WEBVTT

00:07.400 --> 00:12.050
Often when we look at end of life or outdated components, we need to understand that those end of life

00:12.050 --> 00:16.760
components, whether it's software, hardware or operating systems, can pose a significant security

00:16.760 --> 00:20.240
risk or vulnerability to our network as a whole.

00:20.270 --> 00:26.990
In 2007, when Microsoft seven came out, they had about a lifespan of about a decade, and after that

00:26.990 --> 00:29.030
decade occurred, they stopped supporting it.

00:29.030 --> 00:31.550
When they stopped supporting it, they no longer patched it.

00:31.580 --> 00:36.530
Those vulnerabilities or new vulnerabilities that erupted from that operating system were no longer

00:36.530 --> 00:38.000
being supported by Microsoft.

00:38.000 --> 00:41.930
And as such, those vulnerabilities became every day anybody could access it.

00:41.960 --> 00:47.060
It's not uncommon right now to find vulnerabilities in Microsoft seven that are still being utilized

00:47.060 --> 00:52.520
in a classroom, as how to guides on how to hack different machines within the software cycle.

00:52.520 --> 00:54.620
We need to look at a software bill of materials.

00:54.620 --> 00:55.580
Let's take a look at that.

00:55.580 --> 01:00.630
Now within the software bill of materials, you can see here that it's nothing more than an audit form.

01:00.630 --> 01:07.170
For software, we identify the component name or the specific software we're utilizing the version number.

01:07.200 --> 01:11.340
This identifies whether the version is older or newer than what we've seen before.

01:11.370 --> 01:16.830
If there's any licensing information or associated information where the product was purchased, we

01:16.830 --> 01:22.830
have dependencies and sub dependencies with sub dependencies being hey, does this software align to

01:22.860 --> 01:28.830
another software that we're utilizing and then sub to sub dependencies being is there a third strain

01:28.860 --> 01:29.820
of the software?

01:29.820 --> 01:34.950
For instance, if I have Microsoft Windows, that is my part of Microsoft Office, which is also part

01:34.950 --> 01:41.010
of Microsoft Windows, then I would have a sub dependency of a sub dependency of a known software,

01:41.010 --> 01:43.200
and then finally known vulnerabilities.

01:43.200 --> 01:49.200
You want to identify and detail the specific known vulnerability with the CVE number or the critical

01:49.200 --> 01:54.510
vulnerability number, and enumerate what known vulnerabilities are associated with that software.

01:54.780 --> 02:01.930
When we're looking at a software composition analysis, we're doing a scan or a specific software that's

02:01.930 --> 02:07.150
looking at our current software on our system, identifying where is that software in play?

02:07.150 --> 02:09.280
Is it currently vulnerable to attack?

02:09.310 --> 02:15.190
This is much like what we might see in Nessus or another vulnerability scanner, but it's specific to

02:15.220 --> 02:16.360
software itself.

02:16.360 --> 02:18.160
What version are we currently running?

02:18.160 --> 02:20.920
Are there known vulnerabilities to that specific version?

02:20.920 --> 02:23.620
How is that interacting with our software as a whole?

02:23.620 --> 02:29.380
And she can provide us detailed information and identifying outdated material that's currently residing

02:29.380 --> 02:30.790
on our operating systems.

02:30.790 --> 02:36.100
We need to constantly be identifying and authenticating our users that are currently residing on our

02:36.100 --> 02:37.300
network as a whole.

02:37.300 --> 02:40.330
We need to be able to verify are they legitimately there?

02:40.360 --> 02:42.040
Are they who they say they are?

02:42.040 --> 02:48.100
And have we properly identified an authenticated that specific user and then authorize them to use specific

02:48.100 --> 02:48.820
software?

02:48.820 --> 02:51.820
This usually aligns with password policies.

02:51.850 --> 02:55.360
Is the password they're currently utilizing something that we want.

02:55.480 --> 02:59.830
Or is it an older password that quite honestly is weak in foundations.

02:59.830 --> 03:04.720
When we're looking at password policies, we also need to look at multi-factor authentication or two

03:04.750 --> 03:06.100
factor authentication.

03:06.100 --> 03:10.270
We are just going to depend on something they know we need to be aware.

03:10.300 --> 03:11.050
Do they have something?

03:11.050 --> 03:12.220
They have something.

03:12.220 --> 03:13.600
They are somewhere.

03:13.600 --> 03:15.070
They are multi-factor.

03:15.070 --> 03:21.070
Authentication is becoming more and more profound in the security world, as it limits attackers from

03:21.070 --> 03:25.240
specifically using just passwords to gain entry into our systems.

03:25.270 --> 03:29.560
A Captcha is a little design you've probably seen on websites before.

03:29.560 --> 03:35.200
It thwarts automated responses for software's just routinely going through and continually providing

03:35.200 --> 03:36.850
different passwords for a system.

03:36.850 --> 03:43.930
By requiring users to click on a on a specific button that may not always be in the same spot, or to

03:43.960 --> 03:49.390
arrange and pinpoint specific bus terminals or street lights on a on a different picture.

03:49.390 --> 03:55.300
This provides us a unique advantage to identifying and stopping automated attacks.

03:55.300 --> 04:01.270
When we look at rate limiting, how often am I allowing a user to provide a password.

04:01.270 --> 04:06.370
If I know your username is your email, then I want to limit the amount of times you can enter that

04:06.370 --> 04:12.010
password before I start limiting the scope, or the amount of times you can input that password.

04:12.040 --> 04:14.470
This is usually routinely one second.

04:14.470 --> 04:18.040
As one second doubles, it continues to double and double again.

04:18.040 --> 04:23.590
So if you enter a password wrong I put a forced one second rule in there, which means that you can't

04:23.590 --> 04:25.570
input another password for one second.

04:25.600 --> 04:29.170
The second time it's two seconds, then four, eight, 16.

04:29.170 --> 04:30.100
You get the point.

04:30.100 --> 04:33.370
However, a lot of times we can limit the passwords to just three or more.

04:33.400 --> 04:37.900
After three failed attempts, we lock you out of the system and force you to re-identify yourself and

04:37.900 --> 04:39.370
recreate a new password.

04:39.400 --> 04:43.720
We can do session management, limiting the amount of sessions which we've talked about before.

04:43.750 --> 04:46.330
Encryption, of course, access and control.

04:46.330 --> 04:49.450
But the last one I really want to touch on is user education.

04:49.450 --> 04:53.980
With user education, we can identify and specifically state to our users.

04:53.980 --> 04:59.940
Not only this is the policy, but this is why we have the policy You'd be amazed how many people in

04:59.940 --> 05:01.830
the office routinely go through.

05:01.830 --> 05:05.790
And they're like, I have no idea why I have to follow this stupid rule.

05:05.790 --> 05:07.170
It doesn't make any sense.

05:07.170 --> 05:08.070
I don't like it.

05:08.100 --> 05:14.010
It makes my life harder if they just understood why they're required to input a new password every six

05:14.010 --> 05:19.800
months, and why we require two uppercase, two lowercase two special characters, and all the rules

05:19.800 --> 05:20.580
that we have.

05:20.610 --> 05:25.680
You'd get a lot more buy in from your employee base, and that's done via user education.

05:25.680 --> 05:31.230
Educating our users is probably one of the single greatest things you could do for non-it people to

05:31.260 --> 05:33.540
conform to our cybersecurity policies.

05:33.540 --> 05:39.210
When we talk about remote code execution, we're referring to the attacker's capability to execute malicious

05:39.210 --> 05:45.600
code on a targeted platform that is remote, i.e., it's not there with them.

05:45.600 --> 05:50.730
When we talk about remote code execution and how to mitigate such attacks, a lot of times we want to

05:50.730 --> 05:51.060
do that.

05:51.060 --> 05:52.080
Input validation.

05:52.080 --> 05:56.670
Now, I have drummed and beat that dead horse on input validation all throughout this course.

05:56.670 --> 05:59.360
I don't feel like I need to do it again, But one more time.

05:59.360 --> 06:00.500
Input validation.

06:00.500 --> 06:06.590
We are going to make sure that only the code or the special characters that we want in the program are

06:06.590 --> 06:08.600
there and usable by the user.

06:08.600 --> 06:11.660
We don't want special characters like semicolons in there.

06:11.660 --> 06:17.180
That is often referred to for code implementation, and if we allow that into our system, we're asking

06:17.180 --> 06:19.850
for trouble so we can do input validation.

06:19.850 --> 06:25.130
My old adage if I have a calculator, I'm not letting somebody write a sentence into my calculator program.

06:25.130 --> 06:26.990
We want application firewalls.

06:26.990 --> 06:29.720
We want those firewalls to help protect our applications.

06:29.720 --> 06:35.660
They provide some unique advantages to protecting our software from an application standpoint.

06:35.660 --> 06:38.390
We want runtime application self-protection.

06:38.390 --> 06:42.080
We want to also use containerization and virtualization.

06:42.080 --> 06:47.840
If I'm using containerization and virtualization, then I'm able to set aside that specific program

06:47.840 --> 06:54.290
or application or even operating system and provide an extra layer of segmentation and thereby security,

06:54.290 --> 06:57.770
which is going to help prevent remote code execution across the board.

06:57.830 --> 07:02.420
They may get access to one container, but are they able to get access to multiple containers using

07:02.420 --> 07:03.380
the same code?

07:03.380 --> 07:07.640
We also use containerization and virtualization for a lot of honeypots and honey nets.

07:07.670 --> 07:13.520
When we're going through mitigating against remote code, execution really provides a defensive structure

07:13.520 --> 07:17.090
that we really need to pinpoint when we're talking about software security.

07:17.120 --> 07:22.460
When we talk about privilege escalation, we're referring to the aspect of if an attacker gets into

07:22.460 --> 07:28.790
a system, we don't want them to gain additional roles or responsibilities or access into other systems.

07:28.790 --> 07:34.940
We want to limit their escalation process as much as possible, i.e., if I have a janitor that has

07:34.970 --> 07:39.860
access to Microsoft Word and that's the only program they have access to, and somebody gets access

07:39.860 --> 07:43.400
to their account, we don't want them to suddenly be able to access our servers.

07:43.400 --> 07:45.500
This is referred to as privilege escalation.

07:45.500 --> 07:51.230
When an attacker is able to move up the chain or gain additional permissions or authority within our

07:51.230 --> 07:55.280
system to prevent privilege escalation, we need to do least privilege.

07:55.280 --> 08:00.820
It's not uncommon for an employee to change jobs over time or to get promoted.

08:00.820 --> 08:06.520
If you have an IT guy that has access to our servers, our help desk policies and different aspects

08:06.520 --> 08:11.290
of our IT network, and they suddenly get promoted into a managerial role where they aren't doing that

08:11.290 --> 08:12.460
on a day to day basis.

08:12.460 --> 08:14.530
And they really don't do it often at all.

08:14.560 --> 08:17.080
Does it really make sense to maintain that access?

08:17.080 --> 08:18.400
By doing least privilege?

08:18.400 --> 08:21.490
We can take away accesses where people don't need them.

08:21.490 --> 08:27.010
When we talk about least privilege, we're really referring to what is the maximum access they need

08:27.040 --> 08:27.430
access.

08:27.730 --> 08:32.290
Maximum access they need availability to in order to do their job.

08:32.290 --> 08:34.360
No more, no less.

08:34.390 --> 08:39.250
When we talk about mandatory access control, we're talking about military level access control.

08:39.250 --> 08:44.350
This is the most restrictive type of access control where we're identifying, hey, is this component.

08:44.350 --> 08:48.340
Does this specific person need access to this specific software?

08:48.340 --> 08:52.660
It's very detailed and accurate and it takes a lot of time to pull off.

08:52.660 --> 08:58.870
But we're really reflecting the user to the access level when we talk about discretionary access control

08:58.870 --> 09:02.020
or DAC, this is the least restrictive access control.

09:02.020 --> 09:06.850
The end user controls their access, and with the end user being able to control their access, it's

09:06.850 --> 09:11.410
quite easy for them to go from one point of access all the way up to a maximum access level.

09:11.410 --> 09:16.330
This is probably not utilized very much in most enterprise environments, if at all.

09:16.330 --> 09:21.220
We have role based access control, which is the most widely used access control that I'm aware of.

09:21.250 --> 09:26.380
This is where if I have an employee and that employee operates at the help desk, then I can create

09:26.410 --> 09:28.990
access controls for every help desk employee.

09:28.990 --> 09:33.070
If I have a new employee, they gain the role of help desk employee.

09:33.070 --> 09:36.580
They gain access to every other thing that a help desk employee needs.

09:36.580 --> 09:38.080
No more, no less.

09:38.080 --> 09:40.030
Now I can fine tune that.

09:40.030 --> 09:45.670
Maybe I have a help desk employee that also has a subset and servers, so I could give him specific

09:45.700 --> 09:49.270
access to a server that he's able to, uh, to rely on.

09:49.270 --> 09:53.890
But this role based access control is most likely used in enterprise environments.

09:53.890 --> 10:00.150
I have rule based access control where I'm identifying specific rules i.e. is it this time of day that

10:00.150 --> 10:01.590
you have access to this system?

10:01.590 --> 10:04.560
I may have a help desk employee that works from 8 to 5.

10:04.590 --> 10:09.450
If he's trying to access our controls at 2 a.m. in the morning, I probably might think that, hey,

10:09.450 --> 10:11.160
this is an hourly employee.

10:11.190 --> 10:15.480
He doesn't need access to the systems at 2 a.m., so they aren't authorized.

10:15.480 --> 10:18.810
I have their access set from 8 a.m. to 5 p.m..

10:18.810 --> 10:20.070
No more, no less.

10:20.070 --> 10:24.210
This would be an example of rule based access control.

10:24.240 --> 10:30.360
Then I have something called attribute access control, where I limit resources or access based on specific

10:30.390 --> 10:36.750
attributes of the job title or location, meaning that if I have that same help desk employee and he

10:36.750 --> 10:41.040
works in, I don't know, Indianapolis, Indiana, that's his location.

10:41.040 --> 10:46.800
If he's only helping people in Indiana, then why would he need access to systems or to employees that

10:46.800 --> 10:48.870
are operating remotely out of Phoenix?

10:48.870 --> 10:52.770
If that's not part of his job, that would be an attribute that I'm going to limit.

10:52.770 --> 10:58.020
That's attribute based access control And then we talk about segmentation and isolation.

10:58.020 --> 11:03.120
When we're talking about isolation and segmentation, where in the network are they able to be?

11:03.150 --> 11:04.950
Do I want to segment them off this?

11:04.950 --> 11:10.740
I most commonly denote this to an operations personnel who works on the day to day operations of a company

11:10.740 --> 11:14.190
or business, not really needing access to the finance department.

11:14.190 --> 11:17.580
Why do they need access to the finance department or the HR department?

11:17.580 --> 11:20.190
I want to segment into their little, little area.

11:20.220 --> 11:21.420
That's where they work.

11:21.420 --> 11:22.620
Stay in your lane.

11:22.620 --> 11:24.600
That's segmentation and isolation.

11:24.600 --> 11:29.580
Most often when we talk about privilege escalation, we also need to take into account logging and monitoring.

11:29.580 --> 11:33.900
How am I going to log the different peripheries that are going on within my network?

11:33.930 --> 11:38.580
Again, if I have that help desk person and he does something on my network, I want to be aware of

11:38.610 --> 11:38.970
that.

11:38.970 --> 11:40.770
I want to log what he's doing.

11:40.770 --> 11:45.780
If he accesses a server or attempts to log into a server, then that creates a log.

11:45.780 --> 11:50.640
That log needs to move to a CRM where it can be analyzed to find out what's going on.

11:50.640 --> 11:56.300
At the same token, if he's trying to log into the system at 2 a.m. and his attributes or his rule only

11:56.300 --> 12:03.170
permit from 8 a.m. to 5 p.m. that I need to be aware of that, and I need to log that specific, uh,

12:03.170 --> 12:03.950
attempt.

12:03.950 --> 12:08.240
And when that attempt is logged, it's going to be monitored by the mechanisms in place.

12:08.240 --> 12:10.730
And then I can go back and detect what's going on.

12:10.760 --> 12:13.460
I need to do regular patching and software updates.

12:13.460 --> 12:14.960
I pound this into the ground.

12:14.990 --> 12:18.920
Patching is filling in vulnerabilities or flaws within our software.

12:18.920 --> 12:23.960
We need to be regularly patching to make sure that somebody doesn't gain access to a vulnerability that

12:23.960 --> 12:25.280
we could have easily patched.

12:25.310 --> 12:27.890
My favorite story about this is the WannaCry virus.

12:27.920 --> 12:32.930
When Microsoft first came out with SMB 22 vulnerability, the WannaCry virus didn't come out and take

12:32.930 --> 12:35.510
advantage of that vulnerability for six months.

12:35.540 --> 12:40.430
It was six months before the WannaCry virus came out and actually exploited that vulnerability.

12:40.460 --> 12:43.850
However, Microsoft had already patched it six months before.

12:43.880 --> 12:50.120
Any corporation, any environment, even any home computer that had properly introduced those patches,

12:50.120 --> 12:55.130
would have been protected from the WannaCry virus, the first version of a ransomware that was widely

12:55.130 --> 12:56.420
known across the world.

12:56.420 --> 12:57.830
All it took was a patch.

12:57.860 --> 13:03.020
Yet millions upon millions of users and organizations refused to patch their computers for whatever

13:03.020 --> 13:03.590
reason.

13:03.590 --> 13:09.290
And the WannaCry virus, even though it was completely preventable, took stage front and center and

13:09.290 --> 13:11.540
took advantage of all those different computers.

13:11.540 --> 13:13.670
We want to do penetration testing.

13:13.700 --> 13:17.360
Common folks doing penetration testing is not a good idea.

13:17.360 --> 13:18.860
We want to hire professionals.

13:18.860 --> 13:22.130
We want people that know what they're doing, have a scope.

13:22.130 --> 13:25.460
They understand what the rules are, and they follow a contract.

13:25.460 --> 13:29.870
We'll provide them a scope of work saying, hey, you're able to do this, this and this, but maybe

13:29.870 --> 13:30.110
not.

13:30.110 --> 13:31.670
Social engineering attacks.

13:31.670 --> 13:36.650
When we talk about penetration testing for privilege escalation, we're hiring professional organizations

13:36.650 --> 13:41.780
or professional people to go through and attempt to take advantage of vulnerabilities they find within

13:41.780 --> 13:42.560
our network.

13:42.590 --> 13:47.360
It gives us a realistic idea of what's going on through our network from the eyes of a malicious user.

13:47.360 --> 13:49.640
And finally, that application firewall.

13:49.640 --> 13:51.080
It's always going to be front and center.

13:51.080 --> 13:55.420
It provides so much more defense in depth than what we're commonly used to It's just kind of that security

13:55.420 --> 14:00.280
blanket that fills over and helps fill in some of those common gaps that we may see in our defense in

14:00.280 --> 14:00.940
depth structure.

14:00.970 --> 14:07.990
Local File Inclusion, or LFI and Remote File Inclusion, or RFI pose common vulnerabilities found in

14:07.990 --> 14:09.130
web application.

14:09.130 --> 14:14.800
Where LFI arises from, the attacker manages to include a file located on the server or in the web page,

14:14.800 --> 14:17.560
and grants access to sensitive information.

14:17.590 --> 14:24.250
RFI, or remote file inclusion is the same, except it's done via the remote structure as opposed to

14:24.280 --> 14:25.600
the local structure.

14:25.600 --> 14:29.200
When we talk about input validation, we're going through that same process.

14:29.200 --> 14:31.660
Am I validating the inputs that are in place?

14:31.690 --> 14:34.990
Am I providing those access controls that we talked about before?

14:35.020 --> 14:37.000
Am I sanitizing my files?

14:37.000 --> 14:39.370
What do we mean by file sanitization?

14:39.370 --> 14:43.450
When we talk about file sanitization, we're talking about going through a file and making sure that

14:43.450 --> 14:46.990
PII or sensitive data isn't front and center.

14:46.990 --> 14:51.190
You can often see this in the military where we have the full Social Security number in there.

14:51.190 --> 14:56.310
But if you're pulling it off of a web server, the first 5 to 6 digits may not be prevalent.

14:56.310 --> 14:59.220
You'll only see the last four digits of that Social Security number.

14:59.250 --> 15:00.990
Maybe the date of birth is skewed out.

15:01.020 --> 15:03.000
Maybe the employee ID is skewed out.

15:03.000 --> 15:09.720
When we talk about file sanitization, where sanitizing files and getting rid of pertinent PII or sensitive

15:09.720 --> 15:15.060
data that may be located on that file on that server, if it doesn't need to be there, then it's going

15:15.090 --> 15:15.690
to get blurred out.

15:15.690 --> 15:16.770
It's going to get removed.

15:16.770 --> 15:18.330
We can do secure coding.

15:18.330 --> 15:22.380
We've talked about this before where we're ensuring that secure coding is from the get go.

15:22.410 --> 15:26.760
We're making sure that code is not full of vulnerabilities or flaws, that errors have been detected

15:26.760 --> 15:29.910
and they've been corrected and that it handles errors properly.

15:29.940 --> 15:33.090
We're going to do a web application firewall, we're going to do patching.

15:33.090 --> 15:35.340
And then finally our file handling libraries.

15:35.340 --> 15:39.180
Are we using the library that's appropriate for the software that we're including.

15:39.180 --> 15:42.780
Is that file library perceived to be truthful and honest.

15:42.780 --> 15:45.780
It's not there to provide malware.

15:45.780 --> 15:47.640
It's not put there by just anybody.

15:47.670 --> 15:54.450
We're ensuring that file library actually includes relevant information from a good source.