Handling Security Vulnerabilities

Exploring Ways to Manage Security Vulnerabilities

Gregory M. Kapfhammer

November 18, 2024

We need to identify computer security vulnerabilities and effectively manage them! Best practices?

Security Vulnerability Management

  • Asset: A resource that is valuable to an organization
  • Vulnerability: A weakness in a computer system
  • Vulnerability management: A process for identifying, classifying, and handling a vulnerability in a computer system
  • Threat: A potential danger to an asset in a computer system
  • Risk: The likelihood of a threat exploiting a vulnerability
  • Countermeasure: A way to reduce the computer security risk
  • In-Class Discussion: What is a complete example of these concepts?
    • Identify the asset and its importance to computer security
    • Identify the threat to this asset and ways to mitigate it

Storing Secrets Inside of GitHub Repositories

Effective Secret Storage

  • Vulnerability:
    • Secrets unlock access to sensitive information
    • Programmers often store secrets in GitHub repositories
    • Attackers can find secrets and easily exploit them
  • Countermeasure:
    • How can we detect secrets in GitHub repositories?
    • What tools can we use to prevent secrets from being stored?

Secret Scanning

import re

def detect_api_keys(file_path: str):
    api_key_patterns = [
        r'AIza[0-9A-Za-z-_]{35}',
        r'AKIA[0-9A-Z]{16}',
        r'SK.[0-9a-zA-Z]{32}',
        r'[0-9a-fA-F]{32}',
        r'[0-9a-fA-F]{40}',
        r'[A-Za-z0-9-_]{32}',
        r'[A-Za-z0-9-_]{40}',
    ]
    with open(file_path, 'r') as file:
        content = file.read()
    matches = []
    for pattern in api_key_patterns:
        matches.extend(re.findall(pattern, content))
    if matches:
        print("\tPotential API keys found:")
        for match in matches:
            print(f"\t\t{match}")
    else:
        print("\tNo API keys found.")

Using a Secret Scanner

# scan three different files for API keys
print("Scanning src/subject_contains_key.py")
detect_api_keys("src/subject_contains_key.py")
print("\nScanning src/subject_contains_no_key.py")
detect_api_keys("src/subject_contains_no_key.py")
print("\nScanning src/subject_contains_false_positive.py")
detect_api_keys("src/subject_contains_false_positive.py")
Scanning src/subject_contains_key.py
    Potential API keys found:
        AIzaSyA-1234567890abcdefgHIJKLMNOPQRSTU
        AIzaSyA-1234567890abcdefgHIJKLMN
        AIzaSyA-1234567890abcdefgHIJKLMNOPQRSTUV

Scanning src/subject_contains_no_key.py
    No API keys found.

Scanning src/subject_contains_false_positive.py
    Potential API keys found:
        A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6

Inputs to Security Scanner

"""Example of a file that contains a secret key."""

if __name__ == "main":
    api_key = "AIzaSyA-1234567890abcdefgHIJKLMNOPQRSTUV"
    print("This is a file with a secret API key.")
"""Example of a file that contains no secret key."""

if __name__ == "main":
    print("This is a file without a secret API key.")
"""Example of a file that contains a false positive secret key."""

if __name__ == "main":
   dummy_key = "A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6"
   print("This is a file with a string that looks like an API key but is not.")

Secret Scanning Lessons Learned

Scanning for API Keys in GitHub Repositories

  • Important Questions:
    • Efficiency: Can we scan repositories quickly?
    • Effectiveness: Can we detect all secrets?
    • Accuracy: Can we avoid false positives?
    • Adaptability: Can we update for new secrets?
    • Security: Can we protect secrets from attackers?

Secret Scanning is an Important Business!

Collecting Information

  • Hardware: CPU, RAM, hard drives, network cards
  • Software: Operating systems, applications, libraries
  • Networks: Routers, switches, firewalls, servers
  • Data: Repositories, logs, databases, backups
  • People: Users, administrators, developers, attackers
  • Key Questions:
    • What is an automated strategy for collecting information?
    • Once a system is deployed, how can we collect information about it?

What are some automated strategies for collecting and maintaining computer system information?

Detecting CPU Details

def get_cpu() -> Dict[str, str]:
    """Return information about the current CPU in the system."""
    # detect the name of the function in
    # which this source code exists
    function_name = inspect.stack()[0][3]
    # parse out the second part of the name after
    # the underscore character
    function_name = function_name.split("_")[1]
    # create a dictionary with the function's
    # purpose as the key and the value as
    # the return of the function that collects it
    return {function_name: str(platform.machine())}
  • Use the inspect package to detect the name of the function
  • Use the platform package to detect the CPU architecture
  • Ensure that the function works in all execution environments!

Detecting Disk Details

def get_disk() -> Dict[str, str]:
    """Return disk space usage."""
    function_name = inspect.stack()[0][3]
    function_name = function_name.split("_")[1]
    if platform.system() == constants.system.Windows:
        total_disk = psutil.disk_usage("C:\\").total
        used_disk = psutil.disk_usage("C:\\").used
    else:
        total_disk = psutil.disk_usage("/").total
        used_disk = psutil.disk_usage("/").used
    total_disk_gb = total_disk / (1024**3)
    used_disk_gb = used_disk / (1024**3)
    disk = f"Using {used_disk_gb:.2f} GB of {total_disk_gb:.2f} GB"
    return {function_name: disk}
  • Use the psutil package to detect disk usage details
  • Customize this function for different operating systems

Key Insights About Information Collection

  • Feasibility: How much information can we collect?
  • Automation: Can we automate information collection?
  • Accuracy: Can we ensure that the information is accurate?
  • Security: Can we manage it without security compromises?

Even though system data can be automatically collected through scans, proper data collection and management is critically important!

Once a system’s vulnerability is known, how do we share details and prevent attacks?

  • CVEs: Common Vulnerabilities and Exposures
  • CVSS: Common Vulnerability Scoring System
  • Responsible disclosure of security vulnerabilities

Understanding CVEs

  • CVE: Common Vulnerabilities and Exposures
  • Purpose: Identify and catalog vulnerabilities in software and firmware
  • Format: CVE-YYYY-NNNN (e.g., CVE-2023-12345)
  • Database: Managed by MITRE Corporation
  • Usage: Helps organizations prioritize and address vulnerabilities
  • Important Questions:
    • MITRE and the disclosing company may decide to embargo a CVE! Why is this important in the computer security field?
    • What are the overall benefits of recording and disclosing CVEs?

Understanding CVSS

  • CVSS: Common Vulnerability Scoring System
  • Purpose: Standardized method for rating vulnerability severity
  • Range: Values range from 0.0 to 10.0
  • Interpretation: None, Low, Medium, High, Critical
  • Important Questions:
    • How can organizations use CVSS to prioritize their work?
    • What are the overall benefits of scoring a vulnerability?
    • How can we ensure that the CVSS score is accurate?

Vulnerability Management Review

Key Concepts

Managing Security

  • Asset identification
  • Vulnerability detection
  • Risk evaluation

Evaluation Metrics

  • Efficiency of scans
  • Accuracy of results
  • Security of stored secrets

Best Practices

Implementation

  • Use secret scanning tools
  • Update detection patterns
  • Automated data collection

Exploration

  • Evaluate scanning tool options
  • Ensure scanning effectiveness
  • Adapt to new types of secrets

Security is never perfect! We need a way to respond to security incidents when they occur! Best practices?

Security Operations Centers

  • Purpose: Monitor, detect, and respond to security incidents
  • Components: People, processes, and technology
  • Benefits: Rapid response to security incidents
  • Cost: Often there are high costs for maintaining an SOC
  • Important Questions:
    • What are best practices for maintaining compliance?
    • What is the security attack baseline for an organization?
    • How can an SOC maintain continuity after a security incident?

Security Incidents

Precursor to an Incident

  • Asset: A valuable resource to an organization
  • Threat: A potential danger to an asset
  • Vulnerability: A weakness in a computer system
  • Risk: Likelihood of a threat exploiting a vulnerability
  • Task: Monitor high-risk areas for developing exploits
  • Key Goal: Make sure that high-risk attacks are detected and handled before they manifest as security incidents!

Levels of Logging

import logging

# create a simple logging configuration
logging.basicConfig(level=logging.DEBUG,
                    format='%(asctime)s - %(levelname)s - %(message)s',
                    datefmt='%Y-%m-%d %H:%M:%S')

# debugging messages have severity levels
logging.debug('This is a debug message')
logging.info('This is an info message')
logging.warning('This is a warning message')
logging.error('This is an error message')
logging.critical('This is a critical message')
2023-10-05 12:00:00 - DEBUG - This is a debug message
2023-10-05 12:00:00 - INFO - This is an info message
2023-10-05 12:00:00 - WARNING - This is a warning message
2023-10-05 12:00:00 - ERROR - This is an error message
2023-10-05 12:00:00 - CRITICAL - This is a critical message

Security Logging Details

  • Purpose: Record details about system behavior
  • Severity: Indicate the severity of the event
  • Timestamp: Record the time when the event occurred
  • Execution: Run loggers on key infrastructure parts
  • Transmission: Send logs to a central server
  • Storage: Store logs for a period or to a size
  • Discussion Questions:
    • Where and for how long should a security log be stored?
    • How do we ensure that precursors are not overlooked?

Security Log Analysis

import time

# sample log file path
log_file_path = 'system.log'

# function to monitor the log file for suspicious activity
def monitor_logs():
    with open(log_file_path, 'r') as log_file:
        lines = log_file.readlines()
        for line in lines:
            if "ERROR" in line or "WARNING" in line:
                print(f"ALERT: Suspicious activity detected - {line.strip()}")

monitor_logs()
  • Read the log file and inspect each line
  • Checks for ERROR or WARNING messages
  • Surface alerts for suspicious activity

Establishing Business Continuity

Responding to Security Incidents

  • Business impact analysis measures outage impact on:
    • Property
    • Finance
    • Safety
    • Reputation
    • Customers
  • What are practical strategies for ensuring business continuity?
    • Technical
    • Operational
    • Legal

Redundancy, Backup, and Recovery

  • Redundancy: Duplicate systems to ensure continuity
  • Backup: Copy data to a separate location
  • Recovery: Restore data from backup
  • Benefits: Faster response to security incidents
  • Costs: Higher upfront costs and greater complexity

Understanding Redundancy

  • Purpose: Deploy extra components in case of failures
  • Failover: Switch to a backup system when a component fails
  • High availability: Ensure that systems are always available
  • Fault tolerance: Continue function if a component fails
  • Discussion Questions:
    • What are the trade-offs of redundancy?
    • What system components should be redundant?
    • Overall, how can you ensure high availability?

RAID to the Rescue!

  • RAID: Redundant Array of Independent Disks
  • RAID 0: Striping, no redundancy, improved performance
  • RAID 1: Mirroring, redundancy, improved reliability
  • RAID 5: Block-level striping with distributed parity

Understanding RAID’s Trade-offs

  • Performance: Varying effects on read/write speeds
  • Complexity: More hardware to manage and maintain
  • Recovery: Faster recovery from disk failures
  • Expense: Hardware RAID controllers can be costly

Understanding Data Integrity for Security Incident Response

  • Security attacks can corrupt data
  • Data integrity ensures that data is accurate
  • Ensures recovery is faster and more confident
  • Question: How can we confirm data integrity?

Data Integrity with Hashing

import hashlib

def calculate_hash_checksum(data):
    sha256 = hashlib.sha256()
    sha256.update(data.encode('utf-8'))
    return sha256.hexdigest()

# calculate the checksum of a string
data_one = "Important data for redundancy"
checksum_data_one = calculate_hash_checksum(data_one)

# display the data and its checksum
print(f"Data One: {data_one}")
print(f"Hash Checksum: {checksum_data_one}")
Data One: Important data for redundancy
Hash Checksum: 7221ade71a1fbb9b6a5e68583500b1bbfd344e5e19d458bad18323a088e982da

Are there other alternatives to SHA-256? How to use them?

Data Integrity with CRC32

import zlib

def calculate_crc32(data):
    return zlib.crc32(data.encode('utf-8'))

data_one = "Important data for redundancy"
data_two = "Additional Important data for redundancy"

checksum_data_one = calculate_crc32(data_one)
checksum_data_two = calculate_crc32(data_two)

print(f"Data One: {data_one}")
print(f"CRC32 Checksum: {checksum_data_one:#010x}")

print(f"Data Two: {data_two}")
print(f"CRC32 Checksum: {checksum_data_two:#010x}")
Data One: Important data for redundancy
CRC32 Checksum: 0x38799945
Data Two: Additional Important data for redundancy
CRC32 Checksum: 0xeba39413

Wrap-up on Incident Response

Key Concepts

Operation Centers

  • Monitor for suspicious activity
  • Detect security incidents
  • Effective security response

Security Logging

  • Record system behavior
  • Store logs securely
  • Analyze for anomalies

Best Practices

Implementation

  • Use fault-tolerant systems
  • Test backup and recovery
  • Effective log analysis

Exploration

  • Learn to use logging tools
  • Try out RAID configurations
  • Revisit data checksums

Security Synapse