Cyber Security: Security Controls and Network Layers


38 Questions

What is the primary purpose of the TLS session?

To avoid renegotiating security parameters for each connection

The HTTPS protocol is a combination of HTTP and TLS.

True

What is the most complex part of TLS?

TLS Handshake

IPsec provides security services at the __ layer.

IP

Define control as mentioned in the text.

An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.

Which classification of controls focuses on security policies, planning, and standards?

Management controls

Preventative controls aim to inhibit attempts to violate security policies or exploit vulnerabilities.

True

_______ provides a secure remote logon facility to replace TELNET and other remote login schemes.

SSH

According to NIST 800-83, how is malware defined?

A program that is inserted into a system to compromise data

Which of the following are information security properties that malware can attack?

All of the above

What is the purpose of persistent malware?

Persistent malware is installed in persistent storage like a file system or hard drive, allowing it to remain on a compromised machine for a long time.

____ malware requires a host program to run and cannot run independently.

Host dependent

Match the Malware Classification Dimension with its Description:

  • How it is triggered = Auto-spreading malware runs and looks for vulnerable machines, whereas user-activated malware is run as a result of user interaction.
  • Static or dynamically updated = Dynamically updated malware communicates regularly with an infrastructure, whereas standalone static malware does not.
  • Act alone or coordinated attack = Act-alone malware operates independently, whereas coordinated malware contributes to larger attacks.

What does malware consist of?

Infection mechanism and payload

Which of the following are main types of malware?

Keystroke loggers

What is a virus?

A piece of software that infects programs, modifies them to include a copy of the virus, and replicates to infect other content.

A virus infects files that the operating system or shell considers to be ___________.

executable

Match the virus classifications with their description:

  • Boot sector infector = Infects a master boot record or boot record
  • Macro virus = Infects files with macro or scripting code
  • Polymorphic virus = Mutates with every infection
  • Stealth virus = Designed to hide itself from detection

How are payloads classified?

Based on the damage or threat they bring to the system

What is the purpose of Attack Agents Bots?

To take over other computers and launch attacks

Rootkits can hide the presence of a malware process by removing it from the list of active processes.

True

What is the main purpose of Information Theft (Phishing)?

Exploits social engineering to leverage the user's trust by masquerading as communication from a trusted source

SQL injection attacks are designed to exploit the nature of Web application pages by insertion of a ____ query via the input data.

SQL

What is the main purpose of XML External Entity Processing?

Pass data back and forth between a client and a server

Cross-site scripting (XSS) attacks involve injecting code fragments into input fields on the server side.

False

What does SQLi stand for?

SQL Injection

In a SQL Injection attack, the attacker can terminate the injected string with a comment mark ___

--

Match the following SQL Injection types with their descriptions:

  • Tautology = Injects code in conditional statements
  • End-of-line comment = Nullifies legitimate code by using comments
  • Piggybacked queries = Adds additional queries
  • Inferential Attack = Reconstructs information by observing behaviors

What are the two broad defense approaches against buffer overflows?

Compile-time

Security is no longer an 'add-on' but a requirement in software engineering.

True

What is the main concept of defensive programming?

Validation of assumptions and graceful handling of potential failures

______ and reliability are common design goals in most engineering disciplines.

Security

Match the following SDLC phases to their descriptions:

  • System requirements = Identify and design program functions
  • System design = Understand the requirements of the system
  • Development = Code the programs
  • Test = Test the programs, individually and collectively
  • Deployment = Install the system into a secure 'production' environment

What is the ultimate goal for the attacker in a Buffer Overflow attack?

Getting a shell that allows the attacker to execute arbitrary commands with high privileges

What does the NIST recommend to reduce software vulnerabilities?

All of the above

What is an additional concern when input data represents numeric values? Such values are internally stored in a ___-sized value.

fixed

Using strongly typed languages limits the interpretation of data variables.

True

Match the SQL countermeasures with their types:

  • Defensive coding = Manual defensive coding practices
  • Detection = Signature based
  • Run-time prevention = Check queries at runtime to see if they conform to a model of expected queries

Study Notes

Security Controls

  • Security control is defined as an action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, minimizing harm, or discovering and reporting it to enable corrective action.

Control Classifications

  • Management controls:
    • Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and protect the organization's mission.
    • Address issues that management itself must resolve.
  • Operational controls:
    • Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies.
    • Relate to mechanisms and procedures that are primarily implemented by people rather than systems.
    • Used to improve the security of a system or group of systems.
  • Technical controls:
    • Involve the correct use of hardware and software security capabilities in systems.
    • Range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

Control Classes

  • Each of the control classes may include:
    • Supportive controls:
      • Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.
    • Preventative controls:
      • Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability.
    • Detection and recovery controls:
      • Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources.

Application Layer Controls

  • Email Security:
    • S/MIME (Secure/Multipurpose Internet Mail Extension) provides security enhancements to the MIME (Multipurpose Internet Mail Extension) Internet e-mail format.
    • S/MIME provides the ability to sign and/or encrypt e-mail messages.
  • Pretty Good Privacy (PGP) Cryptography:
    • A standard for electronic-mail encryption and digital signatures.
    • Uses a public/private key pair (PPK) method.
  • DNS Threats Prevention:
    • DNS Security (DNSSEC) is deployed to ensure the authenticity of DNS answers, integrity of replies, and authenticity of denial of existence.
    • Accomplishes this by signing DNS replies at each step of the way using public-key cryptography.
  • Secure Shell (SSH):
    • A protocol for secure network communications designed to be relatively simple and inexpensive to implement.
    • Provides a secure remote logon facility, file transfer, and email.

Host to Host/Transport Layer Controls

  • Transport Layer Security:
    • A security protocol defined at the transport layer.
  • TLS (Transport Layer Security) Protocol Stack:
    • TLS is designed to make use of TCP to provide a reliable end-to-end secure service.
    • The TLS Record Protocol provides basic security services to various higher-layer protocols.
  • TLS Concepts:
    • TLS Session: created by the Handshake Protocol, defines a set of cryptographic parameters, and is used to avoid the expensive negotiation of new security parameters for each connection.
    • TLS Connection: a transport (in the OSI layering sense) that provides a suitable type of service; connections are peer-to-peer relationships, and every connection is associated with one session.
  • TLS Handshake Messages:
    • The most complex part of TLS, used before any application data are transmitted, allows server and client to authenticate each other, negotiate encryption and MAC algorithms, and negotiate cryptographic keys to be used.

Network Layer Security

  • IP Security (IPsec):
    • Provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services.
  • IPsec Services:
    • Access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of sequence integrity), and confidentiality (encryption).
  • Benefits of IPsec:
    • Provides strong security that can be applied to all traffic crossing the perimeter.
    • Traffic within a company or workgroup does not incur the overhead of security-related processing.
    • IPsec is below the transport layer (TCP, UDP) and so is transparent to applications.
    • There is no need to train users on security mechanisms.
  • The Scope of IPsec:
    • Provides two main functions: a combined authentication/encryption function called Encapsulating Security Payload (ESP) and a key exchange function.
    • Also provides an authentication-only function, implemented using an Authentication Header (AH).
  • Transport Mode:
    • Provides protection primarily for upper-layer protocols.
    • Examples include a TCP or UDP segment or an ICMP packet.
    • Typically used for end-to-end communication between two hosts.
  • Tunnel Mode:
    • Provides protection to the entire IP packet.
    • Used when one or both ends of a security association (SA) are a security gateway.
    • A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec.

Malicious Software

  • Malware is a program that is inserted into a system to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system.
  • Malware can be classified based on how it spreads or propagates through an information system environment.

Malware Taxonomy

  • The NCSC approach to classifying malware considers the following dimensions:
    • Host dependent or independent
    • Persistent or transient
    • Where it installs itself
    • How it is triggered
    • Static or dynamically updated
    • Act alone or coordinated attack

Malware Types

  • Virus: a piece of software that infects programs, modifies them to include a copy of the virus, and replicates and goes on to infect other content.
  • Worm: a program that actively seeks out more machines to infect; each infected machine then serves as an automated launching pad for attacks on other machines.
  • Rootkit: a type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised.
  • Trojans: a type of malware that disguises itself as a legitimate program.
  • Spyware: a type of malware that monitors and collects information about a user's activities without their consent.
  • Adware: a type of malware that displays unwanted advertisements.

Malware Components

  • Infection mechanism: the means by which a virus spreads or propagates.
  • Trigger: the event or condition that determines when the payload is activated or delivered.
  • Payload: what the virus does (besides spreading).

Malware Classifications

  • By targets: boot sector infector, file infector, macro virus, multipartite virus.
  • By concealment strategy: encrypted virus, stealth virus, polymorphic virus, metamorphic virus.

Malvertising

  • Places malware on websites without compromising them.
  • Uses malicious ads to infect visitors to the targeted websites.

Clickjacking

  • Also known as a user-interface (UI) redress attack.
  • Uses a similar technique to hijack keystrokes.
  • Vulnerability used by an attacker to collect an infected user's clicks.

Social Engineering

  • "Tricking" users to assist in the compromise of their own systems.

Macro and Scripting Virus

  • Infects scripting code used to support active content in a variety of user document types.
  • Threatening because such viruses are platform-independent, infect documents, and are easily spread.

Active Content Virus

  • Active content refers to dynamic objects that do something when the user opens a webpage.
  • Has potential weaknesses that malware can exploit.

Worm Technology

  • Multi-platform: worms are not operating system specific.

  • Multi-exploit: worms penetrate systems using a variety of methods.

  • Ultrafast spreading: exploits various techniques to optimize the rate of spread of the worm.

  • Polymorphic: to evade detection, worms adopt the virus polymorphic technique.

  • Metamorphic: in addition to changing their appearance, metamorphic worms have a collection of behavior patterns that are unleashed at different stages of propagation.

  • Zero-day exploit: to achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

Types of Malware

  • Memory-based malware: Has no persistent code, survives only in memory, and cannot survive a reboot, making it hard to detect.

  • User mode malware: Intercepts API calls and modifies returned results.

  • Kernel mode malware: Intercepts native API calls in kernel mode and can hide the presence of a malware process by removing it from the kernel's list of active processes.

  • External mode malware: Located outside the normal system operation, in BIOS or system management mode, allowing direct hardware access.

Payload Classifications

  • System Corruption: Can extend to damage to physical equipment, as with the Stuxnet worm, which targeted specific industrial control system software.
  • Attack Agents (Bots): Takes over another internet-connected computer, using it to launch or manage attacks, creating a botnet capable of coordinated actions.
  • Remote Control Facility: Implements remote control using an IRC server, allowing bots to join a specific channel and receive commands.
  • Information Theft (Keyloggers and Spyware): Captures keystrokes to monitor sensitive information, or subverts the compromised machine to monitor system activity.
  • Information Theft (Phishing): Exploits social engineering, masquerading as a trusted communication, to capture login credentials.
  • Stealthing (Backdoor): A secret entry point into a program, allowing an attacker to bypass security access procedures.
  • Stealthing (Rootkit): A set of hidden programs, giving an attacker administrator privileges, allowing them to add/remove programs, monitor processes, and access the system.

Malware Countermeasures

  • Prevention: The ideal solution to malware threats, involving policy, awareness, vulnerability mitigation, and threat mitigation.
  • Detection, Identification, and Removal: Technical mechanisms used to support threat mitigation options.

Generations of Anti-Virus Software

  • Multiple generations of anti-virus software: Developed to combat evolving malware threats.

Web Application Attacks

  • OWASP Top 10: A standard awareness document for developers and web application security, highlighting critical security risks.
  • Security Flaws: Include improper handling of program input, buffer overflow, injection flaws, cross-site scripting, and improper error handling.
  • CWE/SANS Top 25 Most Dangerous Software Errors: A list of poor programming practices responsible for the majority of cyber attacks.

Software Security, Quality, and Reliability

  • Software quality and reliability: Concerned with accidental program failures, improved through structured design and testing.
  • Software security: Concerned with failures triggered by unusual inputs, which are rarely identified by common testing approaches.

Handling Program Input

  • Unvalidated input: A common failing in web application security, leading to vulnerabilities.
  • Program input interpretation: May be binary or text, requiring care to identify character sets and encoding.

SQL Injection Attacks

  • SQL injection attacks: Exploit web application pages, inserting or "injecting" a SQL query via input data.
  • Attack goals: Include bulk data extraction, modifying database data, executing administration operations, and recovering file system content.

XML External Entity Processing

  • XML external entity injection attack: Arises when an application accepts XML data from the client without validation, allowing an attacker to tamper with an existing XML document so that the parser processes injected commands.

Cross-Site Scripting (XSS) Attacks

  • XSS attacks: Use the web server as a conduit to attack the client side; code fragments injected through input fields are later executed in the victim's browser.
  • Types of XSS attacks: Include persistent, reflected, and DOM-based XSS attacks.

SQL Injection Techniques

  • Tautology: Injects code into conditional statements to always evaluate to true.
  • End-of-line comment: Nullifies legitimate code using end-of-line comments.
  • Piggybacked queries: Adds additional queries to the intended query.
  • Inferential attack: Reconstructs information by observing the website's behavior.

This quiz covers security controls, application layer controls, host to host/transport layer controls and network layer security in the context of cyber security. It is part of the 6COSC019W course at the University of Westminster.
