CISSP CBK WEEK 4 By: Jessamyn Tollefson (pages 194-251)

Access Control - Week 4

2. UNDERSTANDING THREATS (FORCES OF EVIL)
Access control threats can have a negative impact on the confidentiality, integrity, and availability of information assets.
There are threats that attack the networks, systems, and applications that store and process an organization's data.
There are many different types of threats, and it is important for us to understand how the threats work.

3. EXAMPLES OF THREATS:
Denial of service
Buffer overflows
Mobile code
Malicious software
Password crackers
Spoofing/masquerading
Sniffers
Eavesdropping
Emanations

4. EXAMPLES OF THREATS (CONTINUED):
Shoulder surfing
Tapping
Object reuse
Data remnants
Unauthorized targeted data mining
Dumpster diving
Backdoor/trapdoor
Theft
Intruders
Social engineering

5. DENIAL OF SERVICE (DOS):
DoS can range from consumption of specific resources, to preventing networks from communicating, to making the performance of a system service or application unusable, to a complete outage.
In a SYN flood, the attacker sends too many SYN packets without completing the proper setup (the handshake), consuming all available server connections so that legitimate users never gain access to the server.

6. DOS (CONTINUED):
Where DoS attacks from only one location, DDoS attacks from many different locations.
Attackers build vast networks of commandeered systems, known as "zombies"; the zombies make millions of requests to the web site at once, fully flooding the system until it shuts down.

7. BUFFER OVERFLOWS:
Buffering is used for controlling data inputs and outputs at all levels of a system interaction.
A buffer overflow is an attack that overwhelms the system's capability to operate its buffers, causing system failures and outages, failure to control an application's state, inability to control a running program, or the execution of code of an attacker's choosing.

8. BUFFER OVERFLOWS (CONTINUED):
Buffer overflows can also be used to insert malicious software for processing by the attacker.
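Added example (not from the slides): a defender-side check for the SYN flood described on slide 5, run over a constructed snapshot of a server's TCP connection table. The addresses and the threshold values are assumptions.

```python
from collections import Counter

# Constructed snapshot of a server's TCP connection table (hypothetical
# addresses): ESTABLISHED = handshake completed, SYN-RECV = half-open.
SNAPSHOT = """\
ESTABLISHED 203.0.113.7:51522 192.0.2.10:443
ESTABLISHED 203.0.113.8:40110 192.0.2.10:443
SYN-RECV    198.51.100.5:1025 192.0.2.10:443
SYN-RECV    198.51.100.5:1026 192.0.2.10:443
SYN-RECV    198.51.100.5:1027 192.0.2.10:443
SYN-RECV    198.51.100.5:1028 192.0.2.10:443
SYN-RECV    198.51.100.5:1029 192.0.2.10:443
SYN-RECV    198.51.100.9:2000 192.0.2.10:443
"""

def parse_snapshot(text):
    """Return a list of (state, source_ip) from connection-table lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        state, src, _dst = parts
        rows.append((state, src.rsplit(":", 1)[0]))
    return rows

def half_open_by_source(rows):
    """Count half-open (SYN-RECV) connections per source address."""
    return Counter(src for state, src in rows if state == "SYN-RECV")

def detect_syn_flood(rows, per_source_limit=3, half_open_ratio=0.5):
    """Return (is_flood, offending_sources).

    Two signals: a single source holding more than per_source_limit
    half-open connections (classic flood), or half-open connections making
    up more than half_open_ratio of the whole table (distributed flood,
    where no single zombie needs to cross the per-source limit).
    """
    counts = half_open_by_source(rows)
    offenders = sorted(s for s, n in counts.items() if n > per_source_limit)
    total = len(rows)
    ratio = sum(counts.values()) / total if total else 0.0
    return (bool(offenders) or ratio > half_open_ratio), offenders
```

The half-open count is the resource the flood consumes, so the check measures it directly rather than raw packet rate.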
Also, because memory buffers are used in network interfaces, video systems, RAM, and virtual memory on hard disks, all of these are vulnerable to a buffer overflow.
Buffer overflows are mostly caused by poor application or system memory management.

9. MOBILE CODE:
Mobile code is software that is transmitted across a network from a remote source to a local system.
Security involvement is important because of its distribution capability, limited user awareness, and potential for harm.
Mobile code is designed to be delivered to an end-user device. If the device is not configured properly, mobile code can infect or manipulate the system.
Organizations should make their users aware of the dangers of mobile code.

10. MALICIOUS SOFTWARE (MALWARE):
Malware is any digital material that is deliberately designed to perform undesirable tasks.
Virus: Parasitic code that requires human action or insertion.
Worm: Self-propagating code that exploits a system or application vulnerability to replicate.
Trojan Horse: A general term referring to programs that appear desirable but contain something harmful.
Spyware: Spyware was a hidden application injected through poor browser security by companies seeking:

11. MALWARE (CONTINUED):
a) Malvertisements are web advertisements which appear to be legitimate yet direct users to download malware onto the system.
b) Malnets are malware networks which typically consist of numerous infected websites, desktops, laptops, and increasingly mobile devices, used to gain more information about users' Internet activity.

12. PASSWORD CRACKERS:
The key factor is the saving of the hashed password, and that is where a password cracker comes in.
Password crackers are one of the few tools that are equally effective for security administrators and attackers alike.
The rainbow table attack has revolutionized password cracking and is being rapidly adopted by tool creators.
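Added example (not from the slides) for slide 12: a precomputed hash-to-password table recovers an unsalted stored hash instantly, while a per-user salt makes the same table useless. The wordlist is constructed, and plain SHA-256 stands in for whatever hash a system stores (a production store should use a slow, salted password hash).

```python
import hashlib
import os

# Constructed sample wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "Summer2024"]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> plaintext for unsalted SHA-256.

    A rainbow table compresses this into hash chains to save space, but the
    attacker's idea is the same: hash once ahead of time, look up many times.
    """
    return {sha256_hex(w.encode()): w for w in words}

def lookup(stored_hash, table):
    """A hash present in the table is recovered with one dict lookup."""
    return table.get(stored_hash)

def store_salted(password, salt=None):
    """Defender side: keep (salt, hash(salt || password)) with a random
    per-user salt, so two users with the same password get different hashes
    and no precomputed table matches."""
    salt = salt or os.urandom(16)
    return salt.hex(), sha256_hex(salt + password.encode())

def verify_salted(password, salt_hex, stored_hash):
    """Recompute with the stored salt; the table is never needed here."""
    return sha256_hex(bytes.fromhex(salt_hex) + password.encode()) == stored_hash

def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = sha256_hex(b"letmein")            # how a weak system stores it
    salt_hex, salted = store_salted("letmein")   # how it should be stored
    return {
        "unsalted_recovered": lookup(unsalted, table),   # "letmein"
        "salted_recovered": lookup(salted, table),       # None
        "salted_verifies": verify_salted("letmein", salt_hex, salted),
    }
```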
13. SPOOFING/MASQUERADING
Is the act of appearing to a system as if a communication from an attacker is coming from a known and trusted source.
Early versions of spoofing were performed by manipulating the packets of data used in the IP protocol.
Not common today, because modern systems and firewalls are prepared for it.
Spoofing has a profound effect on access control systems because it removes the assurance that a person is dealing with a trusted entity.

14. SNIFFERS, EAVESDROPPERS, AND TAPPING
All communications, whether wired or wireless, need to travel from point to point over some medium.
Sniffers are devices that can collect information from a communication medium, such as a network.
Sniffing can be used for good and evil.
The best protection against sniffing, eavesdropping, and tapping is to intercept transmission between devices.

15. EMANATION:
Is the proliferation or propagation of those signals.
By intercepting and interpreting the emanations coming from a particular device, an attacker can often reconstruct the information that is being shown or processed on the device.
There are materials that restrict the ability of radio waves to propagate through them. This involves the use of special paint on the walls and special window coverings that can be placed on windows or other weak points to further disrupt the emanation of

16. SHOULDER SURFING
Is the act of surreptitiously gathering information from a user by means of direct observation of the user's activity, by looking over their shoulder as they perform some action.

17. OBJECT REUSE:
Refers to the allocation or reallocation of system resources to a user or to an application or process.
There are two areas of concern with application object reuse: the direct employment of the objects, or the data input to or output from the object.
Object reuse is also applicable to system media, such as a hard drive, magnetic media, RAM-based devices, or other forms of data storage.
18. DATA REMANENCE
It is becoming increasingly commonplace to buy used computer equipment, such as a hard drive or router, and find information on the device left there by the previous owner, information they thought had been deleted.
Another potential source of data exposure comes from the slack space at the end of a file.
In early computer systems, the slack space contained random portions of data pulled from memory.

19. DATA REMANENCE (CONTINUED):
Slack space can also be used by an attacker. Some tools can be used to identify and extract the information.
There are utilities that can be used to securely wipe the data from the hard drive by overwriting the file information with bytes of 1s and 0s, or a random combination of both. This wipe includes the unused slack space in clusters assigned to allocated files.
The most effective mechanism to destroy data, either a single file or an entire disk, short of grinding the disk into little pieces (which is still no guarantee), is to overwrite the data several times.

20. UNAUTHORIZED TARGETED DATA MINING
Is the act of collecting and analyzing large quantities of information to determine patterns of use or behavior and using those patterns to form conclusions about past, current, or future behavior.
Attackers will perform reconnaissance against their target in an effort to collect as much information as possible to draw conclusions on operations, practices,

21. DUMPSTER DIVING
Is simply the act of taking what people assume is trash and using that information, sometimes in combination with other data, to formulate conclusions or refine strategies for an attack.
Most attackers don't want to risk physical contact with their target and the potential exposure of going through the organization's trash.
The ability of an unauthorized person to get to the trash repository of a site also shows a weakness in the physical access controls of that facility.
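Added example (not from the slides) for slide 19: a multi-pass overwrite of a single file using the patterns the slide names (all 1s, all 0s, then random bytes), padded to whole blocks so the slack at the end of the last allocated block is covered too. The sample secret is constructed; the block size is an assumption.

```python
import os
import tempfile

# Overwrite patterns in the order applied; None means random bytes.
PASSES = (b"\xff", b"\x00", None)

def _pattern_block(pattern, size):
    """One block of the given pattern (or fresh random bytes)."""
    return os.urandom(size) if pattern is None else pattern * size

def overwrite_file(path, block_size=4096):
    """Overwrite the file's allocated blocks once per pattern in PASSES.

    The length is rounded up to whole blocks so the tail of the last block
    (the file's slack on filesystems that allocate in clusters) is also
    rewritten. Each pass is fsync'ed so the writes reach the device rather
    than only the page cache. Caveat: on SSDs, journaling or copy-on-write
    filesystems, in-place overwriting is no guarantee, as the slide notes
    for physical destruction too.
    """
    size = os.path.getsize(path)
    padded = max(block_size, -(-size // block_size) * block_size)
    with open(path, "r+b", buffering=0) as f:
        for pattern in PASSES:
            f.seek(0)
            for _ in range(padded // block_size):
                f.write(_pattern_block(pattern, block_size))
            os.fsync(f.fileno())
    return padded

def wipe_file(path):
    """Overwrite, then remove the directory entry. Returns bytes per pass."""
    written = overwrite_file(path)
    os.unlink(path)
    return written

def demo(secret=b"ACCOUNT=4111-1111-1111-1111\n"):
    """Write a constructed secret, overwrite it, and check nothing remains."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path)
    with open(path, "rb") as f:
        remnant = secret in f.read()   # False: the original bytes are gone
    os.unlink(path)
    return {"remnant_found": remnant, "file_removed": not os.path.exists(path)}
```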
22. BACKDOORS AND TRAPDOORS
Applications may have hard-coded instructions that allow complete and unfettered access to those who know of the existence of the backdoor.
The most common method of backdoor access is the use of hidden accounts built within the application.
The threat to access controls from backdoors and trapdoors is based on the existence of unknown configurations that will allow someone to circumvent established controls and gain full access to the system.

23. LOGIC BOMBS:
Some attacks can be seen immediately, taking effect as soon as the attack is launched, while other attacks can wait for days, weeks, even years. These attacks are called logic bombs because they rely on a logical progression of events before they unleash their aggression.
They can be difficult to find, particularly if they have been placed there by someone with intimate knowledge of the system or its source code.
The best way to defend against them is to include a thorough code review of all software deployed throughout the enterprise.

24. THEFT:
Theft is a simple concept anyone can grasp; however, as the digital interaction between people and business expands, the exposure of valuable information continues to exceed the physical notion of the term theft.
Physical theft includes anything of value an unauthorized entity can remove.
Digital theft is when the thief has not destroyed the information during the act of stealing it; the original data is still there.

25. SOCIAL ENGINEERING:
Is the practice of misdirection to obtain information through social contacts.
Can take many forms, ranging from telephone calls to e-mail to face-to-face interaction.
The best prevention is an effective and continuous security awareness and education effort for all personnel within the organization.

26. E-MAIL SOCIAL ENGINEERING
Can be a powerful persuasion device for attackers and con artists alike.
E-mail has become a basic mode of communication for many people and is considered crucial for many companies to run a successful business.
E-mail social engineering presents many problems to effective access control, but the primary problem is that it can be used to obtain enough personal or system information from a victim that the attacker can subsequently obtain or bypass legitimate authentication and authorization information.

27. HELP DESK FRAUD
The goal of a help desk attack is for the attacker to get a valid ID and password to an internal system.
This technique is becoming harder and harder to use, because help desk employees are usually trained to follow a specific protocol for providing passwords, and many of these protocols do not include furnishing passwords over the phone.

28. THREAT MODELING
In reviewing access control attacks and mitigating factors, several risk assessment methods can be considered.
Threat modeling approaches vary from organization to organization but generally follow an approach of:
Defining the scope and objectives
Understanding or modeling the system
Development of threats
Development of vulnerabilities
Determining the impact and risk
Developing the mitigation plan

29. DEFINE THE SCOPE AND OBJECTIVES
An effective threat modeling exercise must determine what is within the scope of the modeling.
There is a trade-off between the size of the scope and the amount of effort required to provide meaningful recommendations.
If the scope is too narrow, the assessor may neglect significant information.
If the scope is too large, resources available for mitigation are spent on assessment.

30. UNDERSTANDING OR MODELING THE SYSTEM:
In understanding how the target system or application operates, collect as much information as is available about the system.
Cost information about the operation, development, and information contained in the system should also be understood, as it will be required to make value-based decisions.

31. DEVELOPMENT OF THREATS:
Can be as much of an art as a science and will vary greatly depending on the threat information sources available.
Classified or national security information, which may be relevant to the system.

32. DEVELOPMENT OF VULNERABILITIES:
Using automated tools, a vulnerability scan of the target system or application should be performed.
Weaknesses should also be reviewed.

33. DETERMINING IMPACTS AND RISK:
There are several qualitative and quantitative ways to determine impacts and risks.
The qualitative route is the simplest and helps determine the overall impact and risk to the organization.
Once levels of risk are determined, a value to mitigate each should be determined.

34. DEVELOP A MITIGATION PLAN:
This plan should ideally identify residual risks, exposure, resources required to mitigate risks, and timelines for mitigations.
The plan should also identify the responsible party for each risk mitigation and who accepted residual risks on behalf of the organization.

35. ASSET VALUATION:
In determining the value of information systems there are several components which must be accounted for:
Hardware
Software
Integration
Opportunity cost
Regulatory exposure
Information replacement
Reputation exposure

36. HARDWARE, SOFTWARE, AND INTEGRATION:
Hardware: The replacement cost of hardware can be significant and can increase dramatically when the hardware is out of support or the vendor has gone out of business.
Software: Much like hardware, software can go out of support, and vendors can dissolve or merge with other companies.
Integration: Integration costs are often sunk, invisible costs that are easily overlooked when considering the value of an asset.

37. OPPORTUNITY COSTS, REGULATORY AND REPUTATIONAL EXPOSURE, AND INFORMATION REPLACEMENT:
Opportunity Costs: When a crucial business support system, such as the e-commerce site for a major online retailer, is down, the downtime costs substantial money.
Regulatory Exposure: In a regulated environment, there are stiff penalties for breaching information.
Information Replacement: The information an organization develops as part of its operation is most likely not going to be replaced overnight.
Reputational Exposure: What is the cost of losing a reputation? Reputation is extremely difficult and expensive to achieve and maintain.

38. ACCESS AGGREGATION:
Is the act of collecting additional roles and responsibilities in an organization or information system.
The combination of systems may make it possible to commit fraud, as separation of duties also breaks down as access aggregation occurs.
Information security professionals should work with human resources and information technology administrators to ensure de-provisioning of access is performed any time an employee changes roles.

39. VULNERABILITY ASSESSMENT:
To begin the vulnerability assessment process, the assessor must have a good understanding of the business, its mission, and the system or application to be assessed.
The next step is to examine the existing controls in place to protect the system or process.
Once the vulnerability scanning is complete, the security analyst must examine the results for accuracy.
Once the final analysis is complete, the assessor should discuss the findings with the business area to determine the appropriate course of remediation action to take.

40. PENETRATION TESTING:
The next level in vulnerability assessment seeks to exploit existing vulnerabilities to determine the true nature and impact of a given vulnerability.
Penetration testing goes by many names, such as ethical hacking, tiger teaming, red teaming, and vulnerability testing.
Penetration testing can be employed against any system or service.
The key to successful and valuable penetration testing is clearly defined objectives, scope, stated goals, agreed-upon limitations, and acceptable activities.

41. PENETRATION TEST STRATEGIES:
Strategies are based on the specific objectives to be achieved and are a combination of the source of the test, how the company's assets are targeted, and the information provided to the tester.
The organization must determine the area of the organization or the service to be tested.
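Added example (not from the slides) for slide 38: tracking how permissions aggregate when each role change adds a role but nothing is ever de-provisioned, and checking the result against separation-of-duties rules. Role names, permissions and the toxic combinations are constructed.

```python
# Constructed role model: which permissions each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "helpdesk":   {"user.reset_password"},
    "auditor":    {"ledger.read"},
}

# Separation of duties: permission sets one person must never hold together.
TOXIC_COMBINATIONS = [
    ({"vendor.create", "payment.release"}, "create a vendor and pay it"),
    ({"invoice.enter", "invoice.approve"}, "enter and approve the same invoice"),
]

def effective_permissions(role_history, deprovision):
    """Union of permissions after a sequence of role moves.

    role_history lists the roles in the order the person held them.
    deprovision=False models the slide's failure mode: every move adds a
    role and old access is never removed, so permissions aggregate over a
    career. deprovision=True keeps only the current role, which is what the
    HR/IT de-provisioning step on the slide is meant to guarantee.
    """
    held = [role_history[-1]] if deprovision else role_history
    perms = set()
    for role in held:
        perms |= ROLE_PERMISSIONS[role]
    return perms

def sod_violations(perms):
    """Descriptions of every toxic combination fully present in perms."""
    return [why for combo, why in TOXIC_COMBINATIONS if combo <= perms]

def review_user(role_history):
    """Compare the aggregated view with the de-provisioned view for one
    person: the difference is the stale access a role-change review should
    remove, and the violations show the fraud exposure it creates."""
    aggregated = effective_permissions(role_history, deprovision=False)
    current = effective_permissions(role_history, deprovision=True)
    return {
        "aggregated_violations": sod_violations(aggregated),
        "current_violations": sod_violations(current),
        "stale_permissions": sorted(aggregated - current),
    }
```

A clerk promoted to manager without de-provisioning ends up able to both create a vendor and release payments to it, which neither role allows on its own.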
42. APPLICATION SECURITY TESTING:
The objective of application security testing is to evaluate the controls within an application and its information process flow.
Application testing will test the flow of information through the application and its susceptibility to interception or alteration.
Application testing will test for a wide range of common attack scenarios to gauge the level of resistance an application has to attacks of varying levels of sophistication.

43. DENIAL-OF-SERVICE (DOS) TESTING:
The goal is to evaluate the system's susceptibility to attacks that will render it inoperable or unable to provide needed services to the organization's external users.
Because DoS testing presents such a risk to systems, many testers will perform the attack steps leading up to the DoS but stop short of crashing the system. This saves a great deal of response and

44. WAR DIALING:
Is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote-access devices, and maintenance connections for computers that may exist within an organization's network.
Organizations would be wise not to underestimate their reach into the infrastructure or their potential for creating vulnerabilities in the environment.

45. WIRELESS NETWORK TESTING:
Wireless networks, whether through formal, approved network architecture or the inadvertent actions of well-meaning users, create additional security exposures.
The goal is to identify security gaps or flaws in the design, implementation, or operation of the organization's wireless network.

46. SOCIAL ENGINEERING:
Often used in conjunction with blind and double-blind testing, social engineering refers to techniques using social interaction, typically with the organization's employees, suppliers, and contractors, to gather enough information to be able to penetrate the organization's physical premises or systems.
47. PBX AND IP TELEPHONY TESTING:
Beyond war dialing, phone systems have been a highly vulnerable, yet often overlooked, method of gaining access to corporate resources.
The potential threat profile represented by combining the threats associated with IP networks and those of telephone systems is one an organization should take seriously.

48. PENETRATION TEST METHODOLOGY:
A methodology is an established collection of processes that are performed in a predetermined order to ensure the job, function, or security test is accurately executed.
(1) Reconnaissance/Discovery: Identify and document information about the target.
(2) Enumeration: Gain more information with intrusive methods.
(3) Vulnerability Analysis: Map the environment profile to known vulnerabilities.
(4) Execution: Attempt to gain user and privileged access.
(5) Document findings: Document the results of the test.