Common TCP/UDP Ports
HTTP - 80
FTP - 21 and 20
Telnet - 23
SMTP - 25
SNMP - 161 and 162
DNS - UDP 53
HTTPS - 443
POP - 110
IMAP - 143
ARP Spoofing
Sending falsified ARP messages over a LAN.
This links the attacker's MAC address with the IP address of a legitimate computer/server on the network
ARP Poisoning
The attacker sends a forged ARP packet to the source device, substituting the attacker's computer MAC address
TCP Syn Flood
Form of DoS in which the attacker sends a succession of SYN requests in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic
DHCP
Dynamic Host Configuration Protocol
Dynamically assigns IP addresses to hosts
Rogue DHCP
Not under the control of administrative staff
Can Compromise Network
MAC flooding
Attacker overflows the switch's address table with fake MAC addresses, forcing it to act like a hub and send packets to all devices
MAC Address Impersonation
If two devices have the same MAC address, a switch can send frames to each device. An attacker can change the MAC address on their device to match the target device's MAC address
Port Mirroring
When an attacker connects his device to the switch's mirror port
Network Tap
Connected to the network to intercept frames
DNS Poisoning
Exploits vulnerabilities in the DNS to divert Internet traffic away from legit servers and towards fake ones
VoIP
Uses Session Initiation Protocol (SIP) to set up and break down call sessions
User Agent Client (UAC)
Application that creates the SIP requests
User Agent Server (UAS)
SIP server that handles the routing and signaling involved in VoIP calls
VoIP Threats
SIP suffers from lack of encrypted call channels and authentication of control signals
Attackers can spoof identities by redirecting SIP control packets
SPIT - SPam over Internet Technology
Types of Firewalls
Packet Filtering
Application
Stateful
Dynamic Packet Filtering
Kernel Proxy
Packet Filtering
1st Generation Firewall
Uses ACLs to control flow
Not stateful, just looks at network and transport layer packets
Network Firewall
Application Level Proxy
2nd Generation Firewall
Understands application data in the packet
Allowing it to inspect for malware or unauthorized sites
All (net/app firewall)
Stateful Inspection Firewalls
3rd Generation Firewall
Analyzes at all OSI layers
High security and scalability
Keeps state table
Network/all
Dynamic Packet Filtering
4th Generation
Allowing any type of outbound traffic and permitting only response traffic inbound
Application level
Kernel Proxy Firewalls
5th Generation
Dynamic and customized TCP/IP stacks when a packet needs to be created
Firewall Best Practices
Block unnecessary ICMP traffic
Keep ACLs simple
Deny all, grant by exception
Disallow source routed packets
Close unnecessary ports
Disable unused interfaces
Block directed IP broadcasts
Block incoming packets with internal addresses
Enable logging
Block
Wireless Security Issues
Unauthorized Access
Sniffing
War Driving
WEP points
War Driving
Walk around with a wireless device to identify APs and break into them
Mobile Phone Security - attacks and countermeasures
Attacks:
Cell phone cloning - stolen and reprogrammed with someone else's credentials
False base stations can be created
Confidential data can be stolen
Remote enabling of voice and camera
Access to the Internet
Spamming
Malicious code attacks
Weak encryp
Types of wireless encryption protocols
WEP
WPA/PSK
WPA2
WPA/WPA2 ENT
Bluetooth
802.15 Standard
1-3 Mbps transfer rate - short range (10 meters)
Network of Bluetooth devices is a piconet
Bluetooth Modes
- Discovery Mode
- Automatic Pairing
Bluejacking
Sending forged messages to nearby Bluetooth devices
Bluesnarfing
Copies information off of remote devices
Bluebugging
Allows full use of phone
Bluetooth Countermeasures
Disable if you are not using it
Disable auto-discovery
Disable auto-pairing
IoT Issues
50 billion devices by 2020 (more vulnerabilities)
Implementation issues (security not built in)
New protocols will have vulnerabilities (many connected to internal networks)
HSPD-12
Federal Agencies are required under HSPD-12 (Homeland Security Presidential Directive 12) to use multi-factor authentication for network access to privileged and non-privileged accounts and for local access to privileged accounts
Race Conditioning
When 2 or more processes share the same resource and the sequences of steps in the software can be carried out in improper order
What is an example of a race condition?
An attacker forces authorization step before the authentication step to gain unauthorized access to the resource
Cognitive biometrics
Related to an individual's thought processes - or how they respond when presented with certain stimuli
FRR
False Rejection Rate
Type 1 errors
Too many burden the Help Desk/Support Services
FAR
False Acceptance Rate
Type 2 errors
compromise CIA
CER
Crossover Error Rate
Point where FRR and FAR are equal
Which of the following statements about Crossover Error Rate (CER) is true:
A. This is the point where False Reject Rate and False Accept Rate are equal
B. This is the point where False Reject Rate and False Accept Rate add to 100%
C. This is the point wh
This is the point where False Reject Rate and False Accept Rate are equal
A security engineer has recently installed a biometric system and needs to tune it. Currently the system is rejecting too many valid, registered users. What adjustment does the security engineer need to make?
A. Increase the False Accept Rate
B. Reduce th
Reduce the False Reject Rate
Password Best Practices
Use strong/complex passwords
Replace default passwords
Display last date of successful logon
Set clipping level (# of failed login attempts before lockout)
Log successful and failed attempts
Password Aging (set password history and minimum/maximum passwor
What are password "clipping levels"?
# of failed login attempts before lockout
Attacks on passwords
Electronic Monitoring
Accessing password file
Dictionary attacks
Brute force attacks
Rainbow tables
Social engineering attacks
Electronic Monitoring
Sniffers to capture password or password hash
Accessing the Password File
SAM or /etc/passwd file
Dictionary Attack
Hashes of thousands of words are compared to hashes found either in password file or captured during transmission
Brute Force Attacks
Randomly generates password hashes
Rainbow Tables
Tables with millions of precalculated hashes
Tables contain chains beginning with the initial password
Password file stored on Windows Server
SAM
Password files stored on Unix system
/etc/passwd
Common Password Crackers
John the Ripper
ElcomSoft PPA
L0phtCrack
Smart Card Attacks
Fault generation
Side channel attacks
Software attacks
Microprobing
Fault Generation
Attempts to reverse engineer the encryption keys by introducing errors into authentication process
Side-Channel Attacks
Non-intrusive attacks
- Differential power analysis of power emitted during use
- Electromagnetic analysis - examining the frequencies used
Software Attacks
Noninvasive attacks to input software on card or read content of card
Microprobing
Needles and ultrasonic vibration are used to remove the outer protective material on circuits to access and manipulate the chip's ROM
Kerberos Weaknesses
Single point of failure
Secret keys stored on workstations
Session keys stored on workstations
Network traffic not protected if not encrypted
If keys are short, vulnerable to brute force attacks
Kerberos
Key Distribution Center (KDC) - holds all user keys and provides authentication services to "principals" (users, applications, network services)
Ticket Granting Service (TGS) on the KDC issues "tickets"
Kerberos controls/countermeasures
Kerberos clients and servers need to be synchronized
Default settings in Windows need to be changed in the GPO
SESAME
Secure European System for Applications in a Multi-vendor Environment
Extends Kerberos
Uses both symmetric and asymmetric cryptographic algorithms (Like KDC)
Uses digitally signed PACs
Authorization Creep
Result of an employee moving from department to department and previous access is not removed when new access is provided
Centralized Access Control Administration
Single department or individual controls access to all resources
- Diameter
- RADIUS
Which of the following is NOT an authentication protocol?
A. Diameter
B. RADIUS
C. Lightweight Directory Authentication Protocol
D. Lightweight Directory Access Protocol
C. Lightweight Directory Authentication Protocol
Diameter
Protocol that addresses RADIUS shortcomings
Secures communications among Diameter entities
Extensions allow various authentication technologies to tie with other services
RADIUS
Remote Authentication Dial-In User Service
Uses UDP, only encrypts user password
TACACS+
Uses TCP
- Enables multi-factor authentication. Encrypts all data between client and server
Decentralized Access Controls
Provides ability for access controls to be managed closer to the resource.
Discretionary Access Control (DAC)
Owners have control of the resource and can specify which other subjects can access the resource
Access is restricted based on the authorization granted to the users, most commonly through the use of Access Control Lists (ACLs)
Windows uses this access co
Mandatory Access Control (MAC)
Users (subjects) are assigned a security clearance (secret, top secret, etc.) with data classified in the same manner
Most Restrictive model
Role-Based Access Control (RBAC)
Nondiscretionary access controls
Centrally-administered set of controls based on the role the user holds
Hierarchical RBAC
Reflects organizational structures and functional delineations
Advantage of the hierarchy - allows separation of duties, and we can put some restrictions in place
Audit Log Best Practices
Must be secured
Must be reviewed
Must be monitored
Must be collected as part of regular business practice if used for evidence
Must be restricted to authorized individuals (do NOT want your administrators managing the audit logs)
Which role is most likely not to get caught when it comes to audit logs?
The administrator
Emanation Security Controls
TEMPEST
White Noise
Control Zones
TEMPEST
Standardization technology that suppresses emanations with shielding material
White Noise
Random signal noise generated over the full spectrum
Control Zone
Block electrical signals
Identity Management
Encompasses the use of different products to identify, authenticate, and authorize users through automated means.
Requires management of the identity attributes, credentials, and entitlements.
Directory
Meta-Directory
Virtual Directory
User Provisioning
Directory
Database of organization's resources
Directories allow us to keep all of our identity objects (user IDs) centralized, however we can delegate management functions
Meta-Directories
Aggregate the information from multiple sources, physically storing them in a single location
Virtual Directory
Pointer to where the attributes are located, rather than centralizing their location
User Provisioning
Creation, Maintenance, and Deactivation of user objects and attributes as they exist in one or more systems, directories, or applications - based on business needs/processes
Password Management
Password Synchronization
Self-Service Password reset
Assisted Password Reset
Password Synchronization
When a password is changed in one system, it changes everywhere else; for example, changing the Blackboard password also changes the Patriot Web password.
Single Sign On
Sign on only once and be logged into everything else
Federated Identity
Portable identity (across multiple systems owned by different owners)
Multiple providers who agree to provide access to their system to identities authenticated by a participating member of the federation
Identity Management (3 key aspects)
Uniqueness - identifiers are specific to an individual to provide for accountability
Nondescriptive - neither ID nor credential should indicate the purpose of that account (i.e. "Administrator")
Issuance - provided by another authority as a means of provin
If I posted a file of Social Security Numbers on my Web site (let's say, ten or twenty thousand of them), have I committed a crime or can this lead to identity theft ?
No. It's just a list of numbers.
PII is personal data that uniquely identifies an individual
RMF Steps
1. Categorize System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize System
6. Monitor Security Controls
RMF Guidance Documents
NIST SP 800-39
NIST SP 800-37
NIST SP 800-30
NIST SP 800-53
NIST SP 800-137
NIST SP 800-60
NIST SP 800-39
Managing Information Security Risk
NIST SP 800-37
Risk Management Framework
NIST SP 800-30
Risk Assessment
NIST SP 800-53
Cybersecurity Controls and Enhancements
NIST SP 800-137
Continuous Monitoring
FIPS 199
A government document that describes how to categorize government data, so that a security baseline of controls can then be applied.
NIST SP 800-60
Mapping Types of Information Security Categories
Black Box Testing
Tester has no knowledge of the environment
Method of software testing that examines the functionality of an application without peering into its internal structures or workings
White Box Testing
Tester has full knowledge of the environment
Testing software that tests internal structures of an application, as opposed to functionality
Dynamic Testing vs Static Testing: In dynamic testing, the system under test is observed, which is not the case in static testing
TRUE
Manual Testing
Conducted by humans
Automated Testing
Done with the help of applications, which automate the whole test.
Regression Testing
Provide assurance that a change has not created problems elsewhere in the software or system
The determination of the impact of a change based on review of the relevant documentation to identify the necessary regression tests to be run
Making sure the new
Unit Testing
Individual units/ components of a software are tested
Integration Testing
Phase in software testing in which individual software modules are combined and tested as a group
Information Security Continuous Monitoring (ISCM)
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
Remote Access Security - best practices
Encrypt all authentication information to the server - use a VPN tunnel, in fact, for everything
Critical systems should ONLY be administered locally
Uniquely identify administrators, and limit who can administer a system remotely
Multi-factor authenticat
Continuity of Operations
Availability
- MTBF (Mean Time Between Failure)
- MTTR (Mean Time to Repair)
Service Level Agreements (SLA) - stipulates expectations regarding expected service standards (bandwidth, response times, etc.)
Fault Tolerance
RAID
Redundant Array of Inexpensive Disks
RAID 0
Data striped over several drives.
No redundancy or parity involved.
RAID 1
Mirroring of drives. Data are written on two drives at once. If one fails the other is available.
RAID 2
Not commercially viable for hard disks so not used
Requires either 14 or 39 hard disks and special control
Writes out Hamming Codes to dedicated drives
RAID 3
Striping with fault tolerance (of a sort)
Data is striped at the byte level across multiple disks
Extra drive is allocated to store the parity information
If the parity drive fails - you lose the ability to recover
RAID 4
Same as RAID 3, except it stripes data at the block, instead of byte, level
RAID 5
Striped Set with Distributed Parity
Data are written in disk sector units to all drives. No single point of failure.
RAID 6
Similar to level 5 but with added fault tolerance, which is a second set of parity data written to all drives.
RAID 10
Data are simultaneously mirrored and striped across several drives and can support multiple drive failures.
Email Security
Ensure that the server has email relay disabled
Content filter for disclosure of sensitive information
Block certain file attachments
Enable anti-virus software at email server
Monitor for anomalous protocols
Which security principle is used to detect fraud that occurs with users remaining too long in a position?
Job Rotation
Newman waits until his victim establishes a connection to the organization's FTP server. Then, he executes a program that allows him to take over the established session. What type of attack has taken place?
Session Hijack
Which RAID level only stripes data across all of the drives?
RAID 0
Attackers are always looking for ways to identify systems. One such method is to send a TCP SYN to a targeted port. What would an attacker expect to receive in response to indicate an open port?
SYN ACK
Computer Forensics
The procedural preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis - often with the goal of prosecution
3 A's of Computer Forensics
Acquire the evidence without altering or damaging the original
Authenticate that your recovered evidence is the same as the originally seized data
Analyze the data without modifying it
Incident Response
Event - negative occurrence that can be observed, verified, and documented
Incident - series of events that negatively affects the company and/or impacts its security posture
5 Rules of Evidence
authentic
complete
sufficient
accurate
admissible
Logs and "Best Evidence"
U.S. Title 28, Section 1732 - provides that log files are admissible as evidence if they are collected in the regular course of business
Rule 803(6) of Federal Rules of Evidence provides that logs that otherwise might be considered hearsay are admissible
Incident Response Life Cycle
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Incident Response Plan - components
Policy
Reporting agencies
Roles and responsibilities
Call tree
Steps on how to secure and preserve evidence
Reporting templates and procedures
Who would you include in the Incident Response Team?
Should consist of representatives from all departments (HR, communications, IT, legal, etc.)
Three types of IR Teams
Virtual - "other duties as assigned". Slower response
Permanent team - dedicated to this task (CIRT/CERT employees as an example). Expensive!
Hybrid - obviously, a combination
CISSP IR Procedures
triage - what do we treat first
investigation - collect relevant data
containment - quarantine the attack
analysis - how did it happen
tracking - internal/external?
recovery - implement fixes
How does a forensic duplication differ from a disk copy?
Uses bit-by-bit (binary) images, not data copy - of information on a hard disk in order to capture data hidden in slack space, running processes, network connections
order of volatility
Registers and cache
Process tables, routing tables, ARP cache
Contents of system memory
Temporary file systems
Data on the disk
chain of custody
A history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court
All evidence must be labeled with information indicating who secured and validated it
network monitoring
Allows investigator to track the attacker, gaining additional evidence
Provides assurance that there are no recurrences of similar incidents during recovery
types of analysis
network
-log
-path tracing
media
-disk imaging
-MAC
-content analysis
software
-reverse engineering
-code review
slack space
Most files don't use all of the clusters allocated, so the contents of previous files remain on the disk even when the cluster is overwritten by a new file
disaster
Any disruptive event (natural or man-made) that interrupts normal system operation in such a significant way that a considerable and coordinated effort is required to achieve a recovery
hot site
fully configured with equipment and lines. Data retrieved and loaded from backup site
(not owned by company)
high availability
expensive
cold site
supplies basic environment (electrical, AC, plumbing) but no systems - can also just be a reciprocal agreement
lowest availability
least expensive
warm site
anywhere in between
less expensive
not immediately available
business resumption plan
Focus on necessary business processes instead of IT procedures
Configuration Management concepts
Developing a consistent system security configuration
Continuity of Operations Plan (COOP)
Establishes management and headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks.
IT Contingency Plan (ITCP)
Plan for restoring systems, networks, major apps after a disruption at the original facility.
Crisis Communications Plan
Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors.
Cyber Incident Response Plan
Provides procedures for mitigating and correcting a cyber attack - addresses mitigation and isolation of affected systems, clean up, and loss minimization
Disaster Recovery Plan (DRP)
How to recover IT mechanisms after a disaster. Focuses on disasters that require IT processing to take place at another facility.
redundant site
Site is equipped and configured exactly like the production site - data can be streamed live
multiple processing centers
distributed through multiple locations
rolling hot site
Large truck or trailer is turned into a work area
First step in BCP
business impact analysis
Steps required to restore normal business operations/mission after recovery from a disruptive event
Business Continuity Plan (BCP)
BCP vs DRP
Business Continuity Plan (BCP) Ensures that the business will continue to operate before (includes a focus on prevention), during, and after an event. A strategic (long-term) plan
Disaster Recovery Plan (DRP) - Tactical, shorter-term plan that focuses on
BCP Steps
Project Initiation
Business Impact Analysis
Recovery Strategy
Plan design and development
Implementation
Testing
Continual Maintenance
Recovery Point Objective (RPO)
Level of data/work loss or system inaccessibility
Mean Time Between Failures (MTBF)
average amount of time a system or device is running before it fails
Mean Time to Repair (MTTR)
length of time to recover a failed device or system
Recovery Time Objective (RTO)
- maximum time allowed to recover business or IT systems (from disaster onset to resumption of business processes)
Work Recovery Time (WRT)
- time required to configure a recovered system
MTD
MTD=RTO+WRT
BCP/DRP Countermeasures
Plans updated whenever there is a change to the environment
Plans reviewed for updates at least annually if no changes
Track and document all planned changes and implement a formal approval process for all substantial changes
Changes must be auditable!
Recovery Strategy Steps
1 Business process recovery
2 Facility recovery
3 Supply and technology recovery
4 User environment recovery
5 Data recovery
3 types of disruptions
Nondisasters - disruption in service due to a device malfunction or failure
Disasters - An event causes the loss of the entire facility for a day or longer
Catastrophes - major disruption that destroys the facility, requiring operations to move offsite
Three different types of recovery and restoration teams
Damage assessment team - Determines the cause of the disaster, potential for further damage, and whether or not to activate the BCP
Restoration team - responsible for getting the alternate site into a working and functioning environment
Salvage Team - res
What are the common reasons that DRPs fail?
Lack of management support
No coordination with vendors
Lack of testing
Lack of prioritization
Lack of training and awareness
DRP training "Best Practices"
Determine how frequently (at least annually)
Good idea to train different roles more regularly
Train so that everyone knows the initial steps and where to find the plans
First aid and CPR
Starting emergency power
Call tree
data warehouse
data is extracted from different databases and combined to a central location, where it is normalized (redundancy is stripped out and the formats/fields are made the same) - requires stringent security!
Data mining
massaging the aggregated data in a data warehouse using automated tools to find trends, correlations, relationships, etc., that wouldn't normally be apparent.
metadata
result of data mining
software escrow
Third party keeps a copy of the source code that it will release to the customer only if certain circumstances arise
Expert systems versus artificial neural networks
Otherwise known as knowledge-based systems, these use artificial intelligence (AI) to solve complex problems. They are systems that emulate the decision-making ability of a human expert. Artificial neural network (ANN) A mathematical or computational mode
Database security: Issues
Aggregation
Inference
Aggregation
Combining information from different sources that forms new information to which you would otherwise not have the rights to access individually
To control - place objects into a container that is classified at a higher level than the individual components
Inference
Intended results of aggregation - when information is deduced from other information
To control - prevent the subject from indirectly gaining access to the inferable information.