ECS726: Security and Authentication
Week 11: Pen testing and further topics
EECS, QMUL
Further topics in practical security
◃ There are many other security topics beyond network and web security.
◃ In this final week we will briefly describe a few of these topics:
◃ pen testing, security models, cybersecurity frameworks (NCSC), language based security, cybersecurity decision support, economics of cybersecurity
High level summary:
◃ pen testing, security models: act as an attacker to test defence
◃ cybersecurity frameworks (NCSC): cybersecurity guidance from experts’ organizations
◃ language based security: mitigate security bugs in code
◃ cybersecurity decision support, economics of cybersecurity: understand attackers’ strategies to optimize defence
Pen testing
◃ Pen testing is an essential part of cybersecurity
◃ In a nutshell a pen tester is someone who is paid by an organisation to play the role of an attacker
◃ hence all attack examples we have seen could have been carried out by a pen tester
◃ as the name suggests a pen tester “tests” the security of the organisation, reports on the weaknesses found and recommends mitigations
Pen testing: Rules of Engagement
◃ a penetration test is an authorised audit of a computer system’s security and defences
◃ it must be agreed by the owners of the systems, otherwise it may be illegal
◃ the scope of the test must be agreed in advance using Rules of Engagement
◃ the rules include: Permission, Test Scope, Rules
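The three elements above (permission, scope, rules) are what separates an authorised audit from an attack, so it is worth seeing them encoded as a check that a tester's tooling can consult before touching anything. The following is an added example written for these notes, not code from the module or from any real engagement: the client name, address ranges, hostnames, dates and action names are all constructed, and the representation of the rules is a hypothetical one.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RulesOfEngagement:
    """Constructed representation of the signed Rules of Engagement."""
    client: str
    in_scope: list                 # CIDRs, IPs or hostnames the owner authorised
    out_of_scope: list             # explicit exclusions; these win over in_scope
    window_start: datetime         # agreed testing window (permission is time-bound)
    window_end: datetime
    permitted_actions: set = field(default_factory=set)   # test types agreed in the rules


def _matches(target: str, entry: str) -> bool:
    """True if target (IP or hostname) is covered by entry (CIDR, IP or hostname)."""
    try:
        return ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # at least one side is not an IP address: fall back to hostname comparison
        return target.lower() == entry.lower()


def check_action(roe: RulesOfEngagement, target: str, action: str, when: datetime):
    """Return (allowed, reason). Deny unless every condition of the rules holds;
    the default answer is 'no', which is what an authorised audit requires."""
    if not (roe.window_start <= when <= roe.window_end):
        return False, "outside the agreed testing window"
    if any(_matches(target, e) for e in roe.out_of_scope):
        return False, f"{target} is explicitly excluded from scope"
    if not any(_matches(target, e) for e in roe.in_scope):
        return False, f"{target} is not in the authorised scope"
    if action not in roe.permitted_actions:
        return False, f"'{action}' is not among the agreed test types"
    return True, "permitted by the Rules of Engagement"


# Constructed engagement (hypothetical client, ranges, hosts and dates).
ROE = RulesOfEngagement(
    client="Example Ltd",
    in_scope=["10.20.0.0/24", "staging.example.test"],
    out_of_scope=["10.20.0.5"],                        # e.g. a production database host
    window_start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, tzinfo=timezone.utc),
    permitted_actions={"port_scan", "web_app_test"},
)

# A point in time inside the agreed window, used by the demonstration below.
AUDIT_TIME = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for target, action in [("10.20.0.17", "port_scan"), ("10.20.0.5", "port_scan"),
                           ("staging.example.test", "web_app_test"), ("10.99.0.1", "port_scan"),
                           ("10.20.0.17", "social_engineering")]:
        print(target, action, check_action(ROE, target, action, AUDIT_TIME))
```

Exclusions are checked before inclusions so that an excluded host inside an in-scope range stays excluded, and an unknown action type is refused rather than assumed to be covered.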
Pen testing: Methodology
◃ Typically these are the steps followed during pen testing:
◃ Information gathering,
◃ scanning (discover applications and services)
◃ exploitation (exploit a vulnerability)
◃ privilege escalation (get highest privileges you can)
◃ post exploitation (draw some conclusions)
Pen testing: tools
◃ A pen tester uses the same tools as an attacker, for example
◃ nmap to scan for ports
◃ wireshark to capture and analyze traffic
◃ hydra to brute force passwords
◃ other important tools are Burp suite, Metasploit and Splunk
Pen testing: Metasploit
◃ Metasploit is a general attack tool based on known vulnerabilities
◃ it is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more.
◃ it has a command-line interface (msfconsole) plus modules (exploits, payloads etc), and tools (msfvenom, meterpreter etc.)
Pen testing: Splunk
◃ Splunk is a product that provides the ability to collect, analyze and correlate the network and machine logs in real-time.
◃ Logs are an essential tool for the detection and investigation of suspicious activity
◃ Almost all attacks leave a trace in some organisational log, hence the capability to analyse logs is a great asset for cybersecurity
Pen testing: Principles of Security
◃ Fundamental principles of security
◃ These refer to principles every security practitioner should know and apply
◃ the room “Principles of Security” in the Jr Penetration Tester learning path on TryHackMe covers this topic
Principles of Security: CIA triad
◃ The CIA triad
◃ Confidentiality, Integrity, Availability (CIA)
◃ we have studied these topics in the first part of the module
Principles of Security: Principle of least Privileges
◃ principle of least privilege:
◃ users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties.
Principles of Security. Security Models: Bell-LaPadula
◃ security models help to achieve the CIA triad.
◃ The Bell-LaPadula Model is used to achieve confidentiality:
◃ The model states: “No read up, no write down”
◃ example: a subject A with lower security clearance than B cannot read B level data
◃ Also the subject at level B cannot write data at lower level A
Principles of Security. Security Models: Biba model
◃ security models help to achieve the CIA triad.
◃ The Biba model is used to achieve integrity:
◃ The model states: No write up, no read down
◃ example: a subject A with lower security clearance than B cannot write B level data
◃ Also a subject at level B cannot read data of level A
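The two models are mirror images of each other, which is easiest to see when both rules are written down as a tiny reference monitor and run over the same requests. The code below is an added example for these notes (not from the slides or from TryHackMe); the label ordering PUBLIC < INTERNAL < CONFIDENTIAL < SECRET, the subject names and the object names are all constructed, and the request list reproduces the slides' "A has lower clearance than B" cases.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed linear ordering of labels; a higher value means a higher
    clearance (for a subject) or classification / integrity (for an object)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula, confidentiality: 'no read up, no write down'.
    read  -> the subject's clearance must dominate the object's level
    write -> the object's level must dominate the subject's clearance"""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba, integrity: 'no write up, no read down'.
    read  -> a subject may only read from equal-or-higher integrity
    write -> a subject may only write to equal-or-lower integrity"""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(requests, model):
    """Apply one model to (subject, subject_level, op, object, object_level)
    requests and return (subject, op, object, 'ALLOW' | 'DENY') decisions."""
    decisions = []
    for who, s_lvl, op, what, o_lvl in requests:
        verdict = "ALLOW" if model(s_lvl, o_lvl, op) else "DENY"
        decisions.append((who, op, what, verdict))
    return decisions


# Constructed requests mirroring the slides: A is the lower level, B the higher.
REQUESTS = [
    ("A", Level.INTERNAL, "read",  "B_report", Level.SECRET),    # read up
    ("B", Level.SECRET,   "write", "A_notes",  Level.INTERNAL),  # write down
    ("B", Level.SECRET,   "read",  "A_notes",  Level.INTERNAL),  # read down
    ("A", Level.INTERNAL, "write", "B_report", Level.SECRET),    # write up
]

if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for decision in reference_monitor(REQUESTS, model):
            print("  ", *decision)
```

Run as-is, Bell-LaPadula denies the first two requests (read up, write down) and allows the last two, while Biba does exactly the opposite; the same labels give opposite answers because one model protects secrecy of what flows down and the other protects trustworthiness of what flows up.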
Cybersecurity organizations: National Cyber Security Centre (NCSC)
Several organizations publish cybersecurity guidelines and provide cybersecurity advice and tools, e.g. NIST in the US and the NCSC in the UK.
The NCSC originates from GCHQ and as such has extensive experience of cyberattacks (as spooks…). Their tools and advice are hence valuable.
On their website [1] you can find information, advice and training for all sorts of cyber-users, from individuals to large organizations.
[1] https://www.ncsc.gov.uk
Cybersecurity organizations: National Cyber Security Centre (NCSC)
The NCSC also provides certifications, e.g. as a pentester [2], and useful infographics [3] for the most common threat scenarios.
[2] https://www.ncsc.gov.uk/section/information-for/cyber-security-professionals
[3] https://www.ncsc.gov.uk/information/infographics-ncsc
NCSC: ten steps to cyber security
The ten steps [4] is NCSC guidance on how organisations can protect themselves in cyberspace.
Originating in 2012, it provides the top 10 recommendations for cybersecurity.
[4] https://www.ncsc.gov.uk/collection/10-steps
NCSC: ten steps to cyber security
Risk management
Take a risk-based approach to securing your data and systems.
Engagement and training
Collaboratively build security that works for people in your organisation.
Asset management
Know what data and systems you have and what business need they support.
Architecture and configuration
Design, build, maintain and manage systems securely.
Vulnerability management
Keep your systems protected throughout their lifecycle.
Identity and access management
Control who and what can access your systems and data.
Data security
Protect data where it is vulnerable.
Logging and monitoring
Design your systems to be able to detect and investigate incidents.
Incident management
Plan your response to cyber incidents in advance.
Supply chain security
Collaborate with your suppliers and partners.
10 Steps to Cyber Security
This collection is designed for security professionals and technical staff as a summary of NCSC advice for medium to large organisations. We recommend you start by reviewing your approach to risk management, along with the other nine areas of cyber security below, to ensure that technology, systems and information in your organisation are protected appropriately against the majority of cyber attacks and enable your organisation to best deliver its business objectives.
Source: National Cyber Security Centre, www.ncsc.gov.uk (© Crown Copyright 2021)
ten steps: risk management
Take a risk-based approach to securing your data and systems.
Taking risks is a natural part of doing business. Risk management informs decisions so that the right balance of threats and opportunities can be achieved to best deliver your business objectives. Risk management in the cyber security domain helps ensure that the technology, systems and information in your organisation are protected in the most appropriate way … A good risk management approach will be embedded throughout your organisation and complement the way you manage other business risks.
ten steps: engagement and training
Collaboratively build security that works for people in your organisation.
People should be at the heart of any cyber security strategy. Good security takes into account the way people work in practice, and doesn’t get in the way of people getting their jobs done. People can also be one of your most effective resources in preventing incidents (or detecting when one has occurred)… Supporting your staff to obtain the skills and knowledge required to work securely is often done through the means of awareness or training. …
ten steps: asset management
Know what data and systems you manage, and what business need they support.
Asset management encompasses the way you can establish and maintain the required knowledge of your assets. Over time, systems generally grow organically, and it can be hard to maintain an understanding of all the assets within your environment. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. …
ten steps: architecture and configuration
Design, build, maintain and manage systems securely.
The technology and cyber security landscape is constantly evolving. To address this, organisations need to ensure that good cyber security is baked into their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks.
ten steps: vulnerability management
Keep your systems protected throughout their lifecycle.
The majority of cyber security incidents are the result of attackers exploiting publicly disclosed vulnerabilities to gain access to systems and networks. Attackers will, often indiscriminately, seek to exploit vulnerabilities as soon as they have been disclosed. So it is important (and essential for any systems that are exploitable from the internet) to install security updates as soon as possible to protect your organisation….
ten steps: identity and access management
Control who and what can access your systems and data.
Access to data, systems and services need to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out. You must choose appropriate methods to establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions.
ten steps: data security
Protect data where it is vulnerable.
Data needs to be protected from unauthorised access, modification, or deletion. This involves ensuring data is protected in transit, at rest, and at end of life (that is, effectively sanitising or destroying storage media after use). In many cases data will be outside your direct control, so it is important to consider the protections that you can apply as well as the assurances you may need from third parties. With the rise in increasingly tailored ransomware attacks preventing organisations from accessing their systems and data stored on them, other relevant security measures should include maintaining up-to-date, isolated, offline backup copies of all important data.
ten steps: logging and monitoring
Design your systems to be able to detect and investigate incidents.
Collecting logs is essential to understand how your systems are being used and is the foundation of security (or protective) monitoring. In the event of a concern or potential security incident, good logging practices will allow you to retrospectively look at what has happened and understand the impact of the incident. Security monitoring takes this further and involves the active analysis of logging information to look for signs of known attacks or unusual system behaviour, enabling organisations to detect events that could be deemed as a security incident, and respond accordingly in order to minimise the impact.
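The Splunk slide earlier and this step both say the same thing: logs are the raw material, and monitoring is the active analysis of them for signs of known attacks. One of the most common such signs is a burst of failed logins from one source (the footprint a password brute-forcing tool leaves), followed in the worst case by a success. The block below is an added example for these notes, not Splunk code or NCSC material: it parses constructed OpenSSH-style authentication lines (timestamps, hostnames, usernames and addresses are all made up; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges) and applies a sliding-window rule that any SIEM search language could express.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH-style authentication log lines (made up for this example).
SAMPLE_LOG = """\
2024-03-04T10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2024-03-04T10:00:02 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-04T10:00:03 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
2024-03-04T10:00:04 host1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
2024-03-04T10:00:05 host1 sshd[2209]: Failed password for invalid user admin from 203.0.113.7 port 51005 ssh2
2024-03-04T10:00:06 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51006 ssh2
2024-03-04T10:00:07 host1 sshd[2213]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-03-04T10:00:08 host1 sshd[2215]: Failed password for bob from 198.51.100.9 port 40002 ssh2
2024-03-04T10:00:09 host1 sshd[2217]: Accepted password for root from 203.0.113.7 port 51007 ssh2
2024-03-04T10:00:10 host1 sshd[2219]: Accepted password for alice from 192.0.2.20 port 53000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text):
    """Yield one event dict per line in the expected format; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Flag any source with >= threshold failed logins inside a sliding window,
    and escalate when such a source then logs in successfully."""
    recent = defaultdict(deque)   # src -> (ts, user) of failures still inside the window
    open_alert = {}               # src -> bruteforce alert that is still being extended
    alerts = []
    for ev in parse(text):
        src, q = ev["src"], recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                          # slide the window forward
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) < threshold:
                open_alert.pop(src, None)        # the burst (if any) has died down
                continue
            alert = open_alert.get(src)
            if alert is None:
                alert = {"kind": "bruteforce", "src": src, "count": len(q),
                         "users": sorted({u for _, u in q}),
                         "first": q[0][0], "last": ev["ts"]}
                open_alert[src] = alert
                alerts.append(alert)
            else:
                alert["count"] += 1
                if ev["user"] not in alert["users"]:
                    alert["users"].append(ev["user"])
            alert["last"] = ev["ts"]
        elif src in open_alert and q:
            # a success right after a burst of failures is the case worth investigating
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "ts": ev["ts"],
                           "failures_before": open_alert[src]["count"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

On the sample the two failures from 198.51.100.9 stay below the threshold and produce nothing, the six from 203.0.113.7 raise one brute-force alert that keeps growing while the burst lasts, and the subsequent "Accepted" for root from the same source raises the escalated alert. The threshold and window are the knobs a monitoring team tunes against their own false-positive rate.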
ten steps: incident management
Plan your response to cyber incidents in advance.
Incidents can have a huge impact on an organisation in terms of cost, productivity and reputation. However, good incident management will reduce the impact when they do happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Managing the incident whilst in the media spotlight will reduce the reputational impact. Finally, applying what you’ve learned in the aftermath of an incident will mean you are better prepared for any future incidents.
ten steps: supply chain security
Collaborate with your suppliers and partners.
Most organisations rely upon suppliers to deliver products, systems, and services. An attack on your suppliers can be just as damaging to you as one that directly targets your own organisation. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. The first step is to understand your supply chain, including commodity suppliers such as cloud service providers and those suppliers you hold a bespoke contract with. Exercising influence where you can, and encouraging continuous improvement, will help improve security across your supply chain.
Two important zeros in cybersecurity
◃ zero-day attacks: this term refers to “new attacks”. Typically this could be an attack involving a newly discovered software vulnerability. This kind of attack is the most devastating, but also the rarest and the most difficult to set up and to defend against (typically state agencies like the NSA could have an inventory of such attacks ready for use).
◃ zero trust: this is a relatively new cybersecurity framework supported by the NCSC. Zero trust “is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.”
Language based security
This term refers to:
◃ security measures designed within a programming language. For example Java is more secure than C
◃ Typically, languages which have types and prohibit direct memory access and explicit pointers are more secure
◃ Also the term refers to automated analyses which can detect or mitigate security vulnerabilities in a program
◃ for example a program analysis detecting buffer overflows or null dereferences
Language based security
◃ automated analyses are often based on abstract interpretation
◃ this is a mathematical technique where the states of a program execution are abstracted to mathematical objects, e.g. a set or an interval of numbers
◃ By selecting the appropriate abstraction, automated security analysis of large code bases can be done efficiently
◃ for example the Facebook, Instagram and WhatsApp code is analysed daily by tools based on abstract interpretation (Infer, Zoncolan)
◃ some of these tools were created at QMUL (Infer)
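To make the interval abstraction concrete, here is a toy analyser in the spirit of the tools mentioned above but written from scratch for these notes: it is not Infer or Zoncolan code, and the program representation (a list of tuples), the statement kinds and the example program are all constructed. Each variable is tracked as an interval [lo, hi] instead of a number, arithmetic is done on intervals, a non-deterministic branch is handled by joining (taking the hull of) the two outcomes, and every array access whose index interval is not provably inside the buffer is reported. The third access shows the price of abstraction: the join over-approximates, so the analyser reports a possible overrun that a concrete run might never hit, which is the sound (no missed bugs) but imprecise side of the trade-off.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Abstract value: every concrete value the variable may hold lies in [lo, hi]."""
    lo: int
    hi: int

    def __add__(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        corners = [self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi]
        return Interval(min(corners), max(corners))

    def join(self, o):
        """Least upper bound: the smallest interval containing both (used at merges)."""
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def within(self, lo, hi):
        return lo <= self.lo and self.hi <= hi


def eval_expr(expr, env):
    """Expressions: int literal, variable name, or ('+' | '-' | '*' | 'mod', a, b)."""
    if isinstance(expr, int):
        return Interval(expr, expr)
    if isinstance(expr, str):
        return env[expr]
    op, a, b = expr
    x = eval_expr(a, env)
    if op == "mod":                      # b is a positive literal modulus
        return Interval(0, b - 1) if x.lo >= 0 else Interval(-(b - 1), b - 1)
    y = eval_expr(b, env)
    return {"+": x + y, "-": x - y, "*": x * y}[op]


def analyze(program, env=None):
    """Execute the program once over intervals instead of numbers.
    Returns (final env, warnings); a warning is raised for every array access
    whose index interval is not provably inside [0, size - 1]."""
    env = dict(env or {})
    warnings = []
    for stmt in program:
        kind = stmt[0]
        if kind == "input":                      # untrusted value known only to lie in a range
            _, var, lo, hi = stmt
            env[var] = Interval(lo, hi)
        elif kind == "assign":
            _, var, expr = stmt
            env[var] = eval_expr(expr, env)
        elif kind == "index":
            _, arr, size, expr = stmt
            idx = eval_expr(expr, env)
            if not idx.within(0, size - 1):
                warnings.append({"array": arr, "size": size, "index": idx})
        elif kind == "either":                   # two branches; we do not know which runs
            _, left, right = stmt
            env_l, w_l = analyze(left, env)
            env_r, w_r = analyze(right, env)
            warnings += w_l + w_r
            # join per variable; a variable set in only one branch is dropped (conservative)
            env = {v: env_l[v].join(env_r[v]) for v in env_l.keys() & env_r.keys()}
        else:
            raise ValueError(f"unknown statement {kind!r}")
    return env, warnings


# Constructed program: a 16-byte buffer indexed by values derived from a network byte.
PROGRAM = [
    ("input", "n", 0, 255),                  # length byte from the wire: any of 0..255
    ("assign", "i", ("-", "n", 1)),          # i = n - 1
    ("index", "buf", 16, "i"),               # buf[i]: i in [-1, 254] -> flagged
    ("assign", "k", ("mod", "n", 16)),       # k = n % 16
    ("index", "buf", 16, "k"),               # buf[k]: k in [0, 15] -> proven safe
    ("either", [("assign", "p", 0)],
               [("assign", "p", ("+", "k", 1))]),  # p = 0 or p = k + 1 -> join gives [0, 16]
    ("index", "buf", 16, "p"),               # buf[p]: 16 is one past the end -> flagged
]

if __name__ == "__main__":
    final_env, found = analyze(PROGRAM)
    for w in found:
        print(f"possible out-of-bounds access {w['array']}[{w['index'].lo}..{w['index'].hi}] "
              f"(size {w['size']})")
```

The analysis visits each statement once, which is why it scales to large code bases; the cost is that everything it cannot prove is reported, so the quality of the chosen abstraction (here plain intervals, with no relation between variables) decides how many of the reports are real.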
Decision support and economics of security
◃ An attacker will attack if he can get something valuable out of the attack
◃ A defender should make the best defensive choices within some security constraints e.g. budget
◃ Both the defender’s and the attacker’s problems can be modelled in terms of Game Theory
◃ Game Theory is the mathematical theory for modelling adversarial interaction
Decision support and economics of security
◃ Cybersecurity decision making is an important topic for companies and organizations
◃ They want to deploy security mitigations each with some potential effectiveness against vulnerabilities
◃ Mitigations could be: encryption, firewalls, authentication, (many more we haven’t seen…)
◃ Each mitigation has an effectiveness, a cost and a “negative cost”
◃ the cost is how much it costs in terms of purchase, installation, maintenance etc.
◃ negative cost is how much it gets in the way of productivity etc.
Decision support and economics of security
◃ The optimal solution for an organization is to select the mitigations that best defend against specified threats among all possible mitigations’ choices within some direct and negative costs budget
◃ it is a complex mathematical optimization problem
◃ a solution is for example given in https://www.sciencedirect.com/science/article/pii/S0377221719303728
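The selection problem on the previous two slides can be written down in a few lines once the ingredients (threats, mitigations, effectiveness, cost, negative cost, budgets) are given numbers. The block below is an added example for these notes; it is not the method of the paper linked above, and every figure in it is constructed (expected loss per threat, costs, "friction" standing in for negative cost, and effectiveness fractions). It also makes one explicit modelling assumption, stated in the code: mitigations act independently, so the fraction of a threat that survives a set of mitigations is the product of (1 - effectiveness) over that set. With five options an exhaustive search over all 32 subsets is enough; the general problem is knapsack-like and needs the kind of optimisation the paper discusses.

```python
from itertools import combinations

# Constructed figures (not from the paper or the slides): expected loss per threat,
# and for each mitigation its purchase/running cost, its "negative cost" (friction,
# i.e. how much it gets in the way of productivity) and how much of each threat it removes.
THREATS = {"phishing": 120, "sql_injection": 80, "ransomware": 200, "credential_stuffing": 60}
MITIGATIONS = {
    "mfa":             {"cost": 20, "friction": 15, "eff": {"phishing": 0.6, "credential_stuffing": 0.9}},
    "waf":             {"cost": 30, "friction": 5,  "eff": {"sql_injection": 0.7}},
    "offline_backups": {"cost": 25, "friction": 5,  "eff": {"ransomware": 0.8}},
    "training":        {"cost": 10, "friction": 20, "eff": {"phishing": 0.4}},
    "edr":             {"cost": 40, "friction": 10, "eff": {"ransomware": 0.5, "phishing": 0.3}},
}


def residual_loss(chosen, mitigations, threats):
    """Expected loss that remains after deploying `chosen`.
    Assumption: mitigations act independently, so the surviving fraction of a
    threat is the product of (1 - effectiveness) over the chosen mitigations."""
    total = 0.0
    for threat, loss in threats.items():
        surviving = 1.0
        for m in chosen:
            surviving *= 1.0 - mitigations[m]["eff"].get(threat, 0.0)
        total += loss * surviving
    return total


def select_mitigations(mitigations, threats, cost_budget, friction_budget):
    """Exhaustive search over every subset (fine for a handful of options; the
    general problem is a knapsack-style optimisation and needs smarter solvers).
    Returns the feasible subset with the lowest residual loss, cheapest on ties."""
    names = sorted(mitigations)
    best = None
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            cost = sum(mitigations[m]["cost"] for m in subset)
            friction = sum(mitigations[m]["friction"] for m in subset)
            if cost > cost_budget or friction > friction_budget:
                continue                      # violates the direct or the negative-cost budget
            candidate = {"chosen": subset,
                         "residual_loss": residual_loss(subset, mitigations, threats),
                         "cost": cost, "friction": friction}
            if best is None or (candidate["residual_loss"], cost) < (best["residual_loss"], best["cost"]):
                best = candidate
    return best


if __name__ == "__main__":
    plan = select_mitigations(MITIGATIONS, THREATS, cost_budget=80, friction_budget=30)
    print("baseline expected loss:", sum(THREATS.values()))
    print("chosen:", plan["chosen"], "residual:", round(plan["residual_loss"], 1),
          "cost:", plan["cost"], "friction:", plan["friction"])
```

With these numbers the baseline expected loss is 460 and the best affordable plan is MFA plus the WAF plus offline backups (cost 75, friction 25), leaving a residual of 118; notably EDR, the single most effective option against ransomware, is squeezed out by the cost budget, and training, the cheapest option, by the friction budget, which is exactly the kind of trade-off the two budgets exist to capture.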
Conclusions
◃ This module has presented both theoretical and practical aspects of security
◃ on the theory side we have for example seen the maths behind RSA and many other cryptographic concepts
◃ on the practical side we have been engaging in discovering and exploiting vulnerabilities, learning appropriate tools and mitigations
◃ hopefully the skills you learned will help both in your intellectual and professional journey