Jim’s CISSP Notes
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

3: Security Architecture & Engineering


Secure Design

Secure design principles

security engineering ensures that systems meet business objectives and security requirements

  • security should be a design element

    • bolt-on security rarely works
    • can’t effectively retrofit after the fact
    • should be a part of the design from the start
  • security requirements of information systems are driven by security policy of the org., using the system

    • system: a group of components working together towards a goal
  • incorporate abstract goals of security policy into an info system’s architecture. will need to use security models.

Subject/object model

  • subject → object
  • user → file
  • process → memory
  • clearly designating subjects and objects improves the design process

Failure modes

  • fail open
    • failed security controls automatically bypassed
    • ex. fire doors, IDSs
  • fail closed/secure
    • failed security controls block access
    • ex. firewall

Isolation and segmentation

  • design where different components can’t communicate with each other unless absolutely necessary
    • network segmentation
    • process isolation
    • memory segmentation
    • virtual machine isolation

Security models

Multilevel security

  • systems designed to operate at different security levels at the same time
  • enforces confidentiality and integrity
  • restricts access between security levels

Bell-LaPadula Model

  • enforces confidentiality

    • simple security rule
      • no “read up”
    • *-property
      • no “write down”
    exam tip:
    Bell-LaPadula is rarely used outside of the DoD / government.

Biba Model

  • enforces integrity
    • simple integrity property
      • no “read down”
    • *-integrity property
      • no “write up”
exam tip:
Bell-LaPadula and Bell models are needed for the exam, but rarely used in the real world.

Clark-Wilson Model

  • integrity model
  • enforces well-formed transactions through the use of access triple:
    user ➝ transformation procedure ➝ CDI
    • CDI
      • constrained data item
  • deals with all three integrity goals
  • has a separation of duties
    • prevent unauthorized users from making modifications
    • prevent authorized users from making improper modifications
    • maintains internal and external consistency - reinforces separation of duties

Brewer-Nash

  • commercial model
  • aka Chinese Wall — ethical wall
  • developed to combat conflicts of interest in databases housing competitor information
    • ex. stock exchange database with information about competing companies (i.e. Microsoft, Apple, Google)
  • published in 1989 to ensure fair competition
  • defines a wall and a set of rules to ensure that no subject has access objects on the other side of the wall
  • way to separate competitor data within the same integrated database

Security evaluation models

  • cybersec programs first appeared w/in government agencies

  • why evaluate?

    • to carefully examine security-related components of a system
  • trust

    • function of the product — what does it do?
  • assurance

    • reliability of the process
  • CMMI (Capability Maturity Model Integrated)

    • evaluates developer’s processes, good developer processes lead to good products

Trusted Computer System Evaluation Criteria (TCSEC)

  • AKA the “Orange Book”
  • contained DoD computer security requirement
    • developed by National Computer Security Center (NCSC)
  • based on Bell-Lapadula
  • uses hierarchically ordered series of evaluation classes
  • defines trust and assurance, but doesn’t allow for them to be evaluated independently
  • evaluations:
    • ratings — grade type system
      • A: verified
      • B: mandatory
      • C: discretionary
      • D minimal

ITSEC

  • 1991, collection of European nations
  • first criteria, to evaluate functionality (trust) and assurance separately
  • ratings:
    • F1 – F10 rates for functionality
    • E1 – E6 rates for assurance

Common Criteria

  • ISO 15408

  • unified evaluation process

  • protection criteria (PC)

    • requirements from an agency or a customer
  • target of evaluation (ToE)

    • system designed by a vendor
  • security target (ST)

    • documentation describing how the ToE meets the PP
  • evaluation assurance level (EAL 1-7)

    • describes the level to which the ToE meets the PP
ISO 15408

EAL Ratings
EAL 1 functionally tested
EAL 2 structurally tested
EAL 3 methodically tested and documented
EAL 4 methodically designed, tested and reviewed
EAL 5 semi-formally designed and tested
EAL 6 semi-formally verified, designed and tested
EAL 7 formally verified, designed and tested

Certification and Accreditation

  • certification
    • determines that a system meets security criteria
  • accreditation
    • approves uses of a system in a specified environment
  • accreditation decisions
    • authorization to operate (ATO)
    • interim authorization to operate (IATO)
    • interim authorization to test (IATT)
    • denial authorization to operate (DATO)
exam tip
certification and accreditation are different.
accreditation and authorization are the same.

Separation of duties

  • no individual should possess permissions that when combined allow them to perform a highly sensitive action
    • ex. accountant creating a new vendor and cutting checks to that vendor
  • infosec pros are often called on to create controls for separation of duties
  • infosec pros are often the subject of separation of duties

Two person control

  • aka dual control

  • requires authorization of two individuals to perform a sensitive action

    • examples
      • missile launches
      • checks that require two signators
  • separation of duties and two person control reduce the likelihood of fraud

    • must collude to commit fraud

Selecting security controls

Security controls

  • processes and mechanisms that an organization puts in place to manage security risks
  • designed to keep risk profile in lines w/ risk appetite

Defense-in-depth

  • multiple controls for one objective

  • controls can be categorized by purpose or mechanism of action

    • purpose

      • preventative controls

        • stop a security issue from stopping in the first place
        • ex. fences, gates, firewalls
      • detective controls

        • identify a potential security issue that has already happened
        • ex. log reviews, CCTV reviews
      • corrective controls

        • remediate a security issue that has occured
        • ex. AV software
      • deterrent controls

        • prevent an attacker from seeking to violate security polices
        • ex. guard dog, fences
      • physical controls

        • impact the physical world
        • ex. fence, gate, lighting
      • compensating controls

        • designed to fill in a known gap in an environment
        • ex. guard at a turnstile
    • mechanism of action

      • technical controls

        • use technology to achieve security control objectives
      • operational controls

        • human-driven procedures to manage technology in a secure manner
        exam tip
        technical controls are implemented by technology, operational controls are implemented by people.
      • management controls

        • improve the security of the risk management program itself

Privacy by design

  • seeks to incorporate privacy practices into the design and implementation of systems

  • not bolting it on afterwards

  • seven foundational principles:

    1. proactive, not reactive; prevent, not remediate
      systems should be designed w/ privacy protections, not to respond to privacy issues

    2. privacy as a default setting
      systems should default to protecting privacy unless the user opts to be less private

    3. privacy embedded into design
      privacy should be a core requirement of a system, not a bolted on afterthought

    4. full functionality: positive sum, not zero sum
      privacy should shouldn’t be a trade off

    5. end-to-end security — full life cycle protection
      security practices should occur during all stages of the info lifecycle

    6. visibility and transparency — keep it open
      components should be open to users and customers

    7. respect for user privacy — keep it user-centric
      privacy should be focused on the user

Secure defaults

Secure defaults

  • ensure that a system runs in a secure more unless we configure it not to
    • default to secure
    • example: a firewall defaults to deny all until configured

KISS (Keep it simple, shithead)

  • complexity increases the likelihood of failure

Zero trust

  • applies the least privilege concept to network access
  • doesn’t grant access based on IP / MAC addresses
  • replaces network-based focused access control w/ strong user focused authentication
  • trust, but verify
    • employees
    • customers
    • vendors

Virtualization and Cloud Computing

What is the cloud?

  • Mike Chapple
    • delivering computer resources to a remote customer over a network
    • examples:
      • accessing web-based email
      • building servers in AWS
      • running scripts on Salesforce
  • NIST

    a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be readily provisioned and released with minimal management effort or service provider interaction

Cloud computing roles

people and orgs play different roles in cloud computing

Cloud service provider

  • offers cloud computing services to third parties
  • run infrastructure

Cloud customer

  • consumer of cloud services
  • purchases cloud computing services from one or more cloud service provider
  • nature of relationship with provider can vary
    • self-service
    • one-on-one support w/ managed account

Cloud service partner

  • provides add-on services
    • might assist org in implementing cloud for org
    • might offer security monitoring

Cloud access security brokers (CASBs)

  • provide IAM services

  • can add a third party security layer between an org. and their cloud service provider

    • network-based CASBs

      • intercepts network traffic between the org and cloud
      • monitors traffic for security issues
      • can block access if issue discovered
    • API-based CSABs

      • queries cloud service by API and monitors
      • may be limited by API access and what information is available from API

Reasons for usingcloud computing

  • on-demand self-service

    • resources are available when the org needs them
    • can spin up servers on demand using preconfigured images
  • scalability

    • can increase capacity on demand
    • horizontal scaling
      • adding additional servers to a pool to meet increased demand
    • vertical scaling
      • adding more resources (CPU, memory, storage) to a server on demand
  • elasticity

    • the ability to expand and contract quickly
  • broad network access

    • provide anywhere anytime access
  • measured service

    • pay only for what you consume

Multitenant computing

  • multitenancy

    • sharing computing resources
    • allows for oversubscription
      • oversubscription
        • when sold capacity exceeds total available capacity
  • isolation

    • users don’t impact one another
    • users can’t see other users’ information
    • when isolation breaks down, performance suffers

Virtualization

History

  • mainframes dominated data centers of past decades
  • client/server model emerged in the ’80s / ’90s as desktop machines became more powerful
  • now, data centers are leveraging virtualization technolgies

Virtualization

  • a host machine runs on physical hardware

  • the host machine provides services to multiple virtualized guest machines

  • a hypervisor on the host machine tricks each virtual machine into thinking that it is running on real hardware

  • Hypervisor types

    • Type 1 hypervisor

      • runs on bare metal server
    • Type 2 hypervisor

      • runs as a program on an OS

Virtualization security

  • VM isolation is critical to security

  • each VM must only have access to its own memory and storage

  • VM escape attacks

    • attempt to break out of the guest environment
  • virtualuzation platforms must be patched against vulnerabilities to protect all guest machines

VM sprawl

  • it is easy to spin up a virtual machine and forget about it
  • unused and unmaintained servers are…
    • wasteful
    • security risk

Desktop and application virtualization

VDI

  • provides network-based access to a desktop computing environment

Application virtualization

  • streams an application to a user’s desktop

  • both VDIs and application virtualization all users to use thin clients with minimal specs

Cloud compute resources

  • virtualized servers run in cloud data centers

  • high availability

    • can use resources across multiple zones
    • ex. DigitalOcean NYC and San Fransisco
  • instance awareness

    • reduce VM sprawl

Containerization

Containers

  • lightweight application virtualization
  • alternate to virtual servers
  • contain application code and dependencies
  • run on a containerization platform
    • ex. Docker
  • containerization platform runs on host machine OS
  • isolation is the most important security issue for containers

Cloud activities and the Cloud Reference Architecture

Cloud Reference Architecture

  • ISO 17789: Cloud Computing Reference Architecture

    exam tip
    the reference architecture is a helpful framework, but is just a starting point.
  • defines cloud computing activities

    • customer activities

      • user cloud services
      • perform service trials
      • monitor services
      • administer security
      • provide billing reports
      • handle problems
      • administer tenancies
      • perform business admin
      • select services
      • request audit reports
    • cloud service provider activities

      • prepare systems and services
      • monitor services
      • manage assets
      • provide audit data
      • manage customer relationships
      • perform peering
      • ensure compliance
      • provide connectivity
    • partner activities

      • design, create, maintain services
      • test services
      • perform audits
      • set up legal agreements
      • acquire and assess customers
      • assess the market

CSA Cloud Security Matrix

  • designed to help cloud providers and customers understand the detailed security controls that may be used to achieve cloud security objectives

Cloud deployment models

Private cloud

  • org uses a dedicated cloud infrastructure

Public cloud

  • org uses multitenancy info structure
  • public cloud computing uses a shared responsibility model

Hybrid cloud

  • org uses both private and public cloud

Community cloud

  • cloud created by a consortium or group or orgs
  • example: PASSHE makes a cloud for all state universities
exam tip
no cloud model is superior, it all depends on context and the org’s needs.

Cloud service categories

  • XaaS
    • x as a service

Software as a service

  • customers purchase an entire application
  • often run through a browser
    • compatibility is less of an issue
    • example: Gmail, Boxer, O365, OneDrive, etc.
  • can be specialized
    • example: credit card processing software, Square, etc.

Infrastructure as a service

  • customers purchase servers or storage
  • example: AWS, GCP, Azure

Platform as a service

  • customer purchases an application platform

Function as a service

Security responsibility

  • depends on the level of the service
IaaS PaaS SaaS
data customer customer customer
app customer customer vendor
OS customer vendor vendor
hardware vendor vendor vendor
data center vendor vendor vendor
exam tip
understanding the shared responsibility model is important for infosec professionals.

Edge and fog computing

  • IoT and embedded systems are transforming computing
  • industries are starting to use both in new ways
  • however this can have issues in remote areas

    Edge computing

    • computing at the endpoint
    • data is processed by remote sensor prior to being sent
    • allows for small bursts of pre-computed data to be sent to the cloud
    • useful when bandwidth limitations are a concern

    Fog computing

    • computing near an endpoint
    • a gateway near the remote sensors gathers data from all of the remote sensors
    • data is correlated by the gateway and then send to the cloud

Embedded Systems Security

Industrial control systems (ICS)

  • monitor and control industrial processes
    • utilities such as electrical, gas, water, sewage treatment
    • manufacturing, industrial facilities, production operations
    • building automation systems
    • workflow automation systems
    • process automation systems

Hackers ❤︎ ICS

  • ICS are lucrative targets
    • attacks have dramatic, high visibility outcomes
    • systems are usually not well secured
    • systems are less likely to be current on patches
      • a city can’t turn off the water for an hour to patch the water treatment plant’s ICS

ICS types

  • supervisory control and data acquisition (SCADA)

    • remote monitoring
      • gas lines, power lines
    • remote telemetry
    • report back to control systems
    • multiple points of attack
  • distributed control system (DCS)

    • focus on controlling processes
    • use sensors and feedback systems
    • multiple points of attack
  • programmable logic controller (PLC)

    • handles specialized input / output
    • rugged
    • ensures uninterrupted processing
    • connects to human-machine interface
  • Intro to PLCs, ICS and SCADA

  • modbus protocol

    • serial interface communication

Internet of Things

Smart devices

  • computer controlled and network connected
  • began w/ desire to have wireless network connectivity for devices
    • example: printers, Xboxes, etc.

Sensors and facilities automation

  • hospital/medical facilities
  • utilities and smart meters
  • aircraft and drones

Security challenge

  • difficult to update software and OS
    • updates can be disruptive to service provided by smart device
  • devices connect to same wifi in the home as other personal devices such as laptops, desktops, etc.
    • hacked smart devices have access to personal devices on the network
  • devices connect back to cloud services for command and control
    • attackers can expolit this and move from the cloud into homes/businesses via smart devices

Securing smart devices

  • regular updates

    • automatic updates
    • manual updates
    • need to know which devices get automatic vs. manual updates
  • weak default admin and system passwords

    • change admin/password!
  • (for orgs):

    • firmware version control

      • updates should be applied in an orderly fashion
      • use change management for smart devices
    • security wrappers

      • vet requests for embedded systems
      • like a mini firewall for the device
  • use diverse and redundant security controls to protect embedded devices

Secure networking for smart devices

  • smart devices require secure networks

  • segmenting smart devices increases network security

    • isolated DMZ w/ restricted access
    exam tip
    network segmentation is the most important control for embedded devices.
  • application firewalls provide added protections for embedded devices

    • can help protect against web attacks (SQL injection, XSS, etc.)
  • embedded device controls are also effective for mainframes

Embedded systems

  • tech components of an IoT device that place a full computer inside a larger system
  • examples
    • printers and mulitfunction devices contain embedded systems
      • print server, scanner/image processing, email server, web server, etc.
    • cameras
      • embedded system w/ image processing software, networking software
    • cars
      • self-driving “smart” cars
      • modern vehicles with OBDII and embedded systems controlling engine management, lighting, braking, radio, etc.

Systems on a chip (SoC)

  • combine a processor, memory, other system components on a single chip
  • examples: Raspberry Pi, Arduinos

Field-programmable gate array (FPGA)

  • integrated circuit designed to be configured by a customer or a designer after manufacturing
  • allows dynamic reprogramming
  • example: IBM’s eFUSE

Realtime operating systems (RTOS)

  • provide reliable and secure computing for IoT devices

CAN bus

  • CAN: controller area network
  • robust vehicle bus standard
  • allows microcontrollers and devices to communicate with each other’s applications without a host computer

Embedded systems constraints

  • limited power

  • limited computing capacity

    • makes cryptography difficult or impossible
  • limited network capacity

  • patching

  • assess embedded devices authentication practices carefully

Communications for embedded devices

  • devices often have to connect under conditions
  • many different solutions are used in lieu of traditional wired / wireless connections
    • cell networks

      • provide 4G / 5G when wifi / network not available
        • SIM cards (traditional or eSIM) are required to communicate over cellular network
        • can be expensive
    • Zigbee/Zwave

      • provides short distance communication / mesh networks for home automation
    • radio frequency

      • provide near communications when cellular is not available
    • satellite

      • provide communications almost anywhere
        • can be extremely expensive

Hardware Security

Memory protection

memory is a shared resource that must be protected

  • memory types

    • ROM (read only memory)

      • written to memory chip
      • cannot be changed by applications or OS
    • RAM (random access memory)

      • contents may be changed by applications or OS
  • OSes need to have memory management

Memory management

  • tracks which applications are using what memory
  • grants requests from applications for additional memory
  • frees up memory that’s no longer in use

Memory protection

restricts access to memory segments

  • segmentation faults

    • error when an application tries to request access to a memory segment that it’s not authorized to use
  • memory leaks

    • application accumulate memory over time
    • application fail to release memory when no longer needed
    • application proceeds to slowly take up all memory on the system

Hardware encryption

protects sensitive data by transforming it so it can’t be read w/o a decryption key

  • AES crypt

    • open source file encryption
  • full disk encryption (FDE)

    • protects entire drive
  • hardware security module (HSM)

    • dedicated hardware to perform encryption
    • trusted platform module (TPM)
      • brings hardware encryption to typical consumer computers
  • self-encrypting drives (SED)

    • performs encryption automatically
    • Trusted Computing Group (TCG) produces a Opal Storage Spec for SEDs

Hardware and firmware security

  • OSs must be loaded from disk during the boot process

  • this is done via the use of BIOS or UEFI

  • BIOS (basic input/output system)

    • lightweight OS stored in firmware
    • provides basic functionality needed to load the full OS from disk
    • BIOS attacks can give attackers full control of a device
  • UEFI (unified extensible firmware interface)

    • replaced BIOS with a flexible alternative
    • secure boot
      1. reads bootloader from disk
      2. computes a hash of the bootloader
      3. decrypts bootloader’s digital signature
      4. verifies that the signature is accurate
        • booting will abort if bootloader’s signature fails verification
  • measured boot

    • definititions don’t match notes… (Wikipedia)

Server Security Issue

Server and database security

require careful attention as both store and handle massive amounts of sensitive data

Data flow controls

  • controlling bandwidth consumption
    • use network devices and server OSes to control or limit resources
  • understand sensitive data flow
    • need to know where sensitive data is flowing
    • use data flow maps to know where to apply security controls

Database focused attacks

  • aggregation

    • putting together low-level facts to determine more high-level / sensitive info
  • inference

    • figuring out sensitive facts with facts available to an individual

NoSQL databases

  • relational databases rely on SQL to manage

NoSQL

  • NoSQL databases use key-value stores

  • key

    • unique value used to identify and locate info stored in the table
  • value

    • data stored for later retrieval that is associated with the key
  • each key may have a different structure of values (int, string, etc.)

NoSQL permissions

  • examples from DynamoDB:
    • AllItemAction (\*): full databases access
    • GetItem: retrieve a single item
    • BatchGetItem: retrieve multiple items
    • PutItem: store a single item
    • etc.
  • other NoSQL databases have similar permissions
  • important for admins to ensure that applications and users have the appropriate permissions

Distributed and high performance computing

used for specialized applications

Client/server model

  • client makes requests to server
  • server takes requests, performs actions and calculations, retrieves data and sends info back to the client

Large-scale parallel data

  • some computing problems are too big for a single server or set of servers
  • these problems are broken down into pieces and handled by distributed computing systems
  • examples
    • SETI: search for extraterrestrial intelligence
    • BOINC: Berkley Open Infrastructure for Network Computing

Grid computing

  • assembles unused processing power of many computers (CPU-scavenging)
  • form a virtual supercomputer with a centralized controller

Peer-to-peer (P2P) computing

  • diverse network of computers offering services without a centralized controller

  • nodes have an equal importance

  • examples

    • Bittorrent
    • Bitcoin
    • Tor
  • security concerns

    • untrusted P2P participants could gain access to sensitive info
    • participants could lose control of systems to a malicious P2P agent
    • P2P nodes could be subject to law enforcement investigations
  • other high performance computing (HPC) applications take advantage of super computer technologies

Web Security Issues

OWASP Top Ten

Open Web Application Security Project maintains a list of common web security issues

  1. Injection flaws

    • attacker inserts unwanted transacation code
  2. Broken authentication

    • exploitation of session management
  3. Sensitive data exposure

    • disclosure of sensitive info
  4. XML external entities

    • allows for remote code execution
  5. Broken access control

    • allows unauthoritzed access
  6. Security misconfigurations

    • occurs in many locations (Apache, PHP, Python, firewall, etc.)
  7. Cross-site scripting

    • inserts malicious scripts onto sites
  8. Insecure deserialization

    • allows for API exploitation
  9. Using vulnerable components

    • jeopardizes web application security
  10. Insufficient logging * prevents security analysis

SQL injection

SQL injection

  • dynamic web applications rely on backend databases to store user info, product info, etc.

  • attackers can exploit input fields to inject SQL commands into a database as part of a normal action

  • Bobby Tables!

  • prevention

    • input validation

      • checks user input on server prior to executing SQL commands
      • checks must be server-side; attackers can easily bypass client-side checks
    • parameterized SQL

      • precompiles SQL code on the database server
      • prevents user input from altering query structure

Cross-site scripting (XSS)

  • attacker embed malicious code into third party websites that is later run by innocent users

  • XSS attackers commonly embed scripts into sites via user input

    • via <script> tags
  • prevention

    • use input validation
      • don’t allow users to submit fields with <script> tags

Cross-site request forgery (CSRF)

  • similar to XSS, but more dangerous

  • use one site to trick browsers into sending malicious requests to another site

  • leverage the fact that users are logged into multiple websites

    • persistant cookies keep users logged in for periods of time
  • XSRF secretly send requests to other websites

    • usually through images
  • prevention

    • orgs:
      • rearchitect websites
      • prevent HTTP GET requests
      • leverage Access-Control-Allow-Origin
      • educate users
      • auto-log users out of site after period of time
    • users
      • log out of sites
  • server-side request forgery

    • manipulate servers into retrieving malicious data from what it thinks is a reputable source

Directory traversal attacks

attack allows an attacker to manipulate a web server’s file directory

  • Unix file system directory referneces

    • ./ current directory
    • ../ one directory up
  • attacker users file system references to look for files on the server

  • prevention

    • input validation
    • strict file system access controls — user running web server should only have access to web server files

Overflow attacks

  • developers often set aside memory buffers for user input when developing applications

  • attackers input a string much larger than the buffer

  • the server can then inadvertantly return information outside of the buffer

  • prevention

    • input validation

Session hijacking

  • cookies are used for web authentication

  • cookie guessing

    • guessable cookie jeopardize security
    • cookie values (such as session ID) should be random, not based on a guessable pattern
  • session replay

    • cookies are susceptible to replay attacks
    • cookies should be sent over an encrypted connection to prevent eavesdropping

Privilege escalation

  • gain admin access

  • often exploit buffer overflow attacks

  • prevention

    • input validation
    • enforce least privilege
    • keep OS, platform, apps patched
    • use data execution prevention (DEP) and address space layout randomization (ASLR) technology

Encryption

  • very testable subject area
  • cryptography can be difficult, but there is always a “right” answer and “wrong” answers. there are no “given x_, which is the best…” questions._

Cryptography History

Caesar Cipher

  • simple substitution cipher (see below)

Scytale

  • used by the Spartans
  • wrapped tape around a rod
  • secret key is to know the diameter of the rod
    • key is out of band

Vignere

  • first polyalphabetic cipher
  • keyword is agreed upon beforehand
  • first letter of the key is matched with the first letter of the message

Enigma Machine / Purple Machine

  • used by the Nazis / Japanese in WWII
  • machine based on rotary spool
  • breaking codes used by these machines is credited with shortening the length of WWII

Vernam Cipher

  • one time keypad
  • keypad…
    • is only used once
    • must be…
      • as long as the message
      • statistically unpredictable
      • delivered / stored securely

Basics

  • cryptography is used to protect sensitive info from unauthorized disclosure

  • uses mathematical algorithms to transform info (plaintext) into an encrypted form (ciphertext)

  • encryption

    • transforming plaintext into ciphertext
  • decryption

    • transforming ciphertext into plaintext
  • algorithms

    • set of mathemathical steps used to reach a result
    • a “math recipe”
    • i.e. the steps to convert F to C
  • encryption algorithms

    • input: plaintext P, encryption key K
    • performs encryption using P and K
    • output: ciphertext C
  • decryption algorithms

    • input: ciphertext C, decryption key K
    • performs decryption using C and K
    • output: plaintext P
  • think of encrytion as:

    encrypt (plaintext, key):
        // encryption algorithms happen
        return(cyphertext);
    

Symmetric and asymmetric cryptography

remember:
symmetry refers to the keys.

Symmetric cryptography

encrypts and decrypts using the same key

  • need a shared secret key between two people
  • number of keys need represented by the formula:
    n(n - 1) / 2
  • the number of keys required for large groups becomes unmanageable
  • asymmetric crytography solves this problem using key pairs

Asymmetric cryptography

encrypts and decrypts using different keys from the same pair

  • key pairs
    • public key
      • freely distributed to communications partners
    • private key
      • kept secret
  • anything encrypted w/ one key from a pair can be decrypted w/ the other key from the pair
exam tip
keys used to encrypt/decrypt using asymmetric cryptography must be from the same pair.
  • asymmetric encryption is slower
  • however, only two keys are needed per user

Goals of cryptography

  • confidentiality

    • no unauthorized access
    • no one can read messages w/o keys
  • integrity

    • no unwanted changes
    • messages can’t be changed while encrypted
  • authentication

    • proof of identity claims
  • obfuscation

    • hiding of sensitive data
    • taking sensitive data and representing it in a less sensitive manner
  • non-repudiation

    • verfication of origin
      • provided by digital certificates
      • only possible w/ asymmetric encryption

Codes and ciphers

exam tip
codes and ciphers are related concepts, but different.

Code

  • system that substitutes one word or phrase for another
  • intended to provide secrecy and/or efficiency
  • examples:
    • “10” codes: 10-4, 10-7, 10-9, etc. provide efficiency
    • “pretty good” provided secrecy

Cipher

  • system that uses math algorithms to encrypt / decrypt messages

  • stream cipher

    • operate on one char or bit of a message at a time, one after the next
  • block cipher

    • operate on large segments (blocks) of a message at the same time
  • substitution cipher

    • changes characters in a message
    • also known as a rotation cipher
    • usually designated by “ROT” and the number of letters to rotate to, i.e. ROT13
    • ex. ABC → NOP
    • subject to pattern analysis
      • ex. E is the most common letter in the English language, can look for the most common letter in the cipher text
  • transposition cipher

    • rearrange characters in a message
    • ex. ABC → CAB

Cryptographic math

math plays a critical role

Exclusive Or (XOR)

evaluates as true when one and only one variable is true

X Y X ⊕ Y
T T F
T F T
F T T
F F F

Randomness

  • cryptography relies on pseudorandom numbers
  • we lack a real source of random numbers
    • a random number generator has to start from somewhere… which isn’t random

Confusion, diffusion, obfuscation

  • confusion
    • every bit of the ciphertext must depend on more than one bit of the encryption key
  • diffusion
    • changing one single bit of plaintext should change about 50% of the ciphertext
  • obfuscation
    • using crytography to hide source code from users

Avalanche, permutations

  • avalanche
    • chaining
    • output from one function is the input for the next function
    • used in CBC mode (see below)
  • permutations
    • multiple rounds
    • going through algorithms multiple times
    • encrypting multiple times
    • used by 3DES (see below)

Choosing encryption algorithms

requires careful thought

exam tip
don’t try to build your own encryption algorithm.
you’re really dumb and don’t know what you’re doing.

same thing goes for vendors.
if they have their own in-house custom encryption algorithim, that’s pretty sus.

  • security through obscurity

    • when the security of an algorithm depends on the secrecy of the approach
  • select and use an encryption algorithm that’s proven to be secure

  • openness

    • algorithm used is open to the public

    • community is invited to make the algorithm stronger.

    • Kerchhoff’s Principle

      • you need to only keep either the algorithm or the key secret
      • US military doesn’t believe in this principle
        • the public doesn’t know how anything above Sensitive is encrypted
  • choosing key lengths

    • longer is better and stronger
    • longer is also slower
    • must balance security w/ performance
      • perform cost-benefit analysis to find the sweet spot for the org

One-time pads

unbreakable encryption algorithm

  • aka Vernam Cipher

  • sender and reciever have identical pads

    • pads have multiple keys
    • keys must be at least as long as the messages
  • treat the plaintext message and key as numbers (i.e. A=1, B=2, … Z=26) and add the plaintext to the key to generate the ciphertext

  • decryption works by using the same process, but subtracting the key from the ciphertext to generate the plaintext

  • encryption is unbreakable becuase the pad is totally random

  • using it in practice is very difficult

    • pad exchange is a pain

The cryptographic lifecycle

manages the use of encryption materials over time

  • as cryptographic algorithms age, they often become insecure
  1. initiation

    • org gathers requirements for new cryptography system
  2. development and acquisition

    • org finds an appropriate combination of hardware, software, algorithm the meets org’s requirements/needs
  3. implementation and assessment

    • org configures and tests cryptography system
  4. operations and maintenance

    • org ensures that continued secure operation of the cryptography system
  5. sunset

    • org phases out the cryptography system and destroys/archives old keys

Symmetric Cryptography

Data Encryption Standard

Key facts
symmetric 56-bit key
64-bit block not secure
  • designed by IBM in the ’70s
    • federal standard for unclassified encryption
  • replaced untested standards used by agencies
    • enhanced interoperability of agencies
  • uses 16 rounds of encryption operation called Feistel function
    • each F-box performs a combination of substitution and transposition operations
  • no longer considered secure

Triple DES

Key facts
symmetric 112-bit key
64-bit block weak

allowed for use of old DES cryptographic equipment once DES was dicovered to be insecure

  • applies DES encryption three times

  • uses three keys: K1, K2, K3

    • P → DES(P, K1) → C1 → DES(C1, K2) → C2 → DES(C2, K3) → C
  • keying options

    1. K1 ≠ K2 ≠ K3

      • effectively 112-bit key
    2. K1 = K3, K1 ≠ K2, K2 ≠ K3

      • 80-bit key
    3. K1 = K2 = K3

      • just an insecure as DES
      • only used for backwards compatibility
  • 3DES is considered weak and is being phased out

exam tip:
double DES isn’t more secure than DES. it’s susceptible to meet-in-the-middle attacks

Advanced Encryption Standard

Key facts
symmetric 128/192/256-bit key
128-bit block secure
  • competition was held to replace DES
  • Rijndael algorithm won and became AES
  • in the public domain
  • use substitution and transcription
  • doesn’t use Feistel cipher

Blowfish

Key facts
symmetric 32-448-bit key (variable length)
64-bit block not secure
  • uses Feistel network
  • in the public domain
  • use substitution and transcription
  • no longer considered secure

Twofish

Key facts
symmetric 128/192/256-bit key
128-bit block secure
  • in the public domain
  • use substitution and transcription

RC4

Key facts
symmetric 40-2048-bit key (variable length)
stream not secure

symmetric stream cipher

  • was a trade secret from 1987 invention unil 1994 leak
  • used for various network encryptions
    • WEP
    • WPA
    • SSL
    • TLS
  • no longer considered secure
    • rumored to be breakable to the US Government

Cipher modes

describes how an algorithm encrypts / decrypts plaintext

Electronic Code Book mode

  • breaks plaintext into blocks that are the same length as the key
  • encrypts blocks w/ the same key
    • using the same block w/ the same key results in the same ciphertext block
      • makes cryptanalytic attacks easier

ECB

Cipher Block Chaining mode

  • still breaks plaintest into key-length blocks

  • first plaintext block is XORed with an initialization vector

    • XORed plaintext block is encrypted with key to create the first ciphertext block
  • all subsequent plaintext blocks use the previous ciphertext block as an initialization vector

    • all subsequent plaintext is XORed with previous ciphertext block
    • XORed plaintext is then encrypted with key to create next ciphertext block

CBC

Counter mode

exam tip:
CTR mode allows a block cipher to act more like a stream cipher.
  • uses a nonce and a counter

  • plaintext is still broken into key-length blocks

  • a nonce and counter are added together, then encrypted with the key

  • the plaintext and the encrypted nonce/counted are then XORed to create a ciphertext block

  • the counter is incremented and the process is completed again for the next plaintext block

CTR

Steganography

hiding data inside large files

  • often use innocent looking high-resolution photos
    • can also be used with audio or video files
  • can slightly modify pixels in an image to hide info in the file
    • because modifications are only minor, they are not visible to the naked eye
  • images can then be posted in plainsight w/ embedded info

Asymmetric Cryptography

RSA

Key facts
asymmetric 1024-4096-bit key (variable)
secure
  • developed by Rivest, Shamir and Adelman in 1971

  • RSA keys

    • users create key pairs using long prime numbers
    • can distribute public key freely, but keep the private key secure
    • senders encrypt messages w/ the recipient’s public key
    • recipients decrypt messages w/ their own private key
  • prime factorization

    • remember that primes are numbers that are divisible only by themselves and 1
    • prime factorization is the process of attempting to determine what two prime numbers were multiplied together to create a much larger number
    • finding a way to efficiently do this would break modern cryptography
  • RSA drawbacks

    • it’s slow
      • more commonly used to exchange symmetric keys
    • was patented
      • patent has expired

PGP and GnuPG

  • PGP

    • developed by Zimmerman in 1991
    • uses public and private keys
    • combines symmetric and asymmetric cryptography
    • framework
      • relies on other encryption algorithms
  • PGP encryption

    • plaintext message is encrypted with a randomly generated key
    • the randomly generated key is encrypted with the recipient’s public key
    • the ciphered message and key are both sent to the recipient
  • PGP decryption

    • recipient decrypts the ciphered key with their own private key
    • recipient decrypts the ciphered message with the now decrypted randomly generated key
  • PGP is a commercial product

  • OpenPG is open source and freely available for use

Elliptic-curve cyrptography

  • use elliptic-curve discrete logarithm problems
exam tip
you don’t need to know how ECC works, just that it doesn’t use primes.

Quantum cryptography

  • uses quantum mechanics principles
  • ECC can’t protect against quantum attacks
  • quantum cryptography may end up to be stronger than all modern approaches

Key Management

Key exchange

  • symmetric algorithms depend on shared keys

    • users need to agree upon and share those keys
  • out-of-band key exchange

    • use different communications channels
      • in-person meetings
      • voice calls
      • snail mail
    • can be difficult and time consuming
  • in-band key exchange

    • securely exchanges keys digitally

Diffie-Hellman key exchange

  • provides a means of exchanging symmetric keys digitally

  • ECDH

    • elliptic-curve Diffie-Hellman
    • similar approach to D-H, but uses an EC problem

Key escrow

  • strong encryption presents a problem for law enforcement

  • encryption key escrows:

    • allow the government to have access to keys
    • no reasonable wat to securely implement
    • Clipper chip included technology that would allow the government to access encryption keys
      • EFF and other security firms/groups fought against use
        • they won
      • was later found to not be effective
  • recovery agents

    • allow internal access to lost keys

Key stretching

  • takes a relatively insecure value

    • like a password
  • uses math techniques to strengthen

    • makes it harder to crack
  • salting

    • adding a value to an encryption key to make it more complex
  • hashing

    • adds time to the verification process by requiring more mathematical operations
  • verifying one key is fast, however, guessing millions is slow

  • PBKDF2

    • password-based key derivation function version 2
    • uses hashing and salting to stretch keys
    • should be used 4,000+ times
  • Bcrypt

    • key stretching w/ Blowfish algorithm

Hardware security modules

  • cryptography uses significant computing power

  • HSMs:

    • manage cryptography keys
    • perform cryptpgraphic operations
    • can create and manage keys w/o human interaction
    • cloud service providers can also provide cloud-based HSMs
  • FIPS 140-2

    • detailed requirements for government use of HSMs
    • has three different security levels
    • useful for guaging cloud provider’s HSMs
Level Controls
Security Level 1 standard operating systems; no physical security
Security Level 2 EAL2 software and firmware; tamper-evident seals
Security Level 3 EAL3 software and firmware; tamper-resistant controls
Security Level 4 EAL4 software and firmware; strict physical security

Public Key Infrastructure (PKI)

Trust models

  • strong cryptography depends on some degree of trust

  • requirements of a key exchange

    • confidence that users are really connecting w/ each other
      • neither one is an imposter
    • confience that no one is eavesdropping on the key exchange
    • Diffe-Hellman helps, but not enough…
  • asymmetric cryptography

    • users don’t need to share private keys
    • users can instead share public keys
    • eavesdropping protection isn’t needed during the key exchange
    • still needs protection against imposters
  • trust models

    • personal knowledge
    • web of trust
    • PKI
  • web of trust

    • relies on indirect relationships
    • participants digitally sign public keys of people that they know personally
    • trust is built on people vouching for one another
    • issues
      • decentralized approach
      • high burden to entry
      • requires technical knowledge
  • PKI

    • build on the idea of web of trust

PKI, certificate authoritied and digital certificates

  • PKI depends on trusted certificate authorities (CAs)

  • CAs

    • trusted third party orgs
    • verify the identity of individuals and orgs
    • issue digital certificates to those individuals and orgs
  • digital certificates

    • contain identification info and the subject’s public key
    • like an ID card for the digital world
    • anyone recieving a digital certificate can verify the authenticity of it by checking for the CA’s digital signature

Hash functions

  • one-way functions that take a variable length input to make a fixed length output

  • output is the hash value

  • message digest is another term for hash

  • requirements

    • one way function that can’t be reversed
    • output must always be fixed length
    • no two outputs should create the same output (hashing collision)

MD5

  • developed by Rivest in 1991
  • fifth in series
  • produces a 128-bit hash
  • no longer secure

SHA (secure hashing algorithm) series

  • SHA-1
    • produces 160-bit hash
    • no longer considered secure
  • SHA-2
    • produces 224, 256, 384, 512-bit hashes
    • similar to SHA-1 and MD5
    • considered weak
  • SHA-3
    • uses different hash generation approach than SHA-2
    • produces user-slected hashes

RIPEMD

  • alternate to government-sponsored hashing function
  • produces 128, 160, 256, 320-bit hashes
    • 128-bit hashes not longer considered secure

HMAC

  • hash-based message authentication code

  • combines cryptography and hashing

  • provides authentication and integrity

  • creates and verifies message authentication codes by using a secret key with a hashing function

  • hashing functions used w/ asymmetric cryptography for digital signatures and digital certificates

Digital signatures

  • use asymmetric cryptography to acheive integrity, authentication and non-repudiation

  • signed message reciepients know that:

    • owner of the public key is the person that signed the message (authentication)
    • the message wasn’t altered after it was signed (integrity)
    • that they can prove those facts to a third party (non-repudiation)
  • digitial signatures depend on a

    • collission-reistant hashing function
    • asymmetric cryptography
  • sender uses their private key to create a digitial signature

    • the digitial signature is an encrypted version of the hash of the message
  • recipients user the sender’s public key to confirm that the message was sent by the sender

Digital Signatures

  • remember: digital signatures don’t provide confidentiality

Digital signature standard

  • FIPS std 186-4
  • NIST
  • approved digitial signature standards
    • DS

      • digitial signature standard
      • similar to ElGamal
    • RSA

      • ANSI X9.31
      • PKCS 1 (public key cryptography standard)
    • ECDSA

      • elliptic-curve digital signature algorithm
      • ANSI X9.62
    • all three are considered secure

Certification creation, revocation and stapling

Creating a digitial certificate

  • digital certificates follow X.509 standard

  • process:

    • subject

      • creates a public/private key pair
      • creates a certificate signing request (CSR)
        • CSR countains public key and subject info (CN, OU, O, etc.)
      • responds to any requests from the CA for more info
    • CA

      • recieves CSR
      • requests info from the subject to verify their ID
      • takes the subject’s public key and info, and adds to the cert
      • signs the cert by using the CA’s private key (adds CA’s digital signature to the key)
  • digitial certs will include:

    • subject’s public key
    • cert expiration date
    • cn
    • SANS (subject alternative names) for the subject

Revoking a digital certificate

  • one of two methods (both maintained by the CA)

    • CRL (certificate revocation list)

      • CA maintains a list of the serial numbers of revoked certs
      • users download CRL lists
      • is time-consuming
      • has a large overhead for the CA
    • OCSP (online cert status protocol)

      • provides realtime cert status
      • most browsers use OCSP
        • except Chrome, which uses its own cert verification technology

Certificate stapling

  • allows web servers to attach an OCSP validation to the certificate they send to users
  • OCSP places burden on CA’s OCSP servers
  • certificate stapling reduces this burden
  • web server makes request to CA to have cert stapled
  • CA provides staples cert which can be provided to users
    • future users can reuse the stapled cert
    • stapled cert is frequently valid for 24 hours

Certificate authorities

  • charge fees for their services when creating a new cert

  • self-signed certs

    • issued by an internal CA
  • cert chaining

    • allows the use of intermediate CAs
    • browsers verify each CA in the chain
  • offline CAs

    • protect sensitive root keys

Certificate subjects

  • owner of the public key
  • can be:
    • most common: web servers
    • any server: SSH, web, file, email
    • devices: SAN devices, routers, switches, VPNs, wireless APs
    • individuals: name, email
    • developers: for use in signing code
exam tip
you may find questions about cert object identifiers (OIDs).
  • cert pinning
    • ties a subject to a cert for a period of time

Certificate types

  • root certs

    • protect the CA’s private keys
  • wildcard certs

    • cover an entire domain
    • *.jpmck.com → mail.jpmck.com, cool.jpmck.com, cissp.jpmck.com
    • only goes one level deep
    • commonly used for load balancers
  • CAs issuing certs are vouching for the subject’s identification

    • DV

      • domain validation
      • verifies domain ownership (I’ve got this one)
    • OV

      • organization validation
      • verifies the business name
    • EV

      • extended validation
      • requires an extensive validation

Certificate formats

distinguished encoding rules

  • binary format
  • .der, .crt, .cer file extensions

privacy enhanced email

  • ASCII version of DER certs
  • can be converted to/from DER w/ tools like SSL
  • .pem, .crt file extensions

personal info exchange

  • binary
  • commonly used by Windows
  • .pfx, .p12 file extensions
  • ASCII version of PFX
  • commonly used by Windows
  • .p7b file extension
exam tip
you can’t tell if a .crt file is a PEM or DER file without looking at it.
binary version binary file extension text version text file extension
DER .der, .crt, .cer PEM .pem, .crt
PFX .pfx, .p12 P7B .p7b

Cryptanalytic Attacks

Brute force attacks

  • also known as known ciphertext attacks
  • simplest form of attack: attacker repeatedly guesses keys

Keyspace

  • set of all possible keys usable w/ an algorithm

    • example: rotation ciphers’ keyspace are only 25
  • modern algorithms are really susceptible to this kind of attack because of their keyspaces

  • example:

    • 56-bit DES’s keyspace is 72,057,594,037,927,936 (72 quadrillion)
    • 128-bit AES’s keyspace is 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 undecillion)
  • one caveat: flawed algorithms may be more vulnerable to bruteforce attacks

    • if the algorithm inadvertantly limits the keyspace

Knowledge-based attacks

attacks can be more effective with some knowledge

Frequency analysis

  • detects patterns in ciphertext
  • certain letters are more common than others (R, S, T, L, N, E)
  • certain pairs of letters (digraphs) are more common: TH, HE, IN, ER
  • attackers can use these common factors to look at frequently occuring letters in a ciphertext

Known plaintext

  • attacker has access to plaintext and ciphertext

Chosen known plaintext

  • attacker can create a message of their choice

Birthday attack

  • tries to find two inputs w/ the same hash value

Eavesdropping attacks

  • rely on compromised communications pathways
    • network device tapping
    • DNS or ARP poisoning

Man-in-the-middle attacks

  • tricks a sender at the beginning of communications w/ a recipient

    • user unknowingly sets up commincations w/ attacker
    • attacker acts a relay between the sender and reciever, taking all data along the way
  • man-in-the-browser attacks

    • similar to MitM attacks, but w/ browser plugins

Replay attacks

  • uses previously captured data

  • attacker can’t see the actual credentials, just encoded version

  • prevention

    • include unique characteristics in communications
      • tokens
      • timestamps

SSL stripping attacks

  • variation of eavesdropping
  • tricks a browser into downgrading to using unencrypted communications

Implementation attacks

  • cryptography systems can have implementation flaws that can be exploited

Fault injection

  • use external forces to cause an error
    • RFI, EMI, etc.
  • may cause a system to not encrypt or encrypt incorrectly

Side channel attacks

  • measure encryption footprint
  • how much power is used, frequencies released by chips

Timing attacks

  • measures encryption times

Encryption algorithms limits

  • all encryption algorithms have weaknesses

  • some are faster than others

    • asymmetric is slower
  • keys

    • longer keys
      • provide stronger encryption
      • use more computing power and time
    • some key choices may have inherent flaws
    • reusing the same keys facilitate cryptanalitic analysis
  • cryptography algorithms and keys have a limited longevity

  • entropy reduces the predictability of a cryptography method

    • high entropy → less predictable algorithm
  • downgrade attacks can remove or weaken encryption

Ransomware

  • attack that encrypts data

  • makes a system unusable by regular users

  • attackers demand payment in exchange for the encryption keys

  • highly orchestrated by human attackers

  • target characteristics

    • orgs w/ vulnerable systems, and
    • orgs w/ the ability to pay ransom
  • typical attack process

    • attackers perform recon on the org
      • probe systems
        • use mimikatz
          • steals passwords from memory
        • find domain admin passwords
    • use gathered accounts and passwords to grain control over a large portion of the network
    • attack all at once, encrypting as many systems as possible
    • demand payout for decryption keys
  • lessons learned

    • backups
      • provide a safety net for data
    • paying ransoms
      • rewards criminal activity
      • no guarantee that the key will be delivered
        • generally, keys are delivered
      • may encourage others to perfrom attack again
      • paying sometimes may be the most expedient solution for the org
    • antimalware
      • protects against infections
exam tip
specific call out on exam objectives, expect some questions on ransomware.

Physical Security

Site and facility design

  • physical security is important to protecting info and systems
  • data centers contain massive amounts of sensitive data and computing resources
  • server rooms
    • usually less secure than data centers
    • often grow organically in small orgs
  • media storage locations
    • especially if media / backups are stored off-site
    • locations should have at least equal — if not better — physical security than a data center
  • evidence storage locations
    • chain of custody must be preserved
  • wiring closets
    • unauthorized access can result in eavesdropping and network device tampering
    • distribution cabling should be protected as well
  • operations centers and other sensitive areas

Data center environmental controls

Cooling requirements

  • data centers have significant cooling requirements
  • excessive heat can reduce the life of equipment
  • old school data centers used to be very cool
    • great expense to the org and environment
  • equipment is now less sensitive
  • explanded environmental envelope
    • 64.4°F – 80.6°F

Humidity requirements

  • condensation can form if humidity is too high
  • static electricity can happen if humidity is too low
  • dew point 41.9° – 50.0°F

HVAC and hot aisle/cool aisle

  • HVAC systems keep temperature and humidity in control

  • hot aisle/cold aisle

    • servers draw in cool air from the front and expel hot air out the back
    • using this idea, one can line up server racks back to back, creating cool air aisles and hot air aisles
      exam tip
      watch for questions that indirrectly ask about hot aisle/cold aisle strategies.

Data center environmental protection

natural disasters put data centers at risk

Fire

  • fire is a grave threat
  • fire requires:
    • oxygen
    • heat
    • fuel
  • depriving a fire of any of these three requirements will extinguish it

Fire extinguishers

Class Type Examples
A common combustibles wood, cloth, trash, paper, etc.
B flammable liquids gasoline, kerosene, oil
C electrical wiring, server racks
D heavy metal iron, nickle, Metallica
K kitchen fats, oil, grease
  • labels on fire extinguishers contain info about the class and type of fires it can extinguish
exam tip
be able to identify fire extinguisher classes.

Fire suppression systems

  • building-wide fire suppression systems
    • wet pipe approach

      • contain water in pipes that are ready to deploy in a fire
      • can be dangerous to data centers if they leak
    • dry pipe approach

      • contain pipes that only fill if a valve opens during a fire alarm
    • chemical fire suppression systems

      • deprive a fire of oxygen of fire
      • dangerous to humans!

Sensors

  • fire detection sensors

    • temperature sensors
    • smoke detectors
    • incipient detectors
  • moisture sensors

Flooding

  • data centers should be protected against the risk of flooding
    • natural
      • flood plains, location w/in the building
    • man-made
      • burst pipes, etc.
      • consider layout of pipes w/in building if possible

EFI

  • generated by all electrical equipment
  • can interfere w/ other equipment
  • can be used by attackers to eavesdrop
  • faraday cages can protect against EMI

Power control

data centers rely on massive amounts of power

  • UPS

    • uninterruptible power supply
    • contains batteries which can power equipment for a short amount of time
  • backup generators

    • supply power during a longer outage
    • usually powered by gas, diesel, etc.
  • undervoltage conditions

    • blackout

      • complete service disruption
    • sag

      • momentary voltage drop
      • can usually handled by equipment
    • brownout

      • longer voltage drop
  • overvoltage conditions

    • spike

      • brief period of high voltage
      • can usually be handled by equipment
    • surge

      • longer period of high voltage
  • power conditioning

    • manages under- and overvoltage conditions

Physical access control

Locks and entrances

  • locks

    • restrict access through a portal (i.e. a window or door)

    • preset lock

      • use a hardware lock
      • need correct key to open
      • should use key management to keep track of keys
    • cipher lock

      • use a physical or electronic keypads
    • biometric locks

      • use a person’s physical features
        • fingerprint, voice, retina
    • card-based locks

      • use a card
        • magstripe, RFID, smart
  • tailgating

    • following another authorized user into an area
  • mantraps *

  • remember to carefully maintain ACLs!

Facilities monitoring

  • use motion and noise detection systems
  • video surveillance systems
    • act as deterrent and detective controls
    • IR video may be useful in dark environments
    • can play an important role in investigations

Other controls

  • fences can block traffic on foot or vehicles
    • bollards can allow foot traffic but protects entrances from vehicles
  • cages can be used to protect equipment
    • important in shared data centers
  • lighting increases intruder detection and acts as a deterrent
  • signage can provide legal recource
  • inducstrial camoflauge
    • useful for making data centers non-descript
    • drones and UAVs make it important that buildings are camoflauged from the ground and from the air

Visitor management

  • visitor management procedures protect against intrusions
  • visitor procedures should
    • describe allowable visit purposes
    • explain visitation approval authority
    • describe requirements for unescorted access
    • role of vistor escorts
  • all visitors should be logged
  • all visitors should be idendified w/ distinct badges
    • if necessary badges should include “ESCORT REQUIRED”
  • cameras can provide extra monitoring of visitor areas

Physical security personnel

  • security guards are important to physical security

    • receptionists can act as security guards
    • menacing looking guards can also be used
  • robotic sentinels may be used in place of humans

  • two-person integrity

    • requires two people to enter a sensitive are together
    • discourages malicious activity in that area
      • requires collusion with other person
    • think of two people needing to enter a bank vault
  • two-person control

    • aka dual control
    • requires authorization of two individuals to perform a sensitive action
      • examples
        • missile launches
        • checks that require two signators

Threat Modeling

Threat intelligence

  • set of activities that an org takes to…
    • educate itself about the threat landscape
    • adapt security controls to threats
  • allows the security team to stay current on cybersec threats

Open source intel

  • uses publicly available info from various open sources
    • security websites
    • vulnerability databases
    • news media
    • social media
    • darkweb
    • info sharing centers
    • file repos
    • code repos
    • security researchers

Closed source intel

  • many security companies offer proprietary threat intel solutions
    • these solutions may feed into firewalls, proxy servers, IDSs, etc.
  • criteria for evaluating these solutions
    • timeliness
    • accuracy
    • reliability

Managing threat indicators

Threat indicators

  • properties that describe a threat

    • example: IP address, malicious file signatures
  • threat info is only useful if it can be shared

Frameworks

  • CybOX

    • common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity
  • STIX

    • language for having a standardized communication for the representation of cyberthreat information
  • TAXII

    • specifications for exchanging cyberthreat information
  • all three work together

  • facilitated by the Department of Homeland Security

  • OpenIOC

    • open indicators of compromise framework
    • Mandient
  • security tools and services should support these info exchange standards

Intelligence sharing

  • use TAXII, STIX, CybOX
  • functions supported by intelligence:
    • incidence response
    • vulnerability management
    • risk management
    • security engineering
    • detection and monitoring

ISACs (Information Sharing and Analysis Centers)

  • bring together teams from competing businesses to share intelligence
  • usually non-profit organizations

Threat research

  • uses threat intel to get inside the mind of attackers

  • reputational threat research

    • identifies potential attackers based on past use of IP addresses, domains, email addresses
  • behavioral threat research

    • identifies potential attackers based on past behaviors
  • research sources

    • vendor websites
    • vulnerability feeds
    • threat feeds
    • cybersec conferences
    • academic journals
    • RFCs
    • local industry groups
    • social media
    • adversary tactics, techniques and procedures (TTPs)

Identifying threats

  • threat modeling identifies and prioritizes threats

  • use a structured approach for identification

    • don’t just think of ways that things can go wrong
  • ways to approach:

    • asset-focsued

      • use asset inventory for basis
      • go through each asset and identify threats to it
    • threat-focused

      • identify specific threats that may affect each info. system
      • think of threats (known agents, contractors, etc) and how they might affect org
    • service-focused

      • identify impact of threats on a specific service
      • think of each API and threats that could occur to them

Automating threat intelligence

  • automating blacklisting of IP addresses from threat feeds

  • automating blocking can disrupt services

    • start in alert-only mode
    • after testing, then can move to a blocking mode
  • combinging different threat feeds into intelligence

  • incident response

    • can be a manual process
    • can be aided with data enrichment
    • data enrichment
      • automated supplements to incident data
      • examples
        • perform source address recon
        • retrieve related logs
        • trigger vulnerability scans
      • all done in realtime at the time of the incident
  • SOAR (security, orchestration, automation and response) frameworks enhance SIEM capabilities

  • machine learning allows for automated creation of malware signatures

Threat hunting

  • cybersec used to see role as building an impenetrable defense

    • that’s a naïve approach
    • need to make the assumption of compromise
      • accept it as a given that systems are compromised and search for signs of suspicious activity
  • threat hunting

    • organized systemic approach to seeking out indicators of compromise using expertise and analytic techniques
    • threat hunters must think like attacker
    • develop a hypothesis, then think of indicators of compromise
  • indicators of a compromise

    • unusual binary files
    • unexpected processes running or system consumption (CPU, RAM)
    • deviation in network traffic
    • unexplained log entries
    • unapproved configuration changes
  • after discovering a compromise, move into incident response

Software Security Architecture

SOAP and REST

  • APIs

    • application programming interface
    • interface that allows users and programs to interact with a service programmatically
  • API standards

    • SOAP

      • XML format
      • no longer popular or widely used
    • REST

      • uses HTTPS protocol
      • overwhelmingly popular
  • API security

    • API communications should be encrypted w/ HTTPS
    • API keys should be securely distributed, stored and transmitted

SOA and microservices

Service-oriented architecture (SOA)

  • design philosophy encourages orgs to create discrete services

  • services may be accessed by customers and other users

    • but in a black box fashion
    • users don’t need to know how service works
    • just need to know what the service does and how to access it
  • characteristics

    • logical representation of repeatable business processes w/ specific outcomes
    • self-contained
    • may be composed of other services
    • black-box nature
  • popular w/ developers because they facilitate integration of services

Microservices

  • fine grained services
  • common w/ FaaS

Cryptography

Security Services Provided by Cryptography

  • privacy: prevents unauthorized disclosure of information
  • authenticity: verification of a claimed identity
  • integrity: detects modification / corruption of information
  • non-repudiation: a combination of authenticity and integrity. a sender can’t deny sending a message or it’s contents.
  • privacy, integrity and authenticity do not guarantee each other… for example, the knowing the authenticity of a sender doesn’t guarentee that the message is private.

Cryptography Definitions and Concepts

Initialization vector

  • adding randomness at the beginning

Algorithm

  • math functions that transform text
  • key aligns with the functions
  • long key = perform more functions on the text

Principles of Secure Design

Security Model

  • lays out a framework and mathematical models that act as security-related specs for a system architecture
  • think of it as a book on a shelf telling you how to implement a part of a System

System Architecture

  • overall design of the components — hardware, software, applications, network, etc. — of an information system
  • design should meet what is laid out in the security model

Security Models

  • State Machine

  • Bell-LaPadula

  • Biba

  • Clark-Wilson

  • Brewer & Nash

  • Information Flow

  • Non-Interference

  • Lattice

Bell-LaPadula and Biba are 100% going to be on the exam and are testable.
Clark-Wilson and Brewer & Nash are very testable as well

State Machine Model

(the basis of other models)

  • a system/machine can be thought of being in a certain state
  • start-up, functioning, shut-down
    • start-up is the most vulnerable: all security modules haven’t loaded yet

Bell-LaPadula

  • confidentiality model
  • designed by the US government to protect state secrets
  • model focuses on data confidentiality and access to classified information
  • divides an information system into subjects and objects
  • built on the concept of a state machine with different allowable states
  • three rules to enforce confidentiality:
    • Simple Security Property: “no read up”
      subject can’t read data from a security level higher than the subject’s security level
    • * Security Property**: “no write down”**
      subject can’t write data to a security level lower than the subject’s security level
      use “it is written in the stars_” to remember * Security Property._
    • Strong * Property: “no read/write up or down”
      subject can’t read/write data on a security level lower than the subject’s security level
  • tranquility property: security labels can’t be arbitrarily changed
  • model only applies once a user/subject has been authenticated

Biba Model

  • integrity model
  • no subject can depend on an object of lesser integrity
  • based on a hierarchical lattice of integrity levels
  • users must perform correct and safe procedures to ensure data integrity
  • three rules to enforce integrity:
    • Simple Integrity Rule: “no read down”
    • * Integrity Rule: “no write up”
    • Invocation Property: a subject cannot invoke (call upon) subjects at a higher integrity level

Information Flow

  • data compartmentalized based on classification and a need to know
  • seeks to eliminate covert channels
  • ensures that information always flows from lower security or integrity levels to higher levels
  • whatever component directly affects information flow must dominate all components involved with the flow

Non-Interference

  • encourages isolation / separation

(insert more from slides)

Security Architecture

  • directs how components in the system architecture should be organized to meet security requirements
  • should include:
    • description of locations where security measures should be placed
    • description of how components should interact to ensure security
    • security specifications to follow when designing and delivering the system

Computer Architecture

  • program: an application

  • process: a program loaded into memory

  • thread: each individual instruction in a process

  • program → process → thread

  • multiprogramming: appearance of multiple programs running. no true isolation. ex. Windows 3.1

  • multitasking: multiple processes running. isolation. each program has its own stuff — memory, processing time, etc.

  • multiprocessing: more than one CPU

  • multithreading: in the past more than one CPU was required. now handled by multi-core CPUs

CPU Modes and Protection Rings

  • protection rings
    • ring 0: trusted computing base (TCB) — OS kernel
    • ring 1: remaining parts of the OS
    • ring 2: OS and I/O drivers and OS utilities
    • ring 3: applications and user activity

(insert drawing…)

System Architecture

  • defined subset of subjects and objects
  • trusted computing base (TCB)
  • security perimeter (TCB is inside the perimeter)
  • reference monitor: law of the system
  • security kernel: police of the system
    • enforces the reference monitor
    • must…
      • facilitate the isolation of processes
      • be invoked at every access attempt
      • be small enough to be tested and verified
  • security policy: set of rules on how resources are managed within a computer system
  • least privilege: processes have no more privileges then they need

Secure Modes of Operation

  • when you see the word “state” think “classification”
  • single state: system that handles one classification — think of a lockbox
  • multiple state: a system that handles more than one classification — think of a filing cabinet
  • compartmented: handling need to know information — think of inboxes for people
  • dedicated
  • you can combine modes:
    • single-state, compartmented
    • single-state, dedicated
    • multi-state, compartmented
    • multi-state, dedicated