What are the three types of countermeasures?

Application Concepts

Alarm/access control systems use access control readers, electrified locks, request-to-exit sensors, door alarms, and volumetric and point alarms to defend facilities against inappropriate access by unauthorized users.

Use a layered security approach. This is a combination of detection and access layers placed over each other at geographical progression toward the most valuable assets (see Fig. 27.1).

The basic goals of electronic security countermeasures include:

Access control

Deterrence

Detection

Assessment

Coordinating response

Evidence gathering

It is essential that all these goals should be met in the design of a comprehensive coordinated security program.

Security system designs should also be robust and redundant, expandable, flexible, and easy to use. And they should be sustainable.

Deploying an appropriate collection of information security countermeasures in an organization should result in high-level blocking power against existing threats. In this chapter, a new knapsack-based approach is proposed for finding out which subset of countermeasures is the best at preventing probable security attacks. In this regard, an effectiveness score is defined for each countermeasure based on its mitigation level against all threats. Organizations are always looking for more effective low-cost solutions, so another consideration is that the implementation cost of the selected countermeasure portfolio should not exceed the allocated budget. Following the knapsack idea, the implementation cost of each countermeasure and its effectiveness, defined as inputs and the best subset, are chosen with respect to budget limits. Our results are compared with similar research and recommend the same countermeasure portfolio.

Detection Elements

If deterrence is the ultimate goal of security countermeasures, then detection is where deterrence begins.2 The ability to detect is at the heart of eliminating the probability of success of the criminal or terrorist mission. Detection is a process that includes sensing, processing, and transmitting the detection, and reporting it to someone who can act.3

Personnel

Ironically, the utilization of people as a security countermeasure can be the most efficient and effective strategy or, depending on the circumstances, the poorest.

Because of the ongoing expense of personnel (not only for salaries but also full benefit package, supervision, and replacement), every effort should be exercised to cure risks whenever possible by means other than utilizing people. The rule of thumb is to use people only in those areas where procedural controls, hardware, or electronics cannot be employed more efficiently.

There are security functions for which people are the best and sometimes the only countermeasure. The critical factor in the decision to use people, one that is their greatest attribute that can never be replaced, is their ability to exercise judgment. Wherever judgment is essential in carrying out a security function, people should be utilized. A common example might be the job of overseeing employees as they leave work in a production plant by inspecting lunch pails and other containers. Personnel are essential for a variety of other roles that cannot be affected by procedures, hardware, or electronics. Among these functions are guard posts and patrols, inspections, investigations, prevention of criminal attacks, maintenance of order, and crowd control.

Kernel-Land Exploits Versus User-Land Exploits

We described the kernel as the entity where many security countermeasures against exploitation are implemented. With the increasing diffusion of security patches and the contemporary reduction of user-land vulnerabilities, it should come as no surprise that the attention of exploit writers has shifted toward the core of the operating system. However, writing a kernel-land exploit presents a number of extra challenges when compared to a user-land exploit:

The kernel is the only piece of software that is mandatory for the system. As long as your kernel runs correctly, there is no unrecoverable situation. This is why user-land brute forcing, for example, is a viable option: the only real concern you face when you repeatedly crash your victim application is the noise you might generate in the logs. When it comes to the kernel, this assumption is no longer true: an error at the kernel level leaves the system in an inconsistent state, and a manual reboot is usually required to restore the machine to its proper functioning. If the error occurs inside one of the sensible areas of the kernel, the operating system will just shut down, a condition known as panic. Some operating systems, such as Solaris, also dump, if possible, the information regarding the panic into a crash dump file for post-mortem analysis.

The kernel is protected from user land via both software and hardware. Gathering information about the kernel is a much more complicated job. At the same time, the number of variables that are no longer under the attacker's control increases exponentially. For example, consider the memory allocator. In a user-land exploit, the allocator is inside the process, usually linked through a shared system library. Your target is its only consumer and its only “affecter.” On the other side, all the processes on the system may affect the behavior and the status of a kernel memory allocator.

The kernel is a large and complex system. The size of the kernel is substantive, perhaps on the order of millions of lines of source code. The kernel has to manage all the hardware on the computer and most of the lower-level software abstractions (virtual memory, file systems, IPC facilities, etc.). This translates into a number of hierarchical, interconnected subsystems that the attacker may have to deeply understand to successfully trigger and exploit a specific vulnerability. This characteristic can also become an advantage for the exploit developer, as a complex system is also less likely to be bug-free.

The kernel also presents some advantages compared to its user-land counterpart. Since the kernel is the most privileged code running on a system (not considering virtualization solutions; see the following note), it is also the most complicated to protect. There is no other entity to rely on for protection, except the hardware.

Note

At the time of this writing, virtualization systems are becoming increasingly popular, and it will not be long before we see virtualization-based kernel protections. The performance penalty discussion also applies to this kind of protection. Virtualization systems must not greatly affect the protected kernel if they want to be widely adopted.

Moreover, it is interesting to note that one of the drawbacks of some of the protections we described is that they introduce a performance penalty. Although this penalty may be negligible on some user-land applications, it has a much higher impact if it is applied to the kernel (and, consequently, to the whole system). Performance is a key point for customers, and it is not uncommon for them to choose to sacrifice security if it means they will not incur a decrease in performance. Table 1.1 summarizes the key differences between user-land exploits and kernel-land exploits.

Table 1.1. Differences between user-land and kernel-land exploits

Attempting to…User-land exploitsKernel-land exploitsBrute-force the vulnerabilityThis leads to multiple crashes of the application that can be restarted (or will be restarted automatically; for example, via inetd in Linux).This leads to an inconsistent state of the machine and, generally, to a panic condition or a reboot.Influence the targetThe attacker has much more control (especially locally) over the victim application (e.g., the attacker can set the environment it will run in). The application is the only consumer of the library subsystem that uses it (e.g., the memory allocator).The attacker races with all the other applications in an attempt to “influence” the kernel. All the applications are consumers of the kernel subsystems.Execute shellcodeThe shellcode can execute kernel system calls via user-land gates that guarantee safety and correctness.The shellcode executes at a higher privilege level and has to return to user land correctly, without panicking the system.Bypass anti-exploitation protectionsThis requires increasingly more complicated approaches.Most of the protections are at the kernel level but do not protect the kernel itself. The attacker can even disable most of them.

The number of “tricks” you can perform at the kernel level is virtually unlimited. This is another advantage of kernel complexity. As you will discover throughout the rest of this book, it is more difficult to categorize kernel-land vulnerabilities than user-land vulnerabilities. Although you can certainly track down some common exploitation vectors (and we will!), every kernel vulnerability is a story unto itself.

Sit down and relax. The journey has just begun.

Establishing Electronic Security Program Objectives

Electronic security in general is a subset of the overall security countermeasures that should be implemented for any organization. In my opinion, electronics should be the last element to be implemented. Yes, you heard me right… the last. That statement is coming from a person who has made a nearly lifelong career out of designing electronic security systems. There is a hierarchy to security countermeasures, and it should start with policies and procedures, then physical and network security, security awareness training, operational security programs, and, finally, electronic security. It does no good to have cameras and card readers if the building is not locked at night. Ridiculous, you say? You can point to any 10 high-rise or corporate buildings that are more than 20 years old, and I assure you that on average more than 90% of those buildings have no record of who held the master keys to the building going back 10 years, let alone the life of the building. A master key gives the holder access to virtually every asset in the building. Master keys leave no trace of who used them, and many building electronic security systems are not monitored 24 hours a day and do not have useful cameras on every door. Even with cameras, the master key holder can conceal his or her identity from them. Electronics is the high priest of false security. So first, as a designer, do no harm. Advise the owner to secure the building with strong physical security. Next, how many organizations run effective background checks of their employees, contractors, and vendors (and their contractors’ employees)? Second principle: Do not let criminals into the building. Please—advise the owner. So the foundation is to establish and prioritize overall security objectives.

Java Code Obfuscation

This is a method that is also used to bypass security countermeasures such as antivirus, network intrusion prevention systems, and host intrusion prevention systems. The following is just an example of obfuscating code that is used to run on the target system. The online tool used below is provided by iWEBTOOL.com. Again, it is important to point out that the intent of this tool was probably not to be used in a nefarious manner. The example in Figure 11.12 is a bogus Website, but an example of what is used in an iFrame injection. If the security countermeasures are in place looking for iFrames, it may have a hard time finding a match as this is now running as a java script. It is important to understand that the conversion below is not really encrypted. It is basically taking the input and translating into hexadecimal code to avoid detection.

Another popular place that you will find JavaScript utilizing unescape is within a PDF. The great thing about PDFs, from a nefarious cyber actor's point of view, is that they are widely deployed and are a great vector for obfuscating JavaScript, which can execute in a PDF viewer. This is a commonly used method for bypassing intrusion prevention systems and antivirus. However, a great way to combat malicious java script within your PDF is to disable JavaScript (Figure 11.13).

Because of the widespread use of malicious PDFs, it would be a great idea to launch your Adobe reader and click “Edit,” click “Preferences” and make sure to uncheck “Enable Acrobat JavaScript.” The previous examples we provided on packing, encryption, and JavaScript obfuscation are just a few ways in which nefarious cyber actors can bypass and test the validity of their exploits. The tools referenced are widely known above ground. Tools that are used by the underground often take time to find and with the right information you can come across some very interesting ones. Blaze Botnet is a tool that the author Will Gragido stumbled on.

Chapter 8: Information security awareness training: Your most valuable countermeasure to employee risk

Sean Lowther describes ways to incorporate Security Awareness Training as one of your least expensive and most effective security countermeasures. Jack met Sean about 5 years ago at a security conference and immediately recognized Sean as a world-class leader in the development of security awareness programs for organizations of all sizes. Sean is well known for designing a remarkably effective enterprise-wide awareness program at Bank of America. His program received the highest rating from the bank's regulators, and was consistently rated world class by industry peer groups. Sean firmly believes the success of a security plan is achieved by involving each and every employee. This chapter outlines the processes, procedures, and materials needed to build and measure a successful awareness program, as well as tips and tricks to keep employees engaged and make security part of the company mindset.

The system security engineering process

The foundation of SSE rests on cost-benefit decision tradeoffs focused on engineering out vulnerabilities and designing in security countermeasures as long-term cost saving measures [1]. The SSE process was originally considered for the design and development of systems with respect to the acquisition life cycle phases shown in Figure 1.1, while program protection addresses operations and support in phase IV:

Phase 0. Develop system security criteria, describe the baseline security system design, and conduct security threat and vulnerability studies.

Phase I. Analyze and validate the system security baseline, prepare preliminary performance specifications for security hardware and software, and process identified threats and vulnerabilities through system design modifications and risk management techniques.

Phase II. Design and integrate the security system, acquire or develop security system hardware and software against the specifications.

Phase III. Implement the security system design via production and conduct deployment planning.

Phase IV. Address operational and support security concerns through continual risk management via the program protection process.

From this description we note fundamental items of interest that constitute core SSE MPTs. Risk management forms the crux of US DoD system security and protection efforts through threat identification and vulnerability analysis serving as the basis for all SSE decisions. Of great importance, system security requirements are also emphasized from initial concept exploration to implementation and production. Lastly, integrated throughout the acquisition process is the system security baseline, which serves as the foundation for security tradeoffs.

In the 1990s, industry and government supported the development of a System Security Engineering–Capability Maturity Model (SSE-CMM) to help standardize and assess SSE practices. The SSE-CMM was accepted by the International Organization for Standardization/Intentional Electrotechnical Commission in 2002 and revised again in 2008 [3]. The SSE-CMM formalizes SSE into three separate process areas: risk, engineering, and assurance. The SSE-CMM provides SSE goals consistent with MIL-HDBK-1785 [1], while further attempting to address and clarify difficult security concepts such as assurance and trust:

Gain understanding of the security risks associated with an enterprise;

Establish a balanced set of security needs in accordance with identified risks;

Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (i.e., determine acceptable risks);

Transform security needs into security guidance to be integrated into the activities of other disciplines employed on a project and into descriptions of a system configuration or operation;

Establish confidence or assurance in the correctness and effectiveness of security mechanisms; and

Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system.

What are the types of countermeasure?

What are countermeasures?

What are physical countermeasures?

What are countermeasures in cyber security?