How to Pass Your SY0-701 Security+ Exam

The CompTIA Security+ Advantages

CompTIA stands for Computing Technology Industry Association.

• The most popular
• builds a solid foundation
• Many organizations require some type of certifications
• Knowledge and satisfaction
• Recognition in over 100 countries
• Available in different languages

About this Training Course

• SY0-701
• Released in Nov. 7, 2023
• Smaller video duration
• Quick and easy
• Follows the CompTIA exam objectives
• 90 minutes, max of 90 questions
• Passing score: 750 on a scale of 100-900

Exam Questions

• Multiple Choice
  • Very straightforward
  • Single, multiple answers
• Performance based
  • Complete a task
  • Matching, sorting, drag-and-drop etc.

Security Controls

• Security risks are out there
  • Many categories and types to consider
• Assets are also varied
  • Data, physically property, computer systems
• Prevent security events, minimize the impact, and limit the damage
  • Security controls

Control Categories

• Technical Controls
  • Controls implemented using systems
  • OSes controls
  • Firewalls, anti-viruses
• Managerial Controls
  • Admin controls associated with security design and implementation
  • Security policies, SOPs
• Operational Controls
  • Controls implemented by people instead of systems
  • Security guards, awareness programs
• Physical Controls
  • Limit physical access
  • Guard shack
  • Fences, locks
  • Badge readers

Preventive Control Types

• Preventive
  • Block access to a resource
  • You shall not pass
• Prevent access
  • Firewall rules
  • Follow security policy
  • Guard shack checks all identification
  • Enable door locks

Deterrent Control Types

• Deterrent
  • Discourage an intrusion attempt
  • Doesn’t directly prevent access
• Make an attacker think twice
  • Application splash screens
  • Threat of demotion
  • Front reception desk
  • Posted warning signs

Detective Control Types

• Detective
  • Identify and log an intrusion attempt
  • May not prevent access
• Find the issue
  • Collect and review system logs
  • Review login reports
  • Regularly patrol the property
  • Enable motion detectors

Corrective Control Types

• Corrective
  • Apply a control after an event has been detected
  • Reverse the impact of an event
  • Continue operating with minimal downtime
• Correct the problem
  • Restoring from backups can mitigate a ransomware infection
  • Create policies for reporting security issues
  • Contact law enforcement to manage criminal activity
  • Use a fire extinguisher

Compensating Control Types

• Compensating
  • Control using other means
  • Existing controls aren’t sufficient
  • May be temporary
• Prevent the exploitation of a weakness
  • Firewall blocks a specific application instead of patching the app
  • Implement a separation of duties
  • Require simultaneous guard duties
  • Generator used after power outage

Directive Control Types

• Direct a subject towards security compliance

• A relatively weak security control

• Do this, please!!!

  • Store all sensitive files in a protected folder
  • Create compliance policies and procedures
  • Train users on proper security policy
  • Post a sign for “Authorized Personnel Only”

Managing Security Controls

• These are not inclusive lists
  • There are many categories of control
  • Some organizations will combine types
• There are multiple security controls for each category and type
  • Some security controls may exist in multiple types or categories
  • New security controls are created as systems and processes evolve
  • Your organization may use very different controls

Security Concepts

The CIA Triad

• Combination of principles
  • The fundamentals of security
  • Sometimes referenced as the AIC Triad

1. Confidentiality
   • Prevent disclosure of information to unauthorized individuals or systems
2. Integrity
   • Messages can’t be modified without detection
3. Availability
   • Systems and networks must be up and running

1. Confidentiality

• Certain information should only be known to certain people
  • Prevent unauthorized information disclosure
• Encryption
  • Encode messages so only certain people can read it
• Access Controls
  • Selectively restrict access to a resource
• Two-factor Authentication
  • Additional confirmation before information is disclosed

2. Integrity

• Data is stored and transferred as intended
  • Any modification to the data would be identified.
• Hashing
  • Map data of an arbitrary length to data of a fixed length
• Digital Signatures
  • Mathematical scheme to verify the integrity of data
• Certificates
  • Combine with a digital signature to verify an individual
• Non-repudiation
  • Provides proof of integrity, can be asserted to be genuine!

3. Availability

• Information is accessible to authorized users
  • Always at your fingertips
• Redundancy
  • Build services that will always be available
• Fault Tolerance
  • System will continue to run, even when a failure occurs
• Patching
  • Stability
  • Close security holes

Non-repudiation

• You can’t deny what you have said
  • There is no taking it back
• Signs a contract
  • Your signature adds non-repudiation
  • You really did sign the contract
  • Others can see your signature
• Adds a different perspective for cryptography
  • Proof of integrity
  • Proof of origin, with high assurance of authenticity

Proof of integrity

• Verify data doesn’t change
  • The data remains accurate and consistent
• In cryptography, we use a hash
  • Represents data as a short string of text
  • A message digest, a fingerprint
• If the data changes, the hash changes
  • If the person changes, you get a different fingerprint
• Does not necessarily associate data with an individual
  • Only tells you if the data has changed

Proof of Origin

• Prove the message was not changed
  • Integrity
• Prove the source of the message
  • Authentication
• Make sure the signature isn’t fake
  • Non-repudiation
• Sign with the private key
  • The message doesn’t need to be encrypted
  • Nobody else can sign this (obviously)
• Verify with the public key
  • Any change to the message will invalidate the signature

Verifying a Digital Signature

Authentication, Authorization, and Accounting (AAA) Framework

• Identification
  • This is who you claim to be
  • Usually your username
• Authentication
  • Prove you are who you say you are
  • Password and other authentication factors
• Authorization
  • Based on your identification and authentication, what access do you have?
• Accounting
  • Resources used: Login time, data sent and received, logout time

Authenticating People

Authenticating Systems

• You have to manage many devices
  • Often devices that you will never physically see
• A system can’t type a password
  • And you may not want to store one
• How can you truly authenticate a device
  • Put a digitally signed certificate on the device
• Other business processes rely on the certificate
  • Acess to the VPN from authorized devices
  • Management software can validate the end device

Certificate Authentication

• An organization has a trusted Certificate Authority (CA)
  • Most organizations maintain their own CAs
• The organization creates a certificate for a device
  • And digitally signs the certificate with the organization’s CA
• The certificate can now be included on a device as an authentication factor
  • The CA’s digital signature is used to validate the certificate

Certificate-based Authentication

Authorization Models

• The user or device has now authenticated
  • To what do they now have access?
  • Time to apply an authorization model
• Users and services ⇾ data and applications
  • Associating individual users to access rights doesn’t scale
• Put an authorization model in the middle
  • Define by Roles, Organizations, Attributes, etc.

No Authorization Model

• A simple relationship
  • User ⇾ Resource
• Some issues with this method
  • Difficult to understand why an authorization may exist
  • Doesn’t scale

Using an Authorization Model

• Add an abstraction
  • Reduce complexity
  • Create a clear relationship between the user and the resource
• Administration is streamlined
  • Easy to understand the authorizations
  • Support any number of users or resources

Gap Analysis

• Where you are compared with where you want to be
  • The “gap” between the two
• This may require extensive research
  • There is a lot to consider
• This can take weeks or months
  • An extensive study with numerous participants
  • Get ready for emails, data gathering, and technical research

Choosing the Framework

• Get the baseline of employees
  • Formal experience
  • Current training
  • Knowledge of security policies and procedures
• Examine the current processes
  • Research existing IT systems
  • Evaluate existing security policies

Compare and Contrast

• The comparison
  • Evaluate existing systems
• Identify weakness
  • Along with the most effective processes
• A detailed analysis
  • Examine broad security categories
  • Break those into smaller segments

The Analysis and Report

• The final comparison
  • Detailed baseline objectives
  • A clear view of the current state
• Need a path to get from the current security to the goal
  • This will almost certainly include time, money, and lots of change control
• Time to create the gap analysis report
  • A formal description of the current state
  • Recommendations for meeting the baseline

Gap Analysis Overview

Zero Trust

• Many networks are relatively open on the inside
  • Once you’re through the firewall, there are few security controls
• Zero trust is a holistic approach to network security
  • Covers every device, every process, every person
• Everything must be verified
  • Nothing is inherently trusted
  • Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring, and analytics etc.

Planes of Operation

• Split the network into functional planes
  • Applies to physical, virtual, and cloud components
• Data Plane
  • Process the frames, packets, and network data
  • Processing, forwarding, trunking, encrypting, NAT
• Control Plane
  • Manages the actions of the data plane
  • Define policies and rules
  • Determine how packets should be forwarded
  • Routing tables, session tables, NAT tables

Extend the Physical Architecture

• Separate into functional tasks
  • Incorporate into hardware or software

Controlling Trust

• Adaptive Identity
  • Consider the source and the requested resources
  • Multiple risk indicators — relationship to the organization, physical location, type of connection, IP address, etc.
  • Make the authentication stricter, if needed
• Threat Scope Reduction
  • Decrease the number of possible entry points
• Policy-driven access control
  • Combine the adaptive identity with a predefined set of rules

Security Zone

• Security is more than a one-to-one relationship
  • Broad categorization provide a security-based foundation
• Where are you coming from and where are you going
  • Trusted, untrusted
  • Internal network, external network
  • VPN 1, VPN 5, VPN 11
  • Marketing, IT, Accounting, HR
• Using the zones may be enough by itself to deny access
  • For example, Untrusted to Trusted zone traffic
• Some zones are implicitly trusted
  • For example, Trusted to Internal zone traffic

Policy Enforcement Point

• Subjects and systems
  • End users, applications, non-human entities
• Policy enforcement point (PEP)
  • The gatekeeper
• Allow, monitor, and terminate connections
  • Can consist of multiple components working together

Applying Trust in the Planes

• Policy Decision Point
  • There’s a process for making an authentication decision
• Policy Engine
  • Evaluates each access decision based on policy and other information sources
  • Grant, deny, or revoke
• Policy Administration
  • Communicates with the Policy Enforcement Point
  • Generates access tokens or credentials
  • Tells PEP to allow or disallow access

Zero Trust Across Planes

Physical Security

Barricades/ Bollards

• Prevent access
  • There are limits to the prevention
• Channel people through a specific access point
  • And keep out other things
  • Allow people, prevent cars and trucks
• Identify safety concerns
  • And prevent injuries
• Can be used to an extreme
  • Concrete barriers/bollards
  • Moats (Water ditch around the facility)

Access Control Vestibules

• All doors normally unlocked
  • Opening one door causes others to lock
• All doors normally locked
  • Unlocking one door prevents others from being unlocked
• One door open/others locked
  • When one is open, the other cannot be unlocked
• One at a time, controlled groups
  • Managed control through an area

Fencing

• Build a perimeter
  • Usually very obvious
  • May not be what you’re looking for
• Transparent or opaque
  • See through fence (or not)
• Robust
  • Difficult to cut the fence
• Prevent Climbing
  • Razor wire
  • Build it high

Video Surveillance

• CCTV (Closed circuit television)
  • Can replace physical guards
• Camera features are important
  • Motion recognition can alarm and alert when something moves
  • Object detection can identify a license plate or person’s face
• Often many cameras
  • Networked together and recorded over time

Guards and Access Badges

• Security Guard
  • Physical protection at the reception area of a facility
  • Validate identification of existing employees
• Two-person integrity/control
  • Minimize exposure to an attack
  • No single person has access to a physical asset
• Access badge
  • Picture, name, other details
  • Must be worn at all times
  • Electronically logged

Lighting

• More light means more security
  • Attackers avoid the light
  • Easier to see when lit
  • Non IR cameras can see better
• Specialized design
  • Consider overall light levels
  • Lighting angles may be important
• Avoid shadows and glare

Sensors

• Infrared
  • Detects infrared radiation in both light and dark
  • Common in motion detectors
• Pressure
  • Detects a change in force
  • Floor and window sensors
• Microwave
  • Detects movement across large areas
• Ultrasonic
  • Send ultrasonic signals, receive reflected sound waves
  • Detect motion, collision detection etc.

Deception and Disruption

Honeypots

• Attract the bad guys
  • And trap them there
• The “attacker” is probably a machine
  • Makes for interesting recon
• Honeypots
  • Create a virtual world to explore
• Many options
  • Most are open source and available to download
• Constant battle to discern the real from the fake

Honeynets

• A real network includes more than a single device
  • Servers, workstations, routers, switches, firewalls
• Honeynets
  • Build a larger deception network with one or more honeypots
• More than one source of information
  • Stop spammers — https://projecthoneypot.org

Honeyfiles

• Attract the attackers with more honey
  • Create files with fake information
  • Something bright and shiny
• Honeyfiles
  • Bait for the honeynet (passwords.txt)
  • Add many honeyfiles to files shares
• An alert is sent if the file is accessed
  • A virtual bear trap

Honeytokens

• Track the malicious actors
  • Add some traceable data to the honeynet
  • If the data is stolen, you will know where it came from
• API Credentials
  • Doesn’t actually provide access
  • Notifications are sent when used
• Fake email addresses
  • Add it to a contact list
  • Monitor the internet to see who posts it
• Many other honeytoken examples
  • Database records, browser cookies, web page pixels

Change Management

Change Management

• How to make a change
  • Upgrade software, patch an application, change firewall configuration, modify switch ports
• One of the most common risks in the enterprise
  • Occurs very frequently
• Often overlooked or ignored
  • Did you feel that bit?
• Have clear policies
  • Frequency, duration, installation process, rollback procedures
• Sometimes extremely difficult to implement
  • It’s hard to change corporate culture

Change Approval Process

• A formal process for managing change
  • Avoid downtime, confusion, and mistakes
• A typical approval process
  • Complete the request forms
  • Determine the purpose of the change
  • Identify the scope of the change
  • Schedule a date and time of the change
  • Determine affected systems and the impact
  • Analyze the risk associated with the change
  • Get approval from the change control board
  • Get end-user acceptance after the change is complete

Ownership

• An individual or entity needs to make a change
  • They own the process
  • They don’t (usually) perform the actual change
• The owner manages the process
  • Process updates are provided to the owner
  • Ensures the process is followed, and acceptable
• Address label printers needs to be upgraded
  • Shipping and Receiving department owns the process
  • IT handles the actual change

Stakeholders

• Who is impacted by this change?
  • They’ll want to have input on the change management process
• This may not be as obvious as you might think
  • A single change can include one individual or the entire company
• Upgrade software used for shipping labels
  • Shipping/receiving
  • Accounting reports
  • Product delivery timeframes
  • Revenue recognition — CEO visibility

Impact Analysis

• Determine a risk value
  • high, medium, low etc.
• The risks can be minor or far-reaching
  • The “fix” doesn’t actually fix anything
  • The fix breaks something else
  • OS failures
  • Data corruption
• What’s the risk with NOT making the change?
  • Security vulnerability
  • Application unavailability
  • Unexpected downtime to other services

Test Results

• Sandbox testing environment
  • No connection to the real world or production system
  • A technological safe place
• Use before making a change to production
  • Try the upgrade, apply the patch
  • Test and confirm before deployment
• Confirm the back out plan
  • Move everything back to the original
  • A sandbox cannot consider every possibility

Backout Plan

• The change will work perfectly and nothing will ever go bad
  • Of course it will
• You should always have a way to revert your changes
  • Prepare for the worst, hope for the best
• This isn’t as easy as it sounds
  • Some changes are difficult to revert
• Always have backups
  • Always have good backups

Maintenance Windows

• When is the change happening
  • This might be the most difficult part of the process
• During the workday may not be the best option
  • Potential downtime would affect a large part of production
• Overnights are often a better choice
  • Challenging for 24-hour production schedules
• The time of year may be a consideration
  • Retail networks are frozen during the holiday season

Standard Operating Procedures

• Change management is critical
  • Affects everyone in the organization
• The process must be well documented
  • Should be available on the Internet
  • Along with all standard processes and procedures
• Changes to the process are reflected in the standards
  • A living document

Technical Change Management

• Put the change management process into action
  • Execute the plan
• There is no such thing as a simple upgrade
  • Can have many moving parts
  • Separate events may be required
• Change management is often concerned with “what” need to change
  • The technical team is concerned with “how” to change it

Allow List/Deny List

Any application can be dangerous

• Vulnerabilities, Trojan horses, malware

Security policy can control app execution

• Allow list, deny/block list

Allow list

• Nothing runs unless it’s approved
• Very restrictive

Deny list

• Nothing on the “bad list” can be executed
• Anti-virus, anti-malware

Restricted Activities

The scope of a change is important

• Defines exactly which components are covered

A change approval isn’t permission to make any change

• The change control approval is very specific

The scope may need to be expanded during the change window

• It’s impossible to prepare for all possible outcomes

The change management process determines the next steps

• There are processes in place to make the change successful

Downtime

Services will eventually be unavailable

• The change process can be disruptive
• Usually scheduled during non-production hours

If possible, prevent any downtime

• Switch to secondary system, upgrade the primary, then switch back

Minimize any downtime events

• The process should be as automated as possible
• Switch back to secondary if issues appear
• Should be part of the backout plan

Send emails and calendar updates

Restarts

It’s common to require a restart

• Implement the new configuration
• Reboot the OS, power cycle the switch, bounce the service
• Can the system recover from a power outage?

Services

• Stop and restart the service or daemon
• May take seconds or minutes

Applications

• Close the application completely
• Launch a new application instance

Legacy Applications

Some applications were here before you arrived

• They will here when you leave

Often no longer supported by the developer

• You’re now the support team

Fear of Unknown

• Face your fears and document the system
• It may not be as bad as you think

May be quirky

• Create specific processes and procedures

Become the expert

Dependencies

To complete A, you must complete B

• A service will not start without other active services
• An application requires a specific library version

Modifying one component may require changing or restarting other components

• This can be challenging to manage

Dependencies may occur across systems

• Upgrade the firewall code first
• Then upgrade the firewall management software

Documentation

It can be challenging to keep up with changes

• Documentation can become outdated very quickly
• Require with the change management process

Updating diagrams

• Modifications to network configurations
• Address updates

Updating policies/procedures

• Adding new systems may require new procedures

Version Control

Track changes to a file or configuration data over time

• Easily revert to a previous setting

Many opportunities to manage versions

• Router configurations
• Windows OS patches
• Application registry entries

Not always straightforward

• Some devices and OSes provide version control features
• May require additional management software

Cryptographic Solutions

Public Key Infrastructure (PKI)

Policies, procedures, hardware, software, people

• Digital certificates: create, distribute, manage, store, revoke

This is a big, big, endeavor

• Lots of planning

Also refers to the binding of public keys to people or devices

• The certificate authority (CA)
• It’s all about trust

Symmetric Encryption

A single, shared key

• Encrypt with the key
• Decrypt with the same key
• If it gets out, you’ll need another key

Secret key algorithm

• A shared secret

Doesn’t scale very well

• Can be challenging to distribute

Very fast to use

• Less overhead than asymmetric encryption
• Often combined with asymmetric encryption

Asymmetric Encryption

Public key cryptography

• Two (or more) mathematically related keys

Private Key

• Keep this private

Public Key

• Anyone can see this key
• Give it away

The private key is the only key that can decrypt data encrypted with public key

• You cannot derive the private key from the public key

The Key Pair

Asymmetric encryption

• Public Key Cryptography

Key generation

• Build both the public and private key at the same time
• Lots of randomization
• Large prime numbers
• Lots and lots of math

Everyone can have the public key

• Only Alice has the private key

Asymmetric Encryption

Key Escrow

Someone else holds your decryption keys

• Your private keys are in the hands of a 3^rd Party
• This may be within your own organization

This can be a legitimate business arrangement

• A business might need access to employee information
• Government agencies may need to decrypt partner data

Controversial?

• Of course
• But may still be required

Encrypting Data

Encrypting Stored Data

Protect data on storage devices

• SSD, hard drive, USB drive, cloud storage, etc.
• This is data at rest

Full-disk and partition/volume encryption

• BitLocker, FileVault, etc.

File encryption

• EFS (Encrypting File System), third-party utilities

Database Encryption

Protecting stored data

• And the transmission of that data

Transparent encryption

• Encrypt all database information with a symmetric key

Record-level encryption

• Encrypt individual columns
• Use separate symmetric keys for each column

Example Database:

You can encrypt the entire database

But this adds the extra overhead for database search and lookup. We have to decrypt the data every time we need to pull something from it.

One way to avoid, the overhead is to encrypt only the sensitive portion of the data, leaving rest as unencrypted.

Transport Encryption

Protect data traversing the network

• You are probably doing this now

Encrypting in the application

• Browsers can communicate using HTTPS

VPN (virtual private network)

• Encrypts all data transmitted over the network, regardless of the application
• Client-based VPN using SSL/TLS
• Site-to-site VPN using IPsec

Encryption Algorithms

There are many, many ways to encrypt data

• The proper “formula” must be used during encryption and decryption

Both sides decide on the algorithm before encrypting the data

• The details are often hidden from the end user

There are advantages and disadvantages between algorithms

• Security level, speed, complexity of implementation, etc.

Encryption Algorithm Comparison

Cryptographic Keys

There’s very little that is not known about the cryptographic process

• The algorithm is usually a known entity
• The only thing you don’t know is the key

The key determines the output

• Encrypted data
• Hash value
• Digital signature

Keep your key private

• It’s the only thing protecting your data

Key Lengths

Larger keys tend to be more secure

• Prevent brute-force attacks
• Attackers can try every possible key combination

Symmetric encryption

• 128-bit or larger symmetric keys are common
• These numbers get larger and larger as time goes on

Asymmetric encryption

• Complex calculations of prime numbers
• Larger keys than symmetric encryption
• Common to see key lengths of 3072 bits or larger

Key Stretching

A weak key is a weak key

• By itself, it’s not very secure

Make a weak key stronger by performing multiple processes

• Hash a password. Hash the hash of the password. And continue…
• Key stretching, key strengthening

Brute force attacks would require reversing each of those hashes

• The attacker has to spend much more time, even though the key is small

Key Exchange

A logistical challenge

• How do you share an encryption key across an insecure medium without physically transferring the key?

Out-of-band key exchange

• Don’t send the symmetric key over the network
• Telephone, courier, in-person, etc.

In-band key exchange

• It’s on the network
• Protect the key with additional encryption
• Use asymmetric encryption to deliver a symmetric key

Real-time Encryption/Decryption

There is a need for fast security

• Without compromising the security part

Share a symmetric session key using asymmetric encryption

• Client encrypts a random (symmetric) key with a server’s public key
• The server decrypts this shared key and uses it to encrypt data
• This is the session key

Implement session keys carefully

• Need to be changed often (ephemeral keys)
• Need to be unpredictable

Symmetric Key from Asymmetric Keys

Use public and private key cryptography to create a symmetric key

• Math is powerful

Encryption Technologies

Trusted Platform Module (TPM)

A specification for cryptographic functions

• Cryptography hardware on a device

Cryptographic processor

• Random number generator, key generators

Persistent Memory

• Unique keys burned in during manufacturing

Versatile memory

• Storage keys, hardware configuration information
• Securely store BitLocker keys

Password protected

• No dictionary attacks

Hardware Security Module (HSM)

Used in large environments

• Clusters, redundant power
• Securely store thousands of cryptographic keys

High-end cryptographic hardware

• Plug-in card or separate hardware device

Key backup

• Secure storage in hardware

Cryptographic accelerators

• Offload that CPU overhead from other devices

Key Management System

Services are everywhere

• On-premises, cloud-based
• Many keys for many services

Manage all keys from a centralized manager

• Often provided as third-party software
• Separate the encryption keys from the data

All key management from one console

• Create keys for a specific service or cloud provider (SSL/TLS, SSH, etc.)
• Associate keys with specific users
• Rotate keys on regular intervals
• Log key use and important events

Keeping Data Private

Our data is located in many places

• Mobile phones, cloud, laptops, etc.
• The most private data is often physically closest to us

Attackers are always finding new techniques

• It’s a race to stay one step ahead

Our data is changing constantly

• How do we keep this data protected?

Secure Enclave

A protected area of our secrets

• Often implemented as a hardware processor
• Isolated from the main processor
• Many technologies and names

Provides extensive security features

• Has its own boot ROM
• Monitors the system boot process
• True random number generator
• Real-time memory encryption
• Performs AES encryption in hardware
• And more…

Obfuscation

The process of making something unclear

• It’s now much more difficult to understand

But it’s not impossible to understand

• If you know how to read it

Hid information in plain sight

• Store payment information without storing a credit card number

Hide information inside an image

• Steganography

Steganography

Greek for “concealed writing”

• Security through obscurity

Message is invisible

• But it’s really there

The covertext

• The container document or file

Common Steganography Techniques

Network based

• Embed messages in TCP packets

Use an image

• Embed the message in the image itself

Invisible watermarks

• Yellow dots on printers

Other Steganography Types

Audio steganography

• Modify the digital audio file
• Interlace a secret message within the audio
• Similar techniques to image steganography

Video steganography

• A sequence of images
• Use image steganography on a larger scale
• Manage the signal-to-noise ratio
• Potentially transfer much more information

Tokenization

Replace sensitive data with a non-sensitive placeholder

• SSN 266-12-1112 is no 691-618539

Common with credit card processing

• Use a temporary token during payment
• An attacker capturing the card numbers can’t use them later

This isn’t encryption or hashing

• The original data and token aren’t mathematically related

Data Masking

Data Obfuscation

• Hide some original data

Protects PII

• And other sensitive data

May only be hidden from view

• The data may still be intact in storage
• Control the view based on permissions

Many techniques

• Substituting, shuffling, encrypting, masking out, etc.

Hashing and Digital Signatures

Hashes

Represent data as a short string of text

• A message digest, a fingerprint

One-way trip

• Impossible to recover the original message from the digest
• Use to store passwords/confidentiality

Verify a downloaded document is the same as the original

• Integrity

Can be a digital signature

• Authentication, non-repudiation, and integrity

Collision

Hash functions

• Take an input of any size
• Create a fixed size string
• Message digest, checksum

The hash should be unique

• Different inputs should never create the same hash
• If they do, it’s a collision

MD5 has a collision problem

• Found in 1996
• Don’t use MD5 for anything important

Practical Hashing

Verify a downloaded file

• Hashes may be provided on the download site
• Compare the downloaded files hash with the posted hash value

Password Storage

• Instead of storing the password, store a salted hash
• Compare hashes during the authentication process
• Nobody ever knows your actual password

Adding Some Salt

Salt

• Random data added to a password when hashing

Every user gets their own random salt

• The salt is commonly stored with the password

Rainbow tables won’t work with salted hashes

• Additional random value added to the original password

This slows down the brute force process

• It doesn’t completely stop the reverse engineering

Salting the Hash

Each user gets a different random hash

• The same password creates a different hash

Digital Signature

Prove the message was not changed

• Integrity

Prove the source of the message

• Authentication

Make sure the signature isn’t fake

• Non-repudiation

Sign with the private key

• The message doesn’t need to be encrypted
• Nobody else can sign this (obviously)

Verify with the public key

• Any change in the message will invalidate the signature

Creating a Digital Signature

Blockchain Technology

A distributed ledger

• Keep track of transaction

Everyone on the blockchain network maintains the ledger

• Records and replicates to anyone and everyone

Many practical applications

• Payment processing
• Digital identification
• Supply chain monitoring
• Digital Voting

The Blockchain Process

Certificates

Digital Certificates

A public key certificate

• Binds a public key with a digital signature
• And other details about the keyholder

A digital signature adds trust

• PKI uses Certificate Authorities for additional trust
• Web of Trust adds other users for additional trust

Certificate creation can be built into the OS

• Part of Windows Domain services
• Many 3rd-party options

What’s in a digital Certificate?

X.509

• Standard format

Certificate Details

• Serial number
• Version
• Signature algorithm
• Issuer
• Name of the cert holder
• Public key
• And more…

Root of Trust

Everything associated with IT security requires trust

• A foundational characteristic

How to build trust from something unknown?

• Someone/something trustworthy provides their approval

Refer to the root of trust

• An inherently trusted component
• Hardware, software, firmware, or other component
• Hardware security module (HSM), Secure Enclave, Certificate Authority, etc.

Certificate Authorities

You connect to a random website

• Do you trust it?

Need a good way to trust an unknown entity

• Use a trusted third-party
• An authority

Certificate Authorization (CA) has digitally signed the website certificate

• You trust the CA, therefore you trust the website
• Real-time verification

Third-party Certificate Authorities

Built-in to your browser

• Any browser

Purchase your website certificate

• It will be trusted by everyone’s browser

CA is responsible for vetting the request

• They will confirm the certificate owner
• Additional verification information may be required by the CA

Certificate Signing Requests

Create a key pair, then send the public key to the CA to be signed

• A certificate signing request (CSR)

The CA validates the request

• Confirms DNS emails and website ownership

CA digitally signs the cert

• Returns to the applicant

Private Certificate Authorities

You are your own CA

• Build it in-house
• Your devices must trust the internal CA

Needed for medium-to-large organization

• Many web servers and privacy requirements

Implement as part of your overall computing strategy

• Windows Certificate Services, OpenCA

Self-signed Certificates

Internal certificates don’t need to be signed by a public CA

• Your company is the only one going to use it
• No need to purchase trust for devices that already trust you

Build your own CA

• Issue your own certificates signed by your own CA

Install the CA certificate/trusted chain on all devices

• They will now trust any certificate signed by your internal CA
• Works exactly like a certificate you purchased

Wildcard Certificates

Subject Alternative Name (SAN)

• Extension to an X.509 certificate
• Lists additional identification information
• Allows a certificate to support many domains

Wildcard domain

• Certificates are based on the name of the server
• A wildcard domain will apply to all server names in the domain

Key Revocation

Certificate Revocation List (CRL)

• Maintained by the CA
• Can contain many revocations in a large file

Many reasons

• Changes all the time

April 2014 — CVE-2014-0160

• Heartbleed
• OpenSSL flaw put the private key of affected web servers at risk
• OpenSSL was patched, every web server certificate was replaced
• Older certificates were moved to the CRL

OCSP Stapling

Online Certificate Status Protocol

• Provides scalability for OCSP checks

The CA is responsible for responding to all client OCSP requests

• This may not scale well

Instead, have the certificate holder verify their own status

• Status information is stored on the certificate holder’s server

OCSP status is “stapled” into the SSL/TLS handshake

• Digitally signed by the CA

Getting Revocation Details to the Browser

OCSP (Online Certificate Status Protocol)

• The browser can check certificate revocation

Message usually sent to an OCSP responder via HTTP

• Easy to support over Internet links
• More efficient than downloading a CRL

Not all browsers/apps support OCSP

• Early Internet Explorer versions didn’t support OCSP
• Some support OCSP, but don’t bother checking

Threat Actors

The entity responsible for an event that has an impact on the safety of another entity

• Also called a malicious actor

Threat actor attributes

• Describes characteristics of the attacker

Useful to categorize the motivation

• Why is this attack happening?
• Is this directed or random?

Attributes of Threat Actors

Internal/external

• The attacker is insider the house
• They are outside and trying to get in

Resources/funding

• No money
• Extensive funding

Level of sophistication/capability

• Blindly runs scripts or automated vulnerability scans
• Can write their own attack malware and scripts

Motivations of Threat Actors

What makes them tick?

• There is a purpose to this attack

Motivation include

• Data exfiltration
• Espionage
• Service disruption
• Blackmail
• Financial gain
• Philosophical/political beliefs
• Ethical
• Revenge
• Disruption/chaos
• War

Nation States

External entity

• Government and national security

Many possible motivations

• Data exfiltration, philosophical, revenge, disruption, war

Constant attacks, massive resources

• Commonly an Advanced Persistent Threat (APT)

Highest sophistication

• Military control, utilities, financial control
• United States and Israel destroyed 1000 nuclear centrifuges with the Stuxnet worm

Unskilled Attackers

Run pre-made scripts without any knowledge of what’s really happening

• Anyone can do this

Motivated by the hunt

• Disruption, data exfiltration, sometimes philosophical

Can be internal or external

• But usually external

Not very sophisticated

• Limited resources, if any

No formal funding

• Looking for low-hanging fruit

Hacktivist

A hacker with a purpose

• Motivated by philosophy, revenge, disruption, etc.

Often an external entity

• Could potentially infiltrate to also be an insider threat

Can be remarkably sophisticated

• Very specific hacks
• DoS, website defacing, private documents release

Funding may be limited

• Some organizations have fundraising options

Insider Threat

More than just passwords on sticky notes

• Motivated by revenge, financial gain

Extensive resources

• Using the organization’s resources against themselves

An internal entity

• Eating away from the inside

Medium level of sophistication

• The insider has institutional knowledge
• Attacks can be directed at vulnerable systems
• The insider knows what to hit

Organized Crime

Professional criminals

• Motivated by money
• Almost always an external entity

Very sophisticated

• Best hacking money can buy

Crime that’s organized

• One person hacks, one person manages the exploits, another person sells the data, another handles’ customer support

Lots of capital to fund hacking efforts

Shadow IT

Going rogue

• Working around the internal IT organization
• Builds their own infrastructure

Information Technology can put up roadblocks

• Shadow IT is unencumbered
• Use the cloud
• Might also be able to innovate

Limited resources

• Company budget

Medium sophistication

• May not have IT training or knowledge

Common Threat Vectors

A method used by the attacker

• Gain access or infect to the target
• Also called “Attack Vectors”

A lot of work goes into finding vulnerabilities in these vectors

• Some are more vulnerable than others

IT security professional spend their career watching these vectors

• Protect existing vectors
• Find new vectors

Message-based Vectors

One the biggest (and most successful) threat vectors

• Everyone has at least one of these messaging systems

Email

• Malicious links in an email
• Link to malicious site

SMS (Short Message Service

• Attacks in a text message

Phishing Attacks

• People want to click links
• Links in an email, links send via text or IM

Deliver the malware to the user

• Attach it to the email
• Scan all attachments, never launch untrusted links

Social engineering attacks

• Invoice scams
• Cryptocurrency scams

Image-based Vectors

Easy to identify a text-based threat

• It’s more difficult to identify the threat in an image

Some image formats can be a threat

• The SVG (Scalable Vector Graphic) format
• Image is described in XML (Extensible Markup Language)

Significant security concerns

• HTML injection
• JavaScript attack code

Browsers must provide input validation

• Avoid running malicious code

File-based Vectors

More than just executables

• Malicious code can hide in many places

Adobe PDF

• A file format containing other objects

ZIP/RAR files (or any compression type)

• Contains many files

Microsoft Office

• Documents with macros
• Add-in files

Voice Call Vectors

Vishing

• Phishing over the phone

Spam over IP

• Large-scale phone calls

War dialing

• It still happens

Call tampering

• Disrupting voice calls

Removable Device Vectors

Get around the firewalls

• The USB interface

Malicious software on USB flash drives

• Infect air gapped networks
• Industrial systems, high-security services

USB devices can act as keyboards

• Hacker on a chip

Data exfiltration

• Terabytes of data walk out the door
• Zero bandwidth used

Vulnerable Software Vectors

Client-based

• Infected executable
• Known (or unknown) vulnerabilities
• May require constant updates

Agentless

• No installed executable
• Compromised software on the server would affect all users
• Client runs a new instance each time

Unsupported Systems Vectors

Patching is an important prevention tool

• Ongoing security fixes

Unsupported systems aren’t patched

• There may not even be an option

Outdated OSes

• Eventually, even the manufacturer won’t help

A single system could be an entry

• Keep your inventory and records current

Unsecure Network Vectors

The network connect everything

• Ease of access for the attackers
• View all (non-encrypted) data

Wireless

• Outdated security protocols (WEP, WPA, WPA2)
• Open or rogue wireless networks

Wired

• Unsecure interfaces — No 802.1X

Bluetooth

• Reconnaissance
• Implementation vulnerabilities

Open Service Ports

Most network-based services connect over a TCP or UDP port

• An “open” port

Every open port is an opportunity for the attacker

• Application vulnerability or misconfiguration

Every application has their own open port

• More services expand the attack surface

Firewall rules

• Must allow traffic to an open port

Default Credentials

Most devices have default usernames and passwords

• Change yours!

The right credentials provide full control

• Administrator access

Very easy to find the defaults for your access point or router

• https://www.routerpasswords.com

Supply Chain Vectors

Tamper with the underlying infrastructure

• Or manufacturing process

Managed service providers (MSPs)

• Access many customer networks from one location

Gain access to a network using a vendor

• 2013 Target credit card breach

Suppliers

• Counterfeit networking equipment
• Install backdoors, substandard performance and availability
• 2020 — Fake Cisco Catalyst Switches

Phishing

Social engineering with a touch of spoofing

• Often delivered by email, text, etc.
• Very remarkable when well done

Don’t be fooled

• Check the URL

Usually there’s something not quite right

• Spelling, fonts graphics

Business Email Compromise

We trust email sources

• The attackers take advantage of this trust

Spoofed email addresses

• Not really a legitimate email address
• professor@professormessor.com

Financial fraud

• Send emails with updated bank information
• Modify wire transfer details

The recipient clicks the links

• The attachments have malware

Tricks and Misdirection

How are they so successful?

• Digital slight of hands
• It fools the best of us

Typo squatting

• A type of URL hijacking — https://professormessor.com

Pretexting

• Lying to get information
• Attacker is a character in a situation they create
• Hi, we are calling from Visa regarding an automated payment to your utility service

Phishing with different bait

Vishing (voice phishing) is done over the phone or voicemail

• Call ID spoofing is common
• Fake security checks or bank updates

Smishing (SMS phishing) is done by text message

• Spoofing is a problem here as well
• Forwards links or asks for personal information

Variations on a theme

• The fake check scam, phone verification code scam, Boss/CEO scam, advance-fee scam
• Some great summaries on https://reddit.com/r/Scams

Impersonation

Attackers pretend to be someone they are not

• Halloween for the fraudsters

User some of those details from reconnaissance

• You can trust me, I’m with your help desk

Attack the victim as someone higher in rank

• Office of the Vice President for Scamming

Throw tons of technical details around

• Catastrophic feedback due to the depolarization of the differential magnetometer

Be a buddy

• How about those Cubs

Eliciting Information

Extracting information from the victim

• The victim doesn’t even realize this is happening
• Hacking the human

Often seen with vishing

• Can be easier to get this information over the phone

These are well-documented psychological techniques

• They cannot just ask, “So, what’s your password?”

Identify Fraud

Your identity can be used by others

• Keep your personal information safe!

Credit card fraud

• Open an account in your name, or use your credit card information

Bank Fraud

• Attacker gains access to your account or opens a new account

Loan fraud

• Your information is used for a loan or lease

Government benefits fraud

• Attacker obtains benefits on your behalf

Protect against impersonation

Never volunteer information

• My password is 12345

Don’t disclose personal details

• The bad guys are tricky

Always verify before revealing info

• Call back, verify through 3rd parties

Verification should be encouraged

• Especially if your organization owns valuable information

Watering Hole Attack

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization’s users frequent, and then uses one or more of the websites to distribute malware.

What if your network was really secure?

• You didn’t even plug in that USB key from the parking lot

The attackers can’t get in

• Not responding to phishing emails
• Not opening any email attachments

Have the mountain come to you

• Go where the mountain hangs out
• the watering hole
• This requires a bit of research

Executing the Watering Hole Attack

Determine which websites the victim group uses

• Educated guess — Local coffee or sandwich shop
• Industry-related sites

Infect one of these third-party sites

• Site vulnerability
• Email attachments

Infect all visitors

• But you are just looking for specific victims
• Now you’re in!

Because that’s where the money is

January 2017

Polish Financial Supervision Authority, National Banking and Stock Commission of Mexico, State-owned bank in Uruguay

• The watering hole was sufficiently poisoned

Visiting the site would download malicious JavaScript files

• But only to IP addresses matching banks and other financial institutions

Did the attack work?

• We still don’t know

Watching the Watering Hole

Defense-in-depth

• Layered defense
• It’s never one thing

Firewall and IPS

• Stop the network traffic before things get bad

Antivirus/Anti-malware signature updates

• The Polish Financial Supervision Authority attack code was recognized and stopped by generic signatures in Symantec’s antivirus software

Other Social Engineering Attacks

Misinformation/disinformation

Disseminate factually incorrect information

• Create confusion and division

Influence campaigns

• Sway public opinion on political and social issues

Nation-state actors

• Divide, distract, and persuade

Advertising is an option

• Buy a voice for your opinion

Enabled through Social media

• Creating, sharing, liking, amplifying

The misinformation Process

Brand Impersonation

Pretend to be a well-known brand

• Coca-cola, McDonald’s, Apple, etc.

Create tens of thousands of impersonated sites

• Get into the Google index, click an ad, get a WhatsApp message

Visitors are presented with a pop-up

• You won! Special offer! Download the video!

Malware infection is almost guaranteed

• Display ads, site tracking, data exfiltration

Types of Vulnerabilities

Finding Malware

Malware runs in memory

• Memory forensics can find the malicious code

Memory contains running processes

• DLLs (Dynamic Link Libraries)
• Threads
• Buffers
• Memory management functions
• And much more

Malware is hidden somewhere

• Malware runs in its own process
• Malware injects itself into a legitimate process

Memory Injection

Add code into the memory of an existing process

• Hide malware inside the process

Get access to the data in that process

• And the same rights and permissions
• Perform a privilege escalation

DLL Injection

Dynamic-Link Library

• A Windows library containing code and data
• Many applications can use this library

Attackers inject a path to a malicious DLL

• Runs as part of the target process

One of the most popular memory injection methods

• Relatively easy to implement

Buffer Overflows

Overwriting a buffer of memory

• Spills over into other memory areas

Developers need to perform bounds checking

• The attackers spend a lot of time looking for openings

Not a simple exploit

• Takes time to avoid crashing things
• Takes time to make it do what you want

A really useful buffer overflow is repeatable

• Which means that a system can be compromised

Race Conditions

Race Condition

A programming conundrum

• Sometimes, things happen at the same time
• This can be bad if you’ve not planned for it

Time-of-check to time-of-use attack (TOCTOU)

• Check the system
• When do you use the results of your last check?
• Something might happen between the check and the use

Race Condition Example

Race Conditions can cause big problems

January 2004 — Mars rover “Spirit”

• Reboot when a problem is identified
• Problem is with the file system, so reboot because of the file system problem
• Reboot loop was the result

Pwn2Own Vancouver 2023 — Tesla Model 3

• TOCTOU attack against the Tesla infotainment using Bluetooth
• Elevated privileges to root
• Earned $100,000 US prize, and they keep the Tesla

Malicious Updates

Software Updates

Always keep your operating system and applications updated

• Updates often include bug fixes and security patches

This process has its own security concerns

• Note every update is equally secure

Follow best practices

• Always have a known-good backup
• Install from trusted sources
• Did I mention the backup?

Downloading and updating

Install updates from a downloaded file

• Always consider your actions
• Every installation could potentially be malicious

Confirm the source

• A random pop-up during web browsing may not be legitimate

Visit the developer’s site directly

• Don’t trust a random update button or random downloaded file

Many OSes will only allow signed apps

• Don’t disable your security controls

Automatic Updates

The app updates itself

• Often includes security checks/digital signatures

Relatively trustworthy

• Comes directly from the developer

SolarWinds Orion supply chain attack

• Reported in December 2025
• Attackers gained access to the SolarWinds development system
• Added their own malicious code to the updates
• Gained access to hundreds of government agencies and companies

Operating System Vulnerabilities

Operating Systems

A foundational computing platform

• Everyone has an OS
• This makes the OS a very big target

Remarkably complex

• Millions of lines of code
• More code means more opportunities for a security issues

The vulnerabilities are already in there

• We’ve just not found them yet

A month OS updates

A normal month of Windows updates

• Patch Tuesday — 2nd Tuesday of each month
• Other companies have similar schedules

May 9, 2023 — Nearly 50 security patches

• 8 Elevation of Privilege Vulnerabilities
• 4 Security Feature Bypass Vulnerabilities
• 12 Remote Code Execution Vulnerabilities
• 8 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities
• 1 Spoofing Vulnerability

Checkout Microsoft Security Center for latest patches and updates: https://msrc.microsoft.com/

Best Practices for OS Vulnerabilities

Always update

• Monthly or on-demand updates
• It’s a race between you and the attackers

May require testing before deployment

• A patch might break something else

May require a reboot

• Save all data

Have a fallback plan

• Where’s that backup?

SQL Injection

Code Injection

Code Injection

• Adding your own information into a data stream

Enabled because of bad programming

• The application should properly handle input and output

So many data types

• HTML, SQL, XML, LDAP

SQL Injection

SQL — Structured Query Language

• The most common relational database management system language

SQL injection (SQLi)

• Put your own SQL requests into an existing application
• Your application shouldn’t allow this

Can often be executed in a web browser

• Inject in a form or field

Building a SQL Injection

An example of website code:

"SELECT * FROM users WHERE name = '" + userName + "'";

How this looks to the SQL database

"SELECT * FROM users WHERE name = 'Professor'";

Add more information to the query (SQLi):

"SELECT * FROM users WHERE name = 'Professor' OR '1' = '1'";

This could be very bad

• View all database information, delete database information, add users, denial of service, etc.

SQL Injection Demonstration

Source: https://owasp.org/www-project-webgoat/

Cross-site Scripting

XSS

XSS

• Cascading Style Sheets (CSS) are something else entirely

Originally called cross-site because of browser security flaws

• Information from one site could be shared with another

One of the most common web app vulnerabilities

• Takes advantage of the trust a user has for a site
• Complex and varied

XSS commonly uses JavaScript

• Do you allow scripts? Me too.

Non-persistent (reflected) XSS Attack

Website allows scripts to run in user input

• Search box is a common source

Attacker emails a link that takes advantage of this vulnerability

• Runs a script that sends credentials/session IDs/Cookies to the attacker

Script embedded in the URL executes in the victim’s browser

• As if it came from the server

Attacker uses credentials/session IDs/cookies to steal victim’s information without their knowledge

• Very sneaky

Persistent (stored) XSS Attack

Attacker posts a message to a social media

• Includes the malicious payload

It’s now “persistent”

• Everyone gets the payload

No specific target

• All viewers to the page

For social networking, this can spread quickly

• Everyone who views the message can have it posted to their page
• Where someone else can view it and propagate it further

Hacking a Subaru

June 2017, Aaron Guzman

• Security Researcher

When authenticating with Subaru, users get a token

• This token never expires (bad!)

A valid token allowed any service request

• Even adding your email address to someone else’s account
• Now you have full access to someone else’s car

Web front-end included an XSS vulnerability

• A user clicks a malicious link, and you have their token

Protecting Against XSS

Be careful when clicking untrusted links

• Never blindly click in your email inbox, Never.

Consider disabling JavaScript

• Or control with an extension
• This offers limited protection

Keep your browser and applications updated

• Avoid the nasty browser vulnerabilities

Validate input

• Don’t allow users to add their own scripts to an input field

Hardware Vulnerabilities

We are surrounded by hardware devices

• Many don’t have an accessible OS

These devices are potential security issues

• A perfect entry point for an attack

Everything is connecting to the network

• Light bulbs, garage doors, refrigerators, door locks
• IoT is everywhere

The security landscape has grown

• Time to change your approach

Firmware

The software inside the hardware

• The OS of the hardware device

Vendors are the only ones who can fix their hardware

• Assuming they know about the problem
• And care about fixing it

Trane Comfortlink II thermostats

• Control the temperature from your phone
• Trane notified of three vulnerabilities in April 2014
• Two patched in April 2015, one in January 2016

End-of-life

End of life (EOL)

• Manufacturer stops selling a product
• May continue supporting the product
• Important for security patches and updates

End of service life (EOSL)

• Manufacturer stops selling a product
• Support is no longer available for the product
• No ongoing security patches or updates
• May have a premium-cost support option

Technology EOSL is a significant concern

• Security patches are part of normal operation

Legacy Platforms

Some devices remain installed for a long time

• Perhaps too long

Legacy devices

• Older OSes, applications, middleware

May be running end-of-life software

• The risk need to be compared to the return

May require additional security protections

• Additional firewall rules
• IPS signatures for older OSes

Virtualization Vulnerabilities

Virtualization Security

Quite different from non-virtual machines

• Can appear anywhere

Quantity of resources vary between VMs

• CPU, memory, storage

Many similarities to physical machines

• Complexity adds opportunity for the attackers

Virtualization vulnerabilities

• Local privilege escalations
• Command injection
• Information disclosure

VM escape protection

The virtual machine self-contained

• There’s no way out
• Or is there?

Virtual machine escape

• Break out of the VM and interact with the host OS or hardware

Once you escape the VM, you have great control

• Control the host and control other guests VMs

This would be a huge exploit

• Full control of the virtual world

Escaping the VM

March 2017 — Pwn2Own competition

• Hacking contest
• You pwn it, you own it — along with some cash

JavaScript engine bug in Microsoft Edge

• Code execution in the Edge sandbox

Windows 10 kernel bug

• Compromise the guest OS

Hardware simulation bug in VMware

• Escape to the host

Patches were released soon afterward

Resource Reuse

The hypervisor manages the relationship between physical and virtual resources

• Available RAM, storage space, CPU availability, etc.

These resources can be reused between VMs

• Hypervisor host with 4 GB of RAM
• Supports three VMs with 2 GB of RAM each
• RAM is allocated and shared between VMs

Data can inadvertently be shared between VMs

• Time to update the memory management features
• Security patches can mitigate the risk

Cloud Specific Vulnerabilities

Security in the Cloud

Cloud adoption has been nearly universal

• It’s difficult to find a company NOT using the cloud

We have put sensitive data in the cloud

• The attackers would like this data

We are not putting in the right protections

• 76% of organizations aren’t using MFA for management of console users

Simple best-practices aren’t being used

• 63% of code in production is unpatched
• Vulnerabilities rated high or critical (Common Vulnerability Scoring System - CVSS >= 7.0)

Attack the service

Denial of Service (DoS)

• A fundamental attack type

Authentication bypass

• Take advantage of weak or faulty authentication

Directory transversal

• Faulty contiguration put data at risk

Remote code execution

• Take advantage of unpatched systems

Attack the application

Web application attacks have increased

• Log4j and Spring Cloud Function
• Easy to exploit, rewards are extensive

Cross-site scripting

• Take advantage of poor input validation

Out of bound write

• Write to unauthorized memory areas
• Data corruption, crashing, or code execution

SQL injection

• Get direct access to a database

Supply Chain Vulnerabilities

Supply Chain Risk

The chain contains many moving parts

• Raw materials, suppliers, manufacturers, distributors, customers, consumers

Attackers can infect any step along the way

• Infect different parts of the chain without suspicion
• People trust their suppliers

One exploit can infect the entire chain

• There’s a lot at stake

Service Providers

You can control your own security posture

• You can’t always control a service provider

Service providers often have access to internal services

• An opportunity for the attacker

Many types of providers

• Network, utility, office cleaning, payroll/accounting, cloud services, system administration, etc.

Consider ongoing security audits of all providers

• Should be included with the contract

Target Service Provider Attack

Target Corp. breach — November 2013

• 40 million credit cards stolen

Heating and AC firm in Pennsylvania war infected

• Malware delivered in an email
• VPN credentials for HVAC techs were stolen

HVAC vendor was the supplier

• Attackers used a wide-open Target network to infect every cash register at 1800 stores

Hardware Providers

Can you trust your new server/router/switch/firewall/software?

• Supply chain cybersecurity

Use a small supplier base

• Tighter control of vendors

Strict controls over policies and procedures

• Ensure proper security is in place

Security should be part of the overall design

• There’s a limit to trust

Cisco or not Cisco?

All network traffic flows

• A perfect visibility and pivot point

July 2022 — DHS arrests reseller CEO

• Sold more than $1 billion of counterfeit Cisco products
• Created over 30 different companies
• Had been selling these since 2013

Knock-offs made in China

• Sold as authentic Cisco products
• Until they started breaking and catching on fire

Software providers

Trust is a foundation of security

• Every software installation questions our trust

Initial installation

• Digital signature should be confirmed during installation

Updates and patches

• Some software updates are automatic
• How secure are the updates?

Open source is not immune

• Compromising the source code itself

SolarWinds Supply Chain Attack

SolarWinds Orion

• Used by 18000 customers
• Including Fortune 500 and US Federal Government

Software updates compromised in March and June 2020

• Upgrades to existing installations
• Not detected until December 2020

Additional breaches took advantage of the exploit

• Microsoft, Cisco, Intel, Deloitte
• Pentagon, Homeland Security, State Department, Department of Energy, National Nuclear Security Administration, Treasury

Misconfiguration Vulnerabilities

Open Permissions

Very easy to leave a door open

• The hackers will always find it

Increasingly common with cloud storage

• Statistical chance of finding an open permission

June 2017–14 million Verizon records exposed

• Third-party left an Amazon S3 data repository open
• Researcher found the data before anyone else

Many, Many other examples

• Secure your permissions!

Unsecured Admin Accounts

The Linux root account

• The Windows Administrator or superuser account

Can be misconfiguration

• Intentionally configuring an easy-to-hack password
• 123456, ninja, football

Disable direct login to the root account

• Use the su or sudo option

Protect accounts with root or administrator access

• There should not be a lot of these

Insecure Protocols

Some protocols aren’t encrypted

• All traffic sent in the clear
• Telnet, FTP, SMTP, IMAP

Verify with a packet capture

• View everything sent over the network

Use the encrypted versions

• SSH, SFTP, IMAPS

Default Settings

Every application and network device has a default login

• Not all of these are ever changed

Mirai Botnet

• Take advantage of default configurations
• Takes over Internet of Things (IoT) devices
• 60+ default configurations
• Camera, routers, doorbells, garage door openers, etc.

Mirai released as open-source software

• There’s a lot more where that came from

Open Ports and Services

Services will open ports

• It’s important to manage access

Often managed with a firewall

• Manage traffic flows
• Allow or deny based on port number or application

Firewall rulesets can be complex

• It’s easy to make mistake

Always test and audit

• Double and triple check

Mobile Device Vulnerabilities

Mobile Device Security

Challenging to secure

• Often need additional security policies and systems

Relatively small

• Can be almost invisible

Almost always in motion

• You never know where it might be

Packed with sensitive data

• Personal and organizational

Constantly connected to the Internet

• Nothing bad happens on the Internet

Jailbreaking/Rooting

Mobile devices are purpose built systems

• You don’t have access to the OS

Gaining access

• Android — Rooting
• Apple iOS — Jailbreaking

Install custom firmware

• Replaces the existing OS

Uncontrolled access

• Circumvent security features
• The MDM (Mobile Device Management) becomes relatively useless

Sideloading

Malicious apps can be a significant security concern

• One Trojan horse can create a data breach

Manage installation sources

• The global or local app store

Sideloading circumvents security

• Apps can be installed manually without using an app store
• Again, your MDM becomes relatively useless

Zero-day Vulnerabilities

Vulnerabilities

Many applications have vulnerabilities

• We have just not found them yet

Someone is working hard to find the next big vulnerability

• The good guys share these with developers

Attackers keep these yet-to-be-discovered holes to themselves

• They want to use these vulnerabilities for personal gain

Zero-day Attacks

Attackers search for unknown vulnerabilities

• They create exploits against these vulnerabilities

The vendor has no idea the vulnerability exists

• They don’t have a fix for an unknown problem

Zero-day attacks

• An attack without a patch or method of mitigation
• A race to exploit the vulnerability or create a patch
• Difficult to defend against the unknown

Common Vulnerabilities and Exposure (CVE)

• https://cve.mitre.org

Zero-day Attacks in the wild

April 2023 — Chrome zero-day

• Memory corruption, sandbox escape

May 2023 — Microsoft zero-day patch

• Secure boot zero-day vulnerability
• Attackers can run UEFI-level self-signed code

May 2023 — Apple iOS and iPadOS zero-days

• Three zero-day attacks
• Sandbox escape, disclosure of sensitive information, arbitrary code execution
• Active exploitation

An Overview of Malware

Malware

Malicious Software

• These can be very bad

Gather information

• Keystrokes

Show you advertising

• Big money

Viruses and worms

• Encrypt your data
• Ruin your day

Malware Types and Methods

• Viruses
• Worms
• Ransomware
• Trojan Horse
• Rootkit
• Keylogger
• Spyware
• Bloatware
• Logic bomb

How You Get Malware

These all work together

• A worm takes advantage of a vulnerability
• Installs malware that includes a remote access backdoor
• Additional malware may be installed later

Your computer must run a program

• Email link — Don’t click links
• Web page pop-up
• Drive-by download
• Worm

Your computer is vulnerable

• OS — Keep your OS updated
• Applications — Check with the publisher

Your Data is Valuable

Personal Database

• Family pictures and videos
• Important documents

Organization data

• Planning documents
• Employee personally identifiable information (PII)
• Financial records
• Company private data

How much is it worth?

• There’s a number

Ransomware

A particularly nasty malware

• Your data is unavailable until you provide cash

Malware encrypts your data files

• Pictures, documents, music, movies, etc.
• Your OS remains available

You must pay the attackers to obtain the decryption key

• Untraceable payment system
• An unfortunate use of public-key cryptography

Protecting against Ransomware

Always have a backup

• An offline backup, ideally

Keep your OS up to date

• Patch those vulnerabilities

Keep your applications up-to-date

• Security patches

Keep your anti-virus/anti-malware signatures up-to-date

• New attacks every hour

Keep everything up-to-date

Viruses and Worms

Virus

Malware that can reproduce itself

• It needs you to execute a program

Reproduces through file systems or the network

• Just running a program can spread a virus

May or may not cause problems

• Some viruses are invisible, some are annoying

Anti-virus is very common

• Thousands of new viruses every week
• Is your signature file updated?

Virus Types

Program viruses

• It’s part of the application

Boot sector viruses

• Who need an OS?

Script viruses

• OS and browser-based

Macro viruses

• Common in Microsoft Office

Fileless Virus

A stealth attack

• Does a good job of avoiding anti-virus detection

Operates in memory

• But never installed in a file or application

Worms

Malware that self-replicates

• Doesn’t need you to do anything
• Uses the network as a transmission medium
• Self-propagates and spreads quickly

Worms are pretty bad things

• Can take over many systems very quickly

Firewalls and IDS/IPS can mitigate many worms infestations

• Doesn’t help much once the worm gets inside

Wannacry Worm

Spyware and Bloatware

Spyware

Malware that spies on you

• Advertising, identity theft, affiliate fraud

Can trick you into installing

• Peer to peer, fake security software

Browser monitoring

• Capture surfing habits

Keyloggers

• Capture every keystroke
• Send your keystrokes back to the attacker

Protecting Against Spyware

Maintain your anti-virus/anti-malware

• Always have the latest signatures

Always know what you’re installing

• And watch your options during the installation

Where’s your backup?

• You might need it someday
• Cleaning adware isn’t easy

Run some scans

• Malwarebytes

Bloatware

A new computer or phone

• Includes the OS and important apps

Also includes applications you didn’t expect

• And often don’t need

Apps are installed by the manufacturer

• You didn’t get a choice

Uses valuable storage space

• May also add to overall resource usage
• The system may be slower than expected
• Could open your system to exploits

Removing Bloatware

Identify and remove

• This may be easier said than done

Use the built-in uninstaller

• Works for most applications

Some apps have their own uninstaller

• That’s how bad they are

Third-party uninstallers and cleaners

• Probably not the first option
• Always have a backup

Other Malware Types

Keyloggers

Your keystrokes contain valuable information

• Website login URLs, passwords, email messages

Save all of your input

• Send it to the bad guys

Circumvent encryption protections

• Your keystrokes are in the clear

Other data logging

• Clipboard logging, screen logging, instant messaging, search engine queries

Keylogger in action

Logic Bomb

Waits for a predefined event

• Often left by someone with grudge

Time bomb

• Time or date

User event

• Logic bomb

Difficult to identify

• Difficult to recover if it goes off

Real-world Logic Bomb

March 19, 2013, South Korea

• Email wit malicious attachment sent to South Korean organizations
• Posed as a bank email
• Trojan installs a malware

March 20, 2013, 2 PM local time

• Malware time-based logic bomb activates
• Storage and master boot record (MBR) deleted, system reboots

Boot device not found.
Please install an Operating System on your hard disk.

Preventing a Logic Bomb

Difficult to recognize

• Each is unique
• No predefined signatures

Process and procedures

• Formal change control

Electronic monitoring

• Alerts on changes
• Host-based intrusion detection, Tripwire, etc.

Constant auditing

• An administrator can circumvent existing systems

Rootkits

Originally a Unix technique

• The root in rootkit

Modifies core system files

• Part of the kernel

Can be invisible to the OS

• Won’t see it in the Task Manager

Also, invisible to traditional anti-virus utilities

• If you cannot see it, you cannot stop it

Finding and Removing Rootkits

Look for the unusual

• Anti-malware scans

Use a remover specific the rootkit

• Usually built after the rootkit is discovered

Secure boot with UEFI

• Security in the BIOS

Physical Attacks

Physical Attacks

Old school security

• No keyboard, no mouse, no command line

Many ways to circumvent digital security

• A physical approach must be considered

If you have physical access to a server, you have full control

• An OS can’t stop an in-person attack

Door locks keep out the honest people

• There’s always a way in

Brute Force

The physical version

• No password required

Push through the obstruction

• Brawn beats brains

Check your physical security

• Check the windows
• Try the doors

Attackers will try everything

• You should be prepared for anything

RFID Cloning

RFID is everywhere

• Access badges
• Key fobs

Duplicators are on Amazon

• Less than $50

The duplication process takes seconds

• Read one card
• Copy to another

This is why we have MFA

• Use another factor with the card

Environmental Attacks

Attack everything supporting the technology

• The operating environment

Power monitoring

• An obvious attack

HVAC (Heating, Ventilation, and Air conditioning) and humidity controls

• Large data centers must be properly cooled

Fire suppression

• Watch for smoke or fire

Denial of Service

Denial of Service

Force a service to fail

• Overload the service

Take advantage of a design failure or vulnerability

• Keep your system patched!

Cause a system to be unavailable

• Competitive advantage

Create a smokescreen for some other exploit

• Precursor to a DNS spoofing attack

Doesn’t have to be complicated

• Turn off the power

A “Friendly” DoS

Unintentional DoSing

• It’s not always an né’er-do-well

Network DoS

• Layer 2 loop without STP

Bandwidth DoS

• Downloading multi-gigabyte Linux distribution over a DSL line

The water line breaks

• Get a good shop vacuum

Distributed Denial of Service (DDoS)

Launch an army of computers to bring down a service

• Use all the bandwidth or resources — traffic spike

This is why the attackers have botnets

• Thousands or millions of computers at your command
• At its peak, Zeus botnet infected over 3.6 million PCs
• Coordinated attack

Asymmetric threat

• The attacker may have fewer resources than the victim

DDoS Reflection and Amplification

Turn your small attack into a big attack

• Often reflected off another device or service

An increasingly common network DDoS technique

• Turn Internet services against the victim

Uses protocols with little (if any) authentication or checks

• NTP, DNS, ICMP
• A common example of protocol abuse

DNS Attacks

DNS Poisoning

Modify the DNS server

• Requires some crafty hacking

Modify the client host file

• The host file takes precedent over DNS queries

Send a fake response to a valid DNS request

• Requires a redirection of the original request or the resulting response
• Real-time redirection
• This is an on-path attack

DNS Spoofing/Poisoning in Action

Domain Hijacking

Get access to the domain registration, and you have control where the traffic flows

• You don’t need to touch the actual servers
• Determines the DNS names and DNS IP addresses

Many ways to get into the account

• Brute-force
• Social engineer the password
• Gain access to the email address that manages the account
• The usual things

Saturday, October 22, 2016, 1 PM

• Domain name registrations of 36 domains were changes
• Brazilian bank
• Desktop domains, mobile domains, and more

Under hacker control for 6 hours

• The attackers became the bank

5 million customers, $27 billion in assets

• Results of the hack have not been publicly released

URL Hijacking

Make money from your mistakes

• There’s a lot of advertising on the Internet

Sell the badly spelled domain to the actual owner

• Sell a mistake

Redirect to a competitor

• Not as common, legal issues

Phishing site

• Looks like the real site, please log in

Infect with a drive-by download

• You’ve got malware!

Types of URL Hijacking

Typosquatting/brandjacking

• Take advantage of poor spelling

Outright misspelling

• professormesser.com vs. professormessor.com

A typing error

• professormeser.com

A different phrase

• professormessers.com

Different top-level domain

• professormesser.org

Wireless Attacks

It started as a normal day

Surfing along on your wireless network

• And then you’re not

And then it happens again

• and again

You may not be able to stop it

• There’s (almost) nothing you can do
• Time to get a long patch cable

Wireless deauthentication

• A significant wireless denial of service (DoS) attack

802.11 management frames

802.11 wireless includes a number of management features

• Frames that make everything work
• You never see them

Important for the operation of 802.11 wireless

• How to find access points, manage QoS, associate/disassociate with an access point, etc.

Original wireless standards didn’t add protection for management frames

• Sent in the clear, no authentication or validation

Protecting against deauth attacks

IEEE has already addressed the problem

• Updates included with 802.11ac

Some important management frames are encrypted

• Disassociate, deauthenticate, channel switch announcement, etc.

Not everything is encrypted

• Beacons, probes, authentication, association

Radio Frequency (RF) Jamming

Denial of service

• Prevent wireless communication

Transmit interfering wireless signals

• Decrease the signal-to-noise ratio at the receiving device
• The receiving device can’t hear the good signal

Sometimes it’s not intentional

• Interference, not jamming
• Microwave oven, fluorescent lights

Jamming is intentional

• Someone wants your network to not work

Wireless Jamming

Many types

• Constant, random bits/Constant, legitimate frames
• Data sent at random times — random data and legitimate frames
• Reactive jamming — only when someone else tries to communicate

Needs to be somewhere close

• Difficult to be effective from a distance

Time to go fox hunting

• You’ll need the right equipment to hunt down the jam
• Directional antenna, attenuator

On-path Attacks

On-path Network Attack

How can an attacker watch without you knowing?

• Formerly known as man-in-the-middle

Redirects your traffic

• Then passes it on to the destination
• You never know your traffic was redirected

ARP poisoning

• On-path attack on the local IP subnet
• ARP has no security

ARP Poisoning (Spoofing)

On-path Browser Attack

What if the middleman was on the same computer as the victim?

• Malware/Trojan does all the proxy work
• Formerly known as man-in-the-browser

Huge advantages for the attackers

• Relatively easy to proxy encrypted traffic
• Everything looks normal to the victim

The malware in your browser waits for you to log in to your bank

• And cleans you out

Replay Attacks

Replay Attacks

Useful information is transmitted over the network

• A crafty hacker will take advantage of this

Need access to the raw network data

• Network tap, ARP poisoning
• Malware on the victim computer

The gathered information may help the attacker

• Replay the data to appear as someone else

This is not an on-path attack

• The actual replay doesn’t require the original workstation

Pass the Hash

Avoid this type of replay attack with a salt or encryption

• Use a session ID with the password hash to create a unique authentication hash each time

Browser Cookie and Session IDs

Cookies

• Information stored on your computer by the browser

Used for tracking, personalization, session management

• Not executable, not generally a security risk
  • Unless someone gets access to them

Could be considered be a privacy risk

• Lots of personal data in there

Session IDs are often stored in the cookie

• Maintains sessions across multiple browser sessions

Session Hijacking (Sidejacking)

Header Manipulation

Information gathering

• Wireshark, Kismet

Exploits

• Cross-site scripting

Modify header

• Tamper, Firesheep, Scapy

Modify cookie

• Cookies Manager+ (Firefox add-on)

Prevent Session Hijacking

Encrypt end-to-end

• They can’t capture your session ID if they can’t see it
• Additional load on the web server (HTTPS)
• Firefox extension: HTTPS Everywhere, Force TLS
• Many sites are now HTTPS-only

Encrypt end-to-somewhere

• At least avoid capture over a local wireless network
• Still in-the-clear for part of the journey
• Personal VPN

Malicious Code

Exploiting a Vulnerability

An attacker can use many techniques

• Social engineering
• Default credentials
• Misconfiguration

These don’t require technical skills

• The door is already unlocked

There are still ways to get into a well-secured system

• Exploit with malicious code
• Knock the pins out of a door hinge

Malicious Code

The attackers use any opportunity

• The types of malicious code are varied

Many forms

• Executables, scripts, macro viruses, worms, Trojan horses, etc.

Protection comes from different sources

• Anti-malware
• Firewall
• Continuous updates and patches
• Secure computing habits

Malicious Code Examples

WannaCry ransomware

• Executable exploited a vulnerability in Windows SMBv1
• Arbitrary code execution

British Airways cross-site scripting

• 22 lines of malicious JavaScript code placed on checkout pages
• Information stolen from 380,000 victims

Estonian Central Health Database

• SQL injection
• Breached all healthcare information for an entire country

Application Attacks

Application Attacks

Injection Attacks

Code injection

• Adding your own information into a data stream

Enabled because of bad programming

• The application should properly handle input and output

So many injectable data types

• HTML, SQL, XML, LDAP, etc.

Buffer Overflows

Overwriting a buffer of memory

• Spills over into other memory area

Developers need to perform bounds checking

• The attackers spend a lot of time looking for openings

Not a simple exploit

• Takes time to avoid crashing things
• Take time to make it do what you want

A really useful buffer overflow is repeatable

• Which means that a system can be compromised

Replay attack

Useful information is transmitted over the network

• A crafty hacker will take advantage of this

Need to access to the raw network data

• Network tap, ARP poisoning.
• Malware on the victim

The gathered information may help the attacker

• Replay the data to appear as someone else

This is not an on-path attack

• The actual replay doesn’t require the original workstation

Privilege Escalation

Gain higher-level access to a system

• Exploit a vulnerability
• Might be a bug or design flaw

Higher-level access means more capabilities

• This commonly is the highest level access
• This is obviously a concern

These are high-priority vulnerability patches

• You want to get these holes closed very quickly

Horizontal privilege escalation

• User A can access user B resources

Mitigating Privilege Escalation

Patch quickly

• Fix the vulnerability

Updates anti-virus/anti-malware software

• Block known vulnerabilities

Data Execution Prevention

• Only data in executable areas can run

Address space layout randomization

• Prevent a buffer overrun at a known memory address

Elevation of Privilege Vulnerability

CVE-2023-293366

• Win32k Elevation of privilege vulnerability

Win32k Kernel Driver

• Server 2008, 2008 R2, 2012, 2012 R2, 2016
• Windows 10

Attacker would gain SYSTEM privileges

• The highest level access

Cross-site Request

Cross-site requests are common and legitimate

• You visit professormesser.com
• Your browser loads text from the professormesser.com server
• It loads a video from YouTube
• And pictures from Instagram

HTML on professormesser.com directs requests from your browser

• This is normal and expected
• Most of these are unauthenticated requests

The Client and the Server

Website pages consist of client-side code and server-side code

• Many moving parts

Client-side

• Renders the page on the screen
• HTML, JavaScript

Server-side

• Performs requests from the client
• HTML, PHP
• Transfer money from one account to another
• Post a video on YouTube

Cross-site Request Forgery

One-click attack, session riding

• XSRF, CSRF (sea surf)

Takes advantage of the trust that a web application has for the user

• The website trusts your browser
• Requests are made without your consent or your knowledge
• Attacker posts a Facebook status on your account

Significant web application development oversight

• The application should have anti-forgery techniques added
• Usually a cryptographic token to prevent a forgery

Directory Transversal

Directory transversal/path transversal

• Read files from a web server that are outside the website’s file directory
• Users shouldn’t be able to browse the Windows Folder

Web server software vulnerability

• Won’t stop users from browsing past the web server root

Web application code vulnerability

• Take advantage of badly written code

Cryptographic Attacks

Cryptographic Attacks

You’ve encrypted data and sent it to another person

• Is it really secure?
• How do you know?

The attacker doesn’t have the combination (the key)

• So they break the safe (the cryptography)

Finding ways to undo the security

• There are many potential cryptographic shortcomings
• The problem is often the implementation

Birthday Attack

In a classroom of 23 students, what is the chance of two students sharing a birthday?

• About 50%
• For a class of 30, the chance is about 70%

In the digital word, this is a hash collision

• A hash collision is the same hash value for two different plaintexts
• Find a collision through brute force

The attacker will generate multiple versions of plaintext to match the hashes

• Protect yourself with a large hash output size

Collisions

Hash digests are supposed to be unique

• Different input data should not create the same hash

MD5 hash

• Message Digest Algorithm 5
• First published in April 1996

December 2008: Researchers created CA certificate that appeared legitimate when MD5 is checked

• Built other certificates that appeared to be legit and issued by RapidSSL

Downgrade Attack

Instead of using perfectly good encryption, use something that’s not so great

• Force the systems to downgrade their security

SSL stripping

• Combines an on-path attack with a downgrade attack
• Difficult to implement, but big returns for the attacker
• Attacker must sit in the middle of the conversation
• Victims browser page isn’t encrypted
• Strips the S away from HTTPS

Plaintext/Unencrypted Passwords

Some applications store passwords “in the clear”

• No encryption. You can read the stored password
• This is rare, thankfully.

Do not store passwords as plaintexts

• Anyone with access to the password file or database has every credential

What to do if your application saves passwords as plaintext

• Get a better application

Hashing a password

Hashes represent data as a fixed-length string of text

• A message digest, or “fingerprint”

Will not have a collision (hopefully)

• Different inputs will not have the same hash

One-way trip

• Impossible to recover the original message from the digest
• A common way to store passwords

A Hash Example

SHA-256 hash

• Used in many applications

The Password File

Different across OSes and applications

• Different hash algorithms

Spraying Attack

Try to log in with an incorrect password

• Eventually you’ll be locked out

There are some common passwords

• https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Attack an account with the top three (or more) passwords

• If they don’t work, move to the next account
• No lockouts, no alarms, no alerts

Brute-force

Try every possible password combination until the hash is matched

This might take some time

• A strong hashing algorithm slows things down

Brute-force attacks — Online

• Keep trying the login process
• Very slow
• Most accounts will lock out after a number of failed attempts

Brute-force the hash — Offline

• Obtain the list of users and hashes
• Calculate a password hash, compare it to a stored hash
• Large computational resource requirement

Indicators of Compromise

Indicators of Compromise (IOC)

An event that indicates an intrusion

• Confidence is high
• He’s calling from inside the house

Indicators

• Unusual amount of network activity
• Change to file hash values
• Irregular international traffic
• Changes to DNS data
• Uncommon login patterns
• Spikes of read requests to certain files

Account Lockout

Credentials are not working

• It wasn’t you this time

Exceeded login attempts

• Account is automatically locked

Account was administratively disabled

• This would be a larger concern

This may be part of a larger plan

• Attacker locks account
• Calls support line to reset the password

Concurrent Session Usage

It’s challenging to be two places at one time

• Laws of Physics

Multiple account logins from multiple locations

• Interactive access from a single user
• You don’t have a clone

This can be difficult to track down

• Multiple devices and desktops
• Automated processes

Blocked Content

An attacker wants to stay as long as possible

• Your system has been unlocked
• Keep the doors and windows open

There’s probably a security patch available

• Time to play keep-away

Blocked content

• Auto-update connections
• Links to security patches
• Third-party anti-malware sites
• Removal tools

Impossible Travel

Authentication logs can be telling

• Logon and logoff

Login from Omaha, Nebraska, United States

• The company headquarters

Three minutes later, a login from Melbourne, Victoria, Australia

• Alarm bells should be ringing

This should be easy to identify

• Log analysis and automation

Resource Consumption

Every attacker’s action has an equal and opposite reaction

• Watch carefully for significant changes

File transfers use bandwidth

• An unusual spike at 3 AM

Firewall logs show the outgoing transfer

• IP addresses, timeframes

Often the first real notification of an issue

• The attacker may have been here for months

Resource Inaccessibility

The server is down

• Not responding

Network disruption

• A cover for the actual exploit

Server outage

• Result of an exploit gone wrong

Encrypted data

• A potential ransomware attack begins

Brute force attack

• Locks account access

Out-of-Cycle Logging

Out-of-Cycle

• Occurs at an unexpected time

OS patch logs

• Occurring outside the normal patch day
• Keep that exploited system safe from other attackers!

Firewall log activity

• Timestamps of every traffic flow
• Protocols and applications used

Missing logs

Log information is evidence

• Attackers will try to cover their tracks by removing logs

Information is everywhere

• Authentication logs
• File access logs
• Firewall logs
• Proxy logs
• Server logs

The logs may be incriminating

• Missing logs are certainly suspicious
• Logs should be secured and monitored

Published/Documented

The entire attack and data exfiltration may go unnoticed

• It happens quite often

Company data may be published online

• The attackers post a portion or all data
• This may be in conjunction with ransomware

Raw data may be released without context

• Researchers will try to find the source

Segmentation and Acess Control

Segmenting the Network

Physical, logical, or virtual segmentation

• Devices, VLANs, virtual networks

Performance

• High-bandwidth applications

Security

• Users should not talk directly to database servers
• The only applications in the core are SQL and SSH

Compliance

• Mandated segmentation (PCI compliance)
• Makes change control much easier

Access Control Lists (ACLs)

Allow or disallow traffic

• Groupings of categories
• Source IP, Destination IP, port number, time of day, application, etc.

Restrict access to network devices

• Limit by IP address, or other identifier
• Prevent regular user/non-admin access

Be careful when configuring these

• You can accidentally lock yourself out

List the permissions

• Bob can read files
• Fred can access the network
• James can access network 192.168.1.0/24 using TCP ports 80, 443, 8088

Many OSes use ACLs to provide access to files

• A trustee and the access rights allowed

Application Allow List/Deny List

Any application can be dangerous

• Vulnerabilities, Trojan Horses, malware

Security policy can control app execution

• Allow list, deny/block list

Allow list

• Nothing runs unless it’s approved
• Very restrictive

Deny list

• Nothing on the “bad list” can be executed
• Anti-virus, anti-malware

Examples of Allow and Deny Lists

Decisions are made in the OS

• Often built-in to the OS management

Application hash

• Only allows applications with this unique identifier

Certificate

• Allow digitally signed apps from certain publishers

Path

• Only run applications in these folders

Network Zone

• The apps can only run from this network zone

Mitigation Techniques

Mitigation Techniques

Patching

Incredibly important

• System stability, security fixes

Monthly updates

• Incremental (and important)

Third-party updates

• Application developers, device drivers

Auto-update

• Not always the best option

Emergency out-of-band updates

Encryption

Prevent access to application data files

• File system encryption

File level encryption

• Windows EFS

Full disk encryption (FDE)

• Encrypt everything on the drive
• BitLocker, FileVault, etc.

Application data encryption

• Managed by the app
• Stored data is protected

Monitoring

Aggregate information from devices

• Built-in sensors, separate devices
• Integrated into servers, switches, routers, firewalls, etc.

Sensors

• Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs

Collectors

• Proprietary consoles (IPS, Firewall), SIEM consoles, syslog servers
• Many SIEMs include a correlation engine to compare diverse sensor data

Least Privilege

Rights and permissions should be set to the base minimum

• You only get exactly what’s needed to complete your objective

All user accounts must be limited

• Applications should run with minimal privileges

Don’t allow users to run with administrative privileges

• Limit the scope of malicious behavior

Configuring Enforcement

Perform a posture assessment

• Each time a device connects

Extensive check

• OS patch version
• EDR (Endpoint Detection and Response) version
• Status of firewall and EDR
• Certificate status

Systems out of compliance are quarantined

• Private VLAN with limited access
• Recheck after making corrections

Decommissioning

Should be a formal policy

• Don’t throw your data into the trash
• Someone will find this later

Mostly associated with storage devices

• Hard drive
• SSD
• USB drives

Many options for physical devices

• Recycle the device for use in another system
• Destroy the device

Hardening Techniques

System Hardening

Many and varied

• Windows, Linux, iOS, Android, etc.

Updates

• OS updates/service packs, security patches

User accounts

• Minimum password lengths and complexity
• Account Limitations

Network access and security

• Limit network access

Monitor and secure

• Anti-virus, anti-malware

Encryption

Prevent access to application data files

• File system encryption
• Windows Encrypting Files System (EFS)

Full disk encryption (FDE)

• Encrypt everything on the drive
• Windows BitLocker, macOS FileVault, etc.

Encrypt all network communication

• Virtual Private Network (VPN)
• Application encryption

The Endpoint

The user’s access

• Applications and data

Stop the attackers

• Inbound attacks
• Outbound attacks

Many platforms

• Mobile, Desktop

Protection is multi-faceted

• Defense in depth

Endpoint Detection and Response (EDR)

A different method of threat detection

• Scale to meet the increasing number of threats

Detect a threat

• Signatures aren’t the only detection tool
• Behavior analysis, machine learning, process monitoring
• Lightweight agent on the endpoint

Investigate the threat

• Root cause analysis

Respond to the threat

• Isolate the system, quarantine the threat, rollback to a previous config
• API driven, no user or technician intervention required

Host-based Firewall

Software based firewall

• Personal firewall, runs on every endpoint

Allow or disallow incoming or outgoing application traffic

• Control by application process
• View all data

Identify and block unknown processes

• Stop malware before it can start

Finding Intrusions

Host based Intrusion Prevention System (IPS)

• Recognize and block known attacks
• Secure OS and application configs, validate incoming service requests
• Often built into endpoint protection software

HIPS identification

• Signature, heuristics, behavioral
• Buffer overflows, registry updates, writing files to the Windows folder
• Access to non-encrypted data

Open Ports and Services

Every open port is a possible entry point

• Close everything except required ports

Control access with a firewall

• NGFW would be ideal

Unused or unknown services

• Installed with the OS or from other applications

Applications with broad port ranges

• Open port 0 through 65,535

Use nmap or similar port scanner to verify

• Ongoing monitoring is important

Default Password Changes

Every network device has a management interface

• Critical systems, other device

Many applications also have management or maintenance interfaces

• These can contain sensitive data

Change default settings

• Passwords

Add additional security

• Require additional logon
• Add 3rd-party authentication

Removal of Unnecessary Software

All software contains bugs

• Some of those bugs are security vulnerabilities

Every application seems to have a completely different patching process

• Can be challenging to manage ongoing updates

Remove all unused software

• Reduce your risk
• An easy fix

Architecture Models

Cloud Responsibility Matrix

IaaS, PaaS, SaaS, etc.

• Who is responsible for security?

Security should be well documented

• Most cloud providers provide a matrix of responsibilities
• Everyone knows up front

These responsibilities can vary

• Different cloud providers
• Contractual agreements

Hybrid Considerations

Hybrid cloud

• More than one public or private cloud
• This adds additional complexity

Network protection mismatches

• Authentication across platforms
• Firewall configurations
• Server settings

Different security monitoring

• Logs are diverse and cloud-specific

Data leakage

• Data is shared across public Internet

Third-Party Vendors in the Cloud

You, the cloud provider, and the third parties

• Infrastructure technologies
• Cloud-based appliances

Ongoing vendor risk assessments

• Part of an overall vendor risk management policy

Include third-party impact for incident response

• Everyone is part of the process

Constant monitoring

• Watch for changes and unusual activity

Infrastructure as Code

Describe an infrastructure

• Define servers, network, and applications as code

Modify the infrastructure and create versions

• The same way you version application code

Use the description (code) to build other application instances

• Build it the same way every time based on the code

An important concept for cloud computing

• Build a perfect version every time

Serverless Architecture

Function as a Service (FaaS)

• Applications are separated into individual, autonomous functions
• Remove the OS from the equation

Developer still creates the server-side logic

• Runs in a stateless compute container

May be event triggered and ephemeral

• May only run for one event

Managed by a third-party

• All OS security concerns are at the third party

Microservices and APIs

Monolithic applications

• One big application that does everything

Application contains all decision-making process

• User interface
• Business logic
• Data input and output

Code challenges

• Large codebase
• Change control challenges

APIs

• Application Programming Interface

API is the “glue” for the microservices

• Work together to act as the application

Scalable

• Scale just the microservices you need

Resilient

• Outages are contained

Security and compliance

• Containment is built-in

Network Infrastructure Concepts

Physical Isolation

Devices are physically separate

• Air gap between Switch A and Switch B

Must be connected to provide communication

• Direct connect, or another switch or router

Web servers in one rack

• Database servers on another

Customer A on one switch, customer B on another

• No opportunity for mixing data

Physical Segmentation

Separate devices

• Multiple units, separate infrastructure

Logical Segmentation with VLANs

Virtual Local Area Networks (VLANs)

• Separated logically instead of physically
• Cannot communicate between VLANs without a Layer 3 device/router

SDN (Software Defined Networking)

Networking devices have different functional planes of operation

• Data, control, and management planes

Split the functions into separate logical units

• Extend the functionality and management of a single device
• Perfectly built for the cloud

Infrastructure layer/Data plane

• Process the network frames and packets
• Forwarding, trunking, encrypting, NAT

Control layer/Control plane

• Manages the actions of the data plane
• Routing tables, session tables, NAT tables
• Dynamic routing protocol updates

Application layer/Management plane

• Configure and manage the device
• SSH, browser, API

Extend the Physical Architecture

SDN Data Flows

SDN Security

Other Infrastructure Concepts

Attacks can happen anywhere

Two categories for IT security

• The on-premises data is more secure!
• The cloud-based data is more secure!

Cloud-based security is centralized and costs less

• No dedicated hardware, no data center to secure
• A third party handles everything

On-premises puts the security burden on the client

• Data center security and infrastructure costs

Attackers want your data

• They don’t care where it is

On-premises Security

Customize your security posture

• Full control when everything is in-house

On-site IT team can manage security better

• The local team can ensure everything is secure
• A local team can be expensive and difficult to staff

Local team maintains uptime and availability

• System checks can occur at any time
• No phone call for support

Security changes can take time

• New equipment, configurations, additional costs

Centralized vs. Decentralized

Most organizations are physically decentralized

• Many locations, cloud providers, OSes, etc.

Difficult to manage and protect so many diverse systems

• Centralize the security management

A centralized approach

• Correlated alerts
• Consolidated log file analysis
• Comprehensive system status and maintenance/patching

It’s not perfect

• Single point of failure, potential performance issues

Virtualization

Virtualization

• Run different OSes on the same hardware

Each application instance has its own OS

• Adds overhead and complexity
• Virtualization is relatively expensive

Application Containerization

Container

• Contains everything you need to run an application
• Code and dependencies
• A standardized unit of software

An isolated process in a sandbox

• Self-contained
• Apps can’t interact with each other

Container image

• A standard for portability
• Lightweight, uses the host kernel
• Secure separation between applications

Virtualized vs. Containerized

IoT (Internet of Things)

Sensors

• Heating and cooling, lighting

Smart devices

• Home automation, video doorbells

Wearable technology

• Watches, health monitors

Facility automation

• Temperature, air quality, lighting

Weak defaults

• IOT manufacturers are not security professionals

SCADA/ICS

Supervisory Control and Data Acquisition System

• Large-scale, multi-site Industrial Control Systems (ICS)

PC manages equipment

• Power generation, refining, manufacturing equipment
• Facilities, industrial, energy, logistics

Distributed control systems

• Real-time information
• System control

Requires extensive segmentation

• No access from the outside

RTOS (Real-Time Operating System)

An OS with a deterministic processing schedule

• No time to wait for other processes
• Industrial equipment, automobiles
• Military environments

Extremely sensitive to security issues

• Non-trivial systems
• Need to always be available
• Difficult to know what type of security is in place

Embedded Systems

Hardware and software designed for a specific function

• Or to create as part of a larger system

Is built with only this task in mind

• Can be optimized for size and/or cost

Common examples

• Traffic light controllers
• Digital watches
• Medical imaging systems

High Availability

Redundancy doesn’t mean always available

• May need to be powered on manually

HA (High availability)

• Always on, always available

Many include many components working together

• Active/active can provide scalability advantages

Higher availability almost always means higher costs

• There’s always another contingency you could add
• Upgraded power, high-quality server components, etc.

Infrastructure Consideration

Availability

System uptime

• Access data, complete transactions
• A foundation of IT security

A balancing act with security

• Available, but only to the right people

WE spend a lot of time and money on availability

• Monitoring, redundant systems

An important metric

• We are often evaluated on total available time

Resilience

Eventually, something will happen

• Can you maintain availability?
• Can you recover? How quickly?

Based on many variables

• The root cause
• Replacement hardware installations
• Software patch availability
• Redundant systems

Commonly referenced as MTTR

• Mean Time to Repair

Cost

How much money is required?

• Everything ultimately comes down to cost

Initial installation

• Very different across platforms

Ongoing maintenance

• Annual ongoing cost

Replacement or repair costs

• You might need more than one

Tax implications

• Operating or capital expense

Responsiveness

Request information

• Get a response
• How quickly did that happen?

Especially important for interactive applications

• Humans are sensitive to delays

Speed is an important metric

• All parts of the application contribute
• There’s always the weakest link

Scalability

How quickly and easily can we increase or decrease capacity?

• This might happen many times a day
• Elasticity

There’s always a resource challenge

• What’s preventing scalability?

Needs to include security monitoring

• Increases and decreases as the system scales

Ease of Deployment

An application has many moving parts

• Web server, database, caching server, firewall, etc.

This might be an involved process

• Hardware resources, cloud budgets, change control

This might be very simple

• Orchestration/automation

Important to consider during the product engineering phase

• One missed detail can cause deployment issues

Risk Transference

Many methods to minimize risk

• Transfer the risk to a third party

Cybersecurity insurance

• Attacks and downtime can be covered
• Popular with the rise in ransomware

Recover internal losses

• Outages and business downtime

Protect against legal issues from customers

• Limit the costs associated with legal proceedings

Ease of Recover

Something will eventually go wrong

• Time is money
• How easily can you recover?

Malware infection

• Reload OS from original media — 1 hour
• Reload from corporate image — 10 minutes

Another important design criteria

• This may be critical to the final product

Patch Availability

Software isn’t usually static

• Bug fixes, security updates, etc.

This is often the first task after installation

• Make sure you’re running the latest version

Most companies have regular updates

• Microsoft’s monthly patch schedule

Some companies rarely patch

• This might be a significant concern

Inability to Patch

What if patching wasn’t an option?

• This often happens than you might think

Embedded systems

• HVAC controls
• Time clocks

Not designed for end-user updates

• This is a bit short-sighted
• Especially these days

May need additional security controls

• A firewall for your time clock

Power

A foundational element

• This can require extensive engineering

Overall power requirements

• Data center vs. office building

Primary power

• One or more providers

Backup services

• UPS (Uninterruptible Power Supply)
• Generators

Compute

An application’s heavy lifting

• More than just a single Compute

The compute engine

• More options available in the cloud

May be limited to a single processor

• Easier to develop

Use multiple CPUs across multiple clouds

• Addtional complexity
• Enhanced scalability

Applying Security Principles

Secure Infrastructures

Device Placement

Every network is different

• There are often similarities

Firewalls

• Separate trusted from untrusted
• Provide additional security checks

Other services may require their own security technologies

• Honeypots, jump server, load balancers, sensors

Security Zone

Zone-based security technologies

• More flexible (and secure) than IP address ranges

Each area of the network is associated with a zone

• Trusted, untrusted
• Internal, external
• Inside, Internet, Servers, Databases, Screened

This simplifies security policies

• Trusted to Untrusted
• Untrusted to Screened
• Untrusted to Trusted

Attack Surface

How many ways into your home?

• Doors, windows, basements

Everything can be a vulnerability

• Application code
• Open ports
• Automated process
• Human error

Minimize the surface

• Audit the code
• Block ports on the firewall
• Monitor network traffic in real-time

Connectivity

Everything contributes to security

• Including the network connection

Secure network cabling

• Protect the physical drops

Application-level encryption

• The hard work has already been done

Network-level encryption

• IPsec tunnels, VPN connections

Intrusion Prevention

Intrusion Prevention System (IPS)

Intrusion Prevention System

• Watch network traffic

Intrusions

• Exploits against OSes, applications, etc.
• Buffer overflows, cross-site scripting, other vulnerabilities

Detection vs. Prevention

• Intrusion Detection System (IDS) — Alarm or alert
• Prevention — Stop it before it gets into the network

Failure Modes

We hope for 100% uptime

• This obviously isn’t realistic
• Eventually, something will break

Fail-open

• When a system fails, data continues to flow

Fail-closed

• When a system fails, data does not flow

Device Connections

Active monitoring

• System is connected inline
• Data can be blocked in real-time as it passes by
• Intrusion prevention is commonly active

Passive monitoring

• A copy of the network traffic is examined using a tap or port monitor
• Data cannot be blocked in real-time
• Intrusion detection is commonly passive

Active Monitoring

Malicious traffic is immediately identified

• Dropped at the IPS
• Doesn’t proceed through the network

Passive Monitoring

Examine a copy of the traffic

• Port mirror (SPAN), network tap

No way to block (prevent) traffic

• Common with Intrusion Detection Systems

Network Appliances

Jump Server

Access secure network zones

• Provides an access mechanism to a protected network

Highly-secured device

• Hardened and monitored

SSH/Tunnel/VPN to the jump server

• RDP, SSH, or jump from there

A significant security concern

• Compromise of the jump server is a significant breach

Proxies

• Sits between the users and the external network
• Receives the user requests and sends the request on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy (explicit)
• Some proxies are invisible (transparent)
  • Users don’t need to configure anything for the proxy to work on their end

Application Proxies

One of the simplest “proxies” is NAT

• A network level proxy

Most proxies in use are application proxies

• The proxy understands the way the application works

A proxy may only know one application

• HTTP

Many proxies are multipurpose proxies

• HTTP, HTTPS, FTP, etc.

Forward Proxy

An “internal proxy”

• Commonly used to protect and control user access to the Internet

Reverse Proxy

Inbound traffic from the Internet to your internal service

Open Proxy

A third party, uncontrolled proxy

• Can be a significant security concern
• Often used to circumvent existing security controls

Balancing the Load

Distribute the load

• Multiple servers
• Invisible to the end-user

Large-scale implementations

• Web server farms, database farms

Fault tolerance

• Server outages have no effect
• Very fast convergence

Active/active Load Balancing

Configurable load

• Manage across servers

TCP offload

• Protocol overhead

SSL offload

• Encryption/Decryption

Caching

• Fast response

Prioritization

• QoS

Content Switching

• Application-centric balancing

Active/Passive Load Balancing

Some servers are active

• Others are on standby

If an active server fails, the passive server takes its place

Sensors and Collectors

Aggregate information from network devices

• Built-in sensors, separate devices
• Integrated into switches, routers, servers, firewalls, etc.

Sensors

• Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs

Collectors

• Proprietary consoles (IPS, firewall), SIEM consoles, syslog serves
• Many SIEMs include a correlation engine to compare diverse sensor data

Port Security

We have created many authentication methods through the years

• A network administrator has many choices

Use a username and password

• Other factors can be included

Commonly used on wireless networks

• Also works on wired networks

EAP

Extensible Authentication Protocol (EAP)

• An authentication framework

Many ways to authenticate based on RFC standards

• Manufacturers can build their own EAP methods

EAP integrates with 802.1X

• Prevents access to the network until the authentication succeeds

IEEE 802.1X

IEEE 802.1X

• Port-based Network Access Control (NAC)
• You don’t get access to the network until you authenticate

EAP integrates with 802.1X

• Extensible Authentication Protocol
• 802.1X prevents access to the network until the authentication succeeds

Used in conjunction with an authentication database

• RADIUS, LDAP, TACACS+, Kerberos, etc.

IEEE 802.1X and EAP

• Supplicant — The client
• Authenticator — The device that provides access
• Authentication server — Validates the client credentials

Firewall Types

The Universal Security Control

Standard issue

• Home, office, and in your OS

Control the flow of network traffic

• Everything passes through the firewall

Corporate control of outbound and inbound data

• Sensitive materials

Control of inappropriate content

• Not safe for work, parental controls

Protection against evil

• Anti-virus, anti-malware

Network-based Firewalls

Filter traffic by port number or application

• OSI layer 4 vs. OSI layer 7
• Traditional vs. NGFW firewalls

Encrypt traffic

• VPN between sites

Most firewalls can be a layer 3 devices (routers)

• Often sits on the ingresses/egress of the network
• Network Address Translation (NAT) functionality
• Authenticate dynamic routing communication

UTM/ All-in-one Security Appliance

• Unified Threat Management (UTM)/Web Security gateway
• URL filter/Content inspection
• Malware inspection
• Spam filter
• CSU (Channel Service Unit)/DSU (Data Service Unit)
• Router, Switch
• Firewall
• IDS/IPS
• Bandwidth shaper
• VPN endpoint

[! Warning] Using all features at once, will slow down the network. So enable those only you need.

Next-generation Firewall (NGFW)

The OSI Application Layer

• All data in every packet

Can be called different names

• Application layer gateway
• Stateful multilayer inspection
• Deep packet inspection

Requires some advanced decodes

• Every packet must be analyzed and categorized before a security decision is determined

Network-based Firewalls

• Control traffic flows based on the application
  • Microsoft SQL server, Twitter/X, YouTube

Intrusion Prevention Systems

• Identify the application
• Apply application-specific vulnerability signatures to the traffic

Content filtering

• URL filters
• Control website traffic by category

Web Application Firewall (WAF)

Not like a “normal” firewall

• Applies rules to HTTP/HTTPS conversations

Allow or deny based on expected input

• Unexpected input is a common method of exploiting an application

SQL injection

• Add your own commands to an application’s SQL query

A major focus of Payment Card Industry Data Security Standard (PCI DSS)

Secure Communication

VPN

Virtual Private Networks

• Encrypted (private) data transversing a public network

Concentrator

• Encryption/decryption access device
• Often integrated into a firewall

Many deployment options

• Specialized cryptographic hardware
• Software-based options available

Used with client software

• Sometimes built into the OS

Encrypted Tunnel

Keep data private across the public internet

• Encryption is the key

Encrypt your data

• Add new headers and trailers

Decrypt on the other side

• Original data is delivered

SSL/TLS VPN (Secure Sockets Layer VPN)

Uses common SSL/TLS protocol (TCP/443)

• (Almost) No firewall issues

No big VPN clients

• Usually remote access communication

Authenticate users

• No requirement for digital certificates or shared passwords (like IPSec)

Can be run from a browser or from a (usually light) VPN client

• Across many OSes

On-demand access from a remote device

• Software connects to a VPN concentrator

Some software can be configured as always-on

Site-to-site IPsec VPN

Always-on

• Or almost always

Firewalls often act as VPN concentrators

• Probably already have firewalls in place

SD-WAN

Software Defined Networking in a Wide Area Network

• A WAN built for the cloud

The data center used to be in one place

• The cloud has changed everything

Cloud-based applications communicate directly to the cloud

• No need to hop through a central point

Old Datacenters Design:

Cloud First Design:

SW-WAN:

Secure Access Service Edge (SASE)

Update secure access for cloud services

• Securely connect from different locations

Secure Access Service Edge (SASE)

• A “next generation” VPN

Security technologies are in the cloud

• Located close to existing cloud services

SASE clients on all device

• Streamlined and automatic

Selection of Effective Controls

Many security options

• Selecting the right choice can be challenging

VPN

• SSL/TLS VPN for user access
• IPsec tunnels for site-to-site access

SD-WAN

• Manage the network connectivity to the cloud
• Does not adequately address security concerns

SASE

• A complete network and security solution
• Requires planning and implementation

Protecting Data

Data Types and Classification

Data Types

Regulated

• Managed by a third-party
• Government laws and statutes

Trade secret

• An organization’s secret formulas
• Often unique to an organization

Intellectual property

• May be publicly visible
• Copyright and trademark restrictions

Legal information

• Court records and documents, judge and attorney information, etc.
• PII and other sensitive details
• Usually stored in many systems

Financial information

• Internal company financial details
• Customer finances
• Payment records
• Credit card data, bank records, etc.

Human-readable

• Humans can understand the data
• Very clear and obvious

Non-human readable

• Not easily understood by humans
• Encoded data
• Barcodes
• Images

Some formats are a hybrid

• CSV, XML, JSON, etc.

Classifying Sensitive Data

Not all data has the same level of categorization

• License tag numbers vs. health records

Different levels require different security and handling

• Additional permissions
• A different process to view
• Restricted network access

Data Classifications

Proprietary

• Data that is the property of an organization
• May also include trade secrets
• Often data unique to an organization

PII — Personally Identifiable Information

• Data that can be used to identify an individual
• Name, data of birth, mother’s maiden name, biometric information

PHI — Protected Health Information

• Health information associated with an individual
• Health status, health care records, payments for health care, and much more

Sensitive

• Intellectual property, PII, PHI

Confidential

• Very sensitive, must be approved to view

Public/Unclassified

• No restrictions on viewing the data

Private/Classified/Restricted

• Restricted access, may require an NDA

Critical

• Data should always be available

States of Data

Data at rest

The data is on a storage device

• Hard drive, SSD, flash drive, etc.

Encrypt the data

• Whole disk encryption
• Database encryption
• File or folder-level encryption

Apply permissions

• Access control lists
• Only authorized users can access the data

Data in transit

Data transmitted over the network

• Also called data in-motion

Not much protection as it travels

• Many switches, routers, devices

Network-based protection

• Firewall, IPS

Provide transport encryption

• TLS (Transport Layer Security)
• IPsec (Internet Protocol Security)

Data in use

Data is actively processing in memory

• System RAM, CPU registers and cache

The Data is almost always decrypted

• Otherwise, you couldn’t do anything with it

The attackers can pick the decrypted information out of RAM

• A very attractive option

Target Corp. breach — November 2013

• 110 million credit cards
• Data in-transit encryption and data at-rest encryption
• Attackers picked the credit card numbers out of the point-of-sale RAM

Data Sovereignty

Data sovereignty

• Data that resides in a country is subject to the laws of that country
• Legal monitoring, court orders, etc.

Laws may prohibit where data is stored

• GDPR (General Data Protection Regulation)
• Data collected on EU citizens must be stored in the EU
• A complex mesh of technology and legalities

Where is your data stored?

• Your compliance laws may prohibit moving data out of the country

Geolocation

Location details

• Tracks within a localized area

Many ways to determine location

• 802.11, mobile providers, GPS

Can be used to manage data access

• Prevent access from other countries

Limit administrative tasks unless secure area is used

• Permit enhanced access when inside the building

Protecting Data

Geographic Restrictions

Network location

• Identify based on IP subnet
• Can be difficult with mobile devices

Geolocation — determine a user’s location

• GPS — mobile devices, very accurate
• 802.11 wireless, less accurate
• IP address, not very accurate

Geo-fencing

• Automatically allow or restrict access when the user is in a particular location
• Don’t allow this app to run unless you’re near the office

A primary job task

• An organization is out of business without data

Data is everywhere

• ON a storage drive, on the network, in a CPU

Protecting the data

• Encryption, security policies

Data permissions

• Not everyone has the same access

Encryption

Encode information into unreadable data

• Original information is plaintext, encrypted form is ciphertext

This is a two-way street

• Convert between one and the other
• IF you have the proper key

Confusion

• The encrypted data is drastically different from the plaintext

Hashing

Represent data as a short string of text

• A message digest, a fingerprint

One-way trip

• Impossible to recover the original message from the digest
• Used to store passwords/confidentiality

Verify a downloaded document is the same as the original

• Integrity

Can be a digital signature

• Authentication, non-repudiation, and integrity

Will not have a collision (hopefully)

• Different messages will not have the same hash

Obfuscation

Obfuscate

• Make something normally understandable very difficult to understand

Take perfectly readable code and turn it into nonsense

• The developer keeps the readable code and gives you the chicken scratch
• Both sets of code perform exactly the same way

Helps prevent the search for security holes

• Makes it more difficult to figure out what’s happening
• But not impossible

Masking

A type of obfuscation

• Hide some original data

Protects PII

• And other sensitive data

May only be hidden from view

• The data may still be intact in storage
• Control the view based on permissions

Many techniques

• Substituting, shuffling, encrypting, masking out, etc.

Tokenization

Replace sensitive data with a non-sensitive placeholder

• SSN 266-12-1112 is now 691-618539

Common with credit card processing

• Use a temporary token during payment
• An attacker capturing the card numbers can’t use them later

This isn’t encryption or hashing

• The original data and token aren’t mathematically related
• No encryption overhead

Segmentation

Many organizations use a single data source

• One large database

One breach puts all the data at risk

• You’re making it easy for the attacker

Separate the data

• Store it in different locations

Sensitive data should have stronger security

• The most sensitive data should be the most secure

Permission Restrictions

Control access to an account

• It’s more than jut username and password
• Determine what policies are best for an organization

The authentication process

• Password policies
• Authentication factor policies
• Other considerations

Permissions after login

• Another line of defense
• Prevent unauthorized access

Resiliency and Recovery

Resiliency

High Availability

Redundancy doesn’t mean always available

• May need to be powered on manually

HA (high availability)

• always on, always available

May include many components working together

• Active can provide scalability advantages

Higher availability almost always means higher costs

• There’s always another contingency you could add
• Upgraded power, high-quality server components, etc.

Server Clustering

Combine two or more servers

• Appears and operates as a single large server
• Users only see one device

Easily increase capacity and availability

• Add more servers to the cluster

Usually configured in the OS

• All devices in the cluster commonly use the same OS

Load Balancing

Load is distributed across multiple servers

• The servers are often unaware of each other

Distribute the load across multiple devices

• Can be different OSes

The load balancer adds or removes devices

• Add a server to increase capacity
• Remove any servers not responding

Site resiliency

Recovery site is prepped

• Data is synchronized

A disaster is called

• Business processes failover to the alternate processing site

Problem is addressed

• This can take hours, weeks, or longer

Revert back to the primary location

• The process must be documented for both directions

Hot Site

An exact replica

• Duplicate everything

Stocked with hardware

• Constantly updated
• You buy two of everything

Applications and software are constantly updated

• Automated replication

Flip a switch and everything moves

• This may be quite a few switches

Cold Site

No hardware

• Empty building

No data

• Bring it with you

No people

• Bus in your team

Warm Site

Somewhere between cold and hot

• Just enough to get going

Big room with rack space

• You bring the hardware

Geographic Dispersion

These sites should be physically different from the organization’s primary location

• Many disruptions can affect a large area
• Hurricane, tornado, floods, etc.

Can be a logistical challenge

• Transporting equipment
• Getting employee’s on-site
• Getting back to the main office

Platform Diversity

Every OS contains potential security issues

• You can’t avoid them

Many security vulnerabilities are specific to a single OS

• Windows vulnerabilities don’t commonly affect Linux or macOS
• And vice versa

Use many platforms

• Different applications, clients, and OSes
• Spread the risk around

Multi-Cloud Systems

There are many cloud providers

• Amazon Web Services, Microsoft Azure, Google Cloud, etc.

Plan for cloud outages

• These can sometimes happen

Data is both geographically dispersed and cloud service dispersed

• A breach with one provider would not affect the others
• Plan for every contingency

Continuity of Operations Planning (COOP)

Not everything goes according to plan

• Disaster can cause a disruption to the norm

We rely on our computer systems

• Technology is pervasive

There need to be an alternative

• Manual transactions
• Paper receipts
• Phone calls for transactions approvals

These must be documented and tested before a problem occurs

Capacity Planning

Match supply to the demand

• This isn’t always an obvious equation

Too much demand

• Application slowdowns and outages

Too much supply

• You’re paying too much

Requires a balanced approach

• Add the right amount of people
• Apply appropriate technology
• Build the best infrastructure

People

Some services require human intervention

• Call center support lines
• Technology services

Too few employees

• Recruit new staff
• It may be time-consuming to add more staff

Too many employees

• Redeploy to other parts of the organization
• Downsize

Technology

Pick a technology that can scale

• Not all services can easily grow and shrink

Web services

• Distribute the load across multiple web services

Database services

• Cluster multiple SQL servers
• Split the database to increase capacity

Cloud services

• Services on demand
• Seemingly unlimited resources (if you pay the money)

Infrastructures

The underlying framework

• Application servers, network services, etc.
• CPU, network, storage

Physical devices

• Purchase, configure, and install

Cloud-based devices

• Easier to deploy
• Useful for unexpected capacity changes

Recovery Testing

Test yourselves before an actual event

• Scheduled updates sessions (annual, semi-annual, etc.)

Use well-defined rules of engagement

• Don’t touch the production systems

Very specific scenario

• Limited time to run the event

Evaluate response

• Document and discuss

Tabletop Exercises

Performing a full-scale disaster drill can be costly

• And time-consuming

Many of the logistics can be determined through analysis

• You don’t physically have to go through a disaster or drill

Get key players together for a tabletop exercise

• Talk through a simulated disaster

Fail Over

A failure is often inevitable

• It’s “when”, not “if”

We may be able to keep running

• Plan for the worst

Create a redundant infrastructure

• Multiple routers, firewalls, switches, etc.

If one stops working, fail over to the operational unit

• Many infrastructure devices and services can do this automatically

Simulation

Test with a simulated event

• Phishing attack, password requests, data breaches

Going phishing

• Create a phishing email attack
• Send to your actual user community
• See who bites

Test internal security

• Did the phishing get past the filter

Test the users

• Who clicked?
• Additional training may be required

Parallel Processing

Split a process through multiple (parallel) CPUs

• A single computer with multiple CPU cores or multiple physical CPUs
• Multiple computers

Improved performance

• Split complex transactions across multiple processors

Improved recover

• Quickly identify a faulty system
• Take the faulty device out of the list of available processors
• Continue operating with the remaining processors

Backups

Incredibly important

• Recover important and valuable data
• Plan for disaster

Many implementations

• Total amount of data
• Type of backup
• Backup media
• Storage location
• Backup and recovery software
• Day of the week

Onsite vs. Offsite Backups

Onsite backups

• No Internet link required
• Data is immediately available
• Generally less expensive than offsite

Offsite backups

• Transfer data over Internet or WAN link
• Data is available after a disaster
• Restoration can be performed from anywhere

Organizations often use both

• More copies of the data
• More options when restoring

Frequency

How often to back up

• Every week, day, hour?

This may be different between systems

• Some systems may not change much each day

May have multiple backups sets

• Daily, weekly, and monthly

This requires significant planning

• Multiple backup sets across different days
• Lots of media to manage

Encryption

A history of data is on backup media

• Some of this media may be offsite

This makes it very easy for an attacker

• All the data is in one place

Protect backup data using encryption

• Everything on the backup media is unreadable
• The recovery key is required to restore the data

Especially useful for cloud backups and storage

• Prevent anyone from eavesdropping

Snapshots

Became popular on virtual machines

• Very useful in cloud environments

Take a snapshot

• An instant backup of an entire system
• Save the current configuration and data

Take another snapshot after 24 hours

• Contains only the changes between snapshots

Take a snapshot every day

• Revert to any snapshot
• Very fast recovery

Recovery Testing

It’s not enough to perform the backup

• You have to be able to restore

Disaster recovery testing

• Simulate a disaster situation
• Restore from backup

Confirm the restoration

• Test the restored application and data

Perform periodic audits

• Always have a good backup
• Weekly, monthly, quarterly checks

Replication

An ongoing, almost real-time backup

• Keep data synchronized in multiple locations

Data is available

• There’s always a copy somewhere

Data can be stored locally to all users

• Replicate data to all remote sites

Data is recoverable

• Disasters can happen at any time

Journaling

Power goes out while writing data to storage

• The stored data is probably corrupted

Recovery could be complicated

• Remove corrupted files, restore from backup

Before writing to storage, make a journal entry

• After the journal is written, write the data to storage

After the data is written to storage, update the journal

• Clear the entry and get ready for the next

Power Resiliency

Power is the foundation of our technology

• It’s important to properly engineer and plan for outages

We usually don’t make our own power

• Power is likely provided by third-parties
• We can’t control power availability

There are ways to mitigate power issues

• Short power outages
• Long-term power issues

UPS

Uninterruptible Power Supply

• Short-term backup power
• Blackouts, brownouts, surges

UPS types

• Offline/Standby UPS
• Line-interactive UPS
• On-line/Double-conversion UPS

Features

• Auto shutdown, battery capacity, outlets, phone line suppression

Generators

Long-term power backup

• Fuel storage required

Power an entire building

• Some power outlets may be marked as generator-powered

It may take a few minutes to get the generator up to speed

• Use a battery UPS while the generator is starting

Security Techniques

Secure Baselines

The security of an application environment should be well-defined

• All application instances must follow this baseline
• Firewall settings, patch levels, OS file versions
• May require constant updates

Integrity measurements check for the secure baseline

• These should be performed often
• Check against well-documented baselines
• Failure requires an immediate correction

Establish Baselines

Create a series of baselines

• Foundational security policies

Security baselines are often available from the manufacturer

• Application developer
• OS manufacturer
• Appliance manufacturer

Many OSes have extensive options

• There are over 3000 group policy settings in Windows 10
• Only some of those are associated with security

Deploy Baselines

We now have established detailed security baselines

• How do we put those baselines into action?

Deploy the baselines

• Usually managed through a centrally administered console

May require multiple deployment mechanisms

• Active Directory group policy, MDM, etc.

Automation is the key

• Deploy to hundreds or thousands of devices

Maintain Baselines

Many of these are best practices

• They rarely change

Other baselines may require ongoing updates

• A new vulnerability is discovered
• An updated application has been deployed
• A new OS is installed

Test and measure to avoid conflicts

• Some baselines may contradict others
• Enterprise environments are complex

Hardening Targets

No system is secure with the default configurations

• You need some guidelines to keep everything safe

Hardening guides are specific to the software or platform

• Get feedback from the manufacturer or Internet interest group
• They will have the best details

Other general-purpose guides are available online

Mobile Devices

Always-connected mobile technologies

• Phones, tablets, etc.
• Hardening checklists are available from manufacturers

Updates are critical

• Bug fixes and security patches
• Prevent any known vulnerabilities

Segmentation can protect data

• Company and user data are separated

Control with an MDD

• Mobile Device Manager

Workstations

User desktops and laptops

• Windows, macOS, Linux, etc.

Constant monitoring and updates

• OSes, applications, firmware, etc.

Automate the monthly patches

• There’s likely an existing process

Connect to a policy management system

• Active Directory group policy

Remove unnecessary software

• Limit the threats

Network Infrastructure Devices

Switches, routers, etc.

• You never see them, but they’re always there

Purpose-built devices

• Embedded OS, limited OS access

Configure authentication

• Don’t use the defaults

Check with the manufacturer

• Security updates
• Not usually updated frequently
• Updates are usually important

Cloud Infrastructure

Secure the cloud management workstation

• The keys to the kingdom

Least privilege

• All services, network settings, application rights and permissions

Configure Endpoint Detection and Response (EDR)

• All devices accessing the cloud should be secure

Always have backups

• Cloud to Cloud (C2C)

Servers

Many and varied

• Windows, Linux, etc.

Updates

• OS updates/service packs, security patches

User accounts

• Minimum password lengths and complexity
• Account limitations

Network access and security

• Limit network access

Monitor and secure

• Anti-virus, anti-malware

SCADA/ICS

Supervisory Control and Data Acquisition System

• Large-scale, multi-site Industrial Control Systems (ICS)

PC manages equipment

• Power generation, refining, manufacturing equipment
• Facilities, industrial, energy, logistics

Distributed control systems

• Real-time information
• System control

Requires extensive segmentation

• No access from the outside

Embedded Systems

Hardware and software designed for a specific function

• Or to operate as part of a larger system

Can be difficult to upgrade

• Watches and televisions are relatively easy
• Other devices may not be easily modified

Correct vulnerabilities

• Security patches remove potential threats

Segment and firewall

• Prevent access from unauthorized users

RTOS (Real-Time Operating System)

An OS with a deterministic processing schedule

• No time to wait for other processes
• Industrial equipment, automobiles, military environments

Isolate the system

• Prevent access from other areas

Run with the minimum services

• Prevent the potential for exploit

Use secure communication

• Protect with a host-based firewall

IoT Devices

Heating and cooling, lighting, home automation, wearable technology, etc.

Weak defaults

• IoT manufacturers are not security professionals
• Change those passwords

Deploy updates quickly

• Can be a significant security concern

Segmentation

• Put IoT devices on their own VLAN

Securing Wireless and Mobile

Site Surveys

Determine existing wireless landscape

• Sample the existing wireless spectrum

Identify existing access points

• You may not control all of them

Work around existing frequencies

• Layout and plan for interference

Plan for ongoing site surveys

• Things will certainly change

Heat maps

• Identify wireless signal strengths

Wireless Survey Tools

• Signal coverage
• Potential interference
• Built-in tools
• 3rd-party tools
• Spectrum analyzer

Mobile Device Management (MDM)

Manage company-owned and user-owned mobile devices

• BYOD — Bring Your Own Device

Centralized management of the mobile devices

• Specialized functionality

Set policies on apps, data, camera, etc.

• Control the remote device
• The entire device or a “portion”

Manage access control

• Force screen locks and PINs on these single user devices

BYOD

Bring Your Own Device OR Bring Your Own Technology

Employee owns the device

• Need to meet the company’s requirements

Difficult to secure

• It’s both a home device and a work device
• How is data protected?
• What happens to the data when a device is sold or traded in?

COPE

Corporate owned, personally enabled

• Company buys the device
• Used as both a corporate device and a personal device

Organization keeps full control of the device

• Similar to company-owned laptops and desktops

Information is protected using corporate policies

• Information can be deleted at any time

CYOD — Choose Your Own Device

• Similar to COPE, but with the user’s choice of device

Cellular Networks

Mobile devices

• “Cell” phones
• 4G, 5G

Separate land into “cells”

• Antenna coverages a cell with certain frequencies

Security concerns

• Traffic monitoring
• Location tracking
• Worldwide access to a mobile device

Wi-Fi

Local network access

• Local security problems

Same security concerns as other Wi-Fi devices

Data capture

• Encrypt your data!

On-path attack

• Modify and/or monitor data

Denial of service

• Frequency interference

Bluetooth

High speed communication over short distances

• PAN (Personal Area Network)

Connects our mobile devices

• Smartphones, tethering, headsets and headphones, smartwatches, etc.

Do not connect to unknown Bluetooth devices

• There’s a formal pairing process to prevent unauthorized connections

Wireless Security Settings

Securing a Wireless Network

An organization’s wireless network can contain confidential information

• Not everyone is allowed access

Authenticate the users before granting access

• Who gets access to the wireless network?
• Username, password, multifactor authentication

Ensure that all communication is confidential

• Encrypt the wireless data

Verify the integrity of all communication

• The received data should be identical to the original sent data
• A message integrity check (MIC)

The WPA2 PSK Problem

WPA2 has a PSK brute-force problem

• Listen to the four-way handshake
  • Some methods can derive the PSK hash without the handshake
• Compute the hash

With the hash, attackers can brute force the pre-shared key (PSK)

This has become easier as technology improves

• A weak PSK is easier to brute-force
• GPU processing speeds
• Cloud-based password cracking

Once you have the PSK, you have everyone’s wireless key

• There’s no forward secrecy

WPA3 and GCMP

Wi-Fi Protected Access 3 (WPA3)

• Introduced in 2018

GCMP block cipher mode

• Galois/Counter Mode Protocol
• A stronger encryption than WPA2

GCMP security services

• Data confidentiality with AES
• Message Integrity Check (MIC) with Galois Message Authentication (GMAC)

SAE

WPA3 changes the PSK authentication process

• Includes mutual authentication
• Creates a shared session key without sending that key across the network
• No more four-way handshakes, no hashes, no brute force attacks

Simultaneous Authentication of Equals (SAE)

• A Diffie-Hellman derived key exchange with an authentication component
• Everyone uses a different session key, even with the same PSK
• An IEEE standard — the dragonfly handshake

Wireless Authentication Methods

Gain access to a wireless network

• Mobile users
• Temporary users

Credentials

• Shared password/pre-shared key (PSK)
• Centralized authentication (802.1X)

Configuration

• Part of the wireless network connection
• Prompted during the connection process

Wireless Security Modes

Configure the authentication on your wireless access point/wireless router

Open System

• No authentication password is required

WPA3-Personal/WPA3-PSK

• WPA2 or WPA3 with a pre-shared key
• Everyone uses the same 256-bit key

WPA3-Enterprise/WPA3-802.1X

• Authenticates users individually with an authentication server (i.e, RADIUS)

AAA Framework

Identification

• This is who you claim to be
• Usually your username

Authentication

• Prove you are who you say you are
• Password and other authentication factors

Authorization

• Based on your identification and authentication, what access do you have?

Accounting

• Resources use: Login time, data sent and received, logout time

RADIUS (Remote Authentication Dial-in User Service)

One of the more common AAA protocols

• Supported on a wide variety of platforms and devices

Centralize authentication for users

• Routers, switches, firewalls
• Server authentication
• Remote VPN access
• 802.1X network access

RADIUS services available on almost any server operating system

IEEE 802.1X

IEEE 802.1X

• Port-based Network Access Control (NAC)
• You don’t get access to the network until you authenticate

Used in conjunction with an access database

• RADIUS, LDAP, TACACS+

EAP

Extensible Authentication Protocol (EAP)

• An authentication framework

Many ways to authenticate based on RFC standards

• Manufacturers can build their own EAP methods

EAP integrates with 802.1X

• Prevents access to the network until the authentication succeeds

IEEE 802.1X and EAP

Supplicant — the client Authenticator — The device that provides access Authentication server — Validates the client credentials

Application Security

Secure Coding Concepts

A balance between time and quality

• Programming with security in mind is often secondary

Testing, testing, testing

• The Quality Assurance (QA) process

Vulnerabilities will eventually be found

• And exploited

Input Validation

What is the expected input?

• Validate actual vs. expected

Document all input methods

• Forms, fields, type

Check and correct all input (normalization)

• A zip code should be only X characters long with a letter in the X column
• Fix any data with improper input

The fuzzers will find what you missed

• Don’t give them an opening

Cookies

Cookies

• Information stored on your computer by the browser

Used for tracking, personalization, session management

• Not executable, not generally a security risk
  • Unless someone gets access to them

Secure cookies have a Secure attribute set

• Browser will only send it over HTTPS

Sensitive information should not be saved in a cookie

• This isn’t designed to be secure storage

Static Code Analyzers

Static Application Security Testing (SAST)

• Help to identify security flaws

Many security vulnerabilities found easily

• Buffer overflows, database injections, etc.

Not everything can be identified through analysis

• Authentication security, insecure cryptography, etc.
• Don’t rely on automation for everything

Still have to verify each finding

• False positives are an issue

Code Signing

An application is deployed

• Users run application executables or scripts

So many security questions

• Has the application been modified in any way?
• Can you confirm that the application was written by a specific developer?

The application code can be digitally signed by the developer

• Asymmetric encryption
• A trusted CA signs the developer’s public key
• Developer signs the code with their private key
• For internal apps, use your own CA

Sandboxing

Applications cannot access unrelated resources

• They play in their own sandbox

Commonly used during development

• Can be useful production technique

Used in many deployments

• Virtual machines
• Mobile devices
• Browser iframes (Inline Frames)
• Windows User Account Control (UAC)

Application Security Monitoring

Real-time information

• Application usage, access demographics

View blocked attacks

• SQL injection attempts, patched vulnerabilities

Audit the logs

• Find the information gathering and hidden attacks

Anomaly detection

• Unusual file transfer
• Increase in client access

Asset Management

Asset Management

Acquisition/Procurement Process

The purchasing process

• Multi-step process for requesting and obtaining goods and services

Start with a request from the user

• Usually includes budgeting information and formal approvals

Negotiate with suppliers

• Terms and conditions

Assignment/Accounting

A central asset tracking system

• Used by different parts of the system

Ownership

• Associate a person with an asset
• Useful for tracking a system

Classification

• Type of asset
• Hardware (capital expenditure)
• Software (Operating expenditure)

Monitoring/Asset Tracking

Inventory every asset

• Laptops, desktops, servers, routers, switches, cables, fiber modules, tablets, etc.

Associate a support ticket with a device make and model

• Can be more detailed than a user’s description

Enumeration

• List all parts of an asset
• CPU, memory, storage drive, keyboard, mouse

Add an asset tag

• Barcode, RFID, visible tracking number, organization name

Media Sanitization

System disposal or decommissioning

• Completely remove data
• No usable information remains

Different use cases

• Clean a hard drive for future use
• Permanently delete a single file

A one-way trip

• Once it’s gone, it’s really gone
• No recovery with forensics tools

Reuse the storage media

• Ensure nothing is left behind

Physical Destruction

Shredder/pulverizer

• Heavy machinery
• Complete destruction

Drill/Hammer

• Quick and easy
• Platters, all the way through

Electromagnetic (degaussing)

• Remove the magnetic field
• Destroys hard drive data and renders the hard drive unusable

Incineration

• Fire hot

Certificate of Destruction

Destroy is often done by a 3rd-party

• How many drills and degaussers do you have?

Need confirmation that your data is destroyed

• Service should include a certificate

A paper trail of broken data

• You know exactly what happening

Data Retention

Backup your data

• How much and where?
• Copies, versions of copies, lifecycle of data, purging old data

Regulatory compliance

• A certain amount of data backup may be required
• Emails, corporate financial data

Operational needs

• Accidental deletion
• Disaster recovery

Differentiate by type and application

• Recover the data you need when you need it

Vulnerability Management

Vulnerability Scanning

Usually minimally invasive

• Unlike a penetration test

Port scan

• Poke around and see what’s open

Identify system

• And security devices

Test from the outside and inside

• Don’t dismiss insider threats

Gather as much information as possible

• We’ll separate wheat from chaff later

Static Code Analyzer

Static Application Security Testing (SAST)

• Help to identify security flaws

Many security vulnerabilities found easily

• Buffer overflows, database injections, etc.

Not everything can be identified through analysis

• Authentication security, insecure cryptography, etc.
• Don’t rely on automation for everything

Still have to verify each finding

• False positives are an issue

Dynamic Analysis (fuzzing)

Send random input to an application

• Fault-injecting, robustness testing, syntax testing, negative testing

Looking for something out of the ordinary

• Application crash, server error, exception

1988 class project at the University of Wisconsin

• “Operating System Utility Program Reliability”
• Professor Barton Miller
• The Fuzz Generator

Fuzzing Engines and Frameworks

Many fuzzing options

• Platform specific, language specific, etc.

Very time and processor resource heavy

• Many, many iterations to try
• Many fuzzing engines use high-probability tests

Carnegie Mellon Computer Emergency Response Team (CERT)

• CERT Basic Fuzzing Framework (BFF)
• https://professormesser.link/bff

Package Monitoring

Some applications are distributed in a package

• Especially open source
• Supply chain integrity

Confirm the package is legitimate

• Trusted source
• No added malware
• No embedded vulnerabilities

Confirm a safe package before deployment

• Verify the contents

Threat Intelligence

Research the threats

• And the threat actors

Data is everywhere

• Hacker group profiles, tools used by the attackers, and much more

Make decisions based on this intelligence

• Invest in the best prevention

Used by researchers, security operations teams, and others

Open-source Intelligence (OSINT)

Open-source

• Publicly available sources
• A good place to start

Internet

• Discussion groups, social media

Government data

• Mostly public hearings, reports, websites, etc.

Commercial data

• Maps, financial reports, databases

Proprietary/Third-party Intelligence

Someone else has already compiled the threat information

• You can buy it

Threat intelligence services

• Threat analysis
• Correlation across different data sources

Constant threat monitoring

• Identify new threats
• Create automated prevention workflows

Information-sharing Organization

Public threat intelligence

• Often classified information

Private threat intelligence

• Private companies have extensive resources

Need to share critical security details

• Real-time, high-quality cyber threat information sharing

Cyber Threat Alliance (CTA)

• Members upload specifically formatted threat intelligence
• CTA scores each submission and validates across other submissions
• Other members can extract the validated data

Dark Web Intelligence

Dark website

• Overlay networks that use the Internet
• Requires specific software and configurations to access

Hacking groups and services

• Activities
• Tools and techniques
• Credit card sales
• Accounts and passwords

Monitor forums for activity

• Company names, executive names

Penetration Testing

Pentest

• Simulate an attack

Similar to vulnerability scanning

• Except we actually try to exploit the vulnerabilities

Often a compliance mandate

• Regular penetration testing by a 3rd-party

National Institute of Standards and Technology

• Technical Guide to Information Security Testing and Assessment
  • https://professormesser.link/800115 (PDF Download)

Rules of Engagement

An important document

• Defines purpose and scope
• Makes everyone aware of the test parameters

Type of testing and schedule

• On-site physical breach, internal test, external test
• Normal working hours, after 6 PM only, etc.

The rules

• IP address ranges
• Emergency contacts
• How to handle sensitive information
• In-scope and out-of-scope devices or appliances

Exploiting Vulnerabilities

Try to break into the system

• Be careful; this can cause a denial of service or loss of data
• Buffer overflows can cause instability
• Gain privilege escalation

You may need to try many vulnerability types

• Password brute-force
• Social engineering
• Database injections
• Buffer overflows

You will only be sure you’re vulnerable if you can bypass security

• If you can get through, the attackers can get through

The Process

Initial exploitation

• Get into the network

Lateral movement

• Move from system to system
• The inside of the network is relatively unprotected

Persistence

• Once you are there, you need to make sure there is a way back in
• Set up a backdoor, build user accounts, change or verify default passwords

The pivot

• Gain access to systems that would normally not be accessible
• Use a vulnerable system as a proxy or relay

Responsible Disclosure Program

It takes tie to fix a vulnerability

• Software changes, testing, deployment, etc.

Bug bounty programs

• A reward for discovering vulnerabilities
• Earn money for hacking a system
• Document the vulnerability to earn cash

A controlled information release

• Researcher reports the vulnerability
• Manufacturer creates a fix
• The vulnerability is announced publicly

Analyzing Vulnerabilities

Dealing with False Information

False positives

• A vulnerability is identified that doesn’t really exist

This is different from a low-severity vulnerability

• It’s real, but it may not be your highest priority

False negatives

• A vulnerability exists, but you didn’t detect it

Update to the latest signatures

• If you don’t know about it, you can’t see it

Work with the vulnerability detection manufacturer

• They may need to update their signatures for your environment

Prioritizing Vulnerabilities

Not every vulnerability shares the same priority

• Some may not be significant
• Others may be critical

This may be difficult to determine

• The research has probably already been done

Refer to public disclosures and vulnerability databases

• The industry is well versed
• Online discussion groups, public disclosure mailing lists

CVSS

National Vulnerability Database

• https://nvd.nist.gov/
• Synchronized with the CVE list
• Enhanced search functionality

Common Vulnerability Scoring System (CVSS)

• Quantitative scoring of a vulnerability — 0 to 10
• The scoring standards change over time
• Different scoring for CVSS 2.0 vs. CVSS 3.x

Industry collaboration

• Enhanced feed sharing and automation

CVE

The vulnerabilities can be cross-referenced online

• Almost all scanners give you a place to go

National Vulnerability Database

• https://nvd.nist.gov

Common Vulnerabilities and Exposure (CVE)

• https://cve.mitre.org/cve

Microsoft Security Bulletins

• https://msrc.microsoft.com/update-guide

Some vulnerabilities cannot be definitively identified

• You will have to check manually to see if a system is vulnerable
• The scanner gives you a heads-up

Vulnerability Classification

The scanner looks for everything

• Well, not everything — The signatures are the key

Application scans

• Desktop, mobile apps

Web application scans

• Software on a web server

Network scans

• Misconfigured firewalls, open ports, vulnerable devices

Exposure Factor

Loss of value or business activity if the vulnerability is exploited

• Usually expressed as a percentage

A small DDoS may limit access to a service

• 50% exposure factor A buffer overflow may completely disable a service
• 100% exposure factor

A consideration when prioritizing

• Worst possible outcome probably gets priority

Environmental Variables

What type of environment is associated with this vulnerability?

• Internal server, public cloud, test lab

Prioritization and patching frequency

• A device in an isolated test lab
• A database server in the public cloud
• Which environment gets priority?

Every environment is different

• Number and type of users (internal, external)
• Revenue generating application
• Potential for exploit

Industry/Organizational Impact

Some exploits have signal-to-noise consequences

• The type of organization is an important consideration

Tallahassee Memorial Healthcare — February 2023

• Ransomware — closed for two weeks
• Diverted emergency cases, surgeries cancelled

Power utilities — Salt Lake City, Utah and LA County, California — March 2019

• DDoS attacks from an unpatched known vulnerability

Risk Tolerance

The amount of risk acceptable to an organization

• It’s important to remove all risk

The timing of security patches

• Patching immediately doesn’t allow for proper testing

Testing takes time

• While you’re testing, you’re also vulnerable

There’s a middle ground

• May change based on the severity

Vulnerability Remediation

Patching

The most common mitigation technique

• We know the vulnerability exists
• We have a patch file to install

Scheduled vulnerability/patch notices

• Monthly, quarterly

Unscheduled patches

• Zero-day, often urgent

This is an ongoing process

• The patches keep coming
• An easy way to prevent most exploits

Insurance

Cybersecurity insurance coverage

• Lost revenue
• Data recovery costs
• Money lost to phishing
• Privacy lawsuit costs

Doesn’t cover everything

• Intentional acts, funds transfers, etc.

Ransomware has increased popularity of cybersecurity liability insurance

• Applies to every organization

Segmentation

Limit the scope of an exploit

• Separate devices into their own networks/VLANs

A breach would have limited scope

• It’s not as bad as it could be

Can’t patch?

• Disconnect from the world
• Air gaps may be required

Use internal NGFWS

• Block unwanted/unnecessary traffic between VLANs
• Identify malicious traffic on the inside

Physical Segmentation

Separate devices

• Multiple units, separate infrastructure

Logical Segmentation with VLANs

Virtual Local Area Network (VLANs)

• Separated logically instead of physically
• Cannot communicate between VLANs without a layer 3 device/router

Compensating Controls

Optimal security methods may not be available

• Can’t deploy a patch right now
• No internal firewalls

Compensate in other ways

• Disable the problematic service
• Revoke access to the application
• Limit external access
• Modify internal security controls and software firewalls

Provide coverage until a patch is deployed

• Or similar optimal security response

Exceptions and Exemptions

Removing the vulnerability is optimal

• But not everything can be patched

A balancing act

• Provide the service, but also protect the data and systems

Not all vulnerabilities share the same severity

• May require local login, physical access, or other criteria

An exception may be an option

• Usually a formal process to approve

Validation of Remediation

The vulnerability is now patched

• Does the patch really stop the exploit?
• Did you patch all vulnerable systems?

Rescanning

• Perform an extensive vulnerability scan

Audit

• Check remediated systems to ensure the patch was successfully deployed

Verification

• Manually confirm the security of the system

Reporting

Ongoing checks are required

• New vulnerabilities are continuously discovered

Difficult (or impossible) to manage without automation

• Manual checks would be time-consuming

Continuous reporting

• Number of identified vulnerabilities
• Systems patched vs. unpatched
• New threat notifications
• Errors, exception, and exemptions

Security Monitoring

Security Monitoring

The attackers never sleep

• 24/7/365

Monitor all entry points

• Logins, publicly available services, data storage locations, remote access

React to security events

• Account access, firewall rule base, additional scanning

Status dashboards

• Get the status of all systems at a glance

Monitoring Computing Resources

Systems

• Authentication — logins from strange places
• Server monitoring — Service activity, backups, software versions

Applications

• Availability — Uptime and response times
• Data transfers — Increases or decreases in rates

Infrastructure

• Remote access systems — Employees, vendors, guests
• Firewall and IPS reports — Increase or type of attack

Log Aggregation

SIEM or SEM (Security Information and Event Manager)

• Consolidate different logs to a central database
• Servers, firewalls, VPN concentrators, SANs, cloud services

Centralized reporting

• All information in one place

Correlation between diverse systems

• View authentication and access
• Track application access
• Measure and report on data transfers

Scanning

A constantly changing threat landscape

• New vulnerabilities discovered daily
• Many business applications and services
• Systems and people are always moving

Actively check systems and devices

• OS types and versions
• Device driver options
• Installed applications
• Potential anomalies

Gather the raw details

• A valuable database of information

Reporting

Analyze the collected data

• Create “actionable” reports

Status information

• Number of devices up to date/in compliance
• Devices running older OSes

Determine best next steps

• A new vulnerability is announced
• How many systems are vulnerable?

Ad hoc information summaries

• Prepare for the unknown

Archiving

It takes an average of about 9 months for a company to identify and contain a breach

• IBM security report, 2022

Access to data is critical

• Archive over an extended period

May have a mandate

• State for federal law
• Or organizational requirements

Alerting

Real-time notification of security events

• Increase in authentication errors
• Large file transfers

Actionable data

• Keep the right people informed
• Enable quick response and status information

Notification methods

• SMS/text
• Email
• Security console/SOC

Alert Response and Remediation

Quarantine

• A foundational security response
• Prevent a potential security issue from spreading

Alert tuning

• A balancing act
• Prevent false positives and false negatives

An alert should be accurate

• This is an ongoing process
• The tuning gets better as time goes on

Security Tools

Security Content Automation Protocol (SCAP)

Many security tools on the market

• NGFWs, IPS, vulnerability scanners, etc.
• They all have their own way of evaluating a threat

Managed by National Institute of Standards and Technology (NIST)

• https://scap.nist.gov

Allows tools to identify and act on the same criteria

• Validate the security configuration
• Confirm patch installs
• Scan for a security breach

Using SCAP

SCAP content can be shared between tools

• Focused on configuration compliance
• Easily detect applications with known vulnerabilities

Especially useful in large environments

• Many OSes and applications

This specification standard enables automation

• Even between different tools

Automation types

• Ongoing monitoring
• Notification and alerting
• Remediation of noncompliant systems

Benchmarks

Apply security best-practices to everything

• OSes, cloud providers, mobile devices, etc.
• The bare minimum for security settings

Example: Mobile device

• Disable screenshots, disable screen recordings, prevent voice calls when locked, force encryption backups, disable additional VPN profiles, configure a “lost phone” message, etc.

Popular benchmarks — Center for Internet Security (CIS)

• https://www.cisecurity.org/cis-benchmarks

Agents/Agentless

Check to see if the device is in compliance

• Install a software agent onto the device
• Run an on-demand agentless check

Agents can usually provide more details

• Always monitoring for real-time notifications
• Must be maintained and updated

Agentless runs without a formal install

• Performs the check, then disappears
• Does not require ongoing updates to an agent
• Will not inform or alert if not running

SIEM

Security Information and Event Management

• Logging of security events and information

Log collection of security alerts

• Real-time information

Log aggregation and long-term storage

• Usually includes advanced reporting features

Data correlation

• Link diverse data types

Forensic analysis

• Gather details after an event

Anti-virus and Anti-malware

Anti-virus is the popular term

• Refers specifically to a type of malware
• Trojans, worms, macro viruses

Malware refers to the broad malicious software category

• Anti-malware stops spyware, ransomware, fileless malware

The terms are effectively the same these days

• The names are more of a marketing tool
• Anti-virus software is also anti-malware software now
• Make sure your system is using a comprehensive solution

Data Loss Prevention (DLP)

Where’s your data?

• Social Security Numbers, Credit Card Numbers, Medical Records

Stop the data before the attacker gets it

• Data “leakage”

So many sources, so many destinations

• Often requires multiple solutions
• Endpoint clients
• Cloud-based systems
  • Email, cloud storage, collaboration tools

SNMP

Simple Network Management Protocol

• A database of data (MIB) — Management Information Base
• The database contains OIDS — Object identifiers
• Poll devices over udp/161

Request statistics from a device

• Server, firewall, workstation, switch, router, etc.

Graphing with SNMP

SNMP traps

Most SNMP operations expect a poll

• Devices then respond to the SNMP request
• This requires constant polling

SNMP traps can be configured on the monitored device

• Communicates over udp/162

Set a threshold for alerts

• If the number of CRC errors increases by 5, send a trap
• Monitoring station can be reacted immediately

NetFlow

Gather traffic statistics from all the traffic flows

• Shared communication between devices

NetFlow

• Standard collection method
• Many products and options

Probe and collector

• Probe watches network communication
• Summary records are sent to the collector

Usually a separate reporting app

• Closely tied to the collector

Vulnerability Scanner

Usually minimally invasive

• Unlike a penetration test

Port scan

• Poke around and see what’s open

Identify systems

• And security devices

Test from the outside and inside

• Don’t dismiss insider threats

Gather as much information as possible

• We’ll separate wheat from chaff later

Enterprise Security

Firewalls

Network-based Firewalls

Filter traffic by port number of application

• Traditional vs. NGFW

Encrypt traffic

• VPN between sites

Most firewalls can be layered 3 devices (router)

• Often sits on the ingress/egress of the network
• Network Address Translation (NAT)
• Dynamic routing

Next-generation Firewalls (NGFW)

The OSI Application Layer

• Layer 7 firewall

Can be called different names

• Application layer gateway
• Stateful multilayer inspection
• Deep packet inspection

Requires some advanced decodes

• Every packet must be analyzed, categorized, and a security decision determined

Ports and Protocols

Make a forwarding decisions based on protocols (TCP or UDP) and port number

• Traditional port-based firewalls
• Add to an NGFW for additional security policy options

Based on destination protocol and port

• Web server: tcp/80, tcp/443
• SSH server: tcp/22
• Microsoft RDP: tcp/3389
• DNS query: udp/53
• NTP:udp/123

Firewall Security Policies:

Firewall Rules

A logical path

• Usually top-to-bottom

Can be very general or very specific

• Specific rules are usually at the top

Implicit deny

• Most firewalls include deny at the bottom
  • Even if you didn’t put one

Access control lists (ACLS)

• Allow or disallow traffic
• Groupings of categories — Source IP, Destination IP, port number, time of day, application, etc.

Web Server Firewall Ruleset

Screened subnet

An additional layer of security between you and the Internet

• Public access to public resources
• Private data remains inaccessible

IPS Rules

Intrusion Prevention System

• Usually integrated into an NGFW

Different ways to find malicious traffic

• Look at traffic as it passes by

Signature-based

• Look for a perfect match

Anomaly-based

• Build a baseline of what’s “normal”
• Unusual traffic patterns are flagged