CISSP Blog Post 26, Domain 8: Malware


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Finally! Congratulations on making it to the last CISSP post in this series. Today we will cover the most exciting topic of Malware! Here are some of the most common types of malware you need to know about:

  1. Viruses are malicious code that replicates by creating, replacing, or attacking other programs or files. Viruses generally require some initiating action by the user. Virus types include File Infectors and Boot Sector Infectors (which are read before the host operating system is started).
  2. Worms are malicious, continuously running processes that reproduce and eat up resources. Generally they do not require an initiating action by the user. They spread over networks by exploiting vulnerabilities in network protocols, or through application components (e.g. DLLs). Unlike viruses, worms do not need an infected file to spread (i.e. viruses require a file “host”).
  3. Trojans are installed by a user because they believe they want the program. They are a form of social engineering.
  4. Remote Access Tools, aka RATs, can be a legitimate remote administration tool, but they can also be an illegitimate remote access trojan.
  5. Rootkits are often trojans or other malware that can replace critical system files or interfere with system kernel functions to seize control of a processor’s central ring (0 or 1), such that the whole system is compromised.
  6. A Logic Bomb is malicious code, often planted by someone you know (i.e. an insider programmer), that is triggered by an event or a specific schedule, usually as an act of revenge.
  7. Botnets are where multiple systems are compromised and turned into agents / bots / zombies.
  8. Distributed Denial of Service (DDoS) attacks have 3 phases:
    1. Attacker infects many machines with agents (aka bots or zombies)
    2. Attacker uses a Master / Handler program to command agents
    3. Agents initiate a denial of service or SPAM attack against the attacker’s target.
  ISPs and managed DNS can help stop a DDoS attack.
  9. Zero-Day Exploits / Malware are attacks that take place shortly after a security vulnerability is discovered but before a vendor has a fix or patch available.

So how do you protect against malware? Anti-malware tools come with different types of capabilities, including:

  • Known Signature Scanning – the program scans based on known malware or attack signatures (e.g. antivirus). These solutions are only as good as the known, available signatures.
  • Heuristic Scanning – the program looks for suspicious system behavior or activity. It does NOT use baseline learning; it only uses predefined rules.
  • Change Detection Tools look for unauthorized changes to files, system configuration, or programs (e.g. File Integrity Monitoring solutions). These tools take a baseline snapshot of files (via a file hash) and then create new hashes periodically to see if anything has changed.

CISSP Blog Post 25, Domain 8: Program Exploits


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Ok! Last domain of the CISSP – we have two topics to cover – we’ll cover one today and one next week.

In this post, we’ll cover some common Program Exploits at a high level to get you familiar with terminology.

The first is Memory Buffer Overflow. An example is a website form running on a server where the attacker enters a longer string than the program that ingests the form can handle, causing memory on the server to overflow, which can corrupt data, crash the system, or provide access to things the attacker should not have access to. To fix this, the programmer must add validation checking for the fields in the website form.

A Covert Channel is a secret transfer or sharing of information that violates security policy. Examples include a Covert Storage Channel, which is a hidden data storage location or hidden data within a program that an attacker shouldn’t be accessing. A Covert Timing Channel is secret signaling, for example using screen flicker to exfiltrate data from a facility.

Cross-Site Scripting is a well-known attack where a malicious user posts comments containing a malicious script in a web form. A regular user then picks up that content when they load the website in their browser, and the comment causes the regular user’s browser to execute the script. This, for example, could be used to harvest cookies. A user can safeguard against this by disabling scripting in their browser.

Cross-Site Request Forgery is similar, where a user has two browser tabs open. In Tab 1 they might have an image with a reference link, or a script with a request action, aimed at a specific banking site. In Tab 2, they may have their banking site open. The browser may allow a transaction or activity from Tab 1 to occur on the website in Tab 2, believing it is legitimate because it is occurring within the same browser.

Memory or Object Reuse is where you need to sanitize media before reusing it, with a protected audit log trail.

Trapdoors / Back-doors / Maintenance Hooks are hidden mechanisms for bypassing access controls. They are put in by programmers – typically for convenience when debugging their code.

SQL Injection is where a front-end form passes input containing SQL code that runs on a back-end database and returns output or runs code. For example, if someone put the following into the "First Name" field of a web form: “Bobby ‘DROP TABLE”, it could cause the database to delete a table if there are no validation checks or neutralization of form entries to stop them from executing.
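The root cause is that the input becomes part of the SQL statement text. The following added example (not from the course) runs the same lookup two ways against a constructed in-memory SQLite table: string-splicing, where a quote in the input breaks the query’s structure, and a bound parameter, where the page’s own “Bobby ‘DROP TABLE” string is simply treated as a name.

```python
import sqlite3

# Added example: the same lookup, vulnerable and parameterized. The table and
# rows are constructed for the demo.

def make_db():
    """In-memory customers table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, first_name TEXT)")
    con.executemany("INSERT INTO customers (first_name) VALUES (?)",
                    [("Alice",), ("O'Brien",), ("Bobby 'DROP TABLE",)])
    return con

def lookup_vulnerable(con, first_name):
    """BAD: the input is spliced into the SQL text, so a quote changes the query."""
    sql = "SELECT id FROM customers WHERE first_name = '" + first_name + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, first_name):
    """GOOD: the driver binds the value separately; it can never be parsed as SQL."""
    sql = "SELECT id FROM customers WHERE first_name = ?"
    return [row[0] for row in con.execute(sql, (first_name,))]

def demo(first_name):
    """Return (vulnerable result, safe result); a database error is reported by class name."""
    con = make_db()
    try:
        vulnerable = lookup_vulnerable(con, first_name)
    except sqlite3.Error as e:
        vulnerable = type(e).__name__
    return vulnerable, lookup_safe(con, first_name)

if __name__ == "__main__":
    for name in ("Alice", "O'Brien", "Bobby 'DROP TABLE"):
        print(repr(name), "->", demo(name))
```

Note that even the legitimate name O'Brien breaks the spliced query, which is the same defect an attacker abuses; parameterization fixes both at once.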

A Race Condition Attack is where two signals or processes race each other to influence the output first. A physical representation of this would be two joint bank account owners trying to make a withdrawal from the account at the same time. If the combination of both withdrawals is larger than the account balance, the bank may not realize that they have overdrawn the account and may allow both of them to complete their withdrawals at the same time.

Time of Check / Time of Use (TOCTOU) is where variables of a system are changed but there’s a delay before the system honors the changes. The example here is that changing your account permissions may not take effect right away, or may require you to refresh your browser, etc.
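The joint-account race above is a check-then-use bug: the balance is checked, then some time passes, then the withdrawal is applied against a balance that may already be stale. This added example (not from the course) reproduces it with two threads and then fixes it by making the check and the update one atomic step under a lock. A Barrier stands in for “both owners reach the counter at the same moment”, so the bad interleaving happens deterministically.

```python
import threading

# Added example: the joint-account withdrawal race (TOCTOU) and its fix.
# Account, amounts and the two-owner scenario are constructed for the demo.

class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()
        self.both_checked = threading.Barrier(2)

    def withdraw_racy(self, amount):
        """Check and use are separate steps; the other thread runs in between."""
        if self.balance >= amount:          # time of check
            self.both_checked.wait()        # other owner's check happens before either deducts
            self.balance -= amount          # time of use: both deduct from the stale balance
            return True
        return False

    def withdraw_safe(self, amount):
        """Check and use run as one atomic step under the lock."""
        with self.lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False

def two_owners_withdraw(balance, amount, method_name):
    """Two owners each try to withdraw `amount` at once; return (successes, final balance)."""
    acct = Account(balance)
    results = []
    def owner():
        results.append(getattr(acct, method_name)(amount))
    threads = [threading.Thread(target=owner) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance

if __name__ == "__main__":
    print("racy:", two_owners_withdraw(100, 80, "withdraw_racy"))  # both succeed, overdrawn
    print("safe:", two_owners_withdraw(100, 80, "withdraw_safe"))  # one succeeds
```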

CISSP Blog Post 24, Domain 7: Disaster Planning and Restoration


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Ok, you’ve (hopefully) backed up your data in the last post, so now let’s talk Disaster Planning and restoration.

Some unforeseen factors when planning that you should be aware of may include:

  • Your backup site is also impacted by the disaster
  • You cannot get to your backup site
  • If you have a hot site, it may not be able to accommodate multiple customers all having an issue at the same time
  • Your employees’ families may need care as well, reducing available support staff

So what’s the goal of restoration? The goal is to return to your original site with original capacity and data.

(Figure: Recovery vs. Restoration)

Restoration phases include:

  1. Is the incident ended?
  2. Is it safe to return?
  3. Document the losses
  4. Salvage the assets
  5. Repairs & replacement
  6. Return to site (Tier 5 first, all the way up to Tier 1 support employees)
  7. Closure – lessons learned, official end of disaster

Pro tip: When you’re documenting your plan, put a 1-year expiration date on the plan to force updates and make it obvious which is the most recent version.

Speaking of version control – obsolete plans should be handled as follows:

  1. Archive the old plan
  2. Collect all copies
  3. Confirm collection
  4. Issue the new plan
  5. Destroy the old plans

Oh… also, you need to be testing your plan. You can do so in multiple ways, including:

Testing types and methods:

  • Checklist or Desk Check – Give each business unit (BU) a copy of the plan and have them run through a checklist to ensure all relevant points are covered.
  • Structured Walk-through / Tabletop Exercise – Key players get together and review the plan collectively.
  • Simulation Test – Practice drill mobilizing the personnel (e.g. a fire drill) and rehearse going to the assembly point.
  • Parallel Test – Operational test at the alternate site running in parallel with the main site (production).
  • Full Interruption Test – Shut down the production environment and run a live environment at the alternate site. You need prior written management permission before a parallel test is conducted.

CISSP Blog Post 23, Domain 7: Digital Backups


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Welcome to February 2021! This month I plan to wrap up our CISSP blog post series.

Let’s start by talking about data backups! There are lots of ways to do data backups:

  • A Full backup is exactly what it sounds like – all your data is copied to another location and backed up.
  • A Differential backup is where all data that has changed since the last full backup is copied.
  • An Incremental backup is where all data that has changed since the last full OR incremental backup is backed up. This is easier to restore from, but you will need more time and media storage space.
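To make the three schemes concrete, this added example (not from the course) simulates a week of backups over a constructed file set: it shows what each scheme writes to media each day, the total copies written over the week, and which backup sets a restore to a given day has to read.

```python
# Added example: full vs. differential vs. incremental over a constructed week.
ALL_FILES = {"a.txt", "b.txt", "c.txt", "d.txt"}
# Files modified on each weekday, after a full backup on Sunday ("Sun").
CHANGES = {"Mon": {"a.txt"}, "Tue": {"b.txt"}, "Wed": {"a.txt", "c.txt"}}

def copied_per_day(scheme, changes=CHANGES, all_files=ALL_FILES):
    """Return {day: set of files written to backup media that day}."""
    copied, since_full = {"Sun": set(all_files)}, set()
    for day, changed in changes.items():
        since_full |= changed
        if scheme == "full":
            copied[day] = set(all_files)
        elif scheme == "differential":   # everything changed since the last full
            copied[day] = set(since_full)
        elif scheme == "incremental":    # only what changed since the previous backup
            copied[day] = set(changed)
        else:
            raise ValueError(scheme)
    return copied

def sets_needed_to_restore(scheme, day, changes=CHANGES):
    """The backup sets, in order, that a restore to the state at `day` must read."""
    days = ["Sun"] + list(changes)
    if scheme == "full":
        return [day]
    if scheme == "differential":
        return ["Sun"] if day == "Sun" else ["Sun", day]
    if scheme == "incremental":
        return days[: days.index(day) + 1]
    raise ValueError(scheme)

def media_used(scheme):
    """Total file copies written over the week (a proxy for media space)."""
    return sum(len(s) for s in copied_per_day(scheme).values())

if __name__ == "__main__":
    for scheme in ("full", "differential", "incremental"):
        print(scheme, "copies:", media_used(scheme),
              "restore Wed needs:", sets_needed_to_restore(scheme, "Wed"))
```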
(Figure: Cost and Capability Comparison of Backup Sites)

Some technology that can be useful for creating backups is a Redundant Array of Independent Disks (aka RAID). Again, lots of choices:

RAID 0 – Striping of data – very fast, no recovery! 2 drives minimum required.

(Figure: RAID 0)

RAID 1 – Mirroring – double storage cost, slower, 2 drives minimum required.

(Figure: RAID 1)

RAID 3 & 4 – RAID 3 reads and writes data at the byte level; RAID 4 reads and writes at the block level. You can only lose 1 active drive at a time. If the parity drive fails, the RAID falls back to RAID 0, or you can rebuild the parity drive onto a spare drive. This requires 3 drives minimum and only gives 2 drives’ worth of capacity.

(Figure: RAID 3 & 4)

RAID 5 is faster because parity info is written in parallel. If there is no spare drive, it will reconstruct lost data and parity info into system memory in chunks. It needs 3 drives minimum, with a 2 drive capacity.

RAID 6 (Enhanced RAID 5) provides 2-dimensional parity, allowing for the loss of 2 drives simultaneously. It needs 1 more drive than RAID 5. Requires 4 drives minimum, with a 2 drive capacity.

(Figure: RAID 5 & 6)

You can also combine RAID levels, e.g. 0+1, 1+0, 1+5, 5+1, etc.
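The parity behind RAID 3/4/5 is a plain XOR across the data chunks of each stripe, which is why a single lost drive can be rebuilt from the survivors. This added example (not from the course) stripes constructed data across three simulated drives with RAID 5 style rotating parity, fails one drive, and rebuilds it; chunk size and data are constructed.

```python
from functools import reduce
from operator import xor

# Added example: RAID 5 striping with rotating XOR parity, one drive lost and rebuilt.
CHUNK = 4  # bytes per chunk (constructed; real arrays use much larger chunks)

def xor_bytes(blocks):
    """XOR equal-length byte strings column by column."""
    return bytes(reduce(xor, col) for col in zip(*blocks))

def raid5_write(data, ndrives=3, chunk=CHUNK):
    """Split data into stripes of (ndrives-1) chunks; the parity chunk rotates per stripe."""
    per_stripe = chunk * (ndrives - 1)
    data = data + b"\0" * ((-len(data)) % per_stripe)   # pad to whole stripes
    drives = [[] for _ in range(ndrives)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity_drive, it = s % ndrives, iter(chunks)
        for d in range(ndrives):
            drives[d].append(xor_bytes(chunks) if d == parity_drive else next(it))
    return drives

def raid5_reconstruct(drives, lost):
    """Rebuild drive `lost`: each chunk is the XOR of the other drives' chunks in that stripe."""
    survivors = [d for d in range(len(drives)) if d != lost]
    nstripes = len(drives[survivors[0]])
    return [xor_bytes([drives[d][s] for d in survivors]) for s in range(nstripes)]

def raid5_read(drives):
    """Reassemble data in order, skipping each stripe's parity chunk."""
    n = len(drives)
    return b"".join(drives[d][s] for s in range(len(drives[0])) for d in range(n) if d != s % n)

def demo(data=b"CISSP Domain 7: RAID 5 demo", lost=1):
    """Write, simulate losing one drive, rebuild it, and read the data back (padding stripped)."""
    drives = raid5_write(data)
    drives[lost] = None                               # drive failure
    drives[lost] = raid5_reconstruct(drives, lost)    # rebuild onto a spare
    return raid5_read(drives).rstrip(b"\0")

if __name__ == "__main__":
    print(demo())
```

Losing a second drive before the rebuild finishes leaves a stripe with two unknowns, which a single XOR parity cannot solve; that is the gap RAID 6’s second parity closes.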