CYB 134 Introduction to Cybersecurity PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document provides an introduction to fundamental cybersecurity concepts, including the CIA triad (confidentiality, integrity, availability), security controls, and the role of operating systems in managing computer resources. It also touches on data protection methods and states of information.
Full Transcript
CYB 134: Introduction to Cybersecurity Fundamental Concepts Topics 1. Why would anyone want to hack me? 2. What is cybersecurity? 3. CIA Properties 4. States of Information 5. Security Controls Why would anyone want to hack me? https://krebsonsecurity.com/2013/06/the-value...
CYB 134: Introduction to Cybersecurity Fundamental Concepts Topics 1. Why would anyone want to hack me? 2. What is cybersecurity? 3. CIA Properties 4. States of Information 5. Security Controls Why would anyone want to hack me? https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ CIA Properties Integrity Confidentiality Availability Confidentiality Confidentiality is the avoidance of the unauthorized disclosure of information. Example: Emily is a college freshman who regularly checks her bank account online to manage her finances and make sure she has enough money for textbooks and groceries. Confidentiality Need: When Emily logs into her bank's website, she enters her username and password. If this information is not kept confidential and encrypted, a hacker could intercept her login credentials and gain access to her bank account, potentially stealing her money or personal information. Examples of Confidentiality Protection Physical World Digital World Sealed envelopes. Smartphone PINs. Safe deposit boxes. Netflix profiles. Diary with a lock. Instagram direct Keeping a secret recipe in messages. a locked room. Password-protected WiFi. Classified government Google Doc sharing documents in a safe. settings. Integrity Integrity is the property that information has not be altered in an unauthorized way. Example: Mike is a college freshman who uses social media to stay in touch with friends and family. He frequently shares photos and updates about his life. Confidentiality Need: Mike has set his social media profiles to private, meaning only his approved friends can see his posts. If the confidentiality of his account settings is breached, strangers or potential cyberstalkers could gain access to his personal information and photos, compromising his privacy and security. Where do you need integrity protected? Medical records. Financial transactions. Academic records. Voting systems. Medicines. Crime scene evidence. Signed contracts. Availability Availability is the property that information is accessible and modifiable in a timely fashion by those authorized to do so. Example: Maria is a college freshman taking an online course. She needs to access the course materials, participate in discussions, and submit assignments through the university's learning management system. Availability Need: If the online platform experiences a Denial of Service (DoS) attack and becomes unavailable, Maria and her classmates would be unable to access their course materials or submit assignments on time, potentially affecting their grades. Ensuring availability means the online learning platform is accessible whenever students need it. Where do you need availability protected? Physical World Digital World Power grid. Online banking. Water supply. Cloud storage. Public transportation. LMS (Canvas). Supermarket stocking. E-commerce sites. Police response capacity. Gaming servers. Emergency room access. Healthcare records. Air traffic control systems. Stock exchanges. Library book access. Tax filing systems. DAD Threats to CIA Security Properties Security Control Types by Mechanism Technical controls enforce security in the digital world, such as firewall rules, intrusion prevention systems, and encryption. Operational controls include processes used by an organization to manage technology. Such controls include user account management, log monitoring, and vulnerability management. Managerial controls are procedures that help manage risk, such as regular risk assessments, change management, etc. Physical controls are controls in the physical world, such as door fences, locks, and alarms. Security Control Types by Effect Preventive controls like firewalls Preventive Detective are designed to stop an attack. controls controls Deterrent controls seek to stop attackers from attempting to violate security, such as posted warning Corrective Deterrent signs. controls controls Directive Compensati controls ng controls Security Control Types by Effect Detective controls like network Preventive Detective intrusion detection systems work to controls controls identify security events so they can be stopped before a data breach occurs. Corrective Deterrent Corrective controls remediate controls controls security issues that have already occurred, such as restoring data from backup. Directive Compensati controls ng controls Security Control Types by Effect Compensating controls mitigate Preventive Detective the risk from security policy controls controls exceptions, such as additional network security around a device with a known vulnerability required Corrective Deterrent for business needs. controls controls Directive controls are policies and procedures that inform people how to achieve security objectives, such Directive Compensati as password requirements. controls ng controls How to Evaluate Security Controls 1. What assets are you trying to protect? 2. What are the risks to those assets? 3. How well does the security control mitigate those risks? 4. What other risks does the security control cause? 5. What costs and trade-offs does the security control impose? Example: Password Manager 1. Asset: passwords. 2. Risks: use of passwords by someone else to gain access to private email, bank, health information. 3. Mitigate: encrypted storage prevents use of passwords without master password used to login to manager. 4. Other risks: lose access to all passwords if you forget the key. 5. Costs/tradeoffs: if vault is on PC, lose access elsewhere. If vault is networked, passwords may not be encrypted in transmission, will be accessible to attackers who don’t have access to your PC. States of Information 1. Storage: information in permanent storage (disk or tape) that is not currently being accessed. 2. Processing: information in memory (RAM or cache) that is currently being used by a program. 3. Transmission: information in transit between one node and another on a network. Protecting Data Preventive controls ○ Data Minimization eliminates data that isn’t needed. ○ Access restrictions limits who can access data on a computer. ○ Encryption scrambles data so an attacker cannot read it. ○ Hashing transforms data so original data cannot be retrieved. Detective controls ○ Data Loss Prevention (DLP) systems detect unauthorized use data in storage, processing, or transmission. Key Points CIA Triad: Confidentiality, integrity, availability. Need to protect data transmission, processing, and at rest. Security Control Types ○ By mechanism (technical, operational, managerial, physical) ○ By intended effect (preventive, detective, …) Methods of protecting data New Slide Operating Systems Topics 1. Simple Computer Model 2. OS Kernel 3. Process Management 4. Memory Management 5. File Management 6. CPU Protection Rings 7. What is Linux? 8. Family Tree of UNIX Oses 9. Open Source Software Simple Computer Model An operating system controls sharing of computer resources between programs, including CPU, random access memory (RAM), input/output (I/O) devices, and long-term storage. Simple Computer Model Long-term storage is where the operating system (OS) , software, and data are stored. Historically, this was usually a hard drive but today it is usually flash memory. ○ RAM loses data when powered off. Flash memory does not. When the computer boots, the OS is loaded into RAM, starts running, configures the hardware, and provides a user interface for the user. Programs must be loaded from storage into RAM in order to begin execution. The OS Kernel Core part of operating system that is always in RAM. Applications have to request access to hardware from kernel. Operating System Components Process Management ○ Controls which programs are running and what resources (CPU time, RAM, storage, I/O) they can access. File Management ○ Provides access to storage as files and folders. ○ Controls how processes can access (read, write, delete) files. Memory Management ○ Provides RAM to processes when requested. ○ Restricts direct access to physical RAM by virtual memory system. I/O Management ○ Manages input/output devices other than storage, including networking, keyboard, mouse, screen, etc. Process Management A process is a program that is being run. It includes ○ The code of the program, plus ○ The data the program is currently using. ○ Metadata kept by the OS, like open files, network sockets, etc. One program can have many processes ○ We login to the Linux server via ssh. ○ The ssh server on the server has one process for each of us. Process Metadata PID = Process ID PPID = Parent process ID Status ○ R is ready to run ○ S is sleeping ○ T is stopped User = User who owns the process. Command = Program Memory Management Each process has its own virtual memory address space. ○ Accessing memory location 1000 in process A may find a 1, ○ While in process B, the data stored in location 1000 may be a 2. OS assigns a virtual memory space to each process. ○ Processes therefore cannot read or write to memory in other processes, an essential confidentiality and integrity protection. Processes request RAM when needed from OS ○ OS allocates physical RAM, then adds a mapping from the virtual address space to the physical RAM location. Virtual Address Translation Memory addresses are divided into a ○ Page number ○ Offset within the page OS sets up page tables which translate ○ Virtual page numbers ○ To physical page numbers. ○ Offsets are not translated. File Management The OS provides an interface to storage of files and folders organized in a tree structured hierarchy. File Management OS usually provides GUI tools to view the filesystem. File Management OS usually provides CLI tools to view the filesystem too. File Access Control Multiple users can use the same OS on the same computer, so the filesystem controls who can access (read, write, modify) files and folders. CPU Protection Rings Application programs run in ring 3 and cannot run privileged instructions. OS kernel runs in ring 0, also known as supervisor mode. It can run privileged operations, such as ○ Accessing hardware ○ Selecting virtual memory space If user applications ran in ring 0, they could ○ Read any file on storage whether or not OS file permissions allowed them to. ○ Read or modify private data out of the memory of other processes. Simplified Family Tree of UNIX OS What is Linux? Linux is an open source Unix-like operating system whose OS kernel was created by Linus Torvalds starting in 1991. Linux distributions provide a complete OS with ○ The Linux kernel, ○ A package manager for installing software, ○ Command line tools, like bash, usually from the GNU Project, ○ Possibly a graphical user interface (GUI). Linux is used in a wide variety of computers, including ○ Desktops, servers, phones (Android), smart TVs, etc. Linux Distributions https://takethenotes.com/linux-distributions/ Open Source Software Open source software is software where the source code is available to the public, enabling anyone to copy or modify it. ○ Licenses define what you can do with open source software. The Internet is built on open source software ○ Linux is the most widely used OS, making up much of the cloud and also being the dominant OS run on phones and other consumer devices. ○ Git is the most popular source code control software, used by most companies and most open source projects ○ Chromium is an open source browser, whose source code is modified and used to make the Chrome browser. ○ Open source libraries like libz and OpenSSL provide fundamental data compression and encryption features to thousands of software packages. Key Points 1. Basic computer model: CPU, RAM, I/O, storage. 2. Operating systems 1. OS kernel is always running. 2. OS uses hardware features like CPU protection rings and virtual memory to enforce security by controlling how processes can access computer resources. 3. What is open source software. Extra Slides Interrupts CPUs are fast ○ You take about 0.1 seconds to hit a key. ○ A 1 GHz CPU can run 100,000,000 instructions in that time. Instead of the CPU polling for data: while (TRUE) { check_if_data_ready_from_keyboard() } Use interrupts, where hardware can notify CPU when it’s ready. ○ OS can let another program that’s not waiting on data run, ○ so the computer gets more work done instead of polling. What happens when an interrupt occurs? 1. Hardware transfers control to OS kernel. 1. CPU moves from ring 3 to ring 0. 2. Kernel saves state of previously running program. 3. Kernel runs code to handle that particular interrupt. 1. Reads/writes keystroke, network packet, disk data, etc. 4. Kernel decides which program to run next. 5. Kernel restores state of that program. 6. CPU goes from ring 0 to ring 3. 7. Control transferred to user program. Multitasking Processes Multitasking The idea ○ Give each running program a “slice” of the CPU’s time. ○ The CPU is running so fast that to any user it appears that the computer is running all the programs simultaneously. A program runs until 1. It has used up its entire time slice. 2. It asks the kernel to access a resource (software interrupt). 3. A hardware interrupt occurs. New Slide CYB 134: Introduction to Cybersecurity Threats Topics 1. Why would someone hack my company? 2. Threat actors 1. Script Kiddies 2. Hacktivists 3. Cybercrime Groups 4. Nation States 5. Insiders 6. Shadow IT 7. Competitors 3. Attack surface and threat vectors 4. Threat intelligence Why would someone hack my company? https://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/ Threat Actor Characteristics Internal vs. Level of external sophistication Characteristics that differentiate cybersecurity threat actors Resources and Intent/motivation funding Unskilled Attackers (aka Script Kiddies) Often young people looking to prove skills to online audience. Limited to configuring and using existing security tools ○ Security controls should prevent their success, but ○ they only need one unsecured point to access data and systems. Numerous with plenty of free time to try accessing systems. Hacktivists Want to promote political, social, or ethical goals. Typical activities include ○ Website defacement ○ Denial of service attacks Vary widely in skills. Organized Crime Motivation is financial using techniques like ○ Clickjacking and other advertising fraud ○ Credit card fraud ○ Fraudulent loans and tax return filings ○ Extortion (ransomware or denial of service attacks) Organized Crime Organized crime groups vary widely in skill and resources ○ Ones that target individuals usually have less than groups that target large organizations who may pay millions in ransoms. ○ Individual within groups have specialized skills. Lockbit Cybercrime Group Offers “Ransomware as a Service” ○ Affiliates pay LockBit initial fees, subscription fees, and a cut of their profits. ○ LockBit provides software, software updates, handles ransom payments, and publishes private data if ransoms not paid. First seen in September 2019 ○ 80% of targets small/medium businesses, 20% large ○ 1700 attacks against US organizations w/ $91M in payments. ○ Have attacked many other first world countries too. Example cybercrime specializations Affiliate managers recruit and manage partners who distribute malware like ransomware. Access experts gain initial access to target organizations. Exploit developers identify vulnerabilities and build software to use vulnerabilities to gain access. Financial analysts evaluate a victim’s ability to pay ransoms and provide information to negotiators to help maximize payments. Malware developers create malware used to maintain access (backdoors or C2) and tools like ransomware. Money launderers convert cryptocurrency, wire transfers, etc. into usable money with no criminal ties. Social engineers manipulate individuals to gain access or data. https://www.darkreading.com/cybersecurity-operations/cybercrime-orgs-human-trafficking-staff-scam-mills Nation State Attackers Highly skilled attackers with significant resources. ○ Motivations can be espionage, including economic espionage, as well as battlefield preparation (obtaining access in case of a cyber war.) ○ High tolerance for risk, including for gaining physical access or creating insiders by getting agents hired by target organizations. ○ Long term thinking includes multiple levels of backdoors and compromising vendors trusted by the target organization to gain access. Example: US sabotage of Iranian Uranium refinement with Stuxnet. Natanz Uranium Enrichment Site in Iran Centrifuges Centrifuges spin their contents to separate components. Salad spinner Separating whole blood Gas centrifuges for Uranium Stuxnet Stuxnet was malware created by the US and Israel to sabotage Iran’s uranium refinement operations by destroying centrifuges. ○ Could spread via USB drive as well as Internet. ○ Allows it to reach networks separated by an “air gap.” First attack in 2007, not discovered until 2010. Targeted specific supervisory control and data acquisition (SCADA) configurations used in uranium refinement. Randomly would change centrifuge spin frequency from high (>1000 Hz) to low (2 Hz) and back, gradually damaging them before returning to normal operation, thwarting detection attempts. Advanced Persistent Threat (APT) Advanced persistent threat (APT) refers to a group that has the ability to maintain a constant presence inside a target’s network. Includes high end organized crime and nation state threat actors. Insiders Insiders are employees or contractors with authorized access to an organization’s systems and data. ○ Vary widely in skill level. ○ Motivations include financial, activist, or personal grievance. Insiders have a running start due to current access, but their current access may not include what they are targeting. Shadow IT Employees who use their own systems to accomplish work ○ Servers under the desk or in their own cloud accounts ○ Data stored on personal devices or cloud services ○ Use of services like ChatGPT or VirusTotal using confidential data that should not be shared with third parties. Shadow IT often arises when IT organizations fail to meet business needs. Competitors Competitors may engage in corporate espionage to duplicate products, target customers, etc. Attack Surface Attack surface is the set of ways that a system or organization can be attacked. ©Gartner, Inc., 2023 Emerging Cybersecurity Market Trends and Growth Opportunities, June 2023 Threat Vectors (aka Attack Vectors) https://www.cloudflare.com/learning/security/glossary/attack-vector/ Types of Threat Vectors Threat vectors are the means by which threat actors obtain access: ○ Message-based threat vectors (email, SMS, slack, etc.) ○ Wired networks (require physical access) ○ Wireless networks (can be far away with a good antenna) ○ Systems (servers accessible via the Internet, etc.) ○ Files and images (malware) ○ Removable devices (malicious USB devices) ○ Cloud systems and data ○ Software supply chain Example Message Attack Supply Chain Attacks Software is built on software ○ 98% of commercial applications use open source software libraries. ○ Libraries handle common features like data compression, encryption, network access, etc. ○ If a library has a vulnerability, the software that uses that library may have the vulnerability too. Threat Intelligence (TI) Feeds A TI feed is a data stream of new and emerging threats The idea is to spread information about new threats and active attacks throughout the community as quickly as possible Unlike periodic updates, such as security patches and virus scanner definitions, these feeds can serve more like an alarm While it is possible for humans to monitor and respond to these feeds, automated systems exist that can parse this data and be configured to perform pro-active steps to protect the organization Threat Intelligence Feed Sources There are two principle types of feeds Open Source or Community These feeds are run by government agencies or non-profits and are meant to serve the community at large Governments benefit from providing the resource by enhancing the nation’s security posture Commercial These are run by companies that offer subscription-based access or provide access in conjunction with their analytics service or cybersecurity product The companies that provide the feeds seek to offer something above-and-beyond what is being disseminated via open source Example Open Source Feeds AlienVault – Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. Over 14 million threat indicators daily. CISA – Automated Indicator Sharing provides real-time machine readable threat data from the Cybersecurity and Infrastructure Security Agency (CISA). SafeBrowsing provides information about malicious and hacked web sites. Many web browsers use this automatically to warn users before going to a potentially dangerous site. Key Points 1. Threat actors have widely varying characteristics (motivation, capabilities, sophistication, internal/external). 1. Defenders need different techniques to protect against script kiddies than to protect against APTs. 2. The attack surface of a system measures all of the ways a threat actor can attack and compromise a system. 1. The smaller the attack surface, the more secure a system is. 2. Threat vectors are parts of the attack surface, ways for a threat actor to compromise a system. 3. Threat intelligence updates the knowledge of defenders, so that they can protect against rapidly evolving threats. New Slide CYB 134: Introduction to Cybersecurity Malicious Code Topics 1. What is Malware? 2. Vocabulary 3. Types of Malware 4. Examples 5. Malware Analysis 6. Lab Exercises What is Malware? Our books says… “The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, and users.” Vocabulary Indicator of Compromise (IoC) > clues that a network or endpoint has been breached Lateral Movement > techniques that a cyber attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets Endpoint Detection and Response > technology that continuously monitors endpoints for evidence of threats and performs automatic actions to help mitigate them Command and Control (C2) > method that cybercriminals use to communicate with compromised devices within a target company’s network Living off the Land (LOTL) > technique where the cybercriminal uses native, legitimate tools within the victim’s system to sustain and advance an attack Hash, Checksum, Digest, Signature > a one-way mathematical function that turns data into a string of nondescript text that cannot be reversed or decoded Persistence > capacity of a malicious entity like a computer virus, worm, or Trojan, to remain within a system, against defense mechanisms and all attempts to exterminate it Types of Malware Ransomware A kind of malware that takes over a computer then demands a ransom. An effective backup system that stores files in a separate location will not be impacted if the system or device it backs up is infected and encrypted by ransomware. Trojans A type of malware that is typically disguised as legitimate software. They rely on unsuspecting individuals running them, thus providing attackers with a path into a system or device. Types of Malware Worms Self-install and spread themselves. Worms can spread via email attachments, network file shares, or other methods. Rootkits Specifically designed to allow attackers to access a system through a backdoor. The best ways to prevent rootkits are normal security practices, including patching, use of secure configurations, and ensuring that privilege management is used. Tools like secure boot and techniques that can validate live systems and files can also be used to help prevent rootkits from being successfully installed or remaining resident. Types of Malware Backdoors Provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications. Can be both hardware and software based; can be included in trojans and rootkits. Bots Are remotely controlled systems or devices that have a malware infection. Groups of bots are known as botnets, and botnets are used by attackers who control them to perform various actions ranging from additional compromises and infection to denial of service attacks or acting as spam relays. Types of Malware Keyloggers Capture keystrokes from keyboards as well as other inputs like mouse movement, touchscreen inputs, or credit card swipes Both software and hardware versions Logic Bombs Not independent malicious programs Activate when set conditions occur and take malicious action Viruses Self copy and self replicate Require an infection mechanism to spread themselves Types of Malware Fileless Spread via spam and malicious websites using web browser and plugin flaws Inject themselves into memory Types of Malware Spyware A kind of malware that is designed to obtain information about an individual, organization, or system. Spyware is most frequently combated using anti-malware tools, although user awareness can help prevent the installation of spyware that is included in installers for software or through other means where spyware may appear to be a useful tool or innocuous utility. PUPs PUPs are typically installed without the user’s awareness, or as part of a software bundle or other installation. A discussion around awareness and best practices with the end-user, removal with appropriate tools, and a return to normal operation may be the best solution. The Worst Malware Attack Ever (IMO Anyway) Around 2012, the U.S. National Security Agency discovered a vulnerability in Microsoft Server Message Block (SMB) protocol, which allows file and printer sharing. ○ Multiple versions of Windows Server and Windows desktop could not detect certain types of network packet tampering, which allow attackers to execute code remotely on a target computer. ○ They developed spyware called EternalBlue. ○ The NSA did NOT notify Microsoft of this vulnerability, keeping it secret for 5 years! Somehow – this has never been clearly explained – EternalBlue was stolen and leaked by a Hacker group known as the Shadow Brokers in 2017. After this, THEN the NSA alerted Microsoft who released a zero-day patch on March 14th, 2017 Because so many endpoints use Windows, hundreds of thousands if not millions on computers had to be patched, which of course, did not happen Then, all hell breaks loose…. WannaCry On May 12, 2017, the WannaCry ransomware used EternalBlue to attack organizations all over the world. This virus encrypted the computer’s hard drive, making it unreadable until the ransom was paid. It is estimated that over 200,000 computers were infected including FedEx, Honda, Nissan and the UK’s National Health Service. The attack on the NHS was particularly bad as multiple patients were impacted, including hundreds of cancelled surgeries. A researcher quickly found out how to stop the spread by tricking the malware into thinking it was in a sandbox environment, but by then many computers had to be decommissioned and/or organizations paid the ransom Some attribute this attack to a North Korean based hacker group, but that has never been proven Petya THEN, in June of 2017 Petya/NotPetya hit using the SAME ExternalBlue exploit. This was developed by Russia to attack the Ukraine, but also quickly spread all over the world. This malware also encrypted hard drives until the ransom was paid. Organizations infected included Maersk, which controls 18% of the worlds shipping, radiation monitoring at Chernobyl, Merck, one of the world’s largest pharmaceutical companies, and Cadbury Chocolate and FedEx (again!). Merck was totally down, every computer and was communicating with customers via Twitter. The White House estimated that this attack cost the global economy $10B Malware Analysis Online analysis tools like VirusTotal can be used to check whether the malware is a known tool and to see what it is identified as by multiple antivirus (AV) tools. Sandbox tools can be used to analyze malware behavior in a protected environment. Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl. Malware can be analyzed using tools like strings to look for recoverable artifacts that may be useful for analysis. Lab Exercises TryHackMe - MAL: Malware Introductory VirusTotal New Slide Seven Key Principles Authority Intimidation Consensus Scarcity Trust Urgency Familiarity Social Engineering Techniques Phishing Vishing Smishing Misinformation and Disinformation Impersonation Business Email Compromise Pretexting Watering Hole Attacks Brand Impersonation Typo Squatting Evolving Threat Landscape Quishing -> a type of phishing attack that utilizes QR codes to deceive individuals into visiting harmful websites or downloading files containing malware. QR codes can host various sources, such as links, documents, and payment portals, making them a versatile tool for cybercriminals. Baiting -> a type of social engineering attack where the scammer lures unsuspecting users with false promises. This can be both physical or online. Other Techniques? Stages of a Social Engineering Attack Identify the target Identify the target Hook and Deceive Exploit the target Disengage and Exit Password Attacks Brute force ○ iterate through passwords until one works Password spraying ○ attempt to use one or a few passwords for many accounts or systems Password Spray attack ○ Large list of available usernames and a single or small list of passwords. ○ Many applications and sites will lock account after too many failed logins. Credential Stuffing ○ Using compromised passwords from an alternate site (for instance from the 2019 Zynga breach where 172 million passwords were stolen.) Password Cracking ○ Dictionary ○ Brute force ○ Rainbow Tables Password Cracking Common Tools John the Ripper Hashcat Medusa How Hackers Really Crack Your Passwords Techniques Dictionary Attack: In this mode, John the Ripper takes text string samples (usually from a file, called a wordlist, containing large number of words, phrases and possible passwords derived from previously leaked data dumps or breaches), encrypting it in the same format as the password being examined, and comparing the output to the encrypted string. Dictionary words could also be altered in a randomized manner to check if they work this way Brute Force Attack: In this type of attack, John the Ripper goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently used characters first. The process can be effective but excruciatingly slow, sometimes it takes years to do this. That’s exactly why that security professionals suggest to choose a long and complex password that consists of a combination of different character types. However, this positive point is also significant that this method could identify those passwords having no existence in a dictionary. Rainbow tables: In this way, a pre-computed list of password hashes (derived from commonly set passwords) is compared against an existing data dump to find the correct password in its plaintext form. This way is faster than brute-forcing, but this way will be ineffective when password hashes are salted and salt values are too large, all of which increases the overall complexity. Windows Passwords Windows still uses Security Account Manager (SAM) manages user accounts and passwords in windows. However, it has implemented additional security protocols on top of SAM SAM is found in C:\Windows\System32\config and passwords that are hashed and saved in SAM can be found in the registry. Open the Registry Editor and navigate yourself to HKEY_LOCAL_MACHINE\SAM. WAIT – YOU NEED TO BE VERY CAREFUL WHEN EDITING THE WINDOWS REGISTRY. IF YOU MAKE A MISTAKE, YOU MAY “BRICK” THE DEVICE. To open the registry editor, you can type regedit at the command prompt. A safer way if you just want to look at something is to use the req query command, e.g., reg query HKEY_LOCAL_MACHINE\SAM Password Storage: Hashing and Salting What is a salt? "SALT" is not an acronym but rather a term that refers to a random value or piece of data that is used as an additional input to a cryptographic algorithm, such as a hash function, to enhance the security of password storage and data encryption. Password Hashing: When a user creates an account or changes their password, the system generates a random salt value. This salt is then combined with the user's password and passed through a cryptographic hash function, such as SHA-256 or bcrypt. The resulting hash, which includes the salt, is stored in the database. Uniqueness: The use of a unique salt for each user ensures that even if two users have the same password, their hashes will be different due to the unique salts. This prevents attackers from easily identifying identical passwords. Protection Against Precomputed Tables: One of the main reasons for using salts is to defend against precomputed tables. Without a salt, attackers can compute hashes for common passwords and compare them to the stored hashes. Salting ensures that this approach is ineffective because the attacker would need to compute hashes for each password-salt combination. Enhanced Security: By using salts, even if an attacker gains access to the hashed password database, they cannot directly use the hashes to gain the original passwords. The attacker would need to know the salt for each user, making the process significantly more complex and time-consuming. Protection Against Dictionary Attacks: Salts make dictionary attacks less practical because attackers must compute hashes for each password and salt combination, which significantly increases the computational effort required. Older versions of Windows did not have a Salt, but more current versions do. Linux Passwords Linux stores passwords in /etc/shadow since mid-1980s (used to be in /etc/passwd) /etc/passwd is publicly available to all users on a system (try: cat /etc/passwd) Passwords stored with a hash + salt algorithm. Salt means two people with the same password will not have the same stored hash. Slows down dictionary attacks, since each password has to be generated with a unique salt. Example Passwords: test1:$6$RgEHNSxRo.W4zgz.$pej.aCf3bL.NB5jU/CW0bw7nqsyoM2IedwVkzotQB3aXcVaP0HUAJ.Pe0D55PMIOm6wi2z.XoaNGP4ktcbVUk.:19094:0:99999:7::: test2:$6$mo1LQSamj3HW.PW3$TxE6glLRagXVW1SRk.mixYGblUtGyobNPk46D/P8sDjpXQRuC/wLCCMBzwgHwTikgqw9xyy.4R3rGUNWm.Ljy/:19094:0:99999:7::: test3:$6$ZKNtxMctfJlBFbFT$xsVxcw4jmVnOtcqlY.KOS9VmYvSguYrqBXD.T1odiSz6pT3veDc8ktS.gZ6aRAXQ0HTfuGgGXtZGrtkLbnX7N/:19094:0:99999:7::: $6$ shows us its a SHA-512 hash, ZKNtxMctfJlBFbFT$ is a 128-bit salt value in ASCII format Windows Passwords – Example Using the SYSTEM, SAM, and SECURITY registry files allows us to dump domain credentials as well Password Cracking Use John the Ripper Create a folder in your local directory called ripper and move to it (mkdir ripper && cd ripper). Copy /groups/cyb134/passwords/passdump to the ripper folder. test1:$6$RgEHNSxRo.W4zgz.$pej.aCf3bL.NB5jU/CW0bw7nqsyoM2IedwVkzotQB3aXcVaP0HUAJ.Pe0D55PMIOm6wi2z.XoaNGP4ktcbVUk.:19094:0:99999:7::: Run John the Ripper, you should see the results below (john passdump) You can see the results by running John the Ripper again with the -show option (john --show passdump) – dig through the files and see if the password was cracked New Slide CYB 134: Introduction to Cybersecurity Vulnerabilities Topics 1. What’s a vulnerability 2. Managing Vulnerabilities 3. CVE and CVSS What is a vulnerability? “A weakness in the computational logic (e.g. code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.” - CVE definition A sense of scale https://www.comparitech.com/blog/information-security/cybersecurity-vulnerability-statistics/ A sense of scale https://unit42.paloaltonetworks.com/network-security-trends-cross-site-scripting/ Vulnerability category distribution for CVEs registered in November 2021 to January 2022 Vulnerability Classification Outdated Operating Systems (OS) / Applications Weak Configuration Error Messages Insecure Protocols Weak Encryption Heartbleed example Missing bounds check in handling TLS heartbeats Allows for exposure of up to 64k of memory to a connected client or server CVE-2014-0160 Heartbleed example Heartbleed example Heartbleed example Vulnerability Management Environments are complex Vulnerabilities are inevitable and discovered regularly What to do? ○ Identify ○ Prioritize ○ Remediate Miami’s Vulnerability Management Standard Vulnerability Life Cycle Vulnerability Scanning (Identify) What to scan? data classification service criticality population test/prod internet exposure How to scan? un/authenticated network/agent frequency - risk tolerance, regulatory requirements, technical constraints, business constraints, licensing limits automation - scheduling, alerting tools Vulnerability Scanners Vulnerability Response (Prioritize + Remediate) Automate scan schedules and alerting Validate scan results, considering false positives and false negatives Validate remediation results Prioritize remediation requirements by establishing Service Level Agreements (SLAs) CVE - Common Vulnerabilities and Exposures - catalog of weaknesses Common Vulnerability Scoring System (CVSS) New Slide CYB 134: Introduction to Cybersecurity Pen Testing and Assessments Topics 1. Penetration Testing 2. Audits and Assessments What is Penetration Testing? Authorized, legal attempts to defeat security controls Taking on the hacker’s mindset Pen Testers follow the same attack lifecycle as real attackers ○ Reconnaissance ○ Intrusion ○ Exploitation ○ Privilege escalation ○ Lateral movement ○ Denial of service / Exfiltration Penetration Testing Reasons Provides visibility of security posture not available by other means Blueprints for remediation Essential, focused information on specific attack targets Types of Penetration Tests Physical Offensive Defensive Integrated Known environment Unknown environment Partially known Rules of Engagement Timeline Scope Data handling Behaviors Resources Legal concerns Communications Permission Permission Permission Permission Permission Crowd Sourcing Penetration Testing Responsible disclosure programs Bug bounty programs Audits and Assessments Security Tests verify controls already in place. Security Assessments include risk assessments, review of threats, current and future risks, and the value of targets. Security Audits are similar to tests and assessments but are conducted by an independent entity to avoid conflicts of interest. Audits and Assessments Internal audits External audits Independent 3rd party audits New Slide CYB 134: Introduction to Cybersecurity Application Security Think, Pair, Share Activity Write your own answers to the following two questions 1. What does it mean for an application to be secure? 2. How can you know if an application is secure? If you’re having trouble starting, think about the CIA properties. Discuss your answers with a neighbor ○ What aspects of security did you miss that your neighbor included for the first question? ○ How are your approaches for determining if an application is secure different from those of your neighbor? Share with the class Topics 1. Software Development Life Cycle (SDLC) 2. Software Security Testing 3. Continuous Integration/Deployment (CI/CD) 4. Injection Vulnerabilities 5. Race Conditions and TOCTOU Vulnerabilities 6. Application Security Controls Software Development Life Cycle (SDLC) SDLC Stages 1. Planning. This is the first step where the idea for the software is discussed. The goal is to understand what problem needs to be solved and outline the general approach to building the software. It includes figuring out the project's scope, time frame, budget, and resources needed. 2. Requirements. In this phase, detailed discussions happen to understand exactly what the software needs to do. This includes talking to users and stakeholders to define the software's functions, features, and how it will be used. SDLC Stages (2) 1. Design. Creating the architecture (how it is divided into modules and files), choosing technologies, and designing the user interface (how it looks and feels). The design acts like a blueprint for the developers to follow during coding. 2. Coding. This is the phase where developers write the actual code based on the design. They use programming languages to turn ideas and designs into a working application. SDLC Stages (3) 1. Testing. Software is tested to find and fix bugs or issues. Different types of testing are done, such as checking if the software works as expected (functional testing) and to check for resistance to attacks (security testing). 2. Maintenance. This includes fixing bugs that weren’t caught earlier, security updates, and adding new features. For applications, you may have to download new versions to get maintenance changes, but for web applications, updates are often handled without user intervention (or often without even informing the user.) Microsoft Secure Development Lifecycle (SDL) Includes practices for ensuring application security in each lifecycle stage. Software Security Testing Security Testing examines and runs the code to ○ Verify security features like authentication work as intended. ○ Identify security vulnerabilities. Types of Testing: ○ Static Analysis ○ Dynamic Analysis ○ Fuzz Testing Example Web Application Testing Methodology Static Analysis Static analysis finds security vulnerabilities without running the code. Advantages over dynamic analysis: ○ Can be used before application is complete enough to run. ○ Finds different vulnerabilities. Static Analysis Tool Example: Fortify Dynamic Analysis Run code and check application output for ○ Signs of compromise ○ Unexpected results Tools help automate creation of security relevant application inputs. Dynamic Analysis Tool: ZAP Fuzz Testing Fuzz testing generates and sends random data as application input to find bugs and vulnerabilities. ○ What happens if an image viewer gets an image where the height and width of the image are fuzzed? ○ How does a web browser handle random HTML with improperly nested or unclosed tags? DevSecOps Lifecycle Continuous Integration and Deployment Injection Vulnerabilities Unvalidated input is embedded in an instruction stream and cannot be distinguished from valid instructions. Applications have the potential for injection vulnerabilities when they send commands/code to another application. Common types of injection Command injection (shell injection) SQL injection JavaScript injection (cross-site scripting) Command Injection Impacts applications that run a command shell with commands that include user input. Threat actors use command shell statement separators like ; | && etc. to add a second command to be executed when the application runs the command shell. Command Injection: Example Program import subprocess domain_name = input("Enter the domain name: ") command = "nslookup {}".format(domain_name) response = subprocess.check_output(command,shell=True,encoding='UTF-8') print(response) Command Injection: Malicious Input SQL Injection Example Login: John Password: John1234 String query = “SELECT * FROM users WHERE login = ‘” + login + “’ AND password = ‘” + password + “’”; Expected input: SELECT * FROM users WHERE login = ‘John’ AND password = ‘John1234’ Result: Returns John’s user information SQL Injection – Tautology Login: ’ OR ‘1’ = ‘1 Password: ’ OR ‘1’ = ‘1 String query = “SELECT * FROM users WHERE login = ‘” + login + “’ AND password = ‘” + password + “’”; Expected input: SELECT *FROM users WHERE login = ‘’ OR ‘1’=‘1’ AND password = ‘’ OR ‘1’=‘1’ Result: Returns all user information in the users table Cross-site Scripting (XSS) Threat actor causes a legitimate web server to send user executable code (Javascript) of attacker’s choosing. Impact of XSS Account hijacking. Browser hijacking (malware hosting.) Information leakage (stored form values, etc.) Virtual defacement. Cross-Site Scripting: How it Works 1. Attacker stores code in legitimate website as a social media post, comment, review, etc. 2. Victim runs stored code when they access the post on the legitimate website. 3. Code runs in victim’s browser with their permissions and data. Reflected Cross-Site Scripting 1. Attacker embeds XSS attack in a hyperlink sent to the victim. 2. Victim clicks on link and sends request to legitimate website. 3. Website includes content from link in web page it sends to victim. 4. Malicious code executes in victim’s browser. Browser Exploitation Framework (BeEF) Inject code on right via XSS. BeEF now controls the browser, enabling you to run more code, like keyloggers, vulnerability scanners, etc. Race Conditions A race condition occurs when the behavior of a software system depends on the sequence or timing of uncontrollable events, such as the order in which different threads or processes execute. Consider two processes, A and B, that both need to increment a shared counter: Process A reads the value of the counter (say it’s 5), then increments it to 6. Process B reads the same value (5) before Thread A writes the updated value (6), then increments it to 6. Time of Check, Time of Use Vulnerability The passwd command runs with root privilege so that it can change your password in /etc/shadow and change account properties in the /etc/passwd file. It also lets the user specify a passwd file to edit which is useful when booting in recovery mode. The passwd program writes to a file in the shared /tmp directory. As root can write to any file, the program ensures that the user who is running the command has permissions to write to the target file. access() system call checks if the Real User ID has write access to /tmp/X. After the check, the file is opened for writing. Understanding the attack Attack program runs: Let’s consider steps for 2 programs: A1,A2,A1,A2……. Vulnerable program runs : A1 : Make “/tmp/X” point to a file V1,V2,V1,V2….. owned by us A2 : Make “/tmp/X” point to the file we As the programs are running don’t have permission to write. simultaneously on a multitasking operating system, the instructions will V1 : Check user’s permission on be interleaved, depending on how the “/tmp/X” OS kernel schedules the processes: V2 : Open the file A1, V1 , A2, V2 : vulnerable program uses root privilege to open target file. Application Security Controls 1. Input validation 2. Web application firewalls (WAFs) 3. Parameterized queries 4. Sandboxing 5. Code signing Input Validation Check that input is of correct type and reasonable length. Check that user input matches ○ A valid string from a list (like state abbreviations) ○ A pattern, like [0-9][0-9][0-9]-[0-9][0-9][0-9][0-9] for phone numbers. Application should reject input, not attempt to fix it ○ Example: Avoid XSS by deleting the string from input. ○ Attack: Threat actor sends , which becomes when the string is deleted. Web Application Firewall (WAF) A WAF is a separate piece of software or hardware that performs input validation on all incoming network traffic. Parameterized Queries The best solution is an injection vulnerability is to eliminate the possibility altogether by 1. Not running other programs that accept commands, or 2. Separating code and data. Parameterized queries are a SQL technique for #2. ○ Instead of inserting data values into queries, ○ Send SQL code to database, then send data separately. Sandboxing: Android Apps Code Signing Digital signatures and certificates are cryptographic concepts we’ll cover later in the course. New Slide CYB 134: Introduction to Cybersecurity Cryptography Topics 1. Meet Alice & Bob 2. Cryptography Goals and Terminology 3. Symmetric Encryption 4. Brute Force Attacks 5. DES and AES 6. Symmetric Key Management 7. Hashes 8. HMAC Encryption and Decryption plaintext plaintext Encryption Decryption Algorithm Algorithm Alice Bob ciphertext + + encryption key decryption key Terminology plaintext ciphertext plaintext Encryption Decryption Algorithm Algorithm Alice Bob Operations – Plaintext P to ciphertext C: encryption: C = E(P,Key1) – Ciphertext C to plaintext P: decryption: P = D(C,Key2) – E is encryption algorithm, D is decryption algorithm Cryptography Goal: Confidentiality Eve should not be able to read M. M Alice M Bob Eve Cryptography Goal: Integrity Eve should not be able to modify M. M Message: I love you Message: Alice I hate you M Bob Ha! Bob should feel sad Eve Cryptography Goal: Authentication Eve should not be able to send messages claiming to be from Alice M Alice M Bob Eve Symmetric Encryption Symmetric ciphers ○ Symmetric ciphers use the same key for encryption and decryption, so Alice and Bob must share a key. ○ They work similar to traditional padlocks with keys. Symmetric ciphers work by substitution and permutation ○ Substitution replaces one piece of plaintext with another piece, e.g. replace an A with a K or replace a binary 010 with 111. ○ Permutation reorders the symbols in the plaintext, like replacing HELLO WORLD with HWEOL OLRLD. Example Substitution Cipher: Caesar Cipher Shift Ciphers Generalization of Caesar cipher to have a key K, which is a number from 1 to 25 (K=0 doesn’t change anything.) 1. Let messages be all capital letter case from A through Z (delete all spaces and punctuation). 2. Represent letters A through Z by numbers from 0 to 25. 3. Encryption function 1. Ci = E(Pi ) = Pi + K (mod 26) 2. 0 + 3 MOD 26 = 3 -> d 4. Decryption function 1. Pi = D(Ci ) = Ci - K (mod 26) ROT-13: Properties of Shift Cipher with K=13 Caesar cipher with a key of 13. Since there are 26 letters, encrypting twice is the same as decrypting. Think, Share, Pair: Caesar Cipher 1. On your own, encrypt the message HELLO WORLD using Caesar cipher (key of 3), then write down the ciphertext. 2. Partner with someone from another row and compare your ciphertexts. 3. Decrypt your partner’s ciphertext and verify that you get back the plaintext message HELLO WORLD. 4. ABCDEFGHIJKLMNOPQRSTUVWXYZ Cryptanalysis Cryptanalysis is the process of breaking or cracking a cipher in order to obtain the plaintext and/or the encryption key. Approaches include: ○ Brute force: decrypt ciphertext with every possible key, then examine output is see if it’s a likely plaintext. ○ Frequency analysis: attempt to determine substitution process because some plaintext symbols are more common than others (for example, in English, 1/8 of all letters are e’s.) ○ Known plaintext: threat actor has both plaintext and ciphertext and wants to use them to obtain the key. Brute Forcing Caesar Cipher 1 => PSZIERHLSRSV 2 => ORYHDQGKRQRU 3 => NQXGCPFJQPQT 4 => MPWFBOEIPOPS 5 => LOVEANDHONOR 6 => KNUDZMCGNMNQ 7 => JMTCYLBFMLMP 8 => ILSBXKAELKLO 9 => HKRAWJZDKJKN 10 => GJQZVIYCJIJM 11 => FIPYUHXBIHIL 12 => EHOXTGWAHGHK 13 => DGNWSFVZGFGJ 14 => CFMVREUYFEFI 15 => BELUQDTXEDEH 16 => ADKTPCSWDCDG 17 => ZCJSOBRVCBCF 18 => YBIRNAQUBABE 19 => XAHQMZPTAZAD 20 => WZGPLYOSZYZC 21 => VYFOKXNRYXYB 22 => UXENJWMQXWXA 23 => TWDMIVLPWVWZ 24 => SVCLHUKOVUVY 25 => RUBKGTJNUTUX Brute Force Attack Effectiveness If the encryption algorithm E(k) is secure, brute force attack is only approach that may work. Time to complete depends on the number of keys. Modern ciphers are N-bit strings, with 2N possible keys. For N possible keys, Worst case is N decryptions. Mean case is N/2 decryptions. Example: DES has 56-bit keys Mean time to find key is 255 decryptions. Worst time to find key is 256 decryptions. Cipher Types Block ciphers Operate on “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Stream ciphers Operate on one character or bit of a message (or data stream) at a time. Data Encryption Standard Adopted in 1977 by A block cipher that breaks National Bureau of plaintext into 64-bit Standards (Now NIST) chunks, which it then encrypts. FIPS PUB 46 Keys are 56-bit binary numbers. Too small to resist modern attackers. Algorithm is referred to Triple DES, where you as the Data Encryption encrypt plaintext 3 times Algorithm (DEA) with DES still in use. Advanced Encryption Standard Winner of open NIST competition (1997-2000) Rijndael, designed by Joan Daemen and Vincent Rijmen. Published as FIPS 197 in November 2001. Most widely used block cipher. 128-bit block cipher 128-, 192-, or 256-bit keys. 10, 12, or 14 rounds, depending on key size. Replacement for DES DES vulnerable to brute force attacks due to 56-bit keys. AES is about 2X faster than DES, 6X faster than 3DES. Is 128 bits long enough to stop brute force? There are 2128 possible 128-bit keys. This is a big number: 340,282,366,920,938,463,463,374,607,431,768,211,456 or Approximately 3.4 x 1038 keys Cracking 1 trillion (1012) keys per second requires 3.4 x 1026 seconds, which is 1.08 x 1019 years Cracking 1 trillion keys per second on 1 billion CPUs requires 1.08 x 1010 years = 10.8 billion years Symmetric Key Management Many keys ○ Every pair of individuals who want to communicate confidentially must have their own secret key shared only by the two of them. If there are n people in an organization, n new keys need to be created in order for a new employee to be able to communicate securely with each of them. Key distribution ○ How do we get shared, secret keys to authorized personnel in a secure way that no one can intercept or modify? Key storage ○ Keys must be stored in such a way that they are protected in storage. ○ SSH lets you store login keys that are encrypted with a password. Key escrow and recovery ○ When large amounts of data are encrypted, losing a key can be disastrous, so it can be important to store a copy of the key. Example: if ransomware encrypts your backup server, including the key you use to encrypt backups, you cannot restore from backups without an offline copy of the key. Symmetric Key Distribution Eve can use a network sniffer to intercept secret keys. key Alice, 1st Bob, 2nd participant participant Eve, the Eavesdropper Secure Key Distribution: Trusted Third Party { request for secret key to Bob } kA Cathy { ks } kA || { ks } kB Cathy { ks } kB Alice B Alternate Approach: Use Asymmetric Cryptography {Alice’s message}eB {Bob’s message}eA Alice Bob Notation: eA is Alice’s public key, which is used for encryption dA is Alice’s private key, which is used for decryption Bob decrypts Alice’s message with dB, his private key. Alice decrypts Bob’s message with dA, her private key. We’ll talk about asymmetric cryptography in detail in our next class. Hash Functions A one-way function h: M→H Input M: variable length message M Output H: fixed length hash or “message digest” of input Some inputs produce same output (called a hash collision) Limited number of outputs; infinite number of inputs Avalanche effect: small input change -> big output change Example Hash Function Break M into 32-bit words, then sum words of message mod 232 Applications of Hash Functions Verifying file integrity (integrity) How do you know that a file you downloaded was not corrupted during download? Storing passwords (confidentiality) To avoid compromise of all passwords by an attacker who has gained admin access, store hash of passwords. Additional features needed for secure passwords. Digital signatures (authentication) Cryptographic verification that data was downloaded from the intended source and not modified. Used for operating system patches and packages. Commonly Used Hash Functions Hash Output Size (Bits) Applications Function MD4 128 Used for storing Windows passwords. MD5 128 Used to be widely used, but has practical security vulnerabilities SHA-1 160 Used to be widely used, has theoretical security vulnerabilities SHA-2 224, 256, 384, Widely used for digital signatures, password 512 storage (Linux, Mac) SHA-3 224, 256, 384, Alternative to SHA-2 created by NIST using 512 different mathematical techniques in case attacks on SHA-1 can be extended to SHA-2. Activity: Computing Hash Functions Use MD5 Hash Generator https://www.md5hashgenerator.com/ To hash the following inputs password password1 password123 completelydifferent Then discuss the results with a student next to you. Are the hashes the same for both of you? The first 3 inputs are similar strings. Are there any similarities between their hashes? Are there any similarities between the MD5 and SHA-1 hashes for the same input? MITM Attacks on Hash Functions Mallory can modify both message and its hash via a MITM. message + hash of message Alice, 1st Bob, 2nd participant participant Mallory, the MITM Solution: HMAC A keyed hash message authentication code (HMAC) is the use of a hash function for calculating a message authentication code (MAC), aka message digest or hash, based on a message in combination with a shared, secret key. HMAC algorithm works with any ○ Hash function ○ Message length ○ Key length Solution: HMAC Mallory can modify message, but cannot compute the correct HMAC since she does not know the key, so Bob will detect the integrity violation. message + HMAC(message) Alice, 1st Bob, 2nd participant participant Mallory, the MITM New Slide CYB 134: Introduction to Cybersecurity Public Key Cryptography Topics 1. Asymmetric Cryptography 2. Diffie-Hellman Key Exchange 3. RSA 4. Elliptic Curve Cryptography 5. Digital Signatures 6. Public Key Infrastructure 7. Certificates Public Key (Asymmetric) Cryptography Public key cryptography is a form of cryptography where everyone has 2 keys: A private key, known only to the owner. A public key, known to everyone. It is asymmetric The public key is used for encryption. The private key is used for decryption. How Public Key Cryptography is Used {Alice’s message}eB {Bob’s message}eA Alice Bob Notation: eA is Alice’s public key, which is used for encryption dA is Alice’s private key, which is used for decryption Bob decrypts Alice’s message with dB, his private key. Alice decrypts Bob’s message with dA, her private key. COMPARISON OF SYMMETRIC AND ASYMMETRIC CRYPTOGRAPHY SYSTEMS SYMMETRIC ASYMMETRIC Single shared key Key pair sets Out-of-band exchange In-band exchange Not scalable Scalable Fast Slow Bulk encryption Small blocks of data, digital signatures, digital certificates Confidentiality, integrity Confidentiality, integrity, authentication, nonrepudiation Diffie-Hellman Key Exchange Compute a common, shared key Called a symmetric key exchange protocol Based on discrete logarithm problem One way function: f(k) = gk mod p. Invert function by computing logarithm to find k. Solutions known for small p. Computationally infeasible for large p. Shared Constants prime modulus p, integer base g ≠ {0, 1, p–1} Diffie-Hellman Algorithm 1. Alice chooses a random private key k 2. Computes public key A = gk mod p and sends to Bob. 3. Bob chooses a random private key k’ 4. Computes public key B = gk’ mod p and sends to Alice. 5. Alice computes secret key K1 = Bk mod p 6. Bob computes secret key K2 = Ak’ mod p 7. Encrypt messages w/ symmetric cipher using K1=K2 as the secret key. How do they both compute the same key? K1 = Bk mod p = (gk’ mod p)k mod p = gk’k mod p = gkk’ mod p = (gk mod p)k’ mod p = Ak’ mod p = K2 RSA (Rivest-Shamir-Adleman) Encryption 1. Public key cipher based on modular exponentiation. Encrypt: C = Me mod n Decrypt: M = Cd mod n = (Me)d mod n = M where e is the public key and d is the private key. 2. Treat message blocks as integers. 3. Relies on the computational difficulty of determining the number of integers relatively prime to a large integer n. RSA Demonstration on CryptTool Use RSA step by step to see how each block is encrypted. https://www.cryptool.org/en/cto/rsa-step-by-step Use RSA visual to see a whole message visually. https://www.cryptool.org/en/cto/rsa-visual Elliptic Curve Cryptography ECC is based on the algebra of elliptic curves (like y2 = x3 + ax + b) over finite fields instead of being based on simple finite groups like modular arithmetic. Analogs to discrete logarithm and other one-way functions suitable for public key crypto exist in EC. Example: ECDH is Elliptic Curve Diffie Hellman Key Exchange. EC analogs of problems are more difficult, allowing the use of smaller keys. ECC is faster than modular public key cryptography. Digital Signatures Public-key encryption provides a method for creating digital signatures, enabling us to check authenticity of messages. 1. To sign a message, Alice computes a hash of message M, h(M), and encrypts it with her private key, dA, creating C = E(h(M), dA). 2. Anyone can decrypt the hashed message C using Alice’s public key, h(M’) = D(C, eA). 3. If h(M)=h(M’), then the digital signature is valid. This check provides authentication of the message. We’ll see how to get both confidentiality + authentication later. How do you know you have Alice’s key? You could meet Alice in person and get her key that way ○ People do that at security conferences, but it doesn’t scale to handling e-commerce on the Internet. If you send the key over the Internet, how do you know ○ that you can trust the server you got the key from? ○ that the key wasn’t intercepted and replaced in a MITM attack? Let’s see how that works on the next slide. MITM Attacks against Public Key Cryptography please send Bob’s public key Eve intercepts request Alic Cathy e please send Bob’s public key Eve Cathy eB Eve Cathy eE Alic Eve e { ks } eE Eve intercepts message Alic Bo e b { ks } eB Eve Bo Solution: security certificates A certificate is token that binds an identity to a public key: Identity of principal (here, Alice), Corresponding public key, Timestamp (when issued), Other information like the identity of the signer. signed by trusted authority (Cathy.) CA = { eA || Alice || T } dC Using a Certificate If Bob wants to communicate with Alice, the process is 1. Bob requests a certificate for Alice from Cathy, a trusted 3rd party. 2. Cathy sends certificate signed with her private key. 3. Bob decrypts certificate with Cathy's public key. This proves that the message came from Cathy. 4. Bob checks that certificate contains Alice's identity. 5. Bob extracts Alice's public key from certificate. 6. Bob uses Alice's public key to send her an encrypted message. Certificate Authorities Responsibilities Validating identities (usually domain names like miamioh.edu) Domain validation verifies identity by a valid email address. Extended validation verifies business using public records. Issuing and revoking certificates Software starts with trusted root CAs OS install contains some trusted CAs. Browsers may have own list of root CAs or use OS list. Programing libraries often have own list of root CAs. Activity: Check which certificates you trust In Firefox, Go to Settings Click on Privacy & Security Click on View Certificates Select the Authorities tab in the Certificate Manager window In Chrome, Go to Settings Click on Privacy and Security Click on Security Click on Manage device certificates Select the Trusted Root Certification Authorities tab in the Certificates window Checking Certificate Validity 1. Obtain issuer’s public key 2. Decipher signature Gives hash of certificate. 3. Compute hash of certificate; compare with step 2 hash If they differ, there’s a problem. 4. Check interval of validity This confirms that certificate is current. Revoking Certificates Certificates are revoked when Private key is compromised or no longer in use. Certificate was issued to wrong entity (faulty validation). Certificate Revocation List (CRL) List of serial numbers of revoked certificates that have not yet expired. Can be large, so lookup can be slow. Online Certificate Status Protocol (OCSP) Check revocation status of a single certificate. CA specifies their OCSP servers in issued certificates. Transport Layer Security (TLS) TLS protocol provides security features: Authentication of server to client. Optional authentication of client to server (client certificates.) Confidentiality of communication. Integrity of communication. HTTPS is HTTP over TLS Web servers need certificates to use HTTPS. Browsers must be able to validate that server certificates are signed by a trusted CA or by another CA that has a certificate signed by a trusted CA. TLS checks for revoked certificates before establishing connection. TLS Cipher Suites 1. Key Exchange Algorithm Used to exchange session keys for bulk encryption algorithm. Examples: RSA, Diffie-Hellmann, Elliptic Curve Diffie-Hellman 2. Bulk Encryption Algorithm Used to encrypt message stream. Examples: RC4-128, Triple-DES, AES-128, AES-256 3. Message Authentication Code MAC is keyed hash function to ensure integrity. Based on MD5, SHA-1, or SHA-2, key based on master secret. 4. Pseudorandom Function Used to create master secret, a 48-byte secret shared with both parties. Used to create session keys. Activity: TLS Browser Test Find a partner and agree on which browser each of you will test. You must chose a different browser from your partner. Test web browser on your phone, laptop, or PC by going to https://www.ssllabs.com/ssltest/viewMyClient.html Does your browser support the latest TLS version? Does your browser support any weak cipher suites? How many? Compare findings with a partner in an adjacent row What are your browser’s strengths compared to your partner’s? What are your browser’s weaknesses compared to your partner’s? New Slide CYB 134: Introduction to Cybersecurity IAM - Identity and Access Management Topics 1. Identity 2. Account Types 3. Account Lifecycle 4. Authentication Identity Individuals Applications Devices Systems Organizations Who am I? and Who are you? Common ways to assert or claim an identity Smart cards Certificates Usernames SSH keys Tokens Account Types User accounts Privileged or administrative accounts Shared and generic accounts or credentials Guest accounts Service accounts Account Policies and Controls Password Complexity Account Password policies & The time of day lifespan controls The network Other location of the information system Geolocation data Authentication Provisioning Authorization Beginning of Relationship Lifecycle Password Management Deprovisioning Compliance End of Relationship Authentication Technologies EAP CHAP 802.1X RADIUS TACACS+ Kerberos 802.1 AUTHENTICATION ARCHITECTURE WITH EAP, RADIUS, AND LDAP Kerberos Authentication Process Single Sign-On (SSO) LDAP - Lightweight Directory Access Protocol SAML - Security Assertions Markup Language OpenID - is about authentication OAuth - is about authorisation Federation The Is typically a user. principal Or IdPs provide identity and authentication Identity services via an attestation process in which providers the IdP validates that the user is who they claim to be. Service Or SPs provide services to users whose identities have been attested to by an providers identity provider. Authentication Methods Passwords NIST best practices: Reducing password complexity requirements and instead emphasizing length Not requiring special characters Allowing ASCII and Unicode characters in passwords Allowing pasting into password fields to allow password managers to work properly Monitoring new passwords to ensure that easily compromised passwords are not used Eliminating password hints Password Managers and Passwordless Password managers allow secure storage, creation, and management of passwords. Enterprise options track and manage passwords and allow logging and additional controls. Passwordless uses an app, device, or security key or other device that provides both public key cryptography and a physical token. More Password Managers Some have a "digital will" feature where siblings, parents, children can get into account if you have died. 3rd party person requests access, site sends you email and if you don't cancel in (1 week) the systems grants them access. Password Manager (LastPass) Browser password managers Convenient, but…. If your browser is compromised, so are your passwords Browsers often remain logged in Not compatible across browsers They don’t necessarily managed the encryption keys securely Apple Icloud – more secure than than a browser password, but still vulnerable to some of the items above Browsers were not designed to be password managers – how secure is your browser password? How often to you change it? PC magazine review of password managers: https://www.pcmag.com/picks/the-best-password-managers Password Managers Miami Knowledge Base Roboform 1Password Lastpass Bitwarden KeePass https://www.komando.com/privacy/how-to-use-password-managers/826275/ Lastpass Security Audit – I’ve got some work to do! LastPass Dark Web Monitoring Multi Factor Authentication Something you know Something Something you are you have Titan Key USB Security Key One Time Passwords Time-based one-time passwords HMAC-based (TOTP) one-time password (HOTP) TOTP Code Generation HOTP Token Biometrics Fingerprints Retina scanning Iris recognition Facial recognition Voice recognition Vein recognition Gait analysis New Slide CYB 134: Introduction to Cybersecurity IAM - Identity and Access Management Topics 1. Authorization 2. Access Control 3. Access Control Schemes 4. Privileged Access Control 5. Compliance (Auditibility) Authentication Provisioning Authorization Beginning of Relationship Lifecycle Password Management Deprovisioning Compliance End of Relationship Authorization Types of Authorization Implicit/Inherited - contained in the nature of something though not readily apparent Explicit - fully revealed or expressed without vagueness, implication, or ambiguity : leaving no question as to meaning or intent Windows File Permissions Linux File Permissions Linux ls, getfacl, and groups Commands The Linux chmod Command chmod (user) (groups) (world) chmod u+x,g=rwx,o=r new_file.txt chmod 777 new_file.txt Activity: Create a File and Change Permissions Find a partner and get signed into CECLNX01. You have to make sure Each of you should do the following this is your ○ Everyone has the ability to write to /groups/cyb134/tmp. uniqueid!!!!!! ○ Create a file in /groups/cyb134/tmp called uniqueid.txt (use nano). ○ Put some text in it and save the file. List the permissions on the file you created, and on the file your partner created. How do they differ? Can you read the file your partner created? Change the permissions so that everyone can read and write to your file. ○ chmod 666 uniqueid.txt Verify that your partner can now edit the file, look at the permissions again and note how they changed. Providing the minimum access and tools that you need to complete the work, and nothing else. Access Control Schemes Attribute-based access control (ABAC) Role-based access control (RBAC) Rule-based access control (RuBAC) Mandatory Access Control (MAC) Discretionary access control (DAC) Privileged Access Management Just-in-time permissions Location - ensures the user only exercises the privileged access from a pre-approved location Time - ensures the user only has elevated permissions for the necessary time during which the work must get completed Actions - ensures the user is limited the least amount of actions necessary to complete the work Compliance How do we know it’s working? Activity: Apache Logs Apache is the web server we used to publish pages in the last lab. The log is located at /var/log/apache2/access.log What information can you find about someone trying to access your files from the last lab? The fields: IP from request Date "request" STATUS CODE (200=OK, 401 unauthorized, 404 Not Found…) Size of response Other info about request New Slide CYB 134: Introduction to Cybersecurity Endpoint Security Topics 1. What is an Endpoint? 2. Endpoint Vulnerabilities 3. Endpoint Security Tools 4. Hardening 5. SCADA 6. Specialized Systems Operating System Vulnerabilities OS vulnerabilities can be exploited by attackers and drives patching and secure configurations Defaults and insecure settings are paths for attackers Misconfiguration and human errors are also concerns Hardware Vulnerabilities Firmware: embedded software that allows devices to function. Attacked via updates, user-space attacks, and remote attacks if network connected. Lifecycle: ○ End of life and end of support Preserving Boot Integrity Endpoint Security Tools Antivirus and anti-malware Allow and deny lists EDR and XDR Data Loss Prevention Network Defenses Antivirus and Anti-Malware Signature based detection Common Methods Heuristic, or behavior based detection AI and machine learning systems Sandboxing Network Defenses Hardening Endpoints and Systems SERVICE HARDENING OPERATING SYSTEM HARDENING Service Hardening Port and protocol Windows Linux 22/TCP - Secure Shell (SSH) Uncommon Common 53/TCP and UDP - DNS Common (servers) Common (servers) 80/TCP - HTTP Common (servers) Common (servers) 125-139/TCP and UDP - Common Occasional NetBIOS 389/TCP and UDP – LDAP Common (servers) Common (servers) 443/TCP – HTTPS Common (servers) Common (servers) 3389/TCP and UDP – Remote Common Uncommon Desktop Protocol Service Hardening - Services.msc Operating System Hardening Example Windows benchmark items: ○ Setting the password history to remember 24 or more passwords. ○ Setting maximum passwords age to “60 or fewer days, but not 0,” preventing users from simply changing their passwords 24 times to get back to the same password while requiring pass ○ word changes every 2 months. ○ Setting the minimum password length to 14 or more characters. ○ Requiring password complexity. ○ Disabling the storage of passwords using reversible encryption. Configuration, Standards, and Schemas Naming standards and Patch addressing management schemas Encryption Full-disk encryption (FDE) encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use. Volume encryption (sometimes called filesystem-level encryption) protects specific volumes of the drive, allowing different trust levels and additional security beyond that provided by encrypting the entire disk with a single key. File Permissions Assessing Embedded Systems 1. Identify the manufacturer or type of embedded system and acquire documentation or other materials about it. 2. Determine how the embedded system interfaces with the world: does it connect to a network, to other embedded devices, or does it only have a keyboard or other physical interface? 3. If the device does provide a network connection, identify any services or access to it provided through that network connection, and how you can secure those services or the connection itself. Assessing Embedded Systems 4. Learn about how the device is updated, if patches are available, and how and when those patches should be installed, then ensure a patching cycle is in place that matches the device’s threat model and usage requirements. 5. Document what your organization would do in the event that the device had a security issue or compromise. Could you return to normal? What would happen if the device were taken offline due to that issue? Are there critical health, safety, or operational issues that might occur if the device failed or needed to be removed from service? 6. Document your findings and ensure that appropriate practices are included in your organization’s operational procedures. SCADA and ICS Securing the Internet of Things (IoT) Poor security practices Common issues Short support lifespans Vendor data handling practice issues IoT Specialized Systems Medical Smart meters Vehicles systems Drones and autonomous VoIP systems Printers vehicles (AVs) Surveillance systems Security Constraints of Embedded Systems The overall computational power and capacity of embedded systems is usually low Embedded systems may not connect to a network Network connectivity is necessary Embedded systems may be very low cost, but many are effectively very high cost Asset Management Acquisition and procurement Asset inventory Asset lifecycle ○ Decommissioning ○ Retention New Slide CYB 134: Introduction to Cybersecurity NICE Framework Topics 1. NICE Framework Definition 2. Task, Knowledge, and Skills 3. Competency Areas 4. Work Roles 5. Teams NICE Framework The Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 rev. 1) establishes a standard approach and common language for describing cybersecurity work and learner capabilities. The NICE Framework seeks to improve communication among stakeholders throughout the cybersecurity ecosystem about how to identify, recruit, develop, and retain talent. Attributes of the NICE Framework Agility - People, processes, and technology mature and must adapt to change. Flexibility - While every organization faces similar challenges, there is no one-size-fits-all solution to those common challenges. Interoperability - While every solution to common challenges is unique, those solutions must agree upon consistent use of terms. Modularity - While cybersecurity risk remains the basis of this document, there are other risks that organizations must manage within the enterprise. Task, Knowledge, and Skills (TKS) Statements Task Task - An activity that is directed toward the achievement of organizational objectives. Task Statements Easy to read and understand Begin with the activity being executed Do not contain the task objective Knowledge Knowledge - A retrievable set of concepts within memory. Knowledge Statements Describe foundational or specific Knowledge Multiple statements may be needed to complete a Task A single statement may be used to complete many different Tasks Skill Skill - The capacity to perform an observable action. Skill Statements Describe straightforward or complex skills Multiple Skill statements may be needed to complete a Task A single Skill statement may be used to complete more than one Task Competency Area A cluster of related Knowledge and Skill statements that correlates with one’s capability to perform Tasks in a particular domain. Can Be Are Not Additive to one or more Work Redundant or Duplicative of Roles Work Roles Span multiple Work Roles Represent emerging domains Competency Competency - A mechanism for organizations to assess learners. Competencies Defined via an employer driven approach Learner-focused Observable and measurable Competency (as part of the hiring process) Competency (as part of credentials) Work Role != Job Title Work Role Category Description Number of Work Roles Oversight and Governance (OG) Provides leadership, management, direction, and 16 advocacy so the organization may effectively manage cybersecurity-related risks to the enterprise and conduct cybersecurity work. Design and Development (DD) Conducts research, conceptualizes, designs, 8 develops, and tests secure technology systems, including on perimeter and cloud-based networks. Work Role Category Description Number of Work Roles Implementation and Operation Provides implementation, administration, 7 (IO) configuration, operation, and maintenance to ensure effective and efficient technology system performance and security. Protection and Defense (PD) Protects against, identifies, and analyzes risks to 7 technology systems or networks. Includes investigation of cybersecurity events or crimes related to technology systems and networks. Work Role Category Description Number of Work Roles Investigation (IN) Conducts national cybersecurity and cybercrime 2 investigations, including the collection, management, and analysis of digital evidence. Cyberspace Intelligence (CI) Performs highly specialized review and 5 evaluation of incoming cybersecurity information to determine its usefulness for national intelligence. Work Role Category Description Number of Work Roles Cyberspace Effects (CE) Plans, supports, and executes cybersecurity for 7 cyberspace capabilities where the primary purpose is to externally defend or conduct force projection in or through cyberspace. Teams Work Roles and Competency Areas can both be used to build teams. A Work Role-centered approach to building teams allows organizations to define what types of roles are needed to achieve defined objectives. Teams built with this “top down” approach begin with the identification of the work that needs to be accomplished. A Competency Area-centered approach to building teams recognizes that individual Tasks may be unknown, but the Competency Areas needed to solve a challenge are known. This approach may be considered “bottom up.” Teams built this way can help identify learners who may participate in the Team’s work in the future. Activity Work with a partner to find 2 cybersecurity jobs. Make note of the information below, how does this fit into the NICE framework? Be prepared to share your findings with the class. 1) Job description 2) Minimum required skills 3) Salary 4) Company Name and location of job New Slide CYB 134: Introduction to Cybersecurity Networking Topics 1. Network Basics and Terms 2. TCP/IP 3. Application Layer 4. Transport Layer 5. Packet Sniffing What is a Computer Network? A group of connected computers and devices (aka hosts) that can communicate with each other and share resources. Printer Host Host Ethernet Most wired networks use Ethernet. ○ Speeds range from 1 Gbps for personal devices up to ○ 400 Gbps inside data centers to connect server racks. LANs usually run Ethernet over CAT-5e cables with RJ-45 connectors. Standard limits to 100m length. RJ-45 Connectors and Physical Ports Network switches A switch moves data packets from one device that enters on one port, sending it to another port that moves it closer to its destination based on the destination address encoded in the packet. Network diagram representation of An actual network switch. a switch. IEEE 802.11 Wireless (aka WiFi) IEEE 802.11 is a series of standards for computers to communicate using radio waves. ○ 2.4 GHz was the first frequency range used. It penetrates walls well, but conflicts with other devices that use this range, like Bluetooth, some cordless phones, microwaves, etc. ○ 5 GHz is faster, has fewer conflicts, doesn’t go through walls well. Speed has improved from ○ 802.1