Reproduction prohibited
CISSP TIPS PART 2
ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER
MAGDA LILIA CHELLY
OVERVIEW
ISC2 REQUIREMENTS ON INDIVIDUALS
THESE INCLUDE:
• BACKGROUND
• FIVE YEARS OF CUMULATIVE PAID WORK EXPERIENCE IN TWO OR MORE OF THE 8 DOMAINS (A FOUR-YEAR COLLEGE DEGREE WAIVES ONE YEAR, SO FOUR YEARS OF EXPERIENCE PLUS A DEGREE ALSO QUALIFIES)
• TEST FEE
• APPROVED APPLICATION
• AGREEMENT TO THE ISC2 CODE OF ETHICS
DOMAINS
THE 8 DOMAINS ARE:
1. SECURITY AND RISK MANAGEMENT
2. ASSET SECURITY
3. SECURITY ENGINEERING
4. COMMUNICATION AND NETWORK SECURITY
5. IDENTITY AND ACCESS MANAGEMENT
6. SECURITY ASSESSMENT AND TESTING
7. SECURITY OPERATIONS
8. SOFTWARE DEVELOPMENT SECURITY
EXERCISE
Classify each of the following as an attack on confidentiality, integrity, and/or availability
(more than one may apply) and justify your answers. Post on Peerlyst.com.
• Olavi crashes Sami's system
• Pierre forges Paul's signature
• Sami spoofs Mandy's IP address to gain access to her laptop
• Tom publishes company internal document on his blog
• Someone copies your article
• James adds a zero to Paul's bank cheque, changing it from 100€ to 1000€
IDENTITY AND ACCESS MANAGEMENT
▪ Identity and access management overview
▪ Identification mechanisms
▪ Authentication factors
▪ Password authentication protocols
▪ Enforcing accountability
▪ Managing credentials with policies
▪ Using access control lists
▪ Defending against access control attacks
A key aspect of security is access control: deciding whether or not to accept a request.
Identification & Authentication
▪ Representing identity: users, groups, roles, certificates.
▪ An information system provides identification when it is able to recognize individual users.
▪ Authentication occurs when a control provides proof that a user possesses the identity he or she claims.
▪ Identification and authentication are essential to establishing the level of access (authorization) an individual is granted.
▪ Authentication is a technical problem: it can, for example, be solved with cryptography.
AUTHENTICATION can be accomplished with biometrics, a password, a passphrase, a one-time password, or a token (in general: something you know, something you have, something you are).
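As an added example (not from the original slides), the Python below combines two of these factors: a password ("something you know") stored as a salted PBKDF2 hash and checked in constant time, and a one-time password ("something you have") computed per RFC 4226 HOTP and RFC 6238 TOTP. The user store, the user name "alice", the password and the OTP secret are constructed for the example; the secret used in the test vectors is the one published in RFC 4226.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Something you know: salted password hash, verified in constant time ---
def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def check_password(password: str, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)   # constant-time compare

# --- Something you have: HOTP (RFC 4226) and TOTP (RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time // step), digits)

# --- Putting the factors together (constructed user store) ---
class UserStore:
    def __init__(self):
        self.users = {}   # name -> record

    def enroll(self, name: str, password: str, otp_secret: bytes):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest,
                            "otp_secret": otp_secret, "last_step": -1}

    def authenticate(self, name: str, password: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self.users.get(name)
        if rec is None:
            # Identification failed; still pay for one hash so response time
            # does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        if not check_password(password, rec["salt"], rec["digest"]):
            return False
        step = int(now // 30)
        for delta in (-1, 0, 1):                              # tolerate one step of clock drift
            s = step + delta
            if s > rec["last_step"] and hmac.compare_digest(hotp(rec["otp_secret"], s), code):
                rec["last_step"] = s                          # each code is accepted once: no replay
                return True
        return False
```

Two details a practitioner would want: an unknown user name still costs one hash computation, so timing does not leak valid accounts, and each time step is accepted only once, so a code captured by a phishing page cannot be replayed inside the drift window.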
Authorization
A policy stating who is allowed to perform which actions on which resources.
Once a user or computer is authorized, it is granted specific rights, such as access, update, delete, etc.
Access control = the mechanism by which services
know whether to accept or deny requests.
There are four pieces to the process:
• Identification: claiming an identity.
• Authentication: proving the claim (something you know, something you have, something you are).
• Authorization: expressing a permission.
• Decision: accepting or denying the request.
• Access control is a must in information
security.
• The information owner defines the
classification of the data and assets.
• The custodian implements the right
controls.
ACCESS CONTROL CATEGORIES:
• ADMINISTRATIVE
• TECHNICAL (LOGICAL)
• PHYSICAL
ADMINISTRATIVE CONTROLS:
• POLICIES
• STANDARDS
• PROCEDURES
• GUIDELINES
• PERSONNEL SCREENING
• AWARENESS TRAINING
TECHNICAL (LOGICAL) CONTROLS:
• NETWORK ARCHITECTURE
• ENCRYPTION
• SECURITY DEVICES
• IDENTIFICATION AND AUTHENTICATION
PHYSICAL CONTROLS:
• BUILDING PROTECTION
• SECURITY GUARDS
• LOCKS
• MONITORING
• DATA BACKUPS
• MOTION OR THERMAL ALARM SYSTEMS
DISCRETIONARY ACCESS CONTROL
MANDATORY ACCESS CONTROL
NON-DISCRETIONARY ACCESS CONTROL
ROLE-BASED ACCESS CONTROL
Identification
Authentication
Authorization
Accountability
DISCRETIONARY ACCESS CONTROL (DAC): ACCESS TO AN OBJECT IS RESTRICTED BASED ON THE IDENTITY OF THE SUBJECT, AT THE DISCRETION OF THE OBJECT'S OWNER.
MANDATORY ACCESS CONTROL (MAC) USES A SECURITY LABEL SYSTEM: USERS HAVE CLEARANCES, AND RESOURCES HAVE SECURITY LABELS WITH DATA CLASSIFICATIONS.
NON-DISCRETIONARY ACCESS CONTROL USES A ROLE-BASED APPROACH TO DEFINE RIGHTS AND PERMISSIONS.
(Diagram: users assigned to Role 1 and Role 2.)
Role-based access control (RBAC) = user roles and permissions
Pros: scalable; flexible; fewer administrative tasks.
Cons: provisioning; maintenance; static.
• Manageability problems
• Scalability problems
• Granularity
• Delegation
• Revocation
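An added example (not from the original slides) of the authorization and decision steps under each of the three models above: a DAC store in which the object owner keeps the ACL and decides who may share it; MAC with the Bell-LaPadula no-read-up and no-write-down rules over clearance and label levels; and RBAC in which permissions hang off roles, so a single revoke removes everything the role granted. Object, user and role names are constructed for the example.

```python
# --- DAC: the object's owner maintains an ACL and may grant or revoke at will ---
class DacStore:
    def __init__(self):
        self.acl = {}          # object -> {subject: set(perms)}

    def create(self, obj: str, owner: str):
        self.acl[obj] = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, obj: str, subject: str, perm: str) -> bool:
        if "grant" not in self.acl.get(obj, {}).get(granter, set()):
            return False       # only holders of 'grant' (the owner by default) may share
        self.acl[obj].setdefault(subject, set()).add(perm)
        return True

    def allowed(self, subject: str, perm: str, obj: str) -> bool:
        return perm in self.acl.get(obj, {}).get(subject, set())

# --- MAC: system-wide labels; Bell-LaPadula rules for confidentiality ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allowed(clearance: str, label: str, perm: str) -> bool:
    c, l = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= l          # simple security property: no read up
    if perm == "write":
        return c <= l          # *-property: no write down
    return False

# --- RBAC: permissions attach to roles; users are assigned roles ---
class Rbac:
    def __init__(self):
        self.role_perms = {}   # role -> {(perm, obj)}
        self.user_roles = {}   # user -> {role}

    def add_role(self, role: str, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str):
        # one operation removes every permission the role carried: the
        # revocation problem listed above is much simpler than with per-user ACLs
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user: str, perm: str, obj: str) -> bool:
        return any((perm, obj) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))
```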
(Cartoon: a patient tells her doctor, "I don't want my information to be shared with researchers who are not HIPAA compliant!" The doctor answers "Sure!", then wonders how to do that, since there are data release requests from 510 researchers.)
PREVENTIVE CONTROLS: CONTROLS THAT AVOID AN INCIDENT
• Block unauthorized internal or external access
• Example: security policy
DETECTIVE CONTROLS: CONTROLS THAT IDENTIFY AN INCIDENT
• Example: tracking an unauthorized transaction
CORRECTIVE CONTROLS: CONTROLS THAT REMEDY
• Recover or restore operations after an incident
DETERRENT CONTROLS: CONTROLS THAT DISCOURAGE
• Used to encourage or increase compliance
RECOVERY CONTROLS: CONTROLS THAT RESTORE
• Example: offsite facility
COMPENSATING CONTROLS: CONTROLS THAT PROVIDE ALTERNATIVES TO OTHER CONTROLS
Single sign-on (SSO) technology: the user authenticates to the network only one time.
KERBEROS
• The user authenticates to the Key Distribution Center (KDC) and receives a ticket granting ticket (TGT).
• To reach a service, the user presents the TGT to the ticket granting service (TGS).
• The TGS generates a new ticket for that service together with a session key.
• The user presents the service ticket to the service.
Kerberos strengths:
• Client and server mutually authenticate
• Users' passwords are never sent across the network
• Secret keys are only passed encrypted
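The ticket exchange above, simulated end to end as an added example (not from the original slides): a KDC acting as both AS and TGS, a file service, and a client. The principal names (alice, krbtgt, host/files), the realm EXAMPLE.COM and the password are constructed, and the toy SHA-256/HMAC cipher stands in for the real Kerberos encryption types; the structure of the exchange is the point. Watch for the three strengths listed: the client derives its key from the password locally, so the password never crosses the wire; every ticket is encrypted under a key its carrier does not hold; and the final AP reply proves the server knows the session key.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption (SHA-256 keystream + HMAC tag). Stands in for the
# real Kerberos enctypes; constructed for this example, not for production use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range(0, length, 32):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

REALM = b"EXAMPLE.COM"   # constructed realm, used as the password-to-key salt

def password_key(password: str) -> bytes:
    # Client and KDC each derive the long-term key locally; the password never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM, 100_000)

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one process."""
    def __init__(self, keys: dict):
        self.keys = keys                                   # principal -> long-term key

    def as_exchange(self, cname: str, nonce: str):
        sk = os.urandom(32).hex()                          # TGS session key
        tgt = encrypt(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": time.time() + 3600})
        reply = encrypt(self.keys[cname], {"sk": sk, "nonce": nonce})
        return reply, tgt                                  # the TGT is opaque to the client

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        t = decrypt(self.keys["krbtgt"], tgt)              # only the KDC can open a TGT
        auth = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if auth["cname"] != t["cname"] or time.time() > t["exp"]:
            raise ValueError("authenticator does not match ticket")
        ssk = os.urandom(32).hex()                         # service session key
        ticket = encrypt(self.keys[service], {"cname": t["cname"], "sk": ssk})
        return encrypt(bytes.fromhex(t["sk"]), {"service": service, "sk": ssk, "ticket": ticket.hex()})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes):
        t = decrypt(self.key, ticket)                      # only the service can open its ticket
        ssk = bytes.fromhex(t["sk"])
        auth = decrypt(ssk, authenticator)
        if auth["cname"] != t["cname"]:
            raise ValueError("ticket presented by the wrong principal")
        return t["cname"], encrypt(ssk, {"ts": auth["ts"]})   # AP-REP: proves the server holds ssk

def client_login(kdc: KDC, svc: Service, cname: str, password: str) -> str:
    ckey = password_key(password)
    nonce = os.urandom(8).hex()
    reply, tgt = kdc.as_exchange(cname, nonce)
    r = decrypt(ckey, reply)                               # wrong password -> wrong key -> ValueError
    if r["nonce"] != nonce:
        raise ValueError("replayed AS reply")
    sk = bytes.fromhex(r["sk"])
    r2 = decrypt(sk, kdc.tgs_exchange(tgt, encrypt(sk, {"cname": cname, "ts": time.time()}), svc.name))
    ssk, ticket = bytes.fromhex(r2["sk"]), bytes.fromhex(r2["ticket"])
    ts = time.time()
    who, ap_rep = svc.ap_exchange(ticket, encrypt(ssk, {"cname": cname, "ts": ts}))
    if decrypt(ssk, ap_rep)["ts"] != ts:
        raise ValueError("server failed mutual authentication")
    return who

def login_ok(password: str) -> bool:
    """Run the full exchange for the constructed user 'alice'; True only if every step verifies."""
    keys = {"alice": password_key("correct horse"), "krbtgt": os.urandom(32), "host/files": os.urandom(32)}
    kdc, svc = KDC(keys), Service("host/files", keys["host/files"])
    try:
        return client_login(kdc, svc, "alice", password) == "alice"
    except ValueError:
        return False
```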
SESAME: SECURE EUROPEAN SYSTEM FOR APPLICATIONS IN A MULTIVENDOR ENVIRONMENT
SESAME uses symmetric and asymmetric encryption.
KERBEROS VS SESAME: SYMMETRIC ONLY VS SYMMETRIC & ASYMMETRIC
SECURITY ASSESSMENT AND TESTING
▪ Design and validate assessment and test strategies
▪ Vulnerability assessment
▪ Penetration testing
▪ Log reviews
▪ Synthetic transactions
▪ Code review and testing (e.g. manual, dynamic, static, fuzz)
▪ Misuse case testing
▪ Test coverage analysis
▪ Interface testing (e.g. API, UI, physical)
▪ Backup verification data
(Diagram: traditional hacking attacks the network through the firewall; social engineering goes around the firewall by targeting the employee directly.)
Social engineering is an art mixed with science.
Or: social engineering is an attack that uses manipulation to gain access to confidential information.
Most common social engineering scenarios:
• Scenario with a sense of urgency: Car accident or Stolen wallet in a foreign
country
• Impersonating someone important such as a CEO: CEO Fraud
• Mentioning popular events: Manchester Vs Barca Replay
• Offering an incentive: Free ticket to Britney’s concert
Security assessments are security reviews of a
system, application, or other tested environment.
Vulnerability scans check systems, applications,
and networks, looking for vulnerabilities that may be
exploited.
Vulnerability scanners are one category of security testing tools.
Network Discovery Scanning
• TCP SYN Scanning
• TCP Connect Scanning
• TCP ACK Scanning
• Xmas Scanning
The TCP SYN scan sends a SYN packet and receives back a SYN/ACK (port open) or a RST (port closed).
It does NOT send the final ACK, so the three-way handshake is never completed.
The most popular tool for network discovery scanning is the open source tool nmap.
A network vulnerability scan probes the network in more depth than a discovery scan: it identifies the services behind open ports and checks them against known vulnerabilities.
Common ports:
FTP 21
SSH 22
Telnet 23
SMTP 25
DNS 53
HTTP 80
POP3 110
NTP 123
HTTPS 443
Microsoft SQL Server 1433
Oracle 1521
H.323 1720
PPTP 1723
RDP 3389
Open ports = attack surface (security risk).
Ports 80 and 443 are expected to be open on a web server.
Port 1433 is a database port and should NOT be exposed to the network.
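As an added example (not from the original slides) covering the TCP connect scan named earlier and the port table above, the Python below scans a list of ports on a host and classifies what it finds as expected, must-not-be-exposed, or unexplained. The listener on 127.0.0.1 is a constructed target so the code runs offline; the "expected" and "never expose" sets are assumptions for a web server and should be set per host.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Well-known ports from the slide, used to label results
SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
            110: "POP3", 123: "NTP", 443: "HTTPS", 1433: "MS SQL Server", 1521: "Oracle",
            1720: "H.323", 1723: "PPTP", 3389: "RDP"}

def tcp_connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """Full three-way handshake per port (the 'TCP connect' scan): open if connect() succeeds.
    A SYN scan would stop after SYN/SYN-ACK, which needs raw sockets and therefore root."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return port if s.connect_ex((host, port)) == 0 else None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)

def assess_exposure(open_ports, expected=frozenset({80, 443}),
                    never_expose=frozenset({23, 1433, 1521, 3389})) -> dict:
    """Classify open ports: expected for this host, must never be exposed, or unexplained.
    The two sets are assumptions for an internet-facing web server."""
    report = {"expected": [], "exposed": [], "unexplained": []}
    for p in open_ports:
        label = f"{p}/{SERVICES.get(p, 'unknown')}"
        if p in expected:
            report["expected"].append(label)
        elif p in never_expose:
            report["exposed"].append(label)
        else:
            report["unexplained"].append(label)
    return report

def start_listener(host: str = "127.0.0.1"):
    """Constructed target: a loopback listener on an ephemeral port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:         # listener closed
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def closed_port(host: str = "127.0.0.1") -> int:
    """Reserve then release an ephemeral port so that it is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    srv, port = start_listener()
    found = tcp_connect_scan("127.0.0.1", [port, closed_port()])
    print(found, assess_exposure(found))
    srv.close()
```

nmap's -sT option performs this same full handshake; -sS is the SYN scan from the previous slides and needs raw sockets, which is why unprivileged tooling falls back to a connect scan.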
Web Vulnerability Scanning
• Burp Suite https://portswigger.net/burp
‘’Burp or Burp Suite is a graphical tool for testing Web application security. The
tool is written in Java and developed by PortSwigger Security.’’
• Veracode https://www.veracode.com/products/static-analysis-sast/static-code-analysis
(Veracode's product linked here is static code analysis (SAST): it tests the source code rather than the running web application.)
Network vulnerability scans look at hosts and services in general; application vulnerability scans look into the structure of web applications.
Metasploit is an exploitation framework with automated exploit modules.
Penetration Testing
The process may include the following:
▪ Reconnaissance
▪ Network discovery scans
▪ Network vulnerability scans
▪ Web application vulnerability scans
▪ Use of exploit tools
▪ Manual attack attempts
▪ White Box Penetration Test: testers have full knowledge of the target (architecture, source code, credentials)
▪ Grey Box Penetration Test: testers have partial knowledge
▪ Black Box Penetration Test: testers have no prior knowledge of the target
Code Review and Testing
The inspection of source code to find security vulnerabilities, checking it against OWASP best practices, vulnerable syntax and the handling of inputs.
Formal code review (Fagan inspection) steps:
▪ Planning
▪ Overview
▪ Preparation
▪ Inspection
▪ Rework
▪ Follow-up
OWASP TOP 10
‘’The Open Web Application Security Project (OWASP) is a 501(c) worldwide
not-for-profit charitable organization focused on improving the security of
software.’’
CWE/SANS TOP 25
The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most
critical programming errors that can lead to critical software vulnerabilities.
Static testing: analyzes the code without running the software.
Dynamic testing: exercises the software in a runtime environment.
Fuzz testing: feeds malformed or random inputs to stress the software's limits.
Interface testing: the performance of modules against the interface specifications (API, UI, physical).
Misuse case testing: testing the known ways an attacker might misuse or exploit the software.
Security assessment reports are addressed to the
organization’s management.
Security metrics to report to management include:
■ Number of open vulnerabilities
■ Time to resolve vulnerabilities
■ Number of compromised accounts
■ Number of software flaws
■ Repeated audit findings
■ Attempts to visit malicious sites
THANK YOU !
PLEASE FEEL FREE TO ASK QUESTIONS
OR SHARE YOUR TIPS