Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017

FRSecure 2017 CISSP Mentor ProgramEVAN FRANCEN, PRESIDENT & CEO – FRSECURE

BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST - FRSECURE

CLASS SESSION #10

CISSP Mentor Program Session #10Domain 4: Communication and Network Security - Review• Network Scanning Tools

• Secure Communications

• Wireless Local Area Networks

• Remote Access

We finished Domain 4!

CISSP Mentor Program Session #10Domain 5: Identity and Access Management - Review• Cornerstone access control concepts

• Access control models

• Authentication Methods• Type 1

• Type 2

• Type 3

• Single Sign-On (SSO)

Now for the Domain 4 Quiz…

CISSP Mentor Program Session #10Domain 4: Communication and Network Security Quiz Review


1. Which protocol should be used for an audio streaming server, where some loss is acceptable?

a. IP

b. ICMP

c. TCP

d. UDP

D


2. What network topology uses fixed-length cells to carry data?

a. ARCNET

b. ATM

c. Ethernet

d. FDDI

B


3. Secure Shell (SSH) servers listen on what port and protocol?

a. TCP port 20

b. TCP port 21

c. TCP port 22

d. TCP port 23

C


4. What network cable type can transmit the most data at the longest distance?

a. Coaxial

b. Fiber optic

c. Shielded Twisted Pair (STP)

d. Unshielded Twisted Pair (UTP)

B


5. Which device operates at Layer 2 of the OSI model?

a. Hub

b. Firewall

c. Switch

d. Router

C


6. What are the names of the OSI model layers, in order from bottom to top?

a. Physical, Data Link, Transport, Network, Session, Presentation, Application

b. Physical, Network, Data Link, Transport, Session, Presentation, Application

c. Physical, Data Link, Network, Transport, Session, Presentation, Application

d. Physical, Data Link, Network, Transport, Presentation, Session, Application

C


7. Which of the following authentication protocols uses a three-way authentication handshake?

a. CHAP

b. EAP

c. Kerberos

d. PAP

A


8. Restricting Bluetooth device discovery relies on the secrecy of what?

a. MAC address

b. Symmetric key

c. Private key

d. Public key

B


9. Which wireless security protocol is also known as the RSN (Robust Security Network), and implements the full 802.11i standard?

a. AES

b. WEP

c. WPA

d. WPA2

D


10. What is the difference between a stateful firewall and a proxy firewall?

a. Stateful firewalls have state, proxy firewalls do not

b. Proxy firewalls have state, stateful firewalls do not

c. Stateful firewalls terminate connections, proxy firewalls do not

d. Proxy firewalls terminate connections, stateful firewalls do not

D


11. Which transmission mode is supported by both HDLC and SDLC?

a. Asynchronous Balanced Mode (ABM)

b. Asynchronous Response Mode (ARM)

c. Normal Balanced Mode (NBM)

d. Normal Response Mode (NRM)

D


12. What is the most secure type of EAP?

a. EAP-TLS

b. EAL-TLLS

c. LEAP

d. PEAP

A


13. What WAN protocol has no error recovery, relying on higher level protocols to provide reliability?

a. ATM

b. Frame Relay

c. SMDS

d. X.25

B


14. What is the most secure type of firewall?

a. Packet filter

b. Stateful firewall

c. Circuit-level proxy firewall

d. Application-layer proxy firewall

D


15. Accessing an IPv6 network via an IPv4 network is called what?

a. CIDR

b. NAT

c. Translation

d. Tunneling

D

CISSP Mentor Program Session #10Domain 5: Identity and Access Management

Single Sign-On (SSO)

As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by Chris Dunne, September 30, 2003, SSO is an important access control and can offer the following benefits:• “Improved user productivity. Users are no longer bogged down by multiple logins and they are not

required to remember multiple IDs and passwords. Also, support personnel answer fewer requests to reset forgotten passwords.”

• “Improved developer productivity. SSO provides developers with a common authentication framework. In fact, if the SSO mechanism is independent, then developers do not have to worry about authentication at all. They can assume that once a request for an application is accompanied by a username, then authentication has already taken place.”

• “Simplified administration. When applications participate in a single sign-on protocol, the administration burden of managing user accounts is simplified. The degree of simplification depends on the applications since SSO only deals with authentication. So, applications may still require user-specific attributes (such as access privileges) to be set up.”


Single Sign-On (SSO)

The disadvantages of SSO are listed below and must be considered before implementing SSO on a system:• “Difficult to retrofit. An SSO solution can be difficult, time consuming, and expensive

to retrofit to existing applications.”• “Unattended desktop. Implementing SSO reduces some security risks, but increases

others. For example, a malicious user could gain access to a user’s resources if the user walks away from his machine and leaves it logged in. Although this is a problem with security in general, it is worse with SSO because all authorized resources are compromised. At least with multiple logons, the user may only be logged into one system at the time and so only one resource is compromised.”

• “Single point of attack. With single sign-on, a single, central authentication service is used by all applications. This is an attractive target for hackers who may decide to carry out a denial of service attack.”


Access Provisioning Lifecycle• After an access control model has been

chosen.

• Identity Lifecycle – provisioning, maintenance (passwords/rights/privileges), changes, re-provisioning, reconciliation/audit


Access Provisioning LifecycleIBM describes the following identity lifecycle rules:• “Password policy compliance checking

• Notifying users to change their passwords before they expire

• Identifying life cycle changes such as accounts that are inactive for more than 30 consecutive days

• Identifying new accounts that have not been used for more than 10 days following their creation

• Identifying accounts that are candidates for deletion because they have been suspended for more than 30 days

• When a contract expires, identifying all accounts belonging to a business partner or contractor’s employees and revoking their access rights”


User Entitlement, Access Review and Audit• Authorization creep• occurs when subjects not only maintain old access rights but gain new ones as they

move from one role to another within an organization

• User rights (or entitlements) must be routinely reviewed


Single Sign-On (SSO)• Identity as a service (IDaaS) - Gartner Inc., divides IDaaS services into

two categories: • Web access software for cloud-based applications such as software as a service

(SaaS)

• Web-architected applications; and cloud-delivered legacy identity management services.

• LDAP – Lightweight Directory Access Protocol – common, open protocol for interfacing and querying directory service information over a network. TCP/UDP port 389. LDAPS (LDAP over TLS); TCP 636 & 3269


Single Sign-On (SSO) - Kerberos• A third-party authentication service that may be used to support Single

Sign-On• Kerberos (http://www.kerberos.org/) was the name of the three-

headed dog that guarded the entrance to Hades (also called Cerberus) in Greek mythology

• The three heads of the mythical Kerberos were meant to signify the three “A”s of AAA systems: authentication, authorization, and accountability

• The original Kerberos mainly provided authentication

http://www.kerberos.org/


Single Sign-On (SSO) - Kerberos• Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-faq/user/)

states:• Kerberos is a network authentication system for use on physically insecure

networks

• Based on the key distribution model presented by Needham and Schroeder

• Allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks

• Provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES (Data Encryption Standard)

The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm. It forms the basis for the Kerberos protocol. This protocol aims to establish a session key between two parties on a network, typically to protect further communication.

http://www.faqs.org/faqs/kerberos-faq/user/


Single Sign-On (SSO) - Kerberos• Uses secret key encryption• Provides mutual authentication of both clients and servers• Protects against network sniffing and replay attacks• Current version of Kerberos is version 5, described by RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt) • Kerberos has the following components:• Principal: Client (user) or service

• Realm: A logical Kerberos network

• Ticket: Data that authenticates a principal’s identity

• Credentials: a ticket and a service key

• KDC: Key Distribution Center, which authenticates principals

• TGS: Ticket Granting Service

• TGT: Ticket Granting Ticket

• C/S: Client Server, regarding communications between the two

http://www.ietf.org/rfc/rfc4120.txt


Single Sign-On (SSO) - Kerberos


Single Sign-On (SSO) - Kerberos• Strengths:• Provides mutual authentication of client and server

• If a rogue KDC pretended to be a real KDC, it would not have access to keys

• mitigates replay attacks (where attackers sniff Kerberos credentials and replay them on the network) via the use of timestamps


Single Sign-On (SSO) - Kerberos• Weaknesses:• KDC stores the plaintext keys of all principals (clients and servers)

• A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm

• KDC and TGS are single points of failure: if they go down, no new credentials can be issued

• Replay attacks are still possible for the lifetime of the authenticator (An attacker could sniff an authenticator, launch a denial-of-service attack against the client, and then assume or spoof the client’s IP address)

• Any user may request a session key for another user

• Kerberos does not mitigate a malicious local host: plaintext keys may exist in memory or cache


Single Sign-On (SSO) - SESAME• Secure European System for Applications in a Multi-vendor Environment

• A single sign-on system that supports heterogeneous environments

• Can be thought of as a sequel of sorts to Kerberos

• It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys

• Uses Privilege Attribute Certificates (PACs) in place of Kerberos’ tickets

• More information on SESAME is available at: https://www.cosic.esat.kuleuven.be/sesame/

https://www.cosic.esat.kuleuven.be/sesame/


Access Control Protocols And Frameworks - RADIUS• Remote Authentication Dial In User Service (RADIUS) protocol

• A third-party authentication system

• Described in RFCs 2865 and 2866

• Uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting)

• Formerly used the (unofficially assigned) ports of 1645 and 1646 for the same respective purposes; some continue to use those ports

• Considered an “AAA” system• Authenticates a subject’s credentials against an authentication database

• Authorizes users by allowing specific users’ access to specific data objects

• Accounts for each data session by creating a log entry for each connection made


Access Control Protocols And Frameworks - RADIUS• Request and response data is carried in Attribute Value Pairs (AVPs)

• According to RFC 2865 (http://tools.ietf.org/html/rfc2865), RADIUS supports the following codes:• Access-Request

• Access-Accept

• Access-Reject

• Accounting-Request

• Accounting-Response

• Access-Challenge

• Status-Server (experimental)

• Status-Client (experimental)

http://tools.ietf.org/html/rfc2865


Access Control Protocols And Frameworks - RADIUS


Access Control Protocols And Frameworks - Diameter• RADIUS’ successor

• Designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework

• Also uses Attribute Value Pairs, but supports many more:• RADIUS uses 8 bits for the AVP field (allowing 256 total possible AVPs)

• Diameter uses 32 bits for the AVP field (allowing billions of potential AVPs)

• Uses a single server to manage policies for many services, as opposed to RADIUS which requires many servers to handle all of the secure connection protocols

• Provides AAA functionality

• More reliable by using the Transmission Control Protocol (TCP)

• Currently a draft standard, first described by RFC 3588 (http://tools.ietf.org/html/rfc3588)

http://tools.ietf.org/html/rfc3588


Access Control Protocols And Frameworks - TACACS and TACACS+• Terminal Access Controller Access Control System (TACACS)

• Centralized access control system that requires users to send an ID and static (reusable) password for authentication

• TACACS uses UDP port 49 (and may also use TCP)

• Reusable passwords have security vulnerability: the improved TACACS+ provides better password protection by allowing two-factor strong authentication

• TACACS+ is not backwards compatible with TACACS

• TACACS+ uses TCP port 49 for authentication with the TACACS+ server

• The actual function of authentication is similar to RADIUS

• RADIUS only encrypts the password (leaving other data, such as username, unencrypted); TACACS+ encrypts all data below the TACACS+ header


PAP and CHAP• Password Authentication Protocol (PAP)• Defined by RFC 1334 (http://tools.ietf.org/html/rfc1334#section-2) • Not a strong authentication method• User password and it is sent across the network in clear text• When received by the PAP server, it is authenticated and validated

• Challenge Handshake Authentication Protocol (CHAP)• Defined by RFC 1994 (http://www.faqs.org/rfcs/rfc1994.html) • Provides protection against playback attacks• Uses a central location that challenges remote users• “CHAP depends upon a ‘secret’ known only to the authenticator and the peer. The secret is not sent over the

link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication.”

• A sniffer that views the entire challenge/response process will not be able to determine the shared secret

http://tools.ietf.org/html/rfc1334#section-2

http://www.faqs.org/rfcs/rfc1994.html


Access Control Protocols And Frameworks - Microsoft Active Directory Domains• Microsoft Windows Active Directory uses the concept of domains as the primary means to

control access

• For authentication purposes, Microsoft bases their authentication of trust relationships on RFC 1510, the Kerberos Authentication Protocol, and it is fully integrated into Microsoft Windows operating systems since Windows 2000.

• Each domain has a separate authentication process and space

• Each domain may contain different users and different network assets and data objects

• If a two-way trust between domains is created, then the users and data objects from each domain can be accessed by groups belonging to either domain.


Access Control Protocols And Frameworks - Microsoft Active Directory Domains

As stated by Microsoft,

• “How a specific trust passes authentication requests depends on how it is configured; trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case trust exists only between the two trust partner domains, or transitive, in which case trust automatically extends to any other domains that either of the partners trusts.”

• Microsoft trust relationships fall into two categories; nontransitive and transitive. Nontransitive trusts only exist between two trust partners. Transitive trusts exist between two partners and all of their partner domains. For example, if A trusts B, in a transitive trust, A will trust B and all of B’s trust partners.


DONE!

On to Domain #6: Security Assessment and Testing

A new domain…

CISSP Mentor Program Session #10Domain 6: Security Assessment and Testing• Assessing Access Control• Software Testing Methods

Unique Terms & Definitions:• Dynamic Testing – Tests code while executing it• Fuzzing – A type of black box testing that submits random, malformed data as inputs

into software programs to determine if they will crash• Penetration Testing – Authorized attempt to break into an organization’s physical or

electronic perimeter (and sometimes both)• Static Testing – Tests code passively: the code is not running.• Synthetic Transactions – Also called synthetic monitoring: involves building scripts or

tools that simulate activities normally performed in an application

CISSP Mentor Program Session #10Domain 6: Security Assessment and Testing

Penetration Testing - Black Hats and White Hats • Black hat attackers are malicious hackers, sometimes called crackers.• “Black” derives from villains in fiction: Darth Vader wore all black

• Lack ethics, sometimes violate laws, and break into computer systems with malicious intent, and may violate the confidentiality, integrity, or availability of organization’s systems and data

• White hat hackers are the “good guys”• Professional penetration testers who break into systems with permission

• Malware researches who research malicious code to provide better understanding and ethically disclose vulnerabilities to vendors, etc.

• Also known as ethical hackers; they follow a code of ethics and obey laws

• Gray hat hackers fall somewhere between black and white hats• Exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the

owners

• Unlike a black hat, a gray hat acts without malicious intent

• The goal of a gray hat is to improve system and network security


Penetration Testing• A penetration tester is a white hat hacker who receives authorization to attempt to break into an

organization’s physical or electronic perimeter (and sometimes both)• Penetration tests (called “pen tests” for short) are designed to determine whether black hat hackers

could do the same• A narrow test• Penetration tests may include the following tests:• Network (Internet)

• Network (internal or DMZ)

• Wardialing

• Wireless

• Physical (attempt to gain entrance into a facility or room)

• Wireless

• Network attacks may leverage client-side attacks, server-side attacks, or Web application attacks


Penetration Testing• War dialing uses modem to dial a series of phone numbers, looking for an answering

modem carrier tone (the penetration tester then attempts to access the answering system); the name derives from the 1983 movie WarGames

• Social engineering uses the human mind to bypass security controls• May be used in combination with many types of attacks, especially client-side attacks or physical tests

• An example of a social engineering attack combined with a client-side attack is emailing malware with a Subject line of “Category 5 Hurricane is about to hit Florida!”

• A physical social engineering attack (used to tailgate an authorized user into a building)


Penetration Testing• A zero-knowledge (also called black box) test is “blind”; the penetration tester begins

with no external or trusted information, and begins the attack with public information only

• A full-knowledge test (also called crystal-box) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers

• Partial-knowledge tests are in between zero and full knowledge: the penetration tester receives some limited trusted information

• Most penetration tests have a scope that includes a limitation on the time spent conducting the test


Penetration Testing Tools and Methodology

• Penetration testing tools:

•Open source Metasploit (http://www.metasploit.org)

• Closed source Core Impact (http://www.coresecurity.com) and Immunity Canvas (http://www.immunitysec.com)

• Top 125 Network Security Tools (http://sectools.org/)

• Custom tools

http://www.metasploit.org/

http://www.coresecurity.com/

http://www.immunitysec.com/

http://sectools.org/


Penetration Testing Tools and Methodology• Penetration testers use the following methodology:• Planning• Reconnaissance• Scanning (also called enumeration)• Vulnerability assessment• Exploitation• Reporting

• Black hat hackers typically follow a similar methodology• Black hats will also cover their tracks (erase logs and other signs of

intrusion), and frequently violate system integrity by installing back doors (in order to maintain access)


Assuring Confidentiality, Data Integrity, and System Integrity• Penetration testers must ensure the confidentiality of any sensitive data that

is accessed during the test• Testers will often request that a dummy file containing no regulated or

sensitive data (sometimes called a flag) be placed in the same area of the system as the credit card data, and protected with the same permissions

• If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data

• Penetration testers must be sure to ensure the system integrity and data integrity of their client’s systems

• The risk of encountering signs of a previous or current successful malicious attack (discuss this before starting a test)


Vulnerability Testing• Vulnerability scanning (also called vulnerability testing) scans a

network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching

• Nessus (http://www.nessus.org), OpenVAS (http://www.openvas.org), Qualys, and Rapid 7/Nexpose

• Missing patches and configuration errors• Common Vulnerability Scoring System (CVSS) -

https://nvd.nist.gov/cvss.cfm

http://www.nessus.org/

http://www.openvas.org/

https://nvd.nist.gov/cvss.cfm


Security Audits• Testing against a published standard

• PCI-DSS compliance

• SOC 2, Type 1 and SOC 2, Type 2

• Purpose is to validate/verify that an organization meets the requirements as stated in the published standard


Security Assessments• A holistic approach to assessing the effectiveness of access control• Broad scope• Security assessments view many controls across multiple domains, and may

include the following:• Policies, procedures, and other administrative controls• Assessing the real world-effectiveness of administrative controls• Change management• Architectural review• Penetration tests• Vulnerability assessments• Security audits


Security Assessments• Key words… “assessing the effectiveness”

• Where there are gaps in control (weakness/vulnerability), what are the applicable threats?

• Vulnerabilities + Threats = Likelihoods & Impacts = RISK

• FRSecure specializes in assessments – FISA™


Security Assessments• FRSecure specializes in assessments – FISA™ is at our core.


Internal and 3rd-Party Audits• Internal audit• Structured audits – external audience, validate compliance, etc.

• Unstructured audits – internal audience, improve security, etc.

• 3rd-Party audits• Experts (hopefully)

• Adds credibility

• Teach


Security Audit Logs• According to “Five mistakes of Log Analysis” by Anton Chuvakin (see

http://www.computerworld.com/s/article/96587/Five_mistakes_of_log_analysis), audit record management typically faces five distinct problems:• Log are not reviewed on a regular and timely basis.

• Audit logs and audit trails are not stored for a long enough time period.

• Logs are not standardized or viewable by correlation toolsets—they are only viewable from the system being audited.

• Log entries and alerts are not prioritized.

• Audit records are only reviewed for the “bad stuff.”

http://www.computerworld.com/s/article/96587/Five_mistakes_of_log_analysis


Security Audit Logs• Reviewing security audit logs within an IT system is one of the easiest ways to verify that

access control mechanisms are performing adequately• Reviewing audit logs is primarily a detective control• According to NIST Special Publication 800-92 (http://csrc.nist.gov/publications/nistpubs/800-

92/SP800-92.pdf), the following log types should be collected:• Network Security Software/Hardware:• Antivirus logs• IDS/IPS logs• Remote Access Software (such as VPN logs)• Web proxy• Vulnerability management• Authentication servers• Routers and firewalls

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf


Security Audit Logs• According to NIST Special Publication 800-92

(http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf), the following log types should be collected:• Operating System:• System events• Audit records• Applications• Client requests and server responses• Usage information• Significant operational actions

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf


Security Audit Logs – Centralized Logging• Assists in log retention (sufficient for legal/regulatory compliance

and investigation)• Assists in log protection (integrity & availability)• SIEM• Log protection• Log aggregation• Log correlation• Dashboard reporting


Software Testing Methods• Static testing tests the code passively: the code is not running. This includes walkthroughs,

syntax checking, and code reviews.• Dynamic testing tests the code while executing it.• White box software testing gives the tester access to program source code, data structures,

variables, etc.• Black box testing gives the tester no internal details: the software is treated as a black box that

receives inputs.• Traceability Matrix (sometimes called a Requirements Traceability Matrix, or RTM) can be used

to map customer’s requirements to the software testing plan: it “traces” the “requirements,” and ensures that they are being met.

• Fuzzing (also called fuzz testing) is a type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash.

• Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.


Software Testing Methods• Static testing tests the code passively: the code is not running. This

includes walkthroughs, syntax checking, and code reviews.

• analysis of computer software that is performed without actually executing programs

• In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code

• List of tools for static code analysis (https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis)

https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis


Software Testing Methods• Traceability Matrix

(or Requirements Traceability Matrix or RTM)


Software Testing Levels• Unit Testing: Low-level tests of software components, such as

functions, procedures or objects• Installation Testing: Testing software as it is installed and first operated• Integration Testing: Testing multiple software components as they are

combined into a working system. Subsets may be tested, or Big Bang integration testing tests all integrated software components

• Regression Testing: Testing software after updates, modifications, or patches

• Acceptance Testing: testing to ensure the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called User Acceptance Testing.


Fuzzing• Black box testing that enters random, malformed data as inputs into

software programs to determine if they will crash.• Typical causes are boundary checking issues, leading to possible buffer

overflows• Typically automated, repeatedly presenting random input strings as

command line switches, environment variables, and program inputs attack

• List of good fuzzers; http://sectools.org/tag/fuzzers/.• Burp Suite https://portswigger.net/burp/

http://sectools.org/tag/fuzzers/

https://portswigger.net/burp/


Other Software Testing Terms• Misuse Case Testing - derived from and is the inverse of use case

testing; describes the process of executing a malicious act against a system, while use case can be used to describe any action taken by the system

• Test Coverage Analysis

• Interface Testing – testing of all interfaces exposed by the application.

• Combinatorial software testing - a black-box testing method that seeks to identify and test all unique combinations of software inputs.


DONE!

On to Domain #7: Security Operations

Adomain…

CISSP Mentor Program Session #10Domain #7: Security Operations• Administrative Security• Forensics• Incident Response Management• Operational Preventive and Detective Controls• Asset Management• Continuity of Operations• BCP and DRP Overview and Process• Developing a BCP/DRP• Backups and Availability• DRP Testing, Training and Awareness• Continued BCP/DRP Maintenance• Specific BCP/DRP Frameworks

CISSP Mentor Program Session #10Domain #7: Security Operations

Unique Terms and Definitions• Business Continuity Plan (BCP)—a long-term plan to ensure the

continuity of business operations• Collusion—An agreement between two or more individuals to subvert

the security of a system• Continuity of Operations Plan (COOP)—a plan to maintain operations

during a disaster.• Disaster—any disruptive event that interrupts normal system

operations• Disaster Recovery Plan (DRP)—a short-term plan to recover from a

disruptive event


Unique Terms and Definitions• Mean Time Between Failures (MTBF)—quantifies how long a new or

repaired system will run on average before failing• Mean Time to Repair (MTTR)—describes how long it will take to

recover a failed system• Mirroring—Complete duplication of data to another disk, used by some

levels of RAID.• Redundant Array of Inexpensive Disks (RAID)—A method of using

multiple disk drives to achieve greater data reliability, greater speed, or both

• Striping—Spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID


Administrative security• Administrative Security provides the means to control people's

operational access to dataLeast Privilege or Minimum Necessary Access• Dictates that persons have no more than the access that is strictly

required for the performance of their duties• May also be referred to as the principle of minimum necessary

access• Discretionary Access Control (DAC) – most often applicable


Need to know

• Mandatory Access Control (MAC)

• Access determination is based upon clearance levels of subjects and classification levels of objects

• An extension to the principle of least privilege in MAC environments is the concept of compartmentalization:• A method for enforcing need to know goes beyond the reliance upon

clearance level and necessitates simply that someone requires access to information.


Separation of Duties

• Prescribes that multiple people are required to complete critical or sensitive transactions

• Goal of separation of duties is to ensure that in order for someone to be able to abuse their access to sensitive data or transactions; they must convince another party to act in concert• Collusion is the term used for the two parties conspiring to undermine the security

of the transaction


Rotation of Duties/Job Rotation• Also known as job rotation or rotation of responsibilities• Provides a means to help mitigate the risk associated with any one individual having

too many privileges• Requires that critical functions or responsibilities are not continuously performed by

the same single person without interruption• “hit by a bus” or “win the lottery” scenario

Exam Warning: Though job or responsibility rotation is an important control, this, like many other controls, is often compared against the cost of implementing the control. Many organizations will opt for not implementing rotation of duties because of the cost associated with implementation. For the exam, be certain to appreciate that cost is always a consideration, and can trump the implementation of some controls.


Mandatory Leave/Forced Vacation

• Also known as forced vacation

• Can identify areas where depth of coverage is lacking

• Can also help discover fraudulent or suspicious behavior

• Knowledge that mandatory leave is a possibility might deter some individuals from engaging in the fraudulent behavior in the first place


Non-Disclosure Agreement

• A work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information.

• Often signed by job candidates before they are hired, as well as consultants or contractors

• Largely a directive control


Background Checks• Also known as background investigations or preemployment screening• Majority of background investigations are performed as part of a

preemployment screening process• The sensitivity of the position being filled or data to which the individual will

have access strongly determines the degree to which this information is scrutinized and the depth to which the investigation will report

• Ongoing, or postemployment, investigations seek to determine whether the individual continues to be worthy of the trust required of their position

• Background checks performed in advance of employment serve as a preventive control while ongoing repeat background checks constitute a detective control and possibly a deterrent.


Privilege Monitoring

• Heightened privileges require both greater scrutiny and more thoughtful controls

• Some of the job functions that warrant greater scrutiny include: account creation/modification/deletion, system reboots, data backup, data restoration, source code access, audit log access, security configuration capabilities, etc.


Digital Forensics• Provides a formal approach to dealing with investigations and evidence

with special consideration of the legal aspects of the process• Forensics is closely related to incident response• Main distinction between forensics and incident response is that forensics is

evidence-centric and typically more closely associated with crimes, while incident response is more dedicated to identifying, containing, and recovering from security incidents

• The forensic process must preserve the “crime scene” and the evidence in order to prevent unintentionally violating the integrity of either the data or the data's environment


Digital Forensics• Prevent unintentional modification of the system• Antiforensics makes forensic investigation difficult or impossible• One method is malware that is entirely memory-resident, and not installed on the disk drive. If an

investigator removes power from a system with entirely memory-resident malware, all volatile memory including RAM is lost, and evidence is destroyed.

• Valuable data is gathered during the live forensic capture• The main source of forensic data typically comes from binary images of secondary

storage and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, and possibly associated cellular phones and mp3 players

• A binary or bit stream image is used because an exact replica of the original data is needed

• Normal backup software will only capture the active partitions of a disk, and only that data which is marked as allocated


Digital Forensics

The four types of data that exist:• Allocated space—portions of a disk partition which are marked as

actively containing data.

• Unallocated space—portions of a disk partition that do not contain active data. This includes memory that has never been allocated, and previously allocated memory that has been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and available for use.


Digital ForensicsThe four types of data that exist:• Slack space—data is stored in specific size chunks known as clusters. A cluster

is the minimum size that can be allocated by a file system. If a particular file, or final portion of a file, does not require the use of the entire cluster then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data, or can be used intentionally by attackers to hide information.

• “Bad” blocks/clusters/sectors—hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.


Digital Forensics• Numerous tools that can be used to create the binary backup including free

tools such as dd and windd as well as commercial tools such as Ghost (when run with specific nondefault switches enabled), AccessData's FTK, or Guidance Software's EnCase.

• The general phases of the forensic process are:• the identification of potential evidence;• the acquisition of that evidence;• analysis of the evidence;• production of a report

• Hashing algorithms are used to verify the integrity of binary images• When possible, the original media should not be used for analysis


Live Forensics• Forensics investigators have traditionally removed power from a

system, but the typical approach now is to gather volatile data. Acquiring volatile data is called live forensics.

• The need for live forensics has grown tremendously due to non-persistent tools that don’t write anything to disk

• One example from Metasploit…


Live Forensics - Metasploit• Popular free and open source exploitation framework

• Metasploit framework allows for the modularization of the underlying components of an attack, which allows for exploit developers to focus on their core competency without having to expend energy on distribution or even developing a delivery, targeting, and payload mechanism for their exploit

• Provides reusable components to limit extra work

• A payload is what Metasploit does after successfully exploiting a target


Live Forensics – Metasploit & Meterpreter• One of the most powerful Metasploit payloads• Can allow password hashes of a compromised computer being dumped to an

attacker's machine• The password hashes can then be fed into a password cracker• Or the password hashes might be capable of being used directly in Metasploit's

PSExec exploit module, which is an implementation of functionality provided by Sysinternal's (now owned by Microsoft) PSExec, but bolstered to support Pass the Hash functionality.

Information on Microsoft's PSExec can be found at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx. Further details on Pass the Hash techniques can be found at http://oss.coresecurity.com/projects/pshtoolkit.htm

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

http://oss.coresecurity.com/projects/pshtoolkit.htm


Live Forensics – Metasploit & Meterpreter• Dumping password hashes with Meterpreter.• In addition to dumping password hashes, Meterpreter provides features such

as:• command execution on the remote system• uploading or downloading of files• screen capture• keystroke logging• disabling the firewall• disabling antivirus• registry viewing and modification

• Meterpreter's capabilities are updated regularly


Live Forensics – Metasploit & Meterpreter• Dumping password hashes with Meterpreter.


Live Forensics – Metasploit & Meterpreter• Dumping the registry with Meterpreter.

• Meterpreter was designed with detection evasion in mind

• Meterpreter can provide almost all of the functionalities listed above without creating a new file on the victim system

• Runs entirely within the context of the exploited victim process, and all information is stored in physical memory rather than on the hard disk.


Live Forensics – Metasploit & Meterpreter• Dumping the registry with Meterpreter.


Live Forensics – Metasploit & Meterpreter• If the forensic investigator removed the power supply from the

compromised machine, destroying volatile memory: there would be little to no information for the investigator to analyze

Questions?We made it through Class #10!

Check it out…

We finished Domain 5: Identity and Access Management, went all the way through it through Domain 6: Security Assessment and Testing, and started Domain 7: Security Operations!

Homework for Tuesday (5/2)◦ Catch-up with reading; we’re going to finish Domain 7 on Tuesday.◦ Take a spin through the Access Control quiz.

Have a great mid-week!

Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017

Education

Transcript of Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017