Jr Penetration Tester
Learn the practical skills required to start your career as a Professional Penetration Tester.
SECTION 1
Introduction to Pentesting
1-Pentesting Fundamentals:
2-Principles Of Security:
Learn the principles of information security that secure data and protect systems from abuse.
Task 1 Introduction
The following room is going to outline some of the fundamental principles of information security, from the frameworks used to protect data and systems to the elements of what exactly makes data secure.
The measures, frameworks, and protocols discussed throughout this room all play a small part in “Defence in Depth.”
Defense in Depth is the use of multiple varied layers of security to an organization’s systems and data in the hopes that multiple layers will provide redundancy in an organization’s security perimeter.
Answer the questions below
Let’s proceed!
Task 2 The CIA Triad
The CIA triad is an information security model that is taken into consideration throughout the creation of a security policy. This model has an extensive background, with its use dating back to 1998.
This history is because the security of information (information security) does not start and/or end with cybersecurity, but instead, applies to scenarios like filing, record storage, etc.
Consisting of three sections: Confidentiality, Integrity, and Availability (CIA), this model has quickly become an industry-standard today. This model should help determine the value of data that it applies to, and in turn, the attention it needs from the business.
The CIA triad is unlike a traditional model where you have individual sections; instead, it is a continuous cycle. Whilst the three elements to the CIA triad can arguably overlap, if even just one element is not met, then the other two are rendered useless (similar to the fire triangle). If a security policy does not answer these three sections, it is seldom an effective security policy.
Whilst the three elements to the CIA triad are arguably self-explanatory, let’s explore these and contextualize them into cybersecurity.
Confidentiality
This element is the protection of data from unauthorized access and misuse. Organizations will always have some form of sensitive data stored on their systems. To provide confidentiality is to protect this data from parties that it is not intended for.
There are many real-world examples of this; for example, employee records and accounting documents will be considered sensitive. Confidentiality will be provided in the sense that only HR administrators will access employee records, where vetting and tight access controls are in place. Accounting records are less valuable (and therefore less sensitive), so less stringent access controls would be in place for these documents. Another example is governments using a sensitivity classification rating system (top-secret, classified, unclassified).
Integrity
The CIA triad element of integrity is the condition where information is kept accurate and consistent unless authorized changes are made. It is possible for the information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and usage not involving modification to the information. Steps must be taken to ensure data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
Many defenses to ensure integrity can be put in place. Access control and rigorous authentication can help prevent authorized users from making unauthorized changes. Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted.
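The two integrity defences named above, hash verification and keyed authentication, behave differently against an unauthorised change. The following is an added example (not part of the original room) that seals a constructed employee record with both an unkeyed SHA-256 digest and an HMAC under a hypothetical integrity key, then shows that a party who can write to the record store can recompute the plain hash but cannot produce a valid HMAC without the key. The record, the key and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample record, standing in for the employee records discussed above.
EMPLOYEE_RECORD = {"employee_id": 1042, "name": "A. Example", "salary": 52000}

# Hypothetical integrity key. In practice it is kept away from anyone who
# merely has write access to the records store.
INTEGRITY_KEY = b"hypothetical-integrity-key"


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def keyed_digest(record: dict, key: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce a matching tag."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def seal(record: dict, key: bytes) -> dict:
    """Store the record together with both integrity checks."""
    return {
        "record": dict(record),
        "sha256": plain_digest(record),
        "hmac": keyed_digest(record, key),
    }


def hash_check_passes(sealed: dict) -> bool:
    """Verify the unkeyed digest (constant-time comparison)."""
    return hmac.compare_digest(sealed["sha256"], plain_digest(sealed["record"]))


def mac_check_passes(sealed: dict, key: bytes) -> bool:
    """Verify the keyed tag (constant-time comparison)."""
    return hmac.compare_digest(sealed["hmac"], keyed_digest(sealed["record"], key))


def simulate_unauthorised_change(sealed: dict) -> dict:
    """Model a breach of integrity by someone with write access to the store:
    the salary is altered and the unkeyed hash recomputed, while the stored HMAC
    is left as-is because the key is not available to them."""
    changed = {"record": dict(sealed["record"]), "hmac": sealed["hmac"]}
    changed["record"]["salary"] = 99000
    changed["sha256"] = plain_digest(changed["record"])
    return changed


if __name__ == "__main__":
    stored = seal(EMPLOYEE_RECORD, INTEGRITY_KEY)
    print("untouched record: hash ok =", hash_check_passes(stored),
          "| hmac ok =", mac_check_passes(stored, INTEGRITY_KEY))
    changed = simulate_unauthorised_change(stored)
    print("altered record:   hash ok =", hash_check_passes(changed),
          "| hmac ok =", mac_check_passes(changed, INTEGRITY_KEY))
```

The unkeyed digest alone is enough to spot corruption in transit or storage; detecting a deliberate modification requires either a secret the modifier lacks (the HMAC key here) or a digital signature whose private key they do not hold.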
Availability
In order for data to be useful, it must be available and accessible by the user.
The main concern in the CIA triad is that the information should be available when authorized users need to access it.
Availability is very often a key benchmark for an organization; for example, an organization may commit to 99.99% uptime on its websites or systems (this is laid out in Service Level Agreements). When a system is unavailable, it often results in damage to an organization's reputation and loss of finances. Availability is achieved through a combination of many elements, including:
- Having reliable and well-tested hardware for their information technology servers (i.e. reputable servers)
- Having redundant technology and services in the case of failure of the primary
- Implementing well-versed security protocols to protect technology and services from attack
Answer the questions below
What element of the CIA triad ensures that data cannot be altered by unauthorised people?
Ans=Integrity
What element of the CIA triad ensures that data is available?
Ans=Availability
What element of the CIA triad ensures that data is only accessed by authorised people?
Ans=Confidentiality
Task 3 Principles of Privileges
It is vital to administer and correctly define the various levels of access to an information technology system that individuals require.
The levels of access given to individuals are determined on two primary factors:
- The individual’s role/function within the organization
- The sensitivity of the information being stored on the system
Two key concepts are used to assign and manage the access rights of individuals: Privileged Identity Management (PIM) and Privileged Access Management (or PAM for short).
Initially, these two concepts can seem to overlap; however, they are different from one another. PIM is used to translate a user’s role within an organization into an access role on a system. PAM, on the other hand, is the management of the privileges a system’s access role has, amongst other things.
What is essential when discussing privilege and access controls is the principle of least privilege. Simply put, users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties. Other people should be able to trust what people write to.
As we previously mentioned, PAM incorporates more than assigning access. It also encompasses enforcing security policies such as password management, auditing policies, and reducing the attack surface a system faces.
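The split between PIM (organisational role to access role), PAM (what an access role may do, with auditing) and least privilege can be made concrete in a few lines. The following is an added example, not the room's own code: the role mappings, privilege sets, duty catalogue and user names are all constructed for the illustration, and the finance access role is deliberately given one privilege its duties do not need so that the least-privilege check has something to flag.

```python
# PIM step (constructed): organisational role -> access role on the system.
ORG_ROLE_TO_ACCESS_ROLE = {
    "hr_administrator": "hr_records_admin",
    "accountant": "finance_user",
    "intern": "basic_user",
}

# PAM view (constructed): the privileges each access role actually carries.
# "finance_user" has been granted employee_records:read, which prepare_accounts
# does not require; this is the excess the least-privilege check should report.
ACCESS_ROLE_PRIVILEGES = {
    "hr_records_admin": {"employee_records:read", "employee_records:write"},
    "finance_user": {"accounting_docs:read", "accounting_docs:write", "employee_records:read"},
    "basic_user": set(),
}

# Duty catalogue (constructed): the privileges each duty genuinely needs.
DUTY_REQUIREMENTS = {
    "maintain_employee_records": {"employee_records:read", "employee_records:write"},
    "prepare_accounts": {"accounting_docs:read", "accounting_docs:write"},
}

# Audit trail of every authorisation decision, part of what PAM enforces.
AUDIT_LOG: list[dict] = []


def provision(user: str, org_role: str) -> str:
    """PIM: derive the access role for a user from their organisational role."""
    try:
        return ORG_ROLE_TO_ACCESS_ROLE[org_role]
    except KeyError:
        raise ValueError(f"no access role defined for organisational role {org_role!r}") from None


def required_privileges(duties: list[str]) -> set[str]:
    """Union of what the listed duties need; unknown duties are an error, not a silent grant."""
    needed: set[str] = set()
    for duty in duties:
        needed |= DUTY_REQUIREMENTS[duty]
    return needed


def excess_privileges(access_role: str, duties: list[str]) -> set[str]:
    """Least-privilege check: privileges granted to the role beyond what its duties require."""
    return ACCESS_ROLE_PRIVILEGES[access_role] - required_privileges(duties)


def authorize(user: str, access_role: str, privilege: str) -> bool:
    """PAM: decide whether the role holds the privilege, and record the decision."""
    allowed = privilege in ACCESS_ROLE_PRIVILEGES.get(access_role, set())
    AUDIT_LOG.append({"user": user, "role": access_role, "privilege": privilege, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    alice_role = provision("alice", "hr_administrator")
    bob_role = provision("bob", "accountant")
    print("alice ->", alice_role, "| bob ->", bob_role)
    print("bob writes accounts:", authorize("bob", bob_role, "accounting_docs:write"))
    print("bob edits HR records:", authorize("bob", bob_role, "employee_records:write"))
    print("excess on finance_user:", excess_privileges(bob_role, ["prepare_accounts"]))
    print("audit entries:", len(AUDIT_LOG))
```

The audit log is what lets the organisation later see who attempted what; the excess-privilege report is the review step that keeps a role's grants aligned with its duties over time rather than only at provisioning.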
Answer the questions below
What does the acronym “PIM” stand for?
Ans=Privileged Identity Management
What does the acronym “PAM” stand for?
Ans=Privileged Access Management
If you wanted to manage the privileges a system access role had, what methodology would you use?
Ans=PAM
If you wanted to create a system role that is based on a user's role/responsibilities within an organisation, what methodology is this?
Ans=PIM
Task 4 Security Models Continued
Before discussing security models further, let’s recall the three elements of the CIA triad: Confidentiality, Integrity and Availability. We’ve previously outlined what these elements are and their importance. However, there is a formal way of achieving this.
According to a security model, any system or piece of technology storing information is called an information system, which is how we will reference systems and devices in this task.
Let’s explore some popular and effective security models used to achieve the three elements of the CIA triad.
The Bell-La Padula Model
The Bell-La Padula Model is used to achieve confidentiality. This model makes a few assumptions, such as that the organisation it is used in has a hierarchical structure where everyone’s responsibilities/roles are well-defined.
The model works by granting access to pieces of data (called objects) on a strictly need-to-know basis. This model uses the rule “no write down, no read up”.
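The two rules can be checked mechanically once subjects and objects carry ordered labels. The following is an added example, not the room's own code: it implements the Bell-La Padula read and write rules over the three classification labels mentioned in the confidentiality section, and alongside them the Biba integrity model that the questions below refer to. The page states only Biba's read rule ("can read up, can't read down"); its write rule, "no write up", is the standard formulation of the model and is added here as a known fact. The level ordering and the helper that prints the full access matrix are assumptions for the illustration.

```python
# Ordered sensitivity (or integrity) levels, lowest first. Labels are the ones the
# confidentiality section lists; the numeric ordering is assumed for this example.
LEVELS = {"unclassified": 0, "classified": 1, "top-secret": 2}
OPERATIONS = ("read", "write")


def bell_lapadula_allows(operation: str, subject_clearance: str, object_label: str) -> bool:
    """Confidentiality: no read up (simple security property), no write down (*-property)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if operation == "read":
        return s >= o          # a subject may only read at or below its clearance
    if operation == "write":
        return s <= o          # a subject may only write at or above its clearance
    raise ValueError(f"unknown operation {operation!r}")


def biba_allows(operation: str, subject_integrity: str, object_integrity: str) -> bool:
    """Integrity: no read down, no write up (the dual of Bell-La Padula)."""
    s, o = LEVELS[subject_integrity], LEVELS[object_integrity]
    if operation == "read":
        return s <= o          # only read from sources at least as trustworthy
    if operation == "write":
        return s >= o          # only write into objects no more trustworthy than yourself
    raise ValueError(f"unknown operation {operation!r}")


def access_matrix(model) -> dict:
    """Enumerate every (operation, subject level, object level) decision for a model."""
    return {
        (op, subj, obj): model(op, subj, obj)
        for op in OPERATIONS
        for subj in LEVELS
        for obj in LEVELS
    }


def print_matrix(name: str, model) -> None:
    """Print the decisions as a small table, one row per operation and subject level."""
    print(f"{name}:")
    for op in OPERATIONS:
        for subj in LEVELS:
            row = "  ".join(
                f"{obj:>12}={'allow' if model(op, subj, obj) else 'deny '}" for obj in LEVELS
            )
            print(f"  {op:5} by {subj:>12}: {row}")


if __name__ == "__main__":
    print_matrix("Bell-La Padula (confidentiality)", bell_lapadula_allows)
    print_matrix("Biba (integrity)", biba_allows)
```

Reading the two matrices side by side shows why the models are not interchangeable: a Bell-La Padula system lets a top-secret subject read everything but write only at top-secret, whereas a Biba system lets a low-integrity subject read high-integrity data but never write into it.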
Answer the questions below:
What is the name of the model that uses the rule “can’t read up, can read down”?
Ans=The Bell-La Padula Model
What is the name of the model that uses the rule “can read up, can’t read down”?
Ans=The Biba Model
If you were in the military, what security model would you use?
Ans=The Bell LaPadula Model
If you were a software developer, what security model would the company perhaps use?
Ans=The Biba Model
Task 5 Threat Modelling & Incident Response
Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation’s information technology infrastructure and services.
A critical stage of the threat modelling process is identifying the likely threats that an application or system may face, and the vulnerabilities a system or application may be exposed to.
The threat modelling process is very similar to a risk assessment made in workplaces for employees and customers. The principles all return to:
- Preparation
- Identification
- Mitigations
- Review
It is, however, a complex process that needs constant review and discussion with a dedicated team. An effective threat model includes:
- Threat intelligence
- Asset identification
- Mitigation capabilities
- Risk assessment
To help with this, there are frameworks such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) and PASTA (Process for Attack Simulation and Threat Analysis); infosec never tasted so good! Let’s detail STRIDE below. STRIDE, authored by two Microsoft security researchers in 1999, is still very relevant today. STRIDE includes six main principles, which I have detailed in the table below:
Answer the questions below
What model outlines “Spoofing”?
Ans=Stride
What does the acronym “IR” stand for?
Ans=incident response
You are tasked with adding some measures to an application to improve the integrity of data, what STRIDE principle is this?
Ans=Tampering
An attacker has penetrated your organisation’s security and stolen data. It is your task to return the organisation to business as usual. What incident response stage is this?
Ans=Recovery