Cryptographic transfer protocols used to exchange data securely

Types of Event Logs

1. Account Activity Logs
2. Network Activity Logs
3. Operating System/Server Logs
4. Application Activity Logs (role-based logging, API logging, system performance logs, HTTP logging, etc.)

 

Account Activity Logs

Any activity performed by administrators and privileged accounts, including:

1. Creation and de-provisioning of accounts
2. Addition or removal of user accounts from the admin group
3. Granting, elevating, or removing privileges
4. Successful and failed login attempts
5. Locking and unlocking of accounts
6. Password changes

 

Network Activity Logs

1. HIDS/NIDS logs
2. Firewall logs
3. Router logs
4. Load balancer logs
5. Switch logs

 

Operating System/Server Logs

1. System logs
2. Process logs
3. Boot logs
4. Server logs (IIS, Apache)

 

Application Logs

1. Role-based logging
2. API logging
3. Session management
4. Input validation/output validation failures
5. HTTP information (status codes, HTTP headers)

 

Events of interest

1. Repeat login attack - 3 or more failed login attempts in 1 minute
2. Repeat firewall attack - 15 or more firewall drop/reject/deny events from a single IP address in 1 minute
3. Repeat HIDS attack - 7 or more IDS alerts from one IP address in 1 minute
4. Virus/malware identified on a host
5. Traffic to known attacker - alert on any event to an IP address that is part of a blacklisted network
6. Possible outbreak - excessive connections or excessive malware on a large number of hosts on the same subnet
7. Large file transfers
8. Critical errors on a system/application crashes
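An added example (not part of the original notes) that applies the three threshold rules above, plus the blacklisted-destination rule, to a constructed, time-ordered event list using a sliding one-minute window. The event tuple layout, keying the counters by source address, and the blacklisted address are assumptions made for the example.

```python
from collections import defaultdict, deque

# Thresholds from the "Events of interest" list: event type -> (count, window in seconds).
RULES = {
    "login_failed": (3, 60),   # repeat login attack
    "fw_deny":      (15, 60),  # repeat firewall attack
    "ids_alert":    (7, 60),   # repeat HIDS attack
}

# Constructed blacklist for the "traffic to known attacker" rule (hypothetical address).
BLACKLIST = {"203.0.113.7"}


def correlate(events):
    """Return alert strings for a time-ordered list of (ts_seconds, type, src_ip, dst_ip).

    Threshold rules are keyed by (type, source); a rule fires when the count inside
    the sliding window reaches the limit, then the window is cleared so one burst
    yields one alert instead of one per additional event.
    """
    windows = defaultdict(deque)  # (type, src) -> timestamps still inside the window
    alerts = []
    for ts, etype, src, dst in events:
        if dst in BLACKLIST:      # single-event rule: any traffic to a blacklisted address
            alerts.append(f"{ts}: traffic from {src} to blacklisted {dst}")
        if etype not in RULES:
            continue
        limit, span = RULES[etype]
        q = windows[(etype, src)]
        q.append(ts)
        while ts - q[0] >= span:  # evict timestamps older than the window
            q.popleft()
        if len(q) >= limit:
            alerts.append(f"{ts}: {etype} x{len(q)} from {src} within {span}s")
            q.clear()
    return alerts


# Constructed sample: a login burst, a lone failure from another host, one blacklisted
# destination, 15 firewall denies in 42 s, and only 6 IDS alerts (below the threshold of 7).
SAMPLE = (
    [(0, "login_failed", "198.51.100.5", "10.0.0.1"),
     (20, "login_failed", "198.51.100.5", "10.0.0.1"),
     (45, "login_failed", "198.51.100.5", "10.0.0.1"),
     (70, "login_failed", "198.51.100.9", "10.0.0.1"),
     (80, "http", "10.0.0.22", "203.0.113.7")]
    + [(100 + 3 * i, "fw_deny", "192.0.2.44", "10.0.0.1") for i in range(15)]
    + [(200 + 5 * i, "ids_alert", "192.0.2.44", "10.0.0.1") for i in range(6)]
)

if __name__ == "__main__":
    for line in correlate(SAMPLE):
        print(line)
```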

 

Windows Initial System Examination

1. Examine network configuration
   arp -a
   netstat
   ipconfig /all
2. List network connections
   netstat -nao
   net session
   net use
3. List users and groups
   lusrmgr.msc
   net users
   net localgroup administrators
   net group administrators
4. Look at scheduled jobs
   schtasks
5. Look at auto-start programs
   msconfig
6. List processes
   taskmgr
   wmic process list full
7. List services
   net start
   tasklist /svc
8. Check DNS settings
   ipconfig /displaydns
   check the hosts file under %SystemRoot%\System32\drivers\etc
9. Verify the integrity of files
10. Research recently modified files
11. Avoid using Windows Explorer, as it modifies system details; use the command line

 

Unix Initial System Examination

1. Look at event log files in these directories
   /var/log
   /var/adm
   /var/spool
2. List recent security events
   wtmp
   who
   last
   lastlog
3. Examine network configuration
   arp -a
   netstat -rn
4. List network connections
   netstat -nap
   lsof -i
5. List users
   more /etc/passwd
6. Look at scheduled jobs
   more /etc/crontab
   ls /etc/cron.*
   ls /var/at/jobs
7. Check DNS settings and the hosts file
   more /etc/resolv.conf
   more /etc/hosts
8. Look at auto-start services
   chkconfig --list (Linux)
9. List processes
   ps aux
   top
10. Find recently modified files
   ls -lat

 

Assessing a suspicious situation: steps

1. Examine recently reported problems, intrusion detection and related alerts for the system.
2. Look at system, security and application logs for unusual events.
3. Examine network configuration details and connections; note anomalous settings, sessions or ports.
4. Look at the list of users for accounts that do not belong or should have been disabled.
5. Look at a listing of running processes or scheduled jobs for those that do not belong there.
6. Look for unusual programs configured to run automatically at system start time.
7. Check ARP and DNS settings; look at the contents of the hosts file for entries that do not belong there.
8. Look for unusual files and verify the integrity of OS and application files.
9. Use a network sniffer, if present on the system or available externally, to observe for unusual activity.

 

Incident Response Steps

1. Preparation - gather and learn the necessary tools, security policies, and procedures
2. Identification - detect the incident, determine its scope, and involve the necessary parties
3. Containment - contain the incident to minimize the effect on neighboring systems
4. Eradication - eliminate compromise artifacts; path to recovery
5. Recovery - restore the system to normal operations, possibly via reinstall or backup
6. Wrap-up - post mortem, lessons learned, write up incident details and collected data

 

SSDLC

1. Requirements phase - review requirements, vendor assessment, PIA (OCP)
2. Architecture review - architecture diagram reviewed and remediation guidance provided on minimum/recommended security controls
3. Security testing - SAST, DAST, pentest
4. QA - final review and approval

 

Cross Site Scripting

Data from an untrusted source is injected into a web application and processed normally through a web request. The injected content is usually JavaScript.

Persistent (Stored) XSS - Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, a message forum, a visitor log, a comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Non-Persistent (Reflected) XSS - Reflected attacks are delivered to victims via another route, such as an e-mail message or some other website. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser.

Remediation - WAF, filters, ORM framework (Django / Flask), Content Security Policy, and input validation (front end and back end)

 

Security Misconfiguration

Security misconfiguration is the most commonly seen issue. It is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched and upgraded in a timely fashion.

Examples:

1. HSTS not enforced
2. Content Security Policy not enforced
3. Verbose banner information

Remediation - A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to set up a new secure environment.

 

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.

Remediation -
1. Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage.
2. Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.

 

Cross Site Request Forgery

Cross Site Request Forgery forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

Remediation -
1. Verify origin - X-Forwarded header, CSP
2. Double submit using a pseudorandom value
3. Stateful with a synchronizer token, or stateless with an encrypted/HMAC token

Any state-changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session, a large random value, and generated by a cryptographically secure random number generator. The CSRF token is added as a hidden field for forms, as headers/parameters for AJAX calls, and within the URL if the state-changing operation occurs via a GET. See the "Disclosure of Token in URL" section below. The server rejects the requested action if the CSRF token fails validation.
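An added example (not code from the original notes) of the stateless HMAC-token variant described above: the token carries a CSPRNG nonce and its issue time, and the MAC is computed over the caller's session id, so it validates only for that session and only until it expires, with nothing stored server side. The session id format, the one-hour lifetime and the form handler are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret (constructed at start-up here); never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, payload, key):
    # Binding the session id into the MAC makes the token unique per user session
    # without storing anything server side.
    return hmac.new(key, f"{session_id}|{payload}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id, key=SERVER_KEY, now=None):
    """Return '<nonce>.<issued_at>.<mac>' for the given session (CSPRNG nonce)."""
    nonce = secrets.token_hex(16)
    issued = int(time.time() if now is None else now)
    payload = f"{nonce}.{issued}"
    return f"{payload}.{_mac(session_id, payload, key)}"


def validate_token(token, session_id, key=SERVER_KEY, max_age=3600, now=None):
    """True only if the token is well formed, unexpired, and MAC'd for this session."""
    try:
        nonce, issued_str, mac = token.split(".")
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False                      # malformed or missing token
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= max_age:
        return False                      # expired, or claims to be issued in the future
    expected = _mac(session_id, f"{nonce}.{issued_str}", key)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def handle_state_change(form, session_id):
    """Server side of a state-changing POST: 403 unless the hidden-field token validates."""
    if not validate_token(form.get("csrf_token", ""), session_id):
        return 403
    return 200   # assumption: the real handler would perform the action here
```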

 

Buffer Overflow

A buffer overflow, or buffer overrun, occurs when more data is put into a fixed-length buffer than the buffer can hold.

Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code - effectively taking over the machine.

Remediation - The easiest way to prevent these vulnerabilities is to use a language that does not allow for them. C allows these vulnerabilities through direct access to memory and a lack of strong object typing. Languages that do not share these aspects are typically immune. Java, Python, and .NET, among other languages and platforms, do not require special checks or changes to mitigate overflow vulnerabilities.

 

Hash

A number generated by an algorithm from a text string; also known as a message digest. It is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.

MD5 - 128-bit hash value; vulnerability - brute force
SHA-1 - 160-bit hash value; vulnerability - collision attack
SHA-256, SHA-512 - 256-bit and 512-bit hash values

Steps for the SSL/TLS process

1. Negotiation phase - cipher suites, lifetime
2. Authentication - verify identity (X.509 certificate, PKI)
3. Exchange of keys - DH / RSA encryption
4. Begin secure transmission

 

HAGLE

1. Hashing - MD5, SHA-1, SHA-256
2. Authentication - validate certificates, RSA digital signatures, pre-shared keys
3. Group - DH, RSA encryption
4. Lifetime - 1 hour / 24 hours
5. Symmetric encryption - AES, DES, 3DES, RC5

 

Harden Server

1. Disable unnecessary services and accounts
2. Enable strict login/password policies
3. Ensure the system stays up to date through the patch management cycle
4. Ensure file systems are correctly configured
5. Configure firewall and monitoring tools
6. Ensure proper logging
7. Vulnerability assessments

 

SSL/TLS

Cryptographic transfer protocols used to exchange data securely over the internet.

Accomplished by asymmetric and symmetric encryption:

asymmetric - integrity, confidentiality, and authenticity - public/private key pair
symmetric - confidentiality - one key

 

RSA

The idea of RSA is based on the fact that it is difficult to factorize a large integer. The public key consists of two numbers, where one number is the product of two large prime numbers. The private key is also derived from the same two prime numbers, so if somebody can factorize the large number, the private key is compromised.

 

Diffie-Hellman

Diffie-Hellman key exchange (D-H) is a protocol that allows two entities to share a secret key over an insecure network such as the internet. Ensures forward secrecy.

 

Elliptic Curve

Requires smaller keys compared to other algorithms, which is good for mobile devices in terms of processing power and bandwidth.

 

Block Cipher

A method of encryption that processes fixed-size blocks of data rather than streams.

 

Stream Cipher

An encryption method that encrypts a single bit at a time. Popular when data comes in long streams (such as with older wireless networks or cell phones). Example: RC4.

 

Confidentiality

The assurance that messages and information are available only to those who are authorized to view them.

 

Integrity

Integrity makes sure that information is not tampered with while it travels from source to destination or while it is stored at rest.

 

Availability

The availability concept is about making sure that the services of an organization are available when needed.

 

Threat

A threat is a potential event that could take advantage of your protected asset's vulnerabilities and result in the loss of confidentiality, integrity, and/or availability (C-I-A). There are three main types of threats: natural threats (e.g., floods or a tornado), unintentional threats (such as an employee mistakenly accessing the wrong information), and intentional threats.

 

Risk

Risk refers to the potential for loss or damage when a threat exploits a vulnerability.

 

 
