CIA is the acronym that boils down the basics of security - and no, I don’t mean CIA as in the intelligence organization. In tech, it’s a standard acronym that stands for Confidentiality, Integrity and Availability. These are the measures that determine security in an environment. If these measures look good in your environment, you can feel good that the bad guys will do no harm. In this post I’ll give a brief primer through examples with Techman X.
Confidentiality
A bad guy, Techman X, learns that Gym A puts their customers’ credit card information on one particular laptop. Techman X thinks, “Aha! My recon work is done. If I get my hands on that laptop, I can steal other people’s credit card information.” One evening, Techman X tiptoes into the gym. While no one is looking he snatches the laptop and sneaks out! “Success!” or so he thinks.
Techman X is a pretty smart guy. He knows how tech stuff works. So later that evening, he grabs one of his fancy forensic tech tools. The tool should allow him to see what’s on the laptop without the password. But a surprise hits Techman X. When he attempts to pwn the laptop, he’s stunned at what he sees… Gibberish… The data on the laptop is jumbled up.
This is confidentiality. It is the idea that allows for credit card information to be kept secret for Gym A. Encryption falls into this category, and was the saving defense for Gym A – it made the data look like gibberish.
Other aspects of confidentiality include authentication. Users can access secret information only if they have authorized credentials such as a username and password. Some companies also use smart cards to authenticate. This gives an extra layer of security by having a physical item as a prerequisite for access.
Integrity
This topic is based on reputation. Can the data that you have be trusted? Or has it morphed into something evil? Perhaps. Well, at least in the next scenario with Techman X it has.
Techman X decides to use an executable to steal credit card information. On a Saturday morning, he poses as a patching technician that corporate sent to Gym A. The local IT guy at Gym A is wary because he hasn’t been informed about this surprise visit. Techman X tries to ease the local IT guy’s nerves, “It’s all good, I don’t have to stay. You can perform the patching. Here’s the regular OS update from Big Company.” Techman X hands the local IT guy the USB with the patch from Big Company’s OS update. The patch is an executable and it looks legit.
When the surprise visitor leaves, the local IT guy takes off his glasses and dons the blue cape. BlueTeamTech goes into action. He goes to Big Company’s website to see that the executable’s name is legitimate, patch.exe. That checks out. BlueTeamTech has abilities that are out of this world, so he doesn’t stop there. He checks to see if there is a hash for the executable. Behold, Big Company has the hash.
BlueTeamTech goes to his isolated sandbox, and navigates to the terminal and types:
REM Switch to the USB drive (plain "cd D:" does not change drive in cmd), then hash the file.
REM certutil defaults to SHA1 when no algorithm is given; SHA256 is assumed here to match what a vendor would publish.
cd /d D:\
certutil -hashfile patch.exe SHA256
The terminal spits out a hash. BlueTeamTech checks to see if it matches Big Company’s hash. It doesn’t. BlueTeamTech immediately destroys the isolated sandbox and reports the USB incident to the proper authorities.
Integrity looks beyond what seems reputable. In this case, the patch looked legitimate, but a closer look showed it wasn’t. The data couldn’t be trusted.
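The check BlueTeamTech performs, as an added Python example that is not from the original post: hash the file on disk and compare it with the digest the vendor published. The patch bytes and the "published" digest are constructed here; only the file name patch.exe comes from the post.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: the bytes Big Company actually shipped, and a tampered copy.
# The "published" digest is computed from the genuine bytes to stand in for the
# value a vendor would list on its download page.
GENUINE_PATCH = b"MZ\x90\x00 genuine patch from Big Company\n"
TAMPERED_PATCH = GENUINE_PATCH + b"\x00not-from-big-company"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_PATCH).hexdigest()


def file_sha256(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large patch never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(path, published_hex):
    """Return True only if the file's SHA-256 equals the vendor's published digest.

    hmac.compare_digest gives a constant-time comparison; strip()/lower() tolerate
    whitespace and upper-case hex copied from a web page or terminal.
    """
    actual = file_sha256(path)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def check_usb_patch(contents, published_hex=PUBLISHED_SHA256):
    """Write constructed patch bytes to a temporary 'patch.exe' and verify it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "patch.exe")
    with open(path, "wb") as f:
        f.write(contents)
    try:
        return verify_patch(path, published_hex)
    finally:
        os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("genuine patch verifies:", check_usb_patch(GENUINE_PATCH))    # True
    print("tampered patch verifies:", check_usb_patch(TAMPERED_PATCH))  # False
```

A mismatch means the file is not the one the vendor published, whatever its name or icon says; the hash only helps if it was fetched from the vendor over a trusted channel, not from the same USB stick.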
Availability
Backups and throughput could sum up availability. These two components allow continuous use of data. Backups allow continuous use of data if the current data happens to become corrupt. Throughput allows continuous use of data by making sure there are no obstacles in the way of getting to the data (i.e. network latency).
In this example with Techman X, I’ll explore the throughput side of availability.
Techman X is at it again. His plans keep getting foiled. But this time, he thinks, “If I make my attacks more sophisticated, I will eventually steal the credit card information.” So he devises a plan.
On his whiteboard he draws out what he’s going to do. On the left side of the board, he draws 10 computers representing 1,000,000 other computers. On the right, he draws Gym A’s infrastructure where website credit card payments are processed. In the middle is Gym A’s main website IP, and his Man-in-the-Middle Server. His plan is to unleash a full-scale distributed denial of service attack from his unaware cavalry of 1,000,000 computers against Gym A’s website IP. This should bring it down. Meanwhile, he will bring his MITM Server online to replicate Gym A’s website. With the MITM Server, the credit card information users enter will now be visible to Techman X.
The Zero Day DDOS attack approaches and is executed. 1,000,000 unwitting soldiers fire shots of ping and SYN flood messages towards the website IP. Techman X’s eyes are wide with malicious hope. One minute goes by, and the attack rages on. Two minutes… Three minutes… Four minutes… Nothing is happening. His MITM server isn’t online, and customers are still able to use Gym A’s website. Techman X is infuriated, “It must be that darn local IT guy!”
It was that darn local IT guy. With network visibility, BlueTeamTech laughed as he saw the attack being thwarted by his sophisticated fortress. The network perimeter was built with next generation equipment. Designed with Intrusion Prevention Systems and load balancers in mind, the website was impregnable. Availability prevailed.
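The kind of visibility BlueTeamTech relies on, as an added Python example that is not from the original post: a SYN flood detector run over constructed connection-log lines. The log format, addresses and thresholds are all assumptions made for this example; it flags a destination that sees a high SYN rate where most handshakes are never completed, which is what distinguishes a flood from a legitimate burst of customers.

```python
from collections import defaultdict

# Constructed sample log, one line per TCP segment seen at the perimeter:
# "<seconds> <src_ip> <dst_ip>:<port> <flag>". Two real customers complete their
# handshakes (SYN then ACK); 3000 flood sources send SYNs that never complete.
SAMPLE_LOG = """\
0.00 203.0.113.10 198.51.100.5:443 SYN
0.05 203.0.113.10 198.51.100.5:443 ACK
0.10 203.0.113.11 198.51.100.5:443 SYN
0.15 203.0.113.11 198.51.100.5:443 ACK
""" + "".join(
    f"{0.2 + i * 0.001:.3f} 192.0.2.{i % 250 + 1} 198.51.100.5:443 SYN\n"
    for i in range(3000)
)


def parse_line(line):
    ts, src, dst, flag = line.split()
    return float(ts), src, dst, flag


def syn_flood_report(log_text, window_seconds=1.0, syn_rate_threshold=500, half_open_threshold=0.8):
    """Per destination, report peak SYN rate and the share of SYNs never ACKed by their source.

    A high rate alone can be a flash crowd of real customers; a high rate combined
    with a high half-open ratio is the signature of a SYN flood from spoofed or
    throwaway sources, so both must exceed their thresholds to flag.
    """
    syns = defaultdict(list)   # dst -> [(ts, src), ...]
    acked = defaultdict(set)   # dst -> sources that completed a handshake
    for line in log_text.splitlines():
        ts, src, dst, flag = parse_line(line)
        if flag == "SYN":
            syns[dst].append((ts, src))
        elif flag == "ACK":
            acked[dst].add(src)
    report = {}
    for dst, entries in syns.items():
        entries.sort()
        peak, start = 0, 0  # sliding window: most SYNs inside any window_seconds span
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        half_open = sum(1 for _, src in entries if src not in acked[dst])
        rate, ratio = peak / window_seconds, half_open / len(entries)
        report[dst] = {"syn_rate": rate, "half_open_ratio": ratio,
                       "flagged": rate >= syn_rate_threshold and ratio >= half_open_threshold}
    return report
```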