Security - kamialie/knowledge_corner GitHub Wiki


Security is about protecting data, specifically three aspects of it (the CIA triad):

  • confidentiality - only authorized parties can access data; examples are encryption, ACLs, principle of least privilege
  • integrity - deny improper modification at rest and in transit; verify that data has not been modified (e.g. supply a one-way hash of the data, which the receiver can recalculate and compare)
  • availability - protecting the systems that store, process, and deliver data

4Cs of security in the cloud: Code, Container, Cluster, Cloud (datacenter).

Assessment

Assessment is the operation of determining the value of assets and the cost of implementing security to protect those assets; due to limited resources, priorities are assigned based on asset value.

5 types of assessments:

  1. risk
  2. security control
  3. compliance
  4. vulnerability
  5. penetration test

Classes of attackers:

  • white hat - ethical hacking; breaking into systems for non-malicious reasons such as testing security controls and performing penetration tests
  • black hat - breaking computer security for malicious purposes or personal gain, e.g. destroying data or making a network inaccessible to authorized users
  • script kiddie (aka skid or skiddie) - non-expert breaking into systems using tools written by others, often with little understanding of the underlying concepts
  • hacktivist - using technology to promote a social, ideological, political, or religious message; mostly website defacement or DoS attacks
  • nation state - intelligence agencies or cyber warfare operatives
  • organized crime - criminal activity for profit
  • bots - automated software used by any type of attacker

Attack types

Active attacks attempt to alter or affect operations of resources (integrity or availability).

  • Denial of service
  • Spoofing
  • Port scanning (nmap)

Passive attacks attempt to learn or make use of information from the system, but do not affect system resources (compromising confidentiality).

  • wiretapping via tcpdump or Wireshark
  • wardriving - wiretapping signals or sounds at physical locations, e.g. window vibrations

STRIDE:

  • Spoofing - pretending to be someone else; ARP, DNS, IP addresses, and MAC addresses are susceptible to spoofing.
  • Tampering - modifying data or code
  • Repudiation - denying actions
  • Information Disclosure - exposing sensitive information to unauthorized users
  • Denial of Service - flooding a service or network with more requests than it can handle.
  • Elevation of Privileges - gaining unauthorized access rights

Risk assessment

Determine where an organization may be exposed to attack. Gauge leadership risk appetite and identify likelihood and impact.

The National Institute of Standards and Technology (NIST) is a good place to find definitions. It also hosts the National Vulnerability Database, which includes checklists for compliance, vulnerabilities, and specialized issues for various software, and offers vulnerability search, e.g. for Kubernetes.

Federal Information Processing Standards (FIPS) provide guidelines across various topics, such as Minimum Security Requirements for Federal Information and Information Systems and Personal Identity Verification (PIV) of Federal Employees and Contractors.

A threat is a circumstance or event that could damage the confidentiality, integrity, or availability of information or information systems (e.g. the possibility of taking an application offline or making changes without proper approval).

A vulnerability is a weakness that enables a threat to succeed (e.g. a missing security patch or a default admin password).

NIST SP 800-30 Rev.1 (more qualitative approach) and FAIR, Factor Analysis of Information Risk (more quantitative approach), are good places to start.

Calculating risk score

  • likelihood - the probability that a threat might actually succeed in exploiting the vulnerability
  • impact - the amount of damage inflicted by a threat

Information Sharing and Analysis Centers.

Security control assessment

Identify existing controls. Evaluate control strength, cost, and complexity. Make use of security control frameworks. This often includes interviewing technical staff and analysing config files. The end result is a prioritized list of control gaps.

International Organization for Standardization (ISO). The ISO 27000 family covers information security management systems (ISMS) and contains over 45 published standards, reviewed and updated every 5 years. ISO 27002 is a code of practice for information security controls with 114 controls in 14 categories. ISO 27001 security.

NIST publications

Subseries   Topics
SP 800      Computer security
SP 1800     Cybersecurity practice guides
SP 500      Information technology

NIST Cybersecurity Framework. NIST SP 800-53 Rev. 4 is similar to ISO 27002:2013.

Use ISO for organizing security program and NIST for technical implementation.

Compliance assessment

Determine whether your security program meets specific requirements outlined by an external authority. One of the best known is the Payment Card Industry Data Security Standard (PCI DSS).

Vulnerability assessment

Validate that technical vulnerabilities are being identified and remediated on a regular basis. The end result is a prioritized list of vulnerabilities, information on potential exploits, and remediation recommendations.

Scanning tools by target type:

  • hosts - Nessus
  • databases - Scuba
  • applications - OWASP ZAP

NIST SP 800-15 provides guidance on manual assessments.

Penetration assessment

Exploit weaknesses identified by previous assessments.

Types of testing

Type        Description
White box   full knowledge (insider): network diagrams, internal vulnerability reports, firewall rule sets; focus on exploiting known weaknesses
Black box   perspective of an unauthorized outsider; focus on finding and exploiting weaknesses
Grey box    some internal knowledge; test known weaknesses from the perspective of an unauthorized outsider

Goals of tests:

  • domain admin
  • email access
  • intellectual property
  • customer information

Prevention

Prevention is the implementation of security measures, called controls, to protect assets identified during the assessment stage. Types of controls:

  • technical - software and hardware
  • procedural - policies and procedures
  • physical - facilities, staff, locks, etc.

Detection

Detection is often the most expensive part, and the most difficult to execute effectively. It involves monitoring through remote logging, system statistics, and performance metrics. Intrusion Detection and Prevention Systems (IDPS) are used to identify possible incidents, create a consistent audit trail, and report attempted intrusions.

Current incident detection methods include signature-based detection, statistical anomaly-based detection (creating a baseline and monitoring for deviations from it), and stateful protocol analysis, which includes system monitoring.
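The first two detection methods above, as an added example that is not part of the original page: a signature check for fixed known-bad patterns and a statistical baseline (mean plus three standard deviations of failed logins per minute, taken from a known-normal period) run over constructed sshd-style log lines. The log format, the signatures, the baseline values and the threshold are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines (syslog-like; not real data).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1]: Accepted publickey for alice from 10.0.0.5 port 51000
Jan 10 10:00:05 host sshd[2]: Failed password for invalid user admin from 203.0.113.9 port 40001
Jan 10 10:00:06 host sshd[3]: Failed password for invalid user admin from 203.0.113.9 port 40002
Jan 10 10:00:07 host sshd[4]: Failed password for root from 203.0.113.9 port 40003
Jan 10 10:00:08 host sshd[5]: Failed password for root from 203.0.113.9 port 40004
Jan 10 10:00:09 host sshd[6]: Failed password for root from 203.0.113.9 port 40005
Jan 10 10:01:00 host sshd[7]: Accepted publickey for bob from 10.0.0.6 port 51001
Jan 10 10:01:30 host sshd[8]: Failed password for bob from 10.0.0.6 port 51002
Jan 10 10:02:00 host sshd[9]: Accepted publickey for alice from 10.0.0.5 port 51003
"""

# Failed logins per minute observed during a known-normal period (constructed values).
BASELINE_FAILURES_PER_MINUTE = [0, 1, 0, 0, 2, 0, 1, 0, 0, 1]

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):(?P<mm>\d\d):\d\d \S+ \w+\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Signature-based detection: fixed patterns for known-bad events (assumed signatures).
SIGNATURES = {
    "invalid-user-login": re.compile(r"^Failed password for invalid user "),
    "root-login-attempt": re.compile(r"^Failed password for root "),
}

def parse(log):
    """Yield (minute, message, source_ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["msg"])
        yield f"{m['hh']}:{m['mm']}", m["msg"], ip["ip"] if ip else None

def signature_hits(log):
    """Count matches of each signature per source IP."""
    hits = Counter()
    for _, msg, ip in parse(log):
        for name, rx in SIGNATURES.items():
            if rx.search(msg):
                hits[(name, ip)] += 1
    return hits

def anomaly_threshold(baseline, sigmas=3.0):
    """Baseline model: mean + N standard deviations of failures per minute."""
    return statistics.mean(baseline) + sigmas * statistics.stdev(baseline)

def anomaly_hits(log, baseline=BASELINE_FAILURES_PER_MINUTE):
    """Return (minute, failure_count) for minutes exceeding the baseline threshold."""
    per_minute = Counter()
    for minute, msg, _ in parse(log):
        if msg.startswith("Failed password"):
            per_minute[minute] += 1
    limit = anomaly_threshold(baseline)
    return sorted((m, c) for m, c in per_minute.items() if c > limit)

if __name__ == "__main__":
    for (name, ip), n in sorted(signature_hits(SAMPLE_LOG).items()):
        print(f"signature {name:<20} {ip:<15} x{n}")
    limit = anomaly_threshold(BASELINE_FAILURES_PER_MINUTE)
    for minute, n in anomaly_hits(SAMPLE_LOG):
        print(f"anomaly   {minute}: {n} failed logins (threshold {limit:.1f})")
```

Bob's single failed login at 10:01 is caught by neither method, which is the intended behaviour: signatures only fire on the patterns they know, and the baseline tolerates the occasional typo. The burst at 10:00 is flagged by both.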

Reaction

An often overlooked (and poorly planned) principle. Examples are adding firewall rules, shutting down a certain component, etc.

Part of the reaction is ensuring business continuity, which requires knowing which parts are most important to the business (identified in the assessment phase).

Tooling

https://www.offensive-security.com/

https://sectools.org/

Nmap

Network mapping

  • Nmap Scripting Engine (NSE)
  • nmap cheat sheet
  • scanme.nmap.org - server hosted by nmap for test queries

Scan all hosts on a particular network (-Pn skips host discovery and treats all hosts as online, since ICMP may be blocked and hosts would otherwise not be discovered)

$ nmap -Pn 192.168.1.0/24

OS and version detection

$ nmap -A target

Interesting areas:

  • unencrypted protocols (telnet, FTP)
  • administrative services (SSH, RDP, VNC, HTTPS)
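Triage of scan results for the two interesting areas above, as an added example that is not part of the original page: it parses nmap's grepable output (`-oG`) and flags open ports running unencrypted or administrative services. The scan output is constructed, not a real scan, and the two service sets are taken from the notes (nmap's service table names RDP "ms-wbt-server").

```python
import re

# Constructed sample of `nmap -oG -` (grepable) output for two hosts; not a real scan.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -Pn -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///, 5900/filtered/tcp//vnc///\tIgnored State: closed (997)
# Nmap done: 256 IP addresses (2 hosts up) scanned
"""

# The two "interesting areas" from the notes.
UNENCRYPTED = {"telnet", "ftp"}
ADMIN = {"ssh", "ms-wbt-server", "vnc", "https"}

# One port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/(?P<service>[^/]*)/")

def parse_grepable(text):
    """Return {ip: [(port, proto, state, service), ...]} from nmap grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entries = hosts.setdefault(ip, [])
        for item in fields.get("Ports", "").split(","):
            m = PORT_RE.match(item.strip())
            if m:
                entries.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return hosts

def triage(hosts):
    """Flag open ports in the two areas; returns sorted (ip, port, service, reason) tuples."""
    findings = []
    for ip, entries in hosts.items():
        for port, proto, state, service in entries:
            if state != "open":
                continue  # filtered/closed ports are not reachable services
            if service in UNENCRYPTED:
                findings.append((ip, port, service, "unencrypted protocol"))
            elif service in ADMIN:
                findings.append((ip, port, service, "administrative service exposed"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, port, service, reason in triage(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{ip:<15} {port:>5}/{service:<14} {reason}")
```

Feed it real output with `nmap -Pn -oG scan.gnmap 192.168.1.0/24` and `parse_grepable(open("scan.gnmap").read())`; the filtered VNC port on the second host is deliberately left out of the findings because it is not a reachable service.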

Nessus

Technical vulnerability scanner

Wireshark

Capture and analyse network packets

Lynis

Security configuration assessment for Unix-based systems.

The scan report is saved to /var/log/lynis-report.dat and preferences are stored in default.prf. The Center for Internet Security (see below) can be used to interpret the results.
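Reading the report file, as an added example that is not part of the original page or of Lynis: the layout assumed here is one key=value per line, "#" comments, and list-valued keys ending in "[]" whose values are "TEST-ID|message|details|solution|" entries. The excerpt is constructed; the test IDs follow the Lynis naming scheme but the content is illustrative, not a real report.

```python
from collections import defaultdict

# Constructed excerpt in the assumed layout of /var/log/lynis-report.dat.
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
hardening_index=64
tests_executed=AUTH-9262|FILE-6310|PKGS-7392|SSH-7408
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
"""

def parse_report(text):
    """Split the report into scalar keys and list-valued ('[]') keys."""
    scalars, lists = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return scalars, dict(lists)

def hardening_index(text):
    """Lynis' 0-100 summary score; 0 if the key is missing."""
    scalars, _ = parse_report(text)
    return int(scalars.get("hardening_index", 0))

def findings(text):
    """Warnings first, then suggestions, each as a dict with test id, message and details."""
    _, lists = parse_report(text)
    out = []
    for kind in ("warning", "suggestion"):
        for entry in lists.get(kind, []):
            parts = (entry.split("|") + ["", "", ""])[:4]  # pad short entries
            out.append({
                "kind": kind,
                "test": parts[0],
                "message": parts[1],
                # "-" marks an empty field in the assumed layout
                "details": "" if parts[2] in ("", "-") else parts[2],
            })
    return out

def by_test(text):
    """Map test id -> findings, e.g. to join against a benchmark control list."""
    grouped = defaultdict(list)
    for f in findings(text):
        grouped[f["test"]].append(f)
    return dict(grouped)

if __name__ == "__main__":
    print(f"hardening index: {hardening_index(SAMPLE_REPORT)}")
    for f in findings(SAMPLE_REPORT):
        extra = f" ({f['details']})" if f["details"] else ""
        print(f"{f['kind']:<10} {f['test']:<10} {f['message']}{extra}")
```

Point it at the real file with `findings(open("/var/log/lynis-report.dat").read())`; warnings are listed before suggestions so the items that need action first come out on top.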

CIS

The Center for Internet Security is a non-profit organization working to share cybersecurity best practices, information, and tools. Some information is free; other tools, such as CIS-CAT Pro, require a membership. The security configuration benchmarks, which are free, can be used to evaluate your systems on your own.

Configuration Assessment Tool Lite (requires Java) can only scan the following technologies (the Pro version supports all benchmarks):

  • Windows 10
  • Ubuntu
  • macOS
  • Google Chrome

Aircrack-ng

Wireless network security testing

Requires a second wireless adapter, for example the Alfa AWUS036NH.

CLI

# display wireless interfaces and chipsets
$ airmon-ng

# put wlan0 into monitor mode on channel 9 (creates a monitor interface, e.g. mon0)
$ airmon-ng start wlan0 9

# capture traffic
# -c channel 9, --bssid AP MAC address, -w output file prefix, mon0 interface in monitor mode
$ airodump-ng -c 9 --bssid 00:11:33:33:77:00 -w psk mon0

# deauthenticate a wireless client
# -0 - deauthentication attack, 1 - number of deauth packets to send
# -a - MAC address of the wireless AP, -c - MAC address of the client
$ aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0

Hashcat

Password cracking

The RockYou breach (Dec 2009) exposed 32 million credentials and produced the largest password wordlist (/usr/share/wordlists/rockyou.txt.gz in Kali).

# create a test hash (MD5 of a known password) to crack
$ echo -n "password1" | md5sum | tr -d " -" >> captured.txt

# -m 0: MD5, -a 0: dictionary attack; the last argument is the wordlist (decompress rockyou.txt.gz first)
# add the --force option when running on non-specialized hardware
$ hashcat -m 0 -a 0 -o output.txt captured.txt /usr/share/wordlists/rockyou.txt

OWASP ZAP

The Open Web Application Security Project hosts multiple open source projects. Zed Attack Proxy scans for basic web application security vulnerabilities. OWASP also provides intentionally vulnerable web apps for assessors to practice on, such as Juice Shop.

CLI wrapper; needs ZAP to be installed.

OWASP top 10

2017 RC version

  1. Injection
  2. Broken authentication
  3. Sensitive data exposure
  4. XML External Entity (XXE)
  5. Broken access control - for example, Insecure Direct Object Reference (the application does not check that the caller is allowed to access the referenced object, so changing the identifier in the URL gives access to other resources)
  6. Security misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring
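The Insecure Direct Object Reference from item 5, as an added example that is not part of the original page: a hypothetical invoice lookup in its vulnerable form, where the id from the URL is used as-is, next to the hardened form that checks ownership of the referenced object. The invoice store, user names and the Forbidden exception are constructed for the example.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: int

# Constructed data store: one invoice per user (hypothetical application).
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 560),
}

def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: the id taken from the URL (e.g. /invoices/1002) is used directly and
    ownership is never checked, so any logged-in user who edits the number in the
    URL reads someone else's invoice. current_user is accepted but ignored."""
    return INVOICES[invoice_id]

def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: fetch, then verify the caller owns the object.
    Missing and foreign invoices produce the same error so the response does not
    reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"invoice {invoice_id} is not available to {current_user}")
    return invoice

def can_access(current_user: str, invoice_id: int) -> bool:
    """Boolean view of the hardened check, used by the demo below."""
    try:
        get_invoice_hardened(current_user, invoice_id)
        return True
    except Forbidden:
        return False

if __name__ == "__main__":
    # alice changes 1001 to 1002 in the URL
    leaked = get_invoice_vulnerable("alice", 1002)
    print(f"vulnerable: alice sees {leaked.owner}'s invoice for {leaked.total}")
    print(f"hardened:   alice -> 1001 allowed={can_access('alice', 1001)}, "
          f"1002 allowed={can_access('alice', 1002)}")
```

With a real database the same check is usually expressed by scoping the query to the caller (`WHERE id = ? AND owner = ?`) rather than fetching first and comparing afterwards; the point is that the authorization decision lives next to every object access, not only at login.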

Nipper

Firewall and network configuration audit tool

Logging

Commercial

Open source

Critical Log Review Checklist for Security Incidents

Resources

Cybersecurity Directives are Binding Operational Directives (BODs) and Emergency Directives (EDs) for federal agencies. Securing High Value Assets BOD.