Digital certificates
A public key certificate. Binds a public key with a digital signature and other details about the key holder.
A digital signature adds trust. PKI uses certificate authorities for additional trust. Web of trust adds other users for additional trust.
Certificate creation can be built into the OS. Part of Windows Domain Services. Many 3rd party options.
What’s in a digital certificate? (See video example).
X.509. Standard format.
Certificate details. Serial number, version, signature algorithm, issuer, name of the cert holder, public key, extensions, and more.
Root of trust
Everything associated with It security requires trust. A foundational characteristic.
How to build trust from something unknown? Someone/something trustworthy provides their approval.
Refer to the root of trust. An inherently trusted component. Hardware, software, firmware, or other component, Hardware security module (HSM), Secure enclave, certificate authority.
Certificate authorities
You connect to a website do you trust it?
Needa good way to trust an unknown entity. Use a trusted third party, an authority.
Certificate Authority (CA) has digitally signed the website certificate. You trust the CA; therefore, you trust the website. Real time verification.
Third party certificate authorities
Built into your browser. Any browser.
Purchase your web certificate. It will be trusted by everyone’s browser.
CA is responsible for vetting the request. They will confirm the certificate owner. Additional verification information may be required by the CA.
Certificate signing requests
Create a key pair, then send the public key to the CA to be signed. A certificate signing request (CSR).
The CA validates the request. Confirms DNS emails and website ownership.
CA digitally signs the cert. Returns to the applicant.
(See video example).
Private certificate authorities
You are your own CA. Build it in house. Your devices must trust the internal CA.
Needed for medium to large organizations. Many web servers and privacy requirements.
Implement as part of your overall computing strategy. Windows certificate services, OpenCA.
Self-Signed certificate
Internal certificates don’t need to signed by a public CA. Your company is the only one going to use it. No need to purchase trust for devices that already trust you.
Build your own CA. Issue your own certificates signed by your own CA.
Install the CA certificate/trusted chain on all devices. They’ll now trust any certificates signed by your internal CA. Works exactly like a certificate you purchased.
Wildcard certificates
Subject alternative name (SAN). Extension to a X.509 certificate. List additional identification information.
Allows a certificate to support many different domains.
Wildcard domain. Certificates are based on the name of the server. A wildcard domain will apply to all server names in a domain.
Key revocation
Certification Revocation List (CRL). Maintained by the certificate Authority (CA). Can contain many revocations in a large file.
Many different reasons it occurs. Changes all the time.
April 2014-CVE-2014-0160. Heartbleed, OpenSSL flaw put the private key pf affected web servers at risk. OpenSSL was patched; every web server certificate was replaced. Older certificates were moved to the CRL.
(see video example)
OCSP Stapling
Online certificate Status Protocol. Provides Scalability for OCSP Checks.
The CA is responsible for responding to all client OCSP requests. May not Scale well.
Instead have the certificate holder verify their own status. Status information is stored on the certificate holders server.
OCSP status is “stapled” into the SSL/TLS handshake. Digitally signed by the CA.
Getting revocation details to the browser
OCSP (Online certificate status protocol. The browser can check certificate revocation.
Messages usually sent to an OCSP responder via HTTP. Easy to support over internet links. More efficient than downloading a CRL.
Not all browser/apps support OCSP. Early internet explorer versions did not support OCSP. Some support OCSP, but don’t bother checking.
-
Security controls 1.111
-
Preventive Control types (1.1)4
-
Deterrent control types (1.14
-
Detective control types (1.1)4
-
Corrective control (1.1)4
-
Compensating control (1.1)4
-
Directive control type (1.1)4
-
CIA Triad 1.24
-
Confidentiality (1.2)4
-
Integrity (1.2)5
-
Availability (1.2)4
-
Non repudiation (1.2)5
-
Acronyms324
-
Authentication, Authorization, & Accounting 1.27
-
Gap Analysis 1.25
-
Zero Trust 1.28
-
Physical Security 1.27
-
1.2 Deception & Disruption4
-
Change management steps 1.39
-
Technical change management steps 1.39
-
Public Key Infrastructure 1.46
-
Encrypting data 1.410
-
Key Exchange 1.46
-
Encryption technologies 1.47
-
Obfuscation 1.47
-
Hashing & digital signatures 1.49
-
Blockchain technology 1.42
-
Certificates 1.412
-
2.1 Threat Actors15
-
2.2 Common Threat Vectors13
-
2.2 Phishing4
-
Impersonation 2.26
-
Watering Hole Attacks 2.24
-
Other Social engineering attacks (2.2)3
-
Memory Injections 2.33
-
Buffer Overflows 2.31
-
Race Conditions 2.33
-
Malicious Updates 2.33
-
2.3 Operating system vulnerabilities3
-
2.3 SQL Injection4
-
2.3 Cross Site Scripting7
-
2.3 Hardware Vulnerabilities4
-
2.3 Virtualization Vulnerabilities4
-
2.3 Cloud specific Vulnerabilities.3
-
Supply chain vulnerabilities 2.37
-
Misconfiguration vulnerabilities 2.35
-
Mobile device vulnerabilities 2.34
-
Zero-day vulnerabilities 2.33
-
An overview of Malware 2.46
-
2.4 Viruses and worms5
-
2.4 Spyware and Bloatware5
-
2.4 Other Malware Types6
-
2.4 Physical attacks4
-
2.4 Denial of Service4
-
2.4 DNS attacks4
-
2.4 Wireless Attacks5
-
2.4 On Path Attacks2
-
2.4 Replay attacks6
-
2.4 Malicious Code3
-
2.4 Application attacks11
-
2.4 Cryptographic Attacks5
-
2.4 Password attacks6
-
2.4 Indicators of compromise9
-
2.5 Segmentation and Access Control3
-
2.5 Mitigation techniques6
-
2.5 Hardening techniques9
-
3.1 Cloud Infrastructure6
-
3.1 Network Infrastructure concepts4
-
3.1 other Infrastructure concepts10
-
3.1 Infrastructure Considerations12
-
3.2 Secure Infrastructures5
-
3.2 Intrusion prevention5
-
3.2 Network appliances10
-
3.2 Port Security4
-
3.2 Firewall Types6
-
3.2 Secure communication11
-
3.3 Data types and classifications3
-
3.3 States of Data5
-
3.3 Protecting data9
-
3.4 Resiliency11
-
3.4 Capacity planning4
-
3.4 Recovery Testing5
-
3.4 Backups8
-
3.4 Power resiliency3
-
4.1 Secure Baselines4
-
4.1 Hardening targets10
-
4.1 Securing wireless & Mobile8
-
4.1 Wireless Security settings11
-
4.1 Application Security7
-
4.2 Asset management6
-
4.3 Vulnerability scanning5
-
4.3 Threat intelligence5
-
4.3 Penetration testing5
-
4.3 Analyzing Vulnerabilities9
-
4.3 Vulnerability remediation9
-
4.4 Security monitoring8
-
4.4 Security tools11
-
4.5 Firewalls6
-
4.5 Web filtering8
-
4.5 Operating system security3
-
4.5 Secure Protocols5
-
4.5 email security5
-
4.5 Monitoring data7
-
4.5 Endpoint Security8
-
4.6 Identity and Access Management10
-
4.6 Access controls8
-
4.6 Multifactor Authentication7
-
4.6 Password Security7
-
4.7 Scripting and automation4
-
4.8 Incident response10
-
4.8 Incident planning5
-
4.8 Digital Forensics7
-
4.9 Log data12
-
5.1 Security policies10
-
5.1 Security Standards5
-
5.1 Security procedures7
-
5.1 Security considerations4
-
5.1 Data roles & Responsibilities2
-
5.2 Risk Management4
-
5.2 Risk Analysis6
-
5.2 Risk Management Strategies2
-
5.2 Business impact analysis1
-
5.3 Third Party Assessment10
-
5.3 Agreement types2
-
5.4 Compliance7
-
5.4 privacy6
-
5.5 Audits and Assessments3
-
5.5 Penetration tests6
-
5.6 Security Awareness5
-
5.6 User training2
-
1.1 Compare and contrast types of secuirty controls1
