How to apply additional security measurements besides PCI DSS?

What do I need to know about PCI DSS?

  • PCI DSS and PCI SSC:

To minimize this risk, the Payment Card Industry Data Security Standard (PCI DSS) exists. It is designed and maintained by the PCI Security Standards Council (PCI SSC). In a nutshell, it aims to secure online transactions to a great extent.

Credit card companies enforce these standards themselves. The standards compel every retailer that accepts any form of online payment to comply with a long checklist, which ensures that transactions operate in a secure environment. Such lists mainly strive to make sure that data and networks are highly secure.

  • Spear phishing:

Spear phishing is a type of attack built on the art of social engineering. In this form of phishing, a small number of end users receive customized emails, in an attempt to obtain their private information fraudulently.

One question naturally arises here: if spear phishing is the behavior just described, what is the difference between ordinary phishing and spear phishing?

Whereas phishing sends emails to a large group of people with no prior research, expecting that a small number of them will respond, spear phishing targets a specific group of people with customized emails. This follows careful research on that group, so that they are addressed with exactly the message they are expected to respond to, and are tricked as a result.

Phishing attacks reach a significant number of people, yet only a very small fraction of recipients click the links they contain. Spear phishing attacks, by contrast, do not reach such a large group, but around half of the targeted group click the links or open the attachments.

  • Tokenization:

Whenever sensitive data is handled, tokenization has to be mentioned, because it secures such data to a great extent. Fundamentally, the valuable information is replaced with a token, which is of no use except within this process. A token is a value that carries no meaning for an attacker, or even for whoever uses it; it is mapped back to the specific piece of valuable information associated with it.

This process requires a tokenization system in which tokens can be requested, generated and detokenized back into the data. With this method the data itself becomes as secure as possible. One aspect still demands care: the security of the tokenization system itself. That system has to be secured following best practices, such as the standards for protecting sensitive data, secure storage, auditing, authentication and authorization.
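The following is an added example, not code from the original article: a small, hypothetical tokenization vault in Python that shows the three properties described above. Tokens are random digits with no mathematical relation to the card number (the last four digits are kept so receipts still work), the real value is held only inside the vault, and detokenization is restricted to authorized callers and audited. The class name, the principal names and the test card number 4111111111111111 are constructed for the example.

```python
import hmac
import secrets


def luhn_valid(pan):
    """Luhn check used by card networks; rejects malformed PANs before they enter the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization system: the only place the real PAN is stored.

    Tokens are random digits that keep the PAN's length and last four digits but
    carry no relation to it, so a leaked token reveals nothing about the card.
    """

    def __init__(self, detokenize_allowed):
        self._token_to_pan = {}        # the vault itself: must live on hardened, audited storage
        self._pan_index = {}           # keyed HMAC of PAN -> token, so the same PAN maps to one token
        self._index_key = secrets.token_bytes(32)   # vault-internal secret, never leaves the vault
        self._detokenize_allowed = set(detokenize_allowed)
        self.audit_log = []            # (operation, principal, token) for every request

    def _index_of(self, pan):
        return hmac.new(self._index_key, pan.encode(), "sha256").hexdigest()

    def _new_token(self, pan):
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = prefix + pan[-4:]
            if candidate != pan and candidate not in self._token_to_pan:
                return candidate

    def tokenize(self, pan, principal="ingest"):
        """Replace a PAN with a token; the same PAN always yields the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        key = self._index_of(pan)
        token = self._pan_index.get(key)
        if token is None:
            token = self._new_token(pan)
            self._token_to_pan[token] = pan
            self._pan_index[key] = token
        self.audit_log.append(("tokenize", principal, token))
        return token

    def detokenize(self, token, principal):
        """Map a token back to the PAN, only for principals explicitly allowed to see card data."""
        if principal not in self._detokenize_allowed:
            self.audit_log.append(("detokenize-denied", principal, token))
            raise PermissionError(f"{principal} may not detokenize")
        pan = self._token_to_pan.get(token)
        if pan is None:
            raise KeyError("unknown token")
        self.audit_log.append(("detokenize", principal, token))
        return pan


if __name__ == "__main__":
    vault = TokenVault(detokenize_allowed={"settlement-service"})
    token = vault.tokenize("4111111111111111", principal="checkout")
    print("token stored by the application:", token)
    print("PAN seen by settlement:", vault.detokenize(token, "settlement-service"))
```

Only the vault process holds `_token_to_pan`; every other system keeps just the token, which is why the text says the security of the tokenization system itself is what remains to be protected.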

  • Jump Server:

The concept of a jump server is essential when discussing network security and securing the data flow within a network. Devices in a separate security zone can be managed through such a jump server. One of the most common examples of this concept is the demilitarized zone (DMZ), which trusted networks or computers can manage through a jump server.

A jump server must have specific administrators with authorized credentials on it, for example to gain access to the DMZ. All other access attempts, from non-authorized users, must be logged for later audit. The server can then act as a single audit point for traffic, securing the data inside the DMZ to the maximum.

How to apply additional security measurements besides PCI DSS?

  1. An organization’s management should first accept that a breach can happen at any moment. Security standards can be set very high and followed very strictly, and a security incident can still occur. What, then, are security controls good for? They are meant to keep the number of such events as low as possible and to make it much less likely that an attacker obtains sensitive data. How? If an organization is breached, these controls play a significant role in identifying the risk or the attack before the attacker gets the desired information from the network.
  2. Highly sensitive data should no longer be saved or stored in the system. As long as it is there, there is always some vulnerability in the system that could be exploited to obtain it. If an organization or merchant is nonetheless obliged to retain such data, tokenization is the right solution, since it keeps the actual data out of the system.
  3. Isolate any sensitive data inside the network or the organization’s system. Approaches such as Forrester’s “Zero Trust” model or McGladrey Ultra Secure can be followed here to ensure a very high level of protection for sensitive data.
  4. Another attractive measure is to minimize the number of people authorized to access sensitive data. Then, whenever an incident occurs, the people responsible for information security have only a small group to focus on, for instance those who may have been subjected to social engineering.
  5. A “jump box” or “jump server” should be used so that users must log into it before gaining any access to sensitive data. The cardholder data environment is then restricted to those who can log into the jump box, and this can be strengthened further by requiring different credentials to reach the data itself. With full instrumentation of the jump box, all activity performed on it can be captured, and the box can then be monitored for suspicious access.
  6. Access by Internet Protocol (IP) address should be limited for the people inside an organization. HTTP and HTTPS traffic must still be open for legitimate business needs, but it cannot be left unrestricted to reach any IP address or URL. The solution is a proper IP address whitelist or blacklist, so that an attacker cannot simply operate from any IP address or URL to play around with the network.
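The jump server of the earlier section and the IP restriction in step 6 reduce to one access decision with an audit trail. The following is an added example, not code from the original article: a hypothetical policy check for a jump server in front of the cardholder data environment (CDE), written in Python. The allowed source networks, administrator names, CDE host addresses and the rule that a second credential is required are all constructed assumptions for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed policy for a hypothetical jump server guarding the CDE.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.5.0/24")]
AUTHORIZED_ADMINS = {"alice", "bob"}          # the small set of CDE-authorized administrators
CDE_HOSTS = {"10.20.1.5": "cde-db-01",        # destinations the jump server may forward to
             "10.20.1.6": "cde-app-01"}

audit_log = []   # every decision, allowed or denied, is recorded for later audit


def evaluate_access(user, source_ip, dest_ip, second_factor_ok):
    """Decide one access attempt through the jump server.

    Returns (allowed, reason). The checks are ordered so that the cheapest network
    check runs first; a malformed address is treated as a denial, not an error.
    """
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        decision = (False, "malformed source address")
    else:
        if not any(src in net for net in ALLOWED_SOURCE_NETS):
            decision = (False, "source address not on allowlist")
        elif user not in AUTHORIZED_ADMINS:
            decision = (False, "user not authorized for the CDE")
        elif not second_factor_ok:
            decision = (False, "second credential missing")
        elif dest_ip not in CDE_HOSTS:
            decision = (False, "destination is not a known CDE host")
        else:
            decision = (True, f"forwarded to {CDE_HOSTS[dest_ip]}")

    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "source": source_ip,
        "destination": dest_ip,
        "allowed": decision[0],
        "reason": decision[1],
    })
    return decision


def denied_attempts():
    """The records an auditor reviews: every attempt the jump server refused."""
    return [rec for rec in audit_log if not rec["allowed"]]


if __name__ == "__main__":
    print(evaluate_access("alice", "10.10.3.4", "10.20.1.5", True))
    print(evaluate_access("mallory", "10.10.3.4", "10.20.1.5", True))
    print(evaluate_access("alice", "203.0.113.9", "10.20.1.5", True))
    for rec in denied_attempts():
        print("DENIED", rec["user"], rec["source"], rec["reason"])
```

Because every attempt lands in `audit_log` whether or not it succeeds, the jump server is the single point where both legitimate administration and refused attempts can be reviewed, which is the audit role the text assigns to it.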

How does Amazon AWS deal with data encryption?

What is PCI DSS?

To begin with, the Payment Card Industry Data Security Standard (PCI DSS) provides a checklist with which organizations handling online credit card payments have to comply. The list ensures that organizations follow the appropriate security standards to prevent breaches. Merchants who refuse to comply face substantial financial penalties.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is legislation concerned with keeping medical information as safe as possible through data privacy and other security provisions.

Cyber attacks and ransomware attacks are launched against health insurance data held by both insurers and providers. Such attacks are a major concern of HIPAA, which aims to protect this sensitive data from breaches on compromised systems.

Why Data Encryption at Rest?

An essential requirement that both PCI DSS and HIPAA impose on an organization’s systems is that sensitive data, cardholder data and health insurance data respectively, be kept in encrypted form.

Before going further, some background on the notion of data encryption. Encrypting data means transforming it into another form, or code, such that access to the decryption key is required to understand the stored data.

Almost all organizations rely on this technique, since it has proven extremely popular and effective for securing data. In more detail, two kinds of encryption are in common use worldwide: asymmetric encryption, also called public-key encryption, and symmetric encryption.

Symmetric encryption has the advantage of speed over asymmetric encryption. In the process, the encryption key is exchanged between sender and recipient before the data is decrypted.

Accordingly, companies have to distribute and manage huge quantities of keys in order to use this encryption method. It has therefore become usual for companies to encrypt the data with a symmetric algorithm and then use an asymmetric algorithm to exchange the secret key.

Asymmetric encryption, or public-key cryptography, uses two different keys: one public and one private. While the public key is known and can be shared with everyone, the private key is kept strictly protected.

One of the most widely used encryption algorithms is the Rivest-Shamir-Adleman (RSA) algorithm. Sensitive data can be secured with this algorithm, which relies on public-key cryptography, and an insecure network such as the internet is exactly where it is most useful.

The confidentiality, integrity, authenticity and non-repudiation of electronic communications and data are assured by such an algorithm, which encrypts data using the public and private keys before it is sent over an insecure network. Digital signatures are part of the same process.

What is AES?

The Advanced Encryption Standard (AES), also known as Rijndael, is a means of encrypting data. The U.S. National Institute of Standards and Technology created the specification in 2001.

With the adoption of this standard, the Data Encryption Standard (DES) was superseded and is no longer used for encryption in organizations seeking high levels of security. The US government also adopted AES for data encryption.

The standard is a symmetric-key encryption algorithm, which means that encrypting and decrypting the data both use exactly the same key.

What does Amazon S3 offer in this regard?

Amazon Simple Storage Service (Amazon S3) is a service in which collecting, storing and analyzing data of different formats and sizes is possible and easy. Through Amazon Web Services (AWS), one can store data and retrieve it back.

Sources of such data range from websites and mobile apps to corporate applications and data from sensors or Internet of Things (IoT) devices. Media storage and distribution can rely on Amazon S3, as can a “data lake” for big data analytics; even serverless computing applications can use Amazon S3.

Photos, videos and other data captured on mobile devices, backups of mobile and other devices, machine backups, machine-generated log files, streams created by IoT sensors and high-resolution images can all efficiently make use of Amazon S3.

Amazon S3 buckets can then be configured for server-side encryption (SSE) using AES-256.

What can Amazon EC2 offer for decryption?

Instance storage can be used on Amazon EC2. Such instance storage holds data for a temporary period of time. Information that changes frequently, such as buffers, caches and scratch data, is what is mostly stored there, but in unencrypted form.

Linux dm-crypt can be used in this process. It is a Linux kernel-level encryption mechanism that makes it possible to mount an encrypted file system and make it available to the operating system. Applications can then work with all files in the file system with no further interaction.

dm-crypt sits between the physical disk and the file system. Data is encrypted as the operating system writes it to the disk, as shown in the following figure.

Finally, it is important to note that an application never knows anything about this encryption, because applications store and retrieve files through a specific mount point, while the encryption happens as the data is written to the disk. The data is therefore of no use if the hard disk is stolen or lost.

How to Perform Physical Acquisition in Android Forensics?

Things you need to understand first:

  • Logical Storage:

We first need to grasp the idea of a logical disk, which I will explain in a nutshell. A logical disk is often also called a virtual disk: a storage capacity that may draw on the storage of several physical disk drives.

Under this concept of logical storage, the user is presented with one contiguous storage area. It is not physical storage, because it does not rely on a single disk and claim that disk’s capacity as its own; it can store files across multiple physical units. Most modern operating systems offer logical volume management.

  • System partition & Data partition:

The system partition is where the system root resides; in other words, it contains the operating system folder. On Linux platforms, for instance, the root directory (/) holds all operating system files.

The data partition is the disk partition containing all the data the user stores on the hard disk. It has nothing to do with the operating system, since it belongs to the user in the first place.

There is another partition called the boot partition. It holds the bootloader that makes the operating system able to boot. On Linux, for instance, the /boot/ directory holds the boot files, such as the kernel, the initrd and the GRand Unified Bootloader (GRUB).

  • Data Acquisition Methods:

Data acquisition is an interesting topic in the domain of mobile forensics. Why is it important to know about it in the first place? Because a logical image is needed to investigate a system, and the process of extracting that data is what we call data acquisition. There are in fact three main categories of data acquisition, which we analyze in detail.

  1. Manual Acquisition:
    • The investigation relies on the mobile device’s user interface.
    • The examiner captures an image of each screen while browsing the device. No tools are needed, but manual acquisition has a great pitfall: besides being time-consuming, not all data can be viewed by the user, so not all data can be recovered by this method.
  2. Physical Acquisition:
    • A bit-by-bit copy of the whole file system is created.
    • This closely resembles the physical acquisition process in standard digital forensics.
    • Data residing on the device, unallocated space and even deleted data are all copied by this demanding method.
  3. Logical Acquisition:
    • This process relies on the equipment manufacturer’s application programming interface.
    • The phone’s contents are synchronized with a personal computer through that original interface.
    • Plenty of free software tools are available for this method.
    • Neither deleted data nor unallocated space is recovered by this method, which extracts only the data accessible to the device’s users.

How to image Android File System using dd?

There are plenty of free and commercial tools available for taking an image of a specific partition. However, all of them require root access on the device or on the emulator. Even commercial tools temporarily root the device before an image of a partition is taken by acquiring a physical dump.

Here we use the tool “dd”, which is well suited to taking an image of a rooted device.

  1. Root the device, whether a real connected device or the emulator.
  2. Note that the “dd” tool is located in the directory “/system/bin” by default on an Android system.
  3. Use the “mount” command, which shows us the locations of the partitions on the device, from which we can identify our desired partition.
  4. Analyzing the output we got in the last image, it is apparent that the system partition has the following entry:

/dev/block/mtdblock0

  5. The data partition, on the other hand, has the following entry:

/dev/block/mtdblock1

  6. It is also clear that the SD card partition has the following entry:

/dev/block/vold/179:0

  7. Taking an image of any of the partitions above follows the same steps and methodology. The data partition, however, is the one of concern for this article.
  8. The data partition can be extracted with the following command, which relies on the “dd” tool:

dd if=/dev/block/mtdblock1 of=/mnt/sdcard/output.img

  9. Now to understand the command: “if” means input file, and “of” refers to the output file. After the command runs, the image resides on the SD card under the name “output.img”.
  10. The block size can also be customized through the “bs” option of the “dd” tool.
  11. Pulling the file afterwards is straightforward with the “adb pull” command. The following command pulls the image file to our workstation:

adb pull /mnt/sdcard/output.img

Care is needed with this last command: a separate SD card destination has to be specified; otherwise the image file is written onto the same SD card partition of the device and overwrites what is there.

  12. The image should now exist on the local machine for investigation. The only pitfall of this method is that an SD card was required; without one, we could not have proceeded with this method.
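The procedure above has two parts an examiner wants to get right: reading the `mount` output to pick the correct block device, and making sure the bit-for-bit copy is complete and verifiable. The following is an added example, not code from the original article, written in Python so it runs offline: it parses a constructed `mount` listing modelled on the entries quoted above, copies a simulated block device in fixed-size blocks the way `dd` does (including a final partial block), and records a SHA-256 digest so the image can be verified after `adb pull`. The sample `mount` text, the byte contents of the simulated device and the function names are constructed for the example.

```python
import hashlib
import io

# Constructed sample of `mount` output from a rooted Android emulator; each line is
# "<device> <mountpoint> <fstype> <options> 0 0". The block devices mirror the article.
SAMPLE_MOUNT_OUTPUT = """\
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,nosuid,mode=755 0 0
/dev/block/mtdblock0 /system yaffs2 ro 0 0
/dev/block/mtdblock1 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock2 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/vold/179:0 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec 0 0
"""


def partition_devices(mount_output):
    """Map each mount point to its backing block device, skipping pseudo-filesystems."""
    devices = {}
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        device, mountpoint = fields[0], fields[1]
        if device.startswith("/dev/block/"):
            devices[mountpoint] = device
    return devices


def dd_copy(src, dst, block_size=4096):
    """Copy src to dst in fixed-size blocks, as `dd if=... of=... bs=...` does.

    The last block may be shorter than block_size; it is still written in full.
    Returns (bytes_copied, sha256_hex) so the image can be verified later.
    """
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        dst.write(block)
        digest.update(block)
        copied += len(block)
    return copied, digest.hexdigest()


def verify_image(image_bytes, expected_sha256):
    """Check that a pulled image still matches the digest taken at acquisition time."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def acquire_partition(mount_output, mountpoint, device_contents, block_size=512):
    """Locate the device behind `mountpoint`, image it, and return (device, size, digest, image).

    device_contents is a constructed {device_path: bytes} dict standing in for raw block devices.
    """
    devices = partition_devices(mount_output)
    if mountpoint not in devices:
        raise LookupError(f"{mountpoint} is not a block-backed mount point")
    device = devices[mountpoint]
    src = io.BytesIO(device_contents[device])
    dst = io.BytesIO()
    size, digest = dd_copy(src, dst, block_size)
    return device, size, digest, dst.getvalue()


if __name__ == "__main__":
    raw = bytes(range(256)) * 5 + b"tail"   # constructed 1284-byte "partition"
    dev, size, digest, image = acquire_partition(
        SAMPLE_MOUNT_OUTPUT, "/data", {"/dev/block/mtdblock1": raw})
    print(f"imaged {dev}: {size} bytes, sha256 {digest}")
    print("image verifies:", verify_image(image, digest))
```

Recording the digest at acquisition time and checking it again after the image reaches the workstation is what turns a copy into evidence; the same check catches a pull that was interrupted partway through.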

How to perform a logical acquisition using Santoku Linux using adb?

Things you need to know first

  • Data Acquisition Methods:

Data acquisition is an interesting topic in the domain of mobile forensics. Why is it important to know about it in the first place? Because a logical image is needed to investigate a system, and the process of extracting that data is what we call data acquisition. There are in fact three main categories of data acquisition, which we analyze in detail.

  1. Manual Acquisition:
    • The investigation relies on the mobile device’s user interface.
    • The examiner captures an image of each screen while browsing the device. No tools are needed, but manual acquisition has a great pitfall: besides being time-consuming, not all data can be viewed by the user, so not all data can be recovered by this method.
  2. Physical Acquisition:
    • A bit-by-bit copy of the whole file system is created.
    • This closely resembles the physical acquisition process in standard digital forensics.
    • Data residing on the device, unallocated space and even deleted data are all copied by this demanding method.
  3. Logical Acquisition:
    • This process relies on the equipment manufacturer’s application programming interface.
    • The phone’s contents are synchronized with a personal computer through that original interface.
    • Plenty of free software tools are available for this method.
    • Neither deleted data nor unallocated space is recovered by this method, which extracts only the data accessible to the device’s users.

  • Adb:

To master the field of Android forensics, there are some essential tools that have to be understood very clearly. Among them is the Android Debug Bridge (adb).

The Android SDK ships with this tool pre-installed, in the “platform-tools” directory. There is no need to set it up when using Santoku, since it is already available in “/usr/bin”.

How to perform a logical acquisition using Santoku Linux using adb?

(Extracting the entire filesystem)

  1. First of all, open a terminal window inside Santoku.
  2. Type “adb shell” in the terminal to open the adb remote shell on the emulated device, in which the next commands are issued.
  3. Then type “mount” as the next command to see how the device’s file systems are attached to the file tree.
  4. You can simply see that /dev/block/mtdblock1 is where the /data partition is located.
  5. The “df” command can be used at this point to show the available disk space on the partition. It shows the total space, the used space and the available space.
  6. Type “exit” now to leave the adb shell.
  7. The pull command offered by adb is used to extract the file system to the examiner’s computer. Opening the files afterwards in the file browser is a logical acquisition.
  8. The command is “adb pull” followed by the path of the file and then the destination. In this case, all user data is assumed to reside in the /data partition, so “adb pull /data /path/to/store/files”, typed in a new terminal window, extracts the whole user data partition.
  9. Now you can double-check the extracted files with the “ls /data” command.
  10. The operating system (OS) file explorer can be used at this point to browse the pulled folders.
  11. Inside the folder called “data” there is another folder called “data” containing all the installed applications.
  12. A single application could instead have been extracted on its own by typing “adb pull” followed by “/data/data/”, then the name of that package, then the destination path ending with the package name.
  13. A good suggestion now is to list all the installed packages. One way is to type “adb shell” first and then “ls /data/data”, which displays the list of installed packages as shown in the following image.
  14. Type “exit” again to leave the adb shell for now.

(Extracting certain files)

  1. Imagine we now need to extract only the SMS. How? We need to extract the package named “com.android.providers.telephony” and nothing else, so the following command serves our purpose: “adb pull /data/data/com.android.providers.telephony /path/Telephony/”. Note that “/path/Telephony” is the new location of the extracted data; this exact path is not required and could be changed to “/home/infosec/Telephony”, for instance.
  2. The pulled files and their directories can now be explored with the utilities that ship with Santoku.
  3. To reach the most recently extracted directory, click the File Manager PCManFM icon, then open the folder named “Telephony” with a simple double click.
  4. Inside the “databases” folder is a file named “mmssms.db”, which can be opened with the “Sqliteman” utility by right-clicking the file and selecting that utility. It contains all the SMS/MMS details, as the table names suggest.
  5. The SMS table can be queried and displayed by a simple double-click on the table. Inside it, all SMS messages can be found and further correlated by ID using other tables and columns. A sample of the SMS table is shown in the following image.
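Sqliteman shows the `sms` table interactively; the same inspection can be scripted so the result is repeatable and the evidence file is never modified. The following is an added example, not code from the original article, in Python with the standard `sqlite3` module. The column names `_id`, `thread_id`, `address`, `date`, `type` and `body` match Android's telephony provider, where `date` is epoch milliseconds and `type` 1 and 2 are received and sent messages; the rows themselves are constructed, and `build_sample_db` stands in for a pulled mmssms.db so the example runs without a device.

```python
import sqlite3
from datetime import datetime, timezone

# Directions as stored in the sms.type column by Android's telephony provider.
SMS_TYPE = {1: "received", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}

# Constructed sample rows: (_id, thread_id, address, date in epoch ms, type, body).
SAMPLE_ROWS = [
    (1, 1, "+15550100", 1500000000000, 1, "Your one-time code is 4421"),
    (2, 1, "+15550100", 1500000060000, 2, "Thanks, received"),
    (3, 2, "+15550199", 1499999000000, 1, "Call me when you land"),
]


def open_readonly(path):
    """Open a pulled mmssms.db read-only so examination cannot alter the evidence file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory stand-in for a pulled mmssms.db holding only the columns this example reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, "
        "date INTEGER, type INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def extract_sms(conn):
    """Return every SMS in chronological order, with the millisecond date rendered as UTC ISO-8601."""
    cur = conn.execute(
        "SELECT _id, thread_id, address, date, type, body FROM sms ORDER BY date, _id"
    )
    messages = []
    for _id, thread_id, address, date_ms, msg_type, body in cur:
        messages.append({
            "_id": _id,
            "thread_id": thread_id,
            "address": address,
            "timestamp": datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc).isoformat(),
            "direction": SMS_TYPE.get(msg_type, "other"),   # unknown codes are kept, not dropped
            "body": body,
        })
    return messages


def messages_per_address(messages):
    """Count messages per correspondent, a quick way to see who the device talked to most."""
    counts = {}
    for m in messages:
        counts[m["address"]] = counts.get(m["address"], 0) + 1
    return counts


if __name__ == "__main__":
    # With a real pull, replace build_sample_db() by open_readonly("/path/Telephony/databases/mmssms.db").
    msgs = extract_sms(build_sample_db())
    for m in msgs:
        print(m["timestamp"], m["direction"], m["address"], m["body"])
    print(messages_per_address(msgs))
```

Opening the database through the `mode=ro` URI is the scripted equivalent of working from a copy: queries run normally, but any accidental write fails instead of changing the pulled file.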
