Term
Systems and Applications Security
Definition
Systems and Applications Security

Term
Identify and Analyse Malicious Code and Activity
Definition

Term

Definition
Hacker - very general term
Positive and negative
Hackathon - group-based hacking event
Again, both positive and negative
Script Kiddie - inexperienced person using pre-built hack tools
Certified Ethical Hacker (CEH) - authorized pen testing
Hackers for Hire - hired to exploit and steal
Hacktivist - exploits for their own agenda
Insider attacks - disgruntled employees

Term
Malware - malicous software |
|
Definition
Worm - can self-replicate accross networks
Virus - attached files and passed
Payload - the harmful part
Signature - identified string of characters
Boot sector virus - infects the master boot record
RootKit - appears as an operating system file
Stealth Virus - appears as a legal program
Polymorphic virus - changes its signature as it replicates
Time Bomb (Logical bomb, Bomb)
Has a times fuse to go off on a date, time or event
Often an insider attack
Trojan Horse (Trojan Malware) - payload hides in a trusted program |
|
|
Term

Definition
Spyware - payload monitors user and system
Ransomware - prevents users from accessing parts of the system until payment is made
Adware - pop-up advertisements
SQL injection - code that attacks data applications (databases)
Zero-day attack - uses a totally unknown type of attack vector

Term
Malicious Code Countermeasures
Definition

Term

Definition
Anti-malware - formerly anti-virus but includes broader protection
Installed on end-points (clients and servers)
Can act as network gateway scanners
Must perform periodic scans
Must be updated
Should scan e-mail attachments
Should be able to clean and quarantine threats
Should have configuration protection from users
Backups - the last resort
Periodic - evaluate data loss policies
Patches and updates
Very important to implement on a timely basis
Host firewalls
Enable and block unused ports and protocols

Term

Definition
Code Signing
For scripts and software
Uses certificates (code-signing cert)
Sandboxing
Separating applications and systems for testing
Often is disconnected
Air-Gap
Separating a test environment from production
Central malware and policy management

Term

Definition
Social Engineering - non-technical means of gaining access
Tricking people into giving out credentials or making system changes
Difficult to prevent
Pharming - attempt to get credentials or other PII
Example: Redirect to a website that appears to be trusted
Vishing (v = voice) - direct user to call a number
Keylogger - software or hardware that collects keystrokes
Denial of Service (DoS)

Term

Definition
Distributed Denial of Service (DDoS) - using multiple systems to perform DoS
Also known as Botnet, Bots, Zombies
Spoofing
Attack is initiated as something or someone trusted
Example: MAC spoofing
Phishing
Attempts to obtain PII
Blanket coverage
Spear phishing - directed attack on a specific user or group

Term
Malicious Activity Countermeasures
Definition
User awareness
Keep people informed - threat board
Train users on social engineering and other threats
Be open to questions - even on personal/home threats
User Training
Log off workstations - can be automated with inactivity
Clean desk policy
Clean screen policy
Password policy
CCTV
Inside and outside
Real and fake
Host Firewalls
Enable and block unused ports and protocols
Patches and updates - to personal systems

Term
Implement and Operate Endpoint Device Security
Definition

Term

Definition
Intrusion Detection - to detect unwanted traffic
Software can run on appliances or hosts
HIDS - Host Intrusion Detection System
NIDS - Network Intrusion Detection System
Intrusion Prevention - can take action if unwanted traffic exists
Often works with IDS - then named Intrusion Detection/Prevention System (IDPS)

Term

Definition
Behaviour-based
Signature-based
Anomaly-based
Heuristic-based

Term
Application Whitelisting
Definition

Term

Definition
Endpoint Encryption
Disk and removable storage
Example: Windows Encrypting File System (EFS)
Trusted Platform Module (TPM)
Built-in crypto-processor
Used in many devices and computers
Encryption key storage
Boot Protection (trusted)
Password Protection
Data Removal - Endpoint Data Sanitization
Intended permanent removal/destruction of data
Prevents most advanced forensic tools from retrieving data
Can be physical destruction

Term

Definition
Bring Your Own Device (BYOD)
Hard to manage - may cause compliance/legal issues
Keep OS updated
Don't allow jailbroken phones
Use strong passwords
Use encryption technology
Corporate Owned, Personally Enabled (COPE)
Company-owned hardware
May cause compliance/legal issues
Lost or Stolen
Train users on policy and procedures
Perform remote wipe
Enable device tracking
Device seizure policy

Term
The wonderful world of Cloud
Definition

Term

Definition
Where is my data stored?
How much processing do I really use?
Who has access to my data?
Is it really secure?

Term

Definition
Is the cloud/service provider trustworthy?
Are they responsive?
Can other customers access your data?
Can other customers impact your performance?
Do they meet your security requirements?
Do they meet your regulatory requirements?
Can you audit them?
What is the SLA?

Term
Operation Models: Private
Definition

Term
Operation Model: Community
Definition

Term

Definition
Software as a Service (SaaS) - your applications
Concerns:
Is it configured securely?
Is it updated?
Is it monitored?
Platform as a Service (PaaS) - your servers
Concerns: Just like any other VM, can be attacked
Infrastructure as a Service (IaaS) - your network
Concerns:
Like all, monitoring and auditing
Updates?
Configuration Management

Term
Legal and Privacy Concerns
Learn for exam: 95/46
What legal, compliance or contractual obligations does your company follow?
Will your data cross country boundaries?
Definition
Borderless computing - regulations and governance
Directive 95/46/EC - governs the protection of transborder data flows
General Data Protection Regulation (GDPR) - replaces Directive 95/46/EC
Unifies the 28 member states of the European Union
Some cases - can request that data only be stored within a specific country boundary

Term
Data Storage and Transmission
How is your data handled and protected?
Definition
Archiving
Example: e-mail discovery
Recovery
What recovery options do you have?
Is it point-in-time recovery?
How long does it take?
Resilience/Availability
What options are available?

Term
Third-party/Outsourcing Requirements
Combining third parties for higher availability
Definition
Concerns:
SLA
Data transmission - how? Is it secure?
Data destruction
Auditing
Cost

Term
Application Vulnerabilities
Definition
Because of the scale of data - very hard for a person or team to manage
Does use search encryption
Does provide cluster encryption
Affected by standard application vulnerabilities
Must be updated and configured correctly
Affected by underlying frameworks - MapReduce, Hadoop
Must be monitored

Term
Architecture or Design Vulnerabilities
Definition
Similar to application vulnerabilities
Data ownership is a concern
May assign ownership and security of the outputs of search and analysis
Data ownership may be separated between "who inputs the data" and "who outputs the data"
Data owner - puts data into the database and classifies the data
Information owner - owns the searched/analysed data and performs classification
Vast and growing

Term
Operate and Secure Virtual Environments
Software-defined Networking
Definition

Term

Definition
The network appliances - only virtual
Switches
Routers
Firewalls
Load balancing

Term
Continuity and Resiliency
Definition
