Chapter 1: A Refresher on Defensive Security Concepts
Cybersecurity is no longer an exclusive matter of the IT department, it is increasingly an issue that needs to be understood by the company's leadership and a challenge that involves the awareness and knowledge of each of the members of the organization.
– Rogelio Umaña - Senior Partner | Digital Transformation for RDP Consulting
Understanding the core cybersecurity concepts is key to becoming a master. A master is not just defined by their experience in relation to a given technology, but also by their deep understanding of the topics and the proper use of the technological jargon and concepts.
As a cybersecurity expert, you may be engaged by the media who want to know more about the latest attack, or called by the government to be part of a team of advisors in cybersecurity. In both cases, you will have to be prepared to speak up and provide your expert opinion, and this chapter will prepare you to be so well-grounded in cybersecurity concepts that you are able to speak as a master!
As part of this journey, we're going to cover the following main topics:
- A deep dive into the core of cybersecurity
- Managing cybersecurity's legendary pain point: Passwords
- How to master defense-in-depth
- A comprehensive explanation of the Blue and Red teams
Deep dive into the core of cybersecurity
A master possesses a higher knowledge and understanding of their domain. In this case, you should understand all the concepts, terminology, and attacks to confidently speak as a cybersecurity expert. It is not about repeating what you are told; it is about acquiring a level of understanding in which you can explain all these topics to the point that everyone will understand them (even if they are not familiar with IT concepts).
The cybersecurity triad
A CISO once told me: If you want to see whether the person talking about an attack really knows their business, just ask: What element of the CIA triad is being impacted by this attack? If no response is forthcoming, that person is a newbie. If the answer is not clear or lacking in arguments, that person is a junior, but if the response clearly outlines what elements of the triad will be affected by the attack and why, then you are talking with an expert.
This triad is especially important when working on defensive security because it will help you to prioritize the risks based on the impact and how that impact correlates with the business.
This is especially important for organizations as this helps them to identify priority areas to invest in (and to provide more resources) to reduce the impact or damage to the company in the event of a cyber attack. For example, an attack on the availability of the informational web page of an HR company may result in a minimal impact on the business, while an attack on the confidential information that they manage could be catastrophic.
Figure 1.1 shows the three components of the CIA triad: Confidentiality, Integrity, and Availability. Now, let's take an in-depth look at each of these three concepts.
The attacks affecting confidentiality are based on access by an unauthorized person to the company's data. But how do you know who can access which kinds of data? The best way to respond to this question is by following the best practice that says that all companies must have their data classified and labeled based on its sensitivity. That way, you can effectively determine how to put in place the appropriate controls. The data can be classified as follows:
- Restricted: This is the most important data the company possesses as it may include trade secrets that, if disclosed, could have a catastrophic impact on the company.
- Confidential: This is data that companies must keep confidential (on a need-to-know basis). Many times, this type of data is associated with some external regulations, and sanctions and fines may apply if disclosed.
- Private: This is less sensitive data. However, it is not intended for public consumption and should be maintained within the organization.
- Public: This is data that is intended for public distribution (most of the time, it is available and indexed online).
Besides keeping the data confidential, we also need to ensure that data is not altered by a malicious actor. In fact, we need to ensure that appropriate mechanisms are in place to ensure that the data will only be changed by authorized parties.
This is especially relevant if your company runs a transactional website (such as an e-commerce website) because an attacker may attack your database and create or modify discount codes and, by the time you discover the issue, your merchandise may already be sold and delivered for a fraction of the original price.
What makes these attacks more dangerous is that the attacker will not just apply this discount to their purchase but for everyone. Therefore, you may find 1,000 orders discounted by 99%, making it harder for you to identify who performed the attack.
The most famous hacks to banks were caused because the integrity of the data was compromised.
Therefore, due to the impact of these kinds of attacks, companies must proactively and constantly invest time and resources to prevent them.
These attacks aim to disrupt the availability of a given system, network, or web resource.
Except for online stores, these are the less dangerous type of attack; however, such attacks are also the most common type of attack. In fact, the majority of the attacks performed by Hacktivist groups aim to disrupt system availability.
Types of attacks
To implement a good defensive strategy, you must understand the current threat landscape and the most common types of attacks—you cannot be protected against the unknown. Some sources separate the attacks by type based on the area of impact; for example, network attacks and physical attacks. However, such a high-level categorization is too simple for a master like you, so instead, I am going to provide you with an extensive and up-to-date list of the most common types of attacks that you may encounter today, as seen in Figure 1.2:
Now, let's explore each of these categories so as to have a better understanding of the current threat landscape.
Everyone is familiar with this type of attack. In fact, almost everyone will be affected by this type of attack at least once in their life. However, while most of them can be prevented with good and up-to-date antivirus software, it is worthwhile keeping an eye on new threats to ensure that our protection mechanisms are capable of dealing with new threats.
To enhance the efficacy of these types of attacks, normally they are used in conjunction with other tactics to spread it, for example, by using social engineering.
There are several types of malware, including RAT, Trojans, Worms, Ransomware, Spyware, and more. Each of them is different and you must understand their unique characteristics to be able to appropriately defend against them.
As a fun fact, I recall when I discovered that the reason for me having to re-install the OS of my mom's computer every week was due to my brother believing in his good luck when surfing the internet:
Now, let's look at the biggest threat to the security of any corporation, infiltration through social engineering:
As technology enthusiasts, we often focus on securing our systems and networks. In fact, we may invest a lot of time, effort, and resources in building a robust cybersecurity environment, but that will not be complete until you include the weakest actor, the user.
I have seen many cases when a company suffers a catastrophic attack, not because their expensive systems were breached, not because they were attacked by a sophisticated zero-day vulnerability, but because an employee inadvertently provided their credentials to an attacker.
This topic is normally overlooked, and criminals know that, so you must understand and apply all the strategies, mechanisms, and systems to avoid these types of attacks in your organization. In Chapter 4, Patching Layer 8, we will go in deep about how to defend against attacks including phishing, spear phishing, whaling, pharming, and more.
Imagine you are on a date in the mall, and you want to show a video, but Murphy's law intervenes and your internet speed is extremely slow. However, there is a Wi-Fi network called Free Wi-Fi – sounds like a miracle, right? Well, let me tell you that it is not your lucky day. Chances are that a cybercriminal knows that cellular reception is poor in that area and lays a trap to capture all your data without you even noticing it.
While this is a simplistic case of a man-in-the-middle-attack, it shows you how easy it is to achieve it.
In terms of techniques, the criminal may use one of the many available, such as session hijacking, IP spoofing, replay, or eavesdropping. These will be covered in depth in Chapter 8, Enhancing Your Network Defensive Skills.
The all-time favorite attack employed by hacktivists, the Distributed Denial-of-Service (DDoS) attack, is very interesting because it may affect you in two ways, as an attacker, and as a target. As mentioned earlier, the impact of these kinds of attacks depends on the nature of business; however, your infrastructure can be used by an attacker to launch a Botnet-based attack on another company and that will have serious implications for your company regardless of the type of business.
A Botnet is a network of infected devices that are remotely controlled by an attacker (normally using a command and control server) to perform a plurality of tasks without the consent and knowledge of the owner of the device. The controlled or infected machines are normally called zombies and, as mentioned, they will perform background tasks such as DDoS attacks, sending spam, and mining cryptocurrency (Bitcoins).
One interesting variant of these attacks is the SYN flood attack. This attack is very interesting and clever, and it is based on the TCP three-way handshake. But wait, what is a TCP three-way handshake?
Let me do an analogy to explain it: Imagine that you (the client) need a cab (the server), so you decided to call the cab (SYN). When the cab arrives, it informs you that it is at the gate (SYN-ACK) and waits for your confirmation to pass (ACK). Now, imagine that you never confirm and keep calling more cabs. Eventually, your driveway will be full of cabs, preventing the arrival of any other car to your house.
I know this SYN Flood Attack may sound very technical, but that doesn't make it less common. Additionally, there are many other ways to execute a DDOS attack, and another cool example is the teardrop attack.
The teardrop attack leverages an old vulnerability in which the system tries to reassemble fragmented packets, but since they were corrupted, the system crashes (by taking the CPU to 100%). As mentioned, this is an old vulnerability and an up-to-date system should not be affected. However, there is a new version called FragmentSmack, which affects current OSes, including Windows 10 and Linux distributions (see CVE-2018-5391). The good thing is that there are already patches for both.
As a walkaround in Windows systems, you can disable packet reassembly as follows:
Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0
There are other types of DDoS attacks, including the Ping of Death and Smurf Attacks (using ICMP packets), but these are old attacks that you should be already familiar with, so I am not going to waste your time on them.
These types of attacks are one of the most dangerous ones because they will hit us by surprise.
When dealing with these types of attacks, reacting fast is the key. In fact, you need to be on the lookout for new vulnerabilities all the time, so that you can understand them, evaluate whether they affect your infrastructure, and find a workaround or mitigation until an official solution or patch is released.
There are many sites and blogs with cybersecurity news; however, as you may know, fake news is prevalent, so you will need to make sure you use a responsible source that provides you with the best information. Personally, I would recommend that you use the following sites to stay up to date with the latest vulnerabilities and threats:
RSS feeds are cool
As a side note, I suggest you use RSS feeds to subscribe to the sites above to get all the news in real time. You can get them on your phone using a widget or app or you can add them to your messaging app. For example, I use Slack and the integration is very cool (https://slack.com/help/articles/218688467-Add-RSS-feeds-to-Slack).
I recall the times when you modify the host file on a Windows 2000 machine just to have some fun by redirecting pages around. However, things have changed and now there are many more sophisticated DNS-related attacks.
Now, let's take a look at everything you need to know about the most popular DNS attacks today.
In this attack, the computer is normally affected by malware that points the computer to the attacker's DNS server instead of a trusted DNS, allowing the attacker to control and redirect all the traffic.
Here are some defensive measures that can be taken:
- Protect endpoints against malware attacks.
- Always check the URL of the site.
- When possible, type the URL instead of clicking on links (especially from emails)
- Implement DNSSEC.
- Check and/or monitor the Host file for modifications.
- You can also use this web page to check whether your DNS is compromised: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS.
This attack uses the same principle as the one mentioned previously. It is about intercepting a DNS request and replaying it with a bogus website in response. To achieve this, the attacker intercepts the request between the victim and the real DNS to provide the user with a response to a malicious site.
Here are some defensive measures that can be taken:
- Avoid connecting to open hotspots.
- Avoid connecting to public networks.
- Avoid connecting to free Wi-Fi.
DNS router attack
In this case, the attacker leverages a vulnerability on the router to perform the redirection to the malicious site.
Here are some defensive measures that can be taken:
- Change the default admin and connection passwords on your network devices (routers, access points, and so on).
- Keep the firmware of your network devices up to date.
- Try purchasing network devices of known reputation (a bad quality firmware device may be vulnerable).
DNS cache poisoning
This is very similar to DNS hijacking, but in this case, the attacker just modifies the DNS cache to send future requests to malicious sites.
The following diagram depicts an exemplary embodiment of a cache poisoning attack:
But don't worry, here are some defensive measures that you can take against this threat:
- Place your DNS resolvers inside your firewall.
- Remove unnecessary DNS resolvers to reduce risks.
- DNS servers must be hardened to ensure all unnecessary services are removed (thus reducing the points of failure and potential vulnerabilities).
- Use a random source port, randomize the query ID, and use random case (uppercase/lowercase) in domain names.
- Flush your DNS cache macOS (Catalina):
sudo killall -HUP mDNSResponder
- Flush your DNS cache Windows:
- Clear your browser cache.
Additionally, in case you have a system exposed to external users, it is recommended to implement a "reboot and restore" system, so in case someone changes the DNS locally, those values will be deleted (and restored to their original values) once the computer is rebooted or the user is logged out.
Domain hijacking and redirection
This attack is aimed at web resources (web pages, web apps, and so on). Here, the attacker will modify the DNS on your domain registrant to send all the traffic aimed at your page to another server. Here, the attackers use misspelled names or letters that look similar to the original to fool the user into believing that they are accessing the real site.
Here are the defensive measures that can be taken:
- Register your domains with a trusted company.
- Avoid registering domains with several vendors.
- Use crazy long random passwords for your DNS admin account (based on a password manager).
Let's consider an example.
Do you think these two domains are the same:
They look the same, but they are not, and that is one of the tactics used on these types of attacks (and also in some phishing attacks) to trick the victim into thinking that they are on the original site when they are not.
In this example, the first domain has an uppercase
i, while in the second example, it uses a lowercase
L, similar to the eye, but clearly not the same domain.
This is a very clever attack in which the attacker uses DNS queries and responses to exfiltrate data without detection. This exfiltration mechanism allows the attacker to bypass most network controls. However, this attack is very complex as it requires the attacker to have control over the machine where the data resides (normally by using a command and control malware), the internal DNS server, an external DNS server, and a domain.
Normal DNS query:
C:\Users\Cesar> Nslookup mysite.com Server: dns.google Address: 126.96.36.199 Non-authoritative answer: Name: mysite.com Address: 188.8.131.52
DNS tunneled query:
C:\Users\Cesar> Nslookup company_exfiltrated_data123.com Server: dns.google Address: 184.108.40.206 *** dns.google can't find company_exfiltrated_data123.com: Non-existent domain
Here are the defensive measures that can be taken:
- Set up monitors to track anomalies on DNS traffic (many of these attacks exponentially increase the number of DNS queries to exfiltrate large amounts of data).
- Analyze DNS queries to identify anomalies.
DNS tunneling tools
There are several tools for exfiltrating the data, including
heyoka, and some other tools designed to sniff the content of the DNS queries, including
Remember that this is a sample list that you can use as a baseline, but there are many other types of attacks that I won't mention here but will be covered later, for example, IoT attacks, web-based attacks, and more. However, keep in mind that a master should continue researching to stay up to date and always be on the lookout for new threats and vulnerabilities.
Managing cybersecurity's legendary pain point: Passwords
Passwords are probably the biggest pain for us in our job. The interesting part is that for the last 14 years, many experts have been saying that passwords will disappear, but despite all the new authentication technologies, passwords are still around and probably will stay with us for a long time. Therefore, as security experts, we need to constantly look for innovative ways to protect against password-based attacks and that's why, in this chapter, we will review the most common types of attack and how to protect you and your infrastructure against them.
Nowadays, it is becoming a very common sight to see a new data breach (exposing the emails, usernames, and passwords of millions of users to the internet) almost every month or week. Therefore, while you cannot control the level of security that other companies put on your personal data, there are some extra steps that you can take to prevent being impacted by those attacks.
If you haven't already done so, check whether your account has already been compromised. You can do this on the famous site https://haveibeenpwned.com and https://dehashed.com/.
One of the cool features that you can find on those pages is the ability to search by email, user, or even by a password. Also, those sites will tell you some very interesting information, such as the name of the hacks in which your data was exposed, username details (in case the site uses a custom username instead of an email), and the hash of the compromised passwords.
I was struggling to decide whether I should add this step or not (because this may be obvious for a pro like you); however, if I don't add this, some people may call me out on this, so here it is: If your password is found on any of those sites, then change your passwords (all of them):
- Use or enable multi-factor or multi-step authentication when available.
- Migrate to stronger password-less solutions when available (such as Microsoft Authenticator).
But wait, Cesar, aren't you going to recommend password vaults? Actually no, because a password vault will not help you in these kinds of attacks because it doesn't matter if your password is CesarRocks or Iam_having-a.greattimereadingthisbookin2021 because both will be disclosed in the same way, as a hash that may look like this: 31b54027af2ed2299b2bd7fda556d782.
Do you want to decode a hash? You may use a page such as https://md5hashing.net/hash, which uses hash matching (dictionary tables) to decode a hash.
Multi-factor versus multi-step authentication
There are still people who use these two terms interchangeably, but as a master in security, you must know the difference.
Multi-factor means that you are using at least two different factors during the authentication process. This includes the original three (something I know, something I have, something I am), plus two more that researchers are introducing: somewhere I am (this is enabled by geoposition and geofencing technologies) and my personal favorite, something you do (this is enabled by IoT devices).
An example of this will be your bank asking you to move your writs to the right to authenticate. This movement will be captured by the accelerometers in your smartwatch and that data shared by using a secure API with the bank.
Social engineering attacks using compromised passwords
This is an interesting attack because it requires no technical knowledge on the part of the attacker, which makes this a very common and dangerous threat.
Here, the attacker gathers email/password combinations from published password breaches and uses them to trick people into believing that they have been hacked for a long time and that the hacker contains sensitive information about the person. There are several variants of these attacks that vary from telling the victim that the hacker accessed the webcam and have compromised videos/photos of the victim, or that the hacker got access to the browsing history and that it will publish the victim's "dirty" website history unless some payment is made.
As a security expert, you may have fun when receiving an email like this one, but remember, as a professional, your mission is to help others from falling victim to these kinds of attacks, from family and friends to coworkers, and especially high-end targets, such as executives of your company. The best way to deal with these kinds of attacks is through education. In fact, user education is one of the keys pillars for any cybersecurity strategy. This topic is so important that I decided to create an entire chapter for you!
Use your social media as a tool to let others know that this is a hoax. Try to post something related to these kinds of attacks on your LinkedIn, Facebook, and Instagram accounts at least every 3 months. This simple act may save your friends a lot of trouble and money while helping you to grow your social eminence.
As a cybersecurity expert, you have great powers, but also great responsibilities.
One of the most common attacks on passwords is brute-force attacks. By far the most famous app to achieve this is John the reaper, in which you can customize the attack to reduce the time required to expose a password.
In these types of attacks, password complexity (and size) matters, so let me use some math to prove it.
We have two variables: the spectrum of possibilities (S) and the password length (L). In the alphabet, we have 26 characters, so it means our spectrum of possibilities is 26, but that is considering just one case, because if we use lowercase and uppercase, then it increases to 26+26 = 52.
This means that if we have an 8-character password (L) with just lowercase letters (S), the number of possibilities will be SL, or, in this case, 268, which means around 200 billion combinations.
Some of you may think that 200 billion is a huge number of possibilities to guess, but a modern computer can guess 100 billion combinations every second, which means that our 8-character password with just lowercase can be cracked in 2 seconds.
But no worries, all we have to do is to increase the spectrum of possibilities (S) as follows:
- By adding numbers, the spectrum (S) increases by 10. This is equal to 368, which can be guessed in 30 seconds.
- By adding special characters as well, the spectrum (S) increases by 32. This is equal to 688, which can be guessed in 1.5 hours
- By adding uppercase, too, the spectrum (S) increases by 26. This is equal to 948, which can be guessed in 20 hours.
All this math proves that an 8-character password is no longer secure. Therefore, to be considered secure, a password should be at least 10 characters long and include all of the above. This math is very important, especially to support the requirements to determine the password policy of your organization (and gain the buy-in from users and executives).
If you want to check the password strength without having to do all the math, I recommend the following site: https://www.grc.com/haystack.htm
This is similar to a brute-force attack, but instead of guessing the password, it uses a dictionary with the most common passwords.
You can find dictionaries with millions of passwords. In fact, some of them are so big that they can make Notepad crash. So, to make it easier for the attacker, most dictionaries are sorted by topic, region, language, or by source (normally from a password breach).
As mentioned, this attack is different from the attacker's point of view, but the same tips provided earlier work for this type of attack.
If you want to see what dictionaries look like, here you can see many dictionaries sorted by several factors: http://www.md5this.com/tools/wordlists.html.
Take a look at these two passwords and think which one is more secure, and then go to the link above and see the results:
Creating a secure password
If there has ever been a never-ending debate, it is probably the one about password strength. My grandpa used to say: Avoid talking about religion, politics, and soccer because it will always end in a fight and you will lose many friends. Well, I think that "password strength" conversations should also be included on that list.
I remember being on a board of experts from all around the world discussing very challenging topics and, despite our differences, we were able to agree on all topics but one: passwords!
Some experts believe in pure length (such as using long phrases), others in complexity (they want something unreadable), others want both, but the most controversial topic is around password expiration. There are mainly two parties – the dictatorial and the user friendly.
The dictatorial don't care about the user experience, they just want to create the rules and leave it up to the user to figure out how to comply (even if this means writing the password on a sticky note below the keyboard).
On the other hand, the user-friendly group uses a more empathic approach by analyzing how realistic it would be for users to comply with a given rule without adopting bad practices.
In that context, instead of taking one side or the other, you must make your decisions based on facts (data never lies). Therefore, to create a bulletproof password expiration policy, I recommend that you find a response to the following questions:
- How technical is my audience?
- How educated are they in terms of passwords?
- Can you apply segmentation based on user roles? (Privileged users will change their password every 90 days, while regular users will do this every 180 days).
- Do I have the infrastructure to enforce this policy?
- Can you apply segmentation based on the data/systems accessed/used?
- Do they have the tools and training to create/store/manage complex passwords?
Additionally, there are Three Golden Rules to help you improve password security within your organization:
- Implement password vaults: By default, people don't trust putting all your credentials on an app. In this case, you need to educate users and show them all the benefits of using a password vault (starting with the fact that this is better than having the password on a post-it under your keyboard).
But don't go the hard way by making a policy and forcing everyone to implement it. Instead, lead by example, show the people how much you love using your password vault, how easy it is to use it, and how convenient it is to log on to all your apps with a single click. Brag about how you have a unique bullet proof 80-character password for each of your accounts, yes, a different password for each account. Let them know that this is not just for corporate usage, but for their personal life, show them how confident you are that your boyfriend will never be able to guess your password because you will never have to tape it (never be afraid of shouldering again), just a single click and bam!, you are connected to your account. The only thing you need is a password vault app (there are many free and even open source options) and a master password to unlock it (since you only need to remember one, make sure this one is secure). Remember that passphrases are always a good option.
Once people see how easy this is, they will love it and begin asking for it (so instead of you chasing them to implement it, they will chase you to have it). If you want to reduce costs, you can try KeePass, it has everything you need and is free and open source. Another option is to use LastPass; they have a great version for free, but also offer some extra options that may be useful to your organization for a very low cost.
To create a passphrase, try using a sentence that you won't forget, such as I remember the day when I met my girlfriend at Walmart, or I would never eat a burger again at Happy Burger.
- Once everyone loves it, create a policy and a system to enforce it: Make sure that a policy is created, approved, and published before applying any enforcement mechanism. Otherwise, you may end up with a lot of complaints and unnecessary support tickets due to password issues.
- Don't be a ruler, be a leader: Instead of defining a crazy password policy that no one understands and everyone hates, create some training or webinars relating to passwords, as well as the dangers and consequences of a data leak caused by a weak password. If time allows, perform some real demonstrations, set a Kali machine with John the reaper, and show how you can crack any 8-character passwords in no time. Remember: A document is better than nothing, audio is better than a document, a video is better than audio, but nothing beats a real-time demonstration. In the beginning, you may think that it is very time-consuming, but based on experience, all the time and effort you invest in face-to-face training and demonstrations is time well invested.
Once people understand the consequences of using a weak password and the advantages associated with your password policies, they won't see them as a pain, but as a tool that can save their job.
Managing passwords at the enterprise level
While the previous pages were intended to help you improve your password management skills, there are still some additional security considerations that you must follow when managing passwords at the enterprise level. Now, let's explore the main threats that you may encounter when managing this kind of environment.
As mentioned previously, passwords are not stored in plain text (well, at least they shouldn't be), so normally they are stored as hashes. Hashes are normally called one-way hash functions, meaning that they were created to be mathematically impossible to create a reverse function to obtain the plain text based on the hashed value.
This sounds very cool, clever, and secure, but it is NOT! (I think hackers are way cleverer).
To crack them, hackers use something called Rainbow tables. The concept is very simple. Basically, it is a database of hash/plain text combinations that can be used to determine the corresponding text of a given hash and this is possible because the hash value of a word or phrase will always be the same.
Rainbow tables are huge (they may contain billions of combinations), making this kind of attack very dangerous.
If you want to play around with rainbow tables, you can visit this site where you can download a big collection of them: https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm.
However, do not worry! There is a way to defend against Rainbow table attacks; you just need to do what you do when you get a salad….Add Salt and Pepper!
Defensive solution – Using salt and pepper
Despite the funny name of this technique, this is actually a very powerful mechanism for protecting against Rainbow table attacks and it is actually simpler than what you may expect.
This entails adding randomly generated text to your password before being hashed. This salt is then saved on the same password database to be used for further authentication:
$Salt = random_bytes [$Salt] $Hash = SHA [$password + $Salt]
Why should the salt be random? If the salt is the same, then the attacker will be able to identify users using the same password as seen here:
$Salt = random_bytes [$Salt] $Bob_Psswd = [$password + $Salt] | Hash= 68586044d92547df605b $Jake_Psswd = [$password + $Salt] | Hash= 68586044d92547df605b
But if they use a different (randomly created) salt, the hash will be completely different and therefore an attacker won't be able to determine whether they are the same:
$BobSalt = random_bytes [$Salt] $JakeSalt = random_bytes [$Salt] $Bob_Psswd = [$password + $BobSalt] | Hash = 10db4775dc38f4 $Jake_Psswd = [$password + $JakeSalt] | Hash = dc74116ef9525h
So, as seen in the preceding example, even if Bob and Jake use the same password, the attacker won't be able to determine that because the salt used is different.
As mentioned, the hash and the salt are stored in the same database, so if an attacker can access the database, the hash can be compromised even if salted.
To reduce that risk, we can add another string of characters (just like the salt), but this time this value is saved in another location, converting this new string as a secret to the attacker because even if the main database is compromised, the pepper will remain secret:
$Pepper = I.am.the.Pepper $BobSalt = random_bytes [$Salt] $JakeSalt = random_bytes [$Salt] $Bob_Psswd = [$password+$BobSalt+$Pepper] | Hash = h1k477g56 $Jake_Psswd = [$password+$JakeSalt+$Pepper] | Hash = o28l4115h
In the preceding example, we can see how the password is composed on the basis of three variables (the password, the salt, and the pepper), which increases the complexity exponentially to crack it.
In terms of the implementation, it is up to you if you want the salt to be added in front of the password or at the end of the password. The important thing is that it is added before the hash is created. As my math teacher used to say: the order of the factors does not alter the product.
Also, it could be difficult to implement a dynamic salt on legacy systems. In those cases, I strongly recommend the use of salt and pepper to increase the security of the system.
Salt efficiency is about randomness, pepper is about secrecy.
You can use the same pepper for all passwords on the same system, but my suggestion to you is to use a different pepper for each system (if one is compromised, it will not compromise all your systems).
Let me share with you the latest research associated with trying to resolve the password problems (hardware and software):
Enhanced password authentication
This is a super interesting system that I developed with Rhonda Childress, Deputy CISO at Kyndryl, about a system that leverages a USB vulnerability and transforms it into a clever solution to the password problem. Here is the link to the full patent pending disclosure: https://patents.google.com/patent/US20200092282A1/en.
Wireless injection of passwords
This idea was part of some research conducted with my friend and security expert John Feezell, in which we wanted to take password vaults to another level by enabling a true plug-and-play solution to wireless inject passwords from a password vault. The beauty of this system is that it does not require the installation of any special driver and firmware and yet can still work on any OS. You can check the details at the following link: https://patents.google.com/patent/US20190163893A1/en.
Keyboard injection of passwords
This is an improved version of the previous idea in which we added another layer of security and leverage the currently connected keyboard as the input mechanism to inject the password as normal keystrokes: https://patents.google.com/patent/US20200074069A1/en.
We covered a lot of good information about the main risks related to passwords and how to address them from the point of view of the users and the infrastructure. Now is the time to jump to the next level and see how we can create the best defensive security strategy based on interconnected layers of systems, methods, and techniques.
Mastering defense in depth
Back in the old days, people relied on perimeter defense, which is erecting a virtual fence to prevent non-authorized people from getting into your systems.
However, the threat landscape has evolved, and we must do the same!
While perimeter defense is mostly based on a single layer of protection (normally a network layer), Defense in Depth (DiD) takes this further by applying a plurality of security layers in which each layer offers a new line of defense against an attack.
Normally, those layers are independent and each of them provides a different security mechanism that increases the overall security. The benefit of this independence is that a vulnerability that affects one layer may be irrelevant to the other layer. This is a great advantage over a pyramidal model where, if the foundation is affected, the rest will fall.
However, this independence also has its downside in terms of the complexity of the operations. In this case, managing all the different layers (configuration, test, updates, maintenance) is not an easy task, but who says that our job will be easy!
Factors to consider when creating DiD models
Most DiD models create the layers based on technology; however, if you want to apply DiD as a master, you must also consider the following two very important factors: People and Processes.
The DiD model can be applied at a macro level (to the entire organization) or at a micro level (to a single system or technology). This means that once you master this method, you can use it to create your overall security strategy, as well as use it to create the security strategy to secure your web apps.
Now, let's analyze these two factors in detail.
People are often pointed to as the biggest threat in cybersecurity…and they are! And we are not talking about the criminals; we are talking about your company employees who are responsible for many of the security breaches, either as a result of an inadvertent error or by being used by an attacker to gain access to some systems or data.
Therefore, we must consider the human factor when developing our defense strategy. Ignore this and your strategy will be doomed.
The very first step here for you is to segment the company employees by access type. Users should be created on a need-to-know/need-to-do basis. This segmentation of employees should be performed as part of your identity and management process and while, in the beginning, it may be a time-consuming process, in the end, I assure you that the investment is well worth it.
Some companies started to adopt a policy to provide admin rights to all employees over their work computers. The justification is related to the huge cost associated with having a support team in charge of helping the user every time they need to install software, hardware, update, or plugin.
But what about the cost of reinstalling a machine following a malware infection? What about the cost associated with the installation of corrupted drivers? What about the cost of a data leak due to the installation of a trojan? What about the legal cost of the installation of unlicensed or restricted software? Those are some of the questions that you may ask senior management in case they want to provide admin rights to everyone. Remember, it is your responsibility to help your organization to understand that security will always be above usability and user experience.
Are you saying this should not be done? No, I am just saying that this needs to be carefully analyzed from the cybersecurity perspective to ensure that if applied, all appropriate controls are in place to reduce the risks mentioned earlier.
You must have an in-depth understanding of the organization that you are tasked with defending. You can achieve this by understanding all the company's processes (or at least the core of them). Once you know them, it will be easier for you to identify vulnerabilities and risks where others don't!
I understand that as a technical person, you may hate processes and the associated (and mostly) outdated documentation that it brings, but trust me, if you know them, you will bring an exceptional value that very few are capable of providing to their organization.
Another reason for you familiarizing yourself with this is because you will have to eventually create your own processes. One good tip is to create your processes in alignment with the organizational processes; this will enable you to reduce risks while closing any potential gaps.
Additionally, I suggest you evaluate/analyze those three factors (Technology, People, and Processes) from two perspectives: Internal and External.
I suggest you do an inventory of your technology, processes, and types of employees, and then evaluate the risks (internal/external) associated with each of them, as shown in the following diagram.
Now that we have reviewed the factors that need to be considered and how to manage them, it is time to move forward to understand how to determine which assets will be defended by our DiD model and how to prioritize them.
In an ideal world, you would apply the strongest defense across the entire organization, but as you may know, that is not realistic because the stronger the security, the more expensive the cost.
Therefore, before moving forward, you must analyze your systems and data and sort them to prioritize the defense strategy for each type.
Once you have identified the different systems and data, create a Kanban-like board in which the columns are the levels of security (with an associated cost), and then schedule a meeting with relevant upper management (CEO, CFO) and ask them to place the different systems and data in the desired security level (columns). This is a great tool for you when it comes to supporting your budget request, but also when delegating the responsibility of the security level selected for each system/infrastructure or dataset.
The following diagram is an example of a Kanban-like board that can be used to determine Asset priorities (based on impact) and also to support budget requests made to upper management:
Now it is time to create the layers of your DiD model.
Defense by layers
Here, you will use the inputs from the asset prioritization that we just created to develop the best-layered model based on your resources.
There is an open debate ongoing about whether it is better to have one super strong control or multiple good controls.
Let's look at some pros and cons of a sample scenario so that you can draw your own conclusions.
There are two ways to create your layers, by means of the functionality of the control or by technology, as explained next.
Creating layers by type or functionality of the control
Here, you create the layers based on the functionality or type of controls.
The idea is that you correlate what you are trying to secure against the controls applicable to it. For example, there will be cases in which corrective controls may not be relevant, while in other cases, it should be the priority. Remember that in security, everything needs to be tailor-made based on the business.
Figure 1.12 shows a full layered model that includes the most popular controls layered by their function. For example, an electrified fence to prevent someone from entering the building, a Camera system to detect intruders, a security guard to deter potential intruders, biometric authentication or geolocation as an alternative method to compensate a more expensive mechanism, a backup to perform the recovery following a disaster, and a "Reboot to restore" software (like a deep freeze) to correct any issue or misconfiguration on a given system.
Creating layers by technology
Here you create layers of controls based on the technology used, despite the fact that they provide the same functionality. For example, you may implement several methods or technologies on a critical system to detect intruders (IDS, audits, logs, and so on).
In the preceding diagram, you can see an example of how you can create layers based on the technology. For example, a camera and a sensor may both be a detective control, but both use different technologies to achieve it. This model is very useful when you want to increase the focus on a given functionality, for example, implementing a plurality of technologies to provide a special focus on detection or prevention.
To make things more interesting, remember that layers can also be further defined on three categories of controls: administrative, physical, and technical. I know that you are already familiar with those categories (so there is no need to waste ink in explaining them), but I just want you to keep in mind that you can add components from the three categories on the same layer.
Which approach is better?
This will depend on your infrastructure, and that is why performing an in-depth analysis of the environment is key.
Remember that the logic behind this is to make things harder for an attacker and you can achieve that with both methods.
Benefits of a security by layer model
There are a lot of benefits associated with the implementation of a Security by layer approach and Figure 1.14 highlights some of them for you to consider whether they can be beneficial for your defensive security strategy:
Additionally, upper management will also benefit from implementing this type of security model as this enables the company to perform a better allocation of cybersecurity resources.
Layered models were designed to work in isolation, which means that there is no communication between the layers. However, the latest research studies confirm that interconnecting the layers will improve the system as one layer may learn from the other one to better protect against an upcoming threat.
Keep in mind (like everything else in security) that a layered model that works today may be obsolete in 2 years, so you need to constantly evaluate your layers to determine if they still offer the required level of security.
I know you want to see the latest and greatest technologies, so here are a couple of systems recently developed that can be implemented on layered security models.
Mobile device feature disablement
This is a very interesting project (patented in the US) that I worked on recently with my friend and master inventor, Eric Rueger. The idea is a system that prevents the execution of a plurality of systems on a mobile device based on a plurality of factors such as time and location. Therefore, this is a state-of-the-art system that can be applied to the preventive or detective layer of the model. Here is the link: https://patents.google.com/patent/US10594855B2/en.
Cognitive security adjustments based on the user
If you want to see one real example of how you can add AI to a preventive layer (and take your layered model to the next level), take a look at this patent pending in which the system monitors the user's emotional state and level of attention to determine whether the user's computer should be automatically locked to prevent unauthorized access or the inadvertent disclosure of sensitive information. In terms of the development of this system, I had the privilege to work with one of the most prolific inventors in human history, Greg Boss: https://patents.google.com/patent/US20190180013A1.
Comparing the blue and red teams
The blue team is the defense team, the one in charge of the policies, processes, methods, and technologies aimed at preventing a cybersecurity incident (which is probably you).
On the other hand, the red team is a team of professionals trained to find vulnerabilities. They will use their skills to find a way to gain access to a given system or data.
They will basically follow the same steps that an attacker would, but instead of exposing your data or selling it to the highest bidder, they will create a beautiful report that you can use to detect your vulnerabilities and create strategies to correct them.
Some big companies may have their own red team, but this is very expensive, and resources may be underutilized, so most of the companies just hire them on a regular basis to test their infrastructure and gather valuable data to improve.
Like many other topics in cybersecurity, there is an open debate about red teams and pentesting, so to make things easier for the reader, pentesting will be defined as one of the tasks carried out by a red team.
As a defensive security professional, there are many factors that you must know about in relation to pentesting, such as the types of testing, pentesting services, and their benefits.
Types of pentesting
A pentest is classified based on the level of knowledge and access that you grant them prior to the test. The categories are as follows:
In this type of testing, the red team is not provided with any information about the target. This is commonly used when testing an entire infrastructure to find global vulnerabilities. Here, the red team will have to start by performing an initial discovery phase and move across layers to find any vulnerable spots.
This kind of testing is more generic and normally involves no collaboration between the teams. In fact, this is regularly performed as some type of audit in which just senior management knows about the execution of the test. This is normally done to perform a real test and without the security team being on alert.
This is normally the most complex, resource-intense, and extensive test of the three.
Here you provide the red team with some details about the target while obscuring others. For example, you may ask to test a given application and provide the architecture of said application, but more detailed information, such as the source code and users, will be obscured.
In this type of testing, you provide the red team with a lot of data about the tested system/infrastructure, including blueprints, users, code, and any other document related to the system/infrastructure being tested.
While this may seem as making life easier for the red team, this type is more about a collaborative environment between the blue and red teams to perform more targeted testing.
You can pretty much test anything; however, here is a list of the most common types of pentesting offered:
- Network services
- Web applications
- Web services
- Wireless networks
- Social engineering
- Physical intrusions
Benefits of pentesting
Many organizations are still reluctant to perform some type of pentesting on their environments, so let me share with you some benefits to motivate a company to use this great asset:
- External feedback about your infrastructure, including weak points, vulnerabilities, and improvement areas
- An opportunity to close security gaps before they are exploited by criminals
- Objective evaluation
- Support of your continuous improvement initiatives
- External validation of your hard work!!!
Hiring a dedicated red team may be expensive; however, if you have someone in your team with offensive skills, you can leverage that experience to perform mini testing (like a mini purple team).
Having a purple team does not replace the need for a red team as the inputs from an external "unbiased" tester provide additional insights and value.
Be careful when hiring a red team as they will handle very sensitive information about the company. Here, the rule is that you should always work with a partner that you can trust.
Involve your legal team and make sure that a confidentiality and data privacy contract is signed with the red team.
In this chapter, we reviewed a set of very interesting types of attacks, including teardrop attacks, SYN flood attacks, and many types of DNS attack, as well as how to defend your infrastructure against them.
We also learned how to better deal with password-based attacks, not just from the user's point of view, but also from an enterprise point of view. Additionally, we learned how to create a DiD model and how to take advantage of layers to secure your data.
Finally, we concluded the chapter by understanding how you can leverage the benefits of having (or hiring) a blue or red team in your organization.
Now, let's move on to the next chapter, where we are going to understand how to manage risks on an enterprise level by leveraging the NIST cybersecurity framework. Also, we will see how to create a world-class BCP and DRP to enhance the availability and survivability of your organization.
This book was designed to be focused on Defensive Security; however, if you want to read more about Offensive Security, take a look at this book about the strategies employed by offensive security teams (red teams): https://www.packtpub.com/product/cybersecurity-attacks-red-team-strategies/9781838828868.