Does not keep information between connections, like HTTP (stateless)
Exit out of current directory and access other files
Scanning tool to find open ports
Destroying the look of a website
User is redirected to a fake page (phishing)
Attacker hides behind the user to avoid detection, e.g. tricking the user into solving a CAPTCHA
Make the server send request to other server (unwanted)
Make the user send request to other server (unwanted)
Broadcast ping to all IPs in the network (spoofed source IP) to make every host reply to the victim
Send SYN packet to the victim and never send ACK to complete the handshake (spoofed source IP)
Send SYN packet with the same source and destination IP
Send fragmented packets with overlapping offsets, causing the server to crash when it tries to reassemble them
Send request to a server and make it reply to the victim
UDP Port 7: When a packet is received, send it back to the source
UDP Port 19: When a packet is received, send back a random string of characters
Results in an infinite loop
Query DNS request with spoofed source IP address being the target (Ask for xxx.com please reply to the victim)
Insider who misuses authorized access
- Anomaly detection: Compare with normal behavior
- Signature or Heuristic detection: Compare with known attack patterns
- Host agent module: Monitor the host and report to central manager
- LAN monitor agent module: Monitor the LAN traffic and report to central manager
- Central manager: Collect and analyze the data from host agent and LAN monitor agent
An event reported by a host monitoring agent
Monitor traffic at selected points on a network
Key elements of any IDS
- Data source: Raw data
- Sensor: Collect data from the data source & forwards to the analyzer
- Analyzer: Analyze the data for unauthorized/unwanted activities
- Administrator: Human who sets the security policy
- Manager: Human who manages the components of the IDS
- Operator: Human who operates the system
A popular open-source lightweight IDS, including 4 components
- Packet decoder: Decode the packet
- Detection engine: Compare the packet with the rule
- Logger: Log the packet if it matches the rule
- Alert: Alert to a file, a UNIX socket, or a database
- Accepted: Allow the packet to pass
- Dropped: Drop the packet with no indication of failure
- Rejected: Drop the packet and let the sender know the packet was rejected
- Service control: Filter traffic based on the service
- Direction control: Filter traffic based on the direction
- User control: Filter traffic based on the user who attempts to access it
- Behavior control: Filter traffic based on the behavior of the traffic
- A Positive filter: Allow only packets that pass the rules
- A Negative filter: Block packets that pass the rules
Filter traffic based on the TCP connection
- Host application/circuit-level gateway
- Critical strongpoint in network
An area between the internal network and the external network, hosting e.g. the Web server, Mail server, Proxy server
A screening router with a bastion host
- Perimeter network
- Bastion host
- Interior router: Protect from internet and from bastion host
- Exterior router: Connect to the internet
A decoy system equipped with monitoring and logging tools
- Transport mode: Only encrypt the payload
- Tunnel mode: Encrypt the entire packet
A single security product that contains multiple security features
- Perception layer: Collect data (Sensor, Transmitter)
- Network layer: Transfer data
- Application layer: Allows user interaction
Create a mesh network based on low power RF
Create a mesh network based on 2.4 GHz
A lightweight publish-subscribe messaging protocol
Attacker takes control of sensor node
Attacker sends a lot of packets to the network to make the network busy
A single node pretends to be multiple nodes
Disrupt connection between two nodes
- Public cloud: Cloud service provider has full ownership
- Private cloud: Internal usage
- Community cloud: Shared by several organizations
- Hybrid cloud: Combines two or more deployment models
- Multi-cloud: Use multiple cloud providers
- Software as a Service (SaaS): On-demand software
- Platform as a Service (PaaS): Application development environment including OS, Compiler, Database, Web server
- Infrastructure as a Service (IaaS): Assigned with virtual machines (VMs)
A single instance of software serves multiple customers
- Role-based multi-tenancy access control: Assign role to user
- Access policies based on data attributes
- Physical measures: Hardware token
A document that describes how an organization will address its security needs
- Policy, Current state, Requirements, Recommended controls, Accountability, Timetable, Continuing attention
Document how a business will continue to function during a computer security incident: Assess business impact -> Develop a strategy to control impact -> Develop and implement a plan
- Catastrophic situation: All or major part is destroyed
- Long duration
How to deal with a security incident
Assumes that experts make informed guesses based on their experience
Systematic method to find the security weaknesses
- Defining, Identifying, Classifying, Prioritizing
Attempts to actively exploit weaknesses in a system
- White box: Full knowledge of the system
- Gray box: Partial knowledge of the system
- Black box: No knowledge of the system
Off-site: A location that is far away from the primary site
Hot-site: A location that is ready to use
- Preserving authorized restrictions on information access and disclosure
- Including means for protecting personal privacy and proprietary information (protection of personal data)
- The property of being genuine and being able to be verified and trusted
- Is it genuine?
- Actions of an entity to be traced uniquely to that entity
- Can account for who did what
- An entity that attacks a system.
- The bad actor
- Attempts to learn or make use of information from the system but does not affect system resources.
- Eavesdropping: listening in
- Attempts to alter system resources or affect their operation.
- e.g. Masquerade: impersonating a system user; Denial of Service
- Capture message from one to another and resend it to the receiver later.
- Altering the content of messages before they are delivered to the recipient.
- Stop the service. “denial of services”
- Attack on availability
- Altering the data.
- Attack on integrity
- Capture the data. “un-authorized access”
- Secretly eavesdropping
- Attack on confidentiality
- Create the data.
- Fabricating data
- Attack on authenticity
- An unauthorized entity indirectly accesses sensitive data by reasoning from characteristics or byproducts of communications.
- Inferring data from the data that is available
A threat to either system or data integrity. (Deception) e.g.
- Masquerade: impersonating a system user
- Falsification: fabricating data
- Repudiation: denying an action
A threat to system availability or system integrity. (Disruption) e.g.
- Incapacitation: rendering the system unable to operate
- Corruption: damaging data (modifying it)
- Obstruction: making the system run slower
A threat to system integrity. (Usurpation) e.g.
- Misappropriation: accessing data without authorization
- Misuse: using data without authorization
Provide confidence in the identity of the entities connected
Provide assurance that the source of received data is as claimed
Prevent unauthorized use
Encrypt
Study of encryption and decryption
Hidden writing
Break cipher to get plain text
Person to break cipher to plain text
Work with good guy 👍
Work with bad guy 👎
Map bit, text to another element (confusion)
Rearrange (diffusion)
Process one block at a time
Process continuously
Divide into blocks and encrypt each independently with the same key
Combine the result of the previous block's encryption with the next block before encrypting, and so on...
Shift alphabet
Shuffle alphabet
Written in horizontally, read out vertically
...
1 Key
2 Keys
Encrypt with private, decrypt with public => can be sure sender is legit
Encrypt with public, decrypt with private => other cannot read
Encrypt with reader's public => encrypt with sender's private => decrypt with sender's public => decrypt with reader's private
Message with hash (can be encrypted); lets the receiver verify the received message is authentic
Steal key during Key exchange/distribute
Problems:
- Key generation
- Key storing
- Key distribution
- Require a trusted intermediary (someone who can be trusted), e.g. Key Distribution Center (KDC) (symmetric key), Certification Authority (CA) (confirms a public key really belongs to its owner)
Message =Hash=> encrypt the hash with the private key and store the signature with the file, so the reader can decrypt it with the public key and compare the hash
A malware that requires a host program (attaches itself to a file/program)
Can be scheduled and run by the OS
Copies of itself
Program that contains unexpected additional functionality
Script or macro, e.g. Spreadsheet, Docx, PDF, any file that can run macros
Tools used to break into new machines remotely
Generate new viruses automatically
Active malware **no countermeasure available**
Ability of infecting multiple types of files
It uses multiple methods of infection
1. Dormant: waiting on trigger event
2. Propagation: spreading
3. Triggering: by event to execute payload (the virus)
4. Execution: the function is performed
- Infection mechanism: how the virus spreads
- Trigger: event that makes payload activate
- Payload: the actual virus
A virus that mutates with every infection, checking signature is impossible
Virus that change their behavior as well as their appearance
Search for bit patterns of code fragments, check for unusual actions
Checksums or hash values (message digests)
A sandbox layer that runs suspicious code and flags it before passing it on to users
Propagates over net
Phases: Dormant, Propagation, Triggering, execution
Detect surges in the rate of outgoing connection attempts, and block immediately
A form of defensive design to ensure continued function of software despite unforeseen usage
Automated software testing by providing invalid, unexpected, or random data as inputs
A small piece of code used as the payload in the exploitation of software vulnerability
Memory protection, so users cannot cross a specified address
Precompute tables of hash values for all salts
Verify the identity of users based on the authentication performed by an Authorization Server
A website that wants to verify the end-user's identifier
A service that specializes in registering OpenID URLs, e.g. GitHub, Google, Microsoft, ...
Embodied in an authorization database, dictates what types of access are permitted, under what circumstances, and by whom.
Based on identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.
Based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances
based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
Access control concept that is referred to as an abstract machine that mediates all accesses to objects
The value of specific data element is written or changed only by authorized users
Checks on the values of elements can help to prevent insertion of improper values
Entire attributes or entire records can be duplicated in a DB
A small number of privileged users may grant and revoke access right
The owner of a table may grant and revoke access rights to the table
In addition to granting and revoking access rights to a table, the owner of the table may grant and revoke authorization to other users, allowing them to grant and revoke access rights to the table
Arises when authorized information enables a user to infer something about information that is not authorized for disclosure
An attacker who retrieves many data items of the same type can learn sensitive data by viewing all the responses
Provides answers to all queries, but the answers are approximate