Chapters 1-11 Final Review

Course: Security+ SY0-601
Confidence: Not Confident
Last Edited: December 9, 2023 1:31 PM

Chapter 1

Security Goals

CIA - Confidentiality, integrity, and availability
Use case - a goal that an organization wants to achieve

A use case can have different parts, including:
1. Actors - the parties involved
2. Precondition - must occur before the process can start
3. Trigger - starts the use case
4. Postcondition - occurs after the actor triggers the process
5. Normal Flow - lists each of the steps in a specific order
6. Alternate Flow - not every flow will be the same

Confidentiality

Confidentiality - prevents the unauthorized disclosure of data (authorized personnel = good, unauthorized personnel = cannot access)

Several methods support confidentiality:
Encryption - scrambles data to make it unreadable by unauthorized personnel
Access Controls:
  Identification - users claim an identity with a unique username
  Authentication - users prove their identity with authentication
  Authorization - grant or restrict access to resources using an authorization method

💡 Confidentiality ensures that data is only viewable by authorized users. The best way to protect the confidentiality of data is by encrypting it. Access controls help protect confidentiality by restricting access.

Integrity

Integrity - assurances that data has not been changed
Hash - a number created by executing a hashing algorithm against data. A variation in the hashes doesn't tell you what modified the message. It only tells you that the message has been modified.

💡 Integrity verifies that data has not been modified. Loss of integrity can occur through unauthorized or unintended changes. Hashing algorithms, such as SHA, calculate hashes to verify integrity. A hash is simply a number created by applying the algorithm to a file or message at different times. By comparing the hashes, you can verify integrity has been maintained.
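The hash comparison described above, extended to a whole directory as an added example (not part of the original notes): hashes are recorded at one time, recomputed later, and the two sets compared. File names and contents are constructed; SHA-256 stands in for "SHA".

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Return the SHA-256 hash of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its hash."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Report which files changed between two sets of hashes.

    The result says THAT a file was modified, never WHAT was modified
    or who did it: a hash carries no such information.
    """
    return {
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def demo_integrity():
    """Constructed sample: hash three files, change things, hash again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.csv").write_text("alice,5000\nbob,4800\n")
        (root / "policy.txt").write_text("Passwords expire every 90 days.\n")
        (root / "notes.txt").write_text("draft\n")
        baseline = build_baseline(root)      # hashes at time 1

        # A single changed digit is enough to produce a different hash.
        (root / "payroll.csv").write_text("alice,5000\nbob,9800\n")
        (root / "notes.txt").unlink()
        (root / "new.txt").write_text("hello\n")
        current = build_baseline(root)       # hashes at time 2

        return compare(baseline, current)


if __name__ == "__main__":
    print(demo_integrity())
```

The baseline itself has to be stored where the files' editors cannot rewrite it, otherwise a changed file and a changed baseline would still match.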
Availability

Availability - data and services are available when needed

Organizations typically implement redundancy and fault-tolerance methods to ensure high levels of availability for key systems.

💡 Availability ensures that systems are up and operational when needed and often addresses single points of failure. You can increase availability by adding fault tolerance and redundancies, such as RAID, failover clusters, backups, and generators.

Redundancy adds duplication to critical systems and provides fault tolerance. If a critical component has a fault, the redundancy's duplication allows the service to continue without interruption.

Types of redundancies:
Disk redundancy - RAID 1, 5, 10 allow a system to continue to operate even if a disk fails.
Server redundancy - failover clusters
Network redundancy - load balancing
Power redundancy - uninterruptible power supplies (UPSs) and power generators

💡 Redundancy and fault tolerance methods increase the availability of systems and data. Scalability refers to manually adding or removing resources to a system to scale it up or out. Elasticity refers to dynamically adding or removing resources to a system to scale it.

Scalability - a system's ability to handle increased workload either by scaling up or scaling out. (Manual)
Elasticity - ability of a system to handle an increased workload by dynamically scaling up or out as the need arises.
Resiliency - helps systems heal themselves or recover from faults with minimal downtime.

Risk vs Threat

Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.
A threat is a circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
Risk mitigation reduces the chances that a threat will exploit a vulnerability or reduces the risk's impact by implementing security controls.
Security controls

Managerial controls - administrative controls that focus on managing risk
  Risk assessment - helps orgs quantify and qualify risks within an org so that they can focus on serious risks
  Vulnerability assessment - attempts to discover current vulnerabilities
Operational controls - ensure day to day operations comply with security policies
Technical controls - use tech (hardware, software, firmware) to reduce vulnerabilities
Preventative controls - prevent an incident from happening
  Hardening - making a system more secure than default (disabling unnecessary ports and services, implementing secure protocols, patching the system, strong passwords)
  Training, security guards, change management, account disablement policy, intrusion prevention system
Detective controls - detect incidents after they happen
  Log monitoring, security information and event management (SIEM) systems, security audit, video surveillance, motion detection, intrusion detection system (IDS)
Corrective controls - reverse the impact of an incident
  Backups, system recovery
  Incident handling process - defines steps to take in response to security incidents
Deterrent controls - attempt to discourage individuals from causing an incident
Compensating controls - alternative controls used when the primary control is not feasible
Physical controls - controls you can physically touch

Commands

Ping
A basic command used to test connectivity for remote systems.
Hping - similar to the ping command, but can send pings using TCP, UDP, and ICMP

Ipconfig - internet protocol configuration; shows the TCP/IP config info for a Windows system
Ifconfig - same purpose, but for Linux
ifconfig eth0 - shows the config of the first ethernet interface (same for wlan0)
ifconfig eth0 promisc - enables promiscuous mode.
Allows a NIC to process all traffic it receives
ifconfig eth0 allmulti - enables multicast mode on the NIC

The ip command is encouraged over ifconfig because ifconfig is no longer maintained by developers
ip link show - shows interfaces along with details
ip link set eth0 up - enables the network interface
ip -s link - shows stats on the network interface

Netstat
Allows you to view stats for TCP/IP protocols on a system
netstat - displays all open TCP connections
netstat -a - displays all TCP and UDP ports
netstat -r - displays the routing table
netstat -e - displays details on network stats
netstat -s - displays stats of packets sent or received for specific protocols
netstat -n - displays addresses and port numbers in numerical order
netstat -p protocol - shows stats on a specific protocol such as TCP and UDP

Tracert & Traceroute
Commands that list all routers between two systems. Used to identify faulty routers on the network and identify modified paths.

Pathping
Combines the functions of ping and tracert

ARP
arp the command and ARP the protocol aren't the same thing
arp - without a switch, shows help on Windows
arp -a - shows the ARP cache on Windows

LAMP
Linux, Apache, MySQL, and PHP/Perl/Python

sudo
Allows you to run a command with root, or elevated, privileges, assuming you have the permissions

cat
Used to display the contents of files

grep
Used to search for a specific string or pattern of text within a file
ex. sudo cat /var/log/auth.log | grep "authentication failure"

head
Shows the first 10 lines of a file

tail
Displays the last 10 lines of a log file by default
ex. sudo tail -n 15 /var/log/messages

logger
Adds entries to the /var/log/syslog file
Admins use this command before performing an operation (like backing up)

journalctl
Queries the Linux system logging utility and displays log entries from several sources
ex. journalctl --since "1 hour ago"
ex. journalctl --since "1 hour ago" > myjournal.txt

chmod
Used to modify permissions on Linux system files and folders
Read - someone can open the file and view its content
Write - a user can modify the contents
Execute - a user can launch the file; used with exe files
The first set of permissions applies to the owner of the file
The second set applies to the owner group
The third set applies to everyone else
Can use octal nums (0-7)
ex. chmod 760 filename
Also possible to assign permissions using the text method
u - file owner
g - owner group
o - all others
ex. chmod g=r filename or chmod o-x filename

SIEM System

A security information and event management system provides a centralized solution for collecting, analyzing, and managing data from multiple sources.

Capabilities
Log collectors - collect and store log data in a searchable database
Data inputs - log entries come from various sources such as firewalls, routers, network intrusion detection and prevention systems
Log aggregation - refers to combining several dissimilar items into a single similar format. A SIEM system collects data from multiple systems, aggregates the data, and stores it so that it's easy to analyze and search
Correlation engine - software component used to collect and analyze event log data from various systems within the network. Aggregates data looking for common attributes like patterns
Reports - most systems include built-in reports. Typically grouped into different categories such as network traffic event monitoring, device events, threat events, and more.
Packet capture - protocol analyzers/sniffers capture network traffic, allowing admins to view and analyze individual packets
User behavior analysis - focuses on what users are doing, such as what applications they are launching and network activity.
Sentiment analysis - analyzing text to detect an opinion or emotion
Security monitoring - alerts which can provide continuous monitoring of systems and provide notifications of suspicious events
Automated triggers - cause an action in response to a predefined number of repeated events
Time sync - all servers sending data to the SIEM should be synced with the same time
Event deduplication - process of removing duplicate entries
Logs/WORM - a SIEM typically includes methods to prevent anyone from modifying log entries

Syslog
Specifies a general log entry format and the details on how to transport log entries.
Syslog-ng - allows a system to collect logs from any source. Includes correlation and routing abilities to route log entries to any log analysis tool.
Rsyslog - improvement over syslog-ng. A significant change is the ability to send log entries directly into database engines.
NXLog - log management tool that is similar to rsyslog and syslog-ng. Supports log form

Chapter 2

Authentication - proves an identity with some type of credentials, such as a username and password.
  Something you know (password or PIN)
  Something you have (smart card, phone, software tokens, or USB token)
  Something you are (fingerprint/biometric identification)
Accounting - track user activity and record the activity in logs
Authorization - access resources based on their proven identity

💡 Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum length of at least 8 characters. Password expiration identifies when a password must be changed.

Knowledge Based Authentication
Static KBA - used to verify your identity when you've forgotten your password (Security questions)
Dynamic KBA - identifies individuals without an account, such as at financial institutions or health care companies.
(Multiple choice questions that only the user would know)

Account lockout policies
Thresholds - max number of times a user can enter the wrong password
Duration - how long an account remains locked

Smart card authentication
Requirements for a smart card:
Embedded certificate - holds a user's private key and is matched with a public key
Public Key Infrastructure - supports issuing and managing certificates
Often paired with a password or PIN

Token Key
Sometimes called a key fob; an electronic device the size of a car remote that displays a number.
The token is synced with a server that knows what the number is at any moment

Hash based message authentication code
Uses a hash function and cryptographic key for many different functions

HMAC based one time password (HOTP)

Time based one time password
Similar to HOTP, but uses a timestamp instead of a counter

💡 HOTP and TOTP are open source standards used to create one time passwords. HOTP creates OTPs that do not expire until used. TOTP creates OTPs that expire after 30 seconds.

Biometric methods
Strongest method of authentication
Fingerprint
Vein - using near infrared light to view veins. (Hospitals use palm scanners for patients)
Retina - scans one or both eyes and uses the pattern of blood vessels
Iris - captures the patterns of the iris around the pupil for recognition
Facial - identifies people based on facial features
Voice - speech recognition methods to identify different acoustic features
Gait analysis - identifies individuals based on the way they walk. Measures how someone's feet hit and leave the ground while walking.

💡 Iris and retina scans are the strongest biometric methods. Iris scans are used instead of retina scans because retina scans are intrusive to people's medical issues. Facial recognition and gait analysis bypass the enrollment process when done for identification instead of authorization.
Biometric efficacy rates
False acceptance - allows an unknown user as a registered user
False rejection - incorrectly rejects a registered user
True acceptance - system correctly identified a registered user
True rejection - system correctly rejected an unknown user

2 Factor Authentication
Factors can't be in the same category (Password & PIN / Retina & Thumbprint)

Authentication Attributes
Somewhere you are - geolocation, but can be spoofed by VPN
Something you can do - actions you can take such as gestures on a touch screen (picture password)
Something you exhibit - something that you show or display (employee ID badge)
Someone you know - someone that vouches for you

Privileged access management (PAM)
Implements stringent security controls over accounts with elevated privileges, such as admin or root-level accounts

Capabilities
Allow users to access privileged accounts without knowing the password
Automatically change privileged account passwords periodically
Limit the time users can use the privileged account
Allow users to check out credentials
Log all access of credentials

💡 Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing, and it can be used to re-create an audit trail. Permission auditing reviews help ensure that users have only the access they need and no more, and can detect privilege creep issues.

Kerberos
A network authentication protocol within a Microsoft Windows AD. It uses a database of objects such as AD and KDC to issue time stamped tickets that expire after a certain time period.

SAML
Security Assertion Markup Language is an Extensible Markup Language (XML) based data format used for SSO on web browsers. It is used to exchange authentication and authorization information between different parties. SAML provides SSO for web based applications.
Roles:
Principal - typically a user
Identity provider - the IdP creates, maintains, and manages identity info for principals
Service provider - entity that provides services to principals

OAuth
Open standard for authorization that many companies use to provide secure access to protected resources

OpenID
An authentication standard maintained by the OpenID Foundation.

Access Control Schemes

Role based - uses roles to manage rights and permissions for users. For users within a specific dept who perform the same job functions. A role based access control scheme uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges.

Rule based - uses rules. Routers and firewalls use rules within access control lists (ACLs). Some rules are static and some are dynamic, depending on the attack used. Rules can be triggered in response to an event, like after detecting an attack, or grant additional permissions to a user in certain situations.

Discretionary (DAC) - objects have an owner, and the owner establishes access for the objects. New Technology File System (NTFS) provides security by allowing users and admins to restrict access to files and folders with permissions. Access control entries (ACEs) make up a DACL, for example:
  Lisa: Full control
  Bart: Read
  Maggie: Modify

Mandatory (MAC) - uses labels to determine access. Security admins assign labels to both subjects and objects. When the labels match, the system can grant a subject access to an object. Commonly used when access needs to be restricted based on a need to know.

Attribute (ABAC) - evaluates attributes and grants access based on the value of these attributes. Ex. Homer's account is defined with employee, inspector, and nuclear aware. A file server at the plant includes a share called inspector. An ABAC policy for the share might grant access to the share for any subjects that have the attribute.
Chapter 3

Basic Networking Concepts

Sniffing attack - attackers often use a protocol analyzer to capture data sent over a network. After capturing the data, attackers can easily read it within the protocol analyzer if it was sent in cleartext.
DoS/DDoS - a denial of service (DoS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A DDoS attack includes multiple computers attacking a single target.
Poisoning attack - many protocols store data in cache for temporary access. Poisoning attacks attempt to corrupt the cache with different data.

Basic Networking Protocols

Transmission Control Protocol (TCP) - provides connection oriented traffic (guaranteed delivery). TCP uses a three way handshake. The client sends a SYN, the server responds with a SYN/ACK packet, and the client completes the handshake with an ACK packet to establish a connection.
User Datagram Protocol (UDP) - provides connectionless sessions (without a three way handshake). While TCP traffic provides guaranteed delivery, UDP makes a best effort to deliver traffic without using extra traffic to ensure delivery. TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP.
Internet Protocol (IP) - identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses.
Internet Control Message Protocol (ICMP) - used for testing basic connectivity and includes tools such as ping, pathping, and tracert. Because of how often ICMP is used in attacks, it has become common to block ICMP at firewalls and routers. Blocking prevents attackers from discovering devices in a network.
Address Resolution Protocol (ARP) - resolves IPv4 addresses to media access control (MAC) addresses. TCP/IP uses IP addresses to get a packet to a destination network. It then uses the MAC address to get it to the correct host.
Implementing Protocols for Use Cases

Voice and Video

Real-time Transport Protocol (RTP) - delivers audio and video over IP networks (Voice over Internet Protocol (VoIP), streaming media, video teleconferencing, web based push to talk).
Secure Real-time Transport Protocol (SRTP) - provides encryption, message authentication, and integrity for RTP. SRTP helps protect the confidentiality of data from these attacks while also ensuring the integrity of the data transmissions.
Session Initiation Protocol (SIP) - used to initiate, maintain, and terminate voice, video, and messaging sessions. SIP messages don't contain any data, but contain metadata about sessions. Many VoIP systems support SIP logging and can record these SIP messages. VoIP logs can contain timestamps, caller phone numbers, recipient phone numbers, extensions, and missed calls. SIP log files show timestamps, sender IP addresses, and recipient IP addresses.

File Transfer

💡 Secure Shell (SSH) encrypts traffic over TCP port 22 and is used to transfer encrypted files over a network. SFTP uses SSH to encrypt traffic while FTP Secure uses TLS to encrypt.

File Transfer Protocol (FTP) - uploads and downloads large files to and from an FTP server. By default it transfers data in cleartext, making it easy for attackers to capture and read FTP data with a protocol analyzer. Active mode uses port 21 for control signals and port 20 for data. Passive mode uses port 21 for control signals but uses a random port for data.
Trivial File Transfer Protocol (TFTP) - uses UDP port 69 and is used to transfer smaller amounts of data, such as when communicating with network devices. Often disabled

Encryption Protocols

Secure Shell (SSH) - encrypts traffic in transit and can be used to encrypt other protocols such as FTP. When SSH encrypts traffic it uses TCP port 22.
Secure Sockets Layer (SSL) - was the primary method used to secure HTTP traffic as HTTPS.
Transport Layer Security (TLS) - designated replacement for SSL and should be used instead of SSL for browsers. STARTTLS is a command used to upgrade an unencrypted connection to an encrypted connection on the same port.
Internet Protocol security (IPsec) - used to encrypt IP traffic. Encapsulates and encrypts IP packet payloads and uses Tunnel mode to protect VPN traffic. Includes two main components: Authentication Header (AH), identified by protocol ID number 51, and Encapsulating Security Payload (ESP), identified by protocol ID number 50.
Secure File Transfer Protocol (SFTP) - a secure implementation of FTP. An extension of SSH that transmits the files in an encrypted format using TCP port 22.
File Transfer Protocol Secure (FTPS) - an extension of FTP that uses TLS to encrypt the FTP traffic. SFTP uses SSH and FTPS uses TLS.

Email and Web Use Cases

Simple Mail Transfer Protocol (SMTP) - transfers email between clients and SMTP servers. Uses TCP port 25 for unencrypted email and port 587 for email encrypted with TLS.
Post Office Protocol v3 (POP3) - transfers emails from servers down to clients. Uses port 110 for unencrypted email and TCP port 995 for encrypted.
Internet Message Access Protocol version 4 (IMAP4) - used to store email on an email server and allows users to organize and manage email in folders on the server. Uses TCP port 143 for unencrypted and port 993 for encrypted connections.
HTTP - transmits web traffic on the internet and in intranets. Uses TCP port 80.
HTTPS - HTTP over SSL/TLS encrypts web traffic to ensure it is secure while in transit. Uses TCP port 443.

Directory Services and LDAPS

Lightweight Directory Access Protocol (LDAP) - specifies the formats and methods used to query directories. Uses TCP port 389. LDAP Secure encrypts with TLS using TCP port 636.

💡 Directory services provide authentication services for a network. Active Directory Domain Services uses LDAP encrypted with TLS when querying the directory.
Remote Access Use Case

Remote Desktop Protocol (RDP) - used to connect to other systems from remote locations

OpenSSH
A suite of tools that simplify the use of SSH to connect to remote servers securely
ssh ______ - used to connect to the server
ssh-keygen -t rsa - creates a key pair (public and private key)
ssh-copy-id - copies the public key to a remote server
id_rsa.pub - public key
id_rsa - private key

Time Sync Use Case

Network Time Protocol (NTP) - most commonly used protocol for time sync, allowing systems to synchronize their time
Simple NTP (SNTP) - can be used for time synchronization. SNTP does not use complex algorithms or query multiple time servers, so it might not be as accurate.

Network Address Allocation Use Case

Dynamic Host Configuration Protocol (DHCP) - dynamically assigns IP addresses to hosts. Also assigns other TCP/IP info such as subnet masks, default gateways, DNS server addresses, and more.

IPv4
Uses 32 bit IP addresses expressed in dotted decimal format
Routers on the internet include rules to drop any traffic that is coming from or going to a private IP address:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

DHCP Snooping
Prevents unauthorized DHCP servers from operating on a network
DHCP clients and servers normally send four packets back and forth:
DHCP Discover - the DHCP client broadcasts a message asking a DHCP server for a lease
DHCP Offer - the DHCP server answers, offering a lease.
DHCP Request - the client responds by requesting the offered lease
DHCP Acknowledge - the server allocates the offered IP address to the DHCP client and sends back an acknowledge packet.
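How a switch can use those four message types to block an unauthorized DHCP server, as an added example that is not part of the original notes. It assumes the usual trusted-port model (only ports facing an authorized server are trusted); the port names, MAC address and IP addresses are constructed.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK"}          # sent by a DHCP server
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}   # sent by a DHCP client


@dataclass(frozen=True)
class DhcpPacket:
    port: str             # switch port the packet arrived on (hypothetical names)
    msg_type: str         # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    offered_ip: str = ""  # filled in on OFFER and ACK


class SnoopingSwitch:
    """Toy model of a switch with DHCP snooping enabled (assumed design)."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.client_ports = {}   # client MAC -> port its requests arrive on
        self.bindings = {}       # client MAC -> (leased IP, client port)
        self.dropped = []        # packets discarded by snooping

    def process(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.msg_type in SERVER_MESSAGES:
            if pkt.port not in self.trusted_ports:
                # Server-side message from a port with no authorized server.
                self.dropped.append(pkt)
                return False
            if pkt.msg_type == "ACK":
                # The lease is confirmed: record it in the binding table.
                self.bindings[pkt.client_mac] = (
                    pkt.offered_ip, self.client_ports.get(pkt.client_mac))
            return True
        if pkt.msg_type in CLIENT_MESSAGES:
            self.client_ports[pkt.client_mac] = pkt.port
            return True
        self.dropped.append(pkt)   # not one of the four expected messages
        return False


def demo_snooping():
    """Constructed exchange: one client, one authorized and one rogue server."""
    mac = "00:11:22:33:44:55"
    switch = SnoopingSwitch(trusted_ports={"port24"})
    traffic = [
        DhcpPacket("port3", "DISCOVER", mac),
        DhcpPacket("port7", "OFFER", mac, "10.66.6.50"),      # rogue server
        DhcpPacket("port24", "OFFER", mac, "192.168.1.50"),   # authorized
        DhcpPacket("port3", "REQUEST", mac),
        DhcpPacket("port7", "ACK", mac, "10.66.6.50"),        # rogue server
        DhcpPacket("port24", "ACK", mac, "192.168.1.50"),     # authorized
    ]
    forwarded = [switch.process(p) for p in traffic]
    dropped = [(p.port, p.msg_type) for p in switch.dropped]
    return forwarded, switch.bindings, dropped


if __name__ == "__main__":
    print(demo_snooping())
```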
Domain Name Resolution Use Case

Domain Name System (DNS)
Resolves hostnames to IP addresses
DNS servers host data in zones/databases
Uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries

Records
A (host record) - holds the hostname and IPv4 address and is the most commonly used record in a DNS server. Mostly used with IPv4
AAAA - holds the hostname and IPv6 address. Similar to the A record except it's for IPv6
MX (Mail exchange) - identifies a mail server used for email. When there is more than 1 mail server, the one with the lowest preference number in the MX record is the primary one.
CNAME - allows a single system to have multiple names associated with a single IP address
SOA (Start of authority) - includes info about the DNS zone and some of its settings. Ex. Includes TTL settings which determine how long to cache DNS results. Lower times cause clients to renew the records more often.

DNSSEC
A risk of DNS is DNS poisoning, which modifies the IP address to redirect to another website.
Domain Name System Security Extensions (DNSSEC) - suite of extensions to DNS that provides validation for DNS responses. Adds a Resource Record Signature (RRSIG), or digital signature, to each record

Nslookup and dig
The lowest preference number identifies the primary server
nslookup - troubleshoots problems related to DNS
Ex. can use nslookup to verify that a DNS server can resolve specific hostnames
nslookup -querytype=mx website.com
Output:
website.com MX preference = 10, mail exchanger = mx1.emailsrvr.com
website.com MX preference = 50, mail exchanger = mx2.emailsrvr.com
dig - replaced nslookup on Linux systems. Can be used to verify that the DNS server is reachable and verify that a DNS server can resolve hostnames to IP addresses.

Quality of Service
QoS refers to the tech running on a network that measures and controls different traffic types. Allows admins to prioritize certain types of traffic over other types of traffic.
Network Devices

Unicast - one to one traffic. One host sends traffic to another host using a destination IP address. The host with the destination IP address will process the packet. Other hosts on the same network may see the packet, but they will not process it since it isn't addressed to them.
Broadcast - one to all traffic. One host sends traffic to all other hosts on the subnet, using a broadcast address such as 255.255.255.255. Every host that receives broadcast traffic will process it. Switches pass broadcast traffic between their ports, but routers do not pass broadcast traffic.

Switches
A switch can learn which computers are attached to each of its physical ports. It then uses this knowledge to create internal switched connections when two computers communicate with each other.

Port Security
Limits the computers that can connect to physical ports on a switch
Disabling unused ports and limiting the number of MAC addresses per port.
A physical port used by a network device, such as a switch or a router, is entirely different from a logical port. A logical port is a number embedded in a packet and identifies services and protocols.

Broadcast Storm and Loop Prevention
A broadcast storm can flood a network with traffic and can effectively disable a switch
Many switches have Spanning Tree Protocol (STP) or Rapid STP (RSTP), which provide both broadcast storm prevention and loop prevention. However, if it is disabled, the switch is susceptible to loop problems.
Broadcast storm and loop prevention such as STP and RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected together.
STP sends Bridge Protocol Data Unit (BPDU) messages in a network to detect loops

Routers and ACLs
Access control lists (ACLs) are rules implemented on routers/firewalls to identify what traffic is allowed and what traffic is denied.
Can block IP addresses, ports, and protocol numbers.
Implicit Deny
All traffic that isn't explicitly allowed is implicitly denied

Firewalls
Filter incoming and outgoing traffic for a single host or between networks
A firewall can ensure only specific types of traffic are allowed into a network or host, and only specific types of traffic are allowed out of a network or host.
They start with a basic routing capability for packet filtering, including the use of an implicit deny rule. More advanced firewalls go beyond simple packet filtering and include advanced content filtering.

Host based firewalls
Monitor traffic going in and out of a single host. Many third party firewalls allow you to configure rules to allow or restrict inbound and outbound traffic.

💡 Host based firewalls provide protection for individual hosts, such as servers or workstations. A host based firewall provides intrusion protection for the host. Network based firewalls are often dedicated servers and provide protection for the network.

Stateless firewalls
Use rules implemented in ACLs to identify allowed and blocked traffic

Stateful firewalls
Inspect traffic and make decisions based on the traffic context or state. Keep track of established sessions, inspect traffic based on its state within a session, and block traffic that isn't part of an established session.

💡 A stateless firewall blocks traffic using an ACL and a stateful firewall blocks traffic based on the state of the packet within a session. Web app firewalls provide strong protection for web servers. They protect against several different types of attacks, focusing on web app attacks.

Next Gen Firewall
An advanced firewall that adds capabilities that aren't available in first or second gen firewalls.
An NGFW performs deep packet inspection, adding app level inspection as a core feature.
It can identify app commands and detect potentially malicious traffic

Intranet vs Extranet
An intranet is an internal network used for communicating and sharing content with each other.
An extranet is a part of a network that can be accessed by authorized entities from outside of the network.

Screened subnet
Also known as a demilitarized zone (DMZ)
A buffered zone between a private network and the internet. It allows access to services while segmenting access to the internal network.
Internet clients can access the services hosted on servers in the screened subnet, but the screened subnet provides a layer of protection for the private network.

Network Address Translation Gateway
A protocol that translates public IP addresses to private IP addresses and private addresses back to public.
A gateway provides internal clients with private IP addresses a path to the internet.
Commonly used as Port Address Translation (PAT)

Static vs Dynamic
Static uses a single public IP address in a one to one mapping. Maps a private IP address to a single public IP address
Dynamic uses multiple public IP addresses in a one to many mapping. Decides which public IP address to use based on load.

Air Gaps
Isolate one network from another by ensuring there is a physical space between all systems and cables.

VLAN
A virtual local area network uses a switch to group several different computers into a virtual network
Separates or segments traffic on physical networks, and you can create multiple VLANs with a single layer 3 switch
Can group computers together or separate them without regard to physical location

Proxy Servers
Used for forwarding requests such as HTTP or HTTPS
Can improve performance by caching content and restrict access to inappropriate websites by filtering content.
The server increases performance by caching each result received from the internet and saving it for another user that requests the same content.
Transparent proxy vs Non-transparent proxy
Transparent will accept and forward requests without modifying them.
Non-transparent can modify or filter requests.

Reverse Proxy
Accepts requests from the internet.

Unified Threat Management
A single solution that combines multiple security controls. Reduces workload of admins without sacrificing security.
May include:
URL Filtering
Malware inspection
Content inspection
DDoS mitigator - attempts to detect DDoS attacks and block them

Jump Server
A hardened server used to access and manage devices in another network with a different security zone.
Common to connect to a jump server using passwordless SSH.

Chapter 4

Understanding IDSs and IPSs

HIDS
Host based intrusion detection system (HIDS) - additional software installed on a system such as a workstation or a server. It protects the individual host, detects potential attacks, and protects critical operating system files.
Monitors all traffic on a single host system such as a server or a workstation.

NIDS
Network based intrusion detection system (NIDS) - monitors activity on the network.
An admin installs NIDS sensors or collectors on network devices such as switches, routers, or firewalls.
Cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.

Detection Methods
Two primary detection methods are signature based and heuristic based.
Any IDS can detect attacks based on signatures, anomalies, or both.

Signature based detection
Uses a database of known vulnerabilities or known attack patterns.
Ex.
An attacker can launch a SYN flood attack on a server.

Heuristic based detection
Starts by identifying the network’s regular operation or normal behavior.
Can detect unknown anomalies.
Continuously monitors network traffic and compares current network behavior against the baseline.

False Positives vs False Negatives
Admins often set the IDS threshold high enough to minimize false positives but low enough that it does not allow false negatives.
False positive - IDS or IPS sends an alarm or alert when there is no actual attack
False negative - IDS or IPS fails to send an alarm or alert even though the attack is active
True negative - IDS or IPS does not send an alarm or alert and there is no attack
True positive - IDS or IPS sends an alarm or alert after recognizing an attack

IPS vs IDS
IPS is inline with traffic, since traffic passes through the IPS, and can block it.
IDS is out of band, since it just monitors traffic but the traffic doesn’t go through the IDS.
Because IPS is inline with traffic, it is referred to as active, whereas IDS is referred to as passive.

Honeypot
A server that is left open or appears to have been locked down sloppily, allowing an attacker relatively easy access.
Intent is for the server to look like an easy target so that the attacker spends their time in the honeypot instead of a live network.
Goals:
Deceive the attackers and divert their attention from the live network
Observe the attacker and their methodologies

Honeynets
A group of honeypots within a separate network or zone but accessible from an org’s primary network.
Often created using multiple virtual servers contained within a single physical server.

Honeyfile
Designed to attract the attention of an attacker.
Ex. password.txt

Telemetry
Telemetry - collecting information such as stat data and measurements and forwarding it to a centralized system for processing.
Fake telemetry - corrupts data sent to monitoring systems and can disrupt a system
Ex. Hackers hack into a natural gas company and change the pressure on the gas, causing explosions

Wireless Basic
Access point (AP) - connects wireless clients to a wired network
All wireless routers are APs but not all APs are wireless routers.
MAC filtering can restrict access to a wireless network to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control.
MAC Cloning - process of changing the MAC address on a PC or other device to the same MAC address as the wide area network.
A site survey examines the wireless environment to identify potential problem areas.
A heat map shows wireless coverage and dead spots if they exist.
Wireless footprinting gives you a detailed diagram of wireless access points, hotspots, and dead spots within an org.

WPA2
Can operate in either open, pre-shared key (PSK), or Enterprise mode.
Open mode doesn’t use any security. All data is transferred in cleartext, making it easy for anyone to read.
PSK mode allows users to access the wireless network anonymously with a PSK or passphrase.
Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network. Uses 802.1X, which accesses a database of accounts used for authentication.
Need to enter this info when using enterprise mode:
RADIUS server - enter the IP address assigned to the 802.1X server
RADIUS port - port used by the RADIUS server (Default is 1812)
Shared secret - similar to a password but not the user’s password

802.1X Authentication Protocols
Provides port-based authentication, ensuring that only authorized clients can connect to a device or network.
EAP - provides a method for two systems to create a secure encryption key, also known as a Pairwise Master Key (PMK).
This key is used to encrypt all data transmitted between the devices.
Protected EAP - provides an extra layer of protection for EAP. Used with TLS to protect the communication channel.
EAP-FAST - EAP Flexible Authentication via Secure Tunneling, a replacement for Lightweight EAP.
EAP-TLS - EAP Transport Layer Security - one of the most secure EAP standards. Requires certificates on the 802.1X server and client.
EAP-TTLS - EAP Tunneled TLS is an extension of PEAP allowing systems to use older authentication methods such as PAP within a TLS tunnel.
RADIUS Federation - users can log on once and access shared resources with the other entity without logging on again.
💡 Enterprise mode requires an 802.1X server. EAP-FAST supports certificates. PEAP and EAP-TTLS require a cert on the 802.1X server. EAP-TLS requires certs on both the server and client.

Captive Portal
A technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network.
Free internet access
Paid internet access
Alt to IEEE 802.1X - requires users to authenticate before granting them access

Disassociation Attack
Removes a wireless client from a wireless network.
Attacker sends a disassociation frame to the AP with a spoofed MAC address of the victim.

Wi-Fi Protected Setup
Allows users to configure wireless devices without typing in the passphrase.
A WPS attack guesses all possible PINs until it finds the correct one.

Evil Twin
A rogue access point with the same SSID as a legit access point.
Used to capture and exfiltrate data.

VPN

IPsec as a tunneling protocol
Supports both tunneling and transport mode.
Tunnel mode encrypts the entire IP packet, including both the payload and packet headers.
Uses Internet Key Exchange (IKE) over port 500.
Provides security in two ways:
Authentication - includes authentication header (AH) to allow each of the IPsec conversation hosts to authenticate with each other before exchanging data.
Uses protocol 51.
Encryption - Includes Encapsulating Security Payload (ESP) to encrypt the data and provide confidentiality. Uses protocol 50.

SSL/TLS as a tunneling protocol
Some tunneling protocols use TLS to secure the VPN channel.

Split Tunnel vs Full Tunnel
Split tunnel - a VPN admin determines what traffic should use the encrypted tunnel. Doesn’t have to connect to VPN server first if it doesn’t use the private network.
Full tunnel - all traffic goes through the encrypted tunnel

Network access control
NAC provides continuous security monitoring by inspecting computers and preventing them from accessing the network if they don’t pass the inspection.
Common health conditions checked by NAC:
Firewall enabled
OS up to date
Antivirus software is up to date and has updated signatures
Uses authentication agents to inspect NAC clients.

VPN Authentication & Authorization Methods
Password Authentication Protocol (PAP) - Used with Point to Point Protocol (PPP) to authenticate clients. Sends passwords over a network in clear text.
Challenge Handshake Authentication Protocol (CHAP) - also uses PPP and authenticates remote users. More secure since it hashes the shared secret to share between the client and server.
Remote Authentication Dial-In Service (RADIUS) - centralized authentication service. VPN servers forward the authentication requests to a central RADIUS server. Can be used with EAP to encrypt entire sessions.
Terminal Access Controller Access-Control System Plus (TACACS+) - alt to RADIUS and provides two security benefits over RADIUS. Encrypts the entire authentication process, whereas RADIUS only encrypts the password by default. Uses multiple challenges and responses between the client and server. Can be used with Kerberos.

Chapter 5

Virtualization Concepts
Thin client - computer with enough resources to boot and connect to a server to run specific applications or desktops.
Virtual desktop infrastructure (VDI) - hosts a user’s desktop operating system on a server

Container virtualization
Runs services or applications within isolated containers or application cells.
Uses fewer resources and can be more efficient than a system using a traditional Type II virtualization.
Containers must use the same OS as the host.

VM Escape Protection
An attack that allows an attacker to access the host system from within the virtual system.

VM Sprawl Avoidance
Occurs when an org has many VMs that aren’t appropriately managed.
Someone creates a test VM that no one knows about and it doesn’t get deleted/updated.

Using Master Images for Baseline Configurations
Admins sometimes create these images with templates or with other tools to create a secure baseline.
Imaging provides two important benefits:
Secure starting point - image includes mandated security configurations for the system
Reduced costs - deploying imaged systems reduces the overall maintenance costs and improves reliability

Patch Management
Ensures that systems and apps stay up to date with current patches.
Reduces OS and app vulnerabilities since it protects systems from known vulnerabilities.

Change Management
Defines the process and accounting structure for handling modifications and upgrades.
Reduces risks related to unintended outages and provides documentation for all changes.

Application Approved Lists and Block Lists
Approved lists (whitelist) - apps authorized to run on a system
Block Lists (black lists) - list of apps the system blocks

Application Programming Interfaces
A software component that gives devs access to features or data within an app, service, or OS.
Devs need to address several API considerations to ensure that APIs aren’t vulnerable to common exploits:
Authentication (2nd factor auth)
Authorization (diff levels of access)
Transport level security - should use strong security like TLS when transferring any traffic over the internet

Full Disk Encryption
Encrypts an entire disk.
Self encrypting disk (SED) - automatically encrypts and decrypts data on a drive without user intervention.

Boot Integrity
Measured boot - goes through enough of the boot process to perform these checks without allowing a user to interact with the system. If it detects that the system has lost integrity and can no longer be trusted, the system won’t boot.

Trusted Platform Module
TPM is a hardware chip on the motherboard that stores cryptographic keys used for encryption.
Provides full disk encryption and supports secure boot and remote attestation.

Hardware security module
Security device you can add to a system to manage, generate, and securely store cryptographic keys.
Diff between a TPM and HSM is that HSMs are removable or external devices (Micro SD).

Data Exfiltration
Unauthorized transfer of data out of a network.
Data loss prevention (DLP) tech can block the use of USB devices to prevent data loss and monitor outgoing email traffic for unauthorized data transfers.

Software as a Service
Includes any software or application provided to users over a network such as the internet.

Platform as a Service
Provides customers with a preconfigured computing platform they can use as needed.
Easily configurable OS and appropriate apps with on demand computing.
Infrastructure as a Service
Allows an org to outsource its equipment requirements.
Provides customers with access to hardware in a self managed platform.

Anything as a service
Cloud services beyond SaaS, PaaS, and IaaS.
Includes services such as communications, databases, desktops, storage, security, and more.

Cloud Deployment Models
Private clouds are only available for one organization.
Public cloud services are available to anyone and are provided by third party organizations.
Two or more orgs with shared concerns can share a community cloud.
A hybrid cloud is a combination of two or more clouds.

Managed Security Service Provider
A third party vendor that provides security services for an organization.
MSP provides any IT services needed by an org, including security services provided by an MSSP.

Cloud Service Provider Responsibilities
An entity that offers one or more cloud services via one or more cloud deployment models.
High availability
Resource Policy - folders, projects, and virtual machine instances
Secrets Management - passwords and encryption keys that users create. Stores and manages secrets.
Integration and auditing - CSP integrates auditing methods that help customers identify the effectiveness of security controls
Virtual Network - Software defined network tech instead of physical routers and switches
Public and private subnets - Public subnets have public IP addresses and are accessible via the internet. Same for private.
Segmentation
Security groups - Admins assign permissions to a group and add users to the account
Dynamic resource allocation
Instance awareness - Ability of the CSP to know and report how many instances of cloud based resources an org is renting
Virtual private cloud (VPC) endpoint - virtual device within a virtual network.
Transit gateway - used to connect VPCs to an on premise network
Container security - runs services or apps within containers.
Next Generation Secure Web Gateway
A combination of a proxy server and a stateless firewall.
Filters URLs, scans malware, packet filtering.
Cloud based service but can be on-site.
💡 A cloud access security broker (CASB) is a software tool or service deployed between an org’s network and cloud provider. It provides security by monitoring traffic and enforcing security policies.

Infrastructure as Code
Managing and provisioning data centers with code to define VMs and virtual networks.
Reduces complexity of creating virtual objects by allowing admins to run a script to create them.

Software defined networking
Uses virtualization tech to route traffic instead of using hardware routers and switches.
Routing protocols such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) help routers determine the best path to route traffic on the control plane.

Edge Computing
Practice of storing and processing data close to the devices that generate and use the data.
Diff between fog and edge computing is that fog computing uses a network close to the device and may have multiple nodes sensing and processing data within the fog network. Edge computing stores and processes the data on single nodes or appliances.

Deployment Models
Corporate owned - org purchases devices and issues them to employees
Corporate owned, personally enabled (COPE) - similar to CO, but employees are free to use the device as if it was their own
Bring your own device (BYOD) - employees are responsible for selecting and supporting the device
Choose your own device (CYOD) - some orgs create a list of acceptable devices and publish the list in a BYOD policy. The employee purchases the device.
Connection and Receiving Methods
Cellular
Wi-Fi
Bluetooth
NFC - payment gateway for phone
RFID
Infrared - used in remote controls or smartphones
USB
Point to point - between two wireless devices (Bluetooth, RFID, NFC)
Point to multipoint - wireless devices connect to each other without an AP
Payment Methods

Mobile Device Management
Includes the technologies to manage mobile devices.
Unified endpoint management (UEM) - ensure systems are kept up to date with current patches, have antivirus, and are secured using standard security practices.
App management - MDM tools can restrict what apps can run
Full device encryption - provides device security, app security, and data security
Storage segmentation - users would store corporate data within an encrypted segment and personal data elsewhere on the device.
Content management - can force the user to authenticate again when accessing data within this encrypted segment
Containerization - orgs can implement containerization in mobile devices and encrypt the container to protect it without encrypting the entire device. Good for BYOD and CYOD
Passwords and PINs
Biometrics
Screen locks
Remote wipe
Geolocation
Geofencing - orgs sometimes use GPS to create a virtual fence or boundary. An org can configure a wireless network to only operate for mobile devices within the defined boundary.
GPS tagging - adds geographical info to files like pictures
Context aware authentication - uses multiple elements to authenticate a user and a mobile device. Can include identity, geolocation, geofence, time of day, and type of device.
Push notifications

Embedded Systems
Any device that has a dedicated function and uses a computer system to perform that function.
Field programmable gate array (FPGA) - programmable integrated circuit installed on a circuit board
Arduino - microcontroller board, circuit board contains the CPU, RAM, and ROM.
Used for simple repetitive tasks like monitoring temp
Raspberry Pi - microprocessor based mini computer. Can be used to send signals to control temp

ICS and SCADA Systems
Systems within large facilities such as power plants or water treatment facilities.
Supervisory control and data acquisition system (SCADA) - controls an ICS by monitoring it and sending it commands.
Protected within isolated networks that can’t access the internet.
Used in manufacturing, facilities, energy, and logistics.

Embedded System Constraints
Computing
Crypto - encrypting data
Power
Range
Authentication
Network - often need an interface to configure a device
Cost - adding features increases cost
Inability to patch
Implied trust - most users trust that embedded systems are secure
Weak defaults - weak defaults used for authentication or defaulting to no encryption when sending data

Chapter 6

Threat Actors
Advanced Persistent Threat (APT) - group of organized threat actors that engage in targeted attacks against organizations
State actors - target specific companies, organizations, or agencies
Criminal syndicates - group of individuals working together in criminal activities
Script kiddie - attacker who uses existing computer scripts or code to launch attacks
Hacktivist - launches attacks as part of an activist movement or to further a cause
Black hat - unauthorized hacker
White hat - security professional working within the law
Gray hat - identifies individuals who may have good intentions, but activities may cross ethical lines.

Attack Vectors
Email - frequently used to send out spam with malicious links or attachments
Social media - used to gather info on targets

Malware Types
Malware - wide range of software that has malicious intent
Symptoms include running slower, starting unknown processes, sending out email without user interaction, random reboots, and more.
Virus - malicious code that attaches itself to a host application
May delete files, cause random reboots, join computer to a botnet, or enable backdoors that attackers can use to access systems
Worms - self replicating malware that travels throughout a network without assistance of a host application or user interaction
Logic Bombs - string of code embedded into an app or script that will execute in response to an event or specific time
Backdoor - another way of accessing a system
Trojans - can come as pirated software, useful utility, game, or something users might be enticed to download and try
Drive by download steps:
Attackers compromise website
Install trojan into website code
Attackers bring in people to the website
Users visit and website tries to download trojan onto their system
Remote access trojan (RAT) - malware that allows attackers to control systems from remote locations
Keyloggers - attempt to capture a user’s keystrokes
Spyware - software installed on users’ systems without their awareness or consent. Often includes a keylogger
Changes a user’s homepage, redirects web browsers, installs additional software within the browser
Rootkit - group of programs that hides the fact that the system has been infected or compromised by malicious code. Modifies internal OS processes, system files, and admin access.
Bots/Botnets - software bots used for malicious purposes like stealing sensitive and private info
Command and Control - used by botnets to periodically check in for instructions
Ransomware - attackers take control of computers and networks, locking out users
Cryptomalware - attackers encrypt data on computers within the network to prevent access and demand that the org pay a ransom
Fileless virus - type of malicious software that runs in memory

Potential Indicators of Malware
Extra traffic
Data exfiltration - unauthorized transfer of data out of a network
Encrypted traffic - malware will encrypt the data before data exfiltration attempts
Traffic to specific IPs - bot zombies will attempt to connect to known command and control servers
Outgoing spam - botnets are sending phishing emails

Social Engineering
The practice of using social tactics to gain info.
Flattery/conning
Assuming position of authority
Encouraging a risky action
Encouraging to reveal sensitive info
Impersonating
Tailgating
Dumpster diving
Zero-day vulnerabilities - bug that is unknown to trusted sources. Could be that vendors don’t know about the vulnerability or haven’t written patches to fix it.
Can evade up to date anti-virus software
Watering hole attack - attempts to discover which websites a group of people are likely to visit and then infects those websites with malware that can affect other visitors
Typo Squatting - when someone buys a domain name that is close to a legitimate name
Hosting malicious websites
Earning ad revenue
Reselling the domain
Eliciting Information - act of getting information without asking for it directly
Pretexting - fictitious scenario added to a conversation to make a request more believable
Prepending - adding something to the beginning of something else
Identity theft - when someone steals personal info
Invoice scams
Credential harvesting
Reconnaissance
Influence campaigns
Hybrid warfare - military strategy that blends conventional warfare with unconventional methods to influence people

Other Types of Attacks
Phishing
Whaling
Vishing - use the phone system to trick users into giving up personal and financial info
Smishing - texts that include malicious attachments and try to trick the user into giving up personal info

Blocking Malware
Spam filter on mail gateway - detect and filter spam before it gets to users
Anti-malware software on mail gateway - strips potentially malicious attachments off the email
All systems
Boundaries or firewalls

Antivirus and Anti-Malware software
Signature based detection
Heuristic based detection
File integrity monitors
Cuckoo Sandbox - open source automated software analysis system. Primary purpose is to analyze suspicious files and test
💡 Social engineers are effective because they use psychology based techniques to overcome users’ objections, including representing themselves as authoritative figures, intimidation, faking scarcity, urgency, familiarity, or creating a sense of trust.
Threat Intelligence Sources
Open source intelligence (OSINT) - gathering public information
Common types of OSINT:
Vulnerability databases - known vulnerabilities and public databases
Trusted Automated eXchange of Indicator Information (TAXII) - open standard that defines a set of services and message exchanges used to share info. Standard way for orgs to exchange cyber threat info
Structured Threat Information eXpression (STIX) - open standard that identifies what cyber threat info orgs should share
Automated Indicator Sharing (AIS) - used for real time exchange of threat indicators and defensive measures
Dark web
Public/private info sharing centers
Indicators of compromise - evidence that a cyberattack is happening or has happened
Predictive analysis - attempt to predict what attackers will do next and how to thwart their attacks
Threat maps - visual representation of active threats
File/code repositories - prewritten code that developers can use for a variety of purposes, including gathering intelligence

Chapter 7

Attack Frameworks
Cyber kill chain - concept related to an attack
Reconnaissance - researching, identifying, and selecting targets
Weaponization - malware is embedded within a deliverable payload
Delivery - payload is transmitted to the target.
(malware attachment in phishing email)
Exploitation - after weapon is delivered, it activates and triggers the exploit
Installation - exploit will often install a remote access Trojan or backdoor on the system
Command and Control - infected systems send out a signal over the internet
Actions over objectives - attackers can begin taking action to achieve their ultimate goals

Diamond Model of Intrusion Analysis
Adversary - can be identified by email, usernames, memberships in advanced persistent threat groups
Capabilities - malware, exploits, and other hacker tools
Infrastructure - Internet domain names, email addresses, and IP addresses used by the adversary
Victim - can be identified by names, email, or other network identifiers

MITRE ATT&CK - knowledge base of tactics and techniques used in real world attacks

Identifying Network Attacks

DoS vs DDoS
Denial of service - attack from one attacker against one target
Distributed denial of service - attack from two or more computers against a single target
The goal is resource exhaustion, which overloads the system.

SYN Flood Attacks
Disrupts the TCP three way handshake process by never responding with a SYN/ACK

Spoofing
When one person or entity impersonates someone

On Path Attacks
A man in the middle attack is a form of active interception or active eavesdropping.
When secure channels aren’t used, the hacker’s system may use certs that aren’t issued by a CA and will generate certificate warnings.

Secure Sockets Layer Stripping
Redirects the user to HTTP by intercepting the beginning of the TLS negotiation process

Layer 2 Attacks
ARP Poisoning - attack that misleads computers or switches about the actual MAC address of a system
ARP Request - broadcasts the IP address and asks, “Who has this IP address?”
ARP Reply - the computer with the IP address in the ARP request responds with its MAC address. The sender computer caches the MAC address for the IP.
ARP On Path Attacks
Can eavesdrop, redirect network traffic, or insert malicious code.
Normally it goes from user → switch → router → internet
But with poisoning it goes user → attacker → router → internet

ARP DoS Attacks
If all computers cache a bogus MAC address for the default gateway, none of them can reach it, making all traffic stop going out of the network.

MAC Flooding
Attack against a switch that attempts to overload it with different MAC addresses associated with each physical port.
After flooding, the switch runs out of memory to store all the MAC addresses and enters a fail-open state, turning it into a simple hub.
Traffic sent to any port of the switch is now sent to all other switch ports.

MAC Cloning
Changing a system’s MAC address to another MAC address

DNS Attacks
DNS poisoning attacks - attempts to modify or corrupt DNS data
Users enter the URL and are taken to a different website
Pharming Attack - manipulates the DNS name resolution process
Redirects users to a different website like DNS poisoning attacks
URL Redirection - used to redirect traffic to a different page within the site.
Domain Hijacking - an attacker changes a domain name registration without permission from the owner
Domain Reputation - helps ISPs determine the likelihood that an email is being sent by a legitimate organization
DNS Sinkhole - a DNS server that gives incorrect results for one or more domain names
DNS Log Files - record DNS queries such as each request to resolve a hostname to an IP address

Replay Attack and Session Replays
An attacker replays data that was already part of a communication session.
The attacker modifies the data, then tries to impersonate one of the clients in the original session and send the modified data in session replays.

Secure Coding Concepts
OWASP - Open Web Application Security Project focused on improving the security of software
Code Reuse and Dead Code
Third party Libraries and SDKs - third party libraries that devs can call from within a web application without needing to write any code.
Input Validation - prevents an attacker from sending malicious code that an application will use by either sanitizing input to remove malicious code or rejecting the input
Verifies proper characters
Blocking HTML code
Preventing the use of certain characters
Boundary or range checking
Protects against buffer overflow, SQL injection, dynamic link library injection, and cross-site scripting attacks
Client side and server side input validation - client side input validation is quicker but is vulnerable to attacks. Server side is longer but more secure since it ensures that the application doesn’t receive invalid data
Avoiding Race conditions - when two or more applications attempt to access a resource at the same time. Like people buying things and having the same ticket details
Proper Error Handling - ensures that an application can handle an error gracefully
Errors to users should be general - detailed errors provide info that attackers can use against the system
Detailed errors should be logged - makes it easier for devs to identify what caused the error and how to resolve it
Code Obfuscation and Camouflage - attempts to make something unclear or difficult to understand.
Camouflage attempts to make the code unreadable
Software Diversity - used to mimic the use of multiple different core languages
A compiler converts code written in a programming language into a binary exe file
Adds a level of randomness to the code, allowing the same program to behave slightly differently on different OSes but still achieve the same result.

Outsourced Code Development
Making sure the code works as expected
Vulnerable code
Malicious code
Lack of updates
Data Exposure

HTTP Headers
HTTP Strict Transport Security - tells browser to display the page only if sent as HTTPS
Content Security Policy - acceptable content
X-Frame Options - Tells the browser if X-Frames are allowed
Secure Cookies - a cookie is a small text file used to enhance the user experience. Secure ensures that the cookie is only transmitted over secure channels like HTTPS

Code Signing - authenticates and validates software

Analyzing and Reviewing Code
Static Code Analysis - examines code without executing it. Can use automated tools
Manual Code Review - review code line by line. Done by someone other than the programmer.
Dynamic code analysis - checks the code as it’s running.
Fuzzing uses a computer program to send random data to an application.
Can crash the program sometimes
Sandboxing - used to test applications within an isolated area

Software Version Control
Tracks the versions of software as it’s updated, who edited it, and is able to roll back changes

Secure Development Environment
Development - use an isolated environment to create the application
Test - put the application through its paces and attempt to discover any bugs or errors
Staging - simulates the production environment and is used for late stage testing
Production - application goes live as the final product
Quality assurance - helps ensure that an application maintains a high level of quality

Database Concepts
Normalization - organizing tables and columns to reduce redundant data and improve overall database performance. A database is considered normalized when it conforms to the first three normal forms
First Normal Form
Each row within a table is unique and identified with a primary key
Related data is contained in a separate table
None of the columns include repeating groups
Second Normal Form
Only applies to tables that have a composite primary key where two or more columns make up the full primary key
1NF
Non-primary key attributes are completely dependent on the composite primary key
Third Normal Form
2NF which also means 1NF
All columns that aren’t primary keys are only dependent on the primary key

SQL Queries
SQL Injection Attacks
The attacker enters additional data into the webpage form to generate different SQL statements
Protecting against SQL injection attacks
Stored procedure - group of SQL statements that execute as a whole
The stored procedure performs data validation but it handles the parameter differently and prevents a SQL injection attack

Provisioning and Deprovisioning
Giving and removing services for users/apps
An app can run on iOS devices and use diff services like the accelerometer and gyroscope to detect movement.
Deprovisioning an app refers to removing it from the device.
Integrity Measurement - Quality of the code and how extensively the code was tested throughout the development cycle.

Web Server Logs
Logs activity on the server. Will show normal activity like HTTP requests from users and server’s responses
Common to send log entries to a centralized logging system and configure it to send alerts after detecting suspicious activity

Using Scripting for Automation
SIEM systems include a wide variety of scripts working behind the scenes to collect and analyze log entries
Automated courses of action - updating code triggers automated responses to verify the application runs correctly
Continuous monitoring - monitors code changes to detect compliance issues and security threats
Continuous validation - Revalidates code after every change
Continuous integration - practice of merging code changes into a version control repository
Continuous delivery - code changes are released automatically to a testing or staging environment
Continuous deployment - code changes are deployed automatically to the entire production environment.
Deployment deploys the changes to a production environment whereas delivery only sends the changes to a testing environment.
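The input validation and SQL injection notes from earlier in this chapter, as an added example that is not part of the original notes. SQLite has no stored procedures, so a parameterized query stands in for the stored procedure here (both pass the user's value as data rather than as part of the SQL text); the table, rows, field rule and crafted input are constructed for the example.

```python
import re
import sqlite3

# Allow-list for the hypothetical "customer name" field: proper characters only,
# with a length bound (boundary checking). The rule itself is an assumption.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Constructed input of the kind the notes describe: extra data typed into a form
# field so that the generated SQL statement changes meaning.
CRAFTED_INPUT = "alice' OR '1'='1"


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_concatenated(conn, name):
    """Weak form: the input is pasted into the SQL text, so quotes in it are parsed as SQL."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the statement is fixed and the input is bound as a value."""
    query = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def is_valid_name(name):
    """Server-side input validation: reject anything outside the allow-list."""
    return NAME_RE.fullmatch(name) is not None


def lookup_hardened(conn, name):
    """Validate first, then use the parameterized query (two layers)."""
    if not is_valid_name(name):
        # General message for the caller; the detail belongs in the server log.
        raise ValueError("invalid request")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED_INPUT))
    print("parameterized:", lookup_parameterized(db, CRAFTED_INPUT))
    print("valid input? :", is_valid_name(CRAFTED_INPUT))
```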
Identifying Malicious Code and Scripts
Can’t update the system
Antivirus is disabled
System is slow
Internet traffic increases on its own
Programs start automatically
System randomly crashes or freezes
Security warnings
Browser home page or search engine changes
Ransom message

PowerShell
Task based command line shell and scripting language that uses cmdlets
Can run .bat and .ps1 files
Common verbs are: get, add, test, remove, new, find, and move
Common nouns: command, service, location, process, childitem, wmiobject, psdrive

Bash
Command language interpreter for Unix and Unix-like operating systems
When running a bash script file you must prefix it with bash or sh
If logs show that bash or sh is being invoked to run scripts it may be an indicator of an attack

Python
Interpreted programming language that includes extensive libraries
Potential indicator of a system running Python scripts is any reference to .py files

Macros
Short instruction that will run a longer set of instructions
Useful for automating repetitive functions

Visual Basic for Applications (VBA)
Internal programming language within Microsoft applications
Event driven tool and started by initiating macros

OpenSSL
Software library used to implement SSL and TLS protocols

SSH
Used by Windows or Linux to connect with remote systems

Identifying Application Attacks
Zero day attacks - weakness or bug that is unknown to trusted sources
Memory vulnerabilities - vulnerabilities in memory or buffers
Memory leak - bug in a computer application that causes the application to consume more and more memory the longer it runs
Buffer Overflow - occurs when an application receives more input than it expects
Buffer Overflow attacks - include NOP instructions followed by malicious code
Integer Overflow - occurs if an application receives a numeric value that is too big for the application to handle
Pointer/Object Dereference - Stores a reference to a variable or object.
Dynamic Link Library Injection - DLL is a compiled set of code that an application can use without re-creating the code. Injection is an attack that injects a DLL into a system’s memory and causes it to run
Lightweight directory access protocol injection - specifies the formats and methods used to query databases of objects such as users, computers, and other objects within a network
Extensible Markup Language (XML) - markup language commonly used to transfer data. Primary indicator of XML injection is the creation of unwanted accounts
Directory Traversal - specific type of injection attack that attempts to access a file by including the full directory path or traversing the directory structure on a computer
Cross-Site Scripting - web application vulnerability that allows attackers to inject scripts into webpages
Reflected XSS or non-persistent - attacker crafting a malicious email then encouraging a user to click on it. The request includes malicious code and the server sends it back to the user in the HTTP responses
Stored XSS or persistent - malicious code stored in a database or other location trusted by the web application
Cross-site request forgery (XSRF or CSRF) - an attack where an attacker tricks a user into performing an action on a website to capture user information such as cookies. Can usually be prevented by a CAPTCHA or dual authentication.
Server-side request forgeries (SSRF) - exploit how a server processes external information. If an attacker can modify the external URL he can potentially inject malicious code into the webpage.
Client-side request forgeries - occurs if an attacker can inject code into the client side webpage after the server has crafted it and sent it to the user
Driver manipulation - Shimming provides the solution that makes it appear that the older drivers are compatible
AI and Machine Learning - AI is intelligence that machines can demonstrate.
ML refers to technologies that help computer systems improve with experience
Adversarial AI - attempts to fool AI models by supplying them with deceptive input

Chapter 8
Understanding Risk Management
Threats - potential danger
Malicious human threats
Accidental human threats - users can accidentally delete or corrupt data
Environmental threats - long term power failure

Risk types
Internal - any risks from within an organization
External - from outside the organization
IP theft - Intellectual property like copyrights, patents, trademarks, and trade secrets
Software compliance - Development companies sell software as licenses which employees can sometimes use up without authorization
Legacy systems and legacy platforms - no vendor support
Multiparty - occur when an org contracts with an external organization for goods and services

Vulnerabilities
Default configurations
Lack of malware protection or updated definitions - out of date antivirus
Improper or weak patch management
Lack of firewalls - more vulnerable if host based and network firewalls aren’t enabled
Lack of organizational policies - if job rotation, mandatory vacations, and least privilege policies aren’t implemented, an organization may be more susceptible to fraud from employees

Risk Management
Practice of identifying, monitoring, and limiting risks to a manageable level
Inherent risk - risks that exist before controls are in place to manage the risk
Residual risk
Control risk - risk that exists if in-place controls do not adequately manage risks
Risk appetite - amount of risk an org is willing to accept
Avoidance - org can avoid a risk by not providing a service or not participating in a risky activity
Mitigation - org implements controls to reduce risks
Acceptance - cost of a control outweighs a risk
Transference - org transfers the risk to another entity or at least shares the risk with another entity (insurance)
Cybersecurity insurance - helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage

Risk Assessment types
Quantitative Risk Assessment - measures the risk using a specific monetary amount
Single loss expectancy (SLE) - cost of any single loss
Annual rate of occurrence (ARO) - how many times the loss will occur in a year
Annual loss expectancy (ALE) - value of SLE x ARO
Qualitative Risk Assessment - uses judgement to categorize risks based on the likelihood of occurrence and impact
Supply Chain Risks - includes all the elements required to produce and sell a product
Risk Register - comprehensive document listing known info about risks
Risk Matrix - plots risks onto a graph
Risk heat map - uses color coding to plot the risks

Threat Hunting
Process of actively looking for threats within a network before an automated tool detects and reports on the threat
Adversary tactics, techniques, and procedures (TTPs) - refers to attackers’ methods when exploiting a target
Intelligence fusion - combines all data to create a picture of likely threats and risks for an organization

Comparing Scanning and Testing Tools
Checking for vulnerabilities
Password Cracker - attempts to discover a password (Online or Offline)
Network Scanners - use various techniques to gather info about hosts within a network
ARP ping scan - used to resolve IP addresses to MAC addresses
SYN stealth scan - sends a single SYN packet to each IP address in the scan range. If a host responds the scanner knows the host is operational with that IP address.
Port scan - checks for open ports on a system
Service scan - verifies the protocol or service
OS detection - analyzes packets from an IP address to identify the OS
Vulnerability Scanning - identify which systems are susceptible to attacks
Open ports and services
Unsecure root accounts
Default accounts and passwords
Default settings
Unpatched systems
Errors
Open permissions
Unsecure protocols
Weak encryption
Weak passwords
Sensitive data

Vulnerability Scan Outputs
Lists of hosts discovered
Detailed list of apps running on each host
Open ports and services on each host
Vulnerabilities
Recommendations
💡 Vulnerability scans are passive and have little impact on a system during a test. A penetration test is intrusive and can potentially compromise a system.

Penetration Testing
Rules of engagement - authorization before beginning any vulnerability or penetration testing
Reconnaissance - attempts to learn as much as possible about a network
Passive - collects info about a targeted system, network, or org using open source intelligence (OSINT)
Active - use tools to engage targets

Network Reconnaissance and Discovery
Use tools to send data to systems and analyze the responses
Tools include:
IP scanner - searches for active IP addresses
Nmap - identifies active hosts on a network, IP addresses, protocols and services, and the host’s OS
Netcat - cmd line for remotely accessing Linux systems
Scanless - Python based command line utility which performs port scans
Dnsenum - list DNS records for domains
Nessus - vulnerability scanner used for configuration reviews
hping - sends pings using TCP, UDP, or ICMP
Sn1per - automated scanner used for vulnerability assessments and to gather info on targets during penetration testing
Client URL (Curl) - used to transfer and retrieve data to and from servers

Lateral Movement
The way attackers maneuver throughout a network

Privilege Escalation
Attackers using various methods to gain more and more privileges from a user on a network

Pivoting
Process of using various tools to gain additional info
Uses an exploited system to target other systems

Known, Unknown, and Partially Known Testing Environment
Unknown - zero knowledge of the environment prior to starting an unknown test. Approach the test with the same knowledge as an attacker
Known - testers have full knowledge of the environment before starting a known test. Access to product documentation, source code, and even logon details.
Partially - testers have some knowledge of the environment prior to starting the partial test

Cleanup
One of the last steps of a penetration test
Removing any user accounts created on systems in the network
Removing scripts or applications
Removing files, logs, or temp files
Reconfiguring all settings modified during the penetration test

Exercise Types
Red team - attacks systems, breaking into defenses and exploiting vulnerabilities
Blue team - defends. Usually employees
Purple team - can do either blue or red team activities
White team - establish the rules of engagement for a test and oversee the testing

Capturing Network Traffic
Packet Capture and Replay - using a protocol analyzer, this allows admins to analyze and modify packet headers and payloads
A capture shows info such as the type of traffic, flags, source and destination IP, and MAC addresses.

Tcpreplay and Tcpdump
Tcpreplay is a suite of utilities used to edit packet captures and then send the edited packets over the network. Used for testing network devices
Tcpdump - cmd protocol analyzer. Allows the capture of packets

NetFlow, sFlow, and IPFIX
NetFlow - feature on routers and switches that can collect IP traffic statistics and send them to a NetFlow collector
sFlow - provides traffic info based on a preconfigured sample rate. (Ex. captures 1 packet out of every 10 and sends it to the sFlow collector.)
Understanding Frameworks and Standards
Framework - structure used to provide a foundation
ISO 27001 - Information Security Management requirements
ISO 27002 - Information Technology Security Techniques
ISO 27701 - Privacy Information Management System, outlines a framework for managing and protecting PII
ISO 31000 - family of standards related to risk management
SOC 2 Type I - covers an org’s systems and the design effectiveness of security controls on a specific date
SOC 2 Type II - covers an org’s systems and the operational effectiveness of security controls over a range of dates

Risk Management Frameworks
Prepare - identifies key roles for implementing the framework, identifies risk tolerance strategies, updates risk assessments, and identifies in place controls
Categorize information systems - personnel determine the impact to operations and assets if there is a loss of CIA
Select security controls - personnel select and tailor the controls necessary to protect their operations and assets
Implement security controls - personnel implement the selected controls
Assess security controls - personnel assess the controls to see if they are producing the desired outcome
Authorize info systems - senior management official determines if the system is authorized to operate
Monitor security controls - ongoing step where personnel constantly assess changes in the system and environment

Cybersecurity Framework
Framework core - set of activities that an org can select to achieve desired outcomes (identify, protect, detect, respond, and recover)
Framework implementation tiers - help an org identify how it views risks. (Partial Tier 1, Risk informed Tier 2, Repeatable Tier 3, and Adaptive Tier 4)
Framework profiles - provide a list of outcomes for an organization based on its needs and risk assessments. By comparing current and target profiles an org can identify gaps in its risk management.
Reference Architecture
Document or set of documents that provides a set of standards

Exploitation Frameworks
Metasploit Framework - open source project for Linux. Has data on over 1600 exploits
Browser Exploitation Framework (BeEF) - open source web browser exploitation framework. Focuses on identifying web browser vulnerabilities
Web app attack and audit framework (w3af) - focuses on web app vulnerabilities

Chapter 9
Physical Security Controls
Proximity cards
Physical locks
Cipher locks
Biometric locks
Cable locks

Security with Personnel
Two person integrity - security control that requires the presence of at least two authorized individuals to perform a task

Monitoring Areas with Sensors
Motion detection
Noise detection
Temperature
Moisture detection
Proximity reader
Cards

Asset Management
Process of tracking valuable assets throughout their life cycles
Architecture and design weaknesses - helps reduce architecture and design weaknesses by ensuring that purchases go through the approval process
System sprawl and undocumented assets - occurs when an org has more systems than it needs

Implementing Diversity
Defense in depth - security practice of implementing several layers of protection
Vendor diversity - practice of implementing security controls from different vendors to increase security
Technology diversity - practice of using different technologies to protect an environment
Control diversity - use of different security control types, such as tech, physical, and admin controls.

Faraday Cage
A room that prevents radio frequency signals from entering into or emanating beyond a room.

Malicious Universal Serial Bus Cable
Has an embedded WiFi controller capable of receiving commands from nearby wireless devices

Redundant array of inexpensive disks
RAID-0 - Striping doesn’t provide any redundancy or fault tolerance.
Increased read/write performance
RAID-1 - Mirroring uses both disks to write, so if one fails the other has the same data.
RAID-5 / RAID-6 - RAID-5 consists of 3 or more disks. Similar to RAID-0, but if 2 or more disks fail then the data is lost. RAID-6 requires 4 or more disks and can still operate if 2 drives fail
RAID-10 - combination of RAID 1 + 0. 4 minimum drives. (Ex. 4 500GB drives, so 1TB of usable storage)

NIC Teaming
Allows you to group two or more physical network adapters into a single software based virtual network adapter
Increases performance using load balancing

Power Redundancies
Uninterruptible power supplies (UPS) - provide short term power and protect against power fluctuations
Dual supply - second power supply
Generators - provide long term power during extended outages
Managed power distribution units - server racks within a data center house multiple computing devices. Used with a Power Distribution Unit, this monitors the quality of power and reports the measurements to a console.

Backup Media
Disk
Network attached storage (NAS) - dedicated computer used for file storage that is accessible on a network. Runs a stripped down version of Linux for simplicity and to reduce costs
Storage area network (SAN) - provides block level data storage via full network.
Can be used for real time replication of data
Cloud

Comparing Backup Types
Full backup
Differential - backs up all the data that has changed or is different since the last time
Incremental - backs up all the data that has changed since the last full or incremental backup or a single day
Snapshot and image backup - captures the data at a point in time

Business Impact Analysis Concepts
Important part of a BCP
Helps an org identify critical systems and components that are essential to the org’s success

Recovery Time Objective
The maximum amount of time it can take to restore a system after an outage

Recovery Point Objective
A point in time where data loss is acceptable

MTBF vs MTTR
Mean time between failures (MTBF) - provides a measure of a system’s reliability and is usually represented in hours
Mean time to repair (MTTR) - average time it takes to restore a system

Continuity of Operations
Focuses on restoring mission essential functions at a recovery site after a critical outage
Site resiliency - if one site suffers a failure an alt site can take over after the disaster
Hot site - up and operational 24/7. Includes all the equipment, software, and capabilities of the primary site
Cold site - requires power and connectivity.
Ability to relocate and operate anywhere
Warm site - provides a compromise that an org can tailor to meet its needs

Disaster Recovery
How to recover critical systems and data after a disaster
Phases:
Activate the disaster recovery plan
Implement contingencies
Recover critical systems
Test recovered systems
After action support

Testing Plans with Exercises
Table top exercises - discussions based around scenarios
Walk throughs - workshops that train team members about their roles and responsibilities
Simulations - functional exercises that allow personnel to test the plans in a simulated operational environment

Chapter 10
Cryptography Concepts
Integrity - provides assurances that data has not been modified
Hash - number derived from performing a calculation on data. Cannot be reversed to re-create the original data
Confidentiality - ensures that data is only viewable by authorized users
Encryption - scrambles data to make it unreadable if intercepted. Typically includes an algorithm and a key.
Symmetric encryption - uses the same key to encrypt and decrypt data
Stream ciphers - encrypt data 1 bit at a time
Asymmetric encryption - uses two keys (public and private) as a matched pair
Requires a Public Key Infrastructure (PKI) to issue certificates
Anything encrypted with the Public/Private key has to be decrypted with the matching Public/Private key
Steganography - provides a level of confidentiality by hiding data within other files

Hash vs Checksum
Hashes are longer numbers and used in strong cryptographic implementations
Checksum is typically a small piece of data and used to verify the integrity of data
💡 Two popular hashing algorithms used to verify integrity are MD5 and SHA256.

MD5
Common hashing algorithm that produces a 128 bit hash
Sometimes used to verify the integrity of files as a quick checksum (Ex. emails, disk files, exe files)

Secure Hash Algorithms
SHA - group of hashing algorithms with variations grouped into four families (SHA-0, SHA-1, SHA-2, and SHA-3)
SHA-0 is not used
SHA-1 is similar to MD5, but weaknesses were discovered so it’s not used
SHA-2 improved SHA-1 to overcome potential weaknesses. Includes 4 versions (256, 512, 244, 384).
SHA-3 is an alternative to SHA-2
Used for file integrity

HMAC
Hash message authentication code
Fixed length string of bits similar to other hashing algorithms such as MD5 and SHA-256
Can be used with a HMAC secret key to create another hash unknown to attackers

Hashing Collision
Occurs when the hashing algorithm creates the same hash from different inputs
MD5 is highly susceptible to collision attacks, which is why it’s no longer recommended as a cryptographic hash

Password Attacks
Online password attack - attempts to discover a password from an online system
Offline password attack - attempts to discover passwords from a captured database or captured packet scan that is downloaded

Dictionary Attacks
Uses a dictionary of words and attempts every word in the dictionary to see if it works.

Brute Force Attacks
Attempts to guess all possible character combinations

Spraying Attacks
A special type of brute force or dictionary attack designed to avoid being locked out.
Loops through a long list of accounts so it takes a while before it hits the same account twice, avoiding the account lockout policy

Pass the Hash Attack
Attacker discovers the hash of the user’s password and then uses it to log on to the system as the user

Birthday Attacks
Attacker attempts to create a password that produces the same hash as the user’s actual password
Exploit collisions in hashing algorithms

Rainbow Table Attacks
Attempts to discover the password from the hash
Huge database of possible passwords with the precomputed hashes for each
The application guesses a password
Application hashes the guessed password
Compare original password hash with the guessed password hash
If not the same password, app repeats

Salting Passwords
Common method of preventing rainbow table attacks, brute force, and dictionary attacks

Key Stretching
Advanced technique used to increase the strength of stored passwords
bcrypt - used on many Unix and Linux distributions to protect the passwords stored in the shadow password file. Salts the password by adding additional random bits before encrypting it
Password-Based Key Derivation Function 2 (PBKDF2) - uses salt of at least 64 bits and uses a pseudo-random function such as HMAC to protect passwords. A weakness is that it can be configured to use less computing time making it beneficial to users but easier for attackers.
Argon2 - uses a password and salt that is passed through an algorithm several times
💡 Encryption provides confidentiality and helps ensure that data is viewable only by authorized users such as data in a database or data in transit.

Providing Confidentiality with Encryption
Data at rest - refers to any data stored on media
Data in transit - any data sent over a network
Data in processing - data being used by a computer. Because the data is being used by the computer it is not encrypted while in use.
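The rainbow table, salting and key stretching notes above, worked through as an added example that is not part of the original notes. A small precomputed lookup table stands in for a rainbow table, and the record format, salt size, iteration count and candidate passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16        # assumed: 128-bit salt, above the 64-bit minimum noted for PBKDF2
ITERATIONS = 200_000   # assumed work factor; lowering it is the PBKDF2 weakness the notes mention


def fast_unsalted_hash(password):
    """Weak storage: one pass of a fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {fast_unsalted_hash(p): p for p in candidates}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, stretched storage record: scheme$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iter_text, salt_hex, derived_hex = stored.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    table = build_lookup_table(["Password1", "letmein", "qwerty"])
    user_a = fast_unsalted_hash("letmein")
    user_b = fast_unsalted_hash("letmein")
    print("unsalted hashes identical:", user_a == user_b)
    print("recovered from table     :", table.get(user_a))

    rec_a = hash_password("letmein")
    rec_b = hash_password("letmein")
    print("salted records identical :", rec_a == rec_b)
    print("found in table           :", rec_a.split("$")[3] in table)
    print("correct password verifies:", verify_password("letmein", rec_a))
```

Because each record carries its own salt, a table precomputed for one record is useless against the next, and the iteration count makes every individual guess slower.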
Symmetric Encryption
Uses the same key to encrypt and decrypt data
Encryption algorithm - move X spaces forward to encrypt
Decryption algorithm - move X spaces backward to decrypt
Plaintext - human readable text
Ciphertext - substituted text
ROT13 - rotates 13 places, doesn’t provide true encryption but instead obfuscates the data

Block Ciphers vs Stream Ciphers
Both symmetric and use the same key to encrypt and decrypt data
Block cipher - encrypts data in specific sized blocks such as 64 or 128 bit blocks. Divides large files or messages into these blocks and then encrypts each individual block separately.
Stream cipher - encrypts data as a stream of bits or bytes rather than dividing it into blocks. More efficient when the size of the data is unknown or sent in a continuous stream like video or audio.

Common Symmetric Algorithms
Advanced Encryption Standard (AES) - strong symmetric block cipher that encrypts data in 128, 192, 256 blocks.
3DES - Triple DES is a symmetric block cipher designed as an improvement over Data Encryption Standard (DES). Encrypts data in three separate passes and 64 bit blocks. Uses key sizes of 56, 112, or 168 bits.
Blowfish - encrypts data in 64 bit blocks and supports key sizes between 32 and 448 bits.
Twofish - encrypts data in 128 bit blocks and supports 128, 192, or 256 bit keys

Asymmetric Encryption
Uses two keys in a matched pair to encrypt and decrypt data (public/private key)
Private keys are always kept private and never shared
Public keys are freely shared by embedding them in a shared certificate

Key Exchange
Cryptographic method used to share cryptographic keys between two entities

Rayburn Box
Lockbox that allows people to securely transfer items over long distances
Two keys.
One can lock the box but not unlock and another can unlock but not lock the box
Either used to send secrets in confidential manner or send messages with authentication

Certificates
Serial Number
Issuer
Validity dates
Subject
Public Key
Usage

Ephemeral Keys
Short lifetime and is recreated for each session
Uses a private ephemeral and public key that discards after a single session
Perfect forward secrecy - important characteristic that ephemeral keys comply with in asymmetric encryption. Given the same input, the algorithm will create a different public key.

Elliptic Curve Cryptography uses mathematical equations to formulate an elliptical curve. It then graphs points on the curve to create keys. ECC keys can be much smaller compared to non-ECC keys. Commonly associated with low powered devices

Quantum Computing
Quantum cryptography - uses quantum mechanical properties to perform cryptographic tasks
Any attempt to read the data changes it
If data is changed it corrupts the Quantum Key Distribution and corrupts the connection
Post Quantum Cryptography - cryptographic algorithms that are likely to be resistant to attacks using a quantum computer

Homomorphic Encryption
Allows data to remain encrypted while being processed

Key length
Any individual algorithm is strengthened by increasing the length of the key
💡 Three common encryption modes of operation used with encryption are authenticated, counter, and unauthenticated. Authenticated provides both confidentiality and authenticity. Counter mode allows block ciphers to function as stream ciphers. Unauthenticated provides confidentiality but not authenticity.

Steganography
Hides data inside other data
If other people know what to look for they will be able to retrieve the message
Used with audio, image, and video files

Audio Steganography
Takes advantage of the limitations of the human ear.
Can be used to determine what commercials and shows users are watching

Image Steganography
Can be done by hiding data in the whitespace of an image without altering the size of the file

Video Steganography
Similar to image steganography but only used to modify the image portion because it can warp the audio portion of the video.

Protecting Email
Digital Signature Algorithm (DSA) provides:
Authentication - identifies the sender
Non-repudiation - sender cannot deny sending the message
Integrity - ensures that the message has not been modified

Encrypting Email
Asymmetric Encryption - sender retrieves the recipient’s public key and encrypts the email with it. It is sent and the receiver decrypts the email with their private key.
Encrypting with Asymmetric and Symmetric - A symmetric key is used to encrypt along with the recipient’s public key. Only the recipient’s private key can decrypt the message.

S/MIME
Secure/Multipurpose Internet Mail Extensions used to digitally sign and encrypt emails.
Port 995 for Post Office Protocol 3 (POP3) over TLS
Port 587 for Simple Mail Transfer Protocol (SMTP) over TLS
Port 993 for Internet Message Access Protocol (IMAP) over TLS

HTTPS Transport Encryption
TLS provides certificate based authentication and encrypts data with a combination of both symmetric and asymmetric encryption during a session. Requires certificates issued by certificate authorities.
TLS uses asymmetric encryption to securely share the symmetric key
TLS uses symmetric encryption to encrypt the session data

Downgrade attacks on weak implementations
Downgrade attack - type of attack that forces a system to downgrade its security

Blockchain
Public record keeping technology. Block refers to pieces of digital information. Chain refers to a public database.
Each block has three parts:
Information about a transaction (date, time, amount)
Information on the parties involved (digital signature)
Unique hash

Identifying Limitations
Resource vs Security Constraints - encrypting all data usually adds 40% more resources
Speed and Time - refers to how long an algorithm takes to compute the result. When salting and hashing passwords, a slower algorithm is desirable
Size and Computational Overhead - relates to the amount of memory space the algorithm needs to execute.
Entropy - refers to the randomness of a cryptographic algorithm. A higher level of randomness results in a higher level of security
Predictability - knowing what will likely happen based on repeating the same events. Given the same input, a pseudo random number generator will produce the same output.
Weak keys - short or small key
Longevity - how long you can expect to use an algorithm. Doubling the key size increases the longevity of the algorithm
Reuse - When using symmetric encryption, the same keys shouldn’t be reused
Plaintext attack - Only possible if the attacker has some known plaintext data and the ciphertext created from this plaintext

Common use cases
Supporting integrity - hashing protocols are used to support integrity. They can verify that data has been changed by an unauthorized entity.
Supporting confidentiality - encryption protocols are used to provide confidentiality. Prevents unauthorized users from accessing data
Supporting non-repudiation - digital signatures are used to support non-repudiation
Supporting high resiliency - the security of an encryption key even if an attacker discovers part of the key
Supporting obfuscation - steganography is used to support obfuscation. Hiding data in plain sight like in a message, image, audio, or video file.
Supporting low power devices
Supporting low latency

Exploring PKI Components
Public Key Infrastructure - group of technologies used to request, create, manage, store, distribute, and revoke digital certificates.
Asymmetric encryption depends on the use of certificates for protecting emails and internet traffic.
Allows two people or entities to communicate securely without knowing each other previously. (Ex. someone connecting to Amazon securely when they haven't before)

Certificate Authority
Issues, manages, validates, and revokes certificates

Certificate Trust Models
CAs are trusted by placing a copy of their root certificate into a trusted root CA store.
Root certificate is the first certificate created by the CA that identifies it
A large trust model:
The root CA issues certificates to intermediate CAs
Intermediate CAs issue certificates to child CAs
Child CAs issue certificates to devices or end users
Certificate chaining - combines all the certificates from the root CA down to the certificate issued to the end user.

Registration Authority and CSRs
Users and systems request certificates from a CA using a registration process, like submitting a website form or sending a formatted file to the CA.
Certificate signing requests (CSR) - include the purpose of the certificate, info about the website, and the public key.
An RSA-based private key is used to create the public key. The public key is sent in the CSR, and the CA embeds the public key in the certificate

Online vs Offline CAs
Submitting CSRs online is more susceptible to attacks.
Large orgs keep the root CA offline to reduce the risk of compromise.
If the root CA is compromised, the entire cert path is compromised

Updating and Revoking Certificates
Common configuration changes related to certificates are updating and revoking them
Key compromise
CA compromise
Change of affiliation
Superseded
Cessation of operation
Certificate hold

Certificate Revocation List
CRL includes a list of revoked certs and is publicly available

Validating a certificate
Expired - if the certificate is expired, the computer system gives the user an error that the certificate is not valid
Certificate not trusted - checks to see if the cert was issued by a trusted CA
Certificate revoked - clients validate certificates through the CA to ensure they haven't been revoked
Client initiates a session requiring a cert, such as an HTTPS session
Server responds with a copy of the cert that includes the public key
Client queries the CA for a copy of the CRL
CA responds with a copy of the CRL
Online Certificate Status Protocol (OCSP) - allows the client to query the CA with the serial number of the certificate. The CA responds with "good, revoked, or unknown." A response of unknown could indicate the certificate is a forgery.
OCSP stapling solves the problem of generating too much traffic for the CA.

Public Key Pinning
Security mechanism designed to prevent attackers from impersonating a website using fraudulent certificates
On a website server, the server responds to client HTTPS requests with an extra header. When the client connects again, the hash is compared to the one from the first time it connected and validated.

Key Escrow
Process of placing a copy of a private key in a safe environment
Useful for recovery if the original is lost

Comparing Certificate Types
Machine/Computer - used to identify the computer within a domain
User - can be used for encryption, authentication, smart cards, etc.
Email - used for email encryption and digital signatures
Code signing - used to validate the authentication of executable apps or scripts.
Verifies that code has not been modified.
Self-signed - private CAs within an enterprise often create self-signed certificates. Self-signed certificates from private CAs eliminate the cost of purchasing certificates from public CAs
Root
Wildcard - starts with a * and can be used for multiple domains if each domain name has the same root domain. (accounts.google.com, support.google.com)
Subject alternative name - used for multiple domains that have different names but are owned by the same org. (*.google.com, *.android.com, *.cloud.google.com)
Domain validation - indicates that the certificate requestor has some control over a DNS domain.
Extended validation - uses additional steps beyond domain validation

Comparing Certificate Formats
Canonical Encoding Rules (CER) - ASCII format
Distinguished Encoding Rules (DER) - binary format
Privacy Enhanced Mail (PEM) - the name implies that PEM-based certificates are used for email only, but this is misleading. Can be formatted as CER or DER, and can also be used to share public keys within a certificate, request certs from CAs, install a private key on a server, publish a CRL, or share the full cert chain.
P7B - CER based and commonly used to share public keys with proof of identity
P12 - DER based and commonly used to hold certificates with the private key
Personal Information Exchange (PFX) - predecessor to the P12. Used on Windows to import and export certs

Chapter 11
Security Policies

Personnel Policies
Acceptable Use Policy - the purpose of computer systems and networks, how users can access them, and the responsibilities of users when they access the systems
Mandatory Vacations - help detect when employees are involved in malicious activity, such as fraud or embezzlement, which is discovered while the employee is away.
Separation of duties - principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process.
Helps prevent fraud
Least Privilege - specifies that individuals and processes are granted only the privileges needed to perform assigned tasks or functions
Job rotation - concept that has employees rotate through different jobs to learn the processes and procedures in each job. Helps prevent a single person from controlling too much.
Clean desk space - directs users to keep their areas organized and free of papers. Reduces threats of security incidents by ensuring the protection of sensitive data.
Background check - investigates employees' histories to discover anything about them that might make them less than ideal for any given job
Onboarding - process of granting individuals access to an organization's computing resources after being hired
Offboarding - removing an employee's access when they leave the company
Nondisclosure agreement (NDA) - used between two entities to ensure that proprietary data is not disclosed to unauthorized entities
Social Media Analysis - monitoring employee activity on social media networks.

Third party risk management
Supply chain and vendors - includes all the elements required to produce and sell products and services. In some cases the supply chain becomes an attack vector
End of life (EOL) - date when a product will no longer be offered for sale

Third party agreements
Service level agreement (SLA) - an agreement between a company and vendor that stipulates performance expectations, such as min and max uptime/downtime levels.
Memorandum of understanding (MOU) - expresses an understanding between two or more parties indicating their intention to work together toward a common goal
Business partners agreement (BPA) - written agreement that details the relationship between business partners

Terms of agreement
Refers to the period that an agreement shall be in effect

Measurement systems analysis
MSA evaluates the processes and tools used to make measurements.
The system should produce the same values when measuring the same sample

Incident Response Plan
Provides more detail than incident response policies.
Provides orgs with a formal, coordinated plan that personnel can use when responding to an incident.
Definitions of incident types - helps employees identify the difference between an event and an incident. (Attacks from botnets, malware delivered via email, data breaches, and ransom demands)
Incident response team - composed of employees with expertise in different areas. Referred to as a computer incident response team (CIRT) or a security incident response team. Combined, they have the knowledge and skills to respond to an incident.
Roles and responsibilities

Communication Plan
Provides direction on how to communicate issues related to an incident
First responders - initial responders
Internal communication - incident response team should know when to inform senior personnel of an incident
Reporting requirements - security incident needs to be reported to external entities such as law enforcement when data is breached
External communication - who can talk to external entities like the media
Law enforcement - bringing in law enforcement increases the chance that the incident may get increased public scrutiny
Customer communication - laws dictate when an org must inform customers of a data breach

Data Breach Responses
If intellectual property (IP) such as trade secrets and software algorithms is stolen, the org will suffer direct losses
If personal information about customers is accessed, attackers can impersonate them and steal their identity

Stakeholder Management
Any entity with an interest or concern in an org.
(Owners, stock owners, employees, creditors, suppliers and more)

Incident Response Process
Preparation - occurs before an incident and provides guidance to personnel on how to respond to an incident
Identification - when a potential incident is reported, personnel take the time to verify it's an actual incident.
Containment - security personnel attempt to isolate or contain it. This protects critical systems while maintaining business operations
Eradication - remove components from the attack.
Recovery - admins return all affected systems to normal operation and verify they are operating normally
Lessons learned - security personnel perform a review

Understanding SOAR
Security Orchestration, Automation, and Response (SOAR) tools respond to low-level security events automatically
Combination of tools that can work together to detect and respond to suspicious activity

Playbooks
Document formal procedures to follow for well-known incidents
Although some playbooks can trigger automated actions, they typically document the steps to take in response to the action and let the runbook automate the response

Runbook
Implements the guidelines documented in the playbooks using the available tools within the org

Understanding Digital Forensics
Helps an org collect and analyze data as evidence it can use to prosecute a crime

Admissibility of documentation and evidence
Essential to follow specific procedures to ensure that the evidence is admissible in a court of law
Supports non-repudiation.
Includes proof that individuals were involved in an incident, preventing them from believably denying they were involved

Chain of Custody
Process that provides assurances that evidence has been controlled and appropriately handled after collection
Provides a record of every person who was in possession of a physical asset collected as evidence

Legal Hold
Refers to a court order to maintain different types of data as evidence
This data may include emails, databases, logs, backup tapes, data stored on servers in file shares and document libraries, and data stored on desktop computers, laptops, tablets, and smartphones owned by the company.

Video
Video surveillance methods such as CCTV systems

Interviews
Witnesses provide firsthand reports of what happened and when it happened

Event Logs
Help investigators re-create events leading up to and during an incident
Logs record what happened during an event, when it happened, and what account was used during the event

Sequence of Events
Timeline of the event
By identifying the first failure in the incident, it becomes easier to make recommendations to prevent such a failure in the future

Reports
Document findings that include tactics, techniques, and procedures (TTP) used in the attack
Executive summary listing the findings and recommendations
Forensic tools used
List of evidence collected and analyzed
Findings derived from analyzing each piece of the evidence
Recommendations based on findings

On premises vs Cloud Concerns
The cloud provider becomes a third party risk since you don't know exactly where the data is being stored
Right to audit clauses - allow a customer to hire an auditor and review the cloud provider's records
Regulatory Jurisdiction - cloud provider must comply with laws relevant to the state they're storing data in.
Data Breach Notification Laws - require orgs to notify customers about a data breach and take steps to mitigate loss

Acquisition and Preservation
Order of volatility - refers to the order in which you should collect evidence. Start with the most volatile (least permanent) and move to the least volatile
Cache
RAM - data in RAM is used by the operating system and applications
Swap or pagefile - rebuilds when rebooting
Disk
Attached
Network
Data Acquisition - by following the order of volatility, you prevent destroying the data before you collect it
Web history
Recycle bin
Windows error reporting - gives insight into what programs were running when a system crashed
Remote desktop protocol (RDP) cache - can provide useful info if an attacker moves laterally through a network or when an attacker is connecting to a system from an internet server

Forensic Tools
Capturing data - a forensic image of captured data will collect the data without modifying it at all. After it is captured, experts create a copy and analyze the copy
Data duplicator (dd) - one of the oldest disk imaging tools used for forensics
memdump - can dump any addressable memory space to the terminal or redirect the output to a dump file
WinHex - Windows-based hexadecimal editor used for evidence gathering, data analysis, editing, recovery of data, and data removal
FTK imager - captures an image of a disk as a single file or multiple files and saves the image in various formats
Autopsy - allows users to add command line utilities from The Sleuth Kit (TSK)
Verifying Integrity - hashes and checksums are important elements of forensic analysis to provide proof that collected data has retained integrity.
Provenance - refers to tracing something back to its origin.
In a forensic context, hashing and checksums allow you to prove the analyzed copy of data is the same as the original data
Bandwidth Monitors - by comparing captures taken at different times, investigators can determine changes in network traffic

Electronic Discovery
Identification and collection of electronically stored information (voice mail, social media entries, and website data)
Metadata is data about data instead of the data itself
File metadata - includes items like when the file was created, who created it, when it was modified, and when it was last accessed
Email metadata - includes header, sender, recipient, and when it was sent
Web metadata - header, title, character set, meta tags
Mobile metadata - user's location, who they called, who called them, messages, website history, and more

Data Recovery
Restoring lost data
Though files can be marked for deletion and emptied from the recycle bin, forensic experts can use tools to undelete the files as well as unformat drives

Strategic Intelligence and Counterintelligence
Strategic Intelligence - refers to collecting, processing, and analyzing information to create long term plans and goals.
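Added example (not part of the original notes): the Verifying Integrity and Chain of Custody points from the digital forensics section, carried through in Python. The image is hashed while it is acquired, and every custody handoff re-hashes the evidence so the first mismatch can be located. The disk contents, evidence ID and examiner names are constructed for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def sha256_stream(stream):
    """Hash a binary stream chunk by chunk and return the hex digest."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source into image, hashing the bytes as they are read from the source."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        digest.update(chunk)
        image.write(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Chain-of-custody record that re-hashes the evidence at every handoff."""
    def __init__(self, evidence_id, acquisition_hash):
        self.evidence_id = evidence_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def record(self, holder, action, evidence_stream):
        """Log who holds the evidence and whether it still matches the original."""
        current = sha256_stream(evidence_stream)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "holder": holder,
            "action": action,
            "sha256": current,
            "intact": current == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry["intact"]

    def first_break(self):
        """Return (index, holder) of the first handoff where the hash changed."""
        for index, entry in enumerate(self.entries):
            if not entry["intact"]:
                return index, entry["holder"]
        return None


# Constructed stand-in for a seized disk; slightly over 1 MiB to span two chunks.
CONSTRUCTED_DISK = b"MBR" + bytes(range(256)) * 4096


def demo():
    image = io.BytesIO()
    acquisition_hash = acquire(io.BytesIO(CONSTRUCTED_DISK), image)
    working_copy = image.getvalue()
    log = CustodyLog("EXAMPLE-001", acquisition_hash)
    ok_first = log.record("examiner A", "made working copy", io.BytesIO(working_copy))
    altered = working_copy[:100] + b"\x00" + working_copy[101:]  # one changed byte
    ok_second = log.record("examiner B", "opened in hex editor", io.BytesIO(altered))
    return acquisition_hash, ok_first, ok_second, log.first_break()


if __name__ == "__main__":
    print(demo())
```

The mismatch shows that the copy changed and at which handoff, not what changed it, which matches the point about hashes made in Chapter 1.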
Protecting Data

Classifying Data Types
Government Data
Top secret
Secret
Confidential
Identifiers that private companies may use:
Public Data
Private Data
Confidential Data
Proprietary Data - data owned by an individual, group, or organization
Financial Information
Employee Data
Customer Data

PII and Health Information
Full name
Birthday and birthplace
Medical and health info
Street or email address info
Personal characteristics
Identification number

Impact Assessment
Helps orgs understand the value of data by considering the impact if it is lost or released to the public
Not all data needs the same protection; it needs to be protected according to its classification and value

Data Governance
Refers to the processes an organization uses to manage, process, and protect data
Health Insurance Portability and Accountability Act (HIPAA) - any info related to the health of an individual
Gramm Leach Bliley Act (GLBA) - requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how it is used
Sarbanes Oxley Act (SOX) - requires that executives within an org take individual responsibility for the accuracy of financial reports
General Data Protection Regulation (GDPR) - EU directive that mandates the protection of privacy data for individuals. Applies to any org that collects and maintains this data

Privacy Enhancing Technologies
Data minimization - principle requiring orgs to limit the info they collect and use
Data Masking - permanently modifying data to hide the original content (substitution)
Anonymization - permanently modifies data to protect the privacy of individuals by removing all the PII within a data set while maintaining other data within the data set
Pseudo-anonymization - replaces PII and other data with pseudonyms or artificial identifiers. Anonymization is used when the intent is to anonymize data permanently.
Tokenization - replaces sensitive data elements with a token. The token is a substitute value used in place of the sensitive data

Data Retention Policies
Identify how long data is retained, and sometimes where it is stored

Data Sanitization
Ensures that data is removed or destroyed from any devices before disposing of the devices
Common methods used to destroy data and sanitize media:
File shredding
Wiping
Erasing and overwriting
Paper shredding
Burning
Pulping - reduces shredded paper to mash or puree
Pulverizing
Degaussing - passing a disk through an electronic magnet, rendering the data on tape unreadable
Third party solutions

Training users
Computer based training (CBT) - refers to any training where an individual interacts with an application on a computer
Phishing Campaigns - attackers tricking users into clicking a malicious link
Phishing Simulations - send out fake phishing emails to employees to see if anyone will click on them
Gamification - intertwines game design elements within user training methods to increase participation and interaction
Capture the flag (CTF) - when players solve a challenge, they receive a digital flag that they present as proof that they solved the challenge
Role-based awareness training - targeted to personnel based on their roles
Data owners - responsible for ensuring adequate security controls are in place to protect the data
Data controller - determines why and how personal data should be processed
Data processor - uses and manipulates the data on behalf of the data controller
Data custodian - responsible for routine daily tasks like backing up data
Data protection officer - ensures the org is complying with all relevant laws
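Added example (not part of the original notes): the Privacy Enhancing Technologies entries from this chapter (data masking, anonymization, pseudo-anonymization, tokenization) applied to one record, so the difference in what each leaves behind is visible. The record, field names, key and the choice of HMAC-SHA256 for deriving pseudonyms are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PII_FIELDS = ("name", "email", "card_number")  # constructed schema for this example


def mask_card(card_number):
    """Data masking: substitute every digit except the last four."""
    digits = [c for c in card_number if c.isdigit()]
    if len(digits) <= 4:  # too short to reveal anything safely
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def anonymize(record):
    """Anonymization: drop all PII fields and keep the remaining data."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


def pseudonymize(record, key):
    """Pseudo-anonymization: swap each PII value for a keyed artificial identifier.

    Assumption of this example: pseudonyms are derived with HMAC-SHA256, so the
    same value always maps to the same pseudonym and records stay joinable.
    """
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            message = f"{field}:{out[field]}".encode()
            tag = hmac.new(key, message, hashlib.sha256).hexdigest()[:16]
            out[field] = f"{field}_{tag}"
    return out


class TokenVault:
    """Tokenization: random tokens whose mapping exists only inside the vault."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        if value not in self._token_by_value:
            token = "tok_" + secrets.token_hex(8)
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def detokenize(self, token):
        return self._value_by_token[token]


# Constructed sample record; the card number is a well-known test value.
CUSTOMER = {
    "name": "Alex Example",
    "email": "alex@example.com",
    "card_number": "4111 1111 1111 1111",
    "country": "US",
    "purchase_total": 42.50,
}

if __name__ == "__main__":
    vault = TokenVault()
    print(mask_card(CUSTOMER["card_number"]))
    print(anonymize(CUSTOMER))
    print(pseudonymize(CUSTOMER, key=b"constructed-demo-key"))
    print(vault.tokenize(CUSTOMER["card_number"]))
```

Only the token can be turned back into the original value, and only by whoever holds the vault; the masked and anonymized outputs cannot be reversed at all.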