Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017

FRSecure 2017 CISSP
Mentor Program
EVAN FRANCEN, PRESIDENT & CEO – FRSECURE
BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST - FRSECURE
CLASS SESSION #10

CISSP Mentor Program Session #10
Domain 4: Communication and Network Security - Review
• Network Scanning Tools
• Secure Communications
• Wireless Local Area Networks
• Remote Access
We finished Domain 4!

Domain 5: Identity and Access Management - Review
• Cornerstone access control concepts
• Access control models
• Authentication Methods
• Type 1
• Type 2
• Type 3
• Single Sign-On (SSO)
Now for the Domain 4 Quiz…

Domain 4: Communication and Network Security Quiz Review

1. Which protocol should be used for an audio streaming server, where
some loss is acceptable?
a. IP
b. ICMP
c. TCP
d. UDP
D

2. What network topology uses fixed-length cells to carry data?
a. ARCNET
b. ATM
c. Ethernet
d. FDDI
B

3. Secure Shell (SSH) servers listen on what port and protocol?
a. TCP port 20
b. TCP port 21
c. TCP port 22
d. TCP port 23
C

4. What network cable type can transmit the most data at the longest
distance?
a. Coaxial
b. Fiber optic
c. Shielded Twisted Pair (STP)
d. Unshielded Twisted Pair (UTP)
B

5. Which device operates at Layer 2 of the OSI model?
a. Hub
b. Firewall
c. Switch
d. Router
C

6. What are the names of the OSI model layers, in order from bottom to top?
a. Physical, Data Link, Transport, Network, Session, Presentation,
Application
b. Physical, Network, Data Link, Transport, Session, Presentation,
Application
c. Physical, Data Link, Network, Transport, Session, Presentation,
Application
d. Physical, Data Link, Network, Transport, Presentation, Session,
Application
C

7. Which of the following authentication protocols uses a three-way
authentication handshake?
a. CHAP
b. EAP
c. Kerberos
d. PAP
A

8. Restricting Bluetooth device discovery relies on the secrecy of what?
a. MAC address
b. Symmetric key
c. Private key
d. Public key
B

9. Which wireless security protocol is also known as the RSN (Robust
Security Network), and implements the full 802.11i standard?
a. AES
b. WEP
c. WPA
d. WPA2
D

10. What is the difference between a stateful firewall and a proxy firewall?
a. Stateful firewalls have state, proxy firewalls do not
b. Proxy firewalls have state, stateful firewalls do not
c. Stateful firewalls terminate connections, proxy firewalls do not
d. Proxy firewalls terminate connections, stateful firewalls do not
D

11. Which transmission mode is supported by both HDLC and SDLC?
a. Asynchronous Balanced Mode (ABM)
b. Asynchronous Response Mode (ARM)
c. Normal Balanced Mode (NBM)
d. Normal Response Mode (NRM)
D

12. What is the most secure type of EAP?
a. EAP-TLS
b. EAL-TLLS
c. LEAP
d. PEAP
A

13. What WAN protocol has no error recovery, relying on higher level
protocols to provide reliability?
a. ATM
b. Frame Relay
c. SMDS
d. X.25
B

14. What is the most secure type of firewall?
a. Packet filter
b. Stateful firewall
c. Circuit-level proxy firewall
d. Application-layer proxy firewall
D

15. Accessing an IPv6 network via an IPv4 network is called what?
a. CIDR
b. NAT
c. Translation
d. Tunneling
D

Domain 5: Identity and Access Management
Single Sign-On (SSO)
As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by Chris Dunne,
September 30, 2003, SSO is an important access control and can offer the following benefits:
• “Improved user productivity. Users are no longer bogged down by multiple logins and they are not
required to remember multiple IDs and passwords. Also, support personnel answer fewer requests
to reset forgotten passwords.”
• “Improved developer productivity. SSO provides developers with a common authentication
framework. In fact, if the SSO mechanism is independent, then developers do not have to worry
about authentication at all. They can assume that once a request for an application is accompanied
by a username, then authentication has already taken place.”
• “Simplified administration. When applications participate in a single sign-on protocol, the
administration burden of managing user accounts is simplified. The degree of simplification depends
on the applications since SSO only deals with authentication. So, applications may still require user-
specific attributes (such as access privileges) to be set up.”

The disadvantages of SSO are listed below and must be considered before implementing
SSO on a system:
• “Difficult to retrofit. An SSO solution can be difficult, time consuming, and expensive
to retrofit to existing applications.”
• “Unattended desktop. Implementing SSO reduces some security risks, but increases
others. For example, a malicious user could gain access to a user’s resources if the
user walks away from his machine and leaves it logged in. Although this is a problem
with security in general, it is worse with SSO because all authorized resources are
compromised. At least with multiple logons, the user may only be logged into one
system at the time and so only one resource is compromised.”
• “Single point of attack. With single sign-on, a single, central authentication service is
used by all applications. This is an attractive target for hackers who may decide to
carry out a denial of service attack.”

Domain 5: Identity and Access
Management
Access Provisioning Lifecycle
• After an access control model has been
chosen.
• Identity Lifecycle – provisioning,
maintenance
(passwords/rights/privileges), changes,
re-provisioning, reconciliation/audit

Access Provisioning Lifecycle
IBM describes the following identity lifecycle rules:
• “Password policy compliance checking
• Notifying users to change their passwords before they expire
• Identifying life cycle changes such as accounts that are inactive for more than 30
consecutive days
• Identifying new accounts that have not been used for more than 10 days following their
creation
• Identifying accounts that are candidates for deletion because they have been
suspended for more than 30 days
• When a contract expires, identifying all accounts belonging to a business partner or
contractor’s employees and revoking their access rights”

User Entitlement, Access Review and Audit
• Authorization creep
• occurs when subjects not only maintain old access rights but gain new ones as they
move from one role to another within an organization
• User rights (or entitlements) must be routinely reviewed

• Identity as a service (IDaaS) - Gartner Inc., divides IDaaS services into
two categories:
• Web access software for cloud-based applications such as software as a service
(SaaS)
• Web-architected applications; and cloud-delivered legacy identity management
services.
• LDAP – Lightweight Directory Access Protocol – common, open
protocol for interfacing and querying directory service information over
a network. TCP/UDP port 389. LDAPS (LDAP over TLS); TCP 636 & 3269

Single Sign-On (SSO) - Kerberos
• A third-party authentication service that may be used to support Single
Sign-On
• Kerberos (http://www.kerberos.org/) was the name of the three-
headed dog that guarded the entrance to Hades (also called Cerberus)
in Greek mythology
• The three heads of the mythical Kerberos were meant to signify the
three “A”s of AAA systems: authentication, authorization, and
accountability
• The original Kerberos mainly provided authentication

• Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-faq/user/)
states:
• Kerberos is a network authentication system for use on physically insecure
networks
• Based on the key distribution model presented by Needham and Schroeder
• Allows entities communicating over networks to prove their identity to each other
while preventing eavesdropping or replay attacks
• Provides for data stream integrity (detection of modification) and secrecy
(preventing unauthorized reading) using cryptography systems such as DES (Data
Encryption Standard)
The Needham–Schroeder
Symmetric Key Protocol is based
on a symmetric encryption
algorithm. It forms the basis for
the Kerberos protocol. This
protocol aims to establish a
session key between two parties
on a network, typically to protect
further communication.

• Uses secret key encryption
• Provides mutual authentication of both clients and servers
• Protects against network sniffing and replay attacks
• Current version of Kerberos is version 5, described by RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt)
• Kerberos has the following components:
• Principal: Client (user) or service
• Realm: A logical Kerberos network
• Ticket: Data that authenticates a principal’s identity
• Credentials: a ticket and a service key
• KDC: Key Distribution Center, which authenticates principals
• TGS: Ticket Granting Service
• TGT: Ticket Granting Ticket
• C/S: Client Server, regarding communications between the two

• Strengths:
• Provides mutual authentication of client and server
• If a rogue KDC pretended to be a real KDC, it would not have access to keys
• mitigates replay attacks (where attackers sniff Kerberos credentials and replay them
on the network) via the use of timestamps

• Weaknesses:
• KDC stores the plaintext keys of all principals (clients and servers)
• A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the
Kerberos realm
• KDC and TGS are single points of failure: if they go down, no new credentials can be issued
• Replay attacks are still possible for the lifetime of the authenticator (An attacker could sniff an
authenticator, launch a denial-of-service attack against the client, and then assume or spoof the client’s
IP address)
• Any user may request a session key for another user
• Kerberos does not mitigate a malicious local host: plaintext keys may exist in memory or cache

Single Sign-On (SSO) - SESAME
• Secure European System for Applications in a Multi-vendor Environment
• A single sign-on system that supports heterogeneous environments
• Can be thought of as a sequel of sorts to Kerberos
• It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of
symmetric keys
• Uses Privilege Attribute Certificates (PACs) in place of Kerberos’ tickets
• More information on SESAME is available at:
https://www.cosic.esat.kuleuven.be/sesame/

Access Control Protocols And Frameworks - RADIUS
• Remote Authentication Dial In User Service (RADIUS) protocol
• A third-party authentication system
• Described in RFCs 2865 and 2866
• Uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813
(accounting)
• Formerly used the (unofficially assigned) ports of 1645 and 1646 for the same respective
purposes; some continue to use those ports
• Considered an “AAA” system
• Authenticates a subject’s credentials against an authentication database
• Authorizes users by allowing specific users’ access to specific data objects
• Accounts for each data session by creating a log entry for each connection made

• Request and response data is carried in Attribute Value Pairs (AVPs)
• According to RFC 2865 (http://tools.ietf.org/html/rfc2865), RADIUS supports the following
codes:
• Access-Request
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
• Access-Challenge
• Status-Server (experimental)
• Status-Client (experimental)

Access Control Protocols And Frameworks - Diameter
• RADIUS’ successor
• Designed to provide an improved Authentication, Authorization, and Accounting (AAA)
framework
• Also uses Attribute Value Pairs, but supports many more:
• RADIUS uses 8 bits for the AVP field (allowing 256 total possible AVPs)
• Diameter uses 32 bits for the AVP field (allowing billions of potential AVPs)
• Uses a single server to manage policies for many services, as opposed to RADIUS which
requires many servers to handle all of the secure connection protocols
• Provides AAA functionality
• More reliable by using the Transmission Control Protocol (TCP)
• Currently a draft standard, first described by RFC 3588 (http://tools.ietf.org/html/rfc3588)

Access Control Protocols And Frameworks - TACACS and TACACS+
• Terminal Access Controller Access Control System (TACACS)
• Centralized access control system that requires users to send an ID and static (reusable)
password for authentication
• TACACS uses UDP port 49 (and may also use TCP)
• Reusable passwords have security vulnerability: the improved TACACS+ provides better
password protection by allowing two-factor strong authentication
• TACACS+ is not backwards compatible with TACACS
• TACACS+ uses TCP port 49 for authentication with the TACACS+ server
• The actual function of authentication is similar to RADIUS
• RADIUS only encrypts the password (leaving other data, such as username, unencrypted);
TACACS+ encrypts all data below the TACACS+ header

PAP and CHAP
• Password Authentication Protocol (PAP)
• Defined by RFC 1334 (http://tools.ietf.org/html/rfc1334#section-2)
• Not a strong authentication method
• User password and it is sent across the network in clear text
• When received by the PAP server, it is authenticated and validated
• Challenge Handshake Authentication Protocol (CHAP)
• Defined by RFC 1994 (http://www.faqs.org/rfcs/rfc1994.html)
• Provides protection against playback attacks
• Uses a central location that challenges remote users
• “CHAP depends upon a ‘secret’ known only to the authenticator and the peer. The secret is not sent over the
link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set
may easily be used for mutual authentication.”
• A sniffer that views the entire challenge/response process will not be able to determine the shared secret

Access Control Protocols And Frameworks - Microsoft Active Directory
Domains
• Microsoft Windows Active Directory uses the concept of domains as the primary means to
control access
• For authentication purposes, Microsoft bases their authentication of trust relationships
on RFC 1510, the Kerberos Authentication Protocol, and it is fully integrated into
Microsoft Windows operating systems since Windows 2000.
• Each domain has a separate authentication process and space
• Each domain may contain different users and different network assets and data objects
• If a two-way trust between domains is created, then the users and data objects from each
domain can be accessed by groups belonging to either domain.

Access Control Protocols And Frameworks - Microsoft Active Directory
Domains
As stated by Microsoft,
• “How a specific trust passes authentication requests depends on how it is configured;
trust relationships can be one-way, providing access from the trusted domain to
resources in the trusting domain, or two way, providing access from each domain to
resources in the other domain. Trusts are also either nontransitive, in which case trust
exists only between the two trust partner domains, or transitive, in which case trust
automatically extends to any other domains that either of the partners trusts.”
• Microsoft trust relationships fall into two categories; nontransitive and transitive.
Nontransitive trusts only exist between two trust partners. Transitive trusts exist between
two partners and all of their partner domains. For example, if A trusts B, in a transitive
trust, A will trust B and all of B’s trust partners.

DONE!
On to Domain #6: Security Assessment and Testing
A new domain…

Domain 6: Security Assessment and Testing
• Assessing Access Control
• Software Testing Methods
Unique Terms & Definitions:
• Dynamic Testing – Tests code while executing it
• Fuzzing – A type of black box testing that submits random, malformed data as inputs
into software programs to determine if they will crash
• Penetration Testing – Authorized attempt to break into an organization’s physical or
electronic perimeter (and sometimes both)
• Static Testing – Tests code passively: the code is not running.
• Synthetic Transactions – Also called synthetic monitoring: involves building scripts or
tools that simulate activities normally performed in an application

Penetration Testing - Black Hats and White Hats
• Black hat attackers are malicious hackers, sometimes called crackers.
• “Black” derives from villains in fiction: Darth Vader wore all black
• Lack ethics, sometimes violate laws, and break into computer systems with malicious intent, and may violate the
confidentiality, integrity, or availability of organization’s systems and data
• White hat hackers are the “good guys”
• Professional penetration testers who break into systems with permission
• Malware researches who research malicious code to provide better understanding and ethically disclose vulnerabilities
to vendors, etc.
• Also known as ethical hackers; they follow a code of ethics and obey laws
• Gray hat hackers fall somewhere between black and white hats
• Exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the
owners
• Unlike a black hat, a gray hat acts without malicious intent
• The goal of a gray hat is to improve system and network security

Penetration Testing
• A penetration tester is a white hat hacker who receives authorization to attempt to break into an
organization’s physical or electronic perimeter (and sometimes both)
• Penetration tests (called “pen tests” for short) are designed to determine whether black hat hackers
could do the same
• A narrow test
• Penetration tests may include the following tests:
• Network (Internet)
• Network (internal or DMZ)
• Wardialing
• Wireless
• Physical (attempt to gain entrance into a facility or room)
• Wireless
• Network attacks may leverage client-side attacks, server-side attacks, or Web application attacks

Penetration Testing
• War dialing uses modem to dial a series of phone numbers, looking for an answering
modem carrier tone (the penetration tester then attempts to access the answering
system); the name derives from the 1983 movie WarGames
• Social engineering uses the human mind to bypass security controls
• May be used in combination with many types of attacks, especially client-side attacks or physical tests
• An example of a social engineering attack combined with a client-side attack is emailing malware with a
Subject line of “Category 5 Hurricane is about to hit Florida!”
• A physical social engineering attack (used to tailgate an authorized user into a building)

Penetration Testing
• A zero-knowledge (also called black box) test is “blind”; the penetration tester begins
with no external or trusted information, and begins the attack with public
information only
• A full-knowledge test (also called crystal-box) provides internal information to the
penetration tester, including network diagrams, policies and procedures, and
sometimes reports from previous penetration testers
• Partial-knowledge tests are in between zero and full knowledge: the penetration
tester receives some limited trusted information
• Most penetration tests have a scope that includes a limitation on the time spent
conducting the test

Penetration Testing Tools and Methodology
• Penetration testing tools:
• Open source Metasploit (http://www.metasploit.org)
• Closed source Core Impact (http://www.coresecurity.com)
and Immunity Canvas (http://www.immunitysec.com)
• Top 125 Network Security Tools (http://sectools.org/)
• Custom tools

Penetration Testing Tools and Methodology
• Penetration testers use the following methodology:
• Planning
• Reconnaissance
• Scanning (also called enumeration)
• Vulnerability assessment
• Exploitation
• Reporting
• Black hat hackers typically follow a similar methodology
• Black hats will also cover their tracks (erase logs and other signs of
intrusion), and frequently violate system integrity by installing back
doors (in order to maintain access)

Assuring Confidentiality, Data Integrity, and System Integrity
• Penetration testers must ensure the confidentiality of any sensitive data that
is accessed during the test
• Testers will often request that a dummy file containing no regulated or
sensitive data (sometimes called a flag) be placed in the same area of the
system as the credit card data, and protected with the same permissions
• If the tester can read and/or write to that file, then they prove they could
have done the same to the credit card data
• Penetration testers must be sure to ensure the system integrity and data
integrity of their client’s systems
• The risk of encountering signs of a previous or current successful malicious
attack (discuss this before starting a test)

Vulnerability Testing
• Vulnerability scanning (also called vulnerability testing) scans a
network or system for a list of predefined vulnerabilities such as
system misconfiguration, outdated software, or a lack of patching
• Nessus (http://www.nessus.org), OpenVAS
(http://www.openvas.org), Qualys, and Rapid 7/Nexpose
• Missing patches and configuration errors
• Common Vulnerability Scoring System (CVSS) -
https://nvd.nist.gov/cvss.cfm

Security Audits
• Testing against a published standard
• PCI-DSS compliance
• SOC 2, Type 1 and SOC 2, Type 2
• Purpose is to validate/verify that an organization meets the
requirements as stated in the published standard

Security Assessments
• A holistic approach to assessing the effectiveness of access control
• Broad scope
• Security assessments view many controls across multiple domains, and may
include the following:
• Policies, procedures, and other administrative controls
• Assessing the real world-effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits

• Key words… “assessing the effectiveness”
• Where there are gaps in control (weakness/vulnerability), what
are the applicable threats?
• Vulnerabilities + Threats = Likelihoods & Impacts = RISK
• FRSecure specializes in assessments – FISA™

• FRSecure specializes in assessments – FISA™ is at our core.

Internal and 3rd-Party Audits
• Internal audit
• Structured audits – external audience, validate compliance, etc.
• Unstructured audits – internal audience, improve security, etc.
• 3rd-Party audits
• Experts (hopefully)
• Adds credibility
• Teach

Security Audit Logs
• According to “Five mistakes of Log Analysis” by Anton Chuvakin (see
http://www.computerworld.com/s/article/96587/Five_mistakes_of_lo
g_analysis), audit record management typically faces five distinct
problems:
• Log are not reviewed on a regular and timely basis.
• Audit logs and audit trails are not stored for a long enough time period.
• Logs are not standardized or viewable by correlation toolsets—they are only
viewable from the system being audited.
• Log entries and alerts are not prioritized.
• Audit records are only reviewed for the “bad stuff.”

Security Audit Logs
• Reviewing security audit logs within an IT system is one of the easiest ways to verify that
access control mechanisms are performing adequately
• Reviewing audit logs is primarily a detective control
• According to NIST Special Publication 800-92 (http://csrc.nist.gov/publications/nistpubs/800-
92/SP800-92.pdf), the following log types should be collected:
• Network Security Software/Hardware:
• Antivirus logs
• IDS/IPS logs
• Remote Access Software (such as VPN logs)
• Web proxy
• Vulnerability management
• Authentication servers
• Routers and firewalls

Security Audit Logs
• According to NIST Special Publication 800-92
(http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf), the
following log types should be collected:
• Operating System:
• System events
• Audit records
• Applications
• Client requests and server responses
• Usage information
• Significant operational actions

Security Audit Logs – Centralized Logging
• Assists in log retention (sufficient for legal/regulatory compliance
and investigation)
• Assists in log protection (integrity & availability)
• SIEM
• Log protection
• Log aggregation
• Log correlation
• Dashboard reporting

Software Testing Methods
• Static testing tests the code passively: the code is not running. This includes walkthroughs,
syntax checking, and code reviews.
• Dynamic testing tests the code while executing it.
• White box software testing gives the tester access to program source code, data structures,
variables, etc.
• Black box testing gives the tester no internal details: the software is treated as a black box that
receives inputs.
• Traceability Matrix (sometimes called a Requirements Traceability Matrix, or RTM) can be used
to map customer’s requirements to the software testing plan: it “traces” the “requirements,”
and ensures that they are being met.
• Fuzzing (also called fuzz testing) is a type of black box testing that enters random, malformed
data as inputs into software programs to determine if they will crash.
• Combinatorial software testing is a black-box testing method that seeks to identify and test all
unique combinations of software inputs.

Software Testing Methods
• Static testing tests the code passively: the code is not running. This
includes walkthroughs, syntax checking, and code reviews.
• analysis of computer software that is performed without actually
executing programs
• In most cases the analysis is performed on some version of the source
code, and in the other cases, some form of the object code
• List of tools for static code analysis
(https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis)

Domain 6: Security
Assessment and
Testing
Software Testing
Methods
• Traceability Matrix
(or Requirements
Traceability Matrix
or RTM)

Software Testing Levels
• Unit Testing: Low-level tests of software components, such as
functions, procedures or objects
• Installation Testing: Testing software as it is installed and first operated
• Integration Testing: Testing multiple software components as they are
combined into a working system. Subsets may be tested, or Big Bang
integration testing tests all integrated software components
• Regression Testing: Testing software after updates, modifications, or
patches
• Acceptance Testing: testing to ensure the software meets the
customer’s operational requirements. When this testing is done
directly by the customer, it is called User Acceptance Testing.

Fuzzing
• Black box testing that enters random, malformed data as inputs into
software programs to determine if they will crash.
• Typical causes are boundary checking issues, leading to possible buffer
overflows
• Typically automated, repeatedly presenting random input strings as
command line switches, environment variables, and program inputs
attack
• List of good fuzzers; http://sectools.org/tag/fuzzers/.
• Burp Suite https://portswigger.net/burp/

Other Software Testing Terms
• Misuse Case Testing - derived from and is the inverse of use case
testing; describes the process of executing a malicious act against a
system, while use case can be used to describe any action taken by the
system
• Test Coverage Analysis
• Interface Testing – testing of all interfaces exposed by the application.
• Combinatorial software testing - a black-box testing method that seeks
to identify and test all unique combinations of software inputs.

DONE!
On to Domain #7: Security Operations
Adomain…

Domain #7: Security Operations
• Administrative Security
• Forensics
• Incident Response Management
• Operational Preventive and Detective Controls
• Asset Management
• Continuity of Operations
• BCP and DRP Overview and Process
• Developing a BCP/DRP
• Backups and Availability
• DRP Testing, Training and Awareness
• Continued BCP/DRP Maintenance
• Specific BCP/DRP Frameworks

Unique Terms and Definitions
• Business Continuity Plan (BCP)—a long-term plan to ensure the
continuity of business operations
• Collusion—An agreement between two or more individuals to subvert
the security of a system
• Continuity of Operations Plan (COOP)—a plan to maintain operations
during a disaster.
• Disaster—any disruptive event that interrupts normal system
operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover from a
disruptive event

Unique Terms and Definitions
• Mean Time Between Failures (MTBF)—quantifies how long a new or
repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to
recover a failed system
• Mirroring—Complete duplication of data to another disk, used by some
levels of RAID.
• Redundant Array of Inexpensive Disks (RAID)—A method of using
multiple disk drives to achieve greater data reliability, greater speed, or
both
• Striping—Spreading data writes across multiple disks to achieve
performance gains, used by some levels of RAID

Administrative security
• Administrative Security provides the means to control people's
operational access to data
Least Privilege or Minimum Necessary Access
• Dictates that persons have no more than the access that is strictly
required for the performance of their duties
• May also be referred to as the principle of minimum necessary
access
• Discretionary Access Control (DAC) – most often applicable

Need to know
• Mandatory Access Control (MAC)
• Access determination is based upon clearance levels of subjects
and classification levels of objects
• An extension to the principle of least privilege in MAC
environments is the concept of compartmentalization:
• A method for enforcing need to know goes beyond the reliance upon
clearance level and necessitates simply that someone requires access to
information.

Separation of Duties
• Prescribes that multiple people are required to complete critical
or sensitive transactions
• Goal of separation of duties is to ensure that in order for
someone to be able to abuse their access to sensitive data or
transactions; they must convince another party to act in concert
• Collusion is the term used for the two parties conspiring to undermine the security
of the transaction

Rotation of Duties/Job Rotation
• Also known as job rotation or rotation of responsibilities
• Provides a means to help mitigate the risk associated with any one individual having
too many privileges
• Requires that critical functions or responsibilities are not continuously performed by
the same single person without interruption
• “hit by a bus” or “win the lottery” scenario
Exam Warning: Though job or responsibility rotation is an important control, this, like
many other controls, is often compared against the cost of implementing the control.
Many organizations will opt for not implementing rotation of duties because of the cost
associated with implementation. For the exam, be certain to appreciate that cost is
always a consideration, and can trump the implementation of some controls.

Mandatory Leave/Forced Vacation
• Also known as forced vacation
• Can identify areas where depth of coverage is lacking
• Can also help discover fraudulent or suspicious behavior
• Knowledge that mandatory leave is a possibility might deter some
individuals from engaging in the fraudulent behavior in the first
place

Non-Disclosure Agreement
• A work-related contractual agreement that ensures that, prior to
being given access to sensitive information or data, an individual
or organization appreciates their legal responsibility to maintain
the confidentiality of sensitive information.
• Often signed by job candidates before they are hired, as well as
consultants or contractors
• Largely a directive control

Background Checks
• Also known as background investigations or preemployment screening
• Majority of background investigations are performed as part of a
preemployment screening process
• The sensitivity of the position being filled or data to which the individual will
have access strongly determines the degree to which this information is
scrutinized and the depth to which the investigation will report
• Ongoing, or postemployment, investigations seek to determine whether the
individual continues to be worthy of the trust required of their position
• Background checks performed in advance of employment serve as a
preventive control while ongoing repeat background checks constitute a
detective control and possibly a deterrent.

Privilege Monitoring
• Heightened privileges require both greater scrutiny and more
thoughtful controls
• Some of the job functions that warrant greater scrutiny include:
account creation/modification/deletion, system reboots, data
backup, data restoration, source code access, audit log access,
security configuration capabilities, etc.

Digital Forensics
• Provides a formal approach to dealing with investigations and evidence
with special consideration of the legal aspects of the process
• Forensics is closely related to incident response
• Main distinction between forensics and incident response is that forensics is
evidence-centric and typically more closely associated with crimes, while incident
response is more dedicated to identifying, containing, and recovering from security
incidents
• The forensic process must preserve the “crime scene” and the
evidence in order to prevent unintentionally violating the integrity of
either the data or the data's environment

Digital Forensics
• Prevent unintentional modification of the system
• Antiforensics makes forensic investigation difficult or impossible
• One method is malware that is entirely memory-resident, and not installed on the disk drive. If an
investigator removes power from a system with entirely memory-resident malware, all volatile
memory including RAM is lost, and evidence is destroyed.
• Valuable data is gathered during the live forensic capture
• The main source of forensic data typically comes from binary images of secondary
storage and portable storage devices such as hard disk drives, USB flash drives, CDs,
DVDs, and possibly associated cellular phones and mp3 players
• A binary or bit stream image is used because an exact replica of the original data is
needed
• Normal backup software will only capture the active partitions of a disk, and only
that data which is marked as allocated

Digital Forensics
The four types of data that exist:
• Allocated space—portions of a disk partition which are marked as
actively containing data.
• Unallocated space—portions of a disk partition that do not contain
active data. This includes memory that has never been allocated, and
previously allocated memory that has been marked unallocated. If a
file is deleted, the portions of the disk that held the deleted file are
marked as unallocated and available for use.

Digital Forensics
The four types of data that exist:
• Slack space—data is stored in specific size chunks known as clusters. A cluster
is the minimum size that can be allocated by a file system. If a particular file,
or final portion of a file, does not require the use of the entire cluster then
some extra space will exist within the cluster. This leftover space is known as
slack space: it may contain old data, or can be used intentionally by attackers
to hide information.
• “Bad” blocks/clusters/sectors—hard disks routinely end up with sectors that
cannot be read due to some physical defect. The sectors marked as bad will
be ignored by the operating system since no data could be read in those
defective portions. Attackers could intentionally mark sectors or clusters as
being bad in order to hide data within this portion of the disk.

Digital Forensics
• Numerous tools that can be used to create the binary backup including free
tools such as dd and windd as well as commercial tools such as Ghost (when
run with specific nondefault switches enabled), AccessData's FTK, or
Guidance Software's EnCase.
• The general phases of the forensic process are:
• the identification of potential evidence;
• the acquisition of that evidence;
• analysis of the evidence;
• production of a report
• Hashing algorithms are used to verify the integrity of binary images
• When possible, the original media should not be used for analysis

Live Forensics
• Forensics investigators have traditionally removed power from a
system, but the typical approach now is to gather volatile data.
Acquiring volatile data is called live forensics.
• The need for live forensics has grown tremendously due to non-
persistent tools that don’t write anything to disk
• One example from Metasploit…

Live Forensics - Metasploit
• Popular free and open source exploitation framework
• Metasploit framework allows for the modularization of the underlying
components of an attack, which allows for exploit developers to focus
on their core competency without having to expend energy on
distribution or even developing a delivery, targeting, and payload
mechanism for their exploit
• Provides reusable components to limit extra work
• A payload is what Metasploit does after successfully exploiting a target

Live Forensics – Metasploit & Meterpreter
• One of the most powerful Metasploit payloads
• Can allow password hashes of a compromised computer being dumped to an
attacker's machine
• The password hashes can then be fed into a password cracker
• Or the password hashes might be capable of being used directly in Metasploit's
PSExec exploit module, which is an implementation of functionality provided by
Sysinternal's (now owned by Microsoft) PSExec, but bolstered to support Pass the
Hash functionality.
Information on Microsoft's PSExec can be found at http://technet.microsoft.com/en-
us/sysinternals/bb897553.aspx. Further details on Pass the Hash techniques can be
found at http://oss.coresecurity.com/projects/pshtoolkit.htm

• Dumping password hashes with Meterpreter.
• In addition to dumping password hashes, Meterpreter provides features such
as:
• command execution on the remote system
• uploading or downloading of files
• screen capture
• keystroke logging
• disabling the firewall
• disabling antivirus
• registry viewing and modification
• Meterpreter's capabilities are updated regularly

• Dumping password hashes with Meterpreter.

• Dumping the registry with Meterpreter.
• Meterpreter was designed with detection evasion in mind
• Meterpreter can provide almost all of the functionalities listed above
without creating a new file on the victim system
• Runs entirely within the context of the exploited victim process, and all
information is stored in physical memory rather than on the hard disk.

• Dumping the registry with Meterpreter.

• If the forensic investigator removed the power supply from the
compromised machine, destroying volatile memory: there would be
little to no information for the investigator to analyze

Questions?
We made it through Class #10!
Check it out…
We finished Domain 5: Identity and Access Management, went all the way
through it through Domain 6: Security Assessment and Testing, and started
Domain 7: Security Operations!
Homework for Tuesday (5/2)
◦ Catch-up with reading; we’re going to finish Domain 7 on Tuesday.
◦ Take a spin through the Access Control quiz.
Have a great mid-week!

Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017

More Related Content

What's hot (20)

Viewers also liked (11)

Similar to Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017 (20)

More from FRSecure (13)

Recently uploaded (20)

Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017