on operational characteristics. • Hardening the registry involves configuring appropriate permissions, disallowing remote access and, limiting access to registry tools. Patch Management • Ensuring that endpoint systems are up to date with service packs, security patches and specific application patches is critical. • Only apply service packs and patches if they are relevant to services or applications you provide or use. • You may accidently introduce issues if you rollout unrequired patches. • Many operating systems and applications have automated update tools. • Important to carefully consider if you need this automation. Disk Security & Sanitization • Full Disk Encryption (FDE) is used to ensure that should a disk be stolen the data is protected. • FDE requires the bootloader or other hardware device provides a key and software or hardware to decrypt the drive for use. • Transparent encryption is commonly used and is undetectable to the user. • Disk volumes, or folders/files, can also be encrypted. • Can be problematic if the decryption key is lost. Disk Security & Sanitization • Sanitization is ensuring that once a disk is past its used by date the entire contents are securely erased and not retrievable. • This can be done using mathematical algorithms that wipe the data from the disk. • Many software wiping tools are available. • Can also be done by simply physically destroying the disk in question. • Secure shredding services are often used but any physically destruction method will work. Internet of Things (IoT) • IoT is a broad term that describes many different non-compute devices that store data and connect to the online digital world. • Many popular devices are IoT devices (Garmin, Apple, Android devices). • Examples include automation systems, sensors, security systems, smart devices etc. • IoT brings functionality and flexibility but also some security concerns. – Poor security settings and configurations. – Short support lifespans. – Vendor and cloud services data-handling practices. Big Picture • Endpoints are the most common category of devices that require securing in an enterprise environment. • Cybersecurity experts need significantly broad levels of expertise to secure the variety of endpoints in contemporary networks. • Many tools and mechanisms are available to use. • Main goal is to reduce the vulnerability footprint while maintaining required functionality. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 5 Network Security Topic Reading • Chapter 12: Network Security. • Interact content. Importance of Networks Networks are the core of our digital environments. Provide transfer of data that drives business functions. As such they are a key target for would be attackers, criminals or competitors. Key Concepts The OSI Model The OSI model is a vital concept within data networking, and security, that you must come to terms with. It is a framework upon which all data communications are built. Allows any vendor product, software or hardware, to communicate with any other vendor product. Understanding it greatly assists with troubleshooting. OSI Model Reference model • Framework. • Software & hardware. • Reading on Interact. text. p.471 of Segmentation Division of a network into logical or physical groupings. Can be based on: Trust boundaries. Functional requirements. Other depending on importance to business. Typical driven using Virtual Local Area Networks (VLANs). Layer 2 construct implemented by switches. Divides network into broadcast domains from a traffic perspective. Segmentation • Can also be derived from function: • Demilitarized Zone (DMZ) – segments of a network that are accessible to lower trust entities such as external Internet located devices/users. • Intranets – segments of a network that are accessible to only higher trust entities such as internal devices/users. • Extranets – segments of a network providing access to external, but more trusted, devices/users such as partners or customers. • These are still facilitated by VLANs in many cases. Network Access (Admission) Control (NAC) • Network segmentation divides networks in security zones but do not provision/manage the access to those zones. • NAC technologies decide if an incoming system/device/user should be permitted. • NAC interrogates incoming devices to ascertain if they meet expected standards of security. • Can be done via an installed agent or agentless via a browser. • If the device meets the expected standard they are admitted. • If standards are not meet the requesting client is either denied outright or allocated to a remediation zone where the “standard” can be applied. Network Access (Admission) Control (NAC) • Installed agents typically have a greater ability to interrogate a device. • Items validated may include: • Patch levels, Security settings, AV versions, other settings. • Some systems also track user behaviour. • NAC is therefore a useful tool for policy enforcement but is most useful at the initial stage of connection. • Once a device is connected other tools must be used to keep things secure. Port Protection • Protecting your network from nefarious traffic is a tough task and can begin with securing the flow of traffic into physical/logical ports. • Port Security is a technology that gives you the ability to limit the number of hosts that can connect to a port by limiting the incoming MAC addresses. • Technology varies depending on vendor platform by most port-security capabilities allow: • Dynamic locking by specifying a limit to the number of MAC addresses allowed. • Static locking by specifying the value of the MAC addresses allowed. Port-Span, Port-Mirror • These terms are interchangeable. • The do not, in and of themselves, protect anything. • The purpose is to copy or mirror traffic from a specified port/s or network segment to a security monitoring device such as an IDS or IPS. • They can also be used for troubleshooting in conjunction with protocol analyzers. Virtual Private Network (VPN) • • • Creates a virtual network link across a public network (i.e. Internet). Connected hosts appear as if they are on the local network. Security is achieved using encryption. • IPSec VPNs operate at Layer 3 and require a client. • Tunnel mode: protects whole packet. • Transport mode: only encrypts payload. • Typically used for site-to-site VPNs or where traffic is not just web/application based. • SSL (TLS) VPNs operate using a web browser portal. • or Tunnel mode similar to IPSec. Virtual Private Network (VPN) • Site-to-site (typically between sites and always active). • Remote access (for mobile users and are only active when required). • VPNs can be implemented as split-tunnel or full-tunnel. • Full-tunnel – protect all traffic, more bandwidth required but more secure. • Split-tunnel – only protects specific traffic sent to remote network, less bandwidth required but less secure. Appliances and Security Tools • There are many different ways in which appliances can be implemented. • Hardware, virtual, cloud, hybrid. • Chosen based on performance, manageability, expense, purpose. • Many types of appliances that serve a number of different functions. • Jump servers. • Load balancers. • Proxy Servers. • Network Address Translation (NAT) Gateways. • Content/URL Filters. • Data Protection or Data Loss Protection (DLP). Firewalls • Used to setup traffic treatment profiles by filtering packets on some set criteria. • Designed to prevent malicious packets from entering the network. • Firewall can be software-based or hardware-based. Firewall Principles • The foundation of a firewall is the rule base. – Establishes traffic treatment profile. • Traffic evaluated using variations of the 5-tuple concept: – A 5-tuple is a set of five different values that comprise a connection. 1. Source IP address. 2. Source port number. 3. Destination IP address. 4. Destination port number. 5. The protocol in use (TCP or UDP primarily). Firewall Principles Application Layer • Able to decode and understand layer 7 protocols. • Cannot decrypt so fail for SSL applications (SSH, HTTPS). Unified Threat Management (UTM) • All in one wonder box. – Firewall, IDS/IDP, AV, web content filtering. – True layer 7…probably more even! Firewall Necessities Application awareness • Layers 3 ïƒ 7. Application fingerprinting • Must be able to correctly identify applications flowing through them by traffic contents. Granular Application control • Must identify & characterize application features in order to control those applications strictly. QoS • Based on the traffic priorities of the host network. Core Functions NAT • Static, dynamic, PAT. • Often debated as a valid security measure. Audit & logging • Preferably to a separate and secure management system. • Can consume vast quantities of disk space. What else can Firewalls do? Malware blocking • Detection, stopping, logging. AV • Used as an additional layer of defense in conjunction with other technologies. IDS/IDP • Again…as an addition to specific IDS/IDP devices. URL filtering/caching • Being at the perimeter FWs are perfectly placed. • Many FWs are brilliant at this…which saves you! What else can Firewalls do? SPAM Filtering • Similar to web filtering. Wire speed transmission • Cannot afford to introduce latency to transmission. Secure Firewall Design • Irrespective of type of firewall used location is the most important factor of design. – Poorly placed firewalls = false sense of security • All comm’s in/out of protected networks should flow through a firewall. • Only authorized traffic is permitted to pass. – Be explicit with permissions, everything = blocked! • Most likely best to fail closed. • Must be able to recognize, resist & log attacks on itself. Rule Base Practices • Build rules from most to least specific – Rules are generally processed top to bottom and stop once a match is found. • Place most active rules at the top – Saves CPU and memory. • Drop unrouteable packets without question – RFC1918, internal addresses or broadcasts. Intrusion Detection (IDS) Monitors & IDs specific malicious traffic. • Anything anomalous to the baseline. – Traffic. – Access or attempted access. – Unauthorized changes. – Unusual log messages or events. – File manipulation. – Elevation of rights. – System changes. – Many more….. Threats that ID protects against Attacks • Unauthorized activity with malicious intent. • Network protocol attacks. – Flag Exploits. – Fragmentation & reassembly. • Application attacks. • Content obfuscation (confusing communication). Threats that ID cannot detect • Attacks that use encryption. • “Misuse” attacks. – Copying documents. – Posting documents to portals. – Social engineering. Types of IDS & Detection Models Anomaly detection • Looks at patterns of behavior and changes or abnormalities. Signature • Uses specific knowledge profiles to match against traffic patterns. Active • Triggers some configurable action. Passive • Logs only. HIDS Installed on a host device • Server, workstation, router, printer, gateway etc. • Installs as a service. • Intercepts and scans traffic before any other process. • Excels at examining application layer interactions. Realtime • Always looks for attacks and events. • Takes up a lot of system resources. Snapshot • Takes snapshots to show the differences between a known good state and a corrupt state. NIDS Protects networks • • • • • Most popular form of IDS. Capture & analyze live traffic. Designed to protect more than one host (cf HIDS). Configuration required to ensure detection and analysis is turned on. Requires some form of VLAN or port-based traffic mirroring or network tap to work correctly. IPS • Along with detection & reporting IPS can stop attacks in real time. • Can sometimes overact! – False positives can sometimes lead to traffic starvation. Which should I use? It depends…… • What do you want to protect? – Host, subnet, entire network? – Do you provide network services to customers or are you an enterprise? – What is your network topology? – Anomaly Detection or Signature? There is rarely one solution to a problem but there is often a best solution. UTM Unified Threat Management • All in one security appliance. – Firewall. – Gateway AV. – IDS/IDP. – SMTP filtering. – Web filtering. – VPN. • Great for blended attacks . • Reduces complexity of deployment of security services. Big Picture • Understand the key security concepts in enterprise security, the supporting tools and secure design principles. • Many, varied appliances, tools and implementations to consider. • Always try to use the most secure version, implementation or design for anything you do. • Even with great defences you must still have knowledge of possible attack vectors. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 6 Identity and Access Management (IAM) Topic Reading • Chapter 8: Identity and Access Management. • Interact content. Important of Identity & Access Management (IAM) • Are a vital security layer in modern digital systems. • They allow associated accounts to access systems and services as dictated by the controlling enterprise. • Facilitate control of rights associated with accounts. • Identity and Access Management is critical in ensuring the safe operation of an enterprise network. Some Quick Terminology • Subject: Typically people, applications, devices or organizations. • Most commonly refers to individual users. • Attributes: any information related to a subject. • Can include name, age, location, job role, hair or eye colour, height etc. • Identity: Sets of claims made about a subject, linked to attributes. Identity Use • In order to use (claim) an identity a subject will authenticate via presentation of one or more appropriate symbols asserting their identity. • Examples may include: • • • • • Usernames (most common). Certificates. Tokens. SSH Keys. Smartcards. Authentication, Authorization • Authentication: When an entities identity is confirmed/verified through a specific system. • May also be referred to as “access control” although it is typically considered a component of access control. • Authorization: When an entity is granted permissions to a resource. • Authentication must occur before this is possible. Authentication & Authorization Technologies • Many of these exist but the following are more salient for our purposes. • Extensible Authentication Protocol (EAP) • Authentication framework most commonly used in wireless networks. • Has many implementations (both vendor-specific and open). – EAP-TLS, LEAP, EAP-TTLS are all open methods. • Challenge Handshake Authentication Protocol (CHAP) • Uses an encrypted challenge and 3-way handshake to send credentials. • 802.1x • IEEE standard for NAC and authenticates devices wanting to connect to a network. Authentication & Authorization Technologies • Remote Authentication Dial-in User Service (RADIUS) • Very common AAA systems for network devices, wireless networks and various other services. • Client-server based model. • Terminal Access Controller Access Control System Plus (TACACS+) • Cisco designed extension to TACACS. • Full packet encryption, granular command controls. • Kerberos • Designed for untrusted networks. • Uses authentication to shield its authentication traffic! Single Sign On Authentication • Used where access is required to several systems with separate logins. • Necessarily complemented by Single Sign Off. • Designed to relieve password “fatigue” or “confusion”. • When implemented appropriately: • Reduce IT costs significantly. • Reduce incidents of phishing. SSO & Identity Management • Identity management. – Using a single authenticated ID to be shared across multiple networks. • Federated identity management (FIM). – Used when networks are owned by different organizations. – Single Sign On. • Windows Live ID. – When the user wants to log into a Web site that supports Windows Live ID the user will first be redirected to the nearest authentication server. – Once authenticated, the user is given an encrypted time-limited “global” cookie. Authentication Models Single and multi-factor authentication (MFA). • One-factor authentication. – Use of single credential. • Two-factor authentication. – 2 different credentials. • Three-factor authentication. – 3 different credentials. – Very secure. Authentication Factors Something you know. • Password/Passphrase/PIN. • Knowledge factor. Somewhere you are. • GPS/IP Subnet/VLAN. • At work/at home/in the car. Something you have. • Token/swipe card. • Possession factor. Something you do. • Signature, gesture, typing cadence. • Other habitual behaviour. Something you are. • Biometrics (thumb print, retina scan). • Inherence factor. Authentication Factors • Multifactor stronger than single factor but also more complex. • More factors = stronger ≠ easier or cheaper to implement. • MFA is also mostly static in nature. • A more dynamic method is context-aware authentication. Context Aware Authentication • Adaptive method of authentication. • Based on usage of resources and confidence the system has in an authenticating entity. • Automatically increase level of authentication required or increase/decrease access to resources based on continuous analysis of the entity in question. Access Control Schemes (Models) Access Control Terminology • Computer access control can be accomplished in one of three ways: – Hardware. – Software. – Policy. • Access control can take different forms depending on what is being protected. • Other terminology is used to describe how computer systems impose access control: – Object. – Subject. – Operation. Access Control Definition • A simple definition is: The process by which resources or services are granted or denied on a computer system or network. • Four main schemes/models to discuss. Access Control Schemes/Models • I use the terms Scheme and Model interchangeable. • A Scheme/Model definition: A predefined framework for hardware and software developers who need to implement access control in their devices or applications. • Once an access control scheme/model is applied. – Custodians configure security based on parameters set by the owner. – Enables end users to do their jobs. Mandatory Access Control (MAC) • End user cannot implement, modify, or transfer any controls. • The owner and custodian are responsible for managing access controls. • Most restrictive model as all controls are fixed. • In the original MAC model, all objects and subjects were assigned a numeric access level. • The access level of the subject had to be higher than that of the object in order for access to be granted. Discretionary Access Control (DAC) • The least restrictive. • A user has total control over any objects that they own. • Along with the programs that are associated with those objects. • In the DAC model, a subject can also change the permissions for other subjects over objects. Discretionary Access Control (DAC) Weaknesses 1. Reliance on the end-user to set the proper security parameters. 2. A subject’s permissions will be “inherited” by any programs that the subject executes. Role Based Access Control (RBAC) • Sometimes called Non-Discretionary Access Control. • Considered a more “real world” approach than the other models. • Assigns permissions to particular roles in the organization, and then assigns users to that role. • Objects are set to be a certain type, to which subjects with that particular role have access. Benefits of Role-Based Access Control • Improving operational efficiency. • Enhancing compliance. • Giving administrators increased visibility. • Reducing costs. • Decreasing risk of breaches and data leakage. Rule Based Access Control (RBAC) • Also called the Rule-Based Role-Based Access Control (RB-RBAC) model. • Dynamically assign roles to subjects based on a set of rules defined by custodian. • Each resource object contains a set of access properties based on the rules. • Rule Based Access Control is often used for managing user access to one or more systems (SSO). Access Control Models Summary Name Restrictions Description Mandatory Access Control (MAC) End user cannot set security Most restrictive Discretionary Access Control (DAC) Owner has total control over objects Least restrictive Role Based Access Control (RBAC) Permissions assigned to roles, users assigned to roles Real world approach Rule Based Access Control (RBAC) Roles assigned dynamically based on security parameters Assigns access across multiple systems Big Picture • Identity is key with respect to organizational security. • Authentication is how a claimant proves their identity. • Authorization provides authenticated identities with appropriate restrictions. • There are many authentication methods that can be used. • Access control schemes determine which subjects can perform which operations on which objects. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 7 Cryptography & PKI Topic Reading • Chapter 7: Cryptography and Public Key Infrastructure • Interact content. Cryptography • “the science or study of the techniques of secret writing, especially code and cipher systems, methods, and the like”. • At its simplest it deals with keeping secrets secret – confidentiality. • More complex cryptography techniques also provide integrity of data. Cryptography (crypto) • Crypto is an essential in contemporary communications but often not used outside of the military, education or other big business. • Crypto generally thought of as being good. – Securing nuclear launch codes. – Protecting financial, medical or other personal details. • Crypto can be easily used by criminals for hiding their activities! Definitions Crypto Goals 1 Confidentiality • Protect information from casual prying eyes or deliberate attempts to steal. • Information doesn’t always have to be of significant value to anyone other than an individual. • Common layman definition of security is confidentiality. • Crypto directly addresses this issue by scrambling plain text into something that only the intended recipient can unscramble. Crypto Goals 2 Integrity • Some components of crypto perform verification and validation of data. • Fundamentally digitally signs data with any changes to the signature indicating a change to the underlying data; integrity compromised. • Attacks on integrity of data can be more dangerous as they can be difficult to confirm and generally are designed to result in unexpected, but seemingly legitimate, results. Crypto Goals 3 Availability • A major component of the CIA triangle but unfortunately not something crypto can help with. • This point is important because it confirms that crypto is not a complete security solution but rather part of a good defense in depth strategy. Authentication • Confirmation that the person you think sent the information really did…clearly important for commercial transactions. Crypto Goals 4 Non-repudiation • Ability to prove who signed information & that that signature has not been spoofed. • Without this digital signatures & contracts would be meaningless. Crypto Primitives • Crypto can be better understood through four primitives: – Generation of random numbers. – Symmetric encryption. – Asymmetric encryption. – Hashing. • Primitives can be used singularly for some purposes but are usually used together. Random Numbers • Actual random strings of bits. • Truly random numbers are not possible using algorithms alone. • Value is in generate pseudo-random numbers to provide keys for crypto algorithms. • For this purpose numbers need only be unpredictable not totally random. Symmetric Encryption • Same key for encryption/decryption. • Also known as classical, conventional or single-key encryption. • Oldest type of encryption. • Only type until the 1970’s. • Still the most widely used. Symmetric Encryption Symmetric Encryption • Uses the notion of “computationally secure”… • That is… – The time it would take to compute all possible key combinations is so large that it cannot be achieved within the time frame that the encrypted information is useful to. • Not worth the effort! Symmetric Encryption • Ability to use ciphers is hamstrung by the fact that communicating parties must both know the shared key. • How do we keep this secure? • Must be shared by another means prior to encryption. – Secure post, secure phone. – Not with e-mail or yellow sticky notes! • Can also use a trusted third party. Asymmetric Encryption Asymmetric Encryption • The concept of public key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption: • Whitfield Diffie and Martin Hellman from Stanford University achieved a breakthrough in 1976 by coming up with a method that addressed both problems and was radically different from all previous approaches to cryptography. Asymmetric Encryption • A public-key system has 6 ingredients: Asymmetric Encryption Hash Functions • A hash function (H) takes variable-length blocks of data (M) as input and outputs a fixed-size hash value. • h = H(M) • Primary objective is to ensure data integrity. • Cryptographic hash function is: • An algorithm for which it is CI to find: – A data object that maps to a pre-specified hash result (1-way property). – Two data objects that map to the same hash result (collision-free property). Hash Function; h=H(M) L Bits Message or data block M (variable length) H Hash value h (fixed length) P, L = padding plus length field. P, L Applications Application of Encryption • There are many useful applications of cryptographic theories. • Some of commonly used and others should be commonly used! • Following slides look at the most common. E-Mail Privacy • Not so commonly used by the average e-mail user. • Both POP and IMAP have crypto features built in. • PGP also a good option for e-mail encryption. – Digital sigs, confidentiality, message compression, format conversion. VPN • Probably the most popular use of crypto technology. • Connecting offices, users and partners securely using public infrastructure. • IPSec or SSL based are best. • PPTP really legacy but still widely used. • Can be point-to-point for static offices. • Remote access for teleworkers & road warriors. SSL/TLS • Encrypts between clients and servers. • Most common tool for secure websites. • Uses asymmetric encryption. • Supported by all browsers and many e-mail clients. • Used in VPNs to provide web based portals. Public Key Infrastructure (PKI) PKI • A group of technologies for secure communications using asymmetric public key encryption. • Provides: – Confidentiality, integrity, authentication and non-repudiation. PKI – Explained in 5…. Common Challenges PKI solves…. • MiTM attacks. • Management of certificates. • Distribution and use of certificate services. • Maintenance of security in a digital world. Common uses of PKI • SSL/TLS certificates to secure web browsing experiences and communications. • Digital signatures on software. • Restricted access to enterprise intranets and VPNs. • Password-free Wi-Fi access based on device ownership. • Email and data encryption. Big Picture • Cryptography is a vital weapon in your cybersecurity armory. • Touches almost every other area of security. • Supports C, I, A and non-repudiation. • Secrecy of the key is the single most important thing. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 8 Resilience & Physical Security Topic Reading • Chapter 9: Resilience and Physical Security. • Interact content. Cybersecurity Resilience Building Resiliency • Primary focus in this topic is Availability. • Regardless of how great your C and I are if you have no A then you have nothing. • Typically neglected element of availability is resiliency. • Resiliency should always be considered during design. • Most common implementation is through redundancy. Resilient Design • Infrastructure components must be analysed to determine where singlepoints of failure exist. • Components may include: • Power distribution/control systems. • Environmental control systems. • Hardware and software. • Information storage systems. • Network and other communications. • Security systems (physical and digital). Resilient Design • Typical resilient designs implement some level of geographic dispersal. • Split major data processing capabilities between sites. • Typically means 100km or more between locations although this is not always the case. • Helps to alleviate the impact of natural disasters, power disruptions, network connectivity or other local factors. • Separation of compute devices within a data centre is common. • Separate any critical resilient infrastructure between racks, rows, rooms, floors etc. Resilient Design • Implementation of multiple network paths. • Protects against cable, device or provider issues. • Hardware redundancy. • Routers, switches, firewalls, IDS, servers, NIC teaming, load balancing. • Uninterruptable Power Supply (UPS). • Short term battery backup for short outages, power surges/drops, filtering. • Generator systems for protection during longer outages. Resilient Design • Storage redundancy. • Protect against disk or server failure. • Diversity in technology used or vendors used. • Less reliant on single brand or proprietary software/firmware. RAID • Redundant Arrays of Inexpensive Disks (RAID). • Very common solution involving various implementations of disk systems. RAID Level Description Benefit Problem 0 – Striping. Data is spread across all drives in an array. ↑ performance. 100% use of space. No fault tolerance(FT). 1 – Mirroring. Data replicated to another drive. ↑ read speed. Single drive failure (SDF) protection. 2 x storage. 5 – Striping with parity. Data striped across drives, one used for parity. ↑ reads, ↓ writes. SDF protection. Only SDF. Rebuild is slow. 6 – Striping with double parity. Additional parity drive to RAID 5. ↑ reads, ↓ writes. Multiple DF protection. ↓ writes than RAID 5. Rebuild slower. 10 – Mirroring and striping. Data striped across 2+ drives then mirrored. Combined per RAID 0 & 1. Combined per RAID 0 & 1. Backups • Backups and replications are very typical at any size organisation. • Common backup schemes include: • Full – backs up everything selected. • Incremental – backs up any changes since last backup. • Differential – backs up any changes since last full backup. • Various forms of rotational schemes for backup media also: • FIFO, grandfather, Tower of Hanoi. • Snapshots are also commonly used in virtualized environments. Backup Media Tape. Disks. Optical. • Low cost/capacity ratio. • Robotic systems common. • Magnetic or solid state. • Networked Attached Storage (NAS). • Storage Area Network (SAN). • Blue-ray. • Not commonly used in large scale backup systems. Flash based systems. • Short term or very small backups. Further Discussion • See text for further detail. Physical Security Physical Security • Addresses design, implementation, and maintenance of mechanisms that protect physical resources of an organization. • Most other controls can be circumvented if attacker gains physical access. • Physical security is as important as logical security. • Often undervalued. Source of Physical Loss Temperature extremes. Gases. Liquids. Organics. Projectiles. Movement. Energy anomalies. Responsibility is Shared General management. IT management and security staff. • responsible for facility security. • responsible for environmental and access security. Information Security management and professionals. • perform risk assessments and implementation reviews. Physical Access Controls • Secure facility – physical location engineered with controls designed to minimize risk of attacks from physical threats. • Secure facility can take advantage of natural terrain, traffic flow, and degree of urban development; can complement these with protection mechanisms (fences, gates, walls, guards, alarms). Physical Controls • Walls, fencing, and gates. • Mantraps. • Guards. • Electronic monitoring. • Dogs. • Alarms and alarm systems. • ID cards and badges. • Computer rooms and wiring closets. • Locks and keys. • Interior walls and doors. ID Cards and Badges • Ties physical security with information access control. – ID card is typically concealed. – Name badge is visible. • Serve as simple form of biometrics (facial recognition). • Should not be only means of control as cards can be easily duplicated, stolen, and modified. • Tailgating occurs when unauthorized individual follows authorized user through the control. Locks and Keys Two types of locks: mechanical and electromechanical. Locks can also be divided into four categories: manual, programmable, electronic, biometric. Locks fail and alternative procedures for controlling access must be put in place. Mantraps Small enclosure that has entry point and different exit point. Individual enters mantrap, requests access, and if verified, is allowed to exit mantrap into facility. Individual denied entry is not allowed to exit until security official overrides automatic locks of the enclosure. Mantraps Electronic Monitoring • Records events where other types of physical controls are impractical or incomplete. • May use cameras with video recorders; includes CCTV systems. • Drawbacks. – Reactive; do not prevent access or prohibited activity. – Recordings often not monitored in real time; must be reviewed to have any value. Alarms and Alarm Systems • Alarm systems notify when an event occurs. • Detect fire, intrusion, environmental disturbance, or an interruption in services. • Rely on sensors that detect event; e.g., motion detectors, smoke detectors, thermal detectors, glass breakage detectors, weight sensors, contact sensors, vibration sensors. Data Halls & Wiring • Require special attention to ensure CIA of information. • Logical controls can be defeated if physical access to equipment is available. • Custodial staff often the least scrutinized persons who have access to offices; are given greatest degree of unsupervised access. Interior Walls and Doors • Information asset security sometimes compromised by construction of facility walls and doors. • Facility walls typically either standard interior or firewall. • High-security areas must have firewall-grade walls to provide physical security from potential intruders and improve resistance to fires. • Doors allowing access to high security rooms should be evaluated. Fire Security and Safety • Most serious threat to safety of people who work in an organization is possibility of fire. • Fires account for more property damage, personal injury, and death than any other threat. • Imperative that physical security plans examine and implement strong measures to detect and respond to fires. Fire Detection and Response • Fire Suppression Systems. – Monitor. – Suppress fire through some form of retardant or extinguishing agent. – Alert. Fire Detection • Fire detection systems may be manual or automatic. • Part of a complete fire safety program includes individuals that monitor chaos of fire evacuation to prevent an attacker accessing offices. • There are three basic types of fire detection systems. – thermal detection. – smoke detection. – flame detection. Fire Suppression • Systems consist of portable, manual, or automatic apparatus. • Portable extinguishers are rated by the type of fire. • Installed systems apply suppressive agents. – usually either sprinkler or gaseous systems. Gaseous Emission Systems • Used in specialized environments (data centers) where other systems are not appropriate. • Two common sub-types of systems. – ODS (Ozone Depleting Substances). – SGG (Synthetic Greenhouse Gases). • Many gases are being phased out through legislative changes for environment protection. Limitations of Gaseous Emission Systems • Chemicals that contain their own supply of oxygen, e.g. [C6H7(NO2)3O5]n used in gunpowder & nail polish. • Mixtures containing oxidising chemicals, e.g. NaNO3. • Chemicals capable of undergoing auto-thermal decomposition. • Reactive metals, e.g. Na, K or Mg. • Areas where large surfaces are heated (not by a fire) to temperature that breaks down the chemical structure of the extinguishing agent. Utilities & Building Structure Supporting utilities have significant impact on continued safe operation of a facility. Each utility must be properly managed to prevent potential damage to information and information systems. HVAC • Areas within heating, ventilation, and air conditioning (HVAC) system that can cause damage to information systems include: – – – – Temperature. Filtration. Humidity. Static electricity. Ventilation Shafts • While ductwork is small in residential buildings, in large commercial buildings it can be large enough for individual to climb though. • If vents are large, security can install wire mesh grids at various points to compartmentalize the runs. Water Problems • Lack of water poses problem to systems, including functionality of fire suppression systems and ability of water chillers to provide air-conditioning. • Surplus of water, or water pressure, poses a real threat (flooding; leaks). • Very important to integrate water detection systems into alarm systems that regulate overall facilities operations. Structural Collapse • Unavoidable forces can cause failures of structures that house organization. • Structures designed and constructed with specific load limits; overloading these limits results in structural failure and potential injury or loss of life. • Periodic inspections by qualified civil engineers assists in identifying potentially dangerous structural conditions. Maintenance of Facility Systems • Physical security must be constantly documented, evaluated, and tested • Documentation of facility’s configuration, operation, and function should be integrated into DR/BCP and operating procedures • Testing helps improve the facility’s physical security and identify weak points Inventory Management • Computing equipment should be inventoried and inspected on a regular basis. • Classified information should also be inventoried and managed. • Physical security of computing equipment, data storage media and classified documents varies for each organization. Big Picture • Resilience is vital and can be implemented in any number of ways. • Resilience can be constrained by various factors. • Physical security is vital also. • Physical security responsibility is shared. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 9 Wireless & Mobile Security Topic Reading • Chapter 13: Wireless and Mobile Security. • Interact content. Wireless Security & Threats Wi-FI Networks • Most common form of “wireless” networking. Standard Max Speed Frequencies 802.11b 11 Mbps 2.4GHz 802.11a 65 Mbps 5 GHz 802.11g 54 Mbps 2.4GHz 802.11n 600 Mbps 2.4 & 5 GHz 802.11ac 6933 Mbps 5 GHz 802.11ax 9608 Mbps 2.4, 5, 6 GHz Other Forms of Wireless • Bluetooth. • Low power, short range (5-30m). • 2.4 GHz. • Near-field Communication (NFC). • Very short range (<50mm). • Payment terminals biggest use. • Radio Frequency Identification (RFID). • Short range (<1m up to ~100m). Other Forms of Wireless • Infrared. • Mainly used for controlling other systems. • TV, VCD etc. • Global Positioning System (GPS). • Not used for data transmission. Advantages of Wireless • Lower costs associated with installation & operation. • Easy of installation. • Mobility. • Reliability. • Damage to “wires” not possible. • Disaster Recovery. • Similar to point above. Disadvantages of Wireless • Security concerns. • Ease of access, protocol/configuration weaknesses. • Installation challenges (although less than wired usually). • Transmission speeds. • Standards much faster now but downshifting problematic in poor coverage areas and when many clients are connected. • Coverage. • Can be tricky to fine tune coverage areas to meet requirements due to sources of interference. Wireless Security Overview • Concerns for wireless security are similar to those found in a wired environment • Security requirements are the same: – confidentiality, integrity, availability, authenticity, accountability – most significant source of risk is the underlying communications medium Wireless Risks Key factors contributing to higher security risk of wireless networks compared to wired networks include: • Channel – Wireless networking typically involves broadcast communications, which is far more susceptible to eavesdropping and jamming than wired networks – Wireless networks are also more vulnerable to active attacks that exploit vulnerabilities in communications protocols • Mobility – Wireless devices are far more portable and mobile, thus resulting in a number of risks Wireless Risks 2 Key factors contributing to higher security risk of wireless networks compared to wired networks include: • Resources – Some wireless devices, such as smartphones and tablets, have sophisticated operating systems but limited memory and processing resources with which to counter threats, including denial of service and malware • Accessibility – Some wireless devices, such as sensors and robots, may be left unattended in remote and/or hostile locations, thus greatly increasing their vulnerability to physical attacks Wireless Data Threats • There are many common threats and some are not exclusive to wireless. • The main difference between wired and wireless networks is that access is much easier to get in the wireless domain. • The most serious threats to wireless networks are….. Wireless Data Threats • Man-in-The-Middle (MiTM). • Ease of access and ability to “hide” is key. • Password cracking & decryption. • Brute force attacks on wireless security protocols. • Assuming attacker has necessary resources. • Packet sniffers. • Easy to capture large volumes of traffic for analysis and attack preparation. • Emergency of new technologies (e.g. 5G) gives greater opportunity to attackers. Wireless Network Threat Example – Rogue AP • A rogue access point (rogue AP) is any wireless access point that has been installed on a network's wired infrastructure without the consent of the network's administrator or owner, thereby providing unauthorized wireless access to the network's wired infrastructure. (Wikipedia) • Used by attackers: • To gain unauthorised access/entry point into network. • To collect information/traffic on target wireless networks and/or clients. Rogue AP – Protection Against • Keep track of all your devices with accurate, up to date, network documentation. • Search for rogue APs with a laptop or handheld computer with Windows’ wireless application, the wireless network adapter’s built-in software, or third-party applications. • If traffic from a rogue AP does enter your network, a NIDS or NIPS solution can be instrumental in detecting and preventing that data and data that comes from other rogue devices. • Organizations commonly perform site surveys to detect rogue APs, and other unwanted wireless devices. • Older APs, especially ones with weak encryption, should be updated, disabled or simply disconnected from the network. Mobile Device Security An organization’s networks must accommodate: • Growing use of new devices. – Significant growth in employee’s use of mobile devices. • Cloud-based applications. – Applications no longer run solely on physical servers in corporate data centers. Mobile Device Security 2 An organization’s networks must accommodate: • De-perimeterization. – There are a multitude of network perimeters around devices, applications, users, and data. • External business requirements. – The enterprise must also provide guests, third-party contractors, and business partners network access using various devices from a multitude of locations. Other Security Threats Lack of physical security controls Use of untrusted networks Interaction with other systems Use of untrusted mobile devices Use of untrusted content Use of applications created by unknown parties Use of location services Securing Wireless Networks Best Practices Requirements • Choose security measures appropriate for your network. • Establish and document security policies. • Monitor and enforce compliance of policies without exception. • Monitor for evolving vulnerabilities and misconfigurations. • Monitor for wireless intrusion and attacks. • Include threat response and suppression tools. Security Policy & Enforcement • Authentication & encryption are a must. • Consider 802.1x for authentication. • Strong authentication. • Many variants of EAP. • WPA2/3 & 802.11i. • VPN. • WIPS. EAP • MD5 –Weakest of the possible EAP methods, provides negligible benefits over WEP. • LEAP –2-way authentication without using certificates but requires passwords and is thus susceptible to dictionary attacks. • TLS – Provides a very secure solution, requires client certificates. • PEAP – Very secure. Uses TLS to create a secure tunnel where a second authentication mechanism can be used. Requires server certificates. • TTLS – Very secure. Uses TLS to create a tunnel to avoid using client certificates. • FAST – Very secure. Creates a secure tunnel, then uses AAA server to authenticate the server and client. Big Picture • Wireless systems are extremely common. • Provide access to “unknown” clients. • Security is largely the same as for wired networks. • Danger is in volume of possible users. • Many varied technologies used in “wireless” communications. Thanks for watching! ITI581 CYBER SECURITY FUNDAMENTALS Topic 10 Cloud & Virtualization Security Topic Reading • Chapter 10: Cloud and Virtualization Security. • Interact content. Cloud Computing The “Cloud” • • • This can be an intimidating concept to comes to terms with but is really quite simple. Cloud Service Providers (CSP) simply provide business compute services via the Internet. Common cloud examples include: • Google. • Amazon Web Services. • Microsoft Azure. • Apple iCloud. Cloud Definition • A more formal definition from NIST: “Cloud computing is a model for enabling ubiquitous, convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Why use Cloud? • Benefits include: • On-demand self-service compute services. • Scalability. – Vertical. – Horizontal. From page 385 of text. Why use Cloud? • Benefits include: • Elasticity. • Measured Service. • Agility & Flexibility. Cloud Roles • CSP • Consumers • Partners • Auditors • Carriers. Service Models • All based on the acronym XaaS – meaning X as a Service. • IaaS – Infrastructure. • SaaS – Software. • PaaS – Platform. • FaaS – Function. Deployment Models • Public Cloud. • Typically thought of deployment model. • Supports all XaaS models (multi-tenant model) • Private Cloud. • Any cloud infrastructure deployed and used by a single customer. • Community Cloud. • Shares characteristics of both Public and private cloud deployments. – Multi-tenated to members of a specific community. • Hybrid Cloud. • Catch all term for models that use all of the above. Virtualization Virtualized Machines • CSPs, and private companies, make extensive use of virtualized platforms. • Virtual host hardware run specialised operating systems (hypervisors). • Virtual Machines (VM) run on top of the hypervisor. • Virtual hosts can use “virtually” any regular operating system. Hypervisors • Primary responsibility is enforce isolation between virtual machines. • Two types of Hypervisors: • Type I, also known as bare metal hypervisors, operate directly on top of the supporting hardware platform. Hypervisors • Type II hypervisors run as an application of top of an existing operating system. Cloud Security Issues Cloud Responsibilities Cloud Security Issues • Availability • Data Sovereignty • Virtualization Security • Application Security • Governance and Auditing Cloud Security Controls Cloud Access Security Brokers. Software tools that serve as intermediaries between users and CSPs. Resource Policies. Policies that limit damage caused accidentally or maliciously. Secrets Management. Special purpose compute modules that manage encryption. Cloud Security Controls Security groups Security groups define permitted traffic (similar to firewall rules). These can be enforced at various points within the cloud environment. Microsegmentation Microsegmentation – similar to security groups – but can be very granular when implementing permitted communication between VMs. Enforced at hypervisor. Availability zones Can specify where resources will be deployed (to enforce diverse locations and redundancy) Big Picture • Cloud computing brings many challenges with it. • Responsibility for security is shared and distributed. • Control is potentially difficult. Congratulations…you have reached the end!