Skip to content

Instantly share code, notes, and snippets.

@gary23w

gary23w/security_notes

Last active December 21, 2022 22:49
Show Gist options
  • Save gary23w/4b2c770e6e9c1ad510a1508bfccb680b to your computer and use it in GitHub Desktop.
Save gary23w/4b2c770e6e9c1ad510a1508bfccb680b to your computer and use it in GitHub Desktop.
Download ZIP
security+ notes
Raw
security_notes
Security +
Spam filter
- Spam defined.
- in most cases, spam is defined as unsolicited bulk email(ube), or junk email. The spammer is hoping that the recipient will buy a product or service.
- Filters for spam
- various filters can be put in place -- usually on an smtp server -- to resuce the amount of spam that is received.
- real time blacklist(RBL) a subscription service that provides a list of known ip addressess of spam hosts, which then allows them to be blocked
- connection filter: prohibiting a list of specific ip addresses from connecting to a smtp server
- recipient filter: blocking messages sent to a particular recipient
- sender id filter: allows an smtp server to review the sender policy framework spf record of the sender in dns. if the sending smtp server is listed, the message is accepted.
-
""" the first known instance of spam occured in 1978 and involved and advertisement for digital equipment corporation(DEC) computers. """
while the reaction from this UBE was largely negative, it did result in some sales.
when the term spam became associated with UBE is unknown. We can blame monty pythons flying circus for the term. In 1970 they aired a skit in which the word
spam keeps getting used, effectively blocking useful communication.
--
Network devices
Web security gateway.
- A system designed to protect networks from malicious content that is on the internet
- it can be used to filter out prohibited content
- it can be used to scan for malicous code
- these systems can also be used as a data loss prevention measure(DLP)
- outgoing content is scanned. Ifsenbsiutive content is discovered in the scan, it is not allowed to leave the network.
Protocol analyzer.
- often called a packet sniffer
- Examines the network behaviour at a very basic level, they allow for the examination of the individual packets of data.
- Can be used to see what is consuming network resources
- can be used to identify a network breach or attack
- can be used to study the methods used to create a network breach
- wireshark is a common protocol analyzer.
-
The web application firewall is a an application layer.(layer 7). firewall that is used to control HTTP traddic that is allowed to reach the web server.
This allows for greater inspection and control messages and traffic that is destined to a networks web servers. They are configured to protect the servers from common attacks.
They differ from normal network firewalls in that they are only converned about what is attempting to reach the web server. Network firewalls, on the other hand, attempt to protect the network as whole.
--
Integrating data and syustems with third parties.
Evaluate the risks of integration.
There are multiple reasons why msystems and data may be integrated with third parties. The key is to know the risks
Systems and data may be required to be integrated because of a joint venture with another entity. When implementing a cloud computing solution, there will be a need to integrate systems and data
In some cases, the need for integration is well known and intentional, while, in other cases, it may not even be recognized as happening. When people are using social media, they may actually be integrating company data with a third party.
In all cases, there are risks associated with integration of systems and data with third parties.
-
Considerations of integration
- risk awareness.
- always evaluate the risks when thinking about integrating systems and data with third parties.
- data may reside out of the control of the business
- network transmissionsd may be vulnerable
- the other side of the integration may not be secure.
- The third party may go out of business.
- Onboarding and offboarding of business partners.
- Procedures and systems need to be put in place that will allow authorized people from the third party business partner to access the appropriate systems and data--the onboarding process.
- implementing an identity and access management(IAM) systems can help ease the burden
- Procedures and systems also need to be put in place to remove access once the partnership is terminated or the authorized person leaves the business partner -- the offboarding process.
-
Considerations of integration
- Interoperability agreements.
- if risks of integration are deeemed acceptable, some additional agreements should be created to help the process.
- memorandum of understanding (MOU) a document that is created that established and agreement between two parties
- Blanket purchase agreement (BPA) a document created and used to cover repetitive needs for a product or service.
- service level agreement (SLA) an agreement that specifies the guaranteed uptime of a system.
- Internet service agreement (ISA) specifies any data limits placed on an internet connection and should also contain a guarantee of the amount of uptime of the internet connection.
- Data backups
- Cloud storage of data backups may be the best solution to off site storage for the backups--mitigating the risk of data loss in the case of a disaster.
- A risk associated with this is the loss of control of the data, all backups stored offsite should be encrypted.
- Data ownership.
- There needs to be a clear understanding of data ownership before integration of systems and data is undertaken.
- some third parties consider all data stored on their systems as being their data--no matter where it originated from.
- Compliance and performance standards.
- read all agreements with third parties carefully to ensure that what they offer and or provide meets with the compliance standards that are required,
- in some cases it is not only inappropriate to integrate data with a third party. it may actually be in violation with the law.
- Follow security policies and procedures,
- in all cases of systems and data integration, security policies and procedures should be in place to protect the integrity of the businesses systems,
- at least once of the policies needs to define what is considered to be unauthorized sharing of data.
-
""" social media represents a type of data integration that may be difficult to control. """
with increased use of social media networks and applications, company data may not necessarily be under the control of the proper entities.
companies should strive to train personnel on what is appropriate to share on social media, and what should not be placed out in the open. It is possible for sensitive company information to be placed on the internet through the use of social media.
--
Type of application attacks 1
Due to improvements in modern network security methods, hackers may not be able to easily exploit network resources
As these security improvements have developed. In many cases, attackers have shifted their focus to application attacks. The hacker will focus on exploiting weaknesses in the software and operating systems that people use every day.
In many cases the security used to protect software from exploitation is not as robust as the security that is used to protect networks. A poorly developed application can often give the hacker adminstrative control of a system if the exploit is executed properly.
-
Common application attacks
- Cross site scripting (XSS) attack
- the attacker inserts script code into a form on a web page that gets submitted to the server.
- the server submits the script code to another client system, which then executes the script.
- XSS is often used to attack the database servers that are used to support Web pages.
- SQL (Structured Query Language) Injection attack.
- SQL is the common language used to manipulate databases. Most I business and Web applications use SQL to retrieve data from databases
- To perform the attack, the hacker inserts SQL commands into the application, usually from an input field, jknowing that the application will pass the command to the database application.
- the injected SQL commands will then modify the database.
- Buffer overflow attack
- The hacker sends more information to the application than the applications memory buffer can handle--overflowing the buffer.
- the additional information will often be placed in memory outside of the buffer
- if the hacker can get the right information stored outside of the buffer, he or she can execute code with administrative privilege.
- Integer overflow attack
- Similiar to a buffer overflow attackm but involves exploiting the mathematical functions of an application.
- When a mathematical function returns an integer larger than the memory space that has been allocated to receive it, applications often respond in unexpected ways; this represents a security issue.
- Directory traversal/command injection attack
- A popular attack against Web servers in which the hacker attempts to traverse the web servers directories to the point where he or she can execute commands on the under lying operating system.
- The attacker manipulates the URL (UNIFORM RESOURCE LOCATOR) request in order to move through the directories and get to a command prompt on the underlying OS
- LDAP (lightweight directory access protocol) injection attack
- Uses the same principles as an SQL injection attack, but exploits LDAP calls instead of SQL commands
- XML (Extensible markup language) injection attack
- Uses the same principles as the SQL and LDAP injection, but exploits XML to modify the targeted application.
-
One of the largest threats that network security personnel face is the unknown vulnerability.
Network and systems administrators expend a fair amount of effort protecting the assets under their control. They can do a good job of hardening their systems, but not a perfect job
The problem lies with ZERO DAY attacks. Zero Day attacks take advantage of either new or very recently discovered vulnerabilities in applications, which means that networks and systems probably havent yet been hardened against them.
the unfortunate reality is that attacks keep changing and security experts must also be willing to adapt in order to keep pace.
the best defense against application attacks begins with teh applications developer.
most attacks against applications involve exploiting outside input to the applications. By using proper data validation techniques, application developers can stop most attacks from succeeding
all data validation techniqures should thoroughly tested by the developer to ensure that they are effective. It is even advisable to have an unaffiliated person or organization attempt to bypass the validation techniques in order to increase the effectiveneess of the testing.
--
Rule based management
- Rule based management defined
- The implementation of rules at the technology level, used to create a secure network environment. Rule based management should be designed and tested to ensure that the rules function as expected.
- Firwall rules.
- The firewall rules should be configured in such a way that only the required traffic is allowed to pass through
- Whenever possible, the default rule should be to deny traffic.
- Exception are then created to allow the required traffic.
- The last rule on any firewall should be to an implicit deny statement
- unless explicitly allowed, the traffic is denied entry into the network.
- Access control list(ACL)
- Should be implemented wherever possible.
- firewall rules are often call ACLs
- Files and folders cna have ACLs placed on them through the use of permissions
- Routers can have two ACLs per network interface
- One ACL is on the inbound side of the interface
- the other is on the outbound side of the interface.
- All ACLs end with an implicit deny statement
- if not explicitly allowed in the ACL, the traffic or request is denied.
- Once createdm the ACL should be tested for functionality
- To ensure that required actions are allowed
- To ensure that non required actions are not allowed.
--
Additional secure network administration concepts
1 Locking the front door to the network.
- Put ACLs in place. Disable defaults usernames and passwords. Require passwords for all router access. Only use secure protocols
2 Locking the back door to the network
- Enable security on all switch ports. This limits the ability of an attacker to gain access through a switch. MAC filtering is the security method that is most commonly used.
3 Putting the eggs in more than one basket
- Seperate and group network resources by function and security needs. This can create more secure areas within a network. Seperation can be achieved through VLAN management.
4 keeping the fox out of the hen house.
- Change default management VLANs. Proper VLAN management keeps network traffic where it belongs. To allow inter-VLAN communication, the traffic has to pass through a router.
5 Blocking the most common of attacks.
- the most common network attack is the denial of service(DoS) attack. The attacker floods the network with traffic to block legitimate traffic. Flood guards can recognize the pattern and halt the attack before the damage is done.
6 Preventing unnecessary network traffic.
- Redundant routes can create routing loops. Routers use a time to live TTL value and split horizon to combat these. Redundant links on switches can also create loops. Spanning tree protocol STP will regulate the loops.
7 know exactly who has access to resources.
- 802.1x is an authentication protocol used on wired and wireless networks. It requires users to authenticat against a control database before access to the network is granted
8 multiple security mesures in one device.
- unified threat managment UTM is a possible all in one security solution. UTM systems provide multiple security functions in a single network appliance
9 log analysis-know what is happening all the time.
- Security, systems, and application logs should be reviewed on a regular basis. All too often they are only reviewed after a problem has occured. When the signs were present in the log files all along.
--
Cloud concepts
cloud computing is where the resources on the network are not actually physical in nature. They are provided to the user virtually.
this can lead to a very fluid and dynamic environment, as required resources are normally only provisioned as needed and are decommisioned once their use is completed.
most often these virtual resources are not owned by the company that uses them, but are provided by a service provider.
while cloud computing is highly configurable and changeable, it have some basic structures that are used in the classification of the type of cloud that is in use.
- Public cloud
- Systems can interact with services and devices within the public cloud and on public networks and possible other public clouds.
- Private cloud
- Systems can only communicate with services and devices within the specified private cloud
- Hybrid cloud
- Combines aspects of both the public and private clouds.
- Community cloud
- cloud services used by private individuals, organizations, or groups that have a common interest.
-
Because of the nature of cloud computing, it is very configurable to the needs and desires of the purchaser
Purchasers have many options beyond the type of cloud services that they want to provision. They must also determine what type of service they are going to require--from the most basic to the highly complex( SaaS PaaS )
Cloud types
- Software as a service(SaaS)
- the end user purchases the rights to use an application without the need to configure the virtual servers that will deliver the application
- It is usually delivered as a Web application
- Platform as a Service (PaaS)
- the is provided with a development platform for the creation of software packages, without the need to configure the virtual servers and infrastructure that delivers it.
- Infrastructure as a Service (IaaS)
- the end user is provided with access to virtual servers and other virtual network resources.
- creates a highly configurable environment in which customers can create the resources and performance that they require.
- the end user supplies the software that is going to be used of the IaaS network.
It is not uncommon for the type of cloud computing beiung utilized by an organization to be a mix
some departments may use IaaS, while a development team utilizes a PaaS only. Part of the advantage of cloud computing is only intializing resources as they are needed.
In a private cloud situation, it is possible for the organization that is using it to actually own the cloud resources. If they do own the cloud resources, they may have it on site, or they may pay to have teh resources hosted off site.
cloud computing can be a great method of conserving company resources, but it also has several security considerations.
- when using hosting services, there is always the need to consider configentiality. When the resources are out of the physical control of the company, it may difficult to control access to those resources. In some situations--such as when a law requires a company to maintain physical control of the resources--cloud computing may be unacceptable.
- in addition to the physical control, there is also the problem of reliability and availability. the purchaser is having to rely upon the hosting services ability to maintain system uptime an availability.
- always perform due diligence research to ensure that the cloud provider is both reputable and reliable. as part of the reasearch, it is also important to evaluate whether or not the resources is appropriate to be hosted.
--
Defense
Due to the complexity of modern networks. malicious attackers have multiple avenues that they can use to breach network security.
the same complexity also allows for security to be okaced in multiple areas using different methods
by placing security at different levels and in different places, network administrators can increase the overall scurity posture of a network. This concept is known as defense in depth.
security should not just be placed in a single spot, as this creates a single point of failure. security should be emplaced at multiple layers of the network, using a diversity of methods, in order to create an effectively hardened network
** just as when peeling an onion, once one layer of security is stripped away, the attackers should find another layer waiting underneath. **
--
Elements and components of network design
- Demilitarized Zone(DMZ)
- the dmz is a specific area(zone) created--usually between two firewalls--that allows outside access to network resources, while the internal network remains protected from outside traffic.
- the external facing router allows specific outside traffic into the DMZ, while the internal router prevents that same outside traffic from entering the internal network
- Network address translation (NAT)
- NAT is a technique used to allow private IP addresses to be routed across or through an untrusted public network.
- the NAT device--usually router-- assigns a public routable IP address to a device that is requesting outside access.
- NAT has the added benefit of protecting the internal private network
- the private networks IP addressing scheme is hidden from untrusted networks by the NAT enabled router.
- Network access control (NAC)
- NAC is a method of controlling who and what gains access to a wired or wireless network
- In most cases NAC uses a combination of credentials based security (eg. 802.1x) and some form of posture assessment for a device attempting to log onto the network.
- A posture assessment considers the state of the requesting device. The device must meet a set of minimum standards before it is allowed access to the network.
- common device assessments include the type of device operating system, patch level of the operating system, the presence of anti malware software and how up to date it is.
- Virtualization.
- Virtualization is the process of creating cirtual resources instead oactual resources.
- Harware, operating systems, and complete networks can be virtualized.
- A security advantage to virtualization is that, if the virtual resource is compromised, if can easily be taken down, recovered, fixed and then brought back online.
- Subnetting
- Subnetting is the logical division of a network--a single block of IP addresses--into discrete seperate networks.
- Can be done to match the physical structure of the network
- can be done to increase the security of the network by segmenting resources by needs and security level
- Segmentation of resources
- Security can be increased by segmenting a network based on resources and security needs through the implementation of virtual local area networks(VLAN)
- This segmentation can be done based on user groups
- This segmentation can be done based on resource type
- commonly, segmentation is accomplished with a combination
- The use of VLANs supports a more secure, layered approach in the network design.
In modern networks, it is not uncommon to need to allow remote access to local network resources.
Remote workers often need to access resources that are located on the main business network. This requires the use of remote access technology in order for it to happen in a secure manner
Remote access can occur using telephony technology or through the use of a virtual private network. In all cases, secure protocols and methods should be used in order to ensure the security of the local network. For example, one of the forms of Extensible Authentication Protocol(EAP) should be used when allowing remote access.
--
Common network protocols part 1
IPv4/IPv6
With internet protocols, IPv4 still has dominance over IPv6 in the network. This will change and it is already beginning to do so.
- Both IPv4 and IPv6 operate at layer 3(network layer) of the OSI model. Both IPv4 and IPv6 operate at the internet layer of the TCP/IP reference model.
- The protocols are similiar isn function, and yet are different in how they provide those functions. Both protocols are responsible for network addressing and routing operations within a network. While IPv6 is slowly assuming those responsibilities and will eventually be the dominant protocol.
- IPv4 overview
- a 32 bit addressing scheme that provides over four billion possible unique network addresses.
- Commonly represented in dotted decimal format -- the numbers are seperated by decimals. Each unit represents eight bits(or one byte)
- Can use different methods of transmitting data through networks.
- Uncast--one to one communication
- Multicast--one to a few communication
- Broadcast--one to many communication.
- IPv6 overview
- a 128 bit addressing scheme that provides over 340 undecillion possible unique addresses
- commonly represented in comma seperated hexadecimal format. Each set contains two bytes (16 bits)
- Uses unicast and multicast, but does not use broadcast type transmissions.
- Uses anycast--one to the closest communication--to replace broadcast.
--
Network storage protocols.
The storage area network SAN and network attached storage NAS often get confused with one another.
- The SAN is and actual network of devices that have the sole purpose of storing data efficiently. The NAS is a specifically designed network appliance that been configured to store data more efficiently than standard storage methods.
the difference is that a NAS is a data storage appliance that is placed on a network, while a SAN is a network of data storage devices. It is not uncommon for a SAN to contain multiple NAS devices.
protocols
- Fibre channel (FC)
- A high speed network technology originally developed to operate over fiber optic cables only
- The standards have been modified to allow the use of copper cabling in conjunction with the fiber.
- Commonly used to connect SANs together
- Uses fibre Channel protocol FCP as its transport protocol to transmit SCSI commands to storage devices
- FC over Ethernet FCoE
- A layer 2 protocol used to transmit FC commands over and ethernet network
- As a layer 2 protocol, FCoE is non-routable
- Internet SCSI (iSCSI)
- An IP (layer 3) based networks standard used to connect data storage facilities and SANs
- Allows SCSI commands and processes to take place over long distances.
SCSI = SKUZZY**** >.>
--
Common network protocols part 2
difference between ports and protocols
- Ports
- A method of specifying what protocol service to access.
- protocols and services use default ports so they are easy to locate.
- There are 65 536 ports available to be used for communications but port 0 is reserved. SO, in actuality, only port 1 to 65 536
are available
- the first 1024 ports are specifically assigned and are called well known ports
- They can also be thought of as phone number extensions
- The IP address is the main number you are trying to reach
- The poort is the extension(service or protocol) you want to access
- Protocols
- Protocols can be thought of as the language that the two applications on either side of the connection agree to speak.
- Protocols translate requests into services
- Most protocols use pre-defined ports, but some protocols must use be user configured
--
Common protocols
- HTTP(Hypertext Transfer Protocol)
- The primary protocol used to transfer data over the internet
- Assigned to port 80(TCP and UDP)
- HTTPS(Hypertext transfer protocol SECURE)
- The primary protocol to securely transfer data over the internet using SSL (Secure socket layer) or TLS (transpot layer security) technology in actuality, SSL should no longer be used
- Assigned to port 443(TCP)
- NetBIOS (Network basic input output system)
- Originally developed to allow hosts to be able to communicate with servers.
- Assigned to port 137-139(TCP and UDP)
- SMTP (simple mail transfer protocol)
- The protocol used to transfer email from a client to an email server. It is also used to transfer email between servers
- Assigned to port 25 (TCP and UDP)
- POP3 (Post office protocol v3)
- The protocol used by clients to retrieve email from servers. Once engaged, POP3 downloads all messages from the servers. The user cannot access email messages until they have been downloaded.
- Assigned to port 110
- IMAP (Internet message access protocol)
- A protocol used by clients to access email on email servers. Allows the client to administer and organize email on the server into folders.
- Assigned to port 143
- SNMP (Simple network management protocol)
- A protocol used to monitor and manage local area networks.
- Assigned to port 161 (UDP)
- DNS (domain name system)
- the protocol used to map computers names to their IP addresses
- Assigned to port 53 (TCP and UDP)
- ICMP (internet control message protocol)
- A messaging service for IP
- Packets are carried as envcapsulated IP datagrams
- ICMP also provides information about networking issues
- Telnet
- A protocol used for remote access to systems, it is unsecure. It is bi directional terminal service
- Assigned to port 23
- SSH (secure shell)
- A protocol used to encrypt data traffic on a network. It can be used in place of telnet to provide a secure bi directional terminal connection
- assigned to port 22 (TCP and UDP)
- TLS (transport layer security)
- a cryptographic protocol used to encrypt online communications
- it uses certificates and asymmetrical cryptography to authenticate hosts and exchaqnge security keys.
- It is better than SSL. which functions in a similiar manner.
- FTP (File transfer protocol)
- A standard protocol for transferring files between computing systems, require use authentication but no encryption
- assigned to port 20 and to port 21 (TCP)
- SFTP (Secure file transfer protocol)
- A protocol for transferring files between computing systems, requires user authentication and encryption by default
- assigned to port 22 (TCP and UDP) when using SSH
- assigned to port 990 (tcp and udp) when using tls/ssl
- SCP (secure copy protocol)
- a protocol for transferring files between computing systems; requires user authentication and encryption by default
- assigned to port 22 (TCP and UDP)
- TFTP (trivial file transfer protocol)
- Transfer files between servers and clients, no user authentication required. Commonly used to upload and download network device configuration files
- Assigned to port 69 (TCP and UDP)
- RDP (remote desktop protocol)
- used in microsoft networks by remote desktop connection and remote assistance to make remote connections.
- assigned to port 3389 (tcp and UDP)
--
end to end security
- IPsec(internet protocol security)
- Works at layer 3 of the OSI model and above
- the most common suite of protocols to secure a VPN connection
- Can be used with the authentication header (AH) protocol
- AH only offers authentication services, no encryption.
- Can be used with Encapsulating Security Payload (ESP)
- ESP both authenticates and encrypts packets
- Both AH and ESP will operate in one of two modes
- can be used in transport mode--between two devices(vpn/host to host)
- can be used in tunnel mode--between two enpoints(site to site)
- IPSec implements internet security association and key management (ISAKMP) by default
- ISAKMP provides a method for transferring security keys and authentication data between systems outside of the security key generating process (a much more secure process)
---
unique challenge of wireless
Wireless networks can represent a special challenge in the network hardening process.
End users will often install their own access point (AP) for convenience, allowing them to connect to the network wirelessly on their own, These rogue AP's can create a vulnerability in the network as a whole.
Conductiong periodic site surveys, using a combination of hardware and software, can help to locate rogue APs so they can be removed. Site surveys canm also be used to ensure that wireless network signals are only present where they should be. The only wireless signals that should be present in any environment are those that are authorized.
-
security
- Default username and passwords.
- all networking devices come with a default administrator username and passwords
- a best practice is to change or disable the default administrator username and password when setting up a device.
- SSID (service set identifier) broadcasts
- A wireless access point (WAP) will broadcast the names of available networks.
- by default the SSID is broadcast in clear text, creating a vulnerability.
- A best practice is to set the WAP to hide the SSID beaconing, this will prevent the casual user from seeing the wireless network
- even with the beacon set to be hidden, with the proper hardware and software, an attacker can still read the broadcasts.
- Device placement
- WAPS with omnidirectional antennas should be placed at the center of the desired coverage area
- Omnidirectional antenna broadcast in all directions uniformly
- WAPs with directional antenna can be placed toward the edge of the desired coverage area
- directional antennas broadcast in a specific direction only
- Power level controls
- most WAPs come with the ability to adjust the power levels of the RD signals
- RF power levels should be set to reduce or increase the wireless coverage area to what is desired
- MAC filtering
- All WAPs come with the ability to limit which layer 2 MAC addresses can connect to the wireless network.
- While this can increase the security of the wireless network, MAC address can be spoofed.
- MAC filtering may not be appropriate in all situations
- WEP (wired equivalent privacy)
- an older encryption standard that utilized a pre shared key (PSK) to encrypt messages between the WAP and the connecting device
- used the RC4 algorithm for the encrpytion.
- It is easily broken and should not be used
- WPA (wireless protected access)
- an older encryption standard used as an intermediate replacement for WEP
- introduced TKIP (temporal key integrity protocol) as an additional security measure
- TKIP creates a new security key for every packet that is sent
- It can be broken and should not be used, unless absolutely necessary
- WPA2 - personal
- the current wireless encryption standard for the home or small business utilizing a PSK
- Introduced counter mode cupher block chaining message authentication code protocol (CCMP) with advanced encryption standard AES as a means of addressing the weaknesses present in WEP and WPA
- Cannot be easily cracked, but given enough time and computing resources it can also be broken
- WPA - enterprise
- the current wireless encryption standard for larger businesses
- users are required to be authenticated before being allowed to connect to the wireless network
- authentication can occur using different methods that fall within the 802.1x standard
- the WAP will pass requests to log onto an authentication server(commonly a radius server) to authenticate the user before allowing access.
security
- Extensible authentication protocol(EAP)
- a common authentication protocol used by WPA2 to allow access to wireless networks
- EAP packets are encapsulated within 802.1x packets, which are forwarded to an authentication server
- LEAP (lightweight EAP) is a CISCO proprietary method of implementing EAP. It was developed before the 802.1x standard was developed
- PEAP (protected EAP) is a method of encapsulating EAP packets with TLS in order to increase security.
- Additional wireless network security
- Captive portals can be used to require users to authenticate through a Web page when attempting to join a network
- A common method used in publicly available wireless networks
- WPN (virtual private network) over wireless can be used to firther increase wireless security.
- wireless network access must be through a VPNl this adds an additional level of security in the network.
--
risk concepts 1
control types
- Management controls
- any written policy, procedure or guideline that is used to help[ secure a network resources against attack
- are often used to define and outline other control types
- a very broad category of controls that can include security policies, hiring policies, security awareness training etc
- Technical controls.
- the security measures used in controlling access to any particular resource that is available on the network
- can include physical controls used to limit physical access to networking equipment
- examples include encryption firewalls password etc
- Operational controls
- the procedures that are put in place to help ensure that day to day operations can occur, even after a risk event has happened
- examples include network redundancies, hot and cold site mantenance, backup procedures, etc.
policies for reducing risk
any policy that is used to help secure the workplace, and or a companys data and networks is, by default, a security policy
security policies document or outline what is allowed or not allowed to occur on the network from a security point of view. They are usually crafted at the upper layer of management with the help of knowledgeable IT personnel
security policies give administrators the authority to put into place measures to protect the security of the network. In many cases, they also give administrators the authority to enforce the policies that lead to a hardened network.
- Privacy Policy
- a policy that is used to educate employees and customers on information collection practices
- why information is collected
- what information is collected
- when information is collected
- how information may be used
- many businesses now publish their privacy policies
- in many cases, privacy policies may be regulated
- Acceptable use policy (AUP)
- A policy that documents what a company considers to be acceptable use of its IT assets. It may contain several sub-policies
- acceptable use of internet
- acceptable use of email
- acceptable use of laptops
- acceptable use of mobile phones
while outside threats may be difficult to deal with, the inside threats are the most dangerous to the network
it has been estimated that up to 80 percent of all data breaches can be traced back to a failure of security measures from within the network itself. Sometimes the breaches occur by mistake, but all too often, they are intentional
this implies that the greatest security threats are the people that have already been given access to the network. Poilicies and procedures can be put in place to reduce the risks that are associated with internal employees
- Least priviledge
- administrators only grant the minimum amount of network priviledges(access to network resources) that are required to get the job done.
-helps to minimize risk when and account gets compromised, or in cases of malicious network users
- Separation of duties
- critical jobs are separated into different tasks with users only authorized to perform one of the tasks.
- Helps to minimize the damage that can occur from faudulent employee activities.
- mandatory vacations
- all employess should be required to take vacations
- can lead to reduction in the threat level from fraudulent employee actions. EMployees know that someone else will be performing their duties in their absence and may discover any irregularities
- Job rotation
- mandatory job rotation requires that employees change job duties on a regular basis.
- can lead ti a reduction in the risk of fraudulent activities and has the added benefit of cross training employees
--
risk related concepts part 2
qualitative vs quantitative (see CISSP notes for more details)
many businesses deicate a fair amount of their resources---both monmey and time-- to performing risk assessments
in most cases, the risk assessments may be broken into one of two categories. They may be either qualitative or quantitative assessments
qualitative assessments are conducted based on the probability, or likelihood, of the risk occuring and the expected impact on the business. This type of assessment is not really concerned about the actual dollar impact.
quantitative assessments are conducted based on the projected cost in dollars if a risk event occurs
- Qualitative assessments RISK = PROBABILITY X LOSS
- basic formula risk = probability/likelihood x loss/impact
- several tables are built using the variables of the formulas.
- a risk table outlines the possible events
- a probability/likelihood table outlines the possibility of the event occuring with a value assigned to the loss
- a loss/impact table outlines the impact to the business if the event occurs with a value assigned to the loss
- the tables are used collectively to create the qualitative risk assessment
- often, qualitative assessments are used to determine which assets and risks require a quantitative risk assessment.
- quantitative risk assessments require more time and effort
- Quantitative assessments
- involve using the actual cost of a threat event to help determine how much to spend on preventative measures
- it doesnt make sense to spend more than the actual cost
- Quantitative risk assessments can help when budgeting for a security solution to reduce the risk of occurence
- step 1 determine the value of the assets
- step 2 determine the exposure factor(EF)
- step 3 determine the single loss expectancy (SLE)
- step 4 determine the average rate of occurence (ARO) (each year)
- step 5 determine the average loss expectancy (ALE) (ALE=SLExARO)
- step 6 determine what security solution will mitigate the risk
other risk factors
- MTTF(mean time to fail)
- the average time a device is expected to be operational in production before it fails--usually as reported by the manufacturer
- MTBF (mean time between failures)
- the average time between failures of a system or device
- MTTR (mean time to restore/recover)
- the average time required to restore or recover when a failure occurs
- RTO (recovery time objective)
- the amount of allowable time before a system or device can be down
- RPO (recovery point objective)
- represents the portion of the system that is expected to be recovered after a failure.
--
risk related concepts part 3
- Approaches to handling risk
- once identified there are five main approaches to dealing with it
- Mitigation: the implementation of some types of control- eg administrative or technical control-- to reduce either the probability of a risk occuring or the severity of the event if it does occur
- Acceptance: taking no action to either reduce the probability of an event occuring or the severity of the event if it does occur--deciding that the impact does not justify the expenditure of resources
- Transference: making the risk another entity's issue--usually done through the purchase of insurance
- Avoidance: after identifying a risk, determining to avoid pursuing any action that may lead to the risk event occurring-- may mean the loss of a business opportunity
- Deferrence: an attempt is made to deter the risk from occurring--usually through the use of potential punishment. One of the least common approaches.
cloud computing and virtualization risks
cloud computing can create benefits to a business. IT needs, including data storage, can be offloaded, thus reducing costs.
while this may be beneficial, careful thought muyst go into the decision making process. This includes a thorough analysis of the risks that may be present
a review of the providers security is in order before any business should place crucial data on a cloud providers system. the reliability of the providers systems shouyld also be evaluated to ensure that availability meets the business requirements. Addtionally, in some cases, data and applications cannot reside on hosted systems because this may violate regulations.
risk terms and concepts
- assets
- A resource that a business needs in order to function
- False positive
- when an application or system implemented for security warns of a threat that is not actually present
- it is common for anti malware applications to block legitmate applications from executing due to false positives
- False negative
- when and application or system implemented for security fails to warn of ra risk that is actually present
- this situation presents a risk in iself. the failuire to warn or block an actual risk allows that risk to occur
- Vulnerability
- a weakness in the configuration of software or hardware
- Threat
- an event that can cause harm or reduce the value of an asset
- Threat target
- a system or device that is the object of a threat event
- Threat vector
- The mechanism, tool, or path used to exploit a weakness in networks, systems or software
- Threat actor
- the person or entity utilizing the threat vector to exploit a weakness
--
risk mitigation strategies
- "it seems to be a law of nature inflexible and inexorable, that those who will not risk cannot win" - john paul jones
in the marketplace there is no reward without take on the risk of failure
this up an interesting quandiary. Investors will often reward risk by increasing this value of a company. On the other hand, failure due to risk taking often leads to changes in management
management will often take on risk to gain the rewards, while, at the same time, implementing strategies to mitigate the amount of risk that it is willing to assume
- Change management (CM)
- all change represents a risk to systems--a small change in one system may have a ripple effect that multiplies through the whole system
- CM is implemented in order to evaluate changes for their effects on the system as a whole.
- CM allows for changes to occur, while, at the same time, mitigating the risks associated with those changes
- Review of user rights and user permissions
- Users must be granted the rights and permissions in order to function in theri positions, These rights and permissions may, in fact, represent a security risk.
- Periodic reviews should be conducted on user rights and permissions to ensure that the principle of least privilege is being followed--this mitigating risk.
- Periodic reviews should be conducted on user rights and permissions to ensure that unnecessary user accounts are removed from tehj system--also mitigating risk
- Perform routine audits
- Audits of systems should be conducted on a regular basis in order to reduce risk.
- Security audits can be conducted on many different systems to evaluate different aspects of risk. Including system configurations and vulnerability assessments
- Incident management
- A type of after-the-fact mitigation technique
- after a security incident has occured, effective incident management can help to contain the damage
- after a security incident has occured, effective incident management can help to prevent it from occuring again
- Enforcing policies and procedures
- Effective policies and procedures can reduce the chances of a risk event from ever taking place
- Proper enforcement of policies and procedures can help to prevent the loss or theft of data.
Data loss prevention(DLP) systems can be implemented as a type of technology control to mitigate the risk of loss or theft of data
DLP systems can be a software application or network appliance. They are designed to analyze information traversing the network to help ensure that sensitive data remains contained inside the esablished safe boundaries
DLP systems can monitor network links and review what is being transmitted through protocols associated with instant messaging, email, FTP, HTTP, etc. DLP systems may also be configured to scan storage systems to help ensure that data is being stored in the proper locations
--
basic forensic procedures
the first step in basic forensics is the recognition that forensic measures need to take place.
most technicians, hopefully, will not need to deal with a murder mystery in the workplace. However, it is almost a certainty that they will have to deal with type of security or legal issue when supporting an organizations netywork. This will often require uysing a first response that includes forensic procedures,
the response to security and legal issues needs to be donme in a manner such that evidence is recorded and preserved. the first step is recognizing that something has occured which needs to be documented and that evidence needs to be collected and preserved.
concepts and procedures
- First responder responsiblities
- Secure the area and limit who has access to the area as much as possible, do not power down computer systems at this time
- This is to protect possible evidence from being contaminated
- document anyone who has accessed the area after it has been secured.
- if necessary, to stop an ongoing computer attackm it is permissible to unplug the network cable.
- Document the scene thoroughly, including what is on any computer monitors
- Video capture can be used to document the scene
- Polaroid type picture, not digital pictures, work well as evidence
- It may also be necessary to diagram the area
- interview any witnesses as soon as possible
- Start the electronic evidence collection process by order of volatility
- Order of evidence volatility
- Electronic evidence is volatile and easilt corruptible just because of what it is, so the order of collection is important
- Contents of memory - the most volatile of all types of data
- Swap File - not as volatile as RAM, but still very temporary
- Network processes - all network processes that are active on the affected system or systems
- System processes - all system processes that are active on the affected system or systems
- File system information - including the attributes of all files.
- Raw disk blocks - all of the contents on all of the disk drives of all affected systems
- After isolating the affected system or systems from the network, create a bit level image of the system or systems,
- to create a proper time stamp, have the recording system match the time offset of the target system
- create two copies of the bit level image and create a message digest of the images to be able to later prove they have not been tampered with
- one image should be securely stored to be used as evidence
- the other image can be examined
two types of system images
- Live system image.
- capturing the system image before the system is poiwered down
- can be used to capture highly volatile evidence
- warning a live system image may change the target system's data structure
- Static system image.
- Capturing a txt level system image after the system is powered down
- The hard drive is removed from the system and connected to a forensic workstation, with a write blocker placed between them
- the write blocker prevents any changes from occuring on the target hard drive.
evidence chains
- Chain of custody
- A document that identifies who collected the evidence, when it was collected, and who has had access to it
- A proper chain of custody document can prove that evidence has been accurately preserved and can also be considered part of the evidence
- A chain of custody document will help ensure that all evidence is admissible in court
- A broken chain of custody will negate the collected evidence
- Creating a tracking log.
- Document all steps taken from teh beginning of the initial incident response.
- shows all of the steps taken during the forensic process
- Can be used to help track internal resources expended on the incident
- both for man hours and other expenditures
- Can be used to justify expense for management or clients
- Network traffic and log files
- Creates a history of events, which is a good source for determining what has occurred on a computer.
- Network traffic logs and browser history files can show where the system went on the internet and what actions were taken.
- Log files can help to determine what has occured with a system
- Big data analysis
- Recognize that, in some situations, big data analysis tools my be required.
- Big data in this situation refers to any set of data thjat is too large to analyze with typical data management tools.
- for example analyzing data from a security incident at a financial institution can involve multiple exabytes of data.
--
Incident response concepts
The first responder to an incident has two main responsibilities-- first to assess the situation and second, to contain the damage
When responding to an invident, the first item to evaluate is the overall situation. The first step is to judge how widespread the incident is. It may involve a single system or it may involve multiple PCs--possibly even an entire department.
The second main responsibility of the first responder is to isolate the incident and contain the damage. In most cases, this can be effectively achieved by removing the affected system from the network.(unplug the darn network cable). If the damage is more widespread, it may be necessary to power down a switch or other network device in order to contain the damage.
- Preparation
- A security response team should be created by an organization before an incident ever occurs
- The organization should be educated as to how everyone needs to respond to a security incident and how the response is to be conducted
- Incident identification.
- Every member of the response team should be capable of identifying a security incident.
- All members of the organization should be educated in how to identify a security incident.
- Escalation and notification
- Once a security in incident has occured, the incident response team should be notified.
- All personnel should know how to contact the security response team.
- Mitigation steps
- after containing the incident, security response personnel will identify steps required to mitigate the situation
- the steps may be as simple as requiring an antivirus software package to be updated
- the mitigation may be more complex--possibly installing a new firewall
- Lessons learned
- Document what has occured and how it was handled in order to help prevent the same situation from happening in the future
- "How did this happen?"
- "How did it get resolved and was teh resolution effective?"
- "How can a similiar occurence be prevented in the future?"
- Reporting
- The lessons learned documentation can be used to create a report. The report will have several uses
- Used to educate and train the security response team.
- Use to educate and train end users on best practices.
- Recovery and reconstitution procedures.
- These define how the system or systems are going to be returned to the state they were in before the security incident occurred.
- Incident Isolation
- Quarantine or remove the afftected device or devices to reduce opportunity for more damage to occur
- Damage and loss control.
- Always identify the extent of the damage to help ensure that it is contained to only the affected system(s)
- Data breach
- A data breach is any time that sensitive data is made available to an untrusted source.
- Extremely sensitive data should never be allowed on the network, it should be kept offline in storage.
--
security related awareness
the security policy
- A security policy is actually composed of many sub documents that cover the expected behavior of personnel from a security perspective
- It is created by personnel tasked with securing company assets, but it also has the backing of management. Without managements backing, it is difficult to enforce a security policy. All personnel should be required to be trained on the security policy and then acknowledge suych training with a signature.
the individual sub policies contained within the security policy wilkl not only detail the exprected behavior but will also outline the disciplinary actions that can or will be taken if the policy is violated. disciplinary actions can range from a simple reprimand to termination or prosecution.
- Role based security training.
- When training on indicidual securoity policies, it is important to craft the trainingh the fit the intended user.
- General user needs to know the what of the policy
- Technical user needs to know the how and what of the policy
- management needs to know the why of the poilicy
- Security policy training is vital
- Helps to ensure compliance with regulations
- Helps to ensure security best practices are followed
- Helps to ensure that internal standards are adhered to
- Ongoing security policy training
- The threat environ,ment is not static and neither should the security policy
- The security policy should be changed to adjust for new threats and trends as needed
- Training types and environment
- Dofferent types of training can and should be employed to help ensure consistent awareness and compliance with the security policy. These can also used as refresher courses.
- Printed documentation: can be used as part of the initial training after hiring. Is easily tracked with a signed copy on file
- Computer based training(CBT): the use of IT media to provide the training, this allows for an interactive experience and is easily tracked
- Seminars: half day or full day security policy seminars can be used to import knowledge to large groups at one time.
- Working lunches: similiar to the seminar, but usually will only cover a single topic.
- Informal training: security personnel should always be striving to help users and management understand the importance of the security policy
- All training should be documented and tracked
- The documentation and tracking can be measured.
-
security awareness topics
- Moist users take a fairly casual approach to IT security, even when they dont think that they do.
social networks are actually a security risk. It is all too easy for a user to share information on a social network that shouldnt be out in the wild.
P2P type networks are also a security risk. Just like social networks, a user may make information that should be kept in houise available on the network. P2P networks are also vulnerable to security exploits and have been used as threat vectors in the past to introduce malware into other networks.
- Information classification.
- All data and files should be classified as to their level of sensitivity
- In most cases, organizations are responsible for establishing the level of classification
- After data and files have received their classification, isers should be assigned to levels of access
- Personally identifiable information(PII)
- PII is any information that can be used to uniquely identify an individual.
- PII should always receive the highest level of classification and restrictions.
- PII should never leave the control of the organization
- Data handling and disposal
- Policies should outline how data can be stored and the appropriate methods for disposal.
- If data is allowed to be placed on removable media it should be encrypted
- Hard drives may be sanitized or physically destroyed
- User habits
- It is up to security personnel to instill strong security habits into other personnel items to focus on include
- Strong passwords and password management
- Proper data fandling techniques
- Clea desk techniques
- Physical security
- Personally owned devices
-
physical security and environmental controls
control types
there are three main types of controls that can be used to mitigate security risks
administrative: written documentation that is used to help secure systems from risks
technical: the security measures used to control access or reduce risk to any particular resource or asset. They may be digital in nature
operational: procedures that are put in place to help ensure that day to day operations can occur--even after a risk event has happened
- classification of control types
- the categories of control types can be further broken down iunto what theyare designed to achieved
- detterent: used to deter an action from being performed (threat of discipline)
- preventative: used to prevent a security threat from occurring
- detective: used to detect the occurence of a risk event
- compensating: used to compensate for any residual risk that may remain after another classification of control has been put in place
physical security
physical security measures can be used for multiple purposesm uncluding keeping people safe in the workplace
The user of proper lighting and signage can direct employees to emergency exits and or keep them safe at night in the parking lot. Fences and barricades can be used to secure sensitive areas, while(used in conjunction with access lists) ensure that only authorized personnel are present, creating a safer work environment
Physical security measures can also be used to restrict access to sensitive resources through the use of alarms or video surveillance.
- Hardware locks
- keeping assets where they belongs
- a technical preventative control that can be used to keep resources secure.
- Biometrics
- making a person prove who they are
- an authenticatio method that is based on a persons physical attributes or on physical actions
- Proximity readers
- Tracking movement within a facility
- Radio frequency ID badges or tokens can be used to determine to exact location of personnel within a facility. As an added benefit, they can be used to activate electonic door locks
some work environments require more security than others. One example is the wiring distribution point of IT networks
allowing unlimited access to the wiring distribution room is an extreme example of a security risk. Anybody would have access to all of the networks communication and or equipment, thus making them the "owner" of the network
In a highly sensitive risk intolerant environment, it may be necessary to implement a mantrap to control access to specific areas of an organization. A mantrap often involve two locking doors with a space between them. A person is allowed through the first door, but not the second, until after additional verification, trappinbg the person until authorization is granted.
environmental controls
a networks health and safety can be affected by more than just a network interface failing or a possible security breach
- network and system admin istratoprs also need to be concerned about environmental factors. Some of those factors include electrical power, heating, and humidity
a properly designed HVAC system can aid in protecting critical components from damage when they are designed with a hot and cold aisle approach. (equipment air intakes are pointed tward AC vents)
- Power monitoring
- systems and tools can be used to evaluate the amount of, and the quality of, the electrical power being delivered to the system
- Power monitoring is often deployed with, or alongside, an uninterruptable power supply.
- Humidity monitors
- Humidity monitoring
- monitors allow adminstrators to control humidity levels
- Fire suppression systems
- Need to be specifically designed for the resources they protect
- Elecomagenetic interference shielding
- in some work environments, it may be necessary to use shielded cabling to protect networks from EMI.
--
Disaster recovery concepts
In the business world a disaster is any event that incolces more than the dayt to day emergency response resources
It is a fact of life that disasters will happen. Any event that can prevcent an organization from functioning normally will have a major impact on the continued existence of that business. The more time that is spent non operational, the harder it becomes to recover from a disaster
An organization should create a disaster response place (DRP) in order to address these situations. The DRP needs to be a compregensive place that covers everthing from the unfortunate loss of key personnel to the loss of a critical business site.
- Cold site.
- a pre arranged location that an organization can utilize iun the case of a disaster. It is a backup space only
- In thec ase of a disaster, the business moves all personnel, systems, and equipment toi the site
- it is the least expensive backuop site to maintain
- It is the hardest type of backup site to bring up to speed
- Warm site
- a pre arranged location that an organization can utilize in the case of a disaster. It usually contains office space and some critical IT infrastructure components
- In the case of a disaster, the business moves all personnel, systems, and other necessary equipment to the site
- It is less expensive than a hot site and usually only requires the addition of the latest backups to get systemns back up and running
- It is more expensive than a cold site and takes more time to bring up to speeed
- Hot site
- a pre arranged location that an organization can utilize in the event of a disaster. It contains a duplicate of all equipment and systems necessary to perform all critical operations
- In the case of a disaster, only personnel need to be moved to the site before operations can proceed
- it allows for the quickest recovery of operations
- It is the most expensive of the backupsites to create and maintain
- Further site categorization.
- Shareed site: an alternative disaster recovery site where the cost of maintaining the facility is split with another organization.
- Exclusive site: an alternative disaster recovery site where the cost of maintaining the facility is borne by a single organization
- will not be required to share the facility
datas backups
- data plays an extremely important role in the life of organizations. they may live or die based on the data that they utilize
This importance requires that data be kept and maintained safely. Without it, most organizations will not be able to operate until it can be recreated. This means that data backup plans and procedures are a vital part of any DRP. Backups should be stored off site in order to safeguard against a disaster
Backups also play a key role in recovering from unexpected consequences or from the failure of a component. Backup schedules must be implemented, and periodic tests should be conducted to ensxure that the backup process is working.
- Types of backups
- Full: all data on the targeted system is backed up
- Slowest backup method with the highest storage requirements, but leads to the fastest recovery period.
- recovert only requires the full backup file
- Incremental: only the new or modified files are backed up
- Fastest backup method with the lowest storage requirements, but leads to the slowest recovery period
- recovery requires the last full backup file and all of the incremental backup files
- Differential: only data that has changed since the last full backup is saved.
- Time to backup is moderate, requires a moderate amouint of storage, but also is the middle ground on length of time for recovery
- Recovery requires the last full backup file and the last differential backup file
- the configuration files of a network device should also be backed up
- once a network device has been configured and is operating as expected, a backup of the configuration files and operating system should be created.
this helps to speed up the recovery time in cases of equipment failure, or when a change to the configuration has unexpected consequences
--
business continuity concepts
a best practice is a technique or methodology that consistently results in superior results over another technique or methodology
- best practices can be standardized across an industry. a single compnay, or an individual. Best practices may also be customized to fit any given situation.
the creation of a business continuity place (BCP) is a best practice that should be done within every organization. A BCP is a sub element of a disaster recovery oplace(DRP) that utilizes business impact analysis (BIA) to determine the impact of down or lost systems through the use of risk assessment techniques
** a bia will help to determine which function or systems are critical to the continuity of operations. Once identified, steps may be taken to reduce or to mitigate those risks. **
- Critical system and component identification
- if the loss of a system or component would result in significant list revenue or in a safety situation. it is determined to be critical
- these are often determined to be single points of failure
- Single point of failure
- When the failure of a single device or component can bring the en tire system down or have a disproportionate impact on operations.
- Is most often mitigated by implementing redundancy--using multiple duplicate systems that immediately take over when failure occurs
- in some situations, single points of failure may be mitigated through high availability techniques--similiar in concept to redundancy, but involving data instead of systems.
- Succession planning
- two process of ensuring that if a key person to the organization is lost, that there are personnel who can step into the position--even if it is on an interim basis
- IT contingency planning
- Preparation of a recovery place to be used when something fails or goes wrong within an IT system, think of it as a succession plan for IT
- BCP testing
- All of the elementsof the BCP should be periodically conducted to ensure that the BCP is still validation
- The team responsible for the BCP gathers reviews every aspect of the BCP to determine if anything is missing, and to review everyones responsibilities during a disaster event.
fault tolerance
building fault tolerance into IT systems is a main tactic used to remove single points of failure and to ensure high availability of data
- Using a single server to run a maintain critical business functions represents a huge risk. If that server were to fail, it would have a severe impact on the operations of an organization
fault tolerance is the process of putting systems and processes in place to reduce the impact of the failure on any single system.
- Server fault tolerance
- clustering. taking a single servers responsibilities and spreading them across multiple servers(nodes)
- the active node is responsible for ensuring that the other nodes contain current copies of data or processes
- if a single node fails, operations continue uniterrupted
- Has teh advantage of allowing for load balancing
- As all nodes contain current information, during peak periods, the workload may be spread out amount the various nodes
- The cluster may be contained within a single facility or it may be geographically disbursed
- geographic distribution has teh added benefit of protecting against a natural disaster.
- Hard drive fault tolerance.
- Most commonly achieved through the implementation of RAID
- RAID may be used to increase performance, or fault tolerance, or both performance and fault tolerance
- not all implementations of RAID involve fault tolerance
- Types of RAID
- RAID 0 data is striped across two or more disks which leads to fault tolerance
- RAID 1 data is duplicated across two or more disks, which leads to fault tolerance
- RAID 5 data is striped across multiple disks along with a parity bit
- is fault tolerant and has performance close to that of RAID 0
- RAID 10 requires four or more disks, as it includes a mirror set and a stripe set.
- Has best fault tolerance/performance
--
goals of security controls
confidentiality integrity availability
no matter how a security control is implemented, it always has a goal--to keep systems and data or personnel and facilities safe
in some cases these end goals can be combined, however, in most cases, they are deployed separately to achieve the goal. It is not uncommon for the categories to work together to increase the overall security of the data and systems.
when the focus is on systems and data. The security control can be placed into one of three categories. The categories are confidentiality integrity and availability (CIA triad)
- confidentiality
- using technological controls to ensuire that only authorized personnel can gain access to the information
- Access control/permissions explicitly establishing who can access the information, the person requesting access must have explicit permissions to be able to do so
- Encryption using an algorith to make data unreadable unless the appropriate security key is present, encryption can be placed at multiple levels
- Steganography concealing data within a graphic file, the person receiving the graphic file must use Steganography software to read the secured data
- in many cases, access control/permissions and encryption are used together to increase the confidentiality of data or systems
- integrity
- using technological controls to ensure that, when data is sent from a source, exactly the same data is received at the detination--in short, authenticatingthedata
- Hashing using a mathematical algorith to verify that no change has occured to the data in transit, oince received, the hashed value of the data is used to ensure that integrity has been maintained
- Certificates a cyptographic means of transporting or exchanging security keys. Ensures the integrity of the security keys
- Digital signatuires using a combination of certificates and security keys to authenticate the sender of a message or data--in short, ensuring the integrity of the source
- Integrity controls are often used in conjunction with confidentiality controls.
- availability
- using various types to ensure that data and systems are always available when required.
- fault tolerance
- redundancy
- backups
- patching
safety controls
security controls should also be put in place to ensure the safety of personnel and facilities
often the responsibility for securing systems and data are separated from the responsibility to secure personnel and facilities. Whoutout the people and facilities, the systems and data will not do much good. Some security goals should be put in place with this in mind
These controls should cover disasters, personal safety, and outside threats. The controls also need to be tested on a periodic basis to ensure that all people know and understand them.
--
types of malware
malware can be defined as any code based attack that can be utilized against a system or network
In most case, malware has been specifically designed to perform a malicous action. As such, IT CAN also be defined as any software that harms or misuses the system.
this means that a poorly written software package can also fall into the definition of malware, even if harm was not the intent. Always thoroughlt test any software package before deploying it in a production setting. This will help to reduce the chances of introducing unintentional malware into a network.
- Virus
- Malware that has two jobs--to replicate and top activate.
- Requires a host program, a host machine, and user action to spread.
- viruses only affest drives
- Often contains a destructive payload.
- Trojan
- Malware that hides its purpose by disguising itself as something the end user desires.
- Used to get the end user to download a virus or package
- This is often the method that is used to establish botnets or zombie nodes
- Worm
- Similiar to a virus but it replicates itself across a network without user actiion
- It doesnt need a host file in order to operate
- Worms will replicate themselves across networks, creating havoc
- Rootkit
- a software package that gets installed on a system, giving the attacker privileged access to the system
- most often, the attacker attempts to hide the rootkit from the administrator
- Logic bomb.
- A virus that, after getting installed on a system, waits for a specific event to occur before activating its payload.
- The application carrying the logic bomb will function normally until the trigger even occurs
- Often, logic bombs are triggered by date and time
- Ransomware
- A virus package that takes over an infected system for the purpose of etorting moneys.
- often, the virus will encrypt all the files and folders on the infected system--effectively locking ouit the end user.
- botnets
- a collection of infected systems(zombie nodes) under the control of the attacker. The zombies are used to perform other attacks
- The zomvie controller will often rent out the use of the botnet for other attackers to use
- Adware
- A software package designed to automatically load advertisements on a system--usually in the for of popup windows
- The goal is to entice users to purchase something, the result is usually just annoyance and pooy system performance
- Spyware
- Malicious code that collects information about the system and may change some settings
- may be programmed to send the collected information to an attacker at specific times.
- maybe prograkmmed top save the collected information until the attackers performs another action.
- Polymorphic
- a virus package that self mutates in order to avoid detection.
- allows the virus to avoid signature based malware detection
- Armored virus
- a virus package that attempts to harden iteself against defensive actions, making it difficulkt to be decompiled
- anti virus vectors often decompile viruses when developing counter measures
- Backdoor access.
- When creating applications, developers often create backdoors into the programs. Backdoors are a means of accessing and application or service, while bypassing the normal authentication process.
- in most cases the application is listening on a specific port for a request for access
- Malicious employees
- Malicious empoloyees are difficult to defend againsts, as the threat is already inside the networks.
- Resources must be granted in order for employees to do their jobs
- One of the best defenses is using the principle of least privilege
- only granting the least amount of authorication that is required for people to get their work done
- Privilege escalation
- attempting to raise a users account privileges to an adminstrative level—giving access to almost everything.
- Social engineering
- The process of using social pressure to cause somebody to compromise a system from inside the defenses of the network.
- The pressure can be applied in multiple forms: by phone, in person, via email. Through a rogue website, or by other methods
- ARP cache poisoning
- The arp cache, which maps IP addresses to mac addresses is corrupted by an attacker with the end result being that the attacker has control of which IP addresses are associated with mac addresses
- commonly using in man in the middle attacks.
- Client side attack.
- And attack on a system through vulnerabilities that may be present within software on a client system.
- Attacks often originate from internet applications or messaing applications.
- Replay attacks.
- an attack that uses a packet sniffer to capture network session data
- the attacker then re submits the captured packets in an effort to gain access to the network.
-Transitive access attack
- The attacker attempts to get a user to click on a hyperlink to an MS Windows shared folder.
- If the user clicks on the hyperlink, the users system is forced to send the user account credemtials allowing the attacker to attempt to get access to valid credentials.
- Man in the middle ATTACK
- The attacker is not necessarily inside the network per se, but is in between two ferns
- Spoofing
- an attacker attempts to gain access to gain access to network resources by having his or her system masquerade as a trusted system
- this is achieved by modifying either the IP address or the MAC address of the attacking system
- Spam
- Unsolicited bulk email (UBE), junk email that attempts to entice a person into buying a product or service
- While in most cases the receiving of spam isnt a security threat, it is a waste of resources—which is considered a security issue
- SPIM
- an attacker harvests instant message IM Ids and then attempts to entice the end user to click on a hyperlink that is included in an IM
- Often used as the first step in another type of attack.
- DNS poisoning
- The attacker changes the DNS records for a specific website in order to redirect traffic to a malicious website
- The change in record can either be on the local dns apparatus or it may occur at a higher level
- Typosquatting
- the attacker sets up malicious websites using common misspelling of legitimate URL names
- Watering hole attack
- the attacker compromises a legitimate trusted website
- as users visit the trusted site, malicious code is executed.
- DoS threats
- covers a very broiad category of threats to networks and systems
- any threat that can potentially keep users or customers from using network resources as designed can be considered a type of DoS threat
- Permanent DoS attack
- an attempt to permanently deny a network resource for othersl it can be done by physically destroying a resource or by damaging the underlying operating system
- traditional DoS attack
- an attempt to flood a network with enough traffic to bring it down---commonly used with malformed ICMP requests
- Distributed DoS DdoS
- a DoS attack in which more than a single system is involved in sneding the attack, a botnet is often used to implement the attack
- Smurf attack or smurfing
- a network is flooded with ICMP requests in which the source address for th requests appears to be that of the intended targest.
Sniffer and password attacks.
- Quite often, an attacker will use a sniffer type attack in order to determine what type of attack to use on a network.
Sniffer attacks use specialized software to examine the network for vulnerabilities. That software may conduct a port scan—looking for either open or vulnerable ports that can be exploited. Or, the software may be used to examine network packets in order to determine what applications, protocols, and services are in use on the network.
A common port scanning attack is the XMAS scan. With the XMAS scan, each packet sent by the scanner has three of the six possible flags set in order to keep the sdcan from being discovered.
Unfortuanately, end user passwords often present an attacker with an easy entry into the network.
Even when network administrators try to create a strong passwod policy, end users often attempt to create easy to remember passwords, Usually, if the password is easy to remember, it is easy to crack.
Types of password attacks
- dictionary attack: the attacker uses a specialized software that contains a list of the most popular usernames and a list of all the words in a language
- the program runs through all of the possible combinations in an attempt to find one that works
- Brute force attack: an attackeruses a password cracking application that mathematically calculates every possinle password combination
- Rainbow table may speed up the process. It contains a list of all the possible characters and combinations that can be used to create a password
- Hybrid attack: uses a combination of the dictionary attack and the brute force attack
- Birthday attack: an attempt to duplicate a hashed value that is used to authenticate a user or system.
-Social engineering
- Phishing attack.
- The hacker typically casts out a broad net of emails that appear to be from a trusted source that requests that the user click on a hyper link
- Pharming attack
- the attacker uses DNS poisoning to rediurect traffic from legitimate sites to a different or malicious site
- Vishing using the telephone to perform a phising attack
- The attacker impersonates a trusted source.
What makes social engineering so effective
The largest vulnerability in any system tends to be the humans
Hackers know this because they are also humans. So they target the other humans that are like them.
The end
- Reasons for effectiveness
- Authority: the hacker impersonates and authority figure, the victom believes that he or she must comply with the authority
- intimidation: the attacker uses a message that intimidates the victim; due to fear, the viuctim succumbs to the pressures
- Consensus/Social proof: the hacker presents some known fact as proof that he or she is telling the truth; the victim ends up trusting the attacker based on the social proof
- scarcity: the attacker persuades the victim that what is neing offered is highly valued due to its scarcity.
- urgency: the hacker imparts a sense of situational urgency, the victim feels like he or she needs to act now
- Familiarity/liking: the attacker either uses a friendly tone or inserts herself/himself into the workplacel the victims tend to like the attacker or feel that they can trust the atacker.
- Trust: the hacker exploits our human nature to trust—either by appearing to need the victims help, or by offering to help the victim
- impersonation
- many social engineering attacks begin with the hacker using impersonation-- the act of pretending to be somebody else.
- phishing
- the hacker typically casts out a broad net of emails that appear to be from a tust source requesting that users click on a hyperlink.
- the phishing attack may emply the principles of authority and urgency in order to get the victim to respond
- Whaling
- very similar to a phishing attack, however, instead of casting a wide net in order to get a few responses, the hacker targets a whale or big fish—somebody with a lot to lose
- Vishing
- A phishing attack that is conducted over the telephone
- Hoax
- Emplys to principle of consesus/social proof in order to get the victim to perform an action.
- Shoulder surfing
- a type of engineering attack that relies upon the hacker being able to see the victims screen or keyboard
- Dumpster diving
- the attacker goes through the trash of a person or organization in an effort to discover sensitive information
- Tailgating
- a social engineering attack that is usually used to bypass physical security.
---
Common types of wireless attacks
By their nature, wireless networks tend to be more vulnerable than wired networks.
The best security for any network is for an attacker to not even realize that there is a network to be hacked. Since wireless networks depend upond transmitting data over public radio frequencies.
- war driving / war chalking
- the practice of attempting to sniff out unprotected or minimally protected wireless networks.
- Rogue access point attack
- An unauthorized wireless access point (WAP) that gets unstalled on the network
- the biggest culprit are end usersl they often install their own WAPs for convenience and don’t properly secure them, opening a vulnerability in the network.
- Jamming attack
- all wireless networks use radio frequency channels to transmit data on the network. It is possible to create enough interfence on the RF channel that it is no longer usable on the network.
- Evil twin attack
- A type of rogue access point attack.
- A wap is installed and configured with a service set identifier SSID that is very similar to the authorized version.
- as users access the twin, their keystrokes are captures in the hope of gaining sensitive information.
–-
Application attacks
Often the hackers goal when attacking an application is to create the ability to execute arbitrary code remotely.
Arbitrary in this sense, refers to the fact that the application was not designed to execute the code. If the attack can gain this ability, the code will often be executed at an administrative account level.
- Divulging weaknesses in some applications.
- Cookie
- Text file that web developers use to store information about users.
- if captured the cookies may reveal sensitive information about either the user or the website, which can lead to an exploit.
- Flas cookie/Locally shared object(LSO)
- a method that adobe flash programmer use to store information on a users computer.
- LSOs can be used to track a users internet activity
- Attachment
- A file attachment is a document or application that is attached to an email message
- it is commonly used threat vector used to deliver malicious applications.
- malicious addon
- an addon that is installed into browsers to allow for additional features.
- what you don’t know is that it is malicious and wants to hurt you
- Header manipulation
- Hackers can modify the header data of an application in order to change how the application functions.
Session hijacking usuually combines both a network and an application attack
with session hijacking, the hacker wiats until a communication channel has been opened between atleast two parties and then disconnects one of the parties and inserts herself/himself into the communication channel
---
Network security enhancement techniques
If properly setup and reviewed, log files are an effective tool in helping to ensure the security of any networked system.
Log files tend to generate a lot of information. Unfortunately, all to often, they are not reviewed until after a security incident has occurred. By carefully establishing the paramters that will be logged, and properly training personnel on how to review the logs, security can be enhanced.
- Monitoring system logs.
- Event log
- Audit log
- Security log
- Access log
- Hardening individual systems
- security personnel should strive to harden all systems against attacks
- disable unnecessary services
- disable unnecessary user accounts
- protect management interfaces and applications
- use password protection on all critical systems.
- Emply network security measures.
- Security peronnel should strive to harden all networks against attacks.
- implement MAC limitations and filtering on switch and router interfaces
- Disable all unused switch and router interfaces
- Whenever possible, use strong authentication protocols
- consuct periodic site surveys, both wireless and wired, to detect and remove rogue systems
- Establish a security posture.
- An initial baseline of the security configuration must be created and reviewed on a periodic basis. All systems brought online must meet or exceed the initial security baseline,
- Continuous security monitoring should be conducted to ensure that all systems continue to meet or exceed the baselines that have been established
- As new vulnerabilities become known, they must be removed and the security baseline updated.
Detection controls vs Prevention controls.
Along with log files, there are other reporting methods that can be used to enhance the security of both a network and a facility.
Alarms should be placed on all access points to critical areas of the facility, including unmanned fireexits, server rooms, and network equipment rooms.
Alerts should always be enabled for both authorized and unauthorized humans
Should use graphs when reviewing monitor logs.
- IDS (intrusion detection system) vs IPS
- An IDS is a pssive system that is designed to detect unauthorized system intrusions or attacks.
- an IDS is an active system
- Camera vs Guard
- Camera are a passive system that can be used to detect when an intrusion or security has occurred at a facility
Types of security assessments
Security assessments are a necessity, but they will not do any good if the results are misinterpreted
It is vital that the personnel conducting the security assessments understand how to do them properly or the results may not be accurate. This could lead to an unknown weakness in the security of an organization.
Just as important as using the proper tools, is properly interpreting the results. A mistinterpretation of the results can lead to an incorrect conclusion on the security posture of the organization.
Assessment types
- Risk assessments or risk analysis: identifying all the risks to all assets within an organization and fermining how those threats will be treated.
- Threat assessments: identifying the individual threats to individual assets within an organization. They are conducted as part of the risk assessment process.
- Vulnerability assessments: the process of identifying any weaknesses that may be present in the configuration of computing systems, network appliances, and networks.
Assessment techniques.
- Baseline reporting: using a baseline—how the system operates under normal conditions—after an incident has occurred to help determine what may be causing system issues.
- Code review: having a security tester review and analyze application code developed by in house programmers before deploying an application
- Attack surface review: having a security expert review all of the software and services that are running on any system.
- Architecture review: a review of the underlying structure to ensure that all applications and services operate in the correct manner
- Design review: a careful review of systems and solutions from a security point of view.
Assessment tools
- Protocol analyzer(packet sniffer) (wireshark)
- A tool that will passively collect information that is traversing the network. It can be used to determine what systems and processess are in operation.
- Port scanner. (nmap)
- A tool that will actively scan the network for the status of ports
- Vulnerability scanner. (nessus)
- A tool that is similar to the port scanner, but is actively searching the system for known vulnerabilities.
- Banner grabbing.
- often used in conjunction with a port scan or vulnerab ility scan type of assessment.
- when used with either the port or vulnerability scan, it will return what software is operating on the port.
- Honeypots and honeynets
- A computing system or network established wit the sole purpose of attracting any hackers who breach the network.
- They have a high level of auditing in place in order to help determine how the hacker entered the system and any actions that the hacker engaged in while in the system.
Some assessment tools are passive and some are active. It is important to know which are which.
Passive assessment tools are used to collect information on the network but do not actually attempt to exploit any weaknesses. Active assessment tools do the same thing, but then probe the vulnerabilities to actively determine if they can be exploited.
**Using an active assessment tool without explicit permission from the organization being examind can lead to being prosecuted. Active assessments are a form of hacking.**
--–
Vulnerability scanning and penetration testing
vulnerability scanning is usually conducted using specialized applications in an effort to find weaknesses in a network.
It is usually conducted using protocol analyzers and port scanners. These applications can be used to determine which protocols and services are being used on a network. Protocol analyzers can also be used to determine which ports are open on a network. This information can be used by security experts to help harden the network against attacks.
Vulnerability scanniung does not attempt to exploit any weaknesses that are found. It only identifies them for the security personnel.
- Vulnerability scanning(nmap)
- The purpose is to assess the configuration of systems and networks to determine what can be done to increase the level of security.
- this is done passively by collecting information and reporting on the information collected in a non-intrusive manner.
- The scan can help to identify different issues.
- lack of security controls.
- common misconfigurations
- other vulnerabilities.
- Two different types of vulnerability scans should be conducted.
- As an authorized user—a credtialed scan should be conducted from an administrative account
- A false positive may be reported by vulnerability scan.
Penetration testing or pen testing is actively seeking to find vulnerabilities in networks and systems that can be exploited.
Once weakness is found, the pen tester then attempts to exploit the vulnerability. Many organizations use pen testing as a means of increasing the security of their organiuzationsl however, hackers also use pen testing as a means of finding networks and systems that they can exploit.
As a result every security expert must be sure to receive explocit authorization to perform pen testing before beginning the test. If such authorization is not obtained, a security expert could face dire consequences. Un authorized pen testing is illegal-- it is a form of hacking.
- Penetration testing (pen testing).
- the purpose is to assess the security of a system or network by actually using the same methods that a hacker would use to breach security.
- the test can be used to verify that a threat exists.
- the test seeks to actively test and bypass any security controls that may be present.
- it is designed to exploit any vulnerabilities that may be present on the system or network
- unauthorized pen testing may lead to legal issues
Levels of testing.
IT is vital that, when security tests are conducted on systems and networks, the testing be conducted at a variety of levels.
The first level of security testing should be done at the white box level. White box testing is when the person conducting the test has exact details of the system or network; the tester has intimate knowledge of what is present and how it is configured.
The next level of security testing is done at the gray box level. With gray box testing, the tester has an intermediate knowledge of how the system or network is configured.
The final level of security testing is done at the black box level. With black box testingm the tester is given no prior knowledge of the configuration or what is present.
–--
Secure coding concepts.
Hackers will often focus on applications when they are attempting to breach network security
Because of this, application developers need to focus on security controls at the beginning. An application designed with security in mind is much easier to defend than an application that doesn’t use sech methods.
- Error handling
- thoroughly testing an application during the development process will catch most errors.
- the developer should put processes in place that trap all run time errors before such an error crashes the application.
- Exception handling
- A more advanced method of error handling.
- Exception handling code will use a try/catch block-- try this/ catch that error if it occurs.
- a major cause of runtime errors and other security issues in applications is users inputting invalid data into the application.
Secure coding requires that input validation be done before that data is actually placed into the application. Input validation is when the user supplied data is examined against a set of rules that outline what type of data the application is expecting
one method of testing input validation rules is to use fuzzing. During testing pohase of the app the developer will input invalid or random data into the input fields to test the rules.
Other security controls techniques and concepts
- Client side and server side validation.
- Initial validation should occur on the client before it is sent to the application on the server.
- Additional input validation should occur at the server before the input is passed onto the application.
- Cross-site scripting (XSS) prevention.
- XSS occurs when a hacker inserts script code into a form on a website so that when other users access the form the script is executed.
- Proper input validation of data is usually an effective means of preventing XSS from occuring.
- Cross-site request forgery(XSRF) prevention
- XSRF is when a user is automatically directed to a linked Web page and logged in using data supplied by a cookie from the original page—when this what not the web developers intent.
- Application configuration baseline.
- The initial setting up of an application should be done with security in mind
- The baseline should be as secure as possible
- Application hardening.
- Disabling all features and functions that users should not be allowed to use.
- Application patch management.
- New exploits and threats against applications are created all the time, requiring that applications be updated on a regular basis.
- SQL vs NoSQL databases.
- SQL databases are the most common relational database management system used today
- NoSQL databases are designed to store and retrive large amounts of data—big data.
---
mobile security concepts and technologies.
Since the introduction of the mobile device, loss and theft have been a large concern
Just about everyone has either lost a mobile device or had one stolen. In the early years, the major concern was that a cell phone was going to be used to call some foreign country or toll number and the owner would get stuck with a large bill.
Now – with the rise in popularity of smartphones and tablets and the greater portability of data – much more may be at stake.
Mobile device security ( best practices )
- Screen locks
- Lockout settings
- GPS
- Remote wiping.
- full device encryption
- Disable unused features
- removable storage
- application controls(permissions)
- storage segmentation
- inventory control
- mobile device management
- device access control.
mobile application security
- Encryption
- Ensure that the mobile application is encrypting sensitive data that is stored on the device.
- credentials management
- security credentials used by applications must be implemented in a secure manner, including storing the credentials in an encrypted format.
- Authentication
- A best practice is for the mobile application to authenticate the user and to base access to data on the users authentication level
- GEOtagging
- some mobile applications store geographical information when they are used. A determintaion must be made as to whether or not to allow it.
- geotagging may present a privacy concern
- Application whitelisting.
- Some mobile applications allow for whitelisting—a list of allowed applications that can access features in the original application.
- any white listing capabilities should be managed
- Transitive trust/authentication.
- An application will trust an unknown security environment if it is trusted by a security environment that the application trusts.
- For example, app I trusts environment L. ENV L trusts ENV T, therefore app I trusts ENV T
-------
Solutions used to establish host security
Hardening physicial hosts
The individual hosts on a network are the target of hackers. It is the resources that they contain that the attackers are after.
Basic hardening methods (host)
- OS hardening: remove or disable any unnecessary features and services to reduce the OS’s attack surface.
- OS security settings: review all security settings available in the OS and enable as many of them as make sense to help harden the OS
- Anti Malware: install to protect against common attacks.
- Patch management: ensure that the OS is kept up to date with current security patches supplied by the manufacturer.
- use trusted OS
- whitelist applications: only applications that are specifically designated in the white list are allowed to run.
- blacklist applications: explicitly deny named applications from being ran on the host
- host based firewalls: using host based firewalls to control what network traffic can be allowed into or out of the host
- Host based intrusion detection system (HIDs): implemented to monitor the host to help detect when an intrusion has occurred to help minimize any damages
- Host software baselining: baselining software can be used to ensure that all Oss and applications on a host meet or exceed the minimum level of security that is required.
Hardening physical hosts
Physical security controls can be overlooked when implementing host hardening methods.
If an attacker has enfettered physical access to a host, it will not matter how much hardening has been done to the host system. If nothing else, the attacker can just walk away with the asset in order to breach it at his or hers home.
Virtual host hardening.
- Snapshot: an image of the virtual host created at a point in time when that host is secure.
- Patch management: some considerations as with physical hosts.
- Host availability: high availability methods, should be used to ensure that virtual host systems are available to users as needed, removing single points of failure.
- Security control testing: separate security testing should be conducted on virtual systems to ensure that they operate as expected.
- Sandboxing: when high security is needed, a sandboxed environment can be created.
----
Controls to ensure data security
data breach = bad
- Data encryption
- Whenever possible, data should be maintained in an encrypted format.
- Full disk encryption: all of the contents of storage drive are encrypoted.
- Database encryption: sensitive information contained in databases should always be kept in an encrypted format
- Individual encryption: encrypting all sensitive files.
- Removable media encryption: when data is allowed onto removable media, controls should be put in place that ensure thjat it is always encrypted on that media
- mobile device encryption: because of their nature, all mobile devices that are allowed to contain organizational data should also implement device encryption.
- Hardware based encryption.
- in most cases, hardware based encryption will outperform software based encryption solutions—as the chipset in the device is optimized to perform the necessary algorithmic calculation.
- TPM(trusted platform module): a specialized chip is used on the motherboard to contain the cryptographic keys and perform the encryption
- HSM(harware security module): a specialized add on card is installed into the system to perform the harware encryption
- USB and portable hard drive encryption: when data is allowed onto portable media, only devices that support encryption should be used.
- File and folder permissions.
- A method of specifying who can access files and folders and what manipulations can be performed on the data once it has been accessed.
- Permissions are usually established through the use of a type of ACL (access control list)
- Data policies
- Policies should be put in place that outline the technological controls that detail how data should be handled. The policies should outline at least the following controls:
- Storage: controls put in place that determine where and how data may be stored
- Retention: controls put in place that determine specifically how long data must be kept and maintained and when data must be disposed of.
- Disposal: controls put in place that specify how data must be disposed of; the controls cover both physical and electronic data
- Wiping: controls put in place that specify how data on devices that are no longer in use or are going to be repurposed must be handled.
- the storage area network situation (SAN) :
- many organizations will utilize SAN method of storing and accessing data.
- as most SANs reside on their own networks, controls must be put in place to ensure the security of the communication channel and keep data secure.
- Cloud storage situation
- Cloud storage is another situation where special controls must be put in place to keep(think PII) data secure.
- Big data system situation.
- Big data storage and transmission methods should have specific controls in place to ensure that communication channels are secure and that sensitive data is maintained in a secure manner.
----
Alternative environments
- SCADA(supervisory control and data acquisition):
- a type of industrial control system(ICS) that is designed to control large scale deployments of equipment. The controlled equipment is usually at more than one site.
- Often deployed in the energy industry—both on creation and distribution side
- SCADA tends to have a lack of security in the monitors and controller that are used to manage the system
- Physicial security components should be limited.
- Embedded systems.
- A self contained computing system that can be found within a larger system.
- Often these embedded systems lack basic security features or implement weak security
- The devices tend to utilize very basic versions of well known operating systems
- Security hardening techniques should be used to secure these devices.
- smartphones
- mobile phones are increasingly becoming an important tool in the modern workplace
- because of their portability, smartphones are subject to loss and theft.
- Game consoles.
- Most modern game consoles can be connected to networks.
- in many cases, the console must be connected to the network in or to use
- Security features for gaming consoles have been increasing.
- updates should be in place for any gaming console that is placed on a network.
- Mainframes
- High cost, powerful computing systems that contain significant processing power.
- due to their cost, mainframes are not replaced very frequently and may be using older versions of operating systems.
- In vehicle computing systems.
- Car manufacturers have been using processors in vehicles for many years.
- Modern vehicles are coming with more connected systems that may represent a challenge to security.
Risk mitigation techniques
- Segmentation.
- A network design element in which resources are separated by function and security requirements-- into their own networks.
- can be used to control communicatio and security within the network.
- Security layers.
- Placing security at different places and levels within a network will increase the security of the network as a whole.
- Application firewalls.
- Can be used to filter traffic based on what applications are allowed to operate on the network and which are not allowed to work on the network.
** focus on making the hacker cry**
- updates
- patches and system updates should be used to help keep computing enironments secure.
- Firmware version control.
- updates to firmware should be done if they will lead to an increase in security or in vital functionality
- Wrappers.
- A host based ACL that can be used in conjunction with a firewall to increase the effectiveness of security.
- found in linux and unix environments and can be used to specify how an individual host can access a specific service.
* when implementing a layered security mitigation technique, it is important to use a variety of products *
---
Auth services
- RADIUS (Remote authentication Dial in user service)
- a remote access service that is used to authenticate remote users and grant them access to authorized network resources.
- TACACS+ (Terminal access controller access control system plus)
- A remote access service that is used to authenticate remote devices and grant them access to authorized networks.
- Kerberos
- authentication protocol, which uses TCP or UDP port 88
- A system of authentication and authorization that works will in environments that have a lot of clients.
- The key distribution center (KDC) is the main component
- The KDC has two parts—the authentication server (AS) and the ticket granting service (TGS)
- when a user logs in, a hash of his or her username and password is sent to AS; if the AS likes the hash, it responds wit a ticket granting ticket (TGT) and a timestamp
- the client sends the TGT with tmiestamp to the TGS
- the TGS responds with a service ticket
- The TGS responeds with a service ticket
- the service ticket authorizes the user to access specific resources
- as long as the TGT is still valid, the TGS will grant authorization by issuing a new service ticket.
- LDAP (lightweight directory access protocol)
- a directory service protocol that can be used to authenticate clients.
- LDAP requests are sent over TCP port 389
- Apps that are LDAP compliant will validate the client and then retrieve the requested information stored in the directory
- Secure LDAP
- encrypted version of LDAP using SSL(secure socket layer) over TCP port 636
- All communication between the client and LDAP is secure
- SAML (security assertion markup language)
- An XML standard that is used to allow systems to exchange authentication and authorization information.
Identification, authentication, and authorization.
- Common identification methods.
- Username: needs to be unique
- Personal identification verification card: usually issued by an accepted authority
- BIOmetrics
- Common identification factors.
- something you know
- something you are
- something you have
- something you do
- somewhere you are
- Multifactor authentication.
- requiring more than one of the authentication factors to be present before the authentication process can be completed.
- Single sign-on(SSO)
- Requiring the user to identify and authenticate only once to achieve access to all authorized services within a network.
- identity federation
- SSO method used in organizations with multiple networks that allows authenticated users to sign on once and receive access to authorized resources across all of the organizations networks
- Transitive trust authentication.
- The process of authenticating and entity based on that entity already being auhtenticated by a security entity that is trusted.
- HMAC (hashed based message authetication code).
- A secret key—in which both parties have the secret key—is combined with an algorithm to create the message authetication code(MAC)
- HOTP (HMAC based one time password)
- A HMAC based algorithm is used to creat a password for auth
- TOTP (time based one time password).
- An authentication process for creating passwords based on the current time.
- commonly used with security tokens that are used for two factor authetication.
- PAP (password authentication protocol)
- When logging in to a network resource, the user or device is required to supply a username and password
- the username and password are sent in clear text format, so this method is considered unsecure and should only be used as a last resort.
- CHAP(challenge handshake authentication protocol)
- When logging in to a network resource, the user or device is challenged to supply a username and secret password and it authenticate through a three way handshake process:
- the resource issues a challenge—what is the hashed value of the username and secret password?
- the users device sends the hashed value to the resource device.
- the resource evaluates the hashed value and either accepts or rejects the connection.
- Token
- utilizes TOTP to authenticate users via two factor authentication.
- Smartcard
- utilizes a card—usually credit card sized-- that has an embedded circuit and a PIN to provide two factor authentication
- Common access card (CAC)
- a type of smartcard issued by the US military that is used for identification and authentication purposes.
Authorization Concepts
- Separation of duties
- the process of taking a critical organizational task and seperating it into smaller jobs
- Principle of least privilege.
- Only granting the minimum amount of rights and responsibilities that are required for employees to perform their job.
- Time of day restrictions.
- Establishing technological controls that limit what actions may be taken based on time.
- Rule based access control (RBAC)
- the creation of rules within a system that either allow or disallow authorization to perform actions based on the rule.
- ACL (access control list)
- A type of RBAC implementation that can be used for authorization purposes—typically in the form of a list of rules.
- Role-based access control
- A process of creating authorization levels based on the role that a person fulfills within an organization.
- Discretionary access control (DAC)
- A technological control that is used to determine authorization to resources based on a specific list—the discretionary access control list (DACL)
- Mandatory access control (MAC)
- An access control model in which each individual is assigned to a clearance level
- Authorization to resources is based on the resource’s classification.
---
Cryptographic services
- Cryptography
- The process of deriving a code value from a set of data—taking a clear text message and creating a ciphertext message
- offers three basic services: encryption, hasing, and authentication
- Encryption services.
- The process of taking a clear text message and scrambling it through the user of a cipher-- an algorithmic process.
- There are different types and methods of encryption that can be used,
- Hashing service
- the process of taking a set of data and using an algorithmic process to generate a value that only the original data value can generate
- if data with the hashed value, is sent to another party, that poarty can use the same hashing algorithm on the data and compare the two hashed values
- Authentication services.
- A cryptographic method used to prove that the creators of messages are in fact who they say they are.
- Used for non repudiation purposes-the person sending the mssag, once authenticated cnanot claim that the message did not come from him or her.
- usually achieved through the use of digital signatures.
- Basic encryption methods
- stream cipher: the encryption occurs one BIT at a time.
- Block cipher: the encryption takes place on predetermined blocks of data (EG., 64-bits at a time)
- Steganography
- the process of encoding data within a graphic file
- Can be used to place an encoded message on a graphic image on a website that a recipient can retrieve and decode.
- Transportation encryption
- it may be vital that certain information flowing across public networks be kept secure during transportation process.
- these protocols have been developed to secure
- HTTPS(HTTP secure): utilizes ssl or tls
- SSL/TL:S(secure socket layer/transport layer security) used to encrypt communication channels. Usually at transport layer (Layer 4) of the OSI model
- S/MIME:(secure/multipurpose internet mail extension): used to encrypt email messages.
- IPSEC (internet protocol security): a suite of protocols that are used to authenticate users and encrypt the communication channel.
-----
Hashing
The idea behind hashing is to create a method of easily verifying the integrity of a set of data.
- Hashing concepts
- Hashing algorithms do not work on the header of a file.
- the hashed value returned is a fixed length that depends on which algorith is used
- it is theoretically possible to recreate a hashed value by running enough data through the hashing algorithm
- HMAC (high based message authetication code)
- the process of using a secret key combined with the data set to derive the hashed value.
- common algos
- MD (message digest)
- MD5: current standard used and always returns a 128-bit hashed value
- SHA (secure hash algorithm) – created by NSA
- SHA-1 is the most popular of the version of SHA and returns a 160 bit hashed value
- SHA-256 is a newer version that returns a 256 bit hashed value
- SHA-512 is also a newer version that return a 512 bit hashed value
- Crypto topics
- Key escrow
- The process of storing or giving encryption keys to a third party;
- Ephemeral key.
- a temporary key that is used to encrypt a single message within a communication channel
- Perfect forward secrecy.
- A process that generates a random public key(ephemeral key) for each session, so that the private key exchange can be kept secure.
- Digital signature.
- created to digitally sign messages in order to prove the integrity of the sender.
- Elliptic curve.
- A newer asymmetrical encryption algorithm that employs diffie Hellman for the exchange of keys and the digital signature algortihm (DSA) for the digital signature
- Quantum Cryptography.
- Encryption standard that is used with fiber optic communication to determine if the message has been intercepted.
- Relies upon the fact that any interaction with the photons in transit will cause the state of the photons to change.
---
Cipher suites
A cipher suite is when a group of cryptographic solutions are combined to provide user authentication, encryption, and message authentication solutions.
- PAP (password authentication protocol)
- An authentication protocol that does not use any cryptographic methods to ensure the integrity of the message.
- CHAP (challenge handshake authentication protocol)
- A cryptographic authentication protocol used to authenticate remote clients based on hashed values.
- CHAP is considered to be a type of HMAC (hash based message authentication code).
- RIPEMD (RACE integrity primitives evaluation message digest)
- A cryptographic hashing algorithm developed as an open source solution
- When implemented, the most common version is RIPEMD-160
- NTLMv2 (NT LAN manager version 2)
- A cryptographic hashing process used in windows operating systems for storing passwords in the registry as hashed values.
- replaced NTLM, which used MD4 as the hashiong algorithm for the HMAC.
- MD (message digest)
- a cryptographic hashing algorithm developed by Ron Rivest as a method of using hashed values for authentication purposes, particularly to ensure that the data that is received is the data that was sent.
- MD5 is the most popular version and always generates a 128-bit hashed value
- While still in use, MD5 has been proven to be a broken cryptographic solution and should not be used for mission critical security needs
- SHA (secure hash algorithm)
- A cryptographic hashing algorithm developed by the NSA (national security agency) as a method of using hashed values for authenticating data-- to ensure the datas integrity
- SHA-1 is the most popular version and always generates a 160 bit hashed value
- in theory, SHA-1 has been broken(the thoeretical weaknesses have yet to be proven) and most US government agencies now require the use of SHA-2—an improved version of the original SHA family of hashing algorithms.
-----
Key stretching
the greatest vulnerability in any cryptographic implementation tends to be in the security key that is used in the process.
- In many cases the security key is either a password or passphrase that is used in the cryptographic process. Both passwords and passphrases-- when used on their own-- are suceptible to brute force type attacks, leading to a weakness in the cryptography.
The solution to this is to use a process called key stretching to harden the keys against these attacks. With key stretching, the password or passphrase is processed by and algorith to stengthen the password by increasing the complexity of the key. Two popular algorithms used for key stretching are bcrypt and PBKDF2(password based key derivation function 2)
- One time pad (OTP)
- A symmetrical cryptographic encryption method in which a random security key is used to encrypt a message only one time
- it is particularly resistant to hacking, as the key will change with every message that is sent
- when the random key used is the same length as the message, it is even more difficult to break.
- DES (data encryption standard)
- A symmetrical cryptographic encryption standard developed by the US government
- it is a block cipher that utilizes 56 bit encryption algorithm, it is not considered secure.
- 3 DES (Triple DES)
- An improvement on DES that utilizes three separate 56 bit encryption keys to create a 108 bit encryption method.
- RC (Rivest cipher)
- A fmaily of symmetrical cryptographic encryption methods developed by Ronald Rivest
- RC4 is a stream cipher ised by other cryptographic solutions including SSL, it is considered to be weak encryption standard.
- RC5 is a block cipher algorithm that is much more secure than RC4
- Blowfish
- A symmetrical cryptographic encryption method developed by Bruce Schneier as a replacement for the weaker DES standard
- Utilizes a variable encryption bit length—can offer anywhere from single bit encryption to 448 bit encryption
- Twofish
- a symmetrical cryptographic encruption method developed by Bruce Schneier based on the development of Blowfish
- utilizes 128-bit encryption
- AES (advanced encryption standard)
- A symmetrical cryptographic encryption method developed on behalf of the national institute of Standard and technology NIST, an agency of the US government.
- It is a block cipher encryption method in which the block size is always 128 bits, but the key used for the encryption can be 128 bits, 192 bits , or 256 bits
- AES has been adopted worldwide as an acceptable level of encryption and performance.
- RSA (Rivest Shamir Adleman)
- an asymmetrical cryptographic encryption method that is named after the developers
- IT is the first widely used encryption standard to employ the use of public and private security keys.
- An entity’s public key can be used by anyone to encrypt messages
- Only the entity’s private key can be used to decrypt messages encrypted by the public key
- PGP (pretty good privacy)
- An asymmetrical cryptographic encryption method that can be used to generate security keys and to publish the public security keys in a secure manner.
- Allows for the secure use of email between two endpoints with minimal effort
- GPG is a GNU systems implementation of PGP
---
Public key infrastructure
- Asymmetric encryption
- in asymmetric encryption, two separate cryptographic keys are used to encrypt data, the two keys are mathematically linked through special algorithms.
- One key can encrypt the data, the other key is then used to decrypt the data
- if the parties in the communication are note closely associated with each other an issue arises on how to exchange security keys
- Requires more computing resources than symmetric encrpytion methods
- Solution to the overhead issue
- Often, an asymmetric encryption session is used to establish a trust relationship between two entities—verification that the parties are who they say they are.
- once verification has taken place the parties then agree upon a secret key that can be used with an agreed upon symmetrical encryption standard—thus reducing the computing overhead required for communication.
Asymmetrical encryption revolves around a public key infrastructure (PKI)
PKI is a process that is used to generate and manage the two security keys that are necessary for asymmetric encryption. With PKI, two keys are created—a public key and a private key.
The public key is made known and is readily associated with a specific entity. That same entity is responsible for maintaining the security and integrity of the private key. Messages encrypted with the public key can only be decrypted with the private key, thus ensuring the security of any message. PKI is established with the assistance of a certificate authority (CA)
------------------------------
cert auth and digital cert
- Public CA
- A third party entity that is in the business of issuing the digital certificates that are used with PKI
- useful when there is not an existing trust relationship between two parties that require the use of asymmetrical encryption
- many applications automatically trust certificates issued by public Cas (eg., VeriSign or GoDaddy etc)
- Has the power to revoke an entitys digital certificate
- Private CA
- The process used when an organization creates its own PKI
- the Organization self signs its own digital certificates that are used to support asymmetrical encryption
- an advantage to the private CA is that the organization doesn’t need to pay for each individual certificate.
- a disadvantage to the private CA is that it may be difficult to get other organizations to accept the self signed certificate.
- Levels of certificate authorities
- the PKI model requires that there be a hierarchal structure to the Cas
- The first CA to be installed in PKI is the root CA
- the root CA issues digital certificates to all other Cas—which are called subordinate Cas—that are installed in the PKI model.
- By default, the root CA must self sign its own certificate.
- Digital certificate.
- an electronic file that is used to store the public key of the entity that the certificate is issued to.
- It is bound to and uniquely identifies the entity that it is issued to, which eases the asymmetrical encryption process used by PKI.
- Components of digital certificates.
- Public key: the public key encryption key of the entity that the certificate was issued to.
- Serial number: a unique number assigned to the certificate to help identify it.
- Algorithm: the asymmetrical algorithm used by the certificate
- Subject: the entity that was issued by the certificate
- Issuer: the entity that issued the certificate.
- Valid from: the start date of the certificate.
- Valid to: the end date of the certificate.
- Thumbprint algorithm: the hash algorith to use when verifying the integrity of the certificate.
- Thumbprint: the actual hashed value of the certificate.
---
- Main responsibilities of a certificate authority(CA)
- Issue the digital certificates that are used when implemeneting a public key infrastructure PKI solution.
- requires that the CA review information supplied by the client making the request.
- the requester begins that process by providing the CA with a certificate signing request (CSR)
- Revoke digital certificates that the CA has issued in the case of fraud
- Create maintain and publish a list of revoked digital certificates to help ensure that the PKI process remains trusted.
- One method of achieving this is through a certificate revocation list (CRL), which is periodically published to the CA’s website
- Another method of achieving this is through the use of Online Certificate Status Protocol (OCSP). OCSP is a protocol that uses HTTP to verify the status of a certificate directly with the CA that has issued the certificate.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment