Confidentialy: ensures that unauthorized indiv are not able to gain access to sensitive info
Integrity: ensures that there are not unathorized modifications to info or systems
Availbility: ensures that info and systems are ready to meet the needs of legitimate users
Vulnerability: is a weakness in a device, system , app or proccess that might allow an attack to take place
Threat: Outside force that may exploit a vulnerability
Risk: is the combination of a threat and a corresponding vuln. both of this factors must be present before a situation pose a risk!
Risk= Threat X Vuln
- Identify threat sources and events
- Identify Vuln and predisposing conditions
- Determinate likelihood of Occurence
- Determinate Magnitude of Impact
- Determinate Risk
Identify Threats:
- APT
- Accidental Threats
- Structural Thteats
- Environmental Threats
Determinate Likelihood, Impact and Risk:
- Low, medium, high
- Risk acceptance, risk transference, risk avoidence
- Network Acces Control (NAC) uses 802.1x protocol
- Supplicant= request and authenticator= on network switch or AP, use RADIUS
NAC
- NAC criterias: Role, Location, Time of Day, System Health
FIREWALLS
-
Firewall: triple-homed means ONE firewall connects 3 networks
-
Type of Firewals:
- Packet filtering: check each packet againts firewall rules
- Statuful Inspection: Check packets and retain info about each state of passing connections
- NGFWs: packet check + state info + contextual imformation
- WAFs: Protec againts SQLinjection and CXSS scripting
DNS SINKHOLES: feed false info to malicious software that had compromised the network.
- Planing: timing, scope, Authorization,
- Discovery: Port scans, checking public material, web app testers
- Attack: Gaining access, Escalating Priv, System Brownsing, Install additional tools
- Reporting
Reverse Engineering: Decomposition
Isolation and Sanboxing: Sanboxing systems/solutions search systems and network for unknown code or strange behavior flagged as code detonation and sandbox it
Fingerprint Software: use of hash prevent code tampering
Active Recon: Uses host scanning tools to gather info about systems, services ,and vuln. Mapping network and discovering topology NMAP:
- Service and Version: banner grabbing (nmap -sV).
- OS Fingerprinting: nmap -O
- Nmap TCP SYN: most popular type of scan method. quick and unobtrusive
Passive Recon:
- Network-Logs
- Netflow: is a cisco protocol that collects IP traffic infonetowkr monitoring.
- Netstat: gather local host network info.
- DHCP-logs and DHCP Server Configuration: quick way to identify the number of host in the network.
- Firewall-logs: for ACL
- System-logs: linux var/log
Windows log types:
- Aplication logs........event logs ofr programs
- Security logs..........login events, resources and right usage
- Setup logs.............capture setup apps
- System logs............loged events by windows components
- ForwardEvent logs......events for remote pc's
Harvesting Data from WHOIS
IP to human readable NSLOOKUP
Traceroute: usuful for mapping the external network of a company
Domain names are managed by REGISTRARS....TDL:Top level domain.....ccTLD...country top level domain
DIG: useful for querying a DNS server
ZONE TRANSFERS: used for replicating DNS databases between DNS servers.Ex host -t axfr domain.name dns-server.
Exif data: tag data from photos Metadata scrubbing: sensitive metadata like geolocation,timestamp creator of file
SOCIAL ENGINEERING creepy: geolocation tool that uses social media and file metadata Social Enginerring toolkit Metasploit
NETWORK TRAFFIC ANALYSIS: Using IDS, HIDSs and NIDSs you can perform:
- Packet analysis
- Protocol Analysis
- Traffic and Flow analysis
- Device and System logs
- SIEM
- Security Device Log
Anomaly Analysis: Look for differences on common patterns or expected behaviors. System Admin set what is normal to build the threat model that IDS will use
Trend Analysis: Focus on predicting behaviors base on current data.
Signature Analysis: uses a fingerprint or signature to detec threats based on other events. the signature has to exist first before it can be detected
Heuristic/Behavior Analysis: detects threats based on their behavior. heuristic detection can detect unknown threats
Manual Analysis: human expertise and instinc can be useful when analyzing data.
- Blacklisting systems or networks that abuse service
- Using CAPTCHAs to prevent bots
- Implementing rate limit to fight lookups at high speed
- Hide zone transfer info.
Regulates the way that healthcare providers, insurance companies and their bussiness handle protected health info.
Regulates how financial institutions may handle customer financial records.
- Company must run internal and external vuln scans.
- Scans must be run at least on a quaterly basis and after any significant change in the network.
- Internal scans must be run by qualified personnel.
- External scans must be run by an Approved Scanning Vendor (ASV)
Requires goverment agencies and goverment contractors to comply with a series of security standards.
NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations |
---|
A. Scans for vuln in the info system and hosted applications |
B. Employs vuln scanning tools and techniques that facilitate interoperability among tools and automate parts of the vuln management proccess |
C. Analyze vuln scan reports and results from security control assessments |
D. Remediates legitimate vuln in accordance with an organizational assessment of risk |
E. Shares information obtained from the vuln scanning proccess and security control assesssments to hel eliminate similar vuln in other systems |
Willingness to tolerate risk within the environment.
PCI DSS or FISMA may indicate a minimun frequency for vuln scans
may limit the frequency of scanning.Ex scannings can only be done for a certain amount per day.
may limit the organization from conducting resource intense scans during periods of high business activity to avoid disruption of critical proccess|
may curtail bandwidth consumed by the scanner.