2. UNDERSTANDING THREATS
(FORCES OF EVIL)
● Access control threats can negatively impact the
confidentiality, integrity, and availability of
information assets.
● Threats target the networks, systems, and
applications that store and process an
organization's data.
● There are many different types of threats, and it
is important to understand how each of them
works.
3. EXAMPLES OF THREATS:
● Denial of service
● Buffer overflows
● Mobile code
● Malicious software
● Password crackers
● Spoofing/masquerading
● Sniffers
● Eavesdropping
● Emanations
4. EXAMPLES OF THREATS
(CONTINUED):
● Shoulder surfing
● Tapping
● Object reuse
● Data remnants
● Unauthorized targeted data mining
● Dumpster diving
● Backdoor/trapdoor
● Theft
● Intruders
● Social engineering
5. DENIAL OF SERVICE (DOS):
● DoS attacks range from consuming a specific
resource, through preventing systems or
networks from communicating, to making a
system service or application unusable or
causing a complete outage.
● In a SYN flood, the attacker sends many TCP
SYN packets without ever completing the
three-way handshake. Each half-open
connection ties up server state until the table
is full and legitimate users can no longer
connect.
6. DOS (CONTINUED):
● A DoS attack comes from a single source;
a distributed DoS (DDoS) attack comes
from many sources at once.
● Attackers build vast networks of
commandeered systems, known as
"zombies" (collectively, a botnet). The
zombies send millions of requests to the
target at the same time, flooding it until
it fails.
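The detection side of the SYN-flood and zombie-network discussion above, as an added example that is not part of the original slides: it counts half-open connections per source over a constructed list of handshake events and separates a single-source flood (one loud source) from a distributed one (many sources, each quiet, whose total is still abnormal). The event tuples, the IP addresses (documentation ranges) and both thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of TCP handshake events, as a sensor on the server side
# might record them: (src_ip, src_port, flag). "SYN" is a new connection
# request; "ACK" is the client's final handshake packet for the same socket.
# Addresses come from documentation ranges; this is not real traffic.
LEGIT_EVENTS = [
    ("10.0.0.5", 40001, "SYN"), ("10.0.0.5", 40001, "ACK"),
    ("10.0.0.5", 40002, "SYN"), ("10.0.0.5", 40002, "ACK"),
]
# Single-source SYN flood: eight requests from one host, none completed.
SINGLE_SOURCE_FLOOD = LEGIT_EVENTS + [
    ("203.0.113.9", 50000 + i, "SYN") for i in range(8)
]
# Distributed flood: thirty "zombies", one half-open connection each.
DISTRIBUTED_FLOOD = LEGIT_EVENTS + [
    (f"198.51.100.{i}", 40000 + i, "SYN") for i in range(1, 31)
]


def half_open_by_source(events):
    """Count the handshakes each source started but never completed.

    A socket (src_ip, src_port) that saw a SYN but no matching ACK is
    half-open: the server has allocated state for it and is still waiting.
    """
    pending = set()
    for src_ip, src_port, flag in events:
        key = (src_ip, src_port)
        if flag == "SYN":
            pending.add(key)
        elif flag == "ACK":
            pending.discard(key)
    counts = defaultdict(int)
    for src_ip, _ in pending:
        counts[src_ip] += 1
    return dict(counts)


def classify(events, per_source_threshold=5, aggregate_threshold=20):
    """Return "dos", "ddos" or "none" (thresholds are assumed values).

    "dos": one source alone exceeds per_source_threshold half-open sockets.
    "ddos": no single source stands out, but the total half-open count
    exceeds aggregate_threshold, which is what a botnet of low-rate
    zombies looks like to a per-source rate limiter.
    """
    counts = half_open_by_source(events)
    if any(n > per_source_threshold for n in counts.values()):
        return "dos"
    if sum(counts.values()) > aggregate_threshold:
        return "ddos"
    return "none"


if __name__ == "__main__":
    for name, sample in [("legit", LEGIT_EVENTS),
                         ("single-source", SINGLE_SOURCE_FLOOD),
                         ("distributed", DISTRIBUTED_FLOOD)]:
        print(name, classify(sample), half_open_by_source(sample))
```

A per-source threshold on its own never fires on the distributed sample, which is exactly why DDoS is harder to stop than DoS; the aggregate count catches it, but only tells you that you are under attack, not whom to block. On the server side the standard mitigation for the half-open-table exhaustion itself is SYN cookies, which avoid allocating state until the handshake completes.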
7. BUFFER OVERFLOWS:
● Buffering controls data inputs and outputs at
every level of a system's interaction.
● A buffer overflow is an attack that defeats a
system's ability to manage its buffers, writing
past the end of one into adjacent memory. The
result can be system failures and outages, loss
of control over application state or a running
program, or execution of code of the
attacker's choosing.
8. BUFFER OVERFLOWS (CONTINUED):
● Buffer overflows can also be used to
insert malicious software for the attacker
to execute. Because memory buffers are
used in network interfaces, video systems,
RAM, and virtual memory on disk, all of
these are potential targets of a buffer
overflow.
● Buffer overflows are mostly caused by
poor application or system memory
management.
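The "loss of control over application state" case above, as an added example that is not part of the original slides: a fixed-layout record with a 16-byte name buffer immediately followed by a privilege flag, an unchecked copy that writes one byte past the buffer and flips the flag, and the bounds-checked copy that refuses the same input. The record layout, field names and payload are assumptions; Python's ctypes is used here to reproduce the C memory layout deterministically.

```python
import ctypes

NAME_SIZE = 16  # assumed buffer size for the example


class Session(ctypes.Structure):
    """Fixed-layout record, as a C program would keep on the stack or heap:
    a 16-byte name buffer immediately followed by a one-byte privilege flag.
    sizeof(Session) is 17; nothing sits between the two fields."""
    _fields_ = [("name", ctypes.c_char * NAME_SIZE),
                ("is_admin", ctypes.c_uint8)]


# Overflow payload: fills the whole name buffer, then one extra byte that
# lands on is_admin. It is exactly sizeof(Session) bytes long so the demo
# never writes outside the object itself; a longer payload would corrupt
# whatever the allocator placed after it, which is how real crashes and
# code execution start.
PAYLOAD = b"A" * NAME_SIZE + b"\x01"


def set_name_unchecked(session, data: bytes):
    """Vulnerable: copies len(data) bytes into the 16-byte name field with no
    length check, like strcpy()/memcpy() with an attacker-chosen length."""
    dst = ctypes.addressof(session) + Session.name.offset
    ctypes.memmove(dst, data, len(data))


def set_name_checked(session, data: bytes):
    """Hardened: rejects input that does not fit (leaving room for the NUL
    terminator) and always writes exactly NAME_SIZE bytes."""
    if len(data) >= NAME_SIZE:
        raise ValueError(f"name too long: {len(data)} bytes, limit {NAME_SIZE - 1}")
    padded = data + b"\x00" * (NAME_SIZE - len(data))
    ctypes.memmove(ctypes.addressof(session) + Session.name.offset, padded, NAME_SIZE)


def admin_after_write(data: bytes, checked: bool) -> int:
    """Create a fresh non-admin session, write `data` into its name field with
    the chosen copy routine and return the resulting is_admin flag."""
    s = Session()
    s.is_admin = 0
    (set_name_checked if checked else set_name_unchecked)(s, data)
    return s.is_admin


def checked_write_rejects(data: bytes) -> bool:
    """True if the bounds-checked copy refuses `data` instead of writing it."""
    try:
        admin_after_write(data, checked=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked, benign name  -> is_admin =", admin_after_write(b"alice", False))
    print("unchecked, 17-byte name -> is_admin =", admin_after_write(PAYLOAD, False))
    print("checked,   17-byte name -> rejected =", checked_write_rejects(PAYLOAD))
```

The privilege escalation needs no shellcode at all: the attacker only has to know what sits after the buffer. That is why "poor memory management" on the previous slide covers more than crashes, and why the fix is a length check at the copy, not a bigger buffer.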
9. MOBILE CODE:
● Mobile code is software that is transmitted
across a network from a remote source and
executed on a local system.
● Its security implications matter because of its
distribution capability, limited user awareness,
and potential for harm.
● Mobile code is designed to be delivered to an
end-user device. If the device is not configured
properly, the code can infect or manipulate the
system.
● Organizations should make their users aware of
the dangers of mobile code.
10. MALICIOUS SOFTWARE (MALWARE):
● Malware is any digital material deliberately
designed to perform undesirable tasks.
○ Virus: Parasitic code that requires human action
to spread or be inserted.
○ Worm: Self-propagating code that exploits a system
or application vulnerability to replicate.
○ Trojan Horse: A general term for programs that
appear desirable but contain something harmful.
○ Spyware: A hidden application injected through
poor browser security by companies seeking:
11. MALWARE (CONTINUED):
a) Malvertisements are web advertisements
that appear legitimate yet direct users to
download malware onto their systems.
b) Malnets are malware networks that
typically consist of numerous infected
websites, desktops, laptops, and
increasingly mobile devices, used to gain
more information about users' Internet
activity.
12. PASSWORD CRACKERS:
● The key factor is that passwords are stored as
hashes rather than in the clear, and that is
where a password cracker comes in: it hashes
candidate passwords and compares the results
against the stored hashes.
● Password crackers are one of the few tools that
are equally effective for security administrators
and attackers alike.
● Rainbow tables, which precompute hash-to-password
lookups so the work is done once and reused,
have revolutionized password cracking and are
being rapidly adopted by tool creators.
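The cracking mechanics described above, as an added example that is not part of the original slides: a precomputed hash-to-password table (the idea a rainbow table compresses) cracks unsalted SHA-256 hashes with no per-victim hashing, while a per-user random salt and a slow key-derivation function force the attacker to re-hash the whole wordlist for every victim. The wordlist, victim passwords, salt length and PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import os

# Constructed wordlist and victim passwords; not real credentials.
WORDLIST = ["123456", "password", "letmein", "dragon", "s3cret", "qwerty"]
GUESSES = {"count": 0}  # number of password hashes computed by the cracker


def _count():
    GUESSES["count"] += 1


# --- Weak storage: unsalted SHA-256 -----------------------------------------
def store_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. A rainbow table is a space-optimised
    form of this idea: the work is done before any victim hash is seen and is
    reused against every unsalted hash afterwards."""
    table = {}
    for word in wordlist:
        _count()
        table[store_unsalted(word)] = word
    return table


def crack_unsalted(stored_hashes, table):
    """Pure table lookups: zero hashing per victim, and identical passwords
    produce identical hashes, so one hit reveals every user with that password."""
    return {h: table[h] for h in stored_hashes if h in table}


# --- Better storage: per-user random salt + slow KDF ------------------------
def store_salted(password: str, salt: bytes = None, rounds: int = 1000) -> str:
    """Record format 'salt_hex$digest_hex'. 1000 PBKDF2 rounds keeps the
    example fast; real deployments use far more (or scrypt/Argon2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def crack_salted(stored, wordlist, rounds=1000):
    """No precomputed table helps: each record's salt forces the cracker to
    hash the wordlist again for that victim, and each guess costs `rounds`
    HMAC iterations instead of one hash."""
    found = {}
    for record in stored:
        salt = bytes.fromhex(record.split("$")[0])
        for word in wordlist:
            _count()
            if store_salted(word, salt, rounds) == record:
                found[record] = word
                break
    return found


def compare_work(victims):
    """Crack the same victims both ways; return (unsalted, salted) guess
    counts. The unsalted cost is the one-time table build, however many
    victims there are; the salted cost grows with every victim."""
    unsalted = [store_unsalted(p) for p in victims]
    salted = [store_salted(p) for p in victims]
    GUESSES["count"] = 0
    crack_unsalted(unsalted, build_lookup_table(WORDLIST))
    unsalted_work = GUESSES["count"]
    GUESSES["count"] = 0
    crack_salted(salted, WORDLIST)
    return unsalted_work, GUESSES["count"]


if __name__ == "__main__":
    print("guesses (unsalted, salted):", compare_work(["letmein", "dragon", "qwerty"]))
```

The defender's takeaway is the storage format, not the cracker: a unique salt per record defeats every precomputed table, and a deliberately slow hash turns the remaining dictionary attack into a per-user cost the attacker has to pay in full.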
13. SPOOFING/MASQUERADING
● Spoofing is the act of appearing to a system as if a
communication from an attacker is coming from a
known and trusted source.
● Early versions of spoofing were performed by
manipulating the packets of data used in the IP
protocol, forging the source address.
● Raw IP spoofing is less common today because
modern operating systems and firewalls are
prepared for it.
● Spoofing has a profound effect on access control
systems because it removes the assurance that a
person is dealing with a trusted entity.
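The firewall-side defence against forged source addresses, as an added example that is not part of the original slides: an ingress filter that drops packets whose source address cannot legitimately arrive on the interface they came in on, which is the idea standardised as BCP 38 / RFC 2827. The interface names, prefixes (documentation and private ranges) and sample packets are assumptions made for the example.

```python
import ipaddress

# Constructed border-router topology: the source prefixes that may legitimately
# appear on each interface. "outside" carries everything not claimed inside.
INTERFACE_PREFIXES = {
    "inside": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "outside": [],
}
INTERNAL = [p for name, nets in INTERFACE_PREFIXES.items()
            if name != "outside" for p in nets]

# Source addresses that are never valid on the wire from anywhere.
BOGON = [ipaddress.ip_network(n) for n in
         ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def ingress_verdict(interface: str, src_ip: str) -> str:
    """Decide whether a packet's source address is plausible for the
    interface it arrived on. Returns "accept" or "drop:<reason>"."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in BOGON):
        return "drop:bogon-source"
    if interface == "outside":
        # The classic spoof: a packet from the Internet claiming to be us.
        if any(src in net for net in INTERNAL):
            return "drop:internal-source-from-outside"
        return "accept"
    # Inside/DMZ hosts may only speak with their own prefixes. This also stops
    # our own hosts from launching spoofed traffic at someone else.
    if not any(src in net for net in INTERFACE_PREFIXES[interface]):
        return "drop:source-not-on-interface"
    return "accept"


def filter_packets(packets):
    """Apply the rule to (interface, src_ip, dst_ip) tuples; return verdicts."""
    return [(iface, src, ingress_verdict(iface, src)) for iface, src, _ in packets]


# Constructed sample traffic, one packet per case.
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "192.0.2.10"),   # ordinary Internet client
    ("outside", "10.1.2.3", "10.0.0.9"),        # forged internal source
    ("inside", "10.5.5.5", "203.0.113.7"),      # legitimate internal host
    ("inside", "203.0.113.7", "10.0.0.9"),      # internal host spoofing outward
    ("dmz", "127.0.0.1", "192.0.2.10"),         # loopback source on the wire
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:8} {src:15} {verdict}")
```

The filter does nothing against spoofing of addresses the attacker is allowed to use, which is why the slide is right that the systems behind it must still not treat a source address as proof of identity: authentication has to come from a higher layer (TLS, signed messages), never from the IP header.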
14. SNIFFERS, EAVESDROPPING, AND
TAPPING
● All communications, whether wired or
wireless, must travel from point to point
over some medium.
● Sniffers are devices or programs that collect
information from a communication medium,
such as a network.
● Sniffing can be used for good and evil.
● The best protection against sniffing,
eavesdropping, and tapping is to encrypt
transmissions between devices, so that
whatever is captured is unreadable.
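What a sniffer on the medium actually recovers when the transmission is not encrypted, as an added example that is not part of the original slides: a minimal Ethernet/IPv4/TCP parser run over constructed frames, pulling a plaintext HTTP Basic-Authorization credential out of one of them. The frames, addresses, ports and the credential are all constructed for the example; the IP and TCP checksums are left at zero because the frames are parsed, never sent.

```python
import base64
import struct


def build_frame(src, dst, sport, dport, payload, ethertype=0x0800):
    """Assemble Ethernet + IPv4 + TCP headers around `payload`. Constructed
    capture only: checksums are zero and would fail on a real network."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk the three headers and return addresses, ports and TCP payload,
    or None for anything that is not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != 6:                    # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4         # TCP data offset in bytes
    return {"src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


def extract_basic_auth(payload: bytes):
    """Return (user, password) from an HTTP Basic Authorization header, if any.
    Basic auth is only base64, not encryption: anyone holding the bytes has
    the credential."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            user, _, password = base64.b64decode(line.split(b" ", 2)[2]).decode().partition(":")
            return user, password
    return None


def sniff(frames):
    """What an attacker on the shared medium harvests from a list of frames."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        creds = extract_basic_auth(pkt["payload"]) if pkt else None
        if creds:
            hits.append((pkt["src"], pkt["dst"], pkt["dport"]) + creds)
    return hits


# Constructed traffic: a plaintext HTTP login, an opaque (encrypted-looking)
# record on port 443, and a non-IP frame the parser must ignore.
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
HTTP_FRAME = build_frame("10.0.0.5", "10.0.0.80", 51000, 80, HTTP_REQUEST)
TLS_FRAME = build_frame("10.0.0.5", "10.0.0.80", 51001, 443, b"\x17\x03\x03\x00\x20" + bytes(32))
ARP_FRAME = build_frame("10.0.0.5", "10.0.0.80", 0, 0, b"", ethertype=0x0806)
SAMPLE_FRAMES = [HTTP_FRAME, TLS_FRAME, ARP_FRAME]

if __name__ == "__main__":
    print(sniff(SAMPLE_FRAMES))
```

Only the plaintext frame yields anything; the port-443 frame carries the same shape of bytes but nothing a parser can read, which is the whole argument for encryption as the defence against sniffing, eavesdropping and tapping rather than trying to secure the medium itself.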
15. EMANATION:
● Emanation is the propagation of the electromagnetic
signals that electronic devices give off as they
operate.
● By intercepting and interpreting the emanations
coming from a particular device, an attacker can
often reconstruct the information that is being
displayed or processed on that device.
● There are materials that restrict the ability of
radio waves to propagate through them. Shielding
involves the use of special paint on the walls and
special window coverings that can be placed on
windows or other weak points to further disrupt
the emanation of
16. SHOULDER SURFING
● Shoulder surfing is the act of surreptitiously
gathering information from a user by direct
observation of the user's activity, for
example by looking over their shoulder as
they perform some action such as typing a
password.
17. OBJECT REUSE:
● Object reuse refers to the allocation or reallocation
of system resources (objects) to a user, application,
or process. The threat is that a resource which still
holds a previous user's data exposes it to the next.
● There are two areas of concern with application
object reuse: the direct employment of the objects,
and the data input to or output from the object.
● Object reuse also applies to system media, such as
hard drives, magnetic media, RAM-based devices, or
other forms of data storage.
18. DATA REMANENCE
● It is becoming increasingly commonplace to
buy used computer equipment, such as a
hard drive or router, and find information
left on the device by the previous owner,
information they thought had been deleted.
● Another potential source of data exposure
is the slack space at the end of a file: the
unused remainder of the last cluster
allocated to it.
● In early computer systems, the slack space
was filled with random portions of data
pulled from memory.
19. DATA REMANENCE (CONTINUED):
● Slack space can also be used by an attacker to
hide data, and forensic tools can identify and
extract whatever information it contains.
● There are utilities that securely wipe data from a
hard drive by overwriting the file's storage with
bytes of all 1's, all 0's, or a random combination of
both. The wipe includes the unused slack space in
the clusters assigned to the file.
● The most effective mechanism to destroy data,
either a single file or an entire disk, short of
grinding the disk into little pieces (which is still no
guarantee), is to overwrite the data several times.
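The multi-pass overwrite described above, as an added example that is not part of the original slides: it rewrites a file in place with zeros, ones and random bytes, rounding the write up to the filesystem's allocation unit so the slack in the last block is covered, forces each pass to the device with fsync, then unlinks the file. The pattern sequence and the use of st_blksize as the cluster size are assumptions; a small demonstration function shows the secret is readable before and gone after.

```python
import os
import tempfile

# Pass sequence: zeros, ones, then random. None means os.urandom per chunk.
PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, patterns=PATTERNS, chunk=65536):
    """Overwrite every allocated byte of `path` once per pattern and return
    the number of passes. The write is rounded up to the filesystem block
    size (assumed to be the allocation unit) so the slack between the end of
    the data and the end of the last block is overwritten too; the original
    length is restored afterwards."""
    with open(path, "r+b") as f:
        st = os.fstat(f.fileno())
        size = st.st_size
        blk = getattr(st, "st_blksize", 4096) or 4096
        span = -(-size // blk) * blk          # round size up to a block boundary
        for pattern in patterns:
            f.seek(0)
            remaining = span
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())              # make the pass reach the device
        f.truncate(size)
        f.flush()
        os.fsync(f.fileno())
    return len(patterns)


def secure_delete(path):
    """Overwrite, then remove the directory entry. Returns the pass count."""
    passes = overwrite_file(path)
    os.remove(path)
    return passes


def demo():
    """Plant a recoverable secret in a temp file, wipe it, and report what a
    raw read of the file sees at each stage (constructed data)."""
    secret = b"SECRET DATA " * 64
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    with open(path, "rb") as f:
        visible_before = secret in f.read()
    passes = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    result = {
        "secret_visible_before": visible_before,
        "secret_visible_after": secret[:12] in after,
        "size_preserved": len(after) == len(secret),
        "passes": passes,
    }
    secure_delete(path)
    result["file_gone"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Overwriting in place is only meaningful where the new bytes land on the same physical blocks as the old ones. On SSDs (wear levelling remaps writes), copy-on-write or journaling filesystems, and anything with snapshots or backups, the old copy can survive untouched; for those cases full-disk encryption with key destruction, the drive's own sanitize command, or physical destruction are the reliable options.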
20. UNAUTHORIZED TARGETED DATA
MINING
● Unauthorized targeted data mining is the act of
collecting and analyzing large quantities of
information to determine patterns of use or
behavior, and using those patterns to form
conclusions about past, current, or future
behavior.
● Attackers perform reconnaissance against their
target in an effort to collect as much information
as possible and draw conclusions about its
operations, practices,
21. DUMPSTER DIVING
● Dumpster diving is simply the act of taking what
people assume is trash and using that information,
sometimes in combination with other data, to
formulate conclusions or refine strategies for an
attack.
● Most attackers do not want to risk physical
contact with their target and the potential
exposure of going through the organization's
trash.
● The ability of an unauthorized person to reach
the trash repository of a site also exposes a
weakness in the physical access controls of that
facility.
22. BACKDOORS AND TRAPDOORS
● Applications may contain hard-coded instructions
that allow complete and unfettered access to anyone
who knows the backdoor exists.
● The most common method of backdoor access is a
hidden account built into the application.
● The threat to access controls from backdoors and
trapdoors comes from the existence of unknown
configurations that allow someone to circumvent
established controls and gain full access to the system.
23. LOGIC BOMBS:
● Some attacks take effect as soon as they are
launched; others lie dormant for days, weeks, even
years. These are called logic bombs because they
rely on a logical progression of events (a date, a
count, a condition) before they unleash their
payload.
● They can be difficult to find, particularly if they
have been placed there by someone with intimate
knowledge of the system or its source code.
● The best defense is a thorough code review of all
software deployed throughout the enterprise.
24. THEFT:
● Theft is a simple concept anyone can grasp;
however, as the digital interaction between
people and businesses expands, the
exposure of valuable information extends
well beyond the physical notion of the term.
● Physical theft includes anything of value an
unauthorized entity can remove.
● Digital theft differs in that the thief copies
the information rather than removing it: the
original data is still there, so the victim may
not notice that anything was stolen.
25. SOCIAL ENGINEERING:
● Social engineering is the practice of using
misdirection to obtain information through
social contact.
● It can take many forms, ranging from
telephone calls to e-mail to face-to-face
interaction.
● The best prevention is an effective and
continuous security awareness and
education effort for all personnel within
the organization.
26. E-MAIL SOCIAL ENGINEERING
● E-mail can be a powerful persuasion device for
attackers and con artists alike.
● E-mail has become a basic mode of
communication for many people and is
considered crucial for many companies to run a
successful business.
● E-mail social engineering presents many
problems for effective access control, but the
primary problem is that it can be used to obtain
enough personal or system information from a
victim that the attacker can subsequently
obtain or bypass legitimate authentication and
authorization.
27. HELP DESK FRAUD
● The goal of a help desk attack is for the
attacker to obtain a valid ID and password
for an internal system, typically by posing
as a user who has been locked out.
● This technique is becoming harder to use,
because help desk employees are usually
trained to follow a specific protocol for
providing passwords, and many of these
protocols do not permit furnishing
passwords over the phone.
28. THREAT MODELING
● In reviewing access control attacks and mitigating factors,
several risk assessment methods can be considered.
● Threat modeling approaches vary from organization to
organization but generally follow these steps:
● Defining the scope and objectives
● Understanding or modeling the system
● Developing the threats
● Developing the vulnerabilities
● Determining the impact and risk
● Developing the mitigation plan
29. DEFINE THE SCOPE AND OBJECTIVES
● An effective threat modeling exercise must
determine what is within the scope of the
modeling.
● There is a trade-off between the size of the
scope and the amount of effort required to
provide meaningful recommendations.
● If the scope is too narrow, the assessor may
neglect significant information.
● If the scope is too large, resources that should
go to mitigation are spent on assessment.
30. UNDERSTANDING OR MODELING
THE SYSTEM:
● To understand how the target system or
application operates, collect as much
information about the system as is
available.
● Cost information about the operation and
development of the system, and about the
information it contains, should also be
understood, as it will be required to make
value-based decisions.
31. DEVELOPMENT OF THREATS:
● Developing threats can be as much art as
science and will vary greatly depending on
the threat information sources available.
● One such source is classified or national
security information, which may be
relevant to the system.
32. DEVELOPMENT OF VULNERABILITIES:
● Using automated tools, perform a
vulnerability scan of the target
system or application.
● Weaknesses identified by other means,
such as design or configuration review,
should also be reviewed.
33. DETERMINING IMPACTS AND RISK:
● There are several qualitative and
quantitative ways to determine
impacts and risks.
● The qualitative route is the simplest and
helps determine the overall impact and
risk to the organization.
● Once the levels of risk are determined,
the cost to mitigate each one should be
determined.
34. DEVELOP A MITIGATION PLAN:
● The plan should ideally identify residual
risks, exposure, the resources required
to mitigate each risk, and timelines for
the mitigations.
● The plan should also identify the party
responsible for each risk mitigation and
who accepted the residual risk on behalf
of the organization.
35. ASSET VALUATION:
● In determining the value of information systems
there are several components which must be
accounted for:
● Hardware
● Software
● Integration
● Opportunity cost
● Regulatory exposure
● Information replacement
● Reputation exposure
36. HARDWARE, SOFTWARE,
AND INTEGRATION:
● Hardware:
● The replacement cost of hardware can be significant
and can increase dramatically when the hardware is
out of support or the vendor has gone out of business.
● Software:
● Much like hardware, software can go out of support
and vendors can dissolve or merge with other
companies.
● Integration:
● Integration costs are often "sunk", invisible costs that are
easily overlooked when considering the value of an asset.
37. OPPORTUNITY COSTS, REGULATORY AND
REPUTATIONAL EXPOSURE, AND
INFORMATION REPLACEMENT:
● Opportunity Costs:
● When a crucial business support system, such as the e-commerce
site of a major online retailer, is down, the downtime costs substantial money.
● Regulatory Exposure:
● In a regulated environment, there are stiff penalties for breaching
information.
● Information Replacement:
● The information an organization develops as part of its operation is
most likely not going to be replaced overnight.
● Reputational Exposure:
● What is the cost of losing a reputation? A reputation is extremely
difficult and expensive to achieve and to maintain.
38. ACCESS AGGREGATION:
● Access aggregation is the act of collecting additional
roles and responsibilities in an organization or
information system, typically as a person changes jobs
without losing the access of the previous one.
● The combination of access may make it possible to
commit fraud, as separation of duties breaks down
when access aggregation occurs.
● Information security professionals should work with
human resources and information technology
administrators to ensure that de-provisioning of
access is performed any time a person changes roles.
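The separation-of-duties breakdown described above, as an added example that is not part of the original slides: a small access registry that walks one person through three job changes, once with the naive "add the new roles" approach and once with de-provisioning on every change, and an audit that reports which toxic role combinations each person ends up holding. The role names, the conflict pairs and the career path are assumptions constructed for the example.

```python
# Constructed role model: pairs of roles that one person must never hold at
# the same time, i.e. classic separation-of-duties conflicts.
TOXIC_PAIRS = {
    frozenset({"vendor-create", "payment-approve"}),   # create a fake vendor, pay it
    frozenset({"developer", "prod-deploy"}),           # change code, ship it unreviewed
    frozenset({"payroll-edit", "payroll-audit"}),      # alter payroll, sign off the audit
}


def conflicts(roles):
    """Return the toxic combinations present in one person's role set,
    as sorted tuples so the output is deterministic."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= held)


class AccessRegistry:
    """Who holds which roles. Two ways to process a job change: the naive
    one that only grants, and the correct one that de-provisions first."""

    def __init__(self):
        self.roles = {}

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def change_role_naive(self, user, new_roles):
        """Grants the new job's roles and never removes the old ones: this is
        how access aggregates over a career."""
        for role in new_roles:
            self.grant(user, role)

    def change_role_deprovisioned(self, user, new_roles):
        """Replaces the old job's roles with exactly the new job's roles."""
        self.roles[user] = set(new_roles)

    def audit(self):
        """Users holding at least one toxic combination, with the combinations."""
        return {user: conflicts(held) for user, held in self.roles.items()
                if conflicts(held)}


# Constructed career path for one person: AP clerk -> AP manager -> auditor.
CAREER = [
    ("accounts-payable clerk", {"vendor-create"}),
    ("accounts-payable manager", {"payment-approve"}),
    ("internal auditor", {"payroll-audit"}),
]


def career_path(deprovision: bool, user="dana"):
    """Apply every job change in CAREER with the chosen policy; return the
    audit findings at the end of the path."""
    reg = AccessRegistry()
    change = reg.change_role_deprovisioned if deprovision else reg.change_role_naive
    for _title, roles in CAREER:
        change(user, roles)
    return reg.audit()


def roles_after_career(deprovision: bool, user="dana"):
    """The role set the user ends up with under the chosen policy."""
    reg = AccessRegistry()
    change = reg.change_role_deprovisioned if deprovision else reg.change_role_naive
    for _title, roles in CAREER:
        change(user, roles)
    return sorted(reg.roles[user])


if __name__ == "__main__":
    print("naive:        ", roles_after_career(False), career_path(False))
    print("de-provisioned", roles_after_career(True), career_path(True))
```

The audit is the control worth keeping even after de-provisioning is in place: it catches aggregation that slips through side channels (shared accounts, group membership inherited from a team move) that an HR-driven workflow never sees.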
39. VULNERABILITY ASSESSMENT:
● To begin the vulnerability assessment process, the assessor
must have a good understanding of the business, its
mission, and the system or application to be assessed.
● The next step is to examine the existing controls in place
to protect the system or process.
● Once the vulnerability scanning is complete, the security
analyst must examine the results for accuracy and weed
out false positives.
● Once the final analysis is complete, the assessor should
discuss the findings with the business area to determine the
appropriate course of remediation action to take.
40. PENETRATION TESTING:
● The next level of vulnerability assessment seeks to
exploit existing vulnerabilities to determine the true
nature and impact of a given vulnerability.
● Penetration testing goes by many names, such as
ethical hacking, tiger teaming, red teaming, and
vulnerability testing.
● Penetration testing can be employed against any
system or service.
● The key to successful and valuable penetration
testing is clearly defined objectives, scope,
stated goals, agreed-upon limitations, and
acceptable activities.
41. PENETRATION TEST STRATEGIES:
● Strategies are based on the specific
objectives to be achieved and are a
combination of the source of the test,
how the company's assets are targeted,
and the information provided to the
tester.
● The organization must determine the area
of the organization or the service to be
tested.
42. APPLICATION SECURITY TESTING:
● The objective of application security testing is to
evaluate the controls within an application and
its information processing flow.
● Application testing exercises the flow of
information through the application and its
susceptibility to interception or alteration.
● The test covers a wide range of common attack
scenarios to gauge the level of resistance an
application has to attacks of varying
sophistication.
43. DENIAL-OF-SERVICE (DOS) TESTING:
● The goal is to evaluate the system's
susceptibility to attacks that would render it
inoperable or unable to provide needed
services to the organization's external users.
● Because DoS testing presents such a risk to
systems, many testers will perform the
attack steps leading up to the DoS but stop
short of crashing the system. This saves a
great deal of response and
44. WAR DIALING:
● War dialing is a technique for systematically
calling a range of telephone numbers in an
attempt to identify modems, remote-access
devices, and maintenance connections for
computers that may exist within an
organization's network.
● Organizations would be wise not to
underestimate the reach of such devices into
their infrastructure or their potential for
creating vulnerabilities in the environment.
45. WIRELESS NETWORK TESTING:
● Wireless networks, whether created through
a formal, approved network architecture or
through the inadvertent actions of
well-meaning users, create additional
security exposures.
● The goal is to identify security gaps or flaws in
the design, implementation, or operation
of the organization's wireless network.
46. SOCIAL ENGINEERING:
● Often used in conjunction with blind
and double-blind testing, social
engineering refers to techniques that
use social interaction, typically with
the organization's employees,
suppliers, and contractors, to gather
enough information to be able to
penetrate the organization's
physical premises or systems.
47. PBX AND IP TELEPHONY TESTING:
● Beyond war dialing, phone systems
have been a highly vulnerable, yet
often overlooked, route for gaining
access to corporate resources.
● The potential threat profile created by
combining the threats associated with
IP networks and those of telephone
systems is one an organization should
take seriously.
48. PENETRATION TEST METHODOLOGY:
● A methodology is an established collection of processes
that are performed in a predetermined order to ensure
that the job, function, or security test is accurately executed.
● (1) Reconnaissance/Discovery: Identify and document
information about the target.
● (2) Enumeration: Gain more information using intrusive
methods.
● (3) Vulnerability Analysis: Map the environment profile to
known vulnerabilities.
● (4) Execution: Attempt to gain user and privileged access.
● (5) Document findings: Document the results of the test.