General Security Concepts part 2 Flashcards
Change management
Making sure changes to software or applications are completed properly.
- Upgrade software
- Patch an application
- Change firewall configuration
- Modify switch ports
Change approval process
- Complete the request forms
- Determine the purpose of the change
- Identify the scope of the change
- Schedule a date and time of the change
- Determine affected systems and the impact
- Analyse the risk associated with the change
- Get approval from the change control board
- Get end-user acceptance after the change is complete
What is the role of an owner in the change control process?
Own the process
Don’t perform the change
Process updates are provided to the owner as they oversee/manage the process.
IT team handles the change
Importance of stakeholders in the change control process
Who will be impacted by the change
Might not be so obvious
Change control Impact Analysis
Determine a risk value
Fixes can potentially break something else
Operating system failures
Data corruptions
Risk of NOT making the change (Security vulnerability)
How can you test the results of a change?
Test before implementing change.
Sandbox testing environment (Technological safe space)
In a sandbox, we can load a duplicate of the software and try the upgrade, apply the patch, test and confirm before deployment.
Back out plan
Ability to revert your changes back to a configuration which was proven to have worked in the past.
Some changes are difficult to revert. Need good backups and ideas of how to revert back to original configuration.
Maintenance window (change control)
When is the change happening?
Potential downtime would affect a large part of production
Challenging for 24-hour production schedules.
Technical Change management examples:
Change to allow/deny list
Allow list (Nothing runs unless it has been approved - very restrictive)
Deny list (Nothing on the deny list can be executed) (Anti-virus, Anti-malware)
Downtime
Services will eventually be unavailable
- The change process can be disruptive
- Usually scheduled during non-production hours
- If possible, prevent any downtime
Restarts
Some changes require physical restarts
Services - stop and restart the service
Application - close the application completely. Launch a new application instance.
Legacy Application (old)
Legacy applications run for a very long time. No longer supported by the developer. Hard to make changes to these systems.
Become the expert in this system, as it may not be as complicated as you may think.
Dependencies
A service will not start without other active services.
Modifying one component may require changing or restarting other components
Dependencies may occur across systems.
Documentation
It can be challenging to keep up with changes. Documents required with the change management process
Updating diagrams (Modification to network configurations,
Version control
Track changes to a file or configuration data over time
Public Key Infrastructure
Policies, procedures, hardware and software responsible for creating, distributing, managing, storing and revoking digital certificates.
Symmetric encryption
A single, shared key which is used for encryption and decryption. (A shared secret)
This does not scale very well.
Very fast to use, has less overhead than asymmetric encryption. Often combined with asymmetric encryption
Asymmetric Encryption
Two keys are mathematically related. One is the private key and one is the public key.
The private key is the only key that can decrypt data encrypted with the public key.
You cannot derive the public key from the private key and vice versa. (Cannot reverse engineer)
Examples of stored data
- SSD, Hard drive, USB drive, Cloud storage
- Full-disk volume encryption - BitLocker, FileVault
- File level encryption - Third party utilities
Database Encryption
- Transparent encryption, Encrypt all database information with a symmetric key
- Record-level encryption, use symmetric keys for each column on a table for example. Some is displayed in plain text but sensitive information is encrypted
Transport Encryption
Protect data traversing the network.
HTTP: Example of encrypting data in the application
VPN (Virtual Private Network)
- Encrypts all data transmitted over the network, regardless of the application. Creates encrypted tunnel.
- Client based VPNs encrypted via SSL/TLS
- Site to site VPN is encrypted using IPsec
Encryption Algorithms
The formula used to encrypt and decrypt data. Both sides decide on the algorithm before encrypting the data.
There are advantages and disadvantages between algorithms. Security level, speed, complexity of implementation
What are the two types of encryption algorithms?
DES Encryption Algorithm (More complex)
AES Encryption Algorithm
Key Stretching
Creating a hash of a password and then making a hash of that hash, then making a hash of that hash
Key Exchange - How to do this successfully?
Out of band key exchange. Telephone, courier, in person
In-band key exchange.
- Protect the key with additional encryption. Often you could use asymmetric encryption to deliver a symmetric key.
Key Exchange algorithm
Two separate pairs of a public key and private key are combined to create a symmetric key which can be used to decrypt data.
Trusted platform module
Hardware designed to provide cryptographic functions for that computer.
Features of TPM
Cryptographic Processor - Random Number generator, key generators
Persistent Memory
Versatile Memory
- Storage keys, Hardware configuration information
- Securely store BitLocker Keys
- Password protected (No way to use brute force).
Hardware Security Module
Used in large environments
- Used in large environments, clusters, redundant power
- Securely store thousands of cryptographic keys.
High end cryptographic hardware. Plug-in Card or separate hardware device.
Key Backup. Secure in hardware
Cryptographic accelerators - Offload that CPU overhead from other devices.
Key Management System
Manage all keys from a centralised manager.
Keeping data private. How?
Secure Enclave - Implemented as a hardware processor, Isolated from the main processor,
Provides extensive security features
Has its own boot ROM
Monitor the system boot process
True random number generator.
Real time memory encryption
Root Cryptographic Keys
Perform AES encryption in hardware.
Obfuscation
The process of making something unclear - making something much more difficult to understand.
Hide information within an image - Steganography
Common Steganography techniques
- Network based (Embed messages in TCP packets)
- Use an image - Embed the message in the image itself
- Invisible watermarks - Yellow dots on printers
- Video Steganography
- Tokenisation - Replace sensitive data with a non sensitive placeholder
Data Masking
Hiding part of the data with **
Hashing
Represent data as a short string of text
Blockchain
A distributed ledger
A ledger which is available for everyone to see and keeps track of transactions.
Records and replicates to anyone and everyone.
Practical Applications of the blockchain
- Payment processing
- Digital Identification
- Supply chain monitoring
- Digital voting
What does a digital certificate include?
- A digital signature
- A public key
How does a digital signature add trust?
PKI uses certificate authorities for additional trust.
Web of trust adds other users for additional trust
Is a certificate authority required?
No. Certificates can be built into the Operating System. Part of the windows domain services.
Many 3rd Party options for certificate creation.
What's in a digital certificate and what is the standard format?
X.509 - Format
Certificate details:
Serial Number
Version
Signature algorithm
Issuer
Name of the cert holder
Public key
Extensions
Certificate signing request.
- Create a digital certificate using the public key with the applicant's identifying information to create a certificate signing request (CSR).
- CSR sent to the certificate authority, who validates the request.
- CA signs the digital certificate with their private key and returns the digitally signed certificate back to the applicant.
Wildcard Certificates
Allows you to put the name of the domain and the device name associated with it.
Can make a single certificate to be distributed across all devices.
Certificate Revocation list
List of all of the certificates which have been revoked. Maintained by the certificate authority.
OCSP Stapling?
OCSP status is stapled into the SSL/TLS handshake. Digitally signed by the CA.