Professor Messer’s CompTIA Security+

SY0-601 Course Notes http://www.ProfessorMesser.com

1.1 - Phishing
Phishing – The fake check scam, phone Impersonation
• Social engineering with a touch of verification code scam, • Attackers pretend to be someone
spoofing – Boss/CEO scam, advance-fee they aren’t
– Often delivered by email, text, scam – Halloween for the fraudsters
etc. – Some great summaries on • Use some of those details from
– Very remarkable when well done https://reddit.com/r/Scams reconnaissance
• Don’t be fooled – You can trust me, I’m with your
– Check the URL Finding the best spot to phish help desk
• Usually there’s something not • Reconnaissance • Attack the victim as someone
quite right – Gather information on the victim higher in rank
– Spelling, fonts, graphics • Background information – Office of the Vice President for
– Lead generation sites Scamming
Tricks and misdirection – LinkedIn, Twitter, Facebook, • Throw tons of technical details
• How are they so successful? Instagram around
– Digital sleight of hand - it fools – Corporate web site – Catastrophic feedback due to the
the best of us • Attacker builds a believable depolarization of the differential
• Typosquatting pretext magnetometer
– A type of URL hijacking – Where you work • Be a buddy
https://professormessor.com – Where you bank – How about those Cubs?
– Prepending: – Recent financial transactions
https://pprofessormesser.com – Family and friends Eliciting information
• Pretexting • Extracting information from the
– Lying to get information Spear phishing victim
– Attacker is a character in a • Targeted phishing with inside – The victim doesn’t even realize
situation they create information this is happening
– Hi, we’re calling from Visa – Makes the attack more believable – Hacking the human
regarding an automated payment • Spear phishing the CEO is • Often seen with vishing (Voice
to your utility service… “whaling” Phishing)
– Targeted phishing with the – Can be easier to get this
Pharming possibility of a large catch information over the phone
• Redirect a legit website to a – The CFO (Chief Financial Officer) is • These are well-documented
bogus site commonly speared psychological techniques
– Poisoned DNS server or client • These executives have direct – They can’t just ask, “So, what’s
vulnerabilities access to the corporate bank your password?”
• Combine pharming with phishing account
– Pharming - Harvest large groups – The attackers would love to have Identity fraud
of people those credentials • Your identity can be used by
– Phishing - Collect access others
credentials 1.1 - Impersonation – Keep your personal information
• Difficult for anti-malware The pretext safe!
software to stop • Before the attack, the trap is set • Credit card fraud
– Everything appears legitimate to – There’s an actor and a story – Open an account in your name, or
the user • “Hello sir, my name is Wendy and use your credit card information
I’m from Microsoft Windows. This is • Bank fraud
Phishing with different bait an urgent check up call for your – Attacker gains access to your
• Vishing (Voice phishing) is done computer as we have found several account or opens a new account
over the phone or voicemail problems with it.” • Loan fraud
– Caller ID spoofing is common • Voice mail: “This is an – Your information is used for a
– Fake security checks or bank enforcement action executed by loan or lease
updates the US Treasury intending your • Government benefits fraud
• Smishing (SMS phishing) is done serious attention.” – Attacker obtains benefits on your
by text message • “Congratulations on your behalf
– Spoofing is a problem here as well excellent payment history! You now
– Forwards links or asks for qualify for 0% interest rates on all Protect against impersonation
personal information of your credit card accounts.” • Never volunteer information
• Variations on a theme – My password is 12345
• Don’t disclose personal details • This is surprisingly easy • Have the mountain come to you
– The bad guys are tricky – Airports / Flights – Go where the mountain hangs
• Always verify before revealing – Hallway-facing monitors out
info – Coffee shops – The watering hole
– Call back, verify through 3rd • Surf from afar – This requires a bit of research
parties – Binoculars / Telescopes
• Verification should be encouraged – Easy in the big city Executing the watering hole
– Especially if your organization – Webcam monitoring attack
owns valuable information Preventing shoulder surfing • Determine which website the
• Control your input victim group uses
1.1 - Dumpster Diving – Be aware of your surroundings – Educated guess - Local coffee or
Dumpster diving • Use privacy filters sandwich shop
• Mobile garbage bin – It’s amazing how well they work – Industry-related sites
– United States brand name • Keep your monitor out of sight • Infect one of these third-party
“Dumpster” – Away from windows and hallways sites
– Similar to a rubbish skip • Don’t sit in front of me on your – Site vulnerability
• Important information thrown flight – Email attachments
out with the trash – I can’t help myself • Infect all visitors
– Thanks for bagging your garbage – But you’re just looking for specific
for me! Computer hoaxes victims
• Gather details that can be used • A threat that doesn’t actually – Now you’re in!
for a different attack exist
– Impersonate names, use phone – But they seem like they COULD be Because that’s where the money is
numbers real • January 2017
• Timing is important • Still often consume lots of • Polish Financial Supervision
– Just after end of month, end of resources Authority, National Banking and
quarter – Forwarded email messages, Stock Commission of Mexico, State-
– Based on pickup schedule printed memorandums, wasted owned bank in Uruguay
time – The watering hole was sufficiently
Is it legal to dive in a dumpster? • Often an email poisoned
• I am not a lawyer. – Or Facebook wall post, or tweet, • Visiting the site would download
– In the United States, it’s legal or... malicious JavaScript files
– Unless there’s a local restriction • Some hoaxes will take your – But only to IP addresses matching
• If it’s in the trash, it’s open season money banks and other financial
– Nobody owns it – But not through electronic means institutions
• Dumpsters on private property or • A hoax about a virus can waste as • Did the attack work?
“No Trespassing” signs may be much time as a regular virus – We still don’t know
restricted
– You can’t break the law to get to De-hoaxing Watching the watering hole
the rubbish • It’s the Internet. Believe no one. • Defense-in-depth
• Questions? Talk to a legal – Consider the source – Layered defense
professional. • Cross reference – It’s never one thing
– http://www.hoax-slayer.net • Firewalls and IPS
Protect your rubbish – http://www.snopes.com – Stop the network traffic before
• Secure your garbage • Spam filters can help things get bad
– Fence and a lock – There are so many other ways... • Anti-virus / Anti-malware
• Shred your documents • If it sounds too good to be true... signature updates
– This will only go so far – So many sad stories – The Polish Financial Supervision
– Governments burn the good stuff Authority attack code was
• Go look at your trash 1.1 - Watering Hole Attacks recognized and stopped by generic
– What’s in there? Watering Hole Attack signatures in Symantec’s anti-virus
• What if your network was really software
1.1 - Shoulder Surfing secure?
Shoulder surfing – You didn’t even plug in that USB 1.1 - Spam
• You have access to important key from the parking lot Spam
information • The attackers can’t get in • Unsolicited messages
– Many people want to see – Not responding to phishing emails – Email, forums, etc.
– Curiosity, industrial espionage, – Not opening any email – Spam over Instant Messaging
competitive advantage attachments (SPIM)
• Various content - Other Social Engineering Attacks
– Commercial advertising Effective social engineering
– Non-commercial proselytizing Tailgating • Constantly changing
– Phishing attempts • Use an authorized person to gain – You never know what they’ll use
• Significant technology issue unauthorized access to a building next
– Security concerns – Not an accident • May involve multiple people
– Resource utilization • Johnny Long / No Tech Hacking – And multiple organizations
– Storage costs – Blend in with clothing – There are ties connecting many
– Managing the spam – 3rd-party with a legitimate reason organizations
– Temporarily take up smoking • May be in person or electronic
Mail gateways – I still prefer bringing doughnuts – Phone calls from aggressive
• Unsolicited email • Once inside, there’s little to stop “customers”
– Stop it at the gateway before it you – Emailed funeral notifications of a
reaches the user – Most security stops at the border friend or associate
– On-site or cloud-based
Watching for tailgating Social engineering principles
Identifying spam • Policy for visitors • Authority
• Allowed list – You should be able to identify – The social engineer is in charge
– Only receive email from trusted anyone – I’m calling from the help
senders • One scan, one person desk/office of the CEO/police
• SMTP standards checking – A matter of policy or mechanically • Intimidation
– Block anything that doesn’t follow required – There will be bad things if you
RFC standards • Mantrap / Airlock don’t help
• rDNS - Reverse DNS – You don’t have a choice – If you don’t help me, the payroll
– Block email where the sender’s • Don’t be afraid to ask checks won’t be processed
domain doesn’t match the IP – Who are you and why are you • Consensus / Social proof
address here? – Convince based on what’s
• Tarpitting normally expected
– Intentionally slow down the Invoice scams – Your co-worker Jill did this for me
server conversation • Starts with a bit of spear phishing last week
• Recipient filtering – Attacker knows who pays the bills • Scarcity
– Block all email not addressed to a • Attacker sends a fake invoice – The situation will not be this way
valid recipient email address – Domain renewal, toner cartridges, for long
etc. – Must make the change before
1.1 - Influence Campaigns – From: address is a spoofed time expires
Hacking public opinion version of the CEO • Urgency
• Influence campaigns • Accounting pays the invoice – Works alongside scarcity
– Sway public opinion on political – It was from the CEO, after all – Act quickly, don’t think
and social issues • Might also include a link to pay • Familiarity / Liking
• Nation-state actors – Now the attacker has payment – Someone you know, we have
– Divide, distract, and persuade details common friends
• Advertising is an option • Trust
– Buy a voice for your opinion Credential harvesting – Someone who is safe
• Enabled through Social media • Also called password harvesting – I’m from IT, and I’m here to help
– Creating, sharing, liking – Attackers collect login credentials
– Amplification • There are a lot of stored 1.2 - An Overview of Malware
credentials on your computer
Hybrid warfare – The attacker would like those Malware
• Military strategy – Chrome, Firefox, Outlook, • Malicious software
– A broad description of the Windows Credential Manager, etc. – These can be very bad
techniques • User receives an email with a • Gather information
– Wage war non-traditionally malicious Microsoft Word doc – Keystrokes
• Not a new concept – Opening the document runs a • Participate in a group
– The Internet adds new methods macro – Controlled over the ‘net
• Cyberwarfare – The macro downloads credential- • Show you advertising
– Attack an entity with technology harvesting malware – Big money
• Influence with a military spin • User has no idea • Viruses and worms
– Influencing foreign elections – Everything happens in the – Encrypt your data
– “Fake news” background – Ruin your day
 • You must pay the bad guys to
Malware Types and Methods Virus types obtain the decryption key
• Viruses • Program viruses – Untraceable payment system
• Crypto-malware – It’s part of the application – An unfortunate use of public-key
• Ransomware • Boot sector viruses cryptography
• Worms – Who needs an OS?
• Trojan Horse Protecting against ransomware
• Rootkit Worms • Always have a backup
• Keylogger • Malware that self-replicates – An offline backup, ideally
• Adware/Spyware – Doesn’t need you to do anything • Keep your operating system up to
• Botnet – Uses the network as a date
transmission medium – Patch those vulnerabilities
How you get malware – Self-propagates and spreads • Keep your applications up to date
• These all work together quickly – Security patches
– A worm takes advantage of a • Worms are pretty bad things • Keep your anti-virus/anti-
vulnerability – Can take over many systems very malware signatures up to date
– Installs malware that includes a quickly – New attacks every hour
remote access backdoor • Firewalls and IDS/IPS can mitigate • Keep everything up to date
– Bot may be installed later many worm infestations
• Your computer must run a – Doesn’t help much once the 1.2 - Trojans and RATs
program worm gets inside Trojan horse
– Email link - Don’t click links • Used by the Greeks to capture
– Web page pop-up Ransomware and Crypto-malware – Troy from the Trojans
– Drive-by download Your data is valuable – A digital wooden horse
– Worm • Personal data • Software that pretends to be
• Your computer is vulnerable – Family pictures and videos something else
– Operating system - Keep your OS – Important documents – So it can conquer your computer
updated! • Organization data – Doesn’t really care much about
– Applications - Check with the – Planning documents replicating
publisher – Employee personally identifiable • Circumvents your existing security
• Script viruses information (PII) – Anti-virus may catch it when it
– Operating system and browser- – Financial information runs
based – Company private data – The better Trojans are built to
• Macro viruses • How much is it worth? avoid and disable AV
– Common in Microsoft Office – There’s a number • Once it’s inside it has free reign
– And it may open the gates for
Fileless virus Ransomware other programs
• A stealth attack • The attackers want your money
– Does a good job of avoiding anti- – They’ll take your computer in the Potentially Unwanted Program
virus detection meantime (PUP)
• Operates in memory • May be a fake ransom • Identified by anti-virus/anti-
– But never installed in a file or – Locks your computer “by the malware
application police” – Potentially undesirable software
• The ransom may be avoided – Often installed along with other
1.2 - Viruses and Worms – A security professional may be software
Virus able to remove these kinds of • Overly aggressive browser toolbar
• Malware that can reproduce itself malware • A backup utility that displays ads
– It needs you to execute a program • Browser search engine hijacker
• Reproduces through file systems Crypto-malware
or the network • A newer generation of Backdoors
– Just running a program can ransomware • Why go through normal
spread a virus – Your data is unavailable until you authentication methods?
• May or may not cause problems provide cash – Just walk in the back door
– Some viruses are invisible, some • Malware encrypts your data files • Often placed on your computer
are annoying – Pictures, documents, music, through malware
• Anti-virus is very common movies, etc. – Some malware software can take
– Thousands of new viruses every – Your OS remains available advantage of backdoors created by
week – They want you running, but not other malware
– Is your signature file updated? working
• Some software includes a • Look for the unusual • Where’s your backup?
backdoor (oops) – Anti-malware scans – You might need it someday
– Old Linux kernel included a • Use a remover specific to the – Cleaning adware isn’t easy
backdoor rootkit • Run some scans - Malwarebytes
– Bad software can have a backdoor – Usually built after the rootkit is
as part of the app discovered 1.2 - Bots and Botnets
• Secure boot with UEFI Bots (Robots)
Remote Access Trojans (RATs) – Security in the BIOS • Once your machine is infected, it
• Remote Administration Tool becomes a bot
– The ultimate backdoor 1.2 - Spyware – You may not even know
– Administrative control of a device Adware • How does it get on your
• Malware installs the • Your computer is one big computer?
server/service/host advertisement – Trojan Horse (I just saw a funny
– Attacker connects with the client – Pop-ups with pop-ups video of you! Click here.) or...
software • May cause performance issues – You run a program or click an ad
• Control a device – Especially over the network you THOUGHT was legit, but...
– Key logging • Installed accidentally – OS or application vulnerability
– Screen recording /screenshots – May be included with other • A day in the life of a bot
– Copy files software – Sit around. Check in with the
– Embed more malware • Be careful of software that claims Command and Control (C&C)
to remove adware server. Wait for instructions.
Protecting against Trojans and – Especially if you learned about it
RATs from a pop-up Botnets
• Don’t run unknown software • A group of bots working together
– Consider the consequences Spyware – Nothing good can come from this
• Keep anti-virus/anti-malware • Malware that spies on you • Distributed Denial of service
signatures updated – Advertising, identity theft, affiliate (DDoS)
– There are always new attacks fraud – The power of many
• Always have a backup • Can trick you into installing • Relay spam, proxy network traffic,
– You may need to quickly recover – Peer to peer, fake security distributed computing tasks
software • Botnets are for sale
Rootkits • Browser monitoring – Rent time from the botnet owner
• Originally a Unix technique – Capture surfing habits – Not a long-term business
– The “root” in rootkit • Keyloggers - Capture every proposition
• Modifies core system files keystroke
– Part of the kernel – Send it back to the mother ship Logic Bomb
• Can be invisible to the operating • Waits for a predefined event
system Why is there so much adware and – Often left by someone with
– Won’t see it in Task Manager spyware? grudge
• Also invisible to traditional anti- • Money • Time bomb
virus utilities – Your eyeballs are incredibly – Time or date
– If you can’t see it, you can’t stop it valuable • User event
• Money – Logic bomb
Kernel drivers – Your computer time and • Difficult to identify
• Zeus/Zbot malware bandwidth is incredibly valuable – Difficult to recover if it goes off
– Famous for cleaning out bank • Money
accounts – Your bank account is incredibly Real-world logic bombs
• Now combined with Necurs valuable • March 19, 2013, South Korea
rootkit – Yes, even your bank account – Email with malicious attachment
– Necurs is a kernel-level driver sent to
• Necurs makes sure you can’t Protecting against – South Korean organizations
delete Zbot adware/spyware – Posed as a bank email
– Access denied • Maintain your anti-virus / anti- – Trojan installs malware
• Trying to stop the Windows malware • March 20, 2013, 2 p.m. local time
process? – Always have the latest signatures – Malware time-based logic-bomb
– Error terminating process: Access • Always know what you’re activates
denied installing – Storage and master boot record
– And watch your options during deleted, system reboots
Finding and removing rootkits the installation – Boot device not found.
– Please install an operating system – Get a better application • Use a dictionary to find common
on your hard disk. words
1.2 - Password Attacks – Passwords are created by humans
1.2 - Logic Bombs Hashing a password • Many common wordlists available
Stopping the bot • Hashes represent data as a fixed- on the ‘net
• Prevent the initial infection length string of text – Some are customized by language
– OS and application patches – A message digest, or “fingerprint” or line of work
– Anti-virus/anti-malware and • Will not have a collision • The password crackers can
updated signatures (hopefully) substitute letters
• Identify an existing infection – Different inputs will not have the – p&ssw0rd
– On-demand scans, network same hash • This takes time
monitoring • One-way trip – Distributed cracking and GPU
• Prevent command and control – Impossible to recover the original cracking is common
(C&C) message from the digest • Discover passwords for common
– Block at the firewall – A common way to store words
– Identify at the workstation with a passwords – This won’t discover random
host-based firewall or host-based character passwords
IPS The password file
• December 17, 2016, 11:53 p.m. • Different across operating 1.2 - Password Attacks (continued)
– Kiev, Ukraine, high-voltage systems and applications Rainbow tables
substation – Different hash algorithms • An optimized, pre-built set of
– Logic bomb begins disabling hashes
electrical circuits Spraying attack – Saves time and storage space
– Malware mapped out the control • Try to login with an incorrect – Doesn’t need to contain every
network password hash
– Began disabling power at a – Eventually you’re locked out – Contains pre-calculated hash
predetermined time • There are some common chains
– Customized for SCADA networks passwords • Remarkable speed increase
(Supervisory Control and Data –https://en.wikipedia.org/wiki/ – Especially with longer password
Acquisition) List_of_the_most_common_passw lengths
ords • Need different tables for different
Preventing a logic bomb • Attack an account with the top hashing methods
• Difficult to recognize three (or more) passwords – Windows is different than MySQL
– Each is unique – If they don’t work, move to the
– No predefined signatures next account Adding some salt
• Process and procedures – No lockouts, no alarms, no alerts • Salt
– Formal change control – Random data added to a
• Electronic monitoring Brute force password when hashing
– Alert on changes • Try every possible password • Every user gets their own random
– Host-based intrusion detection, combination until the hash is salt
Tripwire, etc. matched – The salt is commonly stored with
• Constant auditing • This might take some time the password
– An administrator can circumvent – A strong hashing algorithm slows • Rainbow tables won’t work with
existing systems things down salted hashes
• Brute force attacks - Online – Additional random value added to
Plaintext / unencrypted – Keep trying the login process the original password
passwords – Very slow • This slows things down the brute
• Some applications store – Most accounts will lockout after a force process
passwords “in the clear” number of failed attempts – It doesn’t completely stop the
– No encryption. You can read the • Brute force the hash - Offline reverse engineering
stored password. – Obtain the list of users and • Each user gets a different random
– This is rare, thankfully hashes hash
• Do not store passwords as – Calculate a password hash, – The same password creates a
plaintext compare it to a stored hash different hash
– Anyone with access to the – Large computational resource
password file or database has every requirement When the hashes get out
credential • January 2019 - Collection #1
• What to do if your application Dictionary attacks – A collection of email addresses
saves passwords as plaintext: and passwords
– 12,000+ files and 87 GB of data Skimming • (Thinking About You)
• 1,160,253,228 unique emails and • Stealing credit card information, – Joins Twitter on March 23, 2016
passwords usually during a normal transaction – Designed to learn by interacting
– A compilation of data breach – Copy data from the magnetic with Twitter users
results stripe: – Microsoft didn’t program in anti-
• 772,904,991 unique usernames – Card number, expiration date, offensive behavior
– That’s about 773 million people card holder’s name – Tay quickly became racist, sexist,
• 21,222,975 unique passwords • ATM skimming and inappropriate
– You really need a password – Includes a small camera to also
manager watch for your PIN Evasion attacks
• https://haveibeenpwned.com/ • Attackers use the card • The AI is only as good as the
information for other financial training
1.2 - Physical Attacks transactions – Attackers find the holes and
– Fraud is the responsibility of the limitations
Malicious USB cable seller • An AI that knows what spam
• It looks like a normal USB cable • Always check before using card looks like can be fooled by a
– It has additional electronics inside readers different approach
• Operating system identifies it as a – Change the number of good and
HID 1.2 - Physical attacks (continued) bad words in the message
– Human Interface Device Card cloning • An AI that uses real-world
– It looks like you’ve connected a • Get card details from a skimmer information can release
keyboard or mouse – The clone needs an original confidential information
– A keyboard doesn’t need extra • Create a duplicate of a card – Trained with data that includes
rights or permissions – Looks and feels like the original social security numbers
• Once connected, the cable takes – Often includes the printed CVC – AI can be fooled into revealing
over (Card Validation Code) those numbers
– Downloads and installs malicious • Can only be used with magnetic
software stripe cards Securing the learning algorithms
• Don’t just plug in any USB cable – The chip can’t be cloned • Check the training data
– Always use trusted hardware • Cloned gift cards are common – Cross check and verify
– A magnetic stripe technology • Constantly retrain with new data
Malicious flash drive – More data
• Free USB flash drive! 1.2 Adversarial Artificial Intelligence – Better data
– Plug it in and see what’s on it Machine learning • Train the AI with possible
– That’s a bad idea • Our computers are getting poisoning
• Older operating systems would smarter – What would the attacker try to
automatically run files – They identify patterns in data and do?
– This has now been disabled or improve their predictions
removed by default • This requires a lot of training data 1.2 - Supply Chain Attacks
• Could still act as a HID (Human – Face recognition requires Supply chain
Interface Device) /Keyboard analyzing a lot of faces • The chain contains many moving
– Start a command prompt and – Driving a car requires a lot of road parts
type anything without your time – Raw materials, suppliers,
intervention • In use every day manufacturers, distributors,
• Attackers can load malware in – Stop spam customers, consumers
documents – Recommend products from an • Attackers can infect any step
– PDF files, spreadsheets online retailer along the way
• Can be configured as a boot – What movie would you like to – Infect different parts of the chain
device see? This one. without suspicion
– Infect the computer after a – Prevent car accidents – People trust their suppliers
reboot • One exploit can infect the entire
• Acts as an Ethernet adapter Poisoning the training data chain
– Redirects or modifies Internet • Confuse the artificial intelligence – There’s a lot at stake
traffic requests (AI)
– Acts as a wireless gateway for – Attackers send modified training Supply chain security
other devices data that causes the AI to behave • Target Corp. breach - November
• Never connect an untrusted USB incorrectly 2013
device • Microsoft AI chatter bot named – 40 million credit cards stolen
Tay
• Heating and AC firm in • Security changes can take time
Pennsylvania was infected – New equipment, configurations, Collisions
– Malware delivered in an email and additional costs • Hash digests are supposed to be
– VPN credentials for HVAC techs unique
was stolen Security in the cloud – Different input data should never
• HVAC vendor was the supplier • Data is in a secure environment create the same hash
– Attackers used a wide-open – No physical access to the data • MD5 hash
Target network to infect every cash center – Message Digest Algorithm 5
register at 1,800 stores – Third-party may have access to – Published in April 1992, Collisions
• Do these technicians look like an the data identified in 1996
IT security issue? • Cloud providers are managing • December 2008: Researchers
large-scale security created CA certificate that
Supply chain security – Automated signature and security appeared legitimate when MD5 is
• Can you trust your new updates checked
server/router/switch/firewall/ – Users must follow security best- – Built other certificates that
software? practices appeared to be legit and issued by
– Supply chain cybersecurity • Limited downtime RapidSSL
• Use a small supplier base – Extensive fault-tolerance and
– Tighter control of vendors 24/7/365 monitoring Downgrade attack
• Strict controls over policies and • Scalable security options • Instead of using perfectly good
procedures – One-click security deployments encryption, use something that’s
– Ensure proper security is in place – This may not be as customizable not so great
• Security should be part of the as necessary – Force the systems to downgrade
overall design their security
– There’s a limit to trust 1.2 - Cryptographic Attacks • 2014 - TLS vulnerability - POODLE
Cryptographic attacks (Padding Oracle On Downgraded
Attacks can happen anywhere • You’ve encrypted data and sent it Legacy Encryption)
• Two categories for IT security to another person – On-path attack
– The on-premises data is more – Is it really secure? How do you – Forces clients to fall back to SSL
secure! know? 3.0
– The cloud-based data is more • The attacker doesn’t have the – SSL 3.0 has significant
secure! combination (the key) cryptographic vulnerabilities
• Cloud-based security is – So they break the safe (the – Because of POODLE, modern
centralized and costs less cryptography) browsers won’t fall back to SSL 3.0
– No dedicated hardware, no data • Finding ways to undo the security
center to secure – There are many potential Privilege escalation
– A third-party handles everything cryptographic shortcomings • Gain higher-level access to a
• On-premises puts the security – The problem is often the system
burden on the client implementation – Exploit a vulnerability - Might be a
– Data center security and bug or design flaw
infrastructure costs Birthday attack • Higher-level access means more
• Attackers want your data • In a classroom of 23 students, capabilities
– They don’t care where it is what is the chance of – This commonly is the highest-
two students sharing a birthday? level access
On-premises security About 50%. – This is obviously a concern
• Customize your security posture – For a class of 30, the chance is • These are high-priority
– Full control when everything is in- about 70% vulnerability patches
house • In the digital world, this is a hash – You want to get these holes
• On-site IT team can manage collision closed very quickly
security better – A hash collision is the same hash – Any user can be an administrator
– The local team can ensure value for two • Horizontal privilege escalation
everything is secure different plaintexts – User A can access user B
– A local team can be expensive – Find a collision through brute resources
and difficult to staff force
• Local team maintains uptime and • The attacker will generate 1.3 - Privilege escalation
availability multiple versions of Mitigating privilege escalation
– System checks can occur at any plaintext to match the hashes • Patch quickly
time – Protect yourself with a large hash – Fix the vulnerability
– No phone call for support output size
• Updated anti-virus/anti-malware – Everyone who views the message • SQL Injection
software can have it – Modifying SQL requests
– Block known vulnerabilities posted to their page – Your application shouldn’t really
• Data Execution Prevention – Where someone else can view it allow this
– Only data in executable areas can and propagate it further...
run 1.3 - Injection Attacks
• Address space layout 1.3 - Cross-site Scripting XML injection and LDAP
randomization Hacking a Subaru injection
– Prevent a buffer overrun at a • June 2017, Aaron Guzman • XML - Extensible Markup
known – Security researcher Language
memory address • When authenticating with Subaru, – A set of rules for data transfer
users get a token and storage
Cross-site scripting – This token never expires (bad!) • XML injection
• XSS • A valid token allowed any service – Modifying XML requests - a good
– Cascading Style Sheets (CSS) are request application will validate
something else entirely – Even adding your email address • LDAP - Lightweight Directory
• Originally called cross-site to someone Access Protocol
because of browser security flaws else’s account – Created by the telephone
– Information from one site could – Now you have full access to companies
be shared with another someone else’s car – Now used by almost everyone
• One of the most common web • Web front-end included an XSS • LDAP injection
application vulnerability – Modify LDAP requests to
development errors – A user clicks a malicious link, and manipulate application results
– Takes advantage of the trust a you have
user has for a site their token DLL injection
– Complex and varied • Dynamic-Link Library
• Malware that uses JavaScript - Do Protecting against XSS – A Windows library containing
you allow scripts? Me too. • Be careful when clicking code and data
untrusted links – Many applications can use this
Non-persistent (reflected) XSS – Never blindly click in your email library
attack inbox. Never. • Inject a DLL and have an
• Web site allows scripts to run in • Consider disabling JavaScript application run a program
user input – Or control with an extension – Runs as part of the target process
– Search box is a common source – This offers limited protection Buffer overflows
• Attacker emails a link that takes • Keep your browser and • Overwriting a buffer of memory –
advantage of this vulnerability applications updated Spills over into other memory areas
– Runs a script that sends – Avoid the nasty browser • Developers need to perform
credentials/session IDs/cookies to vulnerabilities bounds checking – The attackers
the attacker • Validate input spend a lot of time looking for
• Script embedded in URL executes – Don’t allow users to add their openings • Not a simple exploit –
in the victim’s browser own scripts to an input field Takes time to avoid crashing things
– As if it came from the server – Takes time to make it do what
• Attacker uses credentials/session Code injection you want • A really useful buffer
IDs/cookies to steal victim’s • Code injection overflow is repeatable – Which
information without their – Adding your own information into means that a system can be
knowledge a data stream compromised
– Very sneaky • Enabled because of bad
programming 1.3 - Replay Attacks
Persistent (stored) XSS attack – The application should properly Replay attack
• Attacker posts a message to a handle • Useful information is transmitted
social network input and output over the network
– Includes the malicious payload • So many different data types – A crafty hacker will take
• It’s now “persistent” - Everyone – HTML, SQL, XML, LDAP, etc. advantage of this
gets the payload • Need access to the raw network
• No specific target - All viewers to SQL injection data – Network tap, ARP poisoning,
the page • SQL - Structured Query Language malware on the victim computer
• For social networking, this can – The most common relational • The gathered information may
spread quickly database help the attacker
management system language
– Replay the data to appear as – You visit ProfessorMesser.com critical vulnerabilities
someone else – Your browser loads text from the
• This is not an on-path attack ProfessorMesser.com server 1.3 - Request Forgeries (continued)
– The actual replay doesn’t require – Your browser loads a video from Capital One SSRF breach -
the original workstation YouTube March 2019
• Avoid this type of replay attack – Your browser loads pictures from • Attacker is able to execute
with a salt Instagram commands
– Use a session ID with the • HTML on ProfessorMesser.com on the Capital One website
password hash to create a unique directs – This is normally stopped by a WAF
authentication hash each time requests from your browser (Web Application Firewall)
– This is normal and expected – The WAF was misconfigured
Header manipulation – Most of these are • Attacker obtained security
• Information gathering unauthenticated requests credentials for the WAF role
– Wireshark, Kismet • WAF-Role account listed the
• Exploits – Cross-site scripting The client and the server buckets on Amazon S3
• Modify headers – Tamper, • Website pages consist of client- • Attacker retrieved the data from
Firesheep, Scapy side the Amazon buckets
• Modify cookies – Cookies code and server-side code • Credit card application data from
Manager+ (Firefox add-on) – Many moving parts 2005 through 2019
• Client side – 106 million names, address,
Prevent session hijacking – Renders the page on the screen phone, email, DoB
• Encrypt end-to-end – HTML, JavaScript – 140,000 Social Security numbers,
– They can’t capture your session ID • Server side 80,000 bank accounts
if they can’t see it – Performs requests from
– Additional load on the web server the client - HTML, PHP Malware hide-and-go-seek
(HTTPS) – Transfer money from one • Traditional anti-virus is very good
– Firefox extension: HTTPS account to another at identifying known attacks
Everywhere, Force-TLS – Post a video on YouTube – Checks the signature
– Many sites are now HTTPS-only – Block anything that matches
• Encrypt end-to-somewhere Cross-site request forgery • There are still ways to infect and
– At least avoid capture over a local • One-click attack, session riding - hide
wireless network XSRF, CSRF (sea surf) – It’s a constant war
– Still in-the-clear for part of the • Takes advantage of the trust that – Zero-day attacks, new attack
journey a web application has for the user types, etc.
– Personal VPN (OpenVPN, – The web site trusts your browser
VyprVPN, etc.) – Requests are made without your Your drivers are powerful
consent or your knowledge • The interaction between the
Browser cookies and session IDs – Attacker posts a Facebook status hardware and your operating
• Cookies on your account system
– Information stored on your • Significant web application – They are often trusted
computer by the browser development oversight – Great opportunity for security
• Used for tracking, personalization, – The application should have anti- issues
session management forgery techniques added • May 2016 - HP Audio Drivers
– Not executable, not generally a – Usually a cryptographic token to – Conexant audio chips
security risk prevent a forgery – Driver installation includes audio
– Unless someone gets access to control software
them Server-side request forgery – Debugging feature enables a
• Could be considered be a privacy (SSRF) keylogger
risk • Attacker finds a vulnerable web • Hardware interactions contain
– Lots of personal data in there application sensitive information
• Session IDs are often stored in the – Sends requests to a web server – Video, keyboard, mouse
cookie – Web server performs the request
– Maintains sessions across on 1.3 - Driver Manipulation
multiple browser sessions behalf of the attacker Shimming
• Caused by bad programming • Filling in the space between two
1.3 - Request Forgeries – Never trust the user input objects
Cross-site requests – Server should validate the input – A middleman
• Cross-site requests are common and the responses • Windows includes it’s own shim
and legitimate – These are rare, but can be
– Backwards compatibility with – Can downgrade to SSL 3.0 • NULL Pointer dereference
previous • TLS 1.1 – Programming technique that
Windows versions – Deprecated in January 2020 by references a
– Application Compatibility Shim modern browsers portion of memory
Cache • TLS 1.2 and TLS 1.3 - The latest – What happens if that reference
• Malware authors write their own standards points to nothing?
shims – Application crash, debug
– Get around security (like UAC) 1.3 - Race Conditions information displayed, DoS
• January 2015 Microsoft Race condition • Integer overflow
vulnerability • A programming conundrum – Large number into a smaller sized
– Elevates privilege – Sometimes, things happen at the space
same time – Where does the extra number
Refactoring – This can be bad if you’ve not go?
• Metamorphic malware planned for it – You shouldn’t be able to
– A different program each time it’s • Time-of-check to time-of-use manipulate
downloaded attack (TOCTOU) memory this way
• Make it appear different each – Check the system
time – When do you use the results of Directory traversal
– Add NOP instructions your last check? • Directory traversal / path
– Loops, pointless code strings – Something might happen traversal
• Can intelligently redesign itself between the check – Read files from a web server that
– Reorder functions and the use are outside of the website’s file
– Modify the application flow directory
– Reorder code and insert unused Race conditions can cause big – Users shouldn’t be able to browse
data types problems the Windows folder
• Difficult to match with signature- • January 2004 - Mars rover “Spirit” • Web server software vulnerability
based detection – Reboot when a problem is – Won’t stop users from browsing
– Use a layered approach identified past the
– Problem is with the file system, so web server root
SSL stripping / HTTP downgrade reboot because of the file system • Web application code
• Combines an on-path attack with problem vulnerability
a downgrade attack – Reboot loop was the result – Take advantage of badly written
– Difficult to implement, but big • GE Energy - Energy Management code
returns for the attacker System
• Attacker must sit in the middle of – Three power lines failed at the Improper error handling
the conversation same time • Errors happen
– Must modify data between the – Race condition delayed alerts – And you should probably know
victim and web server – Caused the Northeast Blackout of about it
– Proxy server, ARP spoofing, rogue 2003 • Messages should be just
Wi-Fi hotspot, etc. • Therac-25 radiation therapy informational enough
• Victim does not see any machine in the 1980s – Avoid too much detail
significant problem – Used software interlocks instead – Network information, memory
– Except the browser page isn’t of hardware dump,
encrypted – Race condition caused 100 times stack traces, database dumps
– Strips the S away from HTTPS the normal dose of radiation • This is an easy one to find and fix
• This is a client and server problem – Six patients injured, three deaths – A development best-practice
– Works on SSL and TLS
Other Application Attacks Improper input handling
1.3 - SSL Stripping Memory vulnerabilities • Many applications accept user
SSL and TLS • Manipulating memory can be input
• SSL (Secure Sockets Layer) 2.0 - advantageous – We put data in, we get data back
Deprecated in 2011 – Relatively difficult to accomplish • All input should be considered
• SSL 3.0 • Memory leak malicious
– Vulnerable to the POODLE attack – Unused memory is not properly – Check everything. Trust nobody.
– Deprecated in June 2015 released • Allowing invalid input can be
• Transport Layer Security (TLS) 1.0 – Begins to slowly grow in size devastating
– Upgrade to SSL 3.0, and a name – Eventually uses all available – SQL injections, buffer overflows,
change memory denial of service, etc.
from SSL to TLS – System crashes
• It takes a lot of work to find input • Configure an access point to look • You may not be able to stop it
that like an existing network – There’s (almost) nothing you can
can be used maliciously – Same (or similar) SSID and do
– But they will find it security settings/captive portal – Time to get a long patch cable
• Overpower the existing access • Wireless disassociation
API attacks points – A significant wireless
• API - Application Programming – May not require the same denial of service (DoS) attack
Interface physical location
• Attackers look for vulnerabilities • WiFi hotspots (and users) are easy 802.11 management frames
in this new to fool • 802.11 wireless includes a
communication path – And they’re wide open number of
– Exposing sensitive data, DoS, • You encrypt your communication, management features
intercepted right? – Frames that make everything
communication, privileged access – Use HTTPS and a VPN work
– You never see them
Resource exhaustion 1.4 - Bluejacking and Bluesnarfing • Important for the operation of
• A specialized DoS (Denial of Bluejacking 802.11 wireless
Service) attack • Sending of unsolicited messages – How to find access points,
– May only require one device and to another manage QoS, associate/
low bandwidths device via Bluetooth disassociate with an access point,
• ZIP bomb – No mobile carrier required! etc.
– A 42 kilobyte .zip compressed file • Typical functional distance is • Original wireless standards did
– Uncompresses to 4.5 petabytes about 10 meters not add
(4,500 terabytes) – More or less, depending on protection for management frames
– Anti-virus will identify these antenna and interference – Sent in the clear
• DHCP starvation • Bluejack with an address book – No authentication or validation
– Attacker floods a network with IP object Protecting against disassociation
address requests – Instead of contact name, write a • IEEE has already addressed the
– MAC address changes each time message problem
– DHCP server eventually runs out – “You are Bluejacked!” – 802.11w - July 2014
of addresses – “You are Bluejacked! Add to • Some of the important
– Switch configurations can rate contacts?” management frames
limit DHCP requests • Third-party software may also be are encrypted
used – Disassociate, deauthenticate,
Rogue access points – Blooover, Bluesniff channel switch announcements,
• An unauthorized wireless access etc.
point Bluesnarfing • Not everything is encrypted
– May be added by an employee or • Access a Bluetooth-enabled – Beacons, probes, authentication,
an attacker device and transfer data association
– Not necessarily malicious – Contact list, calendar, email, • 802.11w is required for 802.11ac
– A significant potential backdoor pictures, video, etc. compliance
• Very easy to plug in a wireless AP • First major security weakness in – This will roll out going forward
– Or enable wireless sharing in your Bluetooth
OS – Marcel Holtmann in September Radio frequency (RF) jamming
• Schedule a periodic survey 2003 and • Denial of Service
– Walk around your – Adam Laurie in November 2003 – Prevent wireless communication
building/campus – This weakness was patched • Transmit interfering wireless
– Use third-party tools / WiFi • Serious security issue signals
Pineapple – If you know the file, you can – Decrease the signal-to-noise ratio
• Consider using 802.1X (Network download it without authentication at
Access Control) the receiving device
– You must authenticate, regardless 1.4 - Wireless Disassociation – The receiving device can’t hear
of the Attacks the good signal
connection type It started as a normal day • Sometimes it’s not intentional
• Surfing along on your wireless – Interference, not jamming
Wireless evil twins network – Microwave oven, fluorescent
• Looks legitimate, but actually – And then you’re not lights
malicious • And then it happens again • Jamming is intentional
– The wireless version of phishing – And again
– Someone wants your network to NFC Security Concern • How can an attacker watch
not work • Remote capture without you knowing?
– It’s a wireless network – Formerly known as man-in-the-
Wireless jamming – 10 meters for active devices middle
• Many different types • Frequency jamming • Redirects your traffic
– Constant, random bits / Constant, – Denial of service – Then passes it on to the
legitimate frames • Relay / Replay attack destination
• Data sent at random times – On-path attack – You never know your traffic was
– Random data and legitimate • Loss of NFC device control redirected
frames – Stolen/lost phone • ARP poisoning
• Reactive jamming – ARP has no security
– Only when someone else tries to 1.4 - Randomizing Cryptography – On-path attack on the local IP
communicate Cryptographic nonce subnet
• Needs to be somewhere close • Arbitrary number
– Difficult to be effective from a – Used once On-path browser attack
distance – “For the nonce” - For the time • What if the middleman was on
• Time to go fox hunting being the same computer as the victim?
– You’ll need the right equipment • A random or pseudo-random – Malware/Trojan does all of the
to hunt down the jam number proxy work
– Directional antenna, attenuator – Something that can’t be – Formerly known as man-in-the-
1.4 - RFID and NFC Attacks reasonably guessed browser
RFID (Radio-frequency – Can also be a counter • Huge advantages for the attackers
identification) • Use a nonce during the login – Relatively easy to proxy encrypted
• It’s everywhere process traffic
– Access badges – Server gives you a nonce – Everything looks normal to the
– Inventory/Assembly line tracking – Calculate your password hash victim
– Pet/Animal identification using the nonce • The malware in your browser
– Anything that needs to be tracked – Each password hash sent to the waits for you to login to your bank
• Radar technology host will be – And cleans you out
– Radio energy transmitted to the different, so a replay won’t work
tag 1.4 - MAC Flooding and Cloning
– RF powers the tag, ID is Initialization Vectors (IV) The MAC address
transmitted back • A type of nonce • Ethernet Media Access Control
– Bidirectional communication – Used for randomizing an address
– Some tag formats can be encryption scheme – The “physical” address of a
active/powered – The more random the better network adapter
• Used in encryption ciphers, WEP, – Unique to a device
RFID Attacks and some • 48 bits / 6 bytes long
• Data capture SSL implementations – Displayed in hexadecimal
– View communication
– Replay attack Salt MAC flooding
• Spoof the reader - Write your • A nonce most commonly • The MAC table is only so big
own data to the tag associated with password • Attacker starts sending traffic
• Denial of service - Signal jamming randomization with different source MAC
• Decrypt communication – Make the password hash addresses
– Many default keys are on Google unpredictable – Force out the legitimate MAC
• Password storage should always addresses
Near field communication (NFC) be salted • The table fills up
• Two-way wireless communication – Each user gets a different salt – Switch begins flooding traffic to
– Builds on RFID, which is mostly • If the password database is all interfaces
one-way breached, you can’t correlate any • This effectively turns the switch
• Payment systems passwords into a hub
– Many options available – Even users with the same – All traffic is transmitted to all
• Bootstrap for other wireless password have different hashes interfaces
– NFC helps with Bluetooth pairing stored – No interruption in traffic flows
• Access token, identity “card” • Attacker can easily capture all
– Short range with encryption 1.4 - On-Path Attacks network traffic!
support On-path network attack • Flooding can be restricted in the
switch’s port
security settings – You don’t need to touch the • Email reputation
actual servers – Suspicious activity
MAC cloning / MAC spoofing – Determines the DNS names and – Malware originating from the IP
• An attacker changes their MAC DNS IP addresses address
address to match the MAC address • Many ways to get into the • A bad reputation can cause email
of an existing device account delivery to fail
– A clone / a spoof – Brute force – Email rejection or simply dropped
• Circumvent filters – Social engineer the password • Check with the email or service
– Wireless or wired MAC filters – Gain access to the email address provider to check the reputation
– Identify a valid MAC address and that manages the account – Follow their instructions to
copy it – The usual things remediate
• Create a DoS • Infected systems are noticed by
– Disrupt communication to the Domain hijacking the search engines
legitimate MAC • Saturday, October 22, 2016, 1 PM – Your domain can be flagged or
• Easily manipulated through • Domain name registrations of removed
software 36 domains are changed • Users will avoid the site
– Usually a device driver option – Brazilian bank – Sales will drop
– Desktop domains, mobile – Users will avoid your brand
LAN switching domains, and more • Malware might be removed
• Forward or drop frames • Under hacker control for 6 hours quickly
– Based on the destination MAC – The attackers became the bank – Recovery takes much longer
address • 5 million customers, $27 billion in
• Gather a constantly updating list assets Denial of Service
of MAC addresses – Results of the hack have not been • Force a service to fail
– Builds the list based on the source publicly released – Overload the service
MAC address of incoming traffic • Take advantage of a design failure
– These age out periodically, often URL hijacking or vulnerability
in 5 minutes • Make money from your mistakes – Keep your systems patched!
• Maintain a loop-free environment – There’s a lot of advertising on the • Cause a system to be unavailable
– Using Spanning Tree Protocol ‘net – Competitive advantage
(STP) • Sell the badly spelled domain to • Create a smokescreen for some
the actual owner other exploit
Learning the MACs – Sell a mistake – Precursor to a DNS spoofing
• Switches examine incoming traffic • Redirect to a competitor attack
– Makes a note of the source MAC – Not as common, legal issues • Doesn’t have to be complicated
address • Phishing site – Turn off the power
• Adds unknown MAC addresses to – Looks like the real site, please
the MAC address table login A “friendly” DoS
– Sets the output interface to the • Infect with a drive-by download • Unintentional DoSing - It’s not
received interface – You’ve got malware! always a ne’er-do-well
• Network DoS - Layer 2 loop
1.4 - DNS Attacks Types of URL hijacking without STP
DNS poisoning • Typosquatting / brandjacking • Bandwidth DoS - Downloading
• Modify the DNS server – Take advantage of poor spelling multi-gigabyte Linux distributions
– Requires some crafty hacking • Outright misspelling over a DSL line
• Modify the client host file – professormesser.com vs. • The water line breaks
– The host file takes precedent over professormessor.com – Get a good shop vacuum
DNS queries • A typing error
• Send a fake response to a valid – professormeser.com Distributed Denial of Service
DNS request • A different phrase (DDoS)
– Requires a redirection of the – professormessers.com • Launch an army of computers to
original request • Different top-level domain bring down a service
or the resulting response – professormesser.org – Use all the bandwidth or
resources - traffic spike
Domain hijacking Domain reputation • This is why the attackers have
• Get access to the domain • The Internet is tracking your botnets
registration, security posture – Thousands or millions of
and you have control where the – They know when things go computers at your command
traffic flows sideways
– At its peak, Zeus botnet infected – Monitor and resolve problems • Designed to make the application
over 3.6 million PCs before they happen easier to use
– Coordinated attack • The need for speed – Can often create security
• Asymmetric threat – The script is as fast as the vulnerabilities
– The attacker may have fewer computer • Attackers create automated
resources than the victim – No typing or delays exploits
– No human error – They just need the user to open
DDoS amplification • Automate the attack the file
• Turn your small attack into a big – The hacker is on borrowed time – Prompts to run the macro
attack
– Often reflected off another device Windows PowerShell Visual Basic for Applications
or service • Command line for system (VBA)
• An increasingly common DDoS administrators • Automates processes within
technique – .ps1 file extension Windows applications
– Turn Internet services against the – Included with Windows 8/8.1 and – Common in Microsoft Office
victim 10 • A powerful programming
• Uses protocols with little (if any) • Extend command-line functions language
authentication or checks – Uses cmdlets (command-lets) – Interacts with the operating
– NTP, DNS, ICMP – PowerShell scripts and functions system
– A common example of protocol – Standalone executables • CVE-2010-0815 / MS10-031
abuse • Attack Windows systems – VBA does not properly search for
– System administration ActiveX
Application DoS – Active Domain administration controls in a document
• Make the application break or – File share access – Run arbitrary code embedded in a
work harder document
– Increase downtime and costs Python – Easy to infect a computer
• Fill the disk space • General-purpose scripting
– A 42 kilobyte .zip compressed file language 1.5 - Threat Actors
– Uncompresses to 4.5 petabytes – .py file extension Threat actors and attributes
(4,500 terabytes) • Popular in many technologies • The entity responsible for an
– Anti-virus will identify these – Broad appeal and support event that has
• Overuse a measured cloud • Commonly used for cloud an impact on the safety of another
resource orchestration entity
– More CPU/memory/network is – Create and tear down application – Also called a malicious actor
more money instances • Broad scope of actors
• Increase the cloud server • Attack the infrastructure – And motivations vary widely
response time – Routers, servers, switches • Advanced Persistent Threat (APT)
– Victim deploys a new application – Attackers are in the network and
instance - repeat Shell script undetected
• Scripting the Unix/Linux shell – 2018 FireEye report:
Operational Technology (OT) – Automate and extend the Americas: 71 days,
DoS command line EMEA: 177 days,
• The hardware and software for – Bash, Bourne, Korn, C APAC: 204 days
industrial equipment • Starts with a shebang or hash-
– Electric grids, traffic control, bang #! Insiders
manufacturing plants, etc. – Often has a .sh file extension • More than just passwords on
• This is more than a web server • Attack the Linux/Unix sticky notes
failing environment – Some insiders are out for no good
– Power grid drops offline – Web, database, virtualization • Sophistication may not be
– All traffic lights are green servers advanced,
– Manufacturing plant shuts down • Control the OS from the but the insider has institutional
• Requires a different approach command line knowledge
– A much more critical security – Malware has a lot of options – Attacks can be directed at
posture vulnerable systems
Macros – The insider knows what to hit
Scripting and automation • Automate functions within an • Extensive resources
• Automate tasks application – Eating away from the inside
– You don’t have to be there – Or operating system
– Solve problems in your sleep Nation states
• Governments – An ethical hacker with good – Collect usernames and passwords
• National security, job security intentions • Transfer files
• Always an external entity – And permission to hack – Take it with you
• Highest sophistication • Unauthorized • Denial of service
• Military control, utilities, financial – Malicious, violates security for – This power cable is in the way
control personal gain
• United States and Israel • Semi-authorized Wireless attack vectors
destroyed 1,000 nuclear centrifuges – Finds a vulnerability, doesn’t use • Default login credentials
with the Stuxnet worm it • Modify the access point
• Constant attacks configuration
• Commonly an Advanced Shadow IT • Rogue access point
Persistent Threat (APT) • Going rogue • A less-secure entry point to the
– Working around the internal IT network
Hacktivist organization • Evil twin
• A hacker with a purpose • Information Technology can put • Attacker collects authentication
– Social change or a political agenda up roadblocks details
– Often an external entity – Shadow IT is unencumbered • On-path attacks
• Can be remarkably sophisticated – Use the cloud • Protocol vulnerabilities
– Very specific hacks – Might also be able to innovate • 2017 - WPA2 Key Reinstallation
– DoS, web site defacing, release of • Not always a good thing Attack (KRACK)
private documents, etc. – Wasted time and money • Older encryption protocols (WEP,
• Funding is limited – Security risks WPA)
– Some organizations have – Compliance issues
fundraising options – Dysfunctional organization Email attack vectors
Competitors • One of the biggest (and most
Script kiddies • Many different motivations successful) attack vectors
• Runs pre-made scripts without – DoS, espionage, harm reputation – Everyone has email
any knowledge • High level of sophistication • Phishing attacks
of what’s really happening – Based on some significant funding – People want to click links
– Not necessarily a youngster – The competitive upside is huge • Deliver the malware to the user
• Can be internal or external (and very unethical) – Attach it to the message
– But usually external • Many different intents • Social engineering attacks
• Not very sophisticated – Shut down your competitor – Invoice scam
• No formal funding during an event
– Looking for low hanging fruit – Steal customer lists Supply chain attack vectors
• Motivated by the hunt – Corrupt manufacturing databases • Tamper with the underlying
– Working the ego, trying to make a – Take financial information infrastructure
name – Or manufacturing process
1.5 - Attack Vectors • Gain access to a network using a
Organized crime Attack vectors vendor
• Professional criminals • A method used by the attacker – 2013 Target credit card breach
– Motivated by money – Gain access or infect to the target • Malware can modify the
– Almost always an external entity • A lot of work goes into finding manufacturing process
• Very sophisticated vulnerabilities in these vectors – 2010 - Stuxnet disrupts Iran’s
– Best hacking money can buy – Some are more vulnerable than uranium enrichment program
• Crime that’s organized others • Counterfeit networking
– One person hacks, one person • IT security professional spend equipment
manages the exploits, another their career watching these vectors – Install backdoors, substandard
person sells the data, another – Closing up existing vectors performance and availability
handles customer support – Finding new ones – 2020 - Fake Cisco Catalyst 2960-X
• Lots of capital to fund hacking Direct access attack vectors and WS-2960X-48TS-L
efforts • There’s a reason we lock the data
center Social media attack vectors
Hackers – Physical access to a system is a • Attackers thank you for putting
• Experts with technology significant attack vector your personal information online
– Often driven by money, power, • Modify the operating system – Where you are and when
and ego – Reset the administrator password – Vacation pictures are especially
• Authorized in a few minutes telling
• Attach a keylogger • User profiling
– Where were you born? – Mostly public hearings, reports, Automated indicator sharing
– What is the name of your school websites, etc. (AIS)
mascot? • Commercial data • Intelligence industry needs a
• Fake friends are fake – Maps, financial reports, databases standard way to share important
– The inner circle can provide threat data
additional information Closed/proprietary intelligence – Share information freely
• Someone else has already • Structured Threat Information
Removable media attack vectors compiled the threat information eXpression (STIX)
• Get around the firewall – You can buy it – Describes cyber threat
– The USB interface • Threat intelligence services information
• Malicious software on USB flash – Threat analytics, correlation – Includes motivations, abilities,
drives across different data sources capabilities, and response
– Infect air gapped networks • Constant threat monitoring information
– Industrial systems, high-security – Identify new threats • Trusted Automated eXchange of
services – Create automated prevention Indicator Information (TAXII)
• USB devices can act as keyboards workflows – Securely shares STIX data
– Hacker on a chip
• Data exfiltration Vulnerability databases Dark web intelligence
– Terabytes of data walk out the • Researchers find vulnerabilities • Dark web
door – Everyone needs to know about – Overlay networks that use the
– Zero bandwidth used them Internet
• Common Vulnerabilities and – Requires specific software and
Cloud attack vectors Exposures (CVE) configurations to access
• Publicly-facing applications and – A community managed list of • Hacking groups and services
services vulnerabilities – Activities
– Mistakes are made all the time – Sponsored by the U.S. – Tools and techniques
• Security misconfigurations Department of Homeland Security – Credit card sales
– Data permissions and public data (DHS) and Cybersecurity and – Accounts and passwords
stores Infrastructure Security Agency • Monitor forums for activity
• Brute force attacks (CISA) – Company names, executive
– Or phish the users of the cloud • U.S. National Vulnerability names
service Database (NVD)
• Orchestration attacks – A summary of CVEs Indicators of compromise (IOC)
– Make the cloud build new – Also sponsored by DHS and CISA • An event that indicates an
application instances • NVD provides additional details intrusion
• Denial of service over the CVE list – Confidence is high
– Disable the cloud services for – Patch availability and severity – He’s calling from inside the house
everyone scoring • Indicators
– Unusual amount of network
1.5 - Threat Intelligence Public/private information- activity
Threat intelligence sharing centers – Change to file hash values
• Research the threats - And the • Public threat intelligence – Irregular international traffic
threat actors – Often classified information – Changes to DNS data
• Data is everywhere • Private threat intelligence – Uncommon login patterns
– Hacker group profiles, tools used – Private companies have extensive – Spikes of read requests to certain
by the attackers, and much more resources files
• Make decisions based on this • Need to share critical security
intelligence details Predictive analysis
– Invest in the best prevention – Real-time, high-quality cyber • Analyze large amounts of data
• Used by researchers, security threat information sharing very quickly
operations teams, and others • Cyber Threat Alliance (CTA) – Find suspicious patterns
– Members upload specifically – Big data used for cybersecurity
Open-source intelligence (OSINT) formatted threat intelligence • Identify behaviors
• Open-source – CTA scores each submission and – DNS queries, traffic patterns,
– Publicly available sources validates location data
– A good place to start across other submissions • Creates a forecast for potential
• Internet – Other members can extract the attacks
– Discussion groups, social media validated data – An early-warning system
• Government data
• Often combined with machine • Consolidated view of security • A gathering of local peers
learning issues – Shared industry and technology,
– Less emphasis on signatures geographical presence
Conferences • Associations
Threat maps • Watch and learn – Information Systems Security
• Identify attacks and trends – An early warning of things to Association,
– View worldwide perspective come Network Professional Association
• Created from real attack data • Researchers – Meet others in the area, discuss
– Identify and react – New DDoS methods, intelligence local challenges
gathering, • Industry user groups
File/code repositories hacking the latest technologies – Cisco, Microsoft, VMware, etc. -
• See what the hackers are building • Stories from the trenches Secure specific technologies
– Public code repositories, GitHub – Fighting and recovering from
• See what people are accidentally attacks Social media
releasing – New methods to protect your • Hacking group conversations -
– Private code can often be data Monitor the chatter
published publicly • Building relationships - forge • Honeypot monitoring on Twitter
• Attackers are always looking for alliances – Identify new exploit attempts
this code • Keyword monitoring - CVE-2020-
– Potential exploits exist Academic journals *, bugbounty, 0-day
– Content for phishing attacks • Research from academic • Analysis of vulnerabilities -
1.5 - Threat Research professionals Professionals discussing the details
Threat research – Cutting edge security analysis • Command and control - Use social
• Know your enemy • Evaluations of existing security media as the transport
– And their tools of war technologies
• A never-ending process – Keeping up with the latest attack Threat feeds
– The field is constantly moving and methods • Monitor threat announcements -
changing • Detailed post mortem Stay informed
• Information from many different – Tear apart the latest malware and • Many sources of information
places see what makes it tick – U.S. Department of Homeland
– You can’t rely on a single source • Extremely detailed information Security
– Break apart topics into their – U.S. Federal Bureau of
Vendor websites smaller pieces Investigation
• Vendors and manufacturers – SANS Internet Storm Center
– They wrote the software Request for comments (RFC) – VirusTotal Intelligence:
• They know when problems are • Published by the Internet Society – Google and Facebook correlation
announced (ISOC)
– Most vendors are involved in the – Often written by the Internet TTP
disclosure process Engineering • Tactics, techniques, and
• They know their product better Task Force (IETF) procedures
than anyone – Internet Society description is RFC – What are adversaries doing and
– They react when surprises happen 1602 how are they doing it?
– Scrambling after a zero-day • Not all RFCs are standards • Search through data and
announcement documents networks
– Mitigating and support options – Experimental, Best Current – Proactively look for threats
Practice, – Signatures and firewall rules can’t
Vulnerability feeds Standard Track, and Historic catch everything
• Automated vulnerability • Many informational RFCs analyze • Different types of TTPs
notifications threats – Information on targeted victims
• National Vulnerability Database – RFC 3833 - Threat Analysis of the (Finance for energy companies)
(https://nvd.nist.gov) Domain – Infrastructure used by attackers
• CVE Data Feeds Name System (DNS and IP addresses)
(https://cve.mitre.org) – RFC 7624 - Confidentiality in the – Outbreak of a particular malware
• Third-party feeds Face of variant on a service type
• Additional vulnerability coverage Pervasive Surveillance:
• Roll-up to a vulnerability – A Threat Model and Problem 1.6 - Vulnerability Types
management system Statement Zero-day attacks
• Coverage across teams • Many applications have
Local industry groups vulnerabilities
– We’ve just not found them yet – Used a debugger to help monitor – It’s important to manage access
• Someone is working hard to find and troubleshoot web site issues • Often managed with a firewall
the next – Was left exposed to the Internet – Manage traffic flows
big vulnerability – Effectively allowed for remote – Allow or deny based on port
– The good guys share these with code executions number or application
developers – Gigabytes of customer data was • Firewall rulesets can be complex
• Attackers keep these yet-to-be- released online – It’s easy to make a mistake
discovered holes to themselves • Always test and audit
– They want to use these Weak encryption – Double and triple check
vulnerabilities for • Encryption protocol (AES, 3DES,
personal gain etc.) Improper patch management
• Zero-day – Length of the encryption key (40 • Often centrally managed
– The vulnerability has not been bits, 128 bits, – The update server determine
detected or published 256 bits, etc.) when you patch
– Zero-day exploits are increasingly – Hash used for the integrity check – Test all of your apps, then deploy
common (SHA, MD5, etc.) – Efficiently manage bandwidth
• Common Vulnerabilities and – Wireless encryption (WEP, WPA) • Firmware - The BIOS of the device
Exposures (CVE) • Some cipher suites are easier to • Operating system- Monthly and
– http://cve.mitre.org/ break than others on-demand patches
– Stay updated with the latest best • Applications
Open permissions practices – Provided by the manufacturer as-
• Very easy to leave a door open • TLS is one of the most common needed
– The hackers will always find it issues
• Increasingly common with cloud – Over 300 cipher suites Legacy platforms
storage • Which are good and which are • Some devices remain installed for
– Statistical chance of finding an bad? a long time
open permission – Weak or null encryption (less than – Perhaps too long
• June 2017 - 14 million Verizon 128 bit key sizes), • Legacy devices
records exposed outdated hashes (MD5) – Older operating systems,
– Third-party left an Amazon S3 applications, middleware
data repository open Insecure protocols • May be running end-of-life
– Researcher found the data before • Some protocols aren’t encrypted software
anyone else – All traffic sent in the clear - – The risk needs to be compared to
• Many, many other examples Telnet, FTP, SMTP, IMAP the return
– Secure your permissions! • Verify with a packet capture • May require additional security
– View everything sent over the protections
Unsecured root accounts network – Additional firewall rules
• The Linux root account • Use the encrypted versions- SSH, – IPS signature rules for older
– The Administrator or superuser SFTP, IMAPS, etc. operating systems
account
• Can be a misconfiguration Default settings 1.6 - Third-party Risks
– Intentionally configuring an easy- • Every application and network Third-party risks
to-hack password device has a default login • IT security doesn’t change
– 123456, ninja, football – Not all of these are ever changed because it’s a third-party
• Disable direct login to the root • Mirai botnet – There should be more security,
account – Takes advantage of default not less
– Use the su or sudo option configurations • Always expect the worst
• Protect accounts with root or – Takes over Internet of Things (IoT) – Prepare for a breach
administrator access devices • Human error is still the biggest
– There should not be a lot of these – 60+ default configurations issue
– Cameras, routers, doorbells, – Everyone needs to use IT security
Errors garage door openers, etc. best practices
• Error messages can provide useful • Mirai released as open-source • All security is important
information to an attacker software – Physical security and
– Service type, version information, – There’s a lot more where that cybersecurity work hand-in-hand
debug data came from
• September 2015 - Patreon is System integration risk
compromised Open ports and services • Professional installation and
• Services will open ports maintenance
– Can include elevated OS access – Healthcare details, financial Financial loss
• Can be on-site information • March 2016 - Bank of Bangladesh
– With physical or virtual access to • Storage at a third-party may need – Society for Worldwide Interbank
data and systems encryption Financial
– Keylogger installations and USB – Limits exposure, adds complexity Telecommunications (SWIFT)
flash drive data transfers • Transferring data • Attackers sent secure messages to
• Can run software on the internal – The entire data flow needs to be transfer nearly one billion dollars in
network encrypted reserves to accounts in Philippines
– Less security on the inside and Sri Lanka
– Port scanners, traffic captures 1.6 - Vulnerability Impacts – Fortunately, most of the
– Inject malware and spyware, Vulnerability impacts messages were
sometimes inadvertently • Malicious cyber activity cost the incorrectly formatted
U.S. economy between $57 billion • Thirty-five requests were acted
1.6 Third-party Risks (continued) and $109 billion in 2016 upon
– The Cost of Malicious Cyber – $81 million lost and laundered
Lack of vendor support Activity to the U.S. Economy, through the
• Security requires diligence – The Council of Economic Advisers, Filipino casino industry
– The potential for a vulnerability is February 2018 • Similar SWIFT vulnerabilities: $12
always there • Many other non-economic million from Wells Fargo, $60
• Vendors are the only ones who impacts - Far reaching effects million from Taiwanese Far Eastern
can fix their products • These are the reasons we patch International Bank
– Assuming they know about the vulnerabilities
problem Reputation impacts
– And care about fixing it Data loss • Getting hacked isn’t a great look
• Trane Comfortlink II thermostats • Vulnerability: Unsecured – Organizations are often required
– Control the temperature from databases to disclose
your phone – No password or default password – Stock prices drop, at least for the
– Trane notified of three • July 2020 - Internet-facing short term
vulnerabilities in April 2014 databases are being deleted • October 2016 - Uber breach
– Two patched in April 2015, one in – No warning, no explanation – 25.6 million Names, email
January 2016 • Thousands of databases are addresses, mobile numbers
missing • Didn’t publicly announce it until
Supply chain risk – I hope you had a backup November 2017
• You can’t always control security • Overwrites data with iterations of – Allegedly paid the hackers
at a third-party location the word “meow” $100,000 and had them sign an
– Always maintain local security – No messages or motivational NDA
controls content – 2018 - Uber paid $148 million in
• Hardware and software from a fines
vendor can contain malware Identity theft • Hackers pleaded guilty in October
– Verify the security of new systems • May through July 2017 - Equifax 2019
• Counterfeit hardware is out there – Data breach of 147.9 million – August 2020 - Uber’s former Chief
– It looks like a Cisco switch…Is it Americans, Security Officer
malicious? – 15.2 million British citizens,
19,000 Canadian citizens Availability loss
Outsourced code development – Names, SSNs, birthdates, • Outages and downtime - Systems
• Accessing the code base addresses, some driver’s license are unavailable
– Internal access over a VPN numbers • The pervasive ransomware threat
– Cloud-based access • Apache Struts vulnerability from – Brings down the largest networks
• Verify security to other systems March 7, 2017 • September 2020 - BancoEstado
– The development systems should – Breach started March 12th – One of Chile’s three biggest banks
be isolated – Wasn’t patched by Equifax until – Ransomware attack over the
• Test the code security July 30th after discovering weekend
– Check for backdoors “suspicious network traffic” • Bank closed for an extended
– Validate data protection and – September 7th - Public disclosure period
encryption • September 15th - CIO and CSO – Segmented network - Only hit
depart Equifax internal systems
Data storage • July 2019 - Equifax pays $575 – Wipe and restore everything
• Consider the type of data million in fines
– Contact information Threat hunting
• The constant game of cat and – The computer reacts instantly • Common Vulnerabilities and
mouse • Combine with fused intelligence Exposures (CVE):
– Find the attacker before they find – Ongoing combat from many https://cve.mitre.org/cve/
you fronts • Microsoft Security Bulletins:
• Strategies are constantly changing • Tomorrow it’s a different fight http://www.microsoft.com/
– Firewalls get stronger, so phishing technet/security/current.aspx
gets better 1.7 - Vulnerability Scans • Some vulnerabilities cannot be
• Intelligence data is reactive Vulnerability scanning definitively identified
– You can’t see the attack until it • Usually minimally invasive – You’ll have to check manually to
happens – Unlike a penetration test see if a
• Speed up the reaction time • Port scan system is vulnerable
– Use technology to fight – Poke around and see what’s open – The scanner gives you a heads-up
• Identify systems • National Vulnerability Database:
Intelligence fusion – And security devices http://nvd.nist.gov/
• An overwhelming amount of • Test from the outside and inside – Synchronized with the CVE list
security data – Don’t dismiss insider threats – Enhanced search functionality
– Too much data to properly detect, • Gather as much information as • Common Vulnerability Scoring
analyze, and react possible System (CVSS)
• Many data types – We’ll separate wheat from chaff – Quantitative scoring of a
– Dramatically different in type and later vulnerability - 0 to 10
scope – The scoring standards change
• Separate teams Scan types over time
– Security operations, security • Scanners are very powerful – Different scoring for CVSS 2.0 vs
intelligence, threat response – Use many different techniques to CVSS 3.x
• Fuse the security data together identify • Industry collaboration
with vulnerabilities – Enhanced feed sharing and
big data analytics • Non-intrusive scans automation
– Analyze massive and diverse – Gather information, don’t try to
datasets exploit a Vulnerability scan log review
– Pick out the interesting data vulnerability • Lack of security controls
points • Intrusive scans – No firewall
and correlations – You’ll try out the vulnerability to – No anti-virus
see if it works – No anti-spyware
Fusing the data • Non-credentialed scans • Misconfigurations
• Collect the data – The scanner can’t login to the – Open shares
– Logs and sensors, network remote device – Guest access
information, • Credentialed scan • Real vulnerabilities
Internet events, intrusion detection – You’re a normal user, – Especially newer ones
• Add external sources emulates an insider attack – Occasionally the old ones
– Threat feeds, governmental
alerts, advisories and bulletins, Identify vulnerabilities Dealing with false positives
social media • The scanner looks for everything • False positives
• Correlate with big data analytics – Well, not everything - The – A vulnerability is identified that
– Focuses on predictive analytics signatures are the key doesn’t really exist
and user behavior analytics • Application scans • This is different than a low-
– Mathematical analysis of – Desktop, mobile apps severity vulnerability
unstructured data • Web application scans – It’s real, but it may not be your
– Software on a web server highest priority
Cybersecurity maneuvers • Network scans • False negatives
• In the physical world, move – Misconfigured firewalls, open – A vulnerability exists, but you
troops and tanks ports, vulnerable devices didn’t detect it
– Stop the enemy on a bridge or • Update to the latest signatures
shore Vulnerability research – If you don’t know about it, you
• In the virtual world, move • The vulnerabilities can be cross- can’t see it
firewalls and operating systems referenced online • Work with the vulnerability
– Set a firewall rule, block an IP – Almost all scanners give you a detection manufacturer
address, delete malicious software place to go – They may need to update their
• Automated maneuvers • National Vulnerability Database: signatures for your environment
– Moving at the speed of light http://nvd.nist.gov/
Configuration review – Important metrics in the incoming
• Validate the security of device logs Rules of engagement
configurations • Track important statistics • An important document
– It’s easy to misconfigure one thing – Exceptions can be identified – Defines purpose and scope
– A single unlocked window puts • Send alerts when problems are – Makes everyone aware of the test
the entire home at risk found parameters
• Workstations – Email, text, call, etc. • Type of testing and schedule
– Account configurations, local • Create triggers to automate – On-site physical breach, internal
device settings responses test,
• Servers - Access controls, – Open a ticket, reboot a server external test
permission settings – Normal working hours, after 6 PM
• Security devices - Firewall rules, Analyzing the data only, etc.
authentication options • Big data analytics • The rules
– Analyze large data stores – IP address ranges
SIEM – Identify patterns that would – Emergency contacts
• Security Information and Event normally remain invisible – How to handle sensitive
Management • User and entity behavior analytics information
– Logging of security events and (UEBA) – In-scope and out-of-scope devices
information – Detect insider threats or applications
• Log collection of security alerts – Identify targeted attacks
– Real-time information – Catches what the SIEM and DLP Working knowledge
• Log aggregation and long-term systems might miss • How much do you know about
storage • Sentiment analysis the test?
– Usually includes advanced – Public discourse correlates to – Many different approaches
reporting features real-world behavior • Unknown environment
• Data correlation - Link diverse – If they hate you, they hack you – The pentester knows nothing
data types – Social media can be a barometer about the
• Forensic analysis - Gather details systems under attack
after an event SOAR – “Blind” test
• Security orchestration, • Known environment
Syslog automation, and response – Full disclosure
• Standard for message logging – Automate routine, tedious, and • Partially known environment
– Diverse systems, consolidated log time intensive activities – A mix of known and unknown
• Usually a central log collector • Orchestration – Focus on certain systems or
– Integrated into the SIEM – Connect many different tools applications
• You’re going to need a lot of disk together
space – Firewalls, account management, Exploiting vulnerabilities
– No, more. More than that. email filters • Try to break into the system
– Data storage from many devices • Automation - Handle security – Be careful; this can cause a denial
over tasks automatically of service or
an extended timeframe • Response - Make changes loss of data
immediately – Buffer overflows can cause
SIEM data Testing instability
• Data inputs Penetration testing – Gain privilege escalation
– Server authentication attempts • Pentest • You may need to try many
– VPN connections – Simulate an attack different vulnerability types
– Firewall session logs • Similar to vulnerability scanning – Password brute-force, social
– Denied outbound traffic flows – Except we actually try to exploit engineering,
– Network utilizations the vulnerabilities database injections, buffer
• Packet captures • Often a compliance mandate overflows
– Network packets – Regular penetration testing by a • You’ll only be sure you’re
– Often associated with a critical 3rd-party vulnerable if you can bypass
alert • National Institute of Standards security
– Some organizations capture and Technology Technical Guide to – If you can get through, the
everything Information Security Testing and attackers can get through
Assessment
Security monitoring – The process
• Constant information flow https://professormesser.link/80011 • Initial exploitation - Get into the
5 (PDF) network
• Lateral movement • Business organizations • Social engineering - Constant
– Move from system to system vigilance
– The inside of the network is 1.8 Reconnaissance (continued) • Web application scanning - Test
relatively unprotected Wardriving or warflying and test again
• Persistence • Combine WiFi monitoring and a
– Once you’re there, you need to GPS Blue team
make sure there’s a way back in – Search from your car or plane • Defensive security - Protecting
– Set up a backdoor, build user – Search from a drone the data
accounts, change or verify default • Huge amount of intel in a short • Operational security - Daily
passwords period of time security tasks
• The pivot – And often some surprising results • Incident response - Damage
– Gain access to systems that would • All of this is free control
normally not be accessible – Kismet, inSSIDer • Threat hunting - Find and fix the
– Use a vulnerable system as a – Wireless Geographic holes
proxy or relay – Logging Engine • Digital forensics - Find data
– http://wigle.net everywhere
Pentest aftermath
• Cleanup Open Source Intelligence Purple team
– Leave the network in its original (OSINT) • Red and blue teams
state • Gathering information from many – Working together
– Remove any binaries or open sources • Competition isn’t necessarily
temporary files – Find information on anyone or useful
– Remove any backdoors anything – Internal battles can stifle
– Delete user accounts created – The name is not related to open- organizational security
during the test source software – Cooperate instead of compete
• Bug bounty • Data is everywhere - • Deploy applications and data
– A reward for discovering https://osintframework.com/ securely
vulnerabilities • Automated gathering - Many – Everyone is on-board
– Earn money for hacking a system software tools available • Create a feedback loop
– Document the vulnerability to – Red informs blue, blue informs
earn cash Active footprinting red
• Trying the doors
1.8 - Reconnaissance – Maybe one is unlocked White team
Reconnaissance – Don’t open it yet • Not on a side
• Need information before the – Relatively easy to be seen – Manages the interactions
attack • Visible on network traffic and logs between red teams
– Can’t rush blindly into battle • Ping scans, port scans, DNS and blue teams
• Gathering a digital footprint queries, • The referees in a security exercise
– Learn everything you can OS scans, OS fingerprinting, Service – Enforces the rules
• Understand the security posture scans, version scans – Resolves any issues
– Firewalls, security configurations – Determines the score
• Minimize the attack area 1.8 - Security Teams • Manages the post-event
– Focus on key systems Security teams assessments
• Create a network map • Cybersecurity involves many skills – Lessons learned
– Identify routers, networks, – Operational security, penetration – Results
remote sites testing, exploit research, web
application hardening, etc. 2.1 Configuration Management
Passive footprinting • Become an expert in your niche
• Learn as much as you can from – Everyone has a role to play Configuration management
open sources • The teams • The only constant is change
– There’s a lot of information out – Red team, blue team, purple – Operating systems, patches,
there team, white team application updates, network
– Remarkably difficult to protect or modifications, new application
identify Red team instances, etc.
• Social media • Offensive security team - The • Identify and document hardware
• Corporate web site hired attackers and software settings
• Online forums, Reddit • Ethical hacking - Find security – Manage the security when
• Social engineering holes changes occur
• Dumpster diving • Exploit vulnerabilities -Gain access
• Rebuild those systems if a – A complex mesh of technology – Different sites have a different
disaster occurs and legalities subnet
– Documentation and processes will • Where is your data stored? – 10.1.x.x/24, 10.2.x.x/24,
be critical – Your compliance laws may 10.3.x.x/24
prohibit • Reserved addresses
Diagrams moving data out of the country – Users, printers, routers/default
• Network diagrams - Document gateways
the physical wire and device Data masking • Confusion
• Physical data center layout • Data obfuscation – The encrypted data is drastically
– Can include physical rack – Hide some of the original data different
locations • Protects PII than the plaintext
• Device diagrams - Individual – And other sensitive data • Diffusion
cabling • May only be hidden from view – Change one character of the
– The data may still be intact in input, and many
Baseline configuration storage characters change of the output
• The security of an application – Control the view based on
environment permissions Data at-rest
should be well defined • Many different techniques • The data is on a storage device
– All application instances must – Substituting, shuffling, encrypting, – Hard drive, SSD, flash drive, etc.
follow this baseline masking out, etc. • Encrypt the data
– Firewall settings, patch levels, OS – Whole disk encryption
file versions Data encryption – Database encryption
– May require constant updates • Encode information into – File- or folder-level encryption
• Integrity measurements check for unreadable data • Apply permissions
the – Original information is plaintext, – Access control lists
secure baseline encrypted – Only authorized users can access
– These should be performed often form is ciphertext the data
– Check against well-documented • This is a two-way street
baselines – Convert between one and the Data in-transit
– Failure requires an immediate other • Data transmitted over the
correction – If you have the proper key network
– Also called data in-motion
Protecting Data 2.1 - Configuration Management • Not much protection as it travels
• A primary job task (continued) – Many different switches, routers,
– An organization is out of business devices
without data Standard naming conventions • Network-based protection
• Data is everywhere • Create a standard – Firewall, IPS
– On a storage drive, on the – Needs to be easily understood by • Provide transport encryption
network, in a CPU everyone – TLS (Transport Layer Security)
• Protecting the data • Devices – IPsec (Internet Protocol Security)
– Encryption, security policies – Asset tag names and numbers
• Data permissions – Computer names - location or Data in-use
– Not everyone has the same region • Data is actively processing in
access – Serial numbers memory
• Networks - Port labeling – System RAM, CPU registers and
Data sovereignty • Domain configurations cache
• Data sovereignty – User account names • The data is almost always
– Data that resides in a country is – Standard email addresses decrypted
subject to – Otherwise, you couldn’t do
the laws of that country IP schema anything with it
– Legal monitoring, court orders, • An IP address plan or model • The attackers can pick the
etc. – Consistent addressing for network decrypted information out of RAM
• Laws may prohibit where data is devices – A very attractive option
stored – Helps avoid duplicate IP • Target Corp. breach - November
– GDPR (General Data Protection addressing 2013
Regulation) • Locations – 110 million credit cards
– Data collected on EU citizens – Number of subnets, hosts per – Data in-transit encryption and
must be stored subnet data at-rest encryption
in the EU • IP ranges
– Attackers picked the credit card • Legal implications
numbers out of the point-of-sale USB blocking – Business regulations vary
RAM • DLP on a workstation between states
– Allow or deny certain tasks – For a recovery site outside of the
Tokenization • November 2008 - U.S. country, personnel must have a
• Replace sensitive data with a non- Department of Defense passport and be able to clear
sensitive placeholder – Worm virus “agent.btz” replicates immigration
– SSN 266-12-1112 is now 691-61- using USB storage – Refer to your legal team
8539 – Bans removable flash media and • Offsite backup
• Common with credit card storage devices – Organization-owned site or 3rd-
processing • All devices had to be updated party secure facility
– Use a temporary token during – Local DLP agent handled USB • Offsite recovery
payment blocking – Hosted in a different location,
– An attacker capturing the card • Ban was lifted in February 2010 outside the scope of the disaster
numbers – Replaced with strict guidelines – Travel considerations for support
can’t use them later staff and employees
• This isn’t encryption or hashing 2.1 - Data Loss Prevention
– The original data and token aren’t Cloud-based DLP 2.1 - Managing Security
mathematically related • Located between users and the Response and recovery controls
– No encryption overhead Internet • Incident response and recovery
– Watch every byte of network has become
2.1 - Protecting Data (continued) traffic commonplace
Information Rights Management – No hardware, no software – Attacks are frequent and complex
(IRM) • Block custom defined data strings • Incident response plan should be
• Control how data is used – Unique data for your organization established
– Microsoft Office documents, • Manage access to URLs – Documentation is critical
email messages, PDFs – Prevent file transfers to cloud – Identify the attack
• Restrict data access to storage – Contain the attack
unauthorized persons • Block viruses and malware • Limit the impact of an attacker
– Prevent copy and paste – Anything traversing the network – Limit data exfiltration
– Control screenshots – Limit access to sensitive data
– Manage printing DLP and email
– Restrict editing • Email continues to be the most SSL/TLS inspection
• Each user has their own set of critical risk vector • Commonly used to examine
rights – Inbound threats, outbound data outgoing SSL/TLS
– Attackers have limited options loss – Secure Sockets Layer/Transport
• Check every email inbound and Layer Security
Data Loss Prevention (DLP) outbound – For example, from your computer
• Where’s your data? – Internal system or cloud-based to your bank
– Social Security numbers, credit • Inbound - Block keywords, • Wait a second. Examine
card numbers, identify impostors, encrypted traffic?
medical records quarantine email messages – Is that possible?
• Stop the data before the attackers • Outbound - Fake wire transfers, • SSL/TLS relies on trust
get it W-2 transmissions, employee – Without trust, none of this works
– Data “leakage” information
• So many sources, so many Trust me, I’m SSL
destinations Emailing a spreadsheet template • Your browser contains a list of
– Often requires multiple solutions • November 2016 - Boeing trusted CAs
in different places employee emails spouse a – My browser contains about 170
spreadsheet to use as a template trusted
Data Loss Prevention (DLP) • Contained the PII of 36,000 CAs certificates
systems Boeing employees • Your browser doesn’t trust a web
• On your computer – In hidden columns site unless a CA has signed the web
– Data in use – Social security numbers, date of server’s encryption certificate
– Endpoint DLP birth, etc. – The web site pays some money to
• On your network • Boeing sells its own DLP software the CA for this
– Data in motion – But only uses it for classified work • The CA has ostensibly performed
• On your server some checks
– Data at rest Geographical considerations
– Validated against the DNS record, changes – Kippo, Google Hack Honeypot,
phone call, etc. • WAF (Web Application Firewall) Wordpot, etc.
• Your browser checks the web – Apply rules to API communication • Constant battle to discern the real
server’s certificate from the fake
– If it’s signed by a trusted CA, the Site resiliency
encryption • Recovery site is prepped Honeyfiles and honeynets
works seamlessly – Data is synchronized • Honeynets
• A disaster is called – More than one honeypot on a
Hashing – Business processes failover to the network
• Represent data as a short string of alternate – More than one source of
text processing site information
– A message digest • Problem is addressed – Stop spammers -
• One-way trip – This can take hours, weeks, or https://projecthoneypot.org
– Impossible to recover the original longer • Honeyfiles
message • Revert back to the primary – Bait for the honeynet
from the digest location (passwords.txt)
– Used to store passwords / – The process must be documented – An alert is sent if the file is
confidentiality for both directions accessed
• Verify a downloaded document is – A virtual bear trap
the same Hot site
as the original • An exact replica Fake telemetry
– Integrity – Duplicate everything • Machine learning
• Can be a digital signature • Stocked with hardware – Interpret big data to identify the
– Authentication, non-repudiation, – Constantly updated invisible
and integrity – You buy two of everything • Train the machine with actual
• Will not have a collision • Applications and software are data
(hopefully) constantly updated – Learn how malware looks and
– Different messages will not have – Automated replication acts
the same hash • Flip a switch and everything – Stop malware based on actions
moves instead of signatures
API considerations – This may be quite a few switches • Send the machine learning model
• API (Application Programming fake telemetry
Interface) 2.1 - Site Resiliency – Make malicious malware look
– Control software or hardware Cold Site benign
programmatically • No hardware
• Secure and harden the login page – Empty building DNS sinkhole
– Don’t forget about the API • No data • A DNS that hands out incorrect IP
• On-path attack – Bring it with you addresses
– Intercept and modify API • No people – Blackhole DNS
messages, – Bus in your team • This can be bad
replay API commands – An attacker can redirect users to a
• API injection Warm site malicious site
– Inject data into an API message • Somewhere between cold and • This can be good
• DDoS (Distributed Denial of hot – Redirect known malicious
Service) – Just enough to get going domains to a benign IP address
– One bad API call can bring down a • Big room with rack space – Watch for any users hitting that IP
system – You bring the hardware address
• Hardware is ready and waiting – Those devices are infected
API security – You bring the software and data • Can be integrated with a firewall
• Authentication – Identify infected devices not
– Limit API access to legitimate Honeypots directly connected
users • Attract the bad guys
– Over secure protocols – And trap them there 2.2 - Cloud Models
• Authorization • The “attacker” is probably a Infrastructure as a service (IaaS)
– API should not allow extended machine • Sometimes called Hardware as a
access – Makes for interesting recon Service (HaaS)
– Each user has a limited role • Honeypots – Outsource your equipment
– A read-only user should not be – Create a virtual world to explore • You’re still responsible for the
able to make • Many different options management
– And for the security – Internal staff – Smaller startup costs and pay-as-
• Your data is out there, but more – Development team you-go
within your control – Operational support • Not always the best solution
• Web server providers – Latency - the cloud is far away
Managed service providers – Limited bandwidth
Platform as a service (PaaS) • Managed Service Provider (MSP) – Difficult to protect data
• No servers, no software, no – Also a cloud service provider – Requires Internet/network
maintenance team, – Not all cloud service providers are connectivity
no HVAC MSPs
– Someone else handles the • MSP support Edge computing
platform, – Network connectivity • Over 30 billion IoT devices on the
you handle the development management Internet
• You don’t have direct control of – Backups and disaster recovery – Devices with very specific
the data, – Growth management and functions
people, or infrastructure planning – A huge amount of data
– Trained security professionals are • Managed Security Service • Edge computing - “Edge”
watching your stuff Provider (MSSP) – Process application data on an
– Choose carefully – Firewall management edge server
• Put the building blocks together – Patch management, security – Close to the user
– Develop your app from what’s audits • Often process data on the device
available on the platform – Emergency response itself
– SalesForce.com – No latency, no network
On-premises vs. off-premises requirement
Software as a service (SaaS) • On-premises – Increased speed and performance
• On-demand software – Your applications are on local – Process where the data is, instead
– No local installation hardware of
– Why manage your own email – Your servers are in your data processing in the cloud
distribution? center in your building
– Or payroll? • Off-premises / hosted Fog computing
• Central management of data and – Your servers are not in your • Fog
applications building – A cloud that’s close to your data
– Your data is out there – They may not even be running on – Cloud + Internet of Things - Fog
• A complete application offering your hardware computing
– No development work required – Usually a specialized computing • A distributed cloud architecture -
– Google Mail environment Extends the cloud
• Distribute the data and
Anything as a Service (XaaS) Cloud deployment models processing
• A broad description of all cloud • Public – Immediate data stays local - No
models – Available to everyone over the latency
– Use any combination of the cloud Internet – Local decisions made from local
• Services delivered over the • Community data
Internet – Several organizations share the – No bandwidth requirements
– Not locally hosted or managed same resources – Private data never leaves -
• Flexible consumption model • Private Minimizes security concerns
– No large upfront costs or ongoing – Your own virtualized local data – Long-term analysis can occur in
licensing center the cloud - Internet only when
• IT becomes more of an operating • Hybrid required
model – A mix of public and private
– And less of a cost-center model 2.2 - Designing the Cloud
– Any IT function can be changed 2.2 - Edge and Fog Computing Designing the cloud
into a service Cloud computing • On-demand computing power
• Computing on-demand – Click a button
2.2 - Cloud Models (continued) – Instantly available computing • Elasticity
Cloud service providers power – Scale up or down as needed
• Provide cloud services – Massive data storage capacity • Applications also scale
– SaaS, PaaS, IaaS, etc. • Fast implementation – Access from anywhere
• Charge a flat fee or based on use – IT teams can adjust rapidly to • How does it all happen?
– More data, more cost change – Planning and technology
• You still manage your processes
Thin client • API is the “glue” for the • SIAM is the integration of these
• Basic application usage microservices diverse providers
– Applications actually run on a – Work together to act as the – Provide a single business-facing
remote server application IT organization
– Virtual Desktop Infrastructure • Scalable • An evolving set of processes and
(VDI), – Scale just the microservices you procedures
– Desktop as a Service (DaaS) need Database
– Local device is a keyboard, • Resilient
mouse, and screen. – Outages are contained Transit gateway
• Minimal operating system on the • Security and compliance • Virtual Private Cloud (VPC)
client – Containment is built-in – A pool of resources created in a
– No huge memory or CPU needs public cloud
• Network connectivity Serverless architecture • Common to create many VPCs
– Big network requirement • Function as a Service (FaaS) – Many different application clouds
– Everything happens across the – Applications are separated into • Connect VPCs with a transit
wire individual, autonomous functions gateway
– Remove the operating system – And users to VPCs
Virtualization from the equation – A “cloud router”
• Virtualization • Developer still creates the server- • Now make it secure
– Run many different operating side logic – VPCs are commonly on different
systems on the – Runs in a stateless compute IP subnets
same hardware container – Connecting to the cloud is often
• Each application instance has its • May be event triggered and through a VPN
own operating system ephemeral
– Adds overhead and complexity – May only run for one event 2.2 - Infrastructure as Code
– Virtualization is relatively • Managed by a third-party Infrastructure as code
expensive – All OS security concerns are at the • Describe an infrastructure
third-party – Define servers, network, and
Application containerization applications as code
• Container Resource policies • Modify the infrastructure and
– Contains everything you need to • Assigning permissions to cloud create versions
run an application resources – The same way you version
– Code and dependencies – Not the easiest task application code
– A standardized unit of software – Everything is in constant motion • Use the description (code) to
• An isolated process in a sandbox • Specify which resources can be build other application instances
– Self-contained provisioned (Azure) – Build it the same way every time
– Apps can’t interact with each – Create a service in a specific based on the code
other region, • An important concept for cloud
• Container image deny all others computing
– A standard for portability • Specify the resource and what – Build a perfect version every time
– Lightweight, uses the host kernel actions are
– Secure separation between permitted (Amazon) SDN (Software Defined
applications – Allow access to an API gateway Networking)
from an • Networking devices have two
Microservices and APIs IP address range functional planes of operation
• Monolithic applications • Explicitly list the users who can – Control plane, data plane
– One big application that does access the • Directly programmable
everything resource (Amazon) – Configuration is different than
• Application contains all decision – Userlist is associated with the forwarding
making processes resource • Agile - Changes can be made
– User interface dynamically
– Business logic Service integration • Centrally managed - Global view,
– Data input and output • Service Integration and single pane of glass
• Code challenges Management (SIAM) • Programmatically configured
– Large codebase • Many different service providers – No human intervention
– Change control challenges – The natural result of • Open standards / vendor neutral
• APIs multisourcing – A standard interface to the
– Application Programming • Every provider works differently network
Interfaces – Different tools and processes
SDV (Software Defined Visibility) • Once you escape the VM, you – All of the pieces are put together
• You must see the traffic to secure have great control – Does it all work?
the data – Control the host and control – Functional tests
– React and respond other guest VMs
• Dynamic deployments include • This would be a huge exploit Verifying the application
security and network visibility – Full control of the virtual world • Quality Assurance (QA)
devices – Verifies features are working as
– Next-generation firewalls, web Escaping the VM expected
application firewalls, • March 2017 - Pwn2Own – Validates new functionality
– Security Information and Event competition – Verifies old errors don’t reappear
Management (SIEM) – Hacking contest • Staging
• Data is encapsulated and – You pwn it, you own it - along – Almost ready to roll it out
encrypted with some cash – Works and feels exactly like the
– VXLAN and SSL/TLS • JavaScript engine bug in Microsoft production
• New technologies change what Edge environment
you can see – Code execution in the Edge – Working with a copy of
– Infrastructure as code, sandbox production data
microservices • Windows 10 kernel bug – Run performance tests
• Security devices monitor – Compromise the guest operating – Test usability and features
application traffic system
– SDV provides visibility to traffic • Hardware simulation bug in Using the application2
flows VMware https://ProfessorMesser.com
• Visibility expands as the – Escape to the host • Production
application instances expand • Patches were released soon – Application is live
– Real-time metrics across all traffic afterwards – Rolled out to the user community
flows • A challenging step
• Application flows can be 2.3 - Secure Deployments – Impacts the users
controlled via API Development to production • Logistical challenges
– Identify and react to threats • Your programming team has been – New servers
working on a new application – New software
2.2 - Virtualization Security – How will you deploy it safely and – Restart or interrupt of service
VM sprawl avoidance reliably?
• Click a button • Patch Tuesday Secure baselines
– You’ve built a server – Test and deploy Wednesday? • The security of an application
– Or multiple servers, networks, Thursday? Friday? environment should be well
and firewalls • Manage the process defined
• It becomes almost too easy to – Safely move from a non- – All application instances must
build instances production phase to full production follow this baseline
– This can get out of hand very – Firewall settings, patch levels, OS
quickly Sandboxing file versions
• The virtual machines are sprawled • Isolated testing environment – May require constant updates
everywhere – No connection to the real world • Integrity measurements check for
– You aren’t sure which VMs are or production system the secure baseline
related to which applications – A technological safe space – These should be performed often
– It becomes extremely difficult to • Use during the development – Check against well-documented
deprovision process baselines
• Formal process and detailed – Try some code, break some code, – Failure requires an immediate
documentation nobody gets hurt correction
– You should have information on • Incremental development
every virtual object – Helps build the application 2.3 - Provisioning and
Deprovisioning
VM escape protection Building the application Provisioning
• The virtual machine is self- • Development • Deploy an application
contained – Secure environment – Web server, database server,
– There’s no way out - Or is there? – Writing code middleware server, user
• Virtual machine escape – Developers test in their workstation configurations,
– Break out of the VM and interact sandboxes certificate updates, etc.
with the host operating • Test • Application software security
system or hardware – Still in the development stage – Operating system, application
• Network security 2.3 - Secure Coding Techniques • If the old code has security
– Secure VLAN, internal access, Secure coding concepts vulnerabilities, reusing the code
external access • A balance between time and spreads it to other applications
• Software deployed to quality – You’re making this much more
workstations – Programming with security in difficult for everyone
– Check executables for malicious mind is often secondary • Dead code
code, verify security posture of the • Testing, testing, testing – Calculations are made, code is
workstation – The Quality Assurance (QA) executed,
process results are tallied
Scalability and elasticity • Vulnerabilities will eventually be – The results aren’t used anywhere
• Handle application workload found else in the
– Adapt to dynamic changes – And exploited application
• Scalability • All code is an opportunity for a
– The ability to increase the Stored procedures security problem
workload in a • SQL databases – Make sure your code is as alive as
given infrastructure – Client sends detailed requests for possible
– Build an application instance that data
can handle – ‘SELECT * FROM wp_options Input validation
– 100,000 transactions per second WHERE option_id = 1’ • What is the expected input?
• Elasticity • Client requests can be complex – Validate actual vs. expected
– Increase or decrease available – And sometimes modified by the • Document all input methods
resources as the workload changes user – Forms, fields, type
– Deploy multiple application – This would not be good • Check and correct all input
instances to handle • Stored procedures limit the client (normalization)
– 500,000 transactions per second interactions – A zip code should be only X
– ‘CALL get_options’ characters long with a letter in the
Orchestration – That’s it. No modifications to the X column
• Automation is the key to cloud query are possible. – Fix any data with improper input
computing • To be really secure, use only • The fuzzers will find what you
– Services appear and disappear stored procedures missed
automatically, – The application doesn’t use any – Don’t give them an opening
or at the push of a button SQL queries
• Entire application instances can Validation points
be instantly provisioned Obfuscation/camouflage • Server-side validation
– All servers, networks, switches, • Obfuscate – All checks occur on the server
firewalls, and policies – Make something normally – Helps protect against malicious
• Instances can move around the understandable very difficult to users
world as needed understand – Attackers may not even be using
– Follow the sun • Take perfectly readable code and your interface
• The security policies should be turn it into nonsense • Client-side validation
part of the orchestration – The developer keeps the readable – The end-user’s app makes the
– As applications are provisioned, code and gives you the chicken validation decisions
the proper security is automatically scratch – Can filter legitimate input from
included – Both sets of code perform exactly genuine users
the same way Page 43 – May provide additional speed to
Deprovisioning https://ProfessorMesser.com the user
• Dismantling and removing an • Helps prevent the search for • Use both - But especially server-
application instance security holes side validation
– All good things – Makes it more difficult to figure
• Security deprovisioning is out Memory management
important what’s happening - But not • As a developer, you must be
– Don’t leave open holes, don’t impossible mindful of how memory is used
close important ones – Many opportunities to build
• Firewall policies must be reverted Code reuse/dead code vulnerable code
– If the application is gone, so is the • Code reuse • Never trust data input
access – Use old code to build new – Malicious users can attempt to
• What happens to the data? applications circumvent your code
– Don’t leave information out there – Copy and paste • Buffer overflows are a huge
security risk
– Make sure your data matches • Attackers often exploit application • Basic set of security checks during
your buffer sizes vulnerabilities development
• Some built-in functions are – They find the unlocked door and – Documented security baselines as
insecure open it the bare minimum
– Use best practices when • Once you exploit one binary, you • Large-scale security analysis
designing your code can exploit them all during the testing phase
– The application works the same – Significant problems will have
Third-party libraries and SDKs on all systems already been covered
• Your programming language does – A Windows 10 exploit affects all
everything - Almost Windows 10 users Continuous delivery/deployment
• Third-party libraries and software • What if all of the computers were (CD)
development kits running different software? • Continuous delivery
– Extend the functionality of a – Unique binaries – Automate the testing process
programming language – Functionally identical – Automate the release process
• Security risk – Click a button and deploy the
– Application code written by Software diversity application
someone else • Alternative compiler paths would • Continuous deployment
– Might be secure. Might not be result in a different binary each – Even more automation
secure. time – Automatically deploy to
– Extensive testing is required – Each compiled application would production
• Balancing act - Application be a little bit – No human integration or manual
features vs. unknown code base different checks
– But functionally the same
Data exposure • An attack against different Directory services
• So much sensitive data binaries would only be successful • Keep all of an organization’s
– Credit card numbers, social on a fraction of the users usernames and passwords in a
security numbers, medical – An attacker wouldn’t know what single database
information, address details, email exploit to use – Also contains computers, printers,
information – Make the game much harder to and other devices
• How is the application handling win • Large distributed database
the data? 2.3 - Automation and Scripting – Constantly replicated
– No encryption when stored Automation and scripting • All authentication requests
– No encryption across the network • Plan for change reference this directory
– Displaying information on the – Implement automatically – Each user only needs one set of
screen • Automated courses of action credentials
• All input and output processes are – Many problems can be predicted – One username and password for
important – Have a set of automated all services
– Check them all for data exposure responses • Access via Kerberos or LDAP
• Continuous monitoring
Version control – Check for a particular event, and Federation
• Create a file, make a change, then react • Provide network access to others
make another change, and another • Configuration validation – Not just employees - Partners,
change – Cloud-based technologies allow suppliers, customers, etc.
– Track those changes, revert back for – Provides SSO and more
to a previous version constant change • Third-parties can establish a
• Commonly used in software – Automatically validate a federated network
development configuration – Authenticate and authorize
– But also in operating systems, before going live between the
wiki software, and cloud-based file – Perform ongoing automated two organizations
storage checks – Login with your Facebook
• Useful for security credentials
– Compare versions over time Continuous integration (CI) • The third-parties must establish a
– Identify modifications to • Code is constantly written trust relationship
important files – And merged into the central – And the degree of the trust
– A security challenge repository many times a day
– Historical information can be a • So many chances for security Attestation
security risk problems • Prove the hardware is really yours
2.3 - Software Diversity – Security should be a concern from – A system you can trust
Exploiting an application the beginning • Easy when it’s just your computer
– More difficult when there are – Timestamps are synchronized via – Use the card with a PIN or
1,000 NTP fingerprint
• Remote attestation • Timestamp usually increments
– Device provides an operational every 30 seconds 2.4 - Biometrics
report to a – Put in your username, password, Biometric factors
verification server and TOTP code • Fingerprint scanner
– Encrypted and digitally signed • One of the more common OTP – Phones, laptops, door access
with the TPM methods • Retinal scanner
– An IMEI or other unique hardware – Used by Google, Facebook, – Unique capillary structure in
component can be included in the Microsoft, etc. the back of the eye
report • Iris scanner
HOTP – Texture, color
Short message service (SMS) • One-time passwords • Voice recognition
• Text messaging – Use them once, and never again – Talk for access
– Includes more than text these – Once a session, once each • Facial recognition
days authentication attempt – Shape of the face and features
• Login factor can be sent via SMS • HMAC-based One-Time Password
to a predefined phone number algorithm Biometric acceptance rates
– Provide username and password – Keyed-hash message • False acceptance rate (FAR)
– Phone receives an SMS authentication code (HMAC) – Likelihood that an unauthorized
– Input the SMS code into the login – The keys are based on a secret user will be accepted
form key and a counter – Not sensitive enough
• Security issues exist • Token-based authentication • False rejection rate (FRR)
– Phone number can be reassigned – The hash is different every time – Likelihood that an authorized user
to a • Hardware and software tokens will be rejected
different phone available – Too sensitive
– SMS messages can be intercepted – You’ll need additional technology • Crossover error rate (CER)
to make this work – Defines the overall accuracy of a
Push notification biometric system
• Similar process to an SMS Phone call – The rate at which FAR and FRR
notification • A voice call provides the token are equal
– Authentication factor is pushed to – The computer is talking to you – Adjust sensitivity to equalize both
a specialized app – “Your code is 1-6-2-5-1-7.” values
– Usually on a mobile device • Similar disadvantages to SMS
• Security challenges – Phone call can be intercepted or AAA framework
– Applications can be vulnerable forwarded • Identification
– Some push apps send in the clear – Phone number can be added to – This is who you claim to be
• Still more secure than SMS another phone – Usually your username
– Multiple factors are better than • Authentication
one factor Static codes – Prove you are who you say you
• Authentication factors that don’t are
Authentication apps change – Password and other
• Pseudo-random token generators – You just have to remember authentication factors
– A useful authentication factor • Personal Identification Number • Authorization
• Carry around a physical hardware (PIN) – Based on your identification and
token generator – Your secret numbers authentication, what access do you
– Where are my keys again? • Can also be alphanumeric have?
• Use software-based token – A password or passphrase • Accounting
generator on your phone – Resources used: Login time, data
– Powerful and convenient Smart cards sent
• Integrated circuit card - Contact and received, logout time
TOTP or contactless
• Time-based One-Time Password • Common on credit cards - Also Cloud vs. on-premises
algorithm used for access control authentication
– Use a secret key and the time of • Must have physical card to • Cloud-based security
day provide digital access – Third-party can manage the
– No incremental counter – A digital certificate platform
• Secret key is configured ahead of • Multiple factors – Centralized platform
time
– Automation options with API – You can change your password • No software failure
integration – You can’t change your fingerprint – Services always available
– May include additional options • Used in very specific situations • No system failure
(for a cost) – Not foolproof – Network performing optimally
• On-premises authentication
system Somewhere you are Geographic dispersal
– Internal monitoring and • Provide a factor based on your • Bad things can happen in a local
management location area
– Need internal expertise – The transaction only completes if – Hurricanes, tornadoes, flooding,
– External access must be granted you are in a • Disperse technologies to different
and managed particular geography geographies
• IP address – Use multiple data centers
Multi-factor authentication – Not perfect, but can help provide – In different locations
• Factors more info • Data centers might be part of the
– Something you know – Works with IPv4, not so much normal operations
– Something you have with IPv6 – East coast and west coast
– Something you are • Mobile device location services operations centers
• Attributes – Geolocation to a very specific • May be part of a disaster recovery
– Somewhere you are area center
– Something you can do – Must be in a location that can – If Florida gets hit, fire up the
– Something you exhibit receive GPS Denver data center
– Someone you know information or near an identified
mobile Disk redundancy
Something you know or 802.11 network • Multipath I/O (Input/Output)
• Password – Still not a perfect identifier of – Especially useful for network-
– Secret word/phrase, string of location based storage subsystems
characters – Multiple Fibre Channel interfaces
– Very common authentication Something you can do with multiple switches
factor • A personal way of doing things • RAID - Redundant Array of
• PIN – You’re special Independent Disks
– Personal identification number • Handwriting analysis • Multiple drives create
– Not typically contained anywhere – Signature comparison redundancy
on a – Writing technique – Many different designs and
smart card or ATM card • Very similar to biometrics implementations
• Pattern – Close to something you are
– Complete a series of patterns Load balancing
– Only you know the right format Other attributes • Some servers are active - Others
• Something you exhibit are on standby
Something you have – A unique trait, personal to you • If an active server fails, the
• Smart card – Gait analysis - the way you walk passive server takes its place
– Integrates with devices – Typing analysis - the way you hit
– May require a PIN the enter key too hard NIC teaming
• USB token - Certificate is on the • Load Balancing / Fail Over (LBFO)
USB device • Someone you know – Aggregate bandwidth, redundant
• Hardware or software tokens – A social factor paths
– Generates pseudo-random – It’s not what you know… – Becomes more important in the
authentication codes – Web of trust virtual world
• Your phone -SMS a code to your – Digital signature • Multiple network adapters
phone – Looks like a single adapter
2.5 - Disk Redundancy – Integrate with switches
Something you are Redundancy • NICs talk to each other
• Biometric authentication • Duplicate parts of the system – Usually multicast instead of
– Fingerprint, iris scan, voice print – If a part fails, the redundant part broadcast
• Usually stores a mathematical can be used – Fails over when a NIC doesn’t
representation • Maintain uptime respond
of your biometric – The organization continues to
– Your actual fingerprint isn’t function 2.5 - Network Redundancy
usually saved • No hardware failure UPS - Uninterruptible Power
• Difficult to change – Servers keep running Supply
– Short-term backup power – Duplicate data from one data – These are usually smaller
– Blackouts, brownouts, surges center to another than the full backup
• UPS types • SAN snapshot • A restoration requires the full
– Offline/Standby UPS – Create a state of data based on a backup and all of the incremental
– Line-interactive UPS point in time backups
– On-line/Double-conversion UPS – Copy that state to other SANs
• Features Differential Backup
– Auto shutdown, battery capacity, VM replication • A full backup is taken first
outlets, • Virtual machine redundancy • Subsequent backups contain
phone line suppression – Maintain one VM, replicate to all data changed since the last full
others backup
2.5 - Power Redundancy – The virtual machine is really just – These usually grow larger as
Generators one big file data is changed
• Long-term power backup • Consistent service offering • A restoration requires the full
– Fuel storage required – Maintain copies anywhere in the backup and the last differential
• Power an entire building world backup
– Some power outlets may be • Recover from a replicated copy
marked as – Provides a backup if needed Backup media
generator-powered • Efficient copying • Magnetic tape
• It may take a few minutes to get – Only replicates the data that has – Sequential storage
the changed – 100 GB to multiple terabytes per
generator up to speed cartridge
– Use a battery UPS while the On premises vs. cloud – Easy to ship and store
generator is starting redundancy • Disk
• Speed – Faster than magnetic tape -
Dual-power supplies – Local devices are connected over Deduplicate and compress
• Redundancy very fast networks • Copy
– Internal server power supplies – Cloud connections are almost – A useful strategy
– External power circuits always slower – May not include versioning - May
• Each power supply can handle • Money need to keep offsite
100% of the load – Purchasing your own storage is an
– Would normally run at 50% of the expensive NAS vs. SAN
load capital investment • Network Attached Storage (NAS)
• Hot-swappable – Cloud costs have a low entry – Connect to a shared storage
– Replace a faulty power supply point and can scale device across the network
without powering down • Security – File-level access
– Local data is private • Storage Area Network (SAN)
Power distribution units (PDUs) – Data stored in the cloud requires – Looks and feels like a local
• Provide multiple power outlets additional storage device
– Usually in a rack security controls – Block-level access
• Often include monitoring and – Very efficient reading and writing
control 2.5 - Backup Types • Requires a lot of bandwidth
– Manage power capacity Backup Types – May use an isolated network and
– Enable or disable individual • The archive attribute high-speed
outlets – Set when a file is modified network technologies
• Full - Everything
SAN replication – You’ll want this one first Other backups
• Share data between different • Incremental • Cloud
devices – All files changed since the last – Backup to a remote device in the
– If one device fails, you can still incremental backup cloud
work with the data • Differential –Support many devices
– VERY fast recovery times – All files changed since the last full –May be limited by bandwidth
compared to backup • Image
traditional backups – Capture an exactly replica of
• Storage area networks (SANs) Incremental Backup everything on a
– Specialized high-performance • A full backup is taken first storage drive
network of • Subsequent backups contain data – Restore everything on a partition,
storage devices changed since the last full backup including
• SAN-to-SAN replication and last incremental backup
operating system files and user – Certain components may need to • Security considerations are
documents be restored first important
Backup locations – Databases should be restored – Difficult to upgrade hardware
• Offline backup before the application – Limited off-the-shelf security
– Backup to local devices • Backup-specific options
– Fast and secure – Incremental backups restore the
– Must be protected and full backup, Field-programmable gate array
maintained then all subsequent incremental (FPGA)
– Often requires offsite storage for backups • An integrated circuit that can be
disaster recovery – Differential backups restore the configured
• Online backup full backup, after manufacturing
– Remote network-connected third- then the last differential backup – Array of logic blocks
party – Programmed in the field
– Encrypted Diversity • A problem doesn’t require a
– Accessible from anywhere • Technologies hardware replacement
– Speed is limited by network – A zero-day OS vulnerability can – Reprogram the FPGA
bandwidth cause significant outages • Common in infrastructure
– Multiple security devices – Firewall logic
Non-persistence • Vendors – Routers
• The cloud is always in motion – A single vendor can become a
– Application instances are disadvantage SCADA/ICS
constantly built – No options during annual • Supervisory Control and Data
and torn down renewals Acquisition System
• Snapshots can capture the – A bad support team may not be – Large-scale, multi-site Industrial
current configuration and data able to resolve problems in a timely Control Systems (ICS)
– Preserve the complete state of a manner • PC manages equipment
device, or • Cryptographic – Power generation, refining,
just the configuration – All cryptography is temporary manufacturing equipment
• Revert to known state – Diverse certificate authorities can – Facilities, industrial, energy,
– Fall back to a previous snapshot provide logistics
• Rollback to known configuration additional protection • Distributed control systems
– Don’t modify the data, but use a • Controls – Real-time information
previous configuration – Administrative controls – System control
• Live boot media – Physical controls • Requires extensive segmentation
– Run the operating system from – Technical controls – No access from the outside
removable – Combine them together
media - very portable! – Defense in depth 2.6 - Embedded Systems
Smart devices / IoT (Internet of
High availability Embedded systems Things)
• Redundancy doesn’t always mean • Hardware and software designed • Sensors - Heating and cooling,
always available for a specific function lighting
– May need to be powered on – Or to operate as part of a larger • Smart devices - Home
manually system automation, video doorbells
• HA (high availability) • Is built with only this task in mind • Wearable technology - Watches,
– Always on, always available – Can be optimized for size and/or health monitors
• May include many different cost • Facility automation -
components • Common examples Temperature, air quality, lighting
working together – Traffic light controllers • Weak defaults
– Active/Active can provide – Digital watches – IOT manufacturers are not
scalability advantages – Medical imaging systems security professionals
• Higher availability almost always
means higher costs SoC (System on a Chip) Specialized
– There’s always another • Multiple components running on • Medical devices
contingency you could add a single chip – Heart monitors, insulin pumps
– Upgraded power, high-quality – Common with embedded systems – Often use older operating systems
server components, etc. • Small form-factor • Vehicles
– External interface support – Internal network is often
Order of restoration – Cache memory, flash memory accessible from
• Application-specific – Usually lower power consumption mobile networks
– Control internal electronics – Everything you need in one single – Additional cloud processing
• Aircraft device
– DoS could damage the aircraft • No longer a simple printer Subscriber identity module (SIM)
– An outage would be problematic – Very sophisticated firmware • SIM card - A universal integrated
• Smart meters - Measure power • Some images are stored locally on circuit card
and water usage the device • Used to provide information to a
– Can be retrieved externally cellular
VoIP • Logs are stored on the device network provider - Phones, tablets,
• Voice over Internet Protocol – Contain communication and fax embedded systems
– Instead of analog phone line or details • Contains mobile details
the – IMSI (International Mobile
– Plain Old Telephone Service 2.6 - Embedded Systems Subscriber Identity)
(POTS) (continued) – Authentication information,
• A relatively complex embedded RTOS (Real-Time Operating contact information
system System) • Important to manage
– Can be relatively important • An operating system with a – Many embedded systems, many
• Each device is a computer deterministic SIM cards
– Separate boot process processing schedule
– Individual configurations – No time to wait for other Narrowband
– Different capabilities and processes • Communicate analog signals over
functionalities – Industrial equipment, a narrow range of frequencies
automobiles, – Over a longer distance - Conserve
HVAC – Military environments the frequency use
• Heating, Ventilation, and Air • Extremely sensitive to security • Many IoT devices can
Conditioning issues communicate over long distances
– Thermodynamics, fluid – Non-trivial systems – SCADA equipment - Sensors in oil
mechanics, and heat transfer – Need to always be available fields
• A complex science – Difficult to know what type of
– Not something you can properly security is in place Baseband
design yourself • Generally a single cable with a
– Must be integrated into the fire Surveillance systems digital signal
system • Video/audio surveillance – Can be fiber or copper
• PC manages equipment – Embedded systems in the • The communication signal uses all
– Makes cooling and heating cameras and the of the bandwidth
decisions for workspaces monitoring stations – Utilization is either 0% or 100%
and data centers • Secure the security system • Bidirectional communication
• Traditionally not built with – Restrict access from others - – But not at the same time using
security in mind Prevent a denial of service the same wire/fiber
– Difficult to recover from an • Physically difficult to replace • Ethernet standard - 100BASE-TX,
infrastructure DoS cameras 1000BASE-T, 10GBASE-T
– Accessible independently over the
Drones network Zigbee
• Flying vehicle – May allow for firmware upgrades • Internet of Things networking
– No pilot on board – Open standard - IEEE 802.15.4
• May be manually controlled from 5G PAN
the ground • Fifth generation cellular • Alternative to WiFi and Bluetooth
– Often with some autonomy networking – Longer distances than Bluetooth
– Set it and forget it – Launched worldwide in 2020 – Less power consumption than
• Extensive commercial and non- • Significant performance WiFi
commercial use improvements • Mesh network of all Zigbee
– May require federal licenses – At higher frequencies devices in your home
– Security and fail-safes are – Eventually 10 gigabits per second – Light switch communicates to
required – Slower speeds from 100-900 light bulbs
Mbit/s – Tell Amazon Echo to lock the door
Printers, scanners, and fax • Significant IoT impact • Uses the ISM band
machines – Bandwidth becomes less of a – Industrial, Scientific, and Medical
• All-in-one or multifunction constraint – 900 MHz and 2.4 GHz frequencies
devices (MFD) – Larger data transfers in the US
– Faster monitoring and notification
Embedded systems Barricades / bollards – Motion recognition can alarm and
• Not usually a fully capable • Prevent access alert when
computer – There are limits to the prevention something moves
– Low cost, purpose-built • Channel people through a specific – Object detection can identify a
• Adds additional constraints access point license plate or
– May have limited or missing – And keep out other things person’s face
features – Allow people, prevent cars and • Often many different cameras
– Upgradability limitations trucks – Networked together and
– Limits in communication options • Identify safety concerns recorded over time
• An ongoing trade off – And prevent injuries
– Low cost systems - Unique • Can be used to an extreme Industrial camouflage
management challenges – Concrete barriers / bollards • Conceal an important facility in
– Moats plain sight
Constraints – Blends in to the local
• Power - May not have access to a Access control vestibules environment
main power source • All doors normally unlocked • Protect a data center
– Batteries may need to be replaced – Opening one door causes others – No business signs
and maintained to lock – No visual clues
• Compute • All doors normally locked – Surround it with a water feature
– Low-power CPUs are limited in – Unlocking one door prevents – Install a guard gate
speed others from being unlocked – Planters out front are bollards
– Cost and heat considerations • One door open / other locked Guards and access lists
• Network – When one is open, the other • Security guard
– May not have the option for a cannot be unlocked – Physical protection at the
wired link • One at a time, controlled groups reception area of a
– May be in the middle of a field – Managed control through an area facility
– Wireless is the limiting factor – Validates identification of existing
• Crypto Alarms employees
– Limited hardware options • Circuit-based – Provides guest access
– Difficult to change or modify – Circuit is opened or closed • ID badge
cryptography features – Door, window, fence – Picture, name, other details
• Inability to patch – Useful on the perimeter – Must be worn at all times
– Some IoT devices have no field- • Motion detection • Access list
upgradable options – Radio reflection or passive – Physical list of names
– Upgrade options may be limited infrared – Enforced by security guard
or difficult to install – Useful in areas not often in use • Maintains a visitor log
• Authentication • Duress
– Security features are often an – Triggered by a person - The big Guards
afterthought red button • Two-person integrity/control
– Limited options, no multi-factor, – Minimize exposure to an attack
limited integration Signs – No single person has access to a
with existing directory services • Clear and specific instructions physical asset
• Range – Keep people away from restricted • Robot sentries
– Purpose-built - usually does one areas – Monitoring
thing very well – Consider visitors – Rounds / Periodic checks
– May not provide much additional • Consider personal safety – An emerging technology
functionality – Fire exits
• Cost – Warning signs Biometrics
– Single-purpose functionality – Chemicals • Biometric authentication
comes at a low cost – Construction – Fingerprint, retina, voiceprint
– Low cost may affect product – Medical resources • Usually stores a mathematical
quality • Informational representation
• Implied trust – In case of emergency, call this of your biometric
– Limited access to the hardware number – Your actual fingerprint isn’t
and software usually saved
– Difficult to verify the security Video surveillance • Difficult to change
posture • CCTV (Closed circuit television) – You can change your password
– Can replace physical guards – You can’t change your fingerprint
2.7 - Physical Security Controls • Camera features are important • Used in very specific situations
– Not foolproof Fire suppression – Airplanes
• Electronics require unique – Nuclear power plant operations
Door access controls responses to fire
• Conventional - Lock and key – Water is generally a bad thing Vaults and safes
• Deadbolt - Physical bolt • Detection • Vault
• Electronic - Keyless, PIN – Smoke detector, flame detector, – A secure reinforced room
• Token-based heat detector – Store backup media
– RFID badge, magnetic swipe card, • Suppress with water – Protect from disaster or theft
or key fob – Where appropriate – Often onsite
• Biometric - Hand, fingers or retina • Suppress with chemicals • Safe
• Multi-factor - Smart card and PIN – Halon - No longer manufactured – Similar to a vault, but smaller
– Destroys ozone – Less expensive to implement
Cable locks – Commonly replaced with Dupont – Space is limited - Install at more
• Temporary security FM-200 locations
– Connect your hardware to
something solid Sensors Hot and cold aisles
• Cable works almost anywhere • Motion detection • Data centers
– Useful when mobile – Identify movement in an area – Lots and lots of equipment
• Most devices have a standard • Noise detection – This equipment generates heat
connector – Recognize an increase in sound • Optimize cooling
– Reinforced notch • Proximity reader – Keep components at optimal
• Not designed for long-term – Commonly used with electronic temperatures
protection door locks • Conserve energy
– Those cables are pretty thin – Combined with an access card – Data centers are usually very
• Moisture detection large rooms
USB data blocker – Useful to identify water leaks – Focus the cooling
• Don’t connect to unknown USB • Temperature – Lower energy costs
interfaces – Monitor changes over time
– Even if you need a quick charge Drones
– Prevent “juice jacking” 2.7 - Secure Areas • Quickly cover large areas
• Use a USB data blocker – More than just one building
– Allow the voltage, reject the data Secure areas • More than physical security
• Use your power adapter • Physically secure the data – Site surveys, damage assessments
– Avoid the issue entirely – As important as the digital • On-board sensors
security – Motion detection
Proper lighting • An important part of a security – Thermal sensors
• More light means more security policy • Video evidence
– Attackers avoid the light – Not a question to leave – High resolution video capture
– Easier to see when lit unanswered
– Non IR cameras can see better • Secure active operations Faraday cage
• Specialized design – Prevent physical access to the • Blocks electromagnetic fields
– Consider overall light levels systems – Discovered by Michael Faraday in
– Lighting angles may be important • Secure offline data 1836
– Facial recognition – Backups are an important security • A mesh of conductive material
– Avoid shadows and glare concern – The cage cancels the
electromagnetic field’s
Fencing Air gap effect on the interior
• Build a perimeter • Physical separation between – The window of a microwave oven
– Usually very obvious networks • Not a comprehensive solution
– May not be what you’re looking – Secure network and insecure – Not all signal types are blocked
for network – Some signal types are not blocked
• Transparent or opaque – Separate customer infrastructures at all
– See through the fence (or not) • Most environments are shared • Can restrict access to mobile
• Robust – Shared routers, switches, firewalls networks
– Difficult to cut the fence – Some of these are virtualized – Some very specific contingencies
• Prevent climbing • Specialized networks require air would need to be in place for
– Razor wire gaps emergency calls
– Build it high – Stock market networks
– Power systems/SCADA Screened subnet
• Formerly known as a – Quick and easy - Platters, all the – It’s a secret
demilitarized zone (DMZ) way through • Authentication and access control
– An additional layer of security • Electromagnetic (degaussing) – I know it’s you. I REALLY know it’s
between the – Remove the magnetic field you.
Internet and you – Destroys the drive data and • Non-repudiation - You said it. You
– Public access to public resources renders the drive unusable can’t deny it.
• Incineration - Fire hot. • Integrity - Tamper-proof
Protected distribution
• Protected Distribution System Certificate of destruction Cryptography terms
(PDS) • Destruction is often done by a 3rd • Plaintext - An unencrypted
– A physically secure cabled party message (in the clear)
network – How many drills and degaussers • Ciphertext - An encrypted
• Protect your cables and fibers do you have? message
– All of the data flows through • Need confirmation that your data • Cipher - The algorithm used to
these conduits is destroyed encrypt and/or decrypt
• Prevent cable and fiber taps – Service should include a • Cryptanalysis
– Direct taps and inductive taps certificate – The art of cracking encryption
• Prevent cable and fiber cuts • A paper trail of broken data – Researchers are constantly trying
– A physical denial of service (DoS) – You know exactly what happened to find
• Hardened protected distribution weaknesses in ciphers
system Sanitizing media – A mathematically flawed cipher is
– Sealed metal conduit, periodic • Purge data bad for everyone
visual inspection – Remove it from an existing data
store 2.8 - Cryptography Concepts
2.7 - Secure Data Destruction – Delete some of the data from a Cryptographic keys
database • Keys
Data destruction and media • Wipe data – Add the key to the cypher to
sanitization – Unrecoverable removal of data on encrypt
• Disposal becomes a legal issue a storage device – Larger keys are generally more
– Some information must not be – Usually overwrites the data secure
destroyed storage locations • Some encryption methods use
– Consider offsite storage – Useful when you need to reuse or one key
• You don’t want critical continue using the media – Some use more than one key
information in the trash – Every method is a bit different
– People really do dumpster dive Data security
– Recycling can be a security • July 2013 - UK National Health Give weak keys a workout
concern Service Surrey • A weak key is a weak key
– Physically destroy the media – Provided hard drives to a 3rd- – By itself, it’s not very secure
• Reuse the storage media party to be destroyed • Make a weak key stronger by
– Sanitize the media for reuse – Contained 3,000 patient records performing
– Ensure nothing is left behind – Received a destruction certificate, multiple processes
but not – Hash a password. Hash the hash
Protect your rubbish actually destroyed. of the password. And continue…
• Secure your garbage - Fence and – Sold on eBay. Buyer contacted – Key stretching, key strengthening
a lock authorities, • Brute force attacks would require
• Shred your documents fined £200,000 reversing each of those hashes
– This will only go so far • File level overwriting – The attacker has to spend much
– Governments burn the good stuff – Sdelete – Windows Sysinternals more time, even though the key is
• Burn documents - No going back • Whole drive wipe secure data small
• Pulp the paper removal
– Large tank washing to remove ink – DBAN - Darik’s Boot and Nuke Symmetric encryption
– Paper broken down into pulp – Physical drive destruction - • A single, shared key
– Creates recycled paper – One-off or industrial removal and – Encrypt with the key
destroy – Decrypt with the same key
Physical destruction – If it gets out, you’ll need another
• Shredder / pulverizer Cryptography key
– Heavy machinery, complete • Greek: “kryptos” • Secret key algorithm
destruction – Hidden, secret – A shared secret
• Drill / Hammer • Confidentiality • Doesn’t scale very well
– Can be challenging to distribute • Password-Based Key Derivation Collision
• Very fast to use Function 2 (PBKDF2) • Hash functions – Take an input of
– Less overhead than asymmetric – Part of RSA public key any size - Create a fixed size string
encryption cryptography standards – Message digest, checksum-
– Often combined with asymmetric (PKCS #5, RFC 2898) • The hash should be unique
encryption – Different inputs should never
Lightweight cryptography create the same hash
Asymmetric encryption • Powerful cryptography has – If they do, it’s a collision
• Public key cryptography traditionally • MD5 has a collision problem –
– Two (or more) mathematically required strength Found in 1996 - Don’t use MD5
related keys – A powerful CPU and lots of time
• Private key - Keep this private • Internet of Things (IoT) devices Practical hashing
• Public key - Anyone can see this have limited power • Verify a downloaded file
key - Give it away – Both watts and CPU – Hashes may be provided on the
• The private key is the only key • New standards are being created download site – Compare the
that can decrypt data encrypted – National Institute of Standards downloaded file hash with the
with the public key and Technology (NIST) leading the posted hash value
– You can’t derive the private key effort • Password storage
from the public key – Provide powerful encryption – Instead of storing the password,
– Include integrity features store a salted hash
2.8 - Symmetric and Asymmetric – Keep costs low – Compare hashes during the
The key pair authentication process
• Asymmetric encryption Homomorphic encryption (HE) – Nobody ever knows your actual
– Public Key Cryptography • Encrypted data is difficult to work password
• Key generation with
– Build both the public and private – Decrypt the data Adding some salt
key at the same time – Perform a function • Salt
– Lots of randomization – Encrypt the answer – Random data added to a
– Large prime numbers • Homomorphic encryption password when hashing
– Lots and lots of math – Perform calculations of data while • Every user gets their own random
• Everyone can have the public key it’s encrypted salt
– Only Alice has the private key – Perform the work directly on the – The salt is commonly stored with
encrypted data the password
Elliptic curve cryptography – The decrypted data can only be • Rainbow tables won’t work with
(ECC) viewed with salted hashes – Additional random
• Asymmetric encryption the private key value added to the original
– Need large integers composed of • Many advantages password
two or more large prime factors – Securely store data in the cloud • This slows things down the brute
• Instead of numbers, use curves! – Perform research on data without force process
– Uses smaller keys than non-ECC viewing the data – It doesn’t completely stop the
asymmetric 2.8 - Hashing and Digital Signatures reverse engineering
encryption Hashes • Each user gets a different random
– Smaller storage and transmission • Represent data as a short string of hash
requirements text - A message digest – The same password creates a
– Perfect for mobile devices • One-way trip different hash
– Impossible to recover the original
Key stretching libraries message from the digest Digital signatures
• Already built for your application – Used to store passwords / • Prove the message was not
– No additional programming confidentiality changed
involved • Verify a downloaded document is – Integrity
• bcrypt the same as the original • Prove the source of the message
– Generates hashes from – Integrity – Authentication
passwords • Can be a digital signature • Make sure the signature isn’t fake
– An extension to the UNIX crypt – Authentication, non-repudiation, – Non-repudiation
library and integrity • Will not have a • Sign with the private key
– Uses Blowfish cipher to perform collision (hopefully) – The message doesn’t need to be
multiple – Different messages will not have encrypted
rounds of hashing the same hash – Nobody else can sign this
(obviously)
• Verify with the public key – Without compromising the • The process of making something
– Any change in the message will security part unclear
invalidate the signature • Share a symmetric session key – It’s now much more difficult to
• In-band key exchange using understand
– It’s on the network asymmetric encryption • But it’s not impossible to
– Protect the key with additional – Client encrypts a random understand
encryption (symmetric) key with a server’s – If you know how to read it
– Use asymmetric encryption to public key • Make source code difficult to read
deliver – The server decrypts this shared – But it doesn’t change the
a symmetric key key and uses it to encrypt data functionality of the code
– This is the session key • Hide information inside of an
2.8 - Cryptographic Keys • Implement session keys carefully image
Cryptographic Keys – Need to be changed often – Steganography
• There’s very little that isn’t known (ephemeral keys)
about the cryptographic process – Need to be unpredictables Steganography
– The algorithm is usually a known • Greek for “concealed writing”
entity Symmetric key from asymmetric – Security through obscurity
– The only thing you don’t know is keys • Message is invisible
the key • Use public and private key – But it’s really there
• The key determines the output cryptography to create a symmetric • The covertext
– Encrypted data key – The container document or file
– Hash value – Math is powerful
– Digital signature 2.8 - Steganography
• Keep your key private! Traditional web server encryption Common steganography
– It’s the only thing protecting your • SSL/TLS uses encryption keys to techniques
data protect web • Network based
server communication – Embed messages in TCP packets
Key strength – Traditionally, this has been based • Use an image
• Larger keys tend to be more on the web server’s RSA key pair – Embed the message in the image
secure – One key that encrypts all itself
– Prevent brute-force attacks symmetric keys • Invisible watermarks
– Attackers can try every possible • This server’s private key can – Yellow dots on printers
key combination rebuild everything
• Symmetric encryption – If you capture all of the traffic, Other steganography types
– 128-bit or larger symmetric keys you can decrypt all of the data • Audio steganography
are common – These numbers get • One point of failure for all of your – Modify the digital audio file
larger as time goes on web site encryption – Interlace a secret message within
• Asymmetric encryption the audio
– Complex calculations of prime Perfect Forward Secrecy (PFS) – Similar technique to image
numbers • Change the method of key steganography
– Larger keys than symmetric exchange • Video steganography
encryption – Don’t use the server’s private RSA – A sequence of images
– Common to see key lengths of key – Use image steganography on a
3,072 bits or larger • Elliptic curve or Diffie-Hellman larger scale
ephemeral – Manage the signal to noise ratio
Key exchange – The session keys aren’t kept – Potentially transfer much more
• A logistical challenge around information
– How do you transfer an • Can’t decrypt with the private
encryption key across an insecure server key 2.8 Quantum Computing
medium without having an – Every session uses a different Quantum computing
encryption key? private key for the exchange • Computers based on quantum
• Out-of-band key exchange • PFS requires more computing physics
– Don’t send the symmetric key power – This is not an upgrade to your
over the ‘net – Not all servers choose to use PFS existing computer
– Telephone, courier, in-person, • The browser must support PFS – This is a new computing
etc. – Check your SSL/TLS information technology
for details • Classical mechanics
Real-time encryption/decryption – Smallest form of information is a
• There’s a need for fast security Obfuscation bit
– Bits are zeros and ones – If it’s identical, the key was not ciphertext blocks
• Quantum mechanics viewed during
– Smallest form of information is a transmission ECB (Electronic Code book)
qubit • An attacker eavesdropping on the cipher mode
– Bits are zeros, ones, and any communication would modify the Post-quantum cryptography
combination data stream • Breaks our existing encryption
in-between, at the same time – The attacker would have to mechanisms
– This is called quantum violate quantum physics – Quickly factor large prime
superposition numbers
• Search quickly through large 2.8 - Stream and Block Ciphers • This would cause significant issues
databases Stream ciphers – None of the existing cryptography
– Index everything at the same time • Encryption is done one bit or byte could be trusted
• Simulate the quantum world at a time – No financial transactions would
– Medical advances, weather – High speed, low hardware be safe
prediction, complexity – No data would be private
astrophysics, and much more • Used with symmetric encryption • Peter Shor invented Shor’s
– Not commonly used with algorithm in 1994
Post-quantum cryptography asymmetric encryption – Given an integer N, find its prime
• Breaks our existing encryption • The starting state should never be factors
mechanisms the same twice – Traditional computers would take
– Quickly factor large prime – Key is often combined with an longer than the lifetime of the
numbers initialization vector (IV) universe
• This would cause significant issues – Shor’s algorithm would
– None of the existing cryptography Block ciphers theoretically be much,
could be trusted • Encrypt fixed-length groups much faster
– No financial transactions would – Often 64-bit or 128-bit blocks • Time for updated cryptography
be safe – Pad added to short blocks – Not vulnerable to quantum
– No data would be private – Each block is encrypted or computer based attacks
• Peter Shor invented Shor’s decrypted independently • NTRU
algorithm in 1994 • Symmetric encryption – A cryptosystem using lattice
– Given an integer N, find its prime – Similar to stream ciphers theory
factors • Block cipher modes of operation – Relies on the “closest-vector”
– Traditional computers would take – Avoid patterns in the encryption problem
longer than the – Many different modes to choose – Instead of finding the prime
lifetime of the universe from factorizations of
– Shor’s algorithm would large numbers
theoretically be much, Block cipher mode of operation • We will need to consider our
much faster • Encrypt one fixed-length group of options for future cryptography
• Time for updated cryptography bits at a time – This is a problem that can be
– Not vulnerable to quantum – A block easily seen and
computer based attacks • Mode of operation addressed
• NTRU – Defines the method of encryption
– A cryptosystem using lattice – May provide a method of
theory authentication CBC (Cipher Block Chaining)
– Relies on the “closest-vector” • The block size is a fixed size • A popular mode of operation -
problem – Not all data matches the block Relatively easy to implement
– Instead of finding the prime size perfectly • Each plaintext block is XORed
factorizations of – Split your plaintext into smaller with the previous ciphertext block
large numbers blocks – Adds additional randomization
Quantum communication – Some modes require padding – Use an initialization vector for the
• Protect against eavesdropping before encrypting first block
using quantum
cryptography ECB (Electronic Code Book) CTR (Counter)
– Quantum Key Distribution (QKD) • The simplest encryption mode • Block cipher mode / acts like a
• Create unbreakable encryption – Too simple for most use cases stream cipher – Encrypts successive
– Send a random stream of qubits • Each block is encrypted with the values of a “counter”
(the key) across a quantum network same key • Plaintext can be any size, since it’s
channel – Identical plaintext blocks create part of the XOR i.e., 8 bits at a time
• Both sides can verify the key identical
(streaming) instead of a 128-bit • Obfuscation • Longevity
block – Modern malware – A specific cryptographic
– Encrypted data hides the active technology can become less secure
GCM (Galois/Counter Mode) malware code over time
• Encryption with authentication – Decryption occurs during – Smaller keys are easier to brute
– Authentication is part of the block execution force, larger keys take long er to
mode • Authentication process
– Combines Counter Mode with – Password hashing – Key retirement is a good best
– Galois authentication – Protect the original password practice
• Minimum latency, minimum – Add salt to randomize the stored • Predictability and entropy
operation overhead password hash – Random numbers are critical for
– Very efficient encryption and • Non-Repudiation secure cryptography
authentication – Confirm the authenticity of data – Hardware random number
• Commonly used in packetized – Digital signature provides both generators can
data integrity be predictable
– Network traffic security (wireless, and non-repudiation – A passphrase needs to be
IPsec) appropriately random
– SSH, TLS 2.8 - Cryptography Limitations • Key reuse
– Reusing the same key reduces
2.8 - Blockchain Technology Finding the balance complexity
Blockchain • Cryptography isn’t a perfect – Less cost and effort to recertify
• A distributed ledger solution keys
– Keep track of transactions – It can have significant limitations – Less administrative overhead
• Everyone on the blockchain • Not all implementations are the – If the key is compromised,
network maintains the ledger same everything using that key is at risk
– Records and replicates to anyone – Different platforms, different – IoT devices often have keys
and everyone cryptographic options embedded in the firmware
• Many practical applications • Cryptography can’t fix bad • Resource vs. security constraints
– Payment processing technique – IoT devices have limited CPU,
– Digital identification – Hashing easily guessed passwords memory, and power
– Supply chain monitoring without a salt – Real-time applications can’t delay
– Digital voting • Every situation is different – Difficult to maintain and update
– Do your homework security components
2.8 - Cryptography Use Cases
Finding the balance Limitations 3.1 - Secure Protocols
• Low power devices • Speed Voice and video
– Mobile devices, portable systems – Cryptography adds overhead • SRTP
– Smaller symmetric key sizes – A system needs CPU, CPU needs – Secure Real-Time Transport
– Use elliptic curve cryptography power Protocol / Secure RTP
(ECC) for – More involved encryption • Adds security features to RTP
asymmetric encryption increases the load – Keep conversations private
• Low latency • Size • Encryption
– Fast computation time – Typical block ciphers don’t – Uses AES to encrypt the
– Symmetric encryption, smaller increase the size of voice/video flow
key sizes encrypted data • Authentication, integrity, and
• High resiliency – AES block size is 128 bits/16 bytes replay protection
– Larger key sizes – Encrypting 8 bytes would – HMAC-SHA1 - Hash-based
– Encryption algorithm quality potentially double the storage size message authentication code using
– Hashing provides data integrity • Weak keys SHA1
– Larger keys are generally more
Use cases difficult to brute force Time synchronization
• Confidentiality – The weak IV in RC4 resulted in the • Classic NTP has no security
– Secrecy and privacy WEP security issues features
– Encryption (file-level, drive-level, • Time – Exploited as amplifiers in DDoS
email) – Encryption and hashing takes attacks
• Integrity time – NTP has been around prior to
– Prevent modification of data – Larger files take longer 1985
– Validate the contents with hashes – Asymmetric is slower than • NTPsec
– File downloads, password storage symmetric – Secure network time protocol
– Began development in June of – Resuming interrupted transfers, – DNS records are signed with a
2015 directory listings, remote file trusted third party
• Cleaned up the code base removal – Signed DNS records are published
– Fixed a number of vulnerabilities in DNS
LDAP (Lightweight Directory
Email Access Protocol) Routing and switching
• S/MIME • Protocol for reading and writing • SSH - Secure Shell
– Secure/Multipurpose Internet directories over an IP network – Encrypted terminal
Mail Extensions – An organized set of records, like a communication
– Public key encryption and digital phone directory • SNMPv3 - Simple Network
signing • X.500 specification was written by – Management Protocol version 3
of mail content the International – Confidentiality - Encrypted data
– Requires a PKI or similar Telecommunications Union (ITU) – Integrity - No tampering of data
organization of keys – They know directories! – Authentication - Verifies the
• Secure POP and Secure IMAP • DAP ran on the OSI protocol stack source
– Use a STARTTLS extension to – LDAP is lightweight, and uses • HTTPS
encrypt POP3 with SSL or use IMAP TCP/IP – Browser-based management
with SSL • LDAP is the protocol used to – Encrypted communication
• SSL/TLS query and update an X.500
– If the mail is browser based, directory Network address allocation
always encrypt with SSL – Used in Windows Active • Securing DHCP
Directory, – DHCP does not include any built-
Web Apple OpenDirectory, OpenLDAP, in security
• SSL/TLS etc. – There is no “secure” version of
– Secure Sockets Layer/Transport the DHCP protocol
Layer Security Directory services • Rogue DHCP servers
• HTTPS • LDAP (Lightweight Directory – In Active Directory, DHCP servers
– HTTP over TLS / HTTP over SSL / Access Protocol) must be authorized
HTTP Secure • LDAPS (LDAP Secure) – Some switches can be configured
• Uses public key encryption – A non-standard implementation with
– Private key on the server of LDAP over SSL “trusted” interfaces
– Symmetric session key is • SASL (Simple Authentication and – DHCP distribution is only allowed
transferred using Security Layer) from
asymmetric encryption – Provides authentication using trusted interfaces
– Security and speed many different – Cisco calls this DHCP Snooping
methods, i.e., Kerberos or client – DHCP client DoS - Starvation
IPSec (Internet Protocol Security) certificate attack
• Security for OSI Layer 3 – Use spoofed MAC addresses to
– Authentication and encryption for Remote access exhaust the DHCP pool
every packet • SSH (Secure Shell) – Switches can be configured to
• Confidentiality and integrity/anti- – Encrypted terminal limit the number of MAC addresses
replay communication per interface
– Encryption and packet signing – Replaces Telnet (and FTP) – Disable an interface when
• Very standardized – Provides secure terminal multiple MAC addresses are seen
– Common to use multi-vendor communication and
implementations file transfer features Subscription services
• Two core IPSec protocols • Automated subscriptions
– Authentication Header (AH) Domain name resolution – Anti-virus / Anti-malware
– Encapsulation Security Payload • DNS had no security in the signature updates
(ESP) original design – IPS updates
– Relatively easy to poison a DNS – Malicious IP address databases /
File transfer • DNSSEC Firewall updates
• FTPS – Domain Name System Security • Constant updates
– FTP over SSL (FTP-SSL) Extensions – Each subscription uses a different
– File Transfer Protocol Secure • Validate DNS responses update method
– This is not SFTP – Origin authentication • Check for encryption and integrity
• SFTP – Data integrity checks
– SSH File Transfer Protocol • Public key cryptography – May require an additional public
– Provides file system functionality key configuration
– Set up a trust relationship medical records – Buffer overflows, registry
– Certificates, IP addresses • Stop the data before the attacker updates, writing files to the
3.2 - Endpoint Protection gets it Windows folder
The endpoint – Data “leakage” – Access to non-encrypted data
• The user’s access - Applications • So many sources, so many
and data destinations 3.2 - Boot Integrity
• Stop the attackers - Inbound – Often requires multiple solutions Hardware root of trust
attacks, outbound attacks – Endpoint clients • Security is based on trust
• Many different platforms - – Cloud-based systems – Is your data safely encrypted?
Mobile, desktop – Email, cloud storage, – Is this web site legitimate?
• Protection is multi-faceted - collaboration tools – Has the operating system been
Defense in depth infected?
Next-generation firewall (NGFW) • The trust has to start somewhere
Anti-virus and anti-malware • The OSI Application Layer - All – Trusted Platform Module (TPM),
• Anti-virus is the popular term data in every packet – Hardware Security Module (HSM)
– Refers specifically to a type of • Can be called different names – Designed to be the hardware root
malware – Application layer gateway of the trust
– Trojans, worms, macro viruses – Stateful multilayer inspection, • Difficult to change or avoid
• Malware refers to the broad deep packet inspection – It’s hardware
malicious • Broad security controls – Won’t work without the
software category – Allow or disallow application hardware
– Anti-malware stops spyware, features
ransomware, – Identify attacks and malware Trusted Platform Module (TPM)
fileless malware – Examine encrypted data • A specification for cryptographic
• The terms are effectively the – Prevent access to URLs or URL functions
same these days categories – Hardware to help with encryption
– The names are more of a functions
marketing tool Host-based firewall • Cryptographic processor
– Anti-virus software is also anti- • Software-based firewall – Random number generator, key
malware software now – Personal firewall, runs on every generators
– Make sure your system is using endpoint • Persistent memory
– a comprehensive solution • Allow or disallow incoming or – Comes with unique keys burned
outgoing in during production
Endpoint detection and response application traffic • Versatile memory
(EDR) – Control by application process – Storage keys, hardware
• A different method of threat – View all data configuration information
protection • Identify and block unknown • Password protected
– Scale to meet the increasing processes – No dictionary attacks
number of threats – Stop malware before it can start
• Detect a threat • Manage centrally Boot integrity
– Signatures aren’t the only • The attack on our systems is
detection tool Finding intrusions constant
– Behavioral analysis, machine • Host-based Intrusion Detection – Techniques are constantly
learning, System (HIDS) changing
process monitoring – Uses log files to identify intrusions • Attackers compromise a device
– Lightweight agent on the – Can reconfigure firewalls to block – And want it to stay compromised
endpoint • Host-based Intrusion Prevention • The boot process is a perfect
• Investigate the threat System (HIPS) infection point
– Root cause analysis – Recognize and block known – Rootkits run in kernel mode
• Respond to the threat attacks – Have the same rights as the
– Isolate the system, quarantine the – Secure OS and application configs, operating system
threat, rollback to a previous config validate • Protecting the boot process is
– API driven, no user or technician incoming service requests important
intervention required – Often built into endpoint – Secure boot, trusted boot, and
protection software measured boot
Data Loss Prevention (DLP) • HIPS identification – A chain of trust
• Where’s your data? – Signatures, heuristics, behavioral
– Social Security numbers, credit UEFI BIOS Secure Boot
card numbers, • Secure Boot
– Part of the UEFI specification 3.2 - Database Security • This slows things down the brute
• UEFI BIOS protections Database security force process
– BIOS includes the manufacturer’s • Protecting stored data – It doesn’t completely stop the
public key – And the transmission of that data reverse engineering
– Digital signature is checked during • Intellectual property storage
a BIOS update – Data is valuable 3.2 - Application Security
– BIOS prevents unauthorized • Compliance issues Secure coding concepts
writes to the flash – PCI DSS, HIPAA, GDPR, etc. • A balance between time and
• Secure Boot verifies the • Keep the business running quality
bootloader – Security provides continuity • Programming with security in
– Checks the bootloader’s digital • Breaches are expensive - Keep mind is often secondary
signature costs low • Testing, testing, testing
– Bootloader must be signed with a • The Quality Assurance (QA)
trusted certificate Tokenization process
– Or a manually approved digital • Replace sensitive data with a non- • Vulnerabilities will eventually be
signature sensitive placeholder found
– SSN 266-12-1112 is now 691-61- • And exploited
Trusted Boot 8539
• Bootloader verifies digital • Common with credit card Input validation
signature of the OS kernel processing • What is the expected input?
– A corrupted kernel will halt the – Use a temporary token during • Validate actual vs. expected
boot process payment • Document all input methods
• The kernel verifies all of the other – An attacker capturing the card • Forms, fields, type
startup components numbers • Check and correct all input
– Boot drivers, startup files can’t use them later (normalization)
• Just before loading the drivers, • This isn’t encryption or hashing • A zip code should be only X
– ELAM (Early Launch Anti- – The original data and token aren’t characters long
Malware) starts mathematically related with a letter in the X column
– Checks every driver to see if it’s – No encryption overhead • Fix any data with improper input
trusted • The fuzzers will find what you
– Windows won’t load an untrusted Hashing a password missed • Don’t give them an
driver • Hashes represent data as a fixed- opening
length string of text
Measured Boot – A message digest, or “fingerprint” Dynamic analysis (fuzzing)
• Nothing on this computer has • Will not have a collision • Send random input to an
changed (hopefully) application
– There have been no malware – Different inputs will not have the • Fault-injecting, robustness
infections same hash testing,
– How do you know? • One-way trip syntax testing, negative testing
• Easy when it’s just your computer – Impossible to recover the original • Looking for something out of the
– More difficult when there are message ordinary • Application crash, server
1,000 from the digest error, exception
• UEFI stores a hash of the – A common way to store • 1988 class project at the
firmware, boot drivers, and passwords University of Wisconsin
everything else loaded during the • “Operating System Utility
Secure Boot and Adding some salt Program Reliability”
– Trusted Boot process • Salt • Professor Barton Miller
– Stored in the TPM – Random data added to a • The Fuzz Generator
• Remote attestation password when hashing
– Device provides an operational • Every user gets their own random Fuzzing engines and frameworks
report to a salt • Many different fuzzing options
verification server – The salt is commonly stored with • Platform specific, language
– Encrypted and digitally signed the password specific, etc.
with the TPM • Rainbow tables won’t work with • Very time and processor resource
• Attestation server receives the salted hashes heavy
boot report – Additional random value added to • Many, many different iterations
– Changes are identified and the original to try
managed password • Many fuzzing engines use high-
probability tests
• Carnegie Mellon Computer • Developer signs the code with • Remove the potential for all
• Emergency Response Team their private key known vulnerabilities
(CERT) • For internal apps, use your own – As well as the unknown
• CERT Basic Fuzzing Framework CA • Some hardening may have
(BFF) compliance mandates
• https://professormesser.link/bff Allow list / deny list – HIPAA servers, PCI DSS, etc.
• Any application can be dangerous • There are many different
Secure cookies • Vulnerabilities, trojan horses, resources
• Cookies malware – Center for Internet Security (CIS)
• Information stored on your • Security policy can control app – Network and Security Institute
computer by the execution (SANS)
browser • Allow list, deny/block list – National Institute of Standards
• Used for tracking, personalization, • Allow list and Technology (NIST)
session • Nothing runs unless it’s approved
management - Very restrictive Open ports and services
• Not executable, not generally a • Deny list • Every open port is a possible
security risk • Nothing on the “bad list” can be entry point
• Unless someone gets access to executed – Close everything except required
them • Anti-virus, anti-malware ports
• Secure cookies have a Secure • Control access with a firewall
attribute set Examples of allow and deny lists – NGFW would be ideal
• Browser will only send it over • Decisions are made in the • Unused or unknown services
HTTPS operating system – Installed with the OS or from
• Sensitive information should not • Often built-in to the operating other applications
be saved in a cookie system management • Application • Applications with broad port
• This isn’t designed to be secure hash ranges
storage • Only allows applications with this – Open port 0 through 65,535
unique identifier • Certificate • Use Nmap or similar port scanner
HTTP secure headers • Allow digitally signed apps from to verify
• An additional layer of security certain publishers – Ongoing monitoring is important
• Add these to the web server • Path - Only run applications in
configuration these folders Registry
• You can’t fix every bad application • Network zone • The primary configuration
• Enforce HTTPS communication • The apps can only run from this database for Windows
• Ensure encrypted communication network zone – Almost everything can be
• Only allow scripts, stylesheets, or configured from the registry
images from Static code analyzers • Useful to know what an
the local site • Static Application Security Testing application modifies
• Prevent XSS attacks (SAST) – Many third-party tools can show
• Prevent data from loading into an • Help to identify security flaws registry changes
inline frame • Many security vulnerabilities • Some registry changes are
(iframe) found easily important security settings
• Also helps to prevent XSS attacks • Buffer overflows, database – Configure registry permissions
injections, etc. – Disable SMBv1
Code signing • Not everything can be identified
• An application is deployed through analysis Disk encryption
• Users run application executable • Authentication security, insecure • Prevent access to application data
or scripts • So many security cryptography, etc. files
questions • Don’t rely on automation for – File system encryption
• Has the application been modified everything • Full disk encryption (FDE)
in any way? • Still have to verify each finding – Encrypt everything on the drive
• Can you confirm that the • False positives are an issue – BitLocker, FileVault, etc.
application was written by a specific • Self-encrypting drive (SED)
developer? 3.2 - Application Hardening – Hardware-based full disk
• The application code can be Static code analyzer results encryption
digitally signed by the developer Application hardening – No operating system software
• Asymmetric encryption • Minimize the attack surface needed
• A trusted CA signs the developer’s – Remove all possible entry points • Opal storage specification
public key – The standard for of SED storage
 – Mandated segmentation (PCI
Operating system hardening Load balancer compliance)
• Many and varied • Configurable load – Makes change control much
– Windows, Linux, iOS, Android, et – Manage across servers easier
al. • TCP offload
• Updates – Protocol overhead Physical segmentation
– Operating system updates/service • SSL offload • Devices are physically separate -
packs, – Encryption/Decryption Air gap between Switch A and
security patches • Caching Switch B
• User accounts – Fast response • Must be connected to provide
– Minimum password lengths and • Prioritization communication
complexity – QoS – Direct connect, or another switch
– Account limitations • Content switching or router
• Network access and security – Application-centric balancing • Web servers in one rack -
– Limit network access Database servers on another
• Monitor and secure Scheduling • Customer A on one switch,
– Anti-virus, anti-malware • Round-robin customer B on another
– Each server is selected in turn – No opportunity for mixing data
Patch management • Weighted round-robin • Separate devices
• Incredibly important – Prioritize the server use – Multiple units, separate
– System stability, security fixes • Dynamic round-robin infrastructure
• Monthly updates – Monitor the server load and
– Incremental (and important) distribute to the server with the Logical segmentation with
• Third-party updates lowest use VLANs
– Application developers, device • Active/active load balancing • Virtual Local Area Networks
drivers (VLANs)
• Auto-update - Not always the Affinity – Separated logically instead of
best option • Affinity physically
• Emergency out-of-band updates – A kinship, a likeness – Cannot communicate between
– Zero-day and important security • Many applications require VLANs without
discoveries communication to the same a Layer 3 device / router
instance
Sandboxing – Each user is “stuck” to the same Screened subnet
• Applications cannot access server • Previously known as the
unrelated resources – Tracked through IP address or demilitarized zone (DMZ)
– They play in their own sandbox session IDs – An additional layer of security
• Commonly used during – Source affinity / sticky session / between
development session persistence the Internet and you
– Can be a useful production – Public access to public resources
technique Active/passive load balancing
• Used in many different • Some servers are active Extranet
deployments – Others are on standby • A private network for partners
– Virtual machines • If an active server fails, the – Vendors, suppliers
– Mobile devices passive server takes its place • Usually requires additional
– Browser iframes (Inline Frames) authentication
– Windows User Account Control 3.3 - Network Segmentation – Only allow access to authorized
(UAC) Segmenting the network users
• Physical, logical, or virtual
3.3 - Load Balancing segmentation Intranet
Balancing the load – Devices, VLANs, virtual networks • Private network - Only available
• Distribute the load • Performance internally
– Multiple servers – High-bandwidth applications • Company announcements,
– Invisible to the end-user • Security important documents, other
• Large-scale implementations – Users should not talk directly to company business
– Web server farms, database database servers – Employees only
farms – The only applications in the core • No external access
• Fault tolerance are SQL and SSH – Internal or VPN access only
– Server outages have no effect • Compliance
– Very fast convergence East-west traffic
• Traffic flows within a data center (usually light) VPN client – Guarantees the data origin
– Important to know where traffic – Across many operating systems (authentication)
starts and ends • On-demand access from a remote – Prevents replay attacks (sequence
• East-west device – Software connects to a numbers)
– Traffic between devices in the VPN concentrator
same data center • Some software can be configured Encapsulation Security Payload
– Relatively fast response times as always-on (ESP)
• North-south traffic • Encrypts and authenticates the
– Ingress/egress to an outside AH (Authentication Header) tunneled data
device • Data integrity – Commonly uses SHA-2 for hash,
– A different security posture than • Origin authentication AES for encryption
east-west traffic • Replay attack protection – Adds a header, a trailer, and an
• Keyed-hash mechanism Integrity Check Value
Zero-trust • No confidentiality/encryption • Combine with Authentication
• Many networks are relatively Header (AH) for integrity and
open on the inside ESP (Encapsulating Security authentication of the outer header
– Once you’re through the firewall, Payload)
there are few security controls • Data confidentiality (encryption) IPsec Transport mode and
• Zero trust is a holistic approach to • Limited traffic flow confidentiality Tunnel mode
network security • Data integrity • Tunnel mode is the most common
– Covers every device, every • Anti-replay protection – Transport mode may not even be
process, every person an option
• Everything must be verified AH and ESP
– Nothing is trusted • Combine the data integrity of AH HTML5 VPNs
– Multifactor authentication, with the confidentiality of ESP • Hypertext Markup Language
encryption, system permissions, version 5
additional firewalls, monitoring and L2TP – The language commonly used in
• Layer 2 Tunneling Protocol web browsers
analytics, etc.
– Connecting sites over a layer 3 • Includes comprehensive API
network as if they were connected support
3.3 - Virtual Private Networks
VPNs at layer 2 – Application Programming
• Virtual Private Networks • Commonly implemented with Interface
– Encrypted (private) data IPsec – Web cryptography API
traversing a public network – L2TP for the tunnel, IPsec for the • Create a VPN tunnel without a
• Concentrator encryption separate VPN application
– Encryption/decryption access – L2TP over IPsec (L2TP/IPsec) – Nothing to install
device • Use an HTML5 compliant browser
IPSec (Internet Protocol Security) – Communicate directly to the VPN
– Often integrated into a firewall
• Security for OSI Layer 3 concentrator
• Many deployment options
– Authentication and encryption for
– Specialized cryptographic
every packet 3.3 - Port Security
hardware
• Confidentiality and integrity/anti- Port security
– Software-based options available
replay • There’s a lot of security that
• Used with client software
– Encryption and packet signing happens at the
– Sometimes built into the OS
• Very standardized physical switch interface
– Common to use multi-vendor – Often the first and last point of
SSL VPN (Secure Sockets Layer
VPN) implementations transmission
• Uses common SSL/TLS protocol • Two core IPSec protocols • Control and protect
(tcp/443) – Authentication Header (AH) – Limit overall traffic
– (Almost) No firewall issues! – Encapsulation Security Payload – Control specific traffic types
• No big VPN clients (ESP) – Watch for unusual or unwanted
– Usually remote access Authentication Header (AH) traffic
• Hash of the packet and a shared • Different options are available
communication
key – Manage different security issues
• Authenticate users
– SHA-2 is common
– No requirement for digital
– Adds the AH to the packet header Broadcasts
certificates or shared
• This doesn’t provide encryption • Send information to everyone at
passwords (like IPSec)
– Provides data integrity (hash) once
• Can be run from a browser or
from a
– One frame or packet, received by – This shouldn’t happen - • A query to a known-malicious
everyone Workstations don’t send BPDUs address can identify infected
– Every device must examine the systems
broadcast DHCP Snooping – And prevent further exploitation
• Limited scope - The broadcast • IP tracking on a layer 2 device • Content filtering
domain (switch) – Prevent DNS queries to unwanted
• Routing updates, ARP requests - – The switch is a DHCP firewall or
Can add up quickly – Trusted: Routers, switches, DHCP suspicious sites
• Malicious software or a bad NIC servers
– Not always normal traffic – Untrusted: Other computers, Out-of-band management
• Not used in IPv6 unofficial DHCP servers • The network isn’t available
– Focus on multicast • Switch watches for DHCP – Or the device isn’t accessible from
conversations the network
Broadcast storm control – Adds a list of untrusted devices to • Most devices have a separate
• The switch can control broadcasts a table management interface
– Limit the number of broadcasts • Filters invalid IP and DHCP – Usually a serial connection / USB
per second information • Connect a modem
• Can often be used to control – Static IP addresses – Dial-in to manage the device
multicast and unknown unicast – Devices acting as DHCP servers • Console router / comm server
traffic – Other invalid traffic patterns – Out-of-band access for multiple
– Tight security posture devices
• Manage by specific values or by MAC filtering – Connect to the console router,
percentage • Media Access Control then choose
– Or the changeover normal traffic – The “hardware” address where you want to go
patterns • Limit access through the physical
hardware address The need for QoS
Loop protection – Keeps the neighbors out • Many different devices
• Connect two switches to each – Additional administration with – Desktop, laptop, VoIP phone,
other visitors mobile devices
– They’ll send traffic back and forth • Easy to find working MAC • Many different applications
forever addresses through wireless LAN – Mission critical applications,
– There’s no “counting” analysis streaming video,
mechanism at the MAC layer – MAC addresses can be spoofed streaming audio
• This is an easy way to bring down – Free open-source software • Different apps have different
a network • Security through obscurity network requirements
– And somewhat difficult to – Voice is real-time
troubleshoot 3.3 - Secure Networking – Recorded streaming video has a
– Relatively easy to resolve Domain Name Resolution buffer
• IEEE standard 802.1D to prevent • DNS had no security in the – Database application is interactive
loops in bridged (switched) original design • Some applications are “more
networks (1990) – Relatively easy to poison a DNS important” than others
– Created by Radia Perlman • DNSSEC – Voice traffic needs to have
– Used practically everywhere – Domain Name System Security priority over YouTube
Extensions
BPDU Guard • Validate DNS responses QoS (Quality of Service)
• Spanning tree takes time to – Origin authentication • Prioritize traffic performance
determine if a switch port should – Data integrity – Voice over IP traffic has priority
forward frames • Public key cryptography over web-browsing
– Bypass the listening and learning – DNS records are signed with a – Prioritize by maximum
states trusted third party bandwidth, traffic rate,
– Cisco calls this PortFast – Signed DNS records are published VLAN, etc.
• BPDU (Bridge Protocol Data Unit) in DNS • Quality of Service
– The spanning tree control – Describes the process of
protocol Using a DNS for security controlling traffic flows
• If a BPDU frame is seen on a • Stop end users from visiting • Many different methods
PortFast configured interface (i.e., a dangerous sites – Across many different topologies
workstation), shut down the – The DNS resolves to a sinkhole
interface address IPv6 security is different
• More IP address space
– More difficult to IP/port scan (but – Home, office, and in your Next-generation firewall (NGFW)
not impossible) operating system • The OSI Application Layer
– The tools already support IPv6 • Control the flow of network traffic – All data in every packet
• No need for NAT – Everything passes through the • Can be called different names
– NAT is not a security feature firewall – Application layer gateway
• Some attacks disappear • Corporate control of outbound – Stateful multilayer inspection
– No ARP, so no ARP spoofing and inbound data – Deep packet inspection
• New attacks will appear – Sensitive materials • Requires some advanced decodes
– For example, Neighbor Cache • Control of inappropriate content – Every packet must be analyzed
Exhaustion – Not safe for work, parental and categorized before a security
• IPsec built in / IPsec ready controls decision is determined
• Protection against evil
Taps and port mirrors – Anti-virus, anti-malware NGFWs
• Intercept network traffic • Network-based Firewalls
– Send a copy to a packet capture Network-based firewalls – Control traffic flows based on the
device • Filter traffic by port number or application
• Physical taps application – Microsoft SQL Server, Twitter,
– Disconnect the link, put a tap in – Traditional vs. NGFW firewalls YouTube
the middle • Encrypt traffic - VPN between • Intrusion Prevention Systems
– Can be an active or passive tap sites – Identify the application
• Port mirror • Most firewalls can be layer 3 – Apply application-specific
– Port redirection, SPAN (Switched devices (routers) vulnerability signatures to the
Port Analyzer) – Often sits on the ingress/egress of traffic
– Software-based tap the network • Content filtering
– Limited functionality, but can – Network Address – URL filters
work well in a pinch – Translation (NAT) functionality – Control website traffic by
– Authenticate dynamic routing category
Monitoring services communication
• Constant cybersecurity Web application firewall (WAF)
monitoring Stateless firewall • Not like a “normal” firewall
– Ongoing security checks • Does not keep track of traffic – Applies rules to HTTP/HTTPS
– A staff of cybersecurity experts at flows conversations
a – Each packet is individually • Allow or deny based on expected
Security Operations Center (SoC) examined, regardless of past input
• Identify threats history – Unexpected input is a common
– A broad range of threats across – Traffic sent outside of an active method of
many different session will exploiting an application
organizations traverse a stateless firewall • SQL injection
• Respond to events – Add your own commands to an
– Faster response time Stateful firewall application’s
• Maintain compliance • Stateful firewalls remember the SQL query
– Someone else ensures PCI DSS, “state” of the session • A major focus of Payment Card
HIPAA compliance, etc. – Everything within a valid flow is Industry
allowed – Data Security Standard (PCI DSS)
FIM (File Integrity Monitoring)
• Some files change all the time UTM / All-in-one security Firewall rules
– Some files should NEVER change appliance • Access control lists (ACLs)
• Monitor important operating • Unified Threat Management – Allow or disallow traffic based on
system and application files (UTM) / tuples
– Identify when changes occur • Web security gateway – Groupings of categories
• Windows - SFC (System File • URL filter / Content inspection – Source IP, Destination IP, port
Checker) • Malware inspection number, time of day, application,
• Linux - Tripwire • Spam filter etc.
• Many host-based IPS options • CSU/DSU • A logical path
• Router, Switch – Usually top-to-bottom
3.3 - Firewalls • Firewall • Can be very general or very
The universal security control • IDS/IPS specific
• Standard issue • Bandwidth shaper – Specific rules are usually at the
• VPN endpoint top
• Implicit deny – Is it running anti-virus? Which • Most proxies in use are
– Most firewalls include a deny at one? Is it updated? application proxies
the bottom – Are the corporate applications • The proxy understands the way
– Even if you didn’t put one installed? the application works
– Is it a mobile device? • A proxy may only know one
Firewall characteristics – Is the disk encrypted? application
• Open-source vs. proprietary – The type of device doesn’t matter • HTTP
– Open-source provides traditional - Windows, Mac, Linux, iOS, • Many proxies are multipurpose
firewall functionality Android proxies
– Proprietary features include • HTTP, HTTPS, FTP, etc.
application control and high-speed Health checks/posture assessment
hardware • Persistent agents Forward Proxy
• Hardware vs. software – Permanently installed onto a • An “internal proxy”
– Purpose-built hardware provides system • Commonly used to protect and
efficient and – Periodic updates may be required control user access to the Internet
flexible connectivity options • Dissolvable agents
– Software-based firewalls can be – No installation is required Open Proxy
installed – Runs during the posture • A third-party, uncontrolled proxy
almost anywhere assessment • Can be a significant security
• Appliance vs. host-based vs. – Terminates when no longer concern
virtual required • Often used to circumvent existing
– Appliances provide the fastest • Agentless NAC security controls
throughput – Integrated with Active Directory
– Host-based firewalls are – Checks are made during login and Reverse Proxy
application-aware and can view logoff • Inbound traffic from the Internet
non-encrypted data – Can’t be scheduled to your
– Virtual firewalls provide valuable internal service
East/West Failing your assessment
network security • What happens when a posture 3.3 - Intrusion Prevention
assessment fails? NIDS and NIPS
3.3 - Network Access Control – Too dangerous to allow access • Intrusion Detection System /
Edge vs. access control • Quarantine network, notify – Intrusion Prevention System
• Control at the edge administrators – Watch network traffic
– Your Internet link – Just enough network access to fix • Intrusions
– Managed primarily through the issue – Exploits against operating
firewall rules • Once resolved, try again systems,
– Firewall rules rarely change – May require additional fixes applications, etc.
• Access control – Buffer overflows, cross-site
– Control from wherever you are - 3.3 - Proxies scripting, other
Inside or outside vulnerabilities
– Access can be based on many Proxies • Detection vs. Prevention
rules • Sits between the users and the – Detection – Alarm or alert
– By user, group, location, external network – Prevention – Stop it before it gets
application, etc. • Receives the user requests and into
– Access can be easily revoked or sends the request the network
changed on their behalf (the proxy)
– Change your security posture at • Useful for caching information, Passive monitoring
any time access control, • Examine a copy of the traffic
URL filtering, content scanning – Port mirror (SPAN), network tap
Posture assessment • Applications may need to know • No way to block (prevent) traffic
• You can’t trust everyone’s how to use the proxy (explicit)
computer • Some proxies are invisible Out-of-band-response
– BYOD (Bring Your Own Device) (transparent) • When malicious traffic is
– Malware infections / missing anti- identified,
malware Application proxies – IPS sends TCP RST (reset) frames
– Unauthorized applications • One of the simplest “proxies” is – After-the-fact
• Before connecting to the NAT – Limited UDP response available
network, perform a health check • A network-level proxy
Inline monitoring
– Is it a trusted device?
• IDS/IPS sits physically inline authentication logs, web server – Message Integrity Check (MIC)
– All traffic passes through the access logs, database transaction with
IDS/IPS logs, email logs – Galois Message Authentication
• Collectors Code (GMAC)
In-band response
• Malicious traffic is immediately 3.4 - Cryptography The WPA2 PSK problem
identified Securing a wireless network • WPA2 has a PSK brute-force
– Dropped at the IPS • An organization’s wireless problem
– Does not proceed through the network can contain confidential – Listen to the four-way handshake
network information – Some methods can derive the PSK
– Not everyone is allowed access hash without the handshake
Identification technologies • Authenticate the users before – Capture the hash
• Signature-based granting access • With the hash, attackers can
– Look for a perfect match – Who gets access to the wireless brute force the
• Anomaly-based network? pre-shared key (PSK)
– Build a baseline of what’s – Username, password, multi- • This has become easier as
“normal” factor authentication technology improves
• Behavior-based • Ensure that all communication is – A weak PSK is easier to brute
– Observe and report confidential force
• Heuristics – Encrypt the wireless data – GPU processing speeds
– Use artificial intelligence to • Verify the integrity of all – Cloud-based password cracking
identify communication • Once you have the PSK, you have
– The received data should be everyone’s
3.3 - Other Network Appliances identical to the wireless key
Hardware Security Module original sent data – There’s no forward secrecy
(HSM) – A message integrity check (MIC)
• High-end cryptographic hardware SAE
– Plug-in card or separate hardware Wireless encryption • WPA3 changes the PSK
device • All wireless computers are radio authentication process
• Key backup transmitters and receivers – Includes mutual authentication
– Secured storage – Anyone can listen in – Creates a shared session key
• Cryptographic accelerators • Solution: Encrypt the data - without sending that key across the
– Offload that CPU overhead from Everyone has an encryption key network
other devices • Only people with the right key can – No more four-way handshakes,
• Used in large environments transmit and listen no hashes,
Clusters, redundant power – WPA2 and WPA3 no brute force attacks
– Adds perfect forward secrecy
Jump server WPA2 and CCMP • Simultaneous Authentication of
• Access secure network zones • Wi-Fi Protected Access II (WPA2) Equals (SAE)
– Provides an access mechanism to – WPA2 certification began in 2004 – A Diffie-Hellman derived key
a protected network • CCMP block cipher mode exchange with an authentication
• Highly-secured device – Counter Mode with Cipher Block component
– Hardened and monitored Chaining – Everyone uses a different session
• SSH / Tunnel / VPN to the jump – Message Authentication Code key, even with the same PSK
server Protocol, or – An IEEE standard - the dragonfly
– RDP, SSH, or jump from there – Counter/CBC-MAC Protocol handshake
• A significant security concern • CCMP security services
– Compromise to the jump server is – Data confidentiality with AES 3.4 - Wireless Authentication
a significant breach – Message Integrity Check (MIC) Methods
with CBC-MAC Wireless authentication methods
Sensors and collectors • Gain access to a wireless network
• Aggregate information from WPA3 and GCMP – Mobile users
network devices • Wi-Fi Protected Access 3 (WPA3) - – Temporary users
– Built-in sensors, separate devices Introduced in 2018 • Credentials
– Integrated into switches, routers, • GCMP block cipher mode – Shared password / pre-shared key
servers, firewalls, etc. – Galois/Counter Mode Protocol (PSK)
• Sensors – A stronger encryption than WPA2 – Centralized authentication
– Intrusion prevention systems, • GCMP security services (802.1X)
firewall logs, – Data confidentiality with AES • Configuration
– Part of the wireless network – It was built wrong from the IEEE 802.1X and EAP
connection beginning • Supplicant – The client
– Prompted during the connection • PIN is an eight-digit number • Authenticator
process – Really seven digits and a – The device that provides access
checksum • Authentication server
Wireless security modes – Seven digits, 10,000,000 possible – Validates the client credentials
• Configure the authentication on combinations
your wireless • The WPS process validates each EAP-FAST
access point / wireless router half of the PIN • EAP Flexible Authentication via
• Open System – First half, 4 digits. Second half, 3 Secure Tunneling
– No password is required digits. – Authentication server (AS) and
• WPA3-Personal / WPA3-PSK – First half, 10,000 possibilities, supplicant share a protected access
– WPA3 with a pre-shared key second half, 1,000 possibilities credential (PAC) (shared secret)
– Everyone uses the same key • It takes about four hours to go • Supplicant receives the PAC
– Unique WPA3 session key is through all of them • Supplicant and AS mutually
derived from the PSK using SAE – Most devices never considered a authenticate and
(Simultaneous Authentication of lockout function negotiate a Transport Layer
Equals) – Brute force lockout features are Security (TLS) tunnel
• WPA3-Enterprise / WPA3-802.1X now the norm • User authentication occurs over
– Authenticates users individually the TLS tunnel
with an 3.4 - Wireless Authentication • Need a RADIUS server
authentication server (i.e., RADIUS) Protocols – Provides the authentication
Wireless authentication database and
Captive Portal • We’ve created many EAP-FAST services
• Authentication to a network - authentication methods
Common on wireless networks through the years PEAP
• Access table recognizes a lack of – A network administrator has • Protected Extensible
authentication many choices • Use a username Authentication Protocol
– Redirects your web access to a and password – Protected EAP
captive portal page – Other factors can be included – Created by Cisco, Microsoft, and
• Username / password - And • Commonly used on wireless RSA Security
additional authentication factors networks – Also works on wired • Also encapsulates EAP in a TLS
• Once proper authentication is networks tunnel
provided, the – AS uses a digital certificate
web session continues EAP instead of a PAC
– Until the captive portal removes • Extensible Authentication – Client doesn’t use a certificate
your access Protocol (EAP) • User authenticates with
– An authentication framework MSCHAPv2
Using WPS • Many different ways to – Authenticates to Microsoft’s MS-
• Wi-Fi Protected Setup authenticate based on CHAPv2 databases
– Originally called Wi-Fi Simple RFC standards • User can also authenticate with a
Config – Manufacturers can build their GTC
• Allows “easy” setup of a mobile own EAP methods – Generic Token Card, hardware
device • EAP integrates with 802.1X token generator
– A passphrase can be complicated – Prevents access to the network
to a novice until the EAP-TLS
• Different ways to connect authentication succeeds • EAP Transport Layer Security
– PIN configured on access point – Strong security, wide adoption
must be entered on the mobile IEEE 802.1X – Support from most of the industry
device • IEEE 802.1X • Requires digital certificates on the
– Push a button on the access point – Port-based Network Access AS and
– Near-field communication - Control (NAC) all other devices
– Bring the mobile device close to – You don’t get access to the – AS and supplicant exchange
the access point network until you certificates for
authenticate mutual authentication
The WPS hack • Used in conjunction with an – TLS tunnel is then built for the
• December 2011 - WPS has a access database user
design flaw – RADIUS, LDAP, TACACS+ authentication process
• Relatively complex • Potential interference – Conversation between two
implementation • Built-in tools devices
– Need a public key infrastructure • 3rd-party tools • Connections between buildings
(PKI) • Spectrum analyzer – Point-to-point network links
– Must deploy and manage • Wi-Fi repeaters
certificates to Wireless packet analysis – Extend the length of an existing
all wireless clients • Wireless networks are incredibly network
– Not all devices can support the easy to monitor
use of digital certificates – Everyone “hears” everything Point-to-multipoint
• You have to be quiet • One of the most popular
EAP-TTLS – You can’t hear the network if communication methods 802.11
• EAP Tunneled Transport Layer you’re busy transmitting wireless
Security – Support other • Some network drivers won’t • Does not imply full connectivity
authentication protocols in a TLS capture wireless information between nodes
tunnel • Requires a digital – You’ll need specialized
certificate on the AS – Does not adapters/chipsets and drivers Cellular networks
require digital certificates on every • View wireless-specific information • Mobile devices
device – Signal-to-noise ratio, channel – “Cell” phones
– Builds a TLS tunnel using this information, etc. • Try it yourself! - • Separate land into “cells”
digital certificate • Use any https://www.wireshark.org – Antenna coverages a cell with
authentication method inside the certain frequencies
TLS tunnel Channel selection and overlaps • Security concerns
– Other EAPs • Overlapping channels – Traffic monitoring
– MSCHAPv2 – Frequency conflicts - use non- – Location tracking
– Anything else overlapping channels – Worldwide access to a mobile
– Automatic or manual device
RADIUS Federation configurations
• Use RADIUS with federation Wi-Fi
– Members of one organization can Access point placement • Local network access
authenticate to the network of • Minimal overlap – Local security problems
another organization – Maximize coverage, minimize the • Same security concerns as other
– Use their normal credentials number of access points Wi-Fi devices
• Use 802.1X as the authentication • Avoid interference • Data capture
method – Electronic devices (microwaves) – Encrypt your data!
– And RADIUS on the backend - EAP – Building materials • On-path attack
to authenticate – Third-party wireless networks – Modify and/or monitor data
• Driven by eduroam (education • Signal control • Denial of service
roaming) – Place APs where the users are – Frequency interference
– Educators can use their normal – Avoid excessive signal distance
authentication when visiting a Bluetooth
different campus Wireless infrastructure security • High speed communication over
– https://www.eduroam.org/ • Wireless controllers short distances
3.4 - Installing Wireless Networks – Centralized management of – PAN (Personal Area Network)
Site surveys wireless access points • Connects our mobile devices
• Determine existing wireless – Manage system configuration and – Smartphones, tethering, headsets
landscape performance and
– Sample the existing wireless • Securing wireless controllers headphones, health monitors,
spectrum – Control access to management automobile and
• Identify existing access points console phone integration, smartwatches,
– You may not control all of them – Use strong encryption with HTTPS external speakers
• Work around existing frequencies – Automatic logout after no activity
– Layout and plan for interference • Securing access points RFID (Radio-frequency
• Plan for ongoing site surveys – Use strong passwords identification)
– Things will certainly change – Update to the latest firmware • It’s everywhere
• Heat maps - Identify wireless – Access badges
signal strengths 3.5 - Mobile Networks – Inventory/Assembly line tracking
Point-to-point – Pet/Animal identification
Wireless survey tools • One-to-one connection – Anything that needs to be tracked
• Signal coverage • Radar technology
– Radio energy transmitted to the • Created by the U.S. Department – Cloud-based storage (Box, Office
tag of Defense 365)
– RF powers the tag, ID is – Over 30 satellites currently in • Data sent from the mobile device
transmitted back orbit – DLP (Data Loss Prevention)
– Bidirectional communication • Precise navigation prevents copy/paste of sensitive
– Some tag formats can be – Need to see at least 4 satellites data
active/powered • Determines location based on – Ensure data is encrypted on the
timing differences mobile device
Near field communication (NFC) – Longitude, latitude, altitude • Managed from the mobile device
• Two-way wireless communication • Mobile device location services manager (MDM)
– Builds on RFID and geotracking
• Payment systems – Maps, directions Remote wipe
– Google wallet, Apple Pay – Determine physical location • Remove all data from your mobile
• Bootstrap for other wireless based on GPS, device
– NFC helps with Bluetooth pairing – WiFi, and cellular towers – Even if you have no idea where it
• Access token, identity “card” is
– Short range with encryption 3.5 - Mobile Device Management – Often managed from the MDM
support Mobile Device Management • Connect and wipe from the web
(MDM) – Nuke it from anywhere
NFC security concerns • Manage company-owned and • Need to plan for this
• Remote capture user-owned mobile devices – Configure your mobile device now
– It’s a wireless network – BYOD - Bring Your Own Device • Always have a backup
– 10 meters for active devices • Centralized management of the – Your data can be removed at any
• Frequency jamming - Denial of mobile devices time
service – Specialized functionality – As you are walking out the door
• Relay / Replay attack - Man in the • Set policies on apps, data,
middle camera, etc. Geolocation
• Loss of RFC device control - – Control the remote device • Precise tracking details - Tracks
Stolen/lost phone – The entire device or a “partition” within feet
• Manage access control • Can be used for good (or bad)
IR (Infrared) – Force screen locks and PINs on – Find your phone, find you
• Included on many smartphones, these single user devices • Most phones provide an option to
tablets, and smartwatches disable
– Not really used much for printing Application management – Limits functionality of the phones
• Control your entertainment • Managing mobile apps are a • May be managed by the MDM
center challenge
– Almost exclusively IR – Mobile devices install apps Geofencing
• File transfers are possible constantly • Some MDMs allow for geofencing
• Other phones can be used to • Not all applications are secure – Restrict or allow features when
control your IR devices – And some are malicious the device is in a particular area
– Android malware is a rapidly • Cameras
USB (Universal Serial Bus) growing security concern – Might only work when outside
• Physical connectivity to your • Manage application use through the office
mobile device allow lists • Authentication
– USB to your computer – Only approved applications can – Only allow logins when the device
– USB, Lightning, or proprietary on be installed is located in a particular area
your phone – Managed through the MDM
• Physical access is always a • A management challenge Screen lock
concern – New applications must be • All mobile devices can be locked
– May be easier to gain access than checked and added – Keep people out of your data
over a remote connection • Simple passcode or strong
• A locked device is relatively Content management passcode
secure • Mobile Content Management – Numbers vs. Alphanumeric
– Always auto-lock (MCM) • Fail too many times?
• Mobile phones can also exfiltrate – Secure access to data, protect – Erase the phone
– Phone can appear to be a USB data from outsiders • Define a lockout policy
storage device • File sharing and viewing – Create aggressive lockout timers
– On-site content (Microsoft – Completely lock the phone
Global Positioning System (GPS) Sharepoint, file servers)
Push notification services • Combine multiple contexts • Secure storage
• Information appears on the – Where you normally login (IP – Protect private keys -
mobile device screen address Cryptocurrency storage
– The notification is “pushed” to – Where you normally frequent
your device (GPS information) Unified Endpoint Management
• No user intervention – Other devices that may be paired (UEM)
– Receive notifications from one (Bluetooth, etc.) • Manage mobile and non-mobile
app when using a completely • And others devices
different app – An emerging technology – An evolution of the Mobile Device
• Control of displayed notifications – Another way to keep data safe Manager (MDM)
can be • End users use different types of
managed from the MDM Containerization devices
– Or notifications can be pushed • Difficult to separate personal – Their use has blended together
from the MDM from business • Applications can be used across
– Especially when the device is different platforms
Passwords and PINs BYOD – Work on a laptop and a
• The universal help desk call – Owned by the employee smartphone
– I need to reset my password • Separate enterprise mobile apps • All of these devices can be used
• Mobile devices use multiple and data from anywhere
authentication methods – Create a virtual “container” for – User’s don’t stay in one place
– Password/passphrase, PINs, company data
patterns – A contained area - limit data Mobile Application Management
• Recovery process can be initiated sharing (MAM)
from the – Storage segmentation keeps data • Provision, update, and remove
separate apps
MDM • Easy to manage offboarding – Keep everyone running at the
– Password reset option is provided – Only the company information is correct version
on the deleted • Create an enterprise app catalog
mobile device – Personal data is retained – Users can choose and install the
– “What is the name of your – Keep your pictures, video, music, apps they need
favorite car maiden email, etc. • Monitor application use
cat’s color?” – Apps used on a device, devices
• MDM also has full control Full device encryption with unauthorized apps
– Completely remove all security • Scramble all of the data on the • Remotely wipe application data
controls mobile device – Securely manage remote data
– Not the default or best practice – Even if you lose it, the contents
are safe SEAndroid
Biometrics • Devices handle this in different • Security Enhancements for
• You are the authentication factor ways Android
– Fingerprint, face – Strongest/stronger/strong ? – SELinux (Security-Enhanced Linux)
• May not be the most secure • Encryption isn’t trivial in the Android OS
authentication factor – Uses a lot of CPU cycles – Supports access control security
– Useful in some environments – Complex integration between policies
– Completely forbidden in others hardware • A project from the US National
• Availability is managed through and software Security Agency (NSA)
the MDM • Don’t lose or forget your – Based on the NSA’s SELinux
– Organization determines the password! • Addresses a broad scope of
security of the device – There’s no recovery system security
• Can be managed per-app – Often backed up on the MDM – Kernel, userspace, and policy
– Some apps require additional configuration
biometric 3.5 - Mobile Device Security • Enabled by default with Android
authentication MicroSD HSM version 4.3
• Shrink the PCI Express – July 2013
Context-aware authentication – Hardware Security Module - Now – Protect privileged Android system
• Who needs 2FA? in a microSD card form daemons
– The attackers can get around • Provides security services – Prevent malicious activity
anything – Encryption, key generation, digital • Change from Discretionary Access
• Authentication can be contextual signatures, Control (DAC) to Mandatory Access
– If it walks like a duck… authentication Control (MAC)
– Move from user-assigned control constantly changing - Similar to a – No computer required, only a
to object labels and minimum user desktop computer cable
access • Updates are provided over the air • The mobile device can be both a
– Isolates and sandboxes Android (OTA) host and a device
apps – No cable required – Read from an external device,
• Centralized policy configuration • Security patches or entire then act as
– Manage Android deployments operating system updates a storage device itself
– Significant changes without – No need for a third-party storage
3.5 - Mobile Device Enforcement connecting the device device
Third-party app stores • This may not be a good thing • A USB 2.0 standard - Commonly
• Centralized app clearinghouses – The MDM can manage what OTA seen on Android devices
– Apple App Store updates are allowed • Extremely convenient
– Google Play – From a security perspective, it’s
• Not all applications are secure Camera use too convenient
– Vulnerabilities, data leakage • Cameras are controversial
• Not all applications are – They’re not always a good thing Recording microphone
appropriate for business use – Corporate espionage, • Audio recordings
– Games, instant messaging, etc. inappropriate use – There are microphones on every
• MDM can allow or deny app store • Almost impossible to control on mobile device
use. the device • Useful for meetings and note
– No good way to ensure the taking
Rooting/jailbreaking camera won’t be used – A standard for college classes
• Mobile devices are purpose-built • Camera use can be controlled by • A legal liability
systems the MDM – Every state has different laws
– You don’t need access to the – Always disabled – Every situation is different
operating system – Enabled except for certain • Disable or geo-fence - Manage
• Gaining access - Android - Rooting locations (geo-fencing) from the MDM
/ Apple iOS - Jailbreaking
• Install custom firmware SMS/MMS Geotagging / GPS tagging
– Replaces the existing operating • Short Message Service / • Your phone knows where you are
system Multimedia Messaging Service – Location Services, GPS
• Uncontrolled access – Text messages, video, audio • Adds your location to document
– Circumvent security features, • Control of data can be a concern metadata
sideload apps without using an app – Outbound data leaks, financial – Longitude, latitude - Photos,
store disclosures videos, etc.
– The MDM becomes relatively – Inbound notifications, phishing • Every document may contain
useless attempts geotagged information
• MDM can enable or disable – You can track a user quite easily
Carrier unlocking SMS/MMS • This may cause security concerns
• Most phones are locked to a – Or only allow during certain – Take picture, upload to social
carrier timeframes or locations media
– You can’t use an AT&T phone on
Verizon External media WiFi Direct/ad hoc
– Contract with a carrier subsidizes • Store data onto external or • We’re so used to access points
the cost of the phone removable drives – SSID configurations
• You can unlock the phone – SD flash memory or USB/lightning • The wireless standard includes an
– If your carrier allows it drives ad hoc mode
– A carrier lock may be illegal in • Transfer data from flash – Connect wireless devices directly
your country – Connect to a computer to retrieve – Without an access point
• Security revolves around • This is very easy to do • WiFi Direct simplifies the process
connectivity – Limit data written to removable – Easily connect many devices
– Moving to another carrier can drives together
circumvent the MDM – Or prevent the use of them from – Common to see in home devices
– Preventing a SIM unlock may not the MDM • Simplicity can aid vulnerabilities
be possible on a personal device – Invisible access to important
USB OTG devices
Firmware OTA updates • USB On-The-Go - Connect devices
• The operating system of a mobile directly together Hotspot/tethering
device is
• Turn your phone into a WiFi • CYOD - Choose Your Own Device – Who gets access, what they get
hotspot – Similar to COPE, but with the access to
– Your own personal wireless user’s choice of device • Map job functions to roles
router – Combine users into groups
– Extend the cellular data network Corporate owned • Provide access to cloud resources
to all of your devices • The company owns the device – Set granular policies - Group, IP
• Dependent on phone type and – And controls the content on the address, date and time
provider device • Centralize user accounts,
– May require additional charges • The device is not for personal use synchronize across all platforms
and data costs – You’ll need to buy your own
• May provide inadvertent access device for home Secrets management
to an internal network • Very specific security • Cloud computing includes many
– Ensure proper security / passcode requirements secrets
– Not able to mix business with – API keys, passwords, certificates
Payment methods home use • This can quickly become
• Send small amounts of data overwhelming
wirelessly over VDI/VMI – Difficult to manage and protect
a limited area (NFC) • Virtual Desktop Infrastructure / • Authorize access to the secrets
– Built into your phone Virtual Mobile – Limit access to the secret service
– Payment systems, transportation, Infrastructure • Manage an access control policy
in-person – The apps are separated from the – Limit users to only necessary
information exchange mobile device secrets
• A few different standards – The data is separated from the • Provide an audit trail
– Apple Pay, Android Pay, Samsung mobile device – Know exactly who accesses
Pay • Data is stored securely, secrets and when
• Bypassing primary authentication centralized
would allow payment • Physical device loss - Risk is Integration and auditing
– Use proper security - or disable minimized • Integrate security across multiple
completely • Centralized app development platforms
– Write for a single VMI platform – Different operating systems and
3.5 - Mobile Deployment Models • Applications are managed applications
BYOD centrally • Consolidate log storage and
• Bring Your Own Device / Bring – No need to update all mobile reporting
Your Own Technology devices – Cloud-based Security Information
• Employee owns the device and Event
– Need to meet the company’s 3.6 - Cloud Security Controls Management (SIEM)
requirements HA across zones • Auditing - Validate the security
• Difficult to secure • Availability zones (AZ) controls
– It’s both a home device and a – Isolated locations within a cloud – Verify compliance with financial
work device region (geographical location) and user data
– How is data protected? – AZ commonly spans across
– What happens to the data when a multiple regions 3.6 - Securing Cloud Storage
device is – Each AZ has independent power, Cloud storage
sold or traded in? HVAC, and networking • Data is on a public cloud
• Build applications to be highly – But may not be public data
COPE available (HA) • Access can be limited
• Corporate owned, personally – Run as active/standby or – And protected
enabled active/active • Data may be required in different
– Company buys the device – Application recognizes an outage geographical locations
– Used as both a corporate device and moves to the other AZ – A backup is always required
and a personal device • Use load balancers to provide • Availability is always important
• Organization keeps full control of seamless HA – Data is available as the cloud
the device – Users don’t experience any changes?
– Similar to company-owned application issues
laptops and desktops Permissions
• Information is protected using Resource policies • A significant cloud storage
corporate policies • Identity and access management concern
– Information can be deleted at any (IAM) – One permission mistake can
time cause a data breach
– Accenture, Uber, US Department • A cloud contains virtual devices
of Defense – Servers, databases, storage 3.6 - Securing Compute Clouds
• Public access devices Compute cloud instances
– Should not usually be the default • Virtual switches, virtual routers • The IaaS component for the cloud
• Many different options – Build the network from the cloud computing
– Identity and Access Management console environment
(IAM) – The same configurations as a – Amazon Elastic Compute Cloud
– Bucket policies physical device (EC2)
– Globally blocking public access • The network changes with the – Google Compute Engine (GCE)
– Don’t put data in the cloud unless rest of the infrastructure – Microsoft Azure Virtual Machines
it really – On-demand • Manage computing resources
needs to be there – Rapid elasticity – Launch a VM or container
– Allocate additional resources
Encryption Public and private subnets – Disable/remove a VM or
• Cloud data is more accessible • Private cloud container
than non-cloud data – All internal IP addresses
– More access by more people – Connect to the private cloud over Security groups
• Server-side encryption a VPN • A firewall for compute instances
– Encrypt the data in the cloud – No access from the Internet – Control inbound and outbound
– Data is encrypted when stored on • Public cloud traffic flows
disk – External IP addresses • Layer 4 port number
• Client-side encryption – Connect to the cloud from – TCP or UDP port
– Data is already encrypted when anywhere • Layer 3 address
it’s sent to the cloud • Hybrid cloud – Individual addresses
– Performed by the application – Combine internal cloud resources – CIDR block notation
• Key management is critical with external – IPv4 or IPv6
– May combine both public and
Replication private subnets Dynamic resource allocation
• Copy data from one place to • Provision resources when they
another Segmentation are needed
– Real-time data duplication in • The cloud contains separate VPCs, – Based on demand - Provisioned
multiple locations containers, automatically
• Disaster recovery, high availability and microservices • Scale up and down
– Plan for problems – Application segmentation is – Allocate compute resources
– Maintain uptime if an outage almost guaranteed where and
occurs • Separation is a security when they are needed
– Hot site for disaster recovery opportunity – Rapid elasticity
• Data analysis – Data is separate from the – Pay for only what’s used
– Analytics, big data analysis application • Ongoing monitoring
• Backups – Add security systems between – If CPU utilization hits a particular
– Constant duplication of data application threshold, provision a new
components application instance
3.6 - Securing Cloud Networks • Virtualized security technologies
Cloud Networks – Web Application Firewall (WAF) Instance awareness
• Connect cloud components – Next-Generation Firewall (NGFW) • Granular security controls
– Connectivity within the cloud • Intrusion Prevention System (IPS) – Identify and manage very specific
– Connectivity from outside the data flows
cloud API inspection and integration – Each instance of a data flow is
• Users communicate to the cloud • Microservice architecture is the different
– From the public Internet underlying application engine • Define and set policies
– Over a VPN tunnel – A significant security concern – Allow uploads to the corporate
• Cloud devices communicate • API calls can include risk box.com file share
between each other – Attempts to access critical data • Corporate file shares can contain
– Cloud-based network – Geographic origin PII
– East/west and north/south – Unusual API calls • Any department can upload to
communication • API monitoring the
– No external traffic flows – View specific API queries corporate file share
– Monitor incoming and outgoing – Deny certain uploads to a
Virtual networks data personal box.com file share
• Allow graphics files • Threat prevention – Integrated and supported by the
• Deny any spreadsheet – Allow access by authorized users, cloud provider
• Deny files containing credit card prevent attacks – Many configuration options
numbers • Data security – Security is part of the
• Quarantine the file and send an – Ensure that all data transfers are infrastructure
alert encrypted – No additional costs
– Protect the transfer of PII with • Third-party solutions
Virtual private cloud endpoints DLP – Support across multiple cloud
• Microservice architecture is the providers
VPC gateway endpoints Application security – Single pane of glass
– Allow private cloud subnets to • Secure cloud-based applications – Extend policies outside the scope
communicate to other cloud – Complexity increases in the cloud of the cloud provider
services • Application misconfigurations – More extensive reporting
• Keep private resources private – One of the most common security
– Internet connectivity not required issues 3.7 - Identity Controls
• Add an endpoint to connect VPC – Especially cloud storage Identity provider (IdP)
resources • Authorization and access • Who are you?
– Controls should be strong enough – A service needs to vouch for you
Container security for access – Authentication as a Service
• Containers have similar security from anywhere • A list of entities
concerns as any other application • API security - Attackers will try to – Users and devices
deployment method exploit interfaces and APIs • Commonly used by SSO
– Bugs, insufficient security applications or an
controls, misconfigurations Next-Gen Secure Web Gateway authentication process
• Use container-specific operating (SWG) – Cloud-based services need to
systems • Protect users and devices know who you are
– A minimalist OS designed for – Regardless of location and activity • Uses standard authentication
containers • Go beyond URLs and GET methods
• Group container types on the requests – SAML, OAuth, OpenID Connect,
same host – Examine the application API etc.
– The same purpose, sensitivity, – Dropbox for personal use or
and threat posture corporate use? Attributes
– Limit the scope of any intrusion • Examine JSON strings and API • An identifier or property of an
requests entity
3.6 - Cloud Security Solutions – Allow or disallow certain activities – Provides identification
Cloud access security broker • Instance-aware security • Personal attributes
(CASB) – A development instance is – Name, email address, phone
• Clients are at work, data is in the different than production number, Employee ID
cloud • Other attributes
– How do you keep everything 3.6 - Cloud Security Solutions – Department name, job title, mail
secure? (continued) stop
– The organization already has well- Firewalls in the cloud • One or more attributes can be
defined • Control traffic flows in the cloud used for identification
security policies – Inside the cloud and external – Combine them for more detail
• How do you make your security flows
policies • Cost Certificates
work in the cloud? – Relatively inexpensive compared • Digital certificate - Assigned to a
– Integrate a CASB to appliances person or device
– Implemented as client software, – Virtual firewalls • Binds the identity of the
local security – Host-based firewalls certificate owner to a
appliances, or cloud-based security • Segmentation public and private key
solutions – Between microservices, VMs, or – Encrypt data, create digital
• Visibility VPCs signatures
– Determine what apps are in use • OSI layers • Requires an existing public-key
– Are they authorized to use the – Layer 4 (TCP/UDP), Layer 7 infrastructure (PKI)
apps? (Application) – The Certificate Authority (CA) is
• Compliance the trusted entity
– Are users complying with HIPAA? Security controls – The CA digitally signs the
PCI? • Cloud-native security controls certificates
 – No way to know exactly who was – Scheduled password changes
Tokens and cards working
• Smart card – Difficult to determine the proper 3.7 - Account Policies
– Integrates with devices - may privileges Account policies
require a PIN • Password management becomes • Control access to an account
• USB token - Certificate is on the difficult – It’s more than just username and
USB device – Password changes require password
notifying everyone – Determine what policies are best
SSH keys – Difficult to remember so many for an organization
• Secure Shell (SSH) - Secure password changes • The authentication process
terminal communication – Just write it down on this yellow – Password policies, authentication
• Use a key instead of username sticky paper factor policies, other considerations
and password • Best practice: Don’t use these • Permissions after login - Another
– Public/private keys - Critical for accounts line of defense
automation Guest accounts
• Key management is critical • Access to a computer for guests Perform routine audits
– Centralize, control, and audit key – No access to change settings, • Is everything following the policy?
use modify applications, view other – You have to police yourself
• SSH key managers - Open source, user’s files, and more • It’s amazing how quickly things
Commercial – Usually no password can change
• This brings significant security – Make sure the routine is
SSH key-based authentication challenges scheduled
• Create a public/private key pair – Access to the userspace is one • Certain actions can be
– ssh-keygen step closer to an exploit automatically identified
• Copy the public key to the SSH • Must be controlled – Consider a tool for log analysis
server – Not the default - Removed from
– ssh-copy-id user@host Windows 10 build 10159 Auditing
• Try it out • Permission auditing
– ssh user@host Service accounts – Does everyone have the correct
– No password prompt! • Used exclusively by services permissions?
running on a computer – Some Administrators don’t need
3.7 - Account Types – No interactive/user access to be there
User accounts (ideally) – Scheduled recertification
• An account on a computer – Web server, database server, etc. • Usage auditing - How are your
associated with a • Access can be defined for a resources used?
specific person specific service – Are your systems and applications
– The computer associates the user – Web server rights and secure?
with a specific identification permissions will be different than a
number database server Password complexity and length
• Storage and files can be private to • Commonly use usernames and • Make your password strong -
that user passwords Resist brute-force attack
– Even if another person is using – You’ll need to determine the best • Increase password entropy
the same policy for – No single words, no obvious
computer password updates passwords
• No privileged access to the • What’s the name of your dog?
operating system Privileged accounts – Mix upper and lower case and use
– Specifically not allowed on a user • Elevated access to one or more special characters
account systems • Don’t replace a o with a 0, t with
• This is the account type most – Administrator, Root a7
people will use • Complete access to the system • Stronger passwords are at least 8
– Your user community – Often used to manage hardware, characters
drivers, and – Consider a phrase or set of words
Shared and generic accounts software installation • Prevent password reuse
• Shared account • This account should not be used – System remembers password
– Used by more than one person for normal history, requires
– Guest login, anonymous login administration unique passwords
• Very difficult to create an audit – User accounts should be used
trail • Needs to be highly secured Account lockout and disablement
– Strong passwords, 2FA
• Too many incorrect passwords – Passwords are still important – Questions are based on an
will cause a lockout identity verification service
– Prevents online brute force Password vaults – What was your street number
attacks • Password managers when you lived in Pembroke Pines,
– This should be normal for most – All passwords in one location Florida?
user accounts – A database of credentials
– This can cause big issues for • Secure storage 3.8 - PAP and CHAP
service accounts – All credentials are encrypted PAP (Password Authentication
• You might want this – Cloud-based synchronization Protocol)
• Disabling accounts options • A basic authentication method
– Part of the normal change process • Create unique passwords – Used in legacy operating systems
– You don’t want to delete – Passwords are not the same – Rare to see singularly used
accounts across sites • PAP is in the clear
• At least not initially • Personal and enterprise options – Weak authentication scheme
• May contain important – Corporate access – Non-encrypted password
decryption keys exchange
Trusted Platform Module (TPM) – We didn’t require encryption on
Location-based policies • A specification for cryptographic analog dialup lines
• Network location functions – The application would need to
– Identify based on IP subnet – Hardware to help with all of this provide any encryption
– Can be difficult with mobile encryption stuff
devices • Cryptographic processor CHAP
• Geolocation - determine a user’s – Random number generator, key • Challenge-Handshake
location generators Authentication Protocol
– GPS - mobile devices, very • Persistent memory – Encrypted challenge sent over the
accurate – Comes with unique keys burned network
– 802.11 wireless, less accurate in • Three-way handshake
– IP address, not very accurate during production – After link is established, server
• Geofencing • Versatile memory sends a challenge
– Automatically allow or restrict – Storage keys, hardware – Client responds with a password
access when the user is in a configuration information hash calculated from the challenge
particular location • Password protected and the password
– Don’t allow this app to run unless – No dictionary attacks – Server compares received hash
you’re near the office with stored hash
• Geotagging Hardware Security Module • Challenge-Response continues
– Add location metadata to a (HSM) – Occurs periodically during the
document or file • High-end cryptographic hardware connection
– Latitude and longitude, distance, – Plug-in card or separate hardware – User never knows it happens
time stamps device
• Location-based access rules • Key backup MS-CHAP
– Your IP address is associated with – Secured storage • Microsoft’s implementation of
an IP block in Russia • Cryptographic accelerators CHAP
– We don’t have an office in Russia – Offload that CPU overhead from – Used commonly on Microsoft’s
– You were in Colorado Springs an other devices – Point-to-Point Tunneling Protocol
hour ago • Used in large environments (PPTP)
– Permission not granted – Clusters, redundant powers – MS-CHAP v2 is the more recent
• Time-based access rules version
– Nobody needs to access the lab at Knowledge-based authentication • Security issues related to the use
(KBA) of DES
3 AM
• Use personal knowledge as an – Relatively easy to brute force the
authentication factor 256 possible keys to decrypt the
3.8 - Authentication Management
– Something you know NTLM hash
Password keys
• Static KBA – Don’t use MS-CHAP!
• Hardware-based authentication
– Pre-configured shared secrets – Consider L2TP, IPsec, 802.1X or
– Something you have
– Often used with account recovery some other secure authentication
• Helps prevent unauthorized logins
– What was the make and model of method
and
your first car?
account takeovers
• Dynamic KBA 3.8 - Identity Access Services
– The key must be present to login
• Doesn’t replace other factors
RADIUS (Remote Authentication – Cryptographic tickets – And the degree of the trust
Dial-in User Service) • No constant username and
• One of the more common AAA password input! Security Assertion Markup
protocols – Save time Language (SAML)
– Supported on a wide variety of • Only works with Kerberos • Open standard for authentication
platforms and devices – Not everything is Kerberos- and authorization
– Not just for dial-in friendly – You can authenticate through a
• Centralize authentication for • There are many other SSO third-party to gain access
users methods – One standard does it all, sort of
– Routers, switches, firewalls, – Smart-cards, SAML, etc. • Not originally designed for mobile
server authentication, remote VPN apps
access, 802.1X network access RADIUS, TACACS+, or – This has been SAML’s largest
• RADIUS services available on Kerberos? roadblock
almost any server OS • Three different ways to
communicate to an OAuth
TACACS authentication server • Authorization framework
• Terminal Access Controller – More than a simple login process – Determines what resources a user
– Access-Control System • Often determined by what is at will be
– Remote authentication protocol hand able to access
– Created to control access to dial- – VPN concentrator can talk to a • Created by Twitter, Google, and
up lines to ARPANET RADIUS server many others
• XTACACS (Extended TACACS) – We have a RADIUS server – Significant industry support
– A Cisco-created (proprietary) • TACACS+ • Not an authentication protocol
version of TACACS – Probably a Cisco device – OpenID Connect handles the
– Additional support for accounting • Kerberos single sign-on
and auditing – Probably a Microsoft network authentication
• TACACS+ – OAuth provides authorization
– The latest version of TACACS, not IEEE 802.1X between applications
backwards • IEEE 802.1X • Relatively popular
compatible – Port-based Network Access – Used by Twitter, Google,
– More authentication requests and Control (NAC) Facebook,
response codes – You don’t get access to the – LinkedIn, and more
– Released as an open standard in network until you
1993 authenticate 3.8 - Access Control
• EAP integrates with 802.1X Access control
Kerberos – Extensible Authentication • Authorization
• Network authentication protocol Protocol – The process of ensuring only
– Authenticate once, trusted by the – 802.1X prevents access to the authorized
system network until the authentication rights are exercised
– No need to re-authenticate to succeeds • Policy enforcement
everything • Used in conjunction with an – The process of determining rights
– Mutual authentication - the client access database • Policy definition
and the server – RADIUS, LDAP, TACACS+ • Users receive rights based on
– Protect against on-path or replay – Access Control models
attacks 3.8 - Federated Identities – Different business needs or
• Standard since the 1980s Federation mission requirements
– Developed by the Massachusetts • Provide network access to others
Institute of – Not just employees - Partners, Mandatory Access Control
Technology (MIT) suppliers, customers, etc. (MAC)
• Microsoft starting using Kerberos – Provides SSO and more • The operating system limits the
in Windows 2000 • Third-parties can establish a operation on an object
– Based on Kerberos 5.0 open federated network – Based on security clearance levels
standard – Authenticate and authorize • Every object gets a label
– Compatible with other operating between the two – Confidential, secret, top secret,
systems and devices organizations etc.
– Login with your Facebook • Labeling of objects uses
SSO with Kerberos credentials predefined rules
• Authenticate one time • The third-parties must establish a – The administrator decides who
– Lots of backend ticketing trust relationship gets access to
what security level • The rule is associated with the – Extensive tracking and auditing
– Users cannot change these object
settings – System checks the ACLs for that 3.9 - Public Key Infrastructure
object Public Key Infrastructure (PKI)
Discretionary Access Control • Rule examples • Policies, procedures, hardware,
(DAC) – Lab network access is only software, people
• Used in most operating systems available between 9 and 5 – Digital certificates: create,
– A familiar access control model – Only Chrome browsers may distribute, manage,
• You create a spreadsheet complete this web form store, revoke
– As the owner, you control who • This is a big, big, endeavor
has access File system security – Lots of planning
– You can modify access at any time • Store files and access them • Also refers to the binding of
• Very flexible access control – Hard drive, SSDs, flash drives, public keys to people or devices
– And very weak security DVDs, part of most OSs – The certificate authority
• Accessing information – It’s all about trust
Role-based access control (RBAC) – Access control list
• You have a role in your – Group/user rights and The key management lifecycle
organization permissions • Key generation
– Manager, director, team lead, – Can be centrally administered – Create a key with the requested
project manager and/or users can manage files they strength using the proper cipher
• Administrators provide access own • Certificate generation
based on the role of the user • The file system handles – Allocate a key to a user
– Rights are gained implicitly encryption and decryption • Distribution
instead of explicitly – Make the key available to the
• In Windows, use Groups to Conditional access user
provide role-based • Difficult to apply old methods of • Storage
access control authentication to new methods of – Securely store and protect against
– You are in shipping and receiving, working unauthorized use
so you can – Mobile workforce, many different • Revocation
use the shipping software devices, – Manage keys that have been
– You are the manager, so you can constantly changing cloud compromised
review shipping logs • Conditions • Expiration
– Employee or partner, location, – A certificate may only have a
Attribute-based access control type of application accessed, device certain “shelf life”
(ABAC) • Controls
• Users can have complex – Allow or block, require MFA, Digital certificates
relationships to provide limited access, require • A public key certificate
applications and data password reset – Binds a public key with a digital
– Access may be based on many • Administrators can build complex signature
different criteria access rules – And other details about the key
• ABAC can consider many – Complete control over data holder
parameters access • A digital signature adds trust
– A “next generation” authorization – PKI uses Certificate Authority for
model Privileged access management additional trust
– Aware of context (PAM) – Web of Trust adds other users for
• Combine and evaluate multiple • Managing superuser access additional trust
parameters – Administrator and Root • Certificate creation can be built
– Resource information, IP address, – You don’t want this in the wrong into the OS
time of day, desired action, hands – Part of Windows Domain services
relationship to the data, etc. • Store privileged accounts in a – 3rd-party Linux options
digital vault
Rule-based access control – Access is only granted from the Commercial certificate authorities
• Generic term for following rules vault by request • Built-in to your browser
– Conditions other than who you – These privileges are temporary – Any browser
are • PAM advantages • Purchase your web site certificate
• Access is determined through – Centralized password – It will be trusted by everyone’s
system-enforced rules management browser
– System administrators, not users – Enables automation • Create a key pair, send the public
– Manage access for each user key to the CA to be signed
– A certificate signing request (CSR) – Limit exposure to compromise different domains
• May provide different levels of – 398 day browser limit (13 • Wildcard domain
trust and months) – Certificates are based on the
additional features name of the server
– Add a new “tag” to your web site Key revocation – A wildcard domain will apply to all
• Certificate Revocation List (CRL) server names in a domain
Private certificate authorities – Maintained by the Certificate – *.professormesser.com
• You are your own CA Authority (CA)
– Build it in-house • Many different reasons Code signing certificate
– Your devices must trust the – Changes all the time • Developers can provide a level of
internal CA • April 2014 - CVE-2014-0160 trust
• Needed for medium-to-large – Heartbleed – Applications can be signed by the
organizations – OpenSSL flaw put the private key developer
– Many web servers and privacy of affected • The user’s operating system will
requirements web servers at risk examine
• Implement as part of your overall – OpenSSL was patched, every web the signature
computing strategy server – Checks the developer signature
– Windows Certificate Services, certificate was replaced – Validates that the software has
OpenCA – Older certificates were moved to not been modified
the CRL • Is it from a trusted entity?
PKI trust relationships – The user will have the
• Single CA Getting revocation details to the opportunity to stop the
– Everyone receives their browser application execution
certificates from one authority • OCSP (Online Certificate Status
• Hierarchical Protocol) Root certificate
– Single CA issues certs to – The browser can check certificate • The public key certificate that
intermediate CAs revocation identifies the root CA (Certificate
– Distributes the certificate • Messages usually sent to an OCSP Authority)
management load responder via HTTP – Everything starts with this
– Easier to deal with the revocation – Easy to support over Internet certificate
of an intermediate CA than the root links • The root certificate issues other
CA • Not all browsers/apps support certificates
OCSP – Intermediate CA certificates
Registration authority (RA) – Early Internet Explorer versions – Any other certificates
• The entity requesting the did not • This is a very important certificate
certificate needs to be verified support OCSP – Take all security precautions
– The RA identifies and – Some support OCSP, but don’t – Access to the root certificate
authenticates the requester bother checking allows for the
• Approval or rejection 3.9 - Certificates creation of any trusted certificate
– The foundation of trust in this Web server SSL certificates
model • Domain validation certificate (DV) Self-signed certificates
• Also responsible for revocations – Owner of the certificate has some • Internal certificates don’t need to
– Administratively revoked or by control over a DNS domain be signed by a public CA
request • Extended validation certificate – Your company is the only one
• Manages renewals and re-key (EV) going to use it
requests – Additional checks have verified – No need to purchase trust for
– Maintains certificates for current the certificate devices that already trust you
cert holders owner’s identity • Build your own CA
– Browsers used to show a green – Issue your own certificates signed
Important certificate attributes name on the by your own CA
• Common Name (CN) address bar • Install the CA certificate/trusted
– The FQDN (Fully Qualified – Promoting the use of SSL is now chain on all devices
– Domain Name) for the certificate outdated – They’ll now trust any certificates
• Subject alternative name • Subject Alternative Name (SAN) signed by
– Additional host names for the cert – Extension to an X.509 certificate your internal CA
– Common on web servers – Lists additional identification – Works exactly like a certificate
– professormesser.com and information you purchased
www.professormesser.com – Allows a certificate to support
• Expiration many
Machine and computer DER (Distinguished Encoding
certificates Rules) PKCS #7
• You have to manage many • Format designed to transfer • Public Key Cryptography
devices syntax for data structures Standards #7
– Often devices that you’ll never – A very specific encoding format • Cryptographic Message Syntax
physically see – Perfect for an X.509 certificate Standard
• How can you truly authenticate a • Binary format – Associated with the .p7b file
device? – Not human-readable • Stored in ASCII format
– Put a certificate on the device • A common format – Human-readable
that you signed – Used across many platforms • Contains certificates and chain
• Other business processes rely on – Often used with Java certificates certificates
the certificate – Private keys are not included in
– Access to the remote access PEM (Privacy-Enhanced Mail) a .p7b file
– VPN from authorized devices • A very common format • Wide platform support
– Management software can – BASE64 encoded DER certificate – Microsoft Windows
validate the end device – Generally the format provided by – Java Tomcat
CAs
Email certificates – Supported on many different Email certificates
• Use cryptography in an email platforms • Use cryptography in an email
platform • ASCII format platform
– You’ll need public key – Letters and numbers – You’ll need public key
cryptography – Easy to email, readable cryptography
• Encrypting emails • Encrypting emails
– Use a recipient’s public key to PKCS #12 – Use a recipient’s public key to
encrypt • Public Key Cryptography encrypt
• Receiving encrypted emails Standards #12 • Receiving encrypted emails
– Use your private key to decrypt – Personal Information Exchange – Use your private key to decrypt
• Digital signatures Syntax Standard • Digital signatures
– Use your private key to digitally – Developed by RSA Security, now – Use your private key to digitally
sign an email an RFC standard sign an email
– Non-repudiation, integrity • Container format for many – Non-repudiation, integrity
certificates
User certificates – Store many X.509 certificates in a User certificates
• Associate a certificate with a user single • Associate a certificate with a user
– A powerful electronic “id card” .p12 or .pfx file – A powerful electronic “id card”
• Use as an additional – Often used to transfer a private • Use as an additional
authentication factor and public key pair authentication factor
– Limit access without the – The container can be password – Limit access without the
certificate protected certificate
• Integrate onto smart cards • Extended from Microsoft’s .pfx • Integrate onto smart cards
– Use as both a physical and digital format – Use as both a physical and digital
access card – Personal Information Exchange access card
(PFX)
3.9 - Certificate Formats – The two standards are very 3.9 - Certificate Concepts
Certificate file formats similar Online and offline CAs
• X.509 digital certificates – Often referenced interchangeably • A compromised certificate
– The structure of the certification authority
is standardized CER (Certificate) – A very, very bad thing
– The format of the actual • Primarily a Windows X.509 file – No certificates issued by that CA
certificate file can take many extension can be trusted
different forms – Can be encoded as binary DER • Distribute the load
• There are many certificate file format or as the ASCII PEM format – Then take the root CA offline and
formats • Usually contains a public key protect it
– You can convert between many of – Private keys would be transferred
the formats in the OCSP stapling
– Use openssl or a similar .pfx file format • Online Certificate Status Protocol
application to view the certificate • Common format for Windows – Provides scalability for OCSP
contents certificates checks
– Look for the .cer extension
• The CA is responsible for • Need clear process and -Both Windows and POSIX-based –
responding to all procedures Lookup names and IP addresses –
client OCSP requests – Keys are incredibly important Deprecated (use dig instead)
– This does not scale well pieces of •dig or DiG (Domain Information
• Instead, have the certificate information Groper)
holder verify their own status • You must be able to trust your – More advanced domain
– Status information is stored on 3rd-party information
the certificate holder’s server – Access to the keys is at the – Probably your first choice
• OCSP status is “stapled” into the control of the – Install in Windows:
SSL/TLS handshake 3rd-party https://professormesser.link/
– Digitally signed by the CA • Carefully controlled conditions digwin
– Legal proceedings and court
Pinning orders ipconfig and ifconfig
• You’re communicating over • Most of your troubleshooting
TLS/SSL to a server Certificate chaining starts with your IP address
– How do you really know it’s a • Chain of trust – Ping your local router/gateway
legitimate server? – List all of the certs between the • Determine TCP/IP and network
• “Pin” the expected certificate or server adapter information
public key to an application and the root CA – And some additional IP details
– Compiled in the app or added at • The chain starts with the SSL •ipconfig – Windows TCP/IP
first run certificate configuration
• If the expected certificate or – And ends with the Root CA •ifconfig – Linux interface
public key doesn’t match, the certificate configuration
application can decide what to do • Any certificate between the SSL
– Shut down, show a message certificate Nmap
and the root certificate is a chain • Network mapper
PKI trust relationships certificate – Find and learn more about
• Single CA – Or intermediate certificate network devices
– Everyone receives their • The web server needs to be • Port scan
certificates from one authority configured with – Find devices and identify open
• Hierarchical the proper chain ports
– Single CA issues certs to – Or the end user may receive an • Operating system scan
intermediate CAs error – Discover the OS without logging
• Mesh in to a device
– Cross-certifying CAs - Doesn’t 4.1 - Reconnaissance Tools • Service scan
scale well traceroute – What service is available on a
• Web-of-trust • Determine the route a packet device?
– Alternative to traditional PKI takes to a destination Name, version, details
• Mutual Authentication – Map the entire path • Additional scripts
– Server authenticates to the client •tracert (Windows) or traceroute – Nmap Scripting Engine (NSE)
and the client authenticates to the (POSIX) • Extend capabilities, vulnerability
server • Takes advantage of ICMP Time to scans
Live Exceeded error message
Key escrow – The time in TTL refers to hops, ping
• Someone else holds your not seconds or minutes • Test reachability
decryption keys – TTL=1 is the first router, TTL=2 is – Determine round-trip time
– Your private keys are in the hands the second router, etc. – Uses Internet Control Message
of a 3rd-party • Not all devices will reply with Protocol (ICMP)
• This can be a legitimate business ICMP Time Exceeded messages • One of your primary
arrangement – Some firewalls filter ICMP troubleshooting tools
– A business might need access to – ICMP is low-priority for many – Can you ping the host?
employee devices • Written by Mike Muuss in 1983
information – The sound made by sonar
– Government agencies may need nslookup and dig – Not an acronym for Packet
to decrypt • Lookup information from DNS INternet Groper
partner data servers – A backronym
– Canonical names, IP addresses,
It’s all about the process cache timers, etc. pathping
•nslookup • Combine ping and traceroute
– Included with Windows NT and – Keep gathering information - • Many different services
later Nmap, hping, etc. – Choose the option for scan
• First phase runs a traceroute origination
– Build a map Address Resolution Protocol – Your IP is hidden as the scan
• Second phase • Determine a MAC address based source
– Measure round trip time and on an IP address
packet loss at each hop – You need the hardware address dnsenum
to communicate • Enumerate DNS information
hping •arp -a – Find host names
• TCP/IP packet assembler/analyzer – View local ARP table • View host information from DNS
– A ping that can send almost route servers
anything • View the device’s routing table – Many services and hosts are listed
• Ping a device – Find out which way the packets in DNS
– ICMP, TCP, UDP will go • Find host names in Google
– #hping3 --destport 80 10.1.10.1 • Windows: route print – More hosts can probably be
• Send crafted frames • Linux and macOS: netstat -r found in the index
– Modify all IP, TCP, UDP, and ICMP curl
values • Client URL Nessus
• A powerful tool – Retrieve data using a URL • Industry leader in vulnerability
– It’s easy to accidentally flood and – Uniform Resource Locator scanning
DoS – Web pages, FTP, emails, – Extensive support
– Be careful! databases, etc. – Free and commercial options
• Grab the raw data • Identify known vulnerabilities
netstat – Search – Find systems before they can be
• Network statistics – Parse exploited
– Many different operating systems – Automate • Extensive reporting
•netstat -a – A checklist of issues
– Show all active connections theHarvester – Filter out the false positives
•netstat -b • Gather OSINT
– Show binaries – Open-Source Intelligence Cuckoo
•netstat -n • Scrape information from Google • A sandbox for malware
– Do not resolve names or Bing – Test a file in a safe environment
– Find associated IP addresses • A virtualized environment
netcat • List of people from LinkedIn – Windows, Linux, macOS, Android
• “Read” or “write” to the network – Names and titles • Track and trace
– Open a port and send or receive • Find PGP keys by email domain – API calls, network traffic, memory
some traffic – A list of email contacts analysis
• Many different functions • DNS brute force – Traffic captures
– Listen on a port number – Find those unknown hosts; vpn, – Screenshots
– Transfer data chat, mail, partner, etc.
– Scan ports and send data to a 4.1 - File Manipulation Tools
port sn1per head
• Become a backdoor • Combine many recon tools into a • View the first part of a file
– Run a shell from a remote device single framework – The head, or beginning, of the file
• Other alternatives and OSes - – dnsenum, metasploit, nmap, – head [OPTION] … [FILE] …
Ncat theHarvester, and much more • Use -n to specify the number of
• Both non-intrusive and very lines
IP scanners intrusive scanning options – head -n 5 syslog
• Search a network for IP addresses – You choose the volume
– Locate active devices • Another tool that can cause tail
– Avoid doing work on an IP problems • View the last part of a file
address that isn’t there – Brute force, server scanning, etc – The tail, or end, or the file
• Many different techniques – Make sure you know what you’re – tail [OPTION] … [FILE] …
– ARP (if on the local subnet) doing • Use -n to specify the number of
– ICMP requests (ping) lines
– TCP ACK scanless – tail -n 5 syslog
– ICMP timestamp requests • Run port scans from a different
• A response means more recon host cat
can be done – Port scan proxy • Concatenate
– Link together in a series – Standalone executables – Identify unknown traffic
• Copy a file/files to the screen • Automate and integrate – Verify packet filtering and security
– cat file1.txt file2.txt – System administration controls
• Copy a file/files to another file – Active Domain administration • Extensive decodes
– cat file1.txt file2.txt > both.txt – View the application traffic
grep Python 4.1 - Forensic Tools
• Find text in a file • General-purpose scripting dd
– Search through many files at a language • A reference to the DD command
time – .py file extension in
•grep PATTERN [FILE] – grep • Popular in many technologies – IBM mainframe JCL (Job Control
failed auth.log – Broad appeal and support Language)
– Data Definition (ASCII to EBCDIC
chmod OpenSSL converter)
• Change mode of a file system • A toolkit and crypto library for • Create a bit-by-bit copy of a drive
object SSL/TLS – Used by many forensics tools
– r=read, w=write, x=execute – Build certificates, manage SSL/TLS • Create a disk image
– Can also use octal notation communication – dd if=/dev/sda of=/tmp/sda-
– Set for the file owner (u), the • Create X.509 certificates image.img
group(g), – Manage certificate signing • Restore from an image
others(o), or all(a) requests (CSRs) and certificate – dd if=/tmp/sda-image.img
– chmod mode FILE revocation lists (CRLs) of=/dev/sda
– chmod 744 script.sh • Message digests memdump
•chmod 744 first.txt – Support for many hashing • Copy information in system
– User; read, write execute protocols memory to the standard output
– Group; read only • Encryption and Decryption stream
– Other; read only – SSL/TLS for services – Everything that happens is in
•chmod a-w first.txt • Much more memory
– All users, no writing to first.txt – Many third-party tools can read a
•chmod u+x script.sh 4.1 - Packet Tools memory dump
– The owner of script.sh can Tcpreplay • Copy to another host across the
execute the file • A suite of packet replay utilities network
– Replay and edit packet captures – Use netcat, stunnel, openssl, etc.
logger – Open source
• Add entries to the system log • Test security devices Winhex
– syslog – Check IPS signatures and firewall • A universal hexadecimal editor for
• Adding to the local syslog file rules Windows OS
– logger “This information is • Test and tune IP Flow/NetFlow • Edit disks, files, RAM
added to syslog” devices – Includes data recovery features
• Useful for including information in – Send hundreds of thousands of • Disk cloning
a local or remote syslog file traffic flows – Drive replication
– Include as part of an automation per second • Secure wipe
script • Evaluate the performance of – Hard drive cleaning
– Log an important event security devices • Much more
– Test throughput and flows per – A full-featured forensics tool
4.1 - Shell and Script Environments second
SSH (Secure Shell) FTK imager
• Encrypted console tcpdump • Access Data forensic drive
communication - tcp/22 • Capture packets from the imaging tool
• Looks and acts the same as Telnet command line – Includes file utilities and read-only
– Display packets on the screen image mounting
Windows PowerShell – Write packets to a file – Windows executable
• Command line for system • Widely supported in many
administrators Wireshark forensics tools
– .ps1 file extension • Graphical packet analyzer – Third-party analysis
– Included with Windows 8/8.1 and – Get into the details • Support for many different file
10 • Gathers frames on the network systems and full disk
• Extend command-line functions – Or in the air encryption methods
– Uses cmdlets (command-lets) • Sometimes built into the device – Investigator still needs the
– PowerShell scripts and functions – View traffic patterns password
• Can also import other image – Malware then communicates with – Different levels of detail, different
formats external servers levels of perception
– dd, Ghost, Expert Witness, etc. • DDoS • A large amount of “volume”
– Botnet attack – Attacks are incoming all the time
Autopsy • Confidential information is stolen – How do you identify the
• Perform digital forensics of hard – Thief wants money or it goes legitimate threats?
drives, smartphones public • Incidents are almost always
– View and recover data from • User installs peer-to-peer complex
storage devices software and allows external access – Extensive knowledge needed
• Extract many different data types to internal servers
– Downloaded files Incident precursors
– Browser history and cache Roles and responsibilities • An incident might occur in the
– Email messages • Incident response team future
– Databases – Specialized group, trained and – This is your heads-up
– Much more tested • Web server log
• IT security management – Vulnerability scanner in use
Exploitation frameworks – Corporate support • Exploit announcement
• A pre-built toolkit for • Compliance officers – Monthly Microsoft patch release,
exploitations – Intricate knowledge of – Adobe Flash update
– Build custom attacks compliance rules • Direct threats
– Add more tools as vulnerabilities • Technical staff – A hacking group doesn’t like you
are found – Your team in the trenches
– Increasingly powerful utilities • User community Incident indicators
• Metasploit – They see everything • An attack is underway
– Attack known vulnerabilities – Or an exploit is successful
• The Social-Engineer Toolkit (SET) NIST SP800-61 • Buffer overflow attempt
– Spear phishing, Infectious media • National Institute of Standards – Identified by an intrusion
generator and Technology detection/prevention system
– NIST Special Publication 800-61 • Anti-virus software identifies
Password crackers Rev. 2 malware
• The keys to the kingdom – Computer Security Incident – Deletes from OS and notifies
– Find the passwords – Handling Guide administrator
• Online cracking • The incident response lifecycle: • Host-based monitor detects a
– Try username/password – Preparation configuration change
combinations – Detection and Analysis – Constantly monitors system files
• Offline cracking – Containment, Eradication, and • Network traffic flows deviate
– Brute force a hash file Recovery from the norm
• Limitations – Post-incident Activity – Requires constant monitoring
– Password complexity / strength
(entropy) Preparing for an incident Isolation and containment
– Hashing method and CPU power • Communication methods • Generally a bad idea to let things
– Graphics processors are useful – Phones and contact information run their course
hardware tools • Incident handling hardware and – An incident can spread quickly
software – It’s your fault at that point
Data sanitization – Laptops, removable media, • Sandboxes
• Completely remove data forensic software, – An isolated operating system
– No usable information remains digital cameras, etc. – Run malware and analyze the
• Many different use cases • Incident analysis resources results
– Clean a hard drive for future use – Documentation, network – Clean out the sandbox when done
– Permanently delete a single file diagrams, baselines, • Isolation can be sometimes be
• A one-way trip critical file hash values problematic
– Once it’s gone, it’s really gone • Incident mitigation software – Malware or infections can
– No recovery with forensics tools – Clean OS and application images monitor connectivity
• Policies needed for incident – When connectivity is lost,
4.2 - Incident Response Process handling everything could be
Security incidents – Everyone knows what to do deleted/encrypted/damaged
• User clicks an email attachment
and executes malware The challenge of detection Recovery after an incident
• Many different detection sources • Get things back to normal
– Remove the bad, keep the good • Test yourselves before an actual • Keeping an good ongoing
• Eradicate the bug event relationship with
– Remove malware – Scheduled update sessions customers of IT
– Disable breached user accounts (annual, semi-annual, etc.) – These can be internal or external
– Fix vulnerabilities • Use well-defined rules of customers
• Recover the system engagement – An incident response will require
– Restore from backups – Do not touch the production teamwork
– Rebuild from scratch systems – Without the stakeholder, IT
– Replace compromised files • Very specific scenario would not exist
– Tighten down the perimeter – Limited time to run the event • Most of this happens prior to an
• Evaluate response incident
Reconstitution – Document and discuss – Ongoing communication and
• A phased approach meetings
– It’s difficult to fix everything at Tabletop exercises – Exercises should include the
once • Performing a full-scale disaster customers
• Recovery may take months drill can be costly • Continues after the incident
– Large-scale incidents require a – And time consuming – Prepare for the next event
large amount of work • Many of the logistics can be
• The plan should be efficient determined through analysis Communication plan
– Start with quick, high-value – You don’t physically have to go • Get your contact list together
security changes through a – There are a lot of people in the
• Patches, firewall policy changes disaster or drill loop
– Later phases involve much • Get key players together for a • Corporate / Organization
“heavier lifting” tabletop exercise – CIO / Head of Information
• Infrastructure changes, large- – Talk through a simulated disaster Security / Internal
scale security Response Teams
rollouts Walkthrough • Internal non-IT
• Include responders – Human resources, public affairs,
Lessons learned – A step beyond a tabletop exercise legal department
• Learn and improve – Many moving parts • External contacts
– No system is perfect • Test processes and procedures – System owner, law enforcement
• Post-incident meeting before an event – US-CERT (for U.S. Government
– Invite everyone affected by the – Walk through each step agencies)
incident – Involve all groups
• Don’t wait too long – Reference actual response Disaster recovery plan
– Memories fade over time materials • If a disaster happens, IT should be
– Some recommendations can be • Identifies actual faults or missing ready
applied to the steps – Part of business continuity
next event – The walkthrough applies the planning
concepts from the tabletop exercise – Keep the organization up and
Answer the tough questions running
• What happened, exactly? Simulation • Disasters are many and varied
– Timestamp of the events • Test with a simulated event – Natural disasters
• How did your incident plans – Phishing attack, password – Technology or system failures
work? requests, data breaches – Human-created disasters
– Did the process operate • Going phishing • A comprehensive plan
successfully? – Create a phishing email attack – Recovery location
• What would you do differently – Send to your actual user – Data recovery method
next time? community – Application restoration
– Retrospective views provide – See who bites – IT team and employee availability
context • Test internal security
• Which indicators would you – Did the phishing get past the Continuity of operations planning
watch next time? filter? (COOP)
– Different precursors may give you • Test the users • Not everything goes according to
better alerts – Who clicked? plan
– Additional training may be • Disasters can cause a disruption
4.2 - Incident Response Planning required to the norm
Exercise • We rely on our computer systems
Stakeholder management • Technology is pervasive
• There needs to be an alternative – US not-for-profit based in – You’ll have to check manually to
• Manual transactions Massachusetts and Virginia see if a
• Paper receipts – Supports several U.S. government system is vulnerable
• Phone calls for transaction agencies – But the scanner gives you a
approvals • The MITRE ATT&CK framework heads-up
• These must be documented and – https://attack.mitre.org/
tested before • Determine the actions of an Vulnerability scan results
a problem occurs attacker • Lack of security controls
– Identify point of intrusion – No firewall
Incident response team – Understand methods used to – No anti-virus
• Receives, reviews, and responds move around – No anti-spyware
– A predefined group of – Identify potential security • Misconfigurations
professionals techniques to – Open shares
• Determine what type of events block future attacks – Guest access
require a response • Real vulnerabilities
– A virus infection? Ransomware? Diamond Model of Intrusion – Especially newer ones
DDoS? Analysis – Occasionally the old ones
• May or may not be part of the • Designed by the intelligence
organizational structure community Dealing with false positives
– Pulled together on an as-needed – • False positives
basis https://apps.dtic.mil/docs/citations – A vulnerability is identified that
• Focuses on incident handling /ADA586960 doesn’t really exist
– Incident response, incident – Guide analysts to help understand • This is different than a low-
analysis, incident reporting intrusions severity vulnerability
– Integrates well with other – It’s real, but it may not be your
Retention policies frameworks highest priority
• Backup your data • Apply scientific principles to • False negatives
– How much and where? Copies, intrusion analysis – A vulnerability exists, but you
versions of copies, lifecycle of data, – Measurement, testability, and didn’t detect it
purging old data repeatability • Update to the latest signatures
• Regulatory compliance – Appears simple, but is remarkably – If you don’t know about it, you
– A certain amount of data backup complex can’t see it
may be required • An adversary deploys a capability • Work with the vulnerability
• Operational needs over some detection manufacturer
– Accidental deletion, disaster infrastructure against a victim – They may need to update their
recovery – Use the model to analyze and fill signatures
• Differentiate by type and in the details for your environment
application
– Recover the data you need when Cyber Kill Chain 4.3 - SIEM Dashboards
you need it • Seven phases of a cyber attack SIEM
– A military concept • Security Information and Event
4.2 Attack Frameworks Management
Attacks and responses 4.3 - Vulnerability Scan Output – Logging of security events and
• A constantly moving chessboard Identify vulnerability information
– The rules are also constantly • The scanner looks for everything • Security alerts
changing – Well, not _everything_ – Real-time information
• Response and intelligence teams – The signatures are the key • Log aggregation and long-term
need assistance • The vulnerabilities can be cross- storage
– Gather and maintain ongoing referenced online – Usually includes advanced
reconnaissance – Almost all scanners give you a reporting features
• Understand attacks place to go • Data correlation
– Many different vectors – National Vulnerability Database: – Link diverse data types
• Assess the risk in an organization http://nvd.nist.gov/ • Forensic analysis
– Determine if a risk exists – Microsoft Security Bulletins: – Gather details after an event
– Use appropriate mitigation – https://docs.microsoft.com/en-
us/security-updates/ Getting the data
MITRE ATT&CK framework • Some vulnerabilities cannot be • Sensors and logs
• The MITRE corporation definitively identified – Operating systems
– Infrastructure devices
– NetFlow sensors • Critical security information additional details
• Sensitivity settings – Documentation of every traffic
– Easy to be overwhelmed with flow VoIP and Call Manager logs
data – Summary of attack info • View inbound and outbound call
– Some information is unnecessary – Correlate with other logs info
– Informational, Warning, Urgent – Endpoint details, gateway
Web log files communication
Viewing the data • Web server access • Security information
• Trends – IP address, web page URL – Authentications, audit trail
– Identify changes over time • Access errors • SIP traffic logs
– Easily view constant attack – Unauthorized or non-existent – Session Initiation Protocol
metrics folders/files – Call setup, management, and
• Alerts • Exploit attempts teardown
– Identify a security event – Attempt to access files containing – Inbound and outbound calls
– View raw data known – Alert on unusual numbers or
– Visualize the log information vulnerabilities country codes
• Correlation • Server activity
– Combine and compare – Startup and shutdown notices 4.3 - Log Management
– View data in different ways – Restart messages Syslog
• Standard for message logging
4.3 - Log files DNS log files – Diverse systems create a
Network log files • View lookup requests consolidated log
• Switches, routers, access points, – And other DNS queries • Usually a central logging receiver
VPN concentrators • IP address of the request – Integrated into the SIEM (Security
– And other infrastructure devices – The request FQDN or IP Information and Event Manager)
• Network changes • Identify queries to known bad • Each log entry is labeled
– Routing updates URLs – Facility code (program that
– Authentication issues – Malware sites, known command created the log) and severity level
– Network security issues and control domains • Syslog daemon options
• Block or modify known bad – Rsyslog -“Rocket-fast System for
System log files requests log processing”
• Operating system information at the DNS server – syslog-ng - A popular syslog
– Extensive logs – Log the results daemon with additional filtering
– File system information – Report on malware activity and storage options
– Authentication details – NXLog - Collection from many
• Can also include security events Authentication log files diverse log types
– Monitoring apps • Know who logged in (or didn’t)
– Brute force, file changes – Account names Journalctl
• May require filtering – Source IP address • Linux has a lot of logs
– Don’t forward everything – Authentication method – The OS, daemons, applications,
– Success and failure reports etc.
Application log files • Identify multiple failures • System logs are stored in a binary
• Specific to the application – Potential brute force attacks format
– Information varies widely • Correlate with other events – Optimized for storage and queries
• Windows - Event Viewer / – File transfers – Can’t read them with a text editor
Application Log – Authentications to other devices • Journalctl provides a method for
• Linux / macOS - /var/log – Application installation querying the system journal
• Parse the log details on the SIEM – Search and filter
– Filter out unneeded info Dump files – View as plain text
• Store all contents of memory into
Security log files a diagnostic file Bandwidth monitors
• Detailed security-related – Developers can use this info • The fundamental network
information • Easy to create from the statistic
– Blocked and allowed traffic flows – Windows Task Manager – Percentage of network use over
– Exploit attempts – Right-click, Create dump file time
– Blocked URL categories • Some applications have their own • Many different ways to gather
– DNS sinkhole traffic dump file process this metric
• Security devices – Contact the appropriate support – SNMP, NetFlow, sFlow, IPFIX
– IPS, firewall, proxy team for protocol analysis, software agent
• Identify fundamental issues – Get into the details – The apps can only run from this
– Nothing works properly if • Gathers packets on the network network zone
bandwidth is highly utilized – Or in the air
– Sometimes built into the device 4.4 - Security Configurations
Metadata • View detailed traffic information Configuration changes
• Metadata – Identify unknown traffic • Firewall rules
– Data that describes other data – Verify packet filtering and security – Manage application flows
sources controls – Block dangerous applications
• Email – View a plain-language description • Mobile Device Manager (MDM)
– Header details, sending servers, of the – Enable or disable phone and
destination address application data tablet functionality
• Mobile - Type of phone, GPS – Regardless of physical location
location, 4.4 - Endpoint Security • Data Loss Prevention (DLP)
• Web - Operating system, browser Configuration – Block transfer of personally
type, IP address The endpoint identifiable information (PII) or
• Files - Name, address, phone • The end user device sensitive data
number, title – Desktop PC, laptop, tablet, phone, – Credit card numbers, social
etc. security numbers, etc.
NetFlow • Many ways to exploit a system • Content filter/URL filter
• Gather traffic statistics from all – OS vulnerability, malware, user – Limit access to untrusted
traffic flows intervention websites
– Shared communication between • Security team has to cover all of – Block known malicious sites
devices the bases – Large blocklists are used to share
• NetFlow – Recognize and react to any suspicious site URLs
– Standard collection method malicious activity • Updating or revoking certificates
– Many products and options – Manage device certificates to
• Probe and collector Application approved/deny lists verify trust
– Probe watches network • Any application can be dangerous – Revoking a certificate effectively
communication – Vulnerabilities, trojan horses, removes access
– Summary records are sent to the malware
collector – Security policy can control app Isolation
• Usually a separate reporting app execution • Administratively isolate a
– Closely tied to the collector • Approved list compromised device from
– Nothing runs unless it’s approved everything else
IPFIX – Very restrictive – Prevent the spread of malicious
• IP Flow Information Export • Blocklist / deny list software
– A newer, NetFlow-based standard – Nothing on the “bad list” can be – Prevent remote access or C2
– Evolved from NetFlow v9 executed (Command and Control)
• Flexible data support – Anti-virus, anti-malware • Network isolation
– Templates are used to describe • Quarantine – Isolate to a remediation VLAN
the data – Anything suspicious can be – No communication to other
moved to a safe area devices
sFlow • Process isolation
• sFlow (Sampled Flow) Examples of application approval – Limit application execution
– Only a portion of the actual lists – Prevent malicious activity but
network traffic • Decisions are made in the allow device
– So, technically not a flow operating system management
• Usually embedded in the – Often built-in to the operating
infrastructure system management Containment
– Switches, routers – Application hash • Application containment
– Sampling usually occurs in • Only allows applications with this – Run each application in its own
hardware/ASICs unique identifier sandbox
• Relatively accurate statistics • Certificate – Limit interaction with the host
– Useful information regarding – Allow digitally signed apps from operating system and other
video streaming and high-traffic certain publishers applications
applications • Path – Ransomware would have no
– Only run applications in these method of infection
Protocol analyzer output folders • Contain the spread of a multi-
• Solve complex application issues • Network zone device security
event, i.e., ransomware information (ESI) • The time zone determines how
– Disable administrative shares – Many different data sources and the time is displayed
– Disable remote management types – Document the local device
– Disable local account access and – Unique workflow and retention settings
change local requirements • Different file systems store
administrator password • Ongoing preservation timestamps differently
– Once notified, there’s an ongoing – FAT: Time is stored in local time
Segmentation obligation to preserve data – NTFS: Time is stored in GMT
• Separate the network • Record the time offset from the
– Prevent unauthorized movement Capture video operating system
– Limit the scope of a breach • A moving record of the event – The Windows Registry
– Gathers information external to – Many different values (daylight
SOAR the computer saving time,
• Security Orchestration, and network time change information, etc.)
Automation, and Response • Captures the status of the screen
– Integrate third-party tools and and other Event logs
data sources volatile information • System logs
– Make security teams more – Today’s mobile video devices are – Documents important operating
effective remarkable system and
• Runbooks • Don’t forget security cameras and application events
– Linear checklist of steps to your phone • Export and store for future
perform • The video content must also be reference
– Step-by-step approach to archived – Filter and parse
automation – May have some of the most • Log store
– Reset a password, create a important record – Linux: /var/log
website certificate, of information – Windows: Event Viewer
back up application data
• Playbooks Admissibility Interviews
– Conditional steps to follow; a • Not all data can be used in a court • Who might have seen this?
broad process of law – You won’t know until you ask
– Investigate a data breach, recover – Different rules in different • Interview and document
from ransomware jurisdictions – These folks might not be around
• Legal authorization later
4.5 - Digital Forensics – Search and seizure of information • Not all witness statements are
Digital forensics • Procedures and tools 100% accurate
• Collect and protect information – The correct tools used the correct – Humans are fallible
relating to an intrusion way
– Many different data sources and • Laboratories Reports
protection – Proper scientific principles used • Document the findings
mechanisms to analyze – For Internal use, legal
• RFC 3227 - Guidelines for the evidence proceedings, etc.
– Evidence Collection and Archiving • Technical and academic • Summary information
– A good set of best practices qualifications – Overview of the security event
• Standard digital forensic process – Competence and qualifications of • Detailed explanation of data
– Acquisition, analysis, and experts acquisition
reporting – Step-by-step method of the
• Must be detail oriented Chain of custody process
– Take extensive notes • Control evidence • The findings
– Maintain integrity – An analysis of the data
Legal hold • Everyone who contacts the • Conclusion
• A legal technique to preserve evidence – Professional results, given the
relevant information – Use hashes analysis
– Prepare for impending litigation – Avoid tampering
– Initiated by legal counsel • Label and catalog everything 4.5 - Forensics Data Acquisition
• Hold notification – Digitally tag all items for ongoing Order of volatility
– Records custodians are instructed documentation • How long does data stick around?
to preserve data – Seal and store – Some media is much more
• Separate repository for volatile than others
electronically stored Recording time offsets
– Gather data in order from the – Logged in users – CPU cache is very short-term
most volatile to – Open ports instruction storage
less volatile – Processes currently running • Some data may never be used
– Attached device list – Erased after a specified
Disk timeframe or when the cache is full
• Copy everything on a storage Device – Browser caches are often long-
drive • Mobile devices and tablets lived
– Hard drive, SSD, flash drive – A more challenging forensics task • Data
• Drive image preparation • Capture data – URL locations
– Power down to prevent changes – Use an existing backup file – Browser page components (text,
– Remove storage drive – Transfer image over USB images)
• Connect to imaging device • Data
– With write-protection – Phone calls Network
• Forensic clone – Contact information • Gather information about and
– Bit-for-bit copy – Text messages from the network
– Preserve all data (even the – Email data – Network connections, packet
“deleted” data) – Images and movies captures
• Inbound and outbound sessions
Random access memory (RAM) Firmware – OS and application traffic
• A difficult target to capture • Extract the device firmware • Packet data
– Changes constantly – Rootkits and exploited hardware – Capture raw network data
– Capturing data changes the data device – May include long-term packet
• Memory dump – A reprogrammed firmware or captures
– Grab everything in active RAM ROM • Third-party packet captures
– Many third-party tools • Specific to the platform – Firewalls, IPS, etc.
• Important data – Firmware implementations vary
– Browsing history widely Artifacts
– Clipboard information • Attacker gains access to the • Digital items left behind
– Encryption keys device – Every contact leaves a trace
– Command history – Maintains access through OS – May not be obvious to access
updates • Artifact locations
Swap/pagefile • Data discovery – Log information
• Used by different operating – Exploit data – Flash memory
systems – Firmware functionality – Prefetch cache files
– Slightly different usage in each – Real-time data – Recycle Bin
• A place to store RAM when – Browser bookmarks and logins
memory is depleted Snapshot
– There’s a lot more space on the • Generally associated with virtual 4.5 - On-Premises vs. Cloud
storage drive machines (VMs) Forensics
– Transfer pages of RAM to a – A point-in-time system image Forensics in the cloud
storage drive • Incremental between snapshots • Adding complexity to the digital
• Can also contain portions of an – Original image is the full backup forensics process
application – Each snapshot is incremented – Cloud technologies
– Page out portions that aren’t in from the last • Technical challenges
use – Restoring requires the original – Devices are not totally in your
• Contains data similar to a RAM and all snapshots control
dump • Contains all files and information – There may be limited access
– Anything active on the system about a VM – Associate data with a specific user
– Similar to a system image • Legal issues
Operating system – Operating system, applications, – Laws are different around the
• OS files and data user data, etc. world
– May have been modified – The rules may not be immediately
• Core operating system Cache obvious
– Executable files and libraries • Store data for use later Right to audit clauses
– Can be compared later to known- – Often used to increase • Common to work with business
good files performance partners
– Usually captured with a drive – Many different caches (CPU, disk, – Data sharing
image Internet, etc.) – Outsourcing
• Other OS data • Can contain specialized data • Cloud computing providers
– Can hold all of the data – A relatively simple integrity check • Proof of data integrity and the
– Manage Internet access – Not designed to replace a hash origin of the data
– Are they secure? • Provenance – The data is unchanged and really
• Right-to-audit should be in the – Documentation of authenticity did come from the sender
contract – A chain of custody for data – Hashing the data
– A legal agreement to have the handling • Authentication that is genuine
option to perform a security audit – Blockchain technology with high confidence
at any time – The only person who could have
– Everyone agrees to the terms and Preservation sent the data is the sender
conditions • Handling evidence • Message Authentication Code
– Ability to verify security before a – Isolate and protect the data (MAC)
breach occurs – Analyze the data later without – The two parties can verify non-
any alterations repudiation
Regulatory/jurisdiction • Manage the collection process • Digital Signature
• Cloud computing technology – Work from copies – The non-repudiation can be
appeared relatively quickly – Manage the data collection from publicly verified
– The legal world is scrambling to mobile devices
catch up • Live collection has become an Strategic
• Forensics professionals must important skill intelligence/counterintelligence
know their legal rights – Data may be encrypted or difficult • Strategic intelligence
– Data in a different jurisdiction to collect after powering down – A focus on key threat activity for a
may be bound by very different • Follow best practices to ensure domain
regulations admissibility of data in court – Business sectors, geographical
• Data stored in cloud may not be – What happens now affects the regions, countries
located in the same country future – Gather information from internal
– Location of the data center may E-discovery threat reports,
determine how data can be treated • Electronic discovery third-party data sources, and other
• Location of the data is critical – Collect, prepare, review, data inputs
– Legal frameworks vary widely interpret, and produce electronic – Determine the threat landscape
between countries documents based on the trends
– Some countries don’t allow • E-discovery gathers data required • Strategic counterintelligence (CI)
electronic searches outside of their by the legal process – Prevent hostile intelligence
borders – Does not generally involve operations
analysis – Discover and disrupt foreign
Data breach notification laws – There’s no consideration of intent intelligence threats
• Notification laws • Works together with digital – Gather threat information on
– If consumer data is breached, the forensics foreign intelligence operations
consumer must be informed – The e-discovery process obtains a
• Many data breach notification storage drive 5.1 - Security Controls
laws – Data on the drive is smaller than Security controls
– Vary widely across countries and expected • Security risks are out there
localities – Forensics experts determine that – Many different types to consider
– If you’re in the cloud, you’re a data was deleted and attempt to • Assets are also varied
global entity recover the data – Data, physical property, computer
• Notification requirements also systems
vary Data recovery • Prevent security events, minimize
– Type of data breached • Extract missing data without the impact,
– Who gets notified affecting the and limit the damage
– How quickly integrity of the data – Security controls
– Requires training and expertise
4.5 - Managing Evidence • The recovery process can vary Control categories
Integrity – Deleted files • Managerial controls
• Hashing – Hidden data – Controls that address security
– Cryptographic integrity – Hardware or software corruption design and implementation
verification – Storage device is physically – Security policies, standard
– A digital “fingerprint” damaged operating procedures
• Checksums • Operational controls
– Protects against accidental Non-repudiation – Controls that are implemented by
changes during transmission people
– Security guards, awareness – Domestic and international – Define tasks and prioritize
programs requirements projects
• Technical controls
– Controls implemented using GDPR - General Data Protection Center for Internet Security (CIS)
systems Regulation • Center for Internet Security
– Operating system controls • European Union regulation – Critical Security Controls for
– Firewalls, anti-virus – Data protection and privacy for – Effective Cyber Defense
individuals in the EU – CIS CSC
Control types – Name, address, photo, email • Improve cyber defenses
• Preventive address, bank details, posts on – Twenty key actions (the critical
– Physically control access social networking websites, medical security controls)
– Door lock information, a computer’s IP – Categorized for different
– Security guard address, etc. organization sizes
– Firewall • Controls export of personal data • Designed for implementation -
• Detective – Users can decide where their data Written for IT professionals
– May not prevent access goes – Includes practical and actionable
– Identifies and records any • Gives individuals control of their tasks
intrusion attempt personal data
– Motion detector, – A right to be forgotten NIST RMF
IDS/IPShttps://ProfessorMesser.co • Site privacy policy • National Institute of Standards
m – Details all of the privacy rights for and Technology
• Corrective a user – Risk Management Framework
– Designed to mitigate damage (RMF)
– IPS can block an attacker PCI DSS – Mandatory for US federal
– Backups can mitigate a • Payment Card Industry agencies and
ransomware infection – Data Security Standard (PCI DSS) organizations that handle federal
– A backup site can provide options – A standard for protecting credit data
when a storm hits cards • Six step process
• Deterrent • Six control objectives – Step 1: Categorize - Define the
– May not directly prevent access – Build and maintain a secure environment
– Discourages an intrusion attempt network and – Step 2: Select - Pick appropriate
– Warning signs, login banner systems controls
• Compensating – Protect cardholder data – Step 3: Implement - Define proper
– Doesn’t prevent an attack – Maintain a vulnerability implementation
– Restores using other means management program – Step 4: Assess - Determine if
– Re-image or restore from backup – Implement strong access control controls are working
– Hot site measures – Step 5: Authorize - Make a
– Backup power system – Regularly monitor and test decision to
• Physical networks authorize a system
– Fences, locks, mantraps – Maintain an information security – Step 6: Monitor - Check for
– Real-world security policy ongoing compliance

Compliance 5.2 - Security Frameworks NIST CSF

• Compliance Security frameworks • National Institute of Standards
– Meeting the standards of laws, • Secure your data. and Technology
policies, and regulations – Where do you start? What are the – Cybersecurity Framework (CSF)
• A healthy catalog of regulations best practices? – A voluntary commercial
and laws – If only there was a book. framework
– Across many aspects of business • Often a complex problem • Framework Core
and life – Unique organizational – Identify, Protect, Detect,
– Many are industry-specific or requirements Respond, and Recover
situational – Compliance and regulatory • Framework Implementation Tiers
• Penalties requirements – An organization’s view of
– Fines, incarceration, loss of – Many different processes and cybersecurity risk and processes to
employment tools are available manage the risk
• Scope • Use a security framework • Framework Profile - The
– Covers national, territory, or state – Documented processes alignment of standards, guidelines,
laws – A guide for creating a security and practices to the Framework
program Core
 – You need some guidelines to keep – Limit rights to what’s required
ISO/IEC frameworks everything safe – Limit access from other devices
• International Organization for • Hardening guides are specific to
Standardization the software or platform Network infrastructure devices
– International Electrotechnical – Get feedback from the • Switches, routers, firewalls, IPS,
Commission manufacturer or etc.
• ISO/IEC 27001 Internet interest group – You never see them, but they’re
– Standard for an Information – They’ll have the best details always there
Security • Other general-purpose guides are • Purpose-built devices
Management System (ISMS) available online – Embedded OS, limited OS access
• ISO/IEC 27002 • Configure authentication
– Code of practice for information Web server hardening – Don’t use the defaults
security controls • Access a server with your browser • Check with the manufacturer
• ISO/IEC 27701 – The fundamental server on the – Security updates
– Privacy Information Management Internet – Not usually updated frequently
Systems (PIMS) – Microsoft Internet Information – Updates are usually important
• ISO 31000 Server,
– International standards for risk Apache HTTP Server, et al. 5.3 - Personnel Security
management practices • Huge potential for access issues Acceptable use policies (AUP)
– Data leaks, server access • What is acceptable use of
SSAE SOC 2 Type I/II • Secure configuration company assets?
• The American Institute of – Information leakage: Banner – Detailed documentation
Certified Public Accountants information, directory browsing – May be documented in the Rules
(AICPA) auditing standard – Permissions: Run from a non- of Behavior
Statement on Standards for privileged account, configure file • Covers many topics
Attestation Engagements number permissions – Internet use, telephones,
18 (SSAE 18) – Configure SSL: Manage and install computers,
• SOC 2 - Trust Services Criteria certificates mobile devices, etc.
(security controls) – Log files: Monitor access and • Used by an organization to limit
– Firewalls, intrusion detection, and error logs legal liability
multi-factor authentication – If someone is dismissed, these are
• Type I audit Operating system hardening the well documented reasons why
– Tests controls in place at a • Many and varied - Windows,
particular point in time Linux, iOS, Android, et al. Business policies
• Type II • Updates • Job rotation
– Tests controls over a period of at – Operating system updates/service – Keep people moving between
least six packs, responsibilities
consecutive months security patches – No one person maintains control
• User accounts for long periods of time
Cloud Security Alliance (CSA) – Minimum password lengths and • Mandatory vacations
• Security in cloud computing complexity – Rotate others through the job
– Not-for-profit organization – Account limitations – The longer the vacation, the
• Cloud Controls Matrix (CCM) • Network access and security better chance
– Cloud-specific security controls – Limit network access to identify fraud
– Controls are mapped to • Monitor and secure – Especially important in high-
standards, best practices, and – Anti-virus, anti-malware security environments
regulations • Separation of duties
• Enterprise Architecture Application server – Split knowledge
– Methodology and tools • Programming languages, runtime • No one person has all of the
– Assess internal IT groups and libraries, etc. details
cloud providers – Usually between the web server • Half of a safe combination
– Determine security capabilities and the database – Dual control
– Build a roadmap – Middleware • Two people must be present to
• Very specific functionality perform
5.2 - Secure Configurations – Disable all unnecessary services the business function
Secure configurations • Operating system updates • Two keys open a safe (or launch a
• No system is secure with the – Security patches missile)
default configurations • File permissions and access • Clean desk policy
controls
– When you leave, nothing is on – Associate the user with the 5.3 - Third-party Risk Management
your desk proper groups Vendors
– Limit the exposure of sensitive and departments • Every organization works with
data to third-parties • Provide required IT hardware vendors
– Laptops, tablets, etc. - – Payroll, customer relationship
Least privilege Preconfigured and ready to go management,
• Rights and permissions should be email marketing, travel, raw
set to Off-boarding materials
the bare minimum • All good things… (But you knew • Important company data is often
– You only get exactly what’s this day would come) shared
needed to complete your objective • This process should be pre- – May be required for cloud-based
• All user accounts must be limited planned services
– Applications should run with – You don’t want to decide how to • Perform a risk assessment
minimal privileges do things at this point – Categorize risk by vendor and
• Don’t allow users to run with • What happens to the hardware manage the risk
administrative privileges and the data? • Use contracts for clear
– Limits the scope of malicious • Account information is usually understanding
behavior deactivated – Make sure everyone understands
– But not always deleted the expectations
Background checks – Use the contract to enforce a
• Background checks User training secure environment
– Pre-employment screening • Gamification
– Verify the applicant’s claims – Score points, compete with Target credit card breach -
– Discover criminal history, workers others, collect badges November 2013
compensation claims, etc. • Capture the flag (CTF) • Every point of sale terminal
– Legalities vary by country – Security competition infected
• Adverse actions – Hack into a server to steal data – A third-party was allowed in
– An action that denies (the flag) through lapses in
employment based on the – Can involve highly technical security policy
background check simulations • A vendor was infected through an
– May require extensive – A practical learning environment email attachment
documentation • Phishing simulation – The vendor didn’t have or follow
– Can also include existing – Send simulated phishing emails a security policy for their
employees – Make vishing calls workstations
– See which users are susceptible to • Target didn’t segment the vendor
Personnel security procedures phishing attacks network
• NDA (Non-disclosure agreement) without being a victim of phishing from the corporate
– Confidentiality agreement / Legal • Computer-based training (CBT) – The attackers jumped from the
contract – Automated pre-built training vendor to the
– Prevents the use and – May include video, audio, and Target network
dissemination of Q&A • The corporate network was not
confidential information – Users all receive the same segmented from point of sale (POS)
• Social media analysis training experience terminals
– Gather data from social media – Once on the inside, it was
– Facebook, Twitter, LinkedIn, Role-based security awareness relatively easy to get to your credit
Instagram training card numbers
– Build a personal profile • Before providing access, train – (110 million card numbers)
– Another data point when making your users
a hiring decision – Detailed security requirements Supply chain
• Specialized training • The system involved when
On-boarding – Each user role has unique security creating a product
• Bring a new person into the responsibilities – Involves organizations, people,
organization • Also applies to third-parties activities, and resources
– New hires or transfers – Contractors, partners, suppliers • Supply chain assessment
• IT agreements need to be signed • Detailed documentation and – Get a product or service from
– May be part of the employee records supplier to customer
handbook or – Problems later can be severe for – Evaluate coordination between
a separate AUP everyone groups
• Create accounts – Identify areas of improvement
– Assess the IT systems supporting • Business Partnership Agreement – Ensures compliance with any
the operation (BPA) applicable laws and standards
– Document the business process – Going into business together • Formal rules for data
changes – Owner stake – Everyone must know and follow
• New laptops arrive with bundled – Financial contract the processes
malware – Decision-making agreements
– Lenovo, August 2014 through – Prepare for contingencies Data classification
early 2015 • Identify data types
– Superfish software added a self- Product support lifetime – Personal, public, restricted, etc.
signed root cert (!) • End of life (EOL) – Use and protect data efficiently
– Allowed for on-path attacks when – Manufacturer stops selling a • Associate governance controls to
browsing any site, including over product the classification levels
HTTPS – May continue supporting the – How the data class should be
product managed
Business partners – Important for security patches • Data compliance
• Much closer to your data than a and updates – Laws and regulations regarding
vendor • End of service life (EOSL) certain types of data
– May require direct access – Manufacturer stops selling a – GDPR - General Data Protection
– May be a larger security concern product Regulation
than an outside hacker – Support is no longer available for
• Often involves communication the product Data retention
over a trusted connection – No ongoing security patches or • Keep files that change frequently
– More difficult to identify updates for version control
malicious activity – May have a premium-cost – Files change often
• Partner risk management should support option – Keep at least a week, perhaps
be included • Technology EOSL is a significant more
– Requirements for best practices, concern • Recover from virus infection
data handling, intellectual property – Security patches are part of – Infection may not be identified
• Include additional security normal operation immediately
between partners – May need to retain 30 days of
– Firewalls and traffic filters Non-disclosure agreement (NDA) backups
• Confidentiality agreement • Often legal requirements for data
Common agreements between parties retention
• Service Level Agreement (SLA) – Information in the agreement – Email storage may be required
– Minimum terms for services should not over years
provided be disclosed – Some industries must legally store
– Uptime, response time • Protects confidential information certain data types
agreement, etc. – Trade secrets – Different data types have
– Commonly used between – Business activities different
customers and – Anything else listed in the NDA storage requirements
service providers • Unilateral or bilateral (or – Corporate tax information,
• Memorandum of Understanding multilateral) customer PII,
(MOU) – On-way NDA or mutual NDA tape backups, etc.
– Both sides agree on the contents • Formal contract
of the memorandum – Signatures are usually required 5.3 - Credential Policies
– Usually includes statements of Credential management
confidentiality 5.3 - Managing Data • All that stands between the
– Informal letter of intent; not a Data governance outside world and
signed contract • Rules, processes, and all of the data
• Measurement system analysis accountability associated with an – The data is everything
(MSA) organization’s data • Passwords must not be
– Don’t make decisions based on – Data is used in the right ways embedded in the application
incorrect data! • Data steward – Everything needs to reside on the
– Used with quality management – Manages the governance server, not the client
systems, processes • Communication across the
i.e., Six Sigma – Responsible for data accuracy, network should be encrypted
– Assess the measurement process privacy, and security – Authentication traffic should be
– Calculate measurement – Associates sensitivity labels to the impossible to see
uncertainty data
Personnel accounts – Web server rights and – Have a backout plan if the change
• An account on a computer permissions will be doesn’t work
associated with different than a database server – Document the changes
a specific person • Commonly use usernames and
– The computer associates the user passwords Asset management
with a specific identification – You’ll need to determine the best • Identify and track computing
number policy for assets
• Storage and files can be private to password updates – Usually an automated process
that user Administrator/root accounts • Respond faster to security
– Even if another person is using • Elevated access to one or more problem
the same computer systems – You know who, what, and where
• No privileged access to the – Super user access • Keep an eye on the most valuable
operating system • Complete access to the system assets
– Specifically not allowed on a user – Often used to manage hardware, – Both hardware and data
account drivers, and • Track licenses
• This is the account type most software installation – You know exactly how many
people will use • This account should not be used you’ll need
– Your user community for normal • Verify that all devices are up to
administration date
Third-party accounts – User accounts should be used – Security patches, anti-malware
• Access to external third-party • Needs to be highly secured signature updates, etc.
systems – Strong passwords, 2FA
– Cloud platforms for payroll, – Scheduled password changes 5.4 - Risk Management Types
enterprise resource planning, etc. Risk assessment
• Third-party access to corporate 5.3 - Organizational Policies • Identify assets that could be
systems Change management affected by an attack
– Access can come from anywhere • How to make a change – Define the risk associated with
• Add additional layers of security – Upgrade software, change firewall each asset
– 2FA (two factor authentication) configuration, modify switch ports – Hardware, customer data,
– Audit the security posture of • One of the most common risks in intellectual property
third-parties the enterprise • Identify threats
• Don’t allow account sharing – Occurs very frequently – Loss of data, disruption of
– All users should have their own • Often overlooked or ignored services, etc.
account – Did you feel that bite? • Determine the risk - High,
• Have clear policies medium, or low risk
Device accounts – Frequency, duration, installation • Assess the total risk to the
• Access to devices process, organization
– Mobile devices fallback procedures – Make future security plans
• Local security • Sometimes extremely difficult to
– Device certificate implement Risk assessments
– Require screen locks and – It’s hard to change corporate • External threats
unlocking standards culture – Outside the organization
– Manage through a Mobile Device – Hacker groups, former employees
Manager (MDM) Change control • Internal threats
• Add additional security • A formal process for managing – Employees and partners
– Geography-based change – Disgruntled employees
– Include additional authentication – Avoid downtime, confusion, and • Legacy systems
factors mistakes – Outdated, older technologies
– Associate a device with a user • Nothing changes without the – May not be supported by the
process manufacturer
Service accounts – Determine the scope of the – May not have security updates
• Used exclusively by services change – Depending on the age, may not
running on a computer – Analyze the risk associated with be easily accessible
– No interactive/user access the change
(ideally) – Create a plan Multi-party risk
– Web server, database server, etc. – Get end-user approval • Breaches involving multiple
• Access can be defined for a – Present the proposal to the parties
specific service change control board – Often trusted business
relationships
– Events often involve many – View the results of the risk and partners
different parties assessment • Maintaining awareness
• May 2019 - American Medical – Visually identify risk based on – Ongoing group discussions
Collection Agency color – Presentations from law
– Provided debt collection for many – Combines the likelihood of an enforcement
different event with – Attend security conferences and
organizations the potential impact programs
– Data breach disclosed personal – Assists with making strategic
information on 24 million decisions Regulations that affect risk
individuals posture
– Twenty-three healthcare Audit risk model • Many of them
organizations affected by this single • Inherent risk – Regulations tend to regulate
breach – Impact + Likelihood • Regulations directly associated to
– A single breach can cause a ripple – Risk that exists in the absence of cybersecurity
effect controls – Protection of personal
– Some models include the existing information, disclosure of
Risk assessments set of controls information breaches
• Intellectual Property (IP) theft • Residual risk – Requires a minimum level of
– Theft of ideas, inventions, and – Inherent risk + control information security
creative expressions effectiveness • HIPAA - Health Insurance
– Human error, hacking, employees – Risk that exists after controls are Portability and
with access, etc. considered Accountability Act
– Identify and protect IP – Some models base it on including – Privacy of patient records
– Educate employees and increase additional controls – New storage requirements,
security • Risk appetite network security,
• Software compliance/licensing – The amount of risk an protect against threats
– Operational risk with too few organization is willing to take • GDPR - General Data Protection
licenses Regulation
– Financial risk with budgeting and Risk control assessment – European Union data protection
over-allocated licenses • Risk has been determined and privacy
– Legal risk if proper licensing is not – Heat maps have been created – Personal data must be protected
followed • Time to build cybersecurity and managed for privacy
requirements
Risk management strategies – Based on the identified risks Qualitative risk assessment
• Acceptance • Find the gap • Identify significant risk factors
– A business decision; we’ll take the – Often requires a formal audit – Ask opinions about the
risk! – Self-assessments may be an significance
• Risk-avoidance option – Display visually with traffic light
– Stop participating in a high-risk • Build and maintain security grid or
activity systems based on the requirements similar method
• Transference – The organizational risk
– Buy some cybersecurity insurance determines the proper Quantitative risk assessment
• Mitigation controls • Likelihood
– Decrease the risk level • Determine if existing controls are – Annualized Rate of Occurrence
– Invest in security systems compliant or noncompliant (ARO)
– Make plans to bring everything – How likely is it that a hurricane
5.4 - Risk Analysis into compliance will hit?
Evaluating risk In Montana? In Florida?
• Risk register Risk awareness • SLE (Single Loss Expectancy)
– Every project has a plan, but also • A constantly changing battlefield – What is the monetary loss if a
has risk – New risks, emerging risks single event occurs?
– Identify and document the risk – A nearly overwhelming amount of – Laptop stolen (asset value or AV)
associated information = $1,000
with each step – Difficult to manage a defense • ALE (Annualized Loss Expectancy)
– Apply possible solutions to the • Knowledge is key – ARO x SLE
identified risks – Part of every employee’s daily job – Seven laptops stolen a year (ARO)
– Monitor the results role x
• Risk matrix / risk heat map – Part of the onboarding process $1,000 (SLE) = $7,000
for employees
• The business impact can be more – A good hurricane can disrupt • Creation and receipt
than monetary personnel travel – Create data internally or receive
– Quantitative vs. qualitative • There’s no practical way to data
remove all points of failure from a third-party
Disaster types – Money drives redundancy • Distribution - Records are sorted
• Environmental threats and stored
– Tornado, hurricane, earthquake, Disaster recovery plan (DRP) • Use
severe weather • Detailed plan for resuming – Make business decisions, create
• Person-made threats operations after a disaster products
– Human intent, negligence, or – Application, data center, building, and services
error campus, region, etc. • Maintenance
– Arson, crime, civil disorder, fires, • Extensive planning prior to the – Ongoing data retrieval and data
riots, etc. disaster transfers
• Internal and external – Backups • Disposition
– Internal threats are from – Off-site data replication – Archiving or disposal of data
employees – Cloud alternatives
– External threats are from outside – Remote site Consequences
the organization • Many third-party options • Reputation damage
– Physical locations – Opinion of the organization
5.4 - Business Impact Analysis – Recovery services becomes negative
Recovery – Can have an impact on products
• Recovery time objective (RTO) Impact or services
– Get up and running quickly • Life - The most important – Can impact stock price
– Get back to a particular service consideration • Identity theft
level • Property - The risk to buildings – Company and/or customers
• Recovery point objective (RPO) and assets information
– How much data loss is • Safety - Some environments are becomes public
acceptable? too dangerous to work – May require public disclosure
– Bring the system back online; how • Finance - The resulting financial – Credit monitoring costs
far back cost • Fines
does data go? • Reputation – Uber
• Mean time to repair (MTTR) – An event can cause status or • Data breach in 2016 wasn’t
– Time required to fix the issue character problems disclosed
• Mean time between failures • Uber paid the hackers $100,000
(MTBF) Mission-essential functions instead
– Predict the time between outages • If a hurricane blew through, what • Lawsuit settlement was $148
functions would be essential to the million
Functional recovery plans organization? – Equifax
• Recover from an outage – That’s where you start your • 2017 data breach
– Step-by-step guide analysis • Government fines were
• Contact information – These are broad business approximately $700 million
– Someone is on-call requirements • Intellectual Property (IP) theft
– Keep everyone up to date • What computing systems are – Stealing company secrets
• Technical process required for these mission-essential – Can put an organization out of
– Reference the knowledge base business functions? business
– Follow the internal processes – Identify the critical systems
• Recover and test Notification
– Confirm normal operation Site risk assessment • Internal escalation process
• All locations are a bit different – Breaches are often found by
Removing single points of failure – Even those designed to be similar technicians
• A single event can ruin your day • Recovery plans should consider – Provide a process for making
– Unless you make some plans unique environments those findings known
• Network configuration – Applications • External escalation process
– Multiple devices (the “Noah’s – Personnel – Know when to ask for assistance
Ark” of networking) – Equipment from
• Facility / Utilities – Work environment external resources
– Backup power, multiple cooling – Security experts can find and stop
devices 5.5 - Privacy and Data Breaches an active breach
• People / Location Information life cycle
• Public notifications and – May also include trade secrets mathematically related
disclosures – Often data unique to an – No encryption overhead
– Refer to security breach organization
notification laws • PII - Personally Identifiable Data minimization
– All 50 US states, EU, Australia, etc. Information • Minimal data collection
– Delays might be allowed for – Data that can be used to identify – Only collect and retain necessary
criminal investigations an individual data
– Name, date of birth, mother’s • Included in many regulations
Privacy impact assessment (PIA) maiden name, – HIPAA has a “Minimum
• Almost everything can affect biometric information Necessary” rule
privacy • PHI - Protected Health – GDPR - “Personal data shall be
– New business relationships, Information adequate, relevant and not
product updates, website features, – Health information associated excessive in relation to the purpose
service offering with an individual or purposes for which they are
• Privacy risk needs to be identified – Health status, health care processed.”
in each initiative records, payments for health care, • Some information may not be
– How could the process and much more required
compromise customer privacy? • Public / Unclassified – Do you need a telephone number
• Advantages – No restrictions on viewing the or address?
– Fix privacy issues before they data • Internal data use should be
become a problem • Private / Classified / Restricted / limited
– Provides evidence of a focus on Internal use only – Only access data required for the
privacy – Restricted access, may require a task
– Avoid data breach non-disclosure agreement (NDA)
– Shows the importance of privacy • Sensitive - Intellectual property, Anonymization
to everyone PII, PHI • Make it impossible to identify
• Confidential - Very sensitive, must individual data
Notices be approved to view from a dataset
• Terms of service • Critical - Data should always be – Allows for data use without
– Terms of use, terms and available privacy concerns
conditions (T&C) • Financial information • Many different anonymization
– Legal agreement between service – Internal company financial techniques
provider and user information – Hashing, masking, etc.
– User must agree to the terms to – Customer financial details • Convert from detailed customer
use the service • Government data purchase data
• Privacy notice, privacy policy – Open data – Remove name, address, change
– May be required by law – Transfer between government phone number to ### ### ####
– Documents the handling of entities – Keep product name, quantity,
personal data – May be protected by law total, and sale date
– May provide additional data • Customer data • Anonymization cannot be
options and – Data associated with customers reversed
contact information – May include user-specific details – No way to associate the data to a
– Legal handling requirements user
5.5 - Data Classifications
Labeling sensitive data 5.5 - Enhancing privacy Data masking
• Not all data has the same level of Tokenization • Data obfuscation
sensitivity • Replace sensitive data with a non- – Hide some of the original data
– License tag numbers vs. health sensitive placeholder • Protects PII
records – SSN 266-12-1112 is now 691-61- – And other sensitive data
• Different levels require different 8539 • May only be hidden from view
security and handling • Common with credit card – The data may still be intact in
– Additional permissions processing storage
– A different process to view – Use a temporary token during – Control the view based on
– Restricted network access payment permissions
– An attacker capturing the card • Many different techniques
Data classifications numbers can’t use them later – Substituting, shuffling, encrypting,
• Proprietary • This isn’t encryption or hashing masking out, etc.
– Data that is the property of an – The original data and token aren’t
organization Pseudo-anonymization
• Pseudonymization – Implements security controls
– Replace personal information • Data protection officer (DPO)
with pseudonyms – Responsible for the organization’s
– Often used to maintain statistical data privacy
relationships – Sets policies, implements
• May be reversible processes and procedures
– Hide the personal data for daily
use or in case of breach
– Convert it back for other
processes
• Random replacement
– James Messer -> Jack O’Neill ->
Sam Carter -> Daniel Jackson
• Consistent replacements
– James Messer is always converted
to George Hammond

5.5 - Data Roles and Responsibilities

Data responsibility
• High-level data relationships
– Organizational responsibilities,
not always technical
• Data owner
– Accountable for specific data,
often a senior officer
– VP of Sales owns the customer
relationship data
– Treasurer owns the financial
information

Data roles
• Data controller
– Manages the purposes and means
by which
personal data is processed
• Data processor
– Processes data on behalf of the
data controller
– Often a third-party or different
group
• Payroll controller and processor
– Payroll department (data
controller) defines
payroll amounts and timeframes
– Payroll company (data processor)
processes payroll
and stores employee information

Additional data roles

• Data custodian/steward
– Responsible for data accuracy,
privacy, and security
– Associates sensitivity labels to the
data
– Ensures compliance with any
applicable laws
and standards
– Manages the access rights to the
data