Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
646 Cards in this Set
- Front
- Back
|
• An OSI layer 2 device• Hardware bridging ASICs (very fast!)• Forwards traffic based on MAC address • The core of an enterprise network• High bandwidth - Many simultaneous packets
|
Switch
|
|
|
An OSI layer 3 device• Routes traffic between IP subnets• Routers inside of switches are sometimescalled “layer 3 switches”• Layer 2 = Switch, Layer 3 = Router• Often connects diverse network types -LAN, WAN, copper, fiber
|
Router
|
|
|
• OSI layer 4 (TCP/UDP), some firewalls filter through OSI layer 7• Filters traffic by port number• Can encrypt traffic into/out of the networkand between sites• Can proxy traffic - A common security technique• Most firewalls can be layer 3 devices (routers)
|
Firewall
|
|
|
• Captures network packets• Decodes each part of the communication• Sees all of the network conversation
|
Protocol analyzer
|
|
|
• Stop unsolicited email at the gateway• Whitelist• Only receive email from trusted senders• SMTP standards checking• Block anything that doesn’t follow RFC standards• rDNS - Reverse DNS• Block email where the sender’s domain doesn’t match the IP address• Tarpitting• Intentionally slow down the server conversation• Recipient filtering• Block all email not addressed to a validrecipient email address
|
Spam Filters
|
|
|
• Applies rules to HTTP conversations• Allow or deny based on expected input• Protects against exploits like SQL injections and buffer overflows• Focus of Payment Card Industry Data Security Standard (PCI DSS)
|
Web Application Firewall
|
|
|
A security appliance that combined multiple security controls into a single solution. UTM appliances can inspect data streams for malicious content and often include URL filtering, malware inspection, and content inspection components. |
UTM-Unified Threat Management |
|
|
A line bridging device used with T1 and similar lines. It Typically connects with a DSU as a CSU/DSU. |
CSU-Channel Service Unit |
|
|
An interface used to connect equipment to a T1and si,ilair lines. It typically connects with a CSU as a CSU/DSU. |
DSU- Data Service Unit |
|
|
• Unified Threat Management (UTM) /Web security gateway• URL filter / Content inspection, malware inspection, spam filter, CSU/DSU, router, switch, firewall, IDS/IPS, bandwidth shaper, VPN endpoint
|
All-in-one security appliance
|
|
|
• Network-based Firewalls• Control traffic flows based on the application• Microsoft SQL Server, Twitter, YouTube• Intrusion Prevention Systems• Identify the application• Apply application-specific vulnerability signaturesto the traffic• Host-based firewalls• Work with the OS to determine the application
|
Application-aware Security Devices
|
|
|
• Allow or disallow traffic based on security tuples• Source IP, Destination IP, port number,time of day, application, etc.• Evaluated top-to-bottom• There’s an implicit deny at the bottom
|
Configuring firewall rules
|
|
|
• Logically separate your switch ports into subnets• Cannot communicate to each other without a router• Group users together by function
|
VLANs- Virtual Local Area Network
|
|
|
• Always change the default login / password• Protect configuration file transfers• TFTP - in the clear• SCP - encrypted• HTTPS - encrypted
|
Secure router configuration
|
|
|
• IEEE 802.1X• Port-based Network Access Control (PNAC)• Makes extensive use of EAP and RADIUS• Extensible Authentication Protocol• Remote Authentication Dial In User Service• Disable your unused ports• Enable duplicate MAC address checking / spoofing
|
Switch port security
|
|
|
Provides central authentication for remote access clients. Uses symmetric encryption to encrypt the password packets and it uses UDP in contrast. |
RADIUS-Remote Authentication Dial In User Service
|
|
|
An authentication framework that provides general guidance for authentication methods. |
EAP- Extensible Authentication Protocol
|
|
|
• Permissions associated with an object• Used in file systems, network devices,operating systems, and more
|
Access Control Lists (ACLs)
|
|
|
• Commonly seen on intrusion prevention systems• DoS / DDoS• Denial of Service• SYN floods• Overload a server• Ping floods / ping scans• Overwhelm the network• Identify what’s out there• Port floods / port scans• Identify open ports on a device
|
Flood Guards
|
|
|
• IEEE standard 802.1D• Prevents loops in bridged (switched) networks• Built into the switch configuration options
|
Spanning Tree Protocol (STP
|
|
|
Separate switches, separate routers, no overlap• Used in sensitive environments• Logical separation• Virtualization of the network infrastructure
|
Network Separation
|
|
|
Good for post-event analysis• Can provide useful real-time analysis• Automation and consolidation is the key
|
Log Analysis
|
|
|
An important requirement• We are increasingly mobile• Take advantage of encryption technologies• Keep everything private• Consider adding additional authentication technologies (One-time passwords)• Constantly audit your access logs |
Remote Access
|
|
|
• One of the newest digital technologies• And one of the most difficult to secure• Firewalls generally don’t like VoIP technologies• You’ll need protocol-specific application gateways• Don’t forget your legacy telephony!• Long distance still costs money
|
Telephony
|
|
|
• A complex technology• But powerful when well engineered• Very useful in large open environments• Universities and large enterprises• Requires a large security infrastructure• Authentication is critical• Redundancy is required
|
Network Access Control
|
|
|
• A complex technology• But powerful when well engineered• Very useful in large open environments• Universities and large enterprises• Requires a large security infrastructure• Authentication is critical• Redundancy is required
|
Network Access Control
|
|
|
• Huge cost savings• Security has to catch up to the speed of change• The control of physical objects is gone• Also difficult to apply external security components• Requires additional insight• Harder to view intra-server communication• Take advantage of your logs• They’ll tell you much more than you can see
|
Virtualization
|
|
|
• No servers, no software, no maintenance team• No hardware of any kind• Someone else handles the platform, you handle the product• You don’t have direct control of the data, people, or infrastructure•
|
Platform as a Service (PaaS
|
|
|
• On-demand software, no local installation• Used for common business functions such as payroll services • Data and applications are centrally managed•
|
Software as a service (SaaS)
|
|
|
• Sometimes called Hardware as a Service (HaaS)• Equipment is outsourced• You are still responsible for the overall device and application management• You’re also responsible for the security• Your data is out there, but more within your control•
|
Infrastructure as a service (IaaS)
|
|
|
Cloud Deployment Models• Private - A virtualized data center• Public - Available to everyone over the Internet• Hybrid - A mix of public and private• Community - Several organizations share the same resources
|
Cloud Deployment Models
|
|
|
A ______ could be hardware or software to implement and enforce a policy
|
control |
|
|
Passwords and encryptions those are ____ controls.
|
technical
|
|
|
Controls that govern the operation within the business environment and this could be in the form of procedures, standards, and best practices.
|
Operational
|
|
|
• A report that isn’t true - a false alarm or mistaken identity• IDS/IPS information - only as good as the signatures• Workstation anti-virus - False positives can remove legit files• Consider a second opinion - http://www.VirusTotal.com
|
False Postitives
|
|
|
• A report missed identifying something - no notification• Malicious traffic got through your defenses• It’s difficult to know when this happens - It’s completely silent• Get catch/miss rates with industry tests - IPS, anti-virus
|
False Negatives
|
|
|
The password _____ indicates how many passwords a system remembers and how many different passwords must be used before a password can be used. |
history |
|
|
Password ____ identifies the minimum number of characters. |
length |
|
|
Password ____ ____ identifies when users must change passwords. |
maximum age |
|
|
Password _____ _____ identifies the length of time that must pass before users can change a password again. |
minimum age |
|
|
• Mean time to repair
|
• Mean time to restore (MTTR)
|
|
|
The expected lifetime of a product or system
|
• Mean time to failure (MTTF)
|
|
|
Predict the time between failures
|
Mean time between failures (MTBF)
|
|
|
• Get up and running quickly• Get back to a particular service level
|
• Recovery time objectives (RTO)
|
|
|
• How much data loss is acceptable?• Bring the system back online; how far back does data go?
|
• Recovery point objectives (RPO
|
|
|
• Control of data• Data in the cloud can potentially be accessed by anyone• Security is managed elsewhere• Your control mechanisms are in the hands of others• Server unavailability / Account lockout• Cloud computing doesn’t guarantee availability
|
Risks with Cloud Computing
|
|
|
Compromising the virtualization layer puts all systems at risk• There is little control over VM to VM communication• Support for “virtual firewalls” is an emerging technology• Single physical host contains VMs that have different security profiles• Physical separation is no longer possible• There is potential for loss of separation of duties• System admin controls many servers on a single piece of hardware
|
Risks associated with virtualization
|
|
|
Send management messages between devices
|
Internet Control Message Protocol (ICMP)
|
|
|
Authentication, intergrity, confidentiality, and encryption. |
Internet Protocol (Ipsec) |
|
|
udp/161, Gather statistics and manage network device.
|
Simple Network Management Protocol (SNMP)
|
|
|
Send management messages between device.
|
Internet Control Message Protocol(ICMP)
|
|
|
Remote console login to network devices;tcp23
|
Telecommunication Network(Telnet)
|
|
|
Encrypted console login; tcp/22
|
Secure Shell(SSH)
|
|
|
Sends and receives files between systems in the clear;tcp/20, tcp/21
|
File Transfer Protocol(FTP)
|
|
|
Relatively simple file copy over SSH;tcp/22
|
Secure Copy(SCP)
|
|
|
SSH file transfer with file management; tcp/22
|
Secure File Transfer Protocol(SFTP)
|
|
|
Convert domain names to IP addresses; udp/53, tcp/53
|
Domain Name Services(DNS)
|
|
|
tcp/443; Hypertext Transfer Protocol Secure
|
Hypertext Transfer Protocol Secure
|
|
|
tcp/443;Web server communication with encryption.
|
Hypertext Transfer Protocol Secure(HTTPS)
|
|
|
tcp/443;Secure protocols for web browsing
|
Transport Layer Security and Secure Sockets Layer(TLS/SSL)
|
|
|
Connect to a shared storage device across the network• File-level access
|
Network Attached Storage (NAS)
|
|
|
• Looks and feels like a local storage device• Block-level access
|
Storage Area Network (SAN)
|
|
|
Run Fiber Channel on Ethernet, not routable
|
Fibre Channel over Ethernet (FCoE)
|
|
|
Encapsulate Fibre Channel frames into IP
|
Fibre Channel over IP (FCIP)
|
|
|
Send SCSI commands over an IP network
|
iSCSI - Internet Small Computer Systems Interface
|
|
|
Register, remove, and find services by name; udp/137
|
NetBIOS name service
|
|
|
Connectionless data transfer; udp/138
|
NetBIOS datagram service
|
|
|
Connection-oriented data transfer;tcp/139
|
NetBIOS session service
|
|
|
A connection-oriented protocol; A reliable protocol. |
TCP Transmission Control Protocol. |
|
|
no idea whether that traffic made it to the other side or not;unreliable protocol; no reordering of packets. There’s no re transmissions;
|
User Datagram Protocol (UDP)
|
|
|
A non-ephemeral port number____ ____ change.
|
does not |
|
|
An ephemeral port is a _____port. |
temporary
|
|
|
tcp/25; Transfer email between mail servers
|
Simple Mail Transfer Protocol(SMTP)
|
|
|
udp/69;A very simple file transfer protocl
|
Trivial File Transfer Protocol (TFTP)
|
|
|
tcp/80;Web server communication
|
Hypertext Transfer Protocol(HTTP)
|
|
|
tcp/110; Receive mail into a mail client.
|
Post Office Protocol version 3(POP3)
|
|
|
A newer mail client protocol;tcp/143
|
Internet Message Access Protocol v4(IMAP4 )
|
|
|
tcp/443;Web server communication with encryption
|
Hypertext Transfer Protocol Secure(HTTPS)
|
|
|
tcp/990, tcp/989; Adds security to FTP with TLS/SSL
|
File Transfer Protocol over Secure Sockets Layer(FTPS)
|
|
|
Graphical display of remote device; tcp/3389
|
Remote Desktop Protocol (RDP)
|
|
|
Layer 1; Signaling,cabling,connectors,(cables,NICs,hubs)
|
Physical
|
|
|
Layer2 ; The switching layer(frames,MAC addresses,EUI+48,EUI+64,switches)
|
Data Link
|
|
|
Layer3; The routing layer (IP addresses,routers,packets)
|
Network
|
|
|
Layer4;The post office layer (TCP segments,UDP datagrams)
|
Transport
|
|
|
Layer 5;Communications between devices (control protocols,tunneling protocols)
|
Session |
|
|
Layer 6;Encoding and encryption (SSL/TLS)
|
Presentation
|
|
|
Layer7; The layer we see Google Mail, Twitter, Facebook
|
Application |
|
|
• 64-bit or 128-bit key size• Cryptographic vulnerabilties found in 2001• Is no longer used, because it uses static keys.
|
Wired Equivalent privacy(WEP)
|
|
|
• Short-term workaround after WEP• Used RC4 cipher as a TKIP (Temporal Key Integrity Protocol)• TKIP has its own vulnerabilities
|
Wi-Fi protected access.(WPA)
|
|
|
• Replaced TKIP with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)• Replaced RC4 with AES (Advanced Encryption Standard)• WPA2 is the latest and most secure wireless encryption method
|
Wi-Fi protected access 2.(WPA2)
|
|
|
WPA2-Enterprise adds 802.1x• RADIUS server authentication
|
Wi-Fi protected access 2-Enterprise
|
|
|
• An authentication framework• WPA and WPA2 use five EAP types asauthentication mechanisms
|
EAP (Extensible Authentication Protocol)
|
|
|
• Cisco proprietary• Uses passwords only• No detailed certificate management• Based on MS-CHAP(including MS-CHAP security shortcomings)
|
LEAP (Lightweight Extensible Authentication Protocol)
|
|
|
• Created by Cisco, Microsoft, and RSA Security• Encapsulates EAP in a TLS tunnel• Only one certificate needed, on the server
|
PEAP (Protected Extensible Authentication Protocol)
|
|
|
• Access is controlled through the physical hardware address• It’s easy to find a working _ _ _addresses through wireless LAN analysis• _ _ _ addresses can be spoofed• Security through obscurity
|
MAC (Media Access Control) filtering
|
|
|
The name of the wireless network• i.e., LINKSYS, DEFAULT, NETGEAR• Change the _ _ _ _to something appropriate for its use• The _ _ _ _ broadcasts can be disabled• You can still determine the _ _ _ _ through wireless network analysis• Security through obscurity
|
SSID (Service Set Identifier) Management
|
|
|
Created when WEP was broken• We needed a stopgap to make 802.11 stronger• Mixed the keys - Combines the secret root key with the IV• Adds sequence counter - Prevents replay attacks• 64-bit Message Integrity Check - Protects against tampering• Used in WPA (Wi-Fi Protected Access) prior to the creation of WPA2
|
Temporal Key Integrity Protocol(TKIP)
|
|
|
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol• Replaced TKIP when WPA2 was published• A more advanced security protocol• Based on AES and uses a 128-bit key and a 128-bit block size• Requires additional computing resources• Data confidentiality - Only authorized parties can access the information• Authentication - Provides proof of genuineness of the user• Access control - Allow or disallow access to the network
|
Cypher Block Chaining Message Authentication Code Protocol(CCMP)
|
|
|
• Authentication to a network• Common on wireless networks• Access table recognizes a lack of authentication• Redirects your web access to a captive portal page• Username / password• And additional authentication factors• Once proper authentication is provided, the web session continues• Until the captive portal removes your access
|
Captive Portal
|
|
|
• One of the most common• Included on most access points• Signal is evenly distributed on all sides• Omni=all• Good choice for most environments• You need coverage in all directions• No ability to focus the signal• A different antenna will be required
|
Omnidirectional Antennas
|
|
|
• Focus the signal - Increased distances• Send and receive in a single direction• Focused transmission and listening• Antenna performance is measured in dB• Double power every 3dB of gain
|
Directional Antennas
|
|
|
Very directional and high gain
|
Yagi antenna
|
|
|
Focus the signal to a single point
|
Parabolic antenna
|
|
|
Sample the existing wireless spectrum• Identify existing access points• Work around existing frequencies - layout and plan for interference• Plan for ongoing site surveys - things will certainly change
|
Site Surveys
|
|
|
tcp/20, tcp/21
|
FTP
|
|
|
tcp/22
|
SSH,SCP, SFTP
|
|
|
tcp23
|
Telnet
|
|
|
tcp/25
|
SMTP
|
|
|
udp/53, tcp/53
|
DNS
|
|
|
udp/69
|
TFTP
|
|
|
tcp/80
|
HTTP
|
|
|
tcp/110
|
POP3
|
|
|
udp/137
|
NetBIOSname service
|
|
|
udp/138
|
NetBIOSdatagram service
|
|
|
tcp/139
|
NetBIOS session service
|
|
|
tcp/143
|
IMAP4
|
|
|
udp/161
|
SNMP
|
|
|
tcp/443
|
HTTPS,TLS/SSL
|
|
|
tcp/990, tcp/989
|
FTPS
|
|
|
tcp/3389
|
RDP
|
|
|
Various
|
IPsec
|
|
|
Access control, audit and accountability, identification and authentication, system and communications protection.
|
Technical security controls
|
|
|
Security assessment and authorization, planning,risk assessment, system and services acquisition,program management.
|
Management security controls
|
|
|
Awareness and training, configuration management, contingency planning, incident response, maintenance, media protection, physical and environmental protection, personnel security, system and information integrity
|
Operational security controls
|
|
|
A set of policies that covers many areas of security• Human resource policies• Business policies• Certificate policies• Incident-response policies
|
Security policies
|
|
|
• Where are we vulnerable to threats?• OS, applications, 3rd-party connections, Internet• Constant vigilance• New threats discovered all the time• Old threats become popular again
|
Threat Assessment
|
|
|
• Annualized Rate of Occurrence (ARO)• How likely is it that a hurricane will hit?In Montana? In Florida?• SLE (Single Loss Expectancy)• What is the monetary loss if a single event occurs?• Laptop stolen = $1,000• ALE (Annual Loss Expectancy)• ARO x SLE• 7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000• The business impact can be more than monetary• Quantitative vs. qualitative
|
Risk Calculation
|
|
|
• Identify significant risk factors• Ask opinions about the significance• Display visually with traffic light grid or similar method
|
Qualitative Risk Assessment
|
|
|
• Identify significant risk factors• Ask opinions about the significance• Display visually with traffic light grid or similar method
|
Qualitative Risk Assessment
|
|
|
• Where are we vulnerable to threats?• OS, applications, 3rd-party connections, Internet• Constant vigilance• New threats discovered all the time• Old threats become popular again
|
Threat Assessment
|
|
|
• Actively scan a network in search of vulnerabilities• Known vulnerabilities• Automated process• For unknown vulnerabilities, consider input validation/fuzzing• Can identify obvious and no-so-obvious vulnerabilities• Lack of application/OS patches• No anti-virus/anti-spyware• Weak passwords
|
Vulnerability Assessment
|
|
|
• A flaw or weakness• A door with a broken lock• An operating system library that grants administrative access• This doesn’t mean your system has been breached• Someone first has to know about the vulnerability• Some vulnerabilities were there, but previously unknown• This is why we patch• New vulnerabilities are identified all the time
|
Vulnerabilities
|
|
|
• The path that the threat takes to the target• Target: Your computer, mobile device, gaming system• Email: Embedded links, attached files• Web browser: Fake site, session hijack• Wireless hotspot: Rogue access point• Telephone: Social engineering• USB flash drive: Auto-executing malware• And many more...
|
Threat Vectors
|
|
|
• Identify actual and potential threats• Regardless of the probability• Identify as many vulnerabilities as possible• Check your OS, your services, and your applications• Nobody said this would be easy• Now you can calculate the likelihood of a successful exploit• There’s no official formula here• Different organizations will have different priorities
|
Threat Probability
|
|
|
Stop participating in high-risk activity
|
Risk-avoidance
|
|
|
Buy some insurance
|
Risk transference
|
|
|
A business decision; we’ll take the risk!
|
Risk acceptance
|
|
|
Decrease the risk level
|
Risk mitigation
|
|
|
Big dogs, security fences, warning signs
|
Risk deterrence
|
|
|
• Bring a new partner into the organization• This is more particular than hiring new staff• Many agreements will be in place• Legalities associated with business and security matters• Implement technical functions• Secure connections between partners• Usually as an IPsec tunnel or physical segmentation• Establish an authentication method• Provide access to shared resources• Audit all security controls• Properly share (and separate) data
|
On-boarding
|
|
|
• This process should be pre-planned• You don’t want to decide how to do things at this point• How will the systems be dissolved?• What happens to the data?• When will the final connections be terminated?
|
Off-boarding
|
|
|
• Data is everything• The most important asset in an organization• Without the data, there’s no company• The owner of the data has a responsibility• Protection, privacy• Technical / Logical controls• Physical controls• Who owns the data if the third-party agreement ends?• This should be determined prior to that circumstance• Who owns the data?• There’s more than one participant• Is there more than one owner?• What part of the data is owned by which partner?• Data ownership agreements can avoid some of the messy details• Where is the data stored?• Who owns the data when • the relationship is over?• How is data destroyed?
|
Data Ownership
|
|
|
• Management of data• Social media data includes privacy concerns• Some of the data is extremely valuable• Your social media reputation• Someone else is tweeting for you• The tone is as important as the message• Account control is important• Social media accounts are shared by a large group• A mistake on one phone can be seen by many
|
Social Media and Third-Party Concerns
|
|
|
• Memorandum of Understanding• Informal letter of intent;not a signed contract• Usually includes statements of confidentiality• Service Level Agreement (SLA)• Minimum terms for services provided• Uptime, response time agreement, etc.• Business Partners Agreement (BPA)• Commonly seen between manufacturers and resellers• Interconnection Security Agreement (ISA)• Used by US Federal Government to define security controls
|
Interoperability Agreements
|
|
|
Privacy of the individual• Both personal and professional• Legally mandated privacy laws in many European countries• An employer can’t track your personal computer use• Customer data often contains a aspect of privacy• Even benign data can be combined to violate privacy• Third-party agreements must consider privacy• The rules should be in place from the beginning
|
Privacy Considerations
|
|
|
Combine two systems• Hopefully get a seamless technical integration• Security must be designed into the project• Usually designed by teams from both organizations• Everyone must be aware of the risks• Security policies must be examined for additional risks• Resources, business requirements, and risk must be balanced• Agreements must be in place• For example: Who does backups?Who gets access to the backups? How are the backups
|
Risk Awareness with Third-Parties
|
|
|
Data shared between partners• Network connections may exist• Proper controls may not be in place• Data shared with others• Agreements are usually in place with the data owners• Data is sometimes shared with others without permission
|
Third-party Data Sharing
|
|
|
Backups are often overlooked• They contain everything• Data backups are often kept off-site• Yet-another third-party• Losing data from a backup is a very bad thing• Seems to happen more often than you might think• Not all backups are the same• Financial data, health care data, top secret data, etc.
|
Data Backups with Third-Parties
|
|
|
The security policy is the weakest link• A badly implemented security policy puts data at risk• Protect information between vendors, partners, and customers• Avoid data modification, disclosure, damage, or destruction• Most of this language is contractual• Everybody understands their responsibilities• Security policies are constantly updated• The threat landscape is constantly changing
|
Security Policy Considerations with Third-parties
|
|
|
• Third-party relationships add to the need for security compliance• Shared resources require additional oversight• Compliance can be technically challenging• Cloud-based services add additional complexity• Some compliance requirements are legally mandated• HIPAA - Health Insurance Portability and Accountability Act• PCI DSS - Payment Card Industry Data Security Standard• FISMA - Federal Information Security Management Act• Perform a gap analysis• Determine all gaps in security• Resolve the issues• Some issues can’t be easily resolved• A decision must be made regarding cost vs. benefit• Perform periodic audits• These audits may be involved and far-reaching• More coordination required with the third-party
|
Third-Party Security Compliance
|
|
|
Upgrade software, change firewall configuration, modify switch ports• Occurs very frequently• The change management process is often overlooked or ignored• Clear policies are needed• Frequency, duration, installation process, fallback procedures
|
Change Management
|
|
|
Series of events that negatively affects the organization• Database hack, stolen laptop, water pipe burst• Who will be contacted when an incident occurs?• Who’s responsible for managing the incident response?• Technical steps for handling systems and preserving evidence• What goes on the report?
|
Incident Management
|
|
|
• Series of events that negatively affects the organization• Database hack, stolen laptop, water pipe burst• Who will be contacted when an incident occurs?• Who’s responsible for managing the incident response?• Technical steps for handling systems and preserving evidence• What goes on the report?
|
Incident Management
|
|
|
• Management sets the limits• Security team administers the limits• You must translate management requirements into technical access• Periodic audits are useful
|
User Rights and Permissions
|
|
|
Does everyone have the correct permissions?• How are your resources used?• Are your systems and applications secure?• Are your disaster recovery plans going to work?• Can you contact the right people at the right time?• Document everything
|
Auditing
|
|
|
• Involves process and procedure• Some of the most difficult data policies to implement• It’s very easy to carry large amounts of data around• There are both internal and external threats• You have to protect everywhere• This is a bigger threat every day
|
Preventing data loss or theft
|
|
|
On your computer
|
Data Loss Prevention Systems:
Data in use |
|
|
On your network
|
Data Loss Prevention Systems
Data in motion |
|
|
On your server
|
Data Loss Prevention Systems
Data at rest |
|
|
Copy the contents of a disk• Bit-for-bit, byte-for-byte• Get every morsel of information• Software imaging tools• Use a bootable device• Remove the physical drive• Use a hardware write-blocker• Get the backup tapes• Some of this work may have been done for you
|
Capturing System Images
|
|
|
• Traffic logs• Firewalls log a lot of information• Switches and routers don’t usually log user-level information• Intrusion Detection/Prevention Systems• Raw network traffic data• Rebuild images, email messages, browser sessions, file transfers
|
Network traffic and logs
|
|
|
• A moving record of the event• Gathers information external to the computer and network• Captures the status of the screen and other volatile information• Don’t forget security cameras• The video content must also be archived
|
Capture video
|
|
|
Number of 100-nanosecond intervals since January 1, 1601 00:00:00 GMT
|
Windows: 64-bit time stamp
|
|
|
• Number of seconds since January 1, 1970 00:00:00 GMT• This stops working on Tuesday, January 19, 2038 at 3:14:07 GMT
|
Unix: 32-bit time stamp
|
|
|
Time is stored in local time
|
FAT ( File allocation table)
|
|
|
Time is stored in GMT
|
NTFS(New Technology File System)
|
|
|
128 bits, displayed as hexadecimal
|
MD5 (Message Digest 5)
|
|
|
32 bits, displayed as hexadecimal
|
CRC (Cyclical Redundancy Check)
|
|
|
Create an _____ hash for an image, file, or groups of file , and data can be verified at any time
|
MD5
|
|
|
Capture the state of the screen• Difficult to reproduce, even with a disk image• External capture• Use digital camera• Internal capture• PrintScreen key• Third-party utility
|
Screenshots
|
|
|
• Who might have seen this?• Interview and document• Not all witness statements are 100% accurate• Humans are fallible
|
Witnesses
|
|
|
Some incidents can use massive resources• May have an impact on the bottom line• May be required for restitution• Be as accurate as possible
|
Tracking man hours and expense
|
|
|
• Controlling and managing the evidence to maintain integrity• Document everyone who contacts the evidence• Use hashes with digital evidence• Label and catalog everything• Seal, sign, and store
|
Chain of custody
|
|
|
• Large amounts of data, stored without structure• Incidents can create an enormous amount of data• Diverse log formats and data types• Collecting the data is only the first part• You must also be able to view it• Query the data• A structured language that applies to large scale data• Visualization tools can display the data in unique ways• Graphs• Statistical analysis• Tag clouds
|
Big Data Analysis
|
|
|
Laptops, removable media, forensic software, digital cameras• Incident analysis resources
|
Incident handling hardware and software
|
|
|
Documentation, network diagrams,baselines, critical file hash values
|
Incident analysis resources
|
|
|
Clean OS and application images
|
Incident mitigation software
|
|
|
Everyone knows what to do
|
Policies needed for incident handling
|
|
|
Periodic analysis, prioritization of risk, disposition of risk
|
Risk assessments
|
|
|
Harden the operating system, patches, and ongoing monitoring.
|
Host security
|
|
|
Firewalls, VPNs, intrusion prevention systems
|
Network security
|
|
|
Hosts, email and file servers, application clients
|
Malware prevention
|
|
|
Keep your users updated with the latest security techniques
|
User awareness and training
|
|
|
Vulnerability scanner in use
|
Incident Precursors• Web server log
|
|
|
Monthly Microsoft patch release, Adobe Flash update
|
Incident PrecursorsExploit announcement
|
|
|
A hacking group doesn’t like you
|
Incident PrecursorsDirect threats
|
|
|
An attack is underway or an exploit is successful
|
Incident Indicators
|
|
|
Buffer overflow attempt
|
Incident Indicators-Identified by an intrusion detection/prevention system
|
|
|
Deletes from OS an notifies administrator
|
Incident Indicators -Anti-virus software identifies malware
|
|
|
Constantly monitors system files
|
Incident Indicators-Host-based monitor detects a configuration change
|
|
|
Requires constant monitoring
|
Incident Indicators-Network traffic flows deviate from the norm
|
|
|
CIO / Head of Information Security / Internal Response Teams
|
Incident Notification - Corporate / Organization
|
|
|
Human resources, public affairs, legal department
|
Incident Notification- Internal non-IT
|
|
|
System owner, law enforcement• US-CERT (for U.S. Government agencies
|
Incident Notification- External contacts
|
|
|
Notification is ongoing during an event• Status updates, wide-scale notifications• Consider in-band and out-of-band methods• Email, Web (intranet, external, etc.), Telephone calls, In-person updates, Voice mail recordings, Paper flyers, notices
|
Event Notification
|
|
|
prevent the destruction
|
Potential damage and thef
|
|
|
gather as many details as possible
|
Preserve the evidence
|
|
|
The organization must continue
|
Maintain service availability
|
|
|
Every task requires resources
|
Implementation resources and time
|
|
|
amount of containment
|
Effectiveness
|
|
|
Let’s get this over quickly
|
Duration of the mitigation
|
|
|
• Generally a bad idea to let things run their course• An incident can spread quickly
|
Isolation and Containment
|
|
|
The attacker thinks they’re on a real system, but they’re not
|
Sandboxes
|
|
|
• What happened, exactly?• Timestamp of the events• How did your incident plans work?• Did the process operate successfully?• What would you do differently next time?• Retrospective views provide context• Which indicators would you watch next time?• Different precursors may give you better alerts
|
Lessons Learned from Incidents
|
|
|
A lot of information is created during an incident• Information should be objective and factual
|
Incident Reporting
|
|
|
a pencil and paper is remarkable technology
|
Logbook
|
|
|
- a snapshot or movie of a device
|
Digital camera
|
|
|
easier to say it and transcribe later
|
Audio recorder
|
|
|
capture terminal sessions and digital evidence
|
Laptop
|
|
|
Incident status• Summary information• Relationship between incidents• Actions taken by all parties• Chain of custody information• Contact information• Comments from incident handlers• Next steps to be taken
|
Tracking Issues
|
|
|
A phased approach - it’s difficult to fix everything at once• Recovery may take months• Large-scale incidents require a large amount work• The plan should be efficient• Start with quick, high-value security changes• Patches, firewall policy changes• Later phases involve much “heavier lifting”• Infrastructure changes, large-scale security rollouts
|
Reconstitution
|
|
|
• Very specific tasks for the first person on the scene• Objective is to contain the damage• Don’t disturb the environment• Get the right people in place before poking around• Follow the escalation policy
|
First Responders
|
|
|
• Try to determine the attacker• Useful for law enforcement and to stop future breaches• Security must be analyzed and secured• Change passwords, update firewalls • Even across systems that may not appear to be breached• Notify all affected people - customers, partners, employees• Personally Identifiable Information (PII) may require additional notifications
|
Handling a Data Breach
|
|
|
• Prevent the spread of damage• Needs to be part of the incident response policy• Virus infection may be handled differently than a DoS attack• Device removal - pull a device from the network• Disconnect the Internet• Every case is a bit different• What’s attacked or damaged?• Can you gather additional details if you leave it in place
|
Damage and Loss Control
|
|
|
• All of your policy information is on the Intranet• Provide in-person mandatory training sessions• Train people on general security best practices• Define a company policy for visitors GUI configuration
|
Security policy training and procedures
|
|
|
Part of your privacy policy• Not everyone realizes the importance of this data• It should become a normal part of security management
|
Personally identifiable information (PII)
|
|
|
no restrictions on viewing the data
|
Unclassified (public)
|
|
|
restricted
|
Classified (private / restricted / internal use only)
|
|
|
viewing is severely restricted
|
Secret (medium)
|
|
|
highly sensitive, must be approved to view
|
Confidential (low)
|
|
|
Data is usually saved for a very long time• Document and label everything• Some backups must be legally preserved• Trash and recycling can be a security concern
|
Data labeling, handling and disposal
|
|
|
• Non-compliance has serious repercussions
|
Compliance, best practices and standards
|
|
|
The Public Company AccountingReform and Investor Protection Act of 2002
|
Sarbanes-Oxley Act (SOX)
|
|
|
Extensive standards for storage, use, and transmission of health care information
|
The Health Insurance Portability and Accountability Act (HIPAA)
|
|
|
Disclosure of privacy information from financial institutions
|
The Gramm-Leach-Bliley Act of 1999 (GLBA)
|
|
|
• Promote good password behaviors• Document data handling processes• Define clean desk policies• Personally owned devices can be a challenge• Tailgating can allow unauthorized people to enter the building
|
User habits
|
|
|
New viruses - thousands every week• Phishing attacks• Spyware• Learns personal info, captures keystrokes & browsing information
|
Threat Awareness
|
|
|
• You become a file server• All of your content can be exposed• Social networks provide false sense of trust |
Social networking and P2P
|
|
|
• Formative assessment• Constant monitoring, target areas that need work• Summative assessment• High-stakes, final exam, certification exam
|
Gathering Training Metrics
|
|
|
• Thermodynamics, fluid mechanics, and heat transfer• Not something you can properly design yourself• Must be integrated into the fire system• Data Center should be separate from the rest of the building• Overheating is a huge issue• Engineer for closed-loop recirculating and positive pressurization• Recycle internal air and air is pushed out
|
HVAC (Heating, Ventilating, and Air Conditioning)
|
|
|
Electronics require unique responses to fire• Water is generally a bad thing• Identify with smoke detector, flame detector, heat detector• Suppress with water / dry pipe, wet pipe, preaction• Suppress with chemicals• Halon is no longer manufactured• Use Dupont FM-200 / American Pacific Halotron
|
Fire Suppression
|
|
|
• Computers produce large amounts of EMI• Metal shielding inside of a computer case can minimize EMI• Appears as noise on video and analog audio
|
Electromagnetic Interference Shielding
|
|
|
• Optimize your cooling infrastructure• Constantly monitor and log the environment• Many servers include internal temperature sensors• Portable or emergency cooling may be valuable
|
Environmental Monitoring
|
|
|
Lock and key, deadbolt, electronic, token-based, biometric, multi-factor smart card
|
Hardware locks
|
|
|
Multiple doors that only unlock one at a time
|
Mantraps
|
|
|
closed-circuit television
|
Video surveillance
|
|
|
a perimeter
|
Fencing
|
|
|
deter crime and provide camera lighting
|
Proper lighting
|
|
|
- specific instructions, fire exits, warning signs
|
Signs
|
|
|
access lists, physical protection
|
Guards
|
|
|
channel people through a particular access point
|
Barricades
|
|
|
physically secured cabling
|
Protected Distribution System (PDS) -
|
|
|
circuit-based, motion detection
|
Alarms
|
|
|
Controls implemented using systems
|
Technical
|
|
|
Controls that determine how people act
|
Administrative
|
|
|
Discourages an intrusion attempt
|
Deterrent
|
|
|
Physically control access
|
Preventive
|
|
|
Identifies and records any intrusion attempt
|
Detective
|
|
|
Restores using other means
|
Compensating
|
|
|
• What are your critical business functions?• Is there loss of revenue, legal requirements, or customer service?• How long will you be impacted?• What’s the impact to the bottom line?
|
Business Impact Analysis
|
|
|
• Make a list of critical systems - this is an involved process• List business processes - Accounting systems, manufacturing application, VoIP call center, etc.• Associate tangible and intangible assets and resourceswith the business processes
|
Critical Systems
|
|
|
• A single event can ruin your day• Network redundancy with multiple devices• Backup power, multiple cooling devices• Plan for additional people and other locations• There’s no practical way to remove all points of failure
|
Removing Single Points of Failure
|
|
|
buildings, furniture, equipment, data,paper documents
|
Tangible assets
|
|
|
Ideas, commercial reputation, brand
|
Intangible assets
|
|
|
• Assign a dollar value to risk• Single Loss Expectancy (SLE) - How much loss for one event?• Annual Loss Expectancy - SLE x Annual Rate of Occurrence (ARO)
|
Quantitative Risk Assessment
|
|
|
• Identify significant risk factors• Ask opinions about the significance• Display visually with traffic light grid or similar method
|
Qualitative Risk Assessment
|
|
|
• Business processes are interrelated• HR drives payroll, IT provides payroll system, accounting provides the money• Almost everything business-related relies on IT• Involve the entire company• It can be difficult to document the company operations
|
Continuity of operations
|
|
|
• Plan for both small disasters and large disasters• Can be managed through a 3rd-party• Take advantage of geographically diverse areas• Many variables, the unknown can bite you
|
Disaster Recovery
|
|
|
Develop the contingency planning policy statement
|
Seven-step contingency planning process
(Step1) |
|
|
Conduct the business impact analysis
|
Seven-step contingency planning process(Step 2)
|
|
|
Identify preventive controls
|
Seven-step contingency planning process(Step 3)
|
|
|
Create contingency strategies
|
Seven-step contingency planning process(Step 4)
|
|
|
Develop an information system contingency plan
|
Seven-step contingency planning process(Step 5)
|
|
|
Ensure plan testing, training, and exercises
|
Seven-step contingency planning process(Step 6)
|
|
|
Ensure plan maintenance
|
Seven-step contingency planning process(Step 7)
|
|
|
• Manage the leadership of the company• A gap can cause a vacuum or financial impact• Management can leave the company, retire, die• Often a deputy who can assume the role• Travel restrictions may apply
|
Succession Planning
|
|
|
• Performing a full-scale disaster drill can be costly• Many of the logistics can be determined through analysis• You don’t physically have to go through a disaster or drill• Get key players together for a tabletop exercise• Talk through a simulated disaster
|
Tabletop Exercises
|
|
|
• Maintain uptime - the organization continues to function• No hardware failure - servers keep running• No software failure - services always available• No system failure - network performing optimally
|
Redundancy and Fault Tolerance
|
|
|
• Redundancy doesn’t always mean always available• HA (high availability) - always on, always available• May include many different components working together• Watch for single points of failure
|
High Availability
|
|
|
in the box, turned off
|
Cold spare
|
|
|
may be racked and powered, but not connected• Software and configurations may occasionally be updated
|
Warm spare
|
|
|
powered on, always updated
|
Hot spare
|
|
|
no hardware, no data, no people
|
Cold site |
|
|
hardware is waiting, you bring the data
|
Warm site
|
|
|
an exact replica, stocked with hardware and software• Flip a switch and everything moves
|
Hot site
|
|
|
Striping without parity; high peromance, no fault tolerence |
RAID 0 |
|
|
Mirrioring; duplicates data for fault tolernce, but requires twice the disk space. |
RAID1 |
|
|
striping wit parity; Fault tolerant only requires an additional disk for redundancy. |
Raid 5 |
|
|
Multiple RAID types; Combine RAID methods to increase redundancy. |
RAID 0+1, RAID1+0, RAID, 5 +1, etc.
|
|
|
Certain information should only be known to certain people• Encryption - Encode messages so only certain people can read it• Access controls - Selectively restrict access to a resource
|
Confidentiality |
|
|
• Conceal information within another piece of information• Commonly associated with hiding information in an image
|
Steganography
|
|
|
Data is stored and transferred as intended• Any modification to the data would be identified
|
Integrity
|
|
|
Map data of an arbitrary length to data of a fixed length
|
Hashing
|
|
|
Verify the integrity of data
|
Digital signatures
|
|
|
Combine with a digital signature to verify an individua
|
Certificates
|
|
|
Provides proof of integrity
|
Non-repudiation
|
|
|
Information is accessible to authorized users
|
Availability
|
|
|
Redundancy
|
Build services that will always be available
|
|
|
System will continue to run with failures
|
Fault tolerance
|
|
|
Stability, close security holes
|
Patching
|
|
|
Keep out the unwanted
|
Fencing
|
|
|
Protect assets, especially at night
|
Lighting
|
|
|
Closed-circuit television - video camera monitoring
|
CCTV
|
|
|
Best way out of an area
|
Escape plans and routes
|
|
|
Test and adjust
|
Drills
|
|
|
Test against physical and digital security
|
Testing controls
|
|
|
• Can gather information• Can capture your keystrokes• Often controlled over the ‘net• Can show you advertising• May install an OS backdoor
|
Malware
|
|
|
• Malware that can reproduce itself• It doesn’t need you to click anything• It needs you to execute a program• Reproduces through file systems or the network• Just running a program can spread a virus• Some viruses are invisible, some are annoying• Anti-virus software is very common• There are thousands of new viruses every week
|
Virus
|
|
|
Installs into the drive boot area
|
Boot sector viruses
|
|
|
Part of a legitimate application
|
Program viruses
|
|
|
Operating system and browser-based
|
Script viruses
|
|
|
Common in Microsoft Office
|
Macro viruses
|
|
|
Infects and spreads in multiple ways
|
Multipartite viruses
|
|
|
Malware that self-replicates without human intervention• Uses the network as a transmission medium• Can infect many PCs very quickly• Firewalls and IDS/IPS can mitigate many worm infestations
|
Worms
|
|
|
• Your computer shows you advertisements• May cause performance issues• May be included with other software installations• Be careful of software that claims to remove adware
|
Adware
|
|
|
• Malware that spies on you• Advertising, identity theft, affiliate fraud• Can trick you into installing• Monitors your browser activity• Logs your keystrokes• Send this information back to a central server
|
Spyware
|
|
|
• Software that pretends to be something else• Replicating isn’t the primary requirement• Circumvents your existing security because you ran it yourself• Anti-virus may catch it when it runs• The better _____are built to avoid and disable AV• Once it’s inside it has free reign• May then open the gates for other programs
|
Trojan Horse
|
|
|
• Why go through normal authentication methods? Just walk in the back door• Often placed on your computer through malware• Some malware software can take advantageof ____ created by other malware• Bad software can have a_____ as part of the app
|
Backdoors
|
|
|
• Modifies core system files• May be part of the kernel• Designed to be invisible to the operating system• You won’t see it in Task Manager• Also invisible to traditional anti-virus utilities
|
Rootkits
|
|
|
Waits for a predefined event;Difficult to identify• Difficult to recover if it goes off;
|
Logic Bomb
|
|
|
Based on time or date
|
Time bomb
|
|
|
• Robot networks• Once your machine is infected, it becomes a bot• You usually do not know that you’re a bot• May be installed as part of a malware• Waits around until receiving commands from the mothership
|
Botnets
|
|
|
• The bad guys want your money• They’ll take your data in the meantime• May be a “fake”_____• Locks your computer “by the police”• The ransom may be avoided• A security professional can remove these kinds of malware
|
Ransomware
|
|
|
• Changes itself to avoid signature detection• Every download is different• The attack code doesn’t change• Just everything around it• Encrypt the malware executable• Use a different key pair every time• Create signatures that look for a specific payload• One signature can stop many variants• Use heuristic detection systems• Be ready to use some additional resources
|
Polymorphic Malware
|
|
|
Virus writers don’t want their work to be discovered• Makes the anti-virus software look elsewhere• If found, make it difficult to deconstruct• Security researchers disassemble the virus code• The virus is usually obfuscated with unnecessary and nonsense code• The virus writer’s goal is to make it as painful as possible to identify and block• The longer the research, the more widespread the infection
|
Armored Virus
|
|
|
Redirects your traffic, then passes it on to the destination• You never know your traffic was redirected•_ _ _ has no security, relies on security in the switch
|
ARP Poisoning, Spoofing, and Man-in-the-Middle
|
|
|
Force a service to fail• Overload the service• Take advantage of a design failure or vulnerability• Cause a system to be unavailable• Can be used to create a smokescreen for some other exploit• May be a precursor to a DNS spoofing attack• Not usually a very complicated attack• Turning off your power is an uncommon but effective DoS
|
Denial of service
|
|
|
• Useful information is transmitted over the network• Network Tap is used to access to the raw network data• ARP poisoning can redirect traffic• Malware on the victim computer gathers information• Data is replayed to appear as someone else
|
Replay Attack
|
|
|
When ______ a password a session ID is only in use for the duration of that session.
|
Salting |
|
|
• Pretend to be something you aren’t• Fake web server, fake DNS server, etc.• Email address spoofing• The sending address of an email isn’t really the sender• Man-in-the-middle attacks• The person in the middle of the conversation pretends to be both endpoints• Caller ID spoofing• The incoming call information is completely fake
|
Spoofing
|
|
|
Modify the DNS server• Modify the client host file• Send a fake response to a valid DNS request
|
DNS Poisoning
|
|
|
• Redirection to a bogus site• Combines farming with phishing• Everything appears legitimate to the user
|
Pharming
|
|
|
Harvest large groups of people
|
Farming
|
|
|
Collect access credentials
|
Phishing
|
|
|
Unsolicited email, traditionally for advertising• Can also be used to spread trojans/botnets
|
Spam
|
|
|
Spam over IM• Links in IM can be malicious
|
Spim
|
|
|
Spam over internet telephony• VoIP providers have made this difficult to practically implement
|
Spit
|
|
|
to only allow known senders
|
White list
|
|
|
to remove the bad senders
|
Black list
|
|
|
can filter based on certain words/phrases
|
Bayesian filtering
|
|
|
check email before it arrives
|
Cloud-based spam services
|
|
|
• Send a carefully crafted packet to a host• URG, PUSH, and FIN are set - 00101001• Lit up “like a Christmas tree”• May slow down the remote device (DoS)• Easy to see this attack with an IPS• Most modern devices will drop these packets
|
Xmas Tree Attack
|
|
|
• Gain higher-level access to a system• Exploit a vulnerability, might be a bug or design flaw• Higher-level access means more capabilities• This commonly is the highest-level access• These are high-priority vulnerability patches• You want to get these holes closed very quickly• Any user can be an administrator• Horizontal privilege escalation• User A can access user B resources
|
Privilege Escalation |
|
|
• Patch quickly - Fix the vulnerability• Updated anti-virus/anti-malware software• Data Execution Prevention• Address space randomization• Prevent a buffer overrun at a known memory address
|
Mitigating privilege escalation |
|
|
• We give people a lot of access• This is why we have the concept of least privilege• You have more access than others by entering the building• Lock away your documents• Harms your organization’s reputation• Can cause a critical system distruption• May include loss of confidential or proprietary information |
Insider Threats |
|
|
• Servers are more secure than ever• Attack the client - Bad programming makes it easier• Browsers, media players, office applications, email clients• A single insecurity can reveal all information• Keep operating system and applications updated• A single vulnerability can own a computer |
Client-side attacks
|
|
|
Guess the password, calculate the hash |
Brute force |
|
|
Use common words as passwords |
Dictionary attack |
|
|
Combine brute force and dictionary attacks |
Hybrid attack |
|
|
The same hash value for two plain texts |
Birthday attack |
|
|
An optimized, pre-built set of hashes |
Rainbow tables |
|
|
Typosquatting / brandjacking• Take advantage of poor spelling• Outright misspelling• professormesser.com vs. professermesser.com• A typing error• professormeser.com• A different phrase• professormessers.com• Different top-level domain• professormesser.org
|
URL Hijacking
|
|
|
Determine which website the victim group uses• Educated guess - Local coffee shop, industry-related sites• Infect one of these third-party sites• Site vulnerability, email attachments• Infect all visitors, even if you’re just looking for specific victims
|
Watering Hole Attack
|
|
|
• You have access to important information, and people want it• This is surprisingly easy• Airports / flights, coffee shops• Surf from afar with binoculars / telescopes• Webcam monitoring
|
Shoulder Surfing
|
|
|
• Control your output• Be aware of your surroundings• Use privacy filters
|
Preventing Shoulder Surfing
|
|
|
• Important information can be thrown out with the trash• Easily gather details that can be used for a different attack• Secure your garbage with a fence and lock• Shred/destroy important documents
|
Dumpster Diving
|
|
|
Using someone else to gain access to a building• Blend in with clothing• Once inside, there’s little to stop you• Most security stops at the border
|
Tailgating
|
|
|
Pretend to be someone you aren’t• Use some of those details you got from the dumpster• You can trust me, I’m with your help desk
|
Impersonation
|
|
|
• Never volunteer information• Don’t disclose personal details• Always verify before revealing info
|
Protecting against Impersonation
|
|
|
• A threat that doesn’t actually exist, but SEEMS real• Still often consume lots of resources• Forwarded emailst, printed memorandums, wasted time• Often an email or social network post• A _____ about a virus can waste as much time as a regular virus
|
Computer Hoaxes
|
|
|
• It’s difficult to identify _____ with traditional security devices• Passes through the firewall and IPS• Difficult to train• Consider using practical exercises
|
Stopping the Whale Hunts
|
|
|
• Constantly changing• You never know what they’ll use next• May involve multiple people• And multiple organizations• There are ties connecting many organizations• May be in person or electronic• Phone calls from aggressive “customers”• Emailed funeral notifications of a friend or associate
|
Effective Social Engineering
|
|
|
• A significant potential backdoor• Very easy to plug in a wireless AP• Schedule a periodic wireless survey• Consider using 802.1X (Network Access Control)
|
Rogue Access Points
|
|
|
• Buy a wireless access point• Configure it exactly the same way as an existing network• Same SSID and security settings• May not require the same physical location• Use HTTPS and a VPN to help mitigate
|
Evil Twins
|
|
|
• Radio waves can be disrupted• Intentional jamming or disruption of wireless signalsis illegal in the United States (and elsewhere)• Degrades or completely denies service• May be used in conjunction with a wireless “evil twin
|
Wireless Interference
|
|
|
• Combine WiFi monitoring and a GPS• Gather a huge amount of intel in a short period of time• All of this is free with tools like Kismet, inSSIDer• You can also use Warflying, warbiking
|
Wardriving
|
|
|
• Historical footnote to 802.11 wireless networking• Created in June 2002,publicized by Matt Jones• If you find a node, let someone else know• By the time this was a big problem,it wasn’t a problem anymore
|
Warchalking
|
|
|
Sending of unsolicited messages to another device via Bluetooth• Typical functional distance is about 10 meters• Bluejack with an address book object, instead of contact name a message is written• “You are Bluejacked! Add to contacts?”• Third-party software may also be used, Blooover, Bluesniff
|
Bluejacking
|
|
|
• A rare attack that takes advantage of a vulnerability• Access a Bluetooth-enabled device and transfer data• Exploited through security weakenesses• Must be fixed with a patch• If you know the file, you can download it without authentication
|
Bluesnarfing
|
|
|
No key management, everyone usually has the same key• The WEP IV is 24-bits long - relatively small• 16,777,216 possible RC4 cypher streams for a given WEP key• IV values eventually are reused• Some “weak” IVs don’t properly provide for goodencryption, and makes it easy to discover the key• The bad guys will inject frames to intentionally duplicateIVs and make key identification easier
|
WEP IV
|
|
|
• Most information over the network is “in the clear”• Relatively difficult to capture data over wired networks• Wireless networks are incredibly easy to monitor• Some network drivers won’t capture wireless information• Free capture software - http://www.wireshark.org
|
Wireless Packet Analysis
|
|
|
• Use WPA2 encryption on your wireless access point• Use encryption for authentication• Use end-to-end VPN• Use encrypted proxy services and virtual tunnel networks |
Protecting against packet analysis
|
|
|
• Two-way wireless communication• Payment systems, i.e., Google wallet and MasterCard• Bootstrap for other wireless - _ _ _helps with Bluetooth pairing• Access token, identity “card” - Short range with encryption
|
Near Field Communication (NFC)
|
|
|
• Remote capture - It’s a wireless network• Frequency jamming - Denial of service• Relay attack - Man in the middle• Loss of RFC device control - Stolen/lost phone
|
NFC Security Concerns
|
|
|
• WPA-Personal / WPA-PSK• WPA with a pre-shared key• Everyone uses the same 256-bit key• The only way in is a brute force / dictionary attack• Some cloud-based services already have the hashes• Use a complex set of letters and numbers / Avoid words• WPA-Enterprise / WPA-802.1X• Authenticates users individually with an authentication server• No practical attacks
|
WPA Attacks
|
|
|
PIN is an eight-digit number• Really seven digits and a checksum• Seven digits, 10,000,000 possible combinations• The WPS process validates each half of the PIN• First half, 4 digits. Second half, 3 digits.• First half, 10,000 possibilities. Second half, 1,000 possibilities• It takes about four hours to go through all of them• Most devices never considered a lockout function
|
WPS Attacks
|
|
|
• Web site allows scripts to run in user input /search box• Bad guy may email a link• Email link runs a script that sendscredentials/session IDs/cookies to the bad guy• Script embedded in URL executes in the victim’sbrowser, as if it came from the server• Bad guys use credentials/session IDs/cookiesto steal victim’s information without their knowledge
|
Non-persistent (reflected) XSS attack
|
|
|
• Bad guy posts a message to a social network thatincludes a malicious payload (it’s now “persistent”)• Everyone gets the payload• No specific target• For social networking, this can spread quickly• Everyone who views the message can have it posted totheir page, where someone else can view it and
|
Persistent (stored) XSS attack
|
|
|
• Be careful when clicking untrusted links• Consider disabling JavaScript, or control with an extension• Keep your browser and applications updated• Keep your web server applications updated
|
Protecting Against XSS
|
|
|
• Adding information into a data stream• Applications should be developed to properlyhandle input and output• Used with many different data types
|
Code Injection
|
|
|
Extensible Markup Language
|
XML
|
|
|
XML injection modifies XML requests• A good application will validate all input• LDAP - Lightweight Directory Access Protocol• LDAP injection modifies LDAP requests to manipulate
|
XML Injection and LDAP Injection
|
|
|
• The most common relational database managementsystem language• SQL Injection modifies SQL requests in the browser• The application should be written to prevent this
|
SQL (Structured Query Language) Injection
|
|
|
A misconfigured server allows inappropriate access• Command injection can be dangerous when this happens• Run unauthorized commands from your browser• Combine with directory traversal for really scary results
|
Directory Traversal
|
|
|
• Overwriting a buffer of memory• Spills over into other memory areas• Developers need to perform bounds checking• The bad guys spend a lot of time looking for openings• A really useful buffer overflow is repeatable
|
Buffer Overflows
|
|
|
Usually has a fixed boundary• Vulnerable software may allow an integer to go out of bounds• This integer may allocate a memory location for a buffer• The buffer will now be too small, and overflow may occur
|
Integer Overflow
|
|
|
• Many applications have undiscovered vulnerabilities• Someone is working hard to find the next big vulnerability• A ___ ___ vulnerability has not been detected or published• Zero-day exploits are increasingly common• Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/
|
Zero-day Attacks
|
|
|
______ contain browser information stored on your computer• Used for tracking, personalization, session management• Not executable, not generally a security risk• Could be considered be a privacy risk• Session IDs are often stored in the ______ • Used with _____ to masquerade as another person
|
Browser Cookies and Session IDs
|
|
|
• Also called Flash Cookies• Used by Adobe Flash Player to store data• Information is saved on the user’s computer• On by default• Applies to all browsers• Data is stored in a common directory• Can only be read by the domain that created the LSO• www.example.com can only be read by www.example.com• Unless specifically passed to another domain
|
Locally Shared Objects
|
|
|
• Attachments may be files sent via email• All attachments should be considered a security risk• Add-ons extend your browser functionality• Add-ons tend to be more trusted
|
Malicious Add-ons and Attachments
|
|
|
The attacker runs whatever they want• An attacker takes over a process• The original executable is vulnerable to this attack• No elevated rights needed for many attacks• Infect with malware or adware• Remote code execution• Attack a machine from a remote device• Extremely dangerous vulnerability
|
Arbitrary and Remote Code Execution
|
|
|
• Huge source of detailed network information• Routers, switches, firewalls, IDS/IPS, anti-virus scanners,applications, authentications, etc.• Contain data on servers, applications, security
|
Monitoring System Logs
|
|
|
Details of normal activity• Not remarkably useful in the moment, very useful after the fact• Huge storage requirements• Logs from everything - Servers, routers, switches, firewalls
|
Event Logs
|
|
|
• Changes must be controlled• Can recognize legitimate activity• Firewall policy change, file permission update• Can recognize unapproved activity, unapproved changes• Not as many logs as event log, but perhaps more important
|
Audit Logs
|
|
|
Many different instances of access• Files, VPN connection, partners, customers• Many different formats - Servers, application logs, etc.• Important to know who’s coming in and out, and who is failing• Automation can limit the attack vector• Very useful when rebuilding after an attack
|
Access Logs
|
|
|
• Focused on security-related events• Very specific events• Not necessarily useful to the rest of the organization• Many diverse devices• Firewall, VPN concentrator, IPS, content filter, authenticationserver, router, switch, email gateway, anti-virus manager, etc.• Often requires it’s own logging strategy
|
Security Logs
|
|
|
Increase the security of your operating system• Constant maintenance to patch vulnerabilities• One configuration error can inadvertently create an opening• Plan a regular preventive maintenance cycle
|
Operating System Hardening
|
|
|
• This is a good best-practice• Requires additional maintenance and constant vigilance• Plan on periodic reviews using the switch management console
|
Physical Port Security
|
|
|
• Find devices that should not be on the network and remove them• Visual audit - Check ports and switches for incursion• Network mapping - Automated functions for finding devices• Wireless audits - Walk around and find rogue access points• Network Access Control (NAC)• Require authentication before gaining access to the network
|
Rogue Machine Detection
|
|
|
• Initial ______Configuration• Determine the minimum level of protection required• Continuous Security Monitoring• New threats are announced every day• Systems are constantly modified and updated• Remediation network• Access may be based on the missing security• Access allowed once the device is back to full security posture
|
Security Posture
|
|
|
• Every device contains information• Define metrics to monitor (throughput, authentications, etc.)• Define thresholds per metric - Up/down, Percentage, Exact value• Disposition - Email, SMS
|
Alarms and Alerts
|
|
|
• Identify details that would be otherwise invisible• Monitoring intervals and reporting timeframes• You’re collecting a LOT of data - age it out as you go• Focus on security metrics - Malware activity, patch failures,increase in bandwidth, etc.
|
Trends
|
|
|
_____ are identified every day• National ____ Database (http://nvd.nist.gov/)• Applications, operating systems, services• Scan a device to determine susceptibility to a known _____• Can be quite invasive• Scan general OS, web servers, application, database servers
|
Vulnerability Scanning
|
|
|
• Scanners aren’t perfect• Network-level challenges with firewalls• Device-level challenges with OS changes, patch updates, application versions
|
Interpreting Vulnerability Scans
|
|
|
• No interaction• Gather information external to the device• Packet capture
|
Passive tools
|
|
|
The device can see you looking• Vulnerability scanners, honeypots, port scanners,banner grabbing
|
Active tools
|
|
|
Capture and display network traffic, Packet by packet• Wireshark, a popular open-source option• Valuable vulnerability recon - Encrypt your traffic
|
Protocol Analyzer
|
|
|
Identify vulnerabilities in web servers, database servers, etc.•
|
Application scanners
|
|
|
Identify operating system vulnerabilities for Windows, Linux, Mac OS, etc
|
OS scanners
|
|
|
Attract the bad guys and trap them there• Makes for interesting recon• Single-use/single-system traps• • More than one ___on a network
|
Honeypots and Honeynets
|
|
|
Identify open ports on a system• Identify firewalls and packet filters• Identify operating systems and services• Based on simple packet requests and responses• Identify applications without authenticating
|
Port scanners
|
|
|
• Applications can be chatty• The banner is always there• Capture it with telnet or an automated tool
|
Banner Grabbing
|
|
|
Assign a dollar value to risk• Single Loss Expectancy (SLE)• How much loss for one event?• Annual Loss Expectancy• SLE x Annual Rate of Occurrence (ARO) |
Quantitative Risk Assessment
|
|
|
Identify significant risk factors• Ask opinions about the significance• Display visually with traffic light grid or similar method
|
Qualitative Risk Assessment
|
|
|
Actively scan a network in search of known vulnerabilities• Usually an automated process• For unknown vulnerabilities, consider input validation/fuzzing
|
Vulnerability Assessment
|
|
|
Baseline Reporting• Determine risk• Determine which metrics and resources to monitor• Changes might indicate security concern• The baseline is constantly changing
|
Assessment Techniques
|
|
|
• Audit your in-house applications• Examine the source code• Test for input validation, injection attacks, etc.
|
Code Review
|
|
|
Review the database engine, Web server, browser type• Consider confidentiality, integrity and availability• Not all servers provide the same security posture
|
Architecture Review
|
|
|
• Simulate an attack• Similar to vulnerability scanning, except we actually try to exploit the vulnerabilities |
Penetration Testing (Pentest)
|
|
|
Stay up-to-date• Reference the National Institute of Standards andTechnology National Vulnerability Database• http://nvd.nist.gov• Perform regular vulnerability scans
|
Verify a threat exists
|
|
|
Force your way in• People in the organization may bypass security controls
|
Bypass Security Controls
|
|
|
Attempt to circumvent the same controls as the bad guys• Test with different techniques• This should represent what the bad guys see
|
Actively Test Security Controls
|
|
|
• Try to break into the system• This might cause a denial of service or loss of data• Buffer overflows can cause instability• You may need to try many different vulnerability types• Password brute-force• Social engineering• Database injections• Buffer overflows• You’ll only be sure you’re vulnerable if you can successfully exploit a system• If you can get through, the bad guys can get throug
|
Exploiting Vulnerabilities
|
|
|
A “blind” test• The pentester knows nothing about the systems
|
Black box
|
|
|
Full disclosure - The pentester knows everything
|
White box
|
|
|
A mix of black and whiteFocus on certain systems or applications
|
Grey box
|
|
|
• A passive test, unlike a penetration test• May include port scanning• Test froGather information, don’t try to exploit a vulnerability
|
Vulnerability Scanning
|
|
|
Gather information, don’t try to exploit a vulnerability
|
Non-intrusive scans
|
|
|
You’ll try out the vulnerability to see if it works
|
Intrusive scans
|
|
|
The scanner can’t login to the remote device
|
Non-credentialed scans
|
|
|
You’re a normal user, emulates an insider attack
|
Credentialed scan
|
|
|
The scanner looks for many vulnerability types• The vulnerabilities can be cross-referenced online• Some vulnerabilities cannot be definitively identified
|
Identify Vulnerabilities
|
|
|
• Many results can be identified:• Lack of security controls• No firewall• No anti-virus• No anti-spyware• Misconfigurations• Open shares• Guest access• Real vulnerabilities
|
Vulnerability Scan Results
|
|
|
A vulnerability is identified that doesn’t really exist• This is different than a low-severity vulnerability• It’s real, but it may not be your highest priority
|
False positives
|
|
|
A vulnerability exists, but you didn’t detect it• Update to the latest signatures• Work with the vulnerability detection manufacturer• They may need to update their signatures
|
False negatives
|
|
|
Send random input to an application• Fault-injecting, robustness testing, syntax testing, etc.• Looking for something out of the ordinary, such as an application crash, server error, exception • Many different fuzzing utilities and options• Fuzzing is time and resource heavy• Many fuzzing engines use high-probability tests
|
Fuzzing
|
|
|
• There’s a balance between time and quality• Programming with security in mind is often secondary• The Quality Assurance (QA) process tests applications• Vulnerabilities will eventually be found
|
Secure Coding Concepts
|
|
|
• What happens when an error occurs?• Network connection fails, server hangs, database unavailable• Think of every possible problem• Mishandled exceptions can allow execution of code
|
Error and Exception Handling
|
|
|
Called cross-site because of browser security flaws• Information from one site can be shared with another• One of the most common vulnerabilities• Used by malware that uses JavaScript vulnerabilities
|
Cross-site Scripting (XSS)
|
|
|
Web site allows scripts to run in user input /search box• Bad guy may email a link• Email link runs a script that sends credentials/session IDs/cookies to the bad guy• Script embedded in URL executes in the victim’s browser, as if it came from the server• Bad guys use credentials/session IDs/cookies to steal victim’s information without their knowledge
|
Non-persistent (reflected) XSS attack
|
|
|
• Bad guy posts a message to a social network that includes a malicious payload (it’s now “persistent”)• Everyone gets the payload• No specific target• For social networking, this can spread quickly• Everyone who views the message can have it posted totheir page, where someone else can view it andpropagate it further...
|
Persistent (stored) XSS attack
|
|
|
• Be careful when clicking untrusted links• Consider disabling JavaScript, or control with an extension• Keep your browser and applications updated• Keep your web server applications updated
|
Protecting Against XSS
|
|
|
• Determine a security baseline for every application• Monitor the baseline over time• Perform scheduled scans• Once-a-month security patches and service packs• May require security testing after major updates
|
Application Configuration Baseline
|
|
|
Update the operating system• Apply security patches and service packs• Update application software• Restrict user accounts to “least privilege” access• Restrict additional software installations
|
Application Hardening
|
|
|
• May provide additional features• Patches may fix bugs• Close any open security holes
|
Application Patch Management
|
|
|
Use Windows Update for client-initiated updates• Centralize patch management with Windows Server Update Services (WSUS)• Mac OS - update from the Apple menu / Software Update• Linux - update using rpm, yum, apt-get, software update GUI
|
Updating Operating Systems
|
|
|
A bug fix might introduce others• Updating one application might break another• Security updates are important• Don’t forget your security check after updating,based on your application security baseline
|
The Patch Management Challenge
|
|
|
Keep important information centralized• In a format that allows for easy retrieval
|
SQL Databases
|
|
|
• Not Only SQL• Not SQL, not relational• A good choice for large datasets• Scales very large• Can analyze very large unstructured data sets• Big data• Grab as much data as you can and put it into a database• There might be relationships between the data, or perhaps not• The database needs to be able to handle anything
|
NoSQL Databases
|
|
|
Relies on a hash table to locate and represent data
|
Key-value store
|
|
|
• Large data stores can reference multiple columns with a single key
|
Column family store
|
|
|
Similar to key-value stores• Contains documents that are collections of other key-value collections
|
Document database
|
|
|
Instead of a spreadsheet, use nodes, node properties, and the relationship between the nodes
|
Graph database
|
|
|
• Attack an application through the user input• Provide data the application isn’t expecting• Unexpected results may occur• SQL injection• Gain access to the database• Filenames• Traverse the file system• Perform extensive tests before releasing app• Fuzzing or random input testing
|
Validating Data
|
|
|
All checks occur on the server• Helps protect against malicious users• Bad guys may not even be using your interface
|
Validation Points
|
|
|
The end-user’s app makes the validation decisions• Can filter legitimate input from genuine users• May provide additional speed to the user
|
Client-side validation
|
|
|
BYOD
|
Bring Your Own Device
|
|
|
• Manage company-owned and user-owned mobile devices• Centralized management of the mobile devices• Specialized functionality• Set policies on apps, data, camera, etc.• Control the remote device• The entire device or a “partition”• Manage access control• Force screen locks and PINs on these single user devices
|
Mobile Device Management
|
|
|
• Scramble all of the data on the mobile device• Even if you lose it, the contents are safe• Devices handle this in different ways• Strongest/stronger/strong ?• Encryption isn’t trival• Uses a lot of CPU cycles• Don’t lose or forget your password!• There’s no recovery
|
Device Encryption
|
|
|
• Remove all data from your mobile device• Even if you have no idea where it is• Connect and wipe from the web• Nuke it from anywhere• Need to plan for this• Configure your mobile device now
|
Remote Wipe / Sanitation
|
|
|
All mobile devices can be locked• Keep people out of your data• Simple passcode or strong passcode• Numbers vs. Alphanumeric• Fail too many times?• Erase the phone• Define a lockout policy• Create aggressive lockout timers• Completely lock the phone
|
Screen Lock
|
|
|
• An MDM can control exactly what’s loaded• Only approved corporate applications• Unapproved applications are restricted or removed• The MDM has complete control• Some MDM software segments corporate data• A separate area of the mobile device• Run personal and corporate without conflict• Some devices support removable storage• Control where organization’s data is stored• Individual and unused features can also be disabled• Bluetooth, video camera, etc.
|
Application Control and Storage Segmentation
|
|
|
Precise tracking details - Tracks within feet• Can be used for good - Find your phone• Can be used for bad - Find you• Most phones provide an option to disable• Limits functionality of the phones
|
GPS Tracking
|
|
|
• Encrypted data is important to mobile devices• Keep your information safe as it moves around• Is information encrypted when stored on the device?• Every application does this differently• Data across the network• Use the device APIs to send traffic via SSL• SSL requires a stored group of trusted Certificate Authorities (CA)• Locally-created CA certificates can be added through an MDM
|
Encryption and key management
|
|
|
• Usernames and passwords• Always separated from the application code• Credential details are almost always server-based• Easier to protect and manage• Credentials are usually communicated over SSL• Sometimes the app doesn’t actually encrypt anything!• Use a transitive trust for authentication• Login with Facebook, Google, etc
|
Credential Managment
|
|
|
• Your phone knows where you are• Location Services, GPS• Adds your location to document metadata• Longitude, latitude, Photos, videos, etc.• Every document may contain geotagged information• You can track a user quite easily• This may cause security concerns• Take picture, upload to social media
|
Geo-tagging
|
|
|
Managing mobile apps are a challenge• Mobile devices install apps constantly• Not all applications are secure• Android malware is a rapidly growing security concern• Manage application use through whitelists• Only approved applications can be installed• Managed through the MDM• A management challenge• New applications must be checked and added
|
Application Whitelisting
|
|
|
Corporate control of a personal device• Users must accept the integration of work onto the mobile device• Mobile Device Managers (MDMs) will be used• Specific security controls ensure adherence to corporate policies• May be a different acceptable use policy (AUP) for BYOD devices• A personal device, but used for business - Which policy wins?
|
User Acceptance and Adherence to Corporate Policies
|
|
|
• Not all devices can be reasonably managed• The organization may create a list of approved devices• All devices must be managed through the MDM• The device manager may have limitations on the type and number of devices• MDMs must be purchased, installed, etc.• Training costs, ongoing management costs• May require specific connectivity to the Internet• The MDM must talk to the mobile devices directly
|
Architecture and infrastructure considerations
|
|
|
• The organization now supports the device• If lost, the first call is to the corporate help desk• Not the wireless provider• Corporate office needs to wipe data• Or selectively remove the organization’s informationv• On-boarding and off-boarding is more involved• Carve out the organization’s section of the device• Remove just the organization’s data• I would completely nuke and rebuild
|
Support ownership and on/off-boarding
|
|
|
• Mobile devices are used everywhere• In the building, out of the building• New applications are installed all the time• With the potential for malware and viruses each time• Some patches may break other features• Or important corporate applications• On-device anti-virus may be required• Manage through the MDM
|
Patch and Anti-virus Management
|
|
|
The device belongs to a person• Some of the data belongs to the organization• Some of the data is very private• Use policies to determine data ownership• Document and communicate detailed security policy• Use technology to determine data ownership• Storage segmentation can build walls around employer data• Separate apps, separate data in the enterprise “box”
|
Data Ownership and Privacy
|
|
|
A corporate and social challenge• Privacy concerns, industrial espionage• Some policies restrict the use of the camera• Always available or always disabled• Some MDMs allow for geo-fencing• Restrict or allow features when in a particular area(The camera might only work when outside the office)
|
On-board Camera and Video
|
|
|
Post-attack actions• What forensic processes are followed?• With a desktop, the entire device is quarantined• The organization may not own the mobile device• The mobile device contains personal data• The forensics process may need to look at all information• Does the organization have a legal right to the device/data?• Does the user have a legal requirement of privacy to their data?
|
Forensics and Legal Concerns
|
|
|
Access to files and groups
|
User rights
|
|
|
Event log detail and log forwarding• File permissions
|
Log settings
|
|
|
Not all registry hives should be accessible
|
Registry permissions
|
|
|
What each user can and cannot do
|
Account policies
|
|
|
Millions of virus signatures are known• Always install an anti-virus application• Always keep the signatures current!• No anti-virus application can stop everything
|
Anti-Virus
|
|
|
Unsolicited emails (buy my stuff)• Phishing attempts to obtain your username and password• Many email clients include anti-spam technology• Your ISP may include this in the cloud
|
Anti-Spam
|
|
|
• Messages appear in separate windows in your browser• Became popular as an advertising method• Malware is especially good at popping windows• Legitimate applications may use pop-up windows
|
Pop-up Blockers
|
|
|
• Protect against others on the network• Can restrict access to your personal computer• Protect wherever you go• Important for laptops and mobile devices• Restricts by application and network port numbers
|
Host-based Firewalls
|
|
|
• Incredibly important• Provides system stability• May include security fixes and service packs• Provides emergency out-of-band updates• Protect against 0-day and important security discoveries
|
Patch Management
|
|
|
Nothing runs unless it’s approved• Very restrictive
|
Whitelisting (App)
|
|
|
• Decisions are made in the operating system• Often built-in to the operating system management
|
Examples of Application Management
|
|
|
Only allows applications with this unique identifier
|
Application hash
|
|
|
Allow digitally signed apps from certain publishers
|
Certificate
|
|
|
Only run applications in these folders
|
Path
|
|
|
The apps can only run from this network zone
|
Network zone
|
|
|
• Evaluation Assurance Levels• Common Criteria for Information Technology Security Evaluation• Also called Common Criteria (or CC)• Very common reference for US Federal Government• Evaluation Assurance Level (EAL) - EAL1 through EAL7• Trusted operating system• The operating system is EAL compliant• EAL4 is the most accepted minimum leve
|
Trusted OS
|
|
|
“Personal” firewalls• More than personal these days• Included in many operating systems• 3rd-party solutions also available• Stops unauthorized network access “Stateful” firewall• Blocks traffic by application• Windows Firewall• Filters traffic by port number and application
|
Host-Based Firewalls
|
|
|
Started as a separate application• Now integrated into many “endpoint” products• Protect based on signatures• Constantly growing database• Protect based on activity• Why are you modifying that file? |
Host-Based Intrusion Prevention
|
|
|
• Temporary security• Connect your hardware to something solid• Cable works almost anywhere, useful when mobile• Most devices have a standard connector• Reinforced notch• Not designed for long-term protection• Those cables are pretty thin
|
Cable Locks
|
|
|
Secure your important hardware and media• Protection against fire and water• Very heavy and difficult to steal• Access must be carefully managed
|
Safe
|
|
|
Data center devices may be managed by different groups• Responsibility lies with the owner• Racks can have enclosed cabinets with locks• Ventilation on front, back, top, and bottom
|
Locking Cabinets
|
|
|
Security baselining• Determine what the application requires• Host resources, network connectivity, etc.• Need to tighten down operating system• Host-based firewall• Application execution restrictions• Limit access to certain folders• Useful for configuring external security devices• Firewall security policies• Allow or restrict application communication
|
Host Software Baselining
|
|
|
• Web server, cloud based• The application is centralized• Other services may be using the same physical hardware• Difficult to completely secure and limit access• Redundancy may be required• Protect against downtime• Denial of Service (DoS)• Hardware failures• Network outages
|
Software on the Server
|
|
|
• One physical computer, many operating systems• Mac OS X, Windows 7, Linux, all at the same time!• Separate OS, independent CPU, memory, network, etc.• Host-based virtualization runs all OSes on your desktop
|
Virtualization
|
|
|
• Every guest is self-contained in a single file• Virtual hosts can be versioned• Take snapshots at any point, revert instantly• Store multiple snapshots• Easy to recover to a specific date and time• Historical analysis - determine when a vulnerability was exploited
|
Snapshots and Security
|
|
|
Provide resources when demand requires it• Scale down when things are slow
|
Elasticity
|
|
|
• New server deployed with a few mouse clicks• Virtualization integrates a layer of orchestration• Automate the deployment and movement of virtual hosts• Servers can be added or moved to other data centers• All of the management systems follow the servers
|
Host availability
|
|
|
• Virtualized hosts are perfect for spinning up a custom host• Network scans, vulnerability scanning, penetration testing• Sandboxing• Don’t click that link! Don’t launch that attachment!• Unless you’re in a sandbox• Individual sandboxes• Or centralized sandboxes for everyone
|
Using Virtual Hosts for Security
|
|
|
© 2014 Messer Studios, LLCEnsuring Data Securityhttp://www.ProfessorMesser.comProfessor Messer’s CompTIA SY0-401 Security+ Course Notes - Page 26SAN Data Security• The network is the SAN• You’re in one place, the data is in another• Physically secure SAN• Restricted physical access• Protected data center• Self-encrypting drives• Encrypt data when it leaves the protected area• Network-to-network (switch-to-switch)• Backup tapes• Plan for encryption overhead in CPU and network use
|
SAN Data Security
|
|
|
Massive datasets• Normal access controls may not apply• Doesn’t fit a “need to know” principle• You don’t even know what’s in there• An important part of big data is hunting for patterns• Consider removing Personally Identifiable Information (PII)• Difficult to completely remove an individual’s identification• Difficult to audit every bit of information accessed• Log just the queries• Implement Data Loss Prevention (DLP) techniqu
|
Securing Big Data
|
|
|
Massive datasets• Normal access controls may not apply• Doesn’t fit a “need to know” principle• You don’t even know what’s in there• An important part of big data is hunting for patterns• Consider removing Personally Identifiable Information (PII)• Difficult to completely remove an individual’s identification• Difficult to audit every bit of information accessed• Log just the queries• Implement Data Loss Prevention (DLP) techniques
|
Securing Big Data
|
|
|
• Serious data protection - Every bit and byte is encrypted• Perfect for mobile devices - But not exclusive to laptops• Built-in protection - BitLocker• Commercial and open-source options - PGP, TrueCrypt• Key management is incredibly important• Lose the key, lose your data
|
Full-Disk Encryption
|
|
|
• Relatively impractical to encrypt an entire database• Huge files, lots of access• Encryption based on the Database Management System (DBMS)• Different capabilities across different software platforms• Individual columns/fields are usually encrypted• Don’t encrypt your key fields!
|
Database Encryption
|
|
|
• Many different options• Built-in to the OS• 3rd-party applications• Some files are encrypted others are not• Pick and choose your security• And your resource management• Many of those still require key management• Backup your keys, protect your keys
|
Individual File Encryption
|
|
|
• Big concern• Where’s my USB drive?• Administrative controls over removable media• Require encryption• Again with the key management• This can be automated in many operating systems• No USB storage at all• An extreme case
|
Removable Media Encryption
|
|
|
Practically all mobile devices encrypt user data• The key is on the device• Email and apps using “Data Protection” are encrypted in iOS• The key is based on the passcode• Even if stolen, you can get the data• Some information may not be encrypted in iOS• On Android, configure encryption in Settings > Security• Full-disk encryption, the key is based on the passcode
|
Mobile Devices
|
|
|
• A specification for cryptographic functions• Cryptographic processor with random number generator, key generators• Persistent memory • Comes with unique keys burned in during production• Versatile memory• Storage keys, hardware configuration information• Password protected
|
Trusted Platform Module (TPM)
|
|
|
• High-end cryptographic hardware• Plug-in card or separate hardware device• Key backup in secured storage• Cryptographic accelerators for offloading CPU overhead• Used in large environments
|
Hardware Security Module (HSM)
|
|
|
Hardware-based AES encryption as part of the drive• Includes trusted browser, identity software• Can be used as secure tokens withtwo-factor authentication and single sign-on• Remote management included to unlock or reset remotely
|
USB Encryption
|
|
|
Data transmitted over the network• Also called data in-motion• Not much protection as it travels• Many different switches, routers, devices• Provide transport encryption• TLS (Transport Layer Security), IPsec (Internet Protocol Security)
|
Data In-Transit
|
|
|
• The data is on a storage device• Encrypt the data• Whole disk encryption, database encryption• File- or folder-level encryption• Apply permissions• Access control lists - only authorized users can access the data
|
Data At-Rest
|
|
|
• The data is in memory• System RAM, CPU registers and cache• The data is almost always decrypted• Otherwise, you couldn’t do anything with it• The bad guys can pick the decrypted information out of RAM
|
Data In-Use
|
|
|
• Permissions associated with an object• Used in file systems, network devices, operating systems, and more• List the permissions• Bob can read files• Fred can access the network• James can access network 192.168.1.0/24 using • tcp ports 80, 443, and 8088• Many operating systems use ACLs to provide access to files• A trustee and the access rights allowed
|
Access Control Lists
|
|
|
• Remote removal of data• The administrator can delete all or part of live data• Retiring hardware• Hard drives contain a lot of information• Overwrite all disk data before disposing• May be based around device loss or employee off-boarding• The organization controls the location of data at all times
|
Data Wiping
|
|
|
Some information cannot be disposed of• Legal requirements for maintaining information• Some information is destroyed to make room for more• Archived data, especially with high storage costs• Personal data may have a very short life• Only store for however long as is necessary• Sensitive information may be destroyed to control distribution• Keep the information out of the hands of others
|
Disposing of Data
|
|
|
• Keep files that change frequently for version control• Files change often - Keep at least a week, perhaps more• Recover from virus infection• Infection may not be identified immediately• May need to retain 30 days of backups• Consider legal requirements for data retention• Email storage may be required over years• Some industries must legally store certain data types• Different data types have different storage requirements
|
Data Retention
|
|
|
• User can’t change very much, unlike a PC• Very useful for security - Easier to protect and defend Even static environments can be updated• Firmware upgrades are common
|
Static Environments
|
|
|
A computing system designed to• perform a specific, dedicated function• Intravenous drip-rate meter, water treatment plant controls
|
Embedded systems
|
|
|
Supervisory Control and Data Acquisition System• Large-scale, multi-site Industrial Control Systems (ICS)• Runs on normal PCs, manages equipment• Power generation, refining, manufacturing equipment• Traditionally not built with security in mind• This has obviously been a problem these days• Huge emphasis in securing all SCADA systems• Enormous improvements in a short time
|
SCADA and HVAC
|
|
|
• All-in-one or multifunction devices (MFD)• Everything you need in one single device• No longer a simple printer - very sophisticated firmware• Some images are stored locally on the device• Can be retrieved externally• Logs are stored on the device• Contain communication and fax details
|
Printers, Scanners, and Fax Machines
|
|
|
Huge amount of computing power in a car• Navigation, in-vehicle entertainment• Engine electronics• Embedded technology for fuel consumption and engine functions• Telemetry• Event data recorder “black box”• Acceleration, braking, position
|
In-Vehicle Computing Systems
|
|
|
Operating system for many different products• iPod, iPhone, iPad• Closed operating system• Derived from Unix• Apps available in the App Store• Developers must submit their apps for approval• Only one place to download applications• Very closed environment• Security issues are relatively mitigated
|
Apple iOS
|
|
|
• Open Handset Alliance• Driven by Google• A more open model than iOS• Open-source operating system• A more open app distribution system• Completely distributed, no centralized store• More susceptible to malware• Applications have limited access to user data• Unless the user allows it
|
Android
|
|
|
Connect TV, Hybrid TV• Combine a computer with a television• Stream video/audio, video on demand, games, social networking, etc. - Video without an antenna• Most use a Linux kernel• Security concerns associated with JavaScript,HTML5, Java, etc.• Disable if features aren’t needed• Office conference room, OTA-only
|
Smart Televisions
|
|
|
Legacy systems - Proprietary operating systems• Still used for large-scale applications• Bulk data, transaction processing• Very reliable and redundant• Can run interrupted for decades• Not many mainframe-specific attacks exist• A unique OS with relatively few installations• Attacks tend to be from the inside• Very specialized, attacking specific data source
|
Mainframes
|
|
|
Very similar to a PC - Specific hardware and a purpose-built OS• Xbox and PlayStation - Windows and Linux• Large storage and CPU capacity - Perfect to use as a server• Rooting or jailbreaking - Gain access to the hardware and/or the OS• Network-centric - Keep away from the corporate network
|
Game Consoles
|
|
|
Layered security• Defense-in-depth - You need more than just one type of security• The security controls should be diverse• If you get over one hurdle, there’s another one to stop you• Avoid any single points of failure• Security also needs redundancy• Multiple firewalls, multiple IPS, multiple management system
|
Security Layers and Control Redundancy
|
|
|
Separate logical sections of the organization• Internet, DMZ, storage, management, corporate, etc.• Physical separation• Completely different infrastructure• Logical separation• Firewall rules, based on zones or IP address ranges• Specific policies for types of data per zone• No PII in the DMZ, no credit card information on the Internet
|
Network Segmentation
|
|
|
Puts a wrapper between the network and the service• Used ACLs to filter access to services• A very early form of application control
|
TCP Wrapper
|
|
|
Filters traffic based on the application• Can provide very detailed application control• Can protect specialized applications
|
Application firewalls -
|
|
|
Embedded systems have relatively few updates• Some embedded systems can’t be updated easily• Many embedded systems require manual updates• There’s no automated process or external management• More time consuming• May be seen as less of a priority
|
Firmware Version Control
|
|
|
• Authentication protocol for almost everything• A very common AAA service• Modems, routers, switches, firewalls, etc.• A common authentication method for 802.1X• Secure authentication - sends passwords as a hash
|
RADIUS (Remote Authentication Dial-in User Service)
|
|
|
• Remote authentication protocol, RFC 1492• Created to control access to dial-up lines to ARPANET• XTACACS (Extended TACACS)• A Cisco-created (proprietary) version of TACACS• Additional support for accounting and auditing• TACACS+• The latest Cisco proprietary version of TACACS• Not backwards compatible• More authentication requests and response codes
|
TACACS (Terminal Access Controller Access-Control System)
|
|
|
• Protocol for reading and writing directories over an IP network• X.500 specification was written by the International Telecommunications Union (ITU) • LDAP is lightweight, and uses TCP/IP (tcp/389 and udp/389)• LDAP is the protocol used to query and update an X.500 directory• Used in Windows Active Directory, Apple OpenDirectory, Novell eDirectory, etc.
|
LDAP (Lightweight Directory Access Protocol)
|
|
|
LDAP User Access and Security• Simple Authentication and Security Layer (SASL) in LDAP v3• Usually two levels of access - Read-only (query) and read-write (update)
|
X.500 Directory Information Tree
|
|
|
LDAP over SSL - Encrypt with SSL/TLS• Commonly configured in Microsoft environments - Active Directory uses TCP port 636
|
Secure LDAP
|
|
|
• You need access to resources on a service provider• You can authenticate through a third-party• Service provider• You need access to this web server• Client• The user that needs access, often from a browser• Identity Provider• The owner of the identities and credentials
|
SAML(Security Association Markup Language)
|
|
|
Identification associates a user with an action• Authentication proves a user is who it claims to be• The access control process• Prove a user is who they say they are (authorization)• Prove a user performed an action (non-repudiation)
|
Identification vs. authentication
|
|
|
Proves a user or process is who it claims to be• Provide a username and a secret passphrase• Many different authentication types
|
Authentication
|
|
|
Now you’re identified - What rights and permissions do you have?• Policy definition - What rights and permissions should apply?• Policy enforcement - Only authorized rights are exercised• Allow and deny based on defined policies
|
Authorization
|
|
|
Now you’re identified - What rights and permissions do you have?• Policy definition - What rights and permissions should apply?• Policy enforcement - Only authorized rights are exercised• Allow and deny based on defined policies
|
Authorization
|
|
|
Authorization• Ensure only authorized rights are exercised (policy enforcement)• The process of determining rights (policy definition)
|
Access Control
|
|
|
A generic term for following the rules• Access is determined through system-enforced rules
|
Rule-based access control
|
|
|
The owner is in full control• Very flexible but very weak security
|
Discretionary access control (DAC)
|
|
|
Access is based on the role of the user• Rights are gained implicitly instead of explicitly• Windows Groups can provide role-based access control
|
Role-based access control (RBAC)
|
|
|
Based on security clearance levels• Every object gets a label• Labeling of objects uses predefined rules
|
Mandatory Access Control (MAC)
|
|
|
Unless otherwise stated, there’s no access of any kind
|
Implicit Deny
|
|
|
Unless otherwise stated, there’s no access of any kind
|
Implicit Deny
|
|
|
Access control changes depending on the time of day
|
Time of Day Restrictions
|
|
|
Something you know -
|
Password, PIN
|
|
|
Something you have
|
Smart card, token
|
|
|
Something you are
|
Fingerprint, iris scan
|
|
|
More than one factor
|
Multi-factor Authentication
|
|
|
Somewhere you are
|
Biometrics
|
|
|
GPS information, IP address
|
Somewhere you are
|
|
|
Handwriting analysis, typing technique
|
Something you do
|
|
|
HOTP - HMAC-based One-Time Password• The keys are based on a secret key and a counter• Token-based authentication• The hash is different every time• Hardware and software tokens available• You’ll need additional technology to make this work
|
One-Time Password Algorithms
|
|
|
Use a secret key and the time of day• Secret key is configured ahead of time• Timestamps are synchronized via NTP• Timestamp usually increments every 30 seconds• Put in your username, password, and TOTP code• One of the more common OTP methods• Used by Google, Facebook, Microsoft, etc.
|
TOTP Time-based One-Time Password
|
|
|
____ is clear-text authentication• Unsophisticated, insecure
|
PAP (Password Authentication Protocol)
|
|
|
• Encrypted challenge sent over the network• Three-way handshake• After link is established, server sends a challenge message• Client responds with a password hash• Server compares received hash with stored hash
|
CHAP (Challenge-Handshake Authentication Protocol)
|
|
|
Authenticate one time• Kerberos authentication and authorization• 3rd-party options
|
Single Sign-on (SSO)
|
|
|
• Authenticate one time• No constant username and password input• Not everything is Kerberos-friendly
|
SSO with Kerberos
|
|
|
Software as a Service (SaaS)Many 3rd-party services are available
|
SSO for everything
|
|
|
• Provide network access to others - Not just employees• Third-parties can establish a federated network• Authenticate and authorize between the two organizations• Login with your Facebook credentials• The third-parties much establish a trust relationship• And the degree of the trust
|
Federation
|
|
|
Domain B trusts Domain A, Domain A doesn’t trust Domain B
|
One-way trust
|
|
|
Both domains are peers, both trust each other equally
|
Two-way trust
|
|
|
A trust is specifically created and applies only to that trust
|
Non-transitive trust
|
|
|
Domain A trusts Domain B, Domain B trusts Domain C,therefore Domain A trusts Domain C
|
Transitive trust
|
|
|
Define groups based on a user’s role• Make the definitions tight enough to apply security controls• There may be different permissions in the same department• A user can logically only have rights for one role at a time
|
Role-based Management
|
|
|
Authentication details for one account is known by more than one person• Sharing accounts makes auditing very difficult, • Breaks non-repudiation• Activities on a shared account can be challenged• The account credentials are more likely to be compromised• Changing the password will involve many people
|
Shared Accounts
|
|
|
All that stands between the outside world and all of the data• Passwords must not be embedded in the application• Everything needs to reside on the server, not the client• Communication across the network should be encrypted• Authentication traffic should be impossible to see
|
Protecting Credentials
|
|
|
Apply security and admin settings across many computers• Different than NTFS or Share permissions• Control the use of the operating system• Linked to Active Directory administrative boundaries• Sites, domains, organization units (OUs)• Define by groups, locations, etc.
|
Group Policy
|
|
|
Remove Add or Remove Programs• Prohibit changing sounds• Allow font downloads• Only allow approved domains to use• ActiveX controls without prompt
|
Group Policy Control
Administrative policies |
|
|
Specify minimum password length• Require smart card• Maximum security log size• Enforce user login restrictions
|
Group Policy Control
Security policies |
|
|
Make your password strong• No single words, no obvious passwords• Mix upper and lower case, use special characters• A strong password is at least 8 characters• Prevent password reuse
|
Password Complexity and Length
|
|
|
All passwords should expire, change every 30 days, 60 days, etc.• Critical systems might change more frequently• The recovery process should not be trivial!• Some organizations have a very formal process
|
Password Expiration and Recovery
|
|
|
Too many bad passwords will cause a lockout• This can cause big issues for service accounts• Disabling accounts is usually part of the normal change process• You don’t want to delete accounts, at least not initially
|
Account lockout and disablement
|
|
|
Put users into a single group, then set privileges on the group• Add/remove users from the group to assign privileges• Users can be members of multiple groups• Group permissions can overlap
|
Group Management
|
|
|
Individual users are granted specific rights• Difficult to make global changes• Doesn’t scale very well
|
User Management
|
|
|
Based on the role of the user• Administrators, Users, HR managers, Accounting analysts• Users can be moved in and out of a role as their job changes• A user should only have rights for one role at a time
|
Role-based Management
|
|
|
• There can be misconfigurations, changes in user policies• Auditing should occur often• Monitor group membership• Review access control lists• Identify and disable unused accounts• Disable unnecessary accounts
|
User Access Review
|
|
|
Keep a list of every action, i.e., application, security, audit• This can be an enormous database• Don’t turn these off!• Use to detect unauthorized access to a resource
|
Monitoring Event Logs
|
|
|
An unencrypted message (in the clear)
|
Plaintext
|
|
|
An encrypted message
|
Ciphertext
|
|
|
The algoithm used to encrypt and/or decrypt
|
Cipher
|
|
|
The art of cracking encryption
|
Cryptanalysis
|
|
|
Substitute one letter with another - ROT13• “Uryyb Jbeyq” is “Hello World”• Transposition Cipher• Keep the letters, change the order - “HLOOLELWRD”• Hack these ciphers with a frequency analysis
|
Substitution Cipher (Caesar cipher)
|
|
|
Germany’s Enigma machine (WW II)
|
Mechanical Cipher
|
|
|
Use complex algorithms to encrypt
|
Mathematical Ciphers
|
|
|
The plaintext was combined with a shared “pad” of text to produce the ciphertext• The decryption would be done with the same pad of text
|
One-time pad
|
|
|
A single, shared key• Encrypt with the key, decrypt with the same key• If the key is found, all data can be decrypted• Very fast to use, not a lot of overhead• Often combined with asymmetric encryption
|
Symmetric Encryption
|
|
|
Public key cryptography• Private key - keep this private• Public key - give to everyone• The private key is the only key that can decrypt dataencrypted with the public key• You can’t derive the private key from the public key
|
Asymmetric encryption
|
|
|
Don’t send the symmetric key over the ‘net• Telephone, courier, in-person, etc.
|
Out-of-band key exchange
|
|
|
It’s on the network• Protect the key with additional encryption• Often uses asymmetric encryption to deliver a symmetric key
|
In-band key exchange
|
|
|
There’s a need for fast security • Without compromising the security part• Share a symmetric session key using asymmetric encryption• Client encrypts a random (symmetric) key witha server’s public key• The server decrypts this shared key and uses it to encrypt data• This is the session key• Implement session keys carefully• Need to be changed often (ephemeral keys)• Need to be unpredictable
|
Real-time Encryption/Decryption
|
|
|
• Used in symmetric encryption• Not used in asymmetric encryption• Encrypt fixed-length groups (blocks)• Often 64-bit or 128-bit blocks• Pad added to short blocks to fill the block size
|
Block Ciphers
|
|
|
The key-to-ciphertext relationship should be very complicated• You can’t determine the key based on the ciphertext
|
Confusion
|
|
|
Output should depend on the input in a complex way• If you change one bit of the input, at least 50% of the output should be different
|
Diffusion
|
|
|
Also used with symmetric encryption• Encryption is done one bit or byte at a time• High speed, low hardware complexity• The starting state should never be the same twice• Key is often combined with an initialization vector (IV)
|
Stream Ciphers
|
|
|
Proof of integrity• Proof of origin, with high assurance of authenticity• Used for digital signatures• Digitally “sign” your files/messages with your private key• Others check with your public key
|
Non-repudiation
|
|
|
Represent data as a short string of text (a message digest)• Impossible to recover the original message from the digest• Used to store passwords and provide confidentiality• Can be a digital signature for authentication,non-repudiation, and integrity• A well designed hash will not collide• Different messages will not have the same hash
|
Hashes
|
|
|
A trusted third-party holds the keys• Allows for recovery of encrypted dataSomeone else holds your decryption keys• Your private keys are in the hands of a 3rd-party• This can be a legitimate business arrangement• A business might need access to employee information• Government agencies may need to decrypt partner data
|
Key Escrow
|
|
|
• Symmetric encryption - Hide a key in a safe• Asymmetric encryption - Add an additional private decryption key• The process is just as important as the key• When do you get the key? Who has access? Is there more than one key?
|
Key escrow with encryption types
|
|
|
Greek for “concealed writing”• Message is invisible, but it’s really there• The covertext is the container document or file• Network based steganography• Embed messages in TCP packets• Embed a message in an image• Use (nearly) invisible watermarks• Yellow dots on printers
|
Steganography
|
|
|
Asymmetric encryption• Need large integers composed of two or morelarge prime factors• Instead of numbers, use curves!• Smaller storage and transmission requirements• Perfect for mobile devices
|
Elliptic curve cryptography (ECC)
|
|
|
Use quantum physics to provide cryptographic references• Quantum key distribution (QKD)• Used to communicate a shared key between two users• If a third-party tries to get in the middle, the data is disturbed
|
Quantum cryptography
|
|
|
Don’t use the server’s RSA key pair• Use Elliptic curve, Diffie-Hellman ephemeral• The keys aren’t kept around• You can’t recover the key, so you can’t decrypt• PFS requires more computing power - Not all servers use PFS• The browser must support PFS• Check your SSL/TLS information for details
|
Perfect Forward Secrecy (PFS)
|
|
|
First published: April 1992• Replaced MD4• 128-bit hash value• 1996: Vulnerabilities found - not collision resistant• December 2008: Researchers created CA certificatethat appeared legitimate when MD5 is checked
|
MD5 Message Digest Algorithm
|
|
|
Developed by the National Security Agency (NSA)• A US Federal Information Processing Standard
|
Secure Hash Algorithm (SHA)
|
|
|
Widely used• 160-bit digest• 2005: Collision attacks published
|
SHA-1
|
|
|
The preferred SHA variant• Up to 512-bit digests• SHA-1 is now retired for most US Government use
|
SHA-2
|
|
|
A family of message digest algorithms• RACE Integrity Primitives Evaluation Message Digest• RACE - Research and Development in AdvancedCommunications Technologies in Europe• Original RIPEMD was found to have collision issues (2004)• Effectively replaced with RIPEMD-160 (no known collision issues)• Based upon MD4 design but performs similar to SHA-1• RIPEMD-128, RIPEMD-256, RIPEMD-320
|
RIPEMD
|
|
|
Combine a hash with a secret key• e.g., HMAC-MD5, HMAC-SH1• • Verify data integrity and authenticity• No fancy asymmetric encryption required• • Used in network encryption protocols• IPsec, TLS
|
HMAC-Hash-based Message Authentication Code
|
|
|
One of the Federal Information Processing Standards (FIPS)• 64-bit block cipher• 56-bit key (very small in modern terms)
|
Data Encryption Standard - DES
|
|
|
Use the DES algorithm three times• Three keys, two keys, or the same key three times• Superseded by AES (Advanced Encryption Standard)
|
3DES
|
|
|
• US Federal Government Standard• 128-bit block cipher - 128-, 192-, and 256-bit keys• Used in WPA2 - Powerful wireless encryption
|
AES (Advanced Encryption Standard)
|
|
|
Designed in 1993 by Bruce Schneier• 64-bit block cipher, variable length key (1 to 448 bits)• No known way to break the full 16 rounds of encryption• One of the first secure ciphers not limited by patents
|
Blowfish
|
|
|
Successor to Blowfish• 128-bit block size, key sizes up to 256• No patent, public domain
|
Twofish
|
|
|
Ron Rivest, Adi Shamir, and Leonard Adelman (1977)• Public-key cryptography system• Based on the product of two large prime numbers• You must know the factors to decode• Now released into the public domain• Used extensively for web site encryption and DRM
|
RSA
|
|
|
A key exchange method over an insecure communications channel, published in 1976• Witfield Diffie and Martin Hellman (and Ralph Merkle)• DH does not itself encrypt or authenticate• It’s an anonymous key-agreement protocol• Used for Perfect Forward Secrecy• Ephemeral Diffie-Hellman (EDH or DHE)• Combine with elliptic curve cryptography for ECDHE
|
Diffie-Hellman Key Exchange
|
|
|
1917 - Built to encrypt teletype communication• Mixed a paper tape (message) with another paper tape (key)• The “pad” is a pad of paper• Very simple encryption and decryption process• Very secure encryption - Unbreakable when used correctly
|
One-Time Pad
|
|
|
• Microsoft and 3Com network operating system• Hash challenge, similar to CHAP• Somewhat insecure• All uppercase ASCII, password is 14-characters max• Passwords over 7 characters are split and encrypted separately• Passwords are not salted
|
LAN Manager (LANMAN)
|
|
|
Some Windows password databases contain LM hash versions of the passwords• NTLM is vulnerable to a credentials forwarding attack
|
NTLM vulnerabilities
|
|
|
Used in early versions of Windows NT• Password is Unicode and up to 127 characters long• Stored as a 128-bit MD4 hash
|
NTLM (NT LAN Manager)
|
|
|
• New password response• MD4 password hash (same as NTLMv1)• HMAC-MD5 hash of username and server name• Variable-length challenge of timestamp,random data, domain name
|
NTLMv2 was first seen on Windows NT SP4
|
|
|
• Developed by Netscape in 1996• TLS (Transport Layer Security) - Derived from SSL• HTTPS uses SSL/TLS to encrypt web server communication
|
SSL (Secure Sockets Layer)
|
|
|
Encrypted console communication• Used often for remote administration• Includes secure file transfer (SFTP) and secure file copy (SCP)
|
SSH (Secure Shell)
|
|
|
• Security for OSI Layer 3• Encrypts IP packets (tcp/udp 1293)• Provides confidentiality and integrity/anti-replay• Encryption and packet signing• Very standardized• Two core IPsec protocols are Authentication Header (AH)and Encapsulation Security Payload (ESP)
|
IPsec
|
|
|
Transport mode• Only IP payload is encryptedand/or authenticated Tunnel mode• Entire packet is encrypted and/or authenticatedAH (Authentication Header)• Data integrity• Origin authentication• Replay attack protection• Keyed-hash mechanism• No confidentiality (encryption)Building the Authentication Header• Hash of the packet and a shared key• Often uses a well-known hash• MD5, SHA-1, or SHA-2• The AH is added to the packet header
|
IPsec Authentication Header (AH)
|
|
|
• Data confidentiality (encryption)• Limited traffic flow confidentiality• Data integrity• Anti-replay protection
|
ESP (Encapsulating Security Payload)
|
|
|
Combine the data integrity of AH with the confidentiality of ESP
|
AH and ESP
|
|
|
Practically everything can be brute forced• Strong algorithms have been around for a while• That’s part of the reason that they are strong• Wired Equivalent Privacy (WEP) was found to have design flaws• Strong algorithms - PGP, AES• Weak algorithms - DES (56-bit keys), WEP (design flaw)
|
The Strength of Encryption
|
|
|
A weak key is a weak key - by itself, it’s not very secure• Make a weak key stronger by performing multiple processes• Hash a password. Hash the hash of the password. And continue...• Brute force attacks would require reversing each of those hashes• The attacker has to spend much more time, even though the key is small
|
Key Stretching
|
|
|
bcrypt• Generates hashes from passwords• An extension to the UNIX crypt library• Uses Blowfish cipher to perform multiple rounds of hashing• Password-Based Key Derivation Function 2 (PBKDF2)• Part of RSA public key cryptography standards(PKCS #5, RFC 2898)
|
Key stretching libraries
|
|
|
• Built-in to your browser• Purchase your web site certificate• It will be trusted by everyone’s browser• Create a key pair, send the public key to the CA to be signed• A certificate signing request (CSR)• May provide different levels of trust and additional features• Add a new “tag” to your web site
|
Commercial certificate authorities
|
|
|
• You are your own CA - build it in-house• Needed for medium-to-large organizations• Implement as part of your overall computing strategy• Windows Certificate Services• OpenCA
|
Private certificate authorities
|
|
|
Certificate Revocation List (CRL)• Maintained by the Certificate Authority (CA)
|
Key Revocation
|
|
|
The browser can check certificate revocation• Messages usually sent to an ____responder via HTTP• Not all browsers support ____• Early Internet Explorer versions did not support ___
|
OCSP Online Certificate Status Protocol
|
|
|
You manage your own certificates• You must find others to sign your certificate, and those people must be trusted by others• Plan to revoke your key with a revocation certificate• You can also enable others to create revocation certs for your key
|
Web-of-Trust Key Revocation
|
|
|
• Policies, procedures, hardware, software,people to manage digital certificates• Create, distribute, manage, store, revoke• Requires extensive planning• Also refers to the binding of public keys to people
|
Public Key Infrastructure (PKI)
|
|
|
Create a key with the requested strengthusing the proper cipher
|
Key generation
|
|
|
Allocate a key to a user
|
Certificate generation
|
|
|
Makes the key available to the user
|
Distribution
|
|
|
Secure storage and protection against unauthorized use
|
Storage
|
|
|
Manage keys that have been compromised
|
Revocation
|
|
|
A certificate may only have a certain “shelf life”
|
Expiration
|
|
|
Your private key is valuable• Backup and store private keys• Use “M of N” control to restrict access• Built-in to Windows Server CA and other 3rd-party CAs
|
Key Recovery
|
|
|
The Key Pair• Asymmetric encryption, Public Key Cryptography• Both the public and private key are built at the same time• Lots of randomization and large prime numbers
|
Public Keys and Private Keys
|
|
|
Sign with the private key• The message doesn’t need to be encrypted• Verify with the public key• Any change in the message will invalidate the signature
|
Digital Signatures
|
|
|
Use public and private key cryptography to create a symmetric key
|
Symmetric key from asymmetric keys
|
|
|
The Registration Authority (RA) provides the PKI role thatensures the public key is bound to the individual• Important for non-repudiation• This can range from a casual verification to a formal,multi-step verification• Federal Public Key Infrastructure Policy AuthorityX.509 Certificate Policy for the U.S. Federal Government
|
Key Registration
|
|
|
|
|
