1.1 - Phishing Phishing – Some great summaries on • Attack the victim as someone higher in • Social engineering with a touch of https://reddit.com/r/Scams rank spoofing – Office of the Vice President for – Often delivered by email, text, etc. Finding the best spot to phish Scamming – Very remarkable when well done • Reconnaissance • Throw tons of technical details around • Don’t be fooled – Gather information on the victim – Catastrophic feedback due to the – Check the URL • Background information depolarization of the differential • Usually there’s something not quite – Lead generation sites magnetometer right – LinkedIn, Twitter, Facebook, Instagram • Be a buddy – Spelling, fonts, graphics – Corporate web site – How about those Cubs? • Attacker builds a believable pretext Tricks and misdirection – Where you work Eliciting information • How are they so successful? – Where you bank • Extracting information from the victim – Digital sleight of hand - it fools the best – Recent financial transactions – The victim doesn’t even realize this is of us – Family and friends happening • Typosquatting – Hacking the human – A type of URL hijacking Spear phishing • Often seen with vishing (Voice Phishing) https://professormessor.com • Targeted phishing with inside – Can be easier to get this information – Prepending: information over the phone https://pprofessormesser.com – Makes the attack more believable • These are well-documented • Pretexting • Spear phishing the CEO is “whaling” psychological techniques – Lying to get information – Targeted phishing with the possibility of – They can’t just ask, “So, what’s your – Attacker is a character in a situation a large catch password?” they create – The CFO (Chief Financial Officer) is – Hi, we’re calling from Visa regarding an commonly speared Identity fraud automated payment to your utility • These executives have direct access to • Your identity can be used by others service… the corporate bank account – Keep your personal information safe! – The attackers would love to have those • Credit card fraud Pharming credentials – Open an account in your name, or use • Redirect a legit website to a bogus site your credit card information – Poisoned DNS server or client 1.1 - Impersonation • Bank fraud vulnerabilities The pretext – Attacker gains access to your account or • Combine pharming with phishing • Before the attack, the trap is set opens a new account – Pharming - Harvest large groups of – There’s an actor and a story • Loan fraud people • “Hello sir, my name is Wendy and I’m – Your information is used for a loan or – Phishing - Collect access credentials from Microsoft Windows. This is an urgent lease • Difficult for anti-malware software to check up call for your computer as we • Government benefits fraud stop have found several problems with it.” – Attacker obtains benefits on your behalf – Everything appears legitimate to the • Voice mail: “This is an enforcement user action executed by the US Treasury Protect against impersonation intending your serious attention.” • Never volunteer information Phishing with different bait • “Congratulations on your excellent – My password is 12345 • Vishing (Voice phishing) is done over the payment history! You now qualify for 0% • Don’t disclose personal details phone or voicemail interest rates on all of your credit card – The bad guys are tricky – Caller ID spoofing is common accounts.” • Always verify before revealing info – Fake security checks or bank updates – Call back, verify through 3rd parties • Smishing (SMS phishing) is done by text Impersonation • Verification should be encouraged message • Attackers pretend to be someone they – Especially if your organization owns – Spoofing is a problem here as well aren’t valuable information – Forwards links or asks for personal – Halloween for the fraudsters information • Use some of those details from 1.1 - Dumpster Diving • Variations on a theme reconnaissance Dumpster diving – The fake check scam, phone verification – You can trust me, I’m with your help • Mobile garbage bin code scam, desk – United States brand name “Dumpster” – Boss/CEO scam, advance-fee scam – Similar to a rubbish skip • Important information thrown out with • Some hoaxes will take your money • Anti-virus / Anti-malware signature the trash – But not through electronic means updates – Thanks for bagging your garbage for me! • A hoax about a virus can waste as much – The Polish Financial Supervision • Gather details that can be used for a time as a regular virus Authority attack code was recognized and different attack stopped by generic signatures in – Impersonate names, use phone De-hoaxing Symantec’s anti-virus software numbers • It’s the Internet. Believe no one. • Timing is important – Consider the source 1.1 - Spam – Just after end of month, end of quarter • Cross reference Spam – Based on pickup schedule – http://www.hoax-slayer.net • Unsolicited messages – http://www.snopes.com – Email, forums, etc. Is it legal to dive in a dumpster? • Spam filters can help – Spam over Instant Messaging (SPIM) • I am not a lawyer. – There are so many other ways... • Various content – In the United States, it’s legal • If it sounds too good to be true... – Commercial advertising – Unless there’s a local restriction – So many sad stories – Non-commercial proselytizing • If it’s in the trash, it’s open season – Phishing attempts – Nobody owns it 1.1 - Watering Hole Attacks • Significant technology issue • Dumpsters on private property or “No Watering Hole Attack – Security concerns Trespassing” signs may be restricted • What if your network was really secure? – Resource utilization – You can’t break the law to get to the – You didn’t even plug in that USB key – Storage costs rubbish from the parking lot – Managing the spam • Questions? Talk to a legal professional. • The attackers can’t get in – Not responding to phishing emails Mail gateways Protect your rubbish – Not opening any email attachments • Unsolicited email • Secure your garbage • Have the mountain come to you – Stop it at the gateway before it reaches – Fence and a lock – Go where the mountain hangs out the user • Shred your documents – The watering hole – On-site or cloud-based – This will only go so far – This requires a bit of research – Governments burn the good stuff Identifying spam • Go look at your trash Executing the watering hole attack • Allowed list – What’s in there? • Determine which website the victim – Only receive email from trusted senders group uses • SMTP standards checking 1.1 - Shoulder Surfing – Educated guess - Local coffee or – Block anything that doesn’t follow RFC Shoulder surfing sandwich shop standards • You have access to important – Industry-related sites • rDNS - Reverse DNS information • Infect one of these third-party sites – Block email where the sender’s domain – Many people want to see – Site vulnerability doesn’t match the IP address – Curiosity, industrial espionage, – Email attachments • Tarpitting competitive advantage • Infect all visitors – Intentionally slow down the server • This is surprisingly easy – But you’re just looking for specific conversation – Airports / Flights victims • Recipient filtering – Hallway-facing monitors – Now you’re in! – Block all email not addressed to a valid – Coffee shops recipient email address • Surf from afar Because that’s where the money is – Binoculars / Telescopes • January 2017 1.1 - Influence Campaigns – Easy in the big city • Polish Financial Supervision Authority, Hacking public opinion – Webcam monitoring National Banking and Stock Commission of • Influence campaigns Preventing shoulder surfing Mexico, State-owned bank in Uruguay – Sway public opinion on political and • Control your input – The watering hole was sufficiently social issues – Be aware of your surroundings poisoned • Nation-state actors • Use privacy filters • Visiting the site would download – Divide, distract, and persuade – It’s amazing how well they work malicious JavaScript files • Advertising is an option • Keep your monitor out of sight – But only to IP addresses matching banks – Buy a voice for your opinion – Away from windows and hallways and other financial institutions • Enabled through Social media • Don’t sit in front of me on your flight • Did the attack work? – Creating, sharing, liking – I can’t help myself – We still don’t know – Amplification
Computer hoaxes Watching the watering hole Hybrid warfare
• A threat that doesn’t actually exist • Defense-in-depth • Military strategy – But they seem like they COULD be real – Layered defense – A broad description of the techniques • Still often consume lots of resources – It’s never one thing – Wage war non-traditionally – Forwarded email messages, printed • Firewalls and IPS • Not a new concept memorandums, wasted time – Stop the network traffic before things – The Internet adds new methods • Often an email get bad • Cyberwarfare – Or Facebook wall post, or tweet, or... – Attack an entity with technology • Influence with a military spin – Emailed funeral notifications of a friend • Your computer must run a program – Influencing foreign elections or associate – Email link - Don’t click links – “Fake news” – Web page pop-up - Other Social Engineering Attacks Social engineering principles – Drive-by download • Authority – Worm Tailgating – The social engineer is in charge • Your computer is vulnerable • Use an authorized person to gain – I’m calling from the help desk/office of – Operating system - Keep your OS unauthorized access to a building the CEO/police updated! – Not an accident • Intimidation – Applications - Check with the publisher • Johnny Long / No Tech Hacking – There will be bad things if you don’t help • Script viruses – Blend in with clothing – If you don’t help me, the payroll checks – Operating system and browser-based – 3rd-party with a legitimate reason won’t be processed • Macro viruses – Temporarily take up smoking • Consensus / Social proof – Common in Microsoft Office – I still prefer bringing doughnuts – Convince based on what’s normally • Once inside, there’s little to stop you expected Fileless virus – Most security stops at the border – Your co-worker Jill did this for me last • A stealth attack week – Does a good job of avoiding anti-virus Watching for tailgating • Scarcity detection • Policy for visitors – The situation will not be this way for • Operates in memory – You should be able to identify anyone long – But never installed in a file or • One scan, one person – Must make the change before time application – A matter of policy or mechanically expires required • Urgency 1.2 - Viruses and Worms • Mantrap / Airlock – Works alongside scarcity Virus – You don’t have a choice – Act quickly, don’t think • Malware that can reproduce itself • Don’t be afraid to ask • Familiarity / Liking – It needs you to execute a program – Who are you and why are you here? – Someone you know, we have common • Reproduces through file systems or the friends network Invoice scams • Trust – Just running a program can spread a • Starts with a bit of spear phishing – Someone who is safe virus – Attacker knows who pays the bills – I’m from IT, and I’m here to help • May or may not cause problems • Attacker sends a fake invoice – Some viruses are invisible, some are – Domain renewal, toner cartridges, etc. 1.2 - An Overview of Malware annoying – From: address is a spoofed version of • Anti-virus is very common the CEO Malware – Thousands of new viruses every week • Accounting pays the invoice • Malicious software – Is your signature file updated? – It was from the CEO, after all – These can be very bad • Might also include a link to pay • Gather information Virus types – Now the attacker has payment details – Keystrokes • Program viruses • Participate in a group – It’s part of the application Credential harvesting – Controlled over the ‘net • Boot sector viruses • Also called password harvesting • Show you advertising – Who needs an OS? – Attackers collect login credentials – Big money • There are a lot of stored credentials on • Viruses and worms Worms your computer – Encrypt your data • Malware that self-replicates – The attacker would like those – Ruin your day – Doesn’t need you to do anything – Chrome, Firefox, Outlook, Windows – Uses the network as a transmission Credential Manager, etc. Malware Types and Methods medium • User receives an email with a malicious • Viruses – Self-propagates and spreads quickly Microsoft Word doc • Crypto-malware • Worms are pretty bad things – Opening the document runs a macro • Ransomware – Can take over many systems very quickly – The macro downloads credential- • Worms • Firewalls and IDS/IPS can mitigate many harvesting malware • Trojan Horse worm infestations • User has no idea • Rootkit – Doesn’t help much once the worm gets – Everything happens in the background • Keylogger inside • Adware/Spyware Effective social engineering • Botnet Ransomware and Crypto-malware • Constantly changing Your data is valuable – You never know what they’ll use next How you get malware • Personal data • May involve multiple people • These all work together – Family pictures and videos – And multiple organizations – A worm takes advantage of a – Important documents – There are ties connecting many vulnerability • Organization data organizations – Installs malware that includes a remote – Planning documents • May be in person or electronic access backdoor – Employee personally identifiable – Phone calls from aggressive “customers” – Bot may be installed later information (PII) – Financial information • A backup utility that displays ads • Use a remover specific to the rootkit – Company private data • Browser search engine hijacker – Usually built after the rootkit is • How much is it worth? discovered – There’s a number Backdoors • Secure boot with UEFI • Why go through normal authentication – Security in the BIOS Ransomware methods? • The attackers want your money – Just walk in the back door 1.2 - Spyware – They’ll take your computer in the • Often placed on your computer through Adware meantime malware • Your computer is one big advertisement • May be a fake ransom – Some malware software can take – Pop-ups with pop-ups – Locks your computer “by the police” advantage of backdoors created by other • May cause performance issues • The ransom may be avoided malware – Especially over the network – A security professional may be able to • Some software includes a backdoor • Installed accidentally remove these kinds of malware (oops) – May be included with other software – Old Linux kernel included a backdoor • Be careful of software that claims to Crypto-malware – Bad software can have a backdoor as remove adware • A newer generation of ransomware part of the app – Especially if you learned about it from a – Your data is unavailable until you pop-up provide cash Remote Access Trojans (RATs) • Malware encrypts your data files • Remote Administration Tool Spyware – Pictures, documents, music, movies, etc. – The ultimate backdoor • Malware that spies on you – Your OS remains available – Administrative control of a device – Advertising, identity theft, affiliate fraud – They want you running, but not working • Malware installs the server/service/host • Can trick you into installing • You must pay the bad guys to obtain the – Attacker connects with the client – Peer to peer, fake security software decryption key software • Browser monitoring – Untraceable payment system • Control a device – Capture surfing habits – An unfortunate use of public-key – Key logging • Keyloggers - Capture every keystroke cryptography – Screen recording /screenshots – Send it back to the mother ship – Copy files Protecting against ransomware – Embed more malware Why is there so much adware and • Always have a backup spyware? – An offline backup, ideally Protecting against Trojans and RATs • Money • Keep your operating system up to date • Don’t run unknown software – Your eyeballs are incredibly valuable – Patch those vulnerabilities – Consider the consequences • Money • Keep your applications up to date • Keep anti-virus/anti-malware signatures – Your computer time and bandwidth is – Security patches updated incredibly valuable • Keep your anti-virus/anti-malware – There are always new attacks • Money signatures up to date • Always have a backup – Your bank account is incredibly valuable – New attacks every hour – You may need to quickly recover – Yes, even your bank account • Keep everything up to date Rootkits Protecting against adware/spyware 1.2 - Trojans and RATs • Originally a Unix technique • Maintain your anti-virus / anti-malware Trojan horse – The “root” in rootkit – Always have the latest signatures • Used by the Greeks to capture • Modifies core system files • Always know what you’re installing – Troy from the Trojans – Part of the kernel – And watch your options during the – A digital wooden horse • Can be invisible to the operating system installation • Software that pretends to be something – Won’t see it in Task Manager • Where’s your backup? else • Also invisible to traditional anti-virus – You might need it someday – So it can conquer your computer utilities – Cleaning adware isn’t easy – Doesn’t really care much about – If you can’t see it, you can’t stop it • Run some scans - Malwarebytes replicating • Circumvents your existing security Kernel drivers 1.2 - Bots and Botnets – Anti-virus may catch it when it runs • Zeus/Zbot malware Bots (Robots) – The better Trojans are built to avoid and – Famous for cleaning out bank accounts • Once your machine is infected, it disable AV • Now combined with Necurs rootkit becomes a bot • Once it’s inside it has free reign – Necurs is a kernel-level driver – You may not even know – And it may open the gates for other • Necurs makes sure you can’t delete Zbot • How does it get on your computer? programs – Access denied – Trojan Horse (I just saw a funny video of • Trying to stop the Windows process? you! Click here.) or... Potentially Unwanted Program (PUP) – Error terminating process: Access – You run a program or click an ad you • Identified by anti-virus/anti-malware denied THOUGHT was legit, but... – Potentially undesirable software – OS or application vulnerability – Often installed along with other Finding and removing rootkits • A day in the life of a bot software • Look for the unusual • Overly aggressive browser toolbar – Anti-malware scans – Sit around. Check in with the Command – Each is unique – Most accounts will lockout after a and Control (C&C) server. Wait for – No predefined signatures number of failed attempts instructions. • Process and procedures • Brute force the hash - Offline – Formal change control – Obtain the list of users and hashes Botnets • Electronic monitoring – Calculate a password hash, compare it • A group of bots working together – Alert on changes to a stored hash – Nothing good can come from this – Host-based intrusion detection, – Large computational resource • Distributed Denial of service (DDoS) Tripwire, etc. requirement – The power of many • Constant auditing • Relay spam, proxy network traffic, – An administrator can circumvent Dictionary attacks distributed computing tasks existing systems • Use a dictionary to find common words • Botnets are for sale – Passwords are created by humans – Rent time from the botnet owner Plaintext / unencrypted passwords • Many common wordlists available on – Not a long-term business proposition • Some applications store passwords “in the ‘net the clear” – Some are customized by language or Logic Bomb – No encryption. You can read the stored line of work • Waits for a predefined event password. • The password crackers can substitute – Often left by someone with grudge – This is rare, thankfully letters • Time bomb • Do not store passwords as plaintext – p&ssw0rd – Time or date – Anyone with access to the password file • This takes time • User event or database has every credential – Distributed cracking and GPU cracking is – Logic bomb • What to do if your application saves common • Difficult to identify passwords as plaintext: • Discover passwords for common words – Difficult to recover if it goes off – Get a better application – This won’t discover random character passwords Real-world logic bombs 1.2 - Password Attacks • March 19, 2013, South Korea Hashing a password 1.2 - Password Attacks (continued) – Email with malicious attachment sent to • Hashes represent data as a fixed-length Rainbow tables – South Korean organizations string of text • An optimized, pre-built set of hashes – Posed as a bank email – A message digest, or “fingerprint” – Saves time and storage space – Trojan installs malware • Will not have a collision (hopefully) – Doesn’t need to contain every hash • March 20, 2013, 2 p.m. local time – Different inputs will not have the same – Contains pre-calculated hash chains – Malware time-based logic-bomb hash • Remarkable speed increase activates • One-way trip – Especially with longer password lengths – Storage and master boot record deleted, – Impossible to recover the original • Need different tables for different system reboots message from the digest hashing methods – Boot device not found. – A common way to store passwords – Windows is different than MySQL – Please install an operating system on your hard disk. The password file Adding some salt • Different across operating systems and • Salt 1.2 - Logic Bombs applications – Random data added to a password Stopping the bot – Different hash algorithms when hashing • Prevent the initial infection • Every user gets their own random salt – OS and application patches Spraying attack – The salt is commonly stored with the – Anti-virus/anti-malware and updated • Try to login with an incorrect password password signatures – Eventually you’re locked out • Rainbow tables won’t work with salted • Identify an existing infection • There are some common passwords hashes – On-demand scans, network monitoring – – Additional random value added to the • Prevent command and control (C&C) https://en.wikipedia.org/wiki/List_of_the original password – Block at the firewall _most_common_passwords • This slows things down the brute force – Identify at the workstation with a host- • Attack an account with the top three (or process based firewall or host-based IPS more) passwords – It doesn’t completely stop the reverse • December 17, 2016, 11:53 p.m. – If they don’t work, move to the next engineering – Kiev, Ukraine, high-voltage substation account • Each user gets a different random hash – Logic bomb begins disabling electrical – No lockouts, no alarms, no alerts – The same password creates a different circuits hash – Malware mapped out the control Brute force network • Try every possible password When the hashes get out – Began disabling power at a combination until the hash is matched • January 2019 - Collection #1 predetermined time • This might take some time – A collection of email addresses and – Customized for SCADA networks – A strong hashing algorithm slows things passwords (Supervisory Control and Data Acquisition) down – 12,000+ files and 87 GB of data • Brute force attacks - Online • 1,160,253,228 unique emails and Preventing a logic bomb – Keep trying the login process passwords • Difficult to recognize – Very slow – A compilation of data breach results • 772,904,991 unique usernames • Create a duplicate of a card Supply chain – That’s about 773 million people – Looks and feels like the original • The chain contains many moving parts • 21,222,975 unique passwords – Often includes the printed CVC (Card – Raw materials, suppliers, manufacturers, – You really need a password manager Validation Code) distributors, customers, consumers • https://haveibeenpwned.com/ • Can only be used with magnetic stripe • Attackers can infect any step along the cards way 1.2 - Physical Attacks – The chip can’t be cloned – Infect different parts of the chain • Cloned gift cards are common without suspicion Malicious USB cable – A magnetic stripe technology – People trust their suppliers • It looks like a normal USB cable • One exploit can infect the entire chain – It has additional electronics inside 1.2 Adversarial Artificial Intelligence – There’s a lot at stake • Operating system identifies it as a HID Machine learning – Human Interface Device • Our computers are getting smarter Supply chain security – It looks like you’ve connected a – They identify patterns in data and • Target Corp. breach - November 2013 keyboard or mouse improve their predictions – 40 million credit cards stolen – A keyboard doesn’t need extra rights or • This requires a lot of training data • Heating and AC firm in Pennsylvania was permissions – Face recognition requires analyzing a lot infected • Once connected, the cable takes over of faces – Malware delivered in an email – Downloads and installs malicious – Driving a car requires a lot of road time – VPN credentials for HVAC techs was software • In use every day stolen • Don’t just plug in any USB cable – Stop spam • HVAC vendor was the supplier – Always use trusted hardware – Recommend products from an online – Attackers used a wide-open Target retailer network to infect every cash register at Malicious flash drive – What movie would you like to see? This 1,800 stores • Free USB flash drive! one. • Do these technicians look like an IT – Plug it in and see what’s on it – Prevent car accidents security issue? – That’s a bad idea • Older operating systems would Poisoning the training data Supply chain security automatically run files • Confuse the artificial intelligence (AI) • Can you trust your new – This has now been disabled or removed – Attackers send modified training data server/router/switch/firewall/software? by default that causes the AI to behave incorrectly – Supply chain cybersecurity • Could still act as a HID (Human Interface • Microsoft AI chatter bot named Tay • Use a small supplier base Device) /Keyboard • (Thinking About You) – Tighter control of vendors – Start a command prompt and type – Joins Twitter on March 23, 2016 • Strict controls over policies and anything without your intervention – Designed to learn by interacting with procedures • Attackers can load malware in Twitter users – Ensure proper security is in place documents – Microsoft didn’t program in anti- • Security should be part of the overall – PDF files, spreadsheets offensive behavior design • Can be configured as a boot device – Tay quickly became racist, sexist, and – There’s a limit to trust – Infect the computer after a reboot inappropriate • Acts as an Ethernet adapter Attacks can happen anywhere – Redirects or modifies Internet traffic Evasion attacks • Two categories for IT security requests • The AI is only as good as the training – The on-premises data is more secure! – Acts as a wireless gateway for other – Attackers find the holes and limitations – The cloud-based data is more secure! devices • An AI that knows what spam looks like • Cloud-based security is centralized and • Never connect an untrusted USB device can be fooled by a different approach costs less – Change the number of good and bad – No dedicated hardware, no data center Skimming words in the message to secure • Stealing credit card information, usually • An AI that uses real-world information – A third-party handles everything during a normal transaction can release confidential information • On-premises puts the security burden – Copy data from the magnetic stripe: – Trained with data that includes social on the client – Card number, expiration date, card security numbers – Data center security and infrastructure holder’s name – AI can be fooled into revealing those costs • ATM skimming numbers • Attackers want your data – Includes a small camera to also watch – They don’t care where it is for your PIN Securing the learning algorithms • Attackers use the card information for • Check the training data On-premises security other financial transactions – Cross check and verify • Customize your security posture – Fraud is the responsibility of the seller • Constantly retrain with new data – Full control when everything is in-house • Always check before using card readers – More data • On-site IT team can manage security – Better data better 1.2 - Physical attacks (continued) • Train the AI with possible poisoning – The local team can ensure everything is Card cloning – What would the attacker try to do? secure • Get card details from a skimmer – A local team can be expensive and – The clone needs an original 1.2 - Supply Chain Attacks difficult to staff • Local team maintains uptime and – Message Digest Algorithm 5 development errors availability – Published in April 1992, Collisions – Takes advantage of the trust a user has – System checks can occur at any time identified in 1996 for a site – No phone call for support • December 2008: Researchers created CA – Complex and varied • Security changes can take time certificate that appeared legitimate when • Malware that uses JavaScript - Do you – New equipment, configurations, and MD5 is checked allow scripts? Me too. additional costs – Built other certificates that appeared to be legit and issued by RapidSSL Non-persistent (reflected) XSS attack Security in the cloud • Web site allows scripts to run in user • Data is in a secure environment Downgrade attack input – No physical access to the data center • Instead of using perfectly good – Search box is a common source – Third-party may have access to the data encryption, use something that’s not so • Attacker emails a link that takes • Cloud providers are managing large- great advantage of this vulnerability scale security – Force the systems to downgrade their – Runs a script that sends – Automated signature and security security credentials/session IDs/cookies to the updates • 2014 - TLS vulnerability - POODLE attacker – Users must follow security best- (Padding Oracle On Downgraded Legacy • Script embedded in URL executes in the practices Encryption) victim’s browser • Limited downtime – On-path attack – As if it came from the server – Extensive fault-tolerance and 24/7/365 – Forces clients to fall back to SSL 3.0 • Attacker uses credentials/session monitoring – SSL 3.0 has significant cryptographic IDs/cookies to steal victim’s information • Scalable security options vulnerabilities without their knowledge – One-click security deployments – Because of POODLE, modern browsers – Very sneaky – This may not be as customizable as won’t fall back to SSL 3.0 necessary Persistent (stored) XSS attack Privilege escalation • Attacker posts a message to a social 1.2 - Cryptographic Attacks • Gain higher-level access to a system network Cryptographic attacks – Exploit a vulnerability - Might be a bug – Includes the malicious payload • You’ve encrypted data and sent it to or design flaw • It’s now “persistent” - Everyone gets the another person • Higher-level access means more payload – Is it really secure? How do you know? capabilities • No specific target - All viewers to the • The attacker doesn’t have the – This commonly is the highest-level page combination (the key) access • For social networking, this can spread – So they break the safe (the – This is obviously a concern quickly cryptography) • These are high-priority vulnerability – Everyone who views the message can • Finding ways to undo the security patches have it – There are many potential cryptographic – You want to get these holes closed very posted to their page shortcomings quickly – Where someone else can view it and – The problem is often the – Any user can be an administrator propagate it further... implementation • Horizontal privilege escalation – User A can access user B resources 1.3 - Cross-site Scripting Birthday attack Hacking a Subaru • In a classroom of 23 students, what is 1.3 - Privilege escalation • June 2017, Aaron Guzman the chance of Mitigating privilege escalation – Security researcher two students sharing a birthday? About • Patch quickly • When authenticating with Subaru, users 50%. – Fix the vulnerability get a token – For a class of 30, the chance is about • Updated anti-virus/anti-malware – This token never expires (bad!) 70% software • A valid token allowed any service • In the digital world, this is a hash – Block known vulnerabilities request collision • Data Execution Prevention – Even adding your email address to – A hash collision is the same hash value – Only data in executable areas can run someone for two • Address space layout randomization else’s account different plaintexts – Prevent a buffer overrun at a known – Now you have full access to someone – Find a collision through brute force memory address else’s car • The attacker will generate multiple • Web front-end included an XSS versions of Cross-site scripting vulnerability plaintext to match the hashes • XSS – A user clicks a malicious link, and you – Protect yourself with a large hash – Cascading Style Sheets (CSS) are have output size something else entirely their token • Originally called cross-site because of Collisions browser security flaws Protecting against XSS • Hash digests are supposed to be unique – Information from one site could be • Be careful when clicking untrusted links – Different input data should never create shared with another – Never blindly click in your email inbox. the same hash • One of the most common web Never. • MD5 hash application • Consider disabling JavaScript – Or control with an extension Replay attack – You visit ProfessorMesser.com – This offers limited protection • Useful information is transmitted over – Your browser loads text from the • Keep your browser and applications the network ProfessorMesser.com server updated – A crafty hacker will take advantage of – Your browser loads a video from – Avoid the nasty browser vulnerabilities this YouTube • Validate input • Need access to the raw network data – – Your browser loads pictures from – Don’t allow users to add their own Network tap, ARP poisoning, malware on Instagram scripts to an input field the victim computer • HTML on ProfessorMesser.com directs • The gathered information may help the requests from your browser Code injection attacker – This is normal and expected • Code injection – Replay the data to appear as someone – Most of these are unauthenticated – Adding your own information into a data else requests stream • This is not an on-path attack • Enabled because of bad programming – The actual replay doesn’t require the The client and the server – The application should properly handle original workstation • Website pages consist of client-side input and output • Avoid this type of replay attack with a code and server-side code • So many different data types salt – Many moving parts – HTML, SQL, XML, LDAP, etc. – Use a session ID with the password hash • Client side to create a unique authentication hash – Renders the page on the screen SQL injection each time – HTML, JavaScript • SQL - Structured Query Language • Server side – The most common relational database Header manipulation – Performs requests from management system language • Information gathering the client - HTML, PHP • SQL Injection – Wireshark, Kismet – Transfer money from one – Modifying SQL requests • Exploits – Cross-site scripting account to another – Your application shouldn’t really allow • Modify headers – Tamper, Firesheep, – Post a video on YouTube this Scapy • Modify cookies – Cookies Manager+ Cross-site request forgery 1.3 - Injection Attacks (Firefox add-on) • One-click attack, session riding - XSRF, XML injection and LDAP injection CSRF (sea surf) • XML - Extensible Markup Language Prevent session hijacking • Takes advantage of the trust that a web – A set of rules for data transfer and • Encrypt end-to-end application has for the user storage – They can’t capture your session ID if – The web site trusts your browser • XML injection they can’t see it – Requests are made without your – Modifying XML requests - a good – Additional load on the web server consent or your knowledge application will validate (HTTPS) – Attacker posts a Facebook status on • LDAP - Lightweight Directory Access – Firefox extension: HTTPS Everywhere, your account Protocol Force-TLS • Significant web application development – Created by the telephone companies – Many sites are now HTTPS-only oversight – Now used by almost everyone • Encrypt end-to-somewhere – The application should have anti-forgery • LDAP injection – At least avoid capture over a local techniques added – Modify LDAP requests to manipulate wireless network – Usually a cryptographic token to prevent application results – Still in-the-clear for part of the journey a forgery – Personal VPN (OpenVPN, VyprVPN, etc.) DLL injection Server-side request forgery (SSRF) • Dynamic-Link Library Browser cookies and session IDs • Attacker finds a vulnerable web – A Windows library containing code and • Cookies application data – Information stored on your computer by – Sends requests to a web server – Many applications can use this library the browser – Web server performs the request on • Inject a DLL and have an application run • Used for tracking, personalization, behalf of the attacker a program session management • Caused by bad programming – Runs as part of the target process – Not executable, not generally a security – Never trust the user input Buffer overflows risk – Server should validate the input • Overwriting a buffer of memory – Spills – Unless someone gets access to them and the responses over into other memory areas • • Could be considered be a privacy risk – These are rare, but can be Developers need to perform bounds – Lots of personal data in there critical vulnerabilities checking – The attackers spend a lot of • Session IDs are often stored in the time looking for openings • Not a simple cookie 1.3 - Request Forgeries (continued) exploit – Takes time to avoid crashing – Maintains sessions across multiple Capital One SSRF breach - March 2019 things – Takes time to make it do what browser sessions • Attacker is able to execute commands you want • A really useful buffer overflow on the Capital One website is repeatable – Which means that a 1.3 - Request Forgeries – This is normally stopped by a WAF system can be compromised Cross-site requests (Web Application Firewall) • Cross-site requests are common and – The WAF was misconfigured 1.3 - Replay Attacks legitimate • Attacker obtained security credentials SSL stripping / HTTP downgrade – Used software interlocks instead of for the WAF role • Combines an on-path attack with a hardware • WAF-Role account listed the buckets on downgrade attack – Race condition caused 100 times the Amazon S3 – Difficult to implement, but big returns normal dose of radiation • Attacker retrieved the data from the for the attacker – Six patients injured, three deaths Amazon buckets • Attacker must sit in the middle of the • Credit card application data from 2005 conversation Other Application Attacks through 2019 – Must modify data between the victim Memory vulnerabilities – 106 million names, address, phone, and web server • Manipulating memory can be email, DoB – Proxy server, ARP spoofing, rogue Wi-Fi advantageous – 140,000 Social Security numbers, hotspot, etc. – Relatively difficult to accomplish 80,000 bank accounts • Victim does not see any significant • Memory leak problem – Unused memory is not properly released Malware hide-and-go-seek – Except the browser page isn’t encrypted – Begins to slowly grow in size • Traditional anti-virus is very good at – Strips the S away from HTTPS – Eventually uses all available memory identifying known attacks • This is a client and server problem – System crashes – Checks the signature – Works on SSL and TLS • NULL Pointer dereference – Block anything that matches – Programming technique that references • There are still ways to infect and hide 1.3 - SSL Stripping a – It’s a constant war SSL and TLS portion of memory – Zero-day attacks, new attack types, etc. • SSL (Secure Sockets Layer) 2.0 - – What happens if that reference points to Deprecated in 2011 nothing? Your drivers are powerful • SSL 3.0 – Application crash, debug information • The interaction between the hardware – Vulnerable to the POODLE attack displayed, DoS and your operating system – Deprecated in June 2015 • Integer overflow – They are often trusted • Transport Layer Security (TLS) 1.0 – Large number into a smaller sized space – Great opportunity for security issues – Upgrade to SSL 3.0, and a name change – Where does the extra number go? • May 2016 - HP Audio Drivers from SSL to TLS – You shouldn’t be able to manipulate – Conexant audio chips – Can downgrade to SSL 3.0 memory this way – Driver installation includes audio control • TLS 1.1 software – Deprecated in January 2020 by modern Directory traversal – Debugging feature enables a keylogger browsers • Directory traversal / path traversal • Hardware interactions contain sensitive • TLS 1.2 and TLS 1.3 - The latest – Read files from a web server that are information standards outside of the website’s file directory – Video, keyboard, mouse – Users shouldn’t be able to browse 1.3 - Race Conditions the Windows folder 1.3 - Driver Manipulation Race condition • Web server software vulnerability Shimming • A programming conundrum – Won’t stop users from browsing past • Filling in the space between two objects – Sometimes, things happen at the same the – A middleman time web server root • Windows includes it’s own shim – This can be bad if you’ve not planned for • Web application code vulnerability – Backwards compatibility with previous it – Take advantage of badly written code Windows versions • Time-of-check to time-of-use attack – Application Compatibility Shim Cache (TOCTOU) Improper error handling • Malware authors write their own shims – Check the system • Errors happen – Get around security (like UAC) – When do you use the results of your last – And you should probably know about it • January 2015 Microsoft vulnerability check? • Messages should be just informational – Elevates privilege – Something might happen between the enough check – Avoid too much detail Refactoring and the use – Network information, memory dump, • Metamorphic malware stack traces, database dumps – A different program each time it’s Race conditions can cause big problems • This is an easy one to find and fix downloaded • January 2004 - Mars rover “Spirit” – A development best-practice • Make it appear different each time – Reboot when a problem is identified – Add NOP instructions – Problem is with the file system, so Improper input handling – Loops, pointless code strings reboot because of the file system problem • Many applications accept user input • Can intelligently redesign itself – Reboot loop was the result – We put data in, we get data back – Reorder functions • GE Energy - Energy Management System • All input should be considered malicious – Modify the application flow – Three power lines failed at the same – Check everything. Trust nobody. – Reorder code and insert unused data time • Allowing invalid input can be types – Race condition delayed alerts devastating • Difficult to match with signature-based – Caused the Northeast Blackout of 2003 – SQL injections, buffer overflows, detection • Therac-25 radiation therapy machine in denial of service, etc. – Use a layered approach the 1980s • It takes a lot of work to find input that can be used maliciously – But they will find it • Sending of unsolicited messages to channel switch announcements, etc. another • Not everything is encrypted API attacks device via Bluetooth – Beacons, probes, authentication, • API - Application Programming Interface – No mobile carrier required! association • Attackers look for vulnerabilities in this • Typical functional distance is about 10 • 802.11w is required for 802.11ac new meters compliance communication path – More or less, depending on antenna and – This will roll out going forward – Exposing sensitive data, DoS, interference intercepted • Bluejack with an address book object Radio frequency (RF) jamming communication, privileged access – Instead of contact name, write a • Denial of Service message – Prevent wireless communication Resource exhaustion – “You are Bluejacked!” • Transmit interfering wireless signals • A specialized DoS (Denial of Service) – “You are Bluejacked! Add to contacts?” – Decrease the signal-to-noise ratio at attack • Third-party software may also be used the receiving device – May only require one device and low – Blooover, Bluesniff – The receiving device can’t hear the good bandwidths signal • ZIP bomb Bluesnarfing • Sometimes it’s not intentional – A 42 kilobyte .zip compressed file • Access a Bluetooth-enabled device and – Interference, not jamming – Uncompresses to 4.5 petabytes (4,500 transfer data – Microwave oven, fluorescent lights terabytes) – Contact list, calendar, email, pictures, • Jamming is intentional – Anti-virus will identify these video, etc. – Someone wants your network to not • DHCP starvation • First major security weakness in work – Attacker floods a network with IP Bluetooth address requests – Marcel Holtmann in September 2003 Wireless jamming – MAC address changes each time and • Many different types – DHCP server eventually runs out of – Adam Laurie in November 2003 – Constant, random bits / Constant, addresses – This weakness was patched legitimate frames – Switch configurations can rate limit • Serious security issue • Data sent at random times DHCP requests – If you know the file, you can download it – Random data and legitimate frames without authentication • Reactive jamming Rogue access points – Only when someone else tries to • An unauthorized wireless access point 1.4 - Wireless Disassociation Attacks communicate – May be added by an employee or an It started as a normal day • Needs to be somewhere close attacker • Surfing along on your wireless network – Difficult to be effective from a distance – Not necessarily malicious – And then you’re not • Time to go fox hunting – A significant potential backdoor • And then it happens again – You’ll need the right equipment to hunt • Very easy to plug in a wireless AP – And again down the jam – Or enable wireless sharing in your OS • You may not be able to stop it – Directional antenna, attenuator • Schedule a periodic survey – There’s (almost) nothing you can do 1.4 - RFID and NFC Attacks – Walk around your building/campus – Time to get a long patch cable RFID (Radio-frequency identification) – Use third-party tools / WiFi Pineapple • Wireless disassociation • It’s everywhere • Consider using 802.1X (Network Access – A significant wireless – Access badges Control) denial of service (DoS) attack – Inventory/Assembly line tracking – You must authenticate, regardless of the – Pet/Animal identification connection type 802.11 management frames – Anything that needs to be tracked • 802.11 wireless includes a number of • Radar technology Wireless evil twins management features – Radio energy transmitted to the tag • Looks legitimate, but actually malicious – Frames that make everything work – RF powers the tag, ID is transmitted – The wireless version of phishing – You never see them back • Configure an access point to look like an • Important for the operation of 802.11 – Bidirectional communication existing network wireless – Some tag formats can be – Same (or similar) SSID and security – How to find access points, manage QoS, active/powered settings/captive portal associate/ • Overpower the existing access points disassociate with an access point, etc. RFID Attacks – May not require the same physical • Original wireless standards did not add • Data capture location protection for management frames – View communication • WiFi hotspots (and users) are easy to – Sent in the clear – Replay attack fool – No authentication or validation • Spoof the reader - Write your own data – And they’re wide open Protecting against disassociation to the tag • You encrypt your communication, right? • IEEE has already addressed the problem • Denial of service - Signal jamming – Use HTTPS and a VPN – 802.11w - July 2014 • Decrypt communication • Some of the important management – Many default keys are on Google 1.4 - Bluejacking and Bluesnarfing frames Bluejacking are encrypted Near field communication (NFC) – Disassociate, deauthenticate, • Two-way wireless communication – Builds on RFID, which is mostly one-way – You never know your traffic was – Builds the list based on the source MAC • Payment systems redirected address of incoming traffic – Many options available • ARP poisoning – These age out periodically, often in 5 • Bootstrap for other wireless – ARP has no security minutes – NFC helps with Bluetooth pairing – On-path attack on the local IP subnet • Maintain a loop-free environment • Access token, identity “card” – Using Spanning Tree Protocol (STP) – Short range with encryption support On-path browser attack • What if the middleman was on the same Learning the MACs NFC Security Concern computer as the victim? • Switches examine incoming traffic • Remote capture – Malware/Trojan does all of the proxy – Makes a note of the source MAC – It’s a wireless network work address – 10 meters for active devices – Formerly known as man-in-the-browser • Adds unknown MAC addresses to the • Frequency jamming • Huge advantages for the attackers MAC address table – Denial of service – Relatively easy to proxy encrypted traffic – Sets the output interface to the received • Relay / Replay attack – Everything looks normal to the victim interface – On-path attack • The malware in your browser waits for • Loss of NFC device control you to login to your bank 1.4 - DNS Attacks – Stolen/lost phone – And cleans you out DNS poisoning • Modify the DNS server 1.4 - Randomizing Cryptography 1.4 - MAC Flooding and Cloning – Requires some crafty hacking Cryptographic nonce The MAC address • Modify the client host file • Arbitrary number • Ethernet Media Access Control address – The host file takes precedent over DNS – Used once – The “physical” address of a network queries – “For the nonce” - For the time being adapter • Send a fake response to a valid DNS • A random or pseudo-random number – Unique to a device request – Something that can’t be reasonably • 48 bits / 6 bytes long – Requires a redirection of the original guessed – Displayed in hexadecimal request – Can also be a counter or the resulting response • Use a nonce during the login process MAC flooding – Server gives you a nonce • The MAC table is only so big Domain hijacking – Calculate your password hash using the • Attacker starts sending traffic with • Get access to the domain registration, nonce different source MAC addresses and you have control where the traffic – Each password hash sent to the host will – Force out the legitimate MAC addresses flows be • The table fills up – You don’t need to touch the actual different, so a replay won’t work – Switch begins flooding traffic to all servers interfaces – Determines the DNS names and DNS IP Initialization Vectors (IV) • This effectively turns the switch into a addresses • A type of nonce hub • Many ways to get into the account – Used for randomizing an encryption – All traffic is transmitted to all interfaces – Brute force scheme – No interruption in traffic flows – Social engineer the password – The more random the better • Attacker can easily capture all network – Gain access to the email address that • Used in encryption ciphers, WEP, and traffic! manages the account some • Flooding can be restricted in the switch’s – The usual things SSL implementations port security settings Domain hijacking Salt • Saturday, October 22, 2016, 1 PM • A nonce most commonly associated MAC cloning / MAC spoofing • Domain name registrations of with password randomization • An attacker changes their MAC address 36 domains are changed – Make the password hash unpredictable to match the MAC address of an existing – Brazilian bank • Password storage should always be device – Desktop domains, mobile domains, and salted – A clone / a spoof more – Each user gets a different salt • Circumvent filters • Under hacker control for 6 hours • If the password database is breached, – Wireless or wired MAC filters – The attackers became the bank you can’t correlate any passwords – Identify a valid MAC address and copy it • 5 million customers, $27 billion in assets – Even users with the same password • Create a DoS – Results of the hack have not been have different hashes stored – Disrupt communication to the legitimate publicly released MAC 1.4 - On-Path Attacks • Easily manipulated through software URL hijacking On-path network attack – Usually a device driver option • Make money from your mistakes • How can an attacker watch without you – There’s a lot of advertising on the ‘net knowing? LAN switching • Sell the badly spelled domain to the – Formerly known as man-in-the-middle • Forward or drop frames actual owner • Redirects your traffic – Based on the destination MAC address – Sell a mistake – Then passes it on to the destination • Gather a constantly updating list of MAC • Redirect to a competitor addresses – Not as common, legal issues • Phishing site • Launch an army of computers to bring – The hacker is on borrowed time – Looks like the real site, please login down a service • Infect with a drive-by download – Use all the bandwidth or resources - Windows PowerShell – You’ve got malware! traffic spike • Command line for system administrators • This is why the attackers have botnets – .ps1 file extension Types of URL hijacking – Thousands or millions of computers at – Included with Windows 8/8.1 and 10 • Typosquatting / brandjacking your command • Extend command-line functions – Take advantage of poor spelling – At its peak, Zeus botnet infected over – Uses cmdlets (command-lets) • Outright misspelling 3.6 million PCs – PowerShell scripts and functions – professormesser.com vs. – Coordinated attack – Standalone executables professormessor.com • Asymmetric threat • Attack Windows systems • A typing error – The attacker may have fewer resources – System administration – professormeser.com than the victim – Active Domain administration • A different phrase – File share access – professormessers.com DDoS amplification • Different top-level domain • Turn your small attack into a big attack Python – professormesser.org – Often reflected off another device or • General-purpose scripting language service – .py file extension Domain reputation • An increasingly common DDoS • Popular in many technologies • The Internet is tracking your security technique – Broad appeal and support posture – Turn Internet services against the victim • Commonly used for cloud orchestration – They know when things go sideways • Uses protocols with little (if any) – Create and tear down application • Email reputation authentication or checks instances – Suspicious activity – NTP, DNS, ICMP • Attack the infrastructure – Malware originating from the IP address – A common example of protocol abuse – Routers, servers, switches • A bad reputation can cause email delivery to fail Application DoS Shell script – Email rejection or simply dropped • Make the application break or work • Scripting the Unix/Linux shell • Check with the email or service provider harder – Automate and extend the command line to check the reputation – Increase downtime and costs – Bash, Bourne, Korn, C – Follow their instructions to remediate • Fill the disk space • Starts with a shebang or hash-bang #! • Infected systems are noticed by the – A 42 kilobyte .zip compressed file – Often has a .sh file extension search engines – Uncompresses to 4.5 petabytes (4,500 • Attack the Linux/Unix environment – Your domain can be flagged or removed terabytes) – Web, database, virtualization servers • Users will avoid the site – Anti-virus will identify these • Control the OS from the command line – Sales will drop • Overuse a measured cloud resource – Malware has a lot of options – Users will avoid your brand – More CPU/memory/network is more • Malware might be removed quickly money Macros – Recovery takes much longer • Increase the cloud server response time • Automate functions within an – Victim deploys a new application application Denial of Service instance - repeat – Or operating system • Force a service to fail • Designed to make the application easier – Overload the service Operational Technology (OT) DoS to use • Take advantage of a design failure or • The hardware and software for – Can often create security vulnerabilities vulnerability industrial equipment • Attackers create automated exploits – Keep your systems patched! – Electric grids, traffic control, – They just need the user to open the file • Cause a system to be unavailable manufacturing plants, etc. – Prompts to run the macro – Competitive advantage • This is more than a web server failing • Create a smokescreen for some other – Power grid drops offline Visual Basic for Applications (VBA) exploit – All traffic lights are green • Automates processes within Windows – Precursor to a DNS spoofing attack – Manufacturing plant shuts down applications • Doesn’t have to be complicated • Requires a different approach – Common in Microsoft Office – Turn off the power – A much more critical security posture • A powerful programming language – Interacts with the operating system A “friendly” DoS Scripting and automation • CVE-2010-0815 / MS10-031 • Unintentional DoSing - It’s not always a • Automate tasks – VBA does not properly search for ne’er-do-well – You don’t have to be there ActiveX • Network DoS - Layer 2 loop without STP – Solve problems in your sleep controls in a document • Bandwidth DoS - Downloading multi- – Monitor and resolve problems before – Run arbitrary code embedded in a gigabyte Linux distributions over a DSL they happen document line • The need for speed – Easy to infect a computer • The water line breaks – The script is as fast as the computer – Get a good shop vacuum – No typing or delays 1.5 - Threat Actors – No human error Threat actors and attributes Distributed Denial of Service (DDoS) • Automate the attack • The entity responsible for an event that • There’s a reason we lock the data center has Organized crime – Physical access to a system is a an impact on the safety of another entity • Professional criminals significant attack vector – Also called a malicious actor – Motivated by money • Modify the operating system • Broad scope of actors – Almost always an external entity – Reset the administrator password in a – And motivations vary widely • Very sophisticated few minutes • Advanced Persistent Threat (APT) – Best hacking money can buy • Attach a keylogger – Attackers are in the network and • Crime that’s organized – Collect usernames and passwords undetected – One person hacks, one person manages • Transfer files – 2018 FireEye report: the exploits, another person sells the – Take it with you Americas: 71 days, data, another handles customer support • Denial of service EMEA: 177 days, • Lots of capital to fund hacking efforts – This power cable is in the way APAC: 204 days Hackers Wireless attack vectors Insiders • Experts with technology • Default login credentials • More than just passwords on sticky – Often driven by money, power, and ego • Modify the access point configuration notes • Authorized • Rogue access point – Some insiders are out for no good – An ethical hacker with good intentions • A less-secure entry point to the network • Sophistication may not be advanced, – And permission to hack • Evil twin but the insider has institutional • Unauthorized • Attacker collects authentication details knowledge – Malicious, violates security for personal • On-path attacks – Attacks can be directed at vulnerable gain • Protocol vulnerabilities systems • Semi-authorized • 2017 - WPA2 Key Reinstallation Attack – The insider knows what to hit – Finds a vulnerability, doesn’t use it (KRACK) • Extensive resources • Older encryption protocols (WEP, WPA) – Eating away from the inside Shadow IT • Going rogue Email attack vectors Nation states – Working around the internal IT • One of the biggest (and most successful) • Governments organization attack vectors • National security, job security • Information Technology can put up – Everyone has email • Always an external entity roadblocks • Phishing attacks • Highest sophistication – Shadow IT is unencumbered – People want to click links • Military control, utilities, financial – Use the cloud • Deliver the malware to the user control – Might also be able to innovate – Attach it to the message • United States and Israel destroyed 1,000 • Not always a good thing • Social engineering attacks nuclear centrifuges with the Stuxnet – Wasted time and money – Invoice scam worm – Security risks • Constant attacks – Compliance issues Supply chain attack vectors • Commonly an Advanced Persistent – Dysfunctional organization • Tamper with the underlying Threat (APT) Competitors infrastructure • Many different motivations – Or manufacturing process Hacktivist – DoS, espionage, harm reputation • Gain access to a network using a vendor • A hacker with a purpose • High level of sophistication – 2013 Target credit card breach – Social change or a political agenda – Based on some significant funding • Malware can modify the manufacturing – Often an external entity – The competitive upside is huge (and process • Can be remarkably sophisticated very unethical) – 2010 - Stuxnet disrupts Iran’s uranium – Very specific hacks • Many different intents enrichment program – DoS, web site defacing, release of – Shut down your competitor during an • Counterfeit networking equipment private documents, etc. event – Install backdoors, substandard • Funding is limited – Steal customer lists performance and availability – Some organizations have fundraising – Corrupt manufacturing databases – 2020 - Fake Cisco Catalyst 2960-X and options – Take financial information WS-2960X-48TS-L
Script kiddies 1.5 - Attack Vectors Social media attack vectors
• Runs pre-made scripts without any Attack vectors • Attackers thank you for putting your knowledge • A method used by the attacker personal information online of what’s really happening – Gain access or infect to the target – Where you are and when – Not necessarily a youngster • A lot of work goes into finding – Vacation pictures are especially telling • Can be internal or external vulnerabilities in these vectors • User profiling – But usually external – Some are more vulnerable than others – Where were you born? • Not very sophisticated • IT security professional spend their – What is the name of your school • No formal funding career watching these vectors mascot? – Looking for low hanging fruit – Closing up existing vectors • Fake friends are fake • Motivated by the hunt – Finding new ones – The inner circle can provide additional – Working the ego, trying to make a name Direct access attack vectors information • Common Vulnerabilities and Exposures • Indicators Removable media attack vectors (CVE) – Unusual amount of network activity • Get around the firewall – A community managed list of – Change to file hash values – The USB interface vulnerabilities – Irregular international traffic • Malicious software on USB flash drives – Sponsored by the U.S. Department of – Changes to DNS data – Infect air gapped networks Homeland Security (DHS) and – Uncommon login patterns – Industrial systems, high-security services Cybersecurity and Infrastructure Security – Spikes of read requests to certain files • USB devices can act as keyboards Agency (CISA) – Hacker on a chip • U.S. National Vulnerability Database Predictive analysis • Data exfiltration (NVD) • Analyze large amounts of data very – Terabytes of data walk out the door – A summary of CVEs quickly – Zero bandwidth used – Also sponsored by DHS and CISA – Find suspicious patterns • NVD provides additional details over the – Big data used for cybersecurity Cloud attack vectors CVE list • Identify behaviors • Publicly-facing applications and services – Patch availability and severity scoring – DNS queries, traffic patterns, location – Mistakes are made all the time data • Security misconfigurations Public/private information-sharing • Creates a forecast for potential attacks – Data permissions and public data stores centers – An early-warning system • Brute force attacks • Public threat intelligence • Often combined with machine learning – Or phish the users of the cloud service – Often classified information – Less emphasis on signatures • Orchestration attacks • Private threat intelligence – Make the cloud build new application – Private companies have extensive Threat maps instances resources • Identify attacks and trends • Denial of service • Need to share critical security details – View worldwide perspective – Disable the cloud services for everyone – Real-time, high-quality cyber threat • Created from real attack data information sharing – Identify and react 1.5 - Threat Intelligence • Cyber Threat Alliance (CTA) Threat intelligence – Members upload specifically formatted File/code repositories • Research the threats - And the threat threat intelligence • See what the hackers are building actors – CTA scores each submission and – Public code repositories, GitHub • Data is everywhere validates • See what people are accidentally – Hacker group profiles, tools used by the across other submissions releasing attackers, and much more – Other members can extract the – Private code can often be published • Make decisions based on this validated data publicly intelligence • Attackers are always looking for this – Invest in the best prevention Automated indicator sharing (AIS) code • Used by researchers, security operations • Intelligence industry needs a standard – Potential exploits exist teams, and others way to share important threat data – Content for phishing attacks – Share information freely 1.5 - Threat Research Open-source intelligence (OSINT) • Structured Threat Information Threat research • Open-source eXpression (STIX) • Know your enemy – Publicly available sources – Describes cyber threat information – And their tools of war – A good place to start – Includes motivations, abilities, • A never-ending process • Internet capabilities, and response information – The field is constantly moving and – Discussion groups, social media • Trusted Automated eXchange of changing • Government data Indicator Information (TAXII) • Information from many different places – Mostly public hearings, reports, – Securely shares STIX data – You can’t rely on a single source websites, etc. • Commercial data Dark web intelligence Vendor websites – Maps, financial reports, databases • Dark web • Vendors and manufacturers – Overlay networks that use the Internet – They wrote the software Closed/proprietary intelligence – Requires specific software and • They know when problems are • Someone else has already compiled the configurations to access announced threat information • Hacking groups and services – Most vendors are involved in the – You can buy it – Activities disclosure process • Threat intelligence services – Tools and techniques • They know their product better than – Threat analytics, correlation across – Credit card sales anyone different data sources – Accounts and passwords – They react when surprises happen • Constant threat monitoring • Monitor forums for activity – Scrambling after a zero-day – Identify new threats – Company names, executive names announcement – Create automated prevention workflows – Mitigating and support options Indicators of compromise (IOC) Vulnerability databases • An event that indicates an intrusion Vulnerability feeds • Researchers find vulnerabilities – Confidence is high • Automated vulnerability notifications – Everyone needs to know about them – He’s calling from inside the house • National Vulnerability Database (https://nvd.nist.gov) – Cisco, Microsoft, VMware, etc. - Secure • Very easy to leave a door open • CVE Data Feeds (https://cve.mitre.org) specific technologies – The hackers will always find it • Third-party feeds • Increasingly common with cloud storage • Additional vulnerability coverage Social media – Statistical chance of finding an open • Roll-up to a vulnerability management • Hacking group conversations - Monitor permission system the chatter • June 2017 - 14 million Verizon records • Coverage across teams • Honeypot monitoring on Twitter exposed • Consolidated view of security issues – Identify new exploit attempts – Third-party left an Amazon S3 data • Keyword monitoring - CVE-2020-*, repository open Conferences bugbounty, 0-day – Researcher found the data before • Watch and learn • Analysis of vulnerabilities - Professionals anyone else – An early warning of things to come discussing the details • Many, many other examples • Researchers • Command and control - Use social – Secure your permissions! – New DDoS methods, intelligence media as the transport gathering, Unsecured root accounts hacking the latest technologies Threat feeds • The Linux root account • Stories from the trenches • Monitor threat announcements - Stay – The Administrator or superuser account – Fighting and recovering from attacks informed • Can be a misconfiguration – New methods to protect your data • Many sources of information – Intentionally configuring an easy-to-hack • Building relationships - forge alliances – U.S. Department of Homeland Security password – U.S. Federal Bureau of Investigation – 123456, ninja, football Academic journals – SANS Internet Storm Center • Disable direct login to the root account • Research from academic professionals – VirusTotal Intelligence: – Use the su or sudo option – Cutting edge security analysis – Google and Facebook correlation • Protect accounts with root or • Evaluations of existing security administrator access technologies TTP – There should not be a lot of these – Keeping up with the latest attack • Tactics, techniques, and procedures methods – What are adversaries doing and how are Errors • Detailed post mortem they doing it? • Error messages can provide useful – Tear apart the latest malware and • Search through data and networks information to an attacker see what makes it tick – Proactively look for threats – Service type, version information, debug • Extremely detailed information – Signatures and firewall rules can’t catch data – Break apart topics into their smaller everything • September 2015 - Patreon is pieces • Different types of TTPs compromised – Information on targeted victims (Finance – Used a debugger to help monitor and Request for comments (RFC) for energy companies) troubleshoot web site issues • Published by the Internet Society (ISOC) – Infrastructure used by attackers (DNS – Was left exposed to the Internet – Often written by the Internet and IP addresses) – Effectively allowed for remote code Engineering – Outbreak of a particular malware variant executions Task Force (IETF) on a service type – Gigabytes of customer data was – Internet Society description is RFC 1602 released online • Not all RFCs are standards documents 1.6 - Vulnerability Types – Experimental, Best Current Practice, Zero-day attacks Weak encryption Standard Track, and Historic • Many applications have vulnerabilities • Encryption protocol (AES, 3DES, etc.) • Many informational RFCs analyze – We’ve just not found them yet – Length of the encryption key (40 bits, threats • Someone is working hard to find the 128 bits, – RFC 3833 - Threat Analysis of the next 256 bits, etc.) Domain big vulnerability – Hash used for the integrity check (SHA, Name System – The good guys share these with MD5, etc.) – RFC 7624 - Confidentiality in the Face of developers – Wireless encryption (WEP, WPA) Pervasive Surveillance: • Attackers keep these yet-to-be- • Some cipher suites are easier to break – A Threat Model and Problem Statement discovered holes to themselves than others – They want to use these vulnerabilities – Stay updated with the latest best Local industry groups for practices • A gathering of local peers personal gain • TLS is one of the most common issues – Shared industry and technology, • Zero-day – Over 300 cipher suites geographical presence – The vulnerability has not been detected • Which are good and which are bad? • Associations or published – Weak or null encryption (less than 128 – Information Systems Security – Zero-day exploits are increasingly bit key sizes), Association, common outdated hashes (MD5) Network Professional Association • Common Vulnerabilities and Exposures – Meet others in the area, discuss local (CVE) Insecure protocols challenges – http://cve.mitre.org/ • Some protocols aren’t encrypted • Industry user groups – All traffic sent in the clear - Telnet, FTP, Open permissions SMTP, IMAP • Verify with a packet capture • IT security doesn’t change because it’s a – Check for backdoors – View everything sent over the network third-party – Validate data protection and encryption • Use the encrypted versions- SSH, SFTP, – There should be more security, not less IMAPS, etc. • Always expect the worst Data storage – Prepare for a breach • Consider the type of data Default settings • Human error is still the biggest issue – Contact information • Every application and network device – Everyone needs to use IT security best – Healthcare details, financial information has a default login practices • Storage at a third-party may need – Not all of these are ever changed • All security is important encryption • Mirai botnet – Physical security and cybersecurity work – Limits exposure, adds complexity – Takes advantage of default hand-in-hand • Transferring data configurations – The entire data flow needs to be – Takes over Internet of Things (IoT) System integration risk encrypted devices • Professional installation and – 60+ default configurations maintenance 1.6 - Vulnerability Impacts – Cameras, routers, doorbells, garage – Can include elevated OS access Vulnerability impacts door openers, etc. • Can be on-site • Malicious cyber activity cost the U.S. • Mirai released as open-source software – With physical or virtual access to data economy between $57 billion and $109 – There’s a lot more where that came and systems billion in 2016 from – Keylogger installations and USB flash – The Cost of Malicious Cyber Activity to drive data transfers the U.S. Economy, Open ports and services • Can run software on the internal – The Council of Economic Advisers, • Services will open ports network February 2018 – It’s important to manage access – Less security on the inside • Many other non-economic impacts - Far • Often managed with a firewall – Port scanners, traffic captures reaching effects – Manage traffic flows – Inject malware and spyware, sometimes • These are the reasons we patch – Allow or deny based on port number or inadvertently vulnerabilities application • Firewall rulesets can be complex 1.6 Third-party Risks (continued) Data loss – It’s easy to make a mistake • Vulnerability: Unsecured databases • Always test and audit Lack of vendor support – No password or default password – Double and triple check • Security requires diligence • July 2020 - Internet-facing databases are – The potential for a vulnerability is being deleted Improper patch management always there – No warning, no explanation • Often centrally managed • Vendors are the only ones who can fix • Thousands of databases are missing – The update server determine when you their products – I hope you had a backup patch – Assuming they know about the problem • Overwrites data with iterations of the – Test all of your apps, then deploy – And care about fixing it word “meow” – Efficiently manage bandwidth • Trane Comfortlink II thermostats – No messages or motivational content • Firmware - The BIOS of the device – Control the temperature from your • Operating system- Monthly and on- phone Identity theft demand patches – Trane notified of three vulnerabilities in • May through July 2017 - Equifax • Applications April 2014 – Data breach of 147.9 million Americans, – Provided by the manufacturer as- – Two patched in April 2015, one in – 15.2 million British citizens, 19,000 needed January 2016 Canadian citizens – Names, SSNs, birthdates, addresses, Legacy platforms Supply chain risk some driver’s license numbers • Some devices remain installed for a long • You can’t always control security at a • Apache Struts vulnerability from March time third-party location 7, 2017 – Perhaps too long – Always maintain local security controls – Breach started March 12th • Legacy devices • Hardware and software from a vendor – Wasn’t patched by Equifax until July – Older operating systems, applications, can contain malware 30th after discovering “suspicious middleware – Verify the security of new systems network traffic” • May be running end-of-life software • Counterfeit hardware is out there – September 7th - Public disclosure – The risk needs to be compared to the – It looks like a Cisco switch…Is it • September 15th - CIO and CSO depart return malicious? Equifax • May require additional security • July 2019 - Equifax pays $575 million in protections Outsourced code development fines – Additional firewall rules • Accessing the code base – IPS signature rules for older operating – Internal access over a VPN Financial loss systems – Cloud-based access • March 2016 - Bank of Bangladesh • Verify security to other systems – Society for Worldwide Interbank 1.6 - Third-party Risks – The development systems should be Financial Third-party risks isolated Telecommunications (SWIFT) • Test the code security • Attackers sent secure messages to – Security operations, security – You’re a normal user, transfer nearly one billion dollars in intelligence, threat response emulates an insider attack reserves to accounts in Philippines and Sri • Fuse the security data together with Lanka big data analytics Identify vulnerabilities – Fortunately, most of the messages were – Analyze massive and diverse datasets • The scanner looks for everything incorrectly formatted – Pick out the interesting data points – Well, not everything - The signatures are • Thirty-five requests were acted upon and correlations the key – $81 million lost and laundered through • Application scans the Fusing the data – Desktop, mobile apps Filipino casino industry • Collect the data • Web application scans • Similar SWIFT vulnerabilities: $12 million – Logs and sensors, network information, – Software on a web server from Wells Fargo, $60 million from Internet events, intrusion detection • Network scans Taiwanese Far Eastern International Bank • Add external sources – Misconfigured firewalls, open ports, – Threat feeds, governmental alerts, vulnerable devices Reputation impacts advisories and bulletins, social media • Getting hacked isn’t a great look • Correlate with big data analytics Vulnerability research – Organizations are often required to – Focuses on predictive analytics and user • The vulnerabilities can be cross- disclose behavior analytics referenced online – Stock prices drop, at least for the short – Mathematical analysis of unstructured – Almost all scanners give you a place to term data go • October 2016 - Uber breach • National Vulnerability Database: – 25.6 million Names, email addresses, Cybersecurity maneuvers http://nvd.nist.gov/ mobile numbers • In the physical world, move troops and • Common Vulnerabilities and Exposures • Didn’t publicly announce it until tanks (CVE): November 2017 – Stop the enemy on a bridge or shore https://cve.mitre.org/cve/ – Allegedly paid the hackers $100,000 and • In the virtual world, move firewalls and • Microsoft Security Bulletins: had them sign an NDA operating systems http://www.microsoft.com/technet/secur – 2018 - Uber paid $148 million in fines – Set a firewall rule, block an IP address, ity/current.aspx • Hackers pleaded guilty in October 2019 delete malicious software • Some vulnerabilities cannot be – August 2020 - Uber’s former Chief • Automated maneuvers definitively identified Security Officer – Moving at the speed of light – You’ll have to check manually to see if a – The computer reacts instantly system is vulnerable Availability loss • Combine with fused intelligence – The scanner gives you a heads-up • Outages and downtime - Systems are – Ongoing combat from many fronts • National Vulnerability Database: unavailable • Tomorrow it’s a different fight http://nvd.nist.gov/ • The pervasive ransomware threat – Synchronized with the CVE list – Brings down the largest networks 1.7 - Vulnerability Scans – Enhanced search functionality • September 2020 - BancoEstado Vulnerability scanning • Common Vulnerability Scoring System – One of Chile’s three biggest banks • Usually minimally invasive (CVSS) – Ransomware attack over the weekend – Unlike a penetration test – Quantitative scoring of a vulnerability - 0 • Bank closed for an extended period • Port scan to 10 – Segmented network - Only hit internal – Poke around and see what’s open – The scoring standards change over time systems • Identify systems – Different scoring for CVSS 2.0 vs CVSS – Wipe and restore everything – And security devices 3.x • Test from the outside and inside • Industry collaboration Threat hunting – Don’t dismiss insider threats – Enhanced feed sharing and automation • The constant game of cat and mouse • Gather as much information as possible – Find the attacker before they find you – We’ll separate wheat from chaff later Vulnerability scan log review • Strategies are constantly changing • Lack of security controls – Firewalls get stronger, so phishing gets Scan types – No firewall better • Scanners are very powerful – No anti-virus • Intelligence data is reactive – Use many different techniques to – No anti-spyware – You can’t see the attack until it happens identify • Misconfigurations • Speed up the reaction time vulnerabilities – Open shares – Use technology to fight • Non-intrusive scans – Guest access – Gather information, don’t try to exploit • Real vulnerabilities Intelligence fusion a – Especially newer ones • An overwhelming amount of security vulnerability – Occasionally the old ones data • Intrusive scans – Too much data to properly detect, – You’ll try out the vulnerability to see if it Dealing with false positives analyze, and react works • False positives • Many data types • Non-credentialed scans – A vulnerability is identified that doesn’t – Dramatically different in type and scope – The scanner can’t login to the remote really exist • Separate teams device • This is different than a low-severity • Credentialed scan vulnerability – It’s real, but it may not be your highest • Constant information flow • The rules priority – Important metrics in the incoming logs – IP address ranges • False negatives • Track important statistics – Emergency contacts – A vulnerability exists, but you didn’t – Exceptions can be identified – How to handle sensitive information detect it • Send alerts when problems are found – In-scope and out-of-scope devices • Update to the latest signatures – Email, text, call, etc. or applications – If you don’t know about it, you can’t see • Create triggers to automate responses it – Open a ticket, reboot a server Working knowledge • Work with the vulnerability detection • How much do you know about the test? manufacturer Analyzing the data – Many different approaches – They may need to update their • Big data analytics • Unknown environment signatures for your environment – Analyze large data stores – The pentester knows nothing about the – Identify patterns that would normally systems under attack Configuration review remain invisible – “Blind” test • Validate the security of device • User and entity behavior analytics • Known environment configurations (UEBA) – Full disclosure – It’s easy to misconfigure one thing – Detect insider threats • Partially known environment – A single unlocked window puts the – Identify targeted attacks – A mix of known and unknown entire home at risk – Catches what the SIEM and DLP systems – Focus on certain systems or applications • Workstations might miss – Account configurations, local device • Sentiment analysis Exploiting vulnerabilities settings – Public discourse correlates to real-world • Try to break into the system • Servers - Access controls, permission behavior – Be careful; this can cause a denial of settings – If they hate you, they hack you service or • Security devices - Firewall rules, – Social media can be a barometer loss of data authentication options – Buffer overflows can cause instability SOAR – Gain privilege escalation SIEM • Security orchestration, automation, and • You may need to try many different • Security Information and Event response vulnerability types Management – Automate routine, tedious, and time – Password brute-force, social – Logging of security events and intensive activities engineering, information • Orchestration database injections, buffer overflows • Log collection of security alerts – Connect many different tools together • You’ll only be sure you’re vulnerable if – Real-time information – Firewalls, account management, email you can bypass security • Log aggregation and long-term storage filters – If you can get through, the attackers can – Usually includes advanced reporting • Automation - Handle security tasks get through features automatically • Data correlation - Link diverse data • Response - Make changes immediately The process types Testing • Initial exploitation - Get into the • Forensic analysis - Gather details after Penetration testing network an event • Pentest • Lateral movement – Simulate an attack – Move from system to system Syslog • Similar to vulnerability scanning – The inside of the network is relatively • Standard for message logging – Except we actually try to exploit unprotected – Diverse systems, consolidated log the vulnerabilities • Persistence • Usually a central log collector • Often a compliance mandate – Once you’re there, you need to make – Integrated into the SIEM – Regular penetration testing by a 3rd- sure there’s a way back in • You’re going to need a lot of disk space party – Set up a backdoor, build user accounts, – No, more. More than that. • National Institute of Standards and change or verify default passwords – Data storage from many devices over Technology Technical Guide to • The pivot an extended timeframe Information Security Testing and – Gain access to systems that would Assessment normally not be accessible SIEM data – https://professormesser.link/800115 – Use a vulnerable system as a proxy or • Data inputs (PDF) relay – Server authentication attempts – VPN connections Rules of engagement Pentest aftermath – Firewall session logs • An important document • Cleanup – Denied outbound traffic flows – Defines purpose and scope – Leave the network in its original state – Network utilizations – Makes everyone aware of the test – Remove any binaries or temporary files • Packet captures parameters – Remove any backdoors – Network packets • Type of testing and schedule – Delete user accounts created during the – Often associated with a critical alert – On-site physical breach, internal test, test – Some organizations capture everything external test • Bug bounty – Normal working hours, after 6 PM only, – A reward for discovering vulnerabilities Security monitoring etc. – Earn money for hacking a system – Document the vulnerability to earn cash • Cybersecurity involves many skills – Documentation and processes will be – Operational security, penetration critical 1.8 - Reconnaissance testing, exploit research, web application Reconnaissance hardening, etc. Diagrams • Need information before the attack • Become an expert in your niche • Network diagrams - Document the – Can’t rush blindly into battle – Everyone has a role to play physical wire and device • Gathering a digital footprint • The teams • Physical data center layout – Learn everything you can – Red team, blue team, purple team, – Can include physical rack locations • Understand the security posture white team • Device diagrams - Individual cabling – Firewalls, security configurations • Minimize the attack area Red team Baseline configuration – Focus on key systems • Offensive security team - The hired • The security of an application • Create a network map attackers environment – Identify routers, networks, remote sites • Ethical hacking - Find security holes should be well defined • Exploit vulnerabilities -Gain access – All application instances must follow this Passive footprinting • Social engineering - Constant vigilance baseline • Learn as much as you can from open • Web application scanning - Test and test – Firewall settings, patch levels, OS file sources again versions – There’s a lot of information out there – May require constant updates – Remarkably difficult to protect or Blue team • Integrity measurements check for the identify • Defensive security - Protecting the data secure baseline • Social media • Operational security - Daily security – These should be performed often • Corporate web site tasks – Check against well-documented • Online forums, Reddit • Incident response - Damage control baselines • Social engineering • Threat hunting - Find and fix the holes – Failure requires an immediate • Dumpster diving • Digital forensics - Find data everywhere correction • Business organizations Purple team Protecting Data 1.8 Reconnaissance (continued) • Red and blue teams • A primary job task Wardriving or warflying – Working together – An organization is out of business • Combine WiFi monitoring and a GPS • Competition isn’t necessarily useful without data – Search from your car or plane – Internal battles can stifle organizational • Data is everywhere – Search from a drone security – On a storage drive, on the network, in a • Huge amount of intel in a short period – Cooperate instead of compete CPU of time • Deploy applications and data securely • Protecting the data – And often some surprising results – Everyone is on-board – Encryption, security policies • All of this is free • Create a feedback loop • Data permissions – Kismet, inSSIDer – Red informs blue, blue informs red – Not everyone has the same access – Wireless Geographic – Logging Engine White team Data sovereignty – http://wigle.net • Not on a side • Data sovereignty – Manages the interactions between red – Data that resides in a country is subject Open Source Intelligence (OSINT) teams to • Gathering information from many open and blue teams the laws of that country sources • The referees in a security exercise – Legal monitoring, court orders, etc. – Find information on anyone or anything – Enforces the rules • Laws may prohibit where data is stored – The name is not related to open-source – Resolves any issues – GDPR (General Data Protection software – Determines the score Regulation) • Data is everywhere - • Manages the post-event assessments – Data collected on EU citizens must be https://osintframework.com/ – Lessons learned stored • Automated gathering - Many software – Results in the EU tools available – A complex mesh of technology and 2.1 Configuration Management legalities Active footprinting • Where is your data stored? • Trying the doors Configuration management – Your compliance laws may prohibit – Maybe one is unlocked • The only constant is change moving data out of the country – Don’t open it yet – Operating systems, patches, application – Relatively easy to be seen updates, network modifications, new Data masking • Visible on network traffic and logs application instances, etc. • Data obfuscation • Ping scans, port scans, DNS queries, • Identify and document hardware and – Hide some of the original data OS scans, OS fingerprinting, Service scans, software settings • Protects PII version scans – Manage the security when changes – And other sensitive data occur • May only be hidden from view 1.8 - Security Teams • Rebuild those systems if a disaster – The data may still be intact in storage Security teams occurs – Control the view based on permissions • Many different techniques • Data transmitted over the network Data Loss Prevention (DLP) systems – Substituting, shuffling, encrypting, – Also called data in-motion • On your computer masking out, etc. • Not much protection as it travels – Data in use – Many different switches, routers, – Endpoint DLP Data encryption devices • On your network • Encode information into unreadable • Network-based protection – Data in motion data – Firewall, IPS • On your server – Original information is plaintext, • Provide transport encryption – Data at rest encrypted – TLS (Transport Layer Security) form is ciphertext – IPsec (Internet Protocol Security) USB blocking • This is a two-way street • DLP on a workstation – Convert between one and the other Data in-use – Allow or deny certain tasks – If you have the proper key • Data is actively processing in memory • November 2008 - U.S. Department of – System RAM, CPU registers and cache Defense 2.1 - Configuration Management • The data is almost always decrypted – Worm virus “agent.btz” replicates using (continued) – Otherwise, you couldn’t do anything USB storage with it – Bans removable flash media and storage Standard naming conventions • The attackers can pick the decrypted devices • Create a standard information out of RAM • All devices had to be updated – Needs to be easily understood by – A very attractive option – Local DLP agent handled USB blocking everyone • Target Corp. breach - November 2013 • Ban was lifted in February 2010 • Devices – 110 million credit cards – Replaced with strict guidelines – Asset tag names and numbers – Data in-transit encryption and data at- – Computer names - location or region rest encryption 2.1 - Data Loss Prevention – Serial numbers – Attackers picked the credit card Cloud-based DLP • Networks - Port labeling numbers out of the point-of-sale RAM • Located between users and the Internet • Domain configurations – Watch every byte of network traffic – User account names Tokenization – No hardware, no software – Standard email addresses • Replace sensitive data with a non- • Block custom defined data strings sensitive placeholder – Unique data for your organization IP schema – SSN 266-12-1112 is now 691-61-8539 • Manage access to URLs • An IP address plan or model • Common with credit card processing – Prevent file transfers to cloud storage – Consistent addressing for network – Use a temporary token during payment • Block viruses and malware devices – An attacker capturing the card numbers – Anything traversing the network – Helps avoid duplicate IP addressing can’t use them later • Locations • This isn’t encryption or hashing DLP and email – Number of subnets, hosts per subnet – The original data and token aren’t • Email continues to be the most critical • IP ranges mathematically related risk vector – Different sites have a different subnet – No encryption overhead – Inbound threats, outbound data loss – 10.1.x.x/24, 10.2.x.x/24, 10.3.x.x/24 • Check every email inbound and • Reserved addresses 2.1 - Protecting Data (continued) outbound – Users, printers, routers/default Information Rights Management (IRM) – Internal system or cloud-based gateways • Control how data is used • Inbound - Block keywords, identify • Confusion – Microsoft Office documents, impostors, – The encrypted data is drastically email messages, PDFs quarantine email messages different • Restrict data access to unauthorized • Outbound - Fake wire transfers, W-2 than the plaintext persons transmissions, employee information • Diffusion – Prevent copy and paste – Change one character of the input, and – Control screenshots Emailing a spreadsheet template many – Manage printing • November 2016 - Boeing employee characters change of the output – Restrict editing emails spouse a spreadsheet to use as a • Each user has their own set of rights template Data at-rest – Attackers have limited options • Contained the PII of 36,000 Boeing • The data is on a storage device employees – Hard drive, SSD, flash drive, etc. Data Loss Prevention (DLP) – In hidden columns • Encrypt the data • Where’s your data? – Social security numbers, date of birth, – Whole disk encryption – Social Security numbers, credit card etc. – Database encryption numbers, • Boeing sells its own DLP software – File- or folder-level encryption medical records – But only uses it for classified work • Apply permissions • Stop the data before the attackers get it – Access control lists – Data “leakage” Geographical considerations – Only authorized users can access the • So many sources, so many destinations • Legal implications data – Often requires multiple solutions in – Business regulations vary between different places states Data in-transit – For a recovery site outside of the – Impossible to recover the original – Automated replication country, personnel must have a passport message • Flip a switch and everything moves and be able to clear immigration from the digest – This may be quite a few switches – Refer to your legal team – Used to store passwords / • Offsite backup confidentiality 2.1 - Site Resiliency – Organization-owned site or 3rd-party • Verify a downloaded document is the Cold Site secure facility same • No hardware • Offsite recovery as the original – Empty building – Hosted in a different location, outside – Integrity • No data the scope of the disaster • Can be a digital signature – Bring it with you – Travel considerations for support staff – Authentication, non-repudiation, and • No people and employees integrity – Bus in your team • Will not have a collision (hopefully) 2.1 - Managing Security – Different messages will not have the Warm site Response and recovery controls same hash • Somewhere between cold and hot • Incident response and recovery has – Just enough to get going become API considerations • Big room with rack space commonplace • API (Application Programming Interface) – You bring the hardware – Attacks are frequent and complex – Control software or hardware • Hardware is ready and waiting • Incident response plan should be programmatically – You bring the software and data established • Secure and harden the login page – Documentation is critical – Don’t forget about the API Honeypots – Identify the attack • On-path attack • Attract the bad guys – Contain the attack – Intercept and modify API messages, – And trap them there • Limit the impact of an attacker replay API commands • The “attacker” is probably a machine – Limit data exfiltration • API injection – Makes for interesting recon – Limit access to sensitive data – Inject data into an API message • Honeypots • DDoS (Distributed Denial of Service) – Create a virtual world to explore SSL/TLS inspection – One bad API call can bring down a • Many different options • Commonly used to examine outgoing system – Kippo, Google Hack Honeypot, Wordpot, SSL/TLS etc. – Secure Sockets Layer/Transport Layer API security • Constant battle to discern the real from Security • Authentication the fake – For example, from your computer to – Limit API access to legitimate users your bank – Over secure protocols Honeyfiles and honeynets • Wait a second. Examine encrypted • Authorization • Honeynets traffic? – API should not allow extended access – More than one honeypot on a network – Is that possible? – Each user has a limited role – More than one source of information • SSL/TLS relies on trust – A read-only user should not be able to – Stop spammers - – Without trust, none of this works make https://projecthoneypot.org changes • Honeyfiles Trust me, I’m SSL • WAF (Web Application Firewall) – Bait for the honeynet (passwords.txt) • Your browser contains a list of trusted – Apply rules to API communication – An alert is sent if the file is accessed CAs – A virtual bear trap – My browser contains about 170 trusted Site resiliency CAs certificates • Recovery site is prepped Fake telemetry • Your browser doesn’t trust a web site – Data is synchronized • Machine learning unless a CA has signed the web server’s • A disaster is called – Interpret big data to identify the encryption certificate – Business processes failover to the invisible – The web site pays some money to the alternate • Train the machine with actual data CA for this processing site – Learn how malware looks and acts • The CA has ostensibly performed some • Problem is addressed – Stop malware based on actions instead checks – This can take hours, weeks, or longer of signatures – Validated against the DNS record, phone • Revert back to the primary location • Send the machine learning model fake call, etc. – The process must be documented for telemetry • Your browser checks the web server’s both directions – Make malicious malware look benign certificate – If it’s signed by a trusted CA, the Hot site DNS sinkhole encryption • An exact replica • A DNS that hands out incorrect IP works seamlessly – Duplicate everything addresses • Stocked with hardware – Blackhole DNS Hashing – Constantly updated • This can be bad • Represent data as a short string of text – You buy two of everything – An attacker can redirect users to a – A message digest • Applications and software are constantly malicious site • One-way trip updated • This can be good – Redirect known malicious domains to a Cloud service providers – A huge amount of data benign IP address • Provide cloud services • Edge computing - “Edge” – Watch for any users hitting that IP – SaaS, PaaS, IaaS, etc. – Process application data on an edge address • Charge a flat fee or based on use server – Those devices are infected – More data, more cost – Close to the user • Can be integrated with a firewall • You still manage your processes • Often process data on the device itself – Identify infected devices not directly – Internal staff – No latency, no network requirement connected – Development team – Increased speed and performance – Operational support – Process where the data is, instead of 2.2 - Cloud Models processing in the cloud Infrastructure as a service (IaaS) Managed service providers • Sometimes called Hardware as a Service • Managed Service Provider (MSP) Fog computing (HaaS) – Also a cloud service provider • Fog – Outsource your equipment – Not all cloud service providers are MSPs – A cloud that’s close to your data • You’re still responsible for the • MSP support – Cloud + Internet of Things - Fog management – Network connectivity management computing – And for the security – Backups and disaster recovery • A distributed cloud architecture - • Your data is out there, but more within – Growth management and planning Extends the cloud your control • Managed Security Service Provider • Distribute the data and processing • Web server providers (MSSP) – Immediate data stays local - No latency – Firewall management – Local decisions made from local data Platform as a service (PaaS) – Patch management, security audits – No bandwidth requirements • No servers, no software, no – Emergency response – Private data never leaves - Minimizes maintenance team, security concerns no HVAC On-premises vs. off-premises – Long-term analysis can occur in the – Someone else handles the platform, • On-premises cloud - Internet only when required you handle the development – Your applications are on local hardware • You don’t have direct control of the – Your servers are in your data center in 2.2 - Designing the Cloud data, your building Designing the cloud people, or infrastructure • Off-premises / hosted • On-demand computing power – Trained security professionals are – Your servers are not in your building – Click a button watching your stuff – They may not even be running on your • Elasticity – Choose carefully hardware – Scale up or down as needed • Put the building blocks together – Usually a specialized computing • Applications also scale – Develop your app from what’s environment – Access from anywhere available on the platform • How does it all happen? – SalesForce.com Cloud deployment models – Planning and technology • Public Software as a service (SaaS) – Available to everyone over the Internet Thin client • On-demand software • Community • Basic application usage – No local installation – Several organizations share the same – Applications actually run on a remote – Why manage your own email resources server distribution? • Private – Virtual Desktop Infrastructure (VDI), – Or payroll? – Your own virtualized local data center – Desktop as a Service (DaaS) • Central management of data and • Hybrid – Local device is a keyboard, mouse, and applications – A mix of public and private screen. – Your data is out there • Minimal operating system on the client • A complete application offering 2.2 - Edge and Fog Computing – No huge memory or CPU needs – No development work required Cloud computing • Network connectivity – Google Mail • Computing on-demand – Big network requirement – Instantly available computing power – Everything happens across the wire Anything as a Service (XaaS) – Massive data storage capacity • A broad description of all cloud models • Fast implementation Virtualization – Use any combination of the cloud – IT teams can adjust rapidly to change • Virtualization • Services delivered over the Internet – Smaller startup costs and pay-as-you-go – Run many different operating systems – Not locally hosted or managed • Not always the best solution on the • Flexible consumption model – Latency - the cloud is far away same hardware – No large upfront costs or ongoing – Limited bandwidth • Each application instance has its licensing – Difficult to protect data own operating system • IT becomes more of an operating model – Requires Internet/network connectivity – Adds overhead and complexity – And less of a cost-center model – Virtualization is relatively expensive – Any IT function can be changed into a Edge computing service • Over 30 billion IoT devices on the Application containerization Internet • Container 2.2 - Cloud Models (continued) – Devices with very specific functions – Contains everything you need to run an resource (Amazon) application – Userlist is associated with the resource SDV (Software Defined Visibility) – Code and dependencies • You must see the traffic to secure the – A standardized unit of software Service integration data • An isolated process in a sandbox • Service Integration and Management – React and respond – Self-contained (SIAM) • Dynamic deployments include security – Apps can’t interact with each other • Many different service providers and network visibility devices • Container image – The natural result of multisourcing – Next-generation firewalls, web – A standard for portability • Every provider works differently application firewalls, – Lightweight, uses the host kernel – Different tools and processes – Security Information and Event – Secure separation between applications • SIAM is the integration of these Management (SIEM) diverse providers • Data is encapsulated and encrypted Microservices and APIs – Provide a single business-facing – VXLAN and SSL/TLS • Monolithic applications IT organization • New technologies change what you can – One big application that does everything • An evolving set of processes and see • Application contains all decision making procedures – Infrastructure as code, microservices processes Database • Security devices monitor application – User interface traffic – Business logic Transit gateway – SDV provides visibility to traffic flows – Data input and output • Virtual Private Cloud (VPC) • Visibility expands as the application • Code challenges – A pool of resources created in a public instances expand – Large codebase cloud – Real-time metrics across all traffic flows – Change control challenges • Common to create many VPCs • Application flows can be controlled via • APIs – Many different application clouds API – Application Programming Interfaces • Connect VPCs with a transit gateway – Identify and react to threats • API is the “glue” for the microservices – And users to VPCs – Work together to act as the application – A “cloud router” 2.2 - Virtualization Security • Scalable • Now make it secure VM sprawl avoidance – Scale just the microservices you need – VPCs are commonly on different IP • Click a button • Resilient subnets – You’ve built a server – Outages are contained – Connecting to the cloud is often through – Or multiple servers, networks, and • Security and compliance a VPN firewalls – Containment is built-in • It becomes almost too easy to build 2.2 - Infrastructure as Code instances Serverless architecture Infrastructure as code – This can get out of hand very quickly • Function as a Service (FaaS) • Describe an infrastructure • The virtual machines are sprawled – Applications are separated into – Define servers, network, and everywhere individual, autonomous functions applications as code – You aren’t sure which VMs are related – Remove the operating system from the • Modify the infrastructure and create to which applications equation versions – It becomes extremely difficult to • Developer still creates the server-side – The same way you version application deprovision logic code • Formal process and detailed – Runs in a stateless compute container • Use the description (code) to build other documentation • May be event triggered and ephemeral application instances – You should have information on every – May only run for one event – Build it the same way every time based virtual object • Managed by a third-party on the code – All OS security concerns are at the third- • An important concept for cloud VM escape protection party computing • The virtual machine is self-contained – Build a perfect version every time – There’s no way out - Or is there? Resource policies • Virtual machine escape • Assigning permissions to cloud SDN (Software Defined Networking) – Break out of the VM and interact with resources • Networking devices have two functional the host operating – Not the easiest task planes of operation system or hardware – Everything is in constant motion – Control plane, data plane • Once you escape the VM, you have • Specify which resources can be • Directly programmable great control provisioned (Azure) – Configuration is different than – Control the host and control other guest – Create a service in a specific region, forwarding VMs deny all others • Agile - Changes can be made • This would be a huge exploit • Specify the resource and what actions dynamically – Full control of the virtual world are • Centrally managed - Global view, single permitted (Amazon) pane of glass Escaping the VM – Allow access to an API gateway from an • Programmatically configured • March 2017 - Pwn2Own competition IP address range – No human intervention – Hacking contest • Explicitly list the users who can access • Open standards / vendor neutral – You pwn it, you own it - along with some the – A standard interface to the network cash • JavaScript engine bug in Microsoft Edge • Logistical challenges • The security policies should be part of – Code execution in the Edge sandbox – New servers the orchestration • Windows 10 kernel bug – New software – As applications are provisioned, the – Compromise the guest operating system – Restart or interrupt of service proper security is automatically included • Hardware simulation bug in VMware – Escape to the host Secure baselines Deprovisioning • Patches were released soon afterwards • The security of an application • Dismantling and removing an environment should be well defined application instance 2.3 - Secure Deployments – All application instances must follow this – All good things Development to production baseline • Security deprovisioning is important • Your programming team has been – Firewall settings, patch levels, OS file – Don’t leave open holes, don’t close working on a new application versions important ones – How will you deploy it safely and – May require constant updates • Firewall policies must be reverted reliably? • Integrity measurements check for the – If the application is gone, so is the • Patch Tuesday secure baseline access – Test and deploy Wednesday? Thursday? – These should be performed often • What happens to the data? Friday? – Check against well-documented – Don’t leave information out there • Manage the process baselines – Safely move from a non-production – Failure requires an immediate 2.3 - Secure Coding Techniques phase to full production correction Secure coding concepts • A balance between time and quality Sandboxing 2.3 - Provisioning and Deprovisioning – Programming with security in mind is • Isolated testing environment Provisioning often secondary – No connection to the real world or • Deploy an application • Testing, testing, testing production system – Web server, database server, – The Quality Assurance (QA) process – A technological safe space middleware server, user workstation • Vulnerabilities will eventually be found • Use during the development process configurations, certificate updates, etc. – And exploited – Try some code, break some code, • Application software security nobody gets hurt – Operating system, application Stored procedures • Incremental development • Network security • SQL databases – Helps build the application – Secure VLAN, internal access, external – Client sends detailed requests for data access – ‘SELECT * FROM wp_options WHERE Building the application • Software deployed to workstations option_id = 1’ • Development – Check executables for malicious code, • Client requests can be complex – Secure environment verify security posture of the workstation – And sometimes modified by the user – Writing code – This would not be good – Developers test in their sandboxes Scalability and elasticity • Stored procedures limit the client • Test • Handle application workload interactions – Still in the development stage – Adapt to dynamic changes – ‘CALL get_options’ – All of the pieces are put together • Scalability – That’s it. No modifications to the query – Does it all work? – The ability to increase the workload in a are possible. – Functional tests given infrastructure • To be really secure, use only stored – Build an application instance that can procedures Verifying the application handle – The application doesn’t use any SQL • Quality Assurance (QA) – 100,000 transactions per second queries – Verifies features are working as • Elasticity expected – Increase or decrease available resources Obfuscation/camouflage – Validates new functionality as the workload changes • Obfuscate – Verifies old errors don’t reappear – Deploy multiple application instances to – Make something normally • Staging handle understandable very difficult to – Almost ready to roll it out – 500,000 transactions per second understand – Works and feels exactly like the • Take perfectly readable code and turn it production Orchestration into nonsense environment • Automation is the key to cloud – The developer keeps the readable code – Working with a copy of production data computing and gives you the chicken scratch – Run performance tests – Services appear and disappear – Both sets of code perform exactly the – Test usability and features automatically, same way Page 43 or at the push of a button https://ProfessorMesser.com Using the application2 • Entire application instances can be • Helps prevent the search for security https://ProfessorMesser.com instantly provisioned holes • Production – All servers, networks, switches, firewalls, – Makes it more difficult to figure out – Application is live and policies what’s happening - But not impossible – Rolled out to the user community • Instances can move around the world as • A challenging step needed Code reuse/dead code – Impacts the users – Follow the sun • Code reuse – Use old code to build new applications • Third-party libraries and software • An attack against different binaries – Copy and paste development kits would only be successful on a fraction of • If the old code has security – Extend the functionality of a the users vulnerabilities, reusing the code spreads it programming language – An attacker wouldn’t know what exploit to other applications • Security risk to use – You’re making this much more difficult – Application code written by someone – Make the game much harder to win for everyone else 2.3 - Automation and Scripting • Dead code – Might be secure. Might not be secure. Automation and scripting – Calculations are made, code is executed, – Extensive testing is required • Plan for change results are tallied • Balancing act - Application features vs. – Implement automatically – The results aren’t used anywhere else in unknown code base • Automated courses of action the – Many problems can be predicted application Data exposure – Have a set of automated responses • All code is an opportunity for a security • So much sensitive data • Continuous monitoring problem – Credit card numbers, social security – Check for a particular event, and then – Make sure your code is as alive as numbers, medical information, address react possible details, email information • Configuration validation • How is the application handling the – Cloud-based technologies allow for Input validation data? constant change • What is the expected input? – No encryption when stored – Automatically validate a configuration – Validate actual vs. expected – No encryption across the network before going live • Document all input methods – Displaying information on the screen – Perform ongoing automated checks – Forms, fields, type • All input and output processes are • Check and correct all input important Continuous integration (CI) (normalization) – Check them all for data exposure • Code is constantly written – A zip code should be only X characters – And merged into the central repository long with a letter in the X column Version control many times a day – Fix any data with improper input • Create a file, make a change, make • So many chances for security problems • The fuzzers will find what you missed another change, and another change – Security should be a concern from the – Don’t give them an opening – Track those changes, revert back to a beginning previous version • Basic set of security checks during Validation points • Commonly used in software development • Server-side validation development – Documented security baselines as the – All checks occur on the server – But also in operating systems, wiki bare minimum – Helps protect against malicious users software, and cloud-based file storage • Large-scale security analysis during the – Attackers may not even be using your • Useful for security testing phase interface – Compare versions over time – Significant problems will have already • Client-side validation – Identify modifications to important files been covered – The end-user’s app makes the validation – A security challenge decisions – Historical information can be a security Continuous delivery/deployment (CD) – Can filter legitimate input from genuine risk • Continuous delivery users 2.3 - Software Diversity – Automate the testing process – May provide additional speed to the Exploiting an application – Automate the release process user • Attackers often exploit application – Click a button and deploy the • Use both - But especially server-side vulnerabilities application validation – They find the unlocked door and open it • Continuous deployment • Once you exploit one binary, you can – Even more automation Memory management exploit them all – Automatically deploy to production • As a developer, you must be mindful of – The application works the same on all – No human integration or manual checks how memory is used systems – Many opportunities to build vulnerable – A Windows 10 exploit affects all Directory services code Windows 10 users • Keep all of an organization’s usernames • Never trust data input • What if all of the computers were and passwords in a single database – Malicious users can attempt to running different software? – Also contains computers, printers, and circumvent your code – Unique binaries other devices • Buffer overflows are a huge security risk – Functionally identical • Large distributed database – Make sure your data matches your – Constantly replicated buffer sizes Software diversity • All authentication requests reference • Some built-in functions are insecure • Alternative compiler paths would result this directory – Use best practices when designing your in a different binary each time – Each user only needs one set of code – Each compiled application would be a credentials little bit – One username and password for all Third-party libraries and SDKs different services • Your programming language does – But functionally the same • Access via Kerberos or LDAP everything - Almost Federation • Time-based One-Time Password – Unique capillary structure in • Provide network access to others algorithm the back of the eye – Not just employees - Partners, suppliers, – Use a secret key and the time of day • Iris scanner customers, etc. – No incremental counter – Texture, color – Provides SSO and more • Secret key is configured ahead of time • Voice recognition • Third-parties can establish a federated – Timestamps are synchronized via NTP – Talk for access network • Timestamp usually increments every 30 • Facial recognition – Authenticate and authorize between the seconds – Shape of the face and features two organizations – Put in your username, password, and – Login with your Facebook credentials TOTP code Biometric acceptance rates • The third-parties must establish a trust • One of the more common OTP methods • False acceptance rate (FAR) relationship – Used by Google, Facebook, Microsoft, – Likelihood that an unauthorized user will – And the degree of the trust etc. be accepted – Not sensitive enough Attestation HOTP • False rejection rate (FRR) • Prove the hardware is really yours • One-time passwords – Likelihood that an authorized user will – A system you can trust – Use them once, and never again be rejected • Easy when it’s just your computer – Once a session, once each – Too sensitive – More difficult when there are 1,000 authentication attempt • Crossover error rate (CER) • Remote attestation • HMAC-based One-Time Password – Defines the overall accuracy of a – Device provides an operational report to algorithm biometric system a – Keyed-hash message authentication – The rate at which FAR and FRR are equal verification server code (HMAC) – Adjust sensitivity to equalize both values – Encrypted and digitally signed with the – The keys are based on a secret key and a TPM counter AAA framework – An IMEI or other unique hardware • Token-based authentication • Identification component can be included in the report – The hash is different every time – This is who you claim to be • Hardware and software tokens available – Usually your username Short message service (SMS) – You’ll need additional technology to • Authentication • Text messaging make this work – Prove you are who you say you are – Includes more than text these days – Password and other authentication • Login factor can be sent via SMS to a Phone call factors predefined phone number • A voice call provides the token • Authorization – Provide username and password – The computer is talking to you – Based on your identification and – Phone receives an SMS – “Your code is 1-6-2-5-1-7.” authentication, what access do you have? – Input the SMS code into the login form • Similar disadvantages to SMS • Accounting • Security issues exist – Phone call can be intercepted or – Resources used: Login time, data sent – Phone number can be reassigned to a forwarded and received, logout time different phone – Phone number can be added to another – SMS messages can be intercepted phone Cloud vs. on-premises authentication • Cloud-based security Push notification Static codes – Third-party can manage the platform • Similar process to an SMS notification • Authentication factors that don’t change – Centralized platform – Authentication factor is pushed to a – You just have to remember – Automation options with API integration specialized app • Personal Identification Number (PIN) – May include additional options (for a – Usually on a mobile device – Your secret numbers cost) • Security challenges • Can also be alphanumeric • On-premises authentication system – Applications can be vulnerable – A password or passphrase – Internal monitoring and management – Some push apps send in the clear – Need internal expertise • Still more secure than SMS Smart cards – External access must be granted and – Multiple factors are better than one • Integrated circuit card - Contact or managed factor contactless • Common on credit cards - Also used for Multi-factor authentication Authentication apps access control • Factors • Pseudo-random token generators • Must have physical card to provide – Something you know – A useful authentication factor digital access – Something you have • Carry around a physical hardware token – A digital certificate – Something you are generator • Multiple factors • Attributes – Where are my keys again? – Use the card with a PIN or fingerprint – Somewhere you are • Use software-based token generator on – Something you can do your phone 2.4 - Biometrics – Something you exhibit – Powerful and convenient Biometric factors – Someone you know • Fingerprint scanner TOTP – Phones, laptops, door access Something you know • Retinal scanner • Password – Secret word/phrase, string of characters – Typing analysis - the way you hit the • NICs talk to each other – Very common authentication factor enter key too hard – Usually multicast instead of broadcast • PIN – Fails over when a NIC doesn’t respond – Personal identification number • Someone you know – Not typically contained anywhere on a – A social factor 2.5 - Network Redundancy smart card or ATM card – It’s not what you know… UPS - Uninterruptible Power Supply • Pattern – Web of trust – Short-term backup power – Complete a series of patterns – Digital signature – Blackouts, brownouts, surges – Only you know the right format • UPS types 2.5 - Disk Redundancy – Offline/Standby UPS Something you have Redundancy – Line-interactive UPS • Smart card • Duplicate parts of the system – On-line/Double-conversion UPS – Integrates with devices – If a part fails, the redundant part can be • Features – May require a PIN used – Auto shutdown, battery capacity, • USB token - Certificate is on the USB • Maintain uptime outlets, device – The organization continues to function phone line suppression • Hardware or software tokens • No hardware failure – Generates pseudo-random – Servers keep running 2.5 - Power Redundancy authentication codes • No software failure Generators • Your phone -SMS a code to your phone – Services always available • Long-term power backup • No system failure – Fuel storage required Something you are – Network performing optimally • Power an entire building • Biometric authentication – Some power outlets may be marked as – Fingerprint, iris scan, voice print Geographic dispersal generator-powered • Usually stores a mathematical • Bad things can happen in a local area • It may take a few minutes to get the representation – Hurricanes, tornadoes, flooding, generator up to speed of your biometric • Disperse technologies to different – Use a battery UPS while the generator is – Your actual fingerprint isn’t usually geographies starting saved – Use multiple data centers • Difficult to change – In different locations Dual-power supplies – You can change your password • Data centers might be part of the • Redundancy – You can’t change your fingerprint normal operations – Internal server power supplies • Used in very specific situations – East coast and west coast operations – External power circuits – Not foolproof centers • Each power supply can handle 100% of • May be part of a disaster recovery the load Somewhere you are center – Would normally run at 50% of the load • Provide a factor based on your location – If Florida gets hit, fire up the Denver • Hot-swappable – The transaction only completes if you data center – Replace a faulty power supply without are in a powering down particular geography Disk redundancy • IP address • Multipath I/O (Input/Output) Power distribution units (PDUs) – Not perfect, but can help provide more – Especially useful for network-based • Provide multiple power outlets info storage subsystems – Usually in a rack – Works with IPv4, not so much with IPv6 – Multiple Fibre Channel interfaces with • Often include monitoring and control • Mobile device location services multiple switches – Manage power capacity – Geolocation to a very specific area • RAID - Redundant Array of Independent – Enable or disable individual outlets – Must be in a location that can receive Disks GPS • Multiple drives create redundancy SAN replication information or near an identified mobile – Many different designs and • Share data between different devices or 802.11 network implementations – If one device fails, you can still work – Still not a perfect identifier of location with the data Load balancing – VERY fast recovery times compared to Something you can do • Some servers are active - Others are on traditional backups • A personal way of doing things standby • Storage area networks (SANs) – You’re special • If an active server fails, the passive – Specialized high-performance network • Handwriting analysis server takes its place of – Signature comparison storage devices – Writing technique NIC teaming • SAN-to-SAN replication • Very similar to biometrics • Load Balancing / Fail Over (LBFO) – Duplicate data from one data center to – Close to something you are – Aggregate bandwidth, redundant paths another – Becomes more important in the virtual • SAN snapshot Other attributes world – Create a state of data based on a point • Something you exhibit • Multiple network adapters in time – A unique trait, personal to you – Looks like a single adapter – Copy that state to other SANs – Gait analysis - the way you walk – Integrate with switches VM replication – Sequential storage • Rollback to known configuration • Virtual machine redundancy – 100 GB to multiple terabytes per – Don’t modify the data, but use a – Maintain one VM, replicate to all others cartridge previous configuration – The virtual machine is really just one big – Easy to ship and store • Live boot media file • Disk – Run the operating system from • Consistent service offering – Faster than magnetic tape - Deduplicate removable – Maintain copies anywhere in the world and compress media - very portable! • Recover from a replicated copy • Copy – Provides a backup if needed – A useful strategy High availability • Efficient copying – May not include versioning - May need • Redundancy doesn’t always mean – Only replicates the data that has to keep offsite always available changed – May need to be powered on manually NAS vs. SAN • HA (high availability) On premises vs. cloud redundancy • Network Attached Storage (NAS) – Always on, always available • Speed – Connect to a shared storage device • May include many different components – Local devices are connected over very across the network working together fast networks – File-level access – Active/Active can provide scalability – Cloud connections are almost always • Storage Area Network (SAN) advantages slower – Looks and feels like a local storage • Higher availability almost always means • Money device higher costs – Purchasing your own storage is an – Block-level access – There’s always another contingency you expensive – Very efficient reading and writing could add capital investment • Requires a lot of bandwidth – Upgraded power, high-quality server – Cloud costs have a low entry point and – May use an isolated network and high- components, etc. can scale speed • Security network technologies Order of restoration – Local data is private • Application-specific – Data stored in the cloud requires Other backups – Certain components may need to be additional • Cloud restored first security controls – Backup to a remote device in the cloud – Databases should be restored before the –Support many devices application 2.5 - Backup Types –May be limited by bandwidth • Backup-specific Backup Types • Image – Incremental backups restore the full • The archive attribute – Capture an exactly replica of everything backup, – Set when a file is modified on a then all subsequent incremental backups • Full - Everything storage drive – Differential backups restore the full – You’ll want this one first – Restore everything on a partition, backup, • Incremental including then the last differential backup – All files changed since the last operating system files and user incremental backup documents Diversity • Differential Backup locations • Technologies – All files changed since the last full • Offline backup – A zero-day OS vulnerability can cause backup – Backup to local devices significant outages – Fast and secure – Multiple security devices Incremental Backup – Must be protected and maintained • Vendors • A full backup is taken first – Often requires offsite storage for – A single vendor can become a • Subsequent backups contain data disaster recovery disadvantage changed since the last full backup and last • Online backup – No options during annual renewals incremental backup – Remote network-connected third-party – A bad support team may not be able to – These are usually smaller – Encrypted resolve problems in a timely manner than the full backup – Accessible from anywhere • Cryptographic • A restoration requires the full backup – Speed is limited by network bandwidth – All cryptography is temporary and all of the incremental backups – Diverse certificate authorities can Non-persistence provide Differential Backup • The cloud is always in motion additional protection • A full backup is taken first – Application instances are constantly • Controls • Subsequent backups contain built – Administrative controls data changed since the last full backup and torn down – Physical controls – These usually grow larger as • Snapshots can capture the current – Technical controls data is changed configuration and data – Combine them together • A restoration requires the full – Preserve the complete state of a device, – Defense in depth backup and the last differential backup or just the configuration Embedded systems Backup media • Revert to known state • Hardware and software designed for a • Magnetic tape – Fall back to a previous snapshot specific function – Or to operate as part of a larger system • Vehicles • An operating system with a • Is built with only this task in mind – Internal network is often accessible from deterministic – Can be optimized for size and/or cost mobile networks processing schedule • Common examples – Control internal electronics – No time to wait for other processes – Traffic light controllers • Aircraft – Industrial equipment, automobiles, – Digital watches – DoS could damage the aircraft – Military environments – Medical imaging systems – An outage would be problematic • Extremely sensitive to security issues • Smart meters - Measure power and – Non-trivial systems SoC (System on a Chip) water usage – Need to always be available • Multiple components running on a – Difficult to know what type of security is single chip VoIP in place – Common with embedded systems • Voice over Internet Protocol • Small form-factor – Instead of analog phone line or the Surveillance systems – External interface support – Plain Old Telephone Service (POTS) • Video/audio surveillance – Cache memory, flash memory • A relatively complex embedded system – Embedded systems in the cameras and – Usually lower power consumption – Can be relatively important the • Security considerations are important • Each device is a computer monitoring stations – Difficult to upgrade hardware – Separate boot process • Secure the security system – Limited off-the-shelf security options – Individual configurations – Restrict access from others - Prevent a – Different capabilities and functionalities denial of service Field-programmable gate array (FPGA) • Physically difficult to replace cameras • An integrated circuit that can be HVAC – Accessible independently over the configured • Heating, Ventilation, and Air network after manufacturing Conditioning – May allow for firmware upgrades – Array of logic blocks – Thermodynamics, fluid mechanics, and – Programmed in the field heat transfer 5G • A problem doesn’t require a hardware • A complex science • Fifth generation cellular networking replacement – Not something you can properly design – Launched worldwide in 2020 – Reprogram the FPGA yourself • Significant performance improvements • Common in infrastructure – Must be integrated into the fire system – At higher frequencies – Firewall logic • PC manages equipment – Eventually 10 gigabits per second – Routers – Makes cooling and heating decisions for – Slower speeds from 100-900 Mbit/s workspaces • Significant IoT impact SCADA/ICS and data centers – Bandwidth becomes less of a constraint • Supervisory Control and Data • Traditionally not built with security in – Larger data transfers Acquisition System mind – Faster monitoring and notification – Large-scale, multi-site Industrial Control – Difficult to recover from an – Additional cloud processing Systems (ICS) infrastructure DoS • PC manages equipment Subscriber identity module (SIM) – Power generation, refining, Drones • SIM card - A universal integrated circuit manufacturing equipment • Flying vehicle card – Facilities, industrial, energy, logistics – No pilot on board • Used to provide information to a cellular • Distributed control systems • May be manually controlled from the network provider - Phones, tablets, – Real-time information ground embedded systems – System control – Often with some autonomy • Contains mobile details • Requires extensive segmentation – Set it and forget it – IMSI (International Mobile Subscriber – No access from the outside • Extensive commercial and non- Identity) commercial use – Authentication information, contact 2.6 - Embedded Systems – May require federal licenses information Smart devices / IoT (Internet of Things) – Security and fail-safes are required • Important to manage • Sensors - Heating and cooling, lighting – Many embedded systems, many SIM • Smart devices - Home automation, video Printers, scanners, and fax machines cards doorbells • All-in-one or multifunction devices • Wearable technology - Watches, health (MFD) Narrowband monitors – Everything you need in one single device • Communicate analog signals over a • Facility automation - Temperature, air • No longer a simple printer narrow range of frequencies quality, lighting – Very sophisticated firmware – Over a longer distance - Conserve the • Weak defaults • Some images are stored locally on the frequency use – IOT manufacturers are not security device • Many IoT devices can communicate over professionals – Can be retrieved externally long distances • Logs are stored on the device – SCADA equipment - Sensors in oil fields Specialized – Contain communication and fax details • Medical devices Baseband – Heart monitors, insulin pumps 2.6 - Embedded Systems (continued) • Generally a single cable with a digital – Often use older operating systems RTOS (Real-Time Operating System) signal – Can be fiber or copper – Purpose-built - usually does one thing • CCTV (Closed circuit television) • The communication signal uses all of the very well – Can replace physical guards bandwidth – May not provide much additional • Camera features are important – Utilization is either 0% or 100% functionality – Motion recognition can alarm and alert • Bidirectional communication • Cost when – But not at the same time using the same – Single-purpose functionality comes at a something moves wire/fiber low cost – Object detection can identify a license • Ethernet standard - 100BASE-TX, – Low cost may affect product quality plate or 1000BASE-T, 10GBASE-T • Implied trust person’s face – Limited access to the hardware and • Often many different cameras Zigbee software – Networked together and recorded over • Internet of Things networking – Difficult to verify the security posture time – Open standard - IEEE 802.15.4 PAN • Alternative to WiFi and Bluetooth 2.7 - Physical Security Controls Industrial camouflage – Longer distances than Bluetooth Barricades / bollards • Conceal an important facility in plain – Less power consumption than WiFi • Prevent access sight • Mesh network of all Zigbee devices in – There are limits to the prevention – Blends in to the local environment your home • Channel people through a specific • Protect a data center – Light switch communicates to light bulbs access point – No business signs – Tell Amazon Echo to lock the door – And keep out other things – No visual clues • Uses the ISM band – Allow people, prevent cars and trucks – Surround it with a water feature – Industrial, Scientific, and Medical • Identify safety concerns – Install a guard gate – 900 MHz and 2.4 GHz frequencies in the – And prevent injuries – Planters out front are bollards US • Can be used to an extreme Guards and access lists – Concrete barriers / bollards • Security guard Embedded systems – Moats – Physical protection at the reception area • Not usually a fully capable computer of a – Low cost, purpose-built Access control vestibules facility • Adds additional constraints • All doors normally unlocked – Validates identification of existing – May have limited or missing features – Opening one door causes others to lock employees – Upgradability limitations • All doors normally locked – Provides guest access – Limits in communication options – Unlocking one door prevents others • ID badge • An ongoing trade off from being unlocked – Picture, name, other details – Low cost systems - Unique management • One door open / other locked – Must be worn at all times challenges – When one is open, the other cannot be • Access list unlocked – Physical list of names Constraints • One at a time, controlled groups – Enforced by security guard • Power - May not have access to a main – Managed control through an area • Maintains a visitor log power source – Batteries may need to be replaced and Alarms Guards maintained • Circuit-based • Two-person integrity/control • Compute – Circuit is opened or closed – Minimize exposure to an attack – Low-power CPUs are limited in speed – Door, window, fence – No single person has access to a physical – Cost and heat considerations – Useful on the perimeter asset • Network • Motion detection • Robot sentries – May not have the option for a wired link – Radio reflection or passive infrared – Monitoring – May be in the middle of a field – Useful in areas not often in use – Rounds / Periodic checks – Wireless is the limiting factor • Duress – An emerging technology • Crypto – Triggered by a person - The big red – Limited hardware options button Biometrics – Difficult to change or modify • Biometric authentication cryptography features Signs – Fingerprint, retina, voiceprint • Inability to patch • Clear and specific instructions • Usually stores a mathematical – Some IoT devices have no field- – Keep people away from restricted areas representation upgradable options – Consider visitors of your biometric – Upgrade options may be limited or • Consider personal safety – Your actual fingerprint isn’t usually difficult to install – Fire exits saved • Authentication – Warning signs • Difficult to change – Security features are often an – Chemicals – You can change your password afterthought – Construction – You can’t change your fingerprint – Limited options, no multi-factor, limited – Medical resources • Used in very specific situations integration • Informational – Not foolproof with existing directory services – In case of emergency, call this number • Range Door access controls Video surveillance • Conventional - Lock and key • Deadbolt - Physical bolt – Commonly replaced with Dupont FM- – Focus the cooling • Electronic - Keyless, PIN 200 – Lower energy costs • Token-based – RFID badge, magnetic swipe card, or key Sensors Drones fob • Motion detection • Quickly cover large areas • Biometric - Hand, fingers or retina – Identify movement in an area – More than just one building • Multi-factor - Smart card and PIN • Noise detection • More than physical security – Recognize an increase in sound – Site surveys, damage assessments Cable locks • Proximity reader • On-board sensors • Temporary security – Commonly used with electronic door – Motion detection – Connect your hardware to something locks – Thermal sensors solid – Combined with an access card • Video evidence • Cable works almost anywhere • Moisture detection – High resolution video capture – Useful when mobile – Useful to identify water leaks • Most devices have a standard connector • Temperature Faraday cage – Reinforced notch – Monitor changes over time • Blocks electromagnetic fields • Not designed for long-term protection – Discovered by Michael Faraday in 1836 – Those cables are pretty thin 2.7 - Secure Areas • A mesh of conductive material – The cage cancels the electromagnetic USB data blocker Secure areas field’s • Don’t connect to unknown USB • Physically secure the data effect on the interior interfaces – As important as the digital security – The window of a microwave oven – Even if you need a quick charge • An important part of a security policy • Not a comprehensive solution – Prevent “juice jacking” – Not a question to leave unanswered – Not all signal types are blocked • Use a USB data blocker • Secure active operations – Some signal types are not blocked at all – Allow the voltage, reject the data – Prevent physical access to the systems • Can restrict access to mobile networks • Use your power adapter • Secure offline data – Some very specific contingencies would – Avoid the issue entirely – Backups are an important security need to be in place for emergency calls concern Proper lighting Screened subnet • More light means more security Air gap • Formerly known as a demilitarized zone – Attackers avoid the light • Physical separation between networks (DMZ) – Easier to see when lit – Secure network and insecure network – An additional layer of security between – Non IR cameras can see better – Separate customer infrastructures the • Specialized design • Most environments are shared Internet and you – Consider overall light levels – Shared routers, switches, firewalls – Public access to public resources – Lighting angles may be important – Some of these are virtualized – Facial recognition • Specialized networks require air gaps Protected distribution – Avoid shadows and glare – Stock market networks • Protected Distribution System (PDS) – Power systems/SCADA – A physically secure cabled network Fencing – Airplanes • Protect your cables and fibers • Build a perimeter – Nuclear power plant operations – All of the data flows through these – Usually very obvious conduits – May not be what you’re looking for Vaults and safes • Prevent cable and fiber taps • Transparent or opaque • Vault – Direct taps and inductive taps – See through the fence (or not) – A secure reinforced room • Prevent cable and fiber cuts • Robust – Store backup media – A physical denial of service (DoS) – Difficult to cut the fence – Protect from disaster or theft • Hardened protected distribution system • Prevent climbing – Often onsite – Sealed metal conduit, periodic visual – Razor wire • Safe inspection – Build it high – Similar to a vault, but smaller – Less expensive to implement 2.7 - Secure Data Destruction Fire suppression – Space is limited - Install at more • Electronics require unique responses to locations Data destruction and media sanitization fire • Disposal becomes a legal issue – Water is generally a bad thing Hot and cold aisles – Some information must not be • Detection • Data centers destroyed – Smoke detector, flame detector, heat – Lots and lots of equipment – Consider offsite storage detector – This equipment generates heat • You don’t want critical information in • Suppress with water • Optimize cooling the trash – Where appropriate – Keep components at optimal – People really do dumpster dive • Suppress with chemicals temperatures – Recycling can be a security concern – Halon - No longer manufactured • Conserve energy – Physically destroy the media – Destroys ozone – Data centers are usually very large • Reuse the storage media rooms – Sanitize the media for reuse – Ensure nothing is left behind – One-off or industrial removal and Asymmetric encryption destroy • Public key cryptography Protect your rubbish – Two (or more) mathematically related • Secure your garbage - Fence and a lock Cryptography keys • Shred your documents • Greek: “kryptos” • Private key - Keep this private – This will only go so far – Hidden, secret • Public key - Anyone can see this key - – Governments burn the good stuff • Confidentiality Give it away • Burn documents - No going back – It’s a secret • The private key is the only key that can • Pulp the paper • Authentication and access control decrypt data encrypted with the public – Large tank washing to remove ink – I know it’s you. I REALLY know it’s you. key – Paper broken down into pulp • Non-repudiation - You said it. You can’t – You can’t derive the private key from – Creates recycled paper deny it. the public key • Integrity - Tamper-proof Physical destruction 2.8 - Symmetric and Asymmetric • Shredder / pulverizer Cryptography terms The key pair – Heavy machinery, complete destruction • Plaintext - An unencrypted message (in • Asymmetric encryption • Drill / Hammer the clear) – Public Key Cryptography – Quick and easy - Platters, all the way • Ciphertext - An encrypted message • Key generation through • Cipher - The algorithm used to encrypt – Build both the public and private key at • Electromagnetic (degaussing) and/or decrypt the same time – Remove the magnetic field • Cryptanalysis – Lots of randomization – Destroys the drive data and renders the – The art of cracking encryption – Large prime numbers drive unusable – Researchers are constantly trying to find – Lots and lots of math • Incineration - Fire hot. weaknesses in ciphers • Everyone can have the public key – A mathematically flawed cipher is bad – Only Alice has the private key Certificate of destruction for everyone • Destruction is often done by a 3rd party Elliptic curve cryptography (ECC) – How many drills and degaussers do you 2.8 - Cryptography Concepts • Asymmetric encryption have? Cryptographic keys – Need large integers composed of two or • Need confirmation that your data is • Keys more large prime factors destroyed – Add the key to the cypher to encrypt • Instead of numbers, use curves! – Service should include a certificate – Larger keys are generally more secure – Uses smaller keys than non-ECC • A paper trail of broken data • Some encryption methods use one key asymmetric – You know exactly what happened – Some use more than one key encryption – Every method is a bit different – Smaller storage and transmission Sanitizing media requirements • Purge data Give weak keys a workout – Perfect for mobile devices – Remove it from an existing data store • A weak key is a weak key – Delete some of the data from a – By itself, it’s not very secure Key stretching libraries database • Make a weak key stronger by • Already built for your application • Wipe data performing – No additional programming involved – Unrecoverable removal of data on a multiple processes • bcrypt storage device – Hash a password. Hash the hash of the – Generates hashes from passwords – Usually overwrites the data storage password. And continue… – An extension to the UNIX crypt library locations – Key stretching, key strengthening – Uses Blowfish cipher to perform – Useful when you need to reuse or • Brute force attacks would require multiple continue using the media reversing each of those hashes rounds of hashing – The attacker has to spend much more • Password-Based Key Derivation Function Data security time, even though the key is small 2 (PBKDF2) • July 2013 - UK National Health Service – Part of RSA public key cryptography Surrey Symmetric encryption standards – Provided hard drives to a 3rd-party to be • A single, shared key (PKCS #5, RFC 2898) destroyed – Encrypt with the key – Contained 3,000 patient records – Decrypt with the same key Lightweight cryptography – Received a destruction certificate, but – If it gets out, you’ll need another key • Powerful cryptography has traditionally not • Secret key algorithm required strength actually destroyed. – A shared secret – A powerful CPU and lots of time – Sold on eBay. Buyer contacted • Doesn’t scale very well • Internet of Things (IoT) devices have authorities, – Can be challenging to distribute limited power fined £200,000 • Very fast to use – Both watts and CPU • File level overwriting – Less overhead than asymmetric • New standards are being created – Sdelete – Windows Sysinternals encryption – National Institute of Standards and • Whole drive wipe secure data removal – Often combined with asymmetric Technology (NIST) leading the effort – DBAN - Darik’s Boot and Nuke encryption – Provide powerful encryption – Physical drive destruction - – Include integrity features – Keep costs low – Random data added to a password when hashing Key exchange Homomorphic encryption (HE) • Every user gets their own random salt • A logistical challenge • Encrypted data is difficult to work with – The salt is commonly stored with the – How do you transfer an encryption key – Decrypt the data password across an insecure medium without – Perform a function • Rainbow tables won’t work with salted having an encryption key? – Encrypt the answer hashes – Additional random value added • Out-of-band key exchange • Homomorphic encryption to the original password – Don’t send the symmetric key over the – Perform calculations of data while it’s • This slows things down the brute force ‘net encrypted process – Telephone, courier, in-person, etc. – Perform the work directly on the – It doesn’t completely stop the reverse encrypted data engineering Real-time encryption/decryption – The decrypted data can only be viewed • Each user gets a different random hash • There’s a need for fast security with – The same password creates a different – Without compromising the security part the private key hash • Share a symmetric session key using • Many advantages asymmetric encryption – Securely store data in the cloud Digital signatures – Client encrypts a random (symmetric) – Perform research on data without • Prove the message was not changed key with a server’s public key viewing the data – Integrity – The server decrypts this shared key and 2.8 - Hashing and Digital Signatures • Prove the source of the message uses it to encrypt data Hashes – Authentication – This is the session key • Represent data as a short string of text - • Make sure the signature isn’t fake • Implement session keys carefully A message digest – Non-repudiation – Need to be changed often (ephemeral • One-way trip • Sign with the private key keys) – Impossible to recover the original – The message doesn’t need to be – Need to be unpredictables message from the digest encrypted – Used to store passwords / – Nobody else can sign this (obviously) Symmetric key from asymmetric keys confidentiality • Verify with the public key • Use public and private key cryptography • Verify a downloaded document is the – Any change in the message will to create a symmetric key same as the original invalidate the signature – Math is powerful – Integrity • In-band key exchange • Can be a digital signature – It’s on the network Traditional web server encryption – Authentication, non-repudiation, and – Protect the key with additional • SSL/TLS uses encryption keys to protect integrity • Will not have a collision encryption web (hopefully) – Use asymmetric encryption to deliver server communication – Different messages will not have the a symmetric key – Traditionally, this has been based on the same hash web server’s RSA key pair 2.8 - Cryptographic Keys – One key that encrypts all symmetric Collision Cryptographic Keys keys • Hash functions – Take an input of any • There’s very little that isn’t known about • This server’s private key can rebuild size - Create a fixed size string the cryptographic process everything – Message digest, checksum- – The algorithm is usually a known entity – If you capture all of the traffic, you can • The hash should be unique – The only thing you don’t know is the decrypt all of the data – Different inputs should never create the key • One point of failure for all of your web same hash • The key determines the output site encryption – If they do, it’s a collision – Encrypted data • MD5 has a collision problem – Found in – Hash value Perfect Forward Secrecy (PFS) 1996 - Don’t use MD5 – Digital signature • Change the method of key exchange • Keep your key private! – Don’t use the server’s private RSA key Practical hashing – It’s the only thing protecting your data • Elliptic curve or Diffie-Hellman • Verify a downloaded file ephemeral – Hashes may be provided on the Key strength – The session keys aren’t kept around download site – Compare the downloaded • Larger keys tend to be more secure • Can’t decrypt with the private server key file hash with the posted hash value – Prevent brute-force attacks – Every session uses a different private • Password storage – Attackers can try every possible key key for the exchange – Instead of storing the password, store a combination • PFS requires more computing power salted hash • Symmetric encryption – Not all servers choose to use PFS – Compare hashes during the – 128-bit or larger symmetric keys are • The browser must support PFS authentication process common – These numbers get larger as – Check your SSL/TLS information for – Nobody ever knows your actual time goes on details password • Asymmetric encryption – Complex calculations of prime numbers Obfuscation Adding some salt – Larger keys than symmetric encryption • The process of making something • Salt – Common to see key lengths of 3,072 bits unclear or larger – It’s now much more difficult to • Breaks our existing encryption • Block cipher modes of operation understand mechanisms – Avoid patterns in the encryption • But it’s not impossible to understand – Quickly factor large prime numbers – Many different modes to choose from – If you know how to read it • This would cause significant issues • Make source code difficult to read – None of the existing cryptography could Block cipher mode of operation – But it doesn’t change the functionality be trusted • Encrypt one fixed-length group of bits at of the code – No financial transactions would be safe a time • Hide information inside of an image – No data would be private – A block – Steganography • Peter Shor invented Shor’s algorithm in • Mode of operation 1994 – Defines the method of encryption Steganography – Given an integer N, find its prime factors – May provide a method of authentication • Greek for “concealed writing” – Traditional computers would take longer • The block size is a fixed size – Security through obscurity than the – Not all data matches the block size • Message is invisible lifetime of the universe perfectly – But it’s really there – Shor’s algorithm would theoretically be – Split your plaintext into smaller blocks • The covertext much, – Some modes require padding before – The container document or file much faster encrypting • Time for updated cryptography 2.8 - Steganography – Not vulnerable to quantum computer ECB (Electronic Code Book) Common steganography techniques based attacks • The simplest encryption mode • Network based • NTRU – Too simple for most use cases – Embed messages in TCP packets – A cryptosystem using lattice theory • Each block is encrypted with the same • Use an image – Relies on the “closest-vector” problem key – Embed the message in the image itself – Instead of finding the prime – Identical plaintext blocks create identical • Invisible watermarks factorizations of ciphertext blocks – Yellow dots on printers large numbers Quantum communication ECB (Electronic Code book) cipher mode Other steganography types • Protect against eavesdropping using Post-quantum cryptography • Audio steganography quantum • Breaks our existing encryption – Modify the digital audio file cryptography mechanisms – Interlace a secret message within the – Quantum Key Distribution (QKD) – Quickly factor large prime numbers audio • Create unbreakable encryption • This would cause significant issues – Similar technique to image – Send a random stream of qubits (the – None of the existing cryptography could steganography key) across a quantum network channel be trusted • Video steganography • Both sides can verify the key – No financial transactions would be safe – A sequence of images – If it’s identical, the key was not viewed – No data would be private – Use image steganography on a larger during • Peter Shor invented Shor’s algorithm in scale transmission 1994 – Manage the signal to noise ratio • An attacker eavesdropping on the – Given an integer N, find its prime factors – Potentially transfer much more communication would modify the data – Traditional computers would take longer information stream than the lifetime of the universe – The attacker would have to violate – Shor’s algorithm would theoretically be 2.8 Quantum Computing quantum physics much, Quantum computing much faster • Computers based on quantum physics 2.8 - Stream and Block Ciphers • Time for updated cryptography – This is not an upgrade to your existing Stream ciphers – Not vulnerable to quantum computer computer • Encryption is done one bit or byte at a based attacks – This is a new computing technology time • NTRU • Classical mechanics – High speed, low hardware complexity – A cryptosystem using lattice theory – Smallest form of information is a bit • Used with symmetric encryption – Relies on the “closest-vector” problem – Bits are zeros and ones – Not commonly used with asymmetric – Instead of finding the prime • Quantum mechanics encryption factorizations of – Smallest form of information is a qubit • The starting state should never be the large numbers – Bits are zeros, ones, and any same twice • We will need to consider our options for combination – Key is often combined with an future cryptography in-between, at the same time initialization vector (IV) – This is a problem that can be easily seen – This is called quantum superposition and • Search quickly through large databases Block ciphers addressed – Index everything at the same time • Encrypt fixed-length groups • Simulate the quantum world – Often 64-bit or 128-bit blocks – Medical advances, weather prediction, – Pad added to short blocks CBC (Cipher Block Chaining) astrophysics, and much more – Each block is encrypted or decrypted • A popular mode of operation - Relatively independently easy to implement Post-quantum cryptography • Symmetric encryption • Each plaintext block is XORed with the – Similar to stream ciphers previous ciphertext block – Adds additional randomization – Encrypted data hides the active malware – Reusing the same key reduces – Use an initialization vector for the first code complexity block – Decryption occurs during execution – Less cost and effort to recertify keys • Authentication – Less administrative overhead CTR (Counter) – Password hashing – If the key is compromised, everything • Block cipher mode / acts like a stream – Protect the original password using that key is at risk cipher – Encrypts successive values of a – Add salt to randomize the stored – IoT devices often have keys embedded “counter” password hash in the firmware • Plaintext can be any size, since it’s part • Non-Repudiation • Resource vs. security constraints of the XOR i.e., 8 bits at a time (streaming) – Confirm the authenticity of data – IoT devices have limited CPU, memory, instead of a 128-bit block – Digital signature provides both integrity and power and non-repudiation – Real-time applications can’t delay GCM (Galois/Counter Mode) – Difficult to maintain and update security • Encryption with authentication 2.8 - Cryptography Limitations components – Authentication is part of the block mode – Combines Counter Mode with Finding the balance 3.1 - Secure Protocols – Galois authentication • Cryptography isn’t a perfect solution Voice and video • Minimum latency, minimum operation – It can have significant limitations • SRTP overhead • Not all implementations are the same – Secure Real-Time Transport Protocol / – Very efficient encryption and – Different platforms, different Secure RTP authentication cryptographic options • Adds security features to RTP • Commonly used in packetized data • Cryptography can’t fix bad technique – Keep conversations private – Network traffic security (wireless, IPsec) – Hashing easily guessed passwords • Encryption – SSH, TLS without a salt – Uses AES to encrypt the voice/video • Every situation is different flow 2.8 - Blockchain Technology – Do your homework • Authentication, integrity, and replay Blockchain protection • A distributed ledger Limitations – HMAC-SHA1 - Hash-based message – Keep track of transactions • Speed authentication code using SHA1 • Everyone on the blockchain network – Cryptography adds overhead maintains the ledger – A system needs CPU, CPU needs power Time synchronization – Records and replicates to anyone and – More involved encryption increases the • Classic NTP has no security features everyone load – Exploited as amplifiers in DDoS attacks • Many practical applications • Size – NTP has been around prior to 1985 – Payment processing – Typical block ciphers don’t increase the • NTPsec – Digital identification size of – Secure network time protocol – Supply chain monitoring encrypted data – Began development in June of 2015 – Digital voting – AES block size is 128 bits/16 bytes • Cleaned up the code base – Encrypting 8 bytes would potentially – Fixed a number of vulnerabilities 2.8 - Cryptography Use Cases double the storage size Finding the balance • Weak keys Email • Low power devices – Larger keys are generally more difficult • S/MIME – Mobile devices, portable systems to brute force – Secure/Multipurpose Internet Mail – Smaller symmetric key sizes – The weak IV in RC4 resulted in the WEP Extensions – Use elliptic curve cryptography (ECC) for security issues – Public key encryption and digital signing asymmetric encryption • Time of mail content • Low latency – Encryption and hashing takes time – Requires a PKI or similar organization of – Fast computation time – Larger files take longer keys – Symmetric encryption, smaller key sizes – Asymmetric is slower than symmetric • Secure POP and Secure IMAP • High resiliency • Longevity – Use a STARTTLS extension to encrypt – Larger key sizes – A specific cryptographic technology can POP3 with SSL or use IMAP with SSL – Encryption algorithm quality become less secure over time • SSL/TLS – Hashing provides data integrity – Smaller keys are easier to brute force, – If the mail is browser based, always larger keys take long er to process encrypt with SSL Use cases – Key retirement is a good best practice • Confidentiality • Predictability and entropy Web – Secrecy and privacy – Random numbers are critical for secure • SSL/TLS – Encryption (file-level, drive-level, email) cryptography – Secure Sockets Layer/Transport Layer • Integrity – Hardware random number generators Security – Prevent modification of data can • HTTPS – Validate the contents with hashes be predictable – HTTP over TLS / HTTP over SSL / HTTP – File downloads, password storage – A passphrase needs to be appropriately Secure • Obfuscation random • Uses public key encryption – Modern malware • Key reuse – Private key on the server – Symmetric session key is transferred file transfer features – May require an additional public key using configuration asymmetric encryption Domain name resolution – Set up a trust relationship – Security and speed • DNS had no security in the original – Certificates, IP addresses design 3.2 - Endpoint Protection IPSec (Internet Protocol Security) – Relatively easy to poison a DNS The endpoint • Security for OSI Layer 3 • DNSSEC • The user’s access - Applications and data – Authentication and encryption for every – Domain Name System Security • Stop the attackers - Inbound attacks, packet Extensions outbound attacks • Confidentiality and integrity/anti-replay • Validate DNS responses • Many different platforms - Mobile, – Encryption and packet signing – Origin authentication desktop • Very standardized – Data integrity • Protection is multi-faceted - Defense in – Common to use multi-vendor • Public key cryptography depth implementations – DNS records are signed with a trusted • Two core IPSec protocols third party Anti-virus and anti-malware – Authentication Header (AH) – Signed DNS records are published in • Anti-virus is the popular term – Encapsulation Security Payload (ESP) DNS – Refers specifically to a type of malware – Trojans, worms, macro viruses File transfer Routing and switching • Malware refers to the broad malicious • FTPS • SSH - Secure Shell software category – FTP over SSL (FTP-SSL) – Encrypted terminal communication – Anti-malware stops spyware, – File Transfer Protocol Secure • SNMPv3 - Simple Network ransomware, – This is not SFTP – Management Protocol version 3 fileless malware • SFTP – Confidentiality - Encrypted data • The terms are effectively the same these – SSH File Transfer Protocol – Integrity - No tampering of data days – Provides file system functionality – Authentication - Verifies the source – The names are more of a marketing tool – Resuming interrupted transfers, • HTTPS – Anti-virus software is also anti-malware directory listings, remote file removal – Browser-based management software now – Encrypted communication – Make sure your system is using LDAP (Lightweight Directory Access – a comprehensive solution Protocol) Network address allocation • Protocol for reading and writing • Securing DHCP Endpoint detection and response (EDR) directories over an IP network – DHCP does not include any built-in • A different method of threat protection – An organized set of records, like a phone security – Scale to meet the increasing number of directory – There is no “secure” version of the DHCP threats • X.500 specification was written by the protocol • Detect a threat International Telecommunications Union • Rogue DHCP servers – Signatures aren’t the only detection tool (ITU) – In Active Directory, DHCP servers must – Behavioral analysis, machine learning, – They know directories! be authorized process monitoring • DAP ran on the OSI protocol stack – Some switches can be configured with – Lightweight agent on the endpoint – LDAP is lightweight, and uses TCP/IP “trusted” interfaces • Investigate the threat • LDAP is the protocol used to query and – DHCP distribution is only allowed from – Root cause analysis update an X.500 directory trusted interfaces • Respond to the threat – Used in Windows Active Directory, – Cisco calls this DHCP Snooping – Isolate the system, quarantine the Apple OpenDirectory, OpenLDAP, etc. – DHCP client DoS - Starvation attack threat, rollback to a previous config – Use spoofed MAC addresses to exhaust – API driven, no user or technician Directory services the DHCP pool intervention required • LDAP (Lightweight Directory Access – Switches can be configured to limit the Protocol) number of MAC addresses per interface Data Loss Prevention (DLP) • LDAPS (LDAP Secure) – Disable an interface when multiple MAC • Where’s your data? – A non-standard implementation of LDAP addresses are seen – Social Security numbers, credit card over SSL numbers, • SASL (Simple Authentication and Subscription services medical records Security Layer) • Automated subscriptions • Stop the data before the attacker gets it – Provides authentication using many – Anti-virus / Anti-malware signature – Data “leakage” different updates • So many sources, so many destinations methods, i.e., Kerberos or client – IPS updates – Often requires multiple solutions certificate – Malicious IP address databases / – Endpoint clients Firewall updates – Cloud-based systems Remote access • Constant updates – Email, cloud storage, collaboration tools • SSH (Secure Shell) – Each subscription uses a different – Encrypted terminal communication update method Next-generation firewall (NGFW) – Replaces Telnet (and FTP) • Check for encryption and integrity • The OSI Application Layer - All data in – Provides secure terminal checks every packet communication and • Can be called different names – Application layer gateway • Persistent memory – Device provides an operational report to – Stateful multilayer inspection, deep – Comes with unique keys burned in a packet inspection during production verification server • Broad security controls • Versatile memory – Encrypted and digitally signed with the – Allow or disallow application features – Storage keys, hardware configuration TPM – Identify attacks and malware information • Attestation server receives the boot – Examine encrypted data • Password protected report – Prevent access to URLs or URL – No dictionary attacks – Changes are identified and managed categories Boot integrity 3.2 - Database Security Host-based firewall • The attack on our systems is constant Database security • Software-based firewall – Techniques are constantly changing • Protecting stored data – Personal firewall, runs on every • Attackers compromise a device – And the transmission of that data endpoint – And want it to stay compromised • Intellectual property storage • Allow or disallow incoming or outgoing • The boot process is a perfect infection – Data is valuable application traffic point • Compliance issues – Control by application process – Rootkits run in kernel mode – PCI DSS, HIPAA, GDPR, etc. – View all data – Have the same rights as the operating • Keep the business running • Identify and block unknown processes system – Security provides continuity – Stop malware before it can start • Protecting the boot process is important • Breaches are expensive - Keep costs low • Manage centrally – Secure boot, trusted boot, and measured boot Tokenization Finding intrusions – A chain of trust • Replace sensitive data with a non- • Host-based Intrusion Detection System sensitive placeholder (HIDS) UEFI BIOS Secure Boot – SSN 266-12-1112 is now 691-61-8539 – Uses log files to identify intrusions • Secure Boot • Common with credit card processing – Can reconfigure firewalls to block – Part of the UEFI specification – Use a temporary token during payment • Host-based Intrusion Prevention System • UEFI BIOS protections – An attacker capturing the card numbers (HIPS) – BIOS includes the manufacturer’s public can’t use them later – Recognize and block known attacks key • This isn’t encryption or hashing – Secure OS and application configs, – Digital signature is checked during a – The original data and token aren’t validate BIOS update mathematically related incoming service requests – BIOS prevents unauthorized writes to – No encryption overhead – Often built into endpoint protection the flash software • Secure Boot verifies the bootloader Hashing a password • HIPS identification – Checks the bootloader’s digital signature • Hashes represent data as a fixed-length – Signatures, heuristics, behavioral – Bootloader must be signed with a string of text – Buffer overflows, registry updates, trusted certificate – A message digest, or “fingerprint” writing files to the Windows folder – Or a manually approved digital signature • Will not have a collision (hopefully) – Access to non-encrypted data – Different inputs will not have the same Trusted Boot hash 3.2 - Boot Integrity • Bootloader verifies digital signature of • One-way trip Hardware root of trust the OS kernel – Impossible to recover the original • Security is based on trust – A corrupted kernel will halt the boot message – Is your data safely encrypted? process from the digest – Is this web site legitimate? • The kernel verifies all of the other – A common way to store passwords – Has the operating system been startup components infected? – Boot drivers, startup files Adding some salt • The trust has to start somewhere • Just before loading the drivers, • Salt – Trusted Platform Module (TPM), – ELAM (Early Launch Anti-Malware) starts – Random data added to a password – Hardware Security Module (HSM) – Checks every driver to see if it’s trusted when hashing – Designed to be the hardware root of the – Windows won’t load an untrusted driver • Every user gets their own random salt trust – The salt is commonly stored with the • Difficult to change or avoid Measured Boot password – It’s hardware • Nothing on this computer has changed • Rainbow tables won’t work with salted – Won’t work without the hardware – There have been no malware infections hashes – How do you know? – Additional random value added to the Trusted Platform Module (TPM) • Easy when it’s just your computer original • A specification for cryptographic – More difficult when there are 1,000 password functions • UEFI stores a hash of the firmware, boot • This slows things down the brute force – Hardware to help with encryption drivers, and everything else loaded during process functions the Secure Boot and – It doesn’t completely stop the reverse • Cryptographic processor – Trusted Boot process engineering – Random number generator, key – Stored in the TPM generators • Remote attestation 3.2 - Application Security Secure coding concepts • This isn’t designed to be secure storage • Static Application Security Testing (SAST) • A balance between time and quality • Help to identify security flaws • Programming with security in mind is HTTP secure headers • Many security vulnerabilities found often secondary • An additional layer of security easily • Testing, testing, testing • Add these to the web server • Buffer overflows, database injections, • The Quality Assurance (QA) process configuration etc. • Vulnerabilities will eventually be found • You can’t fix every bad application • Not everything can be identified through • And exploited • Enforce HTTPS communication analysis • Ensure encrypted communication • Authentication security, insecure Input validation • Only allow scripts, stylesheets, or images cryptography, etc. • What is the expected input? from • Don’t rely on automation for everything • Validate actual vs. expected the local site • Still have to verify each finding • Document all input methods • Prevent XSS attacks • False positives are an issue • Forms, fields, type • Prevent data from loading into an inline • Check and correct all input frame 3.2 - Application Hardening (normalization) (iframe) Static code analyzer results • A zip code should be only X characters • Also helps to prevent XSS attacks Application hardening long • Minimize the attack surface with a letter in the X column Code signing – Remove all possible entry points • Fix any data with improper input • An application is deployed • Remove the potential for all known • The fuzzers will find what you missed • • Users run application executable or vulnerabilities Don’t give them an opening scripts • So many security questions – As well as the unknown • Has the application been modified in • Some hardening may have compliance Dynamic analysis (fuzzing) any way? mandates • Send random input to an application • Can you confirm that the application – HIPAA servers, PCI DSS, etc. • Fault-injecting, robustness testing, was written by a specific developer? • There are many different resources syntax testing, negative testing • The application code can be digitally – Center for Internet Security (CIS) • Looking for something out of the signed by the developer – Network and Security Institute (SANS) ordinary • Application crash, server error, • Asymmetric encryption – National Institute of Standards and exception • A trusted CA signs the developer’s public Technology (NIST) • 1988 class project at the University of key Wisconsin • Developer signs the code with their Open ports and services • “Operating System Utility Program private key • Every open port is a possible entry point Reliability” • For internal apps, use your own CA – Close everything except required ports • Professor Barton Miller • Control access with a firewall • The Fuzz Generator Allow list / deny list – NGFW would be ideal • Any application can be dangerous • Unused or unknown services Fuzzing engines and frameworks • Vulnerabilities, trojan horses, malware – Installed with the OS or from other • Many different fuzzing options • Security policy can control app applications • Platform specific, language specific, etc. execution • Applications with broad port ranges • Very time and processor resource heavy • Allow list, deny/block list – Open port 0 through 65,535 • Many, many different iterations to try • Allow list • Use Nmap or similar port scanner to • Many fuzzing engines use high- • Nothing runs unless it’s approved - Very verify probability tests restrictive – Ongoing monitoring is important • Carnegie Mellon Computer • Deny list • Emergency Response Team (CERT) • Nothing on the “bad list” can be Registry • CERT Basic Fuzzing Framework (BFF) executed • The primary configuration database for • https://professormesser.link/bff • Anti-virus, anti-malware Windows – Almost everything can be configured Secure cookies Examples of allow and deny lists from the registry • Cookies • Decisions are made in the operating • Useful to know what an application • Information stored on your computer by system modifies the • Often built-in to the operating system – Many third-party tools can show registry browser management • Application hash changes • Used for tracking, personalization, • Only allows applications with this unique • Some registry changes are important session identifier • Certificate security settings management • Allow digitally signed apps from certain – Configure registry permissions • Not executable, not generally a security publishers – Disable SMBv1 risk • Path - Only run applications in these • Unless someone gets access to them folders Disk encryption • Secure cookies have a Secure attribute • Network zone • Prevent access to application data files set • The apps can only run from this network – File system encryption • Browser will only send it over HTTPS zone • Full disk encryption (FDE) • Sensitive information should not be – Encrypt everything on the drive saved in a cookie Static code analyzers – BitLocker, FileVault, etc. • Self-encrypting drive (SED) • Caching Logical segmentation with VLANs – Hardware-based full disk encryption – Fast response • Virtual Local Area Networks (VLANs) – No operating system software needed • Prioritization – Separated logically instead of physically • Opal storage specification – QoS – Cannot communicate between VLANs – The standard for of SED storage • Content switching without – Application-centric balancing a Layer 3 device / router Operating system hardening • Many and varied Scheduling Screened subnet – Windows, Linux, iOS, Android, et al. • Round-robin • Previously known as the demilitarized • Updates – Each server is selected in turn zone (DMZ) – Operating system updates/service • Weighted round-robin – An additional layer of security between packs, – Prioritize the server use the Internet and you security patches • Dynamic round-robin – Public access to public resources • User accounts – Monitor the server load and distribute – Minimum password lengths and to the server with the lowest use Extranet complexity • Active/active load balancing • A private network for partners – Account limitations – Vendors, suppliers • Network access and security Affinity • Usually requires additional – Limit network access • Affinity authentication • Monitor and secure – A kinship, a likeness – Only allow access to authorized users – Anti-virus, anti-malware • Many applications require communication to the same instance Intranet Patch management – Each user is “stuck” to the same server • Private network - Only available • Incredibly important – Tracked through IP address or session internally – System stability, security fixes IDs • Company announcements, important • Monthly updates – Source affinity / sticky session / session documents, other company business – Incremental (and important) persistence – Employees only • Third-party updates • No external access – Application developers, device drivers Active/passive load balancing – Internal or VPN access only • Auto-update - Not always the best • Some servers are active option – Others are on standby East-west traffic • Emergency out-of-band updates • If an active server fails, the passive • Traffic flows within a data center – Zero-day and important security server takes its place – Important to know where traffic starts discoveries and ends 3.3 - Network Segmentation • East-west Sandboxing Segmenting the network – Traffic between devices in the same • Applications cannot access unrelated • Physical, logical, or virtual segmentation data center resources – Devices, VLANs, virtual networks – Relatively fast response times – They play in their own sandbox • Performance • North-south traffic • Commonly used during development – High-bandwidth applications – Ingress/egress to an outside device – Can be a useful production technique • Security – A different security posture than east- • Used in many different deployments – Users should not talk directly to west traffic – Virtual machines database servers – Mobile devices – The only applications in the core are SQL Zero-trust – Browser iframes (Inline Frames) and SSH • Many networks are relatively open on – Windows User Account Control (UAC) • Compliance the inside – Mandated segmentation (PCI – Once you’re through the firewall, there 3.3 - Load Balancing compliance) are few security controls Balancing the load – Makes change control much easier • Zero trust is a holistic approach to • Distribute the load network security – Multiple servers Physical segmentation – Covers every device, every process, – Invisible to the end-user • Devices are physically separate - Air gap every person • Large-scale implementations between Switch A and Switch B • Everything must be verified – Web server farms, database farms • Must be connected to provide – Nothing is trusted • Fault tolerance communication – Multifactor authentication, encryption, – Server outages have no effect – Direct connect, or another switch or system permissions, additional firewalls, – Very fast convergence router monitoring and analytics, etc. • Web servers in one rack - Database Load balancer servers on another 3.3 - Virtual Private Networks • Configurable load • Customer A on one switch, customer B VPNs – Manage across servers on another • Virtual Private Networks • TCP offload – No opportunity for mixing data – Encrypted (private) data traversing a – Protocol overhead • Separate devices public network • SSL offload – Multiple units, separate infrastructure • Concentrator – Encryption/Decryption – Encryption/decryption access device – Often integrated into a firewall • Hash of the packet and a shared key • Not used in IPv6 • Many deployment options – SHA-2 is common – Focus on multicast – Specialized cryptographic hardware – Adds the AH to the packet header – Software-based options available • This doesn’t provide encryption Broadcast storm control • Used with client software – Provides data integrity (hash) • The switch can control broadcasts – Sometimes built into the OS – Guarantees the data origin – Limit the number of broadcasts per (authentication) second SSL VPN (Secure Sockets Layer VPN) – Prevents replay attacks (sequence • Can often be used to control multicast • Uses common SSL/TLS protocol numbers) and unknown unicast traffic (tcp/443) – Tight security posture – (Almost) No firewall issues! Encapsulation Security Payload (ESP) • Manage by specific values or by • No big VPN clients • Encrypts and authenticates the tunneled percentage – Usually remote access communication data – Or the changeover normal traffic • Authenticate users – Commonly uses SHA-2 for hash, AES for patterns – No requirement for digital certificates or encryption shared – Adds a header, a trailer, and an Integrity Loop protection passwords (like IPSec) Check Value • Connect two switches to each other • Can be run from a browser or from a • Combine with Authentication Header – They’ll send traffic back and forth (usually light) VPN client (AH) for integrity and authentication of forever – Across many operating systems the outer header – There’s no “counting” mechanism at • On-demand access from a remote the MAC layer device – Software connects to a VPN IPsec Transport mode and Tunnel mode • This is an easy way to bring down a concentrator • Tunnel mode is the most common network • Some software can be configured as – Transport mode may not even be an – And somewhat difficult to troubleshoot always-on option – Relatively easy to resolve • IEEE standard 802.1D to prevent loops in AH (Authentication Header) HTML5 VPNs bridged (switched) networks (1990) • Data integrity • Hypertext Markup Language version 5 – Created by Radia Perlman • Origin authentication – The language commonly used in web – Used practically everywhere • Replay attack protection browsers • Keyed-hash mechanism • Includes comprehensive API support BPDU Guard • No confidentiality/encryption – Application Programming Interface • Spanning tree takes time to determine if – Web cryptography API a switch port should forward frames ESP (Encapsulating Security Payload) • Create a VPN tunnel without a separate – Bypass the listening and learning states • Data confidentiality (encryption) VPN application – Cisco calls this PortFast • Limited traffic flow confidentiality – Nothing to install • BPDU (Bridge Protocol Data Unit) • Data integrity • Use an HTML5 compliant browser – The spanning tree control protocol • Anti-replay protection – Communicate directly to the VPN • If a BPDU frame is seen on a PortFast concentrator configured interface (i.e., a workstation), AH and ESP shut down the interface • Combine the data integrity of AH 3.3 - Port Security – This shouldn’t happen - Workstations with the confidentiality of ESP Port security don’t send BPDUs • There’s a lot of security that happens at L2TP the DHCP Snooping • Layer 2 Tunneling Protocol physical switch interface • IP tracking on a layer 2 device (switch) – Connecting sites over a layer 3 network – Often the first and last point of – The switch is a DHCP firewall as if they were connected at layer 2 transmission – Trusted: Routers, switches, DHCP • Commonly implemented with IPsec • Control and protect servers – L2TP for the tunnel, IPsec for the – Limit overall traffic – Untrusted: Other computers, unofficial encryption – Control specific traffic types DHCP servers – L2TP over IPsec (L2TP/IPsec) – Watch for unusual or unwanted traffic • Switch watches for DHCP conversations • Different options are available – Adds a list of untrusted devices to a IPSec (Internet Protocol Security) – Manage different security issues table • Security for OSI Layer 3 • Filters invalid IP and DHCP information – Authentication and encryption for every Broadcasts – Static IP addresses packet • Send information to everyone at once – Devices acting as DHCP servers • Confidentiality and integrity/anti-replay – One frame or packet, received by – Other invalid traffic patterns – Encryption and packet signing everyone • Very standardized – Every device must examine the MAC filtering – Common to use multi-vendor broadcast • Media Access Control implementations • Limited scope - The broadcast domain – The “hardware” address • Two core IPSec protocols • Routing updates, ARP requests - Can add • Limit access through the physical – Authentication Header (AH) up quickly hardware address – Encapsulation Security Payload (ESP) • Malicious software or a bad NIC – Keeps the neighbors out Authentication Header (AH) – Not always normal traffic – Additional administration with visitors • Easy to find working MAC addresses – Voice traffic needs to have priority over • Windows - SFC (System File Checker) through wireless LAN analysis YouTube • Linux - Tripwire – MAC addresses can be spoofed • Many host-based IPS options – Free open-source software QoS (Quality of Service) • Security through obscurity • Prioritize traffic performance 3.3 - Firewalls – Voice over IP traffic has priority over The universal security control 3.3 - Secure Networking web-browsing • Standard issue Domain Name Resolution – Prioritize by maximum bandwidth, – Home, office, and in your operating • DNS had no security in the original traffic rate, system design VLAN, etc. • Control the flow of network traffic – Relatively easy to poison a DNS • Quality of Service – Everything passes through the firewall • DNSSEC – Describes the process of controlling • Corporate control of outbound and – Domain Name System Security traffic flows inbound data Extensions • Many different methods – Sensitive materials • Validate DNS responses – Across many different topologies • Control of inappropriate content – Origin authentication – Not safe for work, parental controls – Data integrity IPv6 security is different • Protection against evil • Public key cryptography • More IP address space – Anti-virus, anti-malware – DNS records are signed with a trusted – More difficult to IP/port scan (but not third party impossible) Network-based firewalls – Signed DNS records are published in – The tools already support IPv6 • Filter traffic by port number or DNS • No need for NAT application – NAT is not a security feature – Traditional vs. NGFW firewalls Using a DNS for security • Some attacks disappear • Encrypt traffic - VPN between sites • Stop end users from visiting dangerous – No ARP, so no ARP spoofing • Most firewalls can be layer 3 devices sites • New attacks will appear (routers) – The DNS resolves to a sinkhole address – For example, Neighbor Cache – Often sits on the ingress/egress of the • A query to a known-malicious address Exhaustion network can identify infected systems • IPsec built in / IPsec ready – Network Address – And prevent further exploitation – Translation (NAT) functionality • Content filtering Taps and port mirrors – Authenticate dynamic routing – Prevent DNS queries to unwanted or • Intercept network traffic communication suspicious sites – Send a copy to a packet capture device • Physical taps Stateless firewall Out-of-band management – Disconnect the link, put a tap in the • Does not keep track of traffic flows • The network isn’t available middle – Each packet is individually examined, – Or the device isn’t accessible from the – Can be an active or passive tap regardless of past history network • Port mirror – Traffic sent outside of an active session • Most devices have a separate – Port redirection, SPAN (Switched Port will management interface Analyzer) traverse a stateless firewall – Usually a serial connection / USB – Software-based tap • Connect a modem – Limited functionality, but can work well Stateful firewall – Dial-in to manage the device in a pinch • Stateful firewalls remember the “state” • Console router / comm server of the session – Out-of-band access for multiple devices Monitoring services – Everything within a valid flow is allowed – Connect to the console router, then • Constant cybersecurity monitoring choose – Ongoing security checks UTM / All-in-one security appliance where you want to go – A staff of cybersecurity experts at a • Unified Threat Management (UTM) / Security Operations Center (SoC) • Web security gateway The need for QoS • Identify threats • URL filter / Content inspection • Many different devices – A broad range of threats across many • Malware inspection – Desktop, laptop, VoIP phone, mobile different • Spam filter devices organizations • CSU/DSU • Many different applications • Respond to events • Router, Switch – Mission critical applications, streaming – Faster response time • Firewall video, • Maintain compliance • IDS/IPS streaming audio – Someone else ensures PCI DSS, HIPAA • Bandwidth shaper • Different apps have different network compliance, etc. • VPN endpoint requirements Next-generation firewall (NGFW) – Voice is real-time FIM (File Integrity Monitoring) • The OSI Application Layer – Recorded streaming video has a buffer • Some files change all the time – All data in every packet – Database application is interactive – Some files should NEVER change • Can be called different names • Some applications are “more important” • Monitor important operating system – Application layer gateway than others and application files – Stateful multilayer inspection – Identify when changes occur – Deep packet inspection • Requires some advanced decodes – Host-based firewalls are application- Proxies – Every packet must be analyzed and aware and can view non-encrypted data • Sits between the users and the external categorized before a security decision is – Virtual firewalls provide valuable network determined East/West • Receives the user requests and sends network security the request NGFWs on their behalf (the proxy) • Network-based Firewalls 3.3 - Network Access Control • Useful for caching information, access – Control traffic flows based on the Edge vs. access control control, application • Control at the edge URL filtering, content scanning – Microsoft SQL Server, Twitter, YouTube – Your Internet link • Applications may need to know • Intrusion Prevention Systems – Managed primarily through firewall how to use the proxy (explicit) – Identify the application rules • Some proxies are invisible (transparent) – Apply application-specific vulnerability – Firewall rules rarely change signatures to the traffic • Access control Application proxies • Content filtering – Control from wherever you are - Inside • One of the simplest “proxies” is NAT – URL filters or outside • A network-level proxy – Control website traffic by category – Access can be based on many rules • Most proxies in use are application – By user, group, location, application, etc. proxies Web application firewall (WAF) – Access can be easily revoked or changed • The proxy understands the way the • Not like a “normal” firewall – Change your security posture at any application works – Applies rules to HTTP/HTTPS time • A proxy may only know one application conversations • HTTP • Allow or deny based on expected input Posture assessment • Many proxies are multipurpose proxies – Unexpected input is a common method • You can’t trust everyone’s computer • HTTP, HTTPS, FTP, etc. of – BYOD (Bring Your Own Device) exploiting an application – Malware infections / missing anti- Forward Proxy • SQL injection malware • An “internal proxy” – Add your own commands to an – Unauthorized applications • Commonly used to protect and control application’s • Before connecting to the network, user access to the Internet SQL query perform a health check • A major focus of Payment Card Industry – Is it a trusted device? Open Proxy – Data Security Standard (PCI DSS) – Is it running anti-virus? Which one? Is it • A third-party, uncontrolled proxy updated? • Can be a significant security concern Firewall rules – Are the corporate applications installed? • Often used to circumvent existing • Access control lists (ACLs) – Is it a mobile device? security controls – Allow or disallow traffic based on tuples – Is the disk encrypted? – Groupings of categories – The type of device doesn’t matter - Reverse Proxy – Source IP, Destination IP, port number, Windows, Mac, Linux, iOS, Android • Inbound traffic from the Internet to your time of day, application, etc. internal service • A logical path Health checks/posture assessment – Usually top-to-bottom • Persistent agents 3.3 - Intrusion Prevention • Can be very general or very specific – Permanently installed onto a system NIDS and NIPS – Specific rules are usually at the top – Periodic updates may be required • Intrusion Detection System / • Implicit deny • Dissolvable agents – Intrusion Prevention System – Most firewalls include a deny at the – No installation is required – Watch network traffic bottom – Runs during the posture assessment • Intrusions – Even if you didn’t put one – Terminates when no longer required – Exploits against operating systems, • Agentless NAC applications, etc. Firewall characteristics – Integrated with Active Directory – Buffer overflows, cross-site scripting, • Open-source vs. proprietary – Checks are made during login and logoff other – Open-source provides traditional – Can’t be scheduled vulnerabilities firewall functionality • Detection vs. Prevention – Proprietary features include application Failing your assessment – Detection – Alarm or alert control and high-speed hardware • What happens when a posture – Prevention – Stop it before it gets into • Hardware vs. software assessment fails? the network – Purpose-built hardware provides – Too dangerous to allow access efficient and • Quarantine network, notify Passive monitoring flexible connectivity options administrators • Examine a copy of the traffic – Software-based firewalls can be – Just enough network access to fix the – Port mirror (SPAN), network tap installed issue • No way to block (prevent) traffic almost anywhere • Once resolved, try again • Appliance vs. host-based vs. virtual – May require additional fixes Out-of-band-response – Appliances provide the fastest • When malicious traffic is identified, throughput 3.3 - Proxies – IPS sends TCP RST (reset) frames – After-the-fact – Limited UDP response available • Authenticate the users before granting • Once you have the PSK, you have access everyone’s Inline monitoring – Who gets access to the wireless wireless key • IDS/IPS sits physically inline network? – There’s no forward secrecy – All traffic passes through the IDS/IPS – Username, password, multi-factor authentication SAE In-band response • Ensure that all communication is • WPA3 changes the PSK authentication • Malicious traffic is immediately confidential process identified – Encrypt the wireless data – Includes mutual authentication – Dropped at the IPS • Verify the integrity of all communication – Creates a shared session key without – Does not proceed through the network – The received data should be identical to sending that key across the network the – No more four-way handshakes, no Identification technologies original sent data hashes, • Signature-based – A message integrity check (MIC) no brute force attacks – Look for a perfect match – Adds perfect forward secrecy • Anomaly-based Wireless encryption • Simultaneous Authentication of Equals – Build a baseline of what’s “normal” • All wireless computers are radio (SAE) • Behavior-based transmitters and receivers – A Diffie-Hellman derived key exchange – Observe and report – Anyone can listen in with an authentication component • Heuristics • Solution: Encrypt the data - Everyone – Everyone uses a different session key, – Use artificial intelligence to identify has an encryption key even with the same PSK • Only people with the right key can – An IEEE standard - the dragonfly 3.3 - Other Network Appliances transmit and listen handshake Hardware Security Module (HSM) – WPA2 and WPA3 • High-end cryptographic hardware 3.4 - Wireless Authentication Methods – Plug-in card or separate hardware WPA2 and CCMP Wireless authentication methods device • Wi-Fi Protected Access II (WPA2) • Gain access to a wireless network • Key backup – WPA2 certification began in 2004 – Mobile users – Secured storage • CCMP block cipher mode – Temporary users • Cryptographic accelerators – Counter Mode with Cipher Block • Credentials – Offload that CPU overhead from other Chaining – Shared password / pre-shared key (PSK) devices – Message Authentication Code Protocol, – Centralized authentication (802.1X) • Used in large environments Clusters, or • Configuration redundant power – Counter/CBC-MAC Protocol – Part of the wireless network connection • CCMP security services – Prompted during the connection process Jump server – Data confidentiality with AES • Access secure network zones – Message Integrity Check (MIC) with CBC- Wireless security modes – Provides an access mechanism to a MAC • Configure the authentication on your protected network wireless • Highly-secured device WPA3 and GCMP access point / wireless router – Hardened and monitored • Wi-Fi Protected Access 3 (WPA3) - • Open System • SSH / Tunnel / VPN to the jump server Introduced in 2018 – No password is required – RDP, SSH, or jump from there • GCMP block cipher mode • WPA3-Personal / WPA3-PSK • A significant security concern – Galois/Counter Mode Protocol – WPA3 with a pre-shared key – Compromise to the jump server is a – A stronger encryption than WPA2 – Everyone uses the same key significant breach • GCMP security services – Unique WPA3 session key is derived – Data confidentiality with AES from the PSK using SAE Sensors and collectors – Message Integrity Check (MIC) with (Simultaneous Authentication of Equals) • Aggregate information from network – Galois Message Authentication Code • WPA3-Enterprise / WPA3-802.1X devices (GMAC) – Authenticates users individually with an – Built-in sensors, separate devices authentication server (i.e., RADIUS) – Integrated into switches, routers, The WPA2 PSK problem servers, firewalls, etc. • WPA2 has a PSK brute-force problem Captive Portal • Sensors – Listen to the four-way handshake • Authentication to a network - Common – Intrusion prevention systems, firewall – Some methods can derive the PSK hash on wireless networks logs, without the handshake • Access table recognizes a lack of authentication logs, web server access – Capture the hash authentication logs, database transaction logs, email logs • With the hash, attackers can brute force – Redirects your web access to a captive • Collectors the portal page pre-shared key (PSK) • Username / password - And additional 3.4 - Cryptography • This has become easier as technology authentication factors Securing a wireless network improves • Once proper authentication is provided, • An organization’s wireless network can – A weak PSK is easier to brute force the contain confidential information – GPU processing speeds web session continues – Not everyone is allowed access – Cloud-based password cracking – Until the captive portal removes your authenticate access • Used in conjunction with an access EAP-TTLS database • EAP Tunneled Transport Layer Security – Using WPS – RADIUS, LDAP, TACACS+ Support other authentication protocols in • Wi-Fi Protected Setup a TLS tunnel • Requires a digital certificate – Originally called Wi-Fi Simple Config IEEE 802.1X and EAP on the AS – Does not require digital • Allows “easy” setup of a mobile device • Supplicant – The client certificates on every device – A passphrase can be complicated to a • Authenticator – Builds a TLS tunnel using this digital novice – The device that provides access certificate • Use any authentication • Different ways to connect • Authentication server method inside the TLS tunnel – PIN configured on access point must be – Validates the client credentials – Other EAPs entered on the mobile device – MSCHAPv2 – Push a button on the access point EAP-FAST – Anything else – Near-field communication - • EAP Flexible Authentication via Secure – Bring the mobile device close to the Tunneling RADIUS Federation access point – Authentication server (AS) and • Use RADIUS with federation supplicant share a protected access – Members of one organization can The WPS hack credential (PAC) (shared secret) authenticate to the network of another • December 2011 - WPS has a design flaw • Supplicant receives the PAC organization – It was built wrong from the beginning • Supplicant and AS mutually authenticate – Use their normal credentials • PIN is an eight-digit number and • Use 802.1X as the authentication – Really seven digits and a checksum negotiate a Transport Layer Security (TLS) method – Seven digits, 10,000,000 possible tunnel – And RADIUS on the backend - EAP to combinations • User authentication occurs over the TLS authenticate • The WPS process validates each half of tunnel • Driven by eduroam (education roaming) the PIN • Need a RADIUS server – Educators can use their normal – First half, 4 digits. Second half, 3 digits. – Provides the authentication database authentication when visiting a different – First half, 10,000 possibilities, and campus second half, 1,000 possibilities EAP-FAST services – https://www.eduroam.org/ • It takes about four hours to go through 3.4 - Installing Wireless Networks all of them PEAP Site surveys – Most devices never considered a lockout • Protected Extensible Authentication • Determine existing wireless landscape function Protocol – Sample the existing wireless spectrum – Brute force lockout features are now the – Protected EAP • Identify existing access points norm – Created by Cisco, Microsoft, and RSA – You may not control all of them Security • Work around existing frequencies 3.4 - Wireless Authentication Protocols • Also encapsulates EAP in a TLS tunnel – Layout and plan for interference Wireless authentication – AS uses a digital certificate instead of a • Plan for ongoing site surveys • We’ve created many authentication PAC – Things will certainly change methods – Client doesn’t use a certificate • Heat maps - Identify wireless signal through the years • User authenticates with MSCHAPv2 strengths – A network administrator has many – Authenticates to Microsoft’s MS- choices • Use a username and password CHAPv2 databases Wireless survey tools – Other factors can be included • User can also authenticate with a GTC • Signal coverage • Commonly used on wireless networks – – Generic Token Card, hardware token • Potential interference Also works on wired networks generator • Built-in tools • 3rd-party tools EAP EAP-TLS • Spectrum analyzer • Extensible Authentication Protocol (EAP) • EAP Transport Layer Security – An authentication framework – Strong security, wide adoption Wireless packet analysis • Many different ways to authenticate – Support from most of the industry • Wireless networks are incredibly easy to based on • Requires digital certificates on the AS monitor RFC standards and – Everyone “hears” everything – Manufacturers can build their own EAP all other devices • You have to be quiet methods – AS and supplicant exchange certificates – You can’t hear the network if you’re • EAP integrates with 802.1X for busy transmitting – Prevents access to the network until the mutual authentication • Some network drivers won’t capture authentication succeeds – TLS tunnel is then built for the user wireless information authentication process – You’ll need specialized IEEE 802.1X • Relatively complex implementation adapters/chipsets and drivers • IEEE 802.1X – Need a public key infrastructure (PKI) • View wireless-specific information – Port-based Network Access Control – Must deploy and manage certificates to – Signal-to-noise ratio, channel (NAC) all wireless clients information, etc. • Try it yourself! - – You don’t get access to the network – Not all devices can support the use of https://www.wireshark.org until you digital certificates Channel selection and overlaps • On-path attack – USB, Lightning, or proprietary on your • Overlapping channels – Modify and/or monitor data phone – Frequency conflicts - use non- • Denial of service • Physical access is always a concern overlapping channels – Frequency interference – May be easier to gain access than over a – Automatic or manual configurations remote connection Bluetooth • A locked device is relatively secure Access point placement • High speed communication over short – Always auto-lock • Minimal overlap distances • Mobile phones can also exfiltrate – Maximize coverage, minimize the – PAN (Personal Area Network) – Phone can appear to be a USB storage number of access points • Connects our mobile devices device • Avoid interference – Smartphones, tethering, headsets and – Electronic devices (microwaves) headphones, health monitors, automobile Global Positioning System (GPS) – Building materials and • Created by the U.S. Department of – Third-party wireless networks phone integration, smartwatches, Defense • Signal control external speakers – Over 30 satellites currently in orbit – Place APs where the users are • Precise navigation – Avoid excessive signal distance RFID (Radio-frequency identification) – Need to see at least 4 satellites • It’s everywhere • Determines location based on timing Wireless infrastructure security – Access badges differences • Wireless controllers – Inventory/Assembly line tracking – Longitude, latitude, altitude – Centralized management of wireless – Pet/Animal identification • Mobile device location services and access points – Anything that needs to be tracked geotracking – Manage system configuration and • Radar technology – Maps, directions performance – Radio energy transmitted to the tag – Determine physical location based on • Securing wireless controllers – RF powers the tag, ID is transmitted GPS, – Control access to management console back – WiFi, and cellular towers – Use strong encryption with HTTPS – Bidirectional communication – Automatic logout after no activity – Some tag formats can be 3.5 - Mobile Device Management • Securing access points active/powered Mobile Device Management (MDM) – Use strong passwords • Manage company-owned and user- – Update to the latest firmware Near field communication (NFC) owned mobile devices • Two-way wireless communication – BYOD - Bring Your Own Device 3.5 - Mobile Networks – Builds on RFID • Centralized management of the mobile Point-to-point • Payment systems devices • One-to-one connection – Google wallet, Apple Pay – Specialized functionality – Conversation between two devices • Bootstrap for other wireless • Set policies on apps, data, camera, etc. • Connections between buildings – NFC helps with Bluetooth pairing – Control the remote device – Point-to-point network links • Access token, identity “card” – The entire device or a “partition” • Wi-Fi repeaters – Short range with encryption support • Manage access control – Extend the length of an existing network – Force screen locks and PINs on these NFC security concerns single user devices Point-to-multipoint • Remote capture • One of the most popular communication – It’s a wireless network Application management methods 802.11 wireless – 10 meters for active devices • Managing mobile apps are a challenge • Does not imply full connectivity • Frequency jamming - Denial of service – Mobile devices install apps constantly between nodes • Relay / Replay attack - Man in the • Not all applications are secure middle – And some are malicious Cellular networks • Loss of RFC device control - Stolen/lost – Android malware is a rapidly growing • Mobile devices phone security concern – “Cell” phones • Manage application use through allow • Separate land into “cells” IR (Infrared) lists – Antenna coverages a cell with certain • Included on many smartphones, tablets, – Only approved applications can be frequencies and smartwatches installed • Security concerns – Not really used much for printing – Managed through the MDM – Traffic monitoring • Control your entertainment center • A management challenge – Location tracking – Almost exclusively IR – New applications must be checked and – Worldwide access to a mobile device • File transfers are possible added • Other phones can be used to control Wi-Fi your IR devices Content management • Local network access • Mobile Content Management (MCM) – Local security problems USB (Universal Serial Bus) – Secure access to data, protect data from • Same security concerns as other Wi-Fi • Physical connectivity to your mobile outsiders devices device • File sharing and viewing • Data capture – USB to your computer – On-site content (Microsoft Sharepoint, – Encrypt your data! file servers) – Cloud-based storage (Box, Office 365) – Only the company information is • Data sent from the mobile device Passwords and PINs deleted – DLP (Data Loss Prevention) prevents • The universal help desk call – Personal data is retained copy/paste of sensitive data – I need to reset my password – Keep your pictures, video, music, email, – Ensure data is encrypted on the mobile • Mobile devices use multiple etc. device authentication methods • Managed from the mobile device – Password/passphrase, PINs, patterns Full device encryption manager (MDM) • Recovery process can be initiated from • Scramble all of the data on the mobile the device Remote wipe – Even if you lose it, the contents are safe • Remove all data from your mobile MDM • Devices handle this in different ways device – Password reset option is provided on – Strongest/stronger/strong ? – Even if you have no idea where it is the • Encryption isn’t trivial – Often managed from the MDM mobile device – Uses a lot of CPU cycles • Connect and wipe from the web – “What is the name of your favorite car – Complex integration between hardware – Nuke it from anywhere maiden and software • Need to plan for this cat’s color?” • Don’t lose or forget your password! – Configure your mobile device now • MDM also has full control – There’s no recovery • Always have a backup – Completely remove all security controls – Often backed up on the MDM – Your data can be removed at any time – Not the default or best practice – As you are walking out the door 3.5 - Mobile Device Security Biometrics MicroSD HSM Geolocation • You are the authentication factor • Shrink the PCI Express • Precise tracking details - Tracks within – Fingerprint, face – Hardware Security Module - Now in a feet • May not be the most secure microSD card form • Can be used for good (or bad) authentication factor • Provides security services – Find your phone, find you – Useful in some environments – Encryption, key generation, digital • Most phones provide an option to – Completely forbidden in others signatures, disable • Availability is managed through the authentication – Limits functionality of the phones MDM • Secure storage • May be managed by the MDM – Organization determines the security of – Protect private keys - Cryptocurrency the device storage Geofencing • Can be managed per-app • Some MDMs allow for geofencing – Some apps require additional biometric Unified Endpoint Management (UEM) – Restrict or allow features when the authentication • Manage mobile and non-mobile devices device is in a particular area – An evolution of the Mobile Device • Cameras Context-aware authentication Manager (MDM) – Might only work when outside the office • Who needs 2FA? • End users use different types of devices • Authentication – The attackers can get around anything – Their use has blended together – Only allow logins when the device is • Authentication can be contextual • Applications can be used across located in a particular area – If it walks like a duck… different platforms • Combine multiple contexts – Work on a laptop and a smartphone Screen lock – Where you normally login (IP address • All of these devices can be used from • All mobile devices can be locked – Where you normally frequent (GPS anywhere – Keep people out of your data information) – User’s don’t stay in one place • Simple passcode or strong passcode – Other devices that may be paired – Numbers vs. Alphanumeric (Bluetooth, etc.) Mobile Application Management (MAM) • Fail too many times? • And others • Provision, update, and remove apps – Erase the phone – An emerging technology – Keep everyone running at the correct • Define a lockout policy – Another way to keep data safe version – Create aggressive lockout timers • Create an enterprise app catalog – Completely lock the phone Containerization – Users can choose and install the apps • Difficult to separate personal from they need Push notification services business • Monitor application use • Information appears on the mobile – Especially when the device is BYOD – Apps used on a device, devices with device screen – Owned by the employee unauthorized apps – The notification is “pushed” to your • Separate enterprise mobile apps and • Remotely wipe application data device data – Securely manage remote data • No user intervention – Create a virtual “container” for company – Receive notifications from one app data SEAndroid when using a completely different app – A contained area - limit data sharing • Security Enhancements for Android • Control of displayed notifications can be – Storage segmentation keeps data – SELinux (Security-Enhanced Linux) managed from the MDM separate in the Android OS – Or notifications can be pushed from the • Easy to manage offboarding – Supports access control security policies MDM • A project from the US National Security • The operating system of a mobile device – From a security perspective, it’s too Agency (NSA) is convenient – Based on the NSA’s SELinux constantly changing - Similar to a desktop • Addresses a broad scope of system computer Recording microphone security • Updates are provided over the air (OTA) • Audio recordings – Kernel, userspace, and policy – No cable required – There are microphones on every mobile configuration • Security patches or entire operating device • Enabled by default with Android version system updates • Useful for meetings and note taking 4.3 – Significant changes without connecting – A standard for college classes – July 2013 the device • A legal liability – Protect privileged Android system • This may not be a good thing – Every state has different laws daemons – The MDM can manage what OTA – Every situation is different – Prevent malicious activity updates are allowed • Disable or geo-fence - Manage from the • Change from Discretionary Access MDM Control (DAC) to Mandatory Access Camera use Control (MAC) • Cameras are controversial Geotagging / GPS tagging – Move from user-assigned control to – They’re not always a good thing • Your phone knows where you are object labels and minimum user access – Corporate espionage, inappropriate use – Location Services, GPS – Isolates and sandboxes Android apps • Almost impossible to control on the • Adds your location to document • Centralized policy configuration device metadata – Manage Android deployments – No good way to ensure the camera – Longitude, latitude - Photos, videos, etc. won’t be used • Every document may contain geotagged 3.5 - Mobile Device Enforcement • Camera use can be controlled by the information Third-party app stores MDM – You can track a user quite easily • Centralized app clearinghouses – Always disabled • This may cause security concerns – Apple App Store – Enabled except for certain locations – Take picture, upload to social media – Google Play (geo-fencing) • Not all applications are secure WiFi Direct/ad hoc – Vulnerabilities, data leakage SMS/MMS • We’re so used to access points • Not all applications are appropriate for • Short Message Service / Multimedia – SSID configurations business use Messaging Service • The wireless standard includes an ad hoc – Games, instant messaging, etc. – Text messages, video, audio mode • MDM can allow or deny app store use. • Control of data can be a concern – Connect wireless devices directly – Outbound data leaks, financial – Without an access point Rooting/jailbreaking disclosures • WiFi Direct simplifies the process • Mobile devices are purpose-built – Inbound notifications, phishing attempts – Easily connect many devices together systems • MDM can enable or disable SMS/MMS – Common to see in home devices – You don’t need access to the operating – Or only allow during certain timeframes • Simplicity can aid vulnerabilities system or locations – Invisible access to important devices • Gaining access - Android - Rooting / Apple iOS - Jailbreaking External media Hotspot/tethering • Install custom firmware • Store data onto external or removable • Turn your phone into a WiFi hotspot – Replaces the existing operating system drives – Your own personal wireless router • Uncontrolled access – SD flash memory or USB/lightning drives – Extend the cellular data network to all of – Circumvent security features, sideload • Transfer data from flash your devices apps without using an app store – Connect to a computer to retrieve • Dependent on phone type and provider – The MDM becomes relatively useless • This is very easy to do – May require additional charges and data – Limit data written to removable drives costs Carrier unlocking – Or prevent the use of them from the • May provide inadvertent access to an • Most phones are locked to a carrier MDM internal network – You can’t use an AT&T phone on Verizon – Ensure proper security / passcode – Contract with a carrier subsidizes the USB OTG cost of the phone • USB On-The-Go - Connect devices Payment methods • You can unlock the phone directly together • Send small amounts of data wirelessly – If your carrier allows it – No computer required, only a cable over – A carrier lock may be illegal in your • The mobile device can be both a host a limited area (NFC) country and a device – Built into your phone • Security revolves around connectivity – Read from an external device, then act – Payment systems, transportation, in- – Moving to another carrier can as person circumvent the MDM a storage device itself information exchange – Preventing a SIM unlock may not be – No need for a third-party storage device • A few different standards possible on a personal device • A USB 2.0 standard - Commonly seen on – Apple Pay, Android Pay, Samsung Pay Android devices • Bypassing primary authentication would Firmware OTA updates • Extremely convenient allow payment – Use proper security - or disable – Each AZ has independent power, HVAC, – One permission mistake can cause a completely and networking data breach • Build applications to be highly available – Accenture, Uber, US Department of 3.5 - Mobile Deployment Models (HA) Defense BYOD – Run as active/standby or active/active • Public access • Bring Your Own Device / Bring Your Own – Application recognizes an outage and – Should not usually be the default Technology moves to the other AZ • Many different options • Employee owns the device • Use load balancers to provide seamless – Identity and Access Management (IAM) – Need to meet the company’s HA – Bucket policies requirements – Users don’t experience any application – Globally blocking public access • Difficult to secure issues – Don’t put data in the cloud unless it – It’s both a home device and a work really device Resource policies needs to be there – How is data protected? • Identity and access management (IAM) – What happens to the data when a – Who gets access, what they get access Encryption device is to • Cloud data is more accessible than non- sold or traded in? • Map job functions to roles cloud data – Combine users into groups – More access by more people COPE • Provide access to cloud resources • Server-side encryption • Corporate owned, personally enabled – Set granular policies - Group, IP address, – Encrypt the data in the cloud – Company buys the device date and time – Data is encrypted when stored on disk – Used as both a corporate device and a • Centralize user accounts, synchronize • Client-side encryption personal device across all platforms – Data is already encrypted when it’s sent • Organization keeps full control of the to the cloud device Secrets management – Performed by the application – Similar to company-owned laptops and • Cloud computing includes many secrets • Key management is critical desktops – API keys, passwords, certificates • Information is protected using corporate • This can quickly become overwhelming Replication policies – Difficult to manage and protect • Copy data from one place to another – Information can be deleted at any time • Authorize access to the secrets – Real-time data duplication in multiple • CYOD - Choose Your Own Device – Limit access to the secret service locations – Similar to COPE, but with the user’s • Manage an access control policy • Disaster recovery, high availability choice of device – Limit users to only necessary secrets – Plan for problems • Provide an audit trail – Maintain uptime if an outage occurs Corporate owned – Know exactly who accesses secrets and – Hot site for disaster recovery • The company owns the device when • Data analysis – And controls the content on the device – Analytics, big data analysis • The device is not for personal use Integration and auditing • Backups – You’ll need to buy your own device for • Integrate security across multiple – Constant duplication of data home platforms • Very specific security requirements – Different operating systems and 3.6 - Securing Cloud Networks – Not able to mix business with home use applications Cloud Networks • Consolidate log storage and reporting • Connect cloud components VDI/VMI – Cloud-based Security Information and – Connectivity within the cloud • Virtual Desktop Infrastructure / Virtual Event – Connectivity from outside the cloud Mobile Management (SIEM) • Users communicate to the cloud Infrastructure • Auditing - Validate the security controls – From the public Internet – The apps are separated from the mobile – Verify compliance with financial and – Over a VPN tunnel device user data • Cloud devices communicate between – The data is separated from the mobile each other device 3.6 - Securing Cloud Storage – Cloud-based network • Data is stored securely, centralized Cloud storage – East/west and north/south • Physical device loss - Risk is minimized • Data is on a public cloud communication • Centralized app development – But may not be public data – No external traffic flows – Write for a single VMI platform • Access can be limited • Applications are managed centrally – And protected Virtual networks – No need to update all mobile devices • Data may be required in different • A cloud contains virtual devices geographical locations – Servers, databases, storage devices 3.6 - Cloud Security Controls – A backup is always required • Virtual switches, virtual routers HA across zones • Availability is always important – Build the network from the cloud • Availability zones (AZ) – Data is available as the cloud changes? console – Isolated locations within a cloud region – The same configurations as a physical (geographical location) Permissions device – AZ commonly spans across multiple • A significant cloud storage concern • The network changes with the rest of regions the infrastructure – On-demand – Individual addresses – How do you keep everything secure? – Rapid elasticity – CIDR block notation – The organization already has well- – IPv4 or IPv6 defined Public and private subnets security policies • Private cloud Dynamic resource allocation • How do you make your security policies – All internal IP addresses • Provision resources when they are work in the cloud? – Connect to the private cloud over a VPN needed – Integrate a CASB – No access from the Internet – Based on demand - Provisioned – Implemented as client software, local • Public cloud automatically security – External IP addresses • Scale up and down appliances, or cloud-based security – Connect to the cloud from anywhere – Allocate compute resources where and solutions • Hybrid cloud when they are needed • Visibility – Combine internal cloud resources with – Rapid elasticity – Determine what apps are in use external – Pay for only what’s used – Are they authorized to use the apps? – May combine both public and private • Ongoing monitoring • Compliance subnets – If CPU utilization hits a particular – Are users complying with HIPAA? PCI? threshold, provision a new application • Threat prevention Segmentation instance – Allow access by authorized users, • The cloud contains separate VPCs, prevent attacks containers, Instance awareness • Data security and microservices • Granular security controls – Ensure that all data transfers are – Application segmentation is almost – Identify and manage very specific data encrypted guaranteed flows – Protect the transfer of PII with DLP • Separation is a security opportunity – Each instance of a data flow is different – Data is separate from the application • Define and set policies Application security – Add security systems between – Allow uploads to the corporate box.com • Secure cloud-based applications application file share – Complexity increases in the cloud components • Corporate file shares can contain PII • Application misconfigurations • Virtualized security technologies • Any department can upload to the – One of the most common security issues – Web Application Firewall (WAF) corporate file share – Especially cloud storage – Next-Generation Firewall (NGFW) – Deny certain uploads to a personal • Authorization and access • Intrusion Prevention System (IPS) box.com file share – Controls should be strong enough for • Allow graphics files access API inspection and integration • Deny any spreadsheet from anywhere • Microservice architecture is the • Deny files containing credit card • API security - Attackers will try to exploit underlying application engine numbers interfaces and APIs – A significant security concern • Quarantine the file and send an alert • API calls can include risk Next-Gen Secure Web Gateway (SWG) – Attempts to access critical data Virtual private cloud endpoints • Protect users and devices – Geographic origin • Microservice architecture is the VPC – Regardless of location and activity – Unusual API calls gateway endpoints • Go beyond URLs and GET requests • API monitoring – Allow private cloud subnets to – Examine the application API – View specific API queries communicate to other cloud services – Dropbox for personal use or corporate – Monitor incoming and outgoing data • Keep private resources private use? – Internet connectivity not required • Examine JSON strings and API requests 3.6 - Securing Compute Clouds • Add an endpoint to connect VPC – Allow or disallow certain activities Compute cloud instances resources • Instance-aware security • The IaaS component for the cloud – A development instance is different than computing Container security production environment • Containers have similar security – Amazon Elastic Compute Cloud (EC2) concerns as any other application 3.6 - Cloud Security Solutions (continued) – Google Compute Engine (GCE) deployment method Firewalls in the cloud – Microsoft Azure Virtual Machines – Bugs, insufficient security controls, • Control traffic flows in the cloud • Manage computing resources misconfigurations – Inside the cloud and external flows – Launch a VM or container • Use container-specific operating • Cost – Allocate additional resources systems – Relatively inexpensive compared to – Disable/remove a VM or container – A minimalist OS designed for containers appliances • Group container types on the same host – Virtual firewalls Security groups – The same purpose, sensitivity, and – Host-based firewalls • A firewall for compute instances threat posture • Segmentation – Control inbound and outbound traffic – Limit the scope of any intrusion – Between microservices, VMs, or VPCs flows • OSI layers • Layer 4 port number 3.6 - Cloud Security Solutions – Layer 4 (TCP/UDP), Layer 7 (Application) – TCP or UDP port Cloud access security broker (CASB) • Layer 3 address • Clients are at work, data is in the cloud Security controls • Cloud-native security controls – Public/private keys - Critical for – Not the default - Removed from – Integrated and supported by the cloud automation Windows 10 build 10159 provider • Key management is critical – Many configuration options – Centralize, control, and audit key use Service accounts – Security is part of the infrastructure • SSH key managers - Open source, • Used exclusively by services running on – No additional costs Commercial a computer • Third-party solutions – No interactive/user access (ideally) – Support across multiple cloud providers SSH key-based authentication – Web server, database server, etc. – Single pane of glass • Create a public/private key pair • Access can be defined for a specific – Extend policies outside the scope of the – ssh-keygen service cloud provider • Copy the public key to the SSH server – Web server rights and permissions will – More extensive reporting – ssh-copy-id user@host be different than a database server • Try it out • Commonly use usernames and 3.7 - Identity Controls – ssh user@host passwords Identity provider (IdP) – No password prompt! – You’ll need to determine the best policy • Who are you? for – A service needs to vouch for you 3.7 - Account Types password updates – Authentication as a Service User accounts • A list of entities • An account on a computer associated Privileged accounts – Users and devices with a • Elevated access to one or more systems • Commonly used by SSO applications or specific person – Administrator, Root an – The computer associates the user with a • Complete access to the system authentication process specific identification number – Often used to manage hardware, – Cloud-based services need to know who • Storage and files can be private to that drivers, and you are user software installation • Uses standard authentication methods – Even if another person is using the same • This account should not be used for – SAML, OAuth, OpenID Connect, etc. computer normal • No privileged access to the operating administration Attributes system – User accounts should be used • An identifier or property of an entity – Specifically not allowed on a user • Needs to be highly secured – Provides identification account – Strong passwords, 2FA • Personal attributes • This is the account type most people will – Scheduled password changes – Name, email address, phone number, use Employee ID – Your user community 3.7 - Account Policies • Other attributes Account policies – Department name, job title, mail stop Shared and generic accounts • Control access to an account • One or more attributes can be used for • Shared account – It’s more than just username and identification – Used by more than one person password – Combine them for more detail – Guest login, anonymous login – Determine what policies are best for an • Very difficult to create an audit trail organization Certificates – No way to know exactly who was • The authentication process • Digital certificate - Assigned to a person working – Password policies, authentication factor or device – Difficult to determine the proper policies, other considerations • Binds the identity of the certificate privileges • Permissions after login - Another line of owner to a • Password management becomes defense public and private key difficult – Encrypt data, create digital signatures – Password changes require notifying Perform routine audits • Requires an existing public-key everyone • Is everything following the policy? infrastructure (PKI) – Difficult to remember so many password – You have to police yourself – The Certificate Authority (CA) is the changes • It’s amazing how quickly things can trusted entity – Just write it down on this yellow sticky change – The CA digitally signs the certificates paper – Make sure the routine is scheduled • Best practice: Don’t use these accounts • Certain actions can be automatically Tokens and cards Guest accounts identified • Smart card • Access to a computer for guests – Consider a tool for log analysis – Integrates with devices - may require a – No access to change settings, modify PIN applications, view other user’s files, and Auditing • USB token - Certificate is on the USB more • Permission auditing device – Usually no password – Does everyone have the correct • This brings significant security permissions? SSH keys challenges – Some Administrators don’t need to be • Secure Shell (SSH) - Secure terminal – Access to the userspace is one step there communication closer to an exploit – Scheduled recertification • Use a key instead of username and • Must be controlled • Usage auditing - How are your resources password used? – Are your systems and applications Password keys 3.8 - PAP and CHAP secure? • Hardware-based authentication PAP (Password Authentication Protocol) – Something you have • A basic authentication method Password complexity and length • Helps prevent unauthorized logins and – Used in legacy operating systems • Make your password strong - Resist account takeovers – Rare to see singularly used brute-force attack – The key must be present to login • PAP is in the clear • Increase password entropy • Doesn’t replace other factors – Weak authentication scheme – No single words, no obvious passwords – Passwords are still important – Non-encrypted password exchange • What’s the name of your dog? – We didn’t require encryption on analog – Mix upper and lower case and use Password vaults dialup lines special characters • Password managers – The application would need to provide • Don’t replace a o with a 0, t with a 7 – All passwords in one location any encryption • Stronger passwords are at least 8 – A database of credentials characters • Secure storage CHAP – Consider a phrase or set of words – All credentials are encrypted • Challenge-Handshake Authentication • Prevent password reuse – Cloud-based synchronization options Protocol – System remembers password history, • Create unique passwords – Encrypted challenge sent over the requires – Passwords are not the same across sites network unique passwords • Personal and enterprise options • Three-way handshake – Corporate access – After link is established, server sends a Account lockout and disablement challenge • Too many incorrect passwords will cause Trusted Platform Module (TPM) – Client responds with a password hash a lockout • A specification for cryptographic calculated from the challenge and the – Prevents online brute force attacks functions password – This should be normal for most user – Hardware to help with all of this – Server compares received hash with accounts encryption stuff stored hash – This can cause big issues for service • Cryptographic processor • Challenge-Response continues accounts – Random number generator, key – Occurs periodically during the • You might want this generators connection • Disabling accounts • Persistent memory – User never knows it happens – Part of the normal change process – Comes with unique keys burned in – You don’t want to delete accounts during production MS-CHAP • At least not initially • Versatile memory • Microsoft’s implementation of CHAP • May contain important decryption keys – Storage keys, hardware configuration – Used commonly on Microsoft’s information – Point-to-Point Tunneling Protocol (PPTP) Location-based policies • Password protected – MS-CHAP v2 is the more recent version • Network location – No dictionary attacks • Security issues related to the use of DES – Identify based on IP subnet – Relatively easy to brute force the 256 – Can be difficult with mobile devices Hardware Security Module (HSM) possible keys to decrypt the NTLM hash • Geolocation - determine a user’s • High-end cryptographic hardware – Don’t use MS-CHAP! location – Plug-in card or separate hardware – Consider L2TP, IPsec, 802.1X or some – GPS - mobile devices, very accurate device other secure authentication method – 802.11 wireless, less accurate • Key backup – IP address, not very accurate – Secured storage 3.8 - Identity Access Services • Geofencing • Cryptographic accelerators RADIUS (Remote Authentication Dial-in – Automatically allow or restrict access – Offload that CPU overhead from other User Service) when the user is in a particular location devices • One of the more common AAA protocols – Don’t allow this app to run unless you’re • Used in large environments – Supported on a wide variety of near the office – Clusters, redundant powers platforms and devices • Geotagging – Not just for dial-in – Add location metadata to a document or Knowledge-based authentication (KBA) • Centralize authentication for users file • Use personal knowledge as an – Routers, switches, firewalls, server – Latitude and longitude, distance, time authentication factor authentication, remote VPN access, stamps – Something you know 802.1X network access • Location-based access rules • Static KBA • RADIUS services available on almost any – Your IP address is associated with an IP – Pre-configured shared secrets server OS block in Russia – Often used with account recovery – We don’t have an office in Russia – What was the make and model of your TACACS – You were in Colorado Springs an hour first car? • Terminal Access Controller ago • Dynamic KBA – Access-Control System – Permission not granted – Questions are based on an identity – Remote authentication protocol • Time-based access rules verification service – Created to control access to dial-up lines – Nobody needs to access the lab at 3 AM – What was your street number when you to ARPANET lived in Pembroke Pines, Florida? • XTACACS (Extended TACACS) 3.8 - Authentication Management – A Cisco-created (proprietary) version of – Extensible Authentication Protocol • The operating system limits the TACACS – 802.1X prevents access to the network operation on an object – Additional support for accounting and until the authentication succeeds – Based on security clearance levels auditing • Used in conjunction with an access • Every object gets a label • TACACS+ database – Confidential, secret, top secret, etc. – The latest version of TACACS, not – RADIUS, LDAP, TACACS+ • Labeling of objects uses predefined rules backwards – The administrator decides who gets compatible 3.8 - Federated Identities access to – More authentication requests and Federation what security level response codes • Provide network access to others – Users cannot change these settings – Released as an open standard in 1993 – Not just employees - Partners, suppliers, customers, etc. Discretionary Access Control (DAC) Kerberos – Provides SSO and more • Used in most operating systems • Network authentication protocol • Third-parties can establish a federated – A familiar access control model – Authenticate once, trusted by the network • You create a spreadsheet system – Authenticate and authorize between the – As the owner, you control who has – No need to re-authenticate to two access everything organizations – You can modify access at any time – Mutual authentication - the client and – Login with your Facebook credentials • Very flexible access control the server • The third-parties must establish a trust – And very weak security – Protect against on-path or replay attacks relationship • Standard since the 1980s – And the degree of the trust Role-based access control (RBAC) – Developed by the Massachusetts • You have a role in your organization Institute of Security Assertion Markup Language – Manager, director, team lead, project Technology (MIT) (SAML) manager • Microsoft starting using Kerberos in • Open standard for authentication and • Administrators provide access based on Windows 2000 authorization the role of the user – Based on Kerberos 5.0 open standard – You can authenticate through a third- – Rights are gained implicitly instead of – Compatible with other operating party to gain access explicitly systems and devices – One standard does it all, sort of • In Windows, use Groups to provide role- • Not originally designed for mobile apps based SSO with Kerberos – This has been SAML’s largest roadblock access control • Authenticate one time – You are in shipping and receiving, so you – Lots of backend ticketing OAuth can – Cryptographic tickets • Authorization framework use the shipping software • No constant username and password – Determines what resources a user will – You are the manager, so you can review input! be shipping logs – Save time able to access • Only works with Kerberos • Created by Twitter, Google, and many Attribute-based access control (ABAC) – Not everything is Kerberos-friendly others • Users can have complex relationships to • There are many other SSO methods – Significant industry support applications and data – Smart-cards, SAML, etc. • Not an authentication protocol – Access may be based on many different – OpenID Connect handles the single sign- criteria RADIUS, TACACS+, or Kerberos? on • ABAC can consider many parameters • Three different ways to communicate to authentication – A “next generation” authorization model an – OAuth provides authorization – Aware of context authentication server between applications • Combine and evaluate multiple – More than a simple login process • Relatively popular parameters • Often determined by what is at hand – Used by Twitter, Google, Facebook, – Resource information, IP address, time – VPN concentrator can talk to a RADIUS – LinkedIn, and more of day, desired action, relationship to the server data, etc. – We have a RADIUS server 3.8 - Access Control • TACACS+ Access control Rule-based access control – Probably a Cisco device • Authorization • Generic term for following rules • Kerberos – The process of ensuring only authorized – Conditions other than who you are – Probably a Microsoft network rights are exercised • Access is determined through system- • Policy enforcement enforced rules IEEE 802.1X – The process of determining rights – System administrators, not users • IEEE 802.1X • Policy definition • The rule is associated with the object – Port-based Network Access Control • Users receive rights based on – System checks the ACLs for that object (NAC) – Access Control models • Rule examples – You don’t get access to the network – Different business needs or mission – Lab network access is only available until you requirements between 9 and 5 authenticate – Only Chrome browsers may complete • EAP integrates with 802.1X Mandatory Access Control (MAC) this web form • Distribution • The entity requesting the certificate File system security – Make the key available to the user needs to be verified • Store files and access them • Storage – The RA identifies and authenticates the – Hard drive, SSDs, flash drives, DVDs, part – Securely store and protect against requester of most OSs unauthorized use • Approval or rejection • Accessing information • Revocation – The foundation of trust in this model – Access control list – Manage keys that have been • Also responsible for revocations – Group/user rights and permissions compromised – Administratively revoked or by request – Can be centrally administered and/or • Expiration • Manages renewals and re-key requests users can manage files they own – A certificate may only have a certain – Maintains certificates for current cert • The file system handles encryption and “shelf life” holders decryption Digital certificates Important certificate attributes Conditional access • A public key certificate • Common Name (CN) • Difficult to apply old methods of – Binds a public key with a digital – The FQDN (Fully Qualified authentication to new methods of signature – Domain Name) for the certificate working – And other details about the key holder • Subject alternative name – Mobile workforce, many different • A digital signature adds trust – Additional host names for the cert devices, – PKI uses Certificate Authority for – Common on web servers constantly changing cloud additional trust – professormesser.com and • Conditions – Web of Trust adds other users for www.professormesser.com – Employee or partner, location, type of additional trust • Expiration application accessed, device • Certificate creation can be built into the – Limit exposure to compromise • Controls OS – 398 day browser limit (13 months) – Allow or block, require MFA, provide – Part of Windows Domain services limited access, require password reset – 3rd-party Linux options Key revocation • Administrators can build complex access • Certificate Revocation List (CRL) rules Commercial certificate authorities – Maintained by the Certificate Authority – Complete control over data access • Built-in to your browser (CA) – Any browser • Many different reasons Privileged access management (PAM) • Purchase your web site certificate – Changes all the time • Managing superuser access – It will be trusted by everyone’s browser • April 2014 - CVE-2014-0160 – Administrator and Root • Create a key pair, send the public key to – Heartbleed – You don’t want this in the wrong hands the CA to be signed – OpenSSL flaw put the private key of • Store privileged accounts in a digital – A certificate signing request (CSR) affected vault • May provide different levels of trust and web servers at risk – Access is only granted from the vault by additional features – OpenSSL was patched, every web server request – Add a new “tag” to your web site certificate was replaced – These privileges are temporary – Older certificates were moved to the • PAM advantages Private certificate authorities CRL – Centralized password management • You are your own CA – Enables automation – Build it in-house Getting revocation details to the browser – Manage access for each user – Your devices must trust the internal CA • OCSP (Online Certificate Status Protocol) – Extensive tracking and auditing • Needed for medium-to-large – The browser can check certificate organizations revocation 3.9 - Public Key Infrastructure – Many web servers and privacy • Messages usually sent to an OCSP Public Key Infrastructure (PKI) requirements responder via HTTP • Policies, procedures, hardware, • Implement as part of your overall – Easy to support over Internet links software, people computing strategy • Not all browsers/apps support OCSP – Digital certificates: create, distribute, – Windows Certificate Services, OpenCA – Early Internet Explorer versions did not manage, support OCSP store, revoke PKI trust relationships – Some support OCSP, but don’t bother • This is a big, big, endeavor • Single CA checking – Lots of planning – Everyone receives their certificates from 3.9 - Certificates • Also refers to the binding of public keys one authority Web server SSL certificates to people or devices • Hierarchical • Domain validation certificate (DV) – The certificate authority – Single CA issues certs to intermediate – Owner of the certificate has some – It’s all about trust CAs control over a DNS domain – Distributes the certificate management • Extended validation certificate (EV) The key management lifecycle load – Additional checks have verified the • Key generation – Easier to deal with the revocation of an certificate – Create a key with the requested intermediate CA than the root CA owner’s identity strength using the proper cipher – Browsers used to show a green name on • Certificate generation Registration authority (RA) the – Allocate a key to a user address bar – Promoting the use of SSL is now – Often devices that you’ll never – Letters and numbers outdated physically see – Easy to email, readable • Subject Alternative Name (SAN) • How can you truly authenticate a – Extension to an X.509 certificate device? PKCS #12 – Lists additional identification – Put a certificate on the device that you • Public Key Cryptography Standards #12 information signed – Personal Information Exchange Syntax – Allows a certificate to support many • Other business processes rely on the Standard different domains certificate – Developed by RSA Security, now an RFC • Wildcard domain – Access to the remote access standard – Certificates are based on the name of – VPN from authorized devices • Container format for many certificates the server – Management software can validate the – Store many X.509 certificates in a single – A wildcard domain will apply to all end device .p12 or .pfx file server names in a domain – Often used to transfer a private and – *.professormesser.com Email certificates public key pair • Use cryptography in an email platform – The container can be password Code signing certificate – You’ll need public key cryptography protected • Developers can provide a level of trust • Encrypting emails • Extended from Microsoft’s .pfx format – Applications can be signed by the – Use a recipient’s public key to encrypt – Personal Information Exchange (PFX) developer • Receiving encrypted emails – The two standards are very similar • The user’s operating system will – Use your private key to decrypt – Often referenced interchangeably examine • Digital signatures the signature – Use your private key to digitally sign an CER (Certificate) – Checks the developer signature email • Primarily a Windows X.509 file extension – Validates that the software has not been – Non-repudiation, integrity – Can be encoded as binary DER format or modified as the ASCII PEM format • Is it from a trusted entity? User certificates • Usually contains a public key – The user will have the opportunity to • Associate a certificate with a user – Private keys would be transferred in the stop the – A powerful electronic “id card” .pfx file format application execution • Use as an additional authentication • Common format for Windows factor certificates Root certificate – Limit access without the certificate – Look for the .cer extension • The public key certificate that identifies • Integrate onto smart cards the root CA (Certificate Authority) – Use as both a physical and digital access PKCS #7 – Everything starts with this certificate card • Public Key Cryptography Standards #7 • The root certificate issues other • Cryptographic Message Syntax Standard certificates 3.9 - Certificate Formats – Associated with the .p7b file – Intermediate CA certificates Certificate file formats • Stored in ASCII format – Any other certificates • X.509 digital certificates – Human-readable • This is a very important certificate – The structure of the certification is • Contains certificates and chain – Take all security precautions standardized certificates – Access to the root certificate allows for – The format of the actual certificate file – Private keys are not included in a .p7b the can take many different forms file creation of any trusted certificate • There are many certificate file formats • Wide platform support – You can convert between many of the – Microsoft Windows Self-signed certificates formats – Java Tomcat • Internal certificates don’t need to be – Use openssl or a similar application to signed by a public CA view the certificate contents Email certificates – Your company is the only one going to • Use cryptography in an email platform use it DER (Distinguished Encoding Rules) – You’ll need public key cryptography – No need to purchase trust for devices • Format designed to transfer syntax for • Encrypting emails that already trust you data structures – Use a recipient’s public key to encrypt • Build your own CA – A very specific encoding format • Receiving encrypted emails – Issue your own certificates signed by – Perfect for an X.509 certificate – Use your private key to decrypt your own CA • Binary format • Digital signatures • Install the CA certificate/trusted chain – Not human-readable – Use your private key to digitally sign an on all devices • A common format email – They’ll now trust any certificates signed – Used across many platforms – Non-repudiation, integrity by – Often used with Java certificates your internal CA User certificates – Works exactly like a certificate you PEM (Privacy-Enhanced Mail) • Associate a certificate with a user purchased • A very common format – A powerful electronic “id card” – BASE64 encoded DER certificate • Use as an additional authentication Machine and computer certificates – Generally the format provided by CAs factor • You have to manage many devices – Supported on many different platforms – Limit access without the certificate • ASCII format • Integrate onto smart cards – Use as both a physical and digital access information card – Government agencies may need to ipconfig and ifconfig decrypt • Most of your troubleshooting starts with 3.9 - Certificate Concepts partner data your IP address Online and offline CAs – Ping your local router/gateway • A compromised certificate authority It’s all about the process • Determine TCP/IP and network adapter – A very, very bad thing • Need clear process and procedures information – No certificates issued by that CA can be – Keys are incredibly important pieces of – And some additional IP details trusted information •ipconfig – Windows TCP/IP • Distribute the load • You must be able to trust your 3rd-party configuration – Then take the root CA offline and – Access to the keys is at the control of •ifconfig – Linux interface protect it the configuration 3rd-party OCSP stapling • Carefully controlled conditions Nmap • Online Certificate Status Protocol – Legal proceedings and court orders • Network mapper – Provides scalability for OCSP checks – Find and learn more about network • The CA is responsible for responding to Certificate chaining devices all • Chain of trust • Port scan client OCSP requests – List all of the certs between the server – Find devices and identify open ports – This does not scale well and the root CA • Operating system scan • Instead, have the certificate holder • The chain starts with the SSL certificate – Discover the OS without logging in to a verify their own status – And ends with the Root CA certificate device – Status information is stored on the • Any certificate between the SSL • Service scan certificate holder’s server certificate – What service is available on a device? • OCSP status is “stapled” into the SSL/TLS and the root certificate is a chain Name, version, details handshake certificate • Additional scripts – Digitally signed by the CA – Or intermediate certificate – Nmap Scripting Engine (NSE) • The web server needs to be configured • Extend capabilities, vulnerability scans Pinning with • You’re communicating over TLS/SSL to a the proper chain ping server – Or the end user may receive an error • Test reachability – How do you really know it’s a legitimate – Determine round-trip time server? 4.1 - Reconnaissance Tools – Uses Internet Control Message Protocol • “Pin” the expected certificate or public traceroute (ICMP) key to an application • Determine the route a packet takes to a • One of your primary troubleshooting – Compiled in the app or added at first run destination tools • If the expected certificate or public key – Map the entire path – Can you ping the host? doesn’t match, the application can decide •tracert (Windows) or traceroute • Written by Mike Muuss in 1983 what to do (POSIX) – The sound made by sonar – Shut down, show a message • Takes advantage of ICMP Time to Live – Not an acronym for Packet INternet Exceeded error message Groper PKI trust relationships – The time in TTL refers to hops, not – A backronym • Single CA seconds or minutes – Everyone receives their certificates from – TTL=1 is the first router, TTL=2 is the pathping one authority second router, etc. • Combine ping and traceroute • Hierarchical • Not all devices will reply with – Included with Windows NT and later – Single CA issues certs to intermediate ICMP Time Exceeded messages • First phase runs a traceroute CAs – Some firewalls filter ICMP – Build a map • Mesh – ICMP is low-priority for many devices • Second phase – Cross-certifying CAs - Doesn’t scale well – Measure round trip time and packet loss • Web-of-trust nslookup and dig at each hop – Alternative to traditional PKI • Lookup information from DNS servers – Canonical names, IP addresses, cache hping • Mutual Authentication timers, etc. • TCP/IP packet assembler/analyzer – Server authenticates to the client and •nslookup – A ping that can send almost anything the client authenticates to the server -Both Windows and POSIX-based – Lookup • Ping a device names and IP addresses – Deprecated – ICMP, TCP, UDP Key escrow (use dig instead) – #hping3 --destport 80 • Someone else holds your decryption •dig or DiG (Domain Information 10.1.10.1 keys Groper) • Send crafted frames – Your private keys are in the hands – More advanced domain information – Modify all IP, TCP, UDP, and ICMP values of a 3rd-party – Probably your first choice • A powerful tool • This can be a legitimate business – Install in Windows: – It’s easy to accidentally flood and DoS arrangement https://professormesser.link/ – Be careful! – A business might need access to employee digwin netstat • Network statistics – A list of email contacts – The tail, or end, or the file – Many different operating systems • DNS brute force – tail [OPTION] … [FILE] … •netstat -a – Find those unknown hosts; vpn, chat, • Use -n to specify the number of lines – Show all active connections mail, partner, etc. – tail -n 5 syslog •netstat -b – Show binaries sn1per cat •netstat -n • Combine many recon tools into a single • Concatenate – Do not resolve names framework – Link together in a series – dnsenum, metasploit, nmap, • Copy a file/files to the screen netcat theHarvester, and much more – cat file1.txt file2.txt • “Read” or “write” to the network • Both non-intrusive and very intrusive • Copy a file/files to another file – Open a port and send or receive some scanning options – cat file1.txt file2.txt > traffic – You choose the volume both.txt • Many different functions • Another tool that can cause problems grep – Listen on a port number – Brute force, server scanning, etc • Find text in a file – Transfer data – Make sure you know what you’re doing – Search through many files at a time – Scan ports and send data to a port •grep PATTERN [FILE] – grep • Become a backdoor scanless failed auth.log – Run a shell from a remote device • Run port scans from a different host • Other alternatives and OSes - Ncat – Port scan proxy chmod • Many different services • Change mode of a file system object IP scanners – Choose the option for scan origination – r=read, w=write, x=execute • Search a network for IP addresses – Your IP is hidden as the scan source – Can also use octal notation – Locate active devices – Set for the file owner (u), the group(g), – Avoid doing work on an IP address that dnsenum others(o), or all(a) isn’t there • Enumerate DNS information – chmod mode FILE • Many different techniques – Find host names – chmod 744 script.sh – ARP (if on the local subnet) • View host information from DNS servers •chmod 744 first.txt – ICMP requests (ping) – Many services and hosts are listed in – User; read, write execute – TCP ACK DNS – Group; read only – ICMP timestamp requests • Find host names in Google – Other; read only • A response means more recon can be – More hosts can probably be found in the •chmod a-w first.txt done index – All users, no writing to first.txt – Keep gathering information - Nmap, •chmod u+x script.sh hping, etc. Nessus – The owner of script.sh can execute the • Industry leader in vulnerability scanning file Address Resolution Protocol – Extensive support • Determine a MAC address based on an – Free and commercial options logger IP address • Identify known vulnerabilities • Add entries to the system log – You need the hardware address to – Find systems before they can be – syslog communicate exploited • Adding to the local syslog file •arp -a • Extensive reporting – logger “This information is – View local ARP table – A checklist of issues added to syslog” route – Filter out the false positives • Useful for including information in a • View the device’s routing table local or remote syslog file – Find out which way the packets will go Cuckoo – Include as part of an automation script • Windows: route print • A sandbox for malware – Log an important event • Linux and macOS: netstat -r – Test a file in a safe environment curl • A virtualized environment 4.1 - Shell and Script Environments • Client URL – Windows, Linux, macOS, Android SSH (Secure Shell) – Retrieve data using a URL • Track and trace • Encrypted console communication - – Uniform Resource Locator – API calls, network traffic, memory tcp/22 – Web pages, FTP, emails, databases, etc. analysis • Looks and acts the same as Telnet • Grab the raw data – Traffic captures – Search – Screenshots Windows PowerShell – Parse • Command line for system administrators – Automate 4.1 - File Manipulation Tools – .ps1 file extension head – Included with Windows 8/8.1 and 10 theHarvester • View the first part of a file • Extend command-line functions • Gather OSINT – The head, or beginning, of the file – Uses cmdlets (command-lets) – Open-Source Intelligence – head [OPTION] … [FILE] … – PowerShell scripts and functions • Scrape information from Google or Bing • Use -n to specify the number of lines – Standalone executables – Find associated IP addresses – head -n 5 syslog • Automate and integrate • List of people from LinkedIn – System administration – Names and titles tail – Active Domain administration • Find PGP keys by email domain • View the last part of a file Python – dd if=/tmp/sda-image.img • Online cracking • General-purpose scripting language of=/dev/sda – Try username/password combinations – .py file extension memdump • Offline cracking • Popular in many technologies • Copy information in system memory to – Brute force a hash file – Broad appeal and support the standard output stream • Limitations – Everything that happens is in memory – Password complexity / strength OpenSSL – Many third-party tools can read a (entropy) • A toolkit and crypto library for SSL/TLS memory dump – Hashing method and CPU power – Build certificates, manage SSL/TLS • Copy to another host across the network – Graphics processors are useful hardware communication – Use netcat, stunnel, openssl, etc. tools • Create X.509 certificates – Manage certificate signing requests Winhex Data sanitization (CSRs) and certificate revocation lists • A universal hexadecimal editor for • Completely remove data (CRLs) Windows OS – No usable information remains • Message digests • Edit disks, files, RAM • Many different use cases – Support for many hashing protocols – Includes data recovery features – Clean a hard drive for future use • Encryption and Decryption • Disk cloning – Permanently delete a single file – SSL/TLS for services – Drive replication • A one-way trip • Much more • Secure wipe – Once it’s gone, it’s really gone – Hard drive cleaning – No recovery with forensics tools 4.1 - Packet Tools • Much more Tcpreplay – A full-featured forensics tool 4.2 - Incident Response Process • A suite of packet replay utilities Security incidents – Replay and edit packet captures FTK imager • User clicks an email attachment and – Open source • Access Data forensic drive imaging tool executes malware • Test security devices – Includes file utilities and read-only – Malware then communicates with – Check IPS signatures and firewall rules image mounting external servers • Test and tune IP Flow/NetFlow devices – Windows executable • DDoS – Send hundreds of thousands of traffic • Widely supported in many forensics – Botnet attack flows tools • Confidential information is stolen per second – Third-party analysis – Thief wants money or it goes public • Evaluate the performance of security • Support for many different file systems • User installs peer-to-peer software and devices and full disk allows external access to internal servers – Test throughput and flows per second encryption methods – Investigator still needs the password Roles and responsibilities tcpdump • Can also import other image formats • Incident response team • Capture packets from the command line – dd, Ghost, Expert Witness, etc. – Specialized group, trained and tested – Display packets on the screen • IT security management – Write packets to a file Autopsy – Corporate support • Perform digital forensics of hard drives, • Compliance officers Wireshark smartphones – Intricate knowledge of compliance rules • Graphical packet analyzer – View and recover data from storage • Technical staff – Get into the details devices – Your team in the trenches • Gathers frames on the network • Extract many different data types • User community – Or in the air – Downloaded files – They see everything • Sometimes built into the device – Browser history and cache – View traffic patterns – Email messages NIST SP800-61 – Identify unknown traffic – Databases • National Institute of Standards and – Verify packet filtering and security – Much more Technology controls – NIST Special Publication 800-61 Rev. 2 • Extensive decodes Exploitation frameworks – Computer Security Incident – View the application traffic • A pre-built toolkit for exploitations – Handling Guide 4.1 - Forensic Tools – Build custom attacks • The incident response lifecycle: dd – Add more tools as vulnerabilities are – Preparation • A reference to the DD command in found – Detection and Analysis – IBM mainframe JCL (Job Control – Increasingly powerful utilities – Containment, Eradication, and Recovery Language) • Metasploit – Post-incident Activity – Data Definition (ASCII to EBCDIC – Attack known vulnerabilities converter) • The Social-Engineer Toolkit (SET) Preparing for an incident • Create a bit-by-bit copy of a drive – Spear phishing, Infectious media • Communication methods – Used by many forensics tools generator – Phones and contact information • Create a disk image • Incident handling hardware and – dd if=/dev/sda of=/tmp/sda- Password crackers software image.img • The keys to the kingdom – Laptops, removable media, forensic • Restore from an image – Find the passwords software, digital cameras, etc. Recovery after an incident Tabletop exercises • Incident analysis resources • Get things back to normal • Performing a full-scale disaster drill can – Documentation, network diagrams, – Remove the bad, keep the good be costly baselines, • Eradicate the bug – And time consuming critical file hash values – Remove malware • Many of the logistics can be determined • Incident mitigation software – Disable breached user accounts through analysis – Clean OS and application images – Fix vulnerabilities – You don’t physically have to go through • Policies needed for incident handling • Recover the system a – Everyone knows what to do – Restore from backups disaster or drill – Rebuild from scratch • Get key players together for a tabletop The challenge of detection – Replace compromised files exercise • Many different detection sources – Tighten down the perimeter – Talk through a simulated disaster – Different levels of detail, different levels of perception Reconstitution Walkthrough • A large amount of “volume” • A phased approach • Include responders – Attacks are incoming all the time – It’s difficult to fix everything at once – A step beyond a tabletop exercise – How do you identify the legitimate • Recovery may take months – Many moving parts threats? – Large-scale incidents require a large • Test processes and procedures before • Incidents are almost always complex amount of work an event – Extensive knowledge needed • The plan should be efficient – Walk through each step – Start with quick, high-value security – Involve all groups Incident precursors changes – Reference actual response materials • An incident might occur in the future • Patches, firewall policy changes • Identifies actual faults or missing steps – This is your heads-up – Later phases involve much “heavier – The walkthrough applies the concepts • Web server log lifting” from the tabletop exercise – Vulnerability scanner in use • Infrastructure changes, large-scale • Exploit announcement security Simulation – Monthly Microsoft patch release, rollouts • Test with a simulated event – Adobe Flash update – Phishing attack, password requests, data • Direct threats Lessons learned breaches – A hacking group doesn’t like you • Learn and improve • Going phishing – No system is perfect – Create a phishing email attack Incident indicators • Post-incident meeting – Send to your actual user community • An attack is underway – Invite everyone affected by the incident – See who bites – Or an exploit is successful • Don’t wait too long • Test internal security • Buffer overflow attempt – Memories fade over time – Did the phishing get past the filter? – Identified by an intrusion – Some recommendations can be applied • Test the users detection/prevention system to the – Who clicked? • Anti-virus software identifies malware next event – Additional training may be required – Deletes from OS and notifies administrator Answer the tough questions Stakeholder management • Host-based monitor detects a • What happened, exactly? • Keeping an good ongoing relationship configuration change – Timestamp of the events with – Constantly monitors system files • How did your incident plans work? customers of IT • Network traffic flows deviate from the – Did the process operate successfully? – These can be internal or external norm • What would you do differently next customers – Requires constant monitoring time? – An incident response will require – Retrospective views provide context teamwork Isolation and containment • Which indicators would you watch next – Without the stakeholder, IT would not • Generally a bad idea to let things run time? exist their course – Different precursors may give you better • Most of this happens prior to an – An incident can spread quickly alerts incident – It’s your fault at that point – Ongoing communication and meetings • Sandboxes 4.2 - Incident Response Planning – Exercises should include the customers – An isolated operating system Exercise • Continues after the incident – Run malware and analyze the results • Test yourselves before an actual event – Prepare for the next event – Clean out the sandbox when done – Scheduled update sessions (annual, • Isolation can be sometimes be semi-annual, etc.) Communication plan problematic • Use well-defined rules of engagement • Get your contact list together – Malware or infections can monitor – Do not touch the production systems – There are a lot of people in the loop connectivity • Very specific scenario • Corporate / Organization – When connectivity is lost, everything – Limited time to run the event – CIO / Head of Information Security / could be • Evaluate response Internal deleted/encrypted/damaged – Document and discuss Response Teams • Internal non-IT – Human resources, public affairs, legal • Response and intelligence teams need – You’ll have to check manually to see if a department assistance system is vulnerable • External contacts – Gather and maintain ongoing – But the scanner gives you a heads-up – System owner, law enforcement reconnaissance – US-CERT (for U.S. Government agencies) • Understand attacks Vulnerability scan results – Many different vectors • Lack of security controls Disaster recovery plan • Assess the risk in an organization – No firewall • If a disaster happens, IT should be ready – Determine if a risk exists – No anti-virus – Part of business continuity planning – Use appropriate mitigation – No anti-spyware – Keep the organization up and running • Misconfigurations • Disasters are many and varied MITRE ATT&CK framework – Open shares – Natural disasters • The MITRE corporation – Guest access – Technology or system failures – US not-for-profit based in • Real vulnerabilities – Human-created disasters Massachusetts and Virginia – Especially newer ones • A comprehensive plan – Supports several U.S. government – Occasionally the old ones – Recovery location agencies – Data recovery method • The MITRE ATT&CK framework Dealing with false positives – Application restoration – https://attack.mitre.org/ • False positives – IT team and employee availability • Determine the actions of an attacker – A vulnerability is identified that doesn’t – Identify point of intrusion really exist Continuity of operations planning (COOP) – Understand methods used to move • This is different than a low-severity • Not everything goes according to plan around vulnerability • Disasters can cause a disruption to the – Identify potential security techniques to – It’s real, but it may not be your highest norm block future attacks priority • We rely on our computer systems • False negatives • Technology is pervasive Diamond Model of Intrusion Analysis – A vulnerability exists, but you didn’t • There needs to be an alternative • Designed by the intelligence community detect it • Manual transactions – • Update to the latest signatures • Paper receipts https://apps.dtic.mil/docs/citations/ADA5 – If you don’t know about it, you can’t see • Phone calls for transaction approvals 86960 it • These must be documented and tested – Guide analysts to help understand • Work with the vulnerability detection before intrusions manufacturer a problem occurs – Integrates well with other frameworks – They may need to update their • Apply scientific principles to intrusion signatures Incident response team analysis for your environment • Receives, reviews, and responds – Measurement, testability, and – A predefined group of professionals repeatability 4.3 - SIEM Dashboards • Determine what type of events require a – Appears simple, but is remarkably SIEM response complex • Security Information and Event – A virus infection? Ransomware? DDoS? • An adversary deploys a capability over Management • May or may not be part of the some – Logging of security events and organizational structure infrastructure against a victim information – Pulled together on an as-needed basis – Use the model to analyze and fill in the • Security alerts • Focuses on incident handling details – Real-time information – Incident response, incident analysis, • Log aggregation and long-term storage incident reporting Cyber Kill Chain – Usually includes advanced reporting • Seven phases of a cyber attack features Retention policies – A military concept • Data correlation • Backup your data – Link diverse data types – How much and where? Copies, versions 4.3 - Vulnerability Scan Output • Forensic analysis of copies, lifecycle of data, purging old Identify vulnerability – Gather details after an event data • The scanner looks for everything • Regulatory compliance – Well, not _everything_ Getting the data – A certain amount of data backup may be – The signatures are the key • Sensors and logs required • The vulnerabilities can be cross- – Operating systems • Operational needs referenced online – Infrastructure devices – Accidental deletion, disaster recovery – Almost all scanners give you a place to – NetFlow sensors • Differentiate by type and application go • Sensitivity settings – Recover the data you need when you – National Vulnerability Database: – Easy to be overwhelmed with data need it http://nvd.nist.gov/ – Some information is unnecessary – Microsoft Security Bulletins: – Informational, Warning, Urgent 4.2 Attack Frameworks – https://docs.microsoft.com/en- Attacks and responses us/security-updates/ Viewing the data • A constantly moving chessboard • Some vulnerabilities cannot be • Trends – The rules are also constantly changing definitively identified – Identify changes over time – Easily view constant attack metrics – Rsyslog -“Rocket-fast System for log • Alerts DNS log files processing” – Identify a security event • View lookup requests – syslog-ng - A popular syslog daemon – View raw data – And other DNS queries with additional filtering and storage – Visualize the log information • IP address of the request options • Correlation – The request FQDN or IP – NXLog - Collection from many diverse – Combine and compare • Identify queries to known bad URLs log types – View data in different ways – Malware sites, known command and control domains Journalctl 4.3 - Log files • Block or modify known bad requests • Linux has a lot of logs Network log files at the DNS server – The OS, daemons, applications, etc. • Switches, routers, access points, VPN – Log the results • System logs are stored in a binary concentrators – Report on malware activity format – And other infrastructure devices – Optimized for storage and queries • Network changes Authentication log files – Can’t read them with a text editor – Routing updates • Know who logged in (or didn’t) • Journalctl provides a method for – Authentication issues – Account names querying the system journal – Network security issues – Source IP address – Search and filter – Authentication method – View as plain text System log files – Success and failure reports • Operating system information • Identify multiple failures Bandwidth monitors – Extensive logs – Potential brute force attacks • The fundamental network statistic – File system information • Correlate with other events – Percentage of network use over time – Authentication details – File transfers • Many different ways to gather this • Can also include security events – Authentications to other devices metric – Monitoring apps – Application installation – SNMP, NetFlow, sFlow, IPFIX protocol – Brute force, file changes analysis, software agent • May require filtering Dump files • Identify fundamental issues – Don’t forward everything • Store all contents of memory into a – Nothing works properly if bandwidth is diagnostic file highly utilized Application log files – Developers can use this info • Specific to the application • Easy to create from the Metadata – Information varies widely – Windows Task Manager • Metadata • Windows - Event Viewer / Application – Right-click, Create dump file – Data that describes other data sources Log • Some applications have their own dump • Email • Linux / macOS - /var/log file process – Header details, sending servers, • Parse the log details on the SIEM – Contact the appropriate support team destination address – Filter out unneeded info for • Mobile - Type of phone, GPS location, additional details • Web - Operating system, browser type, Security log files IP address • Detailed security-related information VoIP and Call Manager logs • Files - Name, address, phone number, – Blocked and allowed traffic flows • View inbound and outbound call info title – Exploit attempts – Endpoint details, gateway – Blocked URL categories communication NetFlow – DNS sinkhole traffic • Security information • Gather traffic statistics from all traffic • Security devices – Authentications, audit trail flows – IPS, firewall, proxy • SIP traffic logs – Shared communication between devices • Critical security information – Session Initiation Protocol • NetFlow – Documentation of every traffic flow – Call setup, management, and teardown – Standard collection method – Summary of attack info – Inbound and outbound calls – Many products and options – Correlate with other logs – Alert on unusual numbers or country • Probe and collector codes – Probe watches network communication Web log files – Summary records are sent to the • Web server access 4.3 - Log Management collector – IP address, web page URL Syslog • Usually a separate reporting app • Access errors • Standard for message logging – Closely tied to the collector – Unauthorized or non-existent – Diverse systems create a consolidated folders/files log IPFIX • Exploit attempts • Usually a central logging receiver • IP Flow Information Export – Attempt to access files containing – Integrated into the SIEM (Security – A newer, NetFlow-based standard known Information and Event Manager) – Evolved from NetFlow v9 vulnerabilities • Each log entry is labeled • Flexible data support • Server activity – Facility code (program that created the – Templates are used to describe the data – Startup and shutdown notices log) and severity level – Restart messages • Syslog daemon options sFlow • sFlow (Sampled Flow) – Only run applications in these folders – Limit the scope of a breach – Only a portion of the actual network • Network zone traffic – The apps can only run from this network SOAR – So, technically not a flow zone • Security Orchestration, Automation, and • Usually embedded in the infrastructure Response – Switches, routers 4.4 - Security Configurations – Integrate third-party tools and data – Sampling usually occurs in Configuration changes sources hardware/ASICs • Firewall rules – Make security teams more effective • Relatively accurate statistics – Manage application flows • Runbooks – Useful information regarding video – Block dangerous applications – Linear checklist of steps to perform streaming and high-traffic applications • Mobile Device Manager (MDM) – Step-by-step approach to automation – Enable or disable phone and tablet – Reset a password, create a website Protocol analyzer output functionality certificate, • Solve complex application issues – Regardless of physical location back up application data – Get into the details • Data Loss Prevention (DLP) • Playbooks • Gathers packets on the network – Block transfer of personally identifiable – Conditional steps to follow; a broad – Or in the air information (PII) or sensitive data process – Sometimes built into the device – Credit card numbers, social security – Investigate a data breach, recover from • View detailed traffic information numbers, etc. ransomware – Identify unknown traffic • Content filter/URL filter – Verify packet filtering and security – Limit access to untrusted websites 4.5 - Digital Forensics controls – Block known malicious sites Digital forensics – View a plain-language description of the – Large blocklists are used to share • Collect and protect information relating application data suspicious site URLs to an intrusion • Updating or revoking certificates – Many different data sources and 4.4 - Endpoint Security Configuration – Manage device certificates to verify protection The endpoint trust mechanisms • The end user device – Revoking a certificate effectively • RFC 3227 - Guidelines for – Desktop PC, laptop, tablet, phone, etc. removes access – Evidence Collection and Archiving • Many ways to exploit a system – A good set of best practices – OS vulnerability, malware, user Isolation • Standard digital forensic process intervention • Administratively isolate a compromised – Acquisition, analysis, and reporting • Security team has to cover all of the device from everything else • Must be detail oriented bases – Prevent the spread of malicious – Take extensive notes – Recognize and react to any malicious software activity – Prevent remote access or C2 (Command Legal hold and Control) • A legal technique to preserve relevant Application approved/deny lists • Network isolation information • Any application can be dangerous – Isolate to a remediation VLAN – Prepare for impending litigation – Vulnerabilities, trojan horses, malware – No communication to other devices – Initiated by legal counsel – Security policy can control app • Process isolation • Hold notification execution – Limit application execution – Records custodians are instructed to • Approved list – Prevent malicious activity but allow preserve data – Nothing runs unless it’s approved device • Separate repository for electronically – Very restrictive management stored • Blocklist / deny list information (ESI) – Nothing on the “bad list” can be Containment – Many different data sources and types executed • Application containment – Unique workflow and retention – Anti-virus, anti-malware – Run each application in its own sandbox requirements • Quarantine – Limit interaction with the host operating • Ongoing preservation – Anything suspicious can be moved to a system and other applications – Once notified, there’s an ongoing safe area – Ransomware would have no method of obligation to preserve data infection Examples of application approval lists • Contain the spread of a multi-device Capture video • Decisions are made in the operating security • A moving record of the event system event, i.e., ransomware – Gathers information external to the – Often built-in to the operating system – Disable administrative shares computer management – Disable remote management and network – Application hash – Disable local account access and change • Captures the status of the screen and • Only allows applications with this local other unique identifier administrator password volatile information • Certificate – Today’s mobile video devices are – Allow digitally signed apps from certain Segmentation remarkable publishers • Separate the network • Don’t forget security cameras and your • Path – Prevent unauthorized movement phone • The video content must also be archived • Core operating system – May have some of the most important Reports – Executable files and libraries record • Document the findings – Can be compared later to known-good of information – For Internal use, legal proceedings, etc. files • Summary information – Usually captured with a drive image Admissibility – Overview of the security event • Other OS data • Not all data can be used in a court of law • Detailed explanation of data acquisition – Logged in users – Different rules in different jurisdictions – Step-by-step method of the process – Open ports • Legal authorization • The findings – Processes currently running – Search and seizure of information – An analysis of the data – Attached device list • Procedures and tools • Conclusion – The correct tools used the correct way – Professional results, given the analysis Device • Laboratories • Mobile devices and tablets – Proper scientific principles used to 4.5 - Forensics Data Acquisition – A more challenging forensics task analyze Order of volatility • Capture data the evidence • How long does data stick around? – Use an existing backup file • Technical and academic qualifications – Some media is much more volatile than – Transfer image over USB – Competence and qualifications of others • Data experts – Gather data in order from the most – Phone calls volatile to – Contact information Chain of custody less volatile – Text messages • Control evidence – Email data – Maintain integrity Disk – Images and movies • Everyone who contacts the evidence • Copy everything on a storage drive – Use hashes – Hard drive, SSD, flash drive Firmware – Avoid tampering • Drive image preparation • Extract the device firmware • Label and catalog everything – Power down to prevent changes – Rootkits and exploited hardware device – Digitally tag all items for ongoing – Remove storage drive – A reprogrammed firmware or ROM documentation • Connect to imaging device • Specific to the platform – Seal and store – With write-protection – Firmware implementations vary widely • Forensic clone • Attacker gains access to the device Recording time offsets – Bit-for-bit copy – Maintains access through OS updates • The time zone determines how the time – Preserve all data (even the “deleted” • Data discovery is displayed data) – Exploit data – Document the local device settings – Firmware functionality • Different file systems store timestamps Random access memory (RAM) – Real-time data differently • A difficult target to capture – FAT: Time is stored in local time – Changes constantly Snapshot – NTFS: Time is stored in GMT – Capturing data changes the data • Generally associated with virtual • Record the time offset from the • Memory dump machines (VMs) operating system – Grab everything in active RAM – A point-in-time system image – The Windows Registry – Many third-party tools • Incremental between snapshots – Many different values (daylight saving • Important data – Original image is the full backup time, – Browsing history – Each snapshot is incremented from the time change information, etc.) – Clipboard information last – Encryption keys – Restoring requires the original and all Event logs – Command history snapshots • System logs • Contains all files and information about – Documents important operating system Swap/pagefile a VM and • Used by different operating systems – Similar to a system image application events – Slightly different usage in each – Operating system, applications, user • Export and store for future reference • A place to store RAM when memory is data, etc. – Filter and parse depleted • Log store – There’s a lot more space on the storage Cache – Linux: /var/log drive • Store data for use later – Windows: Event Viewer – Transfer pages of RAM to a storage drive – Often used to increase performance • Can also contain portions of an – Many different caches (CPU, disk, Interviews application Internet, etc.) • Who might have seen this? – Page out portions that aren’t in use • Can contain specialized data – You won’t know until you ask • Contains data similar to a RAM dump – CPU cache is very short-term instruction • Interview and document – Anything active on the system storage – These folks might not be around later • Some data may never be used • Not all witness statements are 100% Operating system – Erased after a specified timeframe or accurate • OS files and data when the cache is full – Humans are fallible – May have been modified – Browser caches are often long-lived • Data • Data stored in cloud may not be located – The e-discovery process obtains a – URL locations in the same country storage drive – Browser page components (text, – Location of the data center may – Data on the drive is smaller than images) determine how data can be treated expected • Location of the data is critical – Forensics experts determine that data Network – Legal frameworks vary widely between was deleted and attempt to recover the • Gather information about and from the countries data network – Some countries don’t allow electronic – Network connections, packet captures searches outside of their borders Data recovery • Inbound and outbound sessions • Extract missing data without affecting – OS and application traffic Data breach notification laws the • Packet data • Notification laws integrity of the data – Capture raw network data – If consumer data is breached, the – Requires training and expertise – May include long-term packet captures consumer must be informed • The recovery process can vary • Third-party packet captures • Many data breach notification laws – Deleted files – Firewalls, IPS, etc. – Vary widely across countries and – Hidden data localities – Hardware or software corruption Artifacts – If you’re in the cloud, you’re a global – Storage device is physically damaged • Digital items left behind entity – Every contact leaves a trace • Notification requirements also vary Non-repudiation – May not be obvious to access – Type of data breached • Proof of data integrity and the origin of • Artifact locations – Who gets notified the data – Log information – How quickly – The data is unchanged and really did – Flash memory come from the sender – Prefetch cache files 4.5 - Managing Evidence – Hashing the data – Recycle Bin Integrity • Authentication that is genuine with high – Browser bookmarks and logins • Hashing confidence – Cryptographic integrity verification – The only person who could have sent 4.5 - On-Premises vs. Cloud Forensics – A digital “fingerprint” the data is the sender Forensics in the cloud • Checksums • Message Authentication Code (MAC) • Adding complexity to the digital – Protects against accidental changes – The two parties can verify non- forensics process during transmission repudiation – Cloud technologies – A relatively simple integrity check • Digital Signature • Technical challenges – Not designed to replace a hash – The non-repudiation can be publicly – Devices are not totally in your control • Provenance verified – There may be limited access – Documentation of authenticity – Associate data with a specific user – A chain of custody for data handling Strategic intelligence/counterintelligence • Legal issues – Blockchain technology • Strategic intelligence – Laws are different around the world – A focus on key threat activity for a – The rules may not be immediately Preservation domain obvious • Handling evidence – Business sectors, geographical regions, Right to audit clauses – Isolate and protect the data countries • Common to work with business partners – Analyze the data later without any – Gather information from internal threat – Data sharing alterations reports, – Outsourcing • Manage the collection process third-party data sources, and other data • Cloud computing providers – Work from copies inputs – Can hold all of the data – Manage the data collection from mobile – Determine the threat landscape based – Manage Internet access devices on the trends – Are they secure? • Live collection has become an important • Strategic counterintelligence (CI) • Right-to-audit should be in the contract skill – Prevent hostile intelligence operations – A legal agreement to have the option to – Data may be encrypted or difficult to – Discover and disrupt foreign intelligence perform a security audit at any time collect after powering down threats – Everyone agrees to the terms and • Follow best practices to ensure – Gather threat information on foreign conditions admissibility of data in court intelligence operations – Ability to verify security before a breach – What happens now affects the future occurs E-discovery 5.1 - Security Controls • Electronic discovery Security controls Regulatory/jurisdiction – Collect, prepare, review, interpret, and • Security risks are out there • Cloud computing technology appeared produce electronic documents – Many different types to consider relatively quickly • E-discovery gathers data required by the • Assets are also varied – The legal world is scrambling to catch up legal process – Data, physical property, computer • Forensics professionals must know their – Does not generally involve analysis systems legal rights – There’s no consideration of intent • Prevent security events, minimize the – Data in a different jurisdiction may be • Works together with digital forensics impact, bound by very different regulations and limit the damage – Security controls GDPR - General Data Protection • National Institute of Standards and Regulation Technology Control categories • European Union regulation – Risk Management Framework (RMF) • Managerial controls – Data protection and privacy for – Mandatory for US federal agencies and – Controls that address security design individuals in the EU organizations that handle federal data and implementation – Name, address, photo, email address, • Six step process – Security policies, standard operating bank details, posts on social networking – Step 1: Categorize - Define the procedures websites, medical information, a environment • Operational controls computer’s IP address, etc. – Step 2: Select - Pick appropriate controls – Controls that are implemented by • Controls export of personal data – Step 3: Implement - Define proper people – Users can decide where their data goes implementation – Security guards, awareness programs • Gives individuals control of their – Step 4: Assess - Determine if controls • Technical controls personal data are working – Controls implemented using systems – A right to be forgotten – Step 5: Authorize - Make a decision to – Operating system controls • Site privacy policy authorize a system – Firewalls, anti-virus – Details all of the privacy rights for a user – Step 6: Monitor - Check for ongoing compliance Control types PCI DSS • Preventive • Payment Card Industry NIST CSF – Physically control access – Data Security Standard (PCI DSS) • National Institute of Standards and – Door lock – A standard for protecting credit cards Technology – Security guard • Six control objectives – Cybersecurity Framework (CSF) – Firewall – Build and maintain a secure network – A voluntary commercial framework • Detective and • Framework Core – May not prevent access systems – Identify, Protect, Detect, Respond, and – Identifies and records any intrusion – Protect cardholder data Recover attempt – Maintain a vulnerability management • Framework Implementation Tiers – Motion detector, program – An organization’s view of cybersecurity IDS/IPShttps://ProfessorMesser.com – Implement strong access control risk and processes to manage the risk • Corrective measures • Framework Profile - The alignment of – Designed to mitigate damage – Regularly monitor and test networks standards, guidelines, and practices to the – IPS can block an attacker – Maintain an information security policy Framework Core – Backups can mitigate a ransomware infection 5.2 - Security Frameworks ISO/IEC frameworks – A backup site can provide options when Security frameworks • International Organization for a storm hits • Secure your data. Standardization • Deterrent – Where do you start? What are the best – International Electrotechnical – May not directly prevent access practices? Commission – Discourages an intrusion attempt – If only there was a book. • ISO/IEC 27001 – Warning signs, login banner • Often a complex problem – Standard for an Information Security • Compensating – Unique organizational requirements Management System (ISMS) – Doesn’t prevent an attack – Compliance and regulatory • ISO/IEC 27002 – Restores using other means requirements – Code of practice for information security – Re-image or restore from backup – Many different processes and tools are controls – Hot site available • ISO/IEC 27701 – Backup power system • Use a security framework – Privacy Information Management • Physical – Documented processes Systems (PIMS) – Fences, locks, mantraps – A guide for creating a security program • ISO 31000 – Real-world security – Define tasks and prioritize projects – International standards for risk management practices Compliance Center for Internet Security (CIS) • Compliance • Center for Internet Security SSAE SOC 2 Type I/II – Meeting the standards of laws, policies, – Critical Security Controls for • The American Institute of Certified and regulations – Effective Cyber Defense Public Accountants (AICPA) auditing • A healthy catalog of regulations and – CIS CSC standard Statement on Standards for laws • Improve cyber defenses Attestation Engagements number 18 – Across many aspects of business and life – Twenty key actions (the critical security (SSAE 18) – Many are industry-specific or situational controls) • SOC 2 - Trust Services Criteria (security • Penalties – Categorized for different organization controls) – Fines, incarceration, loss of employment sizes – Firewalls, intrusion detection, and multi- • Scope • Designed for implementation - Written factor authentication – Covers national, territory, or state laws for IT professionals • Type I audit – Domestic and international – Includes practical and actionable tasks – Tests controls in place at a particular requirements point in time NIST RMF • Type II – Tests controls over a period of at least • Programming languages, runtime – Limit the exposure of sensitive data to six libraries, etc. third-parties consecutive months – Usually between the web server and the database Least privilege Cloud Security Alliance (CSA) – Middleware • Rights and permissions should be set to • Security in cloud computing • Very specific functionality the bare minimum – Not-for-profit organization – Disable all unnecessary services – You only get exactly what’s needed to • Cloud Controls Matrix (CCM) • Operating system updates complete your objective – Cloud-specific security controls – Security patches • All user accounts must be limited – Controls are mapped to standards, best • File permissions and access controls – Applications should run with minimal practices, and regulations – Limit rights to what’s required privileges • Enterprise Architecture – Limit access from other devices • Don’t allow users to run with – Methodology and tools administrative privileges – Assess internal IT groups and cloud Network infrastructure devices – Limits the scope of malicious behavior providers • Switches, routers, firewalls, IPS, etc. – Determine security capabilities – You never see them, but they’re always Background checks – Build a roadmap there • Background checks • Purpose-built devices – Pre-employment screening 5.2 - Secure Configurations – Embedded OS, limited OS access – Verify the applicant’s claims Secure configurations • Configure authentication – Discover criminal history, workers • No system is secure with the default – Don’t use the defaults compensation claims, etc. configurations • Check with the manufacturer – Legalities vary by country – You need some guidelines to keep – Security updates • Adverse actions everything safe – Not usually updated frequently – An action that denies employment • Hardening guides are specific to the – Updates are usually important based on the background check software or platform – May require extensive documentation – Get feedback from the manufacturer or 5.3 - Personnel Security – Can also include existing employees Internet interest group Acceptable use policies (AUP) – They’ll have the best details • What is acceptable use of company Personnel security procedures • Other general-purpose guides are assets? • NDA (Non-disclosure agreement) available online – Detailed documentation – Confidentiality agreement / Legal – May be documented in the Rules of contract Web server hardening Behavior – Prevents the use and dissemination of • Access a server with your browser • Covers many topics confidential information – The fundamental server on the Internet – Internet use, telephones, computers, • Social media analysis – Microsoft Internet Information Server, mobile devices, etc. – Gather data from social media Apache HTTP Server, et al. • Used by an organization to limit legal – Facebook, Twitter, LinkedIn, Instagram • Huge potential for access issues liability – Build a personal profile – Data leaks, server access – If someone is dismissed, these are the – Another data point when making a • Secure configuration well documented reasons why hiring decision – Information leakage: Banner information, directory browsing Business policies On-boarding – Permissions: Run from a non-privileged • Job rotation • Bring a new person into the organization account, configure file permissions – Keep people moving between – New hires or transfers – Configure SSL: Manage and install responsibilities • IT agreements need to be signed certificates – No one person maintains control for – May be part of the employee handbook – Log files: Monitor access and error logs long periods of time or • Mandatory vacations a separate AUP Operating system hardening – Rotate others through the job • Create accounts • Many and varied - Windows, Linux, iOS, – The longer the vacation, the better – Associate the user with the proper Android, et al. chance groups • Updates to identify fraud and departments – Operating system updates/service – Especially important in high-security • Provide required IT hardware packs, environments – Laptops, tablets, etc. - Preconfigured security patches • Separation of duties and ready to go • User accounts – Split knowledge – Minimum password lengths and • No one person has all of the details Off-boarding complexity • Half of a safe combination • All good things… (But you knew this day – Account limitations – Dual control would come) • Network access and security • Two people must be present to perform • This process should be pre-planned – Limit network access the business function – You don’t want to decide how to do • Monitor and secure • Two keys open a safe (or launch a things at this point – Anti-virus, anti-malware missile) • What happens to the hardware and the • Clean desk policy data? Application server – When you leave, nothing is on your desk • Account information is usually • Target didn’t segment the vendor – Don’t make decisions based on incorrect deactivated network data! – But not always deleted from the corporate – Used with quality management systems, – The attackers jumped from the vendor i.e., Six Sigma User training to the – Assess the measurement process • Gamification Target network – Calculate measurement uncertainty – Score points, compete with others, • The corporate network was not • Business Partnership Agreement (BPA) collect badges segmented from point of sale (POS) – Going into business together • Capture the flag (CTF) terminals – Owner stake – Security competition – Once on the inside, it was relatively easy – Financial contract – Hack into a server to steal data (the flag) to get to your credit card numbers – Decision-making agreements – Can involve highly technical simulations – (110 million card numbers) – Prepare for contingencies – A practical learning environment • Phishing simulation Supply chain Product support lifetime – Send simulated phishing emails • The system involved when creating a • End of life (EOL) – Make vishing calls product – Manufacturer stops selling a product – See which users are susceptible to – Involves organizations, people, – May continue supporting the product phishing attacks activities, and resources – Important for security patches and without being a victim of phishing • Supply chain assessment updates • Computer-based training (CBT) – Get a product or service from supplier to • End of service life (EOSL) – Automated pre-built training customer – Manufacturer stops selling a product – May include video, audio, and Q&A – Evaluate coordination between groups – Support is no longer available for the – Users all receive the same training – Identify areas of improvement product experience – Assess the IT systems supporting the – No ongoing security patches or updates operation – May have a premium-cost support Role-based security awareness training – Document the business process changes option • Before providing access, train your users • New laptops arrive with bundled • Technology EOSL is a significant concern – Detailed security requirements malware – Security patches are part of normal • Specialized training – Lenovo, August 2014 through early 2015 operation – Each user role has unique security – Superfish software added a self-signed responsibilities root cert (!) Non-disclosure agreement (NDA) • Also applies to third-parties – Allowed for on-path attacks when • Confidentiality agreement between – Contractors, partners, suppliers browsing any site, including over HTTPS parties • Detailed documentation and records – Information in the agreement should – Problems later can be severe for Business partners not everyone • Much closer to your data than a vendor be disclosed – May require direct access • Protects confidential information 5.3 - Third-party Risk Management – May be a larger security concern than an – Trade secrets Vendors outside hacker – Business activities • Every organization works with vendors • Often involves communication over a – Anything else listed in the NDA – Payroll, customer relationship trusted connection • Unilateral or bilateral (or multilateral) management, – More difficult to identify malicious – On-way NDA or mutual NDA email marketing, travel, raw materials activity • Formal contract • Important company data is often shared • Partner risk management should be – Signatures are usually required – May be required for cloud-based included services – Requirements for best practices, data 5.3 - Managing Data • Perform a risk assessment handling, intellectual property Data governance – Categorize risk by vendor and manage • Include additional security between • Rules, processes, and accountability the risk partners associated with an organization’s data • Use contracts for clear understanding – Firewalls and traffic filters – Data is used in the right ways – Make sure everyone understands the • Data steward expectations Common agreements – Manages the governance processes – Use the contract to enforce a secure • Service Level Agreement (SLA) – Responsible for data accuracy, privacy, environment – Minimum terms for services provided and security – Uptime, response time agreement, etc. – Associates sensitivity labels to the data Target credit card breach - November – Commonly used between customers and – Ensures compliance with any applicable 2013 service providers laws and standards • Every point of sale terminal infected • Memorandum of Understanding (MOU) • Formal rules for data – A third-party was allowed in through – Both sides agree on the contents – Everyone must know and follow the lapses in of the memorandum processes security policy – Usually includes statements of • A vendor was infected through an email confidentiality Data classification attachment – Informal letter of intent; not a signed • Identify data types – The vendor didn’t have or follow a contract – Personal, public, restricted, etc. security policy for their workstations • Measurement system analysis (MSA) – Use and protect data efficiently • Associate governance controls to the – Cloud platforms for payroll, enterprise • Have clear policies classification levels resource planning, etc. – Frequency, duration, installation – How the data class should be managed • Third-party access to corporate systems process, • Data compliance – Access can come from anywhere fallback procedures – Laws and regulations regarding certain • Add additional layers of security • Sometimes extremely difficult to types of data – 2FA (two factor authentication) implement – GDPR - General Data Protection – Audit the security posture of third- – It’s hard to change corporate culture Regulation parties • Don’t allow account sharing Change control Data retention – All users should have their own account • A formal process for managing change • Keep files that change frequently for – Avoid downtime, confusion, and version control Device accounts mistakes – Files change often • Access to devices • Nothing changes without the process – Keep at least a week, perhaps more – Mobile devices – Determine the scope of the change • Recover from virus infection • Local security – Analyze the risk associated with the – Infection may not be identified – Device certificate change immediately – Require screen locks and unlocking – Create a plan – May need to retain 30 days of backups standards – Get end-user approval • Often legal requirements for data – Manage through a Mobile Device – Present the proposal to the change retention Manager (MDM) control board – Email storage may be required over • Add additional security – Have a backout plan if the change years – Geography-based doesn’t work – Some industries must legally store – Include additional authentication factors – Document the changes certain data types – Associate a device with a user – Different data types have different Asset management storage requirements Service accounts • Identify and track computing assets – Corporate tax information, customer PII, • Used exclusively by services running on – Usually an automated process tape backups, etc. a computer • Respond faster to security problem – No interactive/user access (ideally) – You know who, what, and where 5.3 - Credential Policies – Web server, database server, etc. • Keep an eye on the most valuable assets Credential management • Access can be defined for a specific – Both hardware and data • All that stands between the outside service • Track licenses world and – Web server rights and permissions will – You know exactly how many you’ll need all of the data be • Verify that all devices are up to date – The data is everything different than a database server – Security patches, anti-malware signature • Passwords must not be embedded in the • Commonly use usernames and updates, etc. application passwords – Everything needs to reside on the – You’ll need to determine the best policy 5.4 - Risk Management Types server, not the client for Risk assessment • Communication across the network password updates • Identify assets that could be affected by should be encrypted Administrator/root accounts an attack – Authentication traffic should be • Elevated access to one or more systems – Define the risk associated with each impossible to see – Super user access asset • Complete access to the system – Hardware, customer data, intellectual Personnel accounts – Often used to manage hardware, property • An account on a computer associated drivers, and • Identify threats with software installation – Loss of data, disruption of services, etc. a specific person • This account should not be used for • Determine the risk - High, medium, or – The computer associates the user with a normal low risk specific identification number administration • Assess the total risk to the organization • Storage and files can be private to that – User accounts should be used – Make future security plans user • Needs to be highly secured – Even if another person is using the same – Strong passwords, 2FA Risk assessments computer – Scheduled password changes • External threats • No privileged access to the operating – Outside the organization system 5.3 - Organizational Policies – Hacker groups, former employees – Specifically not allowed on a user Change management • Internal threats account • How to make a change – Employees and partners • This is the account type most people will – Upgrade software, change firewall – Disgruntled employees use configuration, modify switch ports • Legacy systems – Your user community • One of the most common risks in the – Outdated, older technologies enterprise – May not be supported by the Third-party accounts – Occurs very frequently manufacturer • Access to external third-party systems • Often overlooked or ignored – May not have security updates – Did you feel that bite? – Depending on the age, may not be easily Audit risk model – New storage requirements, network accessible • Inherent risk security, – Impact + Likelihood protect against threats Multi-party risk – Risk that exists in the absence of • GDPR - General Data Protection • Breaches involving multiple parties controls Regulation – Often trusted business relationships – Some models include the existing set of – European Union data protection and – Events often involve many different controls privacy parties • Residual risk – Personal data must be protected and • May 2019 - American Medical Collection – Inherent risk + control effectiveness managed for privacy Agency – Risk that exists after controls are – Provided debt collection for many considered Qualitative risk assessment different – Some models base it on including • Identify significant risk factors organizations additional controls – Ask opinions about the significance – Data breach disclosed personal • Risk appetite – Display visually with traffic light grid or information on 24 million individuals – The amount of risk an organization is similar method – Twenty-three healthcare organizations willing to take affected by this single breach Quantitative risk assessment – A single breach can cause a ripple effect Risk control assessment • Likelihood • Risk has been determined – Annualized Rate of Occurrence (ARO) Risk assessments – Heat maps have been created – How likely is it that a hurricane will hit? • Intellectual Property (IP) theft • Time to build cybersecurity In Montana? In Florida? – Theft of ideas, inventions, and creative requirements • SLE (Single Loss Expectancy) expressions – Based on the identified risks – What is the monetary loss if a single – Human error, hacking, employees with • Find the gap event occurs? access, etc. – Often requires a formal audit – Laptop stolen (asset value or AV) = – Identify and protect IP – Self-assessments may be an option $1,000 – Educate employees and increase • Build and maintain security systems • ALE (Annualized Loss Expectancy) security based on the requirements – ARO x SLE • Software compliance/licensing – The organizational risk determines the – Seven laptops stolen a year (ARO) x – Operational risk with too few licenses proper $1,000 (SLE) = $7,000 – Financial risk with budgeting and over- controls • The business impact can be more than allocated licenses • Determine if existing controls are monetary – Legal risk if proper licensing is not compliant or noncompliant – Quantitative vs. qualitative followed – Make plans to bring everything into compliance Disaster types Risk management strategies • Environmental threats • Acceptance Risk awareness – Tornado, hurricane, earthquake, severe – A business decision; we’ll take the risk! • A constantly changing battlefield weather • Risk-avoidance – New risks, emerging risks • Person-made threats – Stop participating in a high-risk activity – A nearly overwhelming amount of – Human intent, negligence, or error • Transference information – Arson, crime, civil disorder, fires, riots, – Buy some cybersecurity insurance – Difficult to manage a defense etc. • Mitigation • Knowledge is key • Internal and external – Decrease the risk level – Part of every employee’s daily job role – Internal threats are from employees – Invest in security systems – Part of the onboarding process for – External threats are from outside the employees organization 5.4 - Risk Analysis and partners Evaluating risk • Maintaining awareness 5.4 - Business Impact Analysis • Risk register – Ongoing group discussions Recovery – Every project has a plan, but also has – Presentations from law enforcement • Recovery time objective (RTO) risk – Attend security conferences and – Get up and running quickly – Identify and document the risk programs – Get back to a particular service level associated • Recovery point objective (RPO) with each step Regulations that affect risk posture – How much data loss is acceptable? – Apply possible solutions to the identified • Many of them – Bring the system back online; how far risks – Regulations tend to regulate back – Monitor the results • Regulations directly associated to does data go? • Risk matrix / risk heat map cybersecurity • Mean time to repair (MTTR) – View the results of the risk assessment – Protection of personal information, – Time required to fix the issue – Visually identify risk based on color disclosure of information breaches • Mean time between failures (MTBF) – Combines the likelihood of an event – Requires a minimum level of – Predict the time between outages with information security the potential impact • HIPAA - Health Insurance Portability and Functional recovery plans – Assists with making strategic decisions Accountability Act • Recover from an outage – Privacy of patient records – Step-by-step guide • Contact information – Applications • Almost everything can affect privacy – Someone is on-call – Personnel – New business relationships, product – Keep everyone up to date – Equipment updates, website features, service offering • Technical process – Work environment • Privacy risk needs to be identified in – Reference the knowledge base each initiative – Follow the internal processes 5.5 - Privacy and Data Breaches – How could the process compromise • Recover and test Information life cycle customer privacy? – Confirm normal operation • Creation and receipt • Advantages – Create data internally or receive data – Fix privacy issues before they become a Removing single points of failure from a third-party problem • A single event can ruin your day • Distribution - Records are sorted and – Provides evidence of a focus on privacy – Unless you make some plans stored – Avoid data breach • Network configuration • Use – Shows the importance of privacy to – Multiple devices (the “Noah’s Ark” of – Make business decisions, create everyone networking) products • Facility / Utilities and services Notices – Backup power, multiple cooling devices • Maintenance • Terms of service • People / Location – Ongoing data retrieval and data – Terms of use, terms and conditions – A good hurricane can disrupt personnel transfers (T&C) travel • Disposition – Legal agreement between service • There’s no practical way to remove all – Archiving or disposal of data provider and user points of failure – User must agree to the terms to use the – Money drives redundancy Consequences service • Reputation damage • Privacy notice, privacy policy Disaster recovery plan (DRP) – Opinion of the organization becomes – May be required by law • Detailed plan for resuming operations negative – Documents the handling of personal after a disaster – Can have an impact on products or data – Application, data center, building, services – May provide additional data options and campus, region, etc. – Can impact stock price contact information • Extensive planning prior to the disaster • Identity theft – Backups – Company and/or customers information 5.5 - Data Classifications – Off-site data replication becomes public Labeling sensitive data – Cloud alternatives – May require public disclosure • Not all data has the same level of – Remote site – Credit monitoring costs sensitivity • Many third-party options • Fines – License tag numbers vs. health records – Physical locations – Uber • Different levels require different security – Recovery services • Data breach in 2016 wasn’t disclosed and handling • Uber paid the hackers $100,000 instead – Additional permissions Impact • Lawsuit settlement was $148 million – A different process to view • Life - The most important consideration – Equifax – Restricted network access • Property - The risk to buildings and • 2017 data breach assets • Government fines were approximately Data classifications • Safety - Some environments are too $700 million • Proprietary dangerous to work • Intellectual Property (IP) theft – Data that is the property of an • Finance - The resulting financial cost – Stealing company secrets organization • Reputation – Can put an organization out of business – May also include trade secrets – An event can cause status or character – Often data unique to an organization problems Notification • PII - Personally Identifiable Information • Internal escalation process – Data that can be used to identify an Mission-essential functions – Breaches are often found by technicians individual • If a hurricane blew through, what – Provide a process for making those – Name, date of birth, mother’s maiden functions would be essential to the findings known name, organization? • External escalation process biometric information – That’s where you start your analysis – Know when to ask for assistance from • PHI - Protected Health Information – These are broad business requirements external resources – Health information associated with an • What computing systems are required – Security experts can find and stop an individual for these mission-essential business active breach – Health status, health care records, functions? • Public notifications and disclosures payments for health care, and much more – Identify the critical systems – Refer to security breach notification • Public / Unclassified laws – No restrictions on viewing the data Site risk assessment – All 50 US states, EU, Australia, etc. • Private / Classified / Restricted / Internal • All locations are a bit different – Delays might be allowed for criminal use only – Even those designed to be similar investigations – Restricted access, may require a non- • Recovery plans should consider unique disclosure agreement (NDA) environments Privacy impact assessment (PIA) • Sensitive - Intellectual property, PII, PHI • Confidential - Very sensitive, must be • Protects PII • Data protection officer (DPO) approved to view – And other sensitive data – Responsible for the organization’s data • Critical - Data should always be available • May only be hidden from view privacy • Financial information – The data may still be intact in storage – Sets policies, implements processes and – Internal company financial information – Control the view based on permissions procedures – Customer financial details • Many different techniques • Government data – Substituting, shuffling, encrypting, – Open data masking out, etc. – Transfer between government entities – May be protected by law Pseudo-anonymization • Customer data • Pseudonymization – Data associated with customers – Replace personal information with – May include user-specific details pseudonyms – Legal handling requirements – Often used to maintain statistical relationships 5.5 - Enhancing privacy • May be reversible Tokenization – Hide the personal data for daily use or in • Replace sensitive data with a non- case of breach sensitive placeholder – Convert it back for other processes – SSN 266-12-1112 is now 691-61-8539 • Random replacement • Common with credit card processing – James Messer -> Jack O’Neill -> Sam – Use a temporary token during payment Carter -> Daniel Jackson – An attacker capturing the card numbers • Consistent replacements can’t use them later – James Messer is always converted to • This isn’t encryption or hashing George Hammond – The original data and token aren’t mathematically related 5.5 - Data Roles and Responsibilities – No encryption overhead Data responsibility • High-level data relationships Data minimization – Organizational responsibilities, not • Minimal data collection always technical – Only collect and retain necessary data • Data owner • Included in many regulations – Accountable for specific data, often a – HIPAA has a “Minimum Necessary” rule senior officer – GDPR - “Personal data shall be – VP of Sales owns the customer adequate, relevant and not excessive in relationship data relation to the purpose or purposes for – Treasurer owns the financial information which they are processed.” • Some information may not be required Data roles – Do you need a telephone number or • Data controller address? – Manages the purposes and means by • Internal data use should be limited which – Only access data required for the task personal data is processed • Data processor Anonymization – Processes data on behalf of the data • Make it impossible to identify individual controller data – Often a third-party or different group from a dataset • Payroll controller and processor – Allows for data use without privacy – Payroll department (data controller) concerns defines • Many different anonymization payroll amounts and timeframes techniques – Payroll company (data processor) – Hashing, masking, etc. processes payroll • Convert from detailed customer and stores employee information purchase data – Remove name, address, change phone Additional data roles number to ### ### #### • Data custodian/steward – Keep product name, quantity, total, and – Responsible for data accuracy, privacy, sale date and security • Anonymization cannot be reversed – Associates sensitivity labels to the data – No way to associate the data to a user – Ensures compliance with any applicable laws Data masking and standards • Data obfuscation – Manages the access rights to the data – Hide some of the original data – Implements security controls