Final Exam Prepper - ITSS4360 - The University of Texas at Dallas PDF

Summary

This document is a module for a final exam prepper in computer science at the University of Texas at Dallas. It is a summary of the topic of web applications.

Full Transcript

Final Exam Prepper
ITSS4360 MODULE 12

ITSS4360 1
Web App Attacks and
Security

ITSS4360 2
Modern vs Legacy Applications
Feature Modern Applications Legacy Applications

Cloud computing, microservices, Older technologies, monolithic
Technology
containers architectures

Development practices Agile, DevOps, CI/CD Waterfall, manual testing

Agility Highly agile, able to change quickly Less agile, difficult to change

Highly scalable, able to handle large Less scalable, can struggle to handle large
Scalability
volumes of traffic volumes of traffic

Less secure, may have security
Security More secure, built with security in mind
vulnerabilities

Used for new business initiatives or to Used for critical applications that
Purpose
replace legacy applications businesses can’t easily replace

ITSS4360 3
Website vs. Web Application
Website Web Application
◦ Websites are accessible through browsers ◦ A web app is a software that is accessed through a
◦ They are navigable (multi-page, with links and web browser.
menus) and can present digital content, images, ◦ Web applications differ from mobile and desktop
video, and audio. software in that they don’t have to be downloaded
◦ Websites are largely static, meaning the page and installed.
content doesn’t update (example, a blog), and offer ◦ Web applications are websites with functionality
minimal functionality and interactive elements.
◦ However, modern web technologies have helped ◦ Web application development tends to be more
web developers create interactive news websites complex because web apps need to store and
that are more app-like and are considered dynamic manipulate data based on user input. They need to
websites. incorporate code to manage:
◦ Websites are one-way informational feeds, they do ◦ User Access
not allow viewers to interact or communicate back ◦ Complex functions
to the site. ◦ Data storage and retrieval
◦ Most websites are built using HTML, CSS, and ◦ App security
maybe some JavaScript.

ITSS4360 4
How Modern Web Applications Work
The user opens a web browser and enters the
URL for the web application.
◦ The browser sends an HTTP request to the server
hosting the web application.
◦ The server receives the request and uses the
appropriate server-side component to process the
request.
◦ The server-side component retrieves data from a
database and generates an appropriate response.
◦ The response is sent back to the browser as an
HTTP response.
◦ The browser receives the response and uses the
appropriate client-side components (such as HTML,
CSS, and JavaScript) to render the response as a
user interface.

ITSS4360 5
How Modern Web Applications Work
The user interacts with the user interface,
triggering additional HTTP requests to the
server.
◦ The server receives each request and
processes it using the appropriate server-side
component.
◦ The server generates an appropriate response
and sends it back to the browser as an HTTP
response.
◦ The browser receives the response and
updates the user interface accordingly.
◦ The process continues until the user completes
their web application task.

ITSS4360 6
Frontend
https://www.youtube.com/watch?v=
WG5ikvJ2TKA (WATCH THIS!)

ITSS4360 7
Backend
https://www.youtube.com/watch?v=X
Bu54nfzxAQ (WATCH THIS!)

ITSS4360 8
Web Application – Simplified View
Backend

Frontend APIs Microservices Database

Authenticated Authenticated Authenticated Stored Data
Webpages API calls Functions and
HTTPS Request - Processes
Response

ITSS4360 9
What is an API?
An API, or application programming interface, is a set of rules or protocols that let software
applications communicate with each other to exchange data, features and functionality.
◦ In the context of APIs, the word Application refers to any software with a distinct function.
◦ Interface can be thought of as a contract of service between two applications.
◦ This contract defines how the two communicate with each other using requests and responses.
◦ Their API documentation contains information on how developers are to structure those requests and
responses.

https://www.ibm.com/topics/api

API Documentation example:
https://developer.blackboard.com/portal/displayApi

ITSS4360 10
How does an API work?

A client sends a request to the API server, usually over the internet or a local network. The request is made
using a specific protocol (such as HTTP) and includes information about the operation the client wants to
perform, e.g., retrieving data or updating a resource.
The API server receives the request and processes it. It may validate the request, authenticate the client,
authorize the request, or perform other necessary operations.
The API server sends a response back to the client, which may include data, an error message, or a status code
indicating the result of the operation.
The client receives the response and processes it.

ITSS4360 11
Knowledge Check
What are the differences between a Website and Web application?
◦ Websites are one-way informational feeds, they do not allow viewers to interact or communicate
back to the site.
◦ Web applications store data for individual users and manipulate that data based on user input.
They need to incorporate code to manage:
◦ User Access
◦ Complex functions
◦ Data storage and retrieval
◦ App security

Which protocol do web apps use to communicate between the frontend and
backend?
◦ HTTP / HTTPS
Knowledge Check
What does API stand For?
◦ API stands for Application Programming Interface
◦ API helps different software communicate with each other

How does an API work?
◦ Client sends Request (specific action, specific parameters, specific format)
◦ Server sends Response (specific parameters, specific format)
◦ All kinds of Requests in an API and their possible Responses are documented in API
documentation
Web Application Security Risks and Attacks
https://owasp.org/Top10/
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration

ITSS4360 14
How to prevent Broken Access Control
Access control is only effective in trusted server-side code or server-
less API, where the attacker cannot modify the access control check or
metadata.
◦ Except for public resources, deny by default.
◦ Model access controls should enforce record ownership rather than accepting
that the user can create, read, update, or delete any record.
◦ Implement access control mechanisms once and re-use them throughout the
application
◦ Disable web server directory listing and ensure file metadata (e.g.,.git) and
backup files are not present within web roots.
◦ Log access control failures, alert admins when appropriate (e.g., repeated
failures).
◦ Rate limit API access to minimize the harm from automated attack tooling.
◦ Stateful session identifiers should be invalidated on the server after logout.
Developers and QA staff should include functional access control unit
and integration tests.

ITSS4360 15
How to prevent Cryptographic Failures
◦ Classify data processed, stored, or transmitted by an application.
Identify which data is sensitive according to privacy laws, regulatory
requirements, or business needs.
◦ Don't store sensitive data unnecessarily. Discard it as soon as possible.
Data that is not retained cannot be stolen.
◦ Make sure to encrypt all sensitive data at rest.
◦ Ensure up-to-date and strong standard algorithms, protocols, and keys
are in place; use proper key management.
◦ Encrypt all data in transit with secure protocols such as TLS with
forward secrecy (FS) ciphers, cipher prioritization by the server, and
secure parameters.
◦ Disable caching for response that contain sensitive data.
◦ Do not use legacy protocols such as FTP and SMTP for transporting
sensitive data.
◦ Store passwords using strong adaptive and salted hashing functions

ITSS4360 16
How to prevent Injection
Preventing injection requires keeping data separate
from commands and queries:
◦ The preferred option is to use a safe API, which avoids using
the SQL interpreter entirely and provides a parameterized
interface.
◦ Use positive server-side input validation, so only values are is
sent via input (not code). This is not a complete defense as
many applications require special characters, such as text
areas or APIs for mobile applications.
◦ Use LIMIT and other SQL controls within queries to prevent
mass disclosure of records in case of SQL injection.

ITSS4360 17
How to prevent Insecure Design
◦ Establish and use a secure development lifecycle with AppSec
professionals to help evaluate and design security and privacy-
related controls
◦ Use threat modeling for critical authentication, access control,
business logic, and key flows
◦ Integrate security language and controls into user stories
◦ Integrate plausibility checks at each tier of your application
(from frontend to backend)
◦ Write unit and integration tests to validate that all critical
flows are resistant to the threat model. Compile use-cases and
misuse-cases for each tier of your application.
◦ Limit resource consumption by user or service

ITSS4360 18
How to prevent Security Misconfiguration
◦ A repeatable hardening process makes it fast and easy to deploy
another environment that is appropriately locked down.
◦ Development, QA, and production environments should all be
configured identically, with different credentials used in each
environment.
◦ This process should be automated to minimize the effort required to
set up a new secure environment.
◦ A minimal platform without any unnecessary features, components,
documentation, and samples should be the starting point. Remove
or do not install unused features and frameworks.
◦ A segmented application architecture provides effective and secure
separation between components or tenants, with segmentation,
containerization, or cloud security groups (ACLs).
◦ An automated process to verify the effectiveness of the
configurations and settings in all environments.

ITSS4360 19
Key Cryptography

ITSS4360 20
‘Key’ Terms

Plaintext
◦ Original unencrypted message
Cipher / Ciphertext
◦ A cipher is a method used in cryptography for performing encryption or decryption. Essentially, it's a set of
algorithms that you apply to your data (plaintext) to transform it into an unrecognizable form (ciphertext).
Key
◦ In cryptography, a key is a string of characters used within an encryption algorithm (cipher) for altering data
so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key
can unlock (decrypt) it.

ITSS4360 21
Ciphers
A cipher is a method or algorithm used
in cryptography for performing
encryption or decryption.
◦ Transposition ciphers keep all the original
bits of data in a byte but mix their order.
◦ Substitution ciphers replace specific data
sequences with other data sequences. For
example, one type of substitution would
be to transform all characters with unique
symbols.

Example: a -3 substitution cipher

ITSS4360 22
Keys
In cryptography a ‘key’ is a piece of
information used in combination with an
algorithm (a ‘cipher’) to transform plaintext
into ciphertext (encryption) and vice versa
(decryption).
If there is already a cipher, why do you need
a key?
◦ To individualize the encryption between sender
and receiver, so even if someone knows the cipher
algorithm, they cannot decrypt without a key
[Cipher (secret key) {Plaintext}] = Ciphertext
◦ Not a real formula!

ITSS4360 23
Key Encryption Types
Symmetric Key encryption
◦ The sender uses the same key to encrypt the
plaintext that the receiver uses to decrypt the
plaintext
◦ Symmetric key encryption is fully reversible

Advantage of Symmetric key encryption:
◦ It is computationally cheap

What are the issues with Symmetric Key
encryption?
◦ Key exchange (chicken and egg problem)

ITSS4360 24
Key Encryption Types
Asymmetric Key encryption
◦ (does this lock look peculiar?)
◦ This encryption type uses a pair of keys
◦ The sender uses a public key to encrypt the
plaintext and the receiver a different private key to
decrypt the plaintext.
◦ Its like a lock that you can lock with one key, but
cannot unlock it with the key you locked it with.
◦ You need a different key to unlock it.
Asymmetric Key encryption from the
receiver’s perspective:
◦ The locking key is the public key (shared with all who need
to send data to the receiver)
◦ The unlocking key is the private key

ITSS4360 25
Asymmetric Key Encryption
Algorithmically, this key pair can be used
interchangeably.
◦ Say, the key pair is ‘Key A’ and ‘Key B’
◦ If you encrypt with Key A, you can decrypt with Key B
◦ And reversibly, if you encrypt with Key B, you can
decrypt with Key A
◦ So you get to decide which key will be your (shared
with the world) ‘public key’ and which one will be
your (safeguarded with moats, turrets and dragons)
‘private key’.
Advantage of Asymmetric Key encryption
◦ Key exchange is simpler since you can freely share
your public key
Disadvantage of Asymmetric Key encryption
◦ It is computationally expensive

ITSS4360 26
Asymmetric Key Encryption
Digital Signatures?
◦ If I encrypt something with my private key and send that out
to the internet, what does that imply?
◦ Only my public key will be able to decrypt it, meaning this
file/message, HAD TO originate from me, confirming me as
the source of the message.

Going one step further,
◦ What if I encrypt a file/message with my private key. Then
encrypt that with your public key and send it on the
internet? Two-layer encryption.
◦ Only YOU can decrypt layer one with your private key. Then
encrypt layer 2 with my public key.
◦ One sender, one receiver on the entire internet.
◦ That is End-to-end encryption!

Symmetric and Asymmetric Encryption:
https://www.youtube.com/watch?v=GSIDS_lvRv4

ITSS4360 27
Hybrid Encryption / Hybrid Cryptosystem
On the internet, a hybrid form of
encryption happens when two endpoints
connect over https.
◦ The end points will use ‘asymmetric’ public and
private keys to exchange a ‘symmetric’ session
key
◦ Then all communication during the course of the
session will be done using the shared symmetric
session key
Why not just use asymmetric encryption
the whole time?
◦ Asymmetric encryption and decryption is
computationally intensive, so just the initial
session key is exchanged using asymmetric
encryption.

ITSS4360 28
Hybrid Encryption / Hybrid Cryptosystem
Asymmetric part:
◦ Certificate Check
◦ Client checks that the server is certified to make
sure it is who it says it is (example, Chase Bank)
◦ Upon successful certification, client receives
server’s public key
◦ Session Key Exchange
◦ Client generates a unique session key and encrypts
it using the server’s public key and sends to server
◦ Server decrypts session key using its own private
key

Symmetric part:
◦ Client and server then send and receive data
over the session (connection) by using the
session key for encryption and decryption

ITSS4360 29
Digital Certificates
Digital certificate or Public Key certificate
is an electronic document generated and
shared as part of a global secure Public
Key sharing infrastructure.
◦ Digital certificates are needed because there is
no way to determine the validity of a public
key sent from a server to a client.
◦ How will a client know if the key came from
the actual Chase.com, or from a threat actor?
Let’s look at a man-in-the-middle attack
scenario
◦ https://www.youtube.com/watch?v=5rT6fZUw
hG8 (WATCH THIS TILL THE END!)

ITSS4360 30
Digital Certificates
Digital Certificates are issued by Certificate
Authorities
◦ The Public Key issuer (individual or company) needs to
register themselves with the Certificate Authority
◦ https://www.youtube.com/watch?v=BUQ3oQ-ikQY
◦ Here are some examples of certificate authorities
◦ They encrypt the issuer’s public keys with their own
private keys
◦ Every internet browser comes with the certificate
authorities public keys
◦ If the browser is able to decrypt the certificate with a
CA Public key, that means the underlying issuer’s
public key is authentic
Let’s look at how digital certificates can prevent
m-i-t-m attacks:
◦ https://youtu.be/5rT6fZUwhG8?t=302

ITSS4360 31
Digital Certificates

ITSS4360 32
Passwords and Hashes
So far, we’ve discussed encryption of data in transit
Now let’s discuss encryption of data at rest
When you first create your account with a website, you register your password
with the website
Even if the connection to the website is through HTTPS/TLS, does the website
store your password as it is in their database?
Should it?
◦ What if their admin(s) have access to all passwords and go rogue? (insider attack)
Is there a better way?

ITSS4360 33
Hashing
Hashing is the process of using a
mathematical algorithm, to create a unique
but fixed length output of any plaintext input.
◦ The plaintext may be 4 characters or 40,000
characters, the hash will always be fixed length (for
example, 32 characters)
◦ As long as the plaintext is the same, the hash will
also be the same when run through the algorithm.
◦ If you change even one character from the plaintext
(out of the 40,000 in the example above), the hash
will be completely different.
◦ Hashes are irreversible. Once cannot generate the
plaintext from a hash.
◦ But hashes can be used to validate that the correct
plaintext was entered.
https://www.md5hashgenerator.com

ITSS4360 34
Hashing = Backend

When creating a new account with the website:

Hash is generated Server saves the
You create a on the front-end in Hash for your
Password the page code and account in their
sent to server database

When logging into the website:

Hash is generated on Server matches the
Grants or Denies
You enter your the front-end in the received hash with
access based on
Password page code and sent the one it saved for
match result
to server you in their database

ITSS4360 35
Hashing
Encryption and Hashing are NOT THE SAME!

Hashing is the process of using a mathematical
algorithm, to create a unique but fixed length output
of any plaintext input.
◦ The plaintext may be 4 characters or 40,000 characters, the
hash will always be fixed length (for example, 32 characters)
◦ As long as the plaintext is the same, the hash will also be the
same when run through the algorithm.
◦ If you change even one character from the plaintext (out of
the 40,000 in the example above), the hash will be
completely different.
◦ Hashes are irreversible. Once cannot generate the plaintext
from a hash.
◦ But hashes can be used to validate that the correct plaintext
was entered.

https://www.md5hashgenerator.com

ITSS4360 36
Hashing
Hashing algorithms:
MD-5
◦ MD5 is simple, quick, and free to use. It's among
the most widely used hash algorithms available, but
it's also ripe for hacking.
Secure Hash Algorithms (SHA)
◦ Current version SHA-3.
Tiger
◦ This algorithm was published in 1995, and it's made
for use on 64-bit platforms. It randomises data in 24
rounds, and it's considered remarkably secure.
https://www.md5hashgenerator.com

ITSS4360 37
Hashing
What if a hacker gets access to a Hashed
password database?
◦ Since hashes are irreversible, you think that
they won’t be able to know your password.
◦ But, they start with common passwords and
match it with the hash outputs of common
algorithms. Hashes will be the same if the
password is the same.
◦ If they figure out the hash algorithm used, they
can brute force ‘password to hash attempts’
and match with the hashes they have. (~50Bh
per sec for MD5, 1Bhps for SHA-3)
Then, how to secure hashes? Salt bae!

ITSS4360 38
Salting
A salt is a string value generated by a cryptographically secure
function that is added to the input of hash functions to create unique
hashes for every input, regardless of the input not being unique.
◦ Add something. This involves adding a string of unique, random characters to
the data they must protect.
◦ Hash the whole string. The original data with the salt addition moves through
the algorithm.
◦ Store securely. Companies place the salt value on the site, along with the
hashed data.
◦ Repeat. Companies can salt data more than once to offer deeper protection.

Salting is most effective, experts say, when companies use a different salt
string for each data point.

A password salt, for example, won't be as helpful if each password has
the same set of random characters attached. As soon as a hacker figures
out that code, all passwords are vulnerable.

A salt makes a hash function look non-deterministic, which is good as we
don't want to reveal duplicate passwords through our hashing.

ITSS4360 39
Salting

(plaintext password)

ITSS4360 40
Incident Response and
Digital Forensics

ITSS4360 41
Incident Response
Incident response (IR) is the process
by which an organization handles a
data breach or cyberattack.

It is an effort to quickly identify an
attack, minimize its effects, contain
damage, and remediate the cause to
reduce the risk of future incidents.

ITSS4360 42
Incident Response Terminology
Incident Response Framework
◦ IR Framework is the list of phases of a structured IR process

Incident Response Plan (IRP)
◦ An incident response plan (IRP) is a set of documented procedures detailing the steps that
should be taken in each phase of incident response. It should include guidelines for roles
and responsibilities, communication plans, and standardized response protocols.

IR Team
◦ Team that is assembled to respond to an occurred incident using the IRP. It is cross-
functional and includes members from across the organization.

ITSS4360 43
Incident Response Frameworks
NIST 4-step process
◦ Preparation
◦ Detection and analysis
◦ Containment, eradication and recovery
◦ Post-incident activity

ITSS4360 44
IR Phase 1 - Preparation
The Preparation phase happens before any
incident has occurred.
This phase consists of:
◦ Choosing an IR framework
◦ Developing an IR policy and am IR plan for your
company
◦ Identifying IR team constituents (not just IT folks!)
◦ should include representatives from management,
technical, legal, and communications disciplines
◦ Deploying tools and training necessary to enact
your IR plan
Lastly, the plan should also define who is in
charge and who has the authority to make
certain critical decisions.

ITSS4360 45
IR Phase 2 – Detection and Analysis
Detection and Analysis Tools:
◦ A vulnerability scan is completed by software
to identify a device's vulnerabilities.
◦ A bandwidth monitor is monitoring software
used to measure the amount of data a
connection transfers.
◦ Traffic monitoring
◦ Netflow is a Cisco-proprietary protocol system that
collects inbound and outbound traffic, or flow, on
Cisco devices.
◦ Sampled flow (sFlow) randomly samples and
collects a network's inbound and outbound traffic.
◦ IP flow information export (IPFIX) is an industry
standard for collecting and visualizing IP flow.
◦ A protocol analyzer is monitoring software used to
intercept and classify network traffic by protocol.

ITSS4360 46
IR Phase 2 – Detection and Analysis
Metadata
◦ Data is information stored in various forms. Ex:
Data is stored in a file, on the internet, or on a
mobile device. Data describing or identifying
other data is known as metadata.
◦ Metadata examples:
◦ A file's creation date and time, or timestamp.
◦ A sending email server's information.
◦ A hosting web server's information.
◦ A GPS coordinate for a picture taken with a mobile
device.
◦ Metadata is used for incident identification.
◦ Ex: An unauthorized file modification is identified by
reviewing the file's metadata for a modification
timestamp.

ITSS4360 47
IR Phase 2 – Detection and Analysis
Device Logs
◦ A device will record, or log, most activities in a device log.
◦ A device log is a text-based file containing various device
events. A device log can identify when and how an incident
occurred. Device logs remain on a local device by default.
◦ Two primary device log types exist:
◦ A traffic log is a device's recording of incoming and outgoing network
traffic events.
◦ An audit log is a device's recording of system-related events such as
failed and successful user login attempts.

Device log examples:
◦ A network device log for a switch or router's traffic-related
events.
◦ A system device log for a server's application or security-
related events.
◦ A web log containing client requests for a website.
◦ A DNS log recording DNS resolution requests and responses.

ITSS4360 48
IR Phase 2 – Detection and Analysis
System logging protocol
◦ System logging protocol, or syslog, is a
network protocol enabling a device or
application to send log entries to a syslog
server.
◦ A syslog server is a node configured to
receive logs from syslog-configured devices
and applications.
◦ Syslog classifies log entries by descending
severity levels.

ITSS4360 49
IR Phase 3 – Containment, Eradication and Recovery
Eradication is intended to actually remove
malware or other artifacts introduced by the
attacks, and fully restore all affected systems.
◦ Reimaging—complete wipe and re-image of
affected system hard drives to ensure any malicious
content is removed.
◦ Preventing the root cause—understanding what
caused the incident preventing future compromise,
for example by patching a vulnerability exploited by
the attacker.
◦ Applying basic security best practices—for
example, upgrading old software versions and
disabling unused services.
◦ Scan for malware—use anti-malware software, or
Next-Generation Antivirus (NGAV) if available, to
scan affected systems and ensure all malicious
content is removed.

ITSS4360 50
IR Phase 4 – Post-Incident Activities
Incident report contents:
◦ When was the problem first detected and
by whom
◦ The scope of the incident
◦ How it was contained and eradicated
◦ Worked performed during recovery
◦ Areas where the IRT teams were effective
◦ Areas that need improvement

ITSS4360 51
Digital Forensics
Digital forensics is a branch of forensic
science that focuses on collection,
examination, analysis, and reporting on
electronically stored and/or processed data.
Digital forensics is used in tasks such as
investigating digital crimes, identifying
internal policy violations, recovering from
system damage or data loss, and
reconstructing security incidents.
Digital forensics has several sub-
branches, including computer forensics,
network forensics, database forensics,
and cloud forensics.

ITSS4360 52
Digital Forensics Steps
Step 1: Data collection

After a breach, forensic investigators collect data from operating
systems, user accounts, mobile devices and any other hardware and
software assets that threat actors may have accessed.

Common sources of forensic data include:
◦ File system forensics: Data found in files and folders that are stored on
endpoints.
◦ Memory forensics: Data found in a device’s random access memory
(RAM).
◦ Network forensics: Data found by examining network activity like web
browsing and communications between devices.
◦ Application forensics: Data found in the logs of apps and other software.

To preserve evidence integrity, investigators make copies of data
before processing it. They secure the originals so that they cannot
be altered and the rest of the investigation is carried out on the
copies.

ITSS4360 53
Digital Forensics Steps
Step 2: Examination
◦ Investigators comb through the data for signs of cybercriminal
activity, such as phishing emails, altered files and suspicious
connections.

Step 3: Analysis
◦ Investigators use forensic techniques to process, correlate, and
extract insights from digital evidence. Investigators may also
reference proprietary and open-source threat intelligence feeds
to link their findings to specific threat actors.

Step 4. Reporting
◦ Investigators compile a report that explains what happened
during the security event and, if possible, identifies suspects or
culprits. The report may contain recommendations for thwarting
future attacks. It can be shared with law enforcement, insurers,
regulators and other authorities.

ITSS4360 54
Digital Forensics – Key Terms
Digital evidence is electronic data of
value to an investigation that is stored on,
processed, received, or transmitted by an
electronic device.
A timestamp is a digital record of the date
and time an event occurred.
◦ Timestamps are used to track when data was
created, accessed, or modified.
◦ An operating system, application, or firmware
may use different time zones when creating
timestamps.
◦ A time offset is the time difference between a
system's local time and Greenwich Mean Time
(GMT).

ITSS4360 55
Digital Forensics – Key Terms
Digital evidence acquisition is the
process of collecting relevant data to a
forensic investigation, while preserving
data integrity.

A forensic artifact is any data that may
potentially be used as digital evidence.
◦ A forensic artifact is digital evidence only if
the artifact is relevant to a forensic
investigation.
◦ Ex: A file timestamp is a forensic artifact.

ITSS4360 56
Digital Forensics – Key Terms
A forensic snapshot captures a
system's data at a specific point in
time, thus preserving the data for
evidence acquisition in a forensic
investigation.
◦ Ex: A forensic snapshot of a web server
after a network intrusion resulting in
intellectual property theft.

ITSS4360 57
Digital Forensics – Key Terms
Data volatility is the measure of how long
data is retained on an electronic
component in absence of power.

The order of volatility is the sequence of
data acquisition in a forensic investigation
based on data volatility.
◦ Data is acquired starting with the most volatile
(most likely to disappear) and ending with the
least volatile.
◦ Ex: Random access memory (RAM) requires
power for data retention, but a hard disk drive
(HDD) retains data even when no power is
supplied to the device.

ITSS4360 58
Digital Forensics – On the Cloud
Right-to-audit is a legal contract that
grants one party the right to perform
an audit of the records, operations, or
processes of another party.
◦ Right-to-audit is often included in service
level agreements (SLAs) and is intended to
provide transparency and verification of a
party's business activities.
◦ An organization which stores data in the
cloud includes right-to-audit clauses in
SLAs to ensure the organization's customer
data is securely processed by the cloud
provider.

ITSS4360 59
Security Assessment

ITSS4360 60
Security Assessment
Security assessment is the testing and evaluation of a system's security controls.
◦ A system could be a computer, network, native application, or web app.
◦ A security assessment determines if a system's security controls are implemented correctly and operating as
intended.
A vulnerability scanner is a program which scans a system for known vulnerabilities. A
vulnerability scanner
◦ Identifies a system's vulnerabilities
◦ Prioritizes them by severity
◦ and provides recommendations for remediating those vulnerabilities
◦ Example: Nessus and OpenVAS are vulnerability scanners.
◦ Example: OpenVAS can identify an unpatched vulnerability in a Windows 11 device, rank the vulnerability
based on the vulnerability's severity, and provide guidelines for patching the vulnerability.
https://youtu.be/x87gbgQD4eg?t=482

ITSS4360 61
Vulnerability Scanner

ITSS4360 62
Vulnerability Databases
A vulnerability scanner uses databases of known vulnerabilities to identify and
prioritize a system's vulnerabilities.
◦ Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities
and exposures. CVE is maintained by the MITRE Corporation with funding from the US
Division of Homeland Security.
◦ Each CVE record is assigned a unique CVE ID.
◦ A CVE ID includes the year, followed by a four or five digit number.
◦ Example: CVE-2022-0001 is the 1st vulnerability made public in the year 2022
◦ Example: CVE-2023-33974 is the 33,974th vulnerability made public in the year 2023.

ITSS4360 63
Vulnerability Databases
The National Vulnerability Database (NVD) is the U.S. Government repository
of standards based vulnerability management data.
◦ The NVD includes databases of security checklist references, security-related software
flaws, misconfigurations, product names, and impact metrics.
◦ NVD is maintained by the National Institute of Standards and Technology (NIST) and uses the Common
Vulnerability Scoring System (CVSS) to evaluate the threat level of each CVE vulnerability.

Common Vulnerability Scoring System (CVSS) is an open industry standard for
assessing the severity of computer system security vulnerabilities.
◦ A CVSS score is calculated using metrics that indicate ease and impact of a vulnerability
exploitation. A CVSS score ranges from 0 to 10, with 10 being the most severe.
https://nvd.nist.gov/vuln/detail/CVE-2024-3738

ITSS4360 64
Question
Can a vulnerability scanner use CVE to identify zero-day vulnerabilities?
◦ Answer: No

Why?
◦ Answer: Because CVE only contains a list of known vulnerabilities

ITSS4360 65
Vulnerability Scan Types
A non-credentialed vulnerability scan, or unauthenticated vulnerability scan, is a
vulnerability scan in which a scanner identifies a system's vulnerabilities by probing
the network services exposed by the system.
◦ Ex: A non-credentialed vulnerability scan can identify a system's open ports and the vulnerable
services running on those ports.
A credentialed vulnerability scan, or authenticated vulnerability scan, is a
vulnerability scan in which a scanner has system privileges.
◦ A credentialed vulnerability scan can find more vulnerabilities than a non-credentialed vulnerability
scan because the scanner logs into a system and has direct access to the system's components and
configurations.
◦ Ex: A credentialed vulnerability scan can identify a system's software misconfigurations and missing
operating system patches.

ITSS4360 66
Vulnerability Scan Types
A non-credentialed or credentialed vulnerability scan can either be intrusive or
non-intrusive.
A non-intrusive vulnerability scan is a vulnerability scan which only identifies
and reports a system's vulnerabilities.
◦ Ex: Report the use of a weak hashing algorithm in signing a web server's SSL certificate.

An intrusive vulnerability scan is a vulnerability scan which attempts to exploit
a system's vulnerabilities found during a scan.
◦ Ex: Install malware on a device by exploiting a vulnerability found in Server Message Block
(SMB) protocol using TCP port 445.

ITSS4360 67
Event Management
A security assessment can be conducted by analyzing log
data and correlating the events occurring on various
systems.
SIEM
Security information management (SIM) is the practice of
collecting, storing, and managing log data from network
devices and software applications.
◦ Log data is a timestamped record of an event.
◦ Ex: a VPN server records a VPN user's username and timestamps a
login attempt as log data. SIM SEM
◦ A SIM system may have search, aggregation, and visualization Collects Log Data Analyzes Log Data
capabilities.

Security event management (SEM) is the practice of
monitoring, identifying, and reporting security-related
events.
◦ A SEM system detects threats and vulnerabilities by identifying
relationships and patterns in log data using statistical analysis. Incident / Event
◦ Ex: a SEM system can detect an IoT device's malware infection by
correlating firewall, router, and IPS log data. Alerts

ITSS4360 68
Event Management - SIEM
Security information and event management (SIEM) is an approach to security
management that combines SIM and SEM functionality into a single system.
◦ A SIEM system collects and analyzes log data, correlates events in real-time, detects threats, and
generates alerts.
◦ A SIEM system can collect syslog data (a standard for message logging) and use network packet
captures to gain additional insight into security events.
A SIEM system may also have the capability to detect insider threats by analyzing user
behavior.
◦ User behavior analytics (UBA) is the use of behavioral analytics and machine learning algorithms
to identify abnormal user behavior.
◦ UBA can identify insider threats or attacks that use compromised insider credentials by detecting
deviations from normal user behavior.

ITSS4360 69
Event Management – SIEM Dashboard

ITSS4360 70
Event Management - SOAR
Automating the assessment and prioritization of security events decreases
analysis errors and improves threat detection and response accuracy.
Two processes automate security assessment and prioritization:
◦ Security orchestration is the integration and analysis of data from disparate security
systems (collecting event/incident alert data).
◦ Security automation is the process of executing security operations-related tasks without
human intervention. (responding to events/incidents automatically)

ITSS4360 71
Event Management - SOAR
Security orchestration, automation, and response (SOAR) is the combination
of security orchestration and security automation tools to respond to security
events with limited or no human intervention.
SOAR enables the automation of manual tasks such as:
◦ vulnerability scanning
◦ log analysis
◦ auditing
◦ and incident response
A SOAR system may also integrate data from threat intelligence feeds to
improve threat detection.

ITSS4360 72
Event Management - SOAR
SIEM

SIM SEM SOAR
Automatically Prioritizes
Collects Log Data Analyzes Log Data and responds to Incidents
Incident / Event
Alerts

ITSS4360 73
SIEM + SOAR

ITSS4360 74
Penetration Testing
Penetration testing (pentesting), or ethical hacking, is an authorized attack on a
system to evaluate the system's security.
A penetration tester, or pentester, attempts to breach some or all of a system's
security controls by using tools and techniques an attacker uses.
Many software vendors offer pentesters rewards for finding and reporting
software vulnerabilities in the vendor's software through a program known as
a bug bounty.

ITSS4360 75
Penetration Testing
Pentesting environments:
◦ In an unknown environment, or close-box pentesting, a pentester is not provided with
any information on the target systems.
◦ In a partially known environment, a pentester is provided with limited information on
some of the target systems.
◦ In a known environment, or open-box pentesting, a pentester is provided with full
privileges and information on all the target systems.

ITSS4360 76
Penetration Testing Techniques
A Lateral movement is the act of moving from a compromised host to another host on the same
network.
◦ Lateral movements are used for finding and exploiting vulnerabilities in other systems located on the same
network.
Pivoting is the act of using a compromised system as a platform to launch attacks against other
systems.
◦ Pivoting bypasses security controls aimed at preventing unauthorized access to internal systems such as those
implemented by firewalls.
Persistence is the set of techniques used for maintaining access to compromised systems. Ex: adding
startup scripts, creating privileged accounts, and scheduling system tasks.
◦ Persistence enables a pentester to maintain system foothold across changed credentials, restarts, and other events
causing access disruptions.
Cleanup is the act of removing all the environment changes performed during an attack.
◦ Ex: deleting all accounts created, undoing all system configuration changes, and removing log files.

ITSS4360 77
TTP analysis
An organization's security can be improved by understanding an attacker's
tactics, techniques, and procedures (TTPs).
Tactics, techniques, and procedures (TTPs) are patterns of activities or
methods associated with a specific attacker or group of attackers.
◦ Ex: Receiving phishing emails from a specific domain.

TTP analysis can help security teams detect and mitigate attacks by
understanding the way attackers operate.

ITSS4360 78
TTP techniques
A technique for understanding of TTPs is to set up decoys to lure attackers into a
controlled environment for monitoring and behavioral analysis. Three types of decoys
exist:
◦ A honeyfile is a fake file intentionally placed in a location to detect an attacker or malicious insider.
Honeyfile names are chosen to attract more attackers. Ex: password.txt
◦ A honeypot is a security mechanism used for learning about attacks by luring attackers to an
isolated and monitored environment. A honeypot is a single service or networked computer and is
typically set up in a DMZ.
◦ A honeynet is a network of honeypots. A honeynet is set up with intentional vulnerabilities to ease
access by potential attackers. Fake telemetry from network devices may also be generated on the
network, providing additional targets for attackers.
Honeypots, honeynets, and honeyfiles may also be used to divert malicious traffic
away from real systems, networks, and files.

ITSS4360 79