- Policies - Security Policy Best Practices
-
Information Security Standards (ISO 17799, ISO 27001, BS7799)
-
Common Criteria
-
Provides a security framework whereby...
- Users can specify what they want
- Vendors can implement it
- Labs can test vendors' claims
- derived from BS7799
-
CIA
-
Confidentiality
- Prevents unauthorized disclosure
- Implemented by Encryption
-
Integrity
- Prevents unauthorized modification of data
- Implemented by Hashing Algorithms
-
Availability
- Is the prevention of loss of access to data,
i.e. ensuring it is available when needed
- Implemented by Resiliency / Redundancy & Load Balancing
-
Security Policies
- Acceptable
- Ethics
- Information Sensitivity
- Email
- Security Wheel
-
ISO 17799
- Renamed ISO 27002
- Wikipedia Page
-
ISO 27001
- Wikipedia
-
BS7799
- Wikipedia
- Standards Bodies
-
Common RFCs
-
RFC1918
- Special-Use IPv4 Addresses
-
RFC 2827
- Network Ingress Filtering
Defeating Denial of Service Attacks which employ
IP Source Address Spoofing
-
RFC3330
- Special-Use IPv4 Addresses
-
RFC2401
- Security Architecture for the Internet Protocol
-
BCP 38
-
Network Ingress Filtering for MULTI-HOMED Devices
- Linked to RFC2827
-
BCP 38, RFC 2827, is designed to limit the impact of distributed
denial of service attacks, by denying traffic with spoofed addresses
access to the network, and to help ensure that traffic is traceable
to its correct source network. As a side effect of protecting the
Internet against such attacks, the network implementing the solution
also protects itself from this and other attacks, such as spoofed
management access to networking equipment. There are cases when this
may create problems, e.g., with multihoming. This document describes
the current ingress filtering operational mechanisms, examines
generic issues related to ingress filtering, and delves into the
effects on multihoming in particular. This memo updates RFC 2827.
- Linked to RFC3704
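Added example (not from these notes or from the RFCs): a strict BCP 38 / RFC 2827 ingress check in Python. A packet arriving on a customer-facing interface is dropped if its source is an RFC 1918 / RFC 3330 special-use address or is not inside a prefix allocated to that interface. The interface names, prefixes and sample packets are constructed values.

```python
import ipaddress

# Constructed example: each customer-facing interface and the prefixes actually
# allocated to the customer behind it (assumed values, not from the notes).
ALLOCATED_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}

# RFC 1918 private space plus a few RFC 3330 special-use blocks: none of these
# is a valid source on a customer-facing ingress interface.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",       # RFC 3330: "this" net, loopback, link-local
)]


def ingress_verdict(interface, src_ip):
    """BCP 38 strict ingress check for one packet: the source must not be
    special-use and must fall inside a prefix allocated to that interface.
    Returns ("permit" | "drop", reason)."""
    src = ipaddress.ip_address(src_ip)
    for net in SPECIAL_USE:
        if src in net:
            return ("drop", f"special-use source {src} ({net})")
    allowed = ALLOCATED_PREFIXES.get(interface)
    if allowed is None:
        return ("drop", f"no prefix list for interface {interface}")
    for net in allowed:
        if src in net:
            return ("permit", f"{src} is within allocated {net}")
    return ("drop", f"{src} not allocated to {interface}: likely spoofed")


def filter_packets(packets):
    """Apply ingress_verdict to (interface, src_ip) pairs; returns 4-tuples."""
    return [(iface, src) + ingress_verdict(iface, src) for iface, src in packets]


# Constructed sample traffic as seen on the customer-facing interfaces
SAMPLE = [
    ("eth1", "203.0.113.45"),    # legitimate customer source
    ("eth1", "198.51.100.7"),    # eth2's prefix arriving on eth1: spoofed or misrouted
    ("eth2", "10.0.0.5"),        # RFC 1918 source leaking out of the customer network
    ("eth2", "198.51.100.200"),  # legitimate, second half of eth2's allocation
]

if __name__ == "__main__":
    for iface, src, verdict, reason in filter_packets(SAMPLE):
        print(f"{iface} {src:>16} {verdict:6} {reason}")
```

The second sample packet is the multihoming case RFC 3704 discusses: if the customer on eth2 is also legitimately reachable via eth1, a strict per-interface list like this one drops valid traffic, and the prefix list on each interface has to carry all of that customer's prefixes.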
-
Attacks, Vulnerabilities and Common Exploits - recon, scan, priv escalation, penetration, cleanup, backdoor
-
Spanning Tree Attacks
- User sends malicious BPDUs to become the root bridge
- Can be used for further Sniffing / DoS Attacks
-
MAC / CAM flood attacks
- User sends many ARP packets to fill the switch CAM table
- When the switch CAM resource is flooded, the switch behaves as a hub & broadcasts all frames/packets
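Added example (not part of these notes): a Python detector for the CAM-flood pattern, counting distinct source MACs per switch port inside a sliding window and alerting when a port exceeds a limit, which is the check port-security's maximum-MAC setting performs on the switch itself. The frame log, port names and threshold are constructed values.

```python
from collections import defaultdict, deque


class CamFloodDetector:
    """Track distinct source MACs per switch port inside a sliding time window
    and flag a port that exceeds the limit, the way port-security's
    maximum-MAC-address setting would."""

    def __init__(self, window_seconds=2.0, max_macs=5):
        self.window = window_seconds
        self.max_macs = max_macs
        self._events = defaultdict(deque)  # port -> deque of (timestamp, mac)
        self._counts = defaultdict(dict)   # port -> {mac: frames still inside window}

    def observe(self, ts, port, mac):
        """Feed one frame; return an alert string if the port is now over the limit."""
        events, counts = self._events[port], self._counts[port]
        events.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        # Expire frames that have fallen out of the window.
        while events and ts - events[0][0] > self.window:
            _, old_mac = events.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        if len(counts) > self.max_macs:
            return (f"{port}: {len(counts)} distinct source MACs within "
                    f"{self.window}s exceeds limit {self.max_macs}")
        return None


def scan(frames, **detector_args):
    """Run the detector over (timestamp, port, mac) records; returns {port: first alert}."""
    det = CamFloodDetector(**detector_args)
    alerts = {}
    for ts, port, mac in frames:
        alert = det.observe(ts, port, mac)
        if alert and port not in alerts:
            alerts[port] = alert
    return alerts


# Constructed frame log: two normal hosts on Gi0/1 and Gi0/2, then a burst of
# frames with ever-changing source MACs on Gi0/3 (the CAM-flood signature).
FRAMES = [
    (0.00, "Gi0/1", "00:11:22:33:44:01"),
    (0.05, "Gi0/2", "00:11:22:33:44:02"),
    (0.10, "Gi0/1", "00:11:22:33:44:01"),
] + [(1.0 + i * 0.01, "Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
     for i in range(60)]

if __name__ == "__main__":
    for port, alert in scan(FRAMES).items():
        print(alert)
```

The window matters: a single host behind a small hub or a VM host legitimately presents a handful of MACs, so the limit should be set from a baseline of normal ports rather than at 1.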
-
Reconnaissance Attacks
-
Sniffing
- Capturing Packets of Clear Text Protocols
- Port Scans
- Ping Sweeps
-
Internet Info Queries
- DNS / WHOIS lookups
- Google
-
Access Attacks
-
Password Cracking / Attacking
- Dictionary Attack
- Brute Force Guessing
- Rainbow tables
- Trust Exploitation
-
Buffer Overflow
-
When data written to a memory buffer, due to insufficient bounds checking,
corrupts data values in memory addresses adjacent to the buffer
- Bounds Checking: checks that data is "appropriate for storage", i.e. fits the buffer before it is written
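Added example (not from these notes): a Python model of the adjacent-memory corruption described above. A fixed-size buffer is followed by a 4-byte flag; an unchecked copy writes past the buffer and changes the flag, while the bounds-checked copy rejects input that does not fit. The memory layout, sizes and inputs are constructed for the illustration.

```python
class Memory:
    """Flat memory model: a 16-byte input buffer followed immediately by a
    4-byte little-endian flag, like two adjacent stack variables."""
    BUF_SIZE = 16
    FLAG_SIZE = 4

    def __init__(self):
        self.cells = bytearray(self.BUF_SIZE + self.FLAG_SIZE)

    def set_flag(self, value):
        self.cells[self.BUF_SIZE:] = value.to_bytes(self.FLAG_SIZE, "little")

    def get_flag(self):
        return int.from_bytes(self.cells[self.BUF_SIZE:], "little")

    def buffer(self):
        return bytes(self.cells[:self.BUF_SIZE])


def copy_unchecked(mem, data):
    """strcpy-style copy: writes every byte of the input, so anything past
    BUF_SIZE lands in whatever sits next to the buffer (here, the flag)."""
    for i, byte in enumerate(data):
        mem.cells[i] = byte


def copy_checked(mem, data):
    """Bounds-checked copy: input that does not fit the buffer is rejected."""
    if len(data) > Memory.BUF_SIZE:
        raise ValueError(f"{len(data)} bytes exceeds the {Memory.BUF_SIZE}-byte buffer")
    mem.cells[:len(data)] = data


def run(copy_fn, data):
    """Copy data into fresh memory; return (outcome, flag value afterwards)."""
    mem = Memory()
    mem.set_flag(0)
    try:
        copy_fn(mem, data)
    except ValueError:
        return "rejected", mem.get_flag()
    return "copied", mem.get_flag()


# Constructed inputs: one that fits, one that is four bytes too long.
FITS = b"hello world"
TOO_LONG = b"A" * Memory.BUF_SIZE + b"\x01\x00\x00\x00"

if __name__ == "__main__":
    for fn in (copy_unchecked, copy_checked):
        for data in (FITS, TOO_LONG):
            print(f"{fn.__name__:15} {len(data):2} bytes -> {run(fn, data)}")
```

The point of the model is the second result: the unchecked copy reports success while silently setting the flag, which is exactly why the check has to happen on the length before the write rather than on the data afterwards.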
-
VLAN Hopping
-
Switch Spoofing
- i.e. Connecting to a Switch as a trunk port, when it should be a user (access) port
- not an exploit as such; if auto trunking is left on then a user port can become a trunk port and "hop" out of the "user" VLAN
-
Double Tagging
- Attacker sends double-encapsulated 802.1q Frames to switch
- Switch strips off one tag and forwards the other
- Only uni-directional traffic, as victim won't double tag response frames
- very old exploit; switches now check that frames conform to the standard
- Port Redirection
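Added example for the Double Tagging item (not from these notes): a Python parser for stacked 802.1Q tags that reports a frame carrying two tags, which is the check a switch or a capture-side monitor can apply to frames seen on an access port. The frame builder exists only to construct test input; MAC addresses, VLAN ids and port modes are assumed values.

```python
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, vlan_ids, ethertype=0x0800, payload=b"\x00" * 46):
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags
    (used here only to construct test input)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, [vlan ids, outer first], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN id
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return dst, src, vlans, ethertype, frame[offset + 2:]


def inspect_frame(frame, port_mode, native_vlan=1):
    """Classify a frame received on a port whose mode is 'access' or 'trunk'.
    Returns (vlan_ids, verdict)."""
    _, _, vlans, _, _ = parse_frame(frame)
    if len(vlans) >= 2:
        # Outer tag equal to the trunk's native VLAN is the pattern the notes
        # describe: the first switch strips it and forwards on the inner tag.
        if vlans[0] == native_vlan:
            return vlans, "double-tagged-native"
        return vlans, "double-tagged"
    if port_mode == "access" and vlans:
        return vlans, "tagged-on-access"
    return vlans, "ok"


if __name__ == "__main__":
    dst, src = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    for vids, mode in (([], "access"), ([10], "trunk"), ([10], "access"), ([1, 20], "access")):
        print(mode, vids, "->", inspect_frame(build_frame(dst, src, vids), mode))
```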
-
Man in the Middle Attacks
- Attacker Sniff Packets (nonblind attack)
- Attacker redirects traffic (blind attack)
-
IP Spoofing
- IP is Connectionless
-
Non-Blind Spoofing
- Attacker "sniffs" sequence numbers
-
Blind Spoofing
- Attacker calculates Sequence numbers
-
Malware
- Worm
- Virus
- Spyware
- Trojan
-
DHCP Server Spoofing
- Malicious User replies to DHCP broadcasts
- .. has to either respond quicker than the legit server or exhaust the legit server's pools
-
DHCP Starvation Attack
- Either to spoof
- Or to DoS
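Added example covering both the DHCP Server Spoofing and DHCP Starvation items (not from these notes): a Python version of the two checks DHCP snooping applies on a switch. Server-side messages (OFFER/ACK/NAK) arriving on untrusted ports are dropped, and a port that sends DISCOVERs from many distinct client MACs is flagged as a starvation source. The trusted port, event log and limit are constructed values.

```python
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server should send these

# Assumed topology: Gi0/24 is the uplink to the legitimate DHCP server.
TRUSTED_PORTS = {"Gi0/24"}

# Constructed DHCP event log: (switch port, client/source MAC, message type)
EVENTS = [
    ("Gi0/5",  "00:aa:bb:cc:00:05", "DISCOVER"),
    ("Gi0/24", "00:50:56:00:dd:01", "OFFER"),      # legit server via trusted uplink
    ("Gi0/7",  "00:aa:bb:cc:00:07", "OFFER"),      # OFFER from an access port: rogue server
    ("Gi0/5",  "00:aa:bb:cc:00:05", "REQUEST"),
    ("Gi0/24", "00:50:56:00:dd:01", "ACK"),
] + [("Gi0/9", f"02:de:ad:be:ef:{i:02x}", "DISCOVER") for i in range(12)]  # starvation burst


def dhcp_snooping(events, trusted_ports, discover_limit=10):
    """Apply two DHCP-snooping style checks to an event log.
    Returns (dropped, starvation): dropped lists server messages seen on
    untrusted ports; starvation maps port -> number of distinct client MACs
    sending DISCOVER when that count exceeds discover_limit."""
    dropped = []
    discover_macs = defaultdict(set)
    for port, mac, mtype in events:
        if mtype in SERVER_MESSAGES and port not in trusted_ports:
            dropped.append((port, mac, mtype))
            continue
        if mtype == "DISCOVER":
            discover_macs[port].add(mac)
    starvation = {p: len(macs) for p, macs in discover_macs.items()
                  if len(macs) > discover_limit}
    return dropped, starvation


if __name__ == "__main__":
    dropped, starvation = dhcp_snooping(EVENTS, TRUSTED_PORTS)
    for port, mac, mtype in dropped:
        print(f"dropped {mtype} from {mac} on untrusted port {port}")
    for port, n in starvation.items():
        print(f"{port}: {n} distinct MACs sent DISCOVER, possible DHCP starvation")
```

Dropping the rogue OFFER is what removes the "respond quicker than the legit server" race: the spoofed reply never reaches the client regardless of timing, and the starvation count catches the pool-exhaustion route separately.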
-
Denial of Service
- DoS
- DDoS - Distributed Denial of Service
- TCP SYN Flood
- BotNets
-
Vulnerability
- a weakness in a system
-
examples
- application bugs
- poor passwords
-
Exploit
- Something that takes advantage of a Vulnerability
- Hacking Lifecycle
-
Security Audit & Validation
-
CVE
- Common Vulnerabilities and Exposures
- a dictionary of publicly known information security vulnerabilities and exposures
-
Risk Assessment
-
Qualitative
- Only Potential Loss is Calculated
-
Components
-
Threats
- Things that "can go wrong" or "attacks"
- e.g. Fire, Fraud
-
Vulnerabilities
- Weaknesses or things that make a threat more likely
- e.g. paper in the building = FIRE
-
Controls
- Countermeasures for Threats & Vulnerabilities
- Deterrent
- Reduce probability
- Preventative
- Prevents success if it happens
- Corrective
- Reduces the effectiveness of an attack once it has happened
- Detective
- Discovers if happens
- May trigger Corrective
-
Quantitative
- A Risk calculation based on figures
-
The probability of an event, and the estimated cost if it does happen
-
The Outputs of this....
- ALE
Annual Loss Expectancy
- EAC
Estimated Annual Cost
- (+) A number is generated and risks can easily be ranked by importance
- (-) Probability is rarely accurate / precise; incorrect calculations can promote complacency
- Change Management Process
- Incident Response Framework
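Added example for the Quantitative section (not from these notes): a Python worked calculation of ALE using the standard decomposition ALE = SLE x ARO with SLE = asset value x exposure factor, ranking a constructed set of risks by ALE, costing a control against the loss it avoids, and showing the caveat above by counting how many different rankings appear when each ARO estimate is off by +/-50%. All asset values, exposure factors, rates and control costs are constructed figures.

```python
from itertools import product


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: the cost of one occurrence."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annual Loss Expectancy = SLE x ARO (annualised rate of occurrence)."""
    return sle(asset_value, exposure_factor) * aro


def rank_risks(risks):
    """Return [(name, ALE)] sorted from largest to smallest expected annual loss."""
    scored = [(r["name"], ale(r["asset_value"], r["exposure_factor"], r["aro"]))
              for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def distinct_rankings(risks, aro_uncertainty):
    """How many different rank orders appear if each ARO is independently off
    by +/- aro_uncertainty (0.5 = half or one-and-a-half times the estimate)."""
    orders = set()
    factors = (1 - aro_uncertainty, 1 + aro_uncertainty)
    for combo in product(factors, repeat=len(risks)):
        perturbed = [dict(r, aro=r["aro"] * f) for r, f in zip(risks, combo)]
        orders.add(tuple(name for name, _ in rank_risks(perturbed)))
    return len(orders)


def control_benefit(ale_before, ale_after, annual_control_cost):
    """Net annual value of a control; positive means it costs less than the loss it avoids."""
    return ale_before - ale_after - annual_control_cost


# Constructed figures for three risks.
RISKS = [
    {"name": "ransomware on file server", "asset_value": 200_000,   "exposure_factor": 0.6, "aro": 0.2},
    {"name": "office fire",               "asset_value": 1_000_000, "exposure_factor": 0.8, "aro": 0.02},
    {"name": "laptop theft",              "asset_value": 3_000,     "exposure_factor": 1.0, "aro": 4.0},
]

if __name__ == "__main__":
    for name, value in rank_risks(RISKS):
        print(f"{name:28} ALE = {value:>10,.0f}")
    print("rank orders possible with +/-50% ARO error:", distinct_rankings(RISKS, 0.5))
    # A preventative control (offline backups, assumed cost 15,000 per year) that
    # cuts the ransomware exposure factor from 0.6 to 0.1:
    before = ale(200_000, 0.6, 0.2)
    after = ale(200_000, 0.1, 0.2)
    print("net annual benefit of backups:", control_benefit(before, after, 15_000))
```

With these figures the three risks rank in one order at face value, but five different orders are possible within a +/-50% error on the rates, which is the "rarely accurate" caveat in numbers: the ranking is only as good as the ARO estimates behind it.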
-
Computer Security Forensics
- Chain of Evidence