Architecture and Design Flashcards

1
Q

The only constant is change
- Operating systems, patches, application updates, network modifications, new application instances, etc.

Identify and document hardware and software settings
- Manage the security when changes occur

Rebuild those systems if a disaster occurs
- Documentation and processes will be critical

A

Configuration Management

2
Q

Network diagrams - Document the physical wire and device

Physical data center layout - Can include physical rack locations

Device diagrams - Individual cabling

A

Diagrams

3
Q

The security of an application environment should be well defined
- All application instances must follow this
- Firewall settings, patch levels, OS file versions
- May require constant updates

Integrity measurements check for the secure baseline
- These should be performed often
- Check against well-documented baselines
- Failure requires an immediate correction

A

Baseline configuration

4
Q

Create a standard
- Needs to be easily understood by everyone

Devices
- Asset tag names and numbers
- Computer names - location or region
- Serial numbers

Networks - Port labeling

Domain configurations
- User account names
- Standard email addresses

A

Standard naming conventions

5
Q

An IP address plan or model
- Consistent addressing for network devices
- Helps avoid duplicate IP addressing

Locations
- Number of subnets, hosts per subnet

IP ranges
- Different sites have a different subnet
- 10.1.x.x/24, 10.2.x.x/24, 10.3.x.x/24

Reserved addresses
- Users, printers, routers/default gateways

A

IP schema

6
Q

Data that resides in a country is subject to the laws of that country
- Legal monitoring, court orders, etc

Laws may prohibit where data is stored
- GDPR (General Data Protection Regulation)
- Data collected on EU citizens must be stored in the EU
- A complex mesh of technology and legalities

Where is your data stored?
- Your compliance laws may prohibit moving data out of the country

A

Data sovereignty

7
Q

Data obfuscation
- Hide some of the original data

Protects PII
- and other sensitive data

May only be hidden from view
- The data may still be intact in storage
- Control the view based on permissions

Many different techniques
- Substituting, shuffling, encrypting, masking out, etc.

A

Data masking

8
Q

Encode information into unreadable data
- Original information is plaintext, encrypted form is ciphertext

This is a two-way street
- Convert between one and the other
- If you have the proper key

Confusion
- The encrypted data is drastically different than the plaintext

Diffusion
- Change one character of the input, and many characters of the output change

A

Data encryption

9
Q

The data is on a storage device
- Hard drive, SSD, flash drive, etc

Encrypt the data
- Whole disk encryption
- Database encryption
- File or folder-level encryption

Apply permissions
- Access control lists
- Only authorized users can access the data

A

Data at-rest

10
Q

Data transmitted over the network
- Also called data in-motion

Not much protection as it travels
- Many different switches, routers, devices

Network-based protection
- Firewall, IPS

Provide transport encryption
- TLS (Transport Layer Security)
- IPsec (Internet Protocol Security)

A

Data in-transit

11
Q

Data is actively processing in memory
- System RAM, CPU registers and cache

The data is almost always decrypted
- Otherwise, you can’t do anything with it

The attackers can pick the decrypted information
- A very attractive option

A

Data in-use

12
Q

Replace sensitive data with a non-sensitive placeholder

Common with credit card processing
- Use a temporary token during payment
- An attacker capturing the card numbers can’t use them later

This isn’t encryption or hashing
- The original data and token aren’t mathematically related
- No encryption overhead

A

Tokenization

13
Q

Control how data is used
- Microsoft Office documents, email messages, PDFs

Restrict data access to unauthorized persons
- Prevent copy and paste
- Control screenshots
- Manage printing
- Restrict editing

Each user has their own set of rights
- Attackers have limited options

A

Information Rights Management (IRM)

14
Q

Where’s your data?
- Social Security numbers, credit card numbers, medical records

Stop the data before the attackers get it
- Data “leakage”

So many sources, so many destinations
- Often requires multiple solutions in different places

A

Data Loss Prevention (DLP)

15
Q

On your computer
- Data in use
- Endpoint DLP

On your network
- Data in motion

On your server
- Data at rest

A

Data Loss Prevention (DLP) systems

16
Q

Legal implications
- Business regulations vary between states
- For a recovery site outside of the country, personnel must have a passport and be able to clear immigration
- Refer to your legal team

Offsite backup
- Organization-owned site or 3rd-party secure facility

Offsite recovery
- Hosted in a different location, outside the scope of the disaster

Travel considerations for support staff and employees

A

Geographical considerations

17
Q

Incident response and recovery has become commonplace
- Attacks are frequent and complex

Incident response plan should be established
- Documentation is critical
- Identify the attack
- Contain the attack

Limit the impact of an attacker
- Limit data exfiltration
- Limit access to sensitive data

A

Response and recovery controls

18
Q

Commonly used to examine outgoing SSL/TLS
- Secure Sockets Layer/Transport Layer Security

SSL/TLS relies on trust
- Without trust, none of this works

Your browser contains a list of trusted CAs

Your browser doesn’t trust a website unless a CA has signed the web server’s encryption certificate
- The website pays some money to the CA for this

The CA has ostensibly performed some checks
- Validated against the DNS record, phone call, etc.

Your browser checks the web server’s certificate
- If it’s signed by a trusted CA, the encryption works seamlessly

A

SSL/TLS Inspection

19
Q

Represent data as a short string of text
- A message digest

One-way trip
- Impossible to recover the original message from the digest
- Used to store passwords/confidentiality

Verify a downloaded document is the same as the original
- Integrity

Can be a digital signature
- Authentication, non-repudiation, and integrity

Will not have a collision (hopefully)
- Different messages will not have the same hash

A

Hashing

20
Q

Control software or hardware programmatically

Secure and harden the login page

On-path attack
- Intercept and modify API messages, replay API commands

API injection
- Inject data into an API message

DDoS
- One bad API call can bring down a system

A

API considerations

21
Q

Recovery site is prepped
- Data is synchronized

A disaster is called
- Business processes failover to the alternate processing site

Problem is addressed
- This can take hours, weeks, or longer

Revert back to the primary location
- This process must be documented for both directions

A

Site resiliency

22
Q

An exact replica
- Duplicate everything

Stocked with hardware
- Constantly updated
- You buy two of everything

Applications and software are constantly updated
- Automated replication

Flip a switch and everything moves
- This may be quite a few switches

A

Hot site

23
Q

No hardware
- Empty building

No data
- Bring it with you

No people
- Bus in your team

A

Cold site

24
Q

Somewhere between a hot and cold site
- Just enough to get going

Big room with rack space
- You bring the hardware

Hardware is ready and waiting
- You bring the software and data

A

Warm site

25
Attract the bad guys - And trap them there The "attacker" is probably a machine - Makes for interesting recon Create a virtual world to explore Constant battle to discern the real from the fake
Honeypots
26
More than one honeypot on a network More than one source of information
Honeynets
27
Bait for the honeynet An alert is sent if the file is accessed A virtual bear trap
Honeyfiles
28
Machine learning - Interpret big data to identify the invisible Train the machine with actual data - Learn how malware looks and acts - Stop malware based on actions instead of signatures Send the machine learning model fake telemetry - Make malicious malware look benign
Fake telemetry
29
Sometimes called Hardware as a Service (HaaS) - Outsource your equipment You're still responsible for the management - And for the security Your data is out there, but more within your control Web server providers
Infrastructure as a service (IaaS)
30
No servers, no software, no maintenance team, no HVAC - Someone else handles the platform, you handle the development You don't have direct control of the data, people, or infrastructure - Trained security professionals are watching your stuff - Choose carefully Put the building blocks together - Develop your app from what's available on the platform - SalesForce.com
Platform as a service (PaaS)
31
On-demand software - No local installation - Why manage your own email distribution or payroll? Central management of data and applications - Your data is out there A complete application offering - No development work required - Google Mail
Software as a service (SaaS)
32
A broad description of all cloud models - Use any combination of the cloud Services delivered over the internet - Not locally hosted or managed Flexible consumption model - No large upfront costs or ongoing licensing IT becomes more of an operational model - And less of a cost-center model - Any IT function can be changed into a service
Anything as a service (XaaS)
33
Provide cloud services - SaaS, PaaS, IaaS, etc Charge a flat fee or based on use - More data, more cost You still manage your processes - Internal staff - Development team - Operational support
Cloud service providers
34
UPDATE
Managed service providers (MSP)
35
Firewall management Patch management, security audits Emergency response
Managed Security Service Provider (MSSP)
36
Your applications are on local hardware Your servers are in your data center in your building
On-premise cloud model
37
Your servers are not in your building They may not be even running on your hardware Usually a specialized computing environment
Off-premise cloud model
38
Available to everyone over the internet
Public cloud deployment
39
Several organizations share the same resources
Community cloud deployment
40
Your own virtualized local data center
Private cloud deployment
41
A mix of public and private
Hybrid cloud model
42
Over 30 billion IoT devices on the internet - Devices with very specific functions - A huge amount of data Process application data on an edge server - Close to the user Often process data on the device itself - No latency, no network requirement - Increased speed and performance - Process where the data is, instead of processing in the cloud
Edge computing
43
A cloud that's close to your data - (Cloud + IoT - Fog Computing) A distributed cloud architecture - extends the cloud Distribute the data and processing - Immediate data stays local - No latency - Local decisions made from local data - No bandwidth requirements - Private data never leaves - Minimizes security concerns - Long-term analysis can occur in the cloud - Internet only when required
Fog computing
44
Basic application usage - Applications actually run on a remote server - Virtual Desktop Infrastructure (VDI) - Desktop as a Service (DaaS) - Local device is a keyboard, mouse, and screen Minimal operating system on the client - No huge memory or CPU needs Network connectivity - Big network requirement - Everything happens across the wire
Thin client
45
Run many different operating systems on the same hardware Each application instance has its own operating system - Adds overhead and complexity - Virtualization is relatively expensive
Virtualization
46
Contains everything you need to run an application - Code and dependencies - A standardized unit of software An isolated process in a sandbox - Self-contained - Apps can't interact with each other Container image - A standard for portability - Lightweight, uses the host kernel - Secure separations between applications
Application containerization
47
Monolithic applications - One big application that does everything Application contains all decision making processes - User interface - Business logic - Data input and output Code challenges - Large codebase - Change control challenges APIs - API is the glue for the microservices - Work together to act as the application Scalable - Scale just the microservices you need Resilient - Outages are contained Security and compliance - Containment is built-in
Microservices/APIs
48
Function as a Service - Applications are separated into individual, autonomous functions - Remove the operating system from the equation Developer still creates the server-side logic - runs in a stateless compute container May be event triggered and ephemeral - May only run for one event Managed by a third-party - All OS security concerns are at the third-party
Serverless architecture
49
Virtual Private Cloud - A pool of resources created in the public cloud Common to create many VPCs - Many different application clouds Connect VPCs with this - And users to VPCs - A "cloud router" Now make it secure - VPCs are commonly on different IP subnets - Connecting through the cloud is often through a VPN
Transit gateway
50
Assigning permissions to cloud resources - Not the easiest task - Everything is in constant motion Specify which resources can be provisioned (Azure) - Create a service in a specific region, deny all others Specify the resource and what actions are permitted (Amazon) - Allow access to an API gateway from an IP address range Explicitly list the users who can access the resource (Amazon) - Userlist is associated with the resource
Resource policies
51
Many different service providers - The natural result of multi-sourcing Every provider works differently - Different tools and processes Provides a single business-facing IT organization An evolving set of processes and procedures
Service Integration and Management (SIAM)
52
Describe as infrastructure - Define servers, network, and applications as code Modify the infrastructure and create versions - The same way you version application code Use the description (code) to build other application instances - Build it the same way every time based on the code An important concept for cloud computing - Build a perfect version every time
Infrastructure as code
53
Networking devices have two functional planes of operation - Control plane, data plane Directly programmable - Configuration is different than forwarding Agile - Changes can be made dynamically Centrally managed - Global view, single pane of glass Programmatically configured - No human intervention Open standards/vendor neutral - A standard interface to the network
Software Defined Networking (SDN)
54
You must see the traffic to secure the data - React and respond Dynamic deployments include security and network visibility devices - Next-generation firewalls, web application firewalls - SIEM Data is encapsulated and encrypted - VXLAN and SSL/TLS New technologies change what you can see - Infrastructure as code, microservices Security devices monitor application traffic - Provides visibility to traffic flows Visibility expands as the application instances expand - Real-time metrics across all traffic flows Application flows can be controlled via API - Identify and react to threats
Software Defined Visibility (SDV)
55
Click a button - You've built a server - Or multiple servers, networks, and firewalls It becomes almost too easy to build instances - this can get out of hand very quickly The virtual machines are sprawled everywhere - You aren't sure which VMs are related to which applications - It becomes extremely difficult to deprovision Formal process and detailed documentation - You should have information on every virtual object
VM sprawl avoidance
56
The virtual machine is self-contained - There's no way out - Or is there? Virtual machine escape - Break out of the VM and interact with the host operating system or hardware Once you escape the VM, you have great control - Control the host and control other guest VMs This would be a huge exploit - Full control of the virtual world
VM escape protection
57
Secure environment Writing code Developers test in their sandboxes
Development environment
58
Still in the development stage All of the pieces are put together Functional tests Does it work?
Test environment
59
Verifies features are working as expected Verifies new functionality Verifies old errors don't reappear
Quality Assurance (QA)
60
Almost ready to roll it out Works and feels exactly like the production environment Working with a copy of production data Runs performance tests Test usability and features
Staging
61
Application is live Rolled out to the user community Challenging step - Impacts the users Logistical challenges - New servers - New software - Restart or interrupt of service
Production
62
Deploy an application - Web server, database server, middle server, user workstation configuration, certificate updates, etc Application software security - Operating system, application Network security - Secure VLAN, internal access, external access Software deployed to workstations - Check executables for malicious code, verify security posture of the workstation
Provisioning
63
The ability to increase the workload in a given infrastructure Build an application instance that can handle
Scalability
64
Increase or decrease available resources as the workload changes Deploy multiple application instances to handle
Elasticity
65
Dismantling and removing an application instance - All good things Security deprovisioning is important - Don't leave open holes, don't close important ones Firewall policies must be reverted - If the application is gone, so is the access What happens to the data? - Don't leave information out there
Deprovisioning
66
A balance between time and quality - Programming with security in mind is often secondary Testing, testing, testing - The Quality Assurance (QA) process Vulnerabilities will eventually be found - And exploited
Secure coding concepts
67
SQL databases - Client sends detailed requests for data Client requests can be complex - And sometimes modified by the user - This would not be good These limit the client interactions - That's it. No modifications to the query are possible.
Stored Procedures
68
Make something normally understandable very difficult to understand Take perfectly readable code and turn it into nonsense - The developer keeps the readable code and gives you the chicken scratch - Both sets of code perform exactly the same way Helps prevent the search for security holes - Makes it more difficult to figure out what's happening - But not impossible
Obfuscation
69
Use old code to build new applications - Copy and paste If this has security vulnerabilities, reusing the code spreads it to other applications - Making this much more difficult for everyone
Code reuse
70
Calculations are made, code is executed, results are tallied The results aren't used anywhere else in the application All code is an opportunity for a security problem - Make sure your code is as alive as possible
Dead code
71
All checks occur on the server Helps protect against malicious users Attackers may not be even using your interface
Server-side validation
72
The end-user's app makes the validation decisions Can filter legitimate input from genuine users May provide additional speed to the user
Client-side validation
73
As a developer, you must be mindful of how memory is used - Many opportunities to build vulnerable code Never trust data input - Malicious users can attempt to circumvent your code Buffer overflows are a huge security risk - Make sure your data matches your buffer sizes Some built-in functions are insecure - Use best practices when designing your code
Memory management
74
Your programming language does everything - Almost Third-party libraries and software development kits - Extend the functionality of a programming language Security risk - Application code written by someone else - Might be secure. Might not be secure. - Extensive testing is required Balancing act - Application features vs. unknown code base
Third-party libraries and SDKs
75
So much sensitive data - Credit card numbers, social security numbers, medical information, address details, email information How is the application handling the data? - No encryption when stored - No encryption across the network - Displaying information on the screen All input and output processes are important - Check them all for data exposure
Data exposure
76
Create a file, make a change, make another change, and another change - Track those changes, revert back to previous version Commonly used in software development - But also in operating systems, wiki software, and cloud-based file storage Useful for security - Compare versions over time - Identify modifications to important files - A security challenge - Historical information can be a security risk
Version control
77
Alternative compiler paths would result in different binary each time - Each compiled application would be a little bit different - But functionality the same An attack against different binaries would only be successful on a fraction of the users - An attacker wouldn't know what exploit to use - Make the game much harder to win
Software diversity
78
Plan for change - Implement automatically Automated courses of action - Many problems can be predicted - Have a set of automated responses Continuous monitoring - Check for a particular event, and then react Configuration validation - Cloud-based technologies allow for constant change - Automatically validate a configuration before going live - Perform ongoing automated checks
Automation and scripting
79
Code is constantly written - And merged into the central repository many times a day So many chances for security problems - Security should be a concern from the beginning Basic set of security checks during development - Documented security baselines as the bare minimum Large-scale security analysis during the testing phase - Significant problems will have already been covered
Continuous Integration (CI)
80
Keep all of an organization's usernames and passwords in a single database - Also contains computers, printers, and other devices Large distributed database - Constantly replicated All authentication requests reference this directory - Each user only needs one set of credentials - One username and password for all services Access via Kerberos or LDAP
Directory services
81
Provide network access to others - Not just employees - Partners, suppliers, customers, etc - Provides SSO and more Third-parties can establish network this - Authenticate and authorize between the two organizations - Login with your Facebook credentials The third-parties must establish a trust relationship - And the degree of the trust
Federation
82
Prove the hardware is really yours - A system you can trust Easy when it's just your computer - More difficult when there are 1,000
Attestation
83
Device provides an operational report to a verification server Encrypted and digitally signed with the TPM An IMEI or other unique hardware component can be included in the report
Remote attestation
84
Text messaging - Includes more than text these days Login factor can be sent via SMS to a predefined phone number - Provide username and password - Phone receives an SMS - Input the SMS code into a login form Security issues exist - Phone number can be reassigned to a different phone - SMS messages can be intercepted
Short message service (SMS)
85
Similar process to a SMS notification - Authentication factor is pushed to a specialized app - Usually on a mobile device Security challenges - Applications can be vulnerable - Some push apps send in the clear Still more secure than SMS - Multiple factors are better than one factor
Push notification
86
Pseudo-random token generators - A useful authentication factor Carry around a physical hardware token generator Use software-based token generator on your phone - Powerful and convenient
Authentication apps
87
Use a secret key and the time of day - No incremental counter Secret key is configured ahead of time - Timestamps are synchronized via NTP Timestamp usually increments every 30 seconds - Put in your username, password, and TOTP code One of the more common OTP methods - Used in Google, Facebook, Microsoft, etc
Time-based One-Time Password algorithm (TOTP)
88
One time password - Use them once, and never again - Once a session, once each authentication attempt
Hashed One-Time password (HOTP)
89
A voice call provides the token - The computer is talking to you - "Your code is 1-6-2-5-1-7" Similar disadvantages to SMS - Phone call can be intercepted or forwarded - Phone number can be added to another phone
Phone call
90
Authentication factors that don't change - You just have to remember Personal Identification Number (PIN) - Your secret numbers Can also be alphanumeric - A password or passphrase
Static codes
91
Integrated circuit card - Contact or contactless Common on credit cards - Also used for access control Must have physical card to provide digital access - A digital certificate Multiple factors - Use the card with a PIN or fingerprint
Smart cards
92
Fingerprint scanner - Phones, laptops, door access Retinal scanner - Unique capillary structure in the back of the eye Iris scanner - Texture, color Voice recognition - Talk for access Facial recognition - Shape of the face and features Gait analysis - Identify a person based on how they walk - Many unique measurements Veins - Vascular scanners - Match the blood vessels visible from the surface of the skin
Biometric factors
93
Likelihood that an unauthorized user will be accepted - Not sensitive enough
False acceptance rate (FAR)
94
Likelihood that an authorized user will be rejected - Too sensitive
False rejection rate (FRR)
95
Defines the overall accuracy of a biometric system - The rate at which FAR and FRR are equal - Adjust sensitivity to equalize both values
Crossover error rate (CER)
96
This is who you claim to be - Usually your username
Identification (AAA framework)
97
Prove you are who you say you are - Password and other factors
Authentication (AAA framework)
98
Based on your identity and authentication, what access do you have?
Authorization (AAA framework)
99
Resources used: Login time, data sent and received, logout time
Accounting (AAA framework)
100
Third-party can manage the platform - Centralized platform - Automation options with API integrations - May include additional options (for a cost)
Cloud-based security authentication
101
Internal monitoring and management - Need internal expertise - External access must be granted or managed
On-premise authentication
102
Password - Secret word/phrase, string of characters - Very common authentication factor PIN - Personal identification number - Not typically contained anywhere on a smart or ATM card Pattern - Complete a series of patterns - Only you know the right format
Something you know
103
Smart card - Integrates with devices - May require a PIN USB token - Certificate is on the USB device Hardware or software tokens - Generates pseudo-random authentication codes Your phone - SMS a code to your phone
Something you have
104
Biometric authentication - Fingerprint, iris scan, voice print Usually stores a mathematical representation of your biometric - Your actual fingerprint isn't usually saved Difficult to change - You can change your password - You can't change your fingerprint Used in very specific situations - Not foolproof
Something you are
105
Provide a factor based on your location - The transaction only completes if you are in a particular geography IP address - Not perfect, but can help provide more info - Works with IPv4, but not so much with IPv6 Mobile device location services - Geolocation to a very specific area - Must be in a location that can receive GPS information or near an identified mobile or 802.11 network - Still not a perfect identifier of location
Somewhere you are
106
A personal way of doing things - You're special Handwriting analysis - Signature comparison - Writing technique Very similar to biometrics - Close to something you are
Something you can do
107
A unique trait, personal to you Gait analysis - the way you walk Typing analysis - the way you hit the enter key too hard
Something you exhibit
108
A social factor It's not what you know... Web of trust Digital signature
Someone you know
109
Duplicate parts of the system - If a part fails, the redundant part can be used Maintain time - The organization continues to function No hardware failure - Servers keep running No software failure - Services always available No system failure - Network performing optimally
Redundancy
110
Bad things can happen in a local area - Hurricanes, tornadoes, flooding Disperse technologies to different geographies - Use multiple data centers - In different locations Data centers might be part of the normal operations May be part of a disaster recovery center
Geographic dispersal
111
Multipath I/O (Input/Output) - Especially useful for network-based storage subsystems - Multiple Fibre Channel interfaces with multiple switches RAID - Redundant Array of Independent Disks Multiple drives create redundancy - Many different designs and implementations
Disk redundancy
112
Striping without parity High performance, no fault tolerance
RAID 0
113
Mirroring Duplicates data for fault tolerance, but requires twice the disk space
RAID 1
114
Striping with parity Fault tolerant, only requires an additional disk for redundancy
RAID 5
115
Multiple RAID types Combine RAID methods to increase redundancy
RAID 0+1, etc
116
Some servers are active - Others are on standby If an active server fails, the passive server takes its place
Load balancing
117
Load Balancing/Fail Over (LBFO) - Aggregate bandwidth, redundant paths - Becomes more important in the virtual world Multiple network adapters - Looks like a single adapter - Integrate with switches NICs talk to each other - Usually multicast instead of broadcast - Fails over when a NIC doesn't respond
NIC teaming
118
Short-term backup power from blackouts, brownouts, surges Features - Auto shutdown, battery capacity, outlets, phone line suppression
UPS - Uninterruptible Power Supply
119
Long-term power backup - Fuel storage required Power an entire building - Some power outlets may be marked as generator-powered It may take a few minutes to get the generator up to speed - Use a battery UPS while the generator is starting
Generators
120
Redundancy - Internal server power supplies - External power circuits Each power supply can handle 100% of the load - Would normally run at 50% of the load Hot-swappable - Replace a faulty power supply without powering down
Dual-power supplies
121
Provide multiple power outlets - Usually in a rack Often include monitoring and control - Manage power capacity - Enable or disable individual outlets
Power distribution units (PDUs)
122
Share data between different devices - If one device fails, you can still work with the data - VERY fast recovery times compared to traditional backups
SAN replication
123
Specialized high-performance network of storage devices
Storage area network (SANs)
124
Create a state of data based on a point in time Copy that state to other SANs Type of backup primarily used to capture the entire operating system image including all applications and data Commonly used with virtualized systems
SAN snapshot backup
125
Maintain one VM, replicate to all others The virtual machine is really just one big file Consistent service offering - Maintain copies anywhere in the world Recover from a replicated copy - Provides a backup if needed Efficient copying - Only replicates the data that has changed
VM replication
126
Speed - Local devices are connected over very fast networks - Cloud connections are almost always slower Money - Purchasing your own storage is an expensive capital investment - Cloud costs have a low entry point and can scale Security - Local data is private - Data stored in the cloud requires additional security controls
On premises vs cloud redundancy
127
Everything backed up
Full backup
128
All files changed since the last incremental backup Full backup is taken first Subsequent backups contain data changed since the last full backup and last incremental backup - These are usually smaller than the full backup A restoration requires the full backup and all of these backups
Incremental backup
129
All files changed since the last full backup Full backup is taken first Subsequent backups contain data changed since the last full backup - These usually grow larger as data is changed A restoration requires the full backup and the last one of these
Differential backup
130
Magnetic tape - Sequential storage - 100 GB to multiple terabytes per cartridge - Easy to ship and store Disk - Faster than magnetic tape - Deduplicate and compress Copy - A useful strategy - May not include versioning - May need to keep offsite
Backup media
131
Connected to a shared storage device across the network - File level access Storage devices that connect directly to your organization’s network Often implement RAID arrays to ensure high availability
Network Attached Storage (NAS)
132
Looks and feels like a local storage device Block-level access Very efficient reading and writing
Storage Area Network (SAN)
133
Backup to a remote device in the cloud Support many devices May be limited by bandwidth
Cloud backup
134
Capture an exact replica of everything on a storage device Restore everything on a partition, including operating system files and user documents
Image backup
135
Backup to local devices Fast and secure Must be protected and maintained Often requires offsite storage for disaster recovery
Offline backup
136
Remote network-connected third-party Encrypted Accessible from anywhere Speed is limited by network bandwidth
Online backup
137
The cloud is always in motion - Application instances are constantly built and torn down Snapshots can capture the current configuration and data - Preserve the complete state of a device, or just the configuration Revert to known state - Fall back to a previous snapshot Rollback to known configuration - Don't modify the data, but use a previous configuration Live boot media - Run the operating system from removable media - very portable!
Non-persistence
138
Redundancy doesn't always mean always available - May need to be powered on manually Always on, always available May include many different components working together - Active/Active can provide scalability advantages Higher availability almost always means higher costs - There's always another contingency you could add - Upgraded power, high-quality server components, etc
High availability (HA)
139
Certain components may need to be restored first Databases should be restored before the application
Application-specific restoration
140
Incremental backups restore the full backup, then all subsequent incremental backups Differential backups restore the full backup, then the last differential backup
Backup-specific restoration
141
A zero-day OS vulnerability can cause significant outages Multiple security devices
Technology Resiliency
142
A single vendor can become a disadvantage No options during annual renewals A bad support team may not be able to resolve problems in a timely manner
Vendor Resiliency
143
All cryptography is temporary Diverse certificate authorities can provide additional protection
Cryptographic Resiliency
144
Administrative controls Physical controls Technical controls Combine them together Defense in depth
Controls Resiliency
145
Hardware and software designed for a specific function - Or to operate as part of a larger system Is built with only this task in mind - Can be optimized for size and/or cost Common examples - Traffic light controllers - Digital watches - Medical imaging systems Not usually a fully capable computer - Low cost, purpose-built Adds additional constraints - May have limited or missing features - Upgradability limitations - Limits in communication options An ongoing trade off - Low cost systems - Unique management challenges
Embedded systems
146
Multiple components running on a single chip - Common with embedded systems Small form-factor - External interface support - Cache memory, flash memory - Usually lower power consumption Security considerations are important - Difficult to upgrade hardware - Limited off-the-shelf security options
SoC (System on a Chip)
147
An integrated circuit that can be configured after manufacturing - Array of logic blocks - Programmed in the field A problem doesn't require a hardware replacement - Reprogram the FPGA Common in infrastructure - Firewall logic - Routers
Field-programmable gate array (FPGA)
148
Large-scale, multi-site Industrial Control Systems (ICS) PC manages equipment - Power generation, refining, manufacturing equipment - Facilities, industrial, energy, logistics Distributed control systems - Real-time information - System control Requires extensive segmentation
SCADA/ICS
149
Sensors - Heating and cooling, lighting Smart devices - Home automation, video doorbells Wearable technology - Watches, health monitors Facility automation - Temperature, air quality, lighting Weak defaults - Manufacturers are not security professionals
Internet of Things (IoT)
150
Instead of analog phone line or the POTS A relatively complex embedded system - Can be relatively important Each device is a computer - Separate boot process - Individual configurations - Different capabilities and functionalities
VoIP
151
Heating, Ventilation, and Air Conditioning - Thermodynamics, fluid mechanics, and heat transfer A complex science - Not something you can properly design yourself - Must be integrated into the fire system PC manages equipment - Makes cooling and heating decisions for workspaces and data centers Traditionally not built with security in mind - Difficult to recover from an infrastructure DoS
HVAC
152
Flying vehicle - No pilot on board May be manually controlled from the ground - Often with some autonomy - Set it and forget it Extensive commercial and non-commercial use - May require federal licenses - Security and fail-safes are required Quickly cover large areas - More than just one building More than physical security - Site surveys, damage assessments On-board sensors - Motion detection - Thermal sensors Video evidence - High resolution video capture
Drones
153
All-in-one or multifunction devices (MFD) - Everything you need in one single device No longer a simple printer - Very sophisticated firmware Some images are stored locally on the device - Can be retrieved externally Logs are stored on the device - Contain communication and fax details
Multi-Function Printers
154
An operating system with a deterministic processing schedule - No time to wait for other processes - Industrial equipment, automobiles - Military environments Extremely sensitive to security issues - Non-trivial systems - Need to always be available - Difficult to know what type of security is in place
RTOS (Real-Time Operating System)
155
Video/audio surveillance - Embedded systems in the cameras and the monitoring stations Secure the security system - Restrict access from others - Prevent a denial of service Physically difficult to replace cameras - Accessible independently over the network - May allow for firmware upgrades
Surveillance systems
156
Fifth generation cellular networking - Launched worldwide in 2020 Significant performance improvements - At higher frequencies - Eventually 10 gigabits per second - Slower speeds from 100-900 Mbit/s Significant IoT impact - Bandwidth becomes less of a constraint - Larger data transfers - Faster monitoring and notification - Additional cloud processing
5G
157
A universal integrated circuit card Used to provide information to a cellular network provider - Phones, tablets, embedded systems Contains mobile details - IMSI (International Mobile Subscriber Identity) - Authentication information, contact information Important to manage - Many embedded systems, many SIM cards
Subscriber Identity Module (SIM)
158
Communicate analog signals over a narrow range of frequencies - Over a longer distance - Conserve the frequency use Many IoT devices can communicate over long distances - SCADA equipment - Sensors in oil fields
Narrowband
159
Generally a single cable with a digital signal - Can be fiber or copper The communication signal uses all of the bandwidth - Utilization is either 0% or 100% Bidirectional communication - But not at the same time using the same wire/fiber Ethernet standard - 100BASE-TX, 1000BASE-T, 10GBASE-T
Baseband
160
Internet of Things networking - Open standard - IEEE 802.15.4 PAN Alternative to WiFi and Bluetooth - Longer distances than Bluetooth - Less power consumption than WiFi Mesh network of all these devices in your home - Light switch communicates to light bulbs - Tell Amazon Echo to lock the door Uses the ISM band - Industrial, Scientific, and Medical - 900 MHz and 2.4 GHz frequencies in the US
Zigbee
161
May not have access to a main power source - Batteries may need to be replaced and maintained
Power Constraint (Embedded Systems)
162
Low-power CPUs are limited in speed - Cost and heat considerations
Compute Constraint (Embedded Systems)
163
May not have the option for a wired link May be in the middle of a field Wireless is the limiting factor
Network Constraint (Embedded Systems)
164
Limited hardware options Difficult to change or modify cryptography features
Crypto Constraint (Embedded Systems)
165
Some IoT devices have no field-upgradable options Upgrade options may be limited or difficult to install
Inability to Patch Constraint (Embedded Systems)
166
Security features are often an afterthought - Limited options, no multi-factor, limited integration with existing directory services
Authentication Constraint (Embedded Systems)
167
Purpose-built - usually does one thing very well May not provide much additional functionality
Range Constraint (Embedded Systems)
168
Single-purpose functionality comes at a low cost Low cost may affect product quality
Cost Constraint (Embedded Systems)
169
Limited access to the hardware and software Difficult to verify the security posture
Implied trust Constraint (Embedded Systems)
170
Prevent access - There are limits to the prevention Channel people through a specific access point - And keep out other things - Allow people, prevent cars and trucks Identify safety concerns - And prevent injuries Can be used to an extreme - Concrete barriers - Moats
Barricades / Bollards
171
All doors normally unlocked - Opening one door causes others to lock All doors normally locked - Unlocking one door prevents others from being unlocked One open door / other locked - When one is open, the other cannot be unlocked One at a time, controlled groups - Managed control through an area
Access control vestibules
172
Circuit-based - Circuit is opened or closed - Door, window, fence - Useful on the perimeter Motion detection - Radio reflection or passive infrared - Useful in areas not often in use Duress - Triggered by a person - The big red button
Alarms
173
Clear and specific instructions - Keep people away from restricted areas - Consider visitors Consider personal safety - Fire exits - Warning signs - Chemicals - Construction - Medical resources Informational - In case of emergency, call this number
Signs
174
CCTV (Closed Circuit Television) - Can replace physical guards Camera features are important - Motion recognition can alarm and alert when something moves - Object detection can identify a license plate or person's face Often many different cameras - Networked together and recorded over time
Video surveillance
175
Conceal an important facility in plain sight - Blends in to the local environment Protect a data center - No business signs - No visual clues - Surround it with a water feature - Install a guard gate - Planters out front are bollards
Industrial camouflage
176
Physical protection at the reception area of a facility Validates identification of existing employees Provides guest access
Security guard
177
Two-person integrity/control - Minimize exposure to an attack - No single person has access to a physical asset
Two person integrity/control
178
Biometric authentication - Fingerprint, retina, voiceprint Usually stores a mathematical representation of your biometric - Your actual fingerprint isn't usually saved Difficult to change - You can change your password - You can't change your fingerprint Used in very specific situations - Not foolproof
Biometrics
179
Conventional - Lock and key Deadbolt - Physical bolt Electronic - Keyless, PIN Token-based - RFID badge, magnetic swipe card, or key fob Biometric - Hands, fingers, or retina Multi-factor - Smart card and PIN
Door access controls
180
Temporary security - Connect your hardware to something solid Cable works almost anywhere - Useful when mobile Most devices have a standard connector - Reinforced notch Not designed for long-term protection - Those cables are pretty thin
Cable locks
181
Don't connect to unknown USB interfaces - Even if you need a quick charge - Prevent "juice jacking" Allow the voltage, reject the data Use your power adapter - Avoid the issue entirely
USB data blocker
182
More light means more security - Attackers avoid the light - Easier to see when lit - Non-IR cameras can see better Specialized design - Consider overall light levels - Lighting angles may be important - Facial recognition - Avoid shadows and glare
Proper lighting
183
Build a perimeter - Usually very obvious - May not be what you're looking for Transparent or opaque - See through the fence (or not) Robust - Difficult to cut the fence Prevent climbing - Razor wire - Build it high
Fencing
184
Electronics require unique responses to fire - Water is generally a bad thing Detection - Smoke detector, flame detector, heat detector Suppress with water - Where appropriate Suppress with chemicals - Halon - No longer manufactured - Destroys ozone - Commonly replaced with DuPont FM-200
Fire suppression
185
Motion detection - Identify movement in an area Noise detection - Recognize an increase in sound Proximity reader - Commonly used with electronic door locks - Combined with an access card Moisture detection - Useful to identify water leaks Temperature - Monitor changes over time
Sensors
186
Mesh of conductive material - The cage cancels the electromagnetic field's effect on the interior - The window of a microwave oven Not a comprehensive solution - Not all signal types are blocked - Some signal types are not blocked at all Can restrict access to mobile networks - Some very specific contingencies would need to be in place for emergency calls
Faraday cage
187
Formerly known as a demilitarized zone (DMZ) - An additional layer of security between the internet and you - Public access to public resources
Screened subnet
188
Protected Distribution System (PDS) - A physically secure cable network Protect your cables and fibers - All of your data flows through these conduits Prevent cable and fiber taps - Direct taps and inductive taps Prevent cable and fiber cuts - A physical denial of service (DoS) Hardened protected distribution system - Sealed metal conduit, periodic visual inspection
Protected cable distribution
189
Physically secure the data - As important as the digital security An important part of a security policy - Not a question to leave unanswered Secure active operations - Prevent physical access to the systems Secure offline data - Backups are an important security concern
Secure areas
190
Physical separation between networks - Secure network and insecure network - Separate customer infrastructures Most environments are shared - Shared routers, switches, firewalls - Some of these are virtualized Specialized networks require air gaps - Stock market networks - Power systems/SCADA - Airplanes - Nuclear power plant operations
Air gap
191
A secure reinforced room Store backup media Protect from disaster or theft Often onsite
Vault
192
Similar to a vault, but smaller Less expensive to implement Space is limited - install at more locations
Safe
193
Data centers - Lots and lots of equipment - This equipment generates heat Optimize cooling - Keep components at optimal temperatures Conserve energy - Data centers are usually very large rooms - Focus the cooling - Lower energy costs
Hot and cold aisles
194
Disposal becomes a legal issue - Some information must not be destroyed - Consider offsite storage You don't want critical information in the trash - People really do dumpster dive - Recycling can be a security concern - Physically destroy the media Reuse the storage media - Sanitize the media for reuse - Ensure nothing is left behind
Data destruction and media sanitization
195
Shredder / pulverizer - Heavy machinery, complete destruction Drill / Hammer - Quick and easy - Platters, all the way through Electromagnetic (degaussing) - Removing the magnetic field - Destroys the drive data and renders the drive unusable Incineration - Fire hot
Physical destruction
196
The algorithm used to encrypt and/or decrypt
Cipher
197
Add the key to the cipher to encrypt Larger keys are generally more secure Some encryption methods use one key - Some use more than one key - Every method is a bit different A weak key is a weak key - By itself, it's not very secure Make a weak key stronger by performing multiple processes - Hash a password. Hash the hash of the password. Continue - Key stretching, key strengthening Brute force attack would require reversing each of those hashes - The attacker has to spend much more time, even though the key is small There's very little that isn't known about the cryptographic process - The algorithm is usually a known entity - The only thing you don't know is the key Key determines the output - Encrypted data - Hash value - Digital signature Keep your key private - It's the only thing protecting your data
Cryptographic keys
198
Already built for your application - No additional programming involved
Key stretching libraries
199
Powerful cryptography has traditionally required strength - A powerful CPU and lots of time Internet of Things (IoT) devices have limited power - Both watts and CPU New standards are being created - National Institute of Standards and Technology (NIST) leading the effort - Provide powerful encryption - Include integrity features - Keep costs low
Lightweight cryptography
200
Encrypted data is difficult to work with - Decrypt the data - Perform a function - Encrypt the answer Perform calculations of data while it's encrypted Perform the work directly on the encrypted data The decrypted data can only be viewed with a private key Many advantages - Securely store data in the cloud - Perform research on data without viewing the data
Homomorphic encryption (HE)
201
A single, shared key - Encrypt with the key - Decrypt with the same key - If it gets out, you'll need another key Secret key algorithm - A shared secret Doesn't scale very well - Can be challenging to distribute Very fast to use - Less overhead than asymmetric encryption - Often combined with asymmetric encryption
Symmetric encryption
202
Public key cryptography - Two (or more) mathematically related keys Private key - Keep this private Public key - Anyone can see this key - Give it away The private key is the only key that can decrypt data encrypted with the public key - You can't derive the private key from the public key Everyone can have the public key - Only Alice has the private key
Asymmetric encryption
203
Need large integers composed of two or more large prime factors Instead of numbers, use curves - Use smaller keys than non-ECC asymmetric encryption - Smaller storage and transmission requirements - Perfect for mobile devices
Elliptic curve cryptography (ECC)
204
Represent data as a short string of text - A message digest One-way trip - Impossible to recover the original message from the digest - Used to store passwords / confidentiality Verify a downloaded document is the same as the original - Integrity Can be a digital certificate - Authentication, non-repudiation, and integrity Will not have a collision (hopefully) - Different messages will not have the same hash
Hashes
205
Verify a downloaded file - Hashes may be provided on the download site - Compare the downloaded file hash with the posted hash value Password storage - Instead of storing the password, store a salted hash - Compare hashes during the authentication process - Nobody ever knows your actual password
Practical hashing
206
Random data added to a password when hashing Every user gets a random one of these - Commonly stored with the password Rainbow tables won't work with these hashes - Additional random values added to the original password This slows down the brute force process - It doesn't completely stop the reverse engineering Each user gets a different random hash - The same password creates a different hash
Salting
207
Prove the message was not changed - Integrity Prove the source of the message - Authentication Make sure the signature isn't fake - Non-repudiation Sign with the private key - The message doesn't need to be encrypted - Nobody else can sign this Verify with the public key - Any change in the message will invalidate the signature
Digital signature
208
Larger keys tend to be more secure - Prevent brute-force attacks - Attackers can try every possible key combination Symmetric encryption - 128-bit or larger symmetric keys are common - These numbers get larger as time goes on Asymmetric encryption - Complex calculations of prime numbers - Larger keys than symmetric encryption - Common to see key lengths of 3,072 bits or larger
Key strength
209
A logistical challenge Out-of-band key exchange - Don't send the symmetric key over the 'net' - Telephone, courier, in-person, etc In-band key exchange - It's on the network - Protect the key with additional encryption - Use asymmetric encryption to deliver a symmetric key
Key exchange
210
Use public and private key cryptography to create a symmetric key - Math is powerful
Symmetric key from asymmetric keys
211
Change the method of key exchange - Don't use the server's private RSA key Elliptic curve or Diffie-Hellman ephemeral - The session keys aren't kept around Can't decrypt with the private server key - Every session uses a different private key for the exchange Requires more computing power - Not all servers choose to use this The browser must support this - Check your SSL/TLS information for details
Perfect Forward Secrecy (PFS)
212
Hide information inside of an image Message is invisible - But it's really there The covertext - The container document or file
Steganography
213
Modify the digital audio file Interlace a secret message within the audio Similar technique to image steganography
Audio steganography
214
A sequence of images Use image steganography on a larger scale Manage the signal to noise ratio Potentially transfer much more information
Video steganography
215
Computers based on quantum physics - This is not an upgrade to your existing computer - This is a new computing technology Classical mechanics - Smallest form of information is a bit - Bits are zeros and ones Quantum mechanics - Smallest form of information is a qubit - Bits are zeros, ones, and any combination in-between, at the same time - This is called quantum superposition Search quickly through large databases - Index everything at the same time Simulate the quantum world - Medical advances, weather prediction, astrophysics, and much more
Quantum computing
216
Breaks our existing encryption mechanisms - Quickly factor large prime numbers This would cause significant issues - None of the existing cryptography could be trusted - No financial transactions would be safe - No data would be private Peter Shor invented Shor's algorithm in 1994 - Given an integer N, find its prime factors - Traditional computers would take longer than the lifetime of the universe - Shor's algorithm would theoretically be much, much faster - Time for updated cryptography - Not vulnerable to quantum computer based attacks
Post-quantum cryptography
217
Protection against eavesdropping using quantum cryptography - Quantum Key Distribution (QKD) Create unbreakable encryption - Send a random stream of qubits (the keys) across a quantum network channel Both sides can verify the key - If it's identical, the key was not viewed during transmission An attacker eavesdropping on the communication would modify the data stream - That attacker would have to violate quantum physics
Quantum communication
218
Encryption is done one bit or byte at a time - High speed, low hardware complexity Used with symmetric encryption - Not commonly used with asymmetric encryption The starting state should never be the same twice - Key is often combined with an initialization vector (IV)
Stream ciphers
219
Encrypt fixed-length groups - Often 64-bit or 128-bit blocks - Pad added to short blocks - Each block is encrypted or decrypted independently Symmetric encryption
Block ciphers
220
A popular mode of operation - Relatively easy to implement Each plaintext block is XORed with the previous ciphertext block - Adds additional randomization - Use an initialization vector for the first block
Cipher Block Chaining (CBC)
221
Block cipher mode / acts like a stream cipher - Encrypts successive values of a "counter" Plaintext can be any size, since it's part of the XOR, 8 bits at a time (streaming) instead of a 128-bit block
Counter (CTR)
222
Encryption with authentication - Authentication is part of the block mode - Combines Counter Mode with Galois authentication Minimum latency, minimum operation overhead - Very efficient encryption and authentication Commonly used in packetized data - Network traffic security (wireless, IPsec) - SSH, TLS
Galois/Counter Mode (GCM)
223
A distributed ledger - Keep track of transactions Everyone on this network maintains the ledger - Records and replicates to anyone and everyone Many practical applications - Payment processing - Digital identification - Supply chain monitoring - Digital voting Steps: 1. A transaction is requested. The transaction could be any digital transaction from transferring Bitcoins, medical records, data backups, to transferring house title information 2. The transaction is sent to every computer, or node, in a decentralized network to be verified 3. The verified transaction is added to a new block of data containing other recently verified transactions 4. A secure code, called a Hash, is calculated from the previous blocks of transaction data in this. The hash is added to the new block of verified transactions 5. The block is added to the end of this which is then updated to all nodes in the network for security. The transaction is complete 6. If any blocks are altered, its hash and all following hashes in the chain are automatically recalculated. The altered chain will no longer match the chains stored by the rest of the network, and will be rejected
Blockchain
224
Mobile devices, portable systems Smaller symmetric key sizes Use elliptic curve cryptography (ECC) for asymmetric encryption
Low power devices
225
Fast computation time - Symmetric encryption, smaller key sizes
Low latency
226
Larger key sizes Encryption algorithm quality Hashing provides data integrity
High resiliency
227
Secrecy and privacy Encryption (file-level, drive-level, email)
Confidentiality use case
228
Prevent modification of data Validate the contents with hashes File downloads, password storage
Integrity use case
229
Modern malware Encrypted data hides the active malware code Decryption occurs during execution
Obfuscation use case
230
Password hashing Protect the original password Add salt to randomize the stored password hash
Authentication use case
231
Confirm the authenticity of data Digital signature provides both integrity and non-repudiation
Non-Repudiation
232
Cryptography adds overhead A system needs CPU, CPU needs power More involved encryption increases the load
Speed
233
Typical block ciphers don't increase the size of encrypted data AES block size is 128 bits/16 bytes Encrypting 8 bytes would potentially double the storage size
Size (Cryptography limitation)
234
Larger keys are generally more difficult to brute force The weak IV in RC4 resulted in the WEP security issues
Weak keys (Cryptography limitation)
235
Encryption and hashing take time Larger files take longer Asymmetric is slower than symmetric
Time (Cryptography limitation)
236
A specific cryptographic technology can become less secure over time Smaller keys are easier to brute force, larger keys take longer to process Key retirement is a good best practice
Longevity (Cryptography limitation)
237
Random numbers are critical for secure cryptography Hardware random number generators can be predictable A passphrase needs to be appropriately random
Predictability and entropy
238
Reusing the same key reduces complexity Less cost and effort to recertify keys Less administrative overhead If the key is compromised, everything using that key is at risk IoT devices often have keys embedded in the firmware
Key reuse (Cryptography limitation)
239
IoT devices have limited CPU, memory, and power Real-time applications can't delay Difficult to maintain and update security components
Resource vs. security constraints (Cryptography limitation)
240
Rolls out tested changes into production automatically as soon as they have been tested Automatically pushing a developer's changes from the repository to the live environment where customers can use them
Continuous Deployment (CD)
241
Ensures that software is released effectively when requested Entails that an operations team can deploy a developer's changes to a live production environment after they have been automatically checked for bugs and submitted to a repository
Continuous Delivery
242
Provides a regularly updated list of proactive controls that are useful to review not only as a set of useful best practices, but also as a way to see how web application security threats change from year to year
Open Web Application Security Project (OWASP)
243
Single board computers, which means they have all the features of a computer system on a single board, including network connectivity, storage, video output, input, CPU, and memory Capable computational platform that can run a variety of operating systems, including Linux and Windows More likely to be found used for personal development or small-scale custom use rather than in broader deployment
Raspberry Pi
244
Belong to a class of computer known as the microcontroller Include a lower-power CPU with a small amount of memory and storage, and they provide input and output capabilities Do not have a wireless or wired network built into them, thus reducing their attack surface because they lack direct physical access
Arduinos
245
Remind authorized personnel that they are in a secure area and that others who are not authorized should not be permitted to enter and should be reported if they are seen Serve as a deterrent control Can prevent those who might casually violate the rules this shows
Signage
246
Monitoring Rounds / Periodic checks An emerging technology
Robot sentries
247
Measured in the amount of processing time required to defeat the cryptosystem
Key length
248
A technique that is used to mitigate a weaker key by increasing the time needed to crack it WPA, WPA2, PGP, bcrypt, and other algorithms utilize this
Key stretching
249
A cryptographic key that is generated for each execution of a key establishment process These keys are short-lived and used in the key exchange for WPA3 to create perfect forward secrecy
Ephemeral
250
A record-keeping system that maintains participants’ identities in secure and anonymous form, their respective cryptocurrency balances, and a record book of all the genuine transactions executed between network participants A permissioned blockchain is used for business transactions and promotes new levels of trust and transparency using this
Public ledger