InfoSec Midterm
The Threat Environment: consists of the types of attackers and attacks that
companies face.
Security goals (CIA):
Confidentiality: unauthorized people can’t read sensitive information,
either while it is on a computer or while it’s traveling across a network.
Integrity: attackers can’t change or destroy information, either while it is
on a computer or while it’s traveling across a network. Or at least, if
information is changed or destroyed, then the receiver can detect the
change or restore destroyed data.
Availability: people who are authorized to use information aren’t
prevented from doing so.
Countermeasures (safeguards, protections, controls): tools used to thwart
(prevent) attacks. Types: preventative, deterring, deflective, detective,
corrective.
Employees & ex-employees are dangerous: they know the internal system, have
permissions to access systems, know how to avoid detection, and generally are
trusted.
Employee sabotage: destruction of hardware, software, or data.
Employee Hacking: intentionally accessing a computer resource without
authorization >> Authorization is key
Employee Financial theft: theft of money
Employee Theft of Intellectual Property: copyrights & patents. Trade secrets:
plans, product formulations,...
Employee extortion
Internet abuse: download pornography, pirated software,..., excessive personal
use of internet at work.
Malware: “evil software”
Viruses: programs that attach themselves to legitimate programs on the victim’s
machine. Spread by email, message, file transfer,...
Worms: full programs that don’t attach themselves to other programs. Can jump
from 1 computer to another without human intervention. Computer must have a
vulnerability for direct-propagation to work > can spread extremely rapidly
because they don’t have to wait for user to act.
Trojan: malicious code hidden in a legitimate program > the user has to
download/interact with it.
Payloads: pieces of code that do damage (heavy damage). Implemented by
viruses and worms after propagation.
Nonmobile malware: placed on computer by hackers. Nonmobile malware
refers to malicious software that is designed to infect and compromise computer
systems, but it does not have the inherent ability to spread to other systems on
its own.
Trojan horses: a malicious program hidden inside another program:
Remote Access Trojans (RATs): remotely control the victim’s PC
Downloader: small trojan horses that download larger trojan horses after
the downloader is installed.
Spyware: programs that gather information about you and make it
available to the adversary. Cookies store too much sensitive personal
information…
Rootkits: take control of the super user account (root, admin,...). Can hide
themselves/malware from the file system detection. Extremely difficult to
detect.
Blended threats: malware propagates in several ways - worms, viruses,
compromised webpages containing mobile code, etc.
Mobile code: executable code on a webpage, executed automatically when the
webpage is downloaded. Can do damage if computer has vulnerability.
Social engineering in malware: attempt to trick users into doing something that goes
against security policies (spam, phishing, spear phishing, hoaxes).
Traditional hackers: motivated by thrill, validation of skills, sense of power.
Anatomy of a Hack:
The exploit: the specific attack method that the attacker uses to break
into the computer is called the attacker’s exploit. The act of implementing
the exploit is called exploiting the host.
Chain of attack computers: the attacker attacks through a chain of victim
computers. Probe and exploit packets contain the source IP address of the last
computer in the chain. The final attack computer receives replies and passes
them back to the attacker. The victim can trace back to the final attack computer.
Risk Analysis
Risk analysis weighs the probable cost of compromises against the costs of
countermeasures:
Asset Value (AV) x Exposure Factor (EF - percentage loss in asset value if a
compromise occurs) = Single Loss Expectancy (SLE - expected loss in case of a
compromise)
SLE x Annualized Rate of Occurrence (ARO - annual probability of a
compromise) = Annualized Loss Expectancy (ALE - expected loss per year from
this type of compromise).
-> Always choose the one that has the higher Annualized Net Countermeasure
Value.
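A worked comparison using the formulas above, as an added example that is not part of the original notes. All figures are constructed, and the net countermeasure value is taken here as the ALE reduction minus the countermeasure's annual cost, which the notes do not spell out.

```python
# Added example: classic risk analysis for two candidate countermeasures.
# Every dollar figure and percentage below is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float         # AV
    exposure_factor: float     # EF: fraction of AV lost per compromise
    aro: float                 # ARO: expected compromises per year
    annual_cost: float = 0.0   # annualized cost of the countermeasure

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def net_countermeasure_value(base: Scenario, option: Scenario) -> float:
    # Assumption: net value = (base ALE - ALE with countermeasure) - annual cost.
    return (base.ale - option.ale) - option.annual_cost


def best_option(base: Scenario, options: list) -> Scenario:
    """Pick the option with the higher annualized net countermeasure value."""
    return max(options, key=lambda o: net_countermeasure_value(base, o))


BASE = Scenario("no countermeasure", 100_000, 0.80, 0.50)
# Option A lowers the damage per compromise (EF); option B lowers the frequency (ARO).
OPTION_A = Scenario("A: lower EF", 100_000, 0.20, 0.50, annual_cost=17_000)
OPTION_B = Scenario("B: lower ARO", 100_000, 0.80, 0.25, annual_cost=4_000)

if __name__ == "__main__":
    for s in (BASE, OPTION_A, OPTION_B):
        net = net_countermeasure_value(BASE, s)
        print(f"{s.name:20} SLE={s.sle:>9,.0f} ALE={s.ale:>9,.0f} net={net:>9,.0f}")
    print("choose:", best_option(BASE, [OPTION_A, OPTION_B]).name)
```

Option A removes more expected loss per year, but option B wins once the cost of each countermeasure is subtracted.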
Total cost of incident (TCI): the exposure factor in classic risk analysis assumes
that a percentage of the asset is lost. In most cases, damage doesn’t come from
asset loss.
Many-to-Many relationships between Countermeasure and Resources:
Single countermeasures (firewall) often protect many resources
Single resources (data on a server) are often protected by multiple
countermeasures.
Problems with Classic risk analysis calculations:
Impossible to know the Annualized Rate of Occurrence (no simple way to
estimate)
Impossible to do it perfectly, must be done as well as possible, identifies
key considerations.
Responding to Risk:
Risk reduction: install countermeasures
Risk Acceptance: in case countermeasures are too expensive.
Risk transference: buy insurance against security-related losses. Good
for rare but extremely damaging attacks.
Risk avoidance: not take risky action
Technical security architectures: how countermeasures are organized.
Must upgrade legacy technologies (put in place previously) if they seriously
impair security.
Defense in depth: resource is guarded by several countermeasures
Weakest link: a single countermeasure with multiple interdependent
components >> Weaker than Defense in depth
Avoiding single points of vulnerability > can have drastic consequences
Minimizing security burdens
Elements of Technical Security Architecture:
Border management
Internal site management
Remote connection
Interorganizational systems with other firms
Centralized security management:
Increases the speed of actions
Reduces the cost of actions
Policies: statements of what’s to be done > clarity and direction
Chapter 3: Cryptography
Hybrid Encryption: use public key encryption to share a secret key between parties >
then use that key & secret key encryption for the communication.
Hash Functions:
Hashing is used to transform a bit string of any length into a fixed-length
hash.
Hash functions serve various purposes, including generating signatures
and message authentication codes (MACs).
Message Authentication Codes (MACs): authenticating a message using a
secret key (use hash to create).
Signatures: Authenticate a message, in a public-key setting (generate key pair
Ks and Kv).
Hybrid signature to create digital signature: Signing a long message
can be time-consuming. To speed up the process, a hash function is
used to create a shorter "message digest." This digest is then signed
instead of the entire long message. Because the digest is shorter, both the
signing and verification processes are faster.
To test this digital signature: hash the received plaintext with the same
hashing algorithm, which gives the message digest > verify the digital
signature with the true party’s public key, which gives the message digest
if sender has the true party’s private key >> match > message is
authenticated
Cryptographic system stages:
2 parties agree on a cryptographic system to use
Each cryptographic system dialogue begins with 3 brief handshaking stages:
Handshaking stage 1: initial negotiation of security parameters -
choosing cipher suite: The strongest Cipher suite: SHA256
Handshaking stage 2: initial authentication (usually mutual):
1. Client sends credentials (password) to server (now both know the
password)
2. Server sends a challenge message to the client
3. Client adds password to challenge message >> hashes the result >>
hash result becomes response message
4. Client sends the response message to the server.
5. Server does the same thing with the challenge message >> hash >>
compare the results >> should match.
Handshaking stage 3: keying (secure exchange of keys and other
secrets): create a random key and send it using public key encryption
(RSA), or generate a key together (Diffie-Hellman).
Message-by-Message Authentication
Brings message integrity - the message can’t be altered; otherwise, the authentication
method will fail.
Digital signature: use public key for authentication >> very strong but expensive.
Key-Hash Message Authentication Codes: use hashing, much less expensive
than digital signature authentication, much more widely used.
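The challenge-response steps of handshaking stage 2 and the key-hashed MAC described above, as an added example that is not part of the original notes. The password, message text and function names are constructed; HMAC-SHA256 from the Python standard library stands in for the key-hashed MAC.

```python
# Added example: challenge-response login and per-message key-hashed MACs.
import hashlib
import hmac
import secrets


def new_challenge() -> bytes:
    """Server: a fresh random challenge for every authentication attempt."""
    return secrets.token_bytes(16)


def response_for(challenge: bytes, password: str) -> str:
    """Both sides: add the shared password to the challenge and hash the result."""
    return hashlib.sha256(challenge + password.encode()).hexdigest()


def server_verify(challenge: bytes, stored_password: str, response: str) -> bool:
    """Server: repeat the computation and compare in constant time."""
    return hmac.compare_digest(response_for(challenge, stored_password), response)


def tag(key: bytes, message: bytes) -> str:
    """Sender: key-hashed MAC appended to each outgoing message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def accept(key: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver: recompute the MAC; any change to the message makes it fail."""
    return hmac.compare_digest(tag(key, message), received_tag)


def demo():
    password = "correct horse"                # constructed shared secret
    c1 = new_challenge()
    r1 = response_for(c1, password)
    ok = server_verify(c1, password, r1)
    wrong = server_verify(c1, password, response_for(c1, "guess"))
    # A captured response is useless against the next, different challenge.
    replay = server_verify(new_challenge(), password, r1)

    key = secrets.token_bytes(32)             # session key from the keying stage
    msg = b"transfer 100 to account 42"       # constructed message
    t = tag(key, msg)
    intact = accept(key, msg, t)
    tampered = accept(key, b"transfer 900 to account 42", t)
    return ok, wrong, replay, intact, tampered


if __name__ == "__main__":
    print(demo())
```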
SMURF Attack: is a type of Distributed Denial of Service (DDoS) attack that takes
advantage of a feature in Internet Control Message Protocol (ICMP). In a SMURF attack:
1. The attacker sends ICMP Echo Request (ping) packets to an intermediate
network, known as a "broadcast address," with the source IP address spoofed to
be the victim's IP address.
2. All devices on that network then respond to the spoofed source IP address,
flooding the victim's IP address with ICMP Echo Replies.
3. The victim's network becomes overwhelmed by this flood of ICMP responses,
causing a denial of service as its resources are consumed handling these
packets.
>>> SMURF attacks are a form of amplification attack because a single attacker
can amplify the traffic sent to the victim by exploiting the broadcast nature of the ICMP
Echo Request packets. To mitigate SMURF attacks, network administrators should
disable the ability for their networks to respond to broadcast ICMP requests and
implement ingress filtering to prevent IP address spoofing.
SYN flood is a type of Denial of Service (DoS) attack that targets a server's
ability to establish new connections. In a SYN flood attack:
1. The attacker sends a large number of TCP connection requests (SYN
packets) to the target server.
2. These SYN requests are crafted with spoofed source IP addresses,
making it difficult for the server to distinguish legitimate requests from the
flood of malicious ones.
3. The server, in response to each incoming SYN request, allocates some
resources to track the connection attempt and awaits an acknowledgment
(ACK) from the client to complete the handshake.
4. Because the attacker doesn't send the expected ACK responses, these
half-open connections consume server resources and eventually exhaust
them.
5. Legitimate users are unable to establish new connections with the
server because its resources are tied up with the flood of half-open
connections.
>>> SYN flood attacks aim to overwhelm a server's ability to handle incoming
connection requests, rendering it unavailable to legitimate users. To mitigate
SYN flood attacks, servers often implement techniques like SYN cookies or rate
limiting to limit the impact of these malicious connection requests.
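How SYN cookies keep the server from allocating resources for half-open connections, as an added example that is not part of the original notes. This is a simplified model, not any operating system's actual cookie layout; the secret, addresses, ports and the 64-second window are constructed.

```python
# Added example: simplified SYN cookies. The server stores nothing on SYN and
# only creates connection state when a valid cookie comes back in the ACK.
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # constructed; random per boot in practice
WINDOW = 64                             # assumed seconds per time-counter step


def cookie(src_ip, src_port, dst_ip, dst_port, counter):
    """32-bit initial sequence number that encodes the connection attempt."""
    data = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    mac = hmac.new(SECRET, data, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Server:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()        # the only per-connection state kept

    def on_syn(self, src_ip, src_port, now):
        # Reply SYN-ACK with ISN = cookie; no entry is kept for the half-open attempt.
        return cookie(src_ip, src_port, self.ip, self.port, now // WINDOW)

    def on_ack(self, src_ip, src_port, ack_num, now):
        # The final ACK acknowledges ISN + 1; recompute the cookie to validate it.
        isn = (ack_num - 1) % 2**32
        for counter in (now // WINDOW, now // WINDOW - 1):
            if isn == cookie(src_ip, src_port, self.ip, self.port, counter):
                self.established.add((src_ip, src_port))
                return True
        return False


def demo():
    srv = Server("203.0.113.5", 443)
    # Constructed flood: 10,000 SYNs from spoofed sources that never send the ACK.
    for i in range(10_000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now=1000)
    state_after_flood = len(srv.established)
    # Legitimate client completes the handshake with the cookie it was sent.
    isn = srv.on_syn("192.0.2.10", 50000, now=1000)
    legit = srv.on_ack("192.0.2.10", 50000, (isn + 1) % 2**32, now=1003)
    # The same ACK number from a different source address does not validate.
    forged = srv.on_ack("198.51.100.7", 50000, (isn + 1) % 2**32, now=1003)
    # An ACK arriving several counter steps late is rejected as stale.
    isn2 = srv.on_syn("192.0.2.10", 50002, now=1000)
    stale = srv.on_ack("192.0.2.10", 50002, (isn2 + 1) % 2**32, now=1300)
    return state_after_flood, legit, forged, stale, len(srv.established)


if __name__ == "__main__":
    print(demo())
```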
Bots: are automated software programs that can be used for malicious
purposes. Bot-master can update the software to change the type of attack, can
update to fix bugs, can control bots via a handler.
1. Attacker sends command to bots to flood victim
2. Victim is flooded with ICMP, SYN, UDP requests
3. Victim allocates resources for connections and becomes overwhelmed.
DDoS Attack:
1. Attacker sends command to handler
2. Handler forwards command to bots to flood victim
3. Victim is flooded with application layer requests (HTTP, IRC, SPAM)
4. Victim allocates resources for connections and becomes overwhelmed.
Address Resolution Protocol (ARP) Poisoning is an attack that manipulates a network's ARP
tables, causing local area network (LAN) traffic to be rerouted. The attacker needs a computer on
the LAN to carry out this attack. It compromises both the functionality and confidentiality of the
network.
ARP is a protocol used to match 32-bit IP addresses with 48-bit MAC addresses in a LAN. The
problem is that ARP requests and replies lack authentication or verification, meaning all hosts
trust ARP replies. ARP spoofing involves sending false ARP replies to associate any IP address
with any MAC address. The attacker continuously sends unsolicited ARP replies.
In an ARP DoS (Denial of Service) Attack, the attacker sends fake ARP replies to all internal
hosts, claiming that the network's gateway is at a false MAC address. Hosts record this false
information, and as a result, network traffic cannot reach its intended destination. To prevent
ARP Poisoning, organizations can manually set static ARP tables, but this is often impractical.
Limiting local access to trusted hosts can also help mitigate the risk.
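A detection check for the behaviour described above (unsolicited replies that rebind an IP address to a different MAC address), as an added example that is not part of the original notes. The log format, addresses and the pinned gateway entry are constructed; the pinned entry plays the role of a static ARP table entry for the gateway only.

```python
# Added example: flag ARP replies that contradict a trusted IP-to-MAC binding.
from collections import defaultdict

# Constructed ARP replies: time, sender IP, sender MAC, solicited or not.
SAMPLE = """\
10.0 192.168.1.1 aa:aa:aa:aa:aa:01 solicited
10.4 192.168.1.20 aa:aa:aa:aa:aa:20 solicited
12.0 192.168.1.1 de:ad:be:ef:00:66 unsolicited
13.0 192.168.1.1 de:ad:be:ef:00:66 unsolicited
14.0 192.168.1.20 de:ad:be:ef:00:66 unsolicited
15.0 192.168.1.20 aa:aa:aa:aa:aa:20 solicited
"""

# Static entry for the gateway, the address an ARP DoS targets first.
PINNED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect(log, pinned=PINNED):
    """Return (alerts, suspects) for a log of ARP replies."""
    bindings = dict(pinned)        # IP -> MAC we trust (pinned, else first seen)
    claims = defaultdict(set)      # MAC -> IPs it claimed against a trusted binding
    alerts = []
    for line in log.splitlines():
        ts, ip, mac, kind = line.split()
        trusted = bindings.setdefault(ip, mac)
        if mac != trusted:
            # Keep the trusted binding; record the conflicting claim instead.
            claims[mac].add(ip)
            alerts.append({
                "time": float(ts),
                "ip": ip,
                "trusted": trusted,
                "claimed": mac,
                "unsolicited": kind == "unsolicited",
                "pinned": ip in pinned,
            })
    # One MAC contradicting the bindings of several IPs is the strongest signal.
    suspects = {m: ips for m, ips in claims.items() if len(ips) > 1}
    return alerts, suspects


if __name__ == "__main__":
    found, macs = detect(SAMPLE)
    for a in found:
        print(a)
    print("suspect MACs:", macs)
```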
Wireless Network Security: The lecture discusses wireless network security,
including open networks accessible by anyone, private networks requiring
specific authorization, and secured networks with security protocols enabled. The
Marriott FCC WiFi fine incident is mentioned.
Wireless Encryption Protocol (WEP): uses a shared key >> problem > should
be changed frequently, but can only be changed manually
Chapter 6: Firewalls
Basic Firewall Operation:
Firewall examines each packet that goes through it. If the packet is a “provable attack
packet” > Firewall drops it. If it’s not > pass the packet to its destination >>
Pass/Deny decision.
Even with a firewall, it's crucial to "harden" or strengthen individual devices (like
servers and PCs) against possible attacks that the firewall might not catch.
Hardening involves implementing various security measures on these devices to
make them more resistant to potential threats.
Firewalls record information about each dropped packet in a log file > logging >>
review to understand the attacks.
Border firewall: sits at the boundary between the corporate site and the external
Internet. Internal firewall: filter traffic passing between different parts of the
site’s internal network.
Ingress filtering: firewalls examine packets entering the network from the
outside (Internet) >> stop attacks from entering
Egress filtering: filter packets when they are leaving the network: to prevent
infected devices within the network from sending harmful data outside. It also
ensures that sensitive company information doesn't leave the network without
authorization.
Traffic Overload:
Issues with Filtering: Firewalls may drop packets they can't process, creating a
self-inflicted denial of service (DoS) attack by blocking legitimate traffic.
Firewall Capacity: Firewalls must handle incoming traffic volume, especially
during heavy attacks, at the maximum speed of data.
Filtering Mechanisms: Different types of firewall filtering mechanisms exist, with
a focus on stateful packet inspection (SPI).
This mechanism examines packets one by one and can efficiently stop certain
types of attacks but has limitations in preventing various attacks.
Certain attacks: ICMP Echo packets, outgoing responses to scanning probe
packets, packets with spoofed IP address, …
Different Connection States: Stateful firewalls use different filtering rules for
distinct connection states: opening, ongoing communication, and closing.
SPI for a Packet that doesn’t attempt to Open a Connection:
IDSs identify suspicious traffic, but unlike firewalls, they cannot drop packets.
They send alerts if they detect serious threats.
Managing IDS Challenges: IDS systems face challenges like false positives and
heavy processing requirements because of deep packet inspection, packet
stream analysis.
Intrusion Prevention Systems (IPSs): use IDS to filter > Application-specific
integrated circuits (ASICs) provide the needed processing power.
Actions Against Threats: Firewalls can drop packets or limit bandwidth for
certain types of traffic to manage risks associated with suspicious traffic.
Unified Threat Management (UTM) Firewalls: These go beyond traditional
firewalls by integrating various security features like antivirus filtering, VPNs, DoS
protection, etc.
Firewall Architecture: Firms deploy multiple firewalls at different levels, from
screening border routers to host firewalls on individual devices, and they need to
work together effectively.
DMZs (Demilitarized Zones): These are subnets for servers and application
proxy firewalls accessible via the internet, requiring special hardening due to their
exposure to potential attackers.
Hosts in DMZs: DMZs host public servers, application proxy firewalls, and
external DNS servers, all requiring stringent security measures due to their
exposure to the internet.
backing up data,
restricting physical access,
configuring the operating system securely,
minimizing applications,
managing users and permissions,
encrypting data,
using host firewalls,
regularly checking system logs for suspicious activity,
conducting vulnerability tests.
4. Security Baselines and Disk Images: Highlights the use of security baselines that
guide the hardening process by specifying steps to secure different operating systems
and versions. Disk images can be created as a secure implementation for various
server functions and operating system versions, simplifying deployment on new servers.
7. Challenges with Patching: must find the matching OS for patches, the
overwhelming number of patches, time and cost of installation, prioritization based on
criticality, and risks associated with patch installation.
9. Data Security Policies: Highlights policies for sensitive data, emphasizing data
encryption, limiting data storage on mobile devices, and conducting audits.
3. Vulnerabilities in Applications:
- Buffer overflow attacks occur when data overflows a buffer's allocated memory
space.
- Login screen bypass attacks allow unauthorized access by manipulating URLs. It
involves bypassing or circumventing the authentication mechanisms in a login system,
allowing unauthorized users to enter the system without proper credentials. Attackers
exploit weaknesses in the login system, such as flaws in authentication protocols or
input validation, to trick the system into granting access without the correct credentials.
- Cross-Site Scripting (XSS) is a type of cyber attack that targets web applications. It
involves injecting malicious scripts into web pages viewed by other users. Attackers
inject scripts, typically JavaScript, into web pages that are then executed within the
browsers of other users visiting the affected site. These scripts can steal sensitive data,
session tokens, or cookies, redirect users to malicious sites, or modify the appearance
of the web page. XSS attacks commonly exploit vulnerabilities in input fields or poorly
validated user inputs on websites.
5. Client-Side Attacks:
- PCs are targets for attacks via browsers, and users may unwittingly execute
malicious code.
- Malicious links, file reading, executing commands, automatic redirection, and cookie-
based attacks are common.
6. Database Security:
Require additional security precautions > avoid SQL injection attacks
Restrict Access to Data, granularity (level of detail), information about DB
structure.
Database Access Control: restrict access to DB, rename admin account,
disable guest/public account, lowest possible permissions necessary.
Database Auditing: collect info about users’ interaction with databases: logins,
changes to database, warnings, exceptions, and special access.
Encryption: make data unreadable to who doesn’t have key > prevent theft >
might reduce legal liability if lost or stolen data is encrypted.
Key Escrow: stores a copy of key in a safe place >> central key escrow on a
corporate server is better.
1. Incident Severity:
Successful attacks are called security incidents, breaches, or compromises.
False alarms = false positive: compromises are not real >> wastes time.
Major incidents: beyond capabilities of the on-duty staff > bring together a
Computer Security Incident Response Team (CSIRT)
Disasters: fires, floods, hurricanes, major terrorist attacks
Must assure business continuity: maintain day-to-day operations > headed
by senior manager, core permanent staff will facilitate activities.
IT disaster response is restoring IT services
Office computers: holds corporation’s data & analysis > need new computers if
old are destroyed > new software, well-synchronized data backup is critical