CISSP Session 05
The CISSP Bootcamp
Your instructor: Michael J Shannon
CISSP #42221 / #524169, CCNP-Security, PCNSE7, AWS Certified Security – Specialty, OpenFAIR, and ITIL 4 Managing Professional
Class will begin at 10:00 A.M. Central Standard Time (CST)
• Private - Deployed within the organization by the organization for the organization – can be on-premises or hosted
• Public - Deployed by a provider within their organization for other organizations to use
• Community - Private or public but only shared between trusted groups
• Hybrid - Combination of public and/or private and/or community
Virtualization Fundamentals
[Diagram: hypervisor layered on hardware; a Type 2 hypervisor hosting application VMs on top of hardware]
VM Sprawl
• VM sprawl occurs when the number of VMs overwhelms the administrator’s ability to manage them
• Can also be “ghost IT” and unauthorized VM software, operating systems, and applications
• VM sprawl avoidance
  • Enforce a strict process for deploying VMs
  • Have a library of standard VM images
  • Archive or recycle under-utilized VMs
  • Implement a Virtual Machine Lifecycle Management tool
VM Escape
• VM escape - When a process running in the VM interacts directly with the host OS
• VM escape protection
  • Patch VMs and VM software regularly
  • Only install what you need on the host and the VMs
  • Install verified and trusted applications only
  • Use strong passwords
  • Control VM access
Secure By Design
• A CSRF attack forces an end user to perform undesirable actions in a web application in which they are authenticated
• An effective CSRF attack can force users to perform state-changing requests such as
  • Transferring funds
  • Changing their e-mail address
  • Changing their password
• If the victim is an administrative account, the CSRF attack can compromise the entire web application
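The standard defence for the state-changing requests listed above is a synchronizer token: the server issues one random token per authenticated session, the page embeds it in its forms, and every state-changing request must echo it back. The following is an added example and not code from the CISSP deck; the session store, the request dictionary, and the funds-transfer endpoint are hypothetical stand-ins for a real web framework.

```python
"""Synchronizer-token CSRF defence for state-changing requests (added example)."""
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side session store: session_id -> session data.
SESSIONS: Dict[str, dict] = {}

# HTTP methods that may change state and therefore require the token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) the per-session token that forms embed in a hidden field."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_csrf_safe(session_id: str, method: str, submitted_token: Optional[str]) -> bool:
    """Return True if the request may proceed.

    Read-only methods pass. State-changing methods must carry the token stored in
    the authenticated session; the comparison is constant-time so a wrong token
    cannot be narrowed down byte by byte.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


def handle_transfer(session_id: str, request: dict) -> str:
    """Hypothetical funds-transfer endpoint guarded by the CSRF check.

    `request` is a constructed dict with 'method' and 'form' keys, standing in
    for a framework request object.
    """
    token = request.get("form", {}).get("csrf_token")
    if not is_csrf_safe(session_id, request["method"], token):
        return "403 Forbidden: missing or invalid CSRF token"
    amount = request["form"]["amount"]
    return f"200 OK: transferred {amount}"


if __name__ == "__main__":
    sid = "session-abc"            # constructed session id of a logged-in user
    token = issue_csrf_token(sid)  # the legitimate page renders this in its form

    # Legitimate submission from the application's own form carries the token.
    print(handle_transfer(sid, {"method": "POST", "form": {"amount": 100, "csrf_token": token}}))
    # A request the user did not intend: the browser still attaches the session
    # cookie, but a third-party page cannot read the token, so none is present.
    print(handle_transfer(sid, {"method": "POST", "form": {"amount": 100}}))
```

The check works because the session cookie is sent automatically by the browser while the token is not; tying the token to the session and comparing in constant time keeps it from being guessed or reused across accounts.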
Clickjacking
UI Redress Attack and Typosquatting
• Attacker uses several transparent layers to trick users into clicking on a button or link on one page, which then hijacks the user's session and routes them to a different page
• Uses cleverly modified iFrames, style sheets, and text boxes
• To counter, send the correct X-Frame-Options HTTP response headers to tell the browser not to allow framing from other domains
• Also use defensive code in the UI to make certain that the current frame is the most top-level window
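A practitioner auditing an application for the header countermeasure above needs to read two headers, not one: the X-Frame-Options header the slide names, and the Content-Security-Policy frame-ancestors directive that newer browsers consult first. The check below is an added example, not code from the deck; it decides whether a response's headers block framing from other domains. The endpoint paths and header sets at the bottom are constructed.

```python
"""Check whether response headers stop other domains from framing a page (added example)."""
from typing import Dict, List, Optional


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if the
    directive is absent. Quotes around keywords such as 'self' are stripped."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_blocked(headers: Dict[str, str]) -> bool:
    """True if these headers tell the browser not to allow framing from other domains.

    A frame-ancestors directive wins over X-Frame-Options when both are present.
    Only 'none' and 'self' sources count as blocking; a wildcard or an explicit
    foreign host permits framing, and so does the obsolete ALLOW-FROM form of
    X-Frame-Options, which current browsers ignore.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # An empty source list behaves like 'none'.
            return all(src in ("none", "self") for src in sources)
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return False
    return xfo.strip().upper() in ("DENY", "SAMEORIGIN")


def recommended_frame_headers() -> Dict[str, str]:
    """The header pair to send so both older and current browsers refuse cross-domain framing."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    # Constructed responses from hypothetical endpoints.
    samples = {
        "/login": {"X-Frame-Options": "SAMEORIGIN"},
        "/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "/widget": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
        "/none": {},
    }
    for path, hdrs in samples.items():
        status = "blocked" if framing_blocked(hdrs) else "FRAMEABLE by other domains"
        print(f"{path:8} {status}")
```

The `/widget` case is the one that surprises people: a DENY header does nothing once a permissive frame-ancestors directive is present, so an audit that only looks at X-Frame-Options reports a false pass.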
Cookie Problems
• Cookies were originally poorly designed
• Out of sync with browser same-origin policy (SOP)
• SOP is important as the web browser allows scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin
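The "out of sync" point becomes concrete when the two scoping rules are written down side by side: the same-origin policy compares a (scheme, host, port) triple, while a cookie's scope is its Domain and Path attributes, which ignore scheme and port and cover subdomains. The following is an added example, not code from the deck; it implements both rules (RFC 6265 domain and path matching for cookies) and lists the URLs that receive a cookie despite being a different origin from the page that set it. All URLs are constructed.

```python
"""Same-origin policy versus cookie scope (added example)."""
from typing import List, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, 0)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """SOP check: scripts from url_a may read url_b's data only if this is True."""
    return origin(url_a) == origin(url_b)


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: the exact host, or any subdomain of the Domain attribute."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_would_be_sent(cookie_domain: str, cookie_path: str, url: str) -> bool:
    """True if a cookie scoped by Domain and Path is attached to a request for url.

    Scheme and port play no part, which is the gap the Secure and SameSite
    attributes were later added to narrow (they are deliberately not modelled here).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    path_ok = path == cookie_path or path.startswith(cookie_path.rstrip("/") + "/")
    return cookie_domain_matches(cookie_domain, host) and path_ok


def cookie_scope_gap(cookie_domain: str, cookie_path: str,
                     setter_url: str, urls: List[str]) -> List[str]:
    """URLs that receive the cookie even though they are a different origin
    from the page that set it: the mismatch between cookie scope and SOP."""
    return [u for u in urls
            if cookie_would_be_sent(cookie_domain, cookie_path, u)
            and not same_origin(setter_url, u)]


if __name__ == "__main__":
    # Constructed: a cookie set by https://example.com/ with Domain=example.com; Path=/
    candidates = [
        "https://example.com/account",    # same origin
        "http://example.com/account",     # different scheme and port, still gets the cookie
        "https://api.example.com/v1",     # different host (subdomain), still gets the cookie
        "https://other.example/",         # unrelated site, no cookie
    ]
    for u in cookie_scope_gap("example.com", "/", "https://example.com/", candidates):
        print("cookie sent to a different origin:", u)
```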
• Normalization
  • Ensuring there is no redundancy in data, and that like items are stored together
• Stored procedures
  • Precompiled groups of code, statements, and commands that can be called later
Secure Coding Principles
• Code signing and encryption
  • Digitally signing code to prove authorship and ensure integrity
  • Ensure the confidentiality of the code in transit, at rest, and in use
• Obfuscation/camouflage
  • Deliberately use code that humans have a hard time understanding
• Memory management
  • Allocate memory/buffers when needed, release them for re-use when no longer needed
• WS-Security (WSS)
  • A SOAP extension that enforces confidentiality and integrity for web services
• Burp Suite
  • Enterprise web application vulnerability scanner
Software Assurance
• The key objective of the Software Assurance Program is to shift the security paradigm from patch management to software assurance
• Encourage developers to raise overall software quality and security from the start
• Emphasize the usage of tested standard libraries and modules
• Employ industry-accepted approaches that recognize that software security is fundamentally a software engineering issue that must be addressed systematically throughout the software development life cycle
Security Requirements Traceability Matrix (SRTM)
• An SRTM can provide a template for a software or system design document and requirements definition
• It is a grid that provides visibility into the requirements for software or system security
• Traceability matrices can be used for any type of project, as they allow requirements and tests to be easily traced
• The matrix is a way to ensure accountability for all processes and helps confirm that all security tasks are completed
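An SRTM earns its keep when it is queried, not just filled in: each row ties a security requirement to its source, the design components that satisfy it and the tests that verify it, and the "accountability" the slide mentions is a report of rows where any of those links is missing or a test is not passing. The following is an added example, not material from the deck; all requirement ids, policy references, component names, test ids and results are constructed.

```python
"""Security Requirements Traceability Matrix as a coverage check (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Requirement:
    req_id: str
    text: str
    source: str                                          # policy/standard clause it traces back to
    components: List[str] = field(default_factory=list)  # design elements satisfying it
    tests: List[str] = field(default_factory=list)       # test cases verifying it


def trace_gaps(reqs: List[Requirement], results: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each requirement id to the list of traceability gaps found for it.

    `results` maps test id -> 'pass' | 'fail'; a test id absent from it has not run.
    A requirement with an empty list is fully traced.
    """
    gaps: Dict[str, List[str]] = {}
    for r in reqs:
        found: List[str] = []
        if not r.components:
            found.append("no design component implements it")
        if not r.tests:
            found.append("no test verifies it")
        for t in r.tests:
            status = results.get(t)
            if status is None:
                found.append(f"test {t} has not run")
            elif status != "pass":
                found.append(f"test {t} is failing")
        gaps[r.req_id] = found
    return gaps


def fully_traced(reqs: List[Requirement], results: Dict[str, str]) -> bool:
    """True when every security requirement is implemented and verified by a passing test."""
    return all(not g for g in trace_gaps(reqs, results).values())


def render_srtm(reqs: List[Requirement], results: Dict[str, str]) -> str:
    """Plain-text grid view of the matrix, one row per requirement."""
    gaps = trace_gaps(reqs, results)
    lines = [f"{'ID':<6}{'Source':<14}{'Components':<22}{'Tests':<12}Status"]
    for r in reqs:
        status = "OK" if not gaps[r.req_id] else "; ".join(gaps[r.req_id])
        comps = ",".join(r.components) or "-"
        tests = ",".join(r.tests) or "-"
        lines.append(f"{r.req_id:<6}{r.source:<14}{comps:<22}{tests:<12}{status}")
    return "\n".join(lines)


# Constructed sample matrix.
SAMPLE_REQS = [
    Requirement("SR-1", "Passwords stored only as salted hashes", "Policy 4.2", ["auth-service"], ["T-1"]),
    Requirement("SR-2", "Sessions expire after 15 minutes idle", "Policy 4.5", ["session-mgr"], ["T-2"]),
    Requirement("SR-3", "Security events forwarded to the SIEM", "Policy 7.1"),
    Requirement("SR-4", "TLS 1.2 or later on all external listeners", "Std TLS-01", ["api-gateway"], ["T-4"]),
]
SAMPLE_RESULTS = {"T-1": "pass", "T-2": "fail"}

if __name__ == "__main__":
    print(render_srtm(SAMPLE_REQS, SAMPLE_RESULTS))
    print("all security tasks complete:", fully_traced(SAMPLE_REQS, SAMPLE_RESULTS))
```

Feeding `trace_gaps` the latest test results turns the matrix into a release gate: a non-empty gap list for any row is a security task that is not yet complete.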
Enterprise Mobility Management
BYOD
Deployment Models - BYOD
• Corporate-owned, Personally-enabled (COPE)
  • Company gives employees mobile devices
  • Users can handle them as if they were their own
  • Prevents the need for two smartphones
  • Programs should use containerization tools
Enterprise Mobility Management (EMM)
• Organizations must securely configure and implement each layer of the technology stack, including mobile hardware, firmware, O/S, management agent, and the apps used for business
• Solution should reduce risk, so employees are able to access the necessary data from nearly any location, over any network, using a wide variety of mobile devices
• Enterprise mobility management is the combination of mobile device management (MDM) and mobile application management (MAM)
Mobile Device Management (MDM)
• Technology to enable the management and control of mobile devices used to access business resources
  • Enrolling devices for management
  • Provisioning settings like digital certificates and profiles
  • Monitoring, measuring, and reporting device compliance
  • Removing corporate data from devices (data leak prevention)
Mobility Security and Privacy Concerns
• Geolocation
  • Know your policy for enabling geolocation, as this is a vulnerability for certain sectors
• Geotagging
  • There is a risk of social surveillance by GPS with geotagging
• Geofencing
  • Geofencing can be used to put restrictions on where a mobile device can be actively used based on GPS
  • It could be based on RFID tagging
• Spectrum management
  • New bandwidths opening up that could be used in an unauthorized manner
Tethering and Other Challenges
• USB On-The-Go (USB OTG)
  • Allows mobile devices to directly connect to one another
  • As a host, additional hardware (storage, keyboards, cameras, and more) can work together with your USB OTG handset
• Mobile payment
  • Near-field communication (NFC) enabled
  • Mobile wallet
  • Peripheral-enabled payments (credit card reader)
Containerization and Sandboxing
• Provides protection, isolation, and integrity functionality to get better levels of overall data isolation
• Containerization is technically a mobile application management (MAM) technique that limits the environments in which certain code can run
• Users can continue to chat, text, and tweet without affecting business functions, since sensitive apps and data remain protected within sandboxed containers with separate controls and higher security levels
Application Wrapping