Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set
of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
    -      Confidentiality
o   Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
    -      Integrity
o   Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damaged, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
    -      Availability
o   Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the “security triad”. It can be further expanded upon:
    -      Privacy
o   Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
    -      Identification
o   An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it services as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
    -      Authentication
o   An information system possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices--for example, hardware tokens provided by companies such as RSA's SecurID--to confirm a user's identity.
    -      Authorization
o   After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
    -      Accountability
o   Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)

Here is another, shorter view (from “Cryptography worst practices” by Dan Bernstein - https://cr.yp.to/talks/2012.03.08-1/slides.pdf):
Confidentiality despite espionage;
    -      Maybe Eve wants to acquire data.
 Integrity despite corruption;
    -      Maybe Eve wants to change data.
Availability despite sabotage;
    -      Maybe Eve wants to destroy data.

Other Concepts
    -      De-perimeterisation (https://en.wikipedia.org/wiki/De-perimeterisation)
    -      CVE, or Common Vulnerabilities and Exposures (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
    -      Risk Management (https://en.wikipedia.org/wiki/Risk_management)
    -      Least Privilege
    -      Multifactor Authentication
    -      Security Usability
“That as a rule of thumb is mostly what engineering is about. You can have most things, but not everything. I think security engineering are about tolerable failure modes -- are about what the tolerable levels of failure are. Determine what failure modes are tolerable and what are not and I can design around not having the intolerable ones. But the cost of it will be some others, because you can't have them all. So when I say, not not fast, cheap and reliable but freedom, security, and convenience, choose two -- it's in that spirit as an engineer.” – Dan Greer
“The point is that any security policy, mechanism, or procedure is based on assumptions that, if incorrect, destroy the superstructure on which it is built. Analysts and designers (and users) must bear this in mind, because unless they understand what the security policy, mechanism, or procedure is based on, they jump from an unwarranted assumption to an erroneous conclusion.” –Matt Bishop (Computer Security: Art and Science)
“Never attribute to malice that which is adequately explained by stupidity.” – Hanlon’s Razor
It is a good idea for a security professional to have experience in both Security Management and Security Operations. Even a high level understanding of one will make you that much better in the other. Mix in business knowledge which will take you far.

Security Management
E.g. Analysts, Architecture, Audit, Risk

    -      Risk Management
o   NIST Risk Management Framework (RMF) - http://csrc.nist.gov/groups/SMA/fisma/framework.html
    -      Governance, Risk, and Compliance (GRC)
o   Frameworks
§  NIST 800-53
·       Checkout the 800-54A document for audit
§  ISO 27001
o   Controls
§  CIS Top 20
·       List of STIGS - http://iase.disa.mil/stigs/Pages/index.aspx
·       US Government Configuration Guidelines - https://usgcb.nist.gov/usgcb_content.html
·       STIG Viewer - https://www.stigviewer.com/
    -      Security Metrics
o   An Information Security Metrics Primer - https://danielmiessler.com/study/information-security-metrics/
o   Dan Greer “Measuring Security” presentation - http://all.net/Metricon/measuringsecurity.tutorial.pdf

Helpful summary of the differences between policy, standards, and procedures:
    -      Policy: “Why do we need to do this?”
    -      Control Objective: “What are the best practices?”
    -      Standard: “What is our requirement?”
    -      Procedure: “How do we actually do it?”
    -      Guideline: “FYI this is strongly recommended!”

Security Operations
E.g. Analysts, Engineering, Incident Response, Penetration Testing
Network Security
    -      Network Lessons (Security): https://networklessons.com/security/
    -      Firewall.cx - http://www.firewall.cx/
    -      Intrusion Protection and Intrusion Detection systems
o   Build a lab and use Security Onion

Security Analytics
    -      Log Management
    -      Security Information and Event Manager (SIEM)
o   Learn how to correlate events
o   Investigations (cases, etc.)
    -      Malware Analysis

Penetration Testing
    -      Penetration Testing Lab - http://www.amanhardikar.com/mindmaps/Practice.html
    -      Offensive Computer Security Course: http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html
    -      CTF Field Guide: https://trailofbits.github.io/ctf/
    -      Pentesting Cheat Sheet - https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
    -      NMAP Cheat Sheet - https://highon.coffee/blog/nmap-cheat-sheet/
    -      Hacking Tools Repository - http://gexos.github.io/Hacking-Tools-Repository/
    -      Pentester Academy - http://www.pentesteracademy.com/topics
    -      Penetration Test Lab - https://lab.pentestit.ru/
    -      VulnHub: https://www.vulnhub.com/
    -      Understanding the process of finding serious vulnerabilities: http://lcamtuf.blogspot.com/2015/08/understanding-process-of-finding.html
    -      WPA Lookup Tables: https://www.renderlab.net/projects/WPA-tables/

    -      Elliptic Curve Cryptography  - http://fails.org/ecc.pdf
    -      Godzilla Crypto Tutorial: https://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html
    -      Cipher Tools: http://rumkin.com/tools/cipher/
    -      Understanding Random: http://faculty.rhodes.edu/wetzel/random/intro.html
    -      Crypto101 - https://www.crypto101.io/
    -      Cryptomuseum - http://www.cryptomuseum.com
    -      The Amazing King - http://www.theamazingking.com/

Secure Development
    -      Reverse Engineering for Beginners - https://beginners.re/
    -      Gentle Introduction to Secure Computation: http://www.alexirpan.com/2016/02/11/secure-computation.html
    -      Gentle Introduction to Application Security: https://paragonie.com/blog/2015/08/gentle-introduction-application-security
    -      LANGSEC: http://langsec.org/
o   This is extremely interesting (https://www.youtube.com/watch?v=3kEfedtQVOY)
    -      High-Quality Software Through Semiformal Specification and Verification: http://infohost.nmt.edu/~al/cseet-paper.html
    -      Secure Software Design and Programming Class Materials: http://www.dwheeler.com/secure-class/
    -      http://www.crackmes.de/ - Reverse engineering practice
    -      Free Lecture Courses on Data Communications, Networking, Cryptography and Computer Security (http://blog.agupieware.com/2014/02/online-learning-free-lecture-courses-on.html)

  1. Default Permit
  2. Enumerating Badness
  3. Penetrate and Patch
  4. Hacking is Cool
  5. Educating Users
  6. Action is Better Than Inaction

“20 of the best IT security lessons ever learned”
  1. Security must enable business, not prevent it.
  2. Work with people. Don't fight them.
  3. Problems first, then solutions.
  4. Teach the basics again and again.
  5. Data security and privacy starts with employees.
  6. Mistakes happen, especially by you.
  7. To get respect, you'll need a few shots fired at you.
  8. Think like an attacker.
  9. Backup your data…away from the data source.
  10. If it's online, you can't be certain it's private.
  11. In a business vs. security battle, business is always right.
  12. A business must balance some risk in order to profit.
  13. Business first, then security.
  14. Educate users about good password security.
  15. Be wary of how much authority you give to a consultant.
  16. Don't go overboard.
  17. Make the cost of breaking in higher than the benefit.
  18. Record as much activity as you can.
  19. Destroy and recycle electronics correctly.
  20. Security is everyone's responsibility.

Of all the security books, this has been the best for me:
Security Engineering by Ross Anderson (http://www.cl.cam.ac.uk/~rja14/book.html). The book is available free online, and a physical copy can be ordered online.

Engineering Security by Peter Gutmann. More of a technical book but the concepts are equally relevant. Freely available here: https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf. Particularly interesting from a Security Usability point of view.

Reflections on Trusting Trust by Ken Thompson: http://dl.acm.org/citation.cfm?id=358210. A look into how low level vulnerabilities can give things farther up the stack a bad day.

Psychology of Intelligence Analysis by Richards J Heuer: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/PsychofIntelNew.pdf. This book, while not directly information security related, is eye opening for the security analyst. It also has a very interesting (and truthful) statement:
“Whatever the complexities of the puzzles we strive to solve and whatever the sophisticated techniques we may use to collect the pieces and store them, there can never be a time when the thoughtful man can be supplanted as the intelligence device supreme.”
Personal observations on the reliability of the Shuttle by R.P. Feynman: http://science.ksc.nasa.gov/shuttle/missions/51-l/docs/rogers-commission/Appendix-F.txt. Building reliable systems isn’t easy.

Tradeoffs in Cybersecurity - http://geer.tinho.net/geer.uncc.9x13.txt
There are also some pretty good psychology books and papers out there which are helpful for how “wetware” operates. An example would be Social Engineering: The Art of Human Hacking by Christopher Hadnagy. Remember you aren’t fighting machines; you’re fighting the people operating the machines.

Kerckhoffs - Cryptographie militaire: http://www.petitcolas.net/kerckhoffs/index.html#english
“Here is an approximate English version of the principles that should apply to a crypto-system:-      The system must be substantially, if not mathematically, undecipherable;
-      The system must not require secrecy and can be stolen by the enemy without causing trouble;
-      It must be easy to communicate and retain the key without the aid of written notes, it must also be easy to change or modify the key at the discretion of the correspondents;
-      The system ought to be compatible with telegraph communication;
-      The system must be portable, and its use must not require more than one person;
-      Finally, given the circumstances in which such system is applied, it must be easy to use and must neither stress the mind or require the knowledge of a long series of rules.”
Gray Hat Hacking BookViolent Python Book
In this industry experience trumps anything else. Ultimately you will want your CISSP (Certified Information Security Professional). If you don’t have the prerequisite time involved any of the domains, you should be knocking out a Security+ which can knock some time off the CISSP requirements. Additionally SANS GIAC certifications, while expensive, are well regarded.

Bruce Schneier (https://www.schneier.com/)
If you are feeling contrarian, Marcus Ranum (http://www.ranum.com/)

Information Security Stack Exchange - http://security.stackexchange.com/

IronGeek’s Playlists (all the conferences you don’t get to attend—recorded!) - https://www.youtube.com/user/irongeek/playlists

How to Crack Applications with Cheat Engine (and you thought it was for games)
    -      Complete Playlist (https://goo.gl/J1OEPA)

Mailing Lists
Hacker Newsletter: http://hackernewsletter.com
Websec Weekly: http://websecweekly.org/
http://seclists.org/ - Curated list of security mailing lists, etc.


I cannot stress this enough: you should have some sort of lab or testing environment setup. This can be done inexpensively.
    -      GNS3: https://www.gns3.com/
    -      Kali Linux: https://www.kali.org/
    -      Security Onion: https://securityonion.net/

General Links
Top 125 Security Tools: http://www.insecure.org/tools.html
https://www.shodan.io/ - Tool for finding exposed services
Curated Lists of Awesome: https://awesome.re/
The Computer Technology Documentation Project (http://www.comptechdoc.org/) – Old but still contains some interesting information and resources
US Navy Electricity and Electronics Training Series (http://jacquesricher.com/NEETS/)
    -      Buy a copy of The Elements of Style by Strunk and White.
Hacker News - https://news.ycombinator.com/. There are a few commenters that I recommend paying attention to:
    -      tptacek; founder of Matasano Security
    -      cperciva; former FreeBSD Security maintainer, created scrypt
    -      nickpsecurity; interesting comments
    -      VLM; also interesting comments
Recommended Reading from Andrew Case: http://dfir.org/?q=node/8

Aggregated News
Latest pinboard security bookmarks: https://pinboard.in/t:security

Risky.Biz; Defensive Security Podcast; Paul’s Security Weekly; TrustedSec Security Podcast; The Social-Engineer Podcast, ISC Stormcast Daily, TechSnap, Brakeing Down Security, Security Now; Down the Security Rabbit Hole; 7 minute security (7ms.us); Tripwire has a great list here: https://www.tripwire.com/state-of-security/security-awareness/information-security-podcast-roundup-2016-edition/

Public Speaking
Speaking.io: http://speaking.io/
The Cognitive Style of Powerpoint: https://www.edwardtufte.com/tufte/powerpoint

Project Management

In Closing
This list may be daunting, especially to those starting out, but I’ll pass on some wisdom given to me:
“The key is to lay a solid foundation. The better you understand each of these realms, the fewer blind spots you will have as you move into other realms and roles.”
That said the goal of this document is to function as a curriculum of sorts or quick reference to help guide your security career. To augment this document I highly recommend you seek out a mentor. If you are starting from scratch, search your local area for security group meetings (Bsides, ISSA, Infragard). At work seek out individuals from the security department. Don’t be afraid to e-mail respected members of the community, they are often responsive and helpful.

I also want to encourage security professionals with experience in the field to watch for those who show genuine desire to learn our profession and do what you can to aid them. Managers: consider the concept of apprenticeship!

Thanks to the following individuals who have helped me over the years. Their knowledge and wisdom in key areas has contributed greatly to the design of this document:
My Parents
Jay C.
Rick E.
Mark M.
Caleb G.
Dan W.

Link to an always up-to-date version of this document: https://1drv.ms/w/s!AuPlDU9PSb0ci8Mt91_GeoHfTiRDBQ

1 comment:

  1. Good post! Thanks for sharing this information. I appreciate it. It is very beneficial for visitors.Visit: Access Security