6: Security Assessment & Testing
-
flaws in software code can lead to security vulnerabilities
-
vulnerabilty patch process
- vendor learns about a vulnerability
- developers analyze and develop a patch
- vendor releases a patch to customers
- customers apply patch
- most orgs have many different components and systems that need patches
- vulnerability management detects, remediates and reports vulnerabilities
- to maintain a secure system
- to comply w/ org policy
- to comply w/ regulatory requirements
- examples
- PCI DSS requirements
- quarterly internal and external vulnerability scans
- new scans after any significant changes
- use approved scanning vendors (ASV)
- remediate and rescan until acheiving a clean report
- FISMA
- conduct vulnerabiltiy scans regularly
- analyze scans
- remediate legitimate vulnerabilities
- share info w/ other agencies
- PCI DSS requirements
- examples
-
network
-
application web application
-
orgs should supplement vulnerability scans w/ configuration and log reviews
-
need to develop a list of specific systems and devices to scan
-
asset inventory
- starting point for vulnerability scanning
- may use org inventory management tools
- vulnerabilty scanners can also generate system inventories
- need an asset inventory even if you choose to scan all of your systems
-
Nessus is an example of a vulnerability scanner
-
some scanners can create network maps of discovered assets
-
impact
- highest level of data stored, processed and transmitted by the system?
-
likelihood
- what is the system’s network exposure?
- what services are exposed?
-
criticality
- what impact does the system have on business operations?
- many things to look at and consider
- target
- IP address, IP address range
- ports
- scans based on system type
- confidential, sensitive, etc
- frequency
- daily, weekly, etc.
- safe scanning
- who to alert
- reduce false alarms
- target
- network location affects scan results
- example
- scanner in the DMZ will see systems in the DMZ
- however, the firewall may drop scans going to the network
- example
- different perspectives are valuable to analysts
- for example, a scanner in the Internet zone can provide an attacker’s view of an org
- firewalls, IDS/IPS rules and network segmentation can affect scan results
- installs scanning software on a target device
- reports vulnerabilities on server
- looks at configurations, services, installed applications, etc.
- can provide great insight
- is more complex
- software needs to be installed on all servers
- can be difficult to manage
- uses passwords to log into systems
- can then scan w/ logged in account
- need to present different info to different audiences
- more detailed / tech-focused
- engineers
- developers
- admins
- broad overview
- business leaders
- management
- more detailed / tech-focused
- vulnerabily severity
- system criticality
- info sensitivity
- remediation difficulty
- system exposure
- confirm accuracy
- is it a false positive report?
- review details of scanner report
- does the system run the reported OS or application?
- is the vulnerability a documented exception?
| vulnerability reported | vulnerability not reported | |
|---|---|---|
| exists | true positive | false negative |
| doesn’t | false positive | true ne |
exam tip:
there may be questions on exam asking to identify vulnerabilties using these terms.
-
should correlate results w/other sources
-
industry standards, best practices, compliance requirements
- may provide specific guidance
-
info from other sources in the org
- configuration management systems
- log repos
- other data sources
-
trend analysis
- recurring vulnerability?
- investigate root cause
- recurring vulnerability?
-
security professionals are placed in the role of an attacker
-
goal is to defeat security controls
-
rules of engagement
- need to document scope of testing
- what tools are valid to use
- what systems can be targeted
- need to document scope of testing
- full knowledge
aka whitebox- attackers have full access to info before starting the test
- simulates an insider attack
- partial knowledge
aka grey box- attackers have limited access to info before starting
- zero knowledge
aka black box- attackers have no access to info about the target
- simulates an outsider attack
-
discovery phase
- recon
- gather information about the organization through various means
- whois
- company website
- social engineering
- gather information about the organization through various means
- OSINT
- footprinting
- map the network (nmap)
- ICMP ping sweeps
- DNS zone transfers
- wardriving
- warflying
- recon
-
attack phase
- gain access
- escalate privileges
- system browsing - lateral movement
- installing additional tools
- additional discovery throughout the phase
-
cleanup phase
- restore system to previous state
- uninstall software
- pivot
- after exploiting a vulnerability in a system
- use system as a base to attack other systems on the network
- persistence
- after exploiting a vulnerability
- installation of tool on the system that allows future access to system/network
- sometime can even be used after vulnerabilities are fixed
- system that automates pen testing
- injects threat indicators on to systems and networks
- suspicious logs, files, etc.
- system doesn’t wage an attack, just leaves traces of one
- tests security controls
- aometimes we discover new undocumented vulnerabilites during our work
- this is powerful and dangerous
- Uncle Ben: “with great power, comes great responsibility”
-
new vulnerability w/ no public knowledge
- no patch because unknown
-
window of vulnerability
- time between discovery and successful patch
-
keep knowledge secret and use for personal use or sale
-
share privately w/ vendor
- w/o public pressure, vendor might not fix
- bad press for admitting their is a bug
- w/o public pressure, vendor might not fix
-
share publicly w/ security community
-
responsible disclosure
- share privately w/ vendor
- provide deadline
- vendor can fix before deadline
- afterwards, if vulnerability not fixed, it will be publically disclosed
-
opens security testing to the public
- encourages attackers to report vulnerabilities in a responsible manner
- often rewards reported vulnerabilities
- allows orgs to harness attackers for good
- encourages attackers to report vulnerabilities in a responsible manner
-
vendors can be used
- can be fully-mananged by the vendor or self-managed by the org
-
increases strength of security defenses
- exercises that are team-based competitions
- similar to pen testing
- identifies vulnerabilities
- also provides individuals w/ experience
- attacking and defending
- red team
- attacks systems
- blue team
- defends systems
- white team
- observers
- judge competitors
- ensure that rules of engagement are being followed
- purple team
- combine knowledge gained by red and blue teams
- merged team during lessons learned / AAR
- walks through steps taken
-
capture-the-flag events are a popular exercise
-
sandboxing
- orgs can set up separate environments for cybersecurity exercises
- limits the possibility of damage to production systems
- network / netflow
- DNS logs
- system logs
- application logs
- authentication logs
- other sources
- VoIP
- dump files
- vulnerability scans and reports
-
standard logging format
-
components
- header (timestamp, source address)
- facility (source of the message on the sending system)
- severity (importance values of 0–7)
- message (details of the alert)
-
severity levels
- admins can set based on levels
0 emergency 1 alert 2 critical 3 error 4 warning 5 notice 6 informal 7 debug
- admins can set based on levels
-
standard logging on Unix/Linus distros
-
versions
- syslog
- original version
- rarely used
- syslog
-
syslog-ng
- 1998
- added security and delivery enhancements
-
rsyslog
- 2004
- added further enhancements
-
journalctl
- uses a binary format
-
log retention needs to balance out security and cost
- necessary for security investigations
- all has a cost for storage and maintaining systems
-
tagging
- helps w/ searching, filtering and analysis
- adds metadata about systems, users, locations, etc.
-
NXLog
- centralizes management of log sources
- Linux, Windows, etc.
- AI can help w/ security data overload
- has access to logs across the org
- performs log correlation
- example: might gather logs from firewall, web server and database, which can be used to see trands
- central secure collection point for logs
- all systems send logs to SIEM
- source of AI
- detects patterns that other systems might miss
- provide a centralized view of security info
- can generate alerts
- facilitate in trand analysis
- can build graphs, etc.
- offer adjustible sensitivity
-
super SIEM
-
can use playbooks and runbooks to have automated responses to security events
-
playbooks
- process-focused response to security events
- includes human and automated responses
- process-focused response to security events
-
runbooks
- automated responses to security events
- executes immediately
- can aid human investigators
- automated responses to security events
- use peer analysis to assess code
-
planning
- leader prepares for code review
- prepares materials
- identifies participants
- schedules review
- leader prepares for code review
-
overview
- leader assigns roles to participants
- provides overview of software
-
preparation
- participants review code individually
- make note of issues
- participants review code individually
-
meeting
- formal meeting w/ participants
- developers discuss defects
-
rework
- developers correct defects
-
followup
- leadership confirms that defects are fixed
-
most orgs use a much less formal process
- use technology to test software
- uses automated technology to analyze code for errors
- doesn’t run code
- like an automated version of a code review
-
automated testing that actually executes code
-
verifies that the code is functioning correctly
-
synthetic transaction
- developers supply inputs to code w/ known expected outputs
tip:
code reviews, static testing and dynamic testing are complementary.
they are not competing, and can be used together.\
- software testing technique that feed many different input values into a program
- attempts to cause unpredictable states ot unauthorized access
-
developer-supplied input
-
developer-supplied script that generates input
-
generation fuzzing
- fuzz testing app generates random input
-
mutation fuzzing
- fuzz testing app analyzes real input and generates input from that
-
remember to avoid looking like a hacker
- fuzz testing should only be done w/ permission
- conplex systems need to rely on multiple independent components
- these need standardized interfaces to connect between different systems
-
defines interactions between systems
-
must be tested
- systems using APIs are often business critical
- APIs can introduce serious security problems
-
UIs and physical interfaces should be tested too
-
evaluates software from an attackers point of view
-
software often expects users to behave normally
-
attacker will not behave normally, will attempt to break the “rules” of software
-
teams should brainstorm to develop misuse cases
- should bring in developers not working on software to gain a fresh perspective
-
misuse case examples
- unexpected input
- size and type
- missing input
- injection attacks
- unavailable funds
- for example, attempts to deposit -$500 into an account
- unexpected input
-
percentage of software that has been tested
-
computing test coverage
- test coverage = cases tested ÷ total cases
-
variables
- use cases
- checking all use cases for the software
- use cases
-
functions
- checking that all functions in the code have been tested
-
lines of code
- making sure all lines of code have been tested
-
conditional branching
- checking each IF branch w/ true and false conditions
-
automated test packages can compute test coverage
- can identify areas of untested code
- core responsibility of cybersec professionals
- controls are designed to keep business running in the face of adversity
- sometimes called COOP (continuity of operations plan)
- primary control for maintaining availability
- what business activities should be covered?
- what systems should be covered?
- what controls should be considered?
-
goal
- identify and prioritize risk
-
results
- list of risks and ALE
-
BCP in the cloud is a partnership between the org. and cloud provider
-
redundancy protects against a failure of a single component
-
single point of failure (SPOF) analysis
-
identifies and removes SPOF
- examples:
- web server → replace w/ cluster
- firewall → add another for high availability pair
- examples:
-
continues until cost of addressing risk outweighs benefits of implementing fix
-
analysis should consider multiple risks
-
remember to perform succession planning for staff as well
- who would replace someone if they left?
-
- multiple systems protect against a service failure
- protect services against disruption from small failures
- spreads demand across systems
-
power supplies
- moving parts (fans, etc.)
- high failure rates
- can be redundant
- two PSUs on one server
- data centers can use multiple power suppliers
-
storage
- RAID
- RAID-1: stores same data on two disks
- RAID-5 data striping with parity, 3+ disks
- RAID provides fault tolerance, it is not a backup plan
- RAID
-
networking
- multiple ISPs
- NIC teaming
- redundant networking
- multi-path networking (especially storage)
- use diverse…
- technologies
- vendors
- cryptography
- security controls
-
business continuity plans can fail sometimes
-
DR is the capability to restore normal operations as soon as possible
-
DR is a subset of business continuity
-
triggered by disasters
- environmental, or
- man-made
- contain damage caused by the incident
- recover whatever capabilies may be immediately restored
- includes a variety of duties
- depend on the nature of the disaster
- employee responsibilities can drastically change during disaster recovery
- team members should recieve regular training on their responsibities
-
initial activation of the DR team
-
regular status updates
-
tactical communications
-
after danger passes, move to an assessment stage
- RTO (recovery time objective)
- maximum acceptable amount of time it should take to recover a service after a disaster
- RPO (recovery point objective)
- maximum acceptable time period of data that can be lost after a disaster
- RSL (recovery service level)
- acceptable percentage of service available during a disaster
-
after developing a plan, execute it
-
disaster recovery only ends when the org is operating back in its primary environment
- one of the most important portions of a recovery plan
- act as a data safety net
- tape backup
- old and slow, but still in use
- disk-to-disk
- cloud backup
- provides geo-diversity
- cloud service may also create their own backups
- include a complete copy of all data
- snapshots and images are also a type of full backup
- includes all data modified since the last full backup
- includes all data modified since the last full backup or incremental backup
-
can take some time
- for largescale restoration and/or recovery efforts, the order of restoration is important
- org should prioritize the recovery of critical assets
-
non-persistance
- allows us to back up only unique data
- i.e. don’t need to backup copies of Windows system files for every server, just the data on the server
-
backups aren’t only used for massive disaseters
- configuration problems may be fixed be reverting to last good known states
- backups can be used to revert accidental changes to systems
-
live boot media
- allows for recovery from devices w/ corrupt OSes
- hot site
- fully operational data center
- stocked w/ equipment and data
- available w/in minutes
- very expensive
- cold site
- empty data center
- stocked w/ basic equipment (network, power, server racks, etc.)
- available in weeks or a month
- relatively inexpensive
- warm site
- stocked w/ necessary equipment
- not maintained in parallel w/ production environment
- available in hours or days
- similar expense to a hot site
- consider using alternate business processes in DR plans when considering DR sites
- example: temporarily using paper records, etc.
- geographically distant from main operations
- provide site resliency
- manual transfer or site replication via SAN or VM
- may use online or offline backups
- validates that the plan works
- identifies needed plan updates and weaknesses
-
read-through
- team members review the DRP individually
-
walk-through
tabletop exercise- teams gather for a review, and talk through the plan
-
simulation
- teams gather and go through a practice secenario
-
parallel
- activate the DRP
- doesn’t switch over operations to the DR site
-
full interruption
- activates the DRP
- switches over operations to the DR site
- can be very disruptive to the business
-
testing strategies frequently use a combination of all test types
-
formal review after a BC or DR event
-
should be conducted after _every_BD or DR event
- even if the even was successful
-
executive summary
- provides a background into the event
- should be broad enough for anyone to understand
-
detailed summary
- should answer all key questions about the event
- who was involved?
- what contributed to the success/failure of the BC/DR?
- when did it happen?
- why was the BCP or DRP activated?
- etc
- should answer all key questions about the event
-
lessons learned
- what to start?
- what to stop?
- what to continue?
-
conclusion
- include next steps
-
management and operational controls supplement technical controls
-
unlike technical controls, theses aren’t automatically logged by systems
-
security process data
- records about management controls
-
security process records should be maintained consistently
- backups
- user access reviews
- training
- etc.
-
should use consistent, repeatable processes for gathering security info
- act as a check-and-balance
- double check to verify accuracy and compliance
- create a culture of oversight
- harder to commit malicious acts when you know that reviews happen regularly
- privileged users can override normal security controls
- this needs careful management oversight
- should vet and authorize
- reviews may be a 100% check or a random sampling, depending on the size of the org
- mangers verify that…
- each user account aligns w/ a current employee
- permissions assigned are appropriate for each employee’s role
- changes made since the last review were authorized and documented
- used to evaluate the effectiveness of a security program
- should be defined in advance
-
demonstrate the success of a security program
-
present a historical look on security
-
example
- ITIL KPIs
- decrease in breaches
- decrease in breach impact
- increase in strong SLAs
- number of new controls
- etc.
- ITIL KPIs
-
predict the likelihood of a future security issue happening
-
presents a forward look on security
-
example
- ISACA KRI Criteria
- business impact
- effort to implement, measure and support
- reliability
- sensitivity
- ISACA KRI Criteria
-
verify that security controls function properly
-
evaluates security controls
-
provides a report
-
should always begin with a planning process
- outlines scope of engagement
- timeline for completion
- expected deliverables
- reduces the likelihood of misunderstandings later
-
assessments vs. audits
- assessment
- usually requested internally
- IT staff, management, etc.
- usually requested internally
- audit
- often imposed by external requirements
- board of directors, regulators, etc.
- often imposed by external requirements
- assessment
-
auditor types
- internal auditors
- work for the org
- report independently from area being audited
- work at the request of org. leadership
- internal auditors
-
external auditors
- independent firms
- work at the request of external groups (board, regulators)
-
third party
- government agencies or industry groups
- perform regulatory audits
-
audits should always have clearly defined scopes
-
user access reviews
- validate rights and permissions of users’ accounts
-
gap analysis
- provides a roadmap of future work
- provides a list of controls that are missing or not functioning
-
orgs must perform routine management of controls
-
orgs should test security controls regularly
- routine and automated
-
almost every rule has an exception
- orgs should have a process to request exceptions
- orgs should also have a process to approve exceptions
-
compensating controls
- mitigate the risk caused by exceptions
- vulnerability assessment
- not always technical
- physical
- administrative
- logical
- identify weaknesses
- passive
- not attempting an exploit
- not always technical
- penetration testing
- ethical hacking to validate discovered weaknesses
- red team (attacking team) vs. blue team (defending team)
- NIST SP 800-42 Guideline on Security Testing
- identifies
- active hosts
- active ports and services
- applications
- OSes
- vulnerabilities with associated OSes and applications
- misconfigured
- tests compliance with host application usage and security policies
- establishes a foundation for the pen test
- Recon
- gather information about the organization through various means
- whois
- company website
- social engineering
- gather information about the organization through various means
- Footprinting
- map the network (nmap)
- ICMP ping sweeps
- DNS zone transfers
- Fingerprinting
- identify host information
- perform port scans
- Vulnerability Assessment
- identify weaknesses in system configurations
- discover unpatched software
- Attack!
- penetration
- privilege escalation
- “Run as…”
- SU
- install rootkits
- collection of tools to maintain access
- backdoor software
- can update kernel of OS
- difficult to detect
- collection of tools to maintain access
- cover tracks
- trojaned programs: attacker replaces default utilities with ones that masquerade as system utilities… that don’t identify backdoor software
- log scrubbers
- why test?
- risk analysis
- certification
- accreditation
- security architecture
- policy development
- develop a cohesive, well-planned and operational security testing program
- three basic requirements
- meet with senior management to determine the goal of the assessment
- document the rules of engagement
- get sign off from senior management
- major issue
- could disrupt productivity and production systems
- overall purpose
- determine system’s ability to withstand an attack
- determine effectiveness of the current security measures
- testers should…
- determine effectiveness of safeguards
- identify areas to improve
- NOT suggest remediation steps
- this violates separation of duties!
- testers only test!
- the following should be identified
- specific IP addresses / ranges to be tested
- restricted hosts (i.e. the CEO’s laptop)
- list of acceptable testing techniques
- times for testing
- PoCs for pen test team, targeted systems admins, network admins
- measures to prevent law enforcement acting on false alarms
- how information gathered should be handled
- specific IP addresses / ranges to be tested
- physical
- administrative
- technical
- don’t rely on a single method
- get creative
- path of least resistance
- start with users
- break the rules
- even if the company follows rules, procedures, policies… hackers don’t have to!
- attempt the unexpected
- don’t rely on high tech tools
- stealth may be required
- don’t damage systems or data
- don’t overlook small weaknesses while looking for a big one
- have a toolkit ready
- list of active hosts
- network services
- ICMP
- TCP, UDP
- port scanner
- nmap
- fingerprinting
- banner grabbing
- goal is to identify weak ones
- passwords are generally stored / transmitted as a hash
- password cracking requires capture of passwords hases
- hashes can be intercepted on the wire, or
- hashes can be retrieved from a target system
- dictionary attack: uses a list of passwords in a file (not a literal dictionary)
- bruteforce: systematically going through all combinations of characters
- hybrid: a combination of using bruteforce and a dictionary
- LanMan password hashes
- theoretically, all passwords are crackable
- rainbow tables:
- basics
- unauthorized DHCP server can be used to redirect hosts to a rogue DNS server
- rogue DNS server can redirect traffic to spoofed hosts
- DNS zone transfer information contains a lot of information about a network and its configuration
- countermeasures
- secure physical access to the network
- require DHCP servers to require authentication
- use DHCP reservations and MAC addresses to control IP address assignment
- secure DNS zone transfers only to specific hosts
- goal is to find modems
- provide a way of bypassing most—if not all—security measures
- attacker dials large blocks of phone numbers looking for a modem
- countermeasures
- removal, if possible, if not…
- block inbound calls to modem
- keep remote access server phone number out of normal office numbers
- think: all campus numbers are 393-xxxx, pick 229-xxxx for modem
- investigate and disconnect unauthorized hosts
- disable / remove unnecessary and vulnerable services
- modify vulnerable hosts
- restrict access to vulnerable services to limited number of hosts
- modify firewalls to restrict access to vulnerable services
- upgrade / patch vulnerable systems
- deploy countermeasures
- improve configuration management program and procedures
- assign staff to:
- monitor vulnerability alerts / emails
- examine if applicable to environment
- make appropriate changes to system
- modify security procedures and architecture
- remember: all of the above must happen by going through change management!
- aka side channel analysis
- watch traffic and its patterns to try to determine if something is happening
- generating extra network traffic to make traffic analysis harder
- attempts to keep traffic consistent so no information can be gained
-
aka sniffer
-
promiscuous mode - on NIC on the system that acts as a sniffer
-
bridging/switching can affect packet capture
-
port span / port mirroring mode: port on a switch acts like a hub — all traffic goes out it
-
sniffer + analysis engine = intrusion detection system
- tool in a layered security model
- purpose is to:
- identify suspicious activity
- log activity
- respond (alert admins)
- needs a NIC in promiscuous mode
- needs a port with port span/mirroring enabled to view traffic on the switch
- Host Intrusion Detection System (HIDS) — host-based
- Network Intrusion Detection System (NIDS) — network-based
- sensor: data collector
- on the network segment (NIDS)
- on the host (HIDS)
- analysis engine: analyzes data from the sensor and determines if there is suspicious activity on the network/host
- signature database: used by the analysis engine. defines signatures of previous known attacks
- UI and reports: way that the system is used by admins
- things that a HIDS can look at:
- logins
- system log / audit files
- application log / audit files
- file activity
- configuration file changes
- process stops / starts
- use of certain applications
- CPU use
- network traffic
- advantages
- can be application and OS specific — might have information/knowledge of latests attacks that can occur against that application or OS
- can look at decrypted data (network traffic is often encrypted)
- disadvantages
- only protects one machine
- uses system resources
- can’t see what’s on other machines in the organization / network
- scalability
- HIDS can be disabled, rendering it useless
- placed in the DMZ of a network
- looks at:
- source / destination IP addresses
- source / destination port #s
- protocol
- data content
- often will look for:
- DoS attacks
- port scans
- malicous content
- vulnerability tests
- tunneling
- bruteforce attacks
- can also look for violations of an organization’s network policy (ex. instant messaging, streaming video)
- disadvantages
- data must be unencrypted to be analyzed
- many protocols are encrypted
- switches need to have port spanning/mirroring on the port the NIDS is on
- if on the perimeter of a network, can miss things internally
- must be able to handle lots of data quickly
- cannot see what’s going on on servers and hosts directly
- data must be unencrypted to be analyzed
- things that a HIDS can look at:
- IDS: passive
- IPS: active
- can activate firewall rules dynamically
- can shut down TCP traffic
- aka signature-based
- most network attacks have a distinct signature
- signature-based NIDSs have a database of known signature
- alert on traffic/conditions that match known signature in database
- concerns
- need to pay for signature database from vendor
- need to keep application and signature database up-to-date
- no protection from zero day attacks
- aka anomoly, behavior, heuristic
- looks for changes in “normal” behavior on the network
- learns after observing for days/weeks to create a baseline of what is “normal”
- alerts for things out of the ordinary compared to the baseline
- advantages
- can possibly detect zero day attacks
- can detect behavioral changes that might not be a technical attack (i.e. someone preparing to embezzle funds)
- disadvantages
- can produce false positives
- which get ignored (boy who cried wolf)
- engines require a skilled analyst to tweak and hone in
- can produce false positives
- depoyment
- pseudo-flaw: a loophole added to OSes or applications to entice and trap an intruder
- sacrificial lamb on a network
- admins hope to catch intruders on the honeypot system instead of their production applications / systems
- enticing because of open ports and vulnerable services
- remember enticement vs. entrapment
- concept used in programming
- a sandbox is created with separate memory and storage for an application to use
- similar to a virtual machine
- also used by IDSes
- intruder is moved to a padded cell without their knowledge
- simulated environment keeps intruder at bay and occupied
- intruder leaves production systems alone
- aka: self-mutating honeypot, tarpit