CTI12318 - Infosec Notes
School: Full Sail University
Course: CTI2318
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 11
Uploaded by LieutenantResolve13271
Intro to Infosec Notes
Week 1
Lecture Notes
To understand and apply encryption standards to protect data.
To identify and apply network security concepts.
To secure OS against unauthorized programs and users.
To identify and apply risk-management strategies and regulatory compliance requirements related to information security.
Be cautious of using ChatGPT – Professor will know.
Security 501 is what the course is based on but 601 is the most recent.
End of class presentation
Security Issues
10-minute keynote/PowerPoint presentation
Select one of 10 topics in FSO.
Presentation should cover:
o Overview of the issue
o Why it is important to cloud security.
o Compensating controls for the issue (Defense in Depth)
o Risk to organizations from the issue
Lab 1 – User Security – going to be creating a strong and a weak password.
Lab 2 – Patch, Harden, Protect
CIS Controls and CIS Benchmarks
1.1 – In the News – Phishing
$3M Mattel Phishing Scam
Phishing email claimed to be new executive needing a bill to China paid.
Mattel had controls requiring two signoffs that were poorly implemented.
The only reason they recovered the money was a hall conversation and a bank holiday.
How does this impact information security?
$3M is a lot of money.
What should be done?
Double check the sign-off policy.
How could you protect your system?
Multi-faceted problem. Education and technology measures that can be implemented.
1.2 – CIA and Defense in Depth
Confidentiality, Integrity, and Availability
The framework of the mindset required to practice information security as a whole.
Defense in Depth
Creating layered security
o If one control fails, another may stop the attack
o “Belt and Suspenders”
o Fail safe v Fail Open
o Mixture of controls
  Preventative – preventing an action from occurring.
  Detective – detecting an action occurring.
  Corrective – correcting an action that occurred.
o Physical, Logical, Administrative
  Physical – locks on doors, security cameras
  Logical – fingerprint readers, passwords, 2FA
  Administrative – rules
Castles and Moats
Traditional networks and systems are not defended any differently than castles.
Your most important assets are in the middle.
You surround them with as many protections as you can.
How does this change with Software Defined Networks?
What happens when one fails?
1.3 – Passwords
Creating Passwords
Complexity
Length
History
Age
haveibeenpwned.com – check if your email/password has been compromised!
Pass phrase (sentences)
Choose a random sentence, not lyrics. Hackers probably won’t guess it.
Length is more important than complexity. Spaces are considered to be special characters.
Hashing
One-way mathematical function that takes clear text and transforms it into unreadable data that cannot be turned back into the original.
Salting
Adds random data to the password before it is hashed, so identical passwords do not produce identical hashes. Will add a little more complexity.
Cracking
The process of trying to figure out the password.
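An added example (not from the course notes) tying together the hashing, salting and “length over complexity” points above: each password gets its own random salt before a slow hash, verification recomputes with the stored salt, and a rough search-space estimate shows why a long passphrase with spaces beats a short complex password. PBKDF2_ROUNDS is an assumed work factor and the sample passwords are constructed.

```python
import hashlib
import hmac
import math
import os

# Assumed work factor for this demo; production values are tuned per hardware.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is
    given, so two users with the same password end up with different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def search_space_bits(password):
    """Rough brute-force search space in bits: length * log2(alphabet size).
    The alphabet is inferred from the character classes actually used; a space
    counts as a special character, as the notes say."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))
    print(round(search_space_bits("P@ssw0rd")), round(search_space_bits("my dog ate the blue couch")))
```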
Password Managers
Create strong passwords.
Create unique passwords.
Securely store passwords.
Passwords are encrypted.
Keep a password history.
Prevent password reuse.
If not using one, you probably should. Pain to set up, though.
LastPass, KeePass, 1Password
Will change your passwords for you if you need to.
Maybe don’t use the correct information for security questions. Can use the password manager notes section for this.
1.4 – Online Safety and Phishing Awareness
Online Safety
User behavior is the #1 risk.
o Phishing, malware, and unauthorized downloads by trusted users
o Shared passwords
o Data leakage
o User awareness
o Policies
Privacy Badger – extension for blocking tracking, etc.
Ghostery
uBlock Origin
Phishing Awareness
The most dangerous threat
All email cannot be blocked.
Well crafted phishing attempts are nearly impossible to detect.
Things to look out for:
o Sense of urgency
o Behavior outside the norm
o Issue requiring “secrecy.”
o Links or procedures outside SOP
1.8 – In the News – IoT
IoT Botnet causes internet outage.
o In October 2016 Dyn was targeted by a botnet that disrupted numerous top Internet destinations.
How does this impact security?
What should be done?
How could you protect your system?
1.9 – Controls and Techniques
You will never know everything that needs to be secured.
The best way to understand controls is to start with a baseline.
Many organizations have reliable resources that can guide you to create security baselines:
o OWASP Top 10 – the 10 most commonly found vulnerabilities in web-based applications.
o DISA STIGs – guides on how to harden operating systems, made by the Department of Defense.
o SANS Checklists – SANS is a large educational institute.
o Common Criteria
1.10 – Data Security
Security Concepts
OS Hardening
o Why harden?
o What is hardening?
  Concept of making yourself harder to attack.
  For example – removing or uninstalling features that come preinstalled but are not actually needed.
Lockout, Wipe, Tracking, Encryption
o The device was stolen, now what?
o Remote lockout, remote wipe, and if encryption is available then use it.
Endpoint Protection – AV, HIDS, HIPS
o Why so many agents (agent fatigue)?
o Defense in depth.
o The endpoints are the new perimeter.
Virtualization
o Guest Breakout
o Shared Resources
Physical, Logical, Administrative
Data Security
Permissions – AAA and CIA
o Authentication, Authorization, and Accounting
o Confidentiality, Integrity, Availability
Storage – Hashing, Sharding, Parameterization
o “It’s in the cloud, so it’s safe.”
o Sharding – breaking up data into smaller pieces and assigning a number to them.
SANs – LUNs, Permissions, Access
o Keeping the data separated
o SANs – Storage Area Networks
o LUNs – Logical Units
Encryption
o Compliance, GDPR
o HIPAA, SOX, GLBA
TPM
o Secure Element
o iOS
o Trusted Platform Module
BitLocker
o Comes already on Windows 11 and macOS.
1.11 – Alternate Environments
Internet of Things
o IP Cameras
o Toys
Embedded Firewalls
Mobile
o iOS/Android
Vehicles
Game Systems
SCADA
o Automation and connectivity of things that were never designed to be on the internet.
Week 2
Lecture Notes
Presentation
Security Issues
10 min presentation
Select one of ten topics in FSO.
Presentation should cover:
o Overview of the issue
o Why it is important to cloud security.
o Compensating controls for the issue (defense in depth)
o Risk to organizations from the issue
Brief question and answer session, 15% of grade
2.1 – In the News – Ransomware
NotPetya Ransomware in 2017 – Most Devastating in History
$10B in total damages says White House assessment.
Nation-state weapons unleashed on the internet – unexpected consequences.
Forced Maersk to reinstall 4k servers and 45k PCs.
How does this impact security?
What should be done?
How could you protect your system?
Back ups
End-point protection
Understand what you’re clicking on
2.2 – Vulnerability, Threat, Exploit
Many use the term vulnerability, threat, and exploit interchangeably but they are not the same:
o Vulnerability – a flaw that allows for unintended actions.
  Unpatched software, misconfiguration, balancing of applications, misconfiguration with access control, etc.
o Threat – threat actor, the thing or person attacking the vulnerability.
o Exploit – the method by which a threat leverages a vulnerability.
You need to have all three for a breach to occur.
2.3 – Malware Types
The term virus or worm is often outdated.
Malware is a common term related to the advanced threats we see today.
Malware today is often multi-level, using a series of different attack methods to function.
Some common malware types are:
o Adware – “malvertising” – malicious payload attached to ads, websites, etc.
o Spyware – malicious code whose sole purpose is to spy. Affects camera, microphone. Keylogger.
o Trojan – modern day virus. Piggybacks itself on legitimate software.
o Rootkits – probably the most powerful. System level access.
  APT – advanced persistent threats.
o Ransomware – malware that can encrypt a variety of data on a machine and hold it for ransom. The goal of ransomware is a money grab, not really to affect the machine. Surprisingly, they have good customer service. They do hold their end of the bargain.
o Botnets – kind of like a zombie network. Used to perpetuate DDoS attacks. Slave machines tied to some sort of command and control.
2.4 – Vulnerabilities
Vulnerabilities are flaws and many groups have attempted to create common lists of flaws.
By organizing commonly known vulnerabilities organizations can test for the vulnerabilities.
Many organizations created reliable sources for reporting and understanding vulnerabilities:
o US-CERT – United States Computer Emergency Response Team / Readiness Team – notifies the public about current threats.
o MITRE CVE – Common Vulnerabilities and Exposures list
  CVSS – Common Vulnerability Scoring System
o NIST NVD – National Vulnerability Database – NIST 800-53 – document outlining framework.
o SANS Internet Storm Center
o IT-ISAC – Information Sharing and Analysis Center – organizations that come together with the purpose of sharing info.
2.5 – Social Engineering
Social Engineering, Detection, and Testing
You cannot stop social engineering.
Frank Abagnale – Bank Drop Box – Catch Me if You Can movie – loose documentary.
Detection and education are the best defenses.
Prevention is nearly impossible.
Detection is Defense in Depth, AAA, and Anomalies
Testing can be done many ways:
o Awareness campaigns
o Vulnerability scanning
o Code Review (Static, Fuzzing, and Dynamic)
o Penetration testing
2.6 – Attack Types
XSS / CSRF – Cross-Site Scripting / Cross-Site Request Forgery – vulnerabilities that exist in applications.
Man-in-the-Middle – Networking attack. Wi-Fi Pineapple – intercepts all device traffic.
Brute Force – Keep trying to guess username/password – keep trying until you get in.
DDoS – Command and control leveraging a botnet – overwhelm the service.
Spam
Phishing – email; vishing – voice phishing; smishing – SMS attacks
Insider – Leaks
Password
URL Hijacking
Watering Hole – attacking a frequently visited website.
SQL Injection – application attack – instead of putting in a username or password, puts in a SQL command. Input parameters.
Zero Day – didn’t know that vulnerability/exploit existed until that day.
APT – Advanced Persistent Threats – worst of the worst. Malicious payload keeps itself on that entity or application. Stays no matter what.
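An added example (not from the course notes) for the SQL Injection item above: the same login query built by pasting input into the SQL text, and the hardened form that binds the values as input parameters. The in-memory database and the account in it are constructed sample data.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with one sample user (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Flawed form: the input is pasted into the SQL text, so a quote character in
    the input changes the structure of the statement instead of being treated as data."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Hardened form: the values are bound as parameters (the "input parameters"
    in the notes), so the driver always treats them as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def compare(conn, username, password):
    """Run the same input through both forms so the difference is visible."""
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }
```

Calling compare() with a password that contains a single quote shows the split: the parameterized query returns None because the quote is just part of the password string, while the string-built query treats it as SQL syntax.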
2.10 – In the News – Two-Factor Authentication
JP Morgan forgot two-factor authentication.
o In December of 2014, JP Morgan suffered a data breach losing 83 million customer records.
o Breach occurred because a server on one of their networks was reconfigured without the need for 2FA.
How does this impact security?
What should be done?
o Constant vulnerability scans, checks and balances, etc.
2.11 – Authentication Services
Radius – internal network.
Kerberos
LDAP – directory protocol
SAML – language for configuring single sign-on. Security Assertion Markup Language.
OAuth – open standard
PKI
SSO
Which service is right for your systems?
Why these services?
2.12 – AAA
SaaS – Software as a Service – something like Gmail.
PaaS – Platform as a Service – something like GoDaddy.
2.13 – Controls
Separation of Duties (permission creep) – role-based access control. Permissions are limited based on their duties.
Mandatory Vacation
Two-Man Rule
ACLs
RBAC, Mandatory, Discretionary – Classification
Time of Day
Geofencing
Why are these controls important in a multi-tenant environment?
2.14 – Authentication Types
Something you are
Something you have
Something you know
Somewhere you are
Week 3
Lecture Notes
3.1 – In the News – Baby Monitors
Baby Monitors on the Internet
In December of 2016 the search engine Shodan.io could discover and connect to unsecured baby monitors connected to the internet.
Some of these monitors allow people to talk to the babies through the monitor.
How does this impact security?
What should be done?
How can you protect your system?
3.2 – Network Security Technologies
Firewalls – kind of like a traffic cop. Blocking traffic that isn’t allowed to get in and communicate with your devices.
Load Balancers – technology that balances the load.
IPS/IDS – IDS came out in early 2000s. Intrusion detection/prevention system. More robust traffic management. “Next gen firewall” – analyze the traffic as it comes in, look for malicious payloads or malformed packets.
VPN – virtual private network.
Proxies – filter, analyze the traffic, malware analysis.
WAF – Web Application Firewall. Does same as regular firewall but with web applications.
Spam Filters – email protection, intercept email traffic, etc.
Which one is the most important?
Trick question. Depends on the environment. How does this relate to Defense-in-Depth?
Deploy one or all of these technologies. Layer a variety of defenses on your network’s infrastructure.
3.3 – OSI Model
Open Systems Interconnection Model
APSTNDP – All People Seem To Need Data Processing
TCP/IP – graphic on the right
Why is understanding the OSI model important to security?
Can you map specific technologies to the OSI model?
Data link layer – a switch
Network – Router, firewalls
Transport – VPN
o Session, presentation, application – web browser
o TCP Handshake, Session – ping to make sure the web server is available
o Presentation – visuals, what you see on your browser – is there encryption? http – unencrypted, https – encrypted
o Application – network process
3.4 – Cloud
There is no cloud – it’s just someone else’s computer.
PaaS, SaaS, IaaS
o PaaS – Platform as a Service – Bluehost, GoDaddy
o SaaS – Software as a Service – Gmail
o IaaS – Infrastructure as a Service
Types
o Private – limited in scope to the corp.
o Hybrid – some assets you maintain internally, the rest by the provider.
o Public – obvious
o Community –