Quiz 2 Ch.9, 10, 11, 17 Flashcards
Ch. 9 Need for firewalls
Internet connectivity is essential but creates threat
FW inserted between premises network and internet to establish a controlled link
FW characteristics
Design goals
- all traffic from inside to outside must pass through FW
- FW immune to penetration
FW access policy
this lists types of traffic authorized to pass through FW
- includes address ranges, protocols, applications, content
FW Filter Characteristics
IP address and protocol values
- Application protocol
- User identity
- Network activity
FW Capabilities and limits
C: Defines single choke point
- can serve as platform for IPSec
L: Cannot protect against attacks bypassing firewall
- may not protect fully against internal threats
Types of FW
- Packet Filtering FW
- Stateful inspection FW
- Application-level gateway
- Circuit-level gateway
Packet Filter
adv.
- Simplicity
- typically transparent to users and fast
weaknesses.
- can't prevent attacks that employ application-specific vulnerabilities
- applies rules to each incoming and outgoing IP packet
Stateful Inspection FW
Tightens rules for TCP traffic by creating a directory of outbound TCP connections
- Reviews packet info but also records info about TCP connections
Application Level gateway
acts as relay of application level traffic
- must have proxy code for each application
- tend to be more secure than packet filters
- disadv. is additional processing overhead on each connection
Circuit level gateway
Sets up 2 TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host
- used when inside users are trusted
SOCKS circuit level gateway
To provide framework for client-server applications in TCP/UDP domains
Bastion Hosts
- System identified as critical strong point
- Serves as platform for an application level or circuit level gateway
Characteristics of BH
- runs secure OS only essential services
- may require user authentication to access proxy
each proxy:
- restricts features
- small, simple
Host-based FW
used to secure an individual host
- available in OS or can be provided as an add-on package
Personal FW
- Controls traffic between a PC and internet
- software module
FW Topologies
- Host-resident FW
- Screening router
- Single bastion inline
- Single bastion T
- Double bastion inline
- Double bastion T
- Distributed FW configuration
DMZ demilitarized zone
Systems that are externally accessible but need some protection are usually located in the DMZ
Intrusion Prevention Systems IPS
Capability to attempt to block/prevent detected malicious activity
- host-based, network-based, distributed/hybrid
- use anomaly detection to identify behavior that is not that of legitimate users
Host-Based IPS (HIPS)
Can make use of either signature or anomaly detection techniques to identify attacks
Sig: focus is on the specific content of app. network traffic
Ano.: IPS is looking for behavior patterns that indicate malware
HIPS Examples of the types
Modification of system resources
- Privilege-escalation exploits
- Buffer-overflow exploits
- access to email contact list
HIPS capabilities
Can be tailored to specific platform
- set of general purpose tools may be used for desktop or server
- Use sandbox approach
Role of HIPS
provide an integrated, single-product suite of functions
Network-Based IPS NIPS
Inline NIDS with authority to modify or discard packets and tear down TCP connections
NIPS
Makes use of signature/heuristic detection and anomaly
- provide flow data protection
NIPS- methods used to identify malicious packets
- Pattern matching
- Stateful matching
- Protocol anomaly
- Traffic anomaly
- Statistical anomaly
Distributed or hybrid approach
Digital Immune System
Comprehensive defense against malicious behavior caused by malware
- gathers data from a large number of host- and network-based sensors, relays this info to a central analysis system to analyze, then responds/defends
Snort inline
- Enables Snort to function as an intrusion prevention system
- includes a replace option which allows the Snort user to modify packets rather than drop them
Ch. 10 Buffer overflow
- very common attack mechanism - first: Morris Worm in 1988
- a condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other info
BO basics
Programming error when a process attempts to store data beyond the limits of a fixed-sized buffer
- Overwrites adjacent memory locations
- Buffer could be located on stack
BO Attacks
To exploit a BO an attacker needs:
- to identify a BO vulnerability in some program that can be triggered using externally sourced data under the attacker's control
- to understand how that buffer is stored in memory and determine potential for corruption
Stack BO
Occurs when buffer is located on the stack
- also called stack smashing - used by Morris Worm
- exploit included an unchecked BO
Stack frame - when one function calls another it needs somewhere to save return address
Shellcode - Code supplied by attacker
- function is to transfer control to a user command-line interpreter, or shell, which gives access to any program
- Machine code -specific to processor and OS
- need good assembly language skills to create
- Metasploit project - provides useful info to people who perform penetration testing
BO Defenses
- Compile time defenses
- Run-time defenses
Compile time defenses
Use modern high-level language
- not vulnerable to BO attacks
DISADV.
- additional code must be executed at run time to impose checks
- flexibility and safety comes at a cost in resource use
CTD
- C designers placed much more emphasis on space efficiency and performance than on type safety
- Programmers need to inspect the code and rewrite any unsafe coding
- Programmers have audited existing code base, including OS, standard libraries and common utilities
CTD Stack Protection
add function entry and exit code to check stack for signs of corruption
- use random canary
- Stackshield and Return Address Defender (RAD)
Run-time Defenses: Executable address space protection
use virtual memory support to make some regions of memory non-executable
RTD: Address Space Randomization
- Manipulate location of key data structures
- Randomize location of heap buffers
- Random location of standard library functions
RTD: Guard Pages
- Place guard pages between critical regions of memory
- Further extension places guard pages between stack frames and heap buffers
Other forms of overflow attacks
- Replacement stack frame
Variant that overwrites buffer and saved frame pointer address
- off-by-one attacks - allow 1 more byte to be copied than there is space available
Defenses - any stack protection
- use non-executable stacks
- randomization
Return to System call
- Defenses - any stack protection, non executable stacks, randomization of stack
- Stack overflow variant replaces return address with standard library function
Heap overflow
Attack buffer located in heap - located above program code
- no return address - no easy transfer of control
Defenses - make heap non-executable, randomizing allocation of memory on heap
Global data overflow
Defenses - non-executable or random global data region, move function pointers, guard pages
- Can attack buffer located in global data - may be located above program code
Ch. 11 Software Security
Vulnerabilities result from poor programming practices
- consequence of insufficient checking and validation of data and error codes
Software quality and reliability: concerned with accidental failure of program
- improve using structured design and testing; eliminate as many bugs as possible
- concern is not how many bugs but how often they are triggered
SS: Attacker chooses probability distribution
Defensive Programming
Designing software so that it continues to function even when attacked
Key rule is to never assume anything, check all assumptions and handle any possible error states
DP
- Programmers often make assumptions about the type of inputs a program will receive
- Requires a changed mindset to traditional programming practices
Security by design
Software Assurance Forum for Excellence in Code SAFECode
Handling Program input
- incorrect handling is a very common failing
- input is any source of data from outside the program whose value is not explicitly known by the programmer
- must identify all data sources
- explicitly validate assumptions on size and type
Input size & Buffer Overflow
Allocated buffer size isn't confirmed
- resulting in BO
- Testing may not identify vulnerability
- safe coding treats all input as dangerous
Writing safe program code
- Correct algorithm implementation - compare machine code with original source
- ensuring that machine language corresponds to algorithm
- correct interpretation of data values
- correct use of memory
- prevent race conditions with shared memory
Interpretation of program input
may be binary or text
- character sets being used
- failure to validate may result in an exploitable vulnerability
- 2014 Heartbleed OpenSSL bug
Injection attacks
occur in scripting languages
- encourage reuse of other programs
Cross Site Scripting XSS ATTACKS
where input provided by one user is subsequently output to another user
- in scripted web apps
Validating Numeric Input
- internally stored in fixed sized value - 8, 16, 32, 64 bit integers
- must correctly interpret text form and process consistently
- issues comparing signed to unsigned
Input fuzzing
1989, University of Wisconsin
- software testing technique that uses randomly generated data as inputs to program
- can also use templates to generate classes of known problem inputs
Operating System interaction
- programs execute on systems under the control of OS - systems have concept of multiple users
Environment variables
collection of string values inherited by each process from its parent
- commonly misused by a local user attempting to gain increased privileges
Use of least privilege
run programs with least privilege needed to complete their function
- determine appropriate user and group priv.
System calls and standard library functions
- programs use system calls and standard library functions for common operations
Preventing race conditions
programs may need to access common system resource
- need suitable synchronization mechanisms - lockfile
Safe temporary files
secure temp file creation and use requires use of random names
Ch. 16 Physical and Infrastructure Security
Logical security
Physical security
Premises security
Physical Security Threats
- protects physical assets that support the storage and processing of info
Threats:
- Environmental threats
- Technical threats
- human-caused threats
Water damage
- primary danger is an electrical short
- pipe may burst
- sprinkler set off
- floodwater leaving muddy residue
Chemical, Radiological, Biological hazards - discharges can be introduced through vents, windows,
Dust and infestation
- block ventilation
Technical Threats
Power util. problems:
- under-voltage - dips/brownouts/outages; interrupts service
- over-voltage - surges/faults; destroy chips
- noise - powerlines; may interfere with device operation
Electromagnetic interference EMI
Human-caused threats
- less predictable
- unauthorized physical access
- theft of equipment
- vandalism
- misuse of resources
Physical Security Prevention and Mitigation measures
- one prevention measure is use of cloud computing
- inappropriate temperature
- fire and smoke alarms
- water; cutoff sensors
Mitigate Tech threats
critical equipment should be connected to emergency power source
- deal with EMI with filters and shielding
Mitigate Human caused threats
Restrict building access
- patrol and guarded
- locks at entry points
- tracking device on movable resources
- sensors alarms
- surveillance
Recovery from Physical security breaches
Redundancy - provides recovery from loss of data
- important data available off-site
- encrypted remote backup
Physical and logical security integration
- numerous detection and prevention devices
- personal identity verification
- use of PIV credentials in physical access control systems
Ch. 17 Human Resources Security
Security Awareness, Training and Education
Benefits to Organizations
improve employee behavior, increase accountability, reduce liability, comply with regulations
Awareness
- Seeks to inform and focus an employee’s attention on security issues within org.
- program tailored to needs of org.
Training
What people should do and how
- focus on computer security practices
- develop secure mindset
- how to make tradeoffs involving security risks, costs, benefits
- risk management goals, measurement, leadership
Education
Targeted at security pros whose jobs require expertise in security
- career development
- most in depth program
Employment Practices and Policies
- Managing personnel with potential access is an essential part of information security
Employee involvement
Security in Hiring process
to ensure employees understand their responsibilities and are suitable for the roles they are considered for
- need appropriate background checks and screening
During employment
Objectives with respect to current employees - reduce risk of human error
- 2 elements of personnel security:
- comprehensive security policy document
- an ongoing awareness and training program
Termination of employment
- termination security objectives:
- ensure employees exit org. in an orderly manner
- critical actions:
- remove name from all authorized access lists
- inform guards that the ex-employee is not allowed
Email and internet use policies
concerns for employers:
- work time consumed in non-work related activities
- risk of importing malware
- possible harm, harassment
Security incident response
- procedures need to reflect possible consequences of an incident
- systematic incident response
- quicker recovery to minimize loss, theft, disruption of service
Computer Security Incident Response Team (CSIRT)
Rapidly detecting incidents
- Minimizing loss and destruction
- Mitigating weaknesses that were exploited
- restoring computing services
Security incidents
unauthorized access to system
modification of info on system
Detecting incidents
- by users or admin. staff
- automated tools - system integrity verification, log analysis, network and host IDS
Triage Functions
Ensure that all info destined for incident handling service is channeled through a single focal point
- responds to incoming info by:
requesting additional info in order to categorize incident
Responding to incidents
procedures should:
- detail how to identify the cause
- describe action taken to recover
- identify categories of incidents and approach taken
- identify management personnel responsible
- identify circumstances when security breaches should be reported
Documenting incidents
should immediately follow a response to an incident