Sec+ preparation #6

Intro

Let’s jump into the next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes the various topics. A real professional.

You can purchase the Security+ SY0-701 boot camp here

Metasploit

  • One of the best exploitation frameworks

Security Audits

There can be:

  • Internal audits

    • Your own people will not want to find problems.
  • External audits

  • Independent third-party audits

    • This one is the most effective

Vulnerability Life Cycle (will be in exam)

Identification → Analysis → Response and Remediation → Validation of Remediation → Reporting

After this cycle you do it again.

This is not a process that you do once, but a process that you do continuously. (will be in exam)

Application Security

Applications need to be secure. The web is a broad field, and there has to be some kind of security in place for your application.

OWASP (The Open Web Application Security Project)

  • If you need experience for a job, you can volunteer in OWASP projects.

  • They do really good things.

  • It’s a non-profit organization

  • All materials available for FREE

  • They developed many tools such as OWASP ZAP.

  • OWASP TOP10 is important in cybersecurity field.

Protecting Data on Devices

  • Hierarchical Storage Management (HSM)

    • Moves data to low-cost devices for long-term storage

    • May need to encrypt the data to protect it

      • You should encrypt the data!!!
    • Also called tiered storage

  • USB Encryption

  • Full hard drive encryption

Data encryption

  • It’s the last layer of protection

    • Full disk encryption

      • If you lose the device, you don’t expose the data
    • Database

      • Encrypted tables or records for sensitive data
    • Individual Files

      • Software for that: PGP, AxCrypt
    • Removable Media

      • Easy to lose, small size, often in clear text
    • Mobile Devices

      • Large amount of storage, may contain business data.

Software Security Downfalls

  • Most attacks take advantage of a weakness (vulnerability)

  • Vulnerabilities are in 99% of software. They’re everywhere.

  • The more complex the software, the more vulnerabilities it has.

  • Software is changing faster than software security

  • Businesses make money when they release new versions. New versions mean new vulnerabilities.

Software Security Challenges

  • Security is not treated as crucial during the development stages

  • Many programmers do not practice secure coding

  • Focus is on functionality and not security

  • Fuzzing, also known as fuzz testing, is a software testing technique that involves feeding a program with random or invalid inputs to uncover bugs, security vulnerabilities, and crashes.

    • Responsible companies do that

Software Development Methods

Project Development (will be in exam)

Security within software development:

  • Security should be planned from first step.

    • The initiation of the project is the best time. Remember this.
  • Everyone has to follow security policies, from the junior dev to the CEO.

  • Security controls should not be added after the fact.

Types of development methods:

  • Waterfall (will be in exam)

    • Traditional Model

    • Completion of one task leads to the start of another

    • Long term projects

  • Agile (will be in exam)

    • Heavy interaction with stakeholders

    • Evolutionary software development

    • Multiple software releases.

    • It’s an iteration-based method:

        1. Plan

        2. Design

        3. Develop

        4. Test

        5. Deploy

        6. Review

    • It’s the most popular method

Software development life cycle (SDLC)

  • Different models with similar processes:

    • Project initiation (security should come in at this stage, but it is usually skipped. This will always be asked in the exam. The first step is security. Remember it.)

      • Identify security requirements

      • Perform an initial risk analysis

        • Analyze threats

        • Estimate costs and benefits per countermeasure

        • Determine service level agreement (SLA)

    • Functional design analysis and planning

      • Define security requirements

      • Propose security checkpoints in plan

      • Preliminary security test plans

      • Formal functional baseline includes security requirements

    • System Design specifications

      • Define security specifications

      • Update test plans

      • Security specifications

    • Software Development

      • Write programming code to meet specifications

      • Implement security within code

      • Unit tests

    • Installation/Test/Implementation

      • Test system components

      • User acceptance testing

      • Install system

      • Create manuals

      • Accept system

    • Operational/Maintenance

      • Maintain system through service level agreement (SLA)

      • After changes, re-certify

      • Audit and test security components periodically

        • Must be done continuously
    • Disposal

      • Properly dispose of system

      • Repeat full cycle with new initiation

      • Data moved to another system

You must follow best practices if there are defined ones. It doesn’t matter what industry you’re in. You must follow best practices! If you can say that you did everything according to your industry’s best practices, you’re safe.

Verification vs. Validation

Verification

  • Determining if the product accurately represents the developer’s description and specifications

  • Follows structure and logic of the product

Validation

  • Determining the degree to which the model represents real-world use

Change Control (always in exam)

You must document changes to your system, and there has to be a process to manage them.

If you want to change something, you need to make a request for permission to do it, and you have to wait for approval.

It’s a really important thing.

  • Without proper change control, a project can take longer than appropriate to complete.

  • Apps should be centrally managed

  • Security controls must always be protected

  • Changes should be made in the development environment, not in production.

Procedures of change control
  1. Request for change

  2. Analyze request

    1. Develop the implementation strategy

    2. Calculate the cost of this implementation

    3. Review any security implications

  3. Record change request

  4. Submit change request approval

  5. Develop change

  6. Re-code segments of the product, modify its functionality

  7. Link these changes in the code to the formal request

  8. Submit software for testing and QA

  9. Repeat until quality is adequate

  10. Make version changes

  11. Report changes to management

  12. Establish a baseline setting

Privilege Escalation

A user has to get the minimum privilege needed to do the job, not more than they need.

It’s an important aspect. You can

  • Vertical Privilege escalation

    • Privilege elevation

    • Where a lower-privilege user accesses functions or content reserved for higher-privilege users.

  • Horizontal privilege escalation

    • For example, moving from developer to HR, because HR has lots of info.
  • Privilege De-escalation:

    • Where highly privileged users downgrade their access to use normal user functions

Always attempt to give the least amount of privileges to applications, users, and processes.

Practice exam

There’s a place for good practice exams:

BOSON - a practice exam costs $99

Denial of Service (DoS)

Basically, it is an exhaustion attack.

  • Exploit some form of weakness or limitation.

  • Sending a large amount of data

    • SYN flooding

    • Mail bomb

    • ICMP smurf attack

  • Making a processor run at 100% load

Distributed Denial of Service (DDoS)

Usually many devices performing DoS at the same time, usually botnets.

  • One master

  • Some of the botnets today have over 1 million hosts

Replay attacks

  • Similar to Man In The Middle Attack (MITM)

  • Could be credentials that have been captured

    • Username and passwords

    • Security token

  • Could be against cryptographic tools

  • Digital signature

Wireless connections travel over the air. They can be captured and replayed. This is where SDR (software-defined radio) steps in.

A wired connection is safer.

  • An unsecured cookie can reveal credentials

Replay Attacks Protection

  • Update software with latest security patches (most important)

  • Use encryption, digital signatures, or VPN, SSL, SSH

  • Use timestamps

  • Secure network entry points

    • Disable unused ports
  • Monitor network for suspicious activities
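Timestamps and a one-time nonce, bound to the message with a MAC, are the replay protection the list above points at. The following is an added example (not from the original notes or from Hackers-Arise) that shows both sides of the exchange: the sender signs the payload together with a timestamp and nonce, and the receiver rejects a tampered copy, a stale message, and the same message sent twice. The shared key, the 30-second skew window and the sample messages are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Hypothetical shared secret for the demo; in practice it comes from a key store, never source code.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW_SECONDS = 30.0


def sign_message(payload: dict, nonce: str, sent_at: float) -> dict:
    """Sender side: bind the payload to a timestamp and a one-time nonce with HMAC-SHA256."""
    body = {"payload": payload, "nonce": nonce, "ts": sent_at}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


class ReplayGuard:
    """Receiver side: rejects bad MACs, stale timestamps and nonces seen before."""

    def __init__(self, max_skew: float = MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self.seen_nonces: dict[str, float] = {}  # nonce -> time after which it can be forgotten

    def verify(self, message: dict, now: float) -> tuple[bool, str]:
        # Forget nonces so old that the timestamp check alone would reject a replay of them.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}

        body = {k: message[k] for k in ("payload", "nonce", "ts")}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        expected = hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()
        # Constant-time comparison so the MAC check does not leak timing information.
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False, "bad mac"
        if abs(now - message["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if message["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[message["nonce"]] = message["ts"] + self.max_skew
        return True, "ok"


def demo() -> list[str]:
    """Constructed exchange: a fresh message, a replay of it, a tampered copy and a stale one."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0  # fixed clock for a reproducible demo instead of time.time()
    msg = sign_message({"action": "transfer", "amount": 100}, nonce="n-0001", sent_at=t0)
    results = [guard.verify(msg, now=t0 + 1)[1]]           # fresh: ok
    results.append(guard.verify(msg, now=t0 + 2)[1])       # same bytes again: replayed nonce
    tampered = dict(msg, payload={"action": "transfer", "amount": 1000})
    results.append(guard.verify(tampered, now=t0 + 3)[1])  # altered payload: bad mac
    old = sign_message({"action": "ping"}, nonce="n-0002", sent_at=t0 - 600)
    results.append(guard.verify(old, now=t0)[1])           # ten minutes old: stale timestamp
    return results


if __name__ == "__main__":
    print(demo())
    print("wall clock now:", time.time())
```

The order of the checks matters: the MAC is verified first so that an attacker cannot learn anything about the nonce cache or clock window with unauthenticated messages, and the nonce cache only has to remember nonces for as long as the timestamp window allows them to be accepted.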

Application attacks

  • Cross-site scripting (CSS or XSS)

  • SQL injection

  • LDAP injection

  • XML injection (XML is a markup language used to transfer data)

  • Directory Traversal / Command Injection (this is the easiest)

  • Buffer overflow

Input Validation to prevent attacks

It checks that what you are sending to the system is legitimate.

Make sure that input validation is set up.

Fuzzing

It helps to check if input validation is correctly set up.

It just feeds random data into the inputs.

OWASP offers these tools for fuzzing:

  1. WebScarab

  2. JBroFuzz

  3. WSFuzzer
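To make the two ideas above concrete, here is an added example (not from the original notes and not one of the OWASP tools listed) of an allow-list validator for a username field and a small fuzz harness that throws random and malformed inputs at it. The allow-list rule (3 to 32 characters, starting with a letter) is an assumption for the demo. What the fuzzer is looking for is an input that makes the validator crash rather than reject it cleanly.

```python
from __future__ import annotations

import random
import re
import string

# Allow-list rule for a username field (an assumption for this example):
# 3 to 32 characters; letters, digits, dot, underscore or hyphen; must start with a letter.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{2,31}")


def validate_username(raw) -> tuple[bool, str]:
    """Validate an untrusted value: type check first, then length, then the allow-list pattern."""
    if not isinstance(raw, str):
        return False, "not a string"
    if len(raw) > 32:
        return False, "too long"
    # fullmatch, not match/search: match() would accept "alice;rm -rf" because the prefix
    # matches, and a trailing "$" in the pattern would still let a final newline through.
    if not USERNAME_RE.fullmatch(raw):
        return False, "characters outside allow-list"
    return True, "ok"


def fuzz_validator(rounds: int = 2000, seed: int = 1) -> dict[str, int]:
    """Feed random and malformed inputs to the validator and record how it behaves.

    A robust validator never raises: every input is either accepted or rejected with a
    reason. Crashes (unexpected exceptions) are what the fuzzer is hunting for.
    """
    rng = random.Random(seed)  # fixed seed so a failing input can be reproduced
    alphabet = string.printable + "\x00\xff\u202e"
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    # Wrong types and boundary lengths first, then purely random strings of random length.
    cases: list = [None, 42, b"bytes", "", "a" * 32, "a" * 33, "../../etc/passwd", "<b>x</b>"]
    for _ in range(rounds):
        cases.append("".join(rng.choice(alphabet) for _ in range(rng.randint(0, 64))))
    for case in cases:
        try:
            ok, _reason = validate_username(case)
        except Exception:
            stats["crashed"] += 1
            continue
        stats["accepted" if ok else "rejected"] += 1
    return stats


if __name__ == "__main__":
    print(validate_username("alice_01"))
    print(validate_username("alice;rm -rf"))
    print(fuzz_validator())
```

The validator checks the type before anything else because `len()` and regex matching on a non-string are exactly the kind of unexpected input that fuzzing tends to surface as a crash.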

Cross Site Scripting

You put a script into a web page.

Input validation defends against XSS.

It can lead to:

  • SQL Injection

  • DNS redirect

  • DoS

  • Cookie hijack

  • Remote shell
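Beyond validating input, the standard defence against XSS is escaping untrusted values when they are written into HTML, and the usual way to blunt the "cookie hijack" outcome above is to mark the session cookie HttpOnly. The following is an added example (not from the original notes) using only the Python standard library; the page template, the sample name and the session id are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie
from string import Template

# Constructed page template with the untrusted value in two HTML contexts:
# a text node and a double-quoted attribute value.
PAGE = Template('<p>Hello, $name!</p>\n<input name="display" value="$name">')


def render_unsafe(name: str) -> str:
    """Pastes the untrusted value straight into the markup (the flaw behind XSS)."""
    return PAGE.substitute(name=name)


def render_safe(name: str) -> str:
    """Escapes the value for HTML before inserting it.

    html.escape with quote=True turns < > & " ' into entities, so the browser renders
    them as text instead of parsing them as tags or as the end of the attribute value.
    """
    return PAGE.substitute(name=html.escape(name, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value that limits what a successful XSS could steal.

    HttpOnly keeps the cookie out of document.cookie, Secure restricts it to HTTPS,
    and SameSite=Strict stops the browser sending it on cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    sample = '<b>Jonas</b> 6" tall'  # constructed input mixing a tag and a quote character
    print(render_unsafe(sample))
    print(render_safe(sample))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping has to match the context the value lands in: the same `html.escape` output is right for a text node and a quoted attribute, but a value written into a `<script>` block or a URL needs a different encoder.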

Cross Site Request Forgery (CSRF)

  • Forces users to execute unwanted actions

    • Changing the user’s password, address, email address
  • Social engineering is usually needed

  • Can compromise data

  • It inherits the identity and privileges of victim

Injection Attacks

Injection attacks are among the most popular attacks, so input validation can save you a lot of trouble.

  • SQL Injection

  • LDAP Injection

  • XML Injection

  • Directory Traversal
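The common thread in every injection attack is untrusted input being mixed into something that is later parsed as code: SQL, an LDAP filter, XML, a file path or a shell command. SQL is the easiest to show, so here is an added example (not from the original notes) with the weak query builder beside its parameterized replacement, using an in-memory SQLite table with two constructed users. The legitimate name `o'brien` is enough to break the weak version, and the same quote-handling flaw is what lets a crafted value change the query's meaning.

```python
from __future__ import annotations

import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """The weak version: the untrusted value is pasted into the SQL text.

    Any quote character in `username` becomes part of the query, so the input can
    change what the query means instead of being treated as a plain value.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """The hardened version: a parameterized query.

    The driver sends the SQL text and the value separately, so the value is always
    compared as data, whatever characters it contains. This is the input-validation
    point made above, applied at the database boundary.
    """
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username: str) -> dict:
    """Run the same input through both versions; the weak one may error out."""
    conn = build_demo_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.Error:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": lookup_safe(conn, username)}


if __name__ == "__main__":
    print(compare("alice"))     # both versions find alice
    print(compare("o'brien"))   # weak version: SQL syntax error; safe version: no such user
    print(compare("x' OR 'a'='a"))  # weak version returns every user; safe version returns none
```

Parameterized queries are not a substitute for validating the input, but they remove the whole class of bugs where a valid-looking value is misread as SQL; the same principle (keep data and code separate) is what LDAP, XML and path-handling libraries offer through their own escaping and parameter APIs.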

Additional info

It is really important to know about OWASP TOP 10.

Written by

Jonas Satkauskas