A reiteration:

  • Risk: Anything that can affect the confidentiality, integrity, and availability of an asset
  • Threat: Any circumstance or event that can negatively impact assets
  • Vulnerability: A weakness that can be exploited by a threat

Protect Organization Assets

Control Types

  • Technical - Encryption, authentication systems, etc.
  • Operational - Maintaining the day-to-day security environment, awareness training/incident response
  • Managerial - Policies, standards, procedures

Principle of Least Privilege

Information/access is on a need-to-know basis. For example, when you book a flight with an airline, general employees shouldn’t have access to your credit card information. A customer support agent might, but only while you’re making a purchase. In other words, access is limited not only by role, but by situation.

Data Lifecycle

Collect → store → use → archive → destroy.

  • Data owner: Person who decides who can access, edit, use, or destroy their information
  • Data custodian: Anyone responsible for safe handling, transport of data
  • Data steward: Person/group that maintains and implements data governance policies set by organization

Data governance is the set of processes that define how an organization manages information, including policies on how to keep data private, accurate, available, and secure.

Privacy

Some common regulations:

  • GDPR: Puts data owners in total control of their personal information. Applies to any business that handles the data of EU citizens, which includes many US-based firms.
  • PCI DSS: Set of security standards for the financial industry, aiming to secure credit/debit transactions.
  • HIPAA

Cryptography

  • Public Key Infrastructure (PKI) - Secures the exchange of information online (often uses both asymmetric + symmetric encryption)
    • Step 1. Exchange encrypted information (in some way).
    • Step 2. Address the vulnerability of key sharing, by establishing trust using a system of digital certificates between computers and networks.
  • Digital Certificate - A file that verifies the identity of a public key holder.
  • Symmetric Encryption
    • Definition: Exchanging the same key for use by both parties.
    • Ex. Triple DES (3DES) and AES (128, 192, or 256 bits)
  • Asymmetric Encryption
    • Definition: The decryptor uses a private key, the encryptor uses a public key.
    • Ex. Rivest Shamir Adleman (RSA) and Digital Signature Algorithm (DSA), which often complement each other

How do certificates work? Well, they’re grounded in the real world. Let’s say you register a domain and want a digital certificate for it. The registrar sends information to a trusted certificate authority (CA) and a public key for the site is provided. The CA then verifies the owner’s identity, encrypts data with its own private key, and creates a digital certificate with the encrypted company data.

Non-repudiation and Hashing

Non-repudiation: A security mechanism that prevents a party from denying the authenticity of a digital message/transaction. (Repudiation means denial of truth/validity of something)

Access Controls

AAA Framework refers to authentication, authorization, and accounting.

SSO and MFA are frequently used in conjunction. SSO improves the user experience by reducing repeated logins, at the cost of some security—i.e. imagine your Google password is stolen and now you’ve not only compromised your Google account, but numerous other accounts that use Google SSO. MFA solves this problem.

Accounting is the process of monitoring access logs, perhaps to detect multiple failed logins or someone who logs in from an unusual location.
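
The accounting checks described above, as an added example that is not part of the original notes. The log format, the thresholds, and the function name are assumptions made for illustration, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical format): time user country result
LOG = """\
2024-05-01T09:00:00 alice US OK
2024-05-01T09:05:00 bob US FAIL
2024-05-01T09:05:20 bob US FAIL
2024-05-01T09:05:40 bob US FAIL
2024-05-01T09:30:00 bob US OK
2024-05-01T11:00:00 alice BR OK
2024-05-01T12:00:00 carol DE FAIL
"""

def review(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return (time, user, reason) alerts for the two signals named in the text."""
    failures = defaultdict(deque)  # user -> times of failed logins inside the window
    seen = defaultdict(set)        # user -> countries with an earlier successful login
    alerts = []
    for line in log_text.splitlines():
        ts, user, country, result = line.split()
        when = datetime.fromisoformat(ts)
        if result == "FAIL":
            recent = failures[user]
            recent.append(when)
            # Drop failures that have aged out of the sliding window.
            while when - recent[0] > window:
                recent.popleft()
            # Alert once, at the moment the threshold is reached.
            if len(recent) == max_failures:
                alerts.append((ts, user, "repeated failed logins"))
        else:
            # A first-ever login has no baseline, so it is recorded but not flagged.
            if seen[user] and country not in seen[user]:
                alerts.append((ts, user, "login from new location: " + country))
            seen[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in review(LOG):
        print(alert)
```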

Session hijacking involves taking something like a session cookie containing the authentication token and using it to impersonate someone.

User Provisioning

It’s the process of creating and maintaining a user’s identity, for example creating a faculty account for a new hire that gives them access to faculty-specific resources, but not student or IT resources. This also includes deprovisioning someone.

There are three common frameworks for granting authorization:

  1. Mandatory Access Control (MAC): The strictest of the three. Access must be granted by a central authority for each asset. This is also known as non-discretionary control because access is not given at the discretion of the data owner, but rather by the overseeing entity (like a SysAdmin). It is commonly seen in law enforcement, military, and other strict government settings.
  2. Discretionary Access Control (DAC): The data owner decides who can do what with the data. For example, the owner of a Google Drive file can make it public, editable, shareable, etc.
  3. Role-based Access Control (RBAC): Authorization is determined by a user’s role in the organization, like a faculty member vs. a marketer at a university.

Vulnerabilities in Systems

Defense in Depth is a layered approach (model) to vulnerability management, not to be confused with redundancy. It usually uses a five-layer design:

  1. Perimeter: User authentication layer, only allow assets from trusted partners to reach the next layer of defense.
  2. Network Layer: Authorization layer, e.g. Firewalls.
  3. Endpoint Layer: Devices like laptops or servers using anti-virus software.
  4. Application Layer: Interfaces used to interact with technology, e.g. MFA.
  5. Data Layer: Critical data that must be protected, like PII.

Common Vulnerabilities

  • Broken access control
  • Cryptographic failures: Weak hashing algorithms, outdated encryption, etc.
  • Injection: Things like XSS, command injection, SQL injection, all allowing malicious user-designed code to be run.
  • Insecure design
  • Security misconfiguration: Like using default settings.
  • Vulnerable and outdated components
  • Identification and authentication failures: For example, being able to connect to someone’s Wi-Fi without the password.
  • Software and data integrity failures: E.g. hackers injected code into software updates for a security company (SolarWinds) who released those updates to their customers.
  • Security logging and monitoring failures: Negligence towards monitoring.
  • Server-side request forgery: Making a backend action diverge from its intended use, possibly interacting with other resources on the server.

Threats to Asset Security

Social Engineering Tactics

  • Baiting: Tempting people into performing a compromising action, like USB baiting.
  • Phishing: Tricking people into revealing sensitive info or compromising their security, often via email.
  • Quid pro quo: A type of baiting where you convince someone they’ll be rewarded for sharing information, access, or even money. (e.g. “Just pay 10k check”)
  • Tailgating: Following an authorized person into a restricted area.
  • Watering hole: Attacking a common application used by a particular group. (e.g. Holy Water attack of 2020)

Social Engineering Solutions

It’s ultimately a mental game that relies on education. Encourage others to stay alert, be cautious, and control curiosity on top of enforcing organizational security policies.

A precis of malware

  • Virus: Must be installed by target user before it can spread.
  • Worm: Must be installed by target user, and duplicates/replicates on its own.
  • Trojan: Appears as a legitimate file/program.
  • Adware: Doesn’t necessarily imply malware since it can be used to lower production costs for developers, or make it free to the public (freeware/shareware). However, malicious adware falls under potentially unwanted applications (PUAs) which may cause device slowdowns, install other software, or be the result of a malicious actor injecting ad software into a legitimate program for monetary benefit.
  • Spyware: Gathers and sells/uses information without consent. Considered a PUA. Commonly hidden in bundleware.
  • Scareware: Displaying fake warnings that appear to come from legitimate sources, such as data/files being at risk. Used to scare users into compromising their security.
  • Fileless malware: Operates directly in memory, potentially using tools like PowerShell or the Windows registry for execution. Nothing is written to the hard drive, making it difficult to detect traditionally.
  • Rootkits: Provide remote, administrative access to a device, often to open a backdoor to install other malicious software. Two stages: dropper and loader. The dropper delivers and installs the rootkit on the victim’s system, usually hiding within a harmless file. A loader embeds the rootkit code into the system’s memory or kernel, giving inconspicuous total control.
  • Botnet: A collection of computers infected by malware under the control of a single threat actor (bot-herder). Viruses, worms, and trojans usually spread the initial infection.
  • Ransomware: Encrypts data and halts organizational activities for a ransom.
  • Cryptojacking: Malware that performs crypto mining operations.

Cross-site scripting (XSS)

Three main types:

  • Reflected: Criminals send their target a web link that appears to be a trusted site, but contains a payload. If the web server does not perform any sanitizing and blindly trusts the payload, the user’s “action” is trusted and executed, compromising their security.
  • Stored: Payload is persisted on the server, probably in a DB table like a comment field, or message board. Now when other users load the comment entry (as an example), it will also load the payload, compromising other users’ security. This is why strict sanitization is needed for anything that allows user input.
  • DOM-based: Similar to reflected, but instead of the payload affecting the server, it only affects the victim’s DOM, and runs malicious code there directly without the server seeing anything.

SQL Injection

A simple way of converting a form input into an SQL query is to construct the query and place a variable where variable data might occur via string concatenation like so:

SELECT * FROM users WHERE name = '<user_input>';

However, what if we changed it from WHERE name = 'Alice' to WHERE name = '' OR '1'='1'? Well now the form will expose the entire database.

The safer solution internally would be to use parameterization to construct the query, so in this case if the attacker put WHERE name = '' OR '1'='1', it will read as WHERE name = ''' OR '1'='1'' (notice that it’s wrapped in the quote), rendering it useless.

Other solutions:
This was an example of prepared statements (parameterized queries). Another solution is validation, checking that the input meets certain rules (certain characters, length, format), but doesn’t necessarily guarantee prevention. The last solution is sanitizing, by modifying the input to remove dangerous characters/phrases, but once again, this is quite vulnerable if not exhaustive.
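
The concatenated query next to its parameterized form, as an added example that is not part of the original notes. It assumes SQLite through Python's sqlite3 module; the table contents are constructed sample data and the function names are hypothetical. It also shows why validation works only as a second layer: a legitimate name such as O'Brien contains a quote, so quotes cannot simply be banned or stripped.

```python
import re
import sqlite3

PAYLOAD = "' OR '1'='1"  # the input discussed in the text above

def make_db():
    # Constructed sample data: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("Alice",), ("Bob",), ("Carol",), ("O'Brien",)])
    return conn

def find_user_concat(conn, user_input):
    # Vulnerable: the input is pasted into the SQL text, so its quotes become SQL syntax.
    query = "SELECT name FROM users WHERE name = '" + user_input + "';"
    return [row[0] for row in conn.execute(query)]

def find_user_param(conn, user_input):
    # Parameterized: the driver binds the input as one value, never as SQL syntax.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]

def is_valid_name(user_input):
    # Validation (allow-list): letters, spaces, hyphens, apostrophes, max 64 chars.
    # The apostrophe has to be allowed for real names, so this cannot replace binding.
    return re.fullmatch(r"[A-Za-z][A-Za-z '\-]{0,63}", user_input) is not None

if __name__ == "__main__":
    conn = make_db()
    print(find_user_concat(conn, "Alice"))     # one row, as intended
    print(find_user_concat(conn, PAYLOAD))     # every row in the table
    print(find_user_param(conn, PAYLOAD))      # no rows: nobody has that name
    print(find_user_param(conn, "O'Brien"))    # quote in real data is handled
    print(is_valid_name("O'Brien"), is_valid_name(PAYLOAD))
```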

Types of SQL injection:

  • Out-of-band: Attacker triggers the database to send data through a separate channel, since the original channel doesn’t return query results. E.g. a payload is injected and the DB response is sent in a DNS request to the attacker’s server.
  • In-band: Attacker retrieves data through the same channel used to initiate the attack. E.g. a payload is injected and the DB response contains the data.
  • Inferential: DB data doesn’t actually get sent anywhere, but by observing response times/error messages you can often infer what data does and does not exist.