Pages

Sunday, May 28, 2017

Software Quiz 3

1. What is one difference between an HTTP GET and an HTTP POST request?

Only POST requests may include parameter data in the request body

Only POST requests can encode parameters in the URL

Only GET requests use the REFERER header

Only GET requests are subject to the same-origin policy


2. Which of the following is true about static and dynamic web content?

The server often produces dynamic content based on the contents of the database

Static content may be re-generated with each request

Static pages may include PHP programs, which execute at the browser

Javascript programs embedded in HTML pages are run server-side to produce dynamic content


3. SQL injection exploits a bug in what interaction of a web application?

Network to server

Server to client

Server to database

Client to server


4. SQL injection often allows an attacker to do which of the following?

Overrun a buffer to smash the stack

All of the above

Cause memory to be used after it's freed

Access information he shouldn't


5. If you had to summarize the key (most specific) programming failure with SQL injection, it would be:

Confusing data with code

Bypassing authentication

Trusting without verifying

Circumventing the same origin policy


6. What is escaping an example of?

Blacklisting

Sanitization

Checking

Whitelisting


7. Suppose a web application implements authentication by constructing an SQL query from HTML from data using PHP's prepared statements. What would happen if an attacker entered FRANK' OR 1=1; --  in the web form's user field?

The text will modify the structure of the SQL query and possibly bypass authentication

The application will try to authenticate a user whose name is FRANK' OR 1=1; -- 

The text will corrupt the query structure and the database will view it as a syntax error

The text will be confused as the password and authentication will probably fail


8. Why is it undesirable to implement session identifiers using (only) hidden form fields?

The session ID is forgotten when the browser window is closed

Such fields cannot contain binary data

Such fields cannot include timeout information

These fields are easily modified by the user


9. Suppose a browser submits a GET request to URL http://www.mybank.com/accountinfo on 20 February 2015. Which of the following cookies, if already stored at the browser, would be sent with the request?

lang=us-english; expires=Sat, 1-Aug-2015; path=/accountinfo/; domain=.fidelity.com

sessid=ABCDEFG; expires=Sat, 21-Feb-2015; path=/; domain=.mybank.com

edition=us; expires=Thu, 19-Feb-2015; path=/accountinfo/prefs; domain=.mybank.com

edition=us; expires=Wed, 18-Feb-2015; path=/; domain=.mybank.com


10. Which of the following are ways that session cookies could be stolen or forged?

Copying a cookie by keylogging

Compromising the browser or server

Predicting the cookie's structure and reconstructing it


11. Which of the following are ways to reduce the impact of a stolen cookies?

Associate the cookie with the server's IP address

Changing a user's cookie from session to session

Prevent cookies from entering the DNS cache


12. How can the REFERER field be used to defend against CSRF attacks?

It can be used to ensure that sensitive requests are (only) initiated by interaction with a site's own pages

It can be used to check that a Javascript program is from the proper origin

It can't be used reliably because it only works for dynamic content

It ensures that requests only come from authenticated users


13. <script></script>tags in HTML pages most often identify programs written in what language?

Javascript

Java

PHP

C

14. The browser implements security for Javascript programs for what reason?

It doesn't -- Javascript programs run at the server so the browser can ignore them

It doesn't -- these programs are only used to render dynamic content but are otherwise not security-relevant

Such programs could deny service by running forever

Such programs may access browser-controlled resources, which include potentially sensitive data in HTML documents and cookies


15. XSS subverts what policy?

Whitelisting

Secure defaults

Same Origin

Availability


16. What is the difference between stored (or persistent) XSS and reflected XSS?

Stored XSS works by injecting code in a site's served content, while reflected XSS injects code in a URL

Stored XSS embeds Javascript in an a URL, while reflected XSS embeds it in a mirrored site

Stored XSS is amenable to blacklisting but reflected XSS is not

Stored XSS works on database queries while reflected XSS works on cookies, which are received from and reflected back to the server

Thursday, May 25, 2017

Curriculum

I am going to approach this learning experience by following a structured path that includes everything I need to know. Here will live the master curriculum which I will add to and update as I go along.

There are many great (and free) resources on the web. After building a list of courses I wanted to take based off of a Cyber Security masters degree curriculum, I found that cybrary had everything I needed to get started so I will be using many of their resources to fulfill my educational requirements.

I love information but I also love simplicity. I plan to use these resources to learn to be a security personnel as quickly and efficiently as possible.

There is a useful extension on chrome called vimeo repeat & speed that can be used to watch the HD videos sped up.

I will be posting each course with my course notes so that this blog can be searched when more information is needed on a subject.

Off we go!

Introduction to Reverse Engineering  https://www.cybrary.it/course/malware-analysis/

Introduction to Post-Exploitation  https://www.cybrary.it/course/post-exploitation-hacking/

Introduction to Vulnerabilities  https://www.cybrary.it/course/metasploit/

Cryptography

Historical uses of cryptography

-Caesar cipher -shifted character 3 spaces to the left
-Scytale -spartans used this cipher to communicate messages to generals in the field, wrapped tape around a rod, diameter of the rod is the pre-agreed upon secret
-Vignere -a polyalphabetic cipher, key word is agreed upon, first letter of the key is matched against first letter of the message
-Vernam cipher -the only mathematically unbreakable form of cryptography, one time key pad

Security services provided by cryptography

-privacy, authenticity, integrity, non-repudiation

plain text + initialization vector + algorithm + key = cipher text

Desirable qualities of an algorithm

-confusion, diffusion, avalanche, permutations, open-Kerchkoff's principle

Desirable qualities of a key
-long, random, secret

Symmetric cryptography

-the same key is used by both parties to both encrypt and decrypt
-two types of symmetric ciphers or algorithms --> stream and block
-stream is very efficient, however generally considered to be not as secure
-RC-4 is a stream cipher

-block ciphers are slower but more secure
-two main block ciphers used today are AES and 3DES

-drawbacks of symmetric cryptography -out of band key exchange, not scalable, no authenticity, integrity, or non-repudiation

Asymmetric cryptography

-every user has a key pair -public key is made available to anyone who requests it, private key is only available to that user and must not be disclosed or shared
-the keys are mathematically related so that anything encrypted with one key can only be decrypted by the other

Security Systems Architecture

Governance and Risk Management

Risk Governance -comes from executive management and the board of directors, the job is to align the risk strategy with the objectives of the organization

-Are we doing the right things?
-Are we doing things right?
-Are we getting things done well?
-Are we maximizing the benefits?

Risk Management -planning, building, running, and monitoring according to the directions established and in compliance with governance

Enterprise Risks: Databases
-code injection -only allow users to input the bare minimum, input validation, force users who are untrusted to use an interface that is trusted before they access your backend data
-scripting -regulate field size 
-aggregation -the collection of information 
-inference 
-entity, semantic, and referential integrity 

Utilities 
-power -spikes, surge, sag, brownout, fault, blackout
-HVAC, humidity, EMI, RFI 

Network Components 
-cable, hubs, switches, routers, firewalls, proxies, network services, wireless communication

Users
-internal theft, fraud, salami attacks, data diddling, falsification of time-sheets, compromise of sensitive information, disgruntled employees 
What are Enterprise Goals? 

-the COBIT 5 generic enterprise goals can provide a starting point for the strategic planning 
-the derived enterprise goals should be linked to stakeholder needs and governance objectives of value creation, namely benefits realization, risk optimization and resource optimization 

Key principles of Enterprise Architecture
-define protections that enable trust in the cloud 
-develop cross-platform capabilities and patterns for proprietary and open source providers
-facilitate trusted and efficient access, administration, and resiliency to the customer




-provide direction to secure information that is protected by regulations 

Introduction to Malware

What is malware analysis and why is it useful? 

-malicious is software that executes without permission or knowledge

-it has software problems just like every other product: compatibility issues, bugs, customer service, versions/updating issues, team development/source code control    

Anti-virus software cannot be relied on because it is a difficult task to make a program or algorithm to determine if some software is malicious. 

Anti-virus software is not dead, it does catch a lot of old stuff, but it only detects about 17% of the time

50-97% of breaches involve malware, in most breaches malware has automated some task for an attacker or increased their capabilities by taking advantage of a vulnerability, exploiting something on a system, and increasing their foothold 

Breach happens -Now what?

Typically you reimage the machine

Advanced: Incident response
-analyze logs, network traffic, strange processes etc.
-is it anywhere else?
-how did it get there

Mature: Gather intelligence
-what is the impact
-what is the risk
-financially motivated? hacktivism? opportunistic? advanced persistent threat (apt)?

70-90% of malware samples are unique to an organization- Verizon data breach report 

Types of Analysis 

-Dynamic Analysis -executing the malware. Simple, Fast, Easy to miss things. 
-Static Analysis -reverse engineering. Slow, deep technical knowledge. With enough time anything can be reversed. 
-Hybrid Static/Dynamic -most analysis is a mixture: You will find something in the disassembly then you confirm/investigate while the malware is executing. 
-Memory forensics can be useful but is not the end all be all

System Security


This course provided a good introduction to system security. For those with an IT background this course may not be necessary but I thought it was useful. 

Notes

Appropriate procedures to establish host security 

Application Security

Anti-Malware -takes care of viruses, worms, and trojans
-software has been designed to find the specific signatures of the malware on a system; track, identify, deactivate 
-regularly update the signature/definition files to keep the anti-malware software effective 

Anti-Spam -organizations will use spam filters on emails and messages to prevent spam from getting to the users inbox 
-prevents/limits servers from congestion  

Anti-Spyware -spyware can track your activity online by reviewing your cookies
-anti-spyware eradicates tracking cookies from your system 

Pop-up blockers- pop ups are usually how you get adware, you can turn on pop-up blockers by going to your internet options page 

Host-based firewalls -a firewall that resides on a computer system that protects traffic coming in or leaving the system 
-this is something to monitor periodically to prevent intrusion into the system and to facilitate the generation of alerts 

Patch management -patches are produced to fix flaws that exist within software
-individuals in an organization should be responsible for validating the source of a patch, testing it for sufficiency, and migrating the patch to the production systems once it has been found to be robust
-never download a patch and install it directly on your real system 

Hardware Security

-cable locks- prevent rearrangement of the infrastructure you have; most likely used for laptops
-safe -lock away spares, documents
-locking cabinets -used for servers, switches, patch panels, and server racks to prevent unauthorized access and modification

-unauthorized access could change config = loss of integrity 

-mobile device -screen lock, strong password

-devices should support encryption so that keys are required before anyone has access
-this way if you lose your device, you know that nobody else has access to the content 
-encryption is the best form of security for mobile devices
-another option is remote wipe which allows your providers or device administrators to send a script to the phone that can either erase or cause damage to the content on the phone so that it cannot be accessed anymore 

-devices should be returned to IT before they are shared between users; sanitization is very important 

-voice encryption is another best practice 
-one voice solution is VoIP (Voice over internet protocol) 
-a malicious person can packet sniff our transmission, when we use voice encryption our packets are encrypted as they move on data lines which prevents eavesdropping 

-another best practice is GPS tracking on mobile devices
-if GPS is disabled, you can still sync the picture content with your email to try to identify the location of the device 

Virtualization

-a hypervisor is the software environment within which we build virtual machines
-it shares resources with your host PC such as memory, processor, ports etc
-virtualization is different from multi booting where you have multiple operating systems on the host PC, but can only run one at a time
-with virtualization we can run all the machines at the same time provided there is sufficient memory and a reliable processor that supports virtualization  

Benefits -allows for maximum utilization of hardware, cost saving (buy less machines, less space, less licenses)

Data Security

-data loss prevention -financial, medical, trade secret, PII(personal identifiable information)

Data in motion -email, network, chat sessions 

Data at rest -database, file sharing, desktop or laptop

Data in use -copiers, printer, removable media, screen, clipboard

storage area networks -devoted to storage and useful during disaster recovery situations 

handling big data -some companies now employ security incidents events managers so that data that is of concern can be put on one management interface

Data Encryption

-this is required to ensure confidentiality 
-encrypting data changes it from plain text to cipher text

Full disk encryption -you encrypt the entire content of the hard drive, unless unauthorized users provide encryption keys, they don't have access to the data

Database encryption -unless keys are provided, no access to database

Individual files -moving a file off an encrypted disk can make it vulnerable, if you want to sent one file or a group of files, encrypting them ensures that they are still encrypted while in transit or storage 



This is an interesting lecture about rootkits