D430 Fundamentals of Information Security

bounds checking

to set a limit on the amount of data we expect to receive to set aside storage for that data
*required in most programming languages
* prevents buffer overflows

race conditions

A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions

input validation

a type of attack that can occur when we fail to validate the input to our applications or take steps to filter out unexpected or undesirable content

format string attack

a type of input validation attacks in which certain print functions within a programming language can be used to manipulate or view the internal memory of an application

authentication attack

A type of attack that can occur when we fail to use strong authentication mechanisms for our applications

authorization attack

A type of attack that can occur when we fail to use authorization best practices for our applications

cryptographic attack

A type of attack that can occur when we fail to properly design our security mechanisms when implementing cryptographic controls in our applications

client-side attack

A type of attack that takes advantage of weaknesses in the software loaded on client machines or one that uses social engineering techniques to trick us into going along with the attack

XSS (Cross Site Scripting)

an attack carried out by placing code in the form of a scripting language into a web page or other media that is interpreted by a client browser

XSRF (cross-site request forgery)

an attack in which the attacker places a link on a web page in such a way that it will be automatically executed to initiate a particular activity on another web page or application where the user is currently authenticated

SQL Injection Attack

Attacks against a web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common database software application) applications in order to introduce malicious program code into a company's systems and networks.

clickjacking

An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise

server-side attack

A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or inadequate permissions, or extraneous files left on the server from the development process

Protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation

Name the 4 main categories of database security issues

web application analysis tool

A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, and improperly set permissions, extraneous files, outdated software versions, and many more such items

protocol issues

unauthenticated flaws in network protocols, authenticated flaws in network protocols, flaws in authentication protocols

arbitrary code execution

An attack that exploits an applications vulnerability into allowing the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements

Privilege Escalation

An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.
* via SQL injection or local issues

validating user inputs

a security best practice for all software
* the most effective way of mitigating SQL injection attacks

Nikto (and Wikto)

A web server analysis tool that performs checks for many common server-side vulnerabilities & creates an index of all the files and directories it can see on the target web server (a process known as spidering)

burp suite

A well-known GUI web analysis tool that offers a free and professional version; the pro version includes advanced tools for conducting more in-depth attacks

fuzzer

A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways

MiniFuzz File Fuzzer

A tool developed by Microsoft to find flaws in file-handling source code

BinScope Binary Analyzer

A tool developed by Microsoft to examine source code for general good practices

SDL Regex Fuzzer

A tool developed by Microsoft for testing certain pattern-matching expressions for potential vulnerabilities

good sources of secure coding guidelines

CERT, NIST 800, BSI, an organization's internal coding guidelines

OS hardening

the process of reducing the number of available avenues through which our OS might be attacked

attack surface

The total of the areas through which our operating system might be attacked

6 main hardening categories

1. Removing unnecessary software
2. Removing or turning off unessential services
3. Making alterations to common accounts
4. Applying the principle of least privilege
5. Applying software updates in a timely manner
6. Making use of logging and auditing functions

Principle of Least Privilege

states we should only allow a party the absolute minimum permission needed for it to carry out its function

stuxnet

A particularly complex and impactful item of malware that targeted the Supervisory Control and Data Acquisition (SCADA) systems that run various industrial processes; this piece of malware raised the bar for malware from largely being a virtual-based attack to actually being physically destructive

anti-malware tool

A type of tool that uses signature matching or anomaly detection (heuristics) to detect malware threats, either in real-time or by performing scans of files and processes

heuristics

the process of anomaly detection used by anti-malware tools to detect malware without signatures

executable space protection

A hardware and software-based technology that prevents certain portions of the memory used by the operating system and applications from being used to execute code

buffer overflow (overrun)

The act of inputting more data than an application is expecting from a particular input, creating the possibility of executing commands by specifically crafting the excess data

ASLR (Address Space Layout Randomization)

a security method that involves shifting the contents of memory around to make tampering difficult

software firewall

This type of firewall generally contains a subset of the features on a large firewall appliance but is often capable of similar packet filtering and stateful packet inspection activities

HIDS (host-based intrusion detection system)

a system used to analyze the activities on or directed at the network interface of a particular host.
* may communicate with management device by sending regular beacons

scanner

a type of tool that can detect various security flaws when examining hosts

vulnerability assessment tool

A tool that is aimed specifically at the task of finding and reporting network services on hosts that have known vulnerabilities

Nessus

A well-known vulnerability assessment tool that includes a port scanner

exploit framework

A group of tools that can include network mapping tools, sniffers, and exploits

exploits

small bits of software that take advantage of flaws in software/applications in order to cause them to behave in ways that were not intended by their creators

Metasploit, Immunity CANVAS, Core Impact

Name 3 examples of exploit frameworks

security in network design

This method of security involves a well-configured and patched network, and incorporating elements such as network segmentation, choke points, and redundancy

network segmentation

The act of dividing a network into multiple smaller networks, each acting as its own small network (subnet)

choke points

certain points in the network, such as routers, firewalls, or proxies, where we can inspect, filter, and control network traffic

redundancy

a method of security that involves designing a network to always have another route if something fails or loses connection

firewall

a mechanism for maintaining control over the traffic that flows into and out of our networks

packet filtering

A firewall technology that inspects the contents of each packet in network traffic individually and makes a gross determination (based on source and destination IP address, port number, and the protocol being used) of whether the traffic should be allowed to pass

SPI (Stateful Packet Inspection)

a firewall that can watch packets and monitor the traffic from a given connection

DPI (Deep Packet Inspection)

a firewall technology that can analyze the actual content of the traffic that is flowing through

proxy server

a specialized type of firewall that can serve as a choke point, log traffic for later inspection, and provides a layer of security by serving as a single source of requests for the devices behind it

DMZ (demilitarized zone)

a combination of a network design feature and a protective device such as a firewall.
Often used for systems that need to be exposed to external networks but are connected to our own network (such as a web server)

NIDS (Network intrusion detection system)

A system that monitors network traffic and alerts for unauthorized activity

signature-based IDS

An IDS that maintains a database of signatures that might signal a particular type of attack and compares incoming traffic to those signatures

anomaly-based IDS

an IDS that takes a baseline of normal network traffic and activity and measures current traffic against this baseline to detect unusual events

VPN (Virtual Private Network)

an encrypted connection between two points

SSH (Secure Shell)

protocol used to secure traffic in a variety of ways, including file transfers and terminal access. uses RSA encryption (asymmetric encryption)

BYOD (bring your own device)

a phrase that refers to an organization's strategy and policies regarding the use of personal vs. corporate devices

MDM (mobile device management)

a solution that manages security elements for mobile devices in the workplace

kismet

a well-known Linux sniffing tool used to detect wireless access points

NetStumbler

A Windows tool used to detect wireless access points

nmap

A well-known port scanner that can also search for hosts on a network, identify the operating systems those hosts are running, detect the version of the services running on any open ports, and more

packet sniffer (aka network or protocol analyzer)

this type of tool can intercept traffic on a network;
listens for any traffic that the network interface of our computer or device can see

tcpdump (WinDump for Windows)

classic, command-line sniffing tool that monitors network activities, filters traffic, and more
runs on UNIX systems

Wireshark

a graphical interface protocol sniffing tool that is capable of filtering, sorting, & analyzing both wired and wireless traffic
- popular troubleshooting tool

honeypot

A type of tool that deliberately displays vulnerabilities or attractive data so it can detect, monitor, and sometimes tamper with the activities of an attacker

hping3

A tool used to test the security of firewalls and map network topology.
- constructs specially crafted ICMP packets to evade measures to hide devices behind firewall
- scripting functionality to test firewall/IDS

physical security

A type of security that is concerned with the protection of people, equipment, and data

BCP (Business Continuity Plan)

the plans we put in place to ensure that critical business functions can continue operations in the event of an emergency

DRP (Disaster Recovery Plan)

the plans we put in place in preparation for a potential disaster, and what exactly we will do during and after

major categories of physical threats

extreme temperature, gases, living organisms, projectiles, movement, energy anomalies, people, toxins, smoke, and fire

physical security controls

The devices, systems, people, and other methods we put in place to ensure our security in a physical sense

deterrent, detective, preventive

name the 3 main types of physical controls

deterrent controls

Controls designed to discourage those who might seek to violate our security controls

detective controls

controls designed to detect and report undesirable events that are taking place

preventive controls

Controls designed to physically prevent unauthorized entities from breaching our physical security

residual data

Data that is unintentionally left behind on a storage device

Safety, evacuation plans, administrative controls

Name the 3 main considerations for protecting people

availability, residual data, backups

Name the 3 main considerations for protecting data

equipment, facility repair/replacement

Name the considerations for protecting equipment

flash media

storage media that is least sensitive to temperature, humidity, magnetic fields, and impacts

RAID (redundant array of inexpensive disks)

a data storage virtualization technology that combines multiple physical disk drive components into a single logical unit for the purposes of data redundancy, performance improvement, or both.

most common security awareness issues

protecting data, passwords, social engineering, network usage, malware, the use of personal equipment, clean desk, policy knowledge

protecting data

a security awareness issue that is concerned with the criticality of carefully handling data from the perspectives of compliance, as well as reputation and customer retention

passwords

a security awareness issue that involves educating users of the importance of strong passwords and password handling best practices

social engineering

techniques used by an attacker that rely on the willingness of people to help others

pretexting

A technique involving a fake identity & a believable scenario that elicits the target to give out sensitive information or perform some action which they would not normally do for a stranger

phishing

a social engineering technique that uses electronic communications (email, text, phone calls) to convince a potential victim to give out sensitive information or perform some action

spearphishing

a social engineering techniqe that targets a specific company, organization, or person, and involves knowing specifics about the target to appear valid

tailgating (piggybacking)

a method by which a person follows directly behind another person who authenticates to the physical access control measure, thus allowing the follower to gain access without authenticating

network usage

a security awareness issue that involves educating users about security issues around connecting devices to networks, such as connecting outside devices to the corporate network, and connecting corporate resources to a public network

malware

a security awareness issue that involves educating users about malicious software and how to avoid it

use of personal equipment

security awareness issue that is concerned with protecting a company's assets

clean desk policy

a security awareness issue that requires users to protect sensitive information at all times, even when away from one's desk

policy and regulatory knowledge

a security awareness issue that is necessary to maintain compliance throughout the organization

SATE (Security Awareness, Training and Education)

a program that seeks to make users aware of the risk they are accepting through their current actions and attempts to change their behavior through targeted efforts

OPSEC
(Operations Security)

the process we use to protect our information

Sun Tzu

A Chinese military general from 6th century BC who wrote The Art of War, a text that shows early examples of operations security principles