Kategori
CEH Security

Introduction to Ethical Hacking

1.1 Information Security Overview

  • Source code leaks accelerated malware release cycles (malware variants) characteristics、signatures、evasive capabilities anti-virus/anti-malware
  • Old school malware techniques made a comeback anti-virus applications、IDS、firewall cyber-crime techniques (manual) (time consuming) (infection) (propagation)
  • Growth of 64-bit malware increased64-bit
  • Malware researcher evasion became more popular
  • Mobile SMS-forwarding malware are becoming ubiquitous
  • Account takeover moved to the victim’s device
  • Attacks on corporate and personal data in the cloud increased
  • Exploit kits continued to be a primary threat for Windows
  • Attackers increasingly lure executives and compromise organizations via professional social networks
  • Java remains highly exploitable and highly exploited – with expanded repercussionsAttackers are more interested in cloud data than your network
  • The sheer volume of advanced malware is decreasing
  • Redkit, Neutrino, and other exploit kits struggled for power in the wake of the Blackhole Author ArrestBlackhole exploit kit,Redkit Neutrino exploit kits。
  • Mistakes are made in “offensive” security due to misattribution of an attack’s source
  • Cybercriminals are targeting the weakest links in the “data-exchange chain” consultants、contractors vendors
  • Major data-destruction attacks are increasing

Essential Terminology

  • Hack Value: It is notion among hackers that something is worth doing or is interesting
  • Vulnerability: Existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system
  • Exploit: A breach of IT system security through vulnerabilities
  • Payload: Payload is the part of an exploit code that performs the intended malicious action, such as destroying, creating backdoors, and hijacking computerPayload
  • Zero-Day Attack: An attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability
  • Daisy Chaining: It involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
  • Doxing: Publishing personally identifiable information about an individual collected from publicly available databases and social media
  • Bot: A “bot” is a software application that can be controlled remotely to execute or automate predefined tasks

Elements of Information Security

  • Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable.
  • Confidentiality: Assurance that the information is accessible only to those authorized to have access
  • Integrity: The trustworthiness of data or resources in terms of preventing improper and unauthorized changes
  • Availability: Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users
  • Authenticity: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine
  • Non-Repudiation: Guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

The Security, Functionality, and Usability Triangle

  • Level of security in any system can be defined by the strength of three components:
    • Functionality (Features)
    • Security (Restrictions)
    • Usablity (GUI)

1.2 Information Security Threats and Attack Vectors

Motives, Goals, and Objectives of Information Security Attacks

  • Attacks = Motive (Goal) + Method + VulnerabilityWindows XP和Flash即是常見的Vulnerabilities
  • A motive originates out of the notion that the target system stores or processes something valuable and this leads to threat of an attack on the system.
  • Attackers try various tools and attack techniques to exploit vulnerabilities in a computer system or security policy and controls to achieve their motives.目標存在或執行有價值的東西,攻擊者利用exploit vulnerabilities來攻擊以達成他們的動機或目的
  • Motives Behind Information Security Attacks:
    • Disrupting business continuity
    • Information theft
    • Manipulating data
    • Creating fear and chaos by disrupting critical infrastructures
    • Propagating religious or political beliefs
    • Achieving state’s military objectives
    • Damaging reputation of the target
    • Taking revenge

Top Information Security Attack Vectors

  • Cloud Computing Threats:
    • Cloud computing is an on-demand delivery of IT capabilities where sensitive data of organization’s and clients is stored.
    • Flaw in one client’s application cloud allow attackers to access other client’s data.
  • Advanced Persistent Threats: APT is an attack that focus on stealing information from the victim machine without the user being aware of it.持續性的:低調、緩慢、無時間概念
  • Viruses and Worms: Viruses and worms are the most prevalent networking threat that are capable of infecting a network within seconds.virus會經由夾帶在其它程式來自我複製。worm是惡意程式,它是經由網路來散播、複製與執行。
  • Mobile Threats: Focus of attackers has shifted to mobile devices due to the increased adoption of mobile devices for business and personal purposes and comparatively lesser security controls.
  • Botnet: A botnet is a huge network of the compromised systems used by an intruder to perform various network attacks.Botnet是網路上大量被入侵的電腦,會被攻擊者來利用發動DDoS攻擊
  • Insider Attack: It is an attack performed on a corporate network or on a single computer by an entrusted person (insider) who has authorized access to the network.

Information Security Threat Categories

  • Network Threats:
    • Information gathering
    • Sniffing and eavesdropping
    • Spoofing
    • Session hijacking and Man-in-the-Middle attack
    • DNS and ARP Poisoning
    • Password-based attacks
    • Denial-of-Service attack
    • Compromised-key attack
    • Firewall and IDS attacks
    從電腦與電腦間的通訊端進行的攻擊所造成的威脅
  • Host Threats:
    • Malware attacks
    • Footprinting
    • Password attacks
    • Denial-of-Service attacks
    • Arbitrary code execution
    • Unauthorized access
    • Privilege escalation
    • Backdoor attacks
    • Physical security threats
    針對有價值的特定主機進行攻擊所造成的威脅
  • Application Threats:
    • Improper data/Input validation
    • Authentication and Authorization attacks
    • Security misconfiguration
    • Information disclosure
    • Broken session management
    • Buffer overflow attacks
    • Cryptography attacks
    • SQL injection
    • Improper error handling and exception management
    應用程式的漏洞使得攻擊者能夠利用所造成的威脅

Types of Attacks on a System

  • Operating System Attacks:
    • Attackers search for vulnerabilities in an operating system’s design, installation or configuration and exploit them to gain access to a system.
    • OS Vulnerabilities: Buffer overflow vulnerabilities, bugs in operating system, unpatched operating system, etc.
    攻擊者找尋作業系統或OS Level的漏洞來存取系統權限,例如Buffer overflow、作業系統的bug、未更新作業系統、特定的網路協定漏洞、攻擊系統權限、破壞file-system、破解密碼和加密機制。
  • Misconfiguration: Attacks Misconfiguration vulnerabilities affect web servers, application platforms, databases, networks, or frameworks that may result in illegal access or possible owning of the system.錯誤配置設定造成攻擊者能夠未授權取得系統權限。修改系統預設值,移除或關閉不必要的服務。
  • Application-Level Attacks:
    • Attackers exploit the vulnerabilities in applications running on organizations’ information system to gain unauthorized access and steal or manipulate data.
    • Application Level Attacks: Buffer overflow, cross-site scripting, SQL injection, man-in-the-middle, session hijacking, denial-of-service, etc.
    利用應用程式的漏洞取得未授權存取權限並竊取或修改資料。攻擊方式有Buffer overflow, Sensitive information disclosure, XSS, session hijacking, man-in-the-middle, denial-of-service attacks, SQL injection attacks, Phishing, Parameter/form tampering, Directory traversal attacks.將session ID放在cookie裡而不是URL可防止session hijackingDenial-of-Service是對目標電腦/網路做大量的存取資源,使得合法使用者無法使用。可使用finally做例外處理。
  • Shrink-Wrap Code Attacks: Attackers exploit default configuration and settings of the off-the-shelf libraries and code.軟體開發者使用的free libraries若存在漏洞,造成所有開發者的軟體都有漏洞,因此使用時必須要修改並調整程式碼內容,使得沒有exploit可正常利用。

Information Warfare

  • The term information warfare or InfoWar referes to the use of information and communication technologies (ICT) to take competitive advantages over an opponent.
  • Defensive Information Warfare: It refers to all strategies and actions to defend against attacks on ICT assets.
    • Prevention
    • Deterrence
    • Alerts
    • Detection
    • Emergency Preparedness
    • Response
  • Offensive Information Warfare: It refers to information warfare that involves attacks against ICT assets of an opponent.
    • Web Application Attacks
    • Web Server Attacks
    • Malware Attacks
    • MITM Attacks
    • System Hacking

資訊戰武器像是有viruses, worms, Trojan horses, logic bombs, trap doors, nano machines nad microbes, electronic jamming和penetration exploits and tools.

資訊戰可分為:Command and control warefare (C2 warfare), Intelligence-based warfare, Electronic warfare, Psychological warfare, Hacker warfare, Economic warfare, Cyberwarfare.

1.4 Ethical Hacking Concepts and Scope

What is Ethical Hacking?

  • Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities so as to ensure system security.
  • It focuses on simulating techniques used by attackers to verify the existence of exploitable vulnerabilities in the system security.
  • Ethical hackers performs security assessment of their organization with the permission of concerned authorities.同樣使用hacking tools來驗證弱點是否存在,但是是在有授權允許下進行的。

Why Ethical Hacking is Necessary

  • To beat a hacker, you need to think like one!
    • Ethical hacking is necessary as it allows to counter attacks from malicious hackers by anticipating methods used by them to break into a system.
  • Reasons why Organizations Recruit Ethical Hackers:
    • To prevent hackers from gaining access to organization’s information.
    • To uncover vulnerabilities in systems and explore their potential as a risk.
    • To analyze and strengthen an organization’s security posture including policies, network protection infrastructure, and end-user practices.
    像駭客一樣思考,從攻擊者的角度來對抗、防禦預防攻擊者、揭露弱點、加強組織安全架構
  • Ethical Hackers Try to Answer the Following Questions:
    • What can the intruder see on the target system? (Reconnaissance and Scanning phases)
    • What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
    • Does anyone at the target notice the intruders’ attempts or successes? (Reconnaissance and Covering Tracks phases)
    • If all the components of information system are adequately protected, updated, and patched
    • How much effort, time, and money is required to obtain adequate protection?
    • Are the information security measures in compliance to industry and legal standards?

Scope and Limitations of Ethical Hacking

  • Scope:
    • Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices.
    • It is used to identify risks and highlight the remedial actions, and also reduces information and communications technology (ICT) costs by resolving those vulnerabilities.
  • Limitations:
    • However, unless the businesses first know what it is at that they are looking for and why they are hiring an outside vendor to hack systems in the first place, chances are there would not be much to gain from the experience.
    • An ethical hacker thus can only help the organization to better understand their security system, but it is up to the organization to place the right guards on the network.

Skills of an Ethical Hacker

  • Technical Skills:
    • Has in-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh.
    • Has in-depth knowledge of networking concepts, technologies and related hardware and software.
    • Should be a computer expert adept at technical domains.
    • Has knowledge of security areas and related issues.
    • Has “high technical” knowledge to launch the sophisticated attacks.什麼都要會
  • Non-Technical Skills: Some of the non-technical characteristics of an ethical hacker include:
    • Ability to learn and adapt new technologies quickly.
    • Strong work ethics, and good problem solving and communication skills.
    • Committed to organization’s security policies.
    • Awareness of local standards and laws.

1.5 Information Security Controls

Information Assurance (IA)

  • IA refers to the assurance that the integrity, availability, confidentiality, and authenticity of information and information systems is protected during usage, processing, storage, and transmission of information.
  • Some of the processes that help in achieving information assurance include:
    • Developing local policy, process, and guidance
    • Designing network and user authentication strategy
    • Identifying network vulnerabilities and threats
    • Identifying problems and resource requirements
    • Creating plan for identified resource requirements
    • Applying appropriate information assurance controls
    • Performing certification and accreditation
    • Providing information assurance training
    管理面

Information Security Management Program

  • Programs that are designed to enable a business to operate in a state of reduced risk.
  • It encompasses all organizational and operational processes, and participants relevant to information security.
  • Information Security Management Framework: It is a combination of well-defined policies, processes, procedures, standards, and guidelines to establish the required level of information security.

Threat Modeling

  • Threat modeling is a risk assessment approach for analyzing security of an application by capturing, organizing, and analyzing all the information that affects the security of an application.
    1. Identify Security Objectives: Helps to determine how much effort need to put on subsequent steps.
    2. Application Overview: Identify the components, data flows, and trust boundaries.
    3. Identify Vulnerabilities: Identify weaknesses related to the threats found using vulnerability categories.
    4. Decompose Application: Helps you to find more relevant and more detailed threats.
    5. Identify Threats: Identify threats relevant to your control scenario and context using the information obtained in steps 2 and 3.
    系統/軟體威脅評估3 major building blocks: understanding the adversary’s view, characterizing the security of the system, and determining threats. 充份了解從對手的角度來看、描繪系統的特徵、決定威脅評估

Enterprise Information Security Architecture (EISA)

  • EISA is a set of requirements, processes, principles, and models that determines the structure and behavior of an organization’s information systems.
  • EISA Goals:
    • Helps in monitoring and detecting network behaviors in real time acting upon internal and externals security risks.
    • Helps an organization to detect recover from security breaches.
    • Helps in prioritizing resources of an organization and pays attention to various threats.
    • Benefits organization in cost prospective when incorporated in security provisions such as incident response, disaster recovery, event correlation, etc.
    • Helps in analyzing the procedure needed for the IT department to function properly and identify assets.
    • Helps to perform risk assessment of an organization IT assets with the cooperation of IT staff.

Network Security Zoning

  • Network security zoning mechanism allows an organization to manage a secure network environment by selecting the appropriate security levels for different zones of Internet and Intranet network.
  • It helps in effectively monitoring and controlling inbound and outbound traffic.
  • Examples of Network Security Zones:
    • Internet Zone: Uncontrolled zone, as it is outside the boundaries of an organization.
    • Internet DMZ: Controlled zone, as it provides a buffer between internal networks and Internet.
    • Production Network Zone: Restricted zone, as it strictly controls direct access from uncontrolled networks.
    • Intranet Zone: Controlled zone with no heavy restrictions.
    • Management Network Zone: Secured zone with strict policies.

網路安全管理,從Internet及Intranet、inbound及outbound來分類

Defense in Depth

  • Defense in depth is a security strategy in which several protection layers are placed throughout an information system.
  • It helps to prevent direct attacks against an information system and data because a break in one layer only leads the attacker to the next layer.
  • 從最外層到最內層:
    • Policies, Procedures, and Awareness
    • Physical
    • Perimeter
    • Internal Network
    • Host
    • Application
    • Data

分層防禦,避免直接受到攻擊

Information Security Policies

  • Security policies are the foundation of the security infrastructure.
  • Information security policy defines the basic security requirements and rules to be implemented in order to protect and secure organization’s information systems.
  • Goals of Security Policies:
    • Maintain an outline for the management and administration of network security.
    • Protect an organization’s computing resources.
    • Eliminate legal liabilities arising from employees or third parties.
    • Prevent waste of company’s computing resources.
    • Prevent unauthorized modifications of the data.
    • Reduce risks caused by illegal use of the system resource.
    • Differentiate the user’s access rights.
    • Protect confidential, proprietary information from theft, misuse, unauthorized disclosure.

There are two types of security policies: technical security and administrative security policies. Technical security policies describe how to configure the technology for convenient use; administrative security policies address how all persons should behave.

Types of Security Policies (重要)

  • Promiscuous Policy:
    • No restrictions on usage of system resources.
  • Permissive Policy(黑名單作法):
    • Policy begins wide open and only known dangerous services/attacks or behaviors are blocked.
    • It should be updated regularly to be effective.
  • Prudent Policy(白名單作法):
    • It provides maximum security while allowing known but necessary dangers.
    • It blocks all services and only safe/necessary services are enabled individually; everything is logged.
  • Paranoid Policy:
    • It forbids everything, no Internet connection, or severely limited Internet usage.

針對已知和未知的威脅進行的安全策略,從完全放任使用到完全不能使用分成四種。

Example of Security Policies

  • Access Control Policy: It defines the resources being protected and the rules that control access to them.
  • Remote-Access Policy: It defines who can have remote access, and defines access medium and remote access security controls.
  • Firewall-Management Policy: It defines access, management, and monitoring of firewalls in the organization.
  • Network-Connection Policy: It defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.
  • Password Policy: It provides guidelines for using strong password protection on organization’s resources.
  • User-Account Policy: It defines the account creation process, and authority, rights and responsibilities of user accounts.
  • Information-Protection Policy: It defines the sensitivity levels of information, who may have access, how is it stored and transmitted, and how should it be deleted from storage media.
  • Special-Access Policy: This policy defines the terms of conditions of granting special access to system resources.
  • Email Security Policy: It is created to govern the proper usage of corporate email.
  • Acceptable-Use Policy: It defines the acceptable use of system resources.

Privacy Policies at Workplace

  • Employers will have access to employees’ personal information that may be confidential and they wish to keep private.
  • Basic Rules for Privacy Policies at Workplace:
    • Intimate employees about what you collect, why and what you will do with it.
    • Limit the collection of information and collect it by fair and lawful means.
    • Inform employees about the potential collection, use, and disclosure of personal information.
    • Keep employees’ personal information accurate, complete, and up-to-date.
    • Provide employees access to their personal information.
    • Keep employees’ personal information secure.

Note: Employees’ privacy rule at workplace may differ from country to country.

Steps to Create and Implement Security Policies

  1. Perform risk assessment to identify risks to the organization’s assets.
  2. Learn from standard guidelines and other organizations.
  3. Include senior management and all other staff in policy development.
  4. Set clear penalties and enforce them.
  5. Make final version available to all of the staff in the organization.
  6. Ensure every member of your staff read, sign, and understand the policy.
  7. Deploy tools to enforce policies.
  8. Train your employees and educate them about the policy.
  9. Regularly review and update.

P.S.: Security policy development team in an organization generally consists of information Security Team (IST), Technical Writer(s), Technical Personnel, Legal Counsel, Human Resources, Audit and Compliance Team, and User Groups.

HR/Legal Implications of Security Policy Enforcement

  • HR implications of Security Policy Enforcement:
    • HR department is responsible to make employees aware of security policies and train them in best practices defined in the policy.
    • HR department work with management to monitor policy implementation and address any policy violation issue.
  • Legal implications of Security Policy Enforcement:
    • Enterprise information policies should be developed in consultation with legal experts and must comply to relevant local laws.
    • Enforcement of a security policy that may violate users rights in contravention to local laws may result in law suits against the organization.

Physical Security

  • Physical security is the first layer of protection in any organization.
  • It involves protection of organizational assets from environmental and man-made threats.
  • Why Physical Security?
    • To prevent any unauthorized access to the systems resources.
    • To prevent tampering/stealing of data from the computer systems.
    • To safeguard against espionage, sabotage, damage, or theft.
    • To protect personnel and prevent social engineering attacks.
  • Physical Security Threats:
    • Natural/Environmental threats:
      • Floods
      • Fire and Smoke
      • Earthquakes
      • Dust
    • Man-made threats:
      • Terrorism:
        • Assassinations
        • Bombings
        • Random killings
        • Hijackings
      • Wars
      • Explosion
      • Dumpster diving and theft
      • Vandalism

Physical Security Controls

  • Premises and company surroundings: Fences, gates, walls, guards, alarms, CCTV cameras, intruder systems, panic buttons, burglar alarms, windows and door bars, deadlocks, etc.
  • Reception area:
    • Lock the important files and documents.
    • Lock equipment when not in use.
  • Server and workstation area: Lock the systems when not in use, disable or avoid having removable media and DVD-ROM drives, CCTV cameras, workstation layout design.
  • Other equipment such as fax, modem, and removable media: Lock fax machines when not in use, file the faxes obtained properly, disable auto answer mode for modems, do not place removal media at public places, and physically destroy the corrupted removal media.
  • Access control: Separate work areas, implement biometric access controls (fingerprinting, retinal scanning, iris scanning, vein structure recognition, vocie recognition), entry cards, man traps, faculty sign-in procedures, identification badges, etc.
  • Computer equipment maintenance: Appoint a person to look after the computer equipment maintenance.
  • Wiretapping: Inspect all the wires carrying data routinely, protect the wires using shielded cables, never leave any wire exposed.
  • Environmental control: Humidity and air conditioning, HVAC, fire suppression, EMI shielding, and hot and cold aisles.

Incident Management

  • Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident.
  • Incident Management:
    • Vulnerability Handling
    • Artifact Handling
    • Announcments
    • Alerts
    • Incident Handling:
      1. Triage
      2. Incident Response
      3. Analysis
      4. Reporting and Detection
    • Other Incident Management Services

事件回應

Incident Management Process (重要,順序)

  1. Preparation for Incident Handling and Response
  2. Detection and Analysis
  3. Classification and Prioritization
  4. Notification
  5. Containment (封鎖)
  6. Forensic Investigation
  7. Eradication and Recovery (清除與復原)
  8. Post-incident Activities
  • Incident management is the process of logging, recording, and resolving incidents that take place in an organization.
  • Objective: To restore the service to a normal state as quickly as possible for customers, while maintaining availability and quality of service.

Responsibilities of an Incident Response Team

  • Managing security issues by taking a proactive approach towards the customers’ security vulnerabilities and by responding effectively to potential information security incidents.
  • Developing or reviewing the processes and procedures that must be followed in response to an incident.
  • Managing the response to an incident and ensuring that all procedures are followed correctly in order to minimize and control the damage.
  • Identifying and analyzing what has happened during an incident, including the impact and threat.
  • Providing a single point of contact for reporting security incidents and issues.
  • Reviewing changes in legal and regulatory requirements to ensure that all processes and procedures are valid.
  • Reviewing existing controls and recommending steps and technologies to prevent future security incidents.
  • Establish relationship with local law enforcement agency, government agencies, key partners, and suppliers.

What is Vulnerability Assessment?

  • Vulnerability Assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
  • It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels.
  • A vulnerability assessment may be used to:
    • Identify weaknesses that could be exploited.
    • Predict the effectiveness of additional security measures in protecting information resources from attack.

可檢查出:

  • Misconfiguration
  • Security bug: 已知Public (無法掃出zero day)

Types of Vulnerability Assessment

  • Active Assessment: Uses a network scanner to find hosts, services, and vulnerabilities.
  • Passive Assessment: A technique used to sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
  • Host-based Assessment: Determines the vulnerabilities in a specific workstation or server.
  • Internal Assessment: A technique to scan the internal infrastructure to find out the exploits and vulnerabilities.
  • External Assessment: Assesses the network from a hacker’s point of view to find out what exploits and vulnerabilities are accessible to the outside world.
  • Application Assessment: Tests the web infrastructure for any misconfiguration and known vulnerabilities.
  • Network Assessment: Determines the possible network security attacks that may occur on the organization’s system.
  • Wireless Network Assessment: Determines the vulnerabilities in organization’s wireless networks.

Network Vulnerability Assessment Methodology

  • Phase 1: Acquisition
    • Collect documents required to:
      • Review laws and procedures related to network vulnerability assessment.
      • Identify and review document related to network security.
      • Review the list of previously discovered vulnerabilities.
  • Phase 2: Identification
    • Conduct interviews with customers and employees involved in system architecture design, and administration.
    • Gather technical information about all network components.
    • Identify different industry standards which network security system complies to.
  • Phase 3: Analyzing
    • Review interviews.
    • Analyze the results of previous vulnerability assessment.
    • Analyze security vulnerabilities and identify risks.
    • Perform threat and risk analysis.
    • Analyze the effectiveness of existing security controls.
    • Analyze the effectiveness of existing security policies.
  • Phase 4: Evaluation
    • Determine the probability of exploitation of identified vulnerabilities.
    • Identify the gaps between existing and required security measures.
    • Determine the controls required to mitigate the identified vulnerabilities.
    • Identify upgrades required to the network vulnerability assessment process.
  • Phase 5: Generating Reports
    • The result of analysis must be presented in a draft report to be evaluated for further variations.
    • Report should contain:
      • Task rendered by each team member.
      • Methods used and findings.
      • General and specific recommendations.
      • Terms used and their definitions.
      • Information collected from all the phases.
    • All documents must be stored in a central database for generating the final report.

Vulnerability Research

  • The process of discovering vulnerabilities and design flaws that will open an operating system and its applications to attack or misuse.
  • Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote).
  • An administrator needs vulnerability research:
    • To gather information about security trends, threats, and attacks.
    • To find weaknesses, and alert the network administrator before a network attack.
    • To get information that helps to prevent the security problems.
    • To know how to recover from a network attack.

不斷地研究最新的弱點、新的產品與技術、從地下網路獲取新弱點與exploits等。

Severity -> Response Time: 不同風險等級的弱點,回應修補的時間也不相同。

Vulnerability Research Websites

Penetration Testing

  • Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out vulnerabilities that an attacker could exploit.
  • Security measures are actively analyzed for design weaknesses, technical flaws and vulnerabilities.
  • A penetration test will not only point out vulnerabilities, but will also document how the weaknesses can be exploited.
  • The results are delivered comprehensively in a report, to executive management and technical audiences.

Why Penetration Testing

  • Identify the threats facing an organization’s information assets.
  • Reduce an organization’s expenditure on IT security and enhance Return On Security Investment (ROSI) by identifying and remediating vulnerabilities or weaknesses.
  • Provide assurance with comprehensive assessment of organization’s security including policy, procedure, design, and implementation.
  • Gain and maintain certification to an industry regulation (BS7799, HIPAA etc.).
  • Adopt best practices in compliance to legal and industry regulations.
  • For testing and validating the efficiency of security protections and controls.
  • For changing or upgrading existing infrastructure of software, hardware, or network design.
  • Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management.
  • Provide a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
  • Evaluate the efficiency of network security devices such as firewalls, routers, and web servers.

Comparing Security Audit, Vulnerability Assessment, and Penetration Testing

  • Security Audit: A security audit just checks whether the organization is following set of standard security policies and procedures.
  • Vulnerability Assessment: A vulnerability assessment focues on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitabion of the vulnerability.
  • Penetration Testing: Penetration testing is methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers.

Security Audit是審查企業公司是否有照著security policies和流程去做。

Vulnerability Assessment是去發現系統中存在的弱點,但並無法提供驗證及弱點是否可被利用。

Penetration Testing包含security audit和VA,且能夠驗證此弱點是否會被攻擊者給利用。

Blue Teaming/Red Teaming (重要)

  • Blue Teaming (防守者):
    • An approach where a set of security responders performs analysis of an information system to assess the adequacy and efficiency of its security controls.
    • Blue team has access to all the organizational resources and information.
    • Primary role is to detect and mitigate red team (attackers) activities, and to anticipate how surprise attacks might occur.
  • Red Teaming (攻擊者):
    • An approach where a team of ethical hackers performs penetration test on an information system with no or a very limited access to the organization’s internal resources.
    • It may be conducted with or without warning.
    • It is proposed to detect network and system vulnerabilities and check security from an attacker’s perspective approach to network, system, or information access.

Types of Penetration Testing

  • Black-box: No prior knowledge of the infrastructure to be tested:
    • Blind Testing (盲打對方)
    • Double Blind Testing (盲打對方且對方也不知道會被打)
  • White-box: Complete knowledge of the infrastructure that needs to be tested.
  • Grey-box: Limited knowledge of the infrastructure that needs to be tested.

There are two ways to perform above penetration tests:

  • Announced Testing
  • Unannounced Testing:
    • Monitor
    • Response
    • Escalation

Phases of Penetration Testing (重要)

  • Pre-Attack Phase:
    • Planning and preparation
    • Methodology designing => 此兩點就是RoE (Rule of Engagement)/RoB (Rule of Behavior)
    • Network information gathering
  • Attack Phase:
    • Penetrating perimeter
    • Acquiring target
    • Escalating privileges
    • Execution, implantation, retracting
  • Post-Attack Phase:
    • Reporting
    • Clean-up
    • Artifact destruction

Security Testing Methodology

  • A security testing or pen testing methodology refers to a methodological approach to discover and verify vulnerabilities in the security mechanisms of an information system; thus enabling administrators to apply appropriate security controls to protect critical data and business functions.
  • Examples Security Testing Methodologies:
    • OWASP: The Open Web Application Security Project (OWASP) is an open-source application security project that assist the organizations to purchase, develop and maintain software tools, software applications, and knowledge-based documentation for Web application security.
    • OSSTMM: Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing high quality security tests such as methodology tests, data controls, fraud and social engineering control levels, computer networks, wireless devices, mobile devices, physical security access controls and various security processes.
    • ISSAF: Information Systems Security Assessment Framework (ISSAF) is an open source project aimed to provide a security assistance for professionals. The mission of ISSAF is to “research, develop, publish, and promote a complete and practical generally accepted information systems security assessment framework.”
    • EC-Council LPT Methodology: LPT Methodology is a industry accepted comprehensive information system security auditing framework.

1.6 Information Security Laws and Standards

Payment Card Industry Data Security Standard (PCI-DSS)

  • The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
  • PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
  • High level overview of the PCI DSS requirements developed and maintained by Payment Card Industry (PCI) Security Standards Council:
    • Build and Maintain a Secure Network
    • Protect Cardholder Data
    • Maintain a Vulnerability Management Program
    • Implement Strong Access Control Measures
    • Regularly Monitor and Test Networks
    • Maintain an Information Security Policy

支付卡產業資料安全標準

ISO/IEC 27001:2013

  • ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  • It is intended to be suitable for several different types of use, including the following:
    • Use within organizations to formulate security requirements and objectives.
    • Use within organizations as a way to ensure that security risks are cost effectively managed.
    • Use within organizations to ensure compliance with laws and regulations.
    • Definition of new information security management processes.
    • Identification and clarification of existing information security management processes.
    • Use by the management of organizations to determine the status of information security management activities.
    • Implementation of business-enabling information security.
    • Use by organizations to provide relevant information about information security to customers.

資訊安全管理系統規範

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPPA’S Administrative Simplification Statute and Rules:
    • Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers.
    • Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
    • Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information.
    • National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions.
    • Enforcement Rule: Provides standards for enforcing all the Administration Simplification Rules.

醫療保險流通與責任法案

PII, e.g. DPA

PFI, e.g. PCI-DSS

DHI, e.g. HIPPA

Sarbanes Oxley Act (SOX)

  • Enacted in 2002, the Sarbanes Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
  • Key requirements and provisions of SOX are organized into 11 titles:
    • Title I: Public Company Accounting Oversight Board (PCAOB) establishes to provide independent oversight of public accounting firms providing audit services (“auditors”).
    • Title II: Auditor Independence establishes standards for external auditor independence, to limit conflicts of interest and addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements.
    • Title III: Corporate Responsibility mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
    • Title IV: Enhanced Financial Disclosures describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers.
    • Title V: Analyst Conflicts of Interest consists of measures designed to help restore investor confidence in the reporting of securities analysts.
    • Title VI: Commission Resources and Authority defines practices to restore investor confidence in securities analysts.
    • Title VII: Studies and Reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.
    • Title VIII: Corporate and Criminal Fraud Accountability describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
    • Title IX: White Collar Crime Penalty Enhancement increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
    • Title X: Corporate Tax Returns state that the Chief Executive Officer should sign the company tax return.
    • Title XI: Corporate Fraud Accountability identifies corporate fraud and reocrds tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.

沙賓法案 (內線交易)

  • The Digital Millennium Copyright Act (DMCA):
    • The DMCA is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO).
    • It defines legal prohibitions against circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.

數位著作權法

  • Federal Information Security Management Act (FISMA):
    • The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.
    • It includes:
      • Standards for categorizing information and information systems by mission impact.
      • Standards for minimum security requirements for information and information systems.
      • Guidance for selecting appropriate security controls for information systems.
      • Guidance for assessing security controls in information systems and determining security control effectiveness.
      • Guidance for the security authorization of information systems.

Ref : [1][2]