Security + 700 PDF
This document provides an overview of different security control types: preventive, deterrent, detective, corrective, and compensating. It also covers important concepts like technical, managerial, and physical controls, along with operational controls.
**Security + 700**

**Security Controls**

Security controls prevent security events, minimize their impact, and limit the damage. Individuals are constantly trying to get into our systems, and we have to think of ways to stop them. Controls protect data, physical property, and computer systems.

Control categories:
- Technical
- Managerial
- Operational
- Physical

Technical controls are implemented using technology:
- Operating system controls that allow or disallow certain functions and access
- Firewalls, antivirus, and other types of software

Managerial controls are the policies and administrative controls written into the security design:
- Policies, standard operating procedures
- Example: creating security policy documentation

Operational controls use people to implement security:
- Security guards
- Awareness programs that explain IT best practices

Physical controls limit someone's access to a building, room, or device:
- Guard shack (limits physical access)
- Fences
- Locks
- Badge readers

Control types:

Preventive: blocks access to a resource ("you shall not pass"):
- Firewall rules
- Following the security policy
- Guard shack checks all identification
- Door locks

Deterrent: discourages an intrusion attempt but does not directly prevent access; makes the attacker think twice:
- Application splash screen
- Threat of demotion
- Front reception desk
- Posted warning signs

Detective: identifies and logs an intrusion attempt. It does not prevent access, but it produces the log entry or warning that tells you an attack happened:
- Collect and review system logs
- Review login reports
- Regularly patrol the property
- Enable motion detectors

Corrective: applied after an event has been detected, once someone has already gained access (the next steps once you know); reverses the impact of the event and helps the organization keep operating with minimal downtime:
- Restoring from backups can recover from a ransomware infection
- Create policies for reporting security issues
- Contact law enforcement to manage criminal activity
- Use a fire extinguisher

Compensating: controls the risk by other means, usually temporarily, as a short-term fix while the proper control is put in place; prevents exploitation of a weakness:
- A firewall blocks a specific application instead of patching the app
- Implement separation of duties
- Require simultaneous (more than one) guard duties
- Generator used after a power outage

Directive: directs a subject toward security compliance; a relatively weak control, since it only tells someone to do the more secure thing instead of the less secure one:
- Store all sensitive files in a protected folder
- Create compliance policies and procedures
- Train users in the proper security policy
- Post a sign for "Authorized Personnel Only"

| | Preventive | Deterrent | Detective | Corrective | Compensating | Directive |
|---|---|---|---|---|---|---|
| Technical | Firewall | Splash screen | System logs | Backup recovery | Block instead of patch | File storage policies |
| Managerial | On-boarding policy | Demotion | Review login reports | Policies for reporting issues when they occur | Separation of duties | Compliance policies |
| Operational | Guard shack | Reception desk | Property patrol | Contact authorities | Require multiple security staff | Security policy training |
| Physical | Door lock | Warning sign | Motion detectors | Fire extinguisher | Power generator | "Authorized Personnel Only" sign |

Not everyone uses the same categorization; the same control may be classified differently by different organizations.

**1.2 CIA Triad**

Also known as the AIC Triad, to differentiate it from the Central Intelligence Agency, though it is easiest to remember as the CIA Triad. These are the fundamental pillars of security, a combination of three principles:
- Confidentiality: prevent disclosure of information to unauthorized individuals
- Integrity: information cannot be changed without detection or notification
- Availability: information, systems, and networks are running and can be accessed by authorized individuals

Confidentiality: information is available only to the right people. Ways of ensuring it:
- Encryption: one individual encrypts information so that only the people who need to read it can. The sender encrypts, the recipient decrypts, and anyone in the middle sees only ciphertext, not the plaintext message.
- Access controls: selectively restrict access to resources. Example: Marketing can see all of the marketing presentations and information but cannot see accounting information.
- Two-factor authentication: an additional confirmation before information is made available.

Integrity: data is stored and transferred without any modification that would go undetected. Ways to provide integrity:
- Hashing: maps data of arbitrary length to data of a fixed length. If your computed hash matches the sender's hash, you know the data has kept its integrity.
- Digital signature: a mathematical scheme to verify the integrity of data that also gives extra verification that the sender is who they claim to be.
- Certificates: combined with a digital signature to verify an individual or device, especially when data is sent from one device to another.
- Non-repudiation: proof of integrity; the data can be asserted to be genuine and proven to have come from the originating party.

Availability: information is always available to authorized users, at their fingertips. Ways to provide availability:
- Redundancy: build services that are always reliable, with systems that stay up and running
- Fault tolerance: the system continues to run even if a failure occurs
- Patching: stability; closes security holes and prevents someone from gaining entry through an exploit

**Topic 1.2 Non-repudiation**

You cannot deny what you have already said; there is no taking it back. Signing a contract adds non-repudiation: others can see your signature and know that you really signed it.

In cryptography, non-repudiation adds a different perspective:
- Proof of integrity: the information that was sent can be verified as accurate and consistent; nothing was changed
- Proof of origin: with high assurance of authenticity

Proof of integrity uses a hash:
- Represents data as a short string of text, a message digest or fingerprint
- If the data changes, the hash changes (if the person changes, the fingerprint changes)
- Does not by itself associate the data with an individual; it only tells you whether the data changed
- Change one character anywhere in the file and the hash changes; if the hash is different, integrity has been compromised
- Practice: change a character in a file and recompute the hash

Proof of origin:
- Proves the message was not changed: integrity
- Proves the source of the message: authentication
- Makes sure the signature is not forged: non-repudiation
- The sender signs with the private key, which is known only to the sender; the public key is used to confirm that the matching private key produced the signature
- The message itself does not need to be encrypted
- Nobody else can create this signature, since nobody else holds the private key

Creating a digital signature: Alice is sending a message to Bob and attaches a digital signature. Alice hashes the message, then encrypts that hash with her private key (this is the signature) and sends it along with the plaintext. Bob hashes the plaintext himself with the same hashing algorithm, decrypts the signature with Alice's public key to recover the original hash, and compares the two. If they match, the message was not changed and it came directly from Alice.

**1.2 Authentication, Authorization, and Accounting**

First, what is IAM? Identity and Access Management: a set of policies and technologies that help ensure that appropriate access to technology and data resources is provided to authorized individuals.

AAA framework; think of it as logging in to a system:
- Identification: who you claim to be, usually your username
- Authentication: proves you are who you say you are; a password and other authentication factors
- Authorization: based on your identification and authentication, what access do you have?
- Accounting: resources used: login time, data sent and received, logout time

RADIUS (Remote Authentication Dial-In User Service):
- A networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to and use a network service
- Allows easier management of user passwords across multiple access points
Authenticating people: client > internet > firewall/VPN concentrator, which blocks the connection until the AAA server approves the access credentials > internal file system.

Authenticating systems:
- You have to manage many devices, often devices you will never physically see
- A system can't type a password, and you may not want to store one on it
- How can you truly authenticate a device? With a certificate that is digitally signed and installed on the device; it can be checked during login
- Other business processes rely on the certificate: access to the VPN from authorized devices; management software can validate the end device

Certificate authentication:
- An organization has a trusted Certificate Authority (CA), the device or software responsible for managing all certificates in the environment; most organizations maintain their own
- The organization creates a certificate for a device and digitally signs it with the organization's CA
- The certificate can now be installed on the device as an authentication factor; the CA's digital signature is used to validate the certificate

Authorization models:
- The user or device has now authenticated; to what do they now have access? Time to apply an authorization model
- Users and services > data and applications; associating individual users directly with access rights does not scale
- Put an authorization model in the middle, defined by role, organization, or attributes

No authorization model: a simple relationship, user > resource. Issues with this method:
- Difficult to understand why an authorization may exist
- Does not scale

Add an abstraction:
- Reduces complexity
- Creates a clear relationship between the user and the resources
- Administration is streamlined: the authorization is easy to understand and supports any number of users or resources
- Can be done in Active Directory

**Gap Analysis**

The study of where we are versus where we would like to be, "the gap between the two". It is used to understand what security we need in the future.

It requires extensive research, as there is a lot to consider when making a plan:
- Can take weeks, months, or years
- An extensive study with numerous participants
- Get ready for emails, data gathering, and technical research

Before starting the gap analysis, choose the framework:
- Have a known baseline, which may be an internal set of goals; some organizations should use formal standards
- Determine the end goal, which can be based on previous publications

Evaluate people and processes:
- Get a baseline of employees: formal experience, current training, knowledge of security policies and procedures
- Examine the current processes: research existing IT systems; evaluate existing security policies (to see how they relate to the conditions you are looking for at the end goal)

The analysis portion of a gap analysis is compare and contrast:
- Comparison of the existing systems in the environment
- Leads to identifying the weaknesses, along with the most effective processes, to understand how to compensate for the weaknesses
- A detailed analysis is created: examine broad security categories, then break them into smaller segments

(Example: screenshot of a gap analysis comparison; image not included.)

Once we have the information for all processes, procedures, and technology, we can create a final comparison with:
- A detailed baseline objective
- A clear view of the current state

We need a path to get from the current security to the goal:
- This will almost certainly include time, money, and a lot of change control (so that the changes can be implemented)
- Once all information is compiled, it is time to create the gap analysis report: a formal description of the current state and recommendations for meeting the baseline
**Zero Trust**

Many networks are relatively open on the inside: once you're through the firewall, there are few security controls. Zero trust is a holistic approach to network security that covers every device, every process, and every person.

**Everything must be verified**
- Authenticate yourself, or prove yourself, each time you want access to any resource
- Nothing is inherently trusted
- Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.

Planes of operation:
- Split the network into functional planes; applies to physical, virtual, and cloud components
- Data plane: performs the actual security process; processes the frames, packets, and networking data (this is where the switch, router, or firewall does its work): processing, forwarding, trunking, encrypting, NAT
  - NAT (Network Address Translation): a technique that allows multiple devices to share a single public IP address
  - Public IP address: imagine it as a home address; the public IP acts like your house number on the internet. It is a unique identifier assigned to your network's router by the internet service provider (ISP), usually assigned dynamically, and not generally owned by the individual user.
  - Private IP address: for internal use within the network, like apartment numbers within a building. Each device on your home network has a unique private IP address assigned by the router. These addresses let devices communicate with each other on your network but are not directly reachable from the internet.
- Control plane: manages the actions of the data plane; defines policies and rules; determines how packets should be forwarded; routing tables, session tables, NAT tables
- Extends the physical architecture: separate into functional tasks, incorporated into hardware or software

Controlling trust:
- Adaptive identity: examine the identity of the individual and apply security controls based not just on what the user tells us but on other information gathered about the authentication process
  - For example, the request claims to come from the United States, but the IP address is based in China; you may want to perform additional security checks
  - Consider the source and the requested resources
  - Multiple risk indicators: relationship to the organization, physical location, type of connection, IP address, etc.
  - These can be used to strengthen the authentication if needed
- Threat scope reduction: decrease the number of possible entry points
- Policy-driven access control: examine all of these individual data points and put them together to truly understand whether the person identifying themselves is really who they claim to be; combine the adaptive identity with a predefined set of rules

Security zones:
- Security is more than a one-to-one relationship; broad categorizations provide a security-related foundation
- Where are you coming from and where are you going (the zone you connect from versus the zone you are trying to reach)
- Trusted, untrusted
- Internal network, external network
- VPN 1, VPN 5, VPN 11 (separate VPN connections)
- Marketing, IT, Accounting, Human Resources (separate departments)
- Using the zones may be enough by itself to deny access; for example, untrusted-to-trusted zone traffic
- Some zones are implicitly trusted; for example, trusted-to-internal zone traffic

Policy enforcement point (PEP):
- Subjects and systems (end users, applications, non-human entities) that communicate through it are subject to evaluation
- The gatekeeper: allows, monitors, and terminates connections
- Can consist of multiple components working together

Policy decision point: the process for making the access decision
- Policy engine: evaluates each access decision based on policy and other information sources; grant, deny, or revoke
- Policy administrator: communicates with the policy enforcement point, generates access tokens or credentials, and tells the policy enforcement point to allow or disallow access

Zero trust access planes: a subject or system in the untrusted zone communicates over the data plane through the policy enforcement point. When a policy decision is needed, the enforcement point hands the request to the policy administrator, which passes it to the policy engine to decide whether this traffic is allowed. The decision is returned to the policy administrator, which provides it to the policy enforcement point. If the traffic is allowed, the policy enforcement point opens the path into the trusted zone and, ultimately, to the enterprise resource.
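A toy policy decision point for the flow just described, added here as an example and not part of the original notes. It also reuses the role-based authorization model from the AAA section (user > role > resource instead of per-user grants). Every role, zone, resource name and rule threshold is a hypothetical choice for the illustration; a real policy engine would pull these from policy and identity sources.

```python
"""Added example, not from the original notes: a toy zero-trust policy
decision point plus a policy enforcement point. Roles, zones, resources and
the MFA thresholds below are hypothetical choices for the illustration."""
from dataclasses import dataclass

ALLOW, DENY, STEP_UP = "allow", "deny", "step_up"

# Authorization model: roles sit between users and resources.
ROLE_PERMISSIONS = {
    "marketing": {"marketing-share"},
    "accounting": {"marketing-share", "accounting-db"},
    "it-admin": {"marketing-share", "accounting-db", "firewall-mgmt"},
}

# Security zones: (source, destination) pairs denied before any identity check.
BLOCKED_ZONE_PAIRS = {("untrusted", "internal"), ("untrusted", "trusted")}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    src_zone: str
    dst_zone: str
    mfa_done: bool
    device_cert_valid: bool   # device presented a certificate signed by our CA
    claimed_country: str      # what the subject tells us
    ip_country: str           # what the source address tells us
    connection: str           # "corporate-lan", "vpn" or "public-wifi"

def risk_indicators(req):
    """Adaptive identity: gather signals beyond what the subject claims."""
    signals = []
    if req.claimed_country != req.ip_country:
        signals.append("geo-mismatch")
    if not req.device_cert_valid:
        signals.append("unmanaged-device")
    if req.connection == "public-wifi":
        signals.append("untrusted-network")
    if req.src_zone == "untrusted":
        signals.append("untrusted-zone")
    return signals

def policy_engine(req):
    """Policy engine: returns (decision, reason) for one access request."""
    # 1. Zone policy alone may be enough to deny.
    if (req.src_zone, req.dst_zone) in BLOCKED_ZONE_PAIRS:
        return DENY, "zone policy: %s -> %s is never allowed" % (req.src_zone, req.dst_zone)
    # 2. Authorization model: the subject's role must grant the resource.
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return DENY, "role %r is not authorized for %r" % (req.role, req.resource)
    # 3. Adaptive identity: any risk signal demands MFA; two or more without MFA is a deny.
    signals = risk_indicators(req)
    if signals and not req.mfa_done:
        if len(signals) >= 2:
            return DENY, "risk signals %s and no MFA" % signals
        return STEP_UP, "MFA required because of %s" % signals
    return ALLOW, "policy satisfied (signals=%s)" % signals

class PolicyEnforcementPoint:
    """The gatekeeper on the data plane: asks the decision point, then opens,
    steps up or drops the connection, and records the outcome (accounting)."""

    def __init__(self):
        self.audit = []

    def handle(self, req):
        decision, reason = policy_engine(req)
        self.audit.append((req.user, req.resource, decision, reason))
        return decision

def sample_request(**overrides):
    """A constructed baseline request; keyword overrides vary individual fields."""
    fields = dict(user="jsmith", role="accounting", resource="accounting-db",
                  src_zone="trusted", dst_zone="internal", mfa_done=False,
                  device_cert_valid=True, claimed_country="US", ip_country="US",
                  connection="corporate-lan")
    fields.update(overrides)
    return AccessRequest(**fields)

if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    for req in (sample_request(), sample_request(ip_country="CN"),
                sample_request(role="marketing"), sample_request(src_zone="untrusted")):
        print(pep.handle(req), "-", pep.audit[-1][3])
```

The order of the checks matters: zone policy runs first because the notes say a zone pair alone can be enough to deny, the role table then replaces per-user grants, and only after that do the adaptive-identity signals decide between allow, step-up (MFA) and deny.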
**Physical Security**

Barricades/bollards:
- Prevent access, within limits
- Channel people through a specific access point
- Keep out other things: allow people, prevent cars and trucks
- Can be used to identify safety concerns
- Can be extreme: concrete barriers/bollards, moats (for example, water around a building so that people must cross a bridge to enter or exit)

Access control vestibules:
- All doors normally unlocked: opening one door causes the others to lock
- All doors normally locked: unlocking one door prevents the others from being unlocked
- One door open / other locked: when one is open, the other cannot be unlocked
- One person at a time, or a controlled group; managed control through an area
- Very common at large data centers or in corporations where extra security is needed

Fencing:
- Builds a perimeter; usually very obvious, which may not be what you're looking for
- Can be transparent or opaque (see through the fence, or not)
- Robust: difficult to cut, prevents climbing (razor wire, build it high)

Video surveillance:
- CCTV (closed-circuit television); can replace physical guards
- Camera features are important: motion recognition can alarm and alert when something is moving; object detection can identify a license plate or a person's face
- Often many different cameras, networked together and recorded over time

Guards and access badges:
- Security guard: physical protection at the reception area of a facility; validates identification of existing employees
- Two-person integrity/control: one security guard cannot circumvent the existing security policy because someone else is always there to provide checks and balances; minimizes exposure to an attack; no single person has access to a physical asset
- Access badge / identification badge: picture, name, other details; must be worn at all times; electronically logged

Lighting:
- More light = more security; attackers avoid light; easier to see when lit; non-IR cameras can see better
- Specialized design: consider overall light levels; lighting angles may be important, especially for facial recognition; avoid shadows and glare

Sensors:
- Infrared: detects infrared radiation in both light and dark; common in motion detectors
- Pressure: detects a change in force; floor and window sensors
- Microwave: detects movement across a large area
- Ultrasonic: sends an ultrasonic signal and receives the reflected sound waves; detects motion, collision detection, etc.

**Deception and Disruption**

Besides preventing attackers from accessing your systems, deception and disruption can be used to slow down and study those same attackers.

Honeypot:
- A way to attract attackers to a system and keep them engaged so you can see what kind of techniques they are using against you
- The attacker is usually an automated process (machine); ask what type of machine is being used and what type of systems they are trying to attack
- Honeypots create a virtual world for the attacker to explore
- Many different options, open source and commercial; most are available to download
- A constant battle to make the fake indistinguishable from the real
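The honeyfile and honeytoken ideas described in this section only pay off if something watches for the bait being touched. The following is an added example (not from the original notes) that plants a decoy API key and a bait file, then scans constructed log lines for either one. The `hk_` key format, the log line layout, the share path and the event names are hypothetical choices for the illustration; the alert reports where the bait was planted, which is what tells you where the data was stolen from.

```python
"""Added example, not from the original notes: plant a honeytoken and a
honeyfile, then detect their use in constructed log lines. The key format,
log layout, paths and event names are hypothetical."""
import re
import secrets

class HoneytokenRegistry:
    """Remembers every decoy we planted and where it was planted."""

    def __init__(self):
        self.api_keys = {}    # token value -> location it was planted in
        self.honeyfiles = {}  # lower-cased file path -> location it was planted in

    def mint_api_key(self, planted_in):
        # The key grants nothing; its only job is to be noticed when used.
        key = "hk_" + secrets.token_hex(16)  # hypothetical key format
        self.api_keys[key] = planted_in
        return key

    def register_honeyfile(self, path, planted_in):
        self.honeyfiles[path.lower()] = planted_in

# Constructed log layout: "<timestamp> <source> <EVENT> key=value key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<rest>.*)$")

def parse_fields(rest):
    """Turn 'a=1 b=2' into {'a': '1', 'b': '2'}; tokens without '=' are ignored."""
    return dict(token.split("=", 1) for token in rest.split() if "=" in token)

def scan_logs(registry, lines):
    """Return one alert per log line that touches a decoy, in log order."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than crash the scanner
        fields = parse_fields(match["rest"])
        # 1. Honeytoken: a decoy credential presented anywhere in the line.
        for key, planted_in in registry.api_keys.items():
            if key in line:
                alerts.append({"kind": "honeytoken", "ts": match["ts"], "src": match["src"],
                               "event": match["event"], "planted_in": planted_in})
        # 2. Honeyfile: the bait file being opened or copied.
        path = fields.get("path", "").lower()
        if match["event"] in ("FILE_READ", "FILE_COPY") and path in registry.honeyfiles:
            alerts.append({"kind": "honeyfile", "ts": match["ts"], "src": match["src"],
                           "event": match["event"], "user": fields.get("user", "?"),
                           "planted_in": registry.honeyfiles[path]})
    return alerts

def demo():
    """Constructed scenario: one decoy key in a config file, one bait file on a share."""
    registry = HoneytokenRegistry()
    key = registry.mint_api_key("settings.ini on the HR file share")
    registry.register_honeyfile(r"\\fileshare\HR\passwords.txt", "HR file share")
    lines = [  # constructed sample log lines
        "2024-05-01T09:58:12Z 10.0.0.5 LOGIN user=jsmith result=ok",
        r"2024-05-01T10:01:44Z 10.0.0.5 FILE_READ path=\\fileshare\HR\passwords.txt user=jsmith",
        r"2024-05-01T10:02:03Z 10.0.0.5 FILE_READ path=\\fileshare\HR\holidays.xlsx user=jsmith",
        "2024-05-01T13:27:55Z 203.0.113.7 API_CALL key=%s path=/v1/users" % key,
        "corrupt",
    ]
    return scan_logs(registry, lines)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Because the registry records where each decoy was planted, a single hit on a key that was only ever stored in one file tells you which file was read, even if the key is later used from an address you have never seen.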
Honeynets:
- A number of virtualized honeypots; a real network includes more than a single device
- Usually consists of servers, workstations, routers, switches, firewalls
- Builds a larger deception network with one or more honeypots
- Learn more on making honeypots/honeynets and stopping spammers

Honeyfiles:
- Files with fake information, or files that appear to be very important or contain sensitive information; attracts the attacker with more honey
- Something bright and shiny; bait for the honeynet (password.txt)
- Add many honeyfiles to a file share; an alert is sent if a file is accessed; a virtual bear trap

Honeytokens:
- Traceable data added to the honeynet; if it is copied or stolen, you know exactly where the information came from and where it was sent
- API credentials that do not actually provide access; notifications are sent when they are used
- Fake email addresses: add one to a contact list, then monitor the internet to see who posts it
- Many other examples: database records, browser cookies, pixels on a web page

**Change Management**

Any change made in a corporate or large organization can affect hundreds or even thousands of people.
- Typical changes: upgrade software, patch an application, change a firewall configuration, modify switch ports
- One of the most common risks in the enterprise; occurs frequently; often overlooked or ignored ("Did you feel that bite?")
- Have clear policies: frequency, duration, installation process, rollback procedures
- Sometimes extremely difficult to implement when there is no plan for it; it's hard to change corporate culture

Change approval process: a formal process for managing change, to avoid downtime, confusion, and mistakes. A typical approval process:
- Complete the request forms
- Determine the purpose of the change
- Identify the scope of the change
- Schedule a date and time for the change
- Determine which systems are affected and the impact
- Analyze the risk associated with the change
- Get approval from the change control board
- Get end-user acceptance after the change is complete (feedback)

Ownership: a change usually starts when the owner of the application or data wants to make a change to it.
- An individual or entity needs to make a change; they own the process
- They don't usually perform the actual change; the owner manages the process, receives process updates, and ensures the process is followed and acceptable
- Example: address label printers need to be upgraded; the shipping and receiving department owns the process; IT handles the actual change

Stakeholders: whoever is impacted by the change you're implementing.
- They'll want to have input on the change management process
- This may not be as obvious as you think; a single change can affect one individual or the entire company
- Example: upgrading the software used for shipping labels affects shipping/receiving, accounting reports, product delivery timeframes, and revenue recognition (CEO visibility)

Impact analysis:
- Determine a risk value: high, medium, low
- The risk can be minor or far-reaching: the "fix" doesn't actually fix anything; the fix breaks something else; operating system failure; data corruption
- Also consider the risk of NOT making the change: security vulnerability, application unavailability, unexpected downtime of other services

Test results (obtained before implementing the change for real):
- Sandbox testing environment: no connection to the real world or production systems; a technological safe space
- Use it before making a change to production: try the upgrade, apply the patch; test and confirm before deployment
- Confirm the backout plan: move everything back to the original state from before the change
- A sandbox can't consider every possibility

Backout plan:
- The change will work perfectly and nothing will ever go bad (of course it will)
- You should always have a way to revert your changes; prepare for the worst, hope for the best
- This isn't as easy as it sounds; some changes are difficult to revert. In some cases it is as easy as uninstalling the patch and confirming the original files are back; others are much harder
- Always have a backup; always have a good backup

Maintenance window:
- When is the change happening?
- This might be the most difficult part of the process; it has to be planned and considered
- You wouldn't want to make a change during workday hours; potential downtime would affect a large part of production
- Overnights are often a better choice, but challenging for 24-hour production schedules
- The time of year may be a consideration; retail networks are frozen during the holiday season

Standard operating procedures:
- Change management is critical; it affects everyone in the organization
- The process must be well documented and available on the intranet, along with all standard processes and procedures
- Changes to the process are reflected in the standards; a living document

**Technical Change Management**

Where the change is actually implemented:
- Puts the change management process into action; execute the plan
- There's no such thing as a simple upgrade; there can be many moving parts, and separate events may be required
- Change management is often concerned with "what" needs to change; the technical team is concerned with "how" to change it

Allow list / deny list:
- Any application can be dangerous: vulnerabilities, Trojan horses, malware
- Security policy can control app execution: allow list, deny/block list
- Allow list: nothing runs unless it's approved; very restrictive
- Deny list: nothing on the "bad list" can be executed; the antivirus and anti-malware model

Restricted activities:
- The scope of a change is important; it defines exactly which components are covered
- A change isn't permission to make any change; limited to the changes in the process plan; the change control approval is very specific
- The scope may need to be expanded during the change window; it is impossible to prepare for all possible outcomes; the change management process determines the next steps, and there are processes in place to make the change successful

Downtime:
- Services will eventually be unavailable; the change process can be disruptive
- Usually scheduled during non-production hours
- If possible, prevent any downtime: switch to the secondary system, upgrade the primary, then switch back
- Minimize any downtime events; the process should be as automated as possible; switch back to the secondary if issues appear (this should be part of the backout plan); send email and calendar updates

Restarts:
- It's common to require a restart to implement the new configuration: reboot the OS, power cycle the switch, bounce the service
- Can the system recover from a power outage?
- Services: stop and restart the service or daemon; may take seconds or minutes
- Applications: close the application completely, then launch a new application instance

Legacy applications:
- Some applications were here before you arrived, and they'll be here when you leave
- Often no longer supported by the developer; you're now the support team
- Fear of the unknown: face your fears and document the system; it may not be as bad as you think
- May be quirky; create specific processes and procedures; become the expert

Dependencies:
- To complete A, you must complete B
- A service will not start without other active services; an application requires a specific library version
- Modifying one component may require changing or restarting other components; this can be challenging to manage
- Dependencies may occur across systems: upgrade the firewall code first, then upgrade the firewall management software

Documentation:
- It can be challenging to keep up with changes; documentation can become outdated very quickly
- Required as part of the change management process: updating diagrams, modifications to network configurations, address updates, updating policies/procedures
- Adding new systems may require new procedures

Version control:
- Track changes to a file or configuration file; easily revert to a previous setting
- Many opportunities to manage versions: router configurations, Windows OS patches, application registry entries
- Not always straightforward: some devices and operating systems provide version control features; others may require additional management software

**Section 1.4 Public Key Infrastructure (PKI)**

- The policies, procedures, hardware, and software responsible for creating, distributing, managing, storing, revoking, and otherwise handling digital certificates
- This takes a lot of planning; it is a big endeavor
- Also refers to the binding of public keys to people or devices, done by the certificate authority; it's all about trust

Symmetric encryption:
- Decryption uses the same key that was used to encrypt the information; if the key gets out, you'll need another key. (Think of the movies where a courier handcuffs himself to a briefcase of money: the same key that locks it unlocks it.)
- Secret key algorithm; a shared secret
- Doesn't scale very well; can be challenging to distribute to multiple people
- Very fast to use; less overhead than asymmetric encryption
- Often combined with asymmetric encryption

Asymmetric encryption:
- Two or more mathematically related keys are used to encrypt and decrypt
- Once you have the two keys, one is designated the private key and the other the public key
- Private key - keep this private - No one can see this - The key that is used to decrypt data that is encrypted with the public key - Public key- anyone can see this and can be given away Examples of Asymmetric encryption: PGP and GPG The Key Pair - Asymmetric encryption - Public key cryptography - Key generation - Builds both the public and private key at the same time - Lots of randomizations - Large prime numbers - Lots and lots of math/cryptogtaphy - Everyone can have the public key - Alice keep their private key private Scenario: Bobs laptop- sends message "Hello Alice"/ Alice Public key- Ciphertext "wvbkawdvwahgvsakhg" (No one can decrypt the cipher text as it cannot be reversed engineered).. as the cipher text is created, it can now be sent to Alice... Alice then sees that it is encrypted data and uses her private key to decrypt the cipher text which results in plain text that was originally created. Key escrow - Someone else holds your decryption keys - Your private keys are in the hands of a 3rd party - This may be within your own organization - This can be legitimate business arrangement - A business might need access to employee information - Government agencies may need to decrypt partner data - Handing your private key off to someone else to be able to manage the process may seem a little controversial. - Of course - It may be required to upkeep and maintain organizations data Encrypting stored data - If you need to protect data on storage devices such as SSD, hard drives, USB drive, cloud storage, etc. you will need to work on encrypting when data is at rest - This can include more than files, full disk and partition/volume level encryption can also be stored - BitLocker, FileVault, etc may be used - File encryption - EFS (Encrypting File System, which is a third party utility) To encrypt with Windows, you will: 1. Go to the properties of the file or folder 2. Click Advanced Attributes 3. 
Select "Encrypt contents to secure data" to enable EFS

Database encryption
- Protects stored data and the transmission of that data
- Transparent encryption: encrypt all database information with a symmetric key
- Record-level (column-level) encryption: encrypt individual columns, so some columns are encrypted while others stay plaintext
  - Use a separate symmetric key for each column

Transport encryption
- Protects data traversing the network; you're probably doing this now
- Encryption in the application: browsers communicate over HTTPS, so everything crossing the network is encrypted
- VPN (Virtual Private Network): creates an encrypted tunnel
  - Encrypts all data transmitted over the network, regardless of the application
  - Client-based VPN using SSL/TLS
  - Site-to-site VPN using IPsec

Encryption algorithms
- There are many, many different ways to encrypt data
- The proper "formula" must be used during both encryption and decryption
- Both sides agree on the algorithm before encrypting the data
- The details are often hidden from the end user
- Each algorithm has advantages and disadvantages: security level, speed, complexity of implementation, etc.
- DES (Data Encryption Standard) and AES (Advanced Encryption Standard) are different algorithms with different internal steps
  - They cannot be mixed: data encrypted with one cannot be decrypted with the other, so both sides must use the same algorithm
  - DES uses a 56-bit key and is obsolete; AES is the current standard

Cryptographic keys
- Very little about the cryptographic process is unknown
  - The algorithm is usually a known entity; the only thing you don't know is the key
- The key determines the output: encrypted data, hash value, digital signature
- Keep your key private; it's the only thing protecting your data

Key length
- Larger keys tend to be more secure
  - Prevents brute-force attacks, where the attacker tries every possible key combination
- Symmetric encryption: 128-bit or larger symmetric keys are common, and these numbers get larger as time goes on
- Asymmetric encryption: based on complex calculations with large prime numbers, so the keys are much longer than symmetric keys; 3072 bits or larger is common

Key stretching
- A weak key is a weak key; by itself it's not very secure
- Make a weak key stronger by running it through multiple processes
  - Hash the password, hash the hash of the password, and keep going for thousands of rounds
- A brute-force attack has to repeat all of those rounds for every guess
  - The attacker has to spend much more time, even though the key is small

Key exchange: a logistical challenge
- How do you share an encryption key across an insecure medium without physically transferring the key?
- Out-of-band exchange (not using the network)
  - Don't send the symmetric key over the 'net: telephone, courier, in person, etc.
- In-band exchange (over the network)
  - Protect the key with additional encryption
  - Use asymmetric encryption to deliver the symmetric key

Real-time encryption/decryption
- There's a need for fast security without compromising the security
- Share a symmetric session key using asymmetric encryption
  - The client encrypts a random symmetric key with the server's public key
  - The server decrypts it with its private key and uses it to encrypt the session's data; this is the session key
- Implement session keys carefully
  - They need to be changed often (ephemeral, temporary keys)
  - They need to be unpredictable

Symmetric key from asymmetric keys
- Use public and private key cryptography to create a symmetric key (the Diffie-Hellman approach); math is powerful
- Example: Bob combines his private key with Alice's public key to get a symmetric key; Alice combines her private key with Bob's public key and gets the same symmetric key
  - Both sides arrive at one shared key without ever sending that key over the network; this is key exchange

Encryption Technologies
Trusted Platform Module (TPM)
- Cryptographic hardware on a device, typically on the motherboard
- A specification for cryptographic functions
  - Cryptographic processor: random number generator, key generator
  - Persistent memory: unique keys burned in during manufacturing
  - Versatile memory: storage keys, hardware configuration information
  - Securely stores BitLocker keys
- Password protected, and resists dictionary attacks by locking out after repeated failures

Hardware Security Module (HSM)
- Used in large environments: clusters, redundant power
- Securely stores thousands of cryptographic keys
- High-end cryptographic hardware: a plug-in card or a separate hardware device
- Key backup: secure storage in hardware
- Cryptographic acceleration: offloads CPU overhead from other devices

Key management system
- Services are everywhere: on-premises, cloud-based
- Many different keys for many different services
- Manage all keys from one centralized manager; often provided as third-party software
- Separates the encryption keys from the data
- All key management from one console
- Create keys for a specific service or cloud provider (SSL/TLS, SSH, etc.)
- Associate keys with specific users
- Rotate keys on regular intervals
- Log key use and important events
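The "symmetric key from asymmetric keys" exchange above, carried through in code. This is an added example written for these notes, not code from the course or from any product the notes mention. It uses the Diffie-Hellman construction with toy parameters (the prime P and generator G below are chosen for illustration only; real deployments use the named groups from RFC 7919 or elliptic-curve DH) and turns the shared number into a usable session key with HKDF, so only the public values ever cross the network:

```python
import hashlib
import hmac
import secrets

# Toy group parameters for illustration only (assumption, not a standard group):
# P is the Mersenne prime 2**127 - 1 and G is a small generator.
P = (1 << 127) - 1
G = 5


def generate_keypair():
    """Return (private, public): private is random, public = G^private mod P."""
    private = secrets.randbelow(P - 2) + 1      # 1 <= private <= P-2, never leaves this host
    public = pow(G, private, P)                  # safe to send in the clear
    return private, public


def shared_secret(my_private, their_public):
    """Combine my private key with the other side's public key."""
    return pow(their_public, my_private, P)


def derive_session_key(secret, salt=b"", info=b"session key", length=32):
    """HKDF (RFC 5869) with SHA-256: turn the raw DH number into a symmetric key."""
    ikm = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()   # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                             # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def run_exchange():
    """One full exchange. An eavesdropper sees alice_pub and bob_pub only."""
    alice_priv, alice_pub = generate_keypair()
    bob_priv, bob_pub = generate_keypair()
    alice_key = derive_session_key(shared_secret(alice_priv, bob_pub))   # Alice: her private + Bob's public
    bob_key = derive_session_key(shared_secret(bob_priv, alice_pub))     # Bob: his private + Alice's public
    return alice_key, bob_key


if __name__ == "__main__":
    a, b = run_exchange()
    print("Alice's session key:", a.hex())
    print("Bob's session key:  ", b.hex())
    print("same key on both sides:", a == b)
```

Each call to `run_exchange()` produces a fresh key, which is exactly the ephemeral session key the notes call for; the attacker who records the two public values cannot reproduce `shared_secret` without one of the private exponents.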
Keeping data private
- Our data is located in many different places: mobile phones, cloud, laptops, etc.
- The most private data is often physically closest to us
- Attackers are always finding new techniques; it's a constant race to stay one step ahead
- Our data is changing constantly; how do we keep it protected?
- Secure Enclave
  - A protected area for our secrets, often implemented as a separate hardware processor isolated from the main processor
  - Many different technologies and names
  - Provides extensive security features: its own boot ROM, monitors the system boot process, a true random number generator, real-time memory encryption, root cryptographic keys, AES encryption performed in hardware, and more

Obfuscation
- The process of making something unclear or difficult to understand, but not impossible; if you know the method, you can read it
- Hide information in plain sight
  - Store payment information without storing the credit card number (tokenization)
  - Hide information inside an image (steganography)

Steganography
- Greek for "concealed writing"
- Hide data in an image; this is security through obscurity, since anyone who knows how the data was hidden can recover it the same way
- The message is invisible, but it's really there
- The cover text: the container document or file

Common steganography techniques
- Network based: embed the message in TCP packets, sent a few bits at a time
- Use an image: embed the message in the image data itself
- Invisible watermarks: the yellow dots printed by many color laser printers

Other steganography types
- Audio steganography: modify the digital audio file to interlace a secret message within it, similar to image steganography
- Video steganography: a sequence of images, so image steganography on a larger scale; manage the signal-to-noise ratio, and potentially transfer much more information
Tokenization
- Replace sensitive data with a non-sensitive placeholder
  - SSN 266-12-1112 becomes 691-61-8539
- Common with credit card processing: a temporary (one-time) token is used during payment
  - An attacker capturing the token can't use it later
- This isn't encryption or hashing: the original data and the token aren't mathematically related

Steps of tokenization (mobile payment)
1. The user registers a credit card number on their mobile phone: 4111 1111 1111 1234
2. The card is registered with the token service server
3. The token service returns a token instead: 4545 9999 9999 5678
4. At the store, the phone uses NFC (Near Field Communication) to pass the token to the payment system during checkout
5. The payment is made with the token 4545 9999 9999 5678 created by the remote token service server, not with the card number
6. The merchant's payment processing server sends the token on to be validated
7. The token service maps 4545 9999 9999 5678 back to 4111 1111 1111 1234 and confirms the proper funds or credit
8. The token is validated and the transaction is approved
9. The token is then thrown away; the phone readies the next token in its list, or requests a new token from the token service server for the next purchase

Data masking
- Data obfuscation: hide some of the original data and show only a portion
- Protects PII and other sensitive data
- May only be hidden from view; the data may still be intact in storage
- Control the view based on permissions
- Many different techniques: substituting, shuffling, encrypting, masking out, etc.
- Not always asterisks
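The tokenization and data masking ideas above, as an added example written for these notes (not course code, and not any payment provider's implementation). The token vault below is an in-memory stand-in for the token service server; the card number used is the well-known 4111 1111 1111 1111 test number, and the Luhn check is applied to tokens only so that a token has the same shape as a real card number:

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit test used for card number formats."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def random_pan_like(length: int) -> str:
    """Random digits plus a valid Luhn check digit: looks like a card number, reveals nothing."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(length - 1))
    for check in range(10):
        if luhn_valid(body + str(check)):
            return body + str(check)


class TokenVault:
    """Stand-in for the token service: the only place the token-to-card mapping exists."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        while True:
            token = random_pan_like(len(pan))        # not derived from the PAN in any way
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def redeem(self, token: str) -> str:
        """One-time use: return the real card number and invalidate the token (KeyError if unknown or spent)."""
        return self._token_to_pan.pop(token)

    def is_spent(self, token: str) -> bool:
        return token not in self._token_to_pan


def mask_pan(pan: str, visible: int = 4, fill: str = "*") -> str:
    """Data masking for display only: the stored value is untouched, the viewer sees the last digits."""
    pan = pan.replace(" ", "")
    return fill * (len(pan) - visible) + pan[-visible:]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")       # step 3: phone gets a token
    print("merchant sees:", token, "masked card:", mask_pan("4111 1111 1111 1111"))
    print("processor redeems:", vault.redeem(token))   # steps 6-8: token service maps it back
    print("token spent:", vault.is_spent(token))       # step 9: a replayed token is useless
```

Because the token comes from a random generator rather than from the card number, an attacker who captures it learns nothing about the PAN, and because `redeem` removes it, replaying a captured token fails.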
Hashing and Digital Signatures
Hashes
- Represent data as a short string of text: a message digest, a fingerprint
- A one-way trip: it's impossible to recover the original message from the digest
  - Hashing is not encryption; you can't recreate the input from its hash, just as you can't recreate a person from their fingerprint
- Used to store passwords (confidentiality)
- Verify that a downloaded document is the same as the original (integrity)
- Used in digital signatures: authentication, non-repudiation, and integrity

A hash example: SHA-256
- Produces 256 bits of output, shown as 64 hexadecimal characters
- "My name is Joelle Gaines." SHA-256 hash: 986793df764e0eac48d37bf78a5942f43f8c9dba865fa0761208fa8dbb5329ca
- "My name is Joelle Gaines!" SHA-256 hash: 7e21e35c2f0f98a9ba22927dd156991d996c7900e6bec4d0881582be0b4dc1ff
- One minor change to the input changes the hash completely

Collision
- Hash functions take an input of any size and create a fixed-size string (message digest, checksum)
- The hash should be unique: different inputs should never create the same hash
  - If they do, it's a collision
  - The hashes of two different inputs should be completely different, not just slightly different
- MD5 has a collision problem: weaknesses were found in 1996 and practical collisions have been demonstrated since
  - Don't use MD5 for anything
(image: media/image2.png)

Practical hashing
- Verify a downloaded file: hashes may be provided on the download site; compare the hash of the downloaded file with the posted hash value
- Password storage: instead of storing the password, store a salted hash, so nobody (not even the server) knows the actual password
  - Compare hashes during the authentication process

Adding some salt
- Salt: random data added to a password before hashing
- Every user gets their own random salt; the salt is commonly stored with the hash
- Rainbow tables won't work against salted hashes
- The additional random value slows down the brute-force process, but it doesn't completely stop it

Salting the hash
- Each user gets a different random salt
- The same password creates a different hash for each user
- Example of salting: password = dragon
(image: media/image4.png)
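The hashing, salting and key-stretching points above (and the key stretching section earlier in these notes) in one runnable example. This is added code written for these notes, not course material. It uses the standard library's PBKDF2-HMAC-SHA256 as the stretching function; the 100,000 iteration count is an assumption chosen for illustration (production values are tuned to the hardware):

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 bits differ between two SHA-256 digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(content: bytes, posted_sha256: str) -> bool:
    """Integrity check: compare the file's hash with the value posted on the download site."""
    return hmac.compare_digest(sha256_hex(content), posted_sha256.lower())


# Password storage: a per-user random salt plus key stretching (many PBKDF2 rounds).
ITERATIONS = 100_000   # assumption for this example; tune to your hardware


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    salt = salt or os.urandom(16)                         # new random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Everything the verifier needs is stored next to the hash; none of it is secret.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same salt and iteration count, then compare digests; the password itself is never stored."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def plain_sha256_password(password: str) -> str:
    """What NOT to do: unsalted, unstretched; every user with this password gets the same hash,
    which is exactly what a rainbow table is built to look up."""
    return sha256_hex(password.encode())


if __name__ == "__main__":
    a = sha256_hex(b"My name is Joelle Gaines.")
    b = sha256_hex(b"My name is Joelle Gaines!")
    print("bits changed by one character:", differing_bits(a, b), "of 256")
    print("two users, same password, different hashes:")
    print(" ", hash_password("dragon"))
    print(" ", hash_password("dragon"))
```

Each guess an attacker makes against a stored value must repeat the full iteration count, which is where key stretching buys its time; the random salt is what stops one precomputed table from serving every user at once.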
Digital signatures
- Proves the message was not changed (integrity)
- Proves the source of the message (authentication)
- Makes sure the signature isn't fake (non-repudiation)
- Sign with the private key; the message itself doesn't need to be encrypted
  - Nobody else can create this signature, since only the signer holds the private key
- Verify with the public key; any change in the message will invalidate the signature

Creating a digital signature (scenario)
- Alice's computer holds the plaintext "You're hired, Bob"
- She presses the button to sign; behind the scenes the plaintext goes through a hashing algorithm, producing a hash such as "jakuhuhauibuaysgvd"
- That hash is then encrypted with Alice's private key; the encrypted hash is the digital signature
- What gets sent: the plaintext plus the digital signature

Verifying a digital signature
- Bob's laptop receives the plaintext and the digital signature
- It decrypts the digital signature with Alice's public key, recovering the hash Alice computed
- Separately, it runs the received plaintext through the same hashing algorithm to get its own hash
- If the two hashes match, the message is unchanged and it really came from Alice

Blockchain Technology
Blockchain
- A distributed ledger that keeps track of transactions
- Everyone on the blockchain network maintains the ledger; records are replicated to anyone and everyone
- Many practical applications: payment processing, digital identification, supply chain monitoring, digital voting

The blockchain process
- A transaction is requested
  - The transaction could be any digital transaction: transferring Bitcoin, a medical record, data backups, house title information, etc.
1. The transaction is sent to every computer (node) in a decentralized network to be verified
   - Every individual device in the blockchain that keeps a copy of the ledger also gets a copy of the transaction
2. The verified transaction is added to a new block of data containing other recently verified transactions
3. A secure code (hash) is calculated from the previous block of transaction data in the blockchain
4. The hash is added to the new block of verified transactions
5. A copy of this block is sent to everyone; the block is added to the end of the blockchain, and all nodes in the network update their copy
6. The transaction is complete
- If any block is altered, its hash and all following hashes in the chain change
- The altered chain no longer matches the chains stored by the rest of the network, and is rejected

Certificates
Digital certificates
- A public key certificate binds a public key to a digital signature and other details about the key holder
- The digital signature adds trust
  - PKI uses Certificate Authorities for that additional trust: if the CA trusts it, we trust it
  - Web of Trust relies on other users for that additional trust instead
- Certificate creation can be built into the OS (part of Windows Active Directory Certificate Services); many third-party options as well

What's in a digital certificate?
- X.509: the standard format that everyone can read (an X.509 certificate)
- Certificate details: serial number, version, signature algorithm, issuer, name of the certificate holder, public key, extensions, and more

Root of trust
- Everything associated with IT security requires trust; it's a foundational characteristic
- How do you build trust from something unknown? Someone or something trustworthy provides their approval
- Refer to the root of trust: an inherently trusted component
  - Hardware, software, firmware, or another component: a hardware security module (HSM), Secure Enclave, Certificate Authority, etc.
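The blockchain process described above (steps 3 to 5 and the "if any block is altered" rule), as an added example written for these notes rather than code from the course or from any real blockchain. Blocks are plain dicts and the ledger entries are constructed sample data; there is no network, proof of work, or consensus here, only the hash linking that makes tampering detectable:

```python
import hashlib
import json


def block_hash(block: dict) -> str:
    """Hash of everything in the block except its own hash field (step 3)."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(index: int, transactions: list, previous_hash: str) -> dict:
    """A new block carries the previous block's hash (step 4) and its own hash."""
    block = {"index": index, "transactions": transactions, "previous_hash": previous_hash}
    block["hash"] = block_hash(block)
    return block


def build_chain(batches):
    """Genesis block first; each later block is linked to the one before it (step 5)."""
    chain = [make_block(0, [], "0" * 64)]
    for txs in batches:
        chain.append(make_block(len(chain), txs, chain[-1]["hash"]))
    return chain


def validate_chain(chain):
    """What every node does with a copy it receives. Returns (ok, index of the first bad block or None)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i                       # contents no longer match the stored hash
        if i > 0 and block["previous_hash"] != chain[i - 1]["hash"]:
            return False, i                       # the link back to the previous block is broken
    return True, None


def tamper_and_check(chain, index, new_transactions):
    """Alter one block and even recompute its hash honestly; the next block's link still exposes it."""
    forged = [dict(b) for b in chain]
    forged[index] = dict(forged[index], transactions=new_transactions)
    forged[index]["hash"] = block_hash(forged[index])
    return validate_chain(forged)


# Constructed ledger entries for the example.
BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]

if __name__ == "__main__":
    chain = build_chain(BATCHES)
    print("valid chain:", validate_chain(chain))
    print("after rewriting block 1:", tamper_and_check(chain, 1, [{"from": "bob", "to": "mallory", "amount": 2}]))
```

Note what the check does and does not catch: rewriting a block in the middle breaks the link held by the block after it, but rewriting the very last block (with a recomputed hash) passes `validate_chain`; it is the comparison against the copies held by the rest of the network, not the hashes alone, that rejects that case.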
Certificate Authorities
- You connect to a random website; do you trust it?
- You need a good way to trust an unknown entity: use a trusted third party, an authority
- The Certificate Authority (CA) has digitally signed the website's certificate
  - You trust the CA, therefore you trust the website
- Real-time verification

Third-party certificate authorities
- Built into your browser, any browser
- Purchase your website certificate from one and it will be trusted by everyone's browser
- The CA is responsible for vetting the request: it confirms the certificate owner, and may require additional verification information

Creating signing requests
- Create a key pair, then send the public key to the CA to be signed: a certificate signing request (CSR)
- The CA validates the request: confirms DNS records, email, and website ownership
- The CA digitally signs the certificate and returns it to the applicant

Private certificate authorities
- You are your own CA; build it in-house, and your devices must trust the internal CA
- Needed for medium to large organizations with many web servers and privacy requirements
- Implement as part of your overall computing strategy
- Windows Certificate Services, OpenCA

Self-signed certificates
- Internal certificates don't need to be signed by a public CA; your company is the only one that will use them
- No need to purchase trust for devices that already trust you
- Build your own CA and issue your own certificates, signed by your own CA
- Install the CA certificate (the trusted chain) on all devices; they'll now trust any certificate signed by your internal CA
- Works exactly like a certificate you purchased

Wildcard certificates
- Subject Alternative Name (SAN): an extension to an X.509 certificate that lists additional identification information, allowing one certificate to support many different domain names
- Wildcard domain: a SAN entry with an asterisk, such as *.example.com, that matches any device sharing that fully qualified domain
- Certificates are based on the name of the server
- A wildcard applies to all server names in that domain
Key revocation
- Certificate Revocation List (CRL): a list of certificates that have been revoked
  - Maintained by the Certificate Authority (CA)
  - Can contain many revocations in one large file
  - Many different reasons; it changes all the time
- April 2014: CVE-2014-0160, Heartbleed
  - An OpenSSL flaw put the private keys of affected web servers at risk
  - OpenSSL was patched, and every affected web server certificate was replaced
  - The older certificates were moved to the CRL
- The CRL location is listed in the certificate under "CRL Distribution Points"; check it to see whether a certificate has been revoked

Getting revocation details to the browser
- OCSP (Online Certificate Status Protocol): the browser can check certificate revocation status
  - Messages are usually sent to an OCSP responder via HTTP; easy to support over Internet links
  - More efficient than downloading a CRL
- Not all browsers and apps support OCSP
  - Early Internet Explorer versions did not support it
  - Some support OCSP but don't bother checking

OCSP stapling
- Provides scalability for OCSP checks
- Normally the CA is responsible for responding to all client OCSP requests, which may not scale well
- To make it more efficient, have the certificate holder verify its own status
  - The status information is stored on the certificate holder's server
  - The OCSP status is "stapled" into the SSL/TLS handshake
  - It is digitally signed by the CA, so the client can still trust it

**Threat Actors**
- An entity responsible for an event that has an impact on the safety of another entity
- Also known as a malicious actor
- Threat actor attributes describe the characteristics of the attacker
  - Useful to categorize the motivation: why is this attack happening? Is this directed or random?
Attributes of threat actors
- Internal/external
  - The attacker is already inside the house, or outside and trying to get in
- Resources/funding
  - No money (limited resources), or extensive funding
- Level of sophistication/capability
  - Blindly runs scripts or automated vulnerability scans, or can write their own attack malware and scripts

Motivation of threat actors
- What makes them tick? There's a purpose to the attack
- Motivations include: data exfiltration, espionage (spying), service disruption, blackmail, financial gain, philosophical/political beliefs, ethical, revenge, disruption/chaos, war

Nation states
- External entity: government and national security
- Many possible motivations: data exfiltration, philosophical, revenge, disruption, war
- Constant attacks, massive resources
- Commonly an Advanced Persistent Threat (APT); the highest sophistication
- Targets such as military control, utilities, financial control
- Example: the Stuxnet worm, widely attributed to the United States and Israel, destroyed about 1,000 Iranian nuclear centrifuges

Unskilled attackers
- Run pre-made scripts without any knowledge of what's really happening; anyone can do this
- Motivated by the hunt: disruption, data exfiltration, sometimes philosophical
- Can be internal or external, but usually external
- Not very sophisticated
- Limited resources, if any; no formal funding
- Looking for low-hanging fruit

Hacktivists
- A hacker with a purpose
- Motivated by philosophy, revenge, disruption, etc.
- Often an external entity, but could possibly infiltrate and also become an insider threat
- Can be remarkably sophisticated: very specific hacks such as DoS, website defacing, private document release
- Funding may be limited, though some organizations have fundraising options

Insider threat
- More than someone who just takes your password from a sticky note
- Motivated by revenge or financial gain
- Extensive resources: uses the organization's resources against itself
- An internal entity, eating away from the inside
- Medium level of sophistication, but the insider has institutional knowledge
  - Attacks can be directed at vulnerable systems; the insider knows what to hit

Organized crime
- Professional criminals, motivated by money
- Almost always an external entity
- Very sophisticated: the best hacking money can buy
- Crime that's organized: one person hacks, one manages the exploits, another sells the data, another handles customer support (structured like a legitimate company)
- Lots of capital to fund hacking efforts

Shadow IT
- Going rogue: working around the rules put in place by the internal IT organization
- Builds their own infrastructure; IT can put up roadblocks, but shadow IT is unencumbered
- Uses the cloud, and might also be able to innovate
- Limited resources: the company budget
- Medium sophistication; may not have IT training or knowledge

**2.2 Common Threat Vectors**
Threat vector
- A method used by the attacker to gain access to or infect the target; also called an "attack vector"
- A lot of work goes into finding vulnerabilities in these vectors; some are more vulnerable than others
- IT security professionals spend their careers watching these vectors: protecting existing vectors and finding new ones

Message-based vectors
- One of the biggest (and most successful) threat vectors; everyone has at least one of these messaging systems
- Email: malicious links in an email, pointing to a malicious site
- SMS (Short Message Service): attacks in a text message
- Phishing attacks
  - People want to click links: links in an email, links sent via text or IM
  - Delivers the malware to the user, often attached to the email
  - Scan all attachments; never launch untrusted links
- Social engineering attacks: invoice scams, cryptocurrency scams

Image-based vectors
- A text-based threat is easy to identify; a threat in an image is more difficult to spot
- Some image formats can be threats
  - The Scalable Vector Graphics (SVG) format describes the image in XML (Extensible Markup Language)
  - Significant security concerns: HTML injection, JavaScript attack code
  - Browsers must validate the input to avoid running malicious code

File-based vectors
- More than just executables; malicious code can hide in many places
- Adobe PDF: a file format containing other objects
- ZIP/RAR files (or any compression type): contain many different files
- Microsoft Office: documents with macros, add-in files

Voice call vectors
- Vishing (voice phishing): phishing over the phone
- Spam over IP: large-scale phone calls
- War dialing: it still happens
- Call tampering: disrupting voice calls

Removable device vectors
- Get around the firewall through the USB interface
- Malicious software on USB flash drives can infect air-gapped networks (industrial systems, high-security services)
- USB devices can act as keyboards: a hacker on a chip
- Data exfiltration: terabytes of data walk out the door with zero network bandwidth used

Vulnerable software vectors
- Client-based: an infected executable; known (or unknown) vulnerabilities; may require constant updates
- Agentless: no installed executable; compromised software on the server would affect all users, since the client runs a new instance each time

Unsupported system vectors
- Patching is an important prevention tool: ongoing security fixes
- Unsupported systems aren't patched, and there may not be an option
- Outdated operating systems: eventually, even the manufacturer won't help
- A single system could be an entry point
- Keep your inventory and records current

Unsecured network vectors
- The network connects everything: ease of access for the attacker, who can view all non-encrypted data
- Wireless: outdated security protocols (WEP, WPA, and WPA2, all superseded by WPA3); open or rogue wireless networks
- Wired: unsecured interfaces, no 802.1X port authentication
- Bluetooth: reconnaissance, implementation vulnerabilities

Open service ports
- Most network-based services connect over a TCP or UDP port
- Every open port is an opportunity for the attacker: an application vulnerability or a misconfiguration
- Every application has its own open ports; more services expand the attack surface
- Firewall rules must allow traffic to each open port

Default credentials
- Most devices ship with a default username and password; change yours!
- The right credentials provide full control (administrator access)
- It's very easy to find the default password for your access point or router; you can check whether yours is listed at [www.routerpasswords.com](http://www.routerpasswords.com)

Supply chain vectors
- Tamper with the underlying infrastructure, or the manufacturing process
- Managed service providers (MSPs): access many different customer networks from one location
- Gain access to a network using a vendor: the 2013 Target credit card breach
- Suppliers: counterfeit networking equipment with installed backdoors, substandard performance and availability
  - 2020: fake Cisco Catalyst switches
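The "open service ports" point above, turned into the check a practitioner actually runs: enumerate what is listening and flag anything not on the approved list. This is an added example written for these notes, not course code. It is a plain TCP connect scan using only the standard library; to run offline it starts its own throwaway listener on 127.0.0.1 (an assumption so the demo has something to find) rather than scanning a real host:

```python
import socket


def scan_ports(host: str, ports, timeout: float = 0.3):
    """TCP connect scan: a completed handshake means a service is listening on that port."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:     # 0 means connected; anything else is closed/filtered
                open_ports.append(port)
    return open_ports


def open_demo_listener(host: str = "127.0.0.1"):
    """Start a throwaway listener on a free port (port 0 lets the OS pick) so the scan finds something."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port the OS considers free, then release it, to stand in for a closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def attack_surface_report(host: str, ports, approved):
    """Every open port is attack surface; anything not on the approved list needs a justification or a firewall rule."""
    found = scan_ports(host, ports)
    return {"open": found, "unexpected": [p for p in found if p not in approved]}


if __name__ == "__main__":
    srv, listening = open_demo_listener()
    try:
        print(attack_surface_report("127.0.0.1", [listening, free_port()], approved={}))
    finally:
        srv.close()
```

A connect scan shows up in the target's logs as ordinary connections, which makes it the right tool for auditing your own systems; on anything you don't own it is reconnaissance, and the firewall-rule bullet above is the control that shrinks what it can find.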
**Phishing**
- Social engineering with a touch of spoofing
- Often delivered by email, text, etc.
- Often remarkably well done; don't be fooled
- Check the URL: usually there's something not quite right (spelling, font, graphics)

Business email compromise
- We trust email sources, and the attackers take advantage of that trust
- Spoofed email addresses that aren't really the legitimate address
- Financial fraud: emails with "updated" bank information, modified wire transfer details
- The recipient clicks the links, and the attachments have malware

Tricks and misdirection
- How are they so successful? Digital sleight of hand; it fools the best of us
- Typosquatting: a type of URL hijacking that uses look-alike domain names
- Pretexting: lying to get information; the attacker is a character in a situation they create
  - "Hi, we're calling from Visa regarding an automated payment to your utility service"

Phishing with different bait
- Vishing (voice phishing) is done over the phone or voicemail
  - Caller ID spoofing is common
  - Fake security checks or bank updates
- Smishing (SMS phishing) is done by text message
  - Spoofing is a problem here as well
  - Forwards links or asks for personal information

**Impersonation**
Pretext
- Before the attack, the trap is set: there's an actor and a story
- "Hello sir, my name is Wendy and I'm from Microsoft Windows. This is an urgent check-up call for your computer, as we have found several problems with it."
- Voicemail: "This is an enforcement action executed by the US Treasury intending your serious attention."
- "Congratulations on your excellent payment history! You now qualify for 0% interest on all your credit card accounts."

Impersonation
- Attackers pretend to be someone they aren't: Halloween for fraudsters
- Use some of the details gathered during reconnaissance: "You can trust me, I'm with your help desk"
- Attack the victim as someone higher in rank: "Office of the Vice President for Scamming"
- Throw tons of technical details around: "Catastrophic feedback due to the depolarization of the differential magnetometer"
- Be a buddy: "How about those Cubs?"
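The "check the URL" and typosquatting points above as a small detector: given the domains you actually own, flag look-alikes in a link. This is an added example for these notes, not course code. The brand list, the homoglyph table and the sample domains are constructed for the example, and the `registrable_label` helper assumes a single-label public suffix such as .com (an assumption; domains under a two-label suffix like .co.uk need a public suffix list):

```python
# Common look-alike substitutions seen in phishing domains (constructed list for this example).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold look-alike characters so 'rnicrosoft' and 'paypa1' compare as the brand they imitate."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one-keystroke typos, dropped or doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(parts):
    """'login.paypa1.com' -> 'paypa1' (assumes a one-label public suffix)."""
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, brands, max_distance: int = 2):
    """Return the brand this domain impersonates, or None if it is the real thing or unrelated."""
    parts = domain.lower().strip(".").split(".")
    label = registrable_label(parts)
    for brand in brands:
        if label == brand:
            return None                       # the legitimate domain itself (or a real subdomain of it)
        if brand in parts[:-2]:
            return brand                      # brand name used as a subdomain of someone else's domain
        if normalize(label) == brand or edit_distance(normalize(label), brand) <= max_distance:
            return brand                      # homoglyph swap or a near-miss spelling
    return None


if __name__ == "__main__":
    brands = ["paypal", "microsoft", "google"]          # constructed list of domains we own
    for d in ["login.paypa1.com", "rnicrosoft.com", "paypal.com.evil.net", "paypal.com", "example.org"]:
        print("%-22s -> %s" % (d, lookalike_of(d, brands)))
```

Run over the links in an inbound mail, this is a cheap first filter; the same logic applied to newly registered domains is how defenders watch for look-alikes of their own brand before a campaign starts.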
Eliciting information
- Extracting information from the victim, who doesn't even realize it's happening: hacking the human
- Often seen with vishing (voice phishing); it can be easier to get this information over the phone
- These are well-documented psychological techniques; they can't just ask, "So, what's your password?"

Identity fraud
- Your identity can be used by others; keep your personal information safe!
- Credit card fraud: open an account in your name, or use your credit card information
- Bank fraud: the attacker gains access to your account or opens a new account
- Loan fraud: your information is used for a loan or lease
- Government benefit fraud: the attacker obtains benefits on your behalf

Protect against impersonation
- Never volunteer information ("My password is 12345")
- Don't disclose personal details; the bad guys are tricky
- Always verify before revealing information: call back, verify through third parties
- Verification should be encouraged, especially if your organization owns valuable information

**Watering Hole Attacks**
- What if your network was really secure?
  - You didn't even plug in that USB from the parking lot
  - You're not responding to phishing emails or opening email attachments
  - The attackers can't get in
- Have the mountain come to you: go where the mountain hangs out, the watering hole
  - This requires a bit of research
  - Poison the watering hole and wait for the victims to visit

Executing the watering hole attack
- Determine which websites the victim group uses
  - Educated guess: a local coffee or sandwich shop, industry-related sites
- Infect one of these third-party sites, through a site vulnerability or email attachments
- Infect all visitors, even though you're only looking for specific victims
- Now you're in!
Example of a watering hole attack
- Why banks? Because that's where the money is
- January 2017: the Polish Financial Supervision Authority, the National Banking and Stock Commission of Mexico, and a state-owned bank in Uruguay
- The watering hole was sufficiently poisoned: visiting the site would download malicious JavaScript files
  - But only to IP addresses matching banks and other financial institutions
- Did the attack work? We still don't know

Watching the watering hole (how to cope with watering hole attacks)
- Defense in depth: a layered defense; it's never one thing
- Firewall and IPS: stop the network traffic before things get bad
- Anti-virus/anti-malware signature updates
  - The Polish Financial Supervision Authority attack code was recognized and stopped by generic signatures in Symantec's antivirus software

**2.2 Other Social Engineering Attacks**
Misinformation/disinformation
- Disseminate factually incorrect information; creates confusion and division
- Influence campaigns: sway public opinion on political and social issues
  - Nation-state actors: divide, distract, and persuade
- Advertising is an option: buy a voice for your opinion
- Enabled through social media: creating, sharing, liking, amplifying

Misinformation process
1. Create fake users
2. Create content
3. Post on social media
4. Amplify the message
5. Real users share the message once the algorithm surfaces it
6. Mass media picks up the story

Brand impersonation
- Pretend to be a well-known brand: Coca-Cola, McDonald's, Apple, etc.
- Creates tens of thousands of impersonated sites
- Get into the Google index, click an ad, get a WhatsApp message
- Visitors are presented with a pop-up: "You won! Special offer! Download the video!"
- Malware infection is almost guaranteed: display ads, site tracking, data exfiltration

**2.3 Memory Injection**
Finding malware
- Malware runs in memory, so memory forensics can find the malicious code
- Memory contains the running processes, including DLLs (Dynamic Link Libraries), threads, buffers, memory management functions, and more

Malware is hidden somewhere
- Malware may run as its own process, or inject itself into an existing legitimate process
  - Adds code into the memory of the existing process, hiding the malware inside that process
  - Gets access to the data in that process, with the same rights and permissions the process has
  - Can be used to perform privilege escalation

DLL injection
- Dynamic Link Library: a Windows library containing code and data that many applications can use
- The attacker first has to find a way to place the malicious DLL in storage that the target system can access
- The DLL then runs as part of the target process
- One of the most popular memory injection methods; relatively easy to implement
1. The attacker puts the malicious DLL on a path on the storage drive
2. The attacker causes the target process to be given the path to that library
3. When the process executes, it goes back to reference that DLL
4. It goes out to disk and pulls in the malicious DLL
5. The malicious DLL is now loaded into memory, running inside the target process

**Buffer Overflows**
- Overwriting a buffer of memory so that it spills over into other memory areas
- Developers need to perform bounds checking
- Attackers spend a lot of time looking for openings; it's not a simple exploit
  - It takes time to avoid crashing things, and to make it do what you want
- A really useful buffer overflow is repeatable, and then the system can be compromised
(image: media/image6.png)
- In the diagram, variable A is an 8-byte buffer, and variable B, stored in memory right after it, is 2 bytes long and already holds a value
- Variable B determines the user's rights and permissions
If its value is under 2000, the user effectively has only user rights and permissions on the application. An attacker can fill all 8 bytes of the input variable so that the input overflows into Variable B at the 9th byte. Any value over 24,000 in Variable B gives that user the rights and permissions of an administrator.

**Race Condition**

- When two events happen at nearly the same time within an application and the application doesn't take into account that they may be happening simultaneously
  - Can be bad if not planned for
- Time-of-check to time-of-use (TOCTOU)
  - Check the system
  - When do you use the results of your last check?
  - Something might happen between the time of check and the time of use = race condition

(Figure: bank account race condition diagram, media/image8.png)

The account should have \$0.

Race conditions can cause big problems

- January 2004: Mars rover "Spirit"
  - Reboot when a problem is identified
  - The problem was with the file system, so it rebooted because of the file system problem
  - A reboot loop was the result
- Pwn2Own Vancouver 2023: Tesla Model 3
  - TOCTOU attack against the Tesla infotainment system using Bluetooth
  - Elevated privilege to root
  - Earned a \$100,000 US prize, and they keep the Tesla

**Malicious Updates**

Software updates

- Always keep our operating system and applications updated
  - Updates often include bug fixes and security patches
- This process has its own security concerns
  - Not every update is equally secure
- Follow the best practices
  - Always have a known good backup
  - Install from trusted sources
  - Back up your device

Downloading and updating

- Installing updates from a downloaded file
  - Always consider your actions
  - Every installation could potentially be malicious
- Confirm the source
  - A random pop-up during web browsing may not be legitimate
  - Visit the developer's site directly
  - Don't trust a random update button or random downloaded files
- Many operating systems will only allow signed apps
  - Don't disable security controls

Automatic updates

- The app updates itself
  - Often includes a security check / digital signature
- Relatively trustworthy
  - Comes directly from the developer
- SolarWinds Orion supply chain attack
  - Reported in December 2020
  - Their certificate authority had verified the software
  - Attackers gained access to the SolarWinds development systems
  - Added their own malicious code to the update
  - Gained access to hundreds of government agencies and companies
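Returning to the buffer overflow diagram above, here is an added C example (not code from the notes) of the layout it describes: a hypothetical record with an 8-byte input field sitting directly in front of a 2-byte privilege value, written once without bounds checking and once with the check the notes say developers need. The record, the user-level value 1500 and the spill value 24,001 are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout mirroring the diagram: an 8-byte input field sits
 * directly in front of a 2-byte privilege value (hypothetical record). */
struct record {
    char     input[8];    /* Variable A: 8 bytes the user may write */
    uint16_t privilege;   /* Variable B: over 24,000 means administrator */
};
#define ADMIN_THRESHOLD 24000
#define USER_LEVEL 1500   /* constructed "under 2000" ordinary-user value */

/* Vulnerable write: no check against sizeof(r->input), so byte 9 onward
 * lands in privilege. Clamped to the record only to stay well-defined. */
void store_input_unchecked(struct record *r, const unsigned char *src, size_t len) {
    if (len > sizeof(*r)) len = sizeof(*r);
    memcpy(r, src, len);
}
/* Hardened write: bounds-checks against the field and rejects over-long
 * input instead of letting it spill into the neighbouring variable. */
int store_input_checked(struct record *r, const unsigned char *src, size_t len) {
    if (len > sizeof(r->input)) return -1;
    memset(r->input, 0, sizeof(r->input));
    memcpy(r->input, src, len);
    return 0;
}

/* Constructed 10-byte input: 8 filler bytes, then the two bytes of 24,001
 * placed exactly where privilege lives in the record. Returns its length. */
static size_t build_overlong_input(unsigned char *buf) {
    uint16_t spill = ADMIN_THRESHOLD + 1;
    memset(buf, 'A', sizeof(struct record));
    memcpy(buf + offsetof(struct record, privilege), &spill, sizeof spill);
    return sizeof(struct record);
}
/* 1 if the unchecked write silently promoted the user to administrator. */
int demo_unchecked(void) {
    struct record r = { "user", USER_LEVEL };
    unsigned char buf[sizeof(struct record)];
    store_input_unchecked(&r, buf, build_overlong_input(buf));
    return r.privilege > ADMIN_THRESHOLD;
}
/* 1 if the checked write rejected the input and privilege was untouched. */
int demo_checked(void) {
    struct record r = { "user", USER_LEVEL };
    unsigned char buf[sizeof(struct record)];
    int rc = store_input_checked(&r, buf, build_overlong_input(buf));
    return rc == -1 && r.privilege == USER_LEVEL;
}
```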
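The bank-account race condition in the section above, as an added C example that is not part of the notes: the check-then-use sequence that lets two \$100 withdrawals through, beside a compare-and-swap that performs the check and the debit as one step. The interleaving is stepped by hand rather than with real threads, and the \$100 balance and request amounts are constructed.

```c
#include <stdatomic.h>

/* Constructed model of the bank-account diagram (hypothetical code, not from
 * the original notes): a $100 balance and two $100 withdrawal requests. */
static atomic_int balance = 100;

/* Time of check: only looks at the balance. */
int check_funds(int amount) { return atomic_load(&balance) >= amount; }

/* Time of use: debits, trusting a check that may be stale by now. */
void debit(int amount) { atomic_fetch_sub(&balance, amount); }

/* Vulnerable interleaving, modelled step by step instead of with real threads:
 * both requests pass the check before either one debits. Returns the final
 * balance, which ends at -100 although the account "should have $0". */
int racy_double_withdraw(void) {
    atomic_store(&balance, 100);
    int a_ok = check_funds(100);   /* request A: time of check */
    int b_ok = check_funds(100);   /* request B: time of check, still $100 */
    if (a_ok) debit(100);          /* request A: time of use */
    if (b_ok) debit(100);          /* request B: time of use, overdraws */
    return atomic_load(&balance);
}

/* Fix: check and debit in one compare-and-swap, so the value acted on is
 * exactly the value that was checked. Returns 1 on success, 0 if refused. */
int withdraw_atomic(int amount) {
    int seen = atomic_load(&balance);
    do {
        if (seen < amount) return 0;              /* check on the value seen */
    } while (!atomic_compare_exchange_weak(&balance, &seen, seen - amount));
    return 1;                                     /* debit of that same value */
}

/* Same two requests through the atomic path; returns the final balance (0). */
int safe_double_withdraw(void) {
    atomic_store(&balance, 100);
    withdraw_atomic(100);
    withdraw_atomic(100);   /* refused: the funds are already gone */
    return atomic_load(&balance);
}
```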
