CIA Triad and Security Terminology
CIA Triad
Confidentiality – The data was not disclosed to any unauthorized parties.
Integrity – The data was not violated or modified
Availability – The data can get where it needs to go without fail
Design Principles
Fail-Safe Defaults
Permissions are only given with explicit permission
If all systems fail what will happen to system security?
You should consider the different ways a system could fail
Ex: Chinese character in input field?
Least Privilege
Don’t give out any more privileges than necessary
Nobody should have privileges they don’t absolutely need.
sudo chmod -R 777 / is the opposite of this principle
Open design
Commonly violated principle
Make algorithms public because you cannot design a better algorithm than decades of review
For example, Google uses AES-256, a very common standard
Minimize Attack Surface Area
Two things are twice as hard to defend as one.
Attack surface examples: hardware, software, data, networks
Reducing system complexity can help reduce a system’s attack surface area
Defense in Depth
Have more than one defense mechanism
Redundancy
Logins have email verification redundancy to ensure a real user
Attack Trees
Useful for thinking about vulnerabilities
Shows that nothing is “totally secure” Ex:
Sometimes an attack tree is priced to find cheapest option
Types of Attacks
Attacks are not always intentional
Attacks can contain passive and active elements
Active Attacks
An attempt to alter system resources or affect its operation
Easier to detect usually
Threatens the availability or integrity of data
Examples
Ransomware
DDoS
Passive Attacks
Use or learn from information in a system without affecting the system.
No system interference
Usually harder to detect
Threatens the confidentiality of the data
Examples:
Monitoring pizzas delivered to the Pentagon
Traffic Sniffing
Inside attacks
From inside organization
Often non-intentional
Sometimes unsatisfied employees
Security Terminology
Asset (system resources)
Anything valuable to the victim or attacker
Vulnerability
Weakness that could be exploited or triggered by a threat source
Threat
Anything that is capable of exploiting a vulnerability
NOT threat actor or action
Can violate CIA triad of something
Attack
Malicious activity to destroy (or more) information system resources or the information itself
A threat in action
Risk
In book: asset + vulnerability + threat
In industry: loss x (probability of occurring)
Ransomware attack on home network
Vulnerability: Un-updated modem software
Assets: Network files/Computer files
Threat: Encrypt data on network with ransom demand
Risk: Data is expensive or encrypted
Example: Consider the following scenario: We run a power plant in Oklahoma, and want to assess if our system is safe in the face of a tornado. Match the following vocabulary terms with the correct instance
Mother Nature | Threat Actor |
A tornado could come and hit our power plant | Threat |
We made our power cables withstand up to 120mph winds | Countermeasure |
Our power cables can only withstand wind speeds up to 80mph | Vulnerability |
A storm will come and hit our power plant tomorrow | Attack |
There’s a chance of temporarily losing power to the city | Risk |
The entire city’s power supply | Asset |
NIST Framework
A way of thinking about security
Used by government
Not detailed
Not solution to security
Three parts
Tiers: how mature a company's security is
Profiles: Help company grow into where it should be
Core: We are only concerned with core
Core breakdown, each part is phase in cyber attack:
Identify: Your assets and resources, making a network map, finding potential problems, and prioritization
Ex: Prioritize security measures in need of improvement
Protect: Implement access control, authentication, encryption, honeypot, application whitelisting, etc.
Ex: Enforce a minimum password length with special requirements
Detect: Know when you're being attacked, monitor your network, collect attack data, detect anomaly vs signature
Ex: Monitor firewall logs and system processes for abnormal behavior
Respond: Step 1: Analyze the incident; Step 2: Mitigate the incident; Step 3: Improve the situation
Ex: Eradicate malware and all persistence mechanisms
Recover: Backups? Run an audit? Improve system?
Ex: Restore backups and create a plan to improve security
Types of Cryptography:
Symmetric (SAME KEY)
Public/private key (DIFFERENT KEY in and out)
Hashing (NO KEY)
Symmetric Encryption
Secret key or one time pads are a secret legend that help decode symmetrically encrypted text. Not used in practice because key distribution is difficult.
Vigenère Cipher: add the alphabetical positions of the characters at each position of the key and plaintext. Each sum % 26 gives the character of the encoded version. For example, plain: “applebees” and key: “bees”. The first encrypted character is (1 + 2) % 26 = 3, so the first character is C. If the key is too short, just repeat it, like “beesbeesb”.
Caesar Cipher:
Decrypt message with every key
For each letter, multiply frequency by probability of occurring
Sum over all previous numbers. Yields an arbitrary number.
Highest number is most likely the key
Caesar Cipher: Every character in the plaintext is shifted numerically by a value k, e.g. “hello” with k = 2 becomes “JGNNQ”
To crack you must consider every key and sum the character freq for each key.
Here are the correct freq:
Charts like this are helpful:
Cryptanalysis
DES
Invented in 1975
Key length is 56 bits
Very short
Algorithm has concerns
3DES
Better version of DES
Can be attacked successfully using birthday attack which takes advantage of the small block size used in 3DES
NIST deprecated 3DES in 2017
Block vs. Stream Ciphers
Block:
Processes input one block of elements at a time (more common)
Produces output block for input block + can reuse keys
Stream:
Processes input elements continuously (faster + less code)
Encrypts plaintext one byte at a time
Modern Symmetric Algorithms
Asymmetric Encryption
Diffie-Hellman Key Exchange
Generate prime p and a base g that is less than p (both parties get the same key)
Each party picks a private value x with x < p-1
Each party sends y = g^x % p
Calculate key g^y % p
The value x is a secret; the y’s, p, and g are not secrets
Main issue with this encryption is man-in-the-middle attacks
p = 17, g = 12
Person 1 | Person 2 |
X = 13 | X = 4 |
Y1 = 12^13 mod 17 = 14 | Y2 = 12^4 mod 17 = 13 |
(switch 14 and 13) |
Z = y2^x mod p | Z = y1^x mod p |
Z = 13^13 mod 17 = 13 | Z = 14^4 mod 17 = 13 |
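The exchange in the table above with both sides' messages, as an added example that is not part of the original notes. The Party class, the exchange helper and the range check on the received public value are assumptions of this sketch; p = 17 is far too small for real use.

```python
P, G = 17, 12  # public prime and base from the worked table

class Party:
    """One side of a Diffie-Hellman exchange (hypothetical helper class)."""

    def __init__(self, x, p=P, g=G):
        if not 1 < x < p - 1:
            raise ValueError("private value x must satisfy 1 < x < p-1")
        self._x = x              # secret, never sent
        self.p = p
        self.y = pow(g, x, p)    # public value y = g^x % p, sent in the clear

    def shared_key(self, peer_y):
        # Reject degenerate public values (0, 1, p-1) that force a guessable key.
        if not 1 < peer_y < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_y, self._x, self.p)   # z = (peer's y)^x % p

def exchange(x1, x2):
    """Run the exchange and return (y1, y2, z1, z2)."""
    person1, person2 = Party(x1), Party(x2)
    # Each side sends only its y; each derives z from the other side's y.
    z1 = person1.shared_key(person2.y)
    z2 = person2.shared_key(person1.y)
    return person1.y, person2.y, z1, z2

if __name__ == "__main__":
    print(exchange(13, 4))
```

Nothing in the exchange tells either party who actually sent the y value it received, which is why the notes name man-in-the-middle as the main issue.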
Uses of Public-Key Cryptography
Key Exchange:
Want to communicate over insecure channel
Need a way to communicate
Key encryption vs key distribution
Digital signatures & digital envelopes
Signature = INTEGRITY (from the person, untampered)
Envelope = CONFIDENTIALITY (need keys)
Hashing
One way encryption
No key
Uniform distribution
Small input changes get large output changes
Used for:
Storing passwords
Verify checksums
As a data structure
Application signatures
Guarantee message integrity
Hashing Security Properties
Hashing function H can be applied to data block of any size
H produces fixed length output
H is easy to compute for any given x, making it practical
Given any generated code M it is infeasible to find an x so that H(x) = M
Needs strong collision resistance meaning no other x should generate the same hash as another x value
No pair(x,y) should generate the same hash
Birthday Paradox
Shows hashing is hard because collisions are naturally common in the real world
N(1−(1−1/365)^(N-1))
Modern Hashing Algorithms
Def’n: SHA = secure hashing algorithm
MD5
Don’t use
Very fast
SHA-1
Slightly better than MD5
Slower than MD5
Still not recommended anymore
SHA2
Better version of SHA-1
Provides SHA-256
Good option
SHA3
Not used yet
Not fully implemented
Came from NSA
Will be used in future
Message Integrity
Digital Signature provides integrity
“Everybody and their dog knows about the message in plain text”
Digital envelope provides confidentiality
Message Authentication Code:
3 methods: symmetric, public key, secret value
HMAC is most common
Random Numbers
Used for generating secret keys to:
Create digital envelopes
Temporary session keys
Stream Cipher Randomness
Generate prime numbers for RSA/public key
Handshakes to prevent replay attacks
Need to be unpredictable and uniformly distributed
Bad seeds:
Time
Modulo on small integers
Other fixed predictable stuff
Good Seeds:
Radiation
Lava Lamps
/dev/urandom
User mouse movement
Symmetric Encryption Modes
Def’ns:
ECB = electronic codebook mode
CBC = cipher block chaining mode
CFB = simplified cipher feedback mode
OFB = output feedback mode
Block Ciphers are more common
Block Ciphers are parallelizable
ECB
bad (provides LEAST confidentiality)
CBC mode
XOR with input before encryption, prevents repeated blocks
Init vector is possible vulnerability
Needs IV
CFB mode
encrypt IV and key together and XOR with plaintext
Flipped version of CBC
No padding necessary
Needs IV
OFB essentially same as CFB
Needs IV
CTR mode: use counter instead of IV
Secure as rest
Galois Counter Mode (GCM)
Provides integrity as it's computed
ONLY encryption mode that provides integrity
MitM (Man in the Middle) Attacks On Asymmetric Key Exchange
SSL/TLS
TLS is new SSL
Key difference is that SSL is out of date.
Proper SSL was deprecated long ago
Basically a handshake, “here’s my certificate and your key”
Send a symmetric key, decrypt with a private key, then continue communication with the private key.
HTTPS
HTTP over SSL(TLS)
Encrypts:
Payload(data)
Cookies
URL
REST Method
Contents of browser forms
Contents of document
HTTP header
Does NOT Encrypt
Source IP address
Destination IP address
Type of traffic (SSH, FTP, HTTP, HTTPS, etc.)
Port number
Length of packet
PKI
Public Key Infrastructure
Somebody (Certificate Authority) appends a digital signature to the hash
Somebody else vouches for us
Authenticating a server
Create a cert
Create a Certificate Signing Request
Have server sign it and return it
Install certificate into Apache web server
Attacks on SSL
Heartbleed Exploit
Instead of regular heartbeat requests, a small payload disguised as a large payload request causes the server to send back more data from the TLS server than was sent originally. This extra content can be passwords, private keys, etc.
Everyone affected had to update OpenSSL to be secure.
SSL Strip
User connects to the server over HTTP; the attacker routes the user to themselves and takes the HTTPS port given by the site. This prevents the user from using the encrypted port, and the attacker is in the middle of the connection.
The solution is HSTS, which bakes the websites into the browser so you know it’s the real site.
Authentication
Four Means of authenticating a user:
Something they have
Something they know
Something they are
Something they do
Examples: [have, know, are, do] = [card, password, fingerprint, voice pattern]
Passwords
Easy to verify, should be hashed
Hash passwords
x | x | x |
Probability = 6/6 * 5/6 * 4/6 * 3/6
Birthday Paradox
365/365 * 364/365 ~~~~~~~~~~ (240/240) * (240-1/240)
The probability of a collision is 1 – the probability of no collisions
Rainbow Tables:
Pre compute common hashes (take common passwords and hash all)
Useful for OFFLINE attacks (can’t attack multiple people when online)
Salting:
Appending a random value to the password before hashing
Different outputs when hashed
Salt helps hashes be different
Stored in PLAINTEXT
Avoid same hashes (in the same file or with different systems)
Prevent rainbow tables
Attackers have to target one user at a time
Salting doesn’t help with online attacks or targeted attacks
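Salting against a precomputed table, as an added example that is not part of the original notes. It swaps the plain "append salt, then hash" step for PBKDF2 from Python's standard library, which mixes in the salt and is deliberately slow; the iteration count, record layout and the three-entry table are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def new_record(password):
    """Create a stored record: random per-user salt (kept in plaintext) + hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

def unsalted(password):
    """The weak scheme: a bare, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed stand-in for a rainbow table: hashes of common passwords,
# computed once and reusable against every unsalted password file.
PRECOMPUTED = {unsalted(p): p for p in ["123456", "password", "qwerty"]}

def table_lookup(stored_hash):
    """Return the password if the stored hash is in the precomputed table."""
    return PRECOMPUTED.get(stored_hash)

if __name__ == "__main__":
    a, b = new_record("password"), new_record("password")
    print(a["hash"] == b["hash"])                 # same password, different hashes
    print(table_lookup(unsalted("password")))     # unsalted hash is found
    print(table_lookup(a["hash"]))                # salted hash is not
```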
Password Complexity:
Dictionary attacks
complexity = (# of characters)^(size of character set)
Bloom filters:
Creation
Use 3(ish) hash functions to hash a password
Mark each location as set
Repeat for all bad passwords
Checking
Take the user’s entered password
Hash with the same three hashes
If all three are marked, don’t permit password
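The creation and checking steps above as an added example, not part of the original notes. The three hash functions are derived from SHA-256 with a one-byte counter prefix, and the filter size and bad-password list are constructed; both are assumptions of this sketch.

```python
import hashlib

class BadPasswordFilter:
    """Bloom filter of disallowed passwords (hypothetical helper class)."""

    def __init__(self, size_bits=8192, num_hashes=3):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, password):
        # Derive k independent-looking hashes by prefixing a counter byte.
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + password.encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.size

    def add(self, password):
        """Creation: mark each hashed location as set."""
        for pos in self._positions(password):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def probably_bad(self, password):
        """Checking: reject only if every location is marked.
        Never misses a listed password; may rarely reject an unlisted one."""
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(password))

    def bits_set(self):
        return sum(bin(b).count("1") for b in self.bits)

# Constructed list of bad passwords.
BAD = ["123456", "password", "qwerty", "letmein", "iloveyou"]

def build_filter(passwords):
    f = BadPasswordFilter()
    for p in passwords:
        f.add(p)
    return f

if __name__ == "__main__":
    f = build_filter(BAD)
    print(f.probably_bad("password"), f.probably_bad("correct horse battery staple"))
```

The filter stores only bit positions, so the bad-password list itself does not have to be shipped with the check.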
Biometric Analysis
Something You HAVE
Static biometrics
Requires physical presence
Ex: retinal scan, fingerprint
Something You ARE/DO
“Dynamic biometrics”
Typically very accurate
Ex: Gait, typing rhythm, voice, etc
Replay Attacks
Kerberos
Starts out with replay attacks
Check Case 1, Case 2, and Case 3
Go to authentication service, talk to servers the service knows
Authentication protocol
For both the client and server!
“Ticket-based” Single-Sign On (SSO) protocol
Take ticket and give it to each of these people rather than developing a new key for all the services.
Akin to CU login “Federated identikey service”
Authorization
BLP = Bell-LaPadula (MAC)
BLP PART 1: Confidentiality
Every subject has a clearance
Every object has a classification
(clearance, {category set})
Information flows up
Levels: Top secret, secret, confidential, unclassified
Rule: “Read down, Write up”
E.g Alice has clearance (TS, {A,B})
E.g. a document has clearance (S, {B,C,D})
Alice can’t write to it because her TS clearance and categories don’t exactly match, but she can read it.
Dan with (U) and a document (TS, {A,B,C})
Anybody with U can write, but can’t read.
BLP PART 2: Confidentiality
Model is too linear
Each subject + object has category set
ONLY READ: clearance is greater than or equal to that of the document AND have all categories of the doc
ONLY WRITE: clearance is less than or equal to that of the doc AND no categories the document doesn’t have
BLP guarantees CONFIDENTIALITY
Biba guarantees INTEGRITY (information flows down)
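The ONLY READ and ONLY WRITE rules from Part 2 as an added example, not part of the original notes. Dan and the (TS, {A,B,C}) document come from the notes; the other subjects, objects and the access_matrix helper are constructed for illustration.

```python
LEVELS = ["U", "C", "S", "TS"]  # unclassified < confidential < secret < top secret

def rank(level):
    return LEVELS.index(level)

def can_read(subject, obj):
    """Read down: clearance >= classification AND subject holds
    every category of the object."""
    (s_lvl, s_cats), (o_lvl, o_cats) = subject, obj
    return rank(s_lvl) >= rank(o_lvl) and o_cats <= s_cats

def can_write(subject, obj):
    """Write up: clearance <= classification AND subject has no
    category the object lacks."""
    (s_lvl, s_cats), (o_lvl, o_cats) = subject, obj
    return rank(s_lvl) <= rank(o_lvl) and s_cats <= o_cats

def access_matrix(subjects, objects):
    """Map (subject name, object name) to 'rw', 'r-', '-w' or '--'."""
    return {
        (s, o): ("r" if can_read(sv, ov) else "-") + ("w" if can_write(sv, ov) else "-")
        for s, sv in subjects.items()
        for o, ov in objects.items()
    }

SUBJECTS = {
    "dan": ("U", frozenset()),          # from the notes
    "erin": ("S", frozenset("AB")),     # constructed
    "frank": ("TS", frozenset("ABC")),  # constructed
}
OBJECTS = {
    "plan": ("TS", frozenset("ABC")),   # the (TS, {A,B,C}) document from the notes
    "memo": ("S", frozenset("A")),      # constructed
    "notice": ("U", frozenset()),       # constructed
}

if __name__ == "__main__":
    for pair, rights in access_matrix(SUBJECTS, OBJECTS).items():
        print(pair, rights)
```

Every "r" points at an object at or below the subject and every "w" at one at or above it, so information can only flow up.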
Special Bits:
Setuid and setgid:
Allow non owner users to run file as owner/group
Sticky Bit:
When applied to directory, specifies that only owner of any file in directory can rename, move, or delete that file
MAC
Def’n: Mandatory Access Control
Rigid access control
Compares clearance levels of each
Ex: Bell-LaPadula model (BLP)
DAC/Linux
Def’n: Discretionary Access Control
Users of system can dictate if others see the files
Privileges can be assigned and revoked on per item basis
Use case: Linux
RBAC
Def’n: Role-Based Access Control
Divided in users, roles, and resources
No direct relationship with every item
Each user has number of roles (instead of “this user can/can’t”)
Each resource requires certain set of roles, widely used in industry
RBAC Models
Roles and sub-roles (with hierarchies)
Constraints
Provisions restrictions on relationships between roles
Types
Mutually exclusive (user only assigned to one role)
Cardinality (setting max # with respect to roles)
Prerequisite roles (users can only be assigned specific role if it’s already assigned to another role)
RBAC(1) = hierarchies NO, constraints NO
RBAC(2) = hierarchies YES, constraints NO
RBAC(3) = hierarchies NO, constraints YES
RBAC(4) = hierarchies YES, constraints YES
Social Engineering
Lie to get what you want
Easiest way into a system
Tactics:
Authority, intimidation, consensus, scarcity, familiarity, urgency
Malware
Common terms:
Advanced persistent threat (attacks over years from nation-states)
Payload (the thing we want to be delivered)
Zero-day exploit (exploits widely unknown vulnerability [creates huge rush to patch])
Trigger: could involve logic bomb
What’s a bot net
Def’n: A program that is inserted into software with the intent of harming the user’s CIA of data, apps, or operating system
Viruses:
Need a host
4 phases: dormant, propagation, triggering, execution
Common vectors: Word, Excel, PDF
Worms:
Don’t need a host
Actively seeks out machines to infect
Follows same phases as virus
Exploits software vulnerabilities in client or server programs
DDoS Attacks
Def’n: Distributed Denial of Service
Floods victims with illegitimate requests
Attack on AVAILABILITY
Ping DoS
Run ping many times
Doesn’t do much, easy to launch
Poison packets
Takes advantage of a fault the user system already has
Causes system to crash (ping of death)
Spoof IP addresses
Makes attacking systems harder to identify
Causes congestion in network flow
TCP handshake
Ensuring there’s actually a connection between two users
SYN spoofing
Referring to handshake
Server holds different fake connections in memory and can’t identify real connections
Reflection attacks
Sends packets to a known service (of an actual victim)
