Cryptography and Mitigation (Ch. 10,11) Flashcards
PKI
_ public key infrastructure
Symmetric vs asymmetric encryption
_ same key to encrypt and decrypt vs different keys
_ asymmetric requires PKI for certificates
_ asymmetric is much more resource intensive (so mainly only used to exchange symmetric keys)
Stream cipher
_ encrypts one bit or one byte at a time
_ more efficient with unknown or variable length data
Block cipher
_ encrypts data in blocks
_ more efficient with known-length data
ECC
_ elliptic curve cryptography
_ minimal overhead
_ useful in mobile devices
steganography
_ hides data within other files
_ e.g. embed data within whitespace of an image
Digital signature for email
_ hash of email encrypted with private key
Benefits of a digital signature
_ authentication
_ non-repudiation
_ integrity
MD5
_ message digest 5
_ hashing algorithm producing 128-bit hash
_ has vulnerabilities, so now used as a checksum
_ susceptible to hash collisions, making it unsuitable as a cryptographic hash (e.g. for hashing passwords)
SHA
_ secure hashing algorithm
_ can be used to verify integrity
SHA-2
_ created by NSA
_ SHA-256 creates 256-bit hashes
_ SHA-512 creates 512-bit hashes
_ SHA-224 truncates SHA-256
_ SHA-384 truncates SHA-512
SHA-3
_ created in a non-NSA public competition
_ alternative to SHA-2 (making same sizes available)
HMAC
_ hash-based message authentication code
_ fixed-length string requiring a shared secret to create and validate
_ encrypts MD5 hash
_ provides both integrity and authenticity
_ used in IPsec and TLS
_ (if hash is transmitted with message, attacker could revise hash for a revised message, but not with HMAC)
sha256sum
_ calculates SHA-256 of a file
Password spraying attack
_ a kind of brute force attack
_ loops over many accounts for each attempted password
_ increases time between attempts on any given account, helping to avoid password lockout
Pass the hash attack
_ attacker first somehow acquires a hash for a password
_ attacker then uses that hash in authentication
Birthday attack
_ named for the mathematical “birthday paradox”
_ in any group of 23 people, there is a 50% chance 2 of them were born on the same day of their birth year
_ attack guesses the hash (which has collisions)
Rainbow table attack
_ attempts to discover a password from a hash
_ rainbow table is a DB of hashes for passwords (e.g. hashes for every possible 9-digit password)
_ hashes are time-consuming to produce, but rainbow tables can be so huge that they save time
Key stretching
_ applies cryptographic stretching to a salted password to make the effort of guessing hashes much more time consuming
_ Bcrypt, PBKDF2, and Argon2 also key stretch
Bcrypt
_ salts password prior to encrypting
_ repeats process up to 60 times to make computationally expensive
_ 60-character string
pepper
_ a second random salt number
PBKDF2
_ 64+ bit salt with HMAC
_ can (but need not) repeat process many times to make computationally expensive
AES
_ advanced encryption standard
_ symmetric key algorithm
_ encrypts into 128-bit blocks
_ key sizes 128, 192, or 256 bits
_ fast, efficient, strong
3DES
_ “triple DES” (Data Encryption Standard)
_ improves on DES
_ encrypts in 3 passes with 3 different keys
_ more resource intensive than AES
_ used when hardware doesn’t support AES
Key exchange
_ asymmetric keys are used to secretly exchange a symmetric key
_ the symmetric key is then used for encryption and decryption because it’s much more efficient
Digital certificate
_ means by which public keys are shared
_ includes a public key
_ describes owner of the certificate
_ serial number
_ certificate authority issuer
_ validity dates
_ valid usage (encryption, authentication, etc.)
_ CN
_ sent to clients in response to an HTTPS request
CA
_ certificate authority
_ issues and manages digital certificates
_ provides trust in certificates
Ephemeral key
_ lasts only the duration of a session
RSA key lengths
_ 1024, 2048, 4096 bits
_ 1024 no longer considered secure
tokenization
_ obfuscation technique that replaces sensitive data with non-sensitive placeholders (i.e. tokens)
_ tokens have to be looked up within a database to retrieve what they represent
_ reduces exposure when one of the datasets is compromised
masking
_ showing asterisks instead of a typed value
Encryption with private key
_ for making digital signatures
_ not used to encrypt web traffic; that’s done with an ephemeral symmetric key
DSA
_ digital signature algorithm
_ encrypted hash of a message, using sender’s private key
_ authenticates the sender
_ sender can’t repudiate that they sent the message
_ ensures message integrity, as the hash was included
_ encrypting the message would do the same but take far more resources
S/MIME
_ secure/multipurpose internet mail extensions
_ used for digitally signing and encrypting/decrypting email
HTTPS TLS handshake
_ client requests an HTTPS session (but TLS is not restricted to HTTP)
_ server responds with certificate containing its public key
_ client creates a symmetric key
_ client encrypts symmetric key with server’s public key
_ client sends encrypted symmetric key to server
_ server decrypts symmetric key with server’s private key
_ data is thereafter encrypted with the symmetric key
Downgrade attack
_ forces system to downgrade its security
_ attacker then exploits the lesser security
_ e.g. if SSL is enabled and client says it doesn’t support TLS, server might allow SSL
_ e.g. if server supports a weak cipher suite, client might force it to downgrade to that
blockchain
_ distributed, decentralized public ledger
Blockchain block
Contains:
_ info about the transaction
_ info about the parties involved (digital signatures rather than names)
_ a hash that uniquely identifies the block
Blockchain block creation process
_ transaction occurs
_ networked computers verify transaction
_ transaction is recorded in a block
_ block is assigned a hash
_ block is added to the blockchain (referencing the prior block’s hash)
entropy
_ randomness of a cryptographic algorithm
_ greater randomness provides greater security
Plaintext attack
_ attacker has plaintext and its associated ciphertext
_ can then determine the encryption method
_ can then decrypt any ciphertext
Chosen-plaintext attack
_ attacker has part of the text associated with some ciphertext
_ can be used to find the encryption method
Root certificate
_ certificate that identifies the CA
_ goes in OS or browser’s root certificate store
_ browsers often ship with root certificates
_ can be used to sign certificates of other CAs to convey trust to those CAs, making CAs hierarchical
_ leaf node CAs of this hierarchy are used in apps and services
_ may be kept offline to prevent compromise, enabling it to re-issue certs for compromised certs
Certificate chain/path
_ chain of all certs from root to any given cert
CSR
_ certificate signing request
_ includes purpose of certificate, a public key, and info about the owner of the public key
_ CA receives CSR, validates owner’s identity, and issues a certificate containing the public key
_ validation process depends on declared purpose
RA
_ registration authority
_ assists with registration process
_ doesn’t issue certificates
_ used by large organizations
Reasons to revoke a cert
_ private key compromise
_ CA compromise
_ change of affiliation
_ superseded by another cert
_ cease of operation
_ certificate hold
_ certificate holder’s request
CRL
_ certificate revocation list
_ publicly available
_ often downloaded and cached, so it might not be up-to-date
OCSP
_ online certificate status protocol
_ API for determining whether a cert has been revoked
_ signs the response (+ timestamp) so that response can be reused by others with trust (aka “stapling”)
Validating a cert
_ check whether expired
_ check whether issued by a trusted CA (i.e. whether it’s in the certificate authorities store)
_ check whether revoked (requiring that the client request the CRL from the CA or use OCSP)
_ if the site provides a “stapled” OCSP response, the client can verify this response and need not perform the above checks, reducing traffic to the OCSP and CA
Certificate pinning
_ HTTPS response includes a header listing hashes derived from public keys that the site uses
_ each hash also has a max-age telling the client when to expire the hash
_ when clients reconnect to a website, they recalculate the hashes and compare with the returned values
_ matching hashes indicate a return to an already-verified website
Key escrow
_ process of placing a copy of a key in a safe environment for recovery purposes
KMS
_ key management system
_ manages entire life cycle of cryptographic keys (generation, storage, distro, rotation, retirement/revocation/destruction)
Common cert types
_ machine/computer - identifies the device within a domain
_ user - for encryption or authentication
_ email - encryption and signing
_ code signing - signing software and scripts
_ self-signed - privately used certs, not CA-backed
_ root - root cert of a CA
_ wildcard - starts with an asterisk, applying to all subdomains of a given domain
_ subject alternative name (SAN) - applies to different domains owned by the same org
_ domain validation - asserts an org owns a domain
Cert filename extensions
_ there are many cert file formats
_ e.g. .crt, .cer, .pem, .p7b, .p7c, .p7s, .pfx, .p12
_ file may have a format different from that indicated by its extension
CER
_ ASCII format cert
DER
_ binary format cert
PEM
_ privacy-enhanced email (cert format)
_ certs can be used for purposes other than email
_ very common format
P7B
_ cert format often used to share public keys
P12 and PFX
_ cert formats used to hold private keys
Perfect forward secrecy
_ generates a new random public key for each session
_ generates key non-deterministically (given same input, generates a different public key)
_ keys therefore are not reused
_ past compromised keys can’t be used in a later attack
Backout plan
_ steps to follow if a change goes wrong
_ restores system to a previous operational state ASAP
wiping
_ erases data from disks by overwriting various patterns multiple times
_ does not apply to SSDs, which require a special erase process; SSDs are usually therefore destroyed
degaussing
_ a powerful magnet renders data on tapes and disk drives unreadable
_ not effective on SSDs
COD
_ certification of (device or drive) destruction
Incident response plan
_ formal plan of how to respond to an incident
_ defines incident types (distinguishing events from incidents)
_ response team
_ roles and responsibilities
_ communication plan
Incident communication plan
_ first responders should know who to contact under what conditions
_ further internal communication plans with others
_ reporting requirements with external entities
_ constraints on external communication
_ plan for communicating with the customer
SOC
_ security operations center
Incident response process
_ preparation before an incident, including establishing procedure to prevent incidents
_ detection processes and operations
_ analysis to determine whether an event is an incident
_ containment of incident (e.g. isolating or unplugging system)
_ eradication of the components of the attack (and forensic analysis)
_ recovery, returning systems to normal
_ lessons learned
Order of volatility
Order in which to collect evidence. Most to least volatile:
_ cache
_ RAM
_ swap file or pagefile
_ disk
_ attached devices (e.g. USB drives)
_ network
dd
_ data duplicator command
_ good for taking snapshots for forensic examination
Legal hold
_ legal obligation to maintain different types of data as evidence
eDiscovery
_ identification and collection of electronically stored data (for legal purposes)
Chain of custody
_ process that assures that evidence has been properly controlled and handled
_ in security, this is a form that gets filled out indicating every person who was in possession of the asset
_ control is the effort to ensure that the written chain of custody remains valid
TTP
_ tactics, techniques, and procedures of an attack
SOAR
_ security orchestration, automation, and response
_ tools that respond to low-level security events automatically
_ e.g. responding to phishing emails
_ e.g. opening attachments in a sandbox to observe behavior
_ uses playbooks and runbooks
playbook
_ general guidelines
_ e.g. what to check to detect a phishing email
runbook
_ technical details for implementing playbook
_ uses the tools of the organization
_ either auto-handles the event or tasks an admin
Security governance
_ responsibilities and processes established by an organization to manage its security efforts
_ provides framework for making decisions
_ sets strategic direction and goals
_ indicates how to manage risk
AUP
_ acceptable use policy
_ of computer system or network
Information security policy
_ protects data and information systems
_ rules for managing, protecting, distributing information
_ e.g. password complexity, handling of sensitive data
Security guidelines
_ best practices (optional)
_ unlike policies, standards, and procedures, which are mandatory
Data governance
_ processes an organization uses to manage, process, and protect data
_ helps ensure or improve quality of data
Data roles
_ data owner - responsible for the data, including classifying it
_ data steward - entity to whom owner delegates management of the data
_ data custodian - does routine daily tasks like backup
_ data controller - org that collects info from employees for payroll processing
_ data processor - third-party org that works with data on behalf of the data controller
EOSL
_ end of service life
_ end of vendor support
Right-to-audit clause
_ clause in cloud contracts giving customers right to hire an auditor to review cloud provider’s records and systems
SLA
_ service level agreement
_ stipulates performance expectation
_ e.g. uptime/downtime levels
_ may include a monetary penalty for failure to meet
MOU
_ memorandum of understanding
_ aka memorandum of agreement (MOA)
_ expresses understanding between parties to work together toward a goal
_ less formal than an SLA and no monetary penalties
BPA
_ business partners agreement
_ written agreement detailing relationship between business partners and obligations
MSA
_ master services agreement
_ structured agreement for vendors used repeatedly
_ agreement applies across projects
_ a work order (WO) or statement of work (SOW) is written per project
Rules of engagement
_ what one is and is not allowed to do in security testing
GLBA
_ Gramm-Leach-Bliley Act
_ aka Financial Services Modernization Act
_ requires financial institutions to provide consumers with privacy notices
GDPR
_ general data protection regulation
_ an EU directive mandating privacy for EU individuals
_ applies globally
PCI DSS
_ payment card industry data security standard
_ contractual relationship between banks that issue credit cards and merchants
_ provides strict requirements for handling cardholder data
Due diligence
_ actions taken to ensure organization is aware of all legal requirements
Due care
_ continuous effort to ensure organization adheres to legal requirements and identifies non-compliance in a timely manner
CBT
_ computer based training