Chapter 2: Security Architecture

Chapter 2 Objective 2.1 Firewall → A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Placement: Perimeter Firewall: Positioned at the network boundary to filter traffic between internal and external networks. Internal Firewall: Placed within the network to segment and protect different network segments. Configuration: Rule Setting: Define rules to allow or block traffic based on IP addresses, ports, and protocols. Logging and Monitoring: Enable logging to monitor traffic and detect suspicious activities. Regular Updates: Keep firmware and rules updated to counteract new threats. Intrusion Prevention System (IPS): Placement: Inline Deployment: Positioned directly in the path of network traffic to actively block threats. Configuration: Signature Updates: Regularly update threat signatures. Policy Configuration: Set policies to determine the action on detecting a threat (e.g., block, alert). Integration: Integrate with other security tools for comprehensive threat management. Intrusion Detection System (IDS): Placement: Network-based IDS (NIDS): Deployed at key points within the network. Host-based IDS (HIDS): Installed on individual devices to monitor local activities. Configuration: Signature and Anomaly Detection: Configure for both known and unknown threat detection. Alerting: Set up alerting mechanisms to notify administrators of potential threats. Log Management: Ensure detailed logging for forensic analysis. Vulnerability Scanner: Placement: Internal Scanner: Deployed within the network to identify internal vulnerabilities. External Scanner: Placed outside the network to identify external vulnerabilities. Configuration: Regular Scans: Schedule scans to run at regular intervals. Custom Policies: Configure scan policies tailored to the organization’s needs. Integration: Integrate with patch management systems for remediation. Virtual Private Network (VPN): Placement: VPN Gateway: Positioned at the network edge to handle VPN connections. Configuration: Encryption Protocols: Configure strong encryption protocols (e.g., AES-256). Authentication Methods: Implement robust authentication (e.g., multi-factor authentication). Access Controls: Define access controls based on user roles. Network Access Control (NAC): Placement: Edge Deployment: Positioned at network access points such as switches and wireless access points. Configuration: Policy Definition: Define policies for device compliance (e.g., antivirus, patches). Quarantine: Configure quarantine networks for non-compliant devices. Continuous Monitoring: Implement continuous monitoring of devices for compliance. Web Application Firewall (WAF): Placement: In Front of Web Servers: Positioned in front of web servers to inspect incoming and outgoing traffic. Configuration: Rule Configuration: Define rules to block common web attacks (e.g., SQL injection, XSS). Logging: Enable detailed logging for traffic analysis. Updates: Regularly update rules and signatures. Proxy: Placement: Between Clients and Servers: Positioned between client devices and external servers. Configuration: Caching: Configure caching to improve performance. Access Control: Implement access controls to restrict web access. Logging: Enable logging for monitoring web activity. Reverse Proxy: Placement: In Front of Web Servers: Positioned in front of web servers to handle client requests. Configuration: Load Balancing: Configure to distribute traffic across multiple servers. SSL Termination: Implement SSL termination to offload encryption tasks. Caching: Enable caching to improve response times. API Gateway: Placement: In Front of APIs: Positioned in front of API endpoints. Configuration: Rate Limiting: Implement rate limiting to control the number of API requests. Authentication and Authorization: Set up mechanisms to authenticate and authorize API consumers. Monitoring: Enable monitoring and logging of API usage. Taps: Placement: In-Line with Network Links: Positioned directly on network links to capture traffic. Configuration: Non-Intrusive: Ensure non-intrusive capturing without affecting network performance. Aggregation: Aggregate traffic for centralized monitoring. Security: Secure captured data to prevent unauthorized access. Collectors: Placement: Distributed Across Network: Deployed on key network nodes and devices. Configuration: Source Configuration: Configure sources from which logs are collected. Centralized Storage: Set up centralized storage for collected data. Integration: Integrate with SIEM systems for analysis. Content Delivery Network (CDN): Placement: Globally Distributed: Deployed across multiple geographic locations. Configuration: Content Caching: Configure caching of static content to improve load times. Load Distribution: Implement load distribution to balance traffic. Security Features: Enable security features like DDoS protection and SSL. Availability and Integrity Design Considerations Load Balancing → Load balancing is the process of distributing network or application traffic across multiple servers to ensure no single server becomes overwhelmed, thereby improving availability and performance. Recoverability → Ability to restore systems, applications, and data to a previous state after a failure or disaster. Interoperability → Refers to the ability of different systems, applications, and services to work together seamlessly. Ex. A healthcare system using HL7 standards and APIs to ensure interoperability between electronic health record (EHR) systems and laboratory information systems. Geographical Considerations → Geographical considerations involve planning for the physical location of systems and data to optimize performance, compliance, and disaster recovery. Vertical vs. Horizontal Scaling → Scaling refers to the ability to increase the capacity of a system to handle more load. Vertical scaling (scaling up) involves adding more power (CPU, RAM) to an existing server, while horizontal scaling (scaling out) involves adding more servers to a system. Persistence vs. Non-Persistence → Refers to the ability of data and applications to retain their state across sessions, while non-persistence involves systems that do not retain state, resetting after each session. Objective 2.2 Security Requirements Definition Functional Requirements → Functional security requirements specify what a system should do to ensure security. These requirements outline specific behaviors and actions that the system must perform to maintain its security posture. Ex. A functional requirement for a banking application might specify that user login sessions must expire after 10 minutes of inactivity to protect against unauthorized access. Non-Functional Requirements → Non-functional security requirements define the quality attributes, performance, and constraints of the security mechanisms in a system. These requirements ensure that the system’s security measures are effective and sustainable. Ex. A non-functional requirement might state that the system must detect and log 95% of all access attempts within one second to ensure timely responses to potential security incidents. Security vs. Usability Trade-Off → The security vs. usability trade-off involves balancing the need for robust security measures with the need to maintain a user-friendly experience. Strong security often introduces complexity that can impact usability, and vice versa. Implementing multi-factor authentication (MFA) improves security but may inconvenience users. Balancing this could involve offering convenient authentication methods (e.g., biometrics) to reduce friction. Software Assurance Static Application Security Testing (SAST) → SAST is a method of analyzing source code or binaries to identify security vulnerabilities without executing the application. Ex. A SAST tool scanning a Java application’s source code and identifying SQL injection vulnerabilities before the code is deployed. Dynamic Application Security Testing (DAST) → DAST involves testing a running application to identify vulnerabilities by simulating external attacks. Ex. A DAST tool simulating attacks on a web application to identify vulnerabilities like cross-site scripting (XSS). Interactive Application Security Testing (IAST) → IAST combines elements of SAST and DAST by analyzing applications in real-time during normal operation to identify vulnerabilities. Real-time Analysis: Provides real-time security insights. Context-aware: Offers detailed context about the application’s state during vulnerabilities. Integration: Can be integrated with development and testing workflows. Ex. An IAST tool monitoring a web application during testing and identifying an insecure data handling practice. Runtime Application Self-Protection (RASP) → RASP protects applications by detecting and blocking attacks in real-time while the application is running. Deploy RASP, monitor execution, block attacks Immediate protection, self-defending, detailed logging Ex. A RASP tool embedded in a web application that detects and blocks an SQL injection attempt in real-time. Vulnerability Analysis → Vulnerability analysis involves identifying, categorizing, and assessing vulnerabilities in an application or system. Ex. A vulnerability analysis revealing several high-severity vulnerabilities in a web application, leading to prioritized remediation. Software Composition Analysis (SCA) → SCA identifies and manages security risks in the open-source and third-party components used in an application. Scan components, identify vulnerabilities, manage risks Dependency Management: Tracks and manages dependencies. License Compliance: Ensures compliance with open-source licenses. Security Visibility: Offers visibility into the security of all components. Ex. An SCA tool identifying a vulnerable version of a library used in an application and suggesting an upgrade to a secure version. Software Bill of Materials (SBoM) → SBoM is a comprehensive list of all components, libraries, and modules that make up a software application. Ex. An organization maintaining an SBoM for its software products to ensure transparency and manage supply chain risks. Formal Methods → Formal methods involve using mathematical and logical techniques to specify, develop, and verify software systems. Ex. Using formal methods to verify the correctness of an algorithm used in a critical safety system, ensuring it behaves as expected under all conditions. Continuous Integration/Continuous Deployment (CI/CD) Coding Standards and Linting → Coding standards are guidelines and best practices for writing code, ensuring consistency, readability, and maintainability. Linting involves using tools to automatically check the code for adherence to these standards and potential errors. Ex. Using ESLint to check JavaScript code against predefined coding standards in every pull request. Branch Protection → Branch protection involves implementing rules and policies to protect important branches (e.g., main, master) from unintended changes, ensuring code quality and stability. Ex. Requiring at least two code reviews and passing CI checks before merging changes into the main branch. Continuous Improvement → Continuous improvement is an ongoing effort to enhance processes, tools, and practices in the CI/CD pipeline to increase efficiency, quality, and performance. Ex. Regularly reviewing CI/CD pipeline metrics and implementing automation to reduce build times and increase test coverage. Testing Activities → Testing activities in CI/CD involve various types of tests to ensure code quality, functionality, and performance before deployment. These tests include canary, regression, integration, automated test and retest, and unit tests. Canary Testing: A technique where a new software version is gradually rolled out to a small subset of users before a full deployment, to detect any issues early. Steps: Deploy Incrementally: Release new code to a small subset of users. Monitor Feedback: Collect performance and error metrics. Gradual Rollout: Gradually increase the user base if no issues are detected. Functionalities: Risk Mitigation: Reduces risk by limiting exposure to new changes. Real-time Validation: Validates changes in a live environment. Example: Deploying a new feature to 5% of users and monitoring for errors before a full rollout. Regression Testing: The process of re-testing software after changes (e.g., updates or fixes) to ensure that the new code does not negatively affect existing functionality. Steps: Identify Test Cases: Select test cases that cover existing functionalities. Automate Tests: Automate regression tests in the CI/CD pipeline. Run Tests: Execute regression tests after every code change. Functionalities: Stability: Ensures new changes do not break existing functionalities. Automation: Provides automated validation of past functionalities. Example: Running automated regression tests on an e-commerce application to ensure checkout functionality remains unaffected by new updates Integration Testing: Testing in which individual software modules are combined and tested as a group to ensure they work together correctly. Integration testing is used to test individual components of a system together to ensure that they interact as expected Steps: Define Test Scenarios: Identify scenarios that test the interaction between components. Automate Tests: Implement automated integration tests. Run Tests: Execute integration tests in the CI/CD pipeline. Functionalities: Component Interaction: Validates that different components work together as expected. Early Detection: Identifies issues in the integration phase. Example: Testing the integration between the user authentication service and the payment gateway in a web application. Automated Test and Retest: The use of automated tools to execute tests repeatedly, often used in continuous integration/continuous deployment (CI/CD) pipelines to ensure that changes do not introduce new bugs. Steps: Create Test Scripts: Develop automated test scripts. Integrate with CI/CD: Integrate automated tests into the CI/CD pipeline. Retest: Automatically retest after every code change or deployment. Functionalities: Consistency: Ensures consistent and repeatable testing. Efficiency: Reduces manual testing effort and speeds up feedback. Example: Automated retesting of critical workflows after each deployment in a CI/CD pipeline. Unit Testing: The testing of individual components or functions of a software application in isolation from the rest of the system to verify that each part works correctly. Unit testing is used to test a particular block of code performs the exact action intended and provides the exact output expected. Steps: Write Unit Tests: Develop unit tests for individual components or functions. Automate Execution: Automate unit tests to run with every code change. Analyze Results: Review unit test results to identify and fix issues. Functionalities: Isolated Testing: Tests individual components in isolation. Early Detection: Catches issues early in the development cycle. Example: Writing and automating unit tests for a function that calculates user discounts in an e-commerce application. Supply Chain Risk Management Software Supply Chain Risk Management → Managing risks associated with the acquisition, integration, and deployment of software components from external sources. Steps: Identify Dependencies: Catalog all third-party software components. Evaluate Vendors: Assess the security practices and reliability of software vendors. Monitor and Audit: Continuously monitor and audit software components for vulnerabilities. Patch Management: Ensure timely application of patches and updates. Functionalities: Transparency: Maintain visibility into software dependencies. Risk Assessment: Evaluate the potential risks posed by third-party software. Security Assurance: Ensure software components are secure and reliable. Ex. Using a Software Composition Analysis (SCA) tool to identify vulnerabilities in open-source libraries and manage their updates. Hardware Supply Chain Risk Management → Managing risks associated with the acquisition, integration, and deployment of hardware components from external sources. Steps: Vendor Assessment: Evaluate the security and reliability of hardware vendors. Component Validation: Verify the authenticity and integrity of hardware components. Supply Chain Monitoring: Monitor the supply chain for potential risks, such as counterfeit components. Incident Response: Develop and implement a response plan for hardware-related incidents. Functionalities: Authentication: Ensure the authenticity of hardware components. Integrity Checking: Verify that hardware components have not been tampered with. Continuous Monitoring: Monitor the supply chain for emerging threats. Ex. Implementing a process to verify the integrity of hardware components using cryptographic techniques before deployment. Hardware Assurance Certification and Validation Process → Hardware assurance through certification and validation involves evaluating and verifying that hardware components meet specific security, quality, and performance standards. This process ensures that hardware is reliable, secure, and free from tampering or defects. Ex. A manufacturer certifies its processors with the Trusted Computing Group (TCG) to ensure they meet rigorous security and reliability standards. End-of-Life (EOL) Considerations End-of-life considerations encompass the strategies and actions taken when a product is no longer supported by the manufacturer, ensuring security, compliance, and minimal disruption during the transition. Steps: Assessment: Identify and assess products nearing EOL. Notification: Inform stakeholders about EOL timelines and implications. Support and Maintenance: Plan for continued support and security measures. Replacement Planning: Develop a strategy for replacing or upgrading EOL products. Data Migration: Ensure safe migration of data from EOL products. Disposal: Securely dispose of EOL hardware or decommission software. Ex. A company plans for the end-of-life of its Windows 7 workstations by upgrading to Windows 10 before the EOL date to ensure continued support and security. Objective 2.3 Attack Surface Management and Reduction Attack surface management and reduction involve identifying, assessing, and mitigating potential entry points for attackers within an organization’s IT infrastructure. Vulnerability Management → A process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and software. Ex. Using a vulnerability scanner like Nessus to identify and patch vulnerabilities in a network. Hardening → refers to the process of securing a system by reducing its surface of vulnerability. This involves configuring system settings and implementing security controls to minimize potential attack vectors. Ex. Hardening a web server by disabling unused ports and services, and applying secure configurations according to best practices. Defense-in-Depth → A security strategy that employs multiple layers of defense to protect against potential threats. Each layer serves as a backup in case one defensive measure fails. Ex. Implementing a defense-in-depth strategy that includes firewalls, network segmentation, antivirus software, and encryption. Legacy Components within an Architecture → Legacy components are outdated or obsolete hardware and software systems that are still in use within an organization’s IT infrastructure. Ex. Using virtual patching and network segmentation to secure a legacy database system until it can be replaced. Detection and Threat-Hunting Enablers Detection and threat-hunting enablers are critical components that enhance an organization’s ability to identify, monitor, and respond to potential threats. Centralized Logging → Centralized logging involves aggregating log data from various sources (e.g., servers, applications, network devices) into a single, centralized system for easier analysis and monitoring. Ex. Using a SIEM (Security Information and Event Management) system like Splunk or LogRhythm to centralize and analyze logs from web servers, firewalls, and endpoints. Continuous Monitoring → An ongoing observation of an organization’s IT environment to detect and respond to security threats and vulnerabilities in real-time. Ex. Using an EDR (Endpoint Detection and Response) solution like CrowdStrike Falcon to continuously monitor endpoint activities for suspicious behavior. Alerting → Alerting involves setting up notifications to inform security teams of potential security incidents or anomalies detected within the IT environment. Configuring a SIEM system to send email alerts to the security team when unusual login activities are detected. Sensor Placement → Sensor placement involves strategically deploying sensors throughout the IT environment to capture and monitor security-relevant data. Ex. Deploying network intrusion detection sensors at the network perimeter and key internal segments to monitor for malicious traffic. Information and Data Security Design Classification Models → Classification models are frameworks used to categorize data based on its sensitivity and importance, defining how data should be handled and protected. Ex. A company classifies its data into four levels: public, internal, restricted, and confidential. Public data is freely accessible, while confidential data is heavily restricted and encrypted. Data Labeling → Data labeling involves assigning labels or tags to data that indicate its classification level, ownership, and other relevant attributes. Ex. Using a data classification tool to automatically label documents containing personal identifiable information (PII) as “confidential” and apply appropriate access controls. Tagging Strategies → Tagging strategies involve the systematic use of metadata tags to organize, manage, and protect data. Tags can include information about data classification, ownership, usage, and security requirements. Ex. Implementing a tagging strategy where all financial data is tagged with “financial” and “restricted,” ensuring it is stored securely and only accessible by authorized personnel. Data Loss Prevention (DLP) At Rest → DLP at rest involves protecting data stored on devices, servers, databases, or other storage media. Ex. Encrypting a company’s customer database and restricting access to it using role-based access control (RBAC). In Transit → DLP in transit refers to protecting data as it moves across networks, whether between devices, within internal networks, or over the internet. Ex. Using TLS to secure email communications and prevent interception of sensitive information. Data Discovery → Data discovery involves locating, identifying, and classifying sensitive data across the organization’s data repositories. Ex. Using a data discovery tool to scan company servers and identify files containing personally identifiable information (PII). Hybrid Infrastructures Hybrid infrastructure combines on-premises data centers, private clouds, and public clouds to create a cohesive and flexible IT environment. Ex. A company uses a hybrid infrastructure where critical applications run on-premises for better control and compliance, while development and testing workloads are hosted on a public cloud to take advantage of scalability and cost savings. Third-Party Integrations Third-party integrations refer to the incorporation of external services, applications, or systems into an organization’s existing infrastructure to extend capabilities and improve efficiency. Ex. Integrating a third-party payment gateway (like PayPal or Stripe) into an e-commerce platform to handle online transactions securely and efficiently. Control Effectiveness Control effectiveness refers to the degree to which security controls achieve their intended objectives and mitigate risks to an acceptable level. Assessments: Definition: Evaluating the design and operation of security controls. Steps: Define assessment criteria. Conduct control reviews. Document findings and recommend improvements. Example: Regularly reviewing access control mechanisms to ensure only authorized personnel have access to sensitive data. Scanning: Definition: Using automated tools to identify vulnerabilities and weaknesses in systems. Steps: Schedule regular scans. Analyze scan results. Remediate identified issues. Example: Running a vulnerability scan on network devices to detect and patch security flaws. Metrics: Definition: Quantitative measures used to evaluate the performance of security controls. Steps: Define relevant metrics. Collect and analyze data. Use metrics to inform decision-making. Example: Tracking the number of security incidents detected and responded to within a specified time frame. Objective 2.4 Provisioning/De-provisioning Provisioning is the process of creating and granting access to new accounts De-provisioning involves revoking access and removing accounts when they are no longer needed. Credential Issuance → A process of providing users with the necessary authentication information, such as usernames and passwords, to access systems and applications. Ex. An IT department generates a unique username and password for a new employee and securely sends the credentials via a secure email or a secure portal. Self-Provisioning → Allows users to create and manage their own accounts and access rights through an automated system, often within defined policies and guidelines. Ex. A company allows employees to use a self-service portal to request access to specific applications, which are then approved based on predefined policies. Federation Notes Single sign-on (SSO) An authentication process that allows a user to access multiple applications with one set of login credentials. Ex. A user logs into their company’s SSO portal and gains access to email, HR systems, and other internal applications without re-entering their credentials. Conditional Access Notes Identity Provider An identity provider (IdP) is a system that creates, maintains, and manages identity information and provides authentication services within a federation or SSO system. Ex. A company uses an IdP to authenticate employees accessing internal and external applications. Service Provider A service provider (SP) is an entity that provides services or applications to users and relies on an identity provider to authenticate users. Ex. An online application that allows users to log in using their corporate credentials managed by an external IdP. Attestations Attestations are statements or assertions made by a trusted entity (like an identity provider) about a user’s identity or attributes. Verify Attributes: Provide verified information about users. Trust-Based: Rely on the trustworthiness of the asserting entity. Enhance Security: Ensure user information is accurate and trustworthy. Ex. An identity provider asserts that a user has a specific role within their organization, which is used to grant access to certain resources. Policy Decision and Enforcement Points Policy decision points (PDP) and policy enforcement points (PEP) are components in an access control system. PDPs decide if a user should be granted access, while PEPs enforce that decision. Policy Decision Point (PDP): Evaluates access requests against policies. Policy Enforcement Point (PEP): Enforces access decisions made by PDPs. Centralized Control: Separates decision-making from enforcement for better control. Ex. A PDP evaluates if a user can access a secure application based on their role, and the PEP enforces this decision by allowing or denying access. Access Control Models Notes Logging and Auditing Logging → Logging involves the continuous recording of events, activities, and transactions within a system or network to provide a detailed record of actions and changes. Ex. A server logs every user login attempt, including successful and failed attempts, along with the timestamp and IP address of the user. Auditing → Auditing is the systematic examination and evaluation of logs and other records to ensure compliance with policies, detect anomalies, and improve security posture. Ex. An auditor reviews the access logs of a financial system to ensure that only authorized personnel accessed sensitive financial data and investigates any anomalies. Public Key Infrastructure (PKI) Architecture A framework that enables secure, encrypted communication and authentication over networks It uses a pair of cryptographic keys, public and private, along with digital certificates to validate identities and ensure data integrity. Certificate Extensions → Certificate extensions provide additional information about the certificate and its intended use, enhancing the basic functionality of a digital certificate. Ex. A certificate extension may indicate that the certificate can be used for both email protection and client authentication. Certificate Types → Different types of certificates are used within a PKI to serve various purposes, each providing a specific function or level of assurance. Ex. An organization uses an end-entity certificate to secure its web server and a code signing certificate to validate its software updates. Online Certificate Status Protocol (OCSP) Stapling → OCSP stapling is a method to provide real-time certificate status information to clients, improving performance and security. Ex. A web server includes a current OCSP response when presenting its certificate, allowing clients to quickly verify its validity. Certificate Authority/Registration Authority (CA/RA) → A Certificate Authority (CA) issues and manages digital certificates, while a Registration Authority (RA) assists the CA by handling registration and identity verification of certificate applicants. Ex. A CA issues a digital certificate to an employee after the RA verifies their identity through company records and personal identification. Templates → Templates are predefined configurations for creating certificates, ensuring consistency and adherence to organizational policies. Ex. An organization uses a template to issue employee certificates with predefined attributes, such as validity period and key usage. Deployment/Integration Approach → The deployment and integration approach outlines how PKI components are implemented and integrated into an organization’s existing infrastructure. Ex. An organization integrates PKI with its existing Active Directory to manage user certificates and implement single sign-on (SSO) capabilities. Access Control Systems Access control systems are mechanisms that restrict access to resources based on user identity and predefined policies. Physical → Physical access control systems manage access to physical spaces such as buildings, rooms, and secured areas through various methods like keycards, biometrics, and security guards. Ex. An office building uses a keycard system where employees must swipe their keycards at entry points to gain access to different floors and rooms. Logical → Logical access control systems regulate access to computer systems, networks, and data through user authentication and authorization mechanisms. Ex. A company network requires employees to log in with their username and password, with additional access to sensitive data protected by multi-factor authentication. Objective 2.5 Cloud Access Security Broker (CASB) NOTES Shadow IT Detection Shadow IT refers to the use of IT systems, devices, software, applications, and services without explicit IT department approval. Ex. Using a CASB to monitor and detect unauthorized use of cloud services by employees, identifying unsanctioned applications being accessed. Shared Responsibility Model A security framework that delineates the responsibilities of cloud service providers and customers in securing cloud environments. Provider Responsibilities: Secure the cloud infrastructure, including hardware, software, networking, and facilities. Customer Responsibilities: Secure everything they put in the cloud, including data, applications, and operating systems. Collaboration: Both parties work together to ensure overall security. Ex. In AWS, AWS is responsible for the security of the cloud (physical infrastructure), while the customer is responsible for securing their data and applications within the cloud. CI/CD Pipeline A method to automate the process of software delivery, enabling continuous integration, continuous delivery, and continuous deployment. Ex. Using Jenkins to automate the CI/CD pipeline for deploying web applications, ensuring faster and more reliable software releases. Terraform An open-source infrastructure as code (IaC) tool that allows users to define and provision data center infrastructure using a high-level configuration language. Infrastructure as Code: Define infrastructure using declarative configuration files. Provisioning: Automate the creation and management of infrastructure. Scalability: Easily scale infrastructure up or down as needed. Ex. Using Terraform scripts to provision and manage AWS resources such as EC2 instances, S3 buckets, and VPCs. Ansible An open-source automation tool used for IT tasks such as configuration management, application deployment, and task automation. Agentless: Operates without needing agents on target machines. Playbooks: Uses YAML files to describe automation tasks. Scalability: Manages large-scale environments efficiently. Ex. Using Ansible playbooks to automate the deployment and configuration of web servers across multiple environments. Package Monitoring The practice of monitoring software packages for vulnerabilities, updates, and compliance. Ex. Using tools like Snyk or Dependabot to monitor and manage dependencies in a project, ensuring they are secure and up-to-date. Container Security The process of implementing security measures to protect containerized applications and their environments. Image Security: Use trusted base images and scan for vulnerabilities. Runtime Security: Monitor container behavior and enforce security policies. Network Security: Implement network segmentation and control access. Ex. Using tools like Aqua Security or Twistlock to scan Docker images for vulnerabilities and monitor running containers for suspicious activities. Container Orchestration Automating the deployment, management, scaling, and networking of containers. Ex. Using Kubernetes to orchestrate and manage containerized applications, ensuring high availability and scalability. Serverless Computing Serverless computing is a cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers. Users can run code without managing the underlying infrastructure. Workloads → Workloads in serverless computing refer to the tasks or processes that are executed by serverless functions. These workloads can vary widely, from simple data processing tasks to complex, event-driven applications. Ex. Processing images uploaded to an S3 bucket using a serverless function to resize and store them in a different bucket. Functions → Functions in serverless computing are small, single-purpose pieces of code that execute in response to events. They are the core component of serverless architectures. Ex. An AWS Lambda function that triggers when a new record is added to a DynamoDB table, processes the record, and sends a notification. Resources → Resources in serverless computing refer to the cloud infrastructure components and services that serverless functions interact with or depend on. Ex. An AWS Lambda function that processes data from an S3 bucket and stores results in a DynamoDB table, using API Gateway to expose the function as an HTTP endpoint. API Security Authorization → Authorization in API security refers to the process of determining if a user or system has the appropriate permissions to access or perform actions on resources. Ex. Using OAuth 2.0 to grant a web application access to a user’s Google Drive files, specifying that the application can only read files and not modify them. Logging → Logging involves recording API interactions, including requests, responses, and errors, to monitor, troubleshoot, and audit API activities. Ex. Using AWS CloudWatch Logs to collect and monitor API request logs for an application, setting up alerts for suspicious activities like failed login attempts. Rate Limiting → Rate limiting controls the number of API requests a client can make within a specific timeframe to protect the API from abuse and ensure fair usage. Ex. Implementing rate limits to allow a maximum of 1000 API requests per hour per user to prevent abuse and ensure service availability. Cloud vs. Customer-Managed Encryption Keys → Encryption keys are used to encrypt and decrypt data to protect it from unauthorized access. In a cloud environment, the management of these keys can either be handled by the cloud provider (cloud-managed) or by the customer (customer-managed). Cloud-Managed Encryption Keys → Cloud-managed encryption keys are created, stored, and managed by the cloud service provider. Customers use these keys to encrypt data, but the management and rotation of keys are handled by the provider. Ex. Using AWS S3 with server-side encryption managed by AWS Key Management Service (KMS), where AWS handles key management and rotation. Pros: Reduced Administrative Burden: Cloud provider handles all aspects of key management. Automatic Key Rotation: Providers often offer automatic key rotation features. Integrated Security: Cloud providers have robust security practices and compliance certifications. Cons: Limited Control: Less control over key management and rotation. Shared Responsibility: Security is shared between customer and provider. Customer-Managed Encryption Keys → Customer-managed encryption keys are created, stored, and managed by the customer. This approach gives customers full control over key lifecycle and access policies. Ex. Using Azure Key Vault to create and manage encryption keys for encrypting data stored in Azure Blob Storage. Pros: Full Control: Complete control over key management and policies. Custom Policies: Ability to implement custom key management practices. Enhanced Security: Can meet stricter compliance and security requirements. Cons: Increased Administrative Burden: Requires more effort to manage keys and policies. Manual Rotation: Key rotation and lifecycle management are the customer’s responsibility. Licenses → Licenses are agreements that allow customers to use specific software, services, or resources. In the context of cloud and customer-managed environments, licenses can be managed by either the cloud provider or the customer. Cloud-Managed Licenses → Cloud-managed licenses are included in the cloud service offerings, where the cloud provider handles the acquisition, management, and compliance of software licenses. Ex. Using Office 365 where Microsoft handles all software licensing, updates, and compliance as part of the subscription. Pros: Simplified Management: The provider handles all licensing aspects. Included Costs: Licenses are included in the subscription or service fee. Automated Updates: Software updates and compliance are managed by the provider. Cons: Limited Control: Less control over license management and updates. Fixed Costs: Costs are tied to the service subscription model. Customer-Managed Licenses → Customer-managed licenses are acquired, managed, and renewed by the customer. This approach provides customers with control over their software licenses. Ex. Purchasing and managing software licenses for on-premises applications like Adobe Creative Suite. Pros: Full Control: Greater flexibility and control over licenses and their usage. Custom Agreements: Ability to negotiate terms and conditions with vendors. Tailored Licensing: Can manage licenses specific to organizational needs. Cons: Administrative Effort: Requires more work for managing licenses and compliance. Separate Costs: Licensing costs are additional and separate from cloud service costs. Cloud Data Security Considerations Data Exposure → Data exposure refers to situations where sensitive information is accessible to unauthorized individuals or entities, either accidentally or maliciously. Ex. A cloud database with publicly accessible settings that exposes customer personal information to the internet. Data Leakage → Data leakage occurs when sensitive information unintentionally leaves the organization or is exposed to unauthorized parties. Ex. Sensitive information being exposed through misconfigured cloud storage buckets. Data Remanence → Data remanence refers to the residual data left on storage media after deletion or decommissioning, which can potentially be recovered by unauthorized parties. Ex. Data on decommissioned hard drives that could be recovered using data recovery tools. Unsecured Storage Resources → Unsecured storage resources are cloud storage services or resources that are not properly secured, exposing data to unauthorized access. Ex. An S3 bucket configured with public read access, allowing unauthorized users to access stored files. Cloud Control Strategies Proactive Controls → Proactive controls aim to prevent security incidents before they occur by identifying and mitigating risks early. Ex. Implementing automated vulnerability scans and proactive monitoring. Detective Controls → Detective controls focus on identifying security incidents and breaches as soon as they occur. Ex. Using centralized logging and security information and event management (SIEM) tools. Preventative Controls → Preventative controls aim to minimize the likelihood of security incidents through proactive measures. Ex. Configuring access controls, encryption, and implementing firewall rules. Customer-to-Cloud Connectivity Customer-to-cloud connectivity refers to the methods and mechanisms used to establish and manage secure connections between a customer’s on-premises environment and cloud service providers. Ex. Setting up a Virtual Private Network (VPN) connection to securely connect an on-premises network to a cloud service. Cloud Service Integration Cloud service integration refers to the process of connecting various cloud services and applications to work together seamlessly. Ex. Integrating AWS Lambda functions with Amazon S3 and DynamoDB to process data events. Cloud Service Adoption Cloud service adoption involves the process of selecting, implementing, and managing cloud services to meet organizational needs. Ex. Adopting a cloud-based CRM solution for managing customer relationships. Objective 2.6 Continuous Authorization Continuous authorization involves ongoing evaluation and validation of user and device access permissions to ensure they remain valid over time. Using a Security Information and Event Management (SIEM) system to continuously monitor and review user activities and adjust access permissions based on real-time threats. Ensures access permissions are continually reviewed. Context-Based Re-authentication Context-based re-authentication requires users to re-authenticate based on changes in their context or behavior, ensuring that access remains secure under varying conditions. Ex. Requiring users to re-authenticate if they attempt to access sensitive information from a new device or location. Reduces the risk of unauthorized access based on changes in context. Network Architecture Network Segmentation → Network segmentation involves dividing a network into smaller, isolated segments to limit the scope of security breaches and improve overall network security. Ex. Dividing a network into separate segments for users, applications, and servers to control access and contain potential threats. Micro-segmentation → Micro-segmentation is the practice of creating isolated, smaller network segments within a larger segment to enforce granular security controls. Provide more granular access controls and limit the lateral movement of threats. Ex. Implementing policies that restrict communication between different applications or services within a single network segment. VPN → NOTES Always-On VPN → NOTES API Integration and Validation API integration involves connecting different systems or applications to enable data exchange and functionality. API validation ensures that APIs operate securely and as expected, protecting against potential security risks. Ex. Integrating a third-party payment gateway into your application while validating the API for secure transactions and proper error handling. Asset Identification, Management, and Attestation Asset identification, management, and attestation involve discovering, classifying, managing, and verifying the integrity of assets in an IT environment. Objective: Maintain an accurate inventory of assets, manage them securely, and perform attestation to ensure compliance and integrity. Ex. Identifying all hardware and software assets in your environment, managing them through a centralized system, and performing regular audits for compliance and security. Security Boundaries Security boundaries are points or layers in an architecture where security controls are applied to protect data and system components. These boundaries help define where to implement policies and controls to ensure a Zero Trust security model. Data Perimeters → Data perimeters define the boundaries around data to ensure its security and integrity. In a Zero Trust model, data perimeters help to manage and protect data access and movement. Objective: Establish boundaries to protect data from unauthorized access and ensure data security. Approach: Define and enforce access controls, encryption, and monitoring at the data level. Ex. Creating a data perimeter around sensitive customer information to control access and ensure data protection. Secure Zones → Secure zones are isolated areas within a network that are protected by security controls to safeguard different types of data or services. Objective: Create isolated areas for different security needs to manage risks and protect sensitive resources. Approach: Design and implement secure zones with appropriate controls and access mechanisms. Ex. Creating a secure zone for the finance department to ensure that financial data is isolated from other parts of the organization. System Components → System components are the individual elements of a network or application infrastructure that need to be protected as part of the overall security strategy. Objective: Ensure that all system components are secure and operate according to security policies. Approach: Apply security measures to individual components and manage their interactions. Ex. Securing components like servers, databases, and applications by implementing appropriate security measures and controls. Deperimeterization Deperimeterization refers to the practice of shifting security controls from the traditional network perimeter to a more granular, identity-based approach that enforces security policies at the level of users, devices, and applications. Secure Access Service Edge (SASE) → SASE is a security framework that integrates network and security functions into a unified cloud-delivered service to support the needs of modern, distributed workforces. Objective: Provide secure, scalable access to applications and resources from anywhere, without relying on traditional network perimeters. Approach: Combine SD-WAN and security services (like secure web gateways, CASB, and firewall as a service) into a single, cloud-native platform. Ex. Using a SASE solution to provide secure, scalable access to cloud applications for remote employees. Software-Defined Wide Area Network (SD-WAN) → SD-WAN is a technology that simplifies the management of WAN networks by abstracting and virtualizing network functions. Objective: Enhance WAN management for improved performance, reliability, and security. Approach: Use centralized management to optimize connectivity and apply security policies across the WAN. Ex. Deploying SD-WAN to connect branch offices with headquarters and cloud services in a cost-effective and secure manner. Software-Defined Networking (SDN) → https://heydc7.github.io/obsinote/Prep/Security-Plus/#infrastructure-as-code SDN is a network architecture approach that separates the network control plane from the data plane to enable more flexible and programmable network management. Objective: Improve network management through centralized control and automation. Approach: Use SDN to manage network resources dynamically and apply security policies. Ex. Using SDN to dynamically adjust network resources for different applications and enforce security policies. Defining Subject-Object Relationships n a Zero Trust architecture, subject-object relationships refer to the interactions between entities (subjects) like users or devices (subjects) and resources or services (objects) they want to access. Properly defining these relationships involves ensuring that access controls, authentication, and authorization mechanisms are in place to enforce security policies effectively. RBAC, ABAC Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs) → PEPs are components that enforce security policies, while PDPs evaluate and decide on access requests based on policies. Objective: Separate the decision-making and enforcement of access control policies. Approach: Use PEPs to enforce policies and PDPs to make decisions. Ex. A firewall (PEP) enforces access control rules decided by a security policy server (PDP). Zero Trust Network Access (ZTNA) → ZTNA is a security model where access to resources is granted based on strict verification processes rather than relying on perimeter security. Objective: Provide secure access to resources based on verification of every request. Approach: Ensure all access requests are verified and authorized regardless of the request’s origin. Ex. Using a ZTNA solution to verify a user’s identity and device security posture before granting access to corporate applications.

July 23, 2024 · 33 min · Dhanraj Chavan

Chapter 3: Security Engineering

Chapter 3 Objective 3.1 Subject Access Control Subject access control involves defining and managing the permissions and access rights for different entities (subjects) in an IT environment, such as users, processes, devices, and services. User Access Control → User access control manages the permissions and access rights of individual users based on their roles and responsibilities. Objective: Ensure users have appropriate access based on their roles. Approach: Use role-based access control (RBAC) and attribute-based access control (ABAC). Ex. A finance user has access to financial records but not to HR data. Process Access Control → Process access control involves managing the permissions and access rights of system processes to ensure they can access necessary resources while preventing unauthorized actions. Objective: Control process access to resources based on their needs. Approach: Implement least privilege and process isolation. Ex. A backup process has read-only access to sensitive data for backup purposes. Device Access Control → Device access control manages the permissions and access rights of devices connecting to the network, ensuring that only authorized devices can access resources. Objective: Ensure only authorized devices can access network resources. Approach: Use device authentication and network access control (NAC). Ex. Only company-issued laptops can connect to the corporate network. Service Access Control → Service access control manages the permissions and access rights of services and applications, ensuring they can interact securely with other services and resources. Objective: Control service interactions and access to resources. Approach: Use service accounts and API security measures. Ex. A web application can access a database service but not other services. Biometrics https://heydc7.github.io/obsinote/Prep/Security-Plus/#biometrics Secrets Management Tokens → Tokens are digital keys used for authentication and authorization, often in API communication. Ex. OAuth tokens used to grant access to a web application. Certificates → Certificates are digital documents used to prove the identity of a server or user and establish encrypted connections. Ex. SSL/TLS certificates used for secure web communication. Passwords → Passwords are secret strings used for authenticating users to systems and applications. Ex. User passwords for accessing enterprise applications. Keys → Keys are cryptographic elements used for encryption, decryption, and signing. Ex. Encryption keys for securing database data. Rotation → Rotation involves regularly updating secrets to limit exposure risk. Deletion → Deletion involves securely removing secrets that are no longer needed. Ex. Regularly rotating API tokens and securely deleting obsolete encryption keys. Conditional Access Conditional access is a security approach that restricts access to resources based on specific conditions or criteria, ensuring that access is granted only when these conditions are met. User-to-Device Binding → User-to-device binding ensures that a specific user can only access resources from a specific, trusted device. Purpose: Enhance security by restricting access to trusted devices. Best Practices: Register and manage trusted devices, enforce device compliance policies. Ex. A user can only access corporate resources from their company-issued laptop. Geographic Location → Restricting access based on the geographic location of the user or device. Purpose: Prevent unauthorized access from unusual or high-risk locations. Best Practices: Use geo-fencing, monitor login patterns, and block access from certain regions. Ex. Blocking access to corporate resources from outside the country. Time-Based Access → Controlling access based on specific time frames or schedules. Purpose: Restrict access to certain hours or days to reduce risk. Best Practices: Implement time-based policies, monitor access logs. Ex. Allowing access to corporate resources only during business hours. Configuration → Ensuring that conditional access policies are correctly configured and applied. Purpose: Correct configuration of policies ensures effective enforcement and security. Best Practices: Regularly review and update configurations, test policies. Ex. Configuring multi-factor authentication (MFA) for high-risk activities. Attestation Attestation is the process of verifying the integrity, identity, and compliance status of a device, application, or user before granting access to resources. Purpose: Ensure that only trusted entities can access resources. Best Practices: Use strong verification mechanisms, regularly update attestation policies. A device attests to its compliance status before accessing sensitive data. Cloud IAM Access and Trust Policies Cloud IAM access and trust policies define the permissions and trust relationships between different entities (users, applications, services) in a cloud environment. Purpose: Control access to cloud resources and establish trust relationships. Best Practices: Use least privilege principles, regularly review and update policies. Ex. Defining a trust policy between a cloud service provider and an enterprise application. Logging and Monitoring Logging and monitoring involve the continuous recording and analysis of activities within the IAM environment to detect and respond to security incidents. Purpose: Detect suspicious activities, ensure compliance, and troubleshoot issues. Best Practices: Implement centralized logging, use automated monitoring tools. Ex. Monitoring login attempts to detect unusual patterns or potential breaches. Privileged Identity Management (PIM) PIM involves managing and controlling access to privileged accounts and roles to minimize the risk of security breaches. Purpose: Protect sensitive resources by restricting and monitoring privileged access. Best Practices: Enforce just-in-time (JIT) access, use multi-factor authentication (MFA) for privileged accounts. Ex. Granting temporary administrative access to a user for a specific task. Authentication and Authorization Mechanisms Security Assertions Markup Language (SAML) → SAML is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). NOTES Purpose: Enable single sign-on (SSO) by allowing users to authenticate once and access multiple services. Best Practices: Ensure accurate clock synchronization between IdP and SP, validate SAML assertions Ex. Using SAML to provide SSO for a user accessing multiple enterprise applications. OpenID → OpenID is an authentication protocol that allows users to authenticate to multiple sites without needing multiple credentials. Purpose: Simplify user login processes and enhance security by using a single set of credentials. Best Practices: Implement robust security measures to protect OpenID credentials. Ex. Allowing users to log in to multiple online services using their Google account. Multifactor Authentication (MFA) → MFA adds an additional layer of security by requiring users to provide two or more verification factors to gain access to resources. Ex. Requiring users to enter a password and a code sent to their mobile device. Single Sign-On (SSO) → SSO is an authentication process that allows a user to access multiple applications with one set of login credentials. Ex. Logging into a corporate portal and automatically accessing email, CRM, and other tools. Kerberos → Kerberos is a network authentication protocol designed to provide strong authentication for client-server applications by using secret-key cryptography. NOTES Purpose: Securely authenticate users to network services. Best Practices: Ensure correct configuration of the Key Distribution Center (KDC) and tickets. Using Kerberos to authenticate a user to a database service within a corporate network. Simultaneous Authentication of Equals (SAE) → SAE is a method used in Wi-Fi Protected Access 3 (WPA3) to provide a more secure authentication process for wireless networks. WPA3 Privileged Access Management (PAM) → PAM solutions help manage and secure access to privileged accounts within an organization. NOTES Purpose: Control and monitor access to critical systems and data. Best Practices: Implement just-in-time (JIT) access, use MFA for privileged accounts. Ex. Granting temporary administrative access to a user for a specific task. Open Authorization (OAuth) → OAuth is an open standard for access delegation, allowing users to grant third-party applications access to their resources without sharing credentials. Ex. Allowing a third-party app to access a user’s Google Drive files. Extensible Authentication Protocol (EAP) → EAP is a framework for providing multiple authentication methods for network access. NOTES Identity Proofing → Identity proofing is the process of verifying the identity of a person before granting access to resources. Ex. Verifying a user’s identity during the account creation process. IEEE 802.1X → IEEE 802.1X is a standard for port-based Network Access Control (NAC), providing authentication to devices attempting to connect to a network. Purpose: Enhance network security by ensuring only authorized devices can connect. Best Practices: Implement robust authentication methods (e.g., EAP). Ex. Using IEEE 802.1X to authenticate devices on an enterprise network. Federation → Federation is the establishment of a trust relationship between different organizations or domains, enabling users to access resources across domains using a single set of credentials. Purpose: Simplify user authentication and access across multiple domains or organizations. Best Practices: Implement robust security measures to protect federated identities. Ex. Allowing users from one organization to access resources in another organization’s domain. NOTES Objective 3.2 Application Control Application control involves managing which applications can be executed on an endpoint to prevent unauthorized software from running. Purpose: Prevent malware and unauthorized applications from running on endpoints. Best Practices: Implement whitelisting and blacklisting policies, regularly update application lists. Ex. Using Microsoft AppLocker to control which applications can be run on a Windows machine. Endpoint Detection and Response (EDR) EDR solutions provide continuous monitoring and response to threats on endpoints. NOTES Purpose: Detect, investigate, and respond to advanced threats on endpoints. Best Practices: Implement real-time monitoring, use machine learning for threat detection. Ex. Using CrowdStrike Falcon for EDR in an enterprise environment. Event Logging and Monitoring Event logging involves recording system and application activities, while monitoring involves analyzing these logs for signs of security incidents. Purpose: Track activities for security incidents and compliance. Best Practices: Implement centralized logging, use log analysis tools. Ex. Using Splunk to collect and analyze logs from various endpoints. Endpoint Privilege Management Endpoint privilege management involves controlling and limiting user privileges on endpoints to reduce the attack surface. Purpose: Minimize the risk of privilege escalation and unauthorized access. Best Practices: Implement least privilege principles, regularly review and adjust privileges. Ex. Using BeyondTrust for managing and limiting user privileges on endpoints. Attack Surface Monitoring and Reduction Attack surface monitoring involves identifying and reducing the potential entry points for attackers on endpoints. Purpose: Minimize the exposure of endpoints to potential attacks. Best Practices: Regularly scan and review endpoints for vulnerabilities and unnecessary services. Ex. Using Tenable Nessus for vulnerability scanning and attack surface reduction. HIPS/HIDS NOTES Anti-malware Anti-malware solutions detect, prevent, and remove malicious software from endpoints. Purpose: Protect endpoints from malware infections. Best Practices: Regularly update anti-malware definitions and conduct full system scans. Ex. Using Symantec Endpoint Protection to safeguard against malware. SELinux NOTES SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. Purpose: Enforce mandatory access control policies on Linux systems. Best Practices: Configure and tune SELinux policies to minimize security risks. Host-based Firewall NOTES Browser Isolation Browser isolation separates browsing activity from the endpoint to protect against web-based threats. Purpose: Prevent web-based malware and phishing attacks from affecting endpoints. Best Practices: Use browser isolation technologies to create a secure browsing environment. Ex. Using Menlo Security for browser isolation in an enterprise environment. Configuration Management Configuration management involves maintaining the consistency of an endpoint’s configuration to ensure security and functionality. NOTES Mobile Device Management (MDM) Technologies MDM technologies allow organizations to manage and secure mobile devices used by employees. NOTES Threat-Actor Tactics, Techniques, and Procedures (TTPs) Injections → Injection attacks involve injecting malicious code into a vulnerable application to manipulate its execution. Ex. XSS, CMDI, SQLI Privilege Escalation → Privilege escalation involves exploiting vulnerabilities to gain elevated access to resources that are normally restricted. Credential Dumping → Credential dumping involves extracting authentication credentials from compromised systems to use for further attacks. Unauthorized Execution → Unauthorized execution involves running malicious code or commands on a system without authorization. Lateral Movement → Lateral movement involves moving across a network to gain access to additional systems and data. Defensive Evasion → Defensive evasion involves techniques to avoid detection and mitigation by security controls. Objective 3.3 Network Misconfigurations Configuration Drift → Configuration drift occurs when a network device’s configuration deviates from the intended baseline configuration over time. Issues: Unauthorized changes to network settings. Unmanaged changes leading to inconsistencies. Troubleshooting: Audit Configuration Changes Implement Configuration Management Monitor for Unauthorized Changes Routing Errors → Routing errors occur when packets are misrouted due to incorrect or suboptimal routing table entries. Issues: Incorrect route configurations. Missing or erroneous routing entries. Troubleshooting: Verify Routing Tables Check Routing Protocols Test Connectivity Switching Errors → Switching errors occur when network switches are misconfigured, leading to issues like loops, broadcast storms, or VLAN misconfigurations. Issues: Incorrect VLAN configurations. Network loops or broadcast storms. Troubleshooting: Check VLAN Configurations Verify Spanning Tree Protocol (STP) Monitor for Broadcast Storms Un-secure Routing → Un-secure routing involves the use of routing protocols or configurations that do not adequately protect against attacks like route hijacking or spoofing. Issues: Insecure routing protocol configurations. Absence of route authentication. Troubleshooting: Verify Routing Protocol Security Check Route Filtering Monitor for Route Anomalies VPN/Tunnel Errors → VPN/tunnel errors occur when VPN or other tunneling configurations are incorrect, leading to connectivity issues or unsecure tunnels. Issues: Misconfigured VPN settings. Connection issues. Troubleshooting: Verify VPN Configuration Test VPN Connectivity Check Tunnel Health IPS/IDS Issues Rule Misconfigurations → Rule misconfigurations occur when IPS/IDS rules are incorrectly set up, leading to ineffective threat detection or unnecessary alerts. Issues: Incorrect rule syntax or logic. Misconfigured rule priorities or actions. Troubleshooting: Review Rule Configuration Check Rule Priorities Update and Validate Rules Lack of Rules → A lack of rules means there are insufficient or outdated rules to detect current threats. Issues: Outdated threat signatures. Missing rules for new vulnerabilities or attack vectors. Troubleshooting: Review Existing Rules Add New Rules Regularly Update Signatures False Positives/False Negatives → False positives are incorrect alerts for benign activities, while false negatives are missed threats. Issues: Incorrect rule configurations. Insufficient tuning of detection parameters. Placement → Placement refers to where the IPS/IDS devices are positioned within the network for optimal security coverage. Issues: Suboptimal locations leading to missed detections or performance issues. Troubleshooting: Evaluate Placement Strategies Check for Network Visibility Assess Performance Impact Observability Observability refers to the extent to which the internal state of a network or system can be inferred from the external outputs. In network security, it involves collecting, analyzing, and interpreting data from various sources to understand the network’s health and security posture. Common Components: Logs: Detailed records of events occurring within the network. Metrics: Quantitative data that reflects the performance and health of network components. Traces: Information that shows the path and behavior of network traffic and requests. Alerts: Notifications of events or conditions that may indicate a security issue. DNS Security Domain Name System Security Extensions (DNSSEC) → DNSSEC is a suite of specifications to secure information provided by the Domain Name System (DNS) by enabling DNS responses to be verified for authenticity. NOTES Authenticates: Adds digital signatures to DNS data to verify its origin. Integrity: Ensures data has not been altered. Trust Chain: Uses a chain of trust from root DNS servers down to individual domains. Ex. A user tries to access example.com. With DNSSEC, the DNS resolver verifies that the response from example.com’s DNS server is authentic and has not been tampered with, using a digital signature. DNS Poisoning → DNS poisoning (or cache poisoning) is an attack that introduces corrupt DNS data into the resolver’s cache, causing the resolver to return an incorrect IP address and diverting traffic to malicious sites. NOTES Ex. An attacker poisons the cache of a DNS resolver, making it return the IP address of a phishing site when a user requests example.com. Sinkholing → Sinkholing is a technique where malicious traffic is redirected to a controlled environment, typically to analyze and mitigate malicious activities. Ex. A security team sets up a sinkhole to redirect traffic intended for a known command and control server used by malware, allowing them to monitor and block malicious activity. Zone Transfers → Zone transfers are processes where the DNS information (zone data) for a domain is copied from a primary DNS server to a secondary DNS server. Replication: Copies DNS records between servers. Secondary Server: Ensures redundancy and load balancing. Security Risk: Unauthorized zone transfers can expose sensitive DNS data. Ex. An attacker performs an unauthorized zone transfer to download all DNS records of example.com, exposing the network’s structure and potentially sensitive information. Email Security Domain Keys Identified Mail (DKIM) → DKIM is an email authentication method that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. It uses a digital signature, which is included in the email header. Authentication: Ensures the email content is legitimate and unaltered. Signature: Adds a digital signature to the email header. Public Key: The receiver verifies the signature using the sender’s public key published in DNS. Ex. When [email protected] sends an email to [email protected], the email is signed with DKIM. Bob’s email server verifies the signature using the public key from example.com’s DNS records, ensuring the email is authentic. Sender Policy Framework (SPF) → SPF is an email validation system designed to detect and block email spoofing by allowing the receiving mail server to verify that incoming mail from a domain comes from a host authorized by that domain’s administrators. Domain Verification: Specifies which mail servers are allowed to send email on behalf of your domain. DNS Records: Uses DNS TXT records to list authorized IP addresses. Anti-Spoofing: Helps prevent email spoofing. Ex. example.com publishes an SPF record specifying that only emails sent from 192.0.2.1 and 198.51.100.1 are authorized. When [email protected] receives an email claiming to be from [email protected], the server checks the SPF record to verify the sending IP address. Domain-based Message Authentication Reporting & Conformance (DMARC) → DMARC is an email authentication protocol that allows domain owners to protect their domain from unauthorized use by specifying policies for SPF and DKIM checks and providing a way to report on email authentication activity. Policy Specification: Defines policies for handling emails that fail SPF or DKIM checks. Reporting: Provides feedback about email authentication. Enforcement: Helps ensure emails are properly authenticated. example.com publishes a DMARC policy in DNS specifying that emails failing SPF or DKIM checks should be rejected and generates reports for the domain owner. Secure/Multipurpose Internet Mail Extension (S/MIME) → S/MIME is a standard for public key encryption and signing of MIME data to secure email communication. Encryption: Encrypts email content to ensure confidentiality. Digital Signatures: Signs emails to verify the sender’s identity and ensure message integrity. Certificates: Uses X.509 certificates for encryption and signing. Ex. Alice sends an encrypted email to Bob using S/MIME. Bob decrypts the email using his private key, ensuring the message was securely transmitted. Transport Layer Security (TLS) Errors TLS is a cryptographic protocol designed to provide secure communication over a computer network. Connection Security: Ensures data privacy and integrity. Common Errors: Certificate validation failures, protocol mismatches. Troubleshooting: Verify certificate validity, check TLS versions, inspect configurations. Ex. A client fails to connect to a server because the server’s TLS certificate is expired. Cipher Mismatch Occurs when the client and server cannot agree on a common cipher suite for encryption. Ex. A client cannot establish a secure connection because the server only supports outdated ciphers. PKI Issues Problems related to the public key infrastructure, including certificate issuance, validation, and management. Ex. A website is not trusted because the intermediate certificate is missing from the trust chain. Issues with Cryptographic Implementations Flaws or misconfigurations in cryptographic algorithms and their implementations. Ex. A vulnerability in an outdated version of OpenSSL exposes systems to potential attacks. DoS/Distributed Denial of Service (DDoS) An attack aimed at making a machine or network resource unavailable by overwhelming it with traffic. A web server becomes unresponsive due to a flood of HTTP requests from multiple sources. Network Access Control List (ACL) Issues Problems with ACLs, which are used to permit or deny traffic based on specified criteria. Ex. A legitimate service is unreachable because an ACL rule mistakenly blocks its traffic. Objective 3.4 Roots of Trust Trusted Platform Module (TPM) → NOTES Hardware Security Module (HSM) → An HSM is a dedicated hardware device used to manage and store cryptographic keys securely and perform cryptographic operations. NOTES Ex. A bank uses an HSM to securely store and manage the cryptographic keys used for processing transactions, ensuring high security and compliance with regulatory requirements. Virtual Trusted Platform Module (vTPM) → A vTPM is a software-based implementation of a TPM that provides similar security functionalities in a virtualized environment. Virtual Environment: Provides TPM functionalities within virtual machines (VMs). Isolation: Ensures that each VM has its own isolated vTPM instance. Flexibility: Allows for TPM functionalities without the need for physical hardware. Ex. A cloud service provider uses vTPMs to offer secure cryptographic services to virtual machines running on its infrastructure, allowing customers to benefit from TPM functionalities in a cloud environment. Security Coprocessors Central Processing Unit (CPU) Security Extensions → CPU security extensions are hardware-based features integrated into modern CPUs to enhance security by providing isolated execution environments and protecting sensitive data. Isolated Execution: Creates secure areas within the CPU where code can run in isolation from other processes. Memory Encryption: Encrypts memory contents to protect data from being accessed or tampered with by unauthorized entities. Enhanced Authentication: Provides mechanisms for stronger user authentication and secure key management. Ex. Intel’s Software Guard Extensions (SGX) create secure enclaves within the CPU, allowing sensitive code to run in a protected environment, shielding it from external threats even if the main operating system is compromised. Secure Enclave → A secure enclave is a dedicated area within a CPU that provides an isolated environment for processing sensitive data, enhancing security by ensuring that data within the enclave cannot be accessed or modified by unauthorized software or hardware. Isolation: Provides a secure environment separate from the main operating system. Secure Data Processing: Ensures that sensitive data is processed securely and remains protected from external threats. Tamper Resistance: Designed to resist physical and software-based attacks. Ex. Apple’s Secure Enclave, integrated into its processors, handles sensitive tasks such as biometric authentication and encryption key management, ensuring that these operations are isolated from the rest of the system. Virtual Hardware Virtual hardware refers to virtualized versions of physical hardware components, allowing multiple virtual machines (VMs) to run on a single physical server. Resource Allocation: Allocates hardware resources (CPU, memory, storage) to VMs. Isolation: Ensures that VMs are isolated from each other, enhancing security. Scalability: Easily scales by adding more virtual hardware components. Ex. Using VMware or Hyper-V, an organization can create multiple virtual servers on a single physical server, each with its own virtual hardware configuration. Host-Based Encryption Host-based encryption involves encrypting data on a host machine, ensuring that data at rest is protected from unauthorized access. Data Protection: Encrypts files, directories, or entire disk volumes. Transparent Operation: Operates transparently to users and applications. Key Management: Relies on strong key management practices to secure encryption keys. Ex. Using BitLocker on Windows or FileVault on macOS to encrypt the entire disk, protecting data even if the physical device is stolen. Self-Encrypting Drive (SED) An SED is a storage device that automatically encrypts all data written to it and decrypts data read from it using built-in hardware encryption. Automatic Encryption: Encrypts data on the fly without impacting performance. Built-in Security: Includes dedicated encryption hardware within the drive. Key Management: Requires secure management of encryption keys, often stored within the drive. Ex. A company uses SEDs in its laptops to ensure that all data stored on the devices is automatically encrypted, protecting sensitive information in case of theft. NOTES Secure Boot Secure Boot is a security standard designed to ensure that a device boots using only software that is trusted by the device manufacturer. NOTES Measured Boot Measured Boot is a security feature that logs the boot process, recording each component that loads, to ensure the integrity of the system boot sequence. NOTES Self-Healing Hardware Self-healing hardware is designed to detect and correct faults automatically, ensuring continuous operation and minimizing downtime. Fault Detection: Detects hardware faults or failures. Automatic Correction: Attempts to correct faults automatically without user intervention. Resilience: Enhances system resilience and reliability by maintaining operational integrity. Ex. A self-healing network switch can detect and correct internal configuration errors, ensuring that network connectivity is maintained without manual intervention. Tamper Detection and Countermeasures Tamper detection and countermeasures involve mechanisms to detect and respond to physical or logical tampering attempts on hardware devices. Detection Mechanisms: Includes sensors and circuits to detect physical tampering. Response Actions: Takes actions such as erasing sensitive data or alerting administrators upon tamper detection. Enhanced Security: Protects against unauthorized physical access and tampering. Ex. An ATM equipped with tamper detection will erase encryption keys and lock itself down if it detects unauthorized access to its internals. Threat-actor Tactics, Techniques, and Procedures (TTPs) Firmware Tampering → Firmware tampering involves modifying the firmware of a device to introduce malicious code or alter its functionality. Infection: Inserting malicious code into device firmware. Persistence: Achieving long-term persistence on a device. Detection: Often difficult to detect due to low-level operation. Ex. An attacker modifies the firmware of a network router to create a backdoor, allowing unauthorized access to the network. Shimming → Shimming involves inserting a small piece of code between an application and the operating system to intercept and potentially alter API calls. NOTES Ex. An attacker uses a shim to intercept and log keystrokes from a secure login application, capturing credentials. USB-Based Attacks → USB-based attacks exploit vulnerabilities in USB devices or use malicious USB devices to compromise systems. Malicious USB Devices: USB sticks with embedded malware. Exploitation: Exploiting auto-run or driver vulnerabilities. Payload Delivery: Delivering malware or executing arbitrary code. Ex. A malicious USB drive left in a public place installs malware on any computer it is plugged into. BIOS/UEFI → BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface) are firmware interfaces that initialize hardware during the boot process and provide runtime services. Initialization: Initializing hardware components during boot. Firmware Exploits: Exploiting vulnerabilities in BIOS/UEFI to gain control over the system. Persistence: Achieving persistence by modifying boot firmware. Ex. An attacker flashes a modified UEFI firmware to maintain control over a system even after OS reinstalls. Memory → Memory-based attacks target the system’s RAM to manipulate or steal data, execute malicious code, or cause system instability. Buffer Overflow: Overwriting memory to execute arbitrary code. Memory Scraping: Reading sensitive data from memory. Memory Corruption: Causing system crashes or unpredictable behavior. Ex. A buffer overflow attack allows an attacker to execute shellcode and gain unauthorized access to a system. Electromagnetic Interference (EMI) → EMI involves the disruption of electronic devices through electromagnetic signals, potentially causing malfunctions or data corruption. Disruption: Interfering with electronic signals. Malfunctions: Causing devices to malfunction or behave erratically. Data Corruption: Leading to data loss or corruption. Ex. An attacker uses an EMI device to disrupt the signals of a nearby wireless network, causing connectivity issues. Electromagnetic Pulse (EMP) → An EMP is a burst of electromagnetic radiation that can disrupt or destroy electronic equipment and data. High-Intensity Pulse: Generating a powerful electromagnetic pulse. Device Disruption: Disrupting or damaging electronic devices. Data Loss: Causing loss or corruption of data stored in affected devices. Ex. A targeted EMP attack disables the electronic systems of a critical infrastructure facility, causing a service outage. Objective 3.5 Operational Technology (OT) Supervisory Control and Data Acquisition (SCADA) → SCADA systems are used for monitoring and controlling industrial processes, such as power generation, water treatment, and manufacturing. Components: Sensors, programmable logic controllers (PLCs), human-machine interfaces (HMIs), communication infrastructure. Functions: Monitoring: Collecting real-time data from sensors. Control: Sending commands to PLCs and other control devices. Data Analysis: Analyzing data to optimize processes and detect anomalies. Security Measures: Network Segmentation: Isolating SCADA networks from corporate networks. Access Control: Implementing strict access controls to SCADA systems. Encryption: Encrypting data in transit and at rest. Regular Updates: Applying security patches and updates to SCADA components. Ex. A power plant uses a SCADA system to monitor and control its electricity generation and distribution processes. Security measures include isolating the SCADA network, implementing multi-factor authentication, and encrypting communication between SCADA components. Industrial Control System (ICS) → ICS encompasses various control systems used in industrial environments, including SCADA systems, distributed control systems (DCS), and PLCs. Components: SCADA, DCS, PLCs, sensors, actuators, communication networks. Functions: Control: Managing industrial processes. Automation: Automating repetitive tasks and processes. Data Collection: Gathering data for analysis and optimization. Security Measures: Network Isolation: Segregating ICS networks from other networks. Intrusion Detection: Deploying ICS-specific intrusion detection systems. Authentication: Enforcing strong authentication mechanisms. Physical Security: Protecting ICS components from physical tampering. Incident Response: Developing and testing incident response plans specific to ICS. Ex. A chemical plant uses an ICS to automate and control its production process. Security measures include isolating the ICS network, implementing intrusion detection, and enforcing strong authentication protocols for access to ICS components. Heating Ventilation and Air Conditioning (HVAC)/Environmental → HVAC systems control the heating, ventilation, and air conditioning in buildings to maintain environmental comfort and air quality. Components: Thermostats, sensors, air handlers, chillers, boilers, ductwork, control systems. Functions: Temperature Control: Maintaining desired temperature levels. Air Quality: Ensuring proper ventilation and air filtration. Energy Efficiency: Optimizing energy use for cost savings. Security Measures: Access Control: Restricting access to HVAC control systems. Network Segmentation: Isolating HVAC systems from corporate IT networks. Monitoring: Continuous monitoring for anomalies and potential breaches. Patch Management: Regularly updating and patching HVAC software. Physical Security: Securing HVAC equipment against unauthorized access. Ex. A corporate office building uses an HVAC system to maintain comfortable temperatures and air quality. Security measures include isolating the HVAC network, restricting access to authorized personnel, and monitoring the system for anomalies. Internet of Things (IoT) IoT refers to a network of physical devices embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the internet. System-on-Chip (SoC) NOTES SoC is an integrated circuit that consolidates all components of a computer or other electronic system into a single chip, including the CPU, memory, input/output ports, and secondary storage. Embedded Systems Embedded systems are specialized computing systems that perform dedicated functions within larger systems, often with real-time computing constraints. Ex. An automotive anti-lock braking system (ABS) uses an embedded system to control braking functions. Security measures include access control, data encryption, and secure coding practices. Wireless Technologies/Radio Frequency (RF) Wireless technologies use radio frequency (RF) waves to transmit data over distances without the need for physical connections. Ex. A Wi-Fi network in a corporate office uses RF technology to provide wireless internet access. Security measures include WPA3 encryption, device authentication, and intrusion detection systems to protect the network. Security and Privacy Considerations Segmentation → Segmentation involves dividing a network or system into isolated zones to control and limit access based on security policies. Purpose: Isolate different parts of a network to enhance security. Types: Network Segmentation: Dividing a network into sub-networks. System Segmentation: Isolating applications or systems. Physical Segmentation: Using hardware to enforce segmentation. Techniques: Firewalls: Control traffic between segments. Virtual LANs (VLANs): Logical segmentation within a network. Subnetting: Dividing IP address spaces. Ex. In a manufacturing plant, the network is segmented to separate the production control systems from the corporate IT network to prevent potential attacks from impacting operational systems. Monitoring → Monitoring involves continuously observing systems and networks to detect and respond to security threats. Purpose: Ensure the ongoing security and integrity of systems. Techniques: Log Collection: Gathering logs from various sources. Real-Time Analysis: Analyzing logs and data in real-time. Alerting: Generating alerts for suspicious activities. Incident Response: Reacting to security incidents. Ex. A Security Information and Event Management (SIEM) system monitors network traffic for unusual patterns and generates alerts for potential security incidents. Aggregation → Aggregation involves collecting and combining data from various sources for analysis and decision-making. Purpose: Provide a comprehensive view of security and operational data. Techniques: Data Centralization: Collect data from multiple systems. Data Correlation: Link related data points. Reporting: Generate reports for analysis and decision-making. Ex. An organization aggregates logs from firewalls, IDS/IPS, and servers into a centralized SIEM system for comprehensive security monitoring and analysis. Hardening → Hardening involves strengthening systems and applications to reduce vulnerabilities and improve security. Purpose: Minimize potential attack surfaces. Techniques: Patch Management: Apply security patches and updates. Configuration Management: Apply secure configurations. Service Management: Disable unnecessary services. Access Control: Restrict user permissions. Ex. A web server is hardened by disabling unused ports, applying the latest security patches, and setting strict access controls. Data Analytics → Data analytics involves examining data to uncover patterns, trends, and insights for informed decision-making. Purpose: Gain insights from security and operational data. Techniques: Log Analysis: Review logs for suspicious activities. Threat Intelligence: Analyze data to understand threat trends. Behavioral Analysis: Detect anomalies based on historical data. Ex. An organization uses data analytics to review historical security incident data to identify trends and improve future incident response strategies. Environmental → Environmental considerations involve addressing physical and environmental factors that affect the security of systems. Purpose: Protect systems from physical threats and environmental factors. Techniques: Physical Security: Secure access to facilities. Environmental Controls: Maintain appropriate temperature and humidity. Disaster Recovery: Plan for environmental threats like fires or floods. Ex. A data center implements physical security controls like surveillance cameras and access controls, and environmental controls like HVAC systems to ensure the stability of the equipment. Regulatory → Regulatory considerations involve complying with laws and standards that govern data protection and privacy. Purpose: Ensure compliance with legal and regulatory requirements. Techniques: Compliance Audits: Regularly review adherence to regulations. Policy Development: Create policies for legal and regulatory compliance. Training: Educate employees on regulatory requirements. Ex. A healthcare organization ensures compliance with HIPAA regulations by conducting regular audits and training staff on data protection practices. Safety → Safety considerations involve ensuring that systems operate reliably and protect both data and users from harm. Purpose: Protect users and systems from accidents and failures. Techniques: Safety Policies: Establish guidelines for safe system operations. Testing: Conduct safety tests and simulations. Documentation: Maintain safety procedures and protocols. Ex. An industrial control system includes safety protocols for emergency shutdowns and regular safety drills to ensure personnel are prepared for system failures. Industry-Specific Challenges Utilities: Challenges: Operational Continuity: Ensuring consistent operation of critical infrastructure like power and water. SCADA Systems: Securing Supervisory Control and Data Acquisition (SCADA) systems that control and monitor infrastructure. Regulatory Compliance: Adhering to regulations like NERC CIP for cybersecurity in the energy sector. Legacy Systems: Many utilities use outdated technology that lacks modern security features. Solutions: Segmentation: Use network segmentation to isolate SCADA systems from corporate networks. Monitoring: Implement continuous monitoring and anomaly detection for SCADA systems. Patching: Regularly update and patch systems, while planning for potential disruptions. Access Controls: Implement strict access controls and multi-factor authentication for critical systems. Ex. A power plant segments its control systems from its administrative network, monitors SCADA traffic for unusual activities, and regularly updates its control systems while ensuring minimal impact on operations. Transportation: Challenges: Safety and Security: Protecting systems that manage transportation infrastructure, such as traffic lights and signaling systems. Integration: Ensuring secure integration between different transportation systems and services. Data Privacy: Protecting passenger data and transportation schedules. Legacy Equipment: Many transportation systems use outdated technology prone to vulnerabilities. Solutions: Network Security: Implement firewalls and intrusion detection/prevention systems for transportation networks. Encryption: Use strong encryption for data in transit and at rest. Access Management: Secure access to transportation control systems with robust authentication mechanisms. Incident Response: Develop and test incident response plans specific to transportation systems. Ex. A city’s traffic management system uses firewalls to protect its control network, encrypts traffic data between sensors and control centers, and has an incident response plan for potential disruptions. Healthcare: Challenges: Data Privacy: Protecting patient health records under regulations like HIPAA. Medical Devices: Securing medical devices and ensuring they do not become entry points for attacks. Compliance: Meeting stringent regulatory requirements for data protection and patient privacy. Legacy Systems: Many healthcare facilities rely on old systems that are difficult to update. Solutions: Device Security: Implement security measures for medical devices, including network isolation and regular updates. Data Protection: Use encryption and access controls to protect patient data. Compliance Audits: Regularly perform audits to ensure adherence to HIPAA and other regulations. Training: Provide training for staff on data protection and security best practices. Ex. A hospital uses encryption to protect patient records, isolates medical devices from the main network, and conducts regular HIPAA compliance audits. Manufacturing: Challenges: Industrial Control Systems (ICS): Securing ICS and SCADA systems used in manufacturing processes. Intellectual Property: Protecting proprietary manufacturing processes and designs. Legacy Systems: Many manufacturing systems run on outdated software or hardware. Supply Chain Risks: Managing security risks associated with third-party suppliers. Solutions: ICS Security: Implement robust security measures for ICS, including firewalls, segmentation, and intrusion detection. IP Protection: Use access controls and encryption to protect intellectual property. Supply Chain Management: Vet suppliers for security practices and implement secure supply chain protocols. System Updates: Plan and test updates for legacy systems to minimize risks. Ex. A manufacturing plant secures its ICS systems with firewalls and intrusion detection systems, uses encryption for intellectual property protection, and evaluates supplier security practices. Financial: Challenges: Fraud Prevention: Protecting against financial fraud and cyber-attacks. Regulatory Compliance: Adhering to financial regulations like PCI-DSS for payment card security. Data Security: Ensuring the security of sensitive financial data and transactions. Legacy Systems: Managing and securing outdated financial systems. Solutions: Fraud Detection: Implement advanced fraud detection systems and anomaly detection mechanisms. Regulatory Adherence: Regularly review and update practices to comply with PCI-DSS and other financial regulations. Data Encryption: Use strong encryption methods for financial transactions and sensitive data. System Modernization: Develop a plan for modernizing or securely integrating legacy systems. Ex. A bank uses fraud detection algorithms to monitor transactions, ensures compliance with PCI-DSS, encrypts financial data, and develops a strategy for modernizing legacy systems. Government/Defense: Challenges: National Security: Protecting sensitive and classified information related to national defense. Regulatory Requirements: Complying with regulations such as FISMA and NIST standards for federal agencies. Threat Landscape: Defending against sophisticated state-sponsored and advanced persistent threats (APTs). Legacy Systems: Many defense systems use outdated technologies that are difficult to secure. Solutions: Advanced Threat Protection: Employ advanced threat detection and response solutions. Regulatory Compliance: Ensure adherence to FISMA and NIST standards. Data Protection: Use multi-layered security measures for classified information. Modernization: Plan for the gradual replacement of legacy systems with modern technologies. Ex. A defense agency implements advanced threat protection solutions, follows FISMA guidelines, and develops a roadmap for replacing outdated defense systems. Characteristics of Specialized/Legacy Systems Unsecurable: Characteristics: Security Limitations: The system’s design inherently lacks the ability to be secured due to outdated technology or design flaws. Fixed Architecture: Systems often have a rigid architecture that doesn’t allow for modern security enhancements. Limited Patching Capabilities: Older systems may lack the capability to be patched or updated to fix vulnerabilities. Challenges: Inherent Vulnerabilities: The system may have security flaws that cannot be mitigated with updates or patches. Compliance Issues: Difficulty in meeting modern regulatory standards due to outdated technologies. Security Measures: Isolation: Place unsecurable systems on isolated networks to minimize exposure to threats. Compensating Controls: Implement additional security measures such as strong firewalls, intrusion detection systems (IDS), and strict access controls. Application of Layered Security: Use a multi-layered defense approach with segmentation and network monitoring to protect the system. Ex. A legacy financial transaction system that cannot be patched or updated is isolated from the rest of the network and protected by a series of firewalls and IDS systems. Obsolete: Characteristics: Outdated Technology: The technology used is no longer supported or manufactured. End-of-life (EOL): The vendor no longer provides updates or support for the system. Compatibility Issues: The system may be incompatible with modern security tools and standards. Challenges: Lack of Updates: No updates or patches available to address known vulnerabilities. Integration Problems: Difficulties in integrating with new technologies or systems. Security Measures: Vulnerability Management: Conduct thorough vulnerability assessments and apply compensating controls. Upgrade or Replace: Evaluate the feasibility of upgrading or replacing the system with modern alternatives. Backup and Recovery: Ensure that robust backup and disaster recovery plans are in place. Ex. A legacy SCADA system with no vendor support is assessed for vulnerabilities, and compensating controls such as additional firewalls and a detailed backup plan are implemented. Unsupported: Characteristics: No Vendor Support: The vendor no longer offers technical support, updates, or documentation. Documentation Scarcity: Limited or no available documentation for troubleshooting and maintenance. Challenges: Technical Support: Lack of vendor support for troubleshooting issues or applying fixes. Documentation Gaps: Difficulty finding or interpreting documentation for maintenance and security tasks. Security Measures: Document Knowledge: Create and maintain internal documentation and knowledge repositories. Community Support: Engage with user communities or forums for support and advice. Expert Consultation: Seek assistance from third-party experts or consultants with experience in the technology. Ex. An unsupported industrial control system has its internal knowledge documented by staff and receives periodic security assessments from third-party experts. Highly Constrained: Characteristics: Limited Resources: The system has constraints on processing power, memory, and storage. Restricted Access: The system may have limited access mechanisms and features. Fixed Functionality: The system performs a specific, fixed set of functions. Challenges: Resource Constraints: Limited ability to implement advanced security measures due to hardware or software limitations. Functional Limitations: The system can only perform specific tasks, limiting security enhancements. Security Measures: Optimize Existing Security Measures: Implement the most effective security measures within the constraints of the system. Minimize Attack Surface: Limit the system’s exposure to potential threats by disabling unnecessary functions and services. Monitor and Log: Use available resources to implement monitoring and logging for security events. Ex. A constrained embedded system used in an industrial setting has minimized its attack surface by disabling unused services and using lightweight monitoring solutions. Objective 3.6 Scripting PowerShell → PowerShell is a task automation framework consisting of a command-line shell and scripting language, built on the .NET framework, primarily used in Windows environments. Bash → Bash (Bourne Again Shell) is a Unix shell and command language written for the GNU Project as a free software replacement for the Bourne shell. It is widely used in Linux and Unix environments. Python → Python is a high-level, interpreted programming language known for its readability and versatility, widely used for web development, data analysis, automation, and scripting. Cron/Scheduled Tasks Cron is a time-based job scheduler in Unix-like operating systems, used to schedule scripts or commands to run at specified times. Ex. Automated Backups: Scheduling a cron job to back up critical data daily at midnight. 0 0 * * * /path/to/backup_script.sh Event-Based Triggers Event-based triggers are mechanisms that execute predefined actions in response to specific events or conditions. Ex. Security Incident Response: Using an event-based trigger to isolate a compromised machine when suspicious activity is detected. Infrastructure as Code (IaC) Infrastructure as Code (IaC) is the process of managing and provisioning computing infrastructure through machine-readable scripts rather than physical hardware configuration or interactive configuration tools. Automated Provisioning: Automates the setup and management of infrastructure. Version Control: Allows infrastructure to be versioned and treated like application code. Consistency: Ensures consistent configurations across environments. Ex. Provisioning Cloud Resources: Using Terraform to define and deploy cloud infrastructure. Configuration Files Yet Another Markup Language (YAML) → YAML is a human-readable data serialization format commonly used for configuration files. Human-Readable: Easy to read and write. Hierarchical: Represents data in a nested, structured format. Used in: DevOps tools (e.g., Ansible, Kubernetes). Ex. Kubernetes Deployment: A YAML configuration file to deploy an application. Extensible Markup Language (XML) → XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. Structured Data: Uses tags to define elements. Widely Used: In web services, configuration files, and data exchange. Verbose: More extensive than JSON and YAML. Ex. Web Configuration: An XML file for a web application’s configuration. JavaScript Object Notation (JSON) → JSON is a lightweight data-interchange format that is easy for humans to read and write and easy for machines to parse and generate. Ex. API Response: A JSON configuration for an API response. Tom’s Obvious, Minimal Language (TOML) → TOML is a data serialization language designed to be easy to read due to its minimal syntax. Readable: Combines the simplicity of INI files with the expressiveness of YAML. Sections and Tables: Organized into sections and tables. Used in: Configuration files for modern applications. Ex. Application Config: A TOML file for configuring an application. Cloud APIs and Software Development Kits (SDKs) Cloud APIs → Cloud APIs are interfaces that allow interaction with cloud services, enabling the automation of tasks, integration of services, and management of resources. Ex. AWS API: Use AWS SDK to automate the deployment of EC2 instances. Generative AI Code Assist → Code assist refers to the use of AI tools to help developers write, debug, and optimize code more efficiently. Automated Suggestions: AI tools provide real-time code suggestions and autocompletions. Error Detection: Identifies and suggests fixes for syntax and logical errors. Code Generation: Generates code snippets based on natural language descriptions or incomplete code. Ex. GitHub Copilot: Uses AI to suggest code snippets and complete lines of code. Documentation → Generative AI can automatically generate comprehensive documentation for codebases, APIs, and systems, ensuring that documentation is always up-to-date and thorough. Auto-generated Descriptions: Creates detailed descriptions for functions, classes, and modules. Example Generation: Provides usage examples and scenarios. Update Consistency: Ensures documentation is synchronized with code changes. Ex. AI Documentation Tool: Automatically generates documentation for a Python module. Containerization Containerization is the process of encapsulating an application and its dependencies into a container that can run consistently across various computing environments. Isolation: Containers provide isolated environments for applications, ensuring they run independently. Consistency: Ensures applications run the same regardless of the underlying infrastructure. Efficiency: Containers are lightweight and consume fewer resources compared to virtual machines. Ex. Docker: A popular containerization platform that allows developers to package applications into containers. Automated Patching Automated patching involves the use of tools and scripts to automatically apply software updates and security patches to systems and applications. Schedule: Regularly scheduled patch deployments to ensure systems are up-to-date. Compliance: Ensures compliance with security policies and regulations. Reduced Downtime: Minimizes downtime by automating the patching process. Ex. Ansible Playbook: Automates the patching of a fleet of servers. Auto-containment Auto-containment refers to the automatic isolation of potentially malicious activities or applications within a controlled environment to prevent them from affecting the broader system. Real-time Isolation: Automatically isolates suspicious processes. Sandboxing: Runs untrusted applications in a secure sandbox. Threat Mitigation: Prevents the spread of malware and minimizes the impact of security breaches. Ex. Comodo Auto-Containment: Automatically isolates unknown files in a virtual container to prevent them from causing harm. Security orchestration, automation, and response (SOAR) NOTES Vulnerability Scanning and Reporting Vulnerability scanning and reporting involve using automated tools to identify, classify, and report security vulnerabilities in systems, applications, and networks. Automated Scans: Regularly scheduled scans to detect vulnerabilities. Classification: Prioritization of vulnerabilities based on severity. Reporting: Generation of detailed reports for remediation planning. Ex. Nessus: A popular vulnerability scanner that identifies potential vulnerabilities and provides reports. Security Content Automation Protocol (SCAP) Open Vulnerability Assessment Language (OVAL) → OVAL is a standard used to represent system security information in a structured format, allowing for automated analysis of the system state. Language: Defines system characteristics and vulnerabilities. Repositories: Stores definitions for security content. Automation: Facilitates automated system assessments. Ex. OVAL Definitions: Scripts to check for specific vulnerabilities or misconfigurations. Extensible Configuration Checklist Description Format (XCCDF) → XCCDF is a standard for creating security checklists and benchmarks in a machine-readable format, aiding in automated compliance checking. Checklists: Defines configuration policies and security benchmarks. Benchmarking: Automates compliance assessments. Reporting: Generates compliance reports. Ex. XCCDF Benchmarks: Checklists for system configurations. Common Platform Enumeration (CPE) → CPE is a standardized method for naming and describing IT products and platforms, enabling consistent identification across different tools and databases. Naming Convention: Standardized names for IT products. Identification: Facilitates platform identification. Interoperability: Enhances data sharing across tools. Ex. CPE Names: Identifiers for software and hardware products. Common Vulnerabilities and Exposures (CVE) → CVE is a list of publicly known cybersecurity vulnerabilities and exposures, each assigned a unique identifier for reference. Unique Identifiers: Standard IDs for vulnerabilities. Database: Central repository of vulnerabilities. Reference: Used in security tools for vulnerability identification. Ex. CVE ID: CVE-2023-1234 Common Vulnerability Scoring System (CVSS) → CVSS is a standard for assessing the severity of security vulnerabilities, providing a numerical score that reflects their impact. Scoring: Assigns severity scores to vulnerabilities. Metrics: Base, temporal, and environmental metrics. Impact Assessment: Helps prioritize vulnerability management. Ex. CVSS Score: CVSS 3.1 Base Score: 7.5 Workflow Automation Workflow automation uses software to automate complex processes, reducing the need for manual intervention and ensuring consistent execution of tasks. Task Automation: Automates repetitive and manual tasks. Process Integration: Integrates different tools and systems for seamless workflows. Consistency: Ensures tasks are performed the same way every time, reducing errors. Ex. Jenkins: An automation server used for continuous integration and continuous deployment (CI/CD). Objective 3.7 Post-Quantum Cryptography (PQC) Post-Quantum vs. Diffie-Hellman and Elliptic Curve Cryptography (ECC) → Post-quantum cryptography refers to cryptographic algorithms that are secure against the potential threats posed by quantum computers. Unlike traditional algorithms such as Diffie-Hellman and ECC, post-quantum algorithms are designed to withstand quantum attacks. Diffie-Hellman and ECC: Based on: Mathematical problems like discrete logarithms and elliptic curves. Vulnerability: Susceptible to quantum attacks via Shor’s algorithm. Ex. Diffie-Hellman Key Exchange: Uses modular arithmetic for secure key exchange, vulnerable to quantum attacks. Post-Quantum Cryptography: Based on: Lattice problems, hash functions, and error-correcting codes. Goal: Provide security against quantum computing capabilities. Ex. Post-Quantum Key Exchange: Uses lattice-based algorithms (e.g., NTRUEncrypt) to secure key exchange, resistant to quantum attacks. Resistance to Quantum Computing Decryption Attack → Resistance to quantum computing decryption attack involves developing cryptographic methods that cannot be easily broken by quantum computers, which have the capability to solve certain mathematical problems much faster than classical computers. Quantum Threat: Quantum computers can efficiently solve problems like integer factorization and discrete logarithms. Post-Quantum Security: Algorithms resistant to known quantum attacks, ensuring long-term data security. Key Algorithms: Lattice-based, hash-based, code-based, multivariate polynomial, and supersingular elliptic curve isogeny. Ex. Quantum-Safe Algorithms: Lattice-based: Uses complex lattice problems (e.g., Learning With Errors - LWE). Hash-based: Utilizes hash functions (e.g., Merkle Trees). Emerging Implementations → Emerging implementations refer to the development and deployment of new cryptographic algorithms designed to be secure against quantum computers. Standardization Efforts: Organizations like NIST are working on standardizing post-quantum cryptographic algorithms. Algorithm Candidates: Various algorithms are being tested for efficiency, security, and practicality. Integration: Implementation in existing systems, focusing on compatibility and performance. Ex. NIST Post-Quantum Cryptography Standardization: Aims to select one or more quantum-resistant algorithms for standard use. Example Algorithms: Kyber: Lattice-based key encapsulation mechanism (KEM). Dilithium: Lattice-based digital signature scheme. Key Stretching Key stretching is a technique used to make a weak key (like a password) more secure by increasing the computational effort required to brute-force it. Purpose: Enhances security by making keys more resistant to brute-force attacks. Methods: Techniques such as PBKDF2, bcrypt, and scrypt. Steps: Apply a hash function multiple times. Use a salt to prevent rainbow table attacks. Increase the computational workload. Ex. PBKDF2: Uses HMAC with a pseudorandom function to iteratively process the password and salt. Key Splitting Key splitting involves dividing a key into multiple parts, which need to be combined to reconstruct the original key. Purpose: Increases security by ensuring no single entity has access to the complete key. Methods: Secret sharing schemes (e.g., Shamir’s Secret Sharing). Steps: Split key into n parts. Require k parts to reconstruct the key. Distribute parts to different parties. Shamir’s Secret Sharing: Split a secret key into parts. Use a threshold scheme to reconstruct the key. Homomorphic Encryption Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, producing encrypted results that, when decrypted, match the result of operations performed on the plaintext. Purpose: Enables secure data processing in an encrypted form. Types: Partially, somewhat, and fully homomorphic encryption. Steps: Encrypt data. Perform computations on encrypted data. Decrypt result. Ex. Paillier Encryption: Supports addition operations on ciphertexts. Forward Secrecy Forward secrecy ensures that session keys will not be compromised even if the server’s private key is compromised in the future. Purpose: Protects past communications from future key compromises. Methods: Diffie-Hellman key exchange. Steps: Generate ephemeral session keys. Discard keys after session ends. Ex. TLS: Uses ephemeral Diffie-Hellman keys for forward secrecy. Hardware Acceleration Hardware acceleration uses specialized hardware to perform cryptographic operations more efficiently than software alone. Purpose: Enhances performance and security of cryptographic processes. Methods: Hardware Security Modules (HSM), AES-NI instructions. Steps: Offload cryptographic operations to hardware. Use hardware features to speed up computations. Ex. AES-NI: Intel’s AES New Instructions for faster AES encryption/decryption. Envelope Encryption Envelope encryption is a method of encrypting data where a data key encrypts the data, and a master key encrypts the data key. Purpose: Separates data encryption from key management. Methods: Use two layers of encryption. Steps: Encrypt data with a data key. Encrypt the data key with a master key. Store both the encrypted data and encrypted key. Ex. AWS KMS: Uses envelope encryption for securing data in the cloud. Performance vs. Security Balancing performance and security involves choosing cryptographic methods that provide sufficient security without overly compromising system performance. Purpose: Achieve optimal trade-off between security strength and operational efficiency. Considerations: Algorithm complexity, hardware capabilities, use case requirements. Steps: Assess security needs. Evaluate performance impact. Choose appropriate algorithms. Ex. TLS Configuration: Choose between AES-256 (higher security, lower performance) and AES-128 (lower security, higher performance). Secure Multiparty Computation (SMC) SMC allows parties to jointly compute a function over their inputs while keeping those inputs private. Purpose: Enable collaborative computation without data sharing. Methods: Secret sharing, garbled circuits. Steps: Split data into shares. Perform computation on shares. Combine results. Ex. Yao’s Garbled Circuits: A technique for secure two-party computation. Authenticated Encryption with Associated Data (AEAD) AEAD provides both confidentiality and integrity for data, ensuring that data is both encrypted and authenticated. Purpose: Prevent unauthorized access and modification. Methods: GCM, CCM modes of operation. Steps: Encrypt data. Authenticate associated data. Ex. AES-GCM: AES encryption with Galois/Counter Mode for authenticated encryption. Mutual Authentication Mutual authentication ensures that both parties in a communication verify each other’s identities. Purpose: Prevents impersonation attacks. Methods: Use certificates, Kerberos, TLS. Steps: Each party presents credentials. Verify each other’s credentials. Establish secure communication. Ex. TLS Mutual Authentication: Both client and server present and verify certificates. Objective 3.8 Use Cases Data at Rest → Data at rest refers to inactive data stored physically in any digital form (e.g., databases, storage drives). Use case → Encrypt sensitive data stored on hard drives, SSDs, or backup tapes to prevent unauthorized access. Ex. Encryption Tool: BitLocker encrypts the entire hard drive to protect data at rest. Data in Transit → Data in transit refers to data actively moving from one location to another (e.g., over the internet or internal networks). Use case → Secure data transmission between clients and servers to prevent interception and tampering. Encrypted Tunnels: TLS (Transport Layer Security), VPN (Virtual Private Network), IPSec. Ex. TLS Encryption: HTTPS ensures that data sent between a web browser and server is encrypted. Data in Use/Processing → Data in use refers to data being actively processed or manipulated in memory or during computations. Use case → Ensure that data remains confidential and secure while being processed. Homomorphic Encryption: Allows computations on encrypted data. Ex. A cloud service provider processes encrypted client data without decrypting it. Secure Email → Secure email protects the confidentiality and integrity of email communications. Use case → Protect email messages from unauthorized access and ensure authenticity. Ex. S/MIME: Encrypts and signs email messages to ensure only the intended recipient can read them. Immutable Databases/Blockchain → Immutable databases and blockchain ensure that data cannot be altered or deleted once written. Use case → Maintain a permanent, unchangeable record of transactions or events. Ex. Blockchain: Records cryptocurrency transactions in a tamper-proof ledger. Non-Repudiation → Non-repudiation ensures that a party cannot deny the authenticity of their actions. Use case → Prove that a message was sent or a transaction was executed. Ex. Digital Signature: Signing a contract digitally to prove the sender’s agreement. Privacy Applications → Privacy applications protect personal data from unauthorized access and misuse. Use Case → Ensure the confidentiality of personal information and compliance with privacy regulations. Ex. Data Anonymization: Anonymizing user data for research without revealing identities. Legal/Regulatory Considerations → Legal and regulatory considerations ensure that cryptographic practices meet legal requirements and standards. Use case → Implement cryptographic measures to comply with laws and regulations. Ex. GDPR Compliance: Using encryption and access controls to protect personal data. Resource Considerations → Resource considerations involve evaluating the impact of cryptographic techniques on system performance and resources. Use case → Balance security needs with system performance and resource availability. Ex. Performance vs. Security: Choosing between AES-GCM (performance) and RSA (security) for encryption. Data Sanitization → Data sanitization involves securely deleting or erasing data to prevent recovery. Use case → Ensure that sensitive data is completely removed from storage devices. Ex. Data Wiping: Using tools like DBAN (Darik’s Boot and Nuke) for secure data deletion. Data Anonymization → Data anonymization involves altering data to prevent the identification of individuals. Use case → Protect individual identities while using data for analysis or sharing. Ex. Data Masking: Replacing sensitive data fields with fictional data. Certificate-Based Authentication → Certificate-based authentication uses digital certificates to verify identities. Use case → Authenticate users, devices, or services securely. Ex. TLS Certificates: Validating a website’s identity and encrypting traffic. Passwordless Authentication → Passwordless authentication eliminates the need for passwords by using alternative methods. Use case → Enhance security and user convenience. Ex. WebAuthn: Using a fingerprint scanner for user login. Software Provenance → Software provenance involves verifying the origin and integrity of software. Use Case: Ensure software is genuine and untampered. Ex. Code Signing: Verifying the integrity and source of software updates. Software/Code Integrity → Software/code integrity ensures that code has not been altered or tampered with. Use Case: Verify that code and software updates are secure and authentic. Ex. Checksum Verification: Comparing downloaded software hashes to the official ones. Centralized vs. Decentralized Key Management → Centralized key management involves a single entity controlling encryption keys, while decentralized management distributes key control. Use Case: Decide between single-point key management versus distributed approaches. Ex. AWS KMS: Centralized management for encryption keys. Techniques Tokenization → Tokenization replaces sensitive data with unique identification symbols (tokens) that retain essential information about the data without compromising security. Use Case: Protect sensitive data such as credit card numbers or personal information in storage and during transactions. Ex. Tokenization: Replacing a credit card number with a token for processing payments. Code Signing → Code signing involves digitally signing software to verify its authenticity and integrity. Use Case: Ensure that software or updates are from a trusted source and have not been tampered with. Ex. Code Signing: A developer signs their software to verify that it has not been altered. Cryptographic Erase/Obfuscation → Cryptographic erase and obfuscation techniques ensure that data is securely erased or obscured to prevent unauthorized recovery. Use Case: Securely erase sensitive data from storage devices. Ex. Cryptographic Erase: Encrypting and then deleting data on a hard drive. Digital Signatures → Digital signatures verify the authenticity and integrity of digital messages or documents. Use Case: Authenticate documents and ensure they have not been tampered with. Ex. Digital Signatures: Signing a PDF document to ensure it is from the claimed sender. Obfuscation → Obfuscation makes data or code difficult to understand or reverse-engineer. Use Case: Protect intellectual property and obscure sensitive information. Ex. Code Obfuscation: Transforming source code to protect against reverse engineering. Serialization → Serialization converts data structures into a format that can be easily stored or transmitted. Use Case: Convert complex data structures for storage or transmission. Ex. Serialization: Converting a data structure into JSON for API responses. Hashing → Hashing produces a fixed-size string from input data of any size to ensure data integrity. Use Case: Verify the integrity of data or passwords. Ex. Hashing: Generating a hash for file verification. One-Time Pad → One-time pad is an encryption technique using a random key that is as long as the message. Use Case: Provide unbreakable encryption for highly sensitive information. Ex. One-Time Pad: Encrypting a military message with a one-time pad. Symmetric Cryptography → ymmetric cryptography uses the same key for encryption and decryption. Use Case: Fast and efficient encryption for data transmission and storage. Ex. AES Encryption: Encrypting data in transit. Asymmetric Cryptography → Asymmetric cryptography uses a pair of keys (public and private) for encryption and decryption. Use Case: Secure communications, digital signatures. Ex. RSA Encryption: Encrypting a message using the recipient’s public key. Lightweight Cryptography → Lightweight cryptography is designed for constrained environments with limited resources. Use Case: Cryptographic solutions for IoT devices and embedded systems. Ex. ChaCha20: Using ChaCha20 for encrypted communications on IoT devices.

July 23, 2024 · 48 min · Dhanraj Chavan

Chapter 4: Security Operations

Chapter 4 Objective 4.1 Security Information and Event Management (SIEM) NOTES Event Parsing → Event parsing is the process of interpreting and normalizing raw event data from various sources into a consistent format. Scenario: An organization receives logs from various devices (e.g., firewalls, routers, servers). Action: Use a SIEM tool to parse and normalize these logs into a standardized format for easier analysis. Event Duplication → Event duplication occurs when identical or similar events are recorded multiple times, leading to redundant data and potential alert fatigue. Scenario: A firewall generates multiple identical alerts for the same incident. Action: Configure SIEM rules to deduplicate these events and provide a single alert. Non-Reporting Devices → Non-reporting devices are those that fail to send logs or event data to the SIEM system, potentially missing critical security information. Scenario: A critical server stops sending logs to the SIEM system. Action: Set up heartbeat monitoring to alert administrators when the server fails to report. Retention → Retention refers to the period for which event data is stored within the SIEM system. Scenario: An organization must retain event logs for seven years to comply with regulatory requirements. Action: Configure SIEM retention policies to archive and store logs accordingly. Event False Positives/False Negatives → False Positives: Legitimate activity incorrectly flagged as a threat. False Negatives: Malicious activity that goes undetected. Scenario: An intrusion detection rule generates numerous false alerts for normal network traffic. Action: Refine the rule to reduce false positives and accurately detect actual threats. Aggregate Data Analysis Correlation → Correlation involves linking related events across different sources and systems to identify patterns and detect complex threats. Scenario: A user logs into the network from a foreign location, followed by multiple failed login attempts on various servers. Action: Use correlation rules to link the login event with the failed attempts, triggering an alert for potential account compromise. Audit Log Reduction → Audit log reduction involves filtering and summarizing logs to remove redundant or irrelevant data, making it easier to identify significant events. Scenario: Thousands of routine system logs are generated daily, making it difficult to identify important events. Action: Implement log filtering to exclude routine logs and summarize repetitive events. Prioritization → Prioritization involves ranking events based on their potential impact and urgency to focus on the most critical incidents first. Scenario: Multiple security alerts are generated, but resources are limited to address them all immediately. Action: Use severity scoring to prioritize alerts based on their potential impact and urgency. Trends → Identifying trends involves analyzing historical data to detect patterns and predict future security incidents. Scenario: An increase in phishing emails is observed over the past few months. Action: Perform trend analysis to identify the pattern and implement preventive measures. Behavior Baselines and Analytics Network Behavior Baselines → Establishing normal network activity patterns to detect unusual behaviors that may signify security threats. Scenario: An increase in outbound traffic to an unknown external IP address is detected. Action: Compare the current traffic with the baseline. If it deviates significantly, trigger an alert for potential data exfiltration. System Behavior Baselines → Establishing normal operating patterns for systems to identify unusual activities that could indicate security issues. Scenario: A sudden spike in CPU usage on a critical server is observed. Action: Compare the spike with the system’s performance baseline to determine if it’s an anomaly, possibly indicating a DDoS attack or malware. User Behavior Baselines → Establishing normal user activity patterns to detect anomalies that could indicate compromised accounts or insider threats. Scenario: A user account is accessing sensitive data outside of normal working hours. Action: Compare the access times with the established baseline. If it deviates significantly, investigate for potential account compromise. Applications/Services Behavior Baselines → Establishing normal operating patterns for applications and services to detect unusual activities that could indicate security threats. Scenario: An application experiences a sudden increase in error rates. Action: Compare the error rates with the application’s baseline. If it deviates significantly, investigate for potential security issues such as exploitation attempts. Incorporating Diverse Data Sources Third-Party Reports and Logs → Data and logs provided by external organizations, often including security reports, audit logs, and compliance assessments. Threat Intelligence Feeds → Data streams that provide information about current threats, including indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs). Vulnerability Scans → Automated scans that identify vulnerabilities in systems, applications, and networks Common Vulnerabilities and Exposures (CVE) Details → A list of publicly disclosed information security vulnerabilities and exposures. Bounty Programs → Programs that incentivize external researchers to find and report vulnerabilities in your systems. Data Loss Prevention (DLP) Data → Data collected from DLP tools that monitor and protect sensitive information from unauthorized access and exfiltration. Endpoint Logs → Logs collected from endpoints, including desktops, laptops, and mobile devices. Infrastructure Device Logs → Logs from network devices such as routers, switches, firewalls, and load balancers. Application Logs → Logs generated by applications, capturing detailed information about their operation and user interactions. Cloud Security Posture Management (CSPM) Data → Data from CSPM tools that assess and monitor the security posture of cloud environments. Alerting False Positives and False Negatives → False Positives: Alerts that incorrectly indicate a security incident. False Negatives: Missed alerts that fail to detect an actual security incident. Scenario: You receive a high number of false positives from your intrusion detection system (IDS). Action: Analyze the IDS rules and thresholds, adjusting them to reduce false positives while maintaining detection accuracy. Alert Failures → Situations where alerts are not generated or delivered as expected. Scenario: Alerts from your SIEM system are not reaching the incident response team. Action: Investigate and resolve communication issues within the SIEM and alerting infrastructure. Prioritization Factors: Criticality: The importance of the affected asset or system. Impact: The potential consequences of the incident. Asset Type: The nature and function of the asset (e.g., server, workstation). Residual Risk: The remaining risk after controls have been applied. Data Classification: The sensitivity of the data involved (e.g., public, confidential). Scenario: You receive an alert about potential malware on a critical server hosting confidential data. Action: Prioritize the alert based on the server’s criticality, the impact of potential data exposure, and the data classification. Malware Alerts → Alerts indicating the presence of malware on a system. Vulnerability Alerts → Alerts indicating the presence of vulnerabilities in systems or applications. Reporting and Metrics Visualization → The process of representing data in graphical or pictorial format to enhance understanding and analysis. Dashboards → Interactive interfaces that display real-time data and metrics from various sources, providing an overview of the current security status. Objective 4.2 Vulnerabilities and Attacks Injection → Attackers insert malicious code into a vulnerable program, typically through user inputs. Ex. SQL injection, Command injection Cross-Site Scripting (XSS) → Attackers inject malicious scripts into web pages viewed by other users. Ex. Stored XSS, Reflected XSS Unsafe Memory Utilization → Poor memory management can lead to vulnerabilities such as buffer overflows. Ex. Buffer overflow, Use-after-free Race Conditions → Flaws that occur when the timing of actions impacts the system’s behavior. Time-of-check to time-of-use (TOCTOU) bugs Cross-Site Request Forgery (CSRF) → Attackers trick users into executing unwanted actions on a different site where they are authenticated. Server-Side Request Forgery (SSRF) → Attackers manipulate server-side requests to access internal resources. Unsecure Configuration → Poorly configured systems can lead to vulnerabilities. Embedded Secrets → Hard-coded credentials or keys within the source code Outdated/Unpatched Software and Libraries → Using outdated components with known vulnerabilities. End-of-Life Software → Software that is no longer supported with security updates. Poisoning → Manipulating data to affect the behavior of systems or models. Directory Service Misconfiguration → Poor configuration of directory services leading to unauthorized access. Overflows → Buffer or integer overflows that lead to arbitrary code execution. Deprecated Functions → Usage of outdated and insecure functions in the code. Vulnerable Third Parties → Dependencies on third-party services or software with vulnerabilities. Time of Check, Time of Use (TOCTOU) → Discrepancies between the time a condition is checked and the time it is used. Deserialization → Insecure deserialization leading to arbitrary code execution. Weak Ciphers → Usage of outdated or weak cryptographic algorithms. Confused Deputy → When a program inadvertently misuses its authority on behalf of an attacker. Implants → Malicious code inserted into a system to maintain unauthorized access. Mitigations Input Validation → Ensuring that all input data is validated against expected formats and values to prevent malicious data from being processed. Output Encoding → Encoding data before rendering it to ensure that it is safely interpreted by the browser or application. Safe Functions → Utilizing functions that are designed to handle operations safely, avoiding common vulnerabilities. Security Design Patterns → Implementing established design patterns that promote security best practices. Updating/Patching → Regularly applying updates and patches to fix known vulnerabilities. Implement automated patch management for operating systems, software, hypervisors, firmware, and system images. Least Privilege → Granting users and processes the minimal level of access necessary to perform their functions. Fail Secure/Fail Safe → Designing systems to default to a secure state in the event of a failure. Secrets Management → Properly managing secrets like API keys, passwords, and certificates to ensure they are kept secure. Least Function/Functionality → Limiting the functionality of systems to the minimum required to reduce the attack surface. Defense-in-Depth → Implementing multiple layers of security controls to protect against attacks. Dependency Management → Properly managing software dependencies to ensure they are secure and up-to-date. Code Signing → Using digital signatures to verify the integrity and authenticity of software code. Encryption → Using cryptographic techniques to protect data confidentiality and integrity. Indexing → Organizing data to improve searchability and access control. Allow Listing → Permitting only known and trusted entities or actions, blocking everything else by default. Objective 4.3 Internal Intelligence Sources Adversary Emulation Engagements → Simulating real-world attack techniques and tactics to evaluate the effectiveness of security controls and incident response capabilities. Internal Reconnaissance → Gathering information from within the organization to identify potential vulnerabilities and areas of risk. Hypothesis-Based Searches → Developing and testing hypotheses about potential threats based on available data and intelligence. Honeypots → Deploying decoy systems designed to attract attackers, gather intelligence, and analyze attack techniques. Honeynets → Creating a network of honeypots to simulate a larger, more complex environment for detecting and analyzing sophisticated threats. User Behavior Analytics (UBA) → Analyzing user behavior patterns to detect anomalies that may indicate insider threats or compromised accounts. External Intelligence Sources Open-Source Intelligence (OSINT) → Gathering information from publicly available sources to identify potential threats and vulnerabilities. Dark Web Monitoring → Monitoring the dark web for discussions, leaked data, and other information relevant to potential threats. Information Sharing and Analysis Centers (ISACs) → Collaborating with industry-specific organizations that share threat intelligence and best practices. Reliability Factors → Evaluating the trustworthiness and accuracy of external threat intelligence sources. Counterintelligence and Operational Security Counterintelligence → Actions and strategies designed to detect, prevent, and mitigate espionage and intelligence activities conducted by adversaries. Operational Security (OpSec) → Processes and practices to protect information and activities from adversaries who might seek to exploit them. Threat Intelligence Platforms (TIPs) and Third-Party Vendors Threat Intelligence Platforms (TIPs) → TIPs are tools designed to collect, aggregate, analyze, and disseminate threat intelligence data to improve an organization’s security posture. Indicator of Compromise (IoC) Sharing Structured Threat Information eXchange (STIX) → NOTES Trusted automated exchange of indicator information (TAXII) → NOTES Rule-Based Languages Sigma → Sigma is a standardized open-source format for writing and sharing detection rules across different SIEM systems. YARA → YARA is a tool for identifying and classifying malware samples and other indicators of compromise (IoCs). Rita → Rita (Real Intelligence Threat Analytics) is an open-source tool for analyzing network traffic and detecting anomalies. Snort → Snort is a widely used open-source network intrusion detection system (NIDS) that uses rules for traffic analysis. Indicators of Attack (IoAs) TTPs describe the behaviors and methods used by adversaries to achieve their objectives. The MITRE ATT&CK Framework is a valuable resource for understanding TTPs. Tactics: The high-level goals of an attacker (e.g., Initial Access, Execution). Techniques: The methods used to achieve those goals (e.g., Phishing for Initial Access). Procedures: The specific implementations of techniques used in attacks. Objective 4.4 Malware Analysis Detonation → Involves running the malware in a controlled environment to observe its behavior. Techniques: Static Analysis: Examining the malware’s code without executing it. Dynamic Analysis: Observing the malware’s behavior during execution. IoC Extractions → Involves identifying indicators from the malware analysis for detection and mitigation. Techniques: File Hashes: MD5, SHA1, SHA256 Network Indicators: IP addresses, domains, URLs File Indicators: Filenames, paths Registry Keys: Specific registry modifications Behavioral Indicators: System changes, processes Sandboxing → Involves running the malware in an isolated environment to observe its behavior without affecting production systems. Techniques: Automated Sandboxes: Provides automated analysis and reports. Manual Sandboxes: Allows for controlled manual analysis. Code Stylometry → Used to analyze the code’s writing style to identify variants and potential authors. Techniques: Variant Matching: Identifying similar variants of malware. Code Similarity: Comparing code to detect similar malware families. Malware Attribution: Linking malware to known threat actors based on code style. Reverse Engineering Disassembly → Involves converting machine code into assembly language to understand how a program works. Decompilation → Converts machine code into high-level language code to understand program logic. Binary Analysis → Involves examining executable files to identify malicious behaviors, vulnerabilities, or hidden functionalities. Bytecode Analysis → The examination of compiled intermediate code for applications, especially useful for Java and .NET. Storage Analysis Volatile Storage Analysis → Refers to data that exists temporarily, such as RAM. Analyzing volatile storage provides real-time insights into system activities. Techniques: Memory Dump Analysis: Collecting and analyzing the contents of system memory. Process Analysis: Identifying running processes, their states, and associated information. Network Connections: Investigating open network connections and their endpoints. Registry Analysis: Extracting and examining registry keys for information on system configuration and activities. Non-Volatile Storage Analysis → Refers to data that persists after a system is powered off, such as hard drives or SSDs. Techniques: File System Analysis: Examining files, directories, and metadata. Log File Analysis: Reviewing system and application logs. Disk Forensics: Recovering deleted files and examining file system structures. Network Analysis Involves examining network traffic to detect and investigate suspicious activities. Techniques: Traffic Capture: Collecting network packets for analysis. Network Monitoring: Observing network traffic for anomalies. Protocol Analysis: Understanding network protocols and detecting misuse. Metadata Analysis Email Header Analysis → Email headers contain metadata that provides information about the path an email took from sender to recipient, as well as technical details about the email’s origin and any intermediate servers. Techniques: Header Parsing: Extracting header fields such as Received, From, To, Subject, and Date. Trace Email Path: Tracking the path of the email through different servers. Identify Spoofing: Checking discrepancies in the From address or routing information. Analyze DKIM/SPF/DMARC: Verifying email authentication mechanisms. Image Metadata Analysis → Image metadata can provide details about the creation, modification, and camera settings of an image. Techniques: EXIF Data Extraction: Extracting metadata such as camera make, model, and GPS coordinates. Tamper Detection: Checking for signs of image manipulation. GPS Information: Analyzing location data embedded in the image. Audio/Video Metadata Analysis → Audio and video files contain metadata that can include information about the file’s creation, codec details, and modification history. Techniques: Extract Metadata: Reviewing details such as codec, duration, and bit rate. Analyze Content: Checking for hidden or embedded data. Verify Authenticity: Ensuring that the media file is genuine. File/Filesystem Metadata Analysis → Analyzing the metadata of files and filesystems involves inspecting attributes like timestamps, file permissions, and file structure. Techniques: File Metadata Extraction: Reviewing file attributes such as creation and modification dates. Filesystem Analysis: Examining filesystem structures for evidence of tampering or hidden files. File Integrity Checking: Verifying that files have not been altered. Hardware Analysis Joint Test Action Group (JTAG) → JTAG is a hardware debugging standard used for testing and programming hardware devices. It provides access to the internal states of a system’s components through a set of test access ports. JTAG Setup for Incident Response: Connecting to the Target Device: Attach a JTAG adapter to the device’s JTAG port. Accessing the JTAG Interface: Use software tools to communicate with the target device via JTAG. Extracting Data: Read the contents of memory, registers, and configuration settings. Analyzing Hardware Components: Check for signs of tampering or unauthorized modifications. Host Analysis Host Analysis involves investigating individual systems to find evidence of malicious activity. Techniques: System Inspection: Checking system configurations and installed software. Event Log Analysis: Reviewing system logs for unusual activities. File Integrity Monitoring: Checking for unauthorized changes to files. Data Recovery and Extraction Data Recovery and Extraction involve retrieving lost or corrupted data and extracting relevant information. Techniques: File Carving: Recovering files from unallocated disk space. Data Extraction: Pulling specific data from a disk or storage device Threat Response Threat Response encompasses the strategies and actions taken to address and mitigate threats. Techniques: Incident Containment: Limiting the scope of the threat. Eradication: Removing the threat from the environment. Recovery: Restoring systems to normal operation. Post-Incident Review: Evaluating the incident and response efforts. Preparedness Exercises Preparedness Exercises involve activities designed to test and improve incident response plans. Techniques: Tabletop Exercises: Simulated scenarios for team discussion and planning. Red Team/Blue Team Exercises: Offensive (Red Team) and defensive (Blue Team) exercises. Timeline Reconstruction Timeline Reconstruction involves creating a timeline of events to understand the sequence of an attack. Techniques: Event Correlation: Linking events from different sources. Log Analysis: Using log data to piece together events. Root Cause Analysis Root Cause Analysis (RCA) identifies the underlying cause of security incidents to prevent future occurrences. Techniques: 5 Whys Technique: Asking “why” repeatedly to identify the root cause. Fishbone Diagram: Visual tool for identifying potential causes. Cloud Workload Protection Platform (CWPP) Cloud Workload Protection Platform (CWPP) secures cloud environments and applications. Techniques: Cloud Security Configuration: Ensuring proper security settings for cloud services. Vulnerability Management: Identifying and mitigating vulnerabilities in cloud environments. Insider Threat Insider Threat refers to threats posed by individuals within the organization. Techniques: Behavioral Monitoring: Observing employee activities for suspicious behavior. Access Control Management: Ensuring appropriate access permissions.

July 23, 2024 · 15 min · Dhanraj Chavan

Chapter 1: Attacks, Threats, and Vulnerabilities

Chapter 1 Objective 1.1 Phishing → Practice of sending email to trick users to submit personal information or click a link Can be done to install malware, validate email address, get money Smishing → SMS Phishing Vishing → Phone Phishing → Phishing over Voice over IP (VoIP) Spam → Unwanted / Solicited Email SPIM → Unwanted messages over Instant Messaging Channels Spear Phishing → Phishing target on specific group of people or even a single user Mitigation → Use digital signatures Dumpster diving → Practice of searching through trash & recycling to gain info from discarded items Mitigation → Shredding or Burning Paper instead of throwing it away Shoulder surfing → Looking over shoulder of someone to gain information Mitigation → Use screen filters Pharming → Manipulates DNS server or client to redirect users to different websites Changes DNS entries on a local PC or on a trusted local DNS server Tailgating → Practice of one person following closely behind another person without showing credentials Mitigation → Access Control Vestibules (Mantraps) → Allows only single person to pass at a time Eliciting information → Act of getting information without asking for it directly Active Listening → Target is encouraged to keep talking Reflective Questioning → Repeat statements as a question & encourages to talk more False Statement → Give false info hoping that the target corrects it Bracketing → Try to get specific info by stating a specific number or range of numbers Whaling → Phishing targeted on high level executives Prepending → Add something to the beginning of something else. Ex. [SAFE] [EXTERNAL] Pretexting → Adding a fictitious scenario to a conversation to make more believable request Identity Theft → When someone steals personal info about you Identity Fraud → Criminals use stolen identity information to commit identity fraud Invoice Scams → Trick people or organizations into paying for goods or services they didn’t request & usually didn’t receive Credential Harvesting → Collect usernames & passwords from users Phishing Email → Link to a website → Login with credentials → Redirect to original website & showing password is incorrect MFA helps to limit the impact of credential harvesting attacks Reconnaissance → Gathering information about target Hoax → Security threat that simply doesn’t exists Impersonation → Act of pretending to be another person Watering Hole Attack → Attempts to discover which websites people are likely to visit & infect those websites with malware that can infect the visitors Typosquatting → URL Hijacking → Occurs when someone buys a domain name that is close to the legitimate domain name Smurf Attack → A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power. Occurs when the attacker floods the target network with infinite ICMP request packets A smurf attack is a DDoS attack in which an attacker attempts to flood a targeted server with Internet control message protocol (ICMP) packets. Influence campaigns → Uses variety of sources to influence public perception Hybrid Warfare → Military strategy that blends conventional warfare with unconventional methods to influence people Social Media → To spread misinformation Principles of Social Engineering Authority Impersonation → Impersonate others to get people to do something Whaling → Executives respect authorities such as legal entities Vishing → Use phone to impersonate authority Intimidation → Scaring or Bullying an individual into taking a desired action Consensus → When attacker convinces victims that they can be trusted People tend to want to do what others are doing to persuade themselves to take action → “Social Proof” Ex. Everyone in the department has clicked on the link, Then I should also Fake Testimonials → People are more willing to like something that other people like Scarcity → People are encouraged to act when they think there is limited quantity of items Urgency → Use urgency as a technique to encourage people to act Familiarity → Attackers attempts to use likability to get victim to complete the request Companies hire well-liked celebrities Trust → Attackers attempts to build a trust relationship with victim Objective 1.2 Malware Ransomware → Malware that takes control of user’s system & encrypts user’s data using Cryptomalware & demand ransom from companies Trojans → Looks like something beneficial but actually it’s malicious Rogueware masquerades as a free antivirus program. Backdoor → Methods or Tools that provide access that bypasses normal authentication & authorization procedures, allowing attackers access to systems, devices, apps, etc. Detection → Checking for unexpected open ports & services Remote access Trojan (RAT) → Malware that allows attackers to control systems from remote locations Also called as stalkerware → Used in intimate relationships to spy on their partners Worms → Self replicating malware that travels throughout the network without assistance of host application or user interaction Potentially Unwanted Programs(PUP) → Programs that users may not want it, but user is consented to download it. Some PUP are legitimate, Some are malicious like RAT Ex. Spyware, Adware, Browser Toolbar Tracking Programs, Fileless Virus → Malicious software that runs in the memory Scripts that are injected into malicious programs Memory Code Injection, Script based techniques, Windows Registry Manipulation Spread via methods like spam email & malicious websites & they exploit flaws in browser plugins & web browsers themselves Command and control → Resources used to control infected computers Cryptomalware → Malware used to encrypt user’s data Logic bombs → Script or Code that will execute in response to an event Rootkit → A group of programs that hides the fact that system has been infected by malicious code Rootkit hides its running processes to avoid detection to antivirus scans Rootkit have system level access to systems Integrity checking & data validation can be useful for rootkit detection Botnet → Remotely controlled systems or devices that have malware infection Uses command & control to operate in client-server mode Beaconing → A call home message is an indicator of compromise known as beaconing. It indicates that a workstation or server is infected and is trying to communicate with the attacker’s command and control server. A botnet that uses Internet Relay Chat (IRC) as its command-and-control channel & IRC’s default port is TCP 6667 Investigative authorities use DNS sinkholes to disrupt botnets and malware. Botnet Models Command & Control → Client-Server Model Peer-To-Peer → Connects bots to each other, making it harder to take down a single central server or known IP of bots Many botnets use Flux DNS → Flux DNS uses many IP addresses that are used to answer queries for one or more fully qualified DNS names Taking down the domain names is the best way to defeat Flux-DNS Virus Types Memory Resident Viruses → Remain in memory while system is running Non-Memory Resident → Execute, spread & then shut down Boot Sector Virus → Reside inside boot sector of drive or storage media Macro Virus → Use macros or code inside tools to spread Email Virus → Spread via emails via attachments or as part of email itself using flaws within email clients Spyware → Malware that is designed to obtain information about an individual, organization or a system Keylogger → Program that captures keystrokes from keyboards, although some keyloggers also capture other input like mouse movement, touchscreen inputs & credit card swipes from attached devices Rogue Anti-Virus → Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer, and to pay money for a fake malware removal tool (that actually introduces malware to the computer) Password Attacks Spraying → Single password tried on every account on the list Dictionary → List of words Brute force → Try all possible combinations of passwords Rainbow Table → Attempt to discover password from Hash Plaintext → If attacker have both plaintext & ciphertext, attacker can use it to perform plaintext attack Physical Attacks Malicious USB Cable → It has embedded WiFi Controller capable of receiving commands Malicious Flash Drive → Includes malware configured to infect a computer when a drive is plugged in Card Cloning → Making a copy of credit card Skimming → Capturing credit card data at Point of Sale (POS) Adversarial AI Adversarial AI attempts to fool AI models by supplying it with deceptive input Tainted Data for ML → Use tainted data to cause AI & ML to give inconsistent results Indicator → Sudden unexpected activity While training ML model for baselining of network, it is important to ensure that no malicious activity is occurring while baseline data capture to ensure data is not tainted Security of ML Algos → Prevent unauthorized disclosure of algorithms; Attackers can use this info to attack Best Practices to secure AIML Understand the quality & security of source data Work with the AI & ML developers to ensure that they are working in secure environments & that data sources, systems & tools are maintained in secure manner Ensure that changes to AI & ML algorithms are reviewed, tested & documented Encourage reviews to prevent intentional or unintentional bias in algorithms Engage domain experts whenever possible Supply Chain Attacks A supply chain become an attack vector if attacker can disrupt the supply chain Cloud-based vs. on-premises attacks On-Premises → Organization retains the complete control over all cloud based resources Off-Premises → Organization doesn’t know where the data is stored → Legal Implications Cryptographic Attacks Brute force → Involves trying every possible key Frequency Analysis → Refers to looking at the blocks of an encrypted message to determine if any common pattern exists Known Plaintext → This attack relies on the attacker having pairs of known plaintext along with corresponding cipher text Chosen Plaintext → Attacker attempts to derive the key used & thus decrypt other messages encrypted with that key Birthday → Attacker attempts to create a password that produces the same hash as the user’s actual password → Also known as Hash Collision Collision → Hashing algorithm creates the same hash from different inputs Downgrade → Forces a system to downgrade its security → TLS → Down → SSL Objective 1.3 Injections Dynamic-Link Library (DLL) Injection → Attack that injects a DLL into a system’s memory & causes it to run LDAP Injection → Possible when web application used to query LDAP based database Parameter Pollution → Attacker sends more than one value for the same input variable to bypass input validation Ex. http://www.mycompany.com/status.php?account=12345&account=12345'OR1=1;-- Pointer/Object Dereference → When object is null, it can cause problems if the program later tries to access the object Java → NullPointerException error C / C++ → Memory Leak in runtime Mitigation → Verify the value is not null before using it Race Conditions → Two or more applications tries to access a program at a same time, it can cause a conflict that is known as race condition Attackers exploit time of check to time of use (TOCTOU) → This is called State Attack Error Handling → Applications should show generic error messages but log detailed error messages in logging system. Replay Attack → Replay attacks capture data in a session to impersonate one of the parties in the session. Mitigation → Timestamps and sequence numbers Buffer Overflow → Writes more data to a buffer than it can hold ASLR → Address Space Layout Randomization A security technique used to prevent memory corruption vulnerabilities such as buffer overflow It randomizes the memory address used by the system & application processes, making it difficult for attackers to predict the location of functions, libraries & system calls Buffer overflows are most easily detected by conducting a static code analysis Integer Overflow → Occurs when an application receives a numeric value that is too big for application to handle Memory Leak → Causes application to consume more & more memory the longer it runs Indicator → system running slower & slower until it reboots Mitigation → A static code analyzer can check to see if all memory allocation commands (malloc, alloc , etc.) have a matching deallocation command. SSL Striping → Changes HTTPS connection to HTTP connection Driver Manipulation → Shimming → Provides a solution that makes it appear that older drivers are compatible Driver shim is additional code to be run instead of original driver → When app attempts to call the older driver, system intercepts the call & redirects it to run the shim code instead Refactoring → Process of rewriting the code’s internal processing without changing its external behavior Pass the Hash → Attacker discovers the hash of user’s password & uses it to log in to the system as the user Indicator → Event ID 4624 in Windows Security Log Objective 1.4 Wireless Evil Twin → Rogue Access Point with same SSID used to capture & exfiltrate data Rogue Access Point → An access point placed in the network without official authorization Bluetooth Attacks: Bluejacking → Practice of sending unsolicited messages to nearby bluetooth devices Bluesnarfing → Unauthorized access to, or theft of info from a bluetooth device Bluebugging → Gains access to the phone & install a backdoor Disassociation → Removes a wireless client from wireless network RFID Attacks: Sniffing / Eavesdropping → Attacker can collect RFID data by listening Replay → Replay captured data DOS → If attacker knows the RFID frequency, attacker can launch a jamming or interference attack, flooding the frequency with noise Initialization vector (IV) → IV is the number used by encryption systems & a wireless IV attack attempts to discover the pre-shared key after discovering the IV Some wireless protocol use IV by combining it with pre-shared key to encrypt data in transit When an encryption system reuses the IV, IV attack can discover the IV easily On-Path Attack Also known as Man-In-The-Middle Attack A form of active eavesdropping SSH gives warning if previously established keys are changed Layer 2 Attacks ARP Poisoning → An attack that misleads computers or switches about the actual MAC address of a system ARP poisoning sometimes used in On-Path attacks MAC Flooding → An attack against the switch that attempts to overload it with different MAC addresses associated with each physical port Switch runs out of memory & enters a fail-open state Mitigation → Use flood guard to limit amount of memory for each port Flood guard sends Simple Network Management Protocol(SNMP) trap or error message in response to the alert. It can also disable port. MAC Cloning → Changing a system’s MAC address Domain Name System (DNS) DNS data is frequently logged to help identify compromised systems or systems that have visited known phishing sites. DNS logs can be used along with IP reputation and known bad hostname lists to identify issues like these. Domain Hijacking → Attacker changes a domain name registration without permission from owner DNS Poisoning → Attempts to modify or corrupt DNS data Mitigation → Use DNSSEC to protect DNS records & DNS poisoning attacks Domain Reputation → It helps ISP to determine the likelihood that an email being sent by a legitimate organization or is it a malicious email. Split Horizon DNS → Deploys distinct DNS servers for two or more environments, ensuring that those environments receive DNS information appropriate to the DNS view that their clients should receive. a term used when two zones for the same domain are created one zone is used by the internal network the other by the external network (usually the internet) DNS Blackholing → A method used to prevent access to malicious domains by redirecting malicious queries for those domains to a non-routable IP address, effectively blackholing the traffic Suppose an organization wants to block access to a known malicious domain malicious.example.com. They can configure their DNS server to return 127.0.0.1 for any query to malicious.example.com. DDOS SYN Flood Attacks → Attacker never completes the TCP Handshake It is a resource exhaustion attack Half-Open connection consumes server’s resources & it can crash the server Once the limit is reached, server won’t accept new connections, blocking the legitimate users Mitigation → Linux use iptables to set threshold for SYN packets → Although it protects the system from crashing, it also denies the service to legitimate users Malicious Script or Code Execution Powershell → Use verb-noun pair for command → Invoke-Command Bash → Calls /bin/bash or /bin/sh Python → Runs .py* files is a potential indicator of malicious scripts Macros → Short instruction that will run longer set of instructions. Attackers can edit macros & replace with malicious steps Visual Basic for Application (VBA) → Runs as internal programming language for Microsoft Applications such as Microsoft Words Objective 1.5 Actors & Threats Advanced Persistent Threat(APT) → A group of organized threat actors that engage in targeted attacks against organizations. Typically sponsored by nation-states or governments APT members are State Actors Shadow IT → Any unauthorized systems or applications installed on a network without authorization or approval. Insider Threat → Behavioral assessments are very useful when you are attempting to identify insider threats. An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. Threat intelligence sources Closed/Proprietary intelligence → Trade secrets as an intellectual property Proprietary intelligence → This refers to the information that is owned, controlled & often generates by organization for its own use. Owned & controlled by the organization Closed intelligence → Refers to the information that is not freely accessible to public Owned by external entities → Accessed through subscriptions / permissions OSINT → Types: Vulnerability databases → National Vulnerability Database (NVD), Common Vulnerability Exposures (CVEs) maintained by MITRE corp. Automated indicator sharing (AIS): Trusted Automated eXchange of Indicator Information → TAXII → Open standard that defines a set of services & message exchanges used to share information. It provides a standard way for organizations to exchange cyber threat information but it does not specify what information organizations should exchange. TAXII is designed to support STIX data exchange Structured Threat Information eXpression (STIX) → Open Standard that identifies what cyber threat information organizations should share. It provides a common language for addressing wide range of cyber threat information. STIX data is shared via TAXII STIX is based on XML language Threat Maps → Visual Representation of active threats Objective 1.6 Third-party risks Vendor management → Vendor management systems include limiting system integration & understanding when vendor support stops Vendor Diversity → Provides cybersecurity resilience → Using more than one vendor for the same supply reduces the organizations’s risk if the vendor no longer provide the product or service Outsourced code development → Some organizations hire developers or outsource code development Legacy platforms → Primary risk is that the vendor doesn’t support them Objective 1.7 Threat Hunting It is a process of actively looking for threats within a network before an automated tool detects & reports on the threat Threat Feeds → Provides subscribers with up-to-date information about current threats Advisories and bulletins → Regularly release information on threats & vulnerabilities Adversary Tactics, Techniques & Procedures → Refers to attackers’ methods when exploiting a target Intelligence fusion → Combines all the data to create a picture of likely threats & risks for an organization Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden Vulnerability Scans Vulnerability Management → Identify, prioritize & remediate vulnerabilities Credentialed Scan → Allows the scan to check security issues at much deeper level Credentialed scans only require read-only access to target servers. Configuration review → A Configuration Compliance Scanner performs a configuration review of systems to verify that they are configured properly → Configuration Validation It is done with Credentialed Scan Vulnerability Scanner is passive, non-intrusive & has little impact on the system during test Penetration tests are active & intrusive, can potentially compromise a system. Penetration testing is more invasive that a vulnerability scan Controls that can affect vulnerability scan results: Firewall Settings Network Segmentation IDS & IPS Network Vulnerability Scanners: Nessus → Well-known widely used network vulnerability scanner Qualys → Commercial network vulnerability scanner that offers management console to run scans Nexpose → Commercial network vulnerability scanner OpenVAS → Free alternative for commercial vulnerability scanners Application Scanning Static Testing → Analyzes code without executing it Dynamic Testing → Executes code as part of a test, providing it with a input Interactive Testing → Combines static & dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces Web Application Scanning Nikto → Web application scanning tool → Vulnerability Scanning Arachni → Web application scanning tool → Used to access security of web applications CVSS → Common Vulnerability Scoring System → Industry standard for assessing the severity of security vulnerabilities 0 → None 0.1 - 3.9 → Low 4.0 - 6.9 → Medium 7.0 - 8.9 → High 9.0 - 10.0 → Critical Security Information & Event Management (SIEM) It provides a centralized solution for collecting, analyzing & managing data from multiple sources. It combines services of security event management (SEM) & security information management (SIM) solutions SEM → Provides real-time monitoring, analysis & notification of security events, such as suspected security events SIM → Provides long term storage of data, along with methods of analyzing the data looking for trends or creating reports needed to verify compliance with laws & regulations SIEM systems use scripts to automate the monitoring & reporting Capabilities: Log Collectors → SIEM collects log data from different devices throughout the network & stores these loges in searchable database Data Inputs → Firewalls, routers, network intrusion detection Log Aggregation → SIEM system collects data from multiple systems, SIEM systems can aggregate the data & store it so that it is easy to analyze & search Correlation Engine → Used to collect & analyze event log data from various systems within the network. It aggregates the data looking for common attributes It uses advanced analytics tools to detect patterns of potential security events & raise alerts. Reports → SIEM systems include built-in reports Packet Capture → SIEM includes protocol analyzer capabilities to capture network traffic User Behavior Analysis → UBA focuses what users are doing, monitor critical files looking for who accessed them & what they did & how frequently they access it. Typically looks for abnormal patterns of activity that may indicate malicious intent Sentiment Analysis → Use UBA technologies to observe user behaviors to detect unwanted behaviors Relies on AI to analyze large datasets Security Monitoring → Provides predefined alerts which can provides continuous monitoring of systems & provide notification of suspicious events If it detect a new port on server, it will send email to admin Automated Triggers → Trigger can cause an action in response to a predefined number of repeated events A SIEM includes the ability to modify predefined triggers & create new ones Time Synchronization → All servers sending data to the SIEM should be synchronized with the same time. Event Deduplication → Process of removing duplicate entities Logs / WORM → SIEM includes methods to prevent anyone from modifying log entries Elements of SIEM Dashboard: Sensors → Collects logs from devices & send it to SIEM system Alerts → Sends out an alert when trigger fires Sensitivity → Setting sensitivity levels to limit false positives while avoiding false negatives Correlation → SIEM correlates & analyzes the data Trends → By analyzing the data, SIEM can identify trends Security Orchestration, Automation & Response (SOAR) Integrates with various security tools and automate responses to threats Used to respond to low-level security events automatically SOAR tools respond automatically which frees up administrators to focus on their administrative & cybersecurity tasks. SOAR tool can open attachments within a sandbox & observe the activity SOAR can perform steps to automatically verify the threat is real or not, implement the appropriate steps to mitigate it. SOAR platform use playbook & runbooks Playbook → Provides checklist of things to check for suspected incidents It is a set of rules that determine what actions will be performed when an event occurs Runbook → Implements the playbook checklist using available tools within an organization Functions: Security Orchestration → SOAR platforms integrate with various security tools, systems, and applications, such as SIEM, firewalls, endpoint protection, and threat intelligence feeds. Automation → Automates repetitive security tasks to improve efficiency and reduce manual workload. Incident Response → Facilitates and manages the response to security incidents, including the coordination of actions across different teams and tools. Case Management → Provides a centralized system for tracking and managing security incidents, including documentation and workflow management. Threat Intelligence Management → Aggregates and analyzes threat intelligence data to provide context for incidents and improve detection capabilities. Reporting & Analysis → Generates reports and dashboards to provide insights into security operations and incident trends. SOAR Vs SIEM SOAR → Automation of incident response, workflow management, playbooks Orchestrating and automating security operations and incident response Uses data from SIEMs and other security tools to automate responses SIEM → Log collection, event correlation, threat detection Aggregating and analyzing security event data for threat detection Collects and correlates log data from multiple sources SOAR collects data and alerts security teams using a centralized platform similar to SIEM, but SIEM only sends alerts to security analysts SOAR adds automation and response capabilities to the alerts it sends. SIEM focuses on alerting and logging without automated response. SOAR uses automated playbooks and workflows to respond to incidents. SIEM: Detects suspicious activity and sends an alert for manual investigation. SOAR: Automatically isolates an infected machine and removes a phishing email based on predefined playbooks. Objective 1.8 Penetration Testing Unknown Environment → Black box testing Known Environment → White box testing Partially Known environment → Gray box testing Lateral movement → Refers to the way attackers maneuver throughout the network Persistence → Attackers ability to maintain presence in the network Cleanup → Removing all traces of penetration tester’s activities It’s common for testers to create a log of what they’re doing as they’re doing it. This makes easier to reverse all their actions Pivoting → Process of using various tools to gain additional information It is process of using exploited system to target other systems. Passive and Active Reconnaissance War Driving → Attackers use war driving to discover wireless networks they can exploit Admins use war driving as a part of wireless audit: A wireless audit is a detective control & examines the signal footprint, antenna placement & encryption of wireless traffic. Ex. Detect rogue access points & evil twins by war driving Done by walking or driving around War Flying → People fly around in private planes / Drone Same function as War Driving Footprinting → Wireless footprinting creates a detailed diagram of APs, hotspots & dead spots within an organization. Exercise Types Red Team → Attacks Blue Team → Defends Purple Team → Can either do blue team or red team activities White Team → Establishes rules of engagement for a test & oversee the testing

June 23, 2024 · 22 min · Dhanraj Chavan

Chapter 2: Architecture and Design

Chapter 2 Objective 2.1 Configuration Management It helps organizations to deploy systems with secure configurations Diagrams → Some organizations use diagrams to show processes in config management These sometimes use flowchart to document decision-making process involving in modifying a configuration. Naming Conventions → Large organizations use naming conventions to identify standard configuration Ex. department or location, and the version → Desktop_Sales_3.0 Baseline Configuration → A baseline is a known starting point & organizations commonly use secure baseline to provide known starting points for systems. Primary Benefit → improve overall security posture of systems The use of baseline works in 3 steps: Initial Baseline Configuration → Admins use various tools to deploy systems consistently in secure state Integrity Measurements for Baseline Deviation → Automated tools monitor the systems for any baseline changes, which is a common security issue. Some tools report any changes they detect Other tools automatically reconfigure the systems to baseline config when they detect changes Remediation → NAC methods can detect changes to baseline settings & automatically isolate or quarantine systems in a remediation network Configuration Management Database (CMDB) → A centralized database that stores information about the configuration items in an organization’s IT infrastructure Data Sovereignty Refers to legal implications when data is stored off-site. If the backups are stored in other country, they are subject to that country’s laws. Data Protection Data Loss Prevention(DLP) → Techniques & Technologies used to prevent data loss Ex. Block the use of USB & control the use of removable media Admins configure the DLP to look for specific words, phrases, character strings All documents associated with the project includes a specific keyword. The DLP includes this keyword in the searches. When it detects the keyword within an email or an attachment, it blocks it DLP Systems work in two different environments: Host-based DLP → Uses software agents installed on systems that search those systems for the presence of sensitive information It can also monitor system configuration & user actions (can block undesirable actions) Network-based DLP → Sit on network & monitor outbound network traffic that contains sensitive information It can block sensitive transmissions to prevent loss of sensitive information DLP Mechanisms: Pattern Matching → Watch for the REGEX signs of sensitive information. Ex. “Confidential” Watermarking → Systems or Admins apply electronic tags to sensitive documents & then the DLP system can monitor systems & networks for unencrypted content containing those tags Watermarking technology is commonly used in Digital Rights Management (DRM) Rights Management → Refers to the technologies used to provide copyright protection from copyrighted works. → Also known as Digital Rights Management Copyright laws protects original creative works Data Masking → Refers to modifying data to hide the original content Primary reason is to protect sensitive information as PII Substitution is the one method in data masking 1234-5678-9101-1121 → 1234-5678-XXXX-XXXX Data Minimization → A process of ensuring that only data that is required for business functions is collected and maintained. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet the business purpose Data at rest → Any data stored on media Data in Transit → Data in motion → Any data sent over the network Data in processing → Data in use → Refers to data being used by a computer Anonymization → Modifies data to protect the privacy of individuals by removing all PII within a data set Pseudo-Anonymization → Replace PII data & other data with pseudonyms or artificial identifiers Anyone with separate data with matching the pseudonyms with original data set can reverse & re-create the original data Anonymization is used to anonymize the data permanently. In contrast, pseudo-anonymization is used when an organization also needs the ability to reverse the process & access the original data Tokenization → Data tokenization replaces the sensitive data with a token. The token is substitute value used in place of the sensitive data A tokenization system can convert the token back into its original form Credit Card Number: 1234-5678-9101-1121 → Token: 87654321 Geographical Considerations Off-site storages → At least one copy of backups stored off-site Distance → Many organizations have specific requirements related to the distance between the main site & off-site Location Selection → The location is often dependent on environmental issues Legal Implications → The legal implications related to backups depends on the data stored in the backups Data sovereignty → Legal Implications when data is stored off-site. If backups are stored in the different country, they are subject to that country’s laws. Response and recovery controls Attempt to reverse the impact of an incident or problem after it has occurred API Considerations Authentication → Strong authentication methods will prevent unauthorized entities from using the APIs Authorization → Authorization methods secure access to the API. Transport Level Security → The API should use strong security, such as TLS when transferring any traffic over the Internet. Hashing MD5 → Message Digest Algorithm 5 Produces a 128-bit hash value (32 hexadecimal characters). Widely used in the past for checksums and verifying data integrity Considered insecure due to vulnerabilities to collision and pre-image attacks. SHA-1 → Secure Hash Algorithm 1 Produces a 160-bit hash value (40 hexadecimal characters). Once popular for digital signatures and certificates but now considered insecure due to collision vulnerabilities. SHA-2 → Secure Hash Algorithm 2 A family of hash functions that includes SHA-224, SHA-256, SHA-384, and SHA-512 Produces hash values of varying lengths (224, 256, 384, or 512 bits) Currently considered secure and widely used in many security protocols. SHA-256: Produces a 256-bit hash value. SHA-512: Produces a 512-bit hash value. SHA-3 → Secure Hash Algorithm 3 The latest member of the Secure Hash Algorithm family, designed as an alternative to SHA-2 Uses a different construction method called Keccak and produces hash values of varying lengths similar to SHA-2 (224, 256, 384, or 512 bits). TLS/SSL inspection involves intercepting encrypted traffic between the client and server. TLS interception devices act as an on-path attack and decrypt traffic to scan and analyze it, often for malware or other signs of attacks, and then encrypt it to send it on to its destination. Site Resiliency A recovery site is an alternate processing site that organization uses for site resiliency. If one site suffers a catastrophic failure, an alternate site can take over after the disaster. Hot Site → Would be up 24 x 7 Days a week & would be able to takeover the functionality from primary site quickly after a failure It will include all equipment, software & communication capabilities of the primary site & all the data would be up to date → Mirrors the primary site’s infrastructure, including servers, networking equipment, and data storage. In many cases, copies of backup tapes are stored at the Hot Site as the off-site location Hot site is another active business location that has the capabilities to resume operations during a disaster ETA: Few minutes to an Hour → It is ready to take over operations immediately after a disaster. Hot site is the most effective disaster recovery solution for high-availability requirements. A hot site is the most expensive to maintain and keep up to date. Cold Site → Requires power & connectivity The organization brings all the equipment, software & data to the site when they activate it. → - Basic infrastructure such as power, cooling, and physical space but lacks IT equipment. Minimalistic off-site facility with basic infrastructure. → Requires significant setup and configuration before it can be used. A cold site is the cheapest to maintain, but it is also the most difficult to test. Warm Site → A warm site provides a compromise that an organization can tailor to meet its needs. Contains hardware such as servers, network infrastructure, and storage but may lack up-to-date data. Requires some setup and configuration before it becomes operational. Hot sites are generally too expensive for most organizations, and cold sites sometimes take too long to configure for full operation. Mobile Site → A self-contained transportable unit with all the equipment needed for specific requirements. Mirrored Site → Identical to the primary location and provide 100 percent availability. They use real-time transfers to send modifications from the primary location to the mirrored site. Although a hot site can be up and operational within an hour, the mirrored site is always up and operational. Restoration Order → Organizations return the least critical functions to the primary site first. Deception & Disruption Honeypots → a sweet-looking server Deceive the attackers and divert them from the live network. Allow observation of an attacker Honeynets → A group of honeypots within a separate network or zone but accessible from an organization’s primary network. If the attacker is in the honeynet, he isn’t attacking the live network and administrators can observe the attacker’s actions. Honeyfiles → A file designed to attract the attention of an attacker (passwords.txt) Fake Telemetry → Corrupts the data sent over to monitoring systems & can disrupt a system DNS Sinkhole → A DNS server that gives incorrect results for one or more domain names Investigative authorities have used sinkholes to disrupt botnets and malware. Objective 2.2 Cloud Models Software as a Service (SaaS) → Includes any software or application provided to users over a network such as the Internet Software that is hosted and managed by a service provider and made available to customers over the internet. Google Workspace, Microsoft Office 365, Salesforce, Dropbox Platform as a Service (PaaS) → provides customers with a fully managed platform, including hardware, operating systems, and limited applications. The vendor keeps systems up to date with current patches. A platform allowing customers to develop, run, and manage applications without dealing with the infrastructure. Google App Engine, Microsoft Azure, Heroku, AWS Elastic Beanstalk Infrastructure as a Service (IaaS) → Allows an organization to outsource its equipment requirements, including the hardware and all support operations. Provides virtualized computing resources over the internet, such as virtual machines, storage, and networks. The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance. Customers are responsible for all operating system updates and patches. IaaS is often used as a serverless architecture. A serverless architecture allows an organization to build and run applications without managing the infrastructure. IaaS Cloud Service Providers do not allow direct access to the underlying hardware in most instances Ex. Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), IBM Cloud Anything as a Service (XaaS) → Refers to cloud-based services other than SaaS, PaaS, or IaaS. XaaS includes services such as communications, databases, desktops, storage, security, and more. Public Cloud → Available from third-party companies, such as Amazon, Google, Microsoft, and Apple Shared infrastructure among multiple tenants Managed by the cloud service provider AWS, Microsoft Azure, Google Cloud Private Cloud → Set up for specific organizations → Host its own servers and make these servers available to internal employees through the Internet. Dedicated infrastructure for one organization Managed internally or outsourced On-premises data centers, VMware Private Cloud Hybrid Cloud → A combination of two or more clouds. Mix of public and private infrastructures Managed by both organization and provider Mix of AWS and on-premises infrastructure Community Cloud → Communities with shared concerns (such as shared goals, security requirements, or compliance considerations) can share cloud resources Shared infrastructure for a specific community Managed collaboratively by community members Government agencies, research institutions sharing resources Multi Cloud → A cloud deployment model where the cloud consumer uses multiple public cloud services Cost Comparison → Public cloud < Community cloud < Hybrid cloud < Private cloud Security Comparison → Public Cloud < Community Cloud < Hybrid Cloud < Private Cloud Scalability Comparison → Private Cloud < Community Cloud < Hybrid Cloud < Public Cloud Deployment Speed → Private Cloud < Community Cloud < Hybrid Cloud < Public Cloud Managed Service Provider & Managed Security Service Provider MSSP is a third-party vendor that provides security services for an organization MSP provides any IT services needed by an organization, including security services provided by an MSSP. Edge Computing The practice of storing & processing data close to the devices that generate & use the data. Fog Computing Almost same as edge computing Fog computing uses a network close to the device & may have multiple nodes sensing & processing data within the fog network. Edge computing stores & processes the data on single nodes or appliances. Thin Client A computer with enough resources to boot & connect to a server to run specific applications or desktops A thin client is a lightweight computing device that relies on a server to perform most of its processing tasks Unlike traditional desktops or laptops, thin clients are designed to connect to a centralized server or a virtual desktop infrastructure (VDI) to access applications, data, and processing power. Virtual Desktop Infrastructure (VDI) → hosts a user’s desktop OS on a server. A technology that allows the hosting of desktop environments on a centralized server Users can access these virtual desktops from various devices, providing a consistent and secure desktop experience regardless of the user’s physical location. Containers Container virtualization runs services or applications within isolated containers or application cells Containers doesn’t host an OS. Instead, host’s OS & kernel run the service or app within each of the containers. None of the apps or services can interfere with services or apps in other containers Benefit → It uses fewer resources & can be more efficient than a system using traditional tye II hypervisor virtualization Drawback → Containers must use the OS of the host Microservices Microservices are the code modules designed to do one thing well Small code receives a value & responds with a value Ex. Shipping Tracker Infrastructure as Code Refers to managing & provisioning data centers to define VMs & virtual networks It reduces the complexity of creating virtual objects by allowing admins to run a script to create them. Software Defined Networking (SDN) → Uses virtualization technologies to route the traffic instead of using hardware routers & switches An SDN separates the data planes & control planes within a network SDN separates the logic used to forward or block traffic (the data plane) & the logic used to identify the path to take (the control plane) SDN implements the data plane with the software & virtualization technologies, allowing organization to move away from proprietary hardware SDN can still use a routing protocols like OSPF & BGP but without the hardware routers Attribute Based Access Control is commonly used in SDNs that allows admins to create data plane policies to route traffic (Use plain language instead of complex rules in ACL) Software Defined Visibility (SDV) → Refers to technologies used to view all network traffic By adding SDV capabilities, it ensures that all traffic is viewable & can be analyzed Serverless Architecture A serverless architecture allows an organization to build & run applications without managing the infrastructure ...

June 23, 2024 · 38 min · Dhanraj Chavan

Chapter 3: Implementation

Chapter 3 Objective 3.1 Insecure Protocols Telnet → Port 23 → Telnet transmits data in plaintext, vulnerable to MITM & Eavesdropping Secure Alternative → SSH → Port 22 → SSH provides encrypted communication FTP → Port 21 → FTP transmits data in plaintext, vulnerable to interception & tampering Secure Alternative → FTPS (FTP Secure) → Port 990 / 989 → Uses SSL / TLS for encryption SFTP (SSH File Transfer Protocol) → Port 22 → Uses SSH for file transfer HTTP → Port 80 → HTTP transmits data in plaintext Secure Alternative → HTTPS → HTTP Secure → Port 443 → Uses SSL / TLS SMTP → Port 25 → SMTP transmits emails in plaintext, vulnerable to interception & unauthorized access Secure Alternative → SMTPS → SMTP Secure → Port 465 → use SSL/TLS to encrypt email communications SMTP with STARTTLS → Port 587 → use SSL/TLS to encrypt email communications POP3 → Port 110 → POP3 transmits emails in plaintext, vulnerable to eavesdropping Secure Alternative → POP3S → POP3 Secure → Port 995 → uses SSL/TLS IMAP → Port 143 → IMAP transmits data in plaintext, vulnerable to interception Secure Alternative → IMAPS (IMAP Secure) → Port 993 → uses SSL / TLS SNMP v1/v2 → Port 161/162 → Lacks encryption, vulnerable to interception & tampering Secure Alternative → SNMPv3 → Port 161/162 → Adds encryption, authentication & integrity protection to data LDAP → Port 389 → LDAP transmits data in plaintext, vulnerable to interception & tampering Secure Alternative → LDAPS (LDAP Secure) → Port 636 → Uses SSL/TLS for encrypt directory service Protocols DNS Security Extensions (DNSSEC) → Provides validation for DNS responses It adds Resource Record Signature (RRSIG) (Digital Signature) to each record RRSIG provides data integrity & authentication for DNS replies Helps to prevent DNS poisoning attack S/MIME → Secure/Multipurpose Internet Mail Extensions Used to digitally sign & encrypt an email Uses both asymmetric & symmetric encryption SRTP → Secure Real Time Protocol → Uses port 5004 RTP → Real Time Protocol → Delivers audio & video over IP networks SRTP provides encryption, message authentication & integrity for RTP LDAPS → LDAP over TLS uses port 636 FTPS → FTP, Secure → uses TLS to encrypt FTP traffic SNMPv3 → Simple Network Management Protocol → Monitors & manages network devices such as routers & switches Uses port 161/162 Can modify devices’ configuration & can check device report status SNMPv3 agents installed on devices send information to SNMP manager via notifications known as traps Flood guard sends SNMP trap messages in response to an alert SNMP Usage → Commonly used to gather information from routers, switches, and other network devices → It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device IPSec → Used to encrypt IP traffic Authentication Header → IPSec uses AH to allow each conversation hosts to authenticate with each other before exchanging the data AH provides authentication & integrity Encryption → IPSec includes Encapsulating Security Payload (ESP) to encrypt data & provide confidentiality IPSec uses Internet Key Exchange (IKE) to authenticate clients in the IPSec conversation → Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel. Modes: Transport Mode → Only the payload (the data being transmitted) of the IP packet is encrypted and/or authenticated. The IP header remains intact. Typically used for end-to-end communication between two hosts or devices. Tunnel Mode → The entire IP packet (including the original IP header and payload) is encapsulated within a new IP packet with a new IP header Commonly used for site-to-site VPN connections where entire packets need to be protected. Post Office Protocol (POP3) → Transfers emails from servers down to clients POP3 → Port 110 POP3S → Port 995 IMAP → Internet Message Access Protocol → Used to store email on the server & it allows users to organize & manage emails in folders on the server IMAP → Port 143 IMAP Secure → Port 993 Use Cases Voice and video → Real Time Protocol (RTP) → a network protocol designed for delivering audio and video over IP networks Secure Real Time Protocol (SRTP) → An extension of RTP that provides encryption, message authentication, and integrity, as well as replay protection for RTP data. SRTP ensures secure transmission of real-time audio and video communications. Session Initiation Protocol (SIP) → A signaling protocol used to initiate, maintain, modify, and terminate real-time sessions that involve video, voice, messaging, and other communications applications and services. Time Synchronization → Network Time Protocol (NTP) → A protocol used to synchronize the clocks of computers over a network. Simple Network Time Protocol (SNTP) → A simplified version of NTP, used for less complex and less demanding synchronization needs It provides time synchronization but with reduced accuracy and fewer features compared to NTP. Email and Web → Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), HTTP, HTTPS File Transfer → File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), SSH, SSL, TLS, IPSec, SFTP, FTPS Directory Services → LDAP Remote Access → Remote Desktop Protocol (RDP) → Uses port 3389 Domain Name Resolution → DNSSEC Network Address Allocation → IPv4, IPv6 Objective 3.2 Endpoint Protection Endpoint Detection & Response (EDR) → Provides continuous monitoring of endpoints Performs a deep investigation of all activity on endpoints Collect and analyze data from endpoints to detect anomalies, provide visibility into potential threats, and facilitate timely responses to incidents. Incident response, threat hunting, forensic analysis Data Loss Prevention (DLP) → Prevent data loss Next-Generation Firewall (NGFW) → An advanced firewall that adds capabilities that aren’t available in first generation or second generation firewalls NGFW performs deep packet inspection, adding application level inspection as a core feature NGFW can identify application commands & detect potentially malicious traffic Features → Deep Packet Inspection (DPI), Integrated IPS, Identifies and controls applications, Sandboxing, malware detection, SSL/TLS decryption, Built-in URL filtering Comparison First Gen → Packet Filtering → Based on IP addresses, ports, and protocols Second Gen → Stateful Packet Inspection → Tracks active connections and the state of the connection NGFW → Deep Packet Inspection (DPI) → Identifies applications, users, and content HIDS → Host-Based Intrusion Detection System An additional software installed on a system such as workstation or a server For HIDS, the traffic passes through the network interface card (NIC) HIDS can help to detect malicious software (malware) that traditional antivirus can miss Boot Integrity UEFI → Unified Extensible Firmware Interface → Performs many of same functions as BIOS but provides some enhancement A specification for a software program that connects a computer’s firmware to its operating system (OS) BIOS → provides instructions on starting → It runs some basic checks, locates the OS & boots BIOS & UEFI can be upgraded with using flashing → Flashing overwrites the software within the chip with newer software BIOS vs UEFI BIOS → Initializes hardware components and boots the OS Generally slower boot times due to the sequential initialization process. UEFI → More complex initialization process with support for modern hardware and boot methods Faster boot times due to parallel initialization processes and optimized boot methods Measured Boot → Goes through enough boot process to perform these checks without allowing a user to interact with a system. If it detects that system has lost integrity & can no longer be trusted, the system won’t boot A security feature that helps ensure the integrity of the boot process by recording each step in the boot sequence and storing the measurements in a secure location, typically in a Trusted Platform Module (TPM) Boot Attestation → Signature Key Files used to boot the computer Boot attestation requires that systems record and measure the boot process, and subsequently verify to a system that the process was secure. Measured Boot Vs Secure Boot Measured Boot → Ensure integrity of the boot process through measurements Records and stores measurements of each boot component in TPM Can provide remote attestation of system integrity Useful for environments requiring verifiable integrity Secure Boot → Ensure only trusted code is executed during boot Verifies digital signatures of each boot component Does not provide remote attestation Useful for environments requiring strict execution control Trusted Boot → Verifies the operating system kernel signature and starts the ELAM(Early Launch Anti-Malware) process. Cryptographically verifies each boot stage Verifies each stage using digital signatures Integrity and authenticity of entire boot process Devices requiring complete boot process security Database Tokenization → Replaces sensitive elements with a token A tokenization can convert the token back into its original form Salting → Adds random texts to passwords before hashing them Used to prevent rainbow table attacks, brute force & dictionary attack Application Security Secure Cookies → Cookie that has the secure attribute set When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Code Signing → Identifies author & the hash verifies that code hasn’t modified Verifies the originator of the component & thus make malware less likely SED & FDE Full Disk Encryption (FDE) → Encrypts the entire disk Users typically need to enter a password or use a cryptographic key stored on a separate device (like a smart card or USB token) to unlock the disk and access its contents. Ex. Veracrypt, BitLocker (Windows), FileVault (macOS), LUKS (Linux). Self Encrypting Drive (SED) → Also known as hardware based FDE drives Automatically encrypts & decrypts data on a drive without user interaction A storage device that automatically encrypts data before it is written to the drive and decrypts it when read, without requiring any action from the operating system or user. SED doesn’t need authentication Opal → Set of specifications for SEDs It defines what hardware vendors must do to ensure SEDs are configured to prevent unauthorized access Opal-Compliant drives requires users to enter credentials to unlock the drive while booting the system Trusted Platform Module TPM is hardware chip on computer’s motherboard that stores cryptographic keys used for encryption TPM provides Full Disk Encryption capabilities It keeps the hard drives locked or sealed until the system completes the system verification & authentication process TPM supports boot attestation process → When TPM is configured, it captures signature of key files used to boot the computer & stores the report of signatures within the TPM Uses burned-in cryptographic keys & Includes built-in protections against brute-force attacks Secure Boot → When system boots, the secure boot process checks the files against the stored signatures to ensure that they haven’t changed → If it detects that files have been modified, it blocks the boot process to protect the data on the drive Remote Attestation → It uses a separate system instead of checking boot files reports in TPM It captures the signatures of key files & sends it to remote system Hardware root of trust → When private key matched with the public key, it provides hardware root of trust also known as Known Secure Starting Point A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust Objective 3.3 Load Balancing Active/Active → Can optimize & distribute data loads across multiple computers / networks Distributes traffic equally among all the servers in the web farm Scheduling → Load balancers use a scheduling technique to determine where to send a new request. They use Round-Robin algorithm to send request Persistence → Load balancers use source address affinity to direct the request Source affinity sends requests to the same server based on the requester’s IP address & provides the user with persistence Load balancers can detect when a server fails → If server stops responding, load balancers will not send request to this server → Contributes to high availability Active/Passive → One server is active & another server is inactive If active server fails, the inactive server takes over Two servers have a monitoring connection to each other to check each other’s health Load Balancer Algorithms Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions Round Robin → simply distributes requests to each server in order Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routing traffic to that server. Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted. Network segmentation Virtual Local Area Networks (VLAN) → Separates or Segments traffic on physical networks A logical network segment within a physical network infrastructure that allows devices to be grouped together even if they are not physically connected on the same network switch. We can create multiple VLANs with a single Layer 3 Switch A VLAN can locally group several computers together or logically separate computers without regard their physical location VLANs are used to separate various traffic types (voice, data) Screened Subnet → Buffer zone between internet & intranet (internal network) It allows to access services while segmenting access to internal network An additional layer of security is implemented to protect internal networks from external threats East-West → Refers to traffic between servers Intranet → Internal Network Extranet → Part of the network that can be accessed by authorized entities from outside of network Zero Trust → A network that doesn’t trust any devices by default, even if it’s previously verified Helps to reduce attacks from internal clients Zero trust in not technology, instead it is a security model based on principle of zero trust VPN SSL/TLS → Some tunneling protocols use TLS to secure VPN channels Provides the easiest way for users to use VPN since it does not require a client. (most user-friendly) Split Tunnel → A VPN admin determines what traffic should use the encrypted tunnel Full Tunnel → All traffic goes through the encrypted tunnel while the use is connected to VPN Site-to-Site VPN → Includes two VPN servers that acts as a gateways for two networks separated geographically IPSec VPNs are used for site-to-site VPNs Ex. Users in the remote office can connect to the servers in the HQ location easily Always-On → Create a VPN connection as soon as user’s device connect to the internet Layer 2 tunneling protocol (L2TP) → L2TP is tunneling protocol → Uses port 1701 Uses IPsec for encryption, providing confidentiality and integrity of data transmission. Combines the features of PPTP (Point-to-Point Tunneling Protocol) and L2F (Layer 2 Forwarding) to create a tunnel between two endpoints. HTML5 VPN Portal → Allows users to connect to the VPN using their web browser It uses TLS to encrypt the session → Can be resource intensive SSTP → Secure Socket Tunneling Protocol A VPN protocol developed by Microsoft for creating secure, encrypted connections over the internet SSTP is designed to provide secure remote access to networks by tunneling Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel. → Port 443 TCP Network access control (NAC) Refers to a set of technologies and policies used by organizations to ensure that devices connecting to their networks are secure and compliant with established security policies Features: Verifies the identity of users and devices attempting to connect to the network. Checks endpoints (devices) for compliance with security policies and configurations before granting network access. Defines rules and policies that dictate who and what can access specific parts of the network. Automatically corrects or isolates non-compliant devices to remediate security issues before allowing access. Monitors connected devices continuously to detect anomalies or suspicious behavior. Integrates with existing security solutions such as firewalls, IPS/IDS, SIEM Helps organizations improve network security by controlling access, enforcing policies, and detecting/responding to security threats in real-time. Agent NAC → NAC uses agent when the client attempts to log on remotely A permanent agent installed on the client & stays on client Agentless NAC → A dissolvable agent is downloaded & runs on client when clients logs on remotely It collect the information it needs, identifies the client as healthy or non-healthy & reports the status back to NAC system NAC agents remove themselves immediately after they report to the NAC system Other NAC agents remove themselves after session ends An agentless NAC system scans a client remotely without installing code on the client Port Security Port security limits the computers that can connect to physical ports on a switch MAC Filtering → Restricts access to switch ports based on the MAC (Media Access Control) address of devices connected to the port. Ex. Each physical port is assigned to a single specific MAC address → MAC Address Sticky Port security filters by MAC address, allowing whitelisted MAC addresses to connect to the port and blocking blacklisted MAC addresses. Broadcast Storm → Caused when two ports of a switch connected together Spanning Tree Protocol (STP) & Rapid STP (RSTP) helps to prevent broadcast storm & loop prevention for switches BPDU Guard → Bridge Protocol Data Unit Guard STP sends BPDU in the network to detect loops When the loops are detected, STP blocks the traffic from switch ports sending redundant traffic DHCP Snooping → DHCP snooping is a preventive measure When DHCP snooping is enabled, the switch only send DHCP broadcast traffic (DHCP Discover Message) to trusted ports Prevents rogue DHCP servers as well as malicious or malformed DHCP traffic. It also allows the capture and collection of DHCP binding information to let network administrators know who is assigned what IP address. Network Appliances Jump Servers → Also called Jump box → A hardened server used to access & manage devices in another network with a different security zone A jump server is places between different security zones It can provide secure access to devices in screened subnet from internal network Proxy Servers → Forwards requests from clients for services like HTTP or HTTPS → Forward Proxy Server Improves performance by caching content Can restrict users’ access to inappropriate websites by filtering content A proxy server is located on the edge of the network bordering the internet & intranet A web proxy can be used to block certain websites. Transparent Proxy → Accepts & forwards requests without modifying them Non-Transparent Proxy → Use URL filters to restrict access to certain sites Both types of proxy log user activity Reverse Proxy Server → Accepts requests from internet for a single web server It appears as a web server to clients but it forwards requests to the web server & serves pages returned by web server Reverse proxy is configured to protect the web server Reverse proxy server can be used for a web farm of multiple servers → When it is used with web farm → It can act as a load balancer Forward Proxy Vs Reverse Proxy Forward Proxy → A forward proxy regulates client access to the internet, enhancing security and policy enforcement within an internal network It sits between the client and the internet and forwards client requests to the internet. In a corporate network, a forward proxy may be used to control access to the internet and enforce security policies. Reverse Proxy → A reverse proxy, manages external requests to servers, offering load balancing and concealing server identities for added security It sits in front of servers and directs client requests to the appropriate backend servers. A reverse proxy can distribute incoming web requests to multiple web servers in a server farm. NIDS / NIPS Signature-based Detection → Detects known malware based on signature definitions Heuristic-Based Detection → Detects previously unknown malware based on behavior Can detects unknown anamalies Inline → An IPS placed inline with traffic can detect, react to & prevent attacks Passive → Collects data passively Heuristic vs Anomaly-based detection Heuristic: Heuristic IPS uses algorithms and rules to detect potentially malicious behavior, often identifying new and unknown threats. However, it does not specifically create a baseline of normal activity. Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature. Anomaly-based: Anomaly-based IPS establishes a baseline of normal network behavior and then monitors traffic to detect and block deviations from this baseline. This makes it the best fit for the requirement of observing normal network activity and blocking deviations Hardware Security Module (HSM) → A security device that can added to a system to manage, generate & securely store cryptographic keys HSM supports security methods of TPM Many server based applications use an HSM to protect keys Aggregators → Store log entries from dissimilar systems Firewalls Stateful → Inspects traffic & makes decisions based on the traffic context or state Unified Threat Management (UTM) → A single solution that combines multiple security controls UTM will reduce the workloads of admins without sacrificing security URL Filtering → Performs same job as a proxy server → Block access to sites based on the URL Admins can configure URL filters to allow / block access to specific sites Malware Inspection → Screens incoming data for known malware & blocks it Content Inspection → Monitors incoming data streams & attempts to block any malicious content Includes spam filter to inspect incoming emails Can block specific type of transmissions such as audio or video & file types such as .zip DDOS Mitigator → Attempts to detect DDOS attacks & blocks them Common security issue of UTM is misconfigured content filter Key Features → Firewall, IPS/IDS, Antivirus & Anti-malware, Content Filtering, Spam Filtering, Application Control, Web Filtering, DLP, Logging, Reporting Network Address Translation (NAT) Gateway → NAT is a protocol that translates public IP addresses to private IP addresses & private addresses back to public. NAT gateway hosts NAT & provides internal clients with private IP addresses a path to internet Benefits: Public IP addresses don’t need to be purchased for all clients NAT hides internal computers from the internet Hides the internal network structure, making it harder for attackers to target specific devices. Static NAT → Uses single public IP address in one-to-one mapping Dynamic NAT → Uses multiple public IP addresses in one-to-many mapping Quality of service (QoS) → Refers to technologies running on a network that measure & control different traffic types It allows admins to prioritize certain types of traffic over others Implications of IPv6 → All devices on internal network don’t support IPv6 natively Port Mirroring → Port Spanning → Port Tap → Allows admins to configure the switch to send all traffic the switch receives to a single port Port Mirroring is not passive (active) Network Tap → Network taps copy all traffic to another destination, allowing traffic visibility without a device inline. Network tapping is completely passive File Integrity Monitor (FIM) → Some antivirus scanners use file integrity monitors to detect modified system files by calculating hash of systems files as a baseline Objective 3.4 Cryptographic Protocols WEP → RC4 stream cipher → 64-bit or 128-bit Vulnerable to various attacks (e.g., IV attacks, dictionary attacks) WiFi Protected Access (WPA) → Introduced to address the weaknesses of WEP. Introduced to address the weaknesses of WEP. TKIP (Temporal Key Integrity Protocol) Uses 802.1X for enterprise or PSK (Pre-Shared Key) for home networks WiFi Protected Access 2 (WPA2) → WPA2 can operate in open, enterprise or Pre-Shared key (PSK) mode Utilizes Advanced Encryption Standard (AES) for encryption Supports both 802.1X (EAP) and PSK authentication methods. Open Mode → Doesn’t use any security → All data transferred in cleartext PSK or Enterprise Mode → Users access the wireless network anonymously with a PSK or passphrase Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network Enterprise mode uses 802.1X server, often implemented as RADIUS server (Authentication) WiFi Protected Access 3 (WPA3) → Newest wireless cryptographic protocol It uses Simultaneous Authentication of Equals (SAE) instead of PSK used with WPA2 SAE is a variant of Dragonfly Key Exchange which is based on Diffe-Hellman A password-based authentication and key exchange protocol used primarily in wireless networks WPA3 is replacement for WPA2 WPA3 also supports enterprise mode → Uses RADIUS server & requires users to authenticate SAE helps to prevent brute-force attacks against keys by making attackers interact with the network before each authentication attempt. This slows down brute-force attacks. Comparison → WPA3 > WPA2 > WPA > WEP Counter-mode/CBC-MAC Protocol (CCMP) → WPA2 uses strong cryptographic protocols such as AES & Counter Mode/CBC-MAC Protocol (CCMP) An encryption protocol used in WiFi networks to provide confidentiality, integrity & authentication. Simultaneous Authentication of Equals (SAE) → WPA3 uses SAE instead of PSK Authentication Protocols Extensible Authentication Protocol (EAP) → EAP provides method for two systems to create a secure encryption key also known as Pairwise Master Key Systems use this key to encrypt all data transmitted in between the devices AES based CCMP uses this key Used with WPA-Enterprise or WPA2-Enterprise. Lightweight EAP (LEAP) → LEAP is an early EAP method developed by Cisco Systems Uses a variant of MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol) for authentication. Deprecated due to security vulnerabilities. Protected EAP (PEAP) → Provides an extra layer of protection for EAP PEAP protects the communication channel by encapsulating & encrypting the EAP conversation in TLS tunnel PEAP requires a certificate on the server but not on the client Ex. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) Used in enterprise Wi-Fi networks with server-side certificates. EAP-FAST → EAP - Flexible Authentication via Secure Tunneling → Replacement for lightweight EAP (LEAP) EAP fast supports certificates, but they’re optional Uses a Protected Access Credential (PAC) to establish a TLS tunnel between the client and the authentication server. Provides mutual authentication and protection against man-in-the-middle attacks. Used in environments requiring lightweight and secure authentication. EAP-TLS → EAP-TLS requires certificates on the 802.1X server & clients EAP-TLS is an EAP method that uses TLS for mutual authentication between the client and the server. Used in environments requiring strong mutual authentication and encryption. EAP-TTLS → EAP-TTLS is an extension of PEAP EAP-TTLS is an EAP method that encapsulates EAP methods within a TLS tunnel. Allows systems to use older authentication methods such as password authentication protocol (PAP) within a TLS tunnel Used in environments where user credentials are stored centrally. RADIUS Federation → Creates a federation using 802.1X & RADIUS servers Methods WiFi Protected Setup (WPS) → Allows users to configure wireless devices without typing in the passphrase Users can configure devices by pressing buttons or by entering a short eight-digit PIN WPS is susceptible to brute force attacks Captive portals → A technical solution that forces clients using web browsers to complete a specific process before it allows them to the network Free internet access, paid internet access Alternative to 802.1X, as 802.1X can be expensive & sometimes not feasible to organizations Installation Considerations Site Survey → Examines the wireless environment to identify potential issues, such as areas with noise or other devices operating on the same frequency bands Admins can periodically perform site survey to verify that environment hasn’t changed & detect potential security issues Heat Maps → Gives you a color-coded representation of wireless signals Color red shows where the wireless signals are strongest Color blue shows where the wireless signals are weakest Also it shows dead spots WiFi Analyzers → Identifies activity on channels within the wireless spectrum & analyze activity in 2.4 & 5 GHz frequency ranges Allows you to analyze one frequency range at a time & see each channel’s activity on a graph BSSID → Basic Service Set Identifier → Unique identifier used in 802.11 WiFi networks to identify a specific access point within a Basic Service Set (BSS) Objective 3.5 Mobile Device Management (MDM) Vendors sell Unified Endpoint Management (UEM) solutions to manage mobile devices Application Management → Can restrict what applications can run on mobile devices Use allow list to control applications & prevent unapproved application from installing Full Device Encryption → Organizations use full device encryption on corporate-devices to provide device security, application & data security Storage Segmentation → Used to isolate data Users might required to use external storage for any corporate data to reduce the risk of data loss if device is lost Content Management → Can force user to authenticate again when accessing data within the encrypted segment Containerization → Organizations can encrypt a container in mobile devices without encrypting the entire device Running organization application in container isolates & protects the application & data Useful when employees use their own device Geolocation → Includes GPS capabilities to identify the location of the device & device movement Geofencing → Organization use GPS to create a virtual fence or geographical boundary GPS Tagging → Adds geographical information to the files such as pictures when posting them on social media Context-Aware Authentication → Uses multiple elements to authenticate a user & mobile device It can include user’s identity, geolocation & verification that the device is within a geofence, time of day & type of device These elements help prevent unauthorized users from accessing the app & data SEAndroid → Security-Enhanced Android (SEAndroid) uses Security-Enhanced Linux (SELinux) to enforce access security It operates using default denial principle → Anything not allowed is denied Enforces Mandatory Access Control (MAC) SELinux supports two modes: Enforcing Mode → This mode enforces SELinux policy. Any activity that is denied by the policy is blocked & logged Permissive Mode → This mode doesn’t enforce SELinux Policy but it does log all activity that policy would block if it was in enforce mode Admins use this mode to verify that policy works as intended before changing it to enforcing mode Enforcement and Monitoring Jailbreaking → Refers to removing all software restrictions from Apple Devices Rooting → Process of modifying an Android device to give the user a root level access to device Sideloading → Process of copying apk to the device & then activating / installing it Over-The-Air (OTA) Updates → Updates to the OS overwrites the firmware using OTA updates ad hoc → In ad hoc mode, wireless devices connect to each other without access point Objective 3.6 Solutions Cloud Access Security Broker (CASB) → A software tool or service deployed between an organization’s network & the cloud provider It provides security by monitoring traffic & enforcing security policies Functions: Visibility → Identifies and monitors cloud applications, data flows, and user activities. Data Security → Protects data through DLP, encryption, tokenization, and access controls. Threat Protection → Detects and blocks malware, identifies anomalies, and integrates threat intelligence. Compliance → Enforces regulatory policies, provides audit trails, and supports legal holds. IAM → Integrates SSO, MFA, and automates user provisioning and deprovisioning. Shadow IT Control → Discovers, assesses, and mitigates risks associated with unauthorized cloud services. Security Configuration → Manages and monitors cloud service configurations to ensure compliance with security policies. Collaborating & Sharing Control → Controls and monitors data sharing and collaboration within cloud platforms. Next Generation Secure Web Gateway (SWG) → A combination of proxy server & stateless firewall Clients are configured to access all internet resources via the SWG & it filters the traffic to prevent threats from infiltrating the network SWG Includes: URL filtering → prevent users from visiting unauthorized sites Stateless Packet Filtering → To detect & block malicious traffic Malware detection & filtering to block malware Network-based Data Loss Prevention (DLP) Sandboxing to check for threats Objective 3.7 Identity Identity provider (IdP) → Creates, maintains & manages identity information for principles Account Types Personal or End-User Account → Admins create these accounts & assign appropriate privileges based on user’s responsibilities Basic credential policy Administrator & Root Accounts → Privileges accounts that have additional rights & privileges beyond what regular user has Credential policy requires stronger authentication such as MFA Service Accounts → Some application & services need to run under the context of account Admins create a regular user account for service like SQL, provide appropriate privileges & configure a SQL server to this account This account is like a regular user account but the difference is it is used by service or application not by user Credential policies may require long, complex passwords for this accounts & passwords should not expire It is common practice to prohibit interactive logins to a GUI or shell for service accounts. Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC). Device Accounts → Computers & other devices also have accounts Ex. Microsoft Active Directory only allows users to log on to computers joined to the domain Third-party Accounts → Accounts from external entities that have access to the network Strong Credential Policy Guest Accounts → Useful if you want to grant someone limited access to compute or network without creating a new account Admins commonly disable guest accounts & only enable it in special situations Sponsored Authentication for Guest Accounts → Requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest’s need for access, which is known as sponsoring the guest. Shared / Generic Account / Credentials → Organizations create a regular user account that temporary workers will share. If a temporary agency sending a different person everyday, a shared account may provide better solution than guest account because the access can be tailored for the shared account Basic credential policy Account Policies Time-based Logins → Referred as time of the restrictions → Ensure that users can only log on to computers during specific times Objective 3.8 Authentication Management Knowledge-based authentication → Organization use KBA to prove the identity of individuals Static KBA → Used to verify the identity when you’ve forgotten your password Ex. Your first dog’s name Dynamic KBA → identifies individuals without account Organizations use this for high risk transactions such as financial institutions or healthcare industry The site queries public & private data source such as credit reports It craft MCQ questions that only the user would know & users typically have limited amount of time to answer these questions → This limits the amount of time an attacker can do searches on the Internet to identify accurate answers Cognitive password attack → A form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, then this type of password can easily be bypassed. Authentication / Authorization Password Authentication Protocol (PAP) → Used with Point-To-Point protocol (PPP) to authenticate clients A significant weakness of PPP is that it sends passwords over network in cleartext Susceptible to sniffing attacks Challenge-Handshake Authentication Protocol (CHAP) → Uses PPP & authenticates remote users, but it is more secure than PAP The goal of CHAP is to allow the client to pass credentials over a public network without allowing attackers to intercept the data & later use it in attack CHAP uses an encrypted challenge & three-way handshake to send credentials Prevents session hijacking RADIUS → Remote Authentication Dial-In Service → Centralized Authentication Service It is a networking protocol used for centralized authentication, authorization, and accounting (AAA) management in computer networks. RADIUS servers are commonly used to authenticate users accessing network resources, such as Wi-Fi networks, VPNs, and other network services. Uses port 1812 / 1813 Instead of each VPN server needing a separate database to identify & authenticate, VPN servers forwards the authentication requests to central RADIUS server RADIUS can be also used with 802.1X server with WPA2 Enterprise Mode Each VPN server is configured with a shared secret & the RADIUS server is configured with the matching shared secret for each of the VPN servers Centralized RADIUS servers holds a centralized database of user accounts → LDAP Server RADIUS uses UDP which provides best delivery mechanism RADIUS only encrypts password by default & can be used with EAP to encrypt the entire session TACACS+ → Terminal Access Controller Access-Control System Plus → RADIUS alternative Uses port 49 Uses TCP to provide Authentication, Authorization & Accounting services It provides two essential security benefits over RADIUS It encrypts the entire authentication process It uses multiple challenges & responses between the client & server It is authentication service for network devices & it can be used with Kerberos SAML → Security Assertion Markup Language → an XML based format used for SSO on web browsers If organization trust each other, they can use SAML as a federated identity management system Users authenticate with one website & are not required to authenticate again when accessing the second website Many web based portal use SAML for SSO SAML defines three roles: Principal → Principal is typically a user → User log once & if necessary, principal requests an identity from identity provider Identity Provider (IdP) → Creates, maintains & manages identity information for principals Service Provider → An entity that provides services to principals Kerberos → A network authentication protocol used within Windows Active Directory domains & some unix environments known as realms It provides mutual authentication that can help to prevent on-path attacks & uses tickets to prevent replay attacks Uses port 88 Kerberos includes several requirement to work properly: A method of issuing tickets used for authentication: A key distribution center uses a complex process of issuing ticket-granting tickets (TGTs) & other tickets Tickets provide authentication for users when they access resource such as files on the file server These tickets sometimes referred as tokens Time Synchronization → Kerberos v5 requires all systems to be synchronized within 5 minutes of each other Helps to prevent replay attacks A database of subjects or users → DB of users When users log on to Kerberos, KDC issues a ticket to the user, typically with a lifetime of 10 hours to be useful for single workday When users try to access resource, they present ticket for authentication & user is issues a ticket to access the resource Kerberos uses symmetric key cryptography to prevent unauthorized disclosure & to ensure confidentiality Kerberos does not send the users password across the network. → When the user’s name is sent to the authentication service, the service retrieves the hash of the user’s password from the database → then uses that as a key to encrypt data to be sent back to the user. → The user’s machine takes the password that the user entered, hashes it, and then uses that as a key to decrypt what was sent back by the server. Access Control Schemes Attribute-based Access Control (ABAC) → Evaluates attributes & grants access based on the value of those attributes Attributes can be characteristics of user, the environment & the resource ABAC uses policies to evaluate attributes & grants access when the system detects a match in the policy Ex. Homer is nuclear safety inspector → Attributes → employee, inspector, nuclear aware Many Software Defined Networks (SDNs) use ABAC schemes ABAC policy statements typically include 4 elements: Subject → Typically a user Object → Resource such as file, database or application Action → Action is what user is attempting to do such as reading or modifying file Environment → Includes everything outside of subject & object attributes ABAC system has a lot of flexibility & can enforce both MAC & DAC scheme Role-based Access Control (RBAC) → Uses roles to manage rights & permissions for users Useful for users within a specific department who perform same job functions Admins create roles & assigns specific rights & permissions to the roles Role-based Access Control is also called hierarchy-based or job-based A matrix is planning document that matches the roles with the required privileges Group-based Privileges → Reduce the administrative workload of access management Admins put user accounts into security groups & assign privileges to the group Users within the group automatically inherit the privileges assigned to the group Rule-based Access Control (Rule-BAC) → Uses rules → Ex. Firewalls / Routers Routers & Firewalls use rules within access control lists (ACLs) It is based on set of approved instructions such as ACL Some Rule-BAC uses rules that trigger in response to an event, such as modifying ACL after detecting an attack or granting additional permissions to a user in a certain situations Mandatory Access Control (MAC) → Uses labels (sometimes referred as sensitivity labels or security labels) to determine access Security admins assign labels to both subjects (users) & objects (files / folders) When the labels match, the system can grant access to subject for the object It is commonly used when access needs to be restricted based on need to know Security labels often reflect classification levels of data & clearances granted to individuals Discretionary Access Control (DAC) → In DAC, objects have an owner & owner establishes access for the objects Many operating systems such as Windows & Unix-based systems use DAC scheme Ex. New Technology File System (NTFS) → Provides security by allowing users & admins to restrict access to files & folders with permissions DAC scheme is more flexible than MAC scheme Conditional Access → Conditional Access policies use signals, which are similar to attributes in ABAC scheme Some common signals are: User / Group membership, IP Location, Device Privileged Access Management (PAM) → Allows an organization to apply more stringent security controls over accounts with elevated privileges such as admin / root account PAM implements the concept of just in-time administration → Admins won’t have administrative privileges until they need them → When they need them, they send a request for the elevated privileges PAM system grant the request, typically by adding the account to a group with elevated privileges After a pre-set time (such as 15 minutes), their account is automatically removed from the group, revoking the privileges PAM Capabilities: Allows users to access the privileged account without knowing the password Automatically change privileges account passwords periodically Limit the time users can use the privileged account Allow users to check out credentials Log all access of credentials It reduces opportunities for attackers to user administrative privileges Filesystem Permissions → NTFS Permissions: Write Read Read & Execute Modify Full Control Objective 3.9 Public Key Infrastructure (PKI) Key Management → Manage public & private keys within PKI Certificate Authority (CA) → Issues, manages, validates & revokes certificates Intermediate CA → Root CA issues certificates to Intermediate CAs & Intermediate CAs issues certificates to child CAs → Child CAs issues certificates to devices or end users Registration Authority (RA) → Assists the CA by collecting registration information RA never issues certificates, instead it only assist in registration process The registration authority works with the certificate authority to identify and authenticate the certificate requester. Certificate Revocation List (CRL) → CAs use CRL to revoke certificates CRL is version 2 certificate that includes a list of revoked certificates identified by their serial numbers Since public keys are distributed via certificates, adding certificate in CRL is best way to deauthorize a public key Certificate Elements: Serial Number → Uniquely identifies the certificate Issuer → Identifies the CAs that issued the certificate Validity Dates → Includes “Valid From” & “Valid To” dates Subject → Identifies the owner of the certificate Public Key → Asymmetric encryption uses the public key in combination with the matching private key Usage → Some certificates are only for encryption or authentication Certificates Attributes: CN → Common Name → fully qualified domain name (FQDN) o → Organization L → Locality S → State or Province C → Country Online Certificate Status Protocol (OCSP) → Allows client to query the CA with the serial number of the certificate to determine if it is valid Indicates if certificate is good, revoked or unknown OCSP is a protocol used by the browser to check the revocation status of a certificate DV (Domain Validation) Certificate → CA verifies that the certificate subject has control of the domain name EV (Extended Validation) Certificate → prove that the X.509 certificate has been issued to the correct legal entity. Certificate Signing Request (CSR) → Used to request a certificate The certificate signing request is sent with the public key to the certificate authority Once the certificate information has been verified, the CA will digitally sign the public key certificate. Subject Alternative Name (SAN) → SAN certificate is used for multiple domains that have different names but are owned by the same organization → Ex. x.google.com, x.android.com Certificate Formats Distinguished Encoding Rules (DER) → Canonical Encoding Rules (CER) & DER are the best formats of certificates CER → Used for ASCII certificates DER → Used for binary certificates PEM → Privacy Enhanced Mail (PEM) → Can be used for any certificate purpose → Most Commonly Used Certificate Format P7B → Use PKCS version 7 format & they are CER-based Used to share public keys with proof of identity of the certificate holder P12 → Use PKCS version 12 format & they are DER based Commonly used to store private key with a certificate Personal Information Exchange (PFX) → Predecessor to the P12 certificate & it has same usage Binary Format Admins use this format on Windows Systems to import or export certificates Concepts Online Versus Offline CAs → Online CA → Accessible over network Offline CA only accept CSR manually Large organizations keep root CA offline to reduce the risk of compromise Stapling → Alternative of OCSP The certificate presenter appends the certificate with a timestamped digitally signed OCSP response from the CA This reduces OCSP traffic to & from the CA Allows client to validate the certificate without contacting the OSCP server Pinning → Helps to prevent attackers from impersonating a web site with a fraudulent certificate The web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions Trust Model → CAs are trusted by placing a copy of their root certificate into a trusted root CA store Key Escrow → The process of placing a copy of a private key in a safe environment If the original key is lost, the organization retrieves the copy of the key to access the data Certificate Chaining → Combines all certificates from the root CA down to the certificate issued to end user

June 23, 2024 · 37 min · Dhanraj Chavan

Chapter 4: Operations and Incident Response

Chapter 4 Objective 4.1 Network Reconnaissance and Discovery pathping → Combines ping & tracert command Admins use it to locate potential problems between two systems hping → This command is similar to ping command but it can send the ping using TCP, UDP & ICMP packets Useful to identify if firewall is blocking ICMP traffic theHarvester → Passive recon CLI tool → Uses OSINT methods to gather data such as emails, employee names, host IPs, & URLs It uses popular search engine for queries & give you a report sn1per → Automated scanner used for vulnerability assessment & to gather info on targets during penetration test scanless → Python based CLI tool used to scan ports dnsenum → Enumerate DNS records for domains It can perform many Domain Name System (DNS)-related functions, including querying A records, nameservers, and MX records, as well as performing zone transfers, Google searches for hosts and subdomains, and net range reverse lookups. It can work in automated fashion Cuckoo → Open Source automated software analysis system / Sandbox Primary purpose → Analyze suspicious files Forensics dd → Disk Imaging Tool (Open Source Tool) memdump → Can dump any addressable memory space to the terminal or redirect the output to the dump file WinHex → Windows-based hexadecimal editor used for evidence gathering, data analysis, editing, recovering of data & data removal It can work directly with the memory FTK imager → A part of Forensic Toolkit (FTK) sold by AccessData (Proprietary Tool) FTK Imager is a free tool that can image both systems and memory It can capture an image of a disk as a single file or multiple files & save the image in various formats Autopsy → GUI Digital Forensic Platform → Forensic Utilities Objective 4.2 Incident Response Plan This plan provides details about incident response policy It provides organizations with a formal, coordinated plan than personnel can use when responding to the event Elements: Definitions of Incident Types → Helps to identify difference between an event & an actual incident Incident Response Team → This team is composed of employees with expertise in different areas Also referred as → A computer incident response team (CIRT), Security Incident Response Team, Computer Emergency Response Team (CERT) Roles & Responsibilities → Many incident plan identify specific roles for incident response team along with their responsibilities Communication Communication is a part of incident response plan & it provides directions on how to communicate issues related to an incident Communication Plan includes: First Responders → Initial responders should know when to inform incident response entities & who to contact Internal Communication → Incident Response Team should know when to inform senior personnel of an incident Reporting Requirements → Laws requires reporting requirements External Communication → Media Law Enforcement → Provides teams with Digital Forensics tools & knowledge Customer Communication → Laws indicate that when an organization must inform their customers regarding data breach Incident Response Process Preparation → This phase occurs before an incident & provides guidance to personnels on how to respond to an incident Identification → Verify it is a actual incident or not Containment → After identifying an incident, security personnel attempt to isolate or contain it This protects critical systems while maintaining business operations The goal of isolation is to prevent the problem from spreading to other areas in network Eradication → After containing the incident, it’s necessary to remove components from the attack Includes deleting or disabling the infected accounts Recovery → During the recovery process, admins return all affected systems to normal operation & verify they are operating normally Lessons Learned → After personnel handle an incident, security personnel perform the lessons learned review This incident may provide some valuable lessons & organizations might modify procedures or add additional controls to prevent reoccurrence of the incident Exercises Tabletop Exercise → Also known as Desktop Exercise → Discussion Based Exercise A coordinator gathers participants in a room & leads them through one or more hypothetical scenarios such as cyber-attack or natural disaster The coordinator introduces each stage of the scenario & the participants identify how they would respond based on organization’s plan This exercise validates the plan & sometimes reveals flaws Walkthroughs → Workshops or orientation seminars that train team members about their roles & responsibilities Helps the personnel to plan tabletop exercise to develop a formal tabletop test plan Simulations → Functional exercises that allow personnel to test the plan in a simulated operational environment → Hands-On Exercises Attack Frameworks MITRE ATT&CK → Adversarial Tactics, Techniques And Common Knowledge It is a knowledge base of tactics, techniques used in real-world attacks The Diamond Model of Intrusion Analysis → Focus on understanding the attacker by analyzing four key components of every intrusion event: Adversary → Can be identified by email addresses, handles used in online forums Capabilities → Refers to malware, exploits & other hacker tools used in intrusion Infrastructure → Refers to internet domain names & IP addresses used by adversary Victim → Victims can be identified by their names, emails or network identifiers Cyber Kill Chain → Includes seven elements of tracking attack from recon to performing actions to achieve attacker’s objectives Lockheed Martin cyber kill chain → Implicitly assumes a unidirectional workflow It fails to consider that an adversary may retreat during an attack Workflow: Reconnaissance → Information gathering about the target Weaponization → Creating the malicious payload Delivery → Sending the malicious payload to the target Exploitation → Executing the malicious payload Installation → Installing malware to maintain access Command and Control (C2) → Establishing communication with the compromised system Actions on Objectives → Performing final objectives like data exfiltration or further compromise Stakeholder Management Stakeholder management involves working with stakeholders, or those who have an interest in the event or impacted systems or services Disaster Recovery Plan It identifies how to recover critical systems after a disaster & often prioritizes services to restore after an outage Testing validates the plan The final phase of disaster recovery includes a review to identify any lessons learned & may include an update to the plan Disaster recovery is a part of an overall business continuity plan Business Continuity Plan (BCP) Helps an organization to predict & plan for potential outages of critical services or functions The goal is to ensure that critical business operations continue & organization can survive the outage Continuity of Operations Planning (COOP) Focuses on restoring mission-essential functions at recovery site after a critical outage Site Resiliency → If one site suffers a catastrophic failure, an alternate site can take over after the disaster. Ensures critical functions can continue or be rapidly resumed during and after disruptions COOP planning enhances organizational resilience, reduces financial losses, and helps maintain trust and confidence among stakeholders. Retention Policies This policy identifies how long data is retained & sometimes specifies how it is stored Some laws mandates the retention of data for specific time frames. Proper data governance practices ensure that these time frames are known & followed Objective 4.3 syslog → This protocol specifies general log entry format & details on how to transport log entries Originators → Any systems that sends syslog messages Collector → Originators send syslog log entries to the collector → syslog server Syslog protocol only specifies how to format the syslog messages & send them to the collector Linux systems include the syslogd daemon which is the service that handles the syslog messages → etc/syslog.conf → var/syslog Syslog-ng → Extends syslogd, allowing a system to collect logs from any source It provides correlation, routing abilities to route log entries, rich filtering capabilities, content-based filtering, It supports TCP & TLS Rsyslog → Improvement for syslog-ng → Ability to send log entries directly into database engines It supports TCP & TLS NXLog → Log Management Tool similar to rsyslog & syslog-ng → Supports Linux & Windows It functions as a log collector & can be integrated with SIEM systems journalctl → Command that displays several log entries from different sources on Linux system Bandwidth Monitors → By comparing captures taken at different times, investigators can determine changes in network traffic. PRTG and Cacti are both network monitoring tools that can provide bandwidth monitoring information. Bandwidth monitors can help identify exfiltration, heavy and abnormal bandwidth usage, and other information that can be helpful for both incident identification and incident investigations. NetFlow → A feature available on many routers & switches that can collect IP traffic statistics & send them to NetFlow collector Analysis software of NetFlow allows admins to view & analyze network traffic Netflow data provides detailed information about the network traffic → Metadata → source and destination IP addresses, ports, protocols, timestamps, and the amount of data transferred sFlow → A sampling protocol → Provides traffic information based on a preconfigured sample rate Ex. It may capture 1 packet out of 10 packets & send this sample data to the collector As it captures & send only sample data, it is less likely to impact the device’s performance, allowing it to work on devices with high volume of data IP Flow Information Export (IPFIX) → Similar to NetFlow v9 → Replacement to NetFlow Objective 4.5 Documentation / Evidence Legal Hold → Refers to a court order to maintain different types of data as evidence Data retention policy applies here Admissibility → When collecting documentation & evidence, it’s essential to follow specific procedures to ensure that the evidence is admissible in a court of law Chain of custody → A process that provides assurances that evidence has been controlled & appropriately handled after collection Forensics experts establish chain of custody when they first collect the evidence It provides a record of every person who was in possession of a physical asset collected as a evidence → Chain of custody forms are forms that list every person who has worked with or who has made contact with the evidence that is a part of an investigation A proper chain of custody procedure ensures that evidence presented in the court of law is the same evidence that security professionals collected A well-documented chain of custody can help establish provenance for data, proving where it came from, who handled it, and how it was obtained. Provenance → Refers to tracing something back to its origin The provenance of a forensic artifact includes the chain of custody, including ownership and acquisition of the artifact, device, or image Tags → A tag is places on evidence items when they are identified Sequence of Events Timestamps Time Offset → Provides info about how the timestamps are recorded Reports → After analyzing all the relevant evidence, digital forensics experts create a report documenting their findings Includes TTPs of attackers Acquisition and Preservation Order of Volatility → Refers to the order in which you should collect evidence You should collect evidence starting with most volatile & moving to least volatile Order of volatility from most to least: Registers, Cache → The contents of CPU cache and registers are extremely volatile, since they are changing all of the time. Literally, nanoseconds make the difference here. An examiner needs to get to the cache and register immediately and extract that evidence before it is lost. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory Temporary File Systems Disk Remote Logging and Monitoring Data that is Relevant to the System in Question Physical Configuration, Network Topology, and Archival Media Old: Cache → Data in cache memory including the processor & hard drive cache RAM → Data in RAM used by OS & applications Swap / Pagefile → Swap (pagefile) is the system disk drive → Extension of RAM & stored on hard drive Disk → Data files stored on local disk drives & they remain there after rebooting Attached Devices → USB drive also holds data when system is powered down Network → Servers & shared folders accessible by users & used to store log files Data Acquisition → Snapshot → Forensic experts use snapshots to capture data for forensics analysis Artifacts → Forensics artifacts are the pieces of data on a device that regular users are unaware of, but digital forensic experts can identify & extract Web History Recycle Bin Windows Error Reporting Remote Desktop Protocol (RDP) cache When artifacts are acquired as part of an investigation, they should be logged and documented as part of the evidence related to the investigation. On-Premises Versus Cloud Concerns Right to Audit Clauses → Allows customers to hire an auditor & review the cloud provider’s record Auditing helps customer to ensure that the cloud provider is implementing adequate security Many cloud service providers do not allow customer-driven audits, either by the customer or a third party. They also commonly prohibit vulnerability scans of their production environment to avoid service outages. Instead, many provide third-party audit results in the form of a service organization controls (SOC) report or similar audit artifact. Regulatory Jurisdiction → The company must comply with relevant laws Data Breach Notification Laws → This law requires organizations to notify customers about a data breach & take steps to mitigate the loss Integrity Provenance → Refers to tracing something back to its origin Others eDiscovery → Electronic Discovery → It is the identification & collection of electronically stored information Strategic Intelligence and Counterintelligence → Refers to collecting, processing & analyzing information to create long-term plans & goals Counterintelligence activities assume that attackers are also using strategic intelligence methods.

June 23, 2024 · 11 min · Dhanraj Chavan

Chapter 5: Governance, Risk, and Compliance

Chapter 5 Objective 5.1 Category Managerial Controls → Primarily administrative in function & are typically documented in an organization’s written security policy They use planning & assessment methods to provide an ongoing review of the organization’s ability to reduce & mange risk Administrative controls dictate how security policies should be executed to accomplish the company’s security goals Ex. Risk Assessments, Vulnerability Assessments Operational Controls → Ensures that the day-to-day operations of an organization comply with their overall security plan Primarily implemented & executed by people instead of systems Ex. Awareness & Training, Configuration Management, Media Protection, Physical & Environmental Protection Technical Controls → Use technology such as hardware, software & firmware to reduce vulnerabilities Admins installs & configures a technical control & technical controls provide the protection automatically Ex. Encryption, Antivirus, IDS, IPS, Firewalls, Least Privilege Control types Preventive Controls → Attempt to prevent security incidents Ex. Hardening systems, Training, Security guards, Change Management, Account Disablement Policy, Intrusion Prevention System (IPS) Detective Controls → Attempt to detect when vulnerabilities have been exploited, resulting in a security incident Ex. Log monitoring, SIEM systems, Security Audits, Video Surveillance, Motion Detection, Intrusion Detection System (IDS) Corrective & Recovery Controls → Attempts to reverse the impact of an incident or problem after it has occurred Ex. Backups & System Recovery, Incident handling processes, Antivirus Physical Controls → Controls that you can physically touch Ex. Barricades, Control Vestibules (Mantraps) Deterrent Controls → Attempt to discourage a threat → Attempt to discourage potential attackers from attacking & attempt to discourage from violating security policy Ex. Cable locks, Physical locks Compensating Controls → Alternate controls used instead of primary control Organizations adopt compensating controls to address a temporary exception to a security requirement. Doesn’t prevent attack but restores using other means Ex. Re-image or Restore from backup, Hot Site, Backup Power System Ex. PCI DSS Conditions: The control must meet the intent & rigor of the original requirement The control must provide similar level of defense as the original requirement The control must be “above & beyond” other PCI DSS requirements Response Controls → Incident Response Control → Controls designed to prepare for security incidents & respond them when they occur Objective 5.2 Regulations, Standards, and Legislation General Data Protection Regulation (GDPR) → This mandates the protection of privacy data for individuals who live in EU. Requires a data protection officer (DPO) to oversee the organization’s data protection strategy and implementation, and make sure that the organization complies with the GDPR. Payment Card Industry Data Security Standard (PCI DSS) → When using credit cards, company should comply with PCI DSS Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard) → Send notification to your credit card processor Key Frameworks Center for Internet Security (CIS) → Identify, develop, validate, promote & sustain best practice solutions for cyber defense & build & lead communities to enable environment of trust in cyberspace National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/ Cybersecurity Framework (CSF) → Used to mitigate risks The NIST RMF’s process is. Prepare Categorize system Select controls Implement controls Assess controls Authorize system Monitor controls Cloud Security Alliance (CSA) → A non-profit organization that promotes best practices related to the cloud CSA’s Cloud Control Matrix → Maps existing standards(COBIT, HIPAA, FedRAMP) to common control descriptions allowing control requirements to be compared and validated across many standards and regulations Reference architecture → A document or set of documents that provides a set of standards Objective 5.3 Personnel Acceptable Use Policy (AUP) → It describes the purpose of computers systems & networks, how users can access them, and the responsibilities of users when they access the systems Job rotation → A concept that has employees rotate through different jobs to learn the processes & procedures in each job. Helps to prevent or expose dangerous shortcuts or even fraudulent activity Mandatory Vacation → Helps to detect when employees are involved in malicious activity such as fraud These policies help to deter fraud and discover malicious activities while the employee is away. Separation of Duties → A principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process Two people perform separate actions to prevent inventory fraud This helps prevent potential fraud, such as if a single person prints and signs checks. Least Privilege → Specifies that individuals and processes are granted only the privileges needed to perform assigned tasks or functions, but no more Dual Control → A security mechanism that requires two individuals to simultaneously verify and approve an action or access to a system Job Rotation vs Separation of Duties Vs Dual Control Job Rotation → Periodic movement of employees between roles Skill enhancement, reduce fraud risk, reduce monotony Separation of Duties → Dividing tasks and privileges among multiple individuals Minimize risk of fraud and errors Dual Control → Requiring two individuals to simultaneously verify an action Prevent unauthorized access or actions Third-Party Risk Management Vendors → Implement vendor diversity to provide cybersecurity resilience end of life (EOL) → Refers to the date when a product will no longer be offered for sale. end of service life (EOSL) → Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product. Service level agreement (SLA) → An agreement between a company & vendor that stipulates performance expectations, such as minimum uptime & maximum downtime levels Memorandum of understanding (MOU) → Expresses an understanding between two or more parties indicating their intention to work together toward a common goal. Business partners agreement (BPA) → A written agreement that details the relationship between business partners, including their obligations toward the partnership. Measurement Systems Analysis (MSA) → Evaluates the processes & tools used to make measurements Interconnection Security Agreement(ISA) → A formal agreement between organizations that governs the security requirements and responsibilities when connecting their information systems or networks. Non-Disclosure Agreement (NDA) → Non-disclosure agreement (NDA) is the legal basis for protecting information assets. Non-disclosure agreements (NDAs) are legally binding agreements to keep information confidential If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. Objective 5.4 Risk management strategies Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level Risk Awareness → Acknowledgement that risk exists & must be addressed to mitigate them Inherent Risk → Refers to the risk that already exists before the controls are in place to manage the risk Residual Risk → It is the amount of risk that remains after managing or mitigating risk to an acceptable level Control Risk → Refers to the risk that exists if in-place controls do not adequately manage risks Control risks specifically apply to financial information, where they may impact the integrity or availability of the financial information. Risk Appetite → Refers to amount of risk an organization is willing to accept Risk Avoidance → Organization can avoid risk by not providing a service or not participating in a malicious activity Risk Mitigation → The organization implements controls to reduce risks. These controls reduce the vulnerabilities or reduce the impact of threat Ex. Patching systems immediately after the release of patches, which helps to mitigate the risk of known security vulnerabilities being exploited by malicious actors Risk Acceptance → The amount of risk that organization willing to accept Risk Transference → The organization transfers the risk to the another entity or at least shares the risk with another entity Cybersecurity Insurance → Helps to protect businesses & individuals from losses related to cybersecurity incidents such as data breaches & network damage Risk Analysis Risk Register → Lists all known risks for a system or an organization Risk Matrix → Plots the risks onto a graph or a chart Heat Map → Similar to Risk Matrix, but instead of using words, it uses colors such as green, red Risk control assessment → Examines organization’s known risks & evaluates the effectiveness of in-place controls risk control self-assessment → Risk control assessment performed by employees Internal Risk → Risks that the organization itself creates are internal risks. External Risk → External risks are those created by factors outside the organization’s control. Multiparty Risk → A multiparty risk involves multiple organizations. Legacy System Risk → A legacy system risk is created by a system or process that is no longer supported or updated IP Theft Risk → An intellectual property (IP) theft risk occurs when proprietary information or trade secrets might be exposed or lost. Regulations that affect risk posture: Health Insurance Portability and Accountability Act (HIPAA) → Mandates organization to protect the health information Gramm-Leach Bliley Act (GLBA) → Financial Services Modernization Act → Includes financial privacy rules a critical legislation safeguarding consumers’ financial privacy This requires financial institutions to provide customers with a privacy notice explaining what information they collect & how it is used Sarbanes-Oxley Act (SOX) → SOX requires the executives within an organization take individual responsibility for the accuracy of financial reports Mandates financial and IT controls to protect against corporate fraud. General Data Protection Regulation (GDPR) → EU mandates the protection of privacy data for the individuals that live in EU HITECH → Health Information Technology for Economic and Clinical Health Act This act extends HIPAA’s privacy and security requirements and encourages healthcare organizations to invest in strong cybersecurity measures FISMA → Federal Information Security Management Act Establishes a comprehensive framework for ensuring the security of information and information systems for all executive branch agencies Sets standards for securing federal government information systems. COPPA → Children’s Online Privacy Protection Act Regulates online collection of personal information from children under 13. CCPA → California Consumer Privacy Act Grants California residents rights over their personal data collected by businesses. CISA → Cybersecurity Information Sharing Act Encourages sharing of cybersecurity threat information between the government and private sector. Risk assessment types Quantitative Risk Assessment → Measures the risk using a specific monetary amount. It is the process of assigning numerical values to the probability an event will occur and what the impact of the event will have This monetary amount makes it easy to prioritize risks Single Loss Expectancy (SLE) → Cost of any single loss Annual Rate of Occurrence (ARO) → Indicates how many times the loss will occur in a year Annual Loss Expectancy (ALE) → SLE x ARO = ALE Qualitative Risk Assessment → Uses judgements to categorize risks based on likelihood of occurrence (probability) & impact. Qualitative risk assessment is the process of ranking which risk poses the most danger using ratings like low, medium, and high. Business Impact Analysis It is important part of Business Continuity Plan (BCP) It helps organization to identify critical systems & components that are essential to the organization’s success It helps to identify vulnerable business processes, which are mission essential functions It identifies maximum downtime limits for these systems & components, various scenarios that can impact these systems & components, and the potential losses from an incident Recovery Time Objective (RTO) → Identifies the maximum amount of time it can take to restore a system after an outage Recovery Point Objective (RPO) → Identifies a point in time where the data loss is acceptable It is the period of time a company can tolerate lost data being unrecoverable between backups Mean time between failures (MTBF) → Provides a measure of a system’s reliability & usually represented in hours → Identifies the average time between failures A measurement to show how reliable a hardware component is a prediction of how often a repairable system will fail. Mean Time to Failure (MTTF) → MTTF is the average time to failure for a non-repairable system or component. It measures the expected operational lifetime before failure. Helps in predicting the lifespan and planning replacements. Mean time to repair (MTTR) → Identifies the average time it takes to restore a failed system Also called Mean time to recover Assessing and improving maintenance efficiency Disaster recovery plan (DRP) → Identifies how to recover critical systems after a disaster and often prioritizes services to restore after an outage. The first step to developing an effective disaster recovery plan is to identify the assets. Functional Recovery Plan → A recovery plan focused on a specific technical and business function

June 23, 2024 · 10 min · Dhanraj Chavan

Improvement Notes

Implicit Deny → It ensures that anything not specifically allowed in the rules is blocked Private IP Addresses 10.x.x.x → 10.0.0.0/8 → 255.0.0.0 → Class A 172.16.x.x to 172.31.x.x → 172.16.0.0/12 → 255.240.0.0 → Class B 192.168.x.x → 192.168.0.0/16 → 255.255.0.0 → Class C Difference between Dictionary & Rainbow table Dictionary → List of potential passwords (words) Rainbow Table → Precomputed table containing hash of potential passwords Skimming vs Card Cloning Skimming → Capturing credit card data at Point of Sale (POS) Card Cloning → Making a copy of credit card STIX & TAXII → Threat Feed Refer Notes Difference between SOAR & SIEM Security orchestration, automation, and response (SOAR) services are designed to integrate with a broader range of both internal and external applications. SOAR includes security operations automation Windows SAM → Database in Windows that stores user account information, including usernames & hashed passwords. Intelligence Fusion → Combines all this data to create a picture of likely threats and risks for an organization Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden Types of DDOS → Operational, Network, Application Application (DDoS) → aimed at applications Network DDOS → A network DDoS would be aimed at network technology, either the devices or protocols that underly networks. OT DDOS → An operational technology (OT) DDoS targets SCADA, ICS, utility or similar operational systems. Difference between Vulnerability Scan & Penetration Testing Vulnerability Scan → Vulnerability scans use automated tools to look for known vulnerabilities in systems and applications and then provide reports to assist in remediation activities. Penetration Testing → Penetration tests seek to actually exploit the vulnerabilities and break into systems. Security audits → Security audits usually focus on checking policies, incident reports, and other documents. Known Vs Unknown Environment An unknown environment test is also called black-box or a zero-knowledge test because it does not provide information beyond the basic information needed to identify the target. A known environment, or white-box test, involves very complete information being given to the tester. SOAR Functionalities Bluejacking vs Bluesnarfing vs Bluebugging Bluejacking → Practice of sending unsolicited messages to nearby bluetooth devices Bluesnarfing → Unauthorized access to, or theft of info from a bluetooth device Bluebugging → Gains access to the phone & install a backdoor Spyware & Adware are both common examples of PUPs Pharming Attack Techniques changing the local hosts file exploiting a trusted DNS server. Fileless viruses often take advantage of PowerShell to perform actions once they have used a vulnerability in a browser or browser plug-in to inject themselves into system memory. Cross-site request forgery (XSRF or CSRF) takes advantage of the cookies and URL parameters legitimate sites use to help track and serve their visitors. A botnet that uses Internet Relay Chat (IRC) as its command-and-control channel & IRC’s default port is TCP 6667 LDAP focuses on input validation & filtering the output rather than parameterization SSL stripping attack is a on-path attack → An SSL stripping attack requires attackers to persuade a victim to send traffic through them via HTTP while continuing to send HTTPS encrypted traffic to the legitimate server by pretending to be the victim. U.S. Trusted Foundry program → Intended to prevent supply chain attacks by ensuring end-to-end supply chain security for important integrated circuits and electronics. Information Sharing and Analysis Centers (ISACs) help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and share actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency Filesystem Permissions: 0 → — → No permission 1 → –x → Execute 2 → -w- → Write 3 → -wx → Write + Execute 4 → r– → Read 5 → r-x → Read + Execute 6 → rw- → Read + Write 7 → rwx → Read + Write + Execute Threat Actors Vs Threat Vectors Threat Actors → Individuals or entities initiating attacks Threat Vectors → Methods used to carry out attacks Subnet Calculation Formula /32 → 1 /31 → 2 /30 → 4 /29 → 8 Power Outage → PDU, UPS, Generator Power Distribution Unit (PDU) → A device that distributes electrical power to multiple devices from a single source. No battery backup; power is only distributed. May provide surge protection, overload protection, and monitoring capabilities. Uninterruptible Power Supply (UPS) → A device that provides emergency power to connected equipment when the input power source fails. Continues to supply power to connected devices during short-term outages. Generator → A device that converts mechanical energy into electrical energy. Typically used as a backup power source for extended outages. Provides long-term backup power during extended outages. Air Gap is more efficient than separating in VLAN for preventing the malware. Using both server-side execution and validation requires more resources but prevents client-side tampering with the application and data. An Arduino is a microcontroller well suited for custom development of embedded systems. They are small, inexpensive, and commonly available. If key length is increased by 1, potential factors will increase in factors of 2 (Twice as much) Prime factorization algorithms and elliptic curve cryptography are believed to be vulnerable to future quantum computing–driven attacks against cryptographic systems. Account Usage Auditing → Provide a warning that someone’s account is being used when they are not actually using it Both Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are block ciphers. RADIUS provides AAA Datacenter Hot aisle/cold aisle is a layout design for server racks and other computing equipment in a datacenter. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing airflow. An infrared camera will detect heat levels on the aisles. Although the rest of the options are potential issues for a datacenter, an infrared camera won’t help with them. Software-defined networking (SDN) makes the network very scalable. A cloud access security broker (CASB) is used to monitor cloud activity and usage and to enforce security policies on users of cloud services. Microservice architectures build applications as a set of loosely coupled services that provide specific functions using lightweight protocols. Infrastructure as code (IaC) is the process of managing and provisioning computer datacenters through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. RTOS Security → Using secure firmware, as well as using an RTOS with time and space partitioning, are both common methods to help ensure RTOS security. Homomorphic encryption can perform computations on the ciphertext without access to the private key that the ciphertext was encrypted with. Tape backups are the most common solution for cold backups off-site. An advantage of compiling software is that you can perform static code analysis. Version Numbering → ensures that the proper current version of software components is included in new releases and deployments NIC Teaming → Greater throughput and fault tolerance USB data blockers are used to ensure that cables can only be used for charging, and not for data transfer. The Linux kernel uses user-driven events like keystrokes, mouse movement, and similar events to generate randomness (entropy). OpenID vs OAuth OpenID → OpenID is an authentication protocol that allows users to log in to multiple applications or websites using a single set of credentials. Logging in to different websites using a Google or Facebook account. → Single sign-on (SSO) OAuth → OAuth is an authorization protocol used for providing client applications delegated access to server resources on behalf of a user. Allowing a mobile app to access your Google Drive files without sharing your Google password. FIDO U2F → An open standard provided by the Fast IDentity Online Alliance, is a standard for security keys Load Balancer Algorithms Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions Round Robin → simply distributes requests to each server in order Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routing traffic to that server. Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted. Global Positioning System (GPS) data and data about local Wi-Fi networks are the two most commonly used protocols to help geofencing applications determine where they are. Hashing → Hashing is commonly used in databases to increase the speed of indexing and retrieval since it is typically faster to search for a hashed key rather than the original value stored in a database Secrets management services provide the ability to store sensitive data like application programming interface (API) keys, passwords, and certificates The three channels that do not overlap are 1, 6, and 11 in the U.S. installations of 2.4 GHz Wi-Fi networks Infrared (IR) is the only line-of-sight method on the list Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests. Microsoft System Center Configuration Manager (SCCM) → provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. Heuristic vs Anomaly-based detection Heuristic: Heuristic IPS uses algorithms and rules to detect potentially malicious behavior, often identifying new and unknown threats. However, it does not specifically create a baseline of normal activity. Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature. Anomaly-based: Anomaly-based IPS establishes a baseline of normal network behavior and then monitors traffic to detect and block deviations from this baseline. This makes it the best fit for the requirement of observing normal network activity and blocking deviations Checksum vs Hash Windows Log Files & Linux Log Files Containment vs Isolation Types of dashboard in SIEM Multiple files could have the same checksum value, whereas a hashing algorithm will be unique for each file that it is run against. → Hashing > Checksum CentOS and Red Hat both store authentication log information in /var/log/secure instead of /var/log/auth.log used by Debian and Ubuntu systems. grep "Failed password" /var/log/auth.log → Command used check for bruteforce attack in Linux systems Mapping networks using ping relies on pinging each host, and then uses time-to- live (TTL) information to determine how many hops exist between known hosts and devices inside a network. When TTLs decrease, another router or switch typically exists between you and the device. Zero-wiping a drive can be done using dd → dd if=/dev/zero of=/dev/sda bs=4096 The Content-Addressable Memory (CAM) tables on switches contain a list of all the devices they have talked to. Content Filter → A content filter is specifically designed to allow organizations to select both specific sites and categories of content that should be blocked. The Windows swapfile is saved in the root of the drive by default. → C:/pagefile.sys A system crash, or system dump, file contains the contents of memory at the time of the crash The infamous Windows blue screen of death results in a memory dump to a file, allowing analysis of memory contents. Anti-forensics activities follow lateral movement in the Cyber Kill Chain model. It helps to remember that after an attacker has completed their attack, they will attempt to hide traces of their efforts, and then may proceed to denial-of-service or exfiltration activities in the model. Jurisdictional boundaries exist between states and localities, as well as countries, making it challenging for local law enforcement to execute warrants and acquire data from organizations outside of their jurisdiction in many cases. Virtual machine forensics typically rely on a snapshot gathered using the underlying virtualization environment’s snapshot capabilities. This will capture both memory state and the disk for the system and can be run on an independent system or analyzed using forensic tools. The Volatility framework is a purpose-built tool for the acquisition of random access memory (RAM) from a live system. Standards: ISO 27001 → International standard for information security management systems (ISMS) Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO 27002 → An international standard for implementing and maintaining information security systems Provides guidelines and best practices for organizational information security standards and information security management practices. ISO 27017 → An international standard for cloud security Provides guidelines for information security controls applicable to the provision and use of cloud services. ISO 27018 → Establishes guidelines to protect personal data in cloud computing environments. ISO 27019 → Provides guidelines for information security management in the energy utility industry, focusing on process control systems. ISO 27031 → Provides guidelines for ICT readiness for business continuity to ensure information and communication technology systems can support business operations in the event of disruptions. ISO 27032 → Provides guidelines for improving the state of cybersecurity, emphasizing the protection of cyberspace, including critical information infrastructure. ISO 27033 → Provides guidelines for improving the state of cybersecurity, emphasizing the protection of cyberspace, including critical information infrastructure. ISO 27701 → extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy ISO 29100 → Establishes a high-level framework for protecting personally identifiable information (PII) and provides a privacy framework. NIST 800-12 → A general security standard and it is a U.S. standard, not an international one NIST 800-14 → A standard for policy development, and it is also a U.S. standard, not an international one ISO 22301 → An international standard that outlines how organizations can ensure business continuity and protect themselves from disaster NIST CSF → Cybersecurity Framework A voluntary framework that provides a set of standards, guidelines, and best practices for managing cybersecurity risks. Offers a risk-based approach for managing and reducing cybersecurity risks, focusing on critical infrastructure. NIST SP 800-37 → Outlines the Risk Management Framework (RMF) for federal information systems to ensure they are secure and risk-managed. NIST SP 800-115 → Provides technical guidance on conducting security testing and assessments. NIST SP 800-122 → Offers guidelines for protecting the confidentiality of personally identifiable information (PII). NIST SP 800-128 → Details best practices for security-focused configuration management of information systems. NIST SP 800-137 → Provides guidance for continuous monitoring of information systems and organizations to maintain security posture. NIST SP 800-145 → Defines cloud computing and its essential characteristics, service models, and deployment models. Change management is the process of documenting all changes made to a company’s network and computers. Privacy Roles: Data Owner → Responsible for the data’s overall management and governance, including its security and integrity. Data owners assign labels such as top secret to data A data controller or data owner is the organization or individual who collects and controls data. Determines data usage policies, sets data access permissions, and is accountable for the data’s accuracy and appropriateness. Ultimate responsibility for maintaining confidentiality, integrity, and availability Ex. Department head deciding access to datasets Data Processor → An entity or individual that processes data on behalf of the data controller Data processors are service providers that process data for data controllers. Follows data controller instructions, ensures regulatory compliance Ex. Cloud service provider handling client data Data Steward → Ensures data quality and fitness for purpose A data steward carries out the intent of the data controller and is delegated responsibility for the data. Oversees data governance policies, ensures data quality, and manages data assets to ensure they meet business needs. Ex. A data quality analyst who reviews data entries for accuracy and consistency. Data Custodians → Responsible for the safe custody, transport, storage of data, and the implementation of business rules. Custodians assign security controls to data. Manages and protects data, ensures proper handling and safeguarding of data, and maintains data integrity and availability. Ex. IT professional managing data backups Privacy Officer → A privacy officer ensures that companies comply with privacy laws and regulations. Ex. Compliance officer ensuring adherence to GDPR/HIPAA System administrators are responsible for the overall functioning of IT systems. Security program administrators often use different types of training to ensure that trainees who react and respond differently to training are given training that helps them. Customer data can include any information that a customer uploads, shares, or otherwise places in or creates via a service. Standard for Attestation Engagements (SSAE) SOC 2 engagement assesses the security and privacy controls that are in place, and a Type 2 report provides information on the auditor’s assessment of the effectiveness of the controls that are in place. An SOC 1 report assesses the controls that impact the accuracy of financial reporting. Type 1 reports a review auditor’s opinion of the description provided by management about the suitability of the controls as designed. Predictive analysis for Threat Intelligence come from: Large Security Datasets Behavior Patterns Current Security Trends Polymorphism → Technique created by malware creators to shift the signature of malware to prevent detection by antivirus tools. ISACs (Information Sharing and Analysis Centers) → Collaborative industry organizations that analyze and share cybersecurity threat information within their industry verticals in USA Shimming & Refactoring DVR → Ability to record video in CCTV IP Spoofing is a technique used by attackers to create IP packets with a forged source IP address. → MITM Attack Use secure firmware to secure RTOS CIA & DAD Triad Confidentiality → Disclosure Integrity → Alteration Availability → Denial Breach Impact Financial Risk → Risk of monetary damage to the organization as a result of data breach Reputational Risk → Occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers & stakeholders Identity Theft → Use of exposed PII information in attacks Strategic Risk → Risk that organization will become less effective in meeting its major goals & objectives as a result of the breach Strategic risk affects business plans Operational Risk → Risk to the organization’s ability to carry out its day-to-day operations Operational risk affects inefficiency & delay within the organization Compliance Risk → Occurs when a security breach causes an organization to violate legal or regulatory requirements Ex. HIPAA → Health Information Security Groups → Works as a virtual firewall for instances allowing rules to be applied to traffic between instances SSH Tunneling → also known as SSH port forwarding A technique used to securely transmit data between a local and a remote host over an unsecured network It leverages the Secure Shell (SSH) protocol’s encryption capabilities to create an encrypted tunnel for transmitting network traffic. Difference between MDM & UEM MDM → Primarily manages mobile devices such as smartphones and tablets. Functions → Device Inventory, Device Configuration, Security Management, App Management, Monitoring UEM → Manages a wide range of endpoint devices, including mobile devices, desktops, laptops, IoT devices, and wearables. Functions → Device Management, Application Management, Content Management, Identity Management, Policy Management, Automation Asymmetric Vs Symmetric Encryption Advantages & Disadvantages Symmetric Advantages Faster compared to asymmetric encryption due to simpler algorithms and operations. More efficient for bulk encryption and large data sets. Shorter key lengths provide equivalent security levels compared to asymmetric encryption. Widely used for securing data in transit and at rest. Symmetric Disadvantages Key Distribution Challenges in managing and storing keys securely. Less scalable for secure communication among multiple parties compared to asymmetric encryption. Does not inherently provide mechanisms for verifying sender identity or message integrity without additional protocols. Asymmetric Advantages No need to securely distribute keys; each user has a public-private key pair. Offers better security because the private key never leaves the owner’s possession. Provides digital signatures for verifying the sender’s identity and integrity of the message. Supports secure communication between multiple parties without requiring pre-shared secrets. Asymmetric Disadvantages Slower compared to symmetric encryption due to more complex algorithms. Requires longer key lengths for equivalent security levels compared to symmetric encryption. Less efficient for bulk encryption and large data sets. Which is the most commonly used certificate format → PEM 802.11x vs CHAP vs Kerberos 802.1X → Wi-Fi Authentication EAP Methods (EAP-TLS, PEAP, etc.) Network Access Control (NAC) When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials. This 802.1X standard refers to the client as the supplicant, the switch is commonly configured as the authenticator, and the back-end authentication server is a centralized user database such as Active Directory. CHAP → Network Authentication Challenge-Response Authentication for point-to-point connections Mutual authentication, challenge-response mechanism Kerberos → Network Authentication Network authentication protocol Ticket-based authentication, SSO, mutual authentication RADIUS → Centralized authentication, authorization, and accounting Centralized management, extensibility, supports various authentication methods CSA’s Cloud Control Matrix → A framework designed to provide fundamental security principles to guide cloud vendors and customers in assessing the overall security risk of a cloud service Smart Card vs Proximity Cards Proximity Cards → A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at a mantrap) Hash Algorithm Sizes Cynthia needs to prevent drones from flying over her organization’s property. What can she do? When you are concerned about application security, what is the most important issue in memory management? Yasmine wants to implement a cloud-based authorization system. What protocol is she most likely to apply? What is the purpose of Unified Extensible Firmware Interface (UEFI) Secure Boot? What is the size of the wrapper applied by TKIP around the WEP encryption utilizing a key that is derived from the MAC address of the machine and the packet’s serial number? ...

June 23, 2024 · 24 min · Dhanraj Chavan

Intro

Intro Hi everyone, I have passed my Comptia Security+ 601 exam recently. In this blog, I will share my notes(objective-wise) & insights about this exam. Resources CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide: Link Professor Messer’s SY0-601 CompTIA Security+ Practice Exams: Link Passmall Security+ Practice Exams: Link Jason Dion - CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs: Link Outro Please forgive if you find any spelling mistakes or grammatical mistakes. I wish you all the best for your exams!! ...

June 23, 2024 · 1 min · Dhanraj Chavan