Chapter 2 : Computer Systems Security Part 1 (Malware)

Types of Malware

- Viruses

Malicious code executed by the user, lives on a file

> Boot Sector : Placed in first hard drive sector

> Macro : Placed into documents > Program : Infects executables

> Encrypted : Avoids detection through encryption

> Polymorphic : Decryption module changes with every infection

> Metamorphic : Whole virus code changes with every infection

> Stealth

> Armored : Misdirects antivirus away from its actual location

> Multipartite : Hybrid of boot sector and program

- Worms

Malicious code that replicates, standalone program, may spread automatically

- Trojans

Appear to be beneficial but contain malicious code

> Keygens

> RAT Trojans

- Ransomware

Encrypts files and data and demands payment to unlock Often propagates as a Trojan or a worm

- Spyware

Usually hidden inside third party applications Logs various user activities and sends it to attacker

Also associated with Adware and Grayware

- Rootkits

Designed to gain administrative control over a machine

Hard to detect b/c it targets low level(UEFI/BIOS, kernel etc)

Activates before Antivirus/OS

- Spam

Abuse of electronic messaging system

Malware Delivery

Treat Vector vs Attack Vector

- Software, Messaging and Media

> Emails, FTP, P2P/torrent file downloads

> Removable Media

- Typosquatting

- Exploit kit

- Botnets and Zombies

> Also used for DDOS or financial gain

- Active Interception (MITM)

- Privilege Escalation

- Backdoor

> Authentication bypass mechanisms built into the program itself

- Logic Bombs

> Triggers malware on certain condition(date, OS type etc)

Malware Prevention / Troubleshooting

Common Symptoms : Slow computer speed, crashes, incorrect home page, popups

Common Prevention

> Antivirus : Regular updates and scans Detects

: worms, viruses and Trojans Does not detect : Botnet activity, rootkits, logic bombs

> Firewalls and Regular OS updates

> Separation of OS and data

> Hardware + Software based firewall (e.g. router + Windows Firewall)

> Encryption for confidentiality (Windows EFS)

Common Steps to Malware Removal

1. Identify Symptoms

2. Quarantine infected system / drive to clean machine

3. Disable System Restore

4. Remediate affected system > Update AV / Scan and removal

5. Schedule scans and run update

6. Enable system restore and set new restore point

7. Educate end user

Worms and Trojans

> Antivirus, Regular maintenance and vigilance

Spyware

> Antivirus, browser security settings, remove unnecessary application

> End user education

Rootkits

> Antivirus, Rootkit detectors (USB bootable OS)

> Use UEFI over BIOS (GPT over MBR)

> Wipe the entire drive & reinstall OS Spam

> Spam filter, whitelisting/blacklisting, close open mail relays

Chapter 3 : Computer Systems Security Part 2

Security Applications

- Personal Firewalls (Host based firewalls)

> Windows Firewall

> ZoneAlarm

> Packet Filter and IP Firewall (Mac OSX)

> iptables (Linux)

- IDS (Intrusion Detection System)

Host Based :

Loaded onto individual machine

Analyzes and monitors that one machine state

Can interpret encrypted traffic

Network Based :

Either loaded onto a machine or standalone device

Monitors every packet going through network interface

Monitors multiple devices, less expensive

Cannot monitor what happens in an OS

Monitoring Types

– Statistical Anomaly vs Signature

> Statistical Anomaly Establishes baseline and compares current performance

> Signature Network traffic analyzed to find predetermined patterns

HIDS examples

> Trend Micro OSSEC (freeware)

> Verisys (Commercial, Windows)

> Tripwire (Commercial)

* Make sure to protect HIDS database with encryption and access control

- Popup Blockers

Ad filtering & Content filtering

- DLP (Data Loss Prevention)

Monitors data in use / in motion / at rest

Prevents unauthorized use and leakage of data

Types of DLP

> Endpoint DLP : Runs on single machine, software based

> Network DLP : Software/hardware, installed on network perimeter

> Storage DLP : Installed in data centers/server rooms

Securing Computer Hardware and Peripherals

Examples of peripherals: USB flash drives, SATA external HDD, optical disks

Securing BIOS

- Flashing (Updating) BIOS firmware

- BIOS password

- Configure BIOS Boot order

- Secure boot (disables unsigned device drivers, UEFI)

* UEFI and Root of Trust, secure/measured boot, attestation

Securing Storage Devices

- Removable Storage

> Typically prohibits all removable storage besides specific ones

> Removable Media Controls

USB Lockdown (BIOS), limit USB use, malware scans, audits

- NAS (Network Attached Storage)

> Built for high availability (no downtime)

> Commonly implemented as RAID array (levels depend on situation)

> Use encryption, authentication, secure logging etc

- Whole Disk Encryption

> Requires either self encrypting or full disk encryption SW

> Windows BitLocker requirements

1) TPM or External USB key with encrypted keys

2) Hard drive with 2 volumes(1 for boot, 1 to be encrypted)

> Double Encryption – BitLocker + EFS

- HSM (Hardware Security Modules)

Vs TPM

TPM handles key storage with limited cryptographic function

HSM handles mainly quick crypto functions with key storage Found in USB attachment or network attached device

Securing Wireless Peripherals

- Force devices to use AES or WPA2 encryption for data transmission

Securing Mobile Devices

General Security

- Keep phone number secure and do not respond to unsolicited calls

- Update mobile device OS

- Complex password and limit downloads to device

Malware

- Install & update mobile device AV

- Take use of built in security features

- Avoid following links, don’t store information on device

- Don’t post info on social media

Botnet Activity

- Follow anti-malware procedures

- Avoid rooting / jailbreaking phones

SIM Cloning

- A cloned SIM redirects all calls and texts to its own device

- Able to hijack messages intended for original SIM card owner

Wireless Attacks

- Bluejacking

- Bluesnarfing

Theft

- Full device encryption(FDE)

- Set up GPS tracking

- Remote lock & Remote wipe technology

Mobile Application

- Mobile key management : use Third party software (Verisign)

- Application whitelisting / blacklisting

- Strong SMS application and endpoint security

- Mobile payment : avoid public networks, user education

- Geotagging : Disable GPS depending on situation

- BYOD concerns

> Storage Segmentation : divide corporate vs private data storage

> Mobile Device Management systems for corporations

Chapter 4 : OS Hardening and Virtualization

OS Hardening

Motivation :

Out of the box OS is vulnerable by default, Need to customize settings to make it more secure

Concept of Least Functionality

- Restrict and remove any functionality not required for operation

- NIST CM-7 control procedures

- Target features

> Applications

> Ports

> Services (daemons)

- Consider backwards compatibility when removing obsolete applications

- SCCM (System Center Configuration Manager) for multiple machines

- Application blacklisting / whitelisting

- Service configuration commands

> Windows : services.msc, net stop, sc stop

> Linux : /etc/init.d/ stop, service stop etc

> OSX : kill command

Update, Patches, Hotfixes

- TOS (Trusted Operating System)

: Certified OS considered secure by gov standards

- Update Categories

> Security Update : Product specific, security related

> Critical Update : critical, non security related bug fix

> Service Pack : Cumulative set of updates, now discontinued

> Windows Update : Noncritical fixes, new features and updates

> Driver Update : Beware driver shimming / refactoring

- Hotfixes and patches are now used interchangeably

* Disable automatic updates to synchronize versions and updates

Patch Management

- Process of planning, testing, implementing and auditing patches

> Planning : Deciding which patches are required

Checking Compatibility

Plan how the patch will be tested / deployed

> Testing : Test the patch on one machine / small system

> Implement : Patch deployment to all machines

Use SCCM or other centralized management system

> Auditing : Confirm patch is live on system

Check for any failures or changes due to the patch

Group Policies, Security Templates, Configuration Baselines

Group Policy : Used in Windows to set group configurations

* gpedit.msc

Hardening File Systems and Hard Drives

a) Use a secure file system

> NTFS for Windows, allows encryption, ACLs, logging Use chkdsk and convert commands

> ext4 for Linux Use fdisk –l or df –T

b) Hide important files (System files, personal etc)

c) Manage hard drives

> Delete temp files

> Periodically verify system files integrity

> Defrag hard drives

> Backup data

> Restore points

> Whole disk encryption

> Separate OS system and personal data

Virtualization

Virtualization : Creation of virtual machines housed in an OS

VM(Virtual Machines) and VDE(Virtual Desktop Environment)

- Pros

> Flexible and portable

> Safe testing of malware in a controlled environment

- Cons

> Resource intensive

> Vulnerable to hardware failures VM Categories

1. System virtual machine : Runs an entire OS

2. Process virtual machine : Runs a single application (browser)

* Virtualization ↔ Emulation ↔ Simulation

* Virtual Appliance ↔ Image ↔ Virtual Machine

Other forms of virtualization

> VPN (Virtual Private Network)

> VDI (Virtual Desktop Infrastructure)

> VLAN (Virtual Local Area Network)

Hypervisor (Virtual Machine Manager)

- Allows multiple virtual OS to run concurrently

Type 1 vs Type 2 Hypervisor

- Type 1 - Native

> Runs directly on host hardware

> Flexible and efficient

> Strict hardware/software restrictions, less common

- Type 2 – Hosted

> One level removed from host hardware

> More available to most OS and hardware

> Resource intensive

Application Containerization

- Runs distributed applications w/o running an entire VM

- Efficient but less secure

Securing Virtual Machines

Generally equivalent to securing regular OS, but with little more work

1. Update virtual machine software (e.g. VirtualBox)

2. Be wary of VM-VM and VM-host network connections

3. Protect NAS and SAN from virtual hosts

4. Disable unnecessary USB and external ports on VMs

5. Alter boot priority for virtual BIOS

6. Limit and monitor VM resource usage to prevent DOS attacks

7. Protect raw virtual machine image

> Snapshots, Encryption, Access permission and signatures

Virtualization Sprawl : When there are too many VMs to manage at once

> Employ a VMLM (Virtual Machine Lifecycle Management) tool

Chapter 5 : Application Security

Securing Web Browsers

- Avoid newest versions and disable auto update (new versions are unstable)

- Consider organizational requirements and OS

- General Browser Security Procedures

> Implement Policies Hand written, browser settings, GPO(Windows), OS setting etc

> Train Users

> Use proxy and content filter

Proxy serves as an intermediate cache between server and client

Configured in browser settings / domain controller

Beware of malicious proxy configurations

> Secure against malicious code

Configure Java, ActiveX, Javascript, Flash media etc

- Web Browser Concerns and Security Methods

Basic Methods

> Timely Updates

> Adblock, pop up blocking

> Implement security zones

> Control ActiveX/Java/Plugins

> Avoid jailbreaking (mobile)

Cookies

> Configure and control through browser settings

> Related threat : Session Hijacking

LSO(Locally Shared Objects - Flash)

> Flash version of cookies, may be used to track users

> Configure and control in Flash Player Settings Manager

Addons / Plugins

> Inherent security risk, disable all

> Most IE plugins made with vulnerable ActiveX

Advanced Browser Security

> Browser temp files – configure to automatically flush

> Disable saved passwords

> Configure a minimum version limit on TLS/SSL

> Disable all 3rd party plugins

> Consider using a VPN or virtual machine for extra separation

Securing Other Applications

Principle of Least Functionality – don’t give tools users don’t need

User Account Control (Windows)

- Keeps everyone on regular user level of access by default

- Prompts required to access any admin right required things

Create Policies (Prioritize app. Whitelisting over blacklisting)

Securing common Windows programs

1. Outlook

> Install latest update, upgrade to newer version of Office

> Use email whitelisting to remove junk email

> Read email in text format instead of HTML

> Enable attachment blocking

> Use encryption - SPA (Secure Password Authentication), PGP, SSL

2. Word

> Using passwords for opening/modifying documents

> Read only settings

> Digital certificates

3. Excel

> Password protected worksheets, no macro

> Excel encryption

Mobile Applications

- Disable GPS

- Configure strong passwords

Server Applications

- e.g. FTP, Email, Web, SQL database

- Change default username / passwords

- Don’t consolidate multiple services into single machine

Secure Programming

SDLC (Software Development Life Cycle)

- Waterfall

> Traditional method

> Requirements are decided before development

- Agile

> RAD (Rapid Application Development) approach

> Relatively new, Breaks development down to incremental changes

> Requires high dedication from members

- DevOps

> Deployment tool, often used together with Agile method

Core SDLC and DevOps Principles

- Preserving CIA of software development

- Secure code review

> In depth code review for security bugs

> Included before fuzzing or penetration testing

- Threat Modeling

> Identifying and prioritizing potential threats

- Common Security Principles

1. Least Privilege

2. Defense in Depth

3. Never trust user input

4. Minimizing attack surface

5. Secure defaults

6. Provide authenticity and integrity (program signatures)

7. Fail securely (Error handling)

8. Thorough testing of security fixes and patches

Program Testing Methods

1. White box vs Black box testing

> white box, black box, gray box, stress testing, pentesting etc

2. Compile time vs runtime errors

> Reminder that both software and hardware has runtime errors

> SHE (Structured Exception Handling) deals with both SW/HW

3. Input Validation

> Perform on both client and server side

> Key factor of SQL injections and XSS

4. Static vs Dynamic code analysis

> Static : No code execution, examines code with automated tools

> Dynamic : Runtime examination of code behavior for bugs

* Fuzzing is a form of dynamic code analysis

5. Fuzz Testing

> Input of large amounts of random data until code errors

Program Vulnerability and Attacks

1. Backdoors

> Preprogrammed authentication bypasses built into system

> Updates usually remove these, job rotation, code cross checking

2. Memory / Buffer Vulnerabilities

> Buffer overflows (Stack, heap)

> Integer overflows (integer wrapping)

> Memory leaks : Degrades system performance

> Nullptr dereference

> ASLR and DEP is common defense against buffer overflows

3. Arbitrary and Remote Code Execution

> Shellcode injections

> Strong input validation, fuzz testing

4. XSS / XSRF

> Common browser based attacks, uses HTML code injection

5. Other Code injections

> SQL Injection

> LDAP Injection

> XML Injection

6. Directory Traversal

7. Zero Days

Chapter 6 : Network Design Elements

Network Design

OSI Model

- Goals

1. Explain network connection between hosts on LAN/WAN

2. Present a categorization system for communication protocols

3. Shows how different protocol suits communicate -

Overview

Devices

- Switch

> Central connection device, replaces hubs and bridges

> Translates MAC and MAC+IP into physical ports to route messages

> Attacks

1. MAC Flooding : Uses up the CAM to force switch into broadcast

2. MAC Spoofing : Masks network adapter MAC with different value

3. Physical Tampering : Vulnerable management ports, Looping

* Use hierarchial router structure or spanning tree protocol to prevent looping

- Bridges

> Used to separate physical LAN into two logical networks

> Works on layer 2 (Data link), now obsolete

- Router

> Used to connect two or more networks

> Works on network 3 (Network)

> Various forms : SOHO, servers configures as routers, Cisco black box

> Attacks : DOS, malware intrusions etc

> Defenses

1. Secure configurations

2. Firewalls

3. IPS

4. Secure VPN Connectivity

5. Content filtering

6. ACL (Access Control Lists)

NAT (Network Address Translation), Private vs Public Addresses

- NAT : Process of changing IP in transit

- Motivation

> Allow a large private address space mapped to a smaller public one

> Firewall effect (hides internal IPs)

* Static NAT : Only one machine uses the router that does NAT

- Private IP

> Invisible to public(internet)

> Assigned automatically by SOHO router or DHCP server

> Within predetermined range

- Public IP

> Visible to public, anyone can attempt connection

> Assigned by ISP DHCP servers

* IPv6 Vulnerability

> By default attempts to automatically connect to other IPv6 addresses

> Make sure to secure both IPv4 and IPv6

Network Zones and Interconnections

- LAN (Local Area Network)

> Group of interconnected computers contained in a small space

> Usually uses private IPs behind a firewall

> By default does not have internet access, but may connect to an Internet proxy to do so

- WAN (Wide Area Network)

> Network of two or more interconnected LANS

> Covers a larger geographical area

> Requires telecomm/datacomm service company

- Internet

> Worldwide interconnected network

> Must secure all transmission that happens over the internet

- DMZ (Demilitarized Zone)

> Special subnetwork designed for external client access

> Common web/FTP/email/database etc services reside in DMZ

> Can also be accessed by LAN clients

> Often placed in a separate LAN network from the rest of system

> Common 3-leg perimeter configuration

- Intranets & Extranets

> Used to share company data securely through the internet

> One company = intranet, multiple companies involved = extranet

> Never store confidential+ data in these networks

> Crucial to properly implement firewall

NAC (Network Access Control)

- Denies network access until client obtains proper security measures

- Antivirus, system updates etc

- Preinstalled clientside software (agent) or remote scan (agentless)

- Persistent vs Dissolvable agents

> Persistent : Designed for multiple use

> Dissolvable : Designed for one time authentication

- Agentless offers less control for more flexibility

- Cisco offers hardware solutions

Subnetting

- Process of creating logical subnetworks through IP manipulation

- Benefits

1. Compartmentalizes network, increasing security

2. Efficient use of IP address

3. Reduces IP collision and broadcast signals

- Overview

1. Class A : Large network, 255.0.0.0

2. Class B : Medium network, 255.255.0.0

3. Class C : Small network, 255.255.255.0

Example : 192.168.1.0/28 28 is total number of bits used Class C Network

255.255.255.240 1111 1111 . 1111 1111 . 1111 1111 . 1111 0000

First 3 octets are Class C mask

First 4 bits of last octet is subnet mask, 2^4 = 16 subnets

Last 4 bits of last octet is host ID, 2^4-2 = 14 hosts

VLAN(Virtual LAN)

- Segments various networks sharing the same switch, reduce collision, Organize network, boost performance and security

- Works on Layer 2 (Data link frames)

- Allows admins to group hosts connected on different switches together

- VLAN Hopping : Methods of gaining access to other VLANs on switch

1. Switch Spoofing

2. Double Tagging

Telephony

- Provides voice communications, fax etc

- Now computers are involved in telephony as CTI

- Modems

> Still often used to connect to networking equip. via dial up

> Very insecure (War dialing)

> Protections : Callback, username/pw, hide modem number

PBX(Private Branch Exchange)

- Makes internal phone connections, connects to PSTN

- New added features now make them less secure

VoIP

- Broad term for voice data over IP networks

- IP phones exploited the same way as regular computers

- Home VoIP solutions use SIP(Session Initiation Protocol) vulnerable to MiTM

Cloud Security and Server Defense

Definition of Cloud : Any network between two organization borders

Cloud Computing

- A method of offering on demand services normal users don’t have

- SaaS (Software as a Service)

> Allows user to have access to software they don’t have on host

- IaaS (Infrastructure as a Service)

> Offers networking, routing, VM hosting and other networking

- PaaS (Platform as a Service)

> Offers virtual development of application

- SECaaS (Security as a Service)

> Offers security services to be integrated into existing infra. Different Types of Cloud - Public Cloud : Full public access, low security - Private Cloud : Full private access, high security - Hybrid Cloud : Utilize both private and public depending on handled data - Community Cloud : Private to specific group, good for collab projects Cloud Security - Depends on the amount of security control the admin has - Defenses for sending data to cloud 1. Passwords : 10 char general case, 15 for confidential data 2. Multifactor authentication 3. Strong data access policy : passwords, multifactor, group policy 4. Encryption : strong PKI encryption on all files 5. Programming standardization 6. Data protection * Unconventional data channels : Social media, P2P, dark net Server Defenses - Servers are most important part of network to secure - Contains all data and services 1. File Servers > Stores, transfer, migrate, synchronize and archive files > Identical vulnerability to malware that target desktop PCs > Hardening, updates, AV, SW/HW firewall, HIDS, encryption, monitoring 2. Network Controllers > Central repo of all user and computer accounts > LDAP injection, Kerberos vulnerabilities privilege escalation > Updates, hot fixes 3. Email Servers > Deals with email, texting, fax, chat etc > May run multiple services and ports, POP3, SMTP, IMAP, Outlook > XSS, DDOS, SMTP memory exploits, directory traversal etc > Updates, quarantine, HW/SW spam filter, DLP, encryption (TLS/SSL) 4. Web Servers > Provide web and website services to users Ex) Microsoft IIS, Apache HTTP, lighthttp, Oracle iPlanet > DDOS, overflow attacks, XSS, XSRF, remote code exec., backdoors > Secure programming, updates, HW firewall, HTTPS * Darkleech : Apache based attack using malicious Apache modules 5. FTP Servers > Basic file access (public/private) > Web shells, weak authentication, bounce attacks, buffer overflow > Strong password, secure encrypted FTP, dynamic port assignment