Introduction To Security


SECURITY OPERATION CENTER

ISD/NS/SOC

By Abdulaziz

NOV 2018
Introduction

 A SOC is a centralized unit that deals with security issues on an
organizational and technical level.
 A SOC is the keystone of an organization's security management program.
 The main mission of a SOC is to monitor, recognize and escalate
significant information security events to protect the confidentiality,
integrity and availability of the organization's information and systems.
 Appropriate security tools and a strong incident management process are
mandatory.
What is Information Security ?

 Information security is the protection of information, and of the systems
and hardware that use, store and transmit it.
 It protects the organization's valuable information assets from attack.
 It is used to ensure the confidentiality, integrity and availability of data
and resources.
 Confidentiality, integrity and availability, known as the CIA triad, are
the building blocks and the objectives of information security.
THE CIA TRIAD

 Confidentiality:
 Prevent disclosure of information to, and access by, unauthorized
people, resources and processes.
 Keeping the secrets secret.
 Integrity:
 The protection of information from improper modification or
destruction.
 Integrity is compromised by any unauthorized addition, removal or
alteration of data, whether in storage or in transit.
 Availability:
 Ensuring timely and reliable access to, and use of, information or systems
by authorized users when needed.
Various attacks on Confidentiality, Integrity and Availability

 Attacks that affect confidentiality: packet sniffing, password cracking,
dumpster diving, wiretapping, keylogging.
 Attacks that affect integrity: salami attacks, data diddling attacks,
session hijacking, man-in-the-middle attacks.
 Attacks that affect availability: DoS and DDoS attacks, SYN flood
attacks, physical attacks.
How CIA Implemented

 CIA is implemented through access controls, cryptography, and
redundancy or co-location.
Access controls: - gatekeeping devices and software (firewalls, antivirus,
gateways, etc.)
- permissions that restrict who may access which data
- password policy, etc.
Cryptography: - encryption and decryption keep data confidential; hashes,
MACs and digital signatures let the receiver detect improper modification
(integrity).
Redundancy or co-location: - keeping duplicate copies of information or
systems in different locations so the service stays available.
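The integrity half of the slide is the one most often taken on faith, so here is an added worked example (not code from the original presentation) of how a keyed hash lets the receiver detect the "addition or subtraction of data during transit" mentioned under the CIA triad. It uses only the Python standard library; the shared key and the transfer message are constructed for the example, and a real deployment would provision the key out of band or derive it from a key exchange.

```python
import hmac
import hashlib
from typing import Optional

# Constructed example key. A real deployment provisions a per-link secret out of
# band (or derives it from a key exchange); it is fixed here so the run repeats.
SHARED_KEY = b"example-shared-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: append an HMAC-SHA256 tag over the message.

    Anyone can still read the message (HMAC gives integrity, not
    confidentiality), but nobody without the key can change it and produce
    a tag that verifies.
    """
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Receiver side: return the message if the tag checks out, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so an attacker cannot learn the
    # correct tag byte by byte from response timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def tamper_in_transit(packet: bytes) -> bytes:
    """Simulate an on-path attacker editing the amount field (addition/alteration)."""
    return packet.replace(b"amount=100", b"amount=900")


def truncate_in_transit(packet: bytes) -> bytes:
    """Simulate data being dropped in transit (subtraction of data)."""
    return packet[:-1]


if __name__ == "__main__":
    original = b"transfer amount=100 to=alice"
    packet = protect(original)
    print("intact   :", verify(packet))
    print("modified :", verify(tamper_in_transit(packet)))
    print("truncated:", verify(truncate_in_transit(packet)))
```

Note that the tag protects the message only against parties who lack the key; pairing it with encryption (confidentiality) and a sequence number or timestamp (replay) is what a complete transport such as TLS does.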
Threats, risks, vulnerabilities and Countermeasure

 Threat: any potential danger that could exploit a vulnerability and cause
loss.
 Threat agent: an entity that causes loss by realizing a threat.
 Threats can be natural or man-made: fire, earthquake, flood, system
failure, human error (due to lack of training or ignorance), power
outage, or a deliberate attacker.
 Vulnerability: a weakness that could be exploited to violate a system or
the information it contains.
 An opportunity for a threat agent.
 If a vulnerability exists, then a threat can be realized successfully
unless effective countermeasures are in place.
Cont’d

 Risk: the possibility or likelihood that a threat will exploit a
vulnerability to cause harm to an asset.
 Risk is not the event itself; it combines how likely the event is with
the damage it would do to assets within the organization.
 Written as a formula, in its simplest form:
 risk = threat * vulnerability
 Fuller treatments also multiply by impact (asset value), but the point
stands: reducing either the threat (or threat agent) or the vulnerability
directly reduces risk, and if either factor is zero there is no risk.
 Exposure: the attack surface, the exploitable area through which a loss
could occur.
Cont’d

Countermeasure
 A control for reducing or eliminating vulnerabilities.
 An administrative, technical or physical mitigation against potential
risk(s).
 Administrative control: rules, policies and laws.
 Technical control: permissions, encryption, passwords, anti-virus,
firewall rules, etc.
 Physical control: security guards, cameras, locked doors and fences.
(A firewall appliance is a physical box, but the control it enforces is
technical.)
Threats, risks, vulnerabilities and Countermeasure: Relation
(Diagram, reconstructed as a chain of relations)
Threat Agent -> gives rise to -> Threat -> exploits -> Vulnerability ->
leads to -> Risk -> can damage -> Asset -> and causes an -> Exposure ->
can be countered by a -> Countermeasure
The countermeasure feeds back on the chain: it reduces/eliminates the
vulnerability (and with it the risk) and indirectly affects the earlier
elements of the chain.
Database vulnerabilities

 Databases are a key target for cybercriminals because of the valuable
information locked inside.
Deployment Failures
 Vulnerabilities introduced by a lack of care at the moment the database
is deployed (default accounts, open listeners, permissive settings).
 Any database should be tested, before it goes live, both for functionality
and to make sure it exposes only what it was designed to expose.
Data Leaks
 Data leakage often occurs because of poor business processes or database
design.
 Database servers also listen on a network interface; if client traffic is
not encrypted, an attacker on the path can capture and exploit it.
 To avoid this pitfall, administrators should require TLS-encrypted
connections (SSL is the obsolete predecessor and should be disabled).
Cont’d

Excessive User Privileges
 Granting users more database privileges than their job requires.
 Unfortunately, this increases overall risk because some workers may
eventually abuse their permissions, and a compromised account inherits
all of them.
 So we have to be careful when we grant privileges to employees: grant the
minimum needed (least privilege) and review it regularly.
The abuse of database features
 A hacker who has gained access with legitimate credentials can abuse
built-in features (command execution, file access, extended procedures)
to force the service to run arbitrary code.
 Future abuse can be limited by removing or disabling unnecessary features.
Cont’d

A lack of segregation
 Separating administrator and user powers, and segregating duties, makes
fraud by internal staff more difficult.
 Limiting the power of user accounts also gives a hacker a harder time
taking complete control of a database through a compromised account.
SQL injections
 SQL injection is a code injection technique that can expose or destroy a
database.
 The attacker supplies input that is interpreted as SQL commands, and so
reads or corrupts database content.
 The primary defence is to never build SQL text from user input: use
parameterized queries (prepared statements). Protecting web-facing
databases with firewalls and testing input variables for SQL injection
during development are defence in depth on top of that.
Database security

 Digital certificate: a signed credential that binds a public key to an
entity, used to authenticate a computer, document or web page.
 Encryption: alters the data so unauthorized users cannot read it.
 Firewalls: protect a network from unauthorized access from the
internet.
 Proxy servers: mediate requests between client computers inside a
private network and the internet.
 Secure Sockets Layer (SSL) connects and transmits encrypted data; its
successor, TLS, is what should actually be deployed today.
 S-HTTP (secure hypertext transport protocol) was designed to transmit web
pages securely but never saw wide use; HTTPS (HTTP over TLS) is the
standard in practice.
 By configuring these features on the internet and network components, it
is possible to provide the privacy and security that reduce database
vulnerabilities.
Web Application vulnerabilities

 Hacking web applications is similar to hacking other systems.
 Hackers follow a five-step process: they scan the network, gather
information, test different attack scenarios, plan the attack, and
finally launch it.
(Figure: the stages of a web application attack)
Web Application vulnerabilities

SQL INJECTIONS
 SQL injection is one of the most prevalent types of web application
security vulnerability.
 The attacker supplies input that is interpreted as SQL commands or
queries, to access or corrupt database content.
 If successful, this allows the attacker to create, read, update, alter or
delete data stored in the back-end database.
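The two SQL injection slides (the database one and this web application one) describe the same defect, so here is one added worked example covering both; it is not code from the original presentation. It builds a constructed in-memory SQLite user table, shows a login check that splices user input into the SQL text next to the same check written with parameters, and runs the two classic payloads against each. The account name, password and payloads are made up for the example.

```python
import sqlite3
from typing import Dict


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with a single account.

    Passwords are stored in clear text only to keep the injection point
    visible; a real system stores salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("alice", "correct horse battery staple"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # DELIBERATELY VULNERABLE: user input is spliced into the SQL text, so the
    # database cannot tell where the command ends and the data begins.
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # FIXED: the SQL text is constant; values travel separately as parameters
    # and are never interpreted as SQL, whatever characters they contain.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> Dict[str, bool]:
    """Run both payloads against both implementations; True means 'logged in'."""
    conn = make_db()
    # Payload 1 comments out the password check; payload 2 makes the WHERE
    # clause always true.
    comment_user = "alice'--"
    tautology_pass = "' OR '1'='1"
    return {
        "vuln_comment_bypass": login_vulnerable(conn, comment_user, "wrong"),
        "vuln_tautology_bypass": login_vulnerable(conn, "alice", tautology_pass),
        "param_comment_bypass": login_parameterized(conn, comment_user, "wrong"),
        "param_tautology_bypass": login_parameterized(conn, "alice", tautology_pass),
        "param_real_login": login_parameterized(
            conn, "alice", "correct horse battery staple"
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The vulnerable function logs the attacker in with either payload; the parameterized one rejects both and still accepts the real password. This is why parameterization, not input filtering or a firewall, is the fix: the firewall and the development-time tests the slides mention catch some payloads, but a placeholder removes the whole class.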
CROSS SITE SCRIPTING (XSS)
 XSS allows attackers to execute JavaScript in the victim's browser, which
can hijack user sessions, deface websites or redirect the user to
malicious sites.
 Defences: validate input, and escape (encode) output for the context it
is inserted into (HTML body, attribute, JavaScript, URL).
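"Use escaping syntax" is only half the rule: the escaping has to match the context the value lands in. The following added example (not from the original presentation) renders a constructed profile page that inserts the same user-supplied name into an HTML element, an HTML attribute and a JavaScript string, first unescaped and then escaped per context, and runs one breakout payload for each context against both. The payloads and the crude exploited check are constructed for the example.

```python
import html
import json


def escape_html_text(value: str) -> str:
    """For element content: <p>{value}</p>."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """For a quoted attribute. The quotes are part of the output on purpose so
    an attacker cannot break out of the attribute with a space or a quote."""
    return '"' + html.escape(value, quote=True) + '"'


def escape_js_string(value: str) -> str:
    """For a string literal inside <script>: emit a JSON literal and also
    escape < and > so the text can never contain a literal '</script>' that
    would terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile_unsafe(name: str) -> str:
    # DELIBERATELY VULNERABLE: raw string concatenation in three contexts.
    return (
        f"<h1>{name}</h1>\n"
        f'<input value="{name}">\n'
        f'<script>var user = "{name}";</script>'
    )


def render_profile(name: str) -> str:
    # FIXED: each insertion is escaped for the context it lands in.
    return (
        f"<h1>{escape_html_text(name)}</h1>\n"
        f"<input value={escape_html_attr(name)}>\n"
        f"<script>var user = {escape_js_string(name)};</script>"
    )


# Constructed payloads, one per context.
PAYLOADS = [
    "<script>alert(1)</script>",            # element content
    '" onfocus="alert(1)" autofocus="',    # attribute breakout
    "</script><script>alert(1)</script>",  # script-block breakout
]


def is_exploited(page: str) -> bool:
    """Crude check: does an attacker-controlled <script> tag or event handler
    survive in the output? (The template itself contributes one <script>.)"""
    return page.count("<script>") > 1 or 'onfocus="alert(1)"' in page


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe exploited:", is_exploited(render_profile_unsafe(payload)))
        print("fixed  exploited:", is_exploited(render_profile(payload)))
```

A real template engine does this per-context escaping for you when auto-escaping is on; the point of writing it out is to see that a single HTML-escape would still have let the third payload out of the script block.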
Cont’d

BROKEN AUTHENTICATION & SESSION MANAGEMENT
 Occurs when passwords, usernames and session identifiers are verified or
handled insecurely.
 Also caused by session timeouts that are missing or set too long.
 If authentication credentials and session identifiers are not protected at all
times, an attacker can hijack an active session and assume the identity of a
user.
INSECURE DIRECT OBJECT REFERENCES
 Occurs when a web application exposes a reference to an internal
implementation object without checking that the caller is authorized to use it.
 Internal implementation objects include files, database records, directories
and database keys. When an application exposes a reference to one of these
objects in a URL, hackers can manipulate it to gain access to another user's
personal data.
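The slide says what the attacker manipulates but not what the missing check looks like, so here is an added worked example (not code from the original presentation). It models an invoice endpoint with a constructed two-customer data store: one handler trusts the ID from the URL, the fixed one compares the record's owner with the session user, and a small indirect-reference map shows the other standard mitigation, handing each user random tokens instead of database keys. Names, IDs and amounts are made up.

```python
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed data store. Sequential IDs are easy to guess: an attacker who sees
# /invoices/1001 in the URL will simply try 1002.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 4800),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    # DELIBERATELY VULNERABLE: the identifier from the request is trusted and
    # the logged-in user is never compared with the record's owner.
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice(session_user: str, invoice_id: int) -> Invoice:
    # FIXED: authorize every object access against the session identity.
    # "Missing" and "not yours" raise the same error so the endpoint does
    # not confirm which IDs exist.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise NotFound(invoice_id)
    return inv


class ReferenceMap:
    """Indirect references: give each user random, per-session tokens instead
    of raw database keys, so there is nothing meaningful to tamper with."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Dict[str, int]] = {}

    def issue(self, user: str, invoice_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._by_user.setdefault(user, {})[token] = invoice_id
        return token

    def resolve(self, user: str, token: str) -> Invoice:
        invoice_id = self._by_user.get(user, {}).get(token)
        if invoice_id is None:
            raise NotFound(token)
        return get_invoice(user, invoice_id)  # ownership is still re-checked


def attacker_reads_bobs_invoice() -> bool:
    """Alice, logged in, changes 1001 to 1002 in the URL of the vulnerable app."""
    try:
        return get_invoice_vulnerable("alice", 1002).owner == "bob"
    except NotFound:
        return False


def attacker_blocked() -> bool:
    """The same tampering against the fixed handler."""
    try:
        get_invoice("alice", 1002)
        return False
    except NotFound:
        return True


if __name__ == "__main__":
    print("vulnerable app leaks Bob's invoice:", attacker_reads_bobs_invoice())
    print("fixed app blocks the request     :", attacker_blocked())
```

The ownership check is the essential fix; the reference map is an extra layer that also stops enumeration of IDs, but as `resolve` shows, it should still call the authorizing accessor rather than replace it.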
Cont’d

SECURITY MISCONFIGURATION
 Gives hackers access to private data or features and can result in a
complete system compromise.
 Unnecessary features are enabled or installed (e.g. unnecessary ports,
services, pages, accounts or privileges), or defaults are left in place.
 Remove or do not install unused features and frameworks.
 A secure configuration must be defined and deployed for the application,
frameworks, application server, web server, database server and platform.
CROSS-SITE REQUEST FORGERY (CSRF)
 A malicious attack where a user is tricked into performing an action he
or she did not intend to perform.
 A third-party website sends a request to a web application the user is
already authenticated against; the browser attaches the user's cookies,
so the application treats the forged request as the user's own.
 Targets web applications like social media, in-browser email clients,
online banking, and web interfaces for network devices.
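The CSRF slide and the earlier "broken authentication and session management" slide are two sides of one mechanism, so here is one added worked example (not code from the original presentation) serving both: a server-side session store that issues unguessable session IDs on every login, enforces idle and absolute timeouts, and binds a CSRF token to each session; plus a state-changing handler that requires both. The scenario at the end replays a legitimate request, a forged cross-site request that carries the cookie but not the token, a guessed token, and a request after the idle timeout. The timeouts, user name and clock values are constructed for the example.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on a session's lifetime, idle or not


class SessionStore:
    """Server-side sessions keyed by an unguessable identifier.

    `clock` is injectable so timeouts can be exercised without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Dict] = {}

    def login(self, username: str, password_ok: bool) -> Optional[str]:
        if not password_ok:
            return None
        # A fresh 256-bit ID on every login defeats session fixation; the CSRF
        # token is bound to this session, not derivable from the cookie.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {
            "user": username,
            "created": now,
            "last_seen": now,
            "csrf": secrets.token_urlsafe(32),
        }
        return sid

    def get(self, sid: Optional[str]) -> Optional[Dict]:
        s = self._sessions.get(sid or "")
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def handle_transfer(store: SessionStore, cookie_sid: Optional[str],
                    form: Dict[str, str]) -> int:
    """State-changing endpoint: needs a live session AND the matching CSRF token.

    The browser attaches the session cookie to any request, including one a
    third-party page forged; the token lives only in the legitimate page's
    form, which the attacker's origin cannot read.
    """
    s = store.get(cookie_sid)
    if s is None:
        return 401
    if not hmac.compare_digest(form.get("csrf_token", ""), s["csrf"]):
        return 403
    # ... perform the transfer for s["user"] here ...
    return 200


def scenario() -> Dict[str, int]:
    """Constructed walk-through with a fake clock; returns HTTP-style codes."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("alice", password_ok=True)
    token = store.get(sid)["csrf"]
    results = {
        "legit": handle_transfer(store, sid, {"amount": "10", "csrf_token": token}),
        "forged": handle_transfer(store, sid, {"amount": "10000"}),  # cookie, no token
        "guessed": handle_transfer(store, sid, {"csrf_token": secrets.token_urlsafe(32)}),
    }
    now[0] += IDLE_TIMEOUT + 1
    results["after_idle_timeout"] = handle_transfer(store, sid, {"csrf_token": token})
    return results


if __name__ == "__main__":
    for name, code in scenario().items():
        print(f"{name:18s} {code}")
```

Two design points worth noting: the token comparison uses `hmac.compare_digest` so timing does not leak it, and the idle-timeout check runs on every lookup, so a stolen session ID stops working on its own once the user walks away.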
Website protection

 Keep your Software Up-To-Date


 Enforce Strong Password Policy
 Serve the login page (and the rest of the site) over HTTPS
 Use a secure hosting provider
 Backup your Data
 Scan your Website for Vulnerabilities
 Hire a Security Expert
SOC Tools

 QRadar (SIEM)
 WAF (web application firewall)
 CERT (a team rather than a tool; see below)
 AppScan
Cont’d

QRadar
 IBM Security QRadar SIEM is a network security management platform
that provides situational awareness and compliance support.
 It performs immediate normalization and correlation on raw data to
distinguish real threats from false positives.
It has three layers:
 Data collection layer
- Events and flows are collected from the network and normalized.
 Data processing layer
- Event data and flow data are run through the Custom Rules Engine
(CRE), which generates offenses and alerts.
 Data searches layer
- Data that has been collected and processed by QRadar is available to
users for searches, analysis, reporting, and alert or offense
investigation.
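To make the collection and processing layers concrete, here is an added example (not from the original presentation and not QRadar's own code or rule syntax) of what normalization plus a correlation rule does: it parses a constructed SSH authentication log into a common event schema, drops lines that are not authentication events, and applies a rule in the spirit of a CRE rule: five failures from one source inside sixty seconds raise a brute-force offense, and a success from that source while the burst is still in the window raises a higher-priority one. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example, and the input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Constructed SSH authentication log (syslog-style, ISO timestamps).
LOG_LINES = """\
2018-11-05T09:00:01Z sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2018-11-05T09:00:04Z sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2018-11-05T09:00:07Z sshd[4120]: Failed password for root from 203.0.113.7 port 51124 ssh2
2018-11-05T09:00:09Z sshd[4121]: Failed password for bob from 198.51.100.20 port 40001 ssh2
2018-11-05T09:00:11Z sshd[4120]: Failed password for root from 203.0.113.7 port 51125 ssh2
2018-11-05T09:00:15Z sshd[4120]: Failed password for root from 203.0.113.7 port 51126 ssh2
2018-11-05T09:00:16Z cron[233]: (root) CMD (run-parts /etc/cron.hourly)
2018-11-05T09:00:20Z sshd[4120]: Accepted password for root from 203.0.113.7 port 51127 ssh2
2018-11-05T09:00:25Z sshd[4121]: Accepted password for bob from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def normalize(line: str) -> Optional[Dict]:
    """Collection layer: turn a raw line into a common event schema.
    Lines that are not SSH authentication events are dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": "fail" if m["outcome"] == "Failed" else "success",
        "user": m["user"],
        "src": m["src"],
    }


def correlate(events: Iterable[Dict], threshold: int = 5,
              window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Processing layer: a sliding-window rule over chronologically ordered events.

    Offense 1: `threshold` failed logins from one source inside `window`.
    Offense 2: a success from that source while the burst is still in the
    window (brute force that worked), which is the one to escalate first.
    """
    offenses: List[Dict] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in events:
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "fail":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once per burst, not per extra failure
                offenses.append({"type": "brute_force", "src": ev["src"],
                                 "ts": ev["ts"], "count": len(q)})
        elif len(q) >= threshold:
            offenses.append({"type": "brute_force_success", "src": ev["src"],
                             "user": ev["user"], "ts": ev["ts"]})
            q.clear()
    return offenses


def run_rule(raw: str) -> List[Dict]:
    """Collection + processing over a raw log text; returns the offenses."""
    events = [e for e in (normalize(line) for line in raw.splitlines()) if e]
    return correlate(events)


if __name__ == "__main__":
    for offense in run_rule(LOG_LINES):
        print(offense)
```

Bob's single failure followed by a success stays below the threshold and produces nothing, which is the false-positive side of the slide's "distinguish real threats from false positives"; the threshold and window are the knobs an analyst tunes per environment.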
Cont’d

AppScan
 An integrated application security management dashboard.
 Monitors and protects deployed applications.
 Identifies and fixes vulnerabilities:
reduces risk exposure by identifying vulnerabilities early in the software
development lifecycle.
 Maximizes remediation efforts:
classifies and prioritizes application assets based on business impact and
identifies high-risk areas.
 Decreases the probability of attacks:
tests applications prior to deployment and for ongoing risk assessment in
production environments.
Cont’d

WAF
 A web application firewall (WAF) is a firewall that monitors, filters or
blocks HTTP traffic as it travels to and from a web application.
 Provides authentication and authorization services with or without cookie
encryption.
 Cross-site scripting (XSS) protection.
 Session timeout management.
 A WAF is a compensating control: it catches known attack patterns but
does not fix the vulnerable code behind it.
CERT
A Computer Emergency Response Team (CERT) is an expert group that handles
computer security incidents, so it is a function rather than a software
tool. Alternative names for such groups include computer emergency
readiness team and computer security incident response team (CSIRT). In
many organizations the CERT evolves into an information security
operations center (SOC).
THANK YOU!!!
