CISSP study notes: Security vulnerabilities, threats and countermeasures

Chapter 9 Security Vulnerabilities, Threats and Countermeasures

9.1 Assess and mitigate security vulnerabilities

9.1.1 Hardware

  • processor
  • execution type
    1. Multitasking: Working on two or more tasks at the same time
    2. Multiprocessing: Using the processing power of multiple processors to complete the work of an application
    3. Multiprogramming: Coordination of two tasks on a single processor through the operating system to simulate the simultaneous execution of two tasks
      • Difference between multiprogramming and multitasking: Multiprogramming is usually used on large-scale systems, while multitasking is used in personal computer operating systems. Multitasking is usually coordinated by the operating system, while multiprogramming requires specially written software.
    4. Multithreading: Multiple concurrent threads are executed in a single process. The advantage of multithreading is the reduced cost of switching between threads.
  • Processing type:
    Many security-critical systems control the processing of information assigned different security levels
    • Single state: Use policy mechanisms to manage information at different security levels
    • Multistate: Multistate systems can achieve higher levels of security by using specific security mechanisms to organize information across different security levels.
  • protection mechanism
    • Protection rings: Protection rings organize the code and components of an operating system into concentric rings. The further inside the ring, the higher the privilege level.
      • Essence: The essence of the protection ring lies in priorities, privileges and memory partitioning
      • Security: Isolates the operating system from applications and enforces strict boundaries between highly privileged operating system components and less privileged components
    • Process state: Also called operating state; refers to the various forms of execution in which a process may run.
    • Security modes: Before deploying a security mode, three specific elements must be present:
      • Layered MAC environment
      • Full physical control over which subjects can access the computer console
      • Full physical control over which subjects can enter the room where the computer console is located
    • Classification of security modes:
      • Dedicated mode: A need to know that extends to all information processed by the system is equivalent to having no need-to-know restriction at all.
      • System high mode: Differs from dedicated mode in that users do not need a need to know for all information processed by the system (only for some of the information processed by the system).
      • Compartmented mode: System users in compartmented mode do not need access approval for all information in the system
      • Multilevel mode: Multilevel mode carries the highest level of risk exposure
    • Security clearance, need to know, and processing data from multiple clearance levels (PDMCL)

  • operating mode
    • The processor supports two modes of operation: user mode and privileged mode
      • User mode: only allows execution of part of the instructions in its entire instruction set, in order to prevent the execution of poorly designed code and unintentional abuse of code that may accidentally damage the system.
      • Privileged mode (supervisor mode, system mode, kernel mode): processes executing on the CPU are granted wide-ranging privileges

9.1.2 Memory

Memory: The storage location a computer needs to keep information accessible.

  • Read-only memory (ROM): Memory that can be read but cannot be modified. The subtypes are as follows:
    • Programmable Read-Only Memory (PROM): The chip contents are not programmed at the factory, allowing the end user to program in the contents later
    • Erasable Programmable Read-Only Memory (EPROM): When exposed to a special UV light, the contents of the chip can be erased, and the user can then burn new information into the EPROM
    • Electrically Erasable Programmable Read-Only Memory (EEPROM): Erased using voltage supplied to the chip pins
    • Flash memory: A nonvolatile storage medium that can be electronically erased and rewritten. Flash memory can be erased in blocks or pages.
  • Random access memory (RAM): Readable and writable memory. When the power is turned off, the data disappears. RAM has the following types:
    • Real Memory: The maximum RAM storage resource available in a computer
    • Cache RAM: Retrieving data from slower devices and temporarily storing it on high-performance devices. Cache can improve system performance.
  • Registers: The core part of the CPU that provides directly accessible storage locations
  • Memory Addressing: Five Different Types of Addressing
    • Register addressing: using the register address to access the contents of the register
    • Immediate addressing: A method of referencing some data that is made available to the CPU as part of an instruction
    • Direct addressing: The actual address of the memory location being accessed is given to the CPU
    • Indirect addressing: The memory address provided to the CPU as part of the instruction does not contain the actual value the CPU is to operate on
    • Base address + offset addressing: Use the value stored in a certain CPU register as the base address to start calculation, then add the offset provided by the CPU instruction to the base address, and calculate the storage location to retrieve the operand
  • Auxiliary storage: refers to magnetic/optical media or other storage devices that contain data that cannot be immediately obtained by the CPU.
    Auxiliary storage is cheaper than actual storage and can store a large amount of information. Hard drives, floppy disks, and optical media can all be used as auxiliary storage.
  • Memory security issues:
    The most important security issue surrounding memory is controlling who can access the data held in memory while the computer is in use.

9.1.3 Storage devices

  • Primary storage devices and secondary storage devices
    • Main storage device: RAM used by a computer to store necessary information that is easily accessible to the CPU during runtime
    • Secondary storage device: consists of magnetic media and optical media
  • Volatile storage devices and non-volatile storage devices
    • Volatility is a measure of the likelihood that a storage device will lose data when power is removed
  • Random access and sequential access
    • Random access memory devices allow the operating system to instantly read data from any location within the device through certain addressing systems
    • Sequential storage devices require that all data physically stored before a specified location be read before reaching that location.

9.1.4 Security of storage media

  • Data remanence: Data may still remain on the secondary storage device after being deleted. Sanitization can solve this problem.
  • Sanitization does not work on SSDs
  • Secondary storage devices are susceptible to theft
  • Access to data stored on secondary storage devices is one of the most critical issues facing computer security experts

9.1.5 Input and output devices

Input and output devices are not basic, primitive peripherals and present security risks

  • monitor
    • TEMPEST technology can compromise the security of data displayed on the monitor
    • Shoulder surfing and telephoto camera lenses are the biggest risks
  • printer
    • Forgetting to collect printed sensitive information
    • The disk retains copies of printed material indefinitely
  • Mouse and keyboard
    • Monitoring with TEMPEST technology
  • modem
    • Unless modem use is necessary for business reasons, the use of modems should be given priority consideration in the organization's security policy
  • input/output structure
    • Memory-mapped I/O: Access to mapped memory locations should be mediated by the operating system and subject to proper authorization and access control
    • Interrupts (IRQs): Only the operating system has indirect access to IRQs at a high enough privilege level to prevent tampering or accidental misconfiguration
    • Direct memory access (DMA):

9.1.6 Firmware

Firmware: describes software stored in a ROM chip that rarely changes

  • BIOS: Basic input/output system. UEFI (Unified Extensible Firmware Interface) replaces the BIOS of traditional systems
  • Device firmware:

9.2 Client-based

Applet: A code object sent from the server to the client in order to perform some operation

  • Advantage
    • Processing pressure is shifted to the client, thereby preventing server resources from
    • Can respond faster to modifications to input data
    • In a properly programmed applet, the security and privacy of insight data can be maintained
  • Security issue: The applet allows the remote system to send execution code to the local system
  • Java applets and ActiveX controls
    • Java applet: Advantages: It can be shared between operating systems and does not require modification. Disadvantages: The sandbox reduces the kinds of malicious activity possible through Java, but there are still many widely exploited vulnerabilities.
    • ActiveX control: It has full access rights to the operating system and can perform many privileged operations. If it becomes weak, Active
  • Local cache: Any content temporarily stored on the client for future reuse
    • ARP cache poisoning, DNS cache poisoning, temporary Internet files or Internet file caching
    • Methods to mitigate local cache security risks:
      • Install operating system and application patches
      • Install host intrusion detection system and network intrusion detection tools to regularly audit logs

9.3 Server-based

The server focuses on data flow control

9.4 Database security

Without database security efforts, business tasks can be compromised and confidential information leaked.

9.4.1 Aggregation

  • Aggregation: Combining records from one or more tables to generate potentially useful information
  • Prevention methods: Strictly control access to aggregate functions and fully estimate the potential information that may be exposed to unauthorized individuals

9.4.2 Inference

  • Inference: Using the combination of several non-sensitive information fragments to gain access to information corresponding to higher-level classifications
  • Solution: Use obfuscation and be wary of individual user privileges

9.4.3 Data mining and data warehousing

  • Data warehouses contain large amounts of potentially sensitive information and are vulnerable to aggregation and inference attacks
  • Data mining techniques can be used as security tools when developing benchmarks for anomaly-based intrusion detection systems

9.4.4 Data analysis

Data analysis: Examine raw data and extract useful information

9.4.5 Massively parallel data systems

Parallel data system or parallel computing system

9.5 Distributed systems

  • Distributed system structures are prone to unexpected vulnerabilities
  • Communications equipment can provide undesirable access to distributed environments

9.5.1 Cloud Computing

  • Cloud computing has issues: privacy concerns, compliance difficulties, adoption of open standards and whether cloud-based data is secure
  • Cloud concepts
    • Platform as a Service (PaaS): Provides computing platforms and software solutions as virtual or cloud-based services, providing operating systems and complete solutions
    • Software as a Service (SaaS): Provides on-demand online access to a specific software application or suite without requiring local installation. SaaS can be a subscription service, a paid service, or a free service.
    • Infrastructure as a Service (IaaS): not only provides solutions for secure operations, but also provides complete outsourcing options

9.5.2 Grid computing

  • A form of parallel distributed processing that loosely groups a large number of processing nodes together to work to achieve a certain processing goal.

9.5.3 Peer-to-Peer (P2P)

Peer-to-peer technology is a solution for networking and distributed applications for sharing tasks and workloads between peer-to-peer entities. The main advantage of grid computing is that there is no central management system and the provision of services is real-time.

9.6 Industrial control systems

  • Distributed Control System (DCS): Responsible for collecting data and implementing control from a large network environment at a single location, using analog or digital systems
  • Programmable logic controller (PLC): An effective single-purpose or special-purpose digital computer used for various industrial electromechanical automation management and operations
  • SCADA (Supervisory Control and Data Acquisition System):

9.7 Assess and mitigate web-based system vulnerabilities

  • Vulnerabilities include XML and SAML, as well as issues discussed in the Open Web Application Security Project (OWASP)

9.8 Assess and mitigate mobile system vulnerabilities

  • Malicious insiders can bring malicious code inside via different types of external storage devices.
  • Mobile devices contain sensitive data

9.8.1 Equipment security

  • Full-device encryption:
  • Remote wipe: Remote wipe can remotely delete all data and even configuration settings on the device. Because data recovery tools may be able to restore the data, remote wipe should be used together with encryption.
  • Lockout: After multiple failed attempts, the account or device is disabled until the administrator clears the lockout flag.
  • Lock screen: Prevent someone from accidentally picking up and using your phone or mobile device
  • GPS: Track your lost device with GPS tracking
  • App Control: Restrict apps on the device, which can also be used to force the installation of specific apps or perform settings for certain apps.
  • Storage segmentation: artificially dividing data of different types or values on storage media
  • Asset tracking:
  • Inventory control:
  • Mobile Device Management: Solve the challenging task of employees using mobile devices to access company resources
  • Device Access Control: Reduce unauthorized access to mobile devices, such as forcing lock screen configuration and preventing users from disabling the feature
  • Removable storage:
  • Turn off unused features, delete applications and disable other features that are not necessary for business tasks and personal use

9.8.2 Application security

App Security: Focus on the apps and features used on your device

  • Key Management
    Most cryptosystem problems lie in key management rather than algorithms. Once keys are created, store them in a way that minimizes exposure to loss and risk.
  • Credential Management: Credential storage in a central location is called Credential Management
    Credential management solutions provide a way to securely store large sets of credentials
  • Authentication: A prudent combination of device authentication and device encryption to prevent access to stored information over a connecting cable
  • Geotag: GPS
  • Encryption: Encryption can provide a confidentiality mechanism against unauthorized data access.
  • Application Whitelist: A security option that prevents unauthorized software from being executed

9.8.3 BYOD concerns

  • BYOD: Allows employees to bring their own personal mobile devices to work and use these devices to connect to corporate network services or the Internet
  • Problems caused by BYOD:
    • Data ownership: Provide data isolation, segmentation, support business data processing without affecting personal data
    • Ownership support
    • Patch management
    • Anti-virus management
    • Evidence collection (forensics)
    • Privacy
    • Onboarding/offboarding
    • Adherence to company policies
    • User acceptance
    • Architecture/Infrastructure Considerations
    • Legal Issues
    • Acceptable use policy
    • Onboard camera/video

9.9 Assess and mitigate the vulnerabilities of embedded devices and IoT systems

  • Embedded systems use computers to implement part of a larger system

9.9.1 Embedded systems and static data examples

  • Network-enabled devices are portable or non-portable devices that have network capabilities themselves
  • A cyber-physical system refers to a device that uses computational means to control something in the physical world
  • A new extension of cyber-physical systems, embedded systems, and network-enabled devices is the Internet of Things (IoT)
  • Mainframes are high-end computer systems used to perform highly complex calculations and provide large-volume data processing
  • Modern mainframes are more flexible
  • In-vehicle computing systems monitor engine performance and optimize braking, steering and suspension components

9.9.2 Security methods

  • Embedded systems or static systems often lack security and are difficult to upgrade or install patches. Security management methods:
    • Network segmentation: Involves controlling traffic between networked devices. When isolation is complete, transmission is limited to the devices within the separated network
    • Security layer: When devices with different classification levels or different sensitivities are grouped together, a security layer isolates the groups of different levels. Logical isolation requires data packets to carry different classification labels; physical isolation requires network segmentation and spatial isolation between networks of different security levels
    • Application firewall: Device, server plug-in, virtual service or system filter that defines strict communication rules between a service and all users
    • Network firewall: A device designed for general network filtering, with the goal of providing broad network-wide protection.
    • Manual upgrades: Used in a static environment to ensure that only tested and authorized changes are implemented. Using an automatic update system would allow undetected updates to introduce unknown security downgrades
  • Firmware versioning: Firmware versioning prioritizes maintaining a stable operating platform while minimizing hazard exposure and downtime
  • Wrapper: Encloses or wraps something else, a control channel can be a specific wrapper, including integrity and authentication functions
  • Control redundancy and diversity: Defense in depth uses multi-layered access control in a concentric circle or flat layer manner to avoid the trap of a single security function failure through redundant and diverse security controls.

9.10 Basic security protection mechanism

The security mechanism is divided into two parts: technical mechanism and policy mechanism.

  • Technical mechanism: the control measures established by the system designer for the system
    • Layered approach: implement a structure similar to the ring model used for operating systems and can be applied to each operating system process. Communication between layers can only use specific well-defined interfaces to provide the necessary security.
    • Abstraction: The user of an object does not need to know the details of how the object works, only the correct syntax for using it and the integrity of the data returned as a result. Another form of abstraction is the introduction of security groups.
    • Data hiding: an important feature of multi-level security, which can ensure that data at a certain security level is invisible to processes running at different security levels.
    • Process isolation: The operating system is required to provide different memory spaces for the instructions and data of each process. The advantages of process isolation: prevent unauthorized data access and protect the integrity of the process.
    • Hardware segmentation: Used to prevent access to information belonging to different processes/security levels. Hardware segmentation enforces these requirements through physical controls, whereas process isolation relies on logical isolation imposed by the operating system

9.10.2 Security policy and computer architecture

  • Security policies guide an organization’s daily security operations, processes, and measures.
  • The role of security policy is to inform and guide the design, development, implementation, testing and maintenance of certain special systems
  • A policy that prevents information from flowing from higher security levels to lower security levels is called a multilevel security policy

9.10.3 Policy mechanism

  • Principle of least privilege
  • Separation of privileges and separation of duties can be thought of as the application of least privilege for administrators
  • Accountability: Supporting accountability requires user activity records, reliable auditing and monitoring systems, flexible authorization systems, and perfect identity authentication systems

9.11 Common Bugs and Security Issues

The purpose of the security model and architecture is to address as many known flaws as possible

9.11.1 Covert channel

  • A covert channel is a method used to transmit information that violates, bypasses, or circumvents security policies without being discovered.
  • Covert channel type:
    • Timing covert channel: changing the performance of system components or changing the timing of resources to convey information in a way that is difficult to detect
    • Storage covert channel: writing data to a public storage area that other processes can read to convey information
  • Implement auditing and analysis of log files as the best protection against covert channel activity

9.11.2 Attacks and security issues based on design or coding flaws

Poor design methods, poor implementation applications and measures, and insufficient testing may lead to specific attacks.

  1. Initialization and failure status: Trusted recovery can ensure that no access activity occurs when security controls fail, even during the system recovery phase
  2. Input and parameter checking: The type of attack that results from attempting to inject malicious code as part of the input to a program is known as a buffer overflow. The responsibility for buffer overflow vulnerabilities lies with the programmer.
  3. Maintenance hooks and privileged programs: Maintenance hooks are system entry points known only to system developers, also known as backdoors. Unauthorized administrators accessing backdoors can be discovered by monitoring audit logs.
    • System vulnerability is a situation where the security level of a program is increased during execution
  4. Incremental Attacks: Attacks occur in slow, gradual increments
    • Data diddling occurs when an attacker gains access to a system and makes small, random, or incremental changes to data during storage, processing, input, output, or transaction processing. Data diddling is a method of modifying data and is considered an active attack
    • Salami attack: systematic reduction of assets in accounts or financial institutions

9.11.3 Programming

  • The biggest flaw in programming: buffer overflow
  • All programs must be fully tested to comply with the security model
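
The input and parameter checking point in 9.11.2 and the buffer overflow point above, as an added example that is not part of the original notes. The record format, the function name parse_record and the status codes are assumptions made for illustration; the code shows the length checks whose absence produces an overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum parse_status { PARSE_OK, PARSE_BAD_ARG, PARSE_TRUNCATED, PARSE_TOO_LONG };

/*
 * Constructed record format (an assumption for this example):
 *   bytes 0-1  payload length, big-endian, supplied by the sender
 *   bytes 2-   payload
 * Copies the payload into dst as a NUL-terminated string.
 */
enum parse_status parse_record(const uint8_t *in, size_t in_len,
                               char *dst, size_t dst_cap, size_t *out_len)
{
    if (in == NULL || dst == NULL || out_len == NULL || dst_cap == 0)
        return PARSE_BAD_ARG;
    if (in_len < 2)
        return PARSE_TRUNCATED;          /* header itself is incomplete */

    size_t declared = ((size_t)in[0] << 8) | in[1];

    /* Check 1: the sender's length must fit in the bytes actually received.
     * The subtraction is done on the trusted value so it cannot wrap. */
    if (declared > in_len - 2)
        return PARSE_TRUNCATED;

    /* Check 2: it must fit in the destination with room for the NUL.
     * Without this check, memcpy would write past the end of dst. */
    if (declared >= dst_cap)
        return PARSE_TOO_LONG;

    /* Check 3: the payload is used as a C string, so reject embedded NULs
     * that would make later code see a shorter value than was validated. */
    if (memchr(in + 2, '\0', declared) != NULL)
        return PARSE_BAD_ARG;

    memcpy(dst, in + 2, declared);
    dst[declared] = '\0';
    *out_len = declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs: one honest record, one that lies about its length. */
    const uint8_t good[] = { 0x00, 0x05, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lying[] = { 0xff, 0xff, 'x' };
    char name[16];
    size_t n = 0;

    printf("good:  %d\n", parse_record(good, sizeof good, name, sizeof name, &n));
    printf("lying: %d\n", parse_record(lying, sizeof lying, name, sizeof name, &n));
    return 0;
}
```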

9.11.4 Timing, status changes and communication interruptions

  • Attackers can develop exploits based on the predictability of task execution
  • When the state of a resource or the entire system changes, an attacker can attempt to take actions between two known states.
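
The gap between two known states described above is commonly called a time-of-check to time-of-use race. The following added example, which is not part of the original notes, puts a check-then-use file open beside a form that validates the object after opening it; the function names and the ownership and permission policy are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern, shown for contrast and never called here: the check and the
 * use each resolve the path, so the object can change between the calls. */
int open_check_then_use(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                    /* state 1: path is a regular file */
    /* window between the two known states */
    return open(path, O_RDONLY);      /* state 2: path is resolved again */
}

/* Hardened pattern: take the descriptor first, then validate the object the
 * descriptor refers to. Later changes to the path no longer matter.
 * O_NOFOLLOW refuses a symlink in the final path component only. */
int open_then_check(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||                  /* no devices, FIFOs, dirs */
        st.st_uid != expected_owner ||           /* owner we expect */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {    /* nobody else can write */
        close(fd);
        return -1;
    }
    return fd;   /* every later read uses this descriptor, not the path */
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    int fd = open_then_check(argv[1], getuid());
    printf("%s: %s\n", argv[1], fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```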

9.11.5 Technical and process integrity

9.11.6 Electromagnetic radiation

  • The easiest way to eliminate electromagnetic radiation interception: reduce the radiation by shielding the cables or placing them in conduits

Origin blog.csdn.net/Runnymmede/article/details/133364260