Information Security 101
In two days I’ll have a 3-hour exam for my Information Security subject at university. Instead of flicking through lectures to absorb info, I’m writing it down to make sure I understand it. Plus infosec is something I love to talk & learn about.
There are 10 topics in total.
Topic 1: Introduction
Going to gloss over this because it’s fairly straightforward.
- Information security is important because people’s data needs to be kept private (source: lecture slides).
- 430 million pieces of malware were created in 2015.
- 75% of legitimate websites have vulnerabilities.
- 55% increase in spear phishing.
- 35% increase in ransomware.
Stats grabbed from lecture.
- Confidentiality — preventing unauthorised disclosure of information (e.g SQL injection revealing user’s private details).
- Integrity — preventing unauthorised modification of information (e.g MITM attack that edits a message).
- Availability — making files available to authorised users (e.g DDoS attack on a website).
Note: Unauthorised also covers people within an organisation that might accidentally modify or view information.
- Non-repudiation — recording events so users can’t deny they did/tried to do something.
- Threat — set of circumstances that may cause potential harm.
- Vulnerability — weakness in a system (e.g a person or XSS vulnerability)
- Security Incident — the combination of a vulnerability being exploited to become a threat.
- Storage — electronic, physical or human
- Transmission — physical or electronic
- Processing (use) — ^^
- Verify entity is who they claim they are
- Verify data origin and integrity
- Preventative — prevent exploits in vulnerabilities
- Detective — warning of attempts to exploit
- Corrective — correct errors or irregularities
Types of measures:
- Tech — firewalls, encryption, digital signature (more detail later)
- Policy — acceptable use, data protection
- Training & Education
Topic 2: Threats, Vulnerabilities & Attacks
As touched on previously, a threat is a set of circumstances that could potentially cause harm, while a vulnerability is simply a weakness in the system that can be exploited in an attack.
An attacker usually considers all of the components and interactions in the following areas:
In doing this they hope to uncover a vulnerability in a certain system.
Threats come from two sources:
- Externally — entities outside of an organisation that are unauthorised to use certain information systems.
- Internally — people inside of an organisation that might be authorised to use a system but use it in an unauthorised/malicious manner.
Typically, threats also only have a few types:
- Natural events — consider data centres that get flooded, servers that go offline in a black out (with respect to the goals of CIA)
- Human action — both deliberate and accidental (e.g picture of password in background posted to social media vs attacker using a key logger)
Deliberate human action usually comes in the form of Malicious Software (Malware) such as viruses, worms or trojans.
- Virus — self replicating and copies itself into other files.
- Worms — typically spreads through a network without human interaction.
- Trojans — masquerade under desirable programs (e.g torrent the new Battlefield game, secretly steals your banking details etc.)
When finding a vulnerability, the assets of the above 5 areas should be considered. For example, the physical assets of a set of servers might be guarded physically under lock and key and patrolled, but the software the servers run on might have a known exploit.
These servers might also need extensive cooling, and gaining access to this system could prevent other people accessing the data stored on these servers.
Redundancy is an important aspect to consider; what happens if the servers do go offline/get corrupted?
An attack is when deliberate human action is taken to exploit a vulnerability. Attacks can be both passive and active.
- Passive — attacker’s goal is to obtain information, not alter it (e.g MITM, network sniffing).
- Active — attacker’s goal is to obtain, modify or fabricate information (e.g Denial of Service attack, phishing, social engineering).
Important: know different types of attacks. Research MITM (all types), spoofing/masquerading, replay attack, XSS, SQL Injections.
Topic 3: Identity & Authentication
- Knowledge based — something you know (e.g PIN or password)
Note: password storage is a huge topic. Tldr; hash it, salt it, don’t use MD5. Check out this dope post for more info.
- Object Based — (e.g key card, token that generates new codes)
- ID-based — (e.g finger print)
When using biometric security a few unexpected things can happen:
- A false match — mistaking two biometric measurements from two people as the same
- A false non-match — mistaking two biometric measurements from the same person as different.
This is determined by a threshold (usually symbolised as t). Decreasing t makes the system more tolerant to variations. Increasing t does the inverse, making the system less tolerant.
- Location based (e.g being in the right geographical location to access something).
Two Factor Authentication (2FA) is one way to achieve multi-factor authentication. The most common example of this is sending a text to your mobile phone with a code to verify you are logging in as you.
Topic 4: Access Control
Access control basically determines who is authorised to access what. The most basic form of this is white lists and black lists.
- Whitelist — list of entities authorised to access/visit something.
- Blacklist — list of entities unauthorised to access/visit something.
There are common principles implemented in most access control policies. One is the Principle of Least Privilege. This is when a user is restricted to the minimum set of authorisations they need to complete day to day tasks.
Separation of duties is also an important concept to understand. This is when an employee will look over some sort of form, and then their manager will approve the form.
Typically authorisations involve the following permissions:
- read — simply look at a file, not edit it.
- write — look and edit a file.
- execute — run an application, but not allowed to edit or look at it.
Access control comes in three major forms:
- Discretionary — the owner of information allows people to access it (e.g sharing a Google Doc)
- Mandatory — system wide set of rules is applied.
- Role-based — Admin, teachers, students etc with different permissions for reading/writing.
When implementing access control, there are two phases to consider. The first is the policy definition phase. This is where privileges (read, write etc) are allocated to users. The second is the policy enforcement phase where privilege is required to gain access (e.g authenticate a user).
Topic 5: Privacy & Security
In Australia there are several pieces of legislation in regard to how data is stored and used.
- Commonwealth Privacy Act 1988 — deals with privacy of personal information (name, address medical records etc)
- Privacy Amendment (Private Sector) Act 2000 — the act now covers private sector, including health service providers.
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 — came into effect March 2014. Groups Australian Privacy Principles into the following 5 parts.
- Consideration of personal information privacy — transparent management of personal information.
- Collection of personal information.
- Dealing with personal information — can’t be used for direct marketing, individuals must consent if someone wants to use or disclose personal info.
- Integrity of Personal information — ensures information is secure & correct.
- Access to, and correction of, personal information.
Threats to privacy include both human and technological threats. Most of these relate to the above section (Topic 3). Monitoring technology like key loggers, cookies, and web bugs are all fairly important pieces of technology to understand.
- Cookies are stored in the browser and can track where you go on the internet, as well as store certain information for your session.
- Web Bugs (aka web beacons, pixel tags) are used to monitor the user’s behaviour while on a website. A really cool example of this would be hotjar.
Identity theft is also a basic concept to understand, and in recent years there has been plenty of coverage of people impersonating other people and stealing credit card information. Identity theft can also come in the form of a phishing email from someone posing as a legitimate company.
An identity can be stolen through dumpster diving (physically stealing documents that haven’t been destroyed), raiding letter boxes, social engineering (call up Telstra and convince them you’re John Smith). People also store a huge amount of public data online so attackers can also target that vector.
Topic 6, 7 & 8: Symmetric & Asymmetric Cryptography & Public Key Infrastructure
This is probably one of the most important topics in information security: how details and transmission of data are kept safe. Straight off the bat, read this for information on how cryptography works. You’ll also want to be fairly familiar with hashing functions, so watch this and read this if you haven’t already! They explain things very clearly and cover all the basics and a bit more for this section, but I’ll be summarising and condensing it.
Hashing & Salting
Hash functions are one way functions (or at least they are “infeasible” to reverse). There are many different types, common functions being MD5 (broken), SHA-1, and SHA-256.
Hashing is used predominantly to keep your passwords safe. Play with this site to see what hashes there are. Essentially, if I enter “password” I will get this SHA-256 hash back.
password => 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Salting is an extra random string appended to a hashed piece of text. This is to prevent attackers using rainbow tables to crack passwords. The salt must be randomly generated for all users and fairly long so it’s also hard to crack. It looks something like this.
password => 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 + 35c246d5 (the random salt)
A salt can be stored in a database, and it would be good practice to store it in a separate database table from the passwords. When a user then goes to log into a website this happens.
password => hash => add users salt => check users stored hashed & salted password in db => return a message accordingly
Salting is not correctly defined above. The salt is added to the plaintext password before being hashed, like so:
password + "25346hreg" (the salt) => password25346hreg => 423763059d8c052b55bf8158cf460eeda7d309aaf4efc4c5f2fa536667076ca8
So instead of “password” always generating the same SHA-256 hash, adding a randomly generated salt makes the hash something entirely different.
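The corrected flow (salt added to the plaintext, then hashed) as an added example that is not part of the lectures or the original notes. The precomputed table is a constructed stand-in for a rainbow table, and the PBKDF2 functions go beyond the notes: a single SHA-256 is fast to guess against, so a deliberately slow key-derivation function is the usual choice for stored passwords.

```python
import hashlib
import hmac
import secrets

# SHA-256 of the unsalted string "password", as quoted in the notes.
POST_HASH = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# Constructed stand-in for a rainbow table: precomputed hashes of common passwords.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p
               for p in ("123456", "password", "letmein")}


def salted_sha256(password: str, salt: str) -> str:
    """The scheme in the notes: append the salt to the plaintext, then hash."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def register(password: str) -> dict:
    """Create the stored record: a fresh random salt per user plus the hash."""
    salt = secrets.token_hex(16)
    return {"salt": salt, "hash": salted_sha256(password, salt)}


def login(password: str, record: dict) -> bool:
    """Re-hash the attempt with the stored salt; compare in constant time."""
    return hmac.compare_digest(salted_sha256(password, record["salt"]), record["hash"])


def register_kdf(password: str, iterations: int = 600_000) -> dict:
    """Beyond the notes: PBKDF2 repeats the hash so each guess costs more."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def login_kdf(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    alice, bob = register("password"), register("password")
    print("unsalted hash found in table:", PRECOMPUTED.get(POST_HASH))
    print("salted hash found in table:  ", PRECOMPUTED.get(alice["hash"]))
    print("same password, same hash?    ", alice["hash"] == bob["hash"])
    print("login ok / wrong password:   ", login("password", alice), login("passw0rd", alice))
```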
The above is a basic explanation of how symmetric cryptography works. The following is a narrative style explanation. The most popular symmetric cipher is AES (Advanced Encryption Standard) but the Caesar cipher is also a symmetric cipher.
Edward Snowden wants to send Julian Assange a message, but the NSA can’t know what’s in it. Snowden & Julian met awhile ago and exchanged a secret key for just this sort of situation. Snowden encrypts his message, then sends it to Assange. Once Assange received the ciphertext, he uses the same key Snowden used to encrypt the message to decrypt it.
The only problem with this cryptography technique is that if the NSA had found a copy of the key on Snowden’s computers, then the message could be intercepted and decrypted by the NSA.
Enter Asymmetric Cryptography.
I’ll again use a story to illustrate how Asymmetric Cryptography works.
Snowden knows that the secret key that he and Assange had exchanged has been compromised, so he emails Assange and asks for his public key. Assange replies with the public key. Snowden then encrypts his plaintext message with Assange’s public key. He then sends the ciphertext to Assange, who decrypts the message with his private key.
This cryptographic technique only allows Assange (the holder of the private key) to decrypt a message that used his public key. However, how does Assange know the message came from Snowden?
Enter Digital Signatures.
For this to work, Snowden would have to sign the message he sent to Assange by signing the message with his private key. Assange would then need to use Snowden’s public key to verify that the message came from him.
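The two stories above (encrypt with the recipient's public key, sign with the sender's private key) as an added example, not code from the lectures or the original notes. It uses textbook RSA built from known Mersenne primes so it runs on the standard library alone; the key sizes, the missing padding and the sample message are assumptions made for illustration only.

```python
import hashlib

# Textbook RSA built from known Mersenne primes so it runs on the standard
# library alone. No padding and tiny keys: for illustration, never for real use.
E = 65537


def make_keypair(p: int, q: int):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent
    return (n, E), (n, d)                  # (public key, private key)


def encrypt(message: bytes, public) -> int:
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Signing uses the sender's private key on a hash of the message."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify_signature(message: bytes, signature: int, public) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


# Constructed keys for the two parties in the story.
ASSANGE_PUB, ASSANGE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SNOWDEN_PUB, SNOWDEN_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    msg = b"meet at noon"                       # constructed sample message
    ct = encrypt(msg, ASSANGE_PUB)              # Snowden encrypts to Assange
    sig = sign(msg, SNOWDEN_PRIV)               # ...and signs as himself
    print(decrypt(ct, ASSANGE_PRIV))            # only Assange's key recovers it
    print(verify_signature(msg, sig, SNOWDEN_PUB))
    print(verify_signature(b"meet at nine", sig, SNOWDEN_PUB))
```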
So, how can we use this on a larger scale? Enter the Public Key Infrastructure (PKI).
Public Key Infrastructure
PKI is a set of policies, products and procedures that allow users to implement PK cryptography in distributed settings. The main issue is trust models. Two things are at stake: the integrity of public keys (a key can be edited) and the trustworthiness of public keys: can you trust that it’s Snowden’s public key and not the NSA’s?
For this, there are two types of trust models.
- User Centric — each user has a key ring containing public keys of other users. Examples include PGP (Pretty Good Privacy) but this type of model only works with a relatively small number of people who understand how PKI works.
- Trusted Authority Models — trusted authorities (Certificate authorities or CA’s) perform checks and issue certificates (or certs) endorsing public keys of different entities.
The trusted authority model uses trust pathways to validate whether or not a digital certificate issued by a CA is trustworthy. This is to prevent something like this happening. These chains are made up of CAs who have had their public keys certified by other CAs.
PKI is also very important in how websites communicate securely. Browsers preinstall root certificates to verify incoming certificates (e.g when you request google.com the browser checks that the certificates match).
Take the following scenario:
You click on a phishing email’s link that takes you to your bank’s website. An attacker uses a MITM attack and a self-signed certificate to produce a convincing website. If the user accepts the certificate, the public key details from the certificate are used to secure communications between the fake site and the victim. The website now looks legitimately secured.
Topic 9 & 10: Network Security
Data transmission over a network is sent in packets. Packets involve a packet header which has information like the destination of the packet, while the packet body holds the data encoded in binary as the payload.
Two well known models — ISO (OSI, the 7 layer model) and IETF (TCP/IP).
HTTP is how information is transferred between clients and servers. The basic flow is:
client (browser) requests page => server receives request and returns requested material
For information on Digest Authentication, read this.
Secure Shell (SSH) is used to access remote servers via the command line. It uses public key authentication, and a secure SSH system would only ever use public keys to authenticate.
It’s essentially just a very secure way to access remote servers.
SSL = Secure Sockets Layer
TLS = Transport Layer Security
Uses port 443.
TLS is a cryptographic protocol that operates above the transport layer and uses the PKI. TLS allows message confidentiality — it ensures that a message’s contents can’t be read in transit. It also uses a handshake protocol to establish a symmetric key that’s used to encrypt TLS payloads.
TLS also ensures integrity of messages — see how asymmetric cryptography works. TLS is very much just using PKI at huge scale. If you understand PKI you understand TLS.
IPSec (Internet Protocol Security) operates at the Network layer and uses end-to-end security. As well as protecting message confidentiality and message integrity, it offers traffic analysis protection. A person sniffing the network will not be able to know who is talking to who.
Has two modes:
- Transport Mode — operates on the payload of the original packet
- Tunnel mode — original packet is encapsulated into a new one. Used in gateway-to-gateway architecture.
Firewalls are placed between two networks with the aim of controlling the flow of network traffic between a protected network and other networks. All messages pass through the firewall, and are examined. If they don’t meet requirements they are blocked from entering or leaving.
If communication does not terminate at a firewall, it is acting as a filter. If it does terminate, it is acting as a proxy.
Packet filters work at the network layer and decide if packets are passed or dropped based on the information in the packet such as: header fields, the protocol (TCP, UDP), port numbers and direction (in or out of the network).
Simple Packet Filters — examine each packet independently of other packets, even if they are a part of the same connection. They have two actions: allow or block. They use ingress filtering (inbound traffic) and egress filtering (outbound).
Stateful/Dynamic Packet Filters — same mechanism as simple packet filters, but they keep a state table that notes the state of each connection (e.g what happened before, what happened after).
Packet filters are good because they have low overhead and high throughput, and operate at low layers of the stack. Unfortunately they do not examine application layer commands and may allow unauthorised commands to be sent.
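The difference between a simple and a stateful packet filter, as an added example that is not from the lectures or the original notes. The rule set (clients may open outbound HTTPS), the addresses and the three sample packets are constructed; the point is that the simple filter needs a broad ingress rule to let replies back in, while the stateful filter only admits inbound packets that match a connection in its state table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected network
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def is_outbound_https(pkt: Packet) -> bool:
    return pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport == 443


def simple_filter(pkt: Packet) -> str:
    """Stateless: every packet is judged alone, on header fields and direction."""
    if is_outbound_https(pkt):
        return "allow"                      # egress rule
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.sport == 443:
        return "allow"                      # ingress rule so replies can return
    return "block"


class StatefulFilter:
    """Same egress rule, but inbound packets must match a tracked connection."""
    def __init__(self):
        self.state_table = set()

    def check(self, pkt: Packet) -> str:
        if is_outbound_https(pkt):
            self.state_table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reply_of in self.state_table:
            return "allow"
        return "block"


# Constructed traffic (documentation address ranges).
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 50000, "203.0.113.10", 443),  # client request
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 50000),   # its reply
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 22),      # unsolicited
]


def verdicts(check) -> list:
    return [check(pkt) for pkt in TRAFFIC]


if __name__ == "__main__":
    print("simple  :", verdicts(simple_filter))
    print("stateful:", verdicts(StatefulFilter().check))
```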
Application-layer Firewalls — filters packets based on application data. Unfortunately this is slower than packet filters as it operates on behalf of the client.
Usually has 4 phases
- Propagation — copies itself to programs or disks
- Triggering — activated by date, file opening, disk limit, or almost any factor
- Execution — performs the intended function (e.g adds your computer to a botnet).
Intrusion Detection Systems (IDS)
- Host based — detects intrusions only on the host it is installed on
- Network based — detects intrusions on one or more network segments, usually to protect multiple hosts.
There are also two types of detection methods:
- Misuse detection — matches behaviour to malicious behaviour.
- Anomaly detection — compares behaviour with known ‘good’ behaviour, if they don’t match then the behaviour is bad.
That’s security 101 in a nutshell; the only thing missing is how to manage security risk but that seems fairly common sense risk management. If you made it this far, I hope it all made sense to you :) If you have any questions flick me a message on Twitter @awoldes or email me.
Note: This is how I’ve understood the content, if I missed something or didn’t explain something correctly, I’m keen to learn!