CbSec

75 Terms

1. Project Design (vulnerability)

  • Introduced while defining requirements and designing the architecture.

  • Even if the code is perfect, the system will still be vulnerable.

    • e.g. forgetting about a situation where communication can be observed, so no encryption is applied there

2. Development (vulnerability)

  • Introduced during development: coding errors.

  • e.g. lack of input validation resulting in SQL injection or buffer overflow

3. Operational (vulnerabilities)

  • Introduced during (after) deployment: configuration errors.

  • Issues in the runtime environment.

  • e.g. an old library with known bugs, using default credentials

4. CVE

Common Vulnerabilities and Exposures: a catalog of specific vulnerabilities found in particular versions of software; every record has a unique ID, etc.

5. CWE

Common Weakness Enumeration: a catalog of TYPES of vulnerabilities. It describes categories of errors, not specific bugs.

6. CIA - Confidentiality

  • Only the right people/systems (those with permissions) can see the data.

  • e.g. an unauthorised user opens a file they should not have access to

7. CIA - Integrity

  • Data stays correct and is not changed without permission.

  • e.g. SQL injection changes data in the database

8. CIA - Availability

  • Systems and data are always reachable when needed.

  • If this is broken, legitimate users cannot access the system.

  • e.g. server crash due to a DDoS attack

9. Data Breach

Intentional cyber attack with the direct goal of accessing protected data and using it.

10. Data Leak

Event in which confidential data is exposed because of an employee's error, not because of an attack. e.g. sending an email containing the data to the wrong person

11. Ransomware

Type of attack in which the attackers take control of data or a system and demand a ransom (they encrypt the data or threaten to delete it).

12. Software Supply Chain

Attack in which third-party components are targeted rather than the application itself. The trust relationship between the organisation and its supplier is exploited.

13. Low-level Languages

  • Allow manual memory management and address arithmetic, limited only by the operating system.

  • Faster and more efficient, but that also makes them more dangerous.

  • Can lead to read/write operations on the wrong memory: buffer overflow.

  • Assembly, C, C++

14. High-level Languages

  • They run in controlled virtual environments.

  • This separates and protects the OS.

  • Ensures type, memory and execution safety.

  • Rust, Python, Java

15. BufferOverflow

  • When a program writes data to a buffer (space) but writes more data than the buffer can hold.

  • Memory beyond the buffer is overwritten.

  • Can be used to crash the system or execute malicious code.

  • e.g. insert bad code in the "data" space and change the return address of execution to point to the bad code

To mitigate: secure code, and check sizes before copying data.

Address space layout randomization in RAM.

"Canaries": used with OS support to detect whether memory was overwritten.

16. Heartbleed Bug

A specific buffer over-read: the attacker sends a short payload to the server but tricks it into thinking the data is long; the server then over-reads memory and sends a response containing data beyond the typical response buffer, leaking other data.

17. Code Injection

Attack in which malicious code is sent to the application, e.g. as user input, and the app runs it unintentionally because of a lack of validation. Can be achieved via buffer overflow.

Mitigation: validate user input; non-executable stack, which prevents execution of code inside the "data" memory area.

18. ShellShock

  • Vulnerability in the BASH shell program.

  • BASH mistakenly executed commands appended to the end of an environment variable.

  • e.g. send an HTTP request containing "cat /etc/passwd"; the server would create the variable and execute the command, whose output was redirected back to the user

19. XSS

Cross-Site Scripting, classified as an injection flaw

  • The attacker injects code into a trusted website (e.g. through a comment).

  • The website sends the web page with the code to the client's browser, which automatically executes it.

  • Can lead to session hijacking, stealing cookies, etc.

20. SAST

Static Application Security Testing

  • Static code analysis to find vulnerabilities without execution.

  • Fast, but produces a lot of false positives.

  • e.g. detecting unsanitized tainted data

21. Tainted Data

  • Data that comes from an outside source.

  • It was not sanitized / validated.

  • It is considered a vulnerability in the system if it reaches a sink.

22. Source

Point where untrusted data enters the application.

23. Sink

Point where untrusted (tainted) data enters a sensitive operation or function (e.g. an SQL query).

24. Taint Analysis

  • Static code analysis.

  • Marks variables as tainted when they come from an outside source without sanitization.

25. CodeQL

  • Semantic code analysis engine.

  • Creates a database from the source code, which can then be queried using an SQL-like language.

  • Variant analysis: if you find a threat in the code, you can query for similar ones.

26. Variant Analysis

When we know a system's vulnerability, we can search the project to find similar ones.

27. DAST

Dynamic Application Security Testing

  • Black-box tests.

  • Attack injection.

  • Performed on the running app.

  • Monitors the system's response to the injection of many different attacks.

28. Attack Injection

Sending many attacks and malformed data to the system and monitoring its response.

29. Fuzzing

  • Technique for automatic detection of vulnerabilities and bugs.

  • Generates a lot of malformed junk and malicious data, sends it to the system and monitors its behaviour.

  • It intends to find unknown vulnerabilities.

30. Fuzzing, Recursive

Fuzzing with different combinations over a given alphabet.

31. Fuzzing, Replacive

Replaces given data formats with known malicious strings (from a predefined list).

32. OWASP ZAP

Zed Attack Proxy

Works as a proxy between the web browser and the server; intercepts all traffic and allows modifying the content on the fly (in transit).

  • Safe Mode: passive analysis of traffic; can be used on any website.

  • Attack Mode: aggressive attack injection using known attacks; use only on apps you have permission to test.

33. ZAP and HTTPS

Modern browsers encrypt traffic using the HTTPS protocol, so ZAP cannot decode the content.

ZAP generates a new certificate signed by the OWASP Root CA; this root CA must be installed on the system.

34. OWASP ASVS

Application Security Verification Standard

Framework checklist to verify whether an app meets security requirements; it has 3 levels: Basic / Sensitive / Critical

35. Trusted Computing

  • A way of building computer systems so that they behave the way they should even when attacked or subjected to unwanted interference.

  • Security is guaranteed not only by software but also, and most importantly, by hardware, which is much harder to crack.

  • The OS and antivirus software are not trusted, but hardware cannot lie.

  • The TPM chip is crucial in implementing this.

36. TPM

Trusted Platform Module

  • Cryptographic co-processor that ensures safety in hardware: stores keys, performs encryption.

  • Passive: receives commands from the CPU; small capacity for data.

  • Hardware ensures the Root of Trust.

37. TPM Root of Trust

  • Measurements: the TPM creates hashes of the software during boot (BIOS, boot loader, kernel); if any of it changes, we can detect it. Saved in PCRs.

  • Sealing: data is encrypted and bound to the PCR hash; if the hash at read time differs from the hash at write time, the read is blocked.

  • Remote attestation: a remote server can ask the TPM whether the platform is compromised or not; it returns a report of the PCR registers.

38. PCR

Platform Configuration Register

  • The boot hash is stored here.

  • Cannot be rewritten.

  • A new hash is added (extended) onto the old one.

39. Trusted Boot

  • Verification during startup.

  • Hashes every phase and checks whether it matches the PCR.

  • If the hash is not valid, the system will still run, but unsealing data or remote attestation will be blocked by the TPM.

40. Secure Boot

  • Verification before startup.

  • Checks the digital code signature.

  • If it is not valid, it blocks system startup.

41. TEE

Trusted Execution Environment

  • Isolated, safe execution environment inside the CPU.

  • Ensures process/code/app safety during execution, in real time.

  • Code run in the TEE is safe from (invisible to) the OS and hypervisor, so it cannot be changed from outside the TEE.

  • Data inside is encrypted and safe.

  • e.g. enclaves in Intel SGX

42. Hypervisor

Virtual machine monitor

  • Software layer that enables running multiple OSes on one machine.

  • Works on top of the hardware or OS layer and manages resources such as CPUs, memory and drives.

43. REE

Rich Execution Environment

  • Normal-world execution.

  • Opposite of the TEE.

  • The OS is considered untrustworthy.

44. Intel SGX

Software Guard Extensions

  • Implements a TEE; it is a set of CPU instructions for the trusted part.

  • Can create protected memory regions for safe code execution (enclaves).

  • Data is decrypted on the fly by the TEE, so even if the OS is compromised the code is safe.

  • The programmer decides which part of the code goes into the enclave.

45. SGX Sealing

Encrypting data inside the enclave so it can be stored on an untrusted drive and later read only by the same enclave. This is required because the enclave runs in RAM, so its contents are lost between app executions.

46. Intel SGX (differences)

  • Small protected region inside the app.

  • Isolates only a specific part of the code.

  • I/O peripherals not supported.

  • For computers, servers, cloud.

47. ARM TrustZone

  • System-wide isolation.

  • Splits the SoC (System on Chip: CPU, GPU, RAM on one chip) into 2 worlds: Normal and Secure.

  • Hardware enforces that the normal world cannot access the secure one.

  • The NS bit on the system bus enforces the isolation of the 2 worlds.

  • Secure Monitor: performs the context switch between the 2 worlds.

  • Can assign I/O devices exclusively to the secure world.

48. ARM TrustZone (differences)

  • For embedded systems.

  • The entire system is split into 2 modes.

  • Uses the NS bit for access control.

  • Mobile, IoT, embedded.

  • 2 separate computers in one (normal/secure).

49. Side Channel Attack

  • Extracts secrets by observing physical side effects of computation:

  • execution time, energy consumption, electromagnetic emissions

  • Data from these observations can be correlated with the system's secrets.

  • Mitigation: constant-time programming, masking energy consumption, isolation of resources.

50. Covert Channel

  • A side channel is an unintentional leak of information.

  • A covert channel is communication over a medium that was not intended to allow communication.

  • The interaction is hidden from the system; both sides try to hide from the system administration.

  • e.g. Morse code with the power LED

51. Modern Perimeter

  • Boundary between the internal network and the untrusted external network.

  • It is endangered because of e.g. VPN: users connecting from home PCs.

  • Also because of WiFi: it goes through walls and can be overheard.

52. Defense in Depth

  • Don't rely on a single point of failure, e.g. just a firewall.

  • Security must be layered.

53. Network Zones

  • A secure network is divided into zones with different trust levels, controlled by firewalls.

  • Zero Trust policy: we don't trust any device in the network; always put a firewall in front of it.

54. ARP Spoofing

The attacker spoofs their MAC address as that of another host and redirects traffic to themselves.

55. ICMP Redirect

Forging an ICMP redirect message to trick the host into believing that the better route to the destination is through the attacker.

56. DHCP Spoofing

The attacker enters the network as a false DHCP server and tries to give the host an IP address before the real DHCP server does. They boost their signal, then redirect and capture/modify traffic.

57. Static (stateless) Firewall

  • Does not remember previous packets.

  • Analyses each packet separately.

  • Best for managing traffic based on certain IPs, ports, flags.

  • Bad with complicated protocols like FTP.

58. Dynamic (stateful) Firewall

  • Maintains a state table to track open connections.

  • If a packet belongs to an open connection it is accepted; otherwise it is checked against the ACL (Access Control List).

  • Firewalls cannot inspect payloads or encrypted traffic.

  • If the attacker has compromised an internal host, the firewall is useless.

59. NIDS

Network Intrusion Detection System

  • Passively observes the network to detect attacks.

  • Has a copy of all traffic and compares it to a database of known attack signatures.

  • Only detects and alerts.

60. NIPS

Network Intrusion Prevention System

  • Active system that sits inline with the traffic.

  • Inspects packets statefully and can drop a connection instantly.

  • Can be static or dynamic.

  • High false-positive risk.

61. UTM

Unified Threat Management

  • All-in-one device: firewall, NIPS, VPN, antivirus.

  • Easy to manage, but risky because it is a single point of failure.

62. VPN

Virtual Private Network

  • Creates a safe, encrypted tunnel over a less secure network.

  • Traffic is protected and the host looks as if it were physically in the other network.

  • Encapsulation: packet → encryption over VPN → decryption in the company VPN.

  • Client-to-Site: for remote access to the company network.

  • Site-to-Site: routers are connected via VPN; it looks as if the server were next door.

63. IPsec (VPN)

  • Standard in big corporations.

  • Mainly for site-to-site.

  • Either all traffic is encrypted or just the payload.

64. SSL / TLS (VPN)

  • Easy to use: every web browser supports it.

  • Uses TCP.

  • Good for remote access.

65. OpenVPN

  • Open source.

  • Versatile.

  • Hard to block with a firewall.

66. WireGuard (VPN)

  • New, fast.

  • Least latency.

  • Lightweight.

67. WiFi WEP

Wired Equivalent Privacy

  • First attempt to secure WiFi, using a static key (password) shared by every host on the WiFi.

  • Encryption uses the key and an IV of only 2 bits; easy to crack.

68. WiFi WPA/WPA2

WiFi Protected Access

  • Temporary fix for WEP.

  • Changes the encryption key for every packet.

  • Uses AES for encryption.

69. WiFi WPA3

Modern WiFi standard

  • SAE, which means an attacker cannot record the handshake session and guess the password offline.

  • They must do it online against the router, which takes longer.

  • Protects traffic even when there is no WiFi password.

70. Evil Twin Attack

The attacker sets up a WiFi clone with the same SSID and boosts the signal to make users connect to it, then performs a man-in-the-middle attack.

71. Secure Network

  • Know every asset in the network.

  • Defense layers (VPN, firewall, etc.).

  • Proxy for web servers.

  • Layers of trust.

  • Zero trust policy.

72. GDPR

General Data Protection Regulation

  • Right to be forgotten.

  • Privacy by design: protection from day one.

  • Pseudonymization: don't store sensitive data as is; encrypt it so that it cannot be used alone, e.g. store IDs instead of social security numbers, and keep those in a secure database elsewhere.

  • Breach notification within 72 h.

  • Legally required to use encryption, pseudonymization and backups.

  • Train employees and run security audits.

73. NIS / NIS2

Network and Information Security

  • EU law to ensure a high level of cybersecurity for critical public systems.

  • Power grids, hospitals, food supply, waste, water supply, etc.

  • Strict 24 h incident reporting.

  • CEOs can be held accountable for negligence.

74. CSIRT

Computer Security Incident Response Team

  • Every EU country must have one.

  • Takes action within the country but also coordinates actions across borders.

75. SOC

Security Operations Center

  • 24/7 monitoring and detection of attacks.

  • Informs the CSIRT to take action when it detects something.

  • Passive.