Security+ Slides

Description: For anyone wanting to take Sec+

CompTIA Security+ Training

CompTIA Security+ Training Instructor: Lisa Szpunar

Getting Started with CompTIA Security+ Training

CompTIA Security+ Training

Getting Started with CompTIA Security+ Training

In This Lesson:

About Your Instructor

About This Course


CompTIA Security+ Training

Getting Started with CompTIA Security+ Training

• Master's degree in computer science

–Specialization in systems design and analysis and security

• Certifications

–CompTIA Security+ SY0-201 and SY0-301

–MCTS

About Your Instructor

Lisa Szpunar

CompTIA Security+ Training

Getting Started with CompTIA Security+ Training

• Suitable for someone who has passed the CompTIA Network+ certification or who has equivalent knowledge

• Covers 100% of the CompTIA Security+ SY0-301 objectives

• Lessons are best watched in order

• Lesson layout

1. Overview of what will be covered in the lesson

2. Lesson content

3. Vocabulary list of new terminology introduced in that lesson

4. A quick review of what was covered in the lesson

About This Course

CompTIA Security+ Training

Getting Started with CompTIA Security+ Training

• You will learn about:

–The fundamentals of IT security

–How to analyze the threats you will be up against

–Topics to educate employees and users about

–Helping to integrate security with business needs

–So much more!

About This Course


About This Course

Getting Started with CompTIA Security+ Training

Introduction to IT Security

Types of Attacks

Malware Prevention and Cleanup

Network Device Security

Secure Network Administration

Secure Network Design

TCP/IP Protocols and Port Security

About This Course

Attacks on Wireless Networks

Securing Wireless Networks

Host Security

Securing Applications

Data Security

Authentication, Authorization, and Access Control

Physical and Environmental Security

Authentication Services

User Account Management

About This Course

Risk Management

Threat and Vulnerability Assessment and Detection

Risk Mitigation and Deterrence

Log Monitoring and Reporting

Business Continuity

Disaster Recovery Planning

Incident Response

User Education

Social Engineering


About This Course

Cryptography Concepts

Cryptography Tools

Public Key Infrastructure (PKI) Concepts

PKI Implementation

Preparing for your CompTIA Security + SY0-301 Certification Exam

Next Steps


CompTIA Security+ Training Instructor: Lisa Szpunar

Introduction to IT Security

CompTIA Security+ Training

Introduction to IT Security

In This Lesson:

What is IT Security?

Key Terms You Should Know

Confidentiality

Integrity

Availability

Authentication

Authorization

Accounting

Exam Objective:

2.8 Exemplify the concepts of confidentiality, integrity and availability

CompTIA Security+ Training

Introduction to IT Security

• Precautions taken to guard against incidents

–Attacks

–Mischievous behavior

–Human error

• Physical devices, software, configurations, policies, and user education

• Prevent, detect, and recover from an incident

• Keeps data safe from unauthorized access, modification, or destruction during storage and transmission

• Must use a multifaceted approach – security in layers

What is IT Security?


CompTIA Security+ Training

Introduction to IT Security

Key Terms You Should Know

Term Definition

Assets Any type of data or device that helps to support your information systems

Attacker An entity that is attempting to gain unauthorized access or do harm to a system or information

Mitigation Any method used to lower the likelihood or impact of a threat

Non-Repudiation Prevents a party from denying involvement in a transaction after it has taken place; can also prove that the transaction completed and that the intended party received the data

CompTIA Security+ Training

Introduction to IT Security

Key Terms You Should Know

Term Definition

Vulnerability Any sort of weakness in a system that can be exploited. This can include software bugs, human errors, or a bad configuration

Threat Any potential person, action, or circumstance with the ability to cause damage to a system

Risk The likelihood that a vulnerability will be exploited by a threat, combined with the impact if it is

Exploit The actual action that compromises the security or integrity of a system or information

The Information Security Triad – CIA (protects data and services)

Confidentiality: Protects data and communications from being seen by unauthorized people

Integrity: Data should not be able to be modified without the modification being detected

Availability: What good is a service if it’s not up and running? Data and services must be reachable when they are needed

The AAA Protocol (Authentication, Authorization, Accounting)

Authentication

The process of determining a person’s or system’s identity, usually by having them present evidence that they are who they claim to be.

Authorization

Determines whether the authenticated person or object is permitted to perform an activity or access a resource.

Accounting

All access to resources (and failed access attempts) is recorded for later review.
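The three AAA steps as one worked example, added here and not part of the original slides: a password check (authentication), a role-to-permission lookup that follows least privilege (authorization), and an audit trail that records failures as well as successes (accounting). The user records, role names and permission strings are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed user store for the example: salted PBKDF2 password hashes plus role assignments.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "roles": {"analyst"}},
    "bob":   {"salt": _SALT, "hash": _hash("hunter2", _SALT),       "roles": {"admin"}},
}
# Least privilege: each role carries only the permissions it needs (assumed roles and names).
ROLE_PERMS = {"analyst": {"read:logs"}, "admin": {"read:logs", "write:config"}}
_DUMMY = _hash("", _SALT)   # compared against when the user does not exist

AUDIT_LOG = []              # accounting: every attempt, successful or not, ends up here

def account(event: str, user: str, **details) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user, **details})

def authenticate(user: str, password: str) -> bool:
    """Authentication: the caller proves identity with something only the real user knows."""
    rec = USERS.get(user)
    # Always do the hash and the constant-time compare, even for unknown users,
    # so response time does not reveal which usernames are valid.
    salt = rec["salt"] if rec else _SALT
    expected = rec["hash"] if rec else _DUMMY
    ok = hmac.compare_digest(_hash(password, salt), expected) and rec is not None
    account("auth.success" if ok else "auth.failure", user)
    return ok

def authorize(user: str, perm: str) -> bool:
    """Authorization: is this (already authenticated) user allowed to do this?"""
    roles = USERS.get(user, {}).get("roles", set())
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in roles))
    ok = perm in perms
    account("authz.allow" if ok else "authz.deny", user, perm=perm)
    return ok

def access_resource(user: str, password: str, perm: str) -> str:
    """Run the three steps in order; a failure at any step is recorded and stops the request."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, perm):
        return "denied: not authorized"
    account("access", user, perm=perm)
    return f"ok: {user} performed {perm}"
```

Note that the failed attempts land in AUDIT_LOG just like the successes; an accounting record that only captures what was allowed is of little use when reconstructing a brute-force or privilege-probing attempt afterwards.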

CompTIA Security+ Training

Introduction to IT Security

What We Covered

What is IT Security?

Key Terms You Should Know

Confidentiality

Integrity

Availability

Authentication

Authorization

Accounting


CompTIA Security+ Training Instructor: Lisa Szpunar

Types of Attacks

CompTIA Security+ Training

Types of Attacks

In This Lesson:

Exam Objective:

3.2 Analyze and differentiate among types of attacks

Attacks on Data in Transit

Spoofing/Poisoning

Pharming

Man-in-the-middle

Replay

Denial of Service (DoS)

Distributed DoS

Smurf

Scanners and Sniffers

Attacks Via Email and

Other Communications

Spam

Phishing

Other Attacks

Privilege Escalation

Transitive Access

Client-side Attacks

Attacks on Data in Transit


CompTIA Security+ Training

Types of Attacks

Making data appear to have come from somewhere it did not, or to be something it is not.

Example: An attacker changes the MAC address of his wireless card to match that of a valid internal machine and uses it to gain access.

Spoofing/Poisoning

Common Spoofing Type | What is Spoofed | Result

IP Spoofing | IP source address | Data appears to have come from a trusted host

ARP Spoofing/Poisoning | MAC-to-IP mapping in hosts’ ARP caches | Traffic meant for a legitimate host (often the default gateway) is delivered to the attacker’s machine instead

DNS Spoofing/Poisoning | DNS records | Users are sent to the wrong website; email is routed to the wrong server

CompTIA Security+ Training

Types of Attacks

Take traffic intended for one destination and redirect it to another.

• Done through DNS spoofing or by changing the hosts file on the victim’s computer

• The bogus pharming site usually looks nearly identical to the legitimate site

• Tricks you into entering personal data like username and password

Example: You think you are going to a website that you frequent. The site looks fine and you enter your login information. You receive a login error even though you have given the correct credentials; the fake site has captured them.

Pharming

CompTIA Security+ Training

Types of Attacks

Two parties think they are communicating directly with each other, but the attacker actually sits between them, intercepting and controlling the communication.

• Active attack

• Attacker may simply eavesdrop or may alter data in transit

Man-in-the-Middle

Mitigation

• Strong mutual authentication

• Public Key Infrastructure (certificates bind identities to keys, so the attacker cannot quietly substitute his own)

• One-time pads

CompTIA Security+ Training

Types of Attacks

Man-in-the-Middle

(diagram: Client A <-> MITM <-> Server B)

CompTIA Security+ Training

Types of Attacks

The attacker captures information in transit and then re-sends it later.

Example: The attacker obtains a copy of logon/authentication traffic and re-sends it later to gain access to a system, without ever needing to know the password itself.

Replay

Mitigation

• One-time-use session tokens (nonces)

• Clock synchronization, so that timestamps on messages can be checked and stale messages rejected
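Both mitigations together, as an added example that is not from the original slides: each request carries a timestamp and a one-time nonce, covered by an HMAC under a shared key that is assumed for the example. The server rejects a bad signature, a timestamp outside the clock-skew window, and any nonce it has already accepted, so a captured request cannot be played back.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SHARED_KEY = b"constructed-shared-secret"   # assumption: key agreed out of band by client and server
WINDOW = 30                                  # seconds of clock skew the server tolerates

def sign(key: bytes, body: str, ts: int, nonce: str) -> str:
    # The MAC covers timestamp and nonce too, so an attacker cannot re-stamp a captured request.
    return hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()

def make_request(body: str, now: Optional[float] = None) -> dict:
    """Client side: fresh nonce and current time on every request."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"body": body, "ts": ts, "nonce": nonce, "mac": sign(SHARED_KEY, body, ts, nonce)}

class ReplayGuard:
    """Server side: check signature, then freshness window, then one-time nonce."""
    def __init__(self, window: int = WINDOW):
        self.window = window
        self.seen = {}      # nonce -> ts; only nonces inside the window need remembering

    def _prune(self, now: float) -> None:
        # Older nonces would fail the timestamp check anyway, so they can be forgotten.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def verify(self, req: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        expected = sign(SHARED_KEY, req["body"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "reject: bad signature"
        if abs(now - req["ts"]) > self.window:
            return "reject: timestamp outside window"   # this is why clocks must be synchronized
        self._prune(now)
        if req["nonce"] in self.seen:
            return "reject: replayed nonce"
        self.seen[req["nonce"]] = req["ts"]
        return "accept"
```

The timestamp bounds how long the server must remember nonces; without it the seen-nonce table would grow without limit, and without the nonce a request replayed within the window would still be accepted. The two checks only work together.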

CompTIA Security+ Training

Types of Attacks

The attacker attempts to overload resources like a web server using large amounts of data.

• DoS aims to

–Deny access to resources or information

–Crash a website or operating system

• DoS works by

–Occupying all available bandwidth and/or computing power

Denial of Service (DoS)

Mitigation (partial)

• Patch Management

• Firewall

• Intrusion Prevention System (IPS)

Symptoms

•Unusually slow network performance

•Website down


CompTIA Security+ Training

Types of Attacks

Denial of Service (DoS)

Common DoS Types

Ping of Death Sends an oversized or malformed ICMP echo request (reassembled size above the 65,535-byte IP limit) that crashes vulnerable IP stacks

Buffer Overflow Sends more data to a service than its buffer can hold, corrupting adjacent memory and crashing the service

TCP SYN Flooding Opens more half-open TCP sessions than the target can track by sending SYNs (often from spoofed sources) and never completing the handshake

CompTIA Security+ Training

Types of Attacks

Uses multiple systems to magnify the intensity of the DoS attack. The attacker uses a master system that coordinates third-party zombie nodes to participate in the DoS attack.

Distributed Denial of Service (DDoS)

CompTIA Security+ Training

Types of Attacks

An attacker sends ICMP echo requests whose source address is spoofed to be the address of the target.

These requests are sent to a network’s broadcast address so that every host on that network receives the ping.

All the hosts reply to the target host, overloading it and possibly the network along the way. (Routers should drop directed broadcasts from outside so they cannot be used as an amplifier.)

Smurf


CompTIA Security+ Training

Types of Attacks

Smurf

(diagram: spoofed ping requests to the broadcast address; ICMP ping replies from every host converge on the target)

CompTIA Security+ Training

Types of Attacks

• Network Scanner/Sniffer

–Captures and displays network traffic

–Attacker must have access to the network segment (physically or through a compromised host)

–Mitigation: Proper physical security and security policies

• Port Scanner

–Systematically queries ports to see which ones are open

–Attacker can be internal or external

–Xmas scan: sends TCP packets with the FIN, PSH, and URG flags set; it can slip past simple stateless filters that only match on SYN, and the response (or lack of one) reveals whether a port is closed

–Mitigation: Properly configure routers and employ firewalls

Scanners and Sniffers

Attacks Via Email and Other Communications


CompTIA Security+ Training

Types of Attacks

• Any unwanted or unsolicited communication

• Sent in bulk

• Normally refers to unwanted email

–Spim is spam over instant messenger

– Forums, newsgroups, text, everywhere

• Can contain malware or links to sites infected with malware

• Costs companies productivity and money for anti-spam services

Spam

Mitigation

• Anti-Spam filter

CompTIA Security+ Training

Types of Attacks

Trying to get personal information by pretending to be a trusted person, company, or website.

• Often comes as email

• Uses logos and color schemes to try to mimic the legitimate entity

• Tries to create a sense of urgency or fear

–Poses as the security team or customer service rep

• Mitigation

–User education

–Spam filter

Phishing

Spear Phishing

Using information specific to a person or company to make a phishing attempt seem more legitimate

Whaling

Spear phishing targeted at executives or people with access to especially sensitive information

Vishing

Phishing over VoIP (voice phishing)

Other Attacks


CompTIA Security+ Training

Types of Attacks

The ability of a person or an application to gain privileges and access that they are not intended to have.

•Configuration oversight

•Debugging backdoor left in code

•Could be an outside attacker, a fortuitous insider, or even a malicious insider

Privilege Escalation

Mitigation

• Account Auditing and Management

• Least Privilege

• Code Review

CompTIA Security+ Training

Types of Attacks

When trust is transferred to a third party through a known trusted entity.

• Examples: Joint ventures, consultants

• Mitigation: Don’t give trust to your entire forest. Instead create a separate forest with just the resources you want to share.

Transitive Access

(diagram: A trusts B, B trusts C, so A ends up trusting C)

CompTIA Security+ Training

Types of Attacks

An attack that exploits the client–server relationship. A user downloads something from a trusted server (FTP, file share, email, web, etc.) and unknowingly gets malicious code too.

• Allows attacker to execute programs on the infected machine

• Programs run at the permission level of the user

• If a client does not interact with the server there is no risk of getting any harmful data from the server.

Client-side Attacks

Mitigation

• Firewall with Intrusion Prevention System


CompTIA Security+ Training

Types of Attacks

Key Terms You Should Know

Term Definition

Spoofing Data that masquerades as something it isn't. Data that looks like it is from a legitimate source

Pharming An attack that takes traffic intended for one destination and redirects it to another

Man-in-the-Middle The attacker impersonates two endpoints and controls the communication between them

Replay An attacker captures a data transmission and resends it later

CompTIA Security+ Training

Types of Attacks

Key Terms You Should Know

Term Definition

Denial of Service Deprives the intended users of access to a system by overwhelming its resources and bandwidth with more data than it can handle

Distributed DoS Using the resources of many different systems (usually without their consent) to launch a DoS attack

Smurf Broadcasting spoofed ICMP pings to many hosts on a network and aiming the replies to one target machine creating a DoS attack

CompTIA Security+ Training

Types of Attacks

Key Terms You Should Know

Term Definition

Spam Unsolicited bulk email or other communication

Spim Spam over instant messenger

Phishing Pretending to be a known company or person and asking for personal information like passwords or credit card numbers

Spear Phishing Using knowledge of a person or company to appear trustworthy and extract sensitive information

Whaling Spear phishing aimed at a high ranking person to gain access to especially sensitive information

Vishing Using the anonymity of VoIP to employ phishing schemes


CompTIA Security+ Training

Types of Attacks

Key Terms You Should Know

Term Definition

Privilege Escalation Obtaining permissions, privileges, and access that one is not intended to have

Transitive Access A trusts B, B trusts C, so A trusts C. May be without their knowledge or consent

Client-side Attacks A malicious server doles out rogue code to the clients that access it

Malicious Insider Threat

An employee who has malevolent intent against his or her company

CompTIA Security+ Training

Types of Attacks

What We Covered

Attacks on Data in Transit

Spoofing/Poisoning

Pharming

Man-in-the-middle

Replay

Denial of Service (DoS)

Distributed DoS

Smurf

Scanners and Sniffers

Attacks Via Email and

Other Communications

Spam

Phishing

Other Attacks

Privilege Escalation

Transitive Access

Client-side Attacks

Malicious Insider Threat


CompTIA Security+ Training Instructor: Lisa Szpunar

Malware Prevention and Cleanup

CompTIA Security+ Training

Malware Prevention and Cleanup

In This Lesson:

Viruses

Worms

Trojans

Spyware

Adware

Rootkits

Backdoors

Logic Bombs

Botnets

Ransomware

Malware Mitigation

Malware Removal

Exam Objective:

3.1 Analyze and differentiate

among types of malware

CompTIA Security+ Training

Malware Prevention and Cleanup

• A combination of the words malicious and software

–Broad category of software threats

–Created with the intent of being damaging (or just annoying)

• Malicious payloads can:

–Consume bandwidth and resources

–Vandalism – delete files

– Install a backdoor

–Make the PC part of a botnet

–Data theft

–Keystroke logging

– Install unwanted software like other malware

–Display advertisements

Malware


CompTIA Security+ Training

Malware Prevention and Cleanup

• Computer viruses can replicate themselves

• In order to spread to another computer it must attach itself to a program or file

• Spread by user action

– send an email attachment

– share files on removable media

Viruses

(diagram: a host program or file with the virus attached to it)

CompTIA Security+ Training

Malware Prevention and Cleanup

Program/File viruses – create or infect executable files

Parasitic – Appends itself to a legitimate host file; when the host file is opened the virus executes first

Companion – Creates a new program with the same name as an existing program so that it is run instead

Macro – Written in a macro language; embedded in Microsoft Office documents or templates and runs when the document is opened

Virus Types

CompTIA Security+ Training

Malware Prevention and Cleanup

Concealment viruses – attempt to avoid detection by antivirus software

Polymorphic – Changes or mutates its code each time it runs while keeping its function intact

Retrovirus – Attacks the antivirus software itself

Stealth – Hides by intercepting the antivirus software’s checks. Example: the check of a file’s size to see if a virus has been added

Virus Types


CompTIA Security+ Training

Malware Prevention and Cleanup

Other virus types

Boot Sector – Infects the master boot record (or the boot sector of a partition)

Multipartite – Infects and spreads in multiple ways (e.g., both the boot sector and program files)

Virus Types

CompTIA Security+ Training

Malware Prevention and Cleanup

Worm

• Has the ability to spread without human interaction

• Can replicate itself on your system and send those copies to other machines

• Uses communication/transport features already set up on your machine – like email

Example: A worm uses your email program to send copies of itself to everyone in your address book.

Worms


CompTIA Security+ Training

Malware Prevention and Cleanup

• Appears to be some kind of desired software or file

• Is actually concealing malicious code

• User is tricked into opening or installing it

• Cannot replicate itself

• A computer with trojan malware installed can now be used by attackers

–Botnet

–Data theft, modification, or deletion

–Proxy

Trojans


CompTIA Security+ Training

Malware Prevention and Cleanup

• Cannot spread on its own

• Collects computer and user information

– Internet usage

–Passwords/account numbers

• Can control as well as monitor

– Install additional software – adware

–Redirect browser activity

–Change settings

• Usually installed without the user’s knowledge or consent

• Presence is hard to detect

• Forwards information to attacker

Spyware

CompTIA Security+ Training

Malware Prevention and Cleanup

• Automatically displays or downloads advertisements

• Whether or not the user has consented

• Not necessarily malware

–Can be used in exchange for free or discounted access to a program or service

• Mobile phone apps

Adware

• Not all pop-ups and pop-unders are adware

• Use anti spyware/pop-up blocker program like Windows Defender

Pop-ups

CompTIA Security+ Training

Malware Prevention and Cleanup

• Allows continued privileged (root/administrator) access to a computer

• The attacker must already have obtained root access to install the rootkit

–For example, the user clicks yes to a prompt asking for elevated permission

• Actively hides from administrators, the OS, and antivirus

Rootkits


CompTIA Security+ Training

Malware Prevention and Cleanup

• A hidden method of bypassing the normal authentication process

• Can be hard coded in by a program’s creator

• Can be added by malware

–Trojans

–Rootkits

Backdoors

CompTIA Security+ Training

Malware Prevention and Cleanup

• Malware designed to launch based on a predetermined event

–Date and time (time bomb)

–Deletion of a particular user account

–Reboot

• Delivers a malicious payload

–Delete data

–Destroy network infrastructure

Logic Bombs

CompTIA Security+ Training

Malware Prevention and Cleanup

A group of remote machines infected with malware that lets an attacker use their resources to coordinate an attack.

• Example uses

–Distributed denial of service attacks

–Sending spam

–Brute force attacks

• Spammers or others can purchase the use of botnets that are already set up

Botnets


CompTIA Security+ Training

Malware Prevention and Cleanup

• Holds systems or data hostage by encrypting it

• Threatens harmful or destructive action

• Demands ransom money for the return of the data or the removal of malicious code

Ransomware

CompTIA Security+ Training

Malware Prevention and Cleanup

• Install antivirus software and keep it updated

• Disallow common vehicles for viruses

– .exe files

– Macros

• Least privilege

• User education

–Acceptable use policy

• Backups

Malware Mitigation

Scareware example (fake alert image on the slide): “Virus Found! Click Here to Remove / Continue Unprotected. Viruses Cause: Privacy Invasion, Security Risks, System Crashes, Infecting other Computers”

CompTIA Security+ Training

Malware Prevention and Cleanup

1. Remove the infected computer from the network

2. Take an image or backup files to an isolated drive

3. Run updated antivirus software (a scan from clean boot or rescue media is more reliable than one run from inside the infected OS, which a rootkit may be subverting)

4. Internet search (be very cautious)

• Malware removal tools

• Infection specific tools or tutorials

• Forums and blogs

5. Restore or reinstall the OS

Malware Removal


CompTIA Security+ Training

Malware Prevention and Cleanup

Key Terms You Should Know

Term Definition

Viruses Malicious code that must attach itself to another piece of code to replicate

Worms Independent malicious code that self-replicates

Trojans Appears to provide one desired service but also (or instead of) has a hidden purpose

Spyware Malware that works on behalf of a third party to gather information and install more malware on an infected machine

Adware Software that automatically downloads and displays advertisements

CompTIA Security+ Training

Malware Prevention and Cleanup

Key Terms You Should Know

Term Definition

Rootkits Code that offers the attacker prolonged remote root access

Backdoors An intentional or forced way around normal authentication and access control

Logic Bombs Malicious code that is set to launch after a specific condition is met

Botnets A group of remote hosts with code installed that allows an attacker to use their resources to anonymously send attacks and spam

Ransomware Malicious code that holds data or systems hostage and will only release them once a ransom is paid

CompTIA Security+ Training

Malware Prevention and Cleanup

What We Covered

Viruses

Worms

Trojans

Spyware

Adware

Rootkits

Backdoors

Logic Bombs

Botnets

Ransomware

Malware Mitigation

Malware Removal


CompTIA Security+ Training Instructor: Lisa Szpunar

Network Device Security

CompTIA Security+ Training

Network Device Security

In This Lesson:

Firewalls

Routers

Switches

Load Balancers

Proxies

Web Security Gateways

VPN Concentrators

Network-based Intrusion Detection and Intrusion Prevention

Other Security Appliances

Protocol Analyzers / Sniffers

Host-based Filtering Tools

Exam Objective:

1.1 Explain the security function

and purpose of network devices and technologies

CompTIA Security+ Training

Network Device Security

• Purposes

– Isolate a network or part of a network

–Control and filter traffic from untrusted sources

–Network address translation (NAT)

–Create a demilitarized zone (DMZ)

• Form of

–Hardware – Stand-alone – Network-based

–Software – Integrated – Host-based

Firewalls

Firewall Best Practices

• All inbound and outbound communication should be filtered

•Deploy firewalls between different departments and/or security levels

• Keep patched and updated


CompTIA Security+ Training

Network Device Security

• Packet Filter

– Filters packets based on their header information

• Source/destination IP address, protocol, and port number

–Doesn’t look at packet contents

Example: a packet filtering firewall has a rule to disallow Telnet access. The firewall looks at the IP and TCP headers and if the destination port is 23, the packet is dropped or denied.

Firewall Types

Strengths

• Already in your environment

• Fast

Weaknesses

• Static and “unintelligent”

• Spoofing / malicious content

CompTIA Security+ Training

Network Device Security

• Proxy Firewall

–Acts as an intermediary between your network and the outside

– Intercepts, inspects, and repackages

• Can look at packet content

• Forwards or rejects data based on a set of rules

• Application Level

–More advanced rules for one application/service/port

Firewall Types

Strengths

•Hides internal users from

the external network

Weaknesses

• Slower

•Harder to set up

CompTIA Security+ Training

Network Device Security

• Web Application Firewall

–Server-side firewall that protects the interactions between web clients and the web server

–Application specific

–Works to prevent:

• SQL injection

• Cross-site scripting (XSS)

• Other web application attacks

Firewall Types


CompTIA Security+ Training

Network Device Security

• Stateful Inspection (or Stateful Packet Filtering)

–Keeps track of the state of network connections

• Uses a state table to log every communication channel

–Knows what to expect from a given communication session

–Keeps ports closed unless they are in use

Firewall Types

Strengths

• Tracks whole connections rather than isolated packets, so unsolicited inbound packets are dropped even if their flags look “established”

• Faster than proxy firewalls

Weaknesses

•Denial-of-Service attack can

overload the state table
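The difference between a stateless packet filter and stateful inspection, as an added example that is not from the original slides. The addresses, rules and the one “published” server are constructed. The stateless filter has to allow any inbound TCP packet with ACK set so that replies to internal users get through, which also lets an unsolicited ACK-only probe in; the stateful filter allows inbound packets only when they match a connection it recorded, and its fixed-size state table shows the denial-of-service weakness noted above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()

INTERNAL = "10.0.0."                 # assumption: the internal network prefix
PUBLISHED = {("10.0.0.80", 443)}     # assumption: one published web server behind the firewall

def direction(p: Packet) -> str:
    return "out" if p.src.startswith(INTERNAL) else "in"

# --- Stateless packet filter: every packet is judged on its own headers, first match wins ---
STATELESS_RULES = [
    {"action": "deny",  "proto": "tcp", "dport": 23},                    # no Telnet, as in the slide
    {"action": "allow", "proto": "tcp", "flags": {"ACK"}},               # "established": must pass both ways
    {"action": "allow", "proto": "tcp", "direction": "out"},             # inside hosts may open connections
    {"action": "allow", "proto": "tcp", "dport": 443, "dst": "10.0.0.80"},
    {"action": "deny"},                                                  # default deny
]

def stateless_filter(p: Packet) -> str:
    for r in STATELESS_RULES:
        if "proto" in r and r["proto"] != p.proto:
            continue
        if "dport" in r and r["dport"] != p.dport:
            continue
        if "dst" in r and r["dst"] != p.dst:
            continue
        if "flags" in r and not r["flags"] <= p.flags:
            continue
        if "direction" in r and r["direction"] != direction(p):
            continue
        return r["action"]
    return "deny"

# --- Stateful inspection: a state table remembers which connections were legitimately opened ---
class StatefulFilter:
    def __init__(self, max_states: int = 1000):
        self.states = {}            # 5-tuple of the opening SYN -> state name
        self.max_states = max_states

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p: Packet) -> str:
        if p.proto == "tcp" and p.dport == 23:
            return "deny"
        key, rkey = self._key(p), self._reverse(p)
        if key in self.states or rkey in self.states:
            if p.flags & {"FIN", "RST"}:                 # connection torn down: free the entry
                self.states.pop(key, None)
                self.states.pop(rkey, None)
            return "allow"                               # packet belongs to a known connection
        opens = p.proto == "tcp" and p.flags == {"SYN"} and (
            direction(p) == "out" or (p.dst, p.dport) in PUBLISHED)
        if opens:
            if len(self.states) >= self.max_states:
                return "deny"   # state table full: the DoS weakness noted on the slide
            self.states[key] = "SYN_SENT"
            return "allow"
        return "deny"           # unsolicited inbound packet, including an ACK-only probe
```

Real stateful firewalls age out half-open entries and use SYN cookies or per-source limits so that a flood of SYNs to the published server does not also lock out new outbound connections from inside, which is exactly what happens to the toy table once it is full.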

CompTIA Security+ Training

Network Device Security

Routers

• Purposes

–Communication between separate networks

–Segmentation

–Determine the best path for data packets to travel

– Firewall

• Form of

–Hardware – Stand-alone

– Integrated

Router Best Practices

• Configure the router to prevent unauthorized modifications to the routing tables

• Change the default password

• Keep patched and updated

CompTIA Security+ Training

Network Device Security

Routers

• Security Functions

–Segmentation

• Limits broadcast traffic

• Isolation

–Access Control Lists (ACL)

– Filtering

• Vulnerabilities

–Poor configuring and hardening

–Unauthorized routing table entry

(diagram: a router connecting the Internet, Internal Network 1, and Internal Network 2)


CompTIA Security+ Training

Network Device Security

• Purposes

–Create networks or subnets

– Join resources together

• Form of stand-alone hardware

Switches

CompTIA Security+ Training

Network Device Security

• Security Function

–Unicast frames are sent only to the destination port (unlike hubs), which makes casual sniffing harder, though ARP spoofing or MAC flooding can still defeat this

–Port security / MAC address filtering rules (basic firewall)

• Vulnerabilities

–ARP Spoofing / Man-in-the-Middle

–Older switches use Telnet to configure

–An attacker with access can turn on mirroring to sniff all traffic

Switches

Switch Best Practices

•Hubs should be replaced with switches

• Configuration of the switch should be done over secure ports/protocols

• Keep patched and updated

CompTIA Security+ Training

Network Device Security

• Purpose

–Distributes computing workload across multiple machines

• Form of

–Hardware – Stand-alone

–Software – Integrated (NAT, Routing, Firewall)

Load Balancers

(diagram: client -> load balancer -> redundant servers)


CompTIA Security+ Training

Network Device Security

• Security Function

–Availability

–Can provide failover

–Usually integrated with other security features

• Vulnerabilities

–Depends on what it is integrated with

–Model specific vulnerabilities

• Keep it patched and up-to-date

Load Balancers

CompTIA Security+ Training

Network Device Security

• Purposes

– Intermediary device or software that acts on behalf of a system or person

–Keeps copies of commonly used items for quick delivery (cache)

• Form of

–Computer system

–Application

Proxies

Proxy Best Practices

• Internal user interaction with the outside internet should go through a proxy

• Automatically update the list of and block known malicious sites

• Cache often accessed sites

CompTIA Security+ Training

Network Device Security

(diagram: client -> proxy -> web server www.example.com; the slide labels the two hops 1.1.1.1 and 2.2.2.2, and the server sees only the proxy’s address)

• Security Functions

– Filter and control outbound traffic

• Proprietary data

• Outgoing malicious content

• Prevent visiting restricted sites

–Keep internal machines anonymous

• Vulnerabilities

–Single point for an attacker to

gain access to data

Proxies



CompTIA Security+ Training

Network Device Security

• Purposes

–Proxy, content filtering, and other security functionality in one device

• Form of

–Appliance

• Security Functions

–Malware inspection/filtering

–URL filtering

–Content monitoring

–Productivity monitoring

–Data leak prevention (DLP)

–Policy compliance

Web Security Gateways

CompTIA Security+ Training

Network Device Security

• Purposes

–Establish and handle large amounts of simultaneous virtual private network (VPN) tunnel connections

–Provide authentication and access control

• Form of

–Appliance

• Security Functions

–Authentication

–Authorization

–Accounting

–Encryption

• Weakness

–Denial-of-Service

VPN Concentrators

CompTIA Security+ Training

Network Device Security

• Purposes

– Inspect network traffic and identify suspicious patterns

– Issue alerts when potential attacks have taken place

• Form of

–A system of sensors, controllers, and other components

–Hardware – Stand-alone

–Software – Integrated

(diagram: Internet -> tap -> Network; the NIDS sensor sees a copy of the traffic from the tap)


CompTIA Security+ Training

Network Device Security

• Security Functions

– Filter traffic to look for unauthorized use or attacks

• Weaknesses

– False positives and false negatives

–Cannot inspect encrypted data

–Needs active manual involvement

–High traffic volume

Network-based Intrusion Detection Systems (NIDS)

Passive Response

•Log event details

•Notify or send an alert to the IDS administrator

•Ignore attacks that are harmless

Active Response

•Terminate the offending process or session

•Make configuration changes to block the offending port or IP address

•Isolate the attack in a honeypot and monitor it

CompTIA Security+ Training

Network Device Security

• Purposes

– Filter and detect just like IDS

–Respond to an attack in process

• Form of

–A hardware and software system

• Security Functions

–Able to combat attacks in real time

• Weaknesses

–More expensive

–Harder to configure

Network-based Intrusion Prevention Systems (NIPS)

CompTIA Security+ Training

Network Device Security

Kinds of NIDS and NIPS

• Signature-based

– Compares traffic to a database of known attack signatures (keep this database up-to-date!)

• Content-based signatures

– A particular flag set, string of characters, etc.

• Context-based signatures

– An unusually high level of ICMP pings, port scans, etc.

• Behavior-based/Anomaly-based/Heuristic

– Looks for changes to usual network behavior

• Higher traffic volume

• Repeated policy violations

– Compares the current traffic and events to a network history database
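The three detection kinds run over a handful of constructed flow records, as an added example that is not the slides’ own material: a content signature (a string match in the payload), two context signatures (distinct destination ports per source, ICMP echo rate) and an anomaly check of outbound volume against a constructed seven-day baseline standing in for the network history database. Thresholds, addresses and the flow format are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed flow records (not real traffic): (time, src, dst, proto, dport, bytes, payload)
FLOWS = [
    (0, "10.0.0.5", "10.0.0.80", "tcp", 80, 400, "GET /index.html HTTP/1.1"),
    (1, "198.51.100.7", "10.0.0.80", "tcp", 80, 520, "GET /login.php?user=admin' OR '1'='1 HTTP/1.1"),
    *[(2, "203.0.113.9", "10.0.0.80", "tcp", port, 60, "") for port in range(20, 60)],   # port sweep
    *[(3, "203.0.113.9", "10.0.0.80", "icmp", 0, 84, "") for _ in range(200)],           # ping flood
    (4, "10.0.0.7", "203.0.113.50", "tcp", 443, 95_000_000, ""),                          # bulk upload
]

# Content-based signatures: patterns inside the payload (useless once the payload is encrypted)
CONTENT_SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "directory-traversal": re.compile(r"\.\./\.\./"),
}
# Context-based thresholds (assumed values)
PORT_SCAN_THRESHOLD = 20     # distinct destination ports from one source
ICMP_RATE_THRESHOLD = 100    # echo requests from one source in the window
# Constructed 7-day baseline of outbound bytes per internal host (the "network history database")
BASELINE = {"10.0.0.7": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000, 1_000_000, 1_400_000]}

def content_alerts(flows):
    alerts = []
    for _t, src, _dst, _proto, _dport, _nbytes, payload in flows:
        for name, rx in CONTENT_SIGNATURES.items():
            if rx.search(payload):
                alerts.append(("signature", name, src))
    return alerts

def context_alerts(flows):
    ports, icmp = defaultdict(set), defaultdict(int)
    for _t, src, _dst, proto, dport, _nbytes, _payload in flows:
        if proto == "tcp":
            ports[src].add(dport)
        elif proto == "icmp":
            icmp[src] += 1
    alerts = [("context", "port-scan", s) for s, p in ports.items() if len(p) >= PORT_SCAN_THRESHOLD]
    alerts += [("context", "icmp-flood", s) for s, n in icmp.items() if n >= ICMP_RATE_THRESHOLD]
    return alerts

def anomaly_alerts(flows, baseline, k=3.0):
    # Flag an internal host whose outbound volume is more than k standard deviations above its history.
    out = defaultdict(int)
    for _t, src, dst, _proto, _dport, nbytes, _payload in flows:
        if src.startswith("10.0.0.") and not dst.startswith("10.0.0."):
            out[src] += nbytes
    alerts = []
    for host, total in out.items():
        hist = baseline.get(host)
        if not hist:
            continue            # no history yet: nothing to compare against
        mu, sd = statistics.mean(hist), statistics.pstdev(hist)
        if total > mu + k * sd:
            alerts.append(("anomaly", "outbound-volume", host))
    return alerts

def run_ids(flows, baseline=BASELINE):
    return content_alerts(flows) + context_alerts(flows) + anomaly_alerts(flows, baseline)
```

The false-positive problem from the weaknesses list shows up immediately in code like this: an authorised vulnerability scanner trips the port-scan rule just as an attacker does, and a legitimate backup job can exceed the volume threshold, so thresholds need tuning against the real baseline and alerts need a human in the loop.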


Other Security Appliances

• Spam Filters
  – Appliance filters messages before they get to the mail server
  – Blocks messages from known spammers
  – Scans messages for common spam elements
    • Flag, separate, or completely block
  – Looks at both incoming and outgoing mail
• All-in-one Security Appliance
  – Stateful firewall
  – IDS and IPS
  – Data leak prevention
  – Antivirus
  – Anti-spam
  – Content filtering
  – Load balancing
  – VPN
  – Network analyzer
  – Reporting

Protocol Analyzers / Sniffers

• Purposes
  – Find unusual types/amounts of traffic
  – Look for the traffic that infected systems send
  – Find misconfigurations like open ports
  – Capture traffic during incident response
  – Can be placed to look at inbound, outbound, and internal traffic
• Form of
  – Software on a PC that has a NIC in promiscuous mode
  – A switch with port mirroring turned on
  – A switch with a built-in port analyzer port
  – Hardware taps

Host-based Filtering Tools

• URL Filtering
  – Web browser blocks websites based on their URL address
  – Checks the URL against a list of known malware sites before showing the page
  – Internet Explorer SmartScreen Filter, McAfee SiteAdvisor
• Content Inspection
  – Scans the data you are trying to access for red flags
  – Internet Explorer Content Advisor
  – Network-level content inspection software that works with proxies or other network devices is also available
• Malware Inspection
  – OS software that attempts to stop malware from entering a host
  – Microsoft Security Essentials

Page 34: Security+ Slides

Key Terms You Should Know

Firewalls: Hardware and/or software that protects the internal network from attackers on the outside public internet
Web Application Firewall: Used to secure a web server against XSS and injection attacks
Routers: A device that connects two or more networks and determines the path that data packets will take
Switches: A device that joins clients, servers, printers, and other resources to create a network
Load Balancers: A network device that distributes computing workload across multiple machines
Proxies: Acts as an intermediary and prevents a direct connection between two parties

Key Terms You Should Know (continued)

Web Security Gateways: Proxy and content filtering functionality in one device that filters all communication between the internal clients and the outside internet
VPN Concentrators: A device that creates and secures multiple VPN connections
NIDS: A system that inspects network traffic and issues alerts for suspicious, malicious, or undesirable behavior
NIPS: A system that detects and responds to suspicious, malicious, or undesirable network traffic
Spam Filters: An appliance that works at the network layer to block spam messages before they enter the email system

Key Terms You Should Know (continued)

All-in-one Security Appliances: An appliance that offers unified threat management
Protocol Analyzers and Sniffers: Software or hardware tool used to observe network traffic for troubleshooting or to create a baseline
URL Filtering: Software that determines which websites a user can access based on a list of known unsafe URLs
Content Inspection: Software that inspects the content on a requested website and blocks unsafe or undesirable content
Malware Inspection: Software that attempts to block malware before it enters a machine

Page 35: Security+ Slides


What We Covered

Firewalls

Routers

Switches

Load Balancers

Proxies

Web Security Gateways

VPN Concentrators

Network-based Intrusion Detection and Intrusion Prevention

Other Security Appliances

Protocol Analyzers / Sniffers

Host-based Filtering Tools

Page 36: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Secure Network Administration


In This Lesson:

Rule-based Management

Access Control Lists (ACLs)

Firewall Rules

Secure Router Configuration

Port Security

Flood Guards

Loop Prevention

Network Separation and Network Bridging

Log Analysis

Exam Objectives:

1.2 Apply and implement secure network administration principles

3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques

Rule-based Management

• Controlling communications and access to resources based on a list of rules that are configured by the administrator
• Examples
  – ACLs and firewall rules
  – Firewalls, routers, proxies, and more
• Rules are processed in top-down order
  – The first rule that matches is executed; all others are ignored
  – The last rule on the list must be a catch-all
    • Deny all or implicit deny
    • Allow all or allow any

Page 37: Security+ Slides


Access Control Lists (ACLs)

• Defines who is allowed to do an activity, access a resource, or use a communication pathway

• Allow administrators to customize and adapt security to deal with the specific needs and threats of the network

• Access Control Entries (ACE) on the ACL define these rules

–Network devices: what hosts or types of traffic can access which ports or services

–Computer file system: permissions attached to an object

Firewall Rules

• Define what traffic is allowed and what traffic is denied
  – Criteria: source or destination address, port, content
  – Action: allow, deny, allow only if secured
• Should line up with your organization's needs and security policies
• Use the principles of least access and implicit deny
• Perform regular rule audits, looking for
  – Temporary rules that ended up being permanent
  – Exceptions placed before the general rule
  – Orphaned rules
  – Typos

Firewall Rule Best Practices
• Use a deny-by-default or implicit deny policy instead of allow-by-default
• Close ports above 1024 unless you have a specific application that needs one

Firewall Rules: Ports to Remember

Find more port information at: www.iana.net

Acronym  Service Name                         Port(s)                                             TCP  UDP
FTP      File Transfer Protocol               20 (data transfer), 21 (control)                    x
SSH      Secure Shell                         22                                                  x    x
SCP      Secure Copy                          22                                                  x    x
TELNET   Telnet                               23                                                  x
SMTP     Simple Mail Transfer Protocol        25                                                  x
TFTP     Trivial File Transfer Protocol       69                                                       x
HTTP     Hypertext Transfer Protocol          80                                                  x    x
POP3     Post Office Protocol v3              110                                                 x
SFTP     Secure/SSH File Transfer Protocol    115                                                 x
NetBIOS  Network Basic Input/Output System    137 (name service), 138 (datagram), 139 (session)   x    x
IMAP     Internet Message Access Protocol     143                                                 x
HTTPS    HTTP Secure                          443                                                 x
FTPS     FTP Secure                           989 (data transfer), 990 (control)                  x    x
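Rule-based management and the firewall rule audit above, as an added example in Python that is not part of the original slides: a top-down, first-match evaluator with the implicit-deny catch-all, plus an audit that finds shadowed rules (a rule that can never match because an earlier, broader rule covers everything it would). The rule set, the subnets and the kiosk address are constructed; the port numbers come from the table above.

```python
# Added example (not from the slides): first-match firewall rule evaluation
# and a shadowed-rule audit over a constructed rule set.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    src: str                          # CIDR, or "any"
    dst: str                          # CIDR, or "any"
    ports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any


def _in_net(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def matches(rule, proto, src, dst, dport):
    """Do the rule's criteria (protocol, addresses, port) match this packet?"""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.ports is not None and not rule.ports[0] <= dport <= rule.ports[1]:
        return False
    return _in_net(src, rule.src) and _in_net(dst, rule.dst)


def evaluate(rules, proto, src, dst, dport):
    """Rules are processed top-down: the first match is executed and all
    others are ignored. Anything unmatched falls through to implicit deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def _covers_net(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def covers(outer, inner):
    """True when every packet `inner` could match is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    if outer.ports is None:
        ports_ok = True
    elif inner.ports is None:
        ports_ok = False
    else:
        ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return (proto_ok and ports_ok
            and _covers_net(outer.src, inner.src) and _covers_net(outer.dst, inner.dst))


def shadowed_rules(rules):
    """Rule audit: report (shadowed_rule, earlier_rule) pairs. A shadowed rule is
    dead configuration; when it is an exception to the general rule above it,
    the exception is silently not enforced and the rules need reordering."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed rule set. 192.168.1.0/24 is the office LAN; 192.168.1.50 is a
# kiosk that should be denied HTTPS, but its exception sits after the general
# allow, so the audit should flag it. Everything unmatched is implicitly denied.
RULES = [
    Rule("allow-office-https", "allow", "tcp", "192.168.1.0/24", "any", (443, 443)),
    Rule("deny-kiosk-https", "deny", "tcp", "192.168.1.50/32", "any", (443, 443)),
    Rule("allow-admin-ssh", "allow", "tcp", "192.168.1.10/32", "10.0.0.0/8", (22, 22)),
    Rule("deny-telnet", "deny", "tcp", "any", "any", (23, 23)),
]


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "192.168.1.50", "203.0.113.10", 443))  # kiosk gets through
    print(evaluate(RULES, "tcp", "192.168.1.20", "203.0.113.10", 8080))  # implicit deny
    print(shadowed_rules(RULES))
```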

Page 38: Security+ Slides

Secure Router Configuration

• Change the default username and password
• Keep the firmware patched and updated
• Study the documentation or hardening guide for your specific model
• Create and maintain a baseline document for your router
• Back up configurations before making any major changes or performing updates (keep this backup secure too)
• Remotely manage the router only over secure channels (not Telnet)

Secure Router Configuration (continued)

• Never pass the admin password in cleartext
• Use and configure MAC address filtering (firewall) on the router
• Use in conjunction with other security devices and technologies
• Physically secure the router device

Port Security

• Disable Unused Ports
  – Any port not in use should be closed
  – Frequently audit your settings
• MAC Limiting / MAC Filtering
  – Only allow network access to the MAC addresses of known machines
  – Layer 2
  – Don't forget that a MAC can be spoofed

Page 39: Security+ Slides

Port Security (continued)

• IEEE 802.1X Standard
  – EAPOL: Extensible Authentication Protocol (EAP) over LAN
  – An additional layer of authentication between the client and the authentication server (like RADIUS)
  – Unauthorized State: limits communication to encapsulated EAPOL messages until the client has authenticated with the 802.1X authenticator device (like an edge switch)
  – Once the client is authenticated, normal ports are opened

802.1X Vulnerabilities
• Man-in-the-Middle
• Hijacking

Flood Guards

• Feature built into firewalls and routers
• Allows the administrator to change the tolerance for unanswered login attacks
• Once that tolerance is reached, the flood guard automatically begins blocking that type of request
• Reduces the likelihood of a DoS attack

Page 40: Security+ Slides

Loop Protection

• A loop is a transaction pathway that repeats itself
• Layer 2 switches can be configured to offer loop protection

Resolve Ethernet Looping: Spanning Tree Protocol (STP) makes sure there is only one active path between two nodes
IP Loop Protection: Adds Time To Live (TTL) counters to packets to limit the distance packets are allowed to travel before being discarded
Disable Broadcast Forwarding: Protects against duplicate ARP requests

Network Separation and Network Bridging

• Set up more than one physical network to separate groups inside one company
  – Sensitive proprietary data
  – Customers' personal information
  – Test environment
• Network bridging happens when a device has more than one network interface, each connected to a different network
  – Doesn't limit broadcast domains
  – Can cause latency and loops
• Use routers and firewalls for higher control if you must join separate networks

Log Analysis

• Administrators can turn logging on in many places
  – Routers, switches, proxies, IPS, every device!
  – More useful after an event than in real time
• Many products are available to help compile and parse logs
  – Splunk
  – Microsoft System Center Operations Manager
• Decide on a log analysis plan and the accompanying tools based on your environment's needs and budget

Page 41: Security+ Slides

Key Terms You Should Know

Rule-based Management: Controlling actions and access through rule- or filter-based systems
Firewall Rules: A list of rules that are executed in order and define what ports, addresses, or other criteria are allowed to pass
Implicit Deny: The action or access is not allowed unless there is a rule specifically permitting it. Found at the end of a rule set or ACL

Key Terms You Should Know (continued)

Access Control Lists (ACL): A list or table that defines what hosts, users, or types of traffic are allowed to access what resources or communication channels
MAC Limiting / MAC Filtering: A list of the MAC addresses that are allowed to access the network
802.1X: The IEEE standard that defines a port-based authentication technology based on EAP. Think of it as an authentication proxy

Key Terms You Should Know (continued)

Flood Guards: Protections in place to avoid large amounts of a type of traffic and lower the likelihood of DoS attacks
Loop Protection: Using STP and TTL counters to prevent repeating transmission pathways or bridge loops
Spanning Tree Protocol (STP): A tree list of all available connections. Used to prevent looping and help determine the least-cost path
Network Bridging: Using a multihomed device with more than one network interface to connect separate networks

Page 42: Security+ Slides


What We Covered

Rule-based Management

Access Control Lists (ACL)

Firewall Rules

Secure Router Configuration

Port Security

Flood Guards

Loop Prevention

Network Separation and Network Bridging

Log Analysis

Page 43: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Secure Network Design


In This Lesson:

Security Zones

DMZ (Demilitarized Zone)

Subnetting

Virtual LAN (VLAN)

Network Address Translation (NAT)

Remote Access

Virtual Private Network (VPN)

Telephony

Network Access Control (NAC)

Virtualization

Cloud Computing

Exam Objectives: 1.3 Distinguish and differentiate network design elements and compounds

Security Zones

(The slide diagram arranges the zones along a threat-level scale running from Low to Extremely High.)

Internet: The global system of interconnected networks that can be accessed by anyone. Assume and prepare for the worst
DMZ: A perimeter network isolated from the internal network where web servers, mail servers, and other public-facing services live
Intranet: Web-like services and other services that are in the internal network and can be accessed by employees or trusted clients
Extranet: An Intranet extended to select trusted third parties like vendors or contractors. All users must still authenticate

Page 44: Security+ Slides

Intranet Best Practices
• Have a firewall and proxy at the edge of the intranet filtering inbound and outbound traffic
• Implement IPSec for communications between internal hosts and servers
• Have enterprise-level and host-level antivirus software
• Write, implement, and audit security policy
• Least privilege and implicit deny

Extranet Best Practices
• Use digital certificates along with usernames and passwords to authenticate
• Use tunneling across the public internet to connect external users

DMZ Best Practices
• Have one!
• Use the layered firewall approach instead of a single multi-homed firewall
• Regularly back up data in the DMZ and don't keep the only copy of something in the DMZ

Page 45: Security+ Slides

Internet Best Practices
• Consider all interactions to be potential attacks
• Use tunneling and encryption whenever communicating sensitive data over the public internet
• Educate your users and have acceptable use policies for internet usage

DMZ (Demilitarized Zone)

• Why a DMZ?
  – Servers exist that users outside the LAN need to access
    • Email, IIS, FTP, DNS, IPS, honeypots, …
  – Public-facing servers are the most vulnerable
  – They still need protection and limited access to internal hosts
  – Servers in the DMZ can provide services to both internal and external clients while maintaining security
• Security Function
  – Adds a layer of security between the LAN and the public internet
  – Attackers only have access to the perimeter machines

DMZ Design: Multiple Interfaces

• Multiple Interfaces
  – 1 firewall with 3 or more network interfaces
  – Can be less secure

(Diagram: the Internet, the protected network, and the DMZ holding an FTP server and a mail server each connect to a separate interface of one multi-homed firewall.)

Page 46: Security+ Slides

DMZ Design: Layered

• Layered
  – Put DMZ systems between two separate firewalls
  – Can be more secure

(Diagram: Internet, front-end firewall, DMZ with an FTP server and a mail server, back-end firewall, protected network.)

Subnetting

• Process of taking a large network and dividing it into smaller networks to increase efficiency and manageability

Example:
  – Before: Whole Network 192.168.0.0, Subnet Mask 255.255.0.0, 65534 hosts
  – After: Subnet Mask 255.255.255.0
    • Accounting Subnet 192.168.1.0, 254 hosts
    • Customer Service Subnet 192.168.2.0, 254 hosts
    • Marketing Subnet 192.168.3.0, 254 hosts

Subnetting (continued)

• Security Functions
  – Network separation
  – Easier to administer
  – Speeds up the network
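The Before/After subnetting example above, worked through with Python's ipaddress module as an added example that is not part of the original slides. The department networks and masks are the slide's; the individual host addresses are constructed.

```python
# Added example (not from the slides): the 192.168.0.0/16 network from the
# slide carved into the three department /24 subnets, showing the host counts
# and why hosts in different departments end up on separate segments.
import ipaddress

WHOLE_NETWORK = ipaddress.ip_network("192.168.0.0/16")   # mask 255.255.0.0

DEPARTMENT_SUBNETS = {                                    # mask 255.255.255.0
    "Accounting": ipaddress.ip_network("192.168.1.0/24"),
    "Customer Service": ipaddress.ip_network("192.168.2.0/24"),
    "Marketing": ipaddress.ip_network("192.168.3.0/24"),
}


def usable_hosts(net):
    """Usable host addresses: the total minus the network and broadcast addresses."""
    return net.num_addresses - 2


def subnet_for(ip, subnets=DEPARTMENT_SUBNETS):
    """Return the department whose subnet contains `ip`, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in subnets.items():
        if addr in net:
            return name
    return None


def same_segment(ip_a, ip_b, mask):
    """Are two hosts on the same network segment under the given subnet mask?
    Before subnetting (255.255.0.0) every 192.168.x.y host shares one segment;
    after (255.255.255.0) the departments are separated, and traffic between
    them must cross a router, where it can be filtered."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def split_report():
    """Carve the /16 into /24s and confirm the department subnets are among them."""
    carved = list(WHOLE_NETWORK.subnets(new_prefix=24))
    return {
        "before_hosts": usable_hosts(WHOLE_NETWORK),
        "after_hosts_each": usable_hosts(DEPARTMENT_SUBNETS["Accounting"]),
        "subnet_count": len(carved),
        "departments_fit": all(net in carved for net in DEPARTMENT_SUBNETS.values()),
    }


if __name__ == "__main__":
    print(split_report())
    # Constructed hosts: one in Accounting, one in Marketing.
    print(same_segment("192.168.1.20", "192.168.3.7", "255.255.0.0"))    # before: True
    print(same_segment("192.168.1.20", "192.168.3.7", "255.255.255.0"))  # after: False
```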

Page 47: Security+ Slides

Virtual Local Area Network (VLAN)

• VLAN Basics
  – A VLAN is:
    • A group of hosts, servers, and users that are logically connected by layer 2 switches
    • An isolated broadcast domain
  – Trunks use a point-to-point connection to physically connect switches that are part of the same VLAN

VLAN Management

• Use VLANs to
  – Confine traffic to one area of the network
  – Hide segments of the network from other segments to control access
  – Control the path that data takes from one point to another
  – Segment off users with common needs and data sensitivity levels together
• Security Considerations
  – Do not use a VLAN as a security measure by itself
  – Layer 2 switching is not stateful
  – Vulnerabilities
    • MAC flooding, spanning tree attack, ARP spoofing, more

Network Address Translation (NAT)

• Translates between two addressing schemes – internal and external IP addresses
  – Firewalls, routers, proxies
• Developed to conserve IPv4 addresses
• Also performs vital security roles
  – Hides the structure and addresses of the internal network
  – Forces all inbound/outbound traffic through a perimeter device

Static NAT: A 1:1 scheme used for incoming communication with services like a web server
Dynamic NAT: A pool of public addresses assigned to internal addresses for outbound communication
Port Address Translation (PAT): Allows a single public IP address to be used for multiple simultaneous connections from internal clients

Page 48: Security+ Slides

Network Address Translation (NAT): Source NAT

• Source Network Address Translation
  – Keeps internal machines and network topology anonymous
  – Internal machines are inaccessible unless they have requested communication

(Diagram: LAN hosts 192.168.42.3, 192.168.42.4, and 192.168.42.11 sit behind a NAT device with LAN address 192.168.42.1 and public address 75.27.113.72. A host says "I would like to access TrainSignal.com"; TrainSignal.com responds to 75.27.113.72.)

Network Address Translation (NAT): Destination NAT

• Destination Network Address Translation
  – A firewall with NAT can be configured to only let specific types of traffic through

(Diagram: an Internet host says "I would like to access your email server at 75.27.113.73". The NAT device, with public address 75.27.113.73 and LAN address 192.168.42.1, forwards the request to the edge email server at 192.168.42.3 inside the protected network.)
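The two NAT scenarios above, as an added example in Python that is not part of the original slides: a simplified gateway that does source NAT with port translation (PAT) for the 192.168.42.0/24 LAN behind 75.27.113.72, and a static destination NAT entry that publishes only SMTP on 75.27.113.73 to the email server at 192.168.42.3. The remote addresses 203.0.113.10 and 198.51.100.7, the client ports, and the translated port range are constructed; TrainSignal.com's real address is not on the slide.

```python
# Added example (not from the slides): a toy NAT gateway covering the
# source NAT/PAT and destination NAT behaviour of the two slides above.
from itertools import count


class NatGateway:
    def __init__(self, public_ip, dnat_rules, first_port=40000):
        self.public_ip = public_ip
        # Static (1:1) destination NAT: (public_ip, public_port) -> (internal_ip, port).
        # Only these published services are reachable from outside.
        self.dnat_rules = dict(dnat_rules)
        # Dynamic PAT table: translated public port ->
        #   (internal_ip, internal_port, remote_ip, remote_port)
        self.sessions = {}
        self._ports = count(first_port)   # constructed ephemeral port range

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the rewritten (src_ip, src_port).
        An existing flow reuses its translation; a new flow gets the next port,
        so many internal hosts share the single public address."""
        key = (src_ip, src_port, dst_ip, dst_port)
        for tport, sess in self.sessions.items():
            if sess == key:
                return self.public_ip, tport
        tport = next(self._ports)
        self.sessions[tport] = key
        return self.public_ip, tport

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inbound packet to its internal (ip, port), or return
        None to drop it. Only replies to flows an internal host opened, and
        explicitly published services, ever reach the LAN."""
        sess = self.sessions.get(dst_port)
        if dst_ip == self.public_ip and sess is not None and sess[2:] == (src_ip, src_port):
            return sess[0], sess[1]                      # reply to a source-NAT session
        target = self.dnat_rules.get((dst_ip, dst_port))
        if target is not None:
            return target                                # published service (destination NAT)
        return None                                      # unsolicited: dropped


def demo():
    """Walk through the slides' scenarios and return the results by name."""
    gw = NatGateway("75.27.113.72", {("75.27.113.73", 25): ("192.168.42.3", 25)})
    # 192.168.42.3 asks for TrainSignal.com (constructed address 203.0.113.10).
    pub = gw.outbound("192.168.42.3", 51000, "203.0.113.10", 80)
    return {
        "translated_source": pub,
        # TrainSignal.com responds to 75.27.113.72; the gateway maps it back.
        "reply": gw.inbound("203.0.113.10", 80, pub[0], pub[1]),
        # Same public port, but from a host the LAN never talked to: dropped.
        "wrong_remote": gw.inbound("198.51.100.7", 4444, pub[0], pub[1]),
        # Nothing inside requested port 3389, so this never reaches the LAN.
        "unsolicited": gw.inbound("198.51.100.7", 4444, "75.27.113.72", 3389),
        # Destination NAT: only SMTP is published for the email server.
        "mail": gw.inbound("198.51.100.7", 2525, "75.27.113.73", 25),
        "telnet_to_mail_host": gw.inbound("198.51.100.7", 2525, "75.27.113.73", 23),
        # A second internal host shares the one public address on another port (PAT).
        "second_host": gw.outbound("192.168.42.4", 51000, "203.0.113.10", 80),
        # Repeating the first flow reuses its existing translation.
        "same_flow_again": gw.outbound("192.168.42.3", 51000, "203.0.113.10", 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```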

Remote Access

• Sharing resources between physically separated LANs and users
• Remote Access Concepts
  – Remote Access Server
    • Establishes and supports remote connections
  – Remote Authentication
    • The method used to authenticate remote users
    • RADIUS, TACACS, CHAP, 802.1x
  – Point-to-Point Protocol (PPP)
    • Encapsulation using Network Control Protocol (NCP)
    • Authentication using Link Control Protocol (LCP)
    • No encryption – not secure
    • Use alone only on dedicated connections and dial-up

Page 49: Security+ Slides

Remote Access: Tunneling

• Tunneling
  – Encapsulating packets before sending them over the public internet
• Tunneling Protocols
  – Layer 2 Tunneling Protocol (L2TP)
    • Integrity, confidentiality, authentication, replay prevention
    • Does not offer encryption on its own – uses IPSec
    • Two levels of authentication: computer level and user level
  – Point-to-Point Tunneling Protocol (PPTP)
    • Older, less secure, less flexible
  – Internet Protocol Security (IPSec)
    • Not a true protocol but a standard for encrypting data
    • Network layer

Virtual Private Network (VPN)

• A private network connection that happens over the public network
• Provides authentication, access control, confidentiality, and integrity
• Used to connect physically separated LANs or to allow remote users to access LAN resources
• Employs tunneling to keep this communication private
• Tunneling only provides some protection
  – Need encryption like IPSec

Virtual Private Network (VPN): Types

• Site-to-site VPN
  – Home office and branch office appear to be logically connected
• Remote Access VPN
  – Remote user has VPN client software installed

(Diagram: a remote user and a branch office LAN connecting across the Internet.)

Page 50: Security+ Slides

Virtual Private Network (VPN): Best Practices

• VPN Best Practices
  – Avoid PPTP if possible
  – Instead use L2TP with IPSec
  – Use the strongest encryption and authentication available
  – Keep disconnected when not in use
  – Force re-authentication for long sessions
  – Use extra layers of intrusion detection, access control, and policy compliance (NAC) for users that are connecting from locations outside the company LANs

Telephony

PBX / Telecom
• Private Branch Exchange
• Used in larger organizations
• Routes many internal extensions out on limited public phone numbers
• Feature rich

PBX Security Concerns
• Denial-of-service
• Modern phreakers
• Remote access – turn off if no maintenance is being performed

VoIP
• Voice over IP
• Tunneling voice and other data over the existing network and public internet
• Offers video conferencing
• Cost saving

VoIP Security Concerns
• Vishing and Caller ID Spoofing
• Denial-of-service
• Sniffing
• Extra security: encrypt with a VPN

Network Access Control (NAC)

• A baseline security standard that a workstation must adhere to before it can interact with network resources
  – Updates and patches installed
  – Antivirus software running and updated
  – Other configuration policies
  – Must authenticate as a trusted machine/user
• Software client installed on each workstation that communicates with the NAC appliance
  – Standard met: can connect as normal
  – Standard not met: blocked, or remediation is attempted
• Called Network Admission Control by Cisco
• Called Network Access Protection by Microsoft

Page 51: Security+ Slides

Virtualization

• Security Considerations
  – If a VM is compromised, can malware or an attacker break out of the virtual machine?
    • This has never been seen in "the wild"
    • Keep up to date on virtualization news to keep track of this idea
  – Misconfiguration is the biggest concern
    • Virtual environments can grow very quickly
    • Dynamic environments
    • Stale, unpatched, and forgotten systems
    • Virtual networking is the biggest area for misconfiguration
  – A denial-of-service attack on one VM can affect the performance of the other VMs in the cluster

Virtualization: Security Best Practices

• Security Best Practices
  – Use security tools that are created for virtualization
    • vShield, HyTrust, more
  – Use design guides, hardening papers, and other resources for solid virtual architecture
  – Virtual machines have the same risks as physical machines
    • Do everything we are discussing in this course on the VMs too
    • Log analysis, auditing, least privilege, baselining, hardening, security policies, everything!

Virtualization: Security at Each Layer

• Security Best Practices
  – Employ security at each layer of the virtual environment

(Diagram of the layers: Virtual Machines, Hypervisor, Physical Host, Physical Networking Devices.)

Page 52: Security+ Slides

Cloud Computing

Software as a Service (SaaS): Offering software to end users from within the cloud instead of installing it on each hardware machine
Platform as a Service (PaaS): Apps can be created and run on a cloud-based platform
Infrastructure as a Service (IaaS): Contracting data centers, VMs, or other infrastructure services

(Diagram: the IaaS, PaaS, and SaaS layers, reached over the Internet.)

Cloud Computing: Security Considerations

• Security Considerations
  – The third party
    • Time delay
    • Regulatory compliance
    • Data mingling
  – You are ultimately responsible
    • Encrypt data before it leaves your site

Key Terms You Should Know

Bastion Host: A device that is visible to the public internet and specifically configured to withstand attacks
Multi-homed: A device that has more than one network interface
Broadcast Domain: A segment of a network where all the nodes can reach each other by broadcast at the data link layer
Phreaker: A person who exploits or attacks telephone systems
Private Branch Exchange (PBX): A telephone routing system for use by businesses that allows many local extensions to use a limited number of public phone numbers
Voice over IP (VoIP): Sending voice communications and other media data over IP

Page 53: Security+ Slides

Key Terms You Should Know (continued)

Point-to-Point Protocol (PPP): A data link protocol used to send IP packets between two directly connected nodes
Tunneling: Encapsulating packets to create a secure path through an unsecured network
Layer 2 Tunneling Protocol (L2TP): A protocol used to create VPN tunnels by encapsulating PPP packets
Point-to-Point Tunneling Protocol (PPTP): An older protocol used to create VPN tunnels by encapsulating PPP packets. Initialization is not encrypted

Key Terms You Should Know (continued)

Demilitarized Zone (DMZ): A semi-protected network segment that separates the local network from the public internet
Subnetting: Using separate IP address ranges to split a network into segments
Virtual LAN (VLAN): Separating a network/subnet into separate logical segments even though they share a common network switch
Network Address Translation (NAT): Readdressing packets between local non-routable and public addresses at the network boundary gateway

Key Terms You Should Know (continued)

Remote Access: Allowing physically separated users and LANs to share resources
Virtual Private Network (VPN): A networking technique used to send private data through a public network by creating a secure path through the public network
Telephony: The technology of voice data service
Network Access Control (NAC): Monitoring and remediating client security before allowing clients to access the internal network

Page 54: Security+ Slides


What We Covered

Security Zones

DMZ (Demilitarized Zone)

Subnetting

Virtual LAN (VLAN)

Network Address Translation (NAT)

Remote Access

Virtual Private Network (VPN)

Telephony

Network Access Control (NAC)

Virtualization

Cloud Computing

Page 55: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

TCP/IP Protocols and Port Security

In This Lesson:

TCP/IP

Application Layer
• FTP
• SSH and SCP
• Telnet
• SMTP
• DNS
• TFTP
• HTTP
• SFTP
• SNMP
• HTTPS
• FTPS
• SSL and TLS

Transport Layer
• TCP
• UDP

Internet Layer
• IP
  – IPv4 vs. IPv6
• ICMP
• ARP

IPSec

Exam Objectives:
1.4 Implement and use common protocols
1.5 Identify commonly used default network ports

TCP/IP

• Internet Protocol Suite
• A suite of protocols used to communicate between hosts
• Each layer has its own rules and protocols
• The layers only pass information to and from the layer directly above or below it

(Diagram of the four layers, top to bottom: Application Layer, Transport Layer, Internet Layer, Network Access Layer.)

Page 56: Security+ Slides

TCP/IP Layers

Application Layer: Does process-to-process communications across an IP network
Transport Layer: Provides the application layer with session and datagram services, reliability, flow control, and multiplexing. Also called the host-to-host layer
Internet Layer: Responsible for packaging, addressing, and routing IP packets
Network Access Layer: Places and removes packets on the physical network. Also called the Link Layer

TCP/IP Protocol Data Units

Application Layer: Message (the payload)
Transport Layer: Segment
Internet Layer: Datagram
Network Access Layer: Frame

FTP (Application Layer)

• Description
  – File Transfer Protocol
  – Used for remote data access
  – File transfer
    • Client to server
    • Server to client
  – Widely available and widely used
• Security Considerations
  – Provides basic access control with file permissions
  – Not secure – transmissions sent in plain text
    • Credentials can be sniffed and used for MitM or replay

Page 57: Security+ Slides

SSH and SCP (Application Layer)

• SSH Description
  – Secure Shell
  – A tunneling protocol
  – Used alone for remote configuration
  – Adds security to other protocols
• Security Considerations
  – Encrypts transmissions for confidentiality
  – SSH-2 has strong integrity checking
  – Uses PKI for authentication
• Secure Copy (SCP)
  – Used for secure unattended file transfer
  – Uses SSH for authentication and confidentiality

Telnet (Application Layer)

• Description
  – Used for remote access and remote configuration
• Security Considerations
  – No encryption – all communications sent in clear text
  – Do not make Telnet sessions between the internal and external network
  – Disable port 23 if not needed

SMTP

• Description

– Simple Mail Transfer Protocol

– Used for email delivery

– POP and IMAP move mail from server to client

• Security Considerations

– No encryption on its own

• Uses S/MIME and PGP for encryption

– Disable the SMTP open relay feature

DNS

• Description

– Domain Name System/Service

– Used to translate between IP addresses and human-friendly hostnames

• Security Considerations

– Vulnerable to DNS poisoning

– Can be spoofed for phishing

TFTP

• Description

– Trivial File Transfer Protocol

– Can be used to transfer files unattended, without user interaction

• Security Considerations

– No security at all

– No error checking

– Anonymous

– Avoid!

HTTP

• Description

– Hypertext Transfer Protocol

– Rules for viewing text and other media file types on the web

– A web server waits for HTTP requests and responds as they arrive

• Security Considerations

– Header injection

– Man-in-the-Middle

– Eavesdropping
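To make the "header injection" item concrete, here is an added example (not code from the slide deck): a redirect builder that copies a user-supplied path straight into the response headers, beside a hardened version that refuses control characters. The tainted request value, the injected header name and the function names are constructed for illustration.

```python
"""Header injection: a vulnerable redirect builder beside a hardened one.
Added example, not code from the slide deck. The request value, the header
name in the constructed input and the function names are illustrative."""
import re

CRLF = "\r\n"

def build_redirect_vulnerable(location: str) -> str:
    # The 'before' case: user-controlled text is copied straight into the
    # header block. A CR/LF pair inside it ends the Location header early, so
    # whatever follows is parsed by the client as an additional header.
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + location + CRLF
            + CRLF)

_CONTROL = re.compile(r"[\r\n\x00]")

def build_redirect_hardened(location: str) -> str:
    # The 'after' case: refuse (rather than silently strip) any value that
    # carries control characters, so the attempt is visible in error logs.
    if _CONTROL.search(location):
        raise ValueError("refusing to emit a header containing control characters")
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + location + CRLF
            + CRLF)

def parse_headers(raw: str) -> dict:
    # Minimal response parser returning the headers a client would see.
    head = raw.split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

# Constructed input: a "next page" value that smuggles a second header line.
TAINTED = "/home" + CRLF + "X-Injected: 1"

def demo():
    """Returns (headers produced by the vulnerable builder, whether the
    hardened builder rejected the same input)."""
    seen = parse_headers(build_redirect_vulnerable(TAINTED))
    try:
        build_redirect_hardened(TAINTED)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected
```

Rejecting the value is preferable to stripping the CR/LF, because a stripped value still reaches the client silently while a rejected one produces an error that can be logged and alerted on.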

SFTP

• Description

– Secure FTP, or SSH File Transfer Protocol

– Provides remote file transfer, access, and management

• Security Considerations

– Encrypts control info and data with SSH

• Note: Do not confuse with “FTP over SSH”

SNMP

• Description

– Simple Network Management Protocol

– Used for remote management, reporting, and maintenance for IP network devices

– Install agent software on the devices you want to manage

– Use a network management system to manage all the nodes from one place

• Security Considerations

– Brute force attack

– Dictionary attack

– Some versions are vulnerable to sniffing

HTTPS

• Description

– Hypertext Transfer Protocol Secure, or Hypertext Transfer Protocol over SSL

– Used for secure webpages

• Security Considerations

– HTTP over SSL or TLS for encryption

– Can be used for client authentication

• Note: Do not confuse with S-HTTP

– Secure Hypertext Transfer Protocol

– Adds message security with RSA or digital certificates

FTPS

• Description

– FTP Secure, or FTP over SSL

– Used for secure file transfer

• Security Considerations

– Uses TLS/SSL for encryption

– You can turn the encryption off

SSL and TLS

• SSL

– Secure Sockets Layer

– A cryptographic tool

– Widespread implementations

• TLS

– Transport Layer Security

– Newer, based on SSL

• Security Considerations

– Adds confidentiality and data integrity by encapsulating other protocols

– Initiates a stateful session with a handshake procedure

Transport Layer

TCP

• Description

– Transmission Control Protocol

– Provides session service to the application layer

• Security Considerations

– One-to-one, connection oriented

– Error checking

• The packets arrived and are in the correct order

– Vulnerable to:

• TCP/IP hijacking

• TCP sequence number attack

• TCP SYN flood attack

• TCP 3-way Handshake

1. SYN

2. SYN/ACK

3. ACK

Once the handshake completes, the communication session begins

• TCP/IP Hijacking

The attacker disconnects the host after a communication session has begun and replaces it with another machine with the same IP address (spoofed)

• TCP Sequence Number Attack

The attacker takes control of an in-progress communication session by correctly guessing the next sequence number

• TCP SYN flood attack

The attacker half-opens multiple sessions but never completes the handshakes, causing the server to become overloaded

[Figure: repeated SYN → SYN/ACK exchanges in which the final ACK is never sent]
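Added example, not from the slides: a small tracker that follows the three-way handshake per client and counts half-open connections (SYN received, ACK never seen), which is the condition a SYN flood creates on the server. The threshold, the flag strings and the sample trace are constructed; a real implementation would also age out entries.

```python
"""Three-way handshake state tracking with a half-open connection counter,
the metric a SYN flood drives up. Added example, not from the slide deck;
the flags, threshold and sample flow are constructed."""
from collections import defaultdict

HALF_OPEN_LIMIT = 3  # constructed threshold; real stacks size this from the listen backlog

class HandshakeTracker:
    """Tracks per-client handshake state as seen by a listening server."""

    def __init__(self, limit=HALF_OPEN_LIMIT):
        self.limit = limit
        self.state = {}                      # (client, port) -> "SYN_RECEIVED" | "ESTABLISHED"
        self.half_open = defaultdict(int)    # client -> number of SYN_RECEIVED entries
        self.alerts = []

    def observe(self, client, port, flags):
        key = (client, port)
        if flags == "SYN":                            # step 1: client -> server
            self.state[key] = "SYN_RECEIVED"          # server would answer SYN/ACK (step 2)
            self.half_open[client] += 1
            if self.half_open[client] > self.limit:
                self.alerts.append(f"possible SYN flood from {client}")
        elif flags == "ACK" and self.state.get(key) == "SYN_RECEIVED":
            self.state[key] = "ESTABLISHED"           # step 3 completes the handshake
            self.half_open[client] -= 1
        # Any other flag combination is ignored by this simple tracker.

    def established(self):
        return sorted(k for k, v in self.state.items() if v == "ESTABLISHED")

# Constructed trace: one client completes its handshake, another keeps sending
# SYNs from new source ports and never acknowledges.
SAMPLE_FLOW = [
    ("10.0.0.5", 40001, "SYN"), ("10.0.0.5", 40001, "ACK"),
    ("198.51.100.7", 50001, "SYN"), ("198.51.100.7", 50002, "SYN"),
    ("198.51.100.7", 50003, "SYN"), ("198.51.100.7", 50004, "SYN"),
]

def run(flow=SAMPLE_FLOW):
    tracker = HandshakeTracker()
    for client, port, flags in flow:
        tracker.observe(client, port, flags)
    return tracker
```

The per-client count is what the alert keys on; a flood from many spoofed sources would instead show up as the total of all half-open entries, so a production monitor tracks both numbers.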

UDP

• Description

– User Datagram Protocol

– Provides datagram service to the application layer

• Security Considerations

– Connectionless

– Faster than TCP

– No error checking

– Vulnerable to UDP flooding attacks

Internet Layer

IP

• Description

– Internet Protocol

– Used for addressing and routing

• Security Considerations

– Does not verify message accuracy (leaves this to TCP)

IPv4 vs. IPv6

• IPv4

– 32-bit address space

• IPv6

– 128-bit (longer) addresses

– Built-in, mandatory support for IPSec

– New packet format

– More flexible and scalable

Both can be run at the same time, but they are not directly compatible. A conversion gateway is needed

ICMP

• Description

– Internet Control Message Protocol

– Provides reporting and maintenance

– Used to share path information between routers

Example: Use the PING command to test connectivity between hosts

• Security Considerations

– Ping-of-Death

– Smurf attack

ARP

• Description

– Address Resolution Protocol

– Resolves IP addresses (Internet Layer) to the hardware’s network interface addresses (Network Access Layer)

• Security Considerations

– Does not do authentication – relies on higher layer protocols for that

– Vulnerable to ARP spoofing

• Also called ARP cache poisoning
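Added example, not from the slides: the two symptoms of ARP cache poisoning that a defender can watch for in observed ARP traffic, an IP that is suddenly claimed by a different MAC and replies that were never requested. The ARP records and addresses are constructed.

```python
"""Detects ARP cache poisoning symptoms from a sequence of observed ARP
messages. Added example, not from the slide deck; the ARP records are
constructed."""
from dataclasses import dataclass

@dataclass
class ArpMsg:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

def analyze(msgs):
    """Returns (ip -> mac table as a host would learn it, list of alerts)."""
    table = {}
    pending = set()   # IPs asked about by a request that has not been answered yet
    alerts = []
    for m in msgs:
        if m.op == "request":
            pending.add(m.target_ip)
            continue
        # A reply nobody asked for is the classic poisoning delivery method
        # (gratuitous ARP is a legitimate source of false positives here).
        if m.sender_ip in pending:
            pending.discard(m.sender_ip)
        else:
            alerts.append(f"unsolicited ARP reply for {m.sender_ip} from {m.sender_mac}")
        # The same IP answered by a different MAC than before is the second symptom.
        known = table.get(m.sender_ip)
        if known is not None and known != m.sender_mac:
            alerts.append(f"{m.sender_ip} changed from {known} to {m.sender_mac}")
        table[m.sender_ip] = m.sender_mac   # an unprotected cache accepts the new mapping
    return table, alerts

# Constructed trace: a host asks for the gateway, gets the real answer, then a
# second, unsolicited answer for the same IP arrives from another MAC.
SAMPLE = [
    ArpMsg("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpMsg("reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpMsg("reply", "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
]
```

The learned table ends up pointing the gateway IP at the second MAC, which is exactly what a poisoned cache looks like; the alerts are what a monitor should raise before that happens. Pin the mapping for critical hosts (static entries or dynamic ARP inspection on the switch) rather than relying on detection alone.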

TCP/IP Ports to Remember

Find more port information at: www.iana.net

Acronym   Service Name                          Port Number                 TCP   UDP
FTP       File Transfer Protocol                20 – data transfer          x
                                                21 – control
SSH       Secure Shell                          22                          x     x
SCP       Secure Copy                           22                          x     x
TELNET    Telnet                                23                          x
SMTP      Simple Mail Transfer Protocol         25                          x
TFTP      Trivial File Transfer Protocol        69                                x
HTTP      Hypertext Transfer Protocol           80                          x     x
POP3      Post Office Protocol v3               110                         x
SFTP      Secure/SSH File Transfer Protocol     115                         x
NetBIOS   Network Basic Input/Output System     137 – name service          x     x
                                                138 – datagram service
                                                139 – session service
IMAP      Internet Message Access Protocol      143                         x
HTTPS     HTTP Secure                           443                         x
FTPS      FTP Secure                            989 – data transfer         x     x
                                                990 – control
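Added example, not from the slides: a review of constructed connection-log lines against the cleartext services in the port table, flagging Telnet that crosses the internal/external boundary (which the Telnet slide says not to do) and any TFTP use (which the TFTP slide says to avoid) as high severity. The log line format and the internal address range are assumptions.

```python
"""Flags connections to cleartext services using the ports from the table
above. Added example, not from the slide deck; the log lines, their format
(timestamp src -> dst:port proto) and the internal range are constructed."""
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range

# Ports whose protocols the slides describe as sending data in the clear.
CLEARTEXT_PORTS = {
    20: "FTP data", 21: "FTP control", 23: "Telnet", 25: "SMTP",
    69: "TFTP", 80: "HTTP", 110: "POP3", 143: "IMAP",
}

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")

def review(lines):
    """Returns (findings, unparsed). Each finding is a dict with a severity."""
    findings, unparsed = [], []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        ts, src, dst, port, proto = m.groups()
        port = int(port)
        service = CLEARTEXT_PORTS.get(port)
        if service is None:
            continue                              # encrypted or unknown service
        crosses = (ipaddress.ip_address(src) in INTERNAL) != \
                  (ipaddress.ip_address(dst) in INTERNAL)
        # Telnet leaving the internal network and any TFTP use are the cases
        # the slides single out; other cleartext use is still worth a look.
        high = (service == "Telnet" and crosses) or service == "TFTP"
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port,
                         "proto": proto, "service": service,
                         "severity": "high" if high else "medium"})
    return findings, unparsed

# Constructed sample log.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 10.0.1.5 -> 10.0.2.9:22 tcp",
    "2024-01-01T10:00:05 10.0.1.5 -> 203.0.113.20:23 tcp",
    "2024-01-01T10:00:09 10.0.1.8 -> 10.0.2.9:443 tcp",
    "2024-01-01T10:00:12 10.0.1.8 -> 10.0.2.9:69 udp",
    "garbage line",
]
```

Unparsed lines are returned rather than dropped so a format change in the log source does not silently turn off the check.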

IPSec

• IP Security

• Defines a policy but does not dictate the exact implementation

• Options:

– Authentication Header or Encapsulating Security Payload

– Transport Mode or Tunnel Mode

Authentication Header (AH)                                     Encapsulating Security Payload (ESP)
Provides authentication                                        Does authentication and encryption
Digitally signs the packets for authentication and integrity   Adds confidentiality with encryption
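Added example, not from the slides: a toy model of what AH and ESP each give you. AH keeps the payload readable but authenticates header and payload; ESP hides the payload and authenticates the encrypted data. HMAC-SHA256 and a SHA-256-derived keystream stand in for the real IPSec algorithms, and the keys, addresses and messages are constructed.

```python
"""Toy model of IPSec's two protections. AH authenticates the packet (header
and payload) but leaves the payload readable; ESP encrypts the payload and
authenticates the encrypted data. Added example, not from the slide deck:
HMAC-SHA256 stands in for the integrity check, a SHA-256-derived keystream
stands in for ESP's cipher, and the keys are constructed."""
import hashlib
import hmac

AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"

def _keystream(key: bytes, seq: bytes, n: int) -> bytes:
    """Stand-in cipher: expands key||seq into n pseudo-random bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + seq + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- Authentication Header -------------------------------------------------
def ah_protect(ip_header: bytes, payload: bytes, seq: int) -> dict:
    """Authenticates the IP header, the sequence number and the payload;
    nothing is encrypted."""
    seq_b = seq.to_bytes(4, "big")
    icv = hmac.new(AUTH_KEY, ip_header + seq_b + payload, "sha256").digest()
    return {"ip": ip_header, "ah": {"seq": seq_b, "icv": icv}, "payload": payload}

def ah_verify(pkt: dict) -> bool:
    data = pkt["ip"] + pkt["ah"]["seq"] + pkt["payload"]
    expect = hmac.new(AUTH_KEY, data, "sha256").digest()
    return hmac.compare_digest(expect, pkt["ah"]["icv"])

# ---- Encapsulating Security Payload -----------------------------------------
def esp_protect(ip_header: bytes, payload: bytes, seq: int) -> dict:
    """Encrypts the payload, then authenticates the ESP header and ciphertext.
    The outer IP header is not covered, one way AH and ESP differ."""
    seq_b = seq.to_bytes(4, "big")
    ct = _xor(payload, _keystream(ENC_KEY, seq_b, len(payload)))
    icv = hmac.new(AUTH_KEY, seq_b + ct, "sha256").digest()
    return {"ip": ip_header, "esp": {"seq": seq_b, "data": ct, "icv": icv}}

def esp_open(pkt: dict):
    """Returns the plaintext payload, or None if the integrity check fails."""
    e = pkt["esp"]
    expect = hmac.new(AUTH_KEY, e["seq"] + e["data"], "sha256").digest()
    if not hmac.compare_digest(expect, e["icv"]):
        return None
    return _xor(e["data"], _keystream(ENC_KEY, e["seq"], len(e["data"])))

def demo() -> dict:
    hdr, msg = b"10.0.0.1>10.0.0.2", b"GET /payroll"
    ah = ah_protect(hdr, msg, 1)
    tampered = dict(ah, payload=b"GET /public!")
    esp = esp_protect(hdr, msg, 1)
    return {
        "ah_payload_readable": ah["payload"] == msg,      # AH gives no confidentiality
        "ah_verifies": ah_verify(ah),
        "ah_detects_tampering": not ah_verify(tampered),
        "esp_payload_hidden": esp["esp"]["data"] != msg,  # ESP hides the payload
        "esp_decrypts": esp_open(esp) == msg,
    }
```

The integrity check is verified before decryption in `esp_open`, which is the order a real implementation must use so that a forged ciphertext is never fed to the cipher.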

Transport Mode

Encapsulates the IP packet’s payload

Makes a secure connection between two host endpoints

[Figure: packet layout – IP Header (not encrypted) | IPSec Header | Payload; two hosts, one on LAN1 and one on LAN2, connected across the Internet]

Tunnel Mode

Encapsulates the entire IP packet

Makes a secure “hop” between:

– Two IPSec gateways

– A host and a gateway

[Figure: packet layout – IP Header (not encrypted) | IPSec Header | Payload (the entire original IP packet); LAN1 and LAN2 connected across the Internet through the tunnel]

Key Terms You Should Know

Acronym   Term                                Function
FTP       File Transfer Protocol              Used to transfer files from local to remote systems
SSH       Secure Shell                        A more secure alternative to Telnet. Used for remote access and configuration
SCP       Secure Copy                         An unattended file transfer protocol that uses SSH for security
TELNET    Telnet                              An unsecure method to create a terminal connection to remote devices
SMTP      Simple Mail Transfer Protocol       Used to transfer email
TFTP      Trivial File Transfer Protocol      A connectionless and unsecure file transfer protocol
HTTP      Hypertext Transfer Protocol         Used to display multimedia files on the web
SFTP      Secure/SSH File Transfer Protocol   An extension of SSH that offers file transfer functionality
SNMP      Simple Network Management Protocol  Used to manage and report on network devices
HTTPS     HTTP Secure                         Adds SSL/TLS security to the HTTP protocol
FTPS      FTP Secure                          FTP with added SSL/TLS security
SSL       Secure Sockets Layer                The predecessor to TLS
TLS       Transport Layer Security            Provides encryption and authentication to other protocols
TCP       Transmission Control Protocol       Offers reliable, connection-oriented communication
UDP       User Datagram Protocol              Offers fast connectionless datagram communication
IP        Internet Protocol                   Responsible for routing packets across network boundaries
IPv6      Internet Protocol Version 6         Offers longer IP addresses and more security than IPv4
ICMP      Internet Control Message Protocol   Used to send pings and error messages
ARP       Address Resolution Protocol         Resolves IP addresses to network interfaces
IPSec     Internet Protocol Security          An open standard that uses AH and ESP to add security features like authentication, data integrity, and confidentiality

What We Covered

Application Layer

• FTP

• SSH and SCP

• Telnet

• SMTP

• DNS

• TFTP

• HTTP

• SFTP

• SNMP

• HTTPS

• FTPS

• SSL and TLS

Transport Layer

• TCP

• UDP

Internet Layer

• IP

– IPv4 vs. IPv6

• ICMP

• ARP

IPSec

Attacks on Wireless Networks

In This Lesson:

Rogue Access Points

Evil Twin

Wardriving

Warchalking

IV Attack

Packet Sniffing

Attacks on Bluetooth

• Bluejacking

• Bluesnarfing

Interference

Exam Objectives: 3.4 Analyze and differentiate among types of wireless attacks

Rogue Access Points

• A wireless access point that has not been authorized

• With extended access an attacker can:

– Run key cracking software

– Create an evil twin

– Establish a Man-in-the-Middle

Rogue AP Mitigation

• Use an intrusion detection system to report a new AP

• Regularly audit your environment manually to find them

– Have a baseline of all the authorized AP equipment

Evil Twin

• An access point that looks like it is legitimate

– Could use spoofed MAC addresses

• Entices users to connect through it

– Stronger signal

– Friendly name

– Interferes with the signal of the legitimate AP

• Analyzes all transmissions that go through it

Evil Twin Mitigation

• Educate users about bogus APs at “Wi-Fi hotspots”

• Regularly audit your environment manually to find them

Wardriving

Looking for open access points or wireless networks with weak encryption

Driving around with:

• A laptop with a NIC set to promiscuous mode

• Often homemade equipment

• Specialized software

Once a network is found:

• Run sniffers or key cracking programs

• Use it for free internet access

Wardriving Mitigation

• Use wardriving as a tool to find the open APs before the attackers do

• Watch for unfamiliar cars driving or parking near your buildings

• Look for warchalking symbols

• Don’t have open access points!

Warchalking

• Using symbols to mark the location of wireless network access points

• For future personal use or to let other wardrivers know

• Warchalking symbols:

[Figure: three chalk symbols – Open Node (labelled with SSID and bandwidth), WEP Node (labelled with SSID, access contact, bandwidth, and a W), Closed Node (labelled with SSID)]

IV Attack

• Initialization vector

– Supposed to be used to reduce predictability and repeatability of encryption keys

• The IV is vulnerable to attack if it is

– Too short

– Exchanged in cleartext

– Often repeated

• IV attacks are used to crack Wired Equivalent Privacy (WEP)

– WEP’s RC4 keying uses only a 24-bit IV, so IVs repeat

– The attacker’s cracking program examines the repeating IV datastreams to deduce the secret key

[Figure: Key and IV → Keystream; Keystream ⊕ Message → Ciphertext, sent together with the IV]

Packet Sniffing

• Installing a sniffer on a wireless network can happen from outside the walls of your building

What can Eavesdroppers See?

• POP3 email usernames and passwords

• Web-based email messages if no encryption is used

• FTP usernames and passwords and data

• HTTP connections

• Instant messages

Packet Sniffing Mitigation

• Have layers of protection

– Use strong wireless encryption, don’t broadcast the SSID, and other wireless hardening best practices

– Independently secure all services

• Turn on optional encryption

• Use VPNs

• Don’t use unsecure protocols

• Use sniffers and other network monitoring tools

Attacks on Bluetooth

• Bluejacking

– Unsolicited messages over Bluetooth (Bluetooth spam)

– Can happen when Bluetooth on a device is set to discoverable

• Bluesnarfing

– Unauthorized access to a device through Bluetooth

– Theft of:

• Contact lists, calendar info, email, texts, images, or video

Bluetooth Attack Mitigation

• Turn Bluetooth off when not in use

• When Bluetooth is turned on make sure it is not discoverable

• Disable Bluetooth on devices that are known to be vulnerable to bluesnarfing

Interference

• Wireless signals can be corrupted or interfered with

• To do this on purpose is illegal in the US

• There are numerous devices that can cause interference

• Spectrum analyzers are available to see if an attacker (or your own equipment) is interfering with your wireless network

Dealing with Wireless Interference

• Move your access point

• Change the frequency of the access point

• Boost the access point’s signal

• Find the source of the interference

• Notify law enforcement if the interference is intentional

Key Terms You Should Know

Term                  Definition
Rogue Access Points   An unauthorized access point to your wireless network
Evil Twin             An access point that entices users to connect through it by spoofing a legitimate device or offering exceptional signal strength
Wardriving            Trying to discover unprotected or lightly protected wireless networks to use for free or attack
Warchalking           Using symbols to share knowledge about the location and details of access points
IV Attack             Using initialization vectors that are passed in cleartext to crack weak encryption like WEP
Packet Sniffing       Passively analyzing the communications across a network
Bluejacking           Unwanted spam messages sent over Bluetooth
Bluesnarfing          Unauthorized access and theft of data over Bluetooth
Interference          Degrading or completely jamming wireless signals

What We Covered

Rogue Access Points

Evil Twin

Wardriving

Warchalking

IV Attack

Packet Sniffing

Attacks on Bluetooth

• Bluejacking

• Bluesnarfing

Interference

Securing Wireless Networks

In This Lesson:

WEP

WPA and WPA2

TKIP

CCMP

WAP

EAP, LEAP, and PEAP

Securing Wireless Routers and Access Points

• SSID Broadcast

• MAC Filter

• Antenna Placement and Power Level Controls

Exam Objectives: 1.6 Implement wireless networks in a secure manner

IEEE 802.11x Wireless Standards

Standard   Bandwidth      Frequency          Compatibility
802.11     1 or 2 Mbps    2.4GHz             802.11
802.11a    < 54Mbps       5GHz               802.11a
802.11b    < 11Mbps       2.4GHz             802.11b
802.11g    < 54Mbps       2.4GHz             802.11g/b
802.11n    < 600Mbps      2.4GHz and 5GHz    802.11n/g/b
802.11i    A security amendment that outlines WPA2

For more information: www.standards.ieee.org

WEP

• Wired Equivalent Privacy

• An older, weak 802.11 wireless encryption protocol for WLANs

– Uses the RC4 stream cipher encryption algorithm

– Attempts to do confidentiality and authentication

– Uses a checksum for some integrity

• Vulnerable to IV attacks

– Can be cracked in a few minutes with easily obtainable software

WEP Best Practices

• Only use WEP if newer protocols are not supported

• Place a WEP access point outside your firewall and then VPN in

WEP Authentication

• The access points and clients must share a secret key

• Open Authentication

– Knowing the SSID is the only thing clients need to associate with the AP

– The WEP keys can still be used to encrypt data

• Clients need to have the WEP key in this case

• Shared Key Authentication

– Uses a 4-step challenge-response handshake

– Attackers can figure out the key from this handshake

Shared key handshake:

1. Authentication Request

2. Cleartext Challenge

3. Client encrypts the cleartext challenge with the WEP key and sends back the ciphertext

4. AP decrypts it and matches the text to the original, then sends a Positive Reply
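Added example, not from the slides, covering both the IV attack slide of the previous lesson and the shared-key handshake above. A SHA-256-based keystream stands in for RC4 while the page's own IV size (24 bits) is kept. It shows (1) the birthday bound for a repeated 24-bit IV and that two packets encrypted under the same key and IV leak the XOR of their plaintexts, and (2) the four-step handshake, in which the cleartext challenge and its ciphertext reveal that IV's keystream to anyone listening, which is why the slide says attackers can work the key out from it. Keys, IVs and messages are constructed.

```python
"""Two WEP weaknesses modelled on a toy stream cipher: (1) a 24-bit IV sent in
the clear repeats quickly, and keystream reuse leaks the XOR of two messages
(IV attack); (2) the shared-key handshake hands a passive listener a
plaintext/ciphertext pair, i.e. the keystream for that IV. Added example, not
from the slide deck. SHA-256 stands in for RC4; keys, IVs, messages are constructed."""
import hashlib
import math

IV_BITS = 24

def keystream(key: bytes, iv: int, n: int) -> bytes:
    """Toy keystream, a stand-in for RC4(key || IV): same key+IV, same bytes."""
    seed = key + iv.to_bytes(IV_BITS // 8, "big")
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(2, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: int, msg: bytes):
    """WEP-style: ciphertext = msg XOR keystream; the IV travels in cleartext."""
    return iv, xor(msg, keystream(key, iv, len(msg)))

# ---- (1) IV attack: why 24 bits is too short ---------------------------------
def packets_for_iv_repeat(iv_bits=IV_BITS, probability=0.5) -> int:
    """Birthday bound: packets after which a repeated IV is expected with the
    given probability when IVs are picked at random."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))

def reuse_leaks_plaintext_xor(key, iv1, iv2, m1, m2) -> bool:
    """True when c1 XOR c2 == m1 XOR m2, i.e. the keystream cancelled out.
    Expected True only when iv1 == iv2."""
    _, c1 = wep_encrypt(key, iv1, m1)
    _, c2 = wep_encrypt(key, iv2, m2)
    return xor(c1, c2) == xor(m1, m2)

# ---- (2) Shared-key authentication handshake ---------------------------------
def shared_key_handshake(key, challenge, iv, listener) -> bool:
    """Runs the four steps; `listener` records everything sent over the air."""
    listener.append(("1", "Authentication Request"))
    listener.append(("2", challenge))                     # cleartext challenge
    _, response = wep_encrypt(key, iv, challenge)         # client encrypts it
    listener.append(("3", (iv, response)))
    ok = xor(response, keystream(key, iv, len(challenge))) == challenge  # AP checks
    listener.append(("4", "Positive Reply" if ok else "Failure"))
    return ok

def keystream_seen_by_listener(listener):
    """Challenge (step 2) XOR response (step 3) is the keystream for that IV,
    and nothing in the exchange was secret except the key itself."""
    challenge = listener[1][1]
    iv, response = listener[2][1]
    return iv, xor(challenge, response)
```

The birthday figure is a few thousand packets, i.e. seconds on a busy network, which is the whole reason CCMP moved to a 48-bit IV and a per-packet key; the handshake result is why shared-key authentication is worse than open authentication with encryption.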

WPA and WPA2

• Wi-Fi Protected Access

• More secure than WEP alone

• Based on the 802.11i standard

WPA                                       WPA2
Does most of the 802.11i standard         Full implementation of 802.11i
TKIP used for extra encryption layer      CCMP used for extra security
RC4 encryption algorithm still used       Uses the AES encryption algorithm
Backward compatible with WEP              Not backward compatible with WEP

TKIP

• Temporal Key Integrity Protocol

• Wraps a 128-bit layer of encryption around WEP

• Uses a second key based on the MAC address of the mach
ine and the serial number of the packet

• Mixes this additional key with the initialization vector for a per-packet key

• Is backward compatible with WEP

• Unfortunately TKIP is also quickly crackable

CCMP

• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

• Used by WPA2

• 128-bit AES encryption

• 48-bit initialization vector

• Much reduced vulnerability to cracking and replay attacks

• Offers real confidentiality, authentication, and integrity

• Use WPA2 and CCMP!

WAP

• Wireless Application Protocol

• Used to provide mobile devices (phones, tablets) with an internet connection

• Equivalent to TCP/IP for wireless devices

• Wireless Transport Layer Security (WTLS)

– Provides authentication, encryption, and data integrity

– Secures the communication between the WAP mobile device and the WAP server

– Similar to TLS

EAP, PEAP, and LEAP

• Extensible Authentication Protocol

• A set of authentication frameworks for wireless networks

• LEAP and PEAP are types of EAP

Lightweight Extensible Authentication Protocol (LEAP)

• Created by Cisco – did not have Windows support

• Requires mutual authentication

• Easy to set up – no digital certificates

• Weak

– Passwords only, no digital certificates

– Vulnerable to dictionary attacks

– Cleartext transmissions

Protected Extensible Authentication Protocol (PEAP)

• Replaces LEAP

• Created by Cisco, Microsoft, and RSA together

• One digital certificate is used on the authentication server

• The authentication process is encrypted within a TLS tunnel between the client and the server


Securing Wireless Routers and Access Points

Securing Wireless Routers and Access Points Best Practices

• Change the default admin account and password

• Change the SSID and turn off SSID broadcast

• Consider using MAC filtering

• Work with antenna placement and power level controls

• Configure the strongest encryption and authentication available

• Change keys and passwords often

• Keep your firmware patched and up-to-date

• Only use wireless when absolutely necessary and for users that absolutely need it

• Use additional layers of security like pre-authentication, IPSec tunneling, network separation, and host security

Change the SSID and Turn off SSID Broadcast

• SSID

– Service Set Identifier

– Name of the wireless LAN

• Change the default SSID

– Something unique

– No identifiable information in the name

• Hide the SSID from being broadcast

– This keeps honest people honest

– Security through obscurity

– The SSID can still be sniffed

Consider Using MAC Filtering

• A list of MAC addresses for known trusted devices

– The 48-bit unique identifier for the network interface on a physical device

• Only those on the list can connect to the network

• You can blacklist certain MAC addresses too

• Requires manual administration

– Need to update the list for new or guest devices

– Not recommended for larger environments

• MAC addresses can easily be spoofed

– Only use as one layer of protection

Work with Antenna Placement and Power Level Controls

• Antenna Placement

– Not near outside walls or windows

– Not near other networks

– Find and avoid obstructions and interference

– Consider multiple access points on different channels

– Some antennas allow you to change the direction they point

• Power Level Controls

– Turn the power as low as possible while still covering your users

– Might need to play with this to get it perfect

Key Terms You Should Know

Wired Equivalent Privacy (WEP) – A weak protocol used for encryption on 802.11 WLANs

Wi-Fi Protected Access (WPA) – A weak wireless protocol that uses RC4 with TKIP

Wi-Fi Protected Access 2 (WPA2) – The 802.11i standard. WPA2 is a more secure wireless protocol that uses AES encryption with CCMP

Temporal Key Integrity Protocol (TKIP) – An extra layer of encryption for WEP that uses a new keyspace for every packet

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) – Encryption and authentication used by WPA2 that provides confidentiality, authentication, and integrity

Wireless Application Protocol (WAP) – The protocol stack used by wireless devices. Security is done by WTLS

Extensible Authentication Protocol (EAP) – A set of 5 authentication frameworks for wireless networks

Lightweight Extensible Authentication Protocol (LEAP) – An easy-to-set-up version of EAP that uses passwords for authentication

Protected Extensible Authentication Protocol (PEAP) – A version of EAP that uses digital certificates

Service Set Identifier (SSID) – The name of the wireless network

What We Covered

WEP

WPA and WPA2

TKIP

CCMP

WAP

EAP, LEAP, and PEAP

Securing Wireless Routers and Access Points

• SSID Broadcast

• MAC Filter

• Antenna Placement and Power Level Controls

Host Security

In This Lesson:

Securing Workstations

• Antimalware

• Host-based Firewalls

• Updates and Patch Management

• Disabling Unused Services

• Users and Accounts

• Virtualization

• Host Software Baselining

Securing Servers

Securing Mobile Devices

Exam Objectives: 4.2 Carry out appropriate procedures to establish host security

Securing Workstations

Antimalware

• Antivirus and antispyware

– Software that is designed to identify, prevent, and remove/quarantine malicious code

– Antispyware is often included with antivirus

– Study and understand your tool’s licensing

• Methods

– Known virus/spyware signatures

– Behavior based

– Real time prevention that monitors all incoming files

– Full scans look for malware that has already been installed

Antivirus and Antispyware Best Practices

• A trustworthy tool should be installed on every workstation

• Choose a tool that does real time monitoring

• Configure the software to automatically update

• Schedule full scans to run on a regular basis

• Educate your users on how to interact with prompts from your antimalware software

• Antispam

– Determines if a message is likely to be spam and then labels, quarantines, or blocks it

• Blacklist

• Rule-based

• Bayesian

– Host-based

• Integrated with your email client

• Part of a complete antimalware package

– Not often a host-based solution

• Done by your email system, a third party service, or an appliance
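Added example, not from the slides: a small Bayesian spam filter of the kind listed above beside blacklist and rule-based filtering. It is trained on constructed messages, uses Laplace smoothing so a word seen in only one class does not force a zero probability, and combines evidence in log space so long messages do not underflow. The training data and the decision threshold are constructed.

```python
"""A tiny Bayesian spam filter. Added example, not from the slide deck; the
training messages, the tokenizer and the 0.9 threshold are constructed."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$!]+")

def tokens(text: str):
    return TOKEN.findall(text.lower())

class BayesFilter:
    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.spam_msgs = self.ham_msgs = 0

    def train(self, text: str, is_spam: bool):
        words = set(tokens(text))            # count each word once per message
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words): class prior times per-word likelihoods with
        Laplace smoothing, combined in log space and normalised."""
        vocab = set(self.spam_words) | set(self.ham_words)
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)
        log_ham = math.log(self.ham_msgs / total)
        for w in set(tokens(text)):
            if w not in vocab:
                continue                     # a never-seen word carries no evidence
            log_spam += math.log((self.spam_words[w] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_words[w] + 1) / (self.ham_msgs + 2))
        m = max(log_spam, log_ham)           # shift before exp to avoid underflow
        ps, ph = math.exp(log_spam - m), math.exp(log_ham - m)
        return ps / (ps + ph)

    def classify(self, text: str, threshold: float = 0.9):
        p = self.spam_probability(text)
        return ("spam" if p >= threshold else "ham"), p

# Constructed training set; a real filter learns from user-labelled mail.
TRAINING = [
    ("win a free prize now claim your reward", True),
    ("free money guaranteed click now", True),
    ("limited offer buy cheap pills now", True),
    ("meeting moved to tuesday please confirm", False),
    ("attached is the quarterly report for review", False),
    ("can you review the patch before the release", False),
]

def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f
```

The high threshold reflects the usual trade-off: a missed spam is a nuisance, a quarantined legitimate message is a lost message, so the filter should only act when it is confident.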

• Pop-up Blockers

– Block pop-up windows from appearing over or under your browser window

– Built into your browser

• Configure it to be off for any work-related website that uses legitimate pop-ups

• Have the blocker turned on for every other website

– Configure pop-up blockers and other browser-based tools for every workstation

• Content inspection

• URL filtering

Host-based Firewalls

• Filters all incoming traffic

• Should be on every workstation, especially mobile computers

• There are free firewalls included with current operating systems

• Customized protection

– Applications installed

– Configurations

• Protects the workstation from other users on the same network

Host-based Firewall Best Practices

• Keep it turned on and configured on every workstation

• Set the firewall to automatically update

• Configure according to the needs of the machine and its user

• Educate your users on how to interact with prompts from the firewall

• Remember to turn the firewall back on if you turned it off during troubleshooting

• Consider using with a host-based IDS system

Updates and Patch Management

• Patches

– A quick fix that is not meant to be permanent

– A full update or new software version will fully fix the issue

• Hotfixes

– A bug fix or other change without disrupting normal operation

• Service Packs/Support Packs

– A group of many different fixes

– Can add functionality

Consider update automation tools

Update Best Practices

• Configure the OS to update automatically

• Keep informed so you can install non-automatic updates

• Perform a backup before installing any updates

• Document updates performed

Patch management cycle: Plan → Test → Install → Audit → Document

Disabling Unused Services

• Shrink the attack surface!

• Remove/Disable Unneeded

– Applications

– Programs

– Ports

– Services

• Do not permit users to install applications that are not needed for their job

Users and Accounts

• User accounts

– Not also the workstation’s admin

– No registry access

– Remove unused local accounts

• Least privilege for users’ access to resources and data

• Strong policies

– Passwords

– Acceptable use

• Educate your users

Virtualization

[Figure: virtual workstations/servers running on a hypervisor, which runs on a physical host connected to physical networking devices]

• Do provide the same security as you do for physical hosts

• Single point of failure

• Single point of attack

Host Software Baselining

• A standardized minimal level of security that all hosts must comply with

– Services and applications installed / disabled

– Security updates applied

– Firewall and antimalware configured

• Document each system after it is hardened and meets the baseline

• Frequently compare workstations to this documented baseline state to see if they still comply

– Use configuration automation tools

• Update your baseline when changes are made
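Added example, not from the slides: a comparison of a host snapshot against a documented baseline that reports drift in services, updates, firewall and antimalware settings, the check the bullets above describe. The baseline, the snapshots and the update identifiers are constructed placeholders; a real tool would collect the snapshot from the operating system.

```python
"""Compares a collected host state against a documented baseline and reports
drift. Added example, not from the slide deck; the baseline, the host
snapshots and the "KB-000x" update identifiers are constructed placeholders."""

BASELINE = {
    "services_enabled": {"sshd", "ntpd"},
    "services_disabled": {"telnetd", "tftpd"},
    "patches": {"KB-0001", "KB-0002"},            # placeholder identifiers
    "firewall": {"enabled": True, "default_inbound": "deny"},
    "antimalware": {"installed": True, "realtime": True},
}

def compare(baseline: dict, host: dict) -> list:
    """Returns (severity, finding) tuples; an empty list means compliant."""
    findings = []
    for svc in sorted(baseline["services_enabled"] - host["services_enabled"]):
        findings.append(("medium", f"required service not running: {svc}"))
    for svc in sorted(baseline["services_disabled"] & host["services_enabled"]):
        findings.append(("high", f"service that must stay disabled is running: {svc}"))
    for p in sorted(baseline["patches"] - host["patches"]):
        findings.append(("high", f"missing security update: {p}"))
    for key, want in baseline["firewall"].items():
        got = host["firewall"].get(key)
        if got != want:
            findings.append(("high", f"firewall {key}={got!r}, baseline {want!r}"))
    for key, want in baseline["antimalware"].items():
        got = host["antimalware"].get(key)
        if got != want:
            findings.append(("medium", f"antimalware {key}={got!r}, baseline {want!r}"))
    return findings

def is_compliant(baseline: dict, host: dict) -> bool:
    return not compare(baseline, host)

# Constructed snapshots: one workstation has drifted, one still complies
# (extra patches beyond the baseline are fine and are not flagged).
DRIFTED_HOST = {
    "services_enabled": {"sshd", "telnetd"},
    "patches": {"KB-0001"},
    "firewall": {"enabled": False, "default_inbound": "deny"},
    "antimalware": {"installed": True, "realtime": True},
}
COMPLIANT_HOST = {
    "services_enabled": {"sshd", "ntpd"},
    "patches": {"KB-0001", "KB-0002", "KB-0003"},
    "firewall": {"enabled": True, "default_inbound": "deny"},
    "antimalware": {"installed": True, "realtime": True},
}
```

Keeping the baseline as data rather than code is what makes the last bullet workable: when an approved change lands, the baseline record is updated and every later comparison picks it up.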

Securing Servers


• Everything from the workstation security section

–Disable unused services, ports, and applications

–Have antimalware and a host based firewall

–Create and maintain security baselines

• Consider the server’s purpose when designing security

– Intrusion protection system

• Administrator accounts

–Have super strong passwords

–Are only known by people who need them

–Never log on with admin/service account when not doing administration tasks

Securing Servers


Securing Mobile Devices


• Strong Passwords

–A thief with your device has unlimited time to try a brute force attack

–A long string of letters, numbers, special characters, and no real words

• Screen Lock

–When a device is inactive for a short time the screen times out and will not display again until a password is entered

Securing Mobile Devices


• Device Encryption

–A stolen device is worthless to the thief if it is encrypted

–Not accessible without a password

–The stronger the encryption, the more the performance is affected

–Choose a tool that meets your needs

• Which platforms

• Key management

• Cost

• Voice Encryption

–Encrypts the communications of mobile phones

–Will affect the performance and battery life of your device

Securing Mobile Devices


• GPS Tracking

– If a device has GPS functionality (enabled) you can use it to find a lost device

–The device needs a GPS tracking app installed and configured

• Remote Wipe/Sanitation

–Offers the ability to erase the device if it has been lost or stolen

–A device with a remote wipe tool configured can be sanitized from a web browser or management console

–An added feature to messaging solutions

• Microsoft Exchange

• Google Apps for Business

Securing Mobile Devices


• Mobile devices should be treated as an entrance point for malware and attacks

• Avoid mobile devices connecting to the LAN

–Any connections need to be filtered

• Educate users

–Vulnerabilities of mobile devices

–Keeping personal and company data separate

Securing Mobile Devices

Key Terms You Should Know

Antimalware: Software that prevents, detects, quarantines, and removes malware from the system it is protecting. This includes antivirus, antispyware, and antispam software

Antivirus: A type of antimalware that prevents, detects, quarantines, and removes viruses, trojans and other malicious code from the system it is protecting

Antispyware: A type of antimalware that prevents, detects, quarantines, and removes spyware from the system it is protecting

Antispam: Uses different methods to filter incoming messages and label, quarantine, or block those that appear to be spam

Baselining: Matching systems to a minimum standard of security actions and configurations and making sure those systems stay compliant


What We Covered

Securing Workstations

• Antimalware

• Host-based Firewalls

• Updates and Patch Management

• Disabling Unused Services

• Users and Accounts

• Virtualization

• Host Software Baselining

Securing Servers

Securing Mobile Devices


CompTIA Security+ Training Instructor: Lisa Szpunar

Securing Applications


In This Lesson:

Application Attacks and Vulnerabilities

Cookies

Session Hijacking

Header Manipulation

Cross-site Scripting

Cross-site Request Forgery

Injection Attacks

Buffer Overflow

Java Applets and JavaScript

ActiveX Controls

Malicious Add-ons

Attachments

Zero Day Exploits

In This Lesson (continued):

Application Security

Secure Coding Concepts

Fuzzing

Application Hardening

• Patch Management

• Configuration Baseline

Exam Objectives:

3.5 Analyze and differentiate among types of application attacks

4.1 Explain the importance of application security


Application Attacks and Vulnerabilities


• Little text files that contain information about you

• Created by websites that you visit and stored locally on your machine

• Used for

–Session IDs

–Browsing or shopping history

–Shopping cart contents

–Personal information or preferences

• A stolen cookie is stolen information

–A privacy concern

–A security issue

• Browser settings can disallow cookies from first or third parties

• Browser add-ons can manage on a cookie-by-cookie basis

Cookies


• A session token can be stolen (or guessed) and then replayed

–Often a cookie

• Used to carry out MitM and replay attacks

• A sniffer can capture session information

• Cross-site scripting can steal cookies

Session Hijacking

Session Hijacking Prevention

•Log out of all websites while not using them

•Do not allow persistent login cookies

•Encrypt sessions when possible

•Web server requires secondary authentication or re-authentication for performing critical functions


• Changes values in HTTP headers

– In an HTTP request

– Forced into an HTTP response

• Used to carry out other attacks and spoofs

–Cache-poisoning, cross-site request forgery, etc…

• There are tools available to easily manipulate headers

Header Manipulation


• Exploits the trust a user has for a specific website

–The website must be vulnerable to XSS attacks

• Tricking a user into running a malicious script on their machine

–Victim must click on the attacker's URL or open the attacker's message

• Sends the victim to the XSS vulnerable site

• Runs a script in the victim's browser

– The script runs at the permission level of the victim

–Malicious script steals session cookies or other information and sends it back to the attacker

Cross-site Scripting (XSS)


• Reflected XSS (Non-persistent)

–URL for the attack is sent to the victim in an email or other message

–URL points to a trusted (XSS vulnerable) website but also contains the malicious code

• Stored XSS (Persistent)

–Malicious code is stored on the server and displayed on social networking or other website

–A greater number of victims will click on it

Cross-site Scripting (XSS)


Cross-site Scripting (XSS)

Cross-site Scripting Prevention

•Client Side

–Disable script running

– Log out of all websites while not using them

– Do not use “remember me” or allow browsers to store login credentials

– Patch management of browsers and applications

– User education: don't click links in emails

•Server Side

– Secure coding and testing of webpages

• Input sanitation
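The server-side fix named above, input sanitation, as an added Python example (not code from the course). A search page reflects the `q` query parameter back into the HTML: `render_unsafe` is the defective pattern that echoes the raw input, and `render_safe` escapes every character that has meaning in HTML before it reaches the page, so the same input is shown as text rather than interpreted as a script. The page template and the sample query string are constructed.

```python
"""Reflected XSS: unsanitized echo of user input versus escaped output.

Added example, not from the course slides. `render_unsafe` is the vulnerable
pattern (page built by string formatting from a query parameter);
`render_safe` is the hardened form. The template and the sample query string
are constructed.
"""
import html
from urllib.parse import parse_qs

PAGE_TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def query_from_url(query_string: str) -> str:
    """Extract the 'q' parameter from a raw query string (empty if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query: str) -> str:
    """Vulnerable: user input is dropped straight into the HTML document."""
    return PAGE_TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """Hardened: every character with HTML meaning is escaped before output."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def contains_raw_markup(page: str, untrusted: str) -> bool:
    """Detection check: does the untrusted string appear in the page unescaped?"""
    return untrusted in page and any(c in untrusted for c in "<>\"'")


# Constructed query string of the kind a reflected-XSS link would carry
# (URL-encoded form of a harmless script tag).
SAMPLE_QUERY_STRING = "q=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"

if __name__ == "__main__":
    q = query_from_url(SAMPLE_QUERY_STRING)
    print("unsafe:", render_unsafe(q))
    print("safe:  ", render_safe(q))
```

Escaping at the point of output is what makes the site "not vulnerable to XSS" in the sense used above: the script text still arrives in the URL, but the browser receives `&lt;script&gt;` and renders it as literal characters.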


• Exploits the trust that a website has for a user's browser

• Requests are sent to the web server from a trusted user that were not authorized by the user (victim)

• Victim must have an open session or unexpired cookie with the target website at the time of attack

• Attack is initiated when the victim clicks on or opens something from the attacker

–URL links in social networking or email

– Image tags

Cross-site Request Forgery (XSRF or CSRF)


• Attacker targets forms or other actions on the website

–Must know exactly what info the website will ask for

• Attack may:

–Change email address and password to hijack the account

–Take screenshots of personal information

–Transfer money

Cross-site Request Forgery (XSRF or CSRF)

Cross-site Request Forgery Prevention

•Client Side

– Disallow social networking website access

– Log out of all websites while not using them

– Do not use "remember me"

•Server Side

– Header checking
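The server-side "header checking" defence above, as an added Python example (not code from the course). For state-changing requests the server requires the browser-supplied `Origin` header (or, failing that, the origin part of `Referer`) to match the site's own origin; a request that carries the victim's session cookie but originates from another site, or carries no verifiable origin at all, is rejected. `SITE_ORIGIN` and the sample requests are constructed.

```python
"""Server-side CSRF check based on the Origin / Referer request headers.

Added example, not from the course slides. The sample requests are
constructed; `SITE_ORIGIN` is an assumed origin for the protected site.
"""
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"          # assumed origin of the protected app
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def request_origin(headers: dict) -> Optional[str]:
    """Return the scheme://host[:port] the browser says the request came from.

    Browsers send Origin on cross-site form posts; fall back to Referer, which
    some older browsers send instead. Header names match case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin and origin != "null":
        return origin
    referer = lowered.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_request_allowed(method: str, headers: dict) -> bool:
    """Allow safe methods; for state-changing ones require a matching origin."""
    if method.upper() not in STATE_CHANGING:
        return True
    origin = request_origin(headers)
    # Fail closed: no verifiable origin is treated the same as a foreign one.
    return origin is not None and origin.lower() == SITE_ORIGIN


# Constructed sample requests (method, headers). All carry the same session cookie,
# which is exactly why the cookie alone cannot tell a forged request from a real one.
LEGIT_TRANSFER = ("POST", {"Host": "bank.example", "Origin": "https://bank.example",
                           "Cookie": "session=abc123"})
FORGED_TRANSFER = ("POST", {"Host": "bank.example", "Origin": "https://evil.example",
                            "Cookie": "session=abc123"})
NO_ORIGIN_TRANSFER = ("POST", {"Host": "bank.example", "Cookie": "session=abc123"})
REFERER_ONLY = ("POST", {"Host": "bank.example", "Referer": "https://bank.example/transfer",
                         "Cookie": "session=abc123"})
PAGE_VIEW = ("GET", {"Host": "bank.example", "Cookie": "session=abc123"})

if __name__ == "__main__":
    for method, headers in (LEGIT_TRANSFER, FORGED_TRANSFER, NO_ORIGIN_TRANSFER,
                            REFERER_ONLY, PAGE_VIEW):
        verdict = "allow" if is_request_allowed(method, headers) else "reject"
        print(f"{method:5} origin={request_origin(headers)!s:24} -> {verdict}")
```

Header checking is usually paired with a per-session anti-forgery token embedded in each form, since a proxy or privacy extension may strip `Referer`; the check above already fails closed in that case rather than letting the request through.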


Cross-site Scripting vs. Request Forgery

(Figure: cross-site scripting sequence)

1. Attacker finds an XSS vulnerable site: a website that dynamically creates pages using unsanitized user input

2. Attacker sends a URL to the victim for that site with the malicious script inside

3. Victim clicks on the link to visit the site

4. The site echoes back the malicious script

5. The script runs, stealing the victim's cookie


Cross-site Scripting vs. Request Forgery

(Figure: cross-site request forgery sequence)

1. Attacker uses social engineering (for example on a social networking site) to get the victim to click on a link that contains the attack

2. The attack uses an unexpired session ID on the victim's computer to interact with the web server

3. The web server processes the forged request as usual

Injection Attacks

When user-supplied data is used to dynamically create commands without validation and sanitation, injection attacks can occur.

SQL Injection (also called SQL Insertion or SQLi): Entering malicious text/commands either along with or instead of the expected user input to manipulate the database or return unauthorized information

LDAP Injection (Lightweight Directory Access Protocol Injection): Exploiting a weak LDAP instance by entering unexpected user input that executes commands, returns unauthorized data, or modifies content

XML Injection (also called XPath Injection): Using XPath to exploit XML vulnerabilities and return data that was not intended or expected by the data owner

Command Injection (also called Code Injection): Inserting commands into an application through user input. Used in Directory Traversal and other attacks against both the server and the client


• Secure coding practices

–Proper type assignment for variables and parameters

– Input validation / filtering / sanitation

• Validate all user input to make sure it is exactly what is expected

• Filter out all commands, escape characters, null, and parameters of the wrong type

• Vulnerability scanning and fuzzing

• Patch management

Preventing Injection Attacks


• More data is sent to an application than it can process or store in the buffer

– Junk data

–Malicious commands

• Results:

–Application crash

–Good data overwritten

–Executing code with escalated privileges

–Changes in application behavior

Buffer Overflow

Buffer Overflow Attack

Prevention

•Patch management

•Vulnerability testing

•Secure coding practices and testing


• Java Applets

–Run in a virtual machine/sandbox on the client

–Applets can get outside a flawed Java virtual machine (JVM)

–Only run Java Applets from tested and trusted websites and vendors

• JavaScript

–Executable and potentially dangerous

–Browsers do have built-in policies for what JavaScript is allowed to do

–Tools available to help control which JavaScripts are allowed

• Security Zones in Internet Explorer

• NoScript Firefox plug-in (advanced users)

Java Applets and JavaScript


• Microsoft's version of applets

• Stored and run directly on the local machine – not in a sandbox

• Runs with the permission level of the logged in user

• Should be digitally signed (Authenticode)

–You know who the author is

–You know it has not been tampered with

–Do not allow unsigned ActiveX controls

• Even signed ActiveX have been known to have security holes

• Keep browser prompts on for ActiveX downloading and running in all IE Security Zones

• Educate your users about ActiveX browser prompts

ActiveX Controls


• Browser add-ons can be a good thing

–Add functionality to your browser

• Many add-ons are not authored by the browser creator

–Anyone can download the SDK and create an add-on

• Browser creators do attempt to keep malware out of add-ons

• Research and test an add-on before using it in your production environment

Malicious Add-ons


• Security Zones

• Protected Mode

• InPrivate Browsing

• Tracking Protection

• ActiveX Filtering

• Cross-site Scripting Filter

Internet Explorer Security Settings Demonstration


• Email attachments are a security threat

• A very common attack vector

• Could contain virus, worms, trojans, or other malware

• May be part of phishing or social engineering attacks

Attachments

Preventing Attacks

Through Attachments

•Do not allow script or executable attachments

•Consider disallowing all attachments

•User education – do not open attachments unless you were expecting that attachment from someone you know

•Run all attachments through an antivirus scanner


• Attackers taking advantage of a new found vulnerability before the developer can release a patch

• Often happens before you realize it

• If known, turn off that application or service until a patch is released

• Your other layers of security can help mitigate these attacks

Zero Day Exploits

Application Security


• Error and exception handling

–An exception is an error that the programmer did not foresee

–Explicitly program what should happen in all possible cases

• Including a catch-all general case

–Program in “human” error messages so that any compiler errors or codes are not displayed to the end-user

• Gives away too much information

• Input validation

–Ensure that all user-supplied input is exactly what is expected and all other characters are not allowed

Secure Coding Concepts
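The two secure coding concepts above, error and exception handling and input validation, as an added Python example (not code from the course). `parse_transfer` checks every field against exactly what is expected and raises `ValueError` for the cases the programmer foresaw; `handle_transfer` turns those into a human-readable 400 message, and its catch-all turns anything unforeseen into a generic 500 message while the full detail goes to an internal log the end user never sees. The request handler, the ledger and the account-number format are constructed.

```python
"""Secure error handling: explicit validation, a catch-all, and human-readable messages.

Added example, not from the course slides. `handle_transfer` is a toy request
handler; the ledger, the account-number format and the sample requests are
constructed. An unknown destination account triggers an exception the
validation did not foresee, which is what the catch-all is for.
"""
import logging
import re
from decimal import Decimal, InvalidOperation

log = logging.getLogger("app")          # internal detail goes here, never to the user
_records = []                           # in-memory capture of what was logged


class _ListHandler(logging.Handler):
    def emit(self, record):
        _records.append(self.format(record))   # default formatter appends the traceback


log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)

ACCOUNT_RE = re.compile(r"^acct-[0-9]{4}$")
LEDGER = {"acct-0001": Decimal("100.00"), "acct-0002": Decimal("5.00")}


def parse_transfer(request: dict) -> tuple:
    """Validate every field against exactly what is expected; raise ValueError otherwise."""
    src = request.get("from", "")
    dst = request.get("to", "")
    if not ACCOUNT_RE.fullmatch(src) or not ACCOUNT_RE.fullmatch(dst):
        raise ValueError("account numbers must look like acct-0000")
    try:
        amount = Decimal(str(request.get("amount", "")))
    except InvalidOperation:
        raise ValueError("amount must be a decimal number") from None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("amount must be positive with at most two decimal places")
    return src, dst, amount


def handle_transfer(request: dict) -> dict:
    """Return an HTTP-style response whose message never exposes internals."""
    try:
        src, dst, amount = parse_transfer(request)
        new_src = LEDGER[src] - amount
        new_dst = LEDGER[dst] + amount       # KeyError for an unknown account: not foreseen above
        if new_src < 0:
            return {"status": 400, "message": "Insufficient funds."}
        LEDGER[src], LEDGER[dst] = new_src, new_dst
        return {"status": 200, "message": "Transfer completed."}
    except ValueError as exc:                # the cases we foresaw: bad input
        return {"status": 400, "message": f"Invalid request: {exc}."}
    except Exception:                        # catch-all: log detail internally, say little externally
        log.exception("unhandled error while processing %r", request)
        return {"status": 500, "message": "Something went wrong. Please try again later."}


if __name__ == "__main__":
    for req in ({"from": "acct-0001", "to": "acct-0002", "amount": "12.50"},
                {"from": "acct-0001", "to": "acct-0002", "amount": "abc"},
                {"from": "acct-0001", "to": "acct-9999", "amount": "1.00"}):
        print(req, "->", handle_transfer(req))
    print("internal log entries:", len(_records))
```

The point of the catch-all is the asymmetry: the user gets one sentence, the operations team gets the traceback. Returning the exception text to the client would be the "gives away too much information" failure the slide warns about.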


• Technique of inputting unexpected values into applications to see what happens

–Random, invalid, unanticipated

• Results can be

–Client-side crash

–Server-side crash

–Unauthorized access to data

• Automated tools are available

• Can be an attack if done by an unauthorized person

• Utilize fuzzing in your environment before an attacker does

–Time consuming but worth it

Fuzzing
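A minimal fuzzer of the kind described above, as an added Python example (not code from the course). `parse_record` is a constructed target that rejects malformed input with `ValueError` but has two latent defects; `fuzz` mutates a valid seed input thousands of times, ignores the parser's intended rejections, and records any other exception as a crash to fix, and `reproduces` confirms that a finding is deterministic before anyone files it.

```python
"""A minimal mutation fuzzer run against a small record parser.

Added example, not from the course slides. `parse_record` is a constructed
target with two latent defects; the fuzzer mutates a valid seed input, treats
ValueError as the parser's intended rejection, and records anything else as
a crash worth fixing.
"""
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789=;- \x00"
EXPECTED = (ValueError,)                     # the parser's documented way of rejecting input


def parse_record(data: str) -> dict:
    """Parse 'count=N;total=M' and return the average.

    Defects a fuzzer should surface: a missing key raises KeyError instead of
    ValueError, and count=0 raises ZeroDivisionError.
    """
    fields = {}
    for item in data.split(";"):
        key, value = item.split("=")         # ValueError if not exactly one '='
        fields[key.strip()] = value.strip()
    count = int(fields["count"])             # KeyError if the key is absent
    total = int(fields["total"])
    return {"count": count, "average": total // count}


def mutate(rng: random.Random, seed: str) -> str:
    """Apply one random edit: replace, delete, or insert a character."""
    chars = list(seed)
    op = rng.randrange(3)
    if op == 0 and chars:
        chars[rng.randrange(len(chars))] = rng.choice(ALPHABET)
    elif op == 1 and chars:
        del chars[rng.randrange(len(chars))]
    else:
        chars.insert(rng.randrange(len(chars) + 1), rng.choice(ALPHABET))
    return "".join(chars)


def fuzz(target, seed: str, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception class name: first crashing input} for unexpected exceptions."""
    rng = random.Random(rng_seed)            # fixed seed so a run can be repeated exactly
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng, seed)
        try:
            target(candidate)
        except EXPECTED:
            continue                          # graceful rejection, not a bug
        except Exception as exc:              # anything else is an unhandled case
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


def reproduces(target, data: str, exc_name: str) -> bool:
    """Re-run a crashing input to confirm the finding is deterministic."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


if __name__ == "__main__":
    for name, data in fuzz(parse_record, "count=2;total=10").items():
        print(f"{name}: {data!r} reproducible={reproduces(parse_record, data, name)}")
```

Real fuzzers (coverage-guided ones in particular) are far smarter about which mutations to try, but the loop is the same: generate, run, classify the outcome, keep the inputs that did something the programmer did not plan for.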


• Keep up with application patch management

–Regularly research, test, install, audit, and document updates to the applications in your environment

• Updates may reset your configurations

–Hotfixes, patches, upgrades, new versions

–Application updates come from the application vendor

–Once a vulnerability is found attackers will exploit it

• Remove programs that are no longer used

• Restrict access to only the users that need each application for their job

Application Hardening


• Have, maintain, and use application configuration baselines

– For performance and security

–The application's author and third-party authorities often offer best practice guidelines

–Use baselines when an application is deployed

• Creates consistency

– Frequently recheck for continued compliance

• Secure all your management consoles against unauthorized access

–Change default account

–Strong passwords

– Log out when not using

–Consider third-party or secondary authentication

Application Hardening

Key Terms You Should Know

Cookies: Little text files that are created by websites and stored by the web browser that contain information about the user

Session Hijacking: An unauthorized third party stealing and using a session token and impersonating the rightful user

Header Manipulation: Changing fields in the header to carry out various attacks

Cross-site Scripting: Tricking users into running malicious scripts on their machine. Used to steal cookies and other info

Cross-site Request Forgery: Forged requests are sent to a web server from a trusted user that were not authorized by the user

SQL Injection: Using unexpected user input that is not properly validated and sanitized to exploit SQL

LDAP Injection: Using unexpected user input that is not properly validated and sanitized to exploit LDAP

XML Injection: Using unexpected user input that is not properly validated and sanitized to exploit XPath/XML

Command Injection: Inserting commands into user input fields in order to exploit the application; used to carry out directory traversal attacks

Directory Traversal: The attacker is able to gain access to directories outside of what is authorized. The attacker gets to the website's root or, even worse, the OS root directory

Buffer Overflow: The application is given more data than it can process and store in the buffer. Leads to malicious code being written outside the designated buffer area

Malicious Add-ons: Browser add-ons that include malicious code

Zero Day Exploits: Attackers taking advantage of an exploit before a patch is released

Error and Exception Handling: A secure coding practice where all errors are accounted for and any exceptions will be handled gracefully with a "human" error message

Input Validation: The practice of making sure user-supplied input is of exactly the type and length that is expected so no code or unexpected characters are accepted

Fuzzing: The practice of entering random or unexpected data into user input fields to find vulnerabilities and exceptions


What We Covered

Application Attacks and Vulnerabilities

Cookies

Session Hijacking

Header Manipulation

Cross-site Scripting

Cross-site Request Forgery

Injection Attacks

Buffer Overflow

Java Applets and JavaScript

ActiveX Controls

Malicious Add-ons

Attachments

Zero Day Exploits


What We Covered

Application Security

Secure Coding Concepts

Fuzzing

Application Hardening

• Patch Management

• Configuration Baseline


CompTIA Security+ Training Instructor: Lisa Szpunar

Data Security


In This Lesson:

Data Loss Prevention (DLP)

Software-based Data Encryption

• Individual Files/Folders

• Full Disk/Whole Disk

• Database

• Removable Media

• Mobile Devices

Hardware-based Data Encryption

• Trusted Platform Module (TPM)

• Hardware Security Module (HSM)

• USB Encryption

• Hard Drive Encryption

Data Encryption Key Management

Data in the Cloud

Exam Objective:

4.3 Explain the importance of data security


• Making sure your data is available and not being accessed by unauthorized people or systems

– Internal or external breaches

• DLP systems monitor and report on data

• Best to monitor data in all locations

–At rest

– In transit/motion

– In use

• Examples

–Microsoft Forefront

–MyDLP

Data Loss Prevention (DLP)

DLP System Functions

Availability: Not deleted or moved

Confidentiality: Not sent in email or put on removable media

Access Control: Watches for unauthorized access


Software-based Data Encryption


Encrypting specific files/folders where they are stored or for confidentiality during transit

• End user controlled

• Encryption/decryption is done by the file system or application

• The file/folder stays encrypted if it is moved

• Often includes access control


• Examples:

–Windows Encryption File Standard (EFS)

–Microsoft Office

–Many third-party providers have moved to whole disk encryption

Individual Files/Folders


Encrypting an entire physical hard disk or logical volume

• The entire volume is encrypted including the file system

• Can be transparent to the end user

• Data is only protected while it is on the encrypted drive

• Examples:

–Microsoft’s BitLocker

–Mac’s Disk Utility creates encrypted virtual disk images

–TrueCrypt

–Pretty Good Privacy (PGP)

Full Disk/Whole Disk


Can be whole database-level encryption or encrypt only specific rows, columns, fields, cells, etc.

• Protects the data “at rest”

• Might be mandatory for regulatory compliance

• Is done either by the DB management system or by a separate encryption server

• Examples:

–Microsoft SQL Server’s Transparent Data Encryption (TDE)

Database


Encrypting the data on removable media like CDs and DVDs and portable devices like USB drives, SD cards, and external hard drives

• Helps protect data if the device is lost or stolen

• Encryption software is often included on USB and removable hard drives

–User controlled

–Great for personal use

• An enterprise-wide solution transfers control to administrators

–Often included with a full featured enterprise encryption solution

– Look for logging and auditing capabilities

–May include remote management

Removable Media


Encrypting the data on digital phones, PDAs, and tablets

• Helps protect data if the device is lost or stolen

• Platform specific apps are available to encrypt and password protect mobile devices

• Enterprise solutions are available that work across platforms

• Remote wipe functionality is often included

Mobile Devices

Hardware-based Data Encryption


• The TPM specification is a standard created by the Trusted Computing Group

• A built-in physical TPM chip stores keys, passwords, or certificates for encryption

• Includes a cryptographic processor

• Adds extra security to software-based encryption by storing keys on a separate hardware chip

• Used for disk encryption, password protection, software licensing enforcement, and configuration integrity checking

Trusted Platform Module (TPM)


• Physical device (often a PCI adaptor)

• Used in larger environments

• Offloads cryptographic processes to save CPU resources

• Stores keys separate from the protected data

• Includes key management

–Often used by the certificate authority in public key infrastructure systems

Hardware Security Module (HSM)


• Encryption that is done by a chip built in to the USB drive or external USB hard drive

–Whole device encryption for the data on the USB drive

• Also used as key/token for authentication or encryption of the device you plug the USB drive into

USB Encryption


• Hardware-based encryption built into a hard drive

or

• A separate device that sits between the hard drive and motherboard

• Invisible to the user and operating system

• Separates the key from the data and operating system

Hard Drive Encryption


• Where and how is the key stored

–At the same location as the data (less secure)

–On separate hardware

• Who has access to keys and passwords

–Attacks can happen from internal employees or contractors

–Your solution should support the ability to share encrypted files

• Strong password policies in use

• What happens if the key is lost

–Key backup

• Protect keys through their entire life-cycle

Encryption Key Management


• Know what happens to your data when it leaves your network

–Software as a service

–Platform as a service

– Infrastructure as a service

• May affect regulatory compliance

• Encrypt data transfer with SSL/TLS or VPN

• Consider encrypting data before it leaves your network

Data in the Cloud

Key Terms You Should Know

Encryption File Standard (EFS): NTFS file system file/folder level encryption built into Windows operating systems

Trusted Platform Module (TPM): A chip built into laptops and other devices that creates and stores keys for encryption

Hardware Security Module (HSM): A hardware device that performs encryption and key management


What We Covered

Data Loss Prevention (DLP)

Software-based Data Encryption

• Individual Files/Folders

• Full Disk/Whole Disk

• Database

• Removable Media

• Mobile Devices

Hardware-based Data Encryption

• Trusted Platform Module (TPM)

• Hardware Security Module (HSM)

• USB Encryption

• Hard Drive Encryption

Data Encryption Key Management

Data in the Cloud


CompTIA Security+ Training Instructor: Lisa Szpunar

Authentication, Authorization, and Access Control


In This Lesson:

Authentication and Authorization

Identification vs. Authentication

Authentication and Authorization

Something You Know, Something You Have, and Something You Are

• Passwords

• Tokens

• Smart Cards

• Common Access Cards (CAC)

• Personal Identification Verification Cards (PIV)

• Biometrics

Single Factor vs. Multifactor Authentication

In This Lesson (continued):

Access Control

Key Terms You Should Know

Types of Access Control

• Mandatory Access Control (MAC)

• Discretionary Access Control (DAC)

• Role-based Access Control (RBAC)

• Rule-based Access Control (RBAC)

Information Models

Policies and Best Practices

Mandatory Vacations

Job Rotation

Separation of Duties

Trusted OS

Exam Objectives:

5.2 Explain the fundamental concepts and best practices related to authentication, authorization, and access control


Authentication and Authorization


• Identification

–The actual identity of the user is verified

–A human has confirmed that the person with the credentials is the owner of them

• Driver’s license

• Employee ID card

• Authentication

–User knows or has the authentication credentials

• Username, password

–That user should be but is not guaranteed to be the true owner of the credentials

–Even the credential owner’s real identity may be anonymous

Identification vs. Authentication


• Authorization

–Permitting or denying access

–Access control or authentication system defines what level of access a particular authenticated user has

–Subject to rules like time of day restrictions

• Allows access to only specific times and days

• Protects systems from attacks while no one is working

• A user must be authenticated before they can do/access what they are authorized

Authentication and Authorization


Something You Know, Something You Have, and Something You Are

Authentication by Knowledge (Type I)

• A string of characters entered from memory

–Passwords

–PIN number

–Pass codes

–Pass phrases

–Security questions

–Combinations

• Can be stolen, guessed, or cracked

• Have strong password policies

(Figure: the three factors, Something You Know, Something You Have, and Something You Are, with the current factor highlighted on each slide)

Something You Know, Something You Have, and Something You Are

Authentication by Ownership (Type II)

• Keys

–To open locked doors and cabinets

• Tokens

–Hold information about the user like access privileges

–Digital (session token)

• Issued by the system at authentication

• To be used for that session

–Physical Hardware (security token)

• Many forms:

– Keychain fob, USB dongle, scan card

• Often a one-time password generator

– SecurID


Something You Know, Something You Have, and Something You Are

Authentication by Ownership (Type II)

• Smart Cards

–A physical card

–Stores access permissions and other data

–Hard to duplicate but easy to steal

• Often blank, so if lost the finder doesn't know who it belongs to or where to use it

• Used along with PINs

– Lock out happens if the incorrect PIN is entered too many times

–Common Access Cards (CAC)

• US Department of Defense

• Identification and authorization

– Access to computers

– Signing email

– PKI

–Personal Identification Verification Cards

–Also called Personal Identity Verification Card (PIV)

– For U.S. government employees and contractors

–Physical access to government buildings

– Logical access to government information systems

Something You Know, Something You Have, and Something You Are

Authentication by Characteristic (Type III)

• Biometrics

–Use a unique biological trait as the authentication credential

• Fingerprint, handprint, retina scan, facial recognition

–Starting to include behavior traits as well as physical ones

–Can be built into laptops and other devices

–Can be used for physical access to buildings or rooms

–Concerns

• False positives and false negatives

• Inability to change your “password” if it is stolen

• Privacy issues



• Single Factor Authentication

–Only one set of authentication values is checked

–Example: Username and Password

• Multifactor Authentication

–More than one type of authentication happens

–Example: Username and Password + Smart Card scan

• Identity Proofing

–Answering an additional question

• When you forget your password

• When logging in from a new computer

Single Factor vs. Multifactor Authentication


Access Control


Key Terms You Should Know

• Permissions, Privileges, or Rights

–The level of access granted to users, groups, and roles

• Objects

– Files

– Folders

–Printers

–Applications

–Databases

• Subjects

–Users

–Processes

–Services


• Mandatory Access Control (MAC)

–Access is predefined and inflexible

–Controlled by administrators

–Users can’t choose to share objects themselves

–More secure but less flexible

–More management overhead, which can fall into disrepair

Types of Access Control

MAC Example

Military Classifications

•Use of data labels like Secret or Top Secret

•Users have a clearance level and can only access data at that level

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Discretionary Access Control (DAC)

–Allows users to share objects with other users

–More flexible

– Less secure

Types of Access Control

DAC Example

Unix Permissions

•Users fall into one of three classes for each object: owner, group, or other

•The owner of an object sets the permissions (read, write, or execute) for each class

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Role-based Access Control (RBAC)

–Permissions are set based on roles

–A person/subject can be added to one or more role groups

–Simplifies administration

–When a person’s role changes so does his/her permissions

Types of Access Control

RBAC Example

Microsoft Active Directory

•Users and computers are put into groups based on their job role

•Permissions are set per group

Page 115: Security+ Slides

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Rule-based Access Control (RBAC)

–Access is determined by a set of rules

–Access control lists (ACLs) list who can access what

• Implicit Deny rejects anything not explicitly allowed by the list

Types of Access Control

RBAC Example

Firewall Rules

•A list of rules that specify what is permitted through the firewall under what conditions

• IP addresses, ports, sources, destinations, and others
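A rule list evaluated top to bottom with implicit deny at the end, as an added Python example that is not from the slides; the rules, the documentation-range addresses, and the web server they protect are constructed for the example:

```python
"""Rule-based access control as a firewall rule list with implicit deny.

Added example (not from the slides): rules are evaluated top to bottom, the
first match wins, and a packet matching nothing falls through to the implicit
deny at the end of the list.  Addresses are constructed RFC 5737 values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _in_net(ip: str, net: str) -> bool:
    """True if ip falls inside net; "any" matches every address."""
    if net == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation, or "any"
    dst: str              # destination network in CIDR notation, or "any"
    dport: Optional[int]  # destination port, or None for any port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _in_net(src_ip, self.src) and _in_net(dst_ip, self.dst)


# The rule that applies when nothing in the list matched
IMPLICIT_DENY = Rule("deny", "any", "any", "any", None)


def evaluate(rules: List[Rule], proto: str, src_ip: str,
             dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason): the first matching rule, else the implicit deny.
    The reason is what a firewall would write to its log for audit purposes."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, f"rule {index}"
    return IMPLICIT_DENY.action, "implicit deny"


# Constructed ruleset protecting a web server at 203.0.113.10:
# public HTTPS, SSH only from the internal network, and one quarantined
# internal subnet explicitly blocked before the broader allow.
RULES = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
    Rule("deny", "tcp", "10.9.9.0/24", "203.0.113.10/32", 22),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),
]

if __name__ == "__main__":
    for pkt in [("tcp", "198.51.100.5", "203.0.113.10", 443),
                ("tcp", "198.51.100.5", "203.0.113.10", 22),
                ("tcp", "10.9.9.7", "203.0.113.10", 22),
                ("tcp", "10.1.2.3", "203.0.113.10", 22),
                ("udp", "10.1.2.3", "203.0.113.10", 53)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```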

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Bell-LaPadula

– Focus on confidentiality

–No read-up (Simple Security Policy)

–No write-down (*-property)

Information Models

Unclassified

Confidential

Secret

Top Secret

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Biba

– Focus on integrity

–No write-up (Simple Integrity Axiom)

–No read-down (* Integrity Axiom)

Information Models

Unverified

Trusted

Confirmed
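Both models as access checks over the label orders drawn on the slides, as an added Python example that is not part of the original deck; check_both() goes beyond the slides by labelling a subject and an object with both a confidentiality and an integrity level:

```python
"""Bell-LaPadula and Biba access checks over the label orders drawn on the slides.

Added example, not from the slides: each model is two rules over a totally
ordered set of labels.  Bell-LaPadula protects confidentiality (no read up,
no write down); Biba protects integrity (no read down, no write up).
A system may label every object with both and grant an operation only when
both models allow it, which check_both() shows.
"""
from typing import Dict, Sequence, Tuple

# Label orders from the slides, lowest to highest
CONFIDENTIALITY = ("Unclassified", "Confidential", "Secret", "Top Secret")
INTEGRITY = ("Unverified", "Trusted", "Confirmed")


class Lattice:
    """A totally ordered set of labels; rank grows with the label's position."""

    def __init__(self, levels: Sequence[str]):
        self.rank: Dict[str, int] = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: str, b: str) -> bool:
        """True if label a is at or above label b."""
        return self.rank[a] >= self.rank[b]


def blp_allows(lattice: Lattice, subject: str, obj: str, op: str) -> bool:
    """Bell-LaPadula: read requires subject >= object (no read up);
    write requires object >= subject (no write down)."""
    if op == "read":
        return lattice.dominates(subject, obj)
    if op == "write":
        return lattice.dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(lattice: Lattice, subject: str, obj: str, op: str) -> bool:
    """Biba: read requires object >= subject (no read down);
    write requires subject >= object (no write up)."""
    if op == "read":
        return lattice.dominates(obj, subject)
    if op == "write":
        return lattice.dominates(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


CONF = Lattice(CONFIDENTIALITY)
INTEG = Lattice(INTEGRITY)


def check_both(subject: Tuple[str, str], obj: Tuple[str, str], op: str) -> Dict[str, bool]:
    """Apply both models to a (confidentiality, integrity) labelled subject and object."""
    blp = blp_allows(CONF, subject[0], obj[0], op)
    biba = biba_allows(INTEG, subject[1], obj[1], op)
    return {"blp": blp, "biba": biba, "allowed": blp and biba}


if __name__ == "__main__":
    # A Top Secret / Confirmed analyst reading a Secret / Unverified report:
    # confidentiality permits the read, integrity forbids it (it is a read down).
    print(check_both(("Top Secret", "Confirmed"), ("Secret", "Unverified"), "read"))
```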

Page 116: Security+ Slides

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Clark-Wilson

–Constrained data items can only be accessed through transformation procedures

–Different applications for read and write

–Separation of duty

Information Models

Policies and Best Practices

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Helps prevent and uncover misuses or illegal activities by internal employees

• Lets others at the company see what that employee does

• An audit can be performed while the employee is away

• Acts as a deterrent if employees know about the vacations and audits

• May only be mandated for higher-ranking employees or those with financial responsibilities

Mandatory Vacations

Page 117: Security+ Slides

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Employees are moved between two or more jobs in a scheduled system

• Helps prevent and uncover misuse or illegal activities by internal employees

• Also provides redundant skills and reduces boredom

• Does not work well in smaller companies

Job Rotation

Database Admin

Website Admin

Network Admin

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• Limits misuse of systems and data

• Helps prevent fraud and error

• Split an important job into parts/steps and have them be performed by two or more people

• SoD in IT Security

–Restrict the amount of power held by any one individual

–A different person designs/implements security systems than the one who tests/audits them

–Any single system administrator account should be limited in its abilities

– Least Privilege – each IT person should only have permissions to what they need for their job

Separation of Duties

CompTIA Security+ Training

Authentication, Authorization, and Access Control

• An operating system that has been tested and is certified to be secure

• Common Criteria (CC)

• International standard ISO/IEC 15408

• A product receives an Evaluation Assurance Level (EAL) after testing

• Also applies to hardware, devices, and software

• For high security environments like government or military

Trusted OS

Page 118: Security+ Slides

CompTIA Security+ Training

Authentication, Authorization, and Access Control

Key Terms You Should Know

Term Definition

Identification Verifying the true identity of a person

Single Factor Authentication

Using only one type of credentials for authentication

Multifactor Authentication

Using more than one type of credentials for authentication

Biometrics Using a biological trait such as fingerprint as an authentication credential

CompTIA Security+ Training

Authentication, Authorization, and Access Control

Key Terms You Should Know

Term Definition

Security Tokens A hardware device used for authentication, most often in a challenge-response situation

Smart Cards Hardware cards that include electronics to be scanned or read for access to areas or resources

Common Access Cards US Department of Defense smart cards that are used to access computers and for digital signatures

Personal Identification Verification Cards

US Government smart cards used to access buildings and computer systems

CompTIA Security+ Training

Authentication, Authorization, and Access Control

Key Terms You Should Know

Term Definition

Mandatory Access Control (MAC)

Inflexible access control that is controlled by administrators

Discretionary Access Control (DAC)

More flexible access control that allows object owners to share access

Role-based Access Control (RBAC)

Access control is based on the roles that a subject belongs to

Rule-based Access Control (RBAC)

Access is defined by a set of rules

Trusted OS

An operating system that meets the Common Criteria's requirements for security at an EAL of 4 or above

Page 119: Security+ Slides

CompTIA Security+ Training

Authentication, Authorization, and Access Control

Key Terms You Should Know

Term Definition

Permissions, Privileges, or Rights

The level of access granted to users, groups, and roles

Objects

When referring to access control, an object is what we are granting users access to; these can be files, folders, printers, or databases

Subjects

When referring to access control, a subject is who we are granting object access to; these can be people, computers, or processes

CompTIA Security+ Training

Authentication, Authorization, and Access Control

What We Covered

Authentication and Authorization

Identification vs. Authentication

Authentication and Authorization

Something You Know, Something You Have, and Something You Are

• Passwords

• Tokens

• Smart Cards

• Common Access Cards (CAC)

• Personal Identification Verification Cards (PIV)

• Biometrics

Single Factor vs. Multifactor Authentication

CompTIA Security+ Training

Authentication, Authorization, and Access Control

What We Covered

Policies and Best Practices

Mandatory Vacations

Job Rotation

Separation of Duties

Trusted OS

Access Control

Key Terms You Should Know

Types of Access Control

• Mandatory Access Control (MAC)

• Discretionary Access Control (DAC)

• Role-based Access Control (RBAC)

• Rule-based Access Control (RBAC)

Information Models

Page 120: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Physical and Environmental Security

CompTIA Security+ Training

Physical and Environmental Security

In This Lesson:

Exam Objectives:

2.6 Explain the impact and proper use of environmental controls

Partial Coverage of 3.6 and 4.2

Physical Security

Fencing

Mantraps

Access List

Proximity Readers

Video Surveillance and Monitoring

Hardware Locks • Cable Locks • Safe • Locking Cabinets

Environmental Security

HVAC

Hot and Cold Aisles

Environmental Monitoring and Controls

• Temperature and Humidity Controls

Fire Suppression

Power Systems

Electromagnetic Emissions

• Interference and Shielding

Physical Security

Page 121: Security+ Slides

[Figure: site plan showing fencing around the perimeter, with the server room and security office inside]

Fencing

• The outer layer of physical security

[Figure: site plan with a mantrap at the entrance and an access list held at the security office]

Mantrap

• A small enclosed area that limits access to an area, one individual at a time

• A person must be allowed through the mantrap by someone with authority

• Access lists specify who is allowed into what areas

[Figure: site plan with proximity readers at the server room and security office doors]

Proximity Readers

• Reads the electronic signal from proximity devices

– Electronic ID cards or fobs

• Use Radio Frequency Identification (RFID)

• Can use one-time password authentication

Page 122: Security+ Slides

[Figure: site plan with video surveillance cameras covering the server room and security office]

Video Surveillance and Monitoring

• Closed Circuit television (CCTV)

• Recorded for later review

•May be monitored live

CompTIA Security+ Training

Physical and Environmental Security

• Cable Locks

– Laptops have a built-in slot meant for cable locks

–Secure a laptop or even a desktop and other devices to the desk

– Lock PC cases to keep people from removing or destroying hard drives and other components

• Safes and Locking Cabinets

–Store backups, documentation, and other important information in a locked cabinet or safe

• Rack mounted servers and appliances should be locked to the racks

• Don’t forget key management!

Hardware Locks

Environmental Security

Page 123: Security+ Slides

CompTIA Security+ Training

Physical and Environmental Security

• Heating, ventilation, and air conditioning

• Server rooms, data centers, and computer labs need extra HVAC considerations

• Extra cooling and heat transfer

–Separate zone or separate system from the rest of the building

• HVAC on at all times – not turned down or off on weekends and holidays

• Contract experts that have experience with computer specific HVAC

HVAC Considerations

[Figure: hot and cold aisle layout; racks on a raised floor, an HVAC unit, and alternating hot aisles between the rack rows]

Hot and Cold Aisles

CompTIA Security+ Training

Physical and Environmental Security

• Systems for monitoring and alerting on environmental variables

–Temperature

–Humidity

–Moisture

–Dust

–Smoke

–Chemical

• Temperature and humidity controls

–Needed for older systems and larger modern systems like communication equipment and datacenters

– Low humidity causes equipment-damaging static shocks

–High humidity causes corrosion

Environmental Monitoring and Controls

Page 124: Security+ Slides

CompTIA Security+ Training

Physical and Environmental Security

• Fire extinguisher

–Portable

–Unplug equipment if possible

Fire Suppression

http://www.usfa.fema.gov

CompTIA Security+ Training

Physical and Environmental Security

• Fire suppression system

–Built-in and integrated with fire/smoke detectors

–Water-based

• Not preferred for computers

• Should cut the power to computers first

Fire Suppression

Wet Pipe: Pipes could freeze, burst, or leak; fast acting; no time to stop the system from starting

Dry Pipe: Pipes remain undamaged; slower acting; allows time to shut off the valve for false alarms

Pre-action: Pipes remain undamaged; slow acting; gives you time to use an extinguisher to put out a small fire before the system goes off

CompTIA Security+ Training

Physical and Environmental Security

• Fire suppression system

–Built-in and integrated with fire/smoke detectors

–Gas-based

• Safer than water for electronics

• More expensive and more maintenance

• Could harm humans

Fire Suppression

Page 125: Security+ Slides

CompTIA Security+ Training

Physical and Environmental Security

• Surge protector

–Protect electronics from a surge of electricity

–Range in size

• Small for a few devices

• Large for the entire building

–Can protect phone, coaxial, and Ethernet cables as well

–Passively wait for a spike in power

–Often one time use

Power Systems

CompTIA Security+ Training

Physical and Environmental Security

• Power conditioner

–Actively normalizes and improves the quality of electricity

–Different models do different things

• Regulate power voltage

• Filter noise

• Load balance

• Surge protection

• Battery backup

–Rack sized or building sized

Power Systems

CompTIA Security+ Training

Physical and Environmental Security

• Backup power

–Uninterruptible Power Supply (UPS)

• Instantaneous protection from power interruptions

• Short term solution

–Backup generators

• Not instantaneous

• Often used in conjunction with backup batteries

• Run on gas or diesel

• Require regular maintenance

Power Systems

Page 126: Security+ Slides

CompTIA Security+ Training

Physical and Environmental Security

• Interference

–EMI: Electromagnetic Interference

• Electronic emissions that interrupt, obstruct, degrade, or desensitize the performance of electronics

–RFI: Radio Frequency Interference

• EMI that is projected across the radio spectrum

– From fluorescent lights, motors, and other outside equipment

–Also from the computer components themselves

Electromagnetic Emissions: Interference and Shielding

CompTIA Security+ Training

Physical and Environmental Security

• Shielding

–Prevents interference and protects your electronic emissions from being gathered by attackers

–Comes in many forms: spray, tape, filter, cage, and more

• Built into devices and computer components

–TEMPEST certified systems

• Certified by the government to be electromagnetic emission free and safe to contain classified information

–Shielded Twisted Pair (STP) vs. Unshielded Twisted Pair (UTP)

Electromagnetic Emissions: Interference and Shielding

[Figure: STP vs. UTP cable cross-sections]

CompTIA Security+ Training

Physical and Environmental Security

Electromagnetic Emissions: Interference and Shielding

Best Practices

• Use shielded conduit when running cables

• Do not have communication cables in the same conduit as power cables

• Keep cables away from sources of EMI and RFI

• Use fiber optic cable if possible

Page 127: Security+ Slides

CompTIA Security+ Training

Physical and Environmental Security

Key Terms You Should Know

Term Definition

Electromagnetic Interference (EMI)

Interference caused by the electronic emissions of other devices and cables

Radio Frequency Interference (RFI)

Electrical byproduct that is projected across the radio spectrum

Proximity Reader A device that reads proximity cards or fobs for authentication and entrance into a building or restricted area

Mantrap A small area between two doors that a person cannot get past without authorization

CompTIA Security+ Training

Physical and Environmental Security

What We Covered

Environmental Security

HVAC

Hot and Cold Aisles

Environmental Monitoring and Controls

• Temperature and Humidity Controls

Fire Suppression

Power Systems

Electromagnetic Emissions

• Interference and Shielding

Physical Security

Fencing

Mantraps

Access List

Proximity Readers

Video Surveillance and Monitoring

Hardware Locks • Cable Locks • Safe • Locking Cabinets

Page 128: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Authentication Services

CompTIA Security+ Training

Authentication Services

In This Lesson:

Introduction to Authentication Services

RADIUS

TACACS+

TACACS and XTACACS

Kerberos

LDAP

Exam Objective: 5.1 Explain the function and purpose of authentication services

Partial coverage of 5.2

CompTIA Security+ Training

Authentication Services

• Centralizes authentication

–Removes the need for multiple user databases

–Ease of maintenance

–Single Sign-on

• Allows users to log in from different places and through different means

– Internal clients

–Remote clients

–Mobile devices

Introduction to Authentication Services

Page 129: Security+ Slides

CompTIA Security+ Training

Authentication Services

• Widely used

–Used by internet service providers (ISP)

• Every network access server relies on a central authentication server

–Used by corporate networks

• Every resource, storage, and application server uses a single authentication service

• Offers more than just authentication

–Who are you? (Authentication)

–What are you allowed to access? (Authorization)

–What did you do? (Accounting)

Introduction to Authentication Services

CompTIA Security+ Training

Authentication Services

• Remote Authentication Dial-in User Service

• Does authentication, authorization, and accounting

–Authentication and authorization together

–Accounting separate

• Consolidates authentication of dispersed users onto a centralized server

• Flexible: works with varied systems and protocols

–Can use PPP, CHAP, PAP, EAP, and UNIX login

• UDP ports 1812 and 1813 (connectionless)

–1812 for authentication and authorization

–1813 for accounting

–Or the older standard of ports 1645 and 1646

RADIUS

RADIUS

User initiates connection to NAS

NAS asks user for credentials

User replies with credentials

Access-Request sent to RADIUS Server

RADIUS Server responds with Access-Accept or Access-Reject

The NAS and the RADIUS Server share a secret key

Page 130: Security+ Slides

CompTIA Security+ Training

Authentication Services

• Remote Authentication Dial-in User Service

RADIUS

Security Concerns

•Sniffing – the entire payload of client/server communication is not encrypted

– Client/user communication vulnerable depending on implementation

•Spoofing

•Denial-of-Service

•Replay attacks

•MD5 associated vulnerabilities

Mitigations

•Harden the RADIUS server

•Run it over other protocols like IPsec or SSL to layer on protection

•Choose unique shared secrets for each NAS
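The NAS/server exchange above, with the shared secret and the MD5 dependence behind the listed concerns, as an added Python example that follows RFC 2865 framing; it is not code from the slides or from any RADIUS product, and the user name, password, and secret are constructed values:

```python
"""RADIUS Access-Request / Access-Accept framing with the NAS-server shared secret.

Added example, not from the slides or any RADIUS implementation.  It follows the
packet layout of RFC 2865: the User-Password attribute is hidden with an MD5
keystream derived from the shared secret and the 16-byte Request Authenticator,
and the server's reply carries a Response Authenticator, an MD5 over the reply
plus the secret, which the NAS recomputes to detect a spoofed reply.  Both the
password hiding and the reply check rest on MD5 and on the secret, which is
why the slides ask for a unique secret per NAS.  The user name, password and
secret below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (same keystream, chained on ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Code=1, a fresh random Request Authenticator, User-Name, User-Password."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def server_respond(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password, decide Accept or Reject, sign the reply.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = _parse_attrs(request[HEADER_LEN:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = b""  # no attributes in this minimal reply
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: the reply is genuine only if its identifier matches the request
    and the Response Authenticator recomputes under the shared secret."""
    if response[1] != request[1]:
        return False
    header, response_auth, reply_attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:HEADER_LEN] + reply_attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    secret = b"constructed-per-nas-secret"
    users = {b"alice": b"correct horse battery"}
    request = build_access_request(7, b"alice", b"correct horse battery", secret)
    response = server_respond(request, secret, users)
    print("accepted:", response[0] == ACCESS_ACCEPT,
          "genuine:", verify_response(request, response, secret))
```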

CompTIA Security+ Training

Authentication Services

• Terminal Access Controller Access Control System Plus

• Newest protocol based on TACACS

• Does authentication, authorization, and accounting separately

• Encrypts not just the user's password but the entire payload

• TCP port 49 (connection-oriented)

• Proprietary to Cisco

• Works well with router management and terminal services

TACACS+

TACACS+ Weaknesses

• Accounting information is sent in clear text

• Limited integrity checking

CompTIA Security+ Training

Authentication Services

• Older version of TACACS

• Considered end-of-maintenance

• TACACS

–Had authentication and authorization in a combined process

–Used connectionless UDP

–Did not offer accounting

–Did not support multifactor authentication

• XTACACS (Extended TACACS)

–Separated authentication and authorization

–Had less granular accounting processes

–Used connectionless UDP

TACACS and XTACACS

Page 131: Security+ Slides

CompTIA Security+ Training

Authentication Services

• Network authentication

–Works with multiple OS’s

• Single Sign-on (SSO)

–A user signs on once and all resource access is based on that logon

• Mutual authentication possible

• All authentication transactions are secure

• Three heads, like the mythical Kerberos (Cerberus)

–Key Distribution Center (KDC)

–Authentication Server (AS)

–Ticket Granting Server (TGS)

• Tickets and sessions are time-sensitive

Kerberos

[Figure: Kerberos exchange between the principal, the KDC with its AS and TGS, and the application server]

Principal presents credentials to AS and requests a Ticket Granting Ticket

AS responds with TGT and session key for TGS

Principal uses TGT to request a Service Ticket for the application server

TGS responds with Service Ticket

Principal presents Service Ticket to Application Server

Data transfer

CompTIA Security+ Training

Authentication Services

• Lightweight Directory Access Protocol

• Directory services queries (and modifications) made over an IP network

• X.500 directory

–A set of objects with attributes

–Organized in a hierarchical structure

–Examples:

• Microsoft Active Directory

• Novell eDirectory

• TCP/UDP port 389

–Other ports/services work with LDAP

LDAP

Page 132: Security+ Slides

LDAP Distinguished Names

dc=globomantics, dc=local

ou=locations

ou=chicago ou=new york

ou=computers ou=computers ou=users ou=users

cn=eliberman

cn=hackmann

DN: cn=hackmann, ou=users, ou=chicago, ou=locations, dc=globomantics, dc=local

CompTIA Security+ Training

Authentication Services

• Lightweight Directory Access Protocol

LDAP

Security Concerns

•No security by itself – Simple authentication only adds clear text authentication

– The Simple Authentication and Security Layer protocol (SASL) adds encrypted authentication

Mitigations

•Harden LDAP servers

•Use SASL

•Use LDAP over SSL/TLS (LDAPS)

•Block port 389 at the border firewall (or 636 for LDAPS)

CompTIA Security+ Training

Authentication Services

Key Terms You Should Know

Term Definition

Remote Authentication Dial-in User Service

(RADIUS)

A standard protocol for providing AAA services that uses UDP and combines authentication and authorization

Network Access Server/Remote Access Server

(NAS/RAS)

The client of the RADIUS or TACACS+ server. A user communicates with this server instead of directly with the authentication server

Terminal Access Controller Access Control System Plus

(TACACS+)

A standard protocol for providing AAA services that uses TCP and separates authentication and authorization

Extended Terminal Access Controller Access Control

System (XTACACS)

An older version of TACACS that had limited accounting functionality

Page 133: Security+ Slides

CompTIA Security+ Training

Authentication Services

Key Terms You Should Know

Term Definition

Terminal Access Controller Access Control System

(TACACS)

The original TACACS that used UDP and had no accounting

Kerberos A strongly encrypted network authentication protocol that offers a single sign-on for all network resources

Key Distribution Center (KDC)

A component of the Kerberos system that includes the AS for authentication and TGS for secure distribution of keys

Authentication Server/Service (AS)

A component of the Kerberos system that handles authentication

CompTIA Security+ Training

Authentication Services

Key Terms You Should Know

Term Definition

Ticket Granting Server/Service (TGS)

A component of the Kerberos system that handles the secure distribution of keys

Single Sign-on (SSO) A user only needs to enter one set of credentials one time and can access all authorized resources and applications

Lightweight Directory Access Protocol (LDAP)

A directory services protocol used to access and modify X.500 hierarchical directories across a TCP/IP network

Distinguished Name (DN) The unique name given to a directory object based on its location in the hierarchy

CompTIA Security+ Training

Authentication Services

What We Covered

Introduction to Authentication Services

RADIUS

TACACS+

TACACS and XTACACS

Kerberos

LDAP

Page 134: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

User Account Management

CompTIA Security+ Training

User Account Management

In This Lesson:

Exam Objective: 5.3 Implement appropriate security controls

when performing account management

Privilege Management

• User Assigned Privileges

• Group Based Privileges

User Account Policy

• Users with Multiple Accounts/Roles

• System/Administrator Accounts

• Logon Time Restrictions

• Temporary Access

• Account Disablement

Password Policies

• Complexity and Length

• Expiration

• Recovery

• Lockout

CompTIA Security+ Training

User Account Management

• Administering what resources and data are available to users and groups within an organization

• User assigned privileges

–Privileges are granted specifically and individually for each user

–Not scalable

–Difficult to make global changes

• Group based privileges

–User privileges are inherited from the group

–Can be as simple as locations or departments

–Can be very granular and have a group for each job role (Role-based management)

• Users can be members of multiple groups

Privilege Management

Page 135: Security+ Slides

[Figure 1: Group Based Privileges – a single Accounting Department Group containing Accounts Payable, Accounts Receivable, and Accounting Managers, granted Full Access and Read Only on the AP Resource and AR Resource]

[Figure 2: Group Based Privileges – the same department split into an Accounts Payable Group, an Accounts Receivable Group, and an Accounting Managers Group, each granted its own Full Access or Read Only on the AP Resource and AR Resource]

CompTIA Security+ Training

User Account Management

• Users with multiple accounts/roles

–Create separate accounts for administration and regular use

• Only use an admin account for doing admin tasks

• The user must have different passwords for each account

– Even for accounts outside the company

• Multifactor authentication forces this

–When separation of duties is not needed

• Add users to multiple groups depending on their roles

• Understand how conflicting permissions are handled

User Account Policy

Page 136: Security+ Slides

CompTIA Security+ Training

User Account Management

• System/administrator accounts

–Do not have accounts that have company wide administrative privileges

–Give admin accounts only the privileges they need

• Logon time restrictions

– Limits the amount of time that attackers can use accounts

• Temporary Access

–Grant least privileges

–Set the expiration date

User Account Policy

CompTIA Security+ Training

User Account Management

• Add users to groups

• Assign permissions to groups

• Configure time of day restrictions

• Create a temporary account and set it to expire

Microsoft Active Directory Users and Groups Demonstration

CompTIA Security+ Training

User Account Management

• Account disablement

–Account expiration

• Temporary or guest accounts can be set to automatically expire

– Inactive accounts

• Accounts are configured to automatically enter a lock-out state if they are inactive for a period of time

– Even accounts that are not set to expire

–User account and data deletion policy

• Breaks the audit trail

• Transfer data first including encryption keys

User Account Policy

Page 137: Security+ Slides

CompTIA Security+ Training

User Account Management

• Complexity and Length

–At least 8 characters (longer is better)

–Must include uppercase and lowercase letters

–Must include at least one number or special character

• Expiration

–Passwords expire at a regular interval

–Require passwords to be different from the password history

Password Policies

CompTIA Security+ Training

User Account Management

• Recovery/Reset

– Identification and/or authentication should happen as part of the reset process

• Lockout

–Account lockout threshold for failed logon attempts

–Thoroughly plan your lockout policy

• Cached credentials

• Service accounts

• Educate users on protecting their password and choosing strong passwords

Password Policies
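The policy rules above as enforcement logic, an added Python example that is not from the slides; the history depth, lockout threshold, maximum age, and the salted hashing are assumed values for the example, and the slides' own sample password is used as input:

```python
"""Password policy enforcement as the slides describe it: complexity and length,
expiration, history, and lockout after repeated failures.

Added example, not from the slides.  The thresholds (8 characters, upper and
lower case, a digit or special character) are the slides' rules; the history
depth, lockout threshold, maximum age, and the salted PBKDF2 storage are
constructed choices for the example.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 8            # slides: at least 8 characters, longer is better
HISTORY_DEPTH = 5         # constructed: new password may not match the last 5
LOCKOUT_THRESHOLD = 5     # constructed: failed logons before the account locks
MAX_AGE_DAYS = 90         # constructed: expiration interval
SALT_LEN = 16


def check_complexity(password: str) -> List[str]:
    """Return the list of rules the password fails; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if not any(c.islower() for c in password):
        problems.append("no lowercase")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no number or special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_hash(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:SALT_LEN]), stored)


@dataclass
class Account:
    name: str
    history: List[bytes] = field(default_factory=list)  # oldest first, current last
    changed_at: float = 0.0                             # epoch seconds of last change
    failures: int = 0
    locked: bool = False


def set_password(acct: Account, new_password: str, now: float) -> List[str]:
    """Apply complexity and history rules; on success store the new hash."""
    problems = check_complexity(new_password)
    if any(verify_hash(new_password, h) for h in acct.history[-HISTORY_DEPTH:]):
        problems.append("matches password history")
    if problems:
        return problems
    acct.history.append(hash_password(new_password))
    acct.changed_at = now
    acct.failures = 0
    return []


def password_expired(acct: Account, now: float) -> bool:
    return now - acct.changed_at > MAX_AGE_DAYS * 86400


def attempt_logon(acct: Account, password: str, now: float) -> str:
    """Returns "ok", "expired", "failed", or "locked"; wrong guesses count toward lockout."""
    if acct.locked:
        return "locked"
    if not acct.history or not verify_hash(password, acct.history[-1]):
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "failed"
    acct.failures = 0
    return "expired" if password_expired(acct, now) else "ok"


if __name__ == "__main__":
    acct = Account("alice")
    now = 1_700_000_000.0
    print(set_password(acct, "password", now))      # fails complexity
    print(set_password(acct, "i8ccc&T4b", now))     # the slides' phrase-based example
    print(attempt_logon(acct, "i8ccc&T4b", now))
```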

User Best Practices for Passwords

Protecting Your Passwords

• Never tell your password to anyone

– Emails asking for your password are fraudulent

• Do not write passwords down

– If you must write them down, store the paper in a secure place (not tacked to your bulletin board) and destroy it (not just throw it away) once you have memorized it

• Change your password immediately if you suspect it has been compromised

• Use a different password for every account

– Using the same password means that if someone gets the password for one of your accounts, it can be used on your other accounts too

• Do not let applications like web browsers store important passwords. If your computer is compromised, those passwords are available to the attacker

• Be sure you are entering your password into the real website (not a faked version) every time

• Create strong passwords

Page 138: Security+ Slides

User Best Practices for Passwords

Creating Strong Passwords

• Should be at least 8 characters in length – longer for more important accounts

• Should include numbers and special characters

– Should not be numbers associated with you like your address

– Special characters are not numbers or letters. Examples are *, &, $, _

– Consider placing your special characters in the middle of the password instead of as the last character

– Don’t just replace a letter with a common special character replacement, like replacing S with $ or O with 0

• If passwords are case sensitive, use a combination of upper and lowercase letters

– Put uppercase letters in the middle of the password, not just as the first or last character

User Best Practices for Passwords

Creating Strong Passwords

• Should not be a single real (dictionary) word

– It should not include names of your pets or family members

• The best method of creating a seemingly random, strong password is to use a string of characters that corresponds with a phrase that helps you remember it

– Password: i8ccc&T4b

– Reminder Phrase: I ate chocolate chip cookies and tea for breakfast

CompTIA Security+ Training

User Account Management

Key Terms You Should Know

Term Definition

User Assigned Privileges The data and resources that users are allowed to access and change are set on a user-by-user basis

Group Based Privileges

Users are grouped together by a common criteria. Privileges are set for the group and the users inherit the group privileges

Page 139: Security+ Slides

CompTIA Security+ Training

User Account Management

What We Covered

Privilege Management

• User Assigned Privileges

• Group Based Privileges

User Account Policy

• Users with Multiple Accounts/Roles

• System/Administrator Accounts

• Logon Time Restrictions

• Temporary Access

• Account Disablement

Password Policies

• Complexity and Length

• Expiration

• Recovery

• Lockout

Page 140: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Risk Management

CompTIA Security+ Training

Risk Management

In This Lesson:

Exam Objective: 2.1 (Partial) Explain risk related concepts

3.7 (Partial) Implement assessment tools and techniques to discover security threats and vulnerabilities

Risk Management Vocabulary

• Asset

• Vulnerability

• Threat

• Risk

• Impact

• Qualitative Assessment

• Quantitative Assessment

Risk Calculation

• Impact Analysis

• Threat vs. Likelihood

• Annualized Loss Expectancy (ALE)

Options for Handling Risk

• Risk-avoidance

• Transference

• Acceptance

• Mitigation

• Deterrence

Control Types

• Technical

• Management

• Operational

CompTIA Security+ Training

Risk Management

Risk Management Vocabulary

• Asset

–What we are trying to protect: people, property, information, and reputation

• Vulnerability

–A flaw, weakness, or gap that can be exploited by threats to gain unauthorized access to an asset

• Threat

–Something that can exploit a vulnerability and can potentially cause loss/harm to assets

• Risk

–The possibility of damage, destruction, or theft of an asset

Page 141: Security+ Slides

CompTIA Security+ Training

Risk Management

Risk Management Vocabulary

• Impact

– The result of a risk

• Qualitative Assessment

– An assessment based on the sensitivity of an asset

– Assigns a weight, grade, or class to an asset instead of a dollar amount

• Quantitative Assessment

– An assessment based on the monetary worth of an asset

– Calculates the cost impact of an incident

CompTIA Security+ Training

Risk Management

Risk Management Steps

1. Asset Identification

2. Threat and Vulnerability Assessment

3. Risk Calculation

4. Evaluation, Mitigation, and Deterrence

CompTIA Security+ Training

Risk Management

• What properties, belongings, resources, data, systems, and people does a company possess?

• Inventory and prioritize

• Which assets have the most value? (Quantitative)

• Which assets are most important? (Qualitative)

–Mission critical

– Irreplaceable

• Once assets are identified, it can be determined what risks could affect them and what the impact would be

Asset Identification

Page 142: Security+ Slides

CompTIA Security+ Training

Risk Management

Threat and Vulnerability Assessment

• Methods

– Interviews

–Evaluations

–Penetration testing

–Vulnerability scanning

• Prioritize

• Coordinate with business impact analysis


• Determine the impact of a successful exploitation of a vulnerability

• For all assets

–Theft, loss, damage of asset

• For IT systems

– Loss of confidentiality, integrity, and/or availability

Impact Analysis

Impact Level | Tangible Assets and Resources | Intangible: Mission, Reputation, Interest | Human Assets

Low | Some | Notable | --

Moderate | Costly | Violate, harm, or impede | Injury

High | Very costly | Significantly violate, harm, or impede | Serious injury or death

Risk Calculation


Risk Calculation

Threat vs. Likelihood

• Threat

–An event that intentionally or accidentally exploits a vulnerability

–Steals, damages, or destroys an asset

• Likelihood

–What are the chances that a threat will take place?

–High, moderate, or low

–Annualized rate of occurrence

Page 143: Security+ Slides


Asset Value (AV): How much money something is worth

Exposure Factor (EF): A frequency rate, measure of magnitude, or other multiplier specific to each asset

Single Loss Expectancy (SLE): AV x EF = SLE. How much is estimated to be lost on a single occurrence of a given risk

Annualized Rate of Occurrence (ARO): Probability of a SLE happening or how many times a SLE is expected to happen in a given year

Annualized Loss Expectancy (ALE): How much is estimated to be lost each year to a given risk

Risk Calculation

Risk Calculation


Annualized Loss Expectancy Example

A web server for an e-commerce business generates $5,000 per hour. This web server’s probability of failing within one year is 10%. If the web server goes down, it takes 2 hours to get back up and running again.

Risk Calculation

AV = $5,000 per hour; EF = 2 hours; ARO = 0.1

AV x EF = SLE: 5,000 x 2 = $10,000

SLE x ARO = ALE: 10,000 x 0.1 = $1,000

Risk Calculation


Annualized Loss Expectancy Example

A web server for an e-commerce business generates $5,000 per hour. This web server’s probability of failing within one year is 10%. If the web server goes down, it takes 2 hours to get back up and running again. The estimated cost to replace failed components in the server is $200.

Risk Calculation

AV x EF = SLE (plus the $200 replacement cost): 5,000 x 2 + 200 = $10,200

SLE x ARO = ALE: 10,200 x 0.1 = $1,020

Risk Calculation
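The two web server examples above carried through in code, together with the rule from later in this deck that a control must cost less than the impact it removes. This is an added example, not course material: the RiskScenario class, the fixed_loss term and the spare-parts contract figures are assumptions.

```python
"""ALE calculation for the web server example on this page (added example).

Formulas are the page's: SLE = AV x EF, ALE = SLE x ARO. The fixed_loss term
models the second example, where a $200 replacement cost is added to the SLE.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float       # AV: value exposed per unit of EF (here: $ per hour)
    exposure_factor: float   # EF: multiplier specific to the asset (here: hours down)
    aro: float               # ARO: expected occurrences per year (0.10 = 10%)
    fixed_loss: float = 0.0  # one-off cost per incident, e.g. replacement parts (assumed)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the risk."""
        return self.asset_value * self.exposure_factor + self.fixed_loss

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_is_cost_effective(scenario: RiskScenario, annual_control_cost: float,
                              aro_after_control: float) -> bool:
    """The page's rule: the cost of a control (including maintenance and
    monitoring) must be less than the impact it removes.

    Benefit is measured as the ALE reduction the control buys. Simplifying
    assumption: the control changes only the ARO, not the SLE.
    """
    residual = RiskScenario(scenario.name, scenario.asset_value,
                            scenario.exposure_factor, aro_after_control,
                            scenario.fixed_loss)
    ale_reduction = scenario.ale() - residual.ale()
    return annual_control_cost < ale_reduction


# Constructed from the page's e-commerce web server example.
WEB_SERVER = RiskScenario("web server outage", asset_value=5_000,
                          exposure_factor=2, aro=0.10)
WEB_SERVER_WITH_PARTS = RiskScenario("web server outage", 5_000, 2, 0.10,
                                     fixed_loss=200)

if __name__ == "__main__":
    for s in (WEB_SERVER, WEB_SERVER_WITH_PARTS):
        print(f"{s.name}: SLE=${s.sle():,.0f} ALE=${s.ale():,.0f}")
    # Hypothetical control: a $400/year spare-parts contract that halves the ARO.
    print("control worth it:",
          control_is_cost_effective(WEB_SERVER_WITH_PARTS, 400, 0.05))
```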

Page 144: Security+ Slides

Options for Handling Risk

Mitigation and Deterrence

Risk-avoidance: Avoid the risk by no longer having or doing what is associated with the risk

Transference: Share some of the burden of the risk with another entity like an insurance company

Mitigation: Take action to try to reduce the likelihood or impact of the risk

Deterrence: Make the risk less enticing to attackers with threat of prosecution or other public safeguards

Acceptance: Retain a risk if the cost to mitigate is more costly than the impact of an attack


Control Types

Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 available at http://csrc.nist.gov/

Management: Assessment and Planning

Technical: Systems

Operational: Actions

Mitigation and Deterrence


Page 145: Security+ Slides

Control Type Families

• Management (control type/class)

–Security Assessment and Authorization

–Planning

–Risk Assessment

–System and Services Acquisition

–Program Management

• Technical (control type/class)

–Access Control

–Audit and Accountability

–Identification and Authentication

–System and Communications Protection

Mitigation and Deterrence

Control Type Families

• Operational (control type/class)

–Awareness and Training

–Configuration Management

–Contingency Planning

–Incident Response

–Maintenance

–Media Protection

–Physical and Environment Protection

–Personnel Security

–System and Information Integrity

Mitigation and Deterrence


Evaluation

• Review the adequacy of security controls

–Did they eliminate the risk?

–Did they reduce the risk?

• Is there any residual risk?

• Continue to look for new threats and vulnerabilities

Page 146: Security+ Slides


Key Terms You Should Know

Term: Definition

Asset: What we are trying to protect: people, property, information, and reputation

Vulnerability: A flaw, weakness, or gap that can be exploited by threats to gain unauthorized access to an asset

Threat: Something that exploits a vulnerability and can potentially cause loss/harm to assets

Risk: The possibility of damage, destruction, or theft of an asset


Key Terms You Should Know

Term: Definition

Quantitative: In terms of risk assessment, a quantitative assessment is one based on the monetary value of an asset or the cost of a risk’s impact

Qualitative: In terms of risk assessment, a qualitative assessment is one based on the importance or sensitivity of an asset

Impact: The outcome of a risk happening. The cost of a risk or the damage or loss of assets caused by a risk

Likelihood: The probability that a risk will happen


Key Terms You Should Know

Term: Definition

Annualized Loss Expectancy (ALE): How much money is expected to be lost from a particular risk in one year

Annualized Rate of Occurrence (ARO): The probability of a SLE happening or how many times a SLE is expected to happen in a year

Single Loss Expectancy (SLE): How much money is expected to be lost from a single incident of a risk

Asset Value (AV): How much an asset is worth. Based on how much money it is making for the company as well as the cost to replace

Exposure Factor (EF): A frequency rate, measure of magnitude, or other multiplier specific to each asset

Page 147: Security+ Slides


Key Terms You Should Know

Term: Definition

Risk-avoidance: No longer using or doing something that is vulnerable

Transference: Sharing a risk with a third party

Acceptance: Deciding to tolerate the impact of a risk. Often used with low level risks or residual risk after mitigation

Mitigation: Actively employing controls to lower the likelihood or impact of a risk

Deterrence: Making a threat less attractive to attackers


What We Covered

Risk Management Vocabulary

• Asset

• Vulnerability

• Threat

• Risk

• Impact

• Qualitative Assessment

• Quantitative Assessment

Risk Calculation

• Impact Analysis

• Threat vs. Likelihood

• Annualized Loss Expectancy (ALE)

Options for Handling Risk

• Risk-avoidance

• Transference

• Acceptance

• Mitigation

• Deterrence

Control Types

• Technical

• Management

• Operational

Page 148: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Threat and Vulnerability Assessment and Detection

CompTIA Security+ Training

Threat and Vulnerability Assessment and Detection

In This Lesson:

Assessment Types

• Vulnerability

• Threat

• Risk

Assessment Techniques

• Baseline Reporting

• Code Review

• Determine Attack Surface

• Architecture

• Design Review


In This Lesson:

Exam Objective: 3.7 (Partial) Implement assessment tools and techniques to discover security threats and vulnerabilities

3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning

Testing and Scanning

Tools

• Protocol Analyzer / Sniffer

• Port Scanner

• Honeypot and Honeynet

Vulnerability Scanning

Penetration Testing

• Black, White, and Gray Box Testing

Page 149: Security+ Slides


Assessment Types

Assessment Type | Definition | Benefits

Vulnerability | Finding security flaws | Baselines and ongoing security

Threat | Determining what threats line up with the vulnerabilities for your particular systems; analyzing the tools and resources that attackers have | Zero in on specific security implementations

Risk | Determining what the risks are and the likelihood and impact of those risks | Prioritize security; help determine security budgeting


• Baseline Reporting

– First you need a baseline

–Compare the current to the baseline after changes or events

–Software can automatically generate reports about differences that don’t match the baseline (change detection)

–Good for regulatory compliance

Assessment Techniques
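Baseline comparison (change detection) as described above, written out as an added example that is not part of the course: a snapshot of settings and file digests taken from a known-good host is compared with a later snapshot and every difference is reported. The snapshot format and all sample values are constructed.

```python
"""Baseline reporting / change detection (added example, not course code).

A baseline is a snapshot of configuration values and file digests taken when
the host was known-good. Later snapshots are compared against it and every
added, removed or changed item is reported. Snapshots here are constructed
dictionaries standing in for what a real tool would collect from the host.
"""
import hashlib
from typing import Dict, List

Snapshot = Dict[str, str]  # item name -> observed value (setting or SHA-256 digest)


def digest(content: bytes) -> str:
    """SHA-256 of a file's content, so the baseline stores hashes rather than copies."""
    return hashlib.sha256(content).hexdigest()


def compare_to_baseline(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Return the differences between a baseline and a current snapshot.

    Added and removed items matter as much as changed ones: a new listening
    service or a vanished audit setting is also a deviation from the baseline.
    """
    report: Dict[str, List[str]] = {"changed": [], "added": [], "removed": []}
    for name, value in baseline.items():
        if name not in current:
            report["removed"].append(name)
        elif current[name] != value:
            report["changed"].append(name)
    for name in current:
        if name not in baseline:
            report["added"].append(name)
    return report


def deviates(report: Dict[str, List[str]]) -> bool:
    """True when any category of difference is non-empty."""
    return any(report.values())


# Constructed baseline: a hardened web host as approved.
BASELINE: Snapshot = {
    "sshd_config:PermitRootLogin": "no",
    "sshd_config:PasswordAuthentication": "no",
    "listening_ports": "22,443",
    "file:/etc/passwd": digest(b"root:x:0:0:root:/root:/bin/bash\n"),
}

# Constructed current state after an undocumented change.
CURRENT: Snapshot = {
    "sshd_config:PermitRootLogin": "yes",          # changed setting
    "sshd_config:PasswordAuthentication": "no",
    "listening_ports": "22,443,8080",              # changed: new service listening
    "file:/etc/passwd": digest(                    # changed: new account appended
        b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/bash\n"),
    "cron:/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh",  # added item
}

if __name__ == "__main__":
    result = compare_to_baseline(BASELINE, CURRENT)
    print("deviates from baseline:", deviates(result))
    for kind, items in result.items():
        for item in items:
            print(f"  {kind}: {item}")
```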


• Code Review

– Looking at custom made code to find holes

• Injection or cross-site vulnerabilities

–Manual assessment

• A detailed reading through the source code (should be done by skilled developers)

–Automated assessment

• Using tools to scan the code

Assessment Techniques

Black Box | White Box | Gray Box

Page 150: Security+ Slides


• Determine Attack Surface

–The part of an application or system that is accessible or visible

–Can include interfaces, protocols, code, data, and more

–Practice attack surface reduction (ASR) to limit potential damage

• Turn off unnecessary services and functions

• Allow only least privileges

• Strengthen authentication services

Assessment Techniques


• Architecture

–Reviews how a system or application is interconnected with the network architecture

• How it interacts with the users, databases, devices, browsers, and services

• How do those interconnections affect security?

Assessment Techniques


• Design Reviews

–Application design review

• Done during the development process

• Looks at the attack surface of an application

– User inputs and interactions

–Network design review

• Reviews the network and system design

– What ports and protocols are open?

– What rules and access controls are in place?

– What information models are used?

Assessment Techniques

Page 151: Security+ Slides

Testing and Scanning


• Protocol Analyzer / Sniffer

–Captures packets en route and then analyzes them

• Resources, ports, and source/destination addresses

–Used for troubleshooting as well as security

• Malicious traffic

• Misconfigurations

• Network baselines

–Wired and wireless options

–Applications/appliances have GUIs and reports

• Wireshark

• Tcpdump (Linux command line)

• NAI Sniffer

Tools


• Port Scanner

– Find out what ports are open, closed, or filtered

– Find ports you didn’t know were open

–SYN packets are one way to test how ports respond

–Attackers use port scanning to find ports that provide services that can be exploited

–Applications

• Nmap

• Included with vulnerability scanners

Tools

SYN Packet Response | Port State

SYN/ACK | Open

RST | Closed

No response | Filtered

Page 152: Security+ Slides


• Honeypot

–A system created for the purpose of letting attackers attack it and studying the results

–Honeynet

• More than one honeypot working together

• An entire network set up to invite attack

– Applications, services, and user accounts

• Uses virtualization

• Sometimes integrated with a larger IDS/IPS

–Uses

• Development and research

• Information gathering and decoy

Tools


• Tests for known vulnerabilities

• Passively tests security controls

• Performs scans that look for the latest vulnerabilities

• Many types of vulnerability scanners available

• Plan vulnerability scanning

–Backup first

–Do during off hours

–Once a month or once a quarter

Vulnerability Scanning


• Applications/appliances have GUI interfaces and reports

–Nessus

–Retina

–SAINT

• Interpreting the results

–Reports from commercial scanners list open ports and vulnerabilities

• Identify false positives

• Identify vulnerabilities

• Identify lack of security controls

• Identify common misconfigurations

Vulnerability Scanning

Page 153: Security+ Slides


• Using any and all methods to try to break in to your fully protected network

• An experienced tester uses a variety of tools and methods

• OSSTMM and NIST have standard penetration testing methodologies

• Actively test and try to bypass your security controls

• Verify a threat exists without exploiting vulnerabilities

Penetration Testing


• Black, white, and gray box testing

Penetration Testing

Black Box Penetration Testing

Tester acts as an outside hacker

Has no inside knowledge of the network prior to the test

Typically, most of the IT staff does not know the test is taking place


• Black, white, and gray box testing

Penetration Testing

White Box Penetration Testing

Tester acts as a malicious insider with full network understanding

Has knowledge of code, systems, topology, a user account, etc.

IT staff knows about the test

Page 154: Security+ Slides


• Black, white, and gray box testing

Penetration Testing

Gray Box Penetration Testing

Tester acts as if he is an outsider working with a malicious insider


Key Terms You Should Know

Term: Definition

Vulnerability Assessment: Finding and assessing the holes and weaknesses in applications and systems

Threat Assessment: Finding and assessing the source and means of the attacks that our systems are vulnerable to

Risk Assessment: Determining the impact and likelihood of risks

Attack Surface: The area of an application or system that is visible, accessible, and therefore potentially vulnerable


Key Terms You Should Know

Term: Definition

Honeypot: A computer that is intentionally left open to attack in order to study how attacks are carried out and lure attackers away from legitimate systems

Honeynet: More than one honeypot connected together or an entire virtual network meant to be attacked

Vulnerability Scanning: Using a database of known vulnerabilities to scan a system or network looking for weaknesses

Penetration Testing: Actively testing your network security using any and all methods to simulate what attacks from hackers or malicious insiders would use

Page 155: Security+ Slides


Key Terms You Should Know

Term: Definition

Black Box Testing: Testing code or systems without any prior information about the inner workings of that application or system

White Box Testing: Testing code or systems with full disclosure of the inner workings of that application or system

Gray Box Testing: Testing code or systems from the outside with some understanding of the inner workings to help guide the test


In This Lesson:

Assessment Types

• Vulnerability

• Threat

• Risk

Assessment Techniques

• Baseline Reporting

• Code Review

• Determine Attack Surface

• Architecture

• Design Review


In This Lesson:

Testing and Scanning

Tools

• Protocol Analyzer / Sniffer

• Port Scanner

• Honeypot and Honeynet

Vulnerability Scanning

Penetration Testing

• Black, White, and Gray Box Testing

Page 156: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Risk Mitigation and Deterrence

CompTIA Security+ Training

Risk Mitigation and Deterrence

In This Lesson:

Mitigation Strategies

Security Posture

• Initial Baseline Configuration

• Continuous Security Monitoring

• Remediation

Manual Bypassing of Electronic Controls

• Failsafe vs. Failopen

Change Management

Implement Security Controls Based on Risk

Detection vs. Prevention Controls

Hardening

Perform Routine Audits

• User Rights and Permissions Reviews

Data Loss or Theft Prevention


In This Lesson:

Exam Objective: 2.1 (Partial) Explain risk related concepts

2.2 Carry out appropriate risk mitigation strategies

3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques

Policies

Security Policies

Privacy Policies

Acceptable Use Policies

Other Policies

Page 157: Security+ Slides

Mitigation Strategies


• The overall approach an organization takes to security

• Creating and maintaining your security posture

– Initial baseline configuration

• Take into account regulatory compliance

• Remember patch management

–Continuous security monitoring

• Utilize your monitoring systems

• Perform audits

• Keep up on the latest information with security organizations, websites, and blogs

–Remediation

• Quarantine a system that does not meet the baseline until it does

• Document and verify results

Security Posture


• Electronic controls can be bypassed

– Turning off or short circuiting the power

– Overloading or confusing sensors

• Failsafe vs. Failopen

– Failsafe: Failure happens in a secure way

– Failopen: Failure happens in an unsecure way

Manual Bypassing of Electronic Controls

Failsafe Examples | Failopen Examples

A failed electronic lock blocks any entry | A failed electronic lock remains unlocked

A failed application closes | A failed application remains open

A failed firewall blocks all traffic | A failed firewall allows all traffic
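The same failsafe versus failopen choice shows up in ordinary authorization code: when the policy source cannot be reached, does the check deny or allow? The following is an added example, not course material; the PolicyStore class, the rules and the users are constructed stand-ins for a directory or policy service.

```python
"""Failsafe vs. failopen in an authorization check (added example, not course code).

The page's table says a failed firewall should block all traffic and a failed
application should close. Both functions below make the same decision on an
error from the policy store: one fails open, the other fails safe.
"""
from typing import Dict, List, Optional, Set


class PolicyStore:
    """Constructed stand-in for a directory or policy service.
    available=False simulates an outage of that service."""

    def __init__(self, rules: Dict[str, Set[str]], available: bool = True):
        self.rules = rules
        self.available = available

    def allowed_actions(self, user: str) -> Set[str]:
        if not self.available:
            raise ConnectionError("policy service unreachable")
        return self.rules.get(user, set())


def is_allowed_failopen(store: PolicyStore, user: str, action: str) -> bool:
    """Failopen: an error in the check is treated as 'no objection'.
    This is the code shape behind 'a failed firewall allows all traffic'."""
    try:
        return action in store.allowed_actions(user)
    except Exception:
        return True  # an outage turns into universal access


def is_allowed_failsafe(store: PolicyStore, user: str, action: str,
                        log: Optional[List[str]] = None) -> bool:
    """Failsafe: any error denies and is logged for the operations team.
    Availability suffers during the outage; confidentiality and integrity do not."""
    try:
        return action in store.allowed_actions(user)
    except Exception as exc:
        if log is not None:
            log.append(f"DENY {user}:{action} (policy check failed: {exc})")
        return False


# Constructed rules: alice may read, bob may read and delete.
RULES: Dict[str, Set[str]] = {"alice": {"read"}, "bob": {"read", "delete"}}

if __name__ == "__main__":
    up = PolicyStore(RULES)
    down = PolicyStore(RULES, available=False)
    print("normal,  alice delete ->", is_allowed_failsafe(up, "alice", "delete"))
    print("outage, failopen, alice delete ->", is_allowed_failopen(down, "alice", "delete"))
    audit: List[str] = []
    print("outage, failsafe, alice delete ->",
          is_allowed_failsafe(down, "alice", "delete", audit))
    print(audit[0])
```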

Page 158: Security+ Slides


• Working within predefined procedures and timelines for change

• Evaluating, authorizing, testing, carrying out, and documenting changes

• Changes to systems, configurations, what software is installed, etc.

– Configuration control of systems that have been baselined

• New deployments, expansion, and reorganization also fall under change management

Change Management


Change Management

Change Management Goals

•Prevent new security vulnerabilities due to change

•Prevent loss of functionality due to change

•Schedule and stage change to minimize impact to users

•Communicate downtime in advance of implementing change

•Document change for communication and auditing purposes

•Allow changes to be reversed with a rollback strategy

•Require separation-of-duties through management oversight

•Follow up with changes after they are implemented

•Follow security minimum baselines and uncover changes to configuration baselines


Options for handling risk: Risk-avoidance, Transference, Mitigation, Deterrence, Acceptance

• Risks are prioritized as a part of risk assessments and calculations

• The risks that will cost the most harm warrant the most resources to mitigate

• Security controls must be chosen and implemented in a systematic way

– The cost of the control must be less than the impact of the risk

• Including maintenance and monitoring

– The benefit of the control must be measurable or verifiable

Implement Security Controls Based on Risk

Page 159: Security+ Slides


• Detection controls watch for and issue alerts about possible attacks

• Prevention controls work to keep attacks from happening or take action to stop them once they start

• Examples:

– Intrusion detection systems vs. intrusion prevention systems

–Security camera vs. security guard

Detection vs. Prevention Controls


• Intrusion Detection Systems vs. Intrusion Prevention Systems

– IDS

• Monitors network traffic and compares it to known attacks and network history

• Creates alerts when a possible attack or anomaly is detected

• Able to perform limited active controls

– IPS

• Does intrusion detection plus prevention

• Takes action in real time to stop attacks in progress

Detection vs. Prevention Controls


• Security camera vs. security guard (have both for the most benefit)

Detection vs. Prevention Controls

Camera (Detection) | Guard (Prevention)

Technical solution | Non-technical solution

May deter some wrongdoing if cameras are visible | Can proactively deter, prevent, and respond to issues

Always running | Can have gaps in coverage

Records everything within range | Relies on memory

Footage can be replayed later | Relies on memory

Creates evidence for criminal cases | Can collect evidence

Stationary with a limited field of view | Able to move around

Has no intelligence | Flexible and can adapt to situations

Less expensive | More expensive

Page 160: Security+ Slides


• Reducing the attack surface of a system or application

–Disabling unnecessary services

–Protecting management interfaces and applications

• Restrict access

• Change default passwords

• Encrypt remote connections

–Protecting passwords

–Disabling unnecessary accounts

–Keeping patches, updates, and hot-fixes up to date

Hardening


• Checking to make sure policies, procedures, and regulations are being followed

• Do on a routine schedule

• Often carried out by a third party

Perform Routine Audits

Audit cycle: Plan -> Conduct -> Evaluate -> Communicate Results -> Make Changes -> Document and Follow Up


• User rights and permissions reviews

– Private audit

– Do users have the access and privileges that they should and no more?

– Who has administrative privileges?

– Work with management to determine what the expected rights and permissions should be

Perform Routine Audits


Page 161: Security+ Slides


• Usage audit

– How are applications, systems, and resources being used?

– Often done after an incident

• Log file audit

– Studying logs for trends and correlations

– Making sure log files are not growing too large in size

Perform Routine Audits



• Administrative audit

– Are all change management and documentation procedures being carried out?

• Escalation audit

– Are communication and procedures in place to deal with incidents and disasters?

• Regulatory compliance audit

– PCI

– HIPAA

– SOX

Perform Routine Audits



• Data loss policy

–A legal statement that gives an overview of how a company protects its data under normal circumstances

–Also includes a statement that the company is not responsible for data loss due to some situations

• Data loss procedures

–Secure data disposal

–DLP system

–Monitoring

– Information models

–Backup and high availability

–Encryption

Data Loss or Theft Prevention

Page 162: Security+ Slides

Policies


• How a company intends to secure its assets

– Includes expectations for employee behavior, physical access, technical security controls, digital certificate handling, data handling, and more

• Policy sub-types

–Standards

• Mandatory rules that must be followed

–Guidelines

• General rules and recommendations that may require judgment on how and when to follow

–Procedures

• Step-by-step methods for how standards are carried out

Security Policies


• For consumers

–A legal statement of what personal information a company collects from customers and what, if any, of this info is shared with third parties

• For employees

–What information should not be shared outside the company

–A statement to employees about what a company can do with the stored data and transmissions that happen within its network

• Must comply with applicable laws and regulations

• Dictates how data is collected, stored, and transmitted

Privacy Policy

Page 163: Security+ Slides


• Outlines how employees can use company systems and resources

– Internet

–Email

–Software

–Telephones

• How and if personal software and devices are allowed

–Phones

–Tablets

–USB drives

Acceptable Use Policy (AUP)


–Mandatory vacations

– Job rotation

–Separation of duties

– Least privilege

–Password policy

–Clean desk policy

–Due care

–Document disposal and destruction policy

– Incident response

Other Policies


Key Terms You Should Know

Term: Definition

Security Posture: The overall approach a company takes to security

Failsafe: When a system or application fails, it does so in a secure way

Failopen: When a system or application fails, it does so in an unsecure way leading to privilege escalation and bypassing of security controls

Change Management: A systematic approach to plan, approve, test, implement, and document change

Page 164: Security+ Slides


Key Terms You Should Know

Term: Definition

Detection Controls: Security controls that are designed to detect and alert you to possible security issues. Examples are IDS and security cameras

Prevention Controls: Security controls that are designed to prevent security issues. Examples are IPS and security guards

Security Policy: Standards, guidelines, and procedures that outline how a company secures its assets

Privacy Policy: States how customer information is collected and used and if employee data and communications are subject to monitoring

Acceptable Use Policy: States how employees are allowed to use company resources. It also lists rules for how or if personal devices are allowed


What We Covered

Mitigation Strategies

Security Posture

• Initial Baseline Configuration

• Continuous Security Monitoring

• Remediation

Manual Bypassing of Electronic Controls

• Failsafe vs. Failopen

Change Management

Implement Security Controls Based on Risk

Detection vs. Prevention Controls

Hardening

Perform Routine Audits

• User Rights and Permissions Reviews

Data Loss or Theft Prevention


What We Covered

Policies

Security Policies

Privacy Policies

Acceptable Use Policies

Other Policies

Page 165: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Log Monitoring and Reporting

CompTIA Security+ Training

Log Monitoring and Reporting

In This Lesson:

Reporting

• Alerts

• Alarms

• Trends

Monitoring and Analyzing Logs

Log Types

• Event Logs

• Audit Logs

• Security Logs

• Access Logs

Log Management

Exam Objective: 3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques


• Alerts

–Automated messages triggered by predetermined events

–Administrators set the alert triggers

• Low disk space

• Large number of failed login attempts

• Higher than normal CPU or memory usage

• Higher than normal network bandwidth use

• Patch/update failure

–Alert levels: green, yellow, or red

• Alarms

–A critical alert that needs immediate attention

Reporting
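One of the alert triggers listed above, a large number of failed login attempts, implemented as detection logic over log lines, as an added example that is not part of the course. The log lines are constructed in an sshd-like format, and the window and the green/yellow/red thresholds are assumed values an administrator would tune.

```python
"""Alert trigger for 'large number of failed login attempts' (added example).

Not course code. Administrators set the trigger; here the trigger is the peak
number of failures from one source address inside a sliding window, mapped to
the page's green/yellow/red alert levels. Thresholds and log lines are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sshd-style lines: "<ISO timestamp> sshd: Failed password for <user> from <ip>"
LOG_LINES = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T10:00:03 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T10:01:10 sshd: Failed password for root from 203.0.113.9
2024-05-01T10:01:11 sshd: Failed password for root from 203.0.113.9
2024-05-01T10:01:12 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:01:13 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:01:14 sshd: Failed password for test from 203.0.113.9
2024-05-01T10:01:15 sshd: Failed password for test from 203.0.113.9
2024-05-01T10:30:00 sshd: Failed password for bob from 10.0.0.7
2024-05-01T10:31:00 sshd: Failed password for bob from 10.0.0.7
2024-05-01T10:32:00 sshd: Failed password for bob from 10.0.0.7
""".splitlines()

FAILED = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")

# Assumed trigger settings: failures from one source inside WINDOW.
WINDOW = timedelta(minutes=5)
THRESHOLDS = {"red": 6, "yellow": 3}  # fewer than "yellow" -> green


def failed_logins_by_source(lines: List[str]) -> Dict[str, List[datetime]]:
    """Group the timestamps of failed logins by source address."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            events[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    return events


def peak_failures_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of failures from one source inside any single window."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def alert_level(count: int) -> str:
    """Map a failure count to the page's alert levels."""
    if count >= THRESHOLDS["red"]:
        return "red"
    if count >= THRESHOLDS["yellow"]:
        return "yellow"
    return "green"


def evaluate(lines: List[str]) -> Dict[str, str]:
    """Alert level per source address. Green sources are reported too, so the
    operator sees what was considered and not only what fired."""
    return {src: alert_level(peak_failures_in_window(ts, WINDOW))
            for src, ts in failed_logins_by_source(lines).items()}


if __name__ == "__main__":
    for src, level in evaluate(LOG_LINES).items():
        print(f"{src:>14}  {level}")
```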

Page 166: Security+ Slides


• Trends

– Looking at events, alerts, and alarms over time can reveal many things

• Tendencies, underlying problems, equipment starting to fail, and more

–Graphs and reports make it easier to visualize trends

• False Positives

–Alerts that are not actual issues

–Reduce

• Tweaking metrics

• Looking for correlations

Reporting


• Why Log?

–Keeps track of who, what, and when

–Accountability

– Intrusion detection

–Reconstruction after an incident

–Problematic trend detection

–Demonstrating compliance with policy or regulations

• Logs Are Created by Many Sources

–Routers, switches, firewalls, antimalware, IDS, authentication systems, and more

Monitoring and Analyzing Logs


• Many Uses

–Machine health, network performance, user data, and more

–Security

• Incorrect login attempts

• Frequency of database access

• Number of active sessions

• Network traffic

• Automation and Consolidation Software Should Be Used

–Reporting

–Post-event analysis

–Real-time analysis

Monitoring and Analyzing Logs

Page 167: Security+ Slides


• Event logs

–Records system events

• Shutdowns, service starts, state changes, and more

• Performance logs

–Records system performance

• CPU usage, memory usage, disk activity, and network usage

Log Types


• Audit logs

–Records the activities of users and services

• Logins, object access, account changes, and configuration changes

–Holds users accountable

• Catches mistakes, reduces fraudulent activities, and tracks and logs network activity

– In accordance with the organization's security policies

Log Types

Page 168: Security+ Slides


• Security logs

– Logs from security devices, software, and services

• IDS/IPS, firewalls, antivirus software, authentication services

• Access logs

–Records access to resources

–Records physical access to buildings or secure areas

Log Types


• Generating, transferring, storing, analyzing, and disposing of logs

• Security of logs

–Contains info about your network and users

–Restrict access, encrypt, and hash (integrity)

–Protect your log files while at rest and in transit

Log Management

Issues to Be Aware Of

•Limited resources for log analysis and storage

•Lack of clear log analysis goals

•Incompatible or proprietary log formats

•Inconsistent time stamps on logs


• Storage and Backup

–Store logs separate from the devices you are monitoring

–Keep logs in an easy-to-access database for 60-90 days

• Ready for analysis, forensic investigations, and audits

– Log retention

• May be needed for regulatory compliance or legal reasons

• Logs can be compressed for long-term storage

• Log Disposal

–Securely destroy logs once the data retention period has ended

Log Management
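The integrity control on the slides above (hash your logs, keep them away from the monitored device) can be made concrete with a hash chain. The following is an added example, not part of the original slides: each stored record carries the SHA-256 of the record before it, so editing, deleting or reordering any earlier line invalidates every later one. The sample log lines are constructed for the example.

```python
"""Tamper-evident log storage with a SHA-256 hash chain (added example)."""
import hashlib
import json

# Constructed sample records, as they might arrive from a log collector.
SAMPLE_EVENTS = [
    "2011-05-03T14:02:11Z host1 sshd: Accepted password for alice from 10.0.0.5",
    "2011-05-03T14:02:40Z host1 sudo: alice : COMMAND=/usr/bin/passwd bob",
    "2011-05-03T14:03:02Z host1 sshd: Failed password for root from 10.0.0.9",
]

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, message: str) -> str:
    """SHA-256 over the previous record's hash and the current message."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"\n")
    h.update(message.encode())
    return h.hexdigest()


def build_chain(messages):
    """Return a list of {'seq', 'msg', 'prev', 'hash'} records, each linked to the last."""
    records = []
    prev = GENESIS
    for seq, msg in enumerate(messages):
        digest = _digest(prev, msg)
        records.append({"seq": seq, "msg": msg, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq   # gap, reorder or deletion
        if _digest(prev, rec["msg"]) != rec["hash"]:
            return False, expected_seq   # message or stored hash altered
        prev = rec["hash"]
    return True, None


def tamper_copy(records, seq, new_msg):
    """Return a deep copy with one message edited in place (stored hash left as-is)."""
    copy = json.loads(json.dumps(records))
    copy[seq]["msg"] = new_msg
    return copy


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain))
    edited = tamper_copy(chain, 1, "2011-05-03T14:02:40Z host1 sudo: alice : COMMAND=/bin/ls")
    print("after editing record 1:", verify_chain(edited))
    print("after deleting record 1:", verify_chain(chain[:1] + chain[2:]))
```

Only the final hash is needed to check the whole chain, so store that one value where the monitored host cannot write (a remote collector or write-once medium); an attacker who controls the log store itself can otherwise rebuild the chain after editing it.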


Key Terms You Should Know

Alerts: Error, warning, or information notifications

Alarms: The most severe alerts; they need immediate attention

Trends: Patterns of events over time that can point to underlying problems

False Positive: A reported security issue that, once examined, turns out to be a false alarm


What We Covered

Reporting

• Alerts

• Alarms

• Trends

Monitoring and Analyzing Logs

Log Types

• Event Logs

• Audit Logs

• Security Logs

• Access Logs

Log Management


Business Continuity


In This Lesson:

Exam Objective: 2.5 Compare and contrast aspects of business continuity

Business Continuity vs. Disaster Recovery

Business Continuity Planning (BCP) and Testing

Business Impact Analysis

IT Contingency Planning

• Removing Single Points of Failure

Continuity of Operations

Succession Planning


Business Continuity vs. Disaster Recovery

Business Continuity: The continued operation of the organization

Disaster Recovery: Recover from and rebuild the organization after a disaster has occurred


• Writing the policies and deciding on procedures for business continuity

– Identify the critical business functions (CBF)

• CBF are complex and interconnected

– Almost everything goes through IT

–Determine what threats are most likely to cause a disruption

–Create countermeasures that will minimize disruptions

• BCP involves

–Risk mitigation planning

–Change management

–Business impact analysis

–Recovery planning

• Testing

–Test your BCP before you need it!

Business Continuity Planning (BCP) and Testing

[Diagram: BCP lifecycle. Business Impact Analysis -> Develop Solutions -> Implement and Train -> Test -> Maintenance, with documentation at every stage]


• Focuses on the impact of an event and recovering from that event

– Loss of asset or significant change to the business or market

• Not concerned with how the event was caused (threat and vulnerabilities)

• Steps

1. Define and prioritize what the critical business functions (CBF) are

2. Determine the impact of a disruption to a CBF

3. Calculate the amount of time that is acceptable for the disruption to last (recovery time objective)

4. Document the procedures for how to recover and what resources are needed for recovery

Business Impact Analysis


• A part of the overall BCP that covers:

–Security threats

–System failure

–Disaster

• Implement preventative controls

• Remove single points of failure

– IT infrastructure, utilities, or facilities

– Implement redundancy and fault tolerance

–Use analysis calculations to decide which single points of failure to remove

• Document contingency strategies and procedures

• Perform and test backups

IT Contingency Planning


• Some refer to a continuity of operations plan (COOP) as the same as a BCP

• NIST refers to a COOP as a plan for how to restore essential functions at an alternative site

–Order of succession

–Order of functions to be brought back up

–Human resources management

–Budget

Continuity of Operations


• Having individuals prepared to fulfill/replace key positions within the company

–Planned or unplanned

–A comprehensive succession plan funnels down the line

• Minimize disruption that a gap in leadership could cause

• What does that mean for IT?

–Digital certificate key management

–Account management

Succession Planning


Key Terms You Should Know

Business Continuity Planning: Analyzing, developing, implementing, training, testing, and maintaining the policies and processes that keep critical business functions going day-to-day and minimize the impact of disruptions

Business Impact Analysis: Determines the most important critical business functions, the impact of a disruption to those functions, and how to recover from the disruption

Single Point of Failure: A component of a system that, if it fails, causes the entire system to fail

Critical Business Functions (CBF): A process that is vital to the health of the business. If this process were to sustain a long disruption the company would suffer great loss


What We Covered

Business Continuity vs. Disaster Recovery

Business Continuity Planning (BCP) and Testing

Business Impact Analysis

IT Contingency Planning

• Removing Single Points of Failure

Continuity of Operations

Succession Planning


Disaster Recovery Planning


In This Lesson:

Exam Objective: 2.7 Execute disaster recovery plans and procedures

Disaster Recovery Plan

Service Level Agreement (SLA)

• Mean Time to Restore (MTTR)

• Mean Time Between Failures (MTBF)

• Recovery Time Objectives (RTO)

• Recovery Point Objectives (RPO)

Utilities

Backup and Recovery

Backup Types

Backup Plans

Backup Storage Options

Recovering from Backups

Backup and Recovery Considerations

High Availability

Redundancy

Fault Tolerance

RAID

Load Balancing

Clustering

Alternate/Backup Sites

• Hot, Cold, and Warm Sites


• Scope

– IT backup and recovery procedures

–People

– Locations

• Develop, test, train, maintenance, and document

• Who sees the plan?

Disaster Recovery Plan


• Mean Time to Restore (MTTR)

–Also called mean time to repair

–The average time it takes to repair a given component or system

• Mean Time Between Failures (MTBF)

–Estimation of how often an outage will happen

• Recovery Time Objectives (RTO)

–The longest acceptable duration of downtime

–What is the benchmark for what is considered “uptime”?

• Recovery Point Objectives (RPO)

–How much data loss or other loss is acceptable?

–Measured as a span of time (usually hours) since the last good copy of the data

Service Level Agreement (SLA)


• Power, phones, and internet connectivity can be lost in a disaster

• Single points of failure outside of the company's control

–Know the backup policy for your ISP

• Disaster recovery plans can have provisions for utilities

–Backup generators

Utilities


Backup and Recovery


Backup Types

Backup Type      Description                                                           Archive Bit Cleared?
Full             Backs up all files                                                    Yes
Incremental      Backs up only the files that have changed since the last backup       Yes
                 (full or incremental); also called differential incremental
Differential     Backs up the files that have changed since the last full backup       No
                 (also called cumulative incremental)
Copy             A copy of all data                                                    No
Snapshot/Image   A copy of the entire system taken at a point in time                  N/A


• What to back up?

– Databases, email database, user files, etc.

• What method and frequency of backups?

– Full Archival Method

– Grandfather, Father, Son Method (GFS)

– Progressive Paradigm (Incremental Forever)

• How long to retain backups?

• Short-term

• Long-term

• Do not confuse backups with archives

Backup Plans

Backup Plans

Grandfather, Father, Son Method

[Diagram: three rotating tape sets. Son: weekly tapes (Week 1 to Week 5); Father: monthly tapes (January to December); Grandfather: yearly tapes (2004 to 2010)]


• Backup Media

– Tape

– Disk

– Optical

– Online

• Location of Backups

– Secure backup media wherever it is

– Onsite: less expensive, easier, but is not protected against local disasters

– Offsite: more expensive, requires more overhead, but data is protected against local disasters

– Both would be ideal

Backup Storage Options


• Practice the restoration process

–Depending on the backup type you can restore individual files, mailboxes, databases, whole systems, etc.

• Be sure your backups are usable

–Configuration auditing

–Error detection

–Keep old backup hardware

Recovering from Backups


• Backup vs. Backout

–Backup: Used to restore data due to data corruption, data loss, or hardware failure

–Backout: Used to restore back to a previous point

• A way to undo a change that has been made

– Updates, configuration changes, software installs, migrations, and firmware updates

• A good backout policy prepares for this with images, snapshots, or other backups

Recovering from Backups


Examples

Recovering from Backups

Incremental Backups to Tapes

Sun    Mon    Tues   Wed    Thur   Fri    Sat
Full   Inc 1  Inc 2  Inc 3  Inc 4  Inc 5  Inc 6

Tapes Needed for Full Restore (as of Thursday): Full, Inc 1, Inc 2, Inc 3, Inc 4

Differential Backups to Tapes

Sun    Mon    Tues   Wed    Thur   Fri    Sat
Full   Diff 1 Diff 2 Diff 3 Diff 4 Diff 5 Diff 6

Tapes Needed for Full Restore (as of Thursday): Full, Diff 4
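The two restore chains above follow directly from how each backup type treats the archive bit. The following is an added example, not part of the original slides: it simulates a week of backups with a constructed set of files and a constructed change schedule, applying the archive-bit rules from the Backup Types table, and returns the tapes needed to restore as of a given day. It also shows that the newest differential tape holds exactly the union of the incremental tapes since the full.

```python
"""Archive-bit simulation of full, incremental and differential chains (added example)."""
from collections import OrderedDict

DAYS = ["Sun", "Mon", "Tues", "Wed", "Thur", "Fri", "Sat"]

# Constructed: which files are modified on each day after the Sunday full backup.
CHANGES = {
    "Mon": {"payroll.db"},
    "Tues": {"mail.pst"},
    "Wed": {"payroll.db", "report.docx"},
    "Thur": {"web.conf"},
    "Fri": set(),
    "Sat": {"mail.pst"},
}
ALL_FILES = {"payroll.db", "mail.pst", "report.docx", "web.conf", "readme.txt"}


def simulate_week(scheme):
    """Sunday full backup, then one 'incremental' or 'differential' backup per day.

    Returns an ordered mapping of tape label -> set of files written to that tape.
    """
    if scheme not in ("incremental", "differential"):
        raise ValueError("scheme must be 'incremental' or 'differential'")
    archive_bit = {f: True for f in ALL_FILES}   # a new file starts with the bit set
    tapes = OrderedDict()

    # Full backup copies everything and clears every archive bit.
    tapes["Full"] = set(ALL_FILES)
    for f in archive_bit:
        archive_bit[f] = False

    label = "Inc" if scheme == "incremental" else "Diff"
    for n, day in enumerate(DAYS[1:], start=1):
        for f in CHANGES[day]:
            archive_bit[f] = True                # the OS sets the bit when a file changes
        backed_up = {f for f, bit in archive_bit.items() if bit}
        tapes[f"{label} {n}"] = backed_up
        if scheme == "incremental":              # incremental clears the bit, differential does not
            for f in backed_up:
                archive_bit[f] = False
    return tapes


def restore_set(scheme, day):
    """Tapes needed, in restore order, to recover the system as of the given day."""
    n = DAYS.index(day)
    if n == 0:
        return ["Full"]
    if scheme == "incremental":
        # Full plus every incremental up to and including that day.
        return ["Full"] + [f"Inc {i}" for i in range(1, n + 1)]
    # Full plus only the latest differential; it already holds all changes since the full.
    return ["Full", f"Diff {n}"]


def changed_since_full(scheme, day):
    """Union of files on the non-full tapes in restore_set(); both schemes must agree."""
    tapes = simulate_week(scheme)
    changed = set()
    for label in restore_set(scheme, day)[1:]:
        changed |= tapes[label]
    return changed


if __name__ == "__main__":
    print("incremental, Thursday:", restore_set("incremental", "Thur"))
    print("differential, Thursday:", restore_set("differential", "Thur"))
    for label, files in simulate_week("differential").items():
        print(f"{label:7} {sorted(files)}")
```

The trade-off the slides describe falls out of the simulation: the incremental tapes are small (Friday's is empty) but a restore needs all of them and fails if any one is unreadable, while each differential tape grows through the week but a restore needs only the full and the latest one.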

Backup Challenges

•Growing amount of data

•Remote office locations

•24 hour business

•Regulatory and legal requirements

Backup and Recovery Best Practices

•Have onsite or online backups for fast recovery

•Keep copies of backups and archives offsite

•Have point-in-time versions in case of accidental changes or deletions

•Include error checking to make sure backups were created correctly

•Continually revisit the organization's backup needs as technology changes

•Do practice recoveries to test your backups

Backup and Recovery Considerations


High Availability (HA)


• Having duplicate systems, devices, or data paths to failover to when a failure occurs

–Redundant servers can be clustered or load balanced

–Can also have redundant hardware like firewalls and routers

• Redundant components and spare parts

• Ensure functionality continues

–Might not be automatic failover (high availability)

Redundancy


• The ability for a device or system to remain operational in the event of a component failure

–Might have reduced functionality or efficiency

• Redundant hardware components

• Backup power or at least an uninterruptable power supply (UPS)

Fault Tolerance


• Also called redundant array of inexpensive disks

• Using multiple disks to provide fault tolerance and improve performance

RAID: Redundant Array of Independent Disks

RAID Level Name Redundant?

0 Disk Striping No

1 Disk Mirroring Yes

5 Disk Striping with Distributed Parity Yes

6 Disk Striping with Dual Parity Yes

10 (1+0) Mirrored Stripe Set Yes
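The table says which RAID levels are redundant; to see why parity provides redundancy, here is an added example (not from the original slides) that stripes a constructed data block across three data chunks plus one XOR parity chunk in the manner of RAID 5, then rebuilds a chunk after a simulated disk loss. Real controllers rotate the parity chunk across the disks and work on fixed-size blocks; the example keeps to a single stripe.

```python
"""XOR parity as used by RAID 5, shown on a single stripe (added example)."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("all chunks in a stripe must have the same length")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def stripe(data: bytes, data_disks: int):
    """Split data into data_disks equal chunks (zero padded) and append the parity chunk.

    Returns data_disks + 1 chunks; the last one is parity.
    """
    chunk = -(-len(data) // data_disks)            # ceiling division
    padded = data.ljust(chunk * data_disks, b"\0")
    chunks = [padded[i * chunk:(i + 1) * chunk] for i in range(data_disks)]
    return chunks + [xor_blocks(chunks)]


def rebuild(chunks, lost_index):
    """Recover the chunk at lost_index (data or parity) from the surviving chunks.

    A lost chunk is represented by None. With one loss the XOR of the survivors is
    exactly the missing chunk; with two losses there is not enough information.
    """
    survivors = [c for i, c in enumerate(chunks) if i != lost_index and c is not None]
    if len(survivors) != len(chunks) - 1:
        raise ValueError("single parity can only tolerate one lost chunk per stripe")
    return xor_blocks(survivors)


def read_data(chunks, length):
    """Reassemble the original data from the data chunks (parity excluded)."""
    return b"".join(chunks[:-1])[:length]


if __name__ == "__main__":
    payload = b"customer-ledger-2011"           # constructed sample data
    disks = stripe(payload, data_disks=3)
    print("parity chunk:", disks[-1].hex())
    disks[1] = None                             # simulate the second disk failing
    disks[1] = rebuild(disks, 1)
    print("rebuilt:", read_data(disks, len(payload)))
```

Rebuilding reads every surviving disk, which is why a second failure during the rebuild window is the classic RAID 5 loss scenario and why RAID 6 adds a second, independent parity calculation.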


• Distributes computing workload across multiple machines

• If one redundant server goes down the load balancer will compensate (availability)

Load Balancing

[Diagram: Clients -> Load Balancer -> Switch -> Redundant Servers]


• A group of servers running the same applications or services

• Nodes monitor each other, and can balance load among themselves, over a heartbeat connection

• When the active node stops answering the heartbeat, the passive node takes over (active/passive)

• More complex clustering has all nodes active at the same time (active/active)

Clustering

[Diagram: Clients -> Primary Node and Secondary Node, both attached to Shared Storage]


Alternate/Backup Sites

[Diagram: Main Site replicated in real time to a Hot Site]

[Diagram: Main Site and a Cold Site (empty facility, no systems or data)]

[Diagram: Main Site and a Warm Site (partial infrastructure and/or data)]


Key Terms You Should Know

Mean Time to Restore (MTTR): The average time required to repair a failed component or device

Mean Time Between Failures (MTBF): The predicted time between failures of a system during operation

Recovery Time Objective (RTO): The maximum time within which a process must be restored before the outage causes an unacceptable impact to business continuity

Recovery Point Objective (RPO): How much data, expressed as a span of time (usually hours), can be lost; in other words, how far back in time it is acceptable to recover to

Backout Plan: The policies and procedures for preparing for and carrying out a backout. A backout is rolling back a system to a specific point in time


High Availability: The approach and system implementation that ensures a high level of continued operations (uptime). What is considered an acceptable amount of downtime is decided on a case by case basis

Redundancy: The duplication of critical components, systems, or functions to increase reliability and uptime

Fault Tolerance: The ability of a system to continue operation, rather than failing completely, when a component fails

Redundant Array of Independent Disks (RAID): Using different configurations of disk drives and their data distribution to improve performance and fault tolerance


Clustering: Using a group of linked computers working together to improve performance and availability

Hot Site: A remote location with redundant systems and data that is updated in real time

Cold Site: A remote location that has no data or systems but is available as a contingency location to rebuild systems from backups

Warm Site: A remote location that has some infrastructure and/or data ready but requires some time and human effort before systems are up and running


What We Covered

Disaster Recovery Plan

Service Level Agreement (SLA)

• Mean Time to Restore (MTTR)

• Mean Time Between Failures (MTBF)

• Recovery Time Objectives (RTO)

• Recovery Point Objectives (RPO)

Utilities


Backup and Recovery

Backup Types

Backup Plans

Backup Storage Options

Recovering from Backups

Backup and Recovery Considerations

High Availability

Redundancy

Fault Tolerance

RAID

Load Balancing

Clustering

Alternate/Backup Sites

• Hot, Cold, and Warm Sites


Incident Response


In This Lesson:

Exam Objective: 2.3 Execute appropriate incident response procedures

Incident Response Plan

Damage and Loss Control

Chain of Custody

First Responder

Basic Forensic Procedures

• Order of Volatility (OOV)

• Record Time Offset

• Capture System Image

• Document Network Traffic and Logs

• Collect Relevant Backups

• Capture Video

• Take Hashes

• Capture Screenshots

• Interview Witnesses

• Track Man Hours and Expense


• “Incident”

• Policies and procedures

–Response procedures

– Incident response team

–Resources available

– Forensic policies

• Evidence gathering procedures

–Communication

Incident Response Plan

Priority matrix (1 = highest priority)

                 Urgency
Impact        High   Med   Low
High            1     2     3
Med             2     3     4
Low             3     4     5


Incident Response Plan

Identify and Report

• Detection

• Confirmation

• Log

Investigate

• Diagnose

• Categorize and Prioritize

• Escalate

• Create Recovery Plan

Resolve/Recover

• Carry Out

• Test

Debrief

• Document

• Lessons Learned

• Make Improvements


• Minimizing loss due to an incident

• Know how many and which systems are affected by the incident

• Disconnect the affected systems from the network

• Keep critical business functions available

Damage and Loss Control

Forensics


• Maintain the CIA of the evidence

• Imperative for using evidence in a court of law

• Document and label when, where, who, and how each piece of evidence was collected

• Seal in tamper evident bags with evidence tags on the outside

• Log when and who touches or transports any piece of evidence

• Store long term under lock and key

Chain of Custody


• What to do if you are the first person to uncover or respond to an incident

• Assess the situation and contain the incident

–Unplug the affected systems from the network

* If allowed by incident response policies

• Don’t disturb the environment if evidence needs to be collected

–Think about the chain of custody

• Follow the escalation policy

–Who to notify

–What policies and procedures to follow

• Human safety overrides all of the above: if a life is in danger, act on that first

First Responder


• Order of Volatility (OOV)

–Collect the shortest living evidence first

• Record Time Offset

–Note how much time the clock on each affected system is off from the real time

– Important for reconstructing an accurate timeline

• Capture System Images

–Make duplicates of the exploited system to gather information from

–Some forensic policies require the original to stay intact (best evidence rule)

Basic Forensic Procedures


• Document Network Traffic and Logs

–Useful to reconstruct the attack

– Look for trends

• Collect Relevant Backups

–Secure any backups created for the affected systems during and before the incident took place

• Capture Video

–Record the state of the physical environment

–While carrying out forensic procedures

Basic Forensic Procedures


• Take Hashes

–A way to know if a file or image has changed

–Traditionally a 128-bit MD5 hash; MD5 is no longer collision resistant, so record a SHA-256 hash as well (or instead)

• Capture Screenshots

– Use a screen-capture application on the duplicate image

– Use a digital camera if on the exploited system

• Interview Witnesses

–Ask and document (record interview if possible)

–Sooner rather than later

Basic Forensic Procedures


• Track Man Hours and Expense

–Keep track of how much an incident cost to investigate and resolve

–Document the time it takes for each step and the cost of all resources used

• Document everything and maintain the chain of custody

Basic Forensic Procedures
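Two of the procedures above, Record Time Offset and Take Hashes, are easy to get wrong under pressure, so here they are worked through in code. This is an added example, not from the original slides: the offset between the suspect system's clock and a trusted reference is recorded once and then applied to every timestamp taken from that system, so its events can be placed on one timeline with events from a source whose clock is trusted; evidence bytes are hashed with both MD5 (the algorithm named on the slide) and SHA-256 and verified later. The clock readings, log events and evidence bytes are all constructed.

```python
"""Record time offset and evidence hashing for a forensic timeline (added example)."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed: what the suspect host's clock read and what a trusted NTP-synced
# reference read at the same instant during acquisition.
SYSTEM_CLOCK = datetime(2011, 6, 14, 9, 17, 40, tzinfo=timezone.utc)
REFERENCE_CLOCK = datetime(2011, 6, 14, 9, 12, 10, tzinfo=timezone.utc)

# Constructed: events from the suspect host's logs, stamped by its own (skewed) clock.
RAW_EVENTS = [
    ("2011-06-14T09:05:02Z", "suspect", "sshd: Accepted password for svc from 192.0.2.44"),
    ("2011-06-14T09:06:30Z", "suspect", "cron: (root) CMD /tmp/.x/update"),
]
# Constructed: an event from a firewall whose clock is trusted.
TRUSTED_EVENTS = [
    ("2011-06-14T08:59:20Z", "firewall", "ACCEPT 192.0.2.44 -> 10.0.0.12:22"),
]


def time_offset(system_clock, reference_clock) -> timedelta:
    """Recorded offset; positive when the system clock runs ahead of the reference."""
    return system_clock - reference_clock


def correct(ts_str: str, offset: timedelta) -> datetime:
    """Convert an ISO-8601 Zulu timestamp from the skewed clock to reference time."""
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts - offset


def build_timeline(raw_events, trusted_events, offset):
    """Merge skewed and trusted events into one list ordered by corrected time."""
    timeline = [(correct(ts, offset), src, msg) for ts, src, msg in raw_events]
    timeline += [(correct(ts, timedelta(0)), src, msg) for ts, src, msg in trusted_events]
    return sorted(timeline)


def hash_evidence(data: bytes) -> dict:
    """MD5 and SHA-256 of an evidence image; write both on the evidence tag."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_evidence(data: bytes, recorded: dict) -> bool:
    """True only if every recorded digest still matches the bytes."""
    return hash_evidence(data) == recorded


if __name__ == "__main__":
    off = time_offset(SYSTEM_CLOCK, REFERENCE_CLOCK)
    print("recorded offset:", off)
    for when, src, msg in build_timeline(RAW_EVENTS, TRUSTED_EVENTS, off):
        print(when.isoformat(), src, msg)
    image = b"\x00" * 512 + b"evidence"        # constructed stand-in for a disk image
    tag = hash_evidence(image)
    print("intact:", verify_evidence(image, tag),
          "altered:", verify_evidence(image + b"!", tag))
```

Without the correction the SSH login would appear on the timeline more than five minutes after the firewall saw the connection; with it the order is firewall, login, cron job. Hash the acquired image once on the original media and again on every copy you work from, and keep the recorded digests with the chain-of-custody paperwork rather than on the evidence drive.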


Key Terms You Should Know

First Responder: In IT incident response, the first person to discover or respond to an incident; attempts to contain the incident and notifies the proper personnel

Chain of Custody: Detailed documentation about the gathering, custody, transfer, analysis, and disposal of evidence

Order of Volatility: In IT incident response, information that will disappear quickly (such as the contents of RAM) is gathered before less volatile information


What We Covered

Incident Response Plan

Damage and Loss Control

Chain of Custody

First Responder

Basic Forensic Procedures

• Order of Volatility (OOV)

• Record Time Offset

• Capture System Image

• Document Network Traffic and Logs

• Collect Relevant Backups

• Capture Video

• Take Hashes

• Capture Screenshots

• Interview Witnesses

• Track Man Hours and Expense


User Education


In This Lesson:

Exam Objective: 2.4 Explain the importance of security-related awareness and training

Security Policy Training and Procedures

• Compliance with Laws, Best Practices, and Standards

Threat Awareness

• New Viruses

• Phishing Attacks

• Zero Day Exploits

Regulatory Compliance

Personally Identifiable Information

Social Networking

Peer to Peer (P2P) File Sharing

User Habits

• Password Behaviors

• Data Handling

• Clean Desk Policies

• Personally Owned Devices

Information Classification

Data Labeling, Handling, and Disposal


• Compliance with laws, best practices, and standards

• Communication and awareness

• Communicate the importance and rationale for the policies

• Foster user acceptance and buy-in

• Get feedback on user experience and concerns

• Education and training

–Expectations for behavior

–Types: On-the-job, mandatory meetings, classroom, online, CBT

Security Policy Training and Procedures


• Keep informed of the latest threats

–Zero day exploits

• Communicate with users about current threat topics

–Monthly email

–SharePoint

• Topics include:

–Phishing attacks – remind users to not click on links in emails or IMs

–Social engineering tactics

–New viruses and zero day exploits – remind users to keep their home computers patched and up to date

Threat Awareness


• HIPAA: Health Insurance Portability and Accountability Act

–Health and insurance institutions must keep patients’ health information secured

• PCI DSS: Payment Card Industry Data Security Standard

–Designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment

• SOX: Sarbanes-Oxley Act

–Mandates strict reporting requirements and internal controls of financial information

Regulatory Compliance


• GLBA: Gramm-Leach-Bliley Act

–Requires banks and financial institutions to communicate their privacy policies about disclosing customer information

• FERPA: Family Educational Rights and Privacy Act

–Says that student information cannot be disclosed without the student's permission

–A student must be given access to their own records if requested

Regulatory Compliance


• Information that can be used to identify an individual

–Social Security number, birth date, address, biometric info

• Information linked to an individual

–Medical records, financial information, employee file

• Which PII is and is not protected is defined in the company's privacy policy

Personally Identifiable Information (PII)


• Users must safeguard customer and employee PII against identity theft

• Educate users on

–Regulatory policies and procedures concerning PII

–Examples of PII breaches in the news

–The latest scams that target PII to be aware of

Personally Identifiable Information (PII)


• Users should not post sensitive company information on social networking sites

• Malware, XSRF, phishing, and other attacks are common on social networking sites

• Shortened URLs can lead anywhere

Social Networking


• Ban and disable on company devices

• Train users on the dangers of personal use

• Why?

–Music and other file sharing sites are rife with malware downloads

–Pirated software is not allowed on company assets

–An avenue for data breaches

• Accidentally or by malicious insiders

Peer to Peer (P2P) File Sharing


• Password behaviors

–Don’t use dictionary words or anything associated with the user

–Don’t use the same password for multiple accounts

• Clean desk policies

–Employees are responsible for clearing their workspace of sensitive papers when they leave the office

–Have a clearly stated policy that users read and sign

User Habits


• Data handling

–Encrypt data before emailing, putting on removable media, or using unsecured file transfer protocols

–Store files in the appropriate place on the network

–Take care that only authorized people see printouts and faxes

–Properly label and dispose of data

–Don’t share credentials or ID badges with anyone

• Safe computing

–Connecting to wireless networks

–Being aware of spoofing and phishing

–Downloading files and attachments

User Habits


• Personally owned devices

–The most secure method would be to not allow personal devices

• Proprietary data can be leaked

• Malware can be introduced

– If devices are allowed the acceptable use policy needs to clearly spell out rules and restrictions

• Extensive awareness training needs to be done

• Couple with data loss prevention (DLP) systems and other security controls

User Habits


• Sensitivity of data

–Some data is more sensitive than other data

–Hard copy vs. soft copy

–Use different classifications to label data sensitivity levels

• Government: Unclassified, Sensitive, Confidential, Secret, Top Secret

• Public, Internal, Confidential, Secret

• Data availability classifications

– Labels can also be created based on how imperative data is to critical business functions

Information Classification


Information Classification

Information Security Scheme (example)

                       Public       Internal            Confidential        Secret
Viewable By            Everyone     Select Employees    Select Employees    Select Leadership
Data Integrity         Desired      Required            Required            Vital
Impact of Disclosure   Acceptable   Inconvenience       Damaging            Catastrophic
Impact of Loss         Acceptable   Inconvenience       Damaging            Catastrophic
Value to Competitor    Minimal      Interesting         Significant Gain    Significant Gain


Information Classification

Information Availability Scheme (example)

              Nice to Have   Important      Very Important   Mission Critical
Downtime      1 Week         2 Days         8 Hours          1 Hour
Hours         N/A            6 am - 6 pm    6 am - 6 pm      24h x 7d
% Available   70%            85%            95%              99.99%


• Labeling

–Clearly label data media used for backup, archival, and transport

• Handling

–Have a clean desk policy and other hard data policies

–Users should not share their credentials

• Disposal

–Decommissioning devices

• What is data and information on the device worth?

• Physically destroy

–Deleting old data

• Secure wipe using a specialized utility

–Shred paper copies

Data Labeling, Handling, and Disposal


Key Terms You Should Know

Personally Identifiable Information (PII): Information that can be used to identify a person or be linked to a person

Clean Desk Policy: A policy that states that employees must have their workspace cleared of any sensitive company information before leaving the office

Peer to Peer (P2P) File Sharing: Clients share media files through an interconnected network of nodes with no centralized server


What We Covered

Security Policy Training and Procedures

• Compliance with Laws, Best Practices, and Standards

Threat Awareness

• New Viruses

• Phishing Attacks

• Zero Day Exploits

Regulatory Compliance

Personally Identifiable Information

Social Networking

Peer to Peer (P2P) File Sharing


User Habits

• Password Behaviors

• Data Handling

• Clean Desk Policies

• Personally Owned Devices

Information Classification

Data Labeling, Handling, and Disposal


Social Engineering


In This Lesson:

Exam Objective: 3.3 Analyze and differentiate among types of social engineering attacks

Social Engineering Overview

Impersonation

Tailgating

Dumpster Diving

Shoulder Surfing

Phishing

• Vishing

• Spear Phishing

• Whaling

Hoaxes

Reverse Social Engineering


• Manipulating people into performing actions or divulging information

• Varied techniques used by attackers

–Both technical and non-technical

• Technical controls are useless if users can be convinced to bypass them for attackers

Social Engineering Overview


• Why social engineering works

– Fear

– Laziness

–Desire to obtain free awards or money offered

–Wanting to be helpful

–Flattery or distraction

– Lack of awareness

Awareness and education

• Policies and procedures

• Mandatory training

• Continued follow-up

Social Engineering Overview


• On the phone

– Fellow employee or the boss

–Authority figure like a fire marshal

–Survey taker

–Customer

Define what information should never be told over the phone

• In person

–Maintenance person

–Delivery person

Train users to check credentials and verify that all outside people are allowed to enter. Escort non-employees while in the building

Impersonation


• A person follows someone past a security checkpoint without using their own credentials

• Also called piggybacking

–Piggybacking sometimes implies that the authorized person consented; tailgating is done without their knowledge

• Methods

–Confidently following the authorized person past the door after they have swiped in

–Blending in with a large crowd

–Having full hands so that someone will hold open the door

–Convincing an authorized person that the unauthorized person has forgotten or lost their ID

Train employees to insist that every person authenticates

Tailgating

Dumpster Diving

• Someone looking through the trash or recycling to gain information

–Passwords

–Details an “insider” would know to use in future attacks

• Have a proper disposal policy

–Third-party disposal companies are available to securely throw away or recycle trash

Train users to follow the paper shredding and media/equipment disposal policy

Shoulder Surfing

• Directly observing unauthorized information

–Password

–PIN

• Attacker must have physical access

• Eavesdropping

– Listening in on a conversation to gain information

• Snooping

– Looking through files and papers to gain information

– Looking under your keyboard or other obvious places for passwords

Train employees to be aware of their surroundings


• Trying to get personal information by pretending to be a trusted person, company, or website

• Often comes as email

–Reply to email with personal info

–Click on a link

–Call “customer service” representative on the phone

• Uses logos and color schemes to try to mimic the legitimate entity

• Tries to create a sense of urgency or fear

Train users to never follow instructions in an email without verifying that it isn't a scam first

Phishing

Page 200: Security+ Slides

Phishing Example

CompTIA Security+ Training

Social Engineering

• Sub-types of phishing

–Whaling: spear phishing targeted at executives or people with access to especially sensitive information

–Vishing: phishing over VoIP

–Spear Phishing: using information specific to a person/company to make a phishing attempt seem more legitimate

Phishing

CompTIA Security+ Training

Social Engineering

• Chain emails or social media that contain misinformation

• Wastes time and resources

– Lost productivity

–Email database space and backups

–Paper printouts

• Concerned and frightened users will notify IT staff

• Stay abreast of current hoaxes

• Use spam filters to filter hoax emails from getting to users

Train users on how to check if an email is a hoax

• Snopes

• Antimalware vendors

Hoaxes

Page 201: Security+ Slides

CompTIA Security+ Training

Social Engineering

• The attacker makes themselves interesting or available to the victim

–Most common example is offering help for a future problem

• The victim contacts the attacker and readily offers information

–The victim calls or emails the “helper” to ask for help to fix a problem

• Other social engineering methods or reconnaissance are done first to set up for the reverse attack

Train users to verify that anyone that offers help does in fact work for the company

Reverse Social Engineering

CompTIA Security+ Training

Social Engineering

Key Terms You Should Know

Social Engineering: Deceiving a person into revealing confidential information or performing a task

Impersonation: In regards to social engineering, the attacker pretends to be someone who is authorized

Tailgating: A person follows an authorized person through a security checkpoint (like a door with a scan card reader) without authenticating themselves

Dumpster Diving: Looking through trash for details about an organization

CompTIA Security+ Training

Social Engineering

Key Terms You Should Know

Shoulder Surfing: Observing confidential information like a password being typed in

Hoaxes: Misinformation that leads to wasting of time and resources. Normally comes in the form of emails or in social media

Reverse Social Engineering: The victim is lured into contacting the attacker resulting in a higher amount of trust for the attacker. This is normally done by offering help or gifts

Page 202: Security+ Slides

CompTIA Security+ Training

Social Engineering

What We Covered

Social Engineering Overview

Impersonation

Tailgating

Dumpster Diving

Shoulder Surfing

Phishing

• Vishing

• Spear Phishing

• Whaling

Hoaxes

Reverse Social Engineering

Page 203: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Cryptography Concepts

CompTIA Security+ Training

Cryptography Concepts

In This Lesson:

Exam Objective: 6.1 Summarize general cryptography concepts

Cryptography Overview

Symmetric vs. Asymmetric Encryption

Digital Signatures

Non-repudiation

Encryption/Decryption Methods

• Block Cipher

• Stream Cipher

• Elliptic Curve Cryptography (ECC)

• Quantum Cryptography

Cryptographic Hashing

Transport Encryption

Steganography

Use of Proven Technologies

CompTIA Security+ Training

Cryptography Concepts

• What is Cryptography?

–The science and study of hiding information

• Hiding information by converting plaintext into ciphertext (encryption)

• Then back from ciphertext to plaintext (decryption)

Cryptography Overview

Figure: Cryptography overview

Plaintext: If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can

→ Encryption Algorithm (with Key) →

Ciphertext: ec40619a9ebccd6ce2b5ef1a256e03eb697aaa34aad84ae9d0fff1817e9a7bddab3a5c8083dcf449bf53b8f14c5f05006576a223b26b36372619e249509d1413504fd67d878ee3e323cfdede6f2e41

→ Decryption Algorithm (with Key) →

Plaintext: If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can

Page 204: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

• Benefits of cryptography

–Confidentiality

• Protecting data in transit

• Protecting data at rest

–Non-repudiation and authentication

• A message encrypted with your private key or signed with your digital signature had to come from you

Cryptography Overview

CompTIA Security+ Training

Cryptography Concepts

• Benefits of cryptography

–Access control

• With symmetric encryption only the secret key holder can decrypt the ciphertext

• With asymmetric encryption a digital certificate can be used for authentication and thus access control

– Integrity

• Message digests can be used to know if a message was tampered with during transit

Cryptography Overview

CompTIA Security+ Training

Cryptography Concepts

• How cryptography works

–A cipher and a key(s)

• An algorithm encrypts data by applying a key to plaintext

• Another algorithm decrypts data by applying a key to ciphertext

–Some ciphers/algorithms are stronger than others

– Longer keys make stronger encryption

• 40-bit key is not secure

• Classic ciphers

–Substitution ciphers

–Transposition ciphers

Cryptography Overview

Page 205: Security+ Slides

Substitution Cipher Example

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

ROT6 Caesar Substitution Cipher

Plaintext: asparagus

Ciphertext: gyvgxgmay
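The ROT6 substitution above, worked in code. This is an added example and not part of the original slides: a Caesar shift encrypt/decrypt pair, plus a brute-force routine that simply tries every one of the 25 possible shifts. That second function is the point the following slides make about key length: a keyspace this small gives no security, because the "attack" is just reading all candidates. Function names are my own.

```python
import string
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Shift each letter forward by `shift` places (ROT6 on the slide: shift=6).
    Non-letters pass through unchanged; case is folded to lower."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is the same substitution with the shift reversed."""
    return caesar_encrypt(ciphertext, -shift)


def brute_force(ciphertext: str) -> Dict[int, str]:
    """Try every possible key. A Caesar cipher has only 25 meaningful shifts,
    so the key is not needed at all: every candidate plaintext can be listed."""
    return {shift: caesar_decrypt(ciphertext, shift) for shift in range(1, 26)}


def recover_shift(ciphertext: str, crib: str) -> Optional[int]:
    """Pick the shift whose candidate plaintext contains a word we expect (a crib)."""
    for shift, candidate in brute_force(ciphertext).items():
        if crib in candidate:
            return shift
    return None


if __name__ == "__main__":
    ct = caesar_encrypt("asparagus", 6)
    print(ct)                              # gyvgxgmay, as on the slide
    print(recover_shift(ct, "asparagus"))  # 6
```

Compare the 25 candidates here with the "40-bit key is not secure" remark on the next slide: a 40-bit key has about a trillion candidates, which is still small enough to enumerate on commodity hardware, which is why modern symmetric keys are 128 bits or longer.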

CompTIA Security+ Training

Cryptography Concepts

• Symmetric Encryption

–The same secret key is used for encryption and decryption

• Key management is the biggest concern

– Getting the secret key securely to both parties

– Keeping the key a secret

–Generally faster than asymmetric encryption alone

–Strength is affected by

• Length of the key

• Number of iterations through the algorithm

–Vulnerable to brute force attacks

Symmetric vs. Asymmetric Encryption

CompTIA Security+ Training

Cryptography Concepts

• Asymmetric Encryption

–A key pair is used: one key is used for encryption and the other for decryption

• Public key is publicly available

• Private key must be kept secret

–Either key can encrypt and either key can decrypt

• Encrypt with public decrypt with private

• Encrypt with private decrypt with public

• Messages encrypted with private cannot be decrypted with private

• Messages encrypted with public cannot be decrypted with public

Symmetric vs. Asymmetric Encryption

Page 206: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

• Digitally sign data and messages

• Provides authenticity, non-repudiation, and integrity

• Confirms that the data or message you have received is from who it says it is from

• Confirms that the message was not altered during transit

Digital Signatures

CompTIA Security+ Training

Cryptography Concepts

–Assuring that the author of a message can not later refute the fact that they sent that message

–Extra non-repudiation services can be built in to encryption and digital signatures

• Proof of origin

• Proof that the data has been received and received correctly

–Does not account for unauthorized physical access

• Sending a message from someone else’s computer

Non-repudiation

CompTIA Security+ Training

Cryptography Concepts

• Block cipher

– Fixed length chunks of bits (blocks) are encrypted

–Blocks can be padded if the data is too short

–Result is the same sized blocks of ciphertext

–Use initialization vectors so that encrypting the same data again with the same symmetric key does not produce the same ciphertext

–A good block cipher does not allow someone to deduce the key from looking at the ciphertext

Encryption/Decryption Methods

Figure: Block cipher with a secret key

Plaintext: If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can bear to hear the truth you've spoken Twisted by knaves to make a trap for fools, Or watch the

→ Block Cipher (Secret Key) →

Ciphertext blocks:

03bab3582044427ecc114c9601acc97814c63096338f76e8b290c8662c9f9d7451270bd8bcfc2ace029a7f

4293922215717bfc2f6c0fffab1fb0e85a7826d2a1d1bc19e818c420b9502e59ace94bc5e3fc1f230ed90012

22945c54ec8bad1f6e292c3c1bbef4df8035ed22e8a64be498ad30302c741f79d56af4f70acf90ccd80200eb

Page 207: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

• Stream cipher

–Symmetric key

–A continuous stream of bits/bytes is encrypted one at a time

– Faster and uses less processing power than block ciphers

–Pseudorandom keystream generators will repeat eventually

• The longer the period of time before a repeat the better

Encryption/Decryption Methods

Figure: Stream cipher with a secret key

CompTIA Security+ Training

Cryptography Concepts

• Elliptic curve cryptography (ECC)

–Asymmetric keys

–Has a compact mathematical design that allows stronger encryption with shorter keys

–Uses elliptical curves instead of integers as keys

–Used in many varied implementations including mobile devices

Encryption/Decryption Methods

CompTIA Security+ Training

Cryptography Concepts

• Quantum cryptography

–An emerging and expensive concept that is still being researched

–When we measure data we disturb the data

• When you inspect polarized photons you change their polarization

–Quantum cryptography allows us to tell if data was eavesdropped on during transit

• Polarize the photons in one direction for 0 and another direction for 1

–One implementation is quantum key distribution

Encryption/Decryption Methods

Page 208: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

• Hashing algorithms create a unique numeric hash value that is a summary or digest of a message

• One way only

–You can not get plaintext from a hash

• Used for integrity: if data is modified then a different hash value will result

–Message digest (another name for the hash value)

–Digital signatures

–Message authentication codes (MAC)

• Used for password storage

–Allows passwords to be stored securely

–Check the hash of the entered password against the stored hash

Cryptographic Hashing

CompTIA Security+ Training

Cryptography Concepts

• A mathematical function that takes any sized blocks of data and returns fixed-sized bit streams

Cryptographic Hashing
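The two uses the slides list, integrity checking and password storage, as an added example (not code from the slides). The integrity half is exactly the slide's description: hash the data, compare later. For password storage the slide says "check the hash of the entered password against the stored hash"; this goes one step beyond that and stores a per-user random salt and a stretched PBKDF2 hash, which is how the comparison is done in practice so that identical passwords do not produce identical hashes and guessing is slow. The storage format string and function names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional


def message_digest(data: bytes) -> str:
    """Fixed-size digest of any-size input (SHA-256: 32 bytes, shown as hex)."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest and compare; any change to `data` changes the digest.
    compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(message_digest(data), expected_digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store a salted, stretched hash instead of the password itself.
    The salt makes identical passwords hash differently; the iteration count
    slows down guessing. Format (my own): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same derivation with the stored salt and compare the hashes.
    The password is never recovered from the hash; only re-derived and compared."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```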

Figure: Digital Signatures and Hashing

Sender: Message → Hash Function → Hash → Encrypt with Sender’s Private Key → Digital Signature → Attach Signature to Message → Sent to Recipient

Recipient: Digital Signature → Decrypt with Sender’s Public Key → Hash; Message → Hash Function → Hash; Compare Hashes

Page 209: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

• Encryption is used to protect transmissions that pass over the public internet

–VPN

• IPSec

–Web browser / web server communication

• TLS/SSL

• HTTPS

–Data transfer and remote management

• SSH

Transport Encryption

CompTIA Security+ Training

Cryptography Concepts

• Hiding or embedding one message within another

• The main purpose is to not draw attention

• Text can be hidden in image, audio, or video files

–One method for image steganography involves using the last bit in the color code of each pixel to hide the message

–Can encrypt data before and/or after the message is hidden

• Sometimes called electronic watermarking when referring to labeling an image for anti-piracy purposes

• Steganography tools are readily available

–Often used for illicit activities like data theft

Steganography

CompTIA Security+ Training

Cryptography Concepts

• Only use algorithms that, as of today, are considered strong

–Think about the tradeoff between security, speed, and ease of implementation

• Stay informed on cryptography news

– In the past widely used algorithms were “broken”

–New methods are being developed all the time

• Leverage strong encryption with good key management

Use of Proven Technologies

Page 210: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

Key Terms You Should Know

Cryptography: The science and study of the methods and procedures for encrypting and decrypting data

Cipher or Cypher: The pair of algorithms that encrypt and decrypt the data

Key: A string of bits used by a cryptographic algorithm during the encryption/decryption process

Plaintext: The original unencrypted data or message

Ciphertext or Cyphertext: The data after it has been encrypted. Data is not useable in this form

CompTIA Security+ Training

Cryptography Concepts

Key Terms You Should Know

Non-repudiation: A method of assuring that the author of a message can not later refute the fact that they sent a message

Symmetric Encryption: Encryption/decryption using a single shared secret key

Asymmetric Encryption: Encryption/decryption using a mathematically related key pair

Block Cipher: A symmetric encryption method that processes data in fixed-length blocks

Stream Cipher: A symmetric encryption method that processes data one bit or byte at a time

CompTIA Security+ Training

Cryptography Concepts

Key Terms You Should Know

Elliptic Curve Cryptography: An asymmetric encryption method that uses elliptical curves to achieve stronger and faster encryption with shorter key lengths

Quantum Cryptography: An encryption method that uses physics instead of mathematics

Transport Encryption: Encrypting data for protection during transit

Hashing: One way encoding that is used for data integrity

Digital Signature: Used to electronically sign a message so that the receiver can verify the sender’s identity and confirm that the message was not altered during transit

Page 211: Security+ Slides

CompTIA Security+ Training

Cryptography Concepts

What We Covered

Cryptography Overview

Symmetric vs. Asymmetric Encryption

Digital Signatures

Non-repudiation

Encryption/Decryption Methods

• Block Cipher

• Stream Cipher

• Elliptic Curve Cryptography (ECC)

• Quantum Cryptography

Cryptographic Hashing

Transport Encryption

Steganography

Use of Proven Technologies

Page 212: Security+ Slides

CompTIA Security+ Training Instructor: Lisa Szpunar

Cryptography Tools

CompTIA Security+ Training

Cryptography Tools

In This Lesson:

Symmetric Encryption

DES

3DES

AES

RC4

Blowfish

Twofish

Asymmetric Encryption

Diffie-Hellman

RSA

ECC

CompTIA Security+ Training

Cryptography Tools

In This Lesson:

Cryptographic Hashing

SHA

MD5

RIPEMD

HMAC

Transport Encryption

SSL/TLS and HTTPS

SSH

IPSec

Page 213: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

In This Lesson:

Exam Objective: 6.2 Use and apply appropriate cryptographic tools and products

Wireless Encryption

WEP vs. WPA/WPA2

Wi-Fi Authentication

Other Encryption Tools

PGP/GPG

One-time Pads

CHAP and PAP

NTLM and NTLMv2

Whole Disk Encryption

Comparative Strengths of Algorithms

Data Confidentiality Algorithms

Data Integrity Algorithms

Symmetric Encryption

CompTIA Security+ Training

Cryptography Tools

Data Encryption Standard

• Used For

–Data confidentiality

• How It Works

–Key is broken into 16 subkeys

–Each of the 16 rounds or Feistel cycles uses a different subkey

–Each round has a substitution phase and a permutation (scrambling) phase

DES

Key Length

64-bit

(8 bits of parity)

Block Size

64-bit

Page 214: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Data Encryption Standard

• History

–One of the oldest encryption standards

–Selected to be the official U.S. encryption in 1979

• Security Considerations

–Very vulnerable to brute force attacks

–Not secure by today’s standards

• Can be cracked within a day’s time

DES

Key Length

64-bit

(8 bits of parity)

Block Size

64-bit

CompTIA Security+ Training

Cryptography Tools

Triple Data Encryption Standard

• Used For

–Data confidentiality

• How It Works

–Uses three rounds of DES

• Either three different keys or two alternating keys

–3 times slower than DES

• History

–Created to increase the strength of DES

• Security Considerations

–Still in use but less secure than AES

3DES

Key Length

168-bit

Block Size

64-bit

Figure: Plaintext → DES with Key 1 → DES with Key 2 → DES with Key 1 → Ciphertext (the two-key variant, where the first and third stages use the same key)

CompTIA Security+ Training

Cryptography Tools

Advanced Encryption Standard

• Used For

–Data confidentiality

–WPA2

–Can be used in low processing power implementations

• How It Works

–The 128-bit block is broken into 4 parts

–Uses iterative rounds instead of Feistel rounds

–Number of rounds depends on the key size

AES

Key Length

128-bit

192-bit

256-bit

Block Size

128-bit

Page 215: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Advanced Encryption Standard

• History

–The Rijndael algorithm became the U.S. standard for encryption in 2002

• Security Considerations

–Considered strong by today’s standards

AES

Key Length

128-bit

192-bit

256-bit

Block Size

128-bit

CompTIA Security+ Training

Cryptography Tools

Rivest Cipher 4

• Used For

–Data confidentiality

–SSL and WEP

• How It Works

–Stream cipher

RC4

Key Length

40 to 204-bit

CompTIA Security+ Training

Cryptography Tools

Rivest Cipher 4

• History

–Developed by Ron Rivest in 1987

–Ron Rivest has several different ciphers RC1-RC6

–RC4 has been the most widely used stream cipher

• Security Considerations

–Not in use much today

–Different implementations are more secure than others

• It all comes down to the key

RC4

Key Length

40 to 204-bit

Page 216: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

• Used For

–Multipurpose

• How It Works

– Fast block cipher

–Uses 16 Feistel rounds

–Very complex key schedule

• History

–Produced by Bruce Schneier

–Unpatented since its creation

• Security Considerations

– Fewer than 16 Feistel rounds are vulnerable to attack

–Considered strong if implemented correctly

Blowfish

Key Length

1 to 448-bit

Block Size

64-bit

CompTIA Security+ Training

Cryptography Tools

• Used For

–Multipurpose

• How It Works

– Fast block cipher

–Uses 16 Feistel rounds

–Very complex key schedule

• History

–Also created by Bruce Schneier with help from other cryptographers

–Was in contention to become AES

• Security Considerations

– Fewer than 16 Feistel rounds are vulnerable to attack

–Considered strong if implemented correctly

Twofish

Key Length

128 to 256-bit

Block Size

128-bit

Asymmetric Encryption

Page 217: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Named for Whitfield Diffie and Martin Hellman

• Used For

–Key exchange

• Lets two (or more) parties that don’t know each other establish a jointly shared secret key

• How It Works

–Easy to compute but hard to reverse

• History

–The original public/private concept

• Security Considerations

–No authentication by itself

Key Length

Variable

Diffie-Hellman
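The exchange the slide describes, as an added example that is not part of the original deck. Each party keeps a private exponent, publishes g raised to it mod p, and raises the other side's public value to its own private exponent; both land on the same number, while an eavesdropper who sees only p, g and the two public values cannot easily reverse the exponentiation. The group parameters here (p = 2^127 - 1, g = 2) are a toy choice for a self-contained run, not a real-world group; `run_exchange`, `derive_key` and the other names are my own.

```python
import hashlib
import secrets
from typing import Tuple

# Toy group for illustration only (not a real-world group): p = 2**127 - 1 is a
# Mersenne prime, g = 2 is the public generator. Both values are sent in the clear.
TOY_P = 2 ** 127 - 1
TOY_G = 2


def generate_keypair(p: int = TOY_P, g: int = TOY_G) -> Tuple[int, int]:
    """Private exponent a (kept secret) and public value g^a mod p (sent in the clear)."""
    private = secrets.randbelow(p - 3) + 2      # 2 .. p-2
    return private, pow(g, private, p)


def is_valid_public(value: int, p: int = TOY_P) -> bool:
    """Reject degenerate public values (0, 1, p-1, ...) that would force a trivial secret."""
    return 2 <= value <= p - 2


def shared_secret(their_public: int, my_private: int, p: int = TOY_P) -> int:
    """Easy to compute for the holder of a private exponent: (g^b)^a = (g^a)^b mod p."""
    if not is_valid_public(their_public, p):
        raise ValueError("invalid public value")
    return pow(their_public, my_private, p)


def derive_key(secret: int) -> bytes:
    """Do not use the raw shared number as a key; hash it into a fixed-size key."""
    length = (secret.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def run_exchange(p: int = TOY_P, g: int = TOY_G) -> Tuple[bytes, bytes, Tuple[int, int]]:
    """Returns Alice's key, Bob's key, and what an eavesdropper sees (the two public values)."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    alice_key = derive_key(shared_secret(b_pub, a_priv, p))
    bob_key = derive_key(shared_secret(a_pub, b_priv, p))
    return alice_key, bob_key, (a_pub, b_pub)
```

The "no authentication by itself" point on the slide is visible in `run_exchange`: nothing ties a public value to the person who sent it, so an active attacker in the path could substitute their own values and agree a separate key with each side. Protocols such as TLS close this gap by signing the exchanged values with a certificate's key.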

CompTIA Security+ Training

Cryptography Tools

Named for Ron Rivest, Adi Shamir, and Leonard Adleman

• Used For

–Key exchange

–Data confidentiality and digital signatures

• How It Works

–Uses two large prime integers

• It is easy to find the product of the two primes but hard to find the primes from the product

–100 times slower than DES

• History

–Published in the late 1970s

• Security Considerations

–Problems arise when using prime numbers that are too small

RSA

Key Length

1,024 to 4,096-bit

CompTIA Security+ Training

Cryptography Tools

Elliptic Curve Cryptography

• Used For

–Smaller less powerful devices like

• How It Works

–An elliptic curve and one point of the curve is chosen and made public

–Multiplying the chosen point on the curve by a secret number will produce another point on the curve

• It is very difficult to find out what number was used

ECC

Key Length

Variable

Page 218: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Elliptic Curve Cryptography

• History

–A cryptography concept with many implementations

–Many companies have their own version of ECC

• Security Considerations

–Still being studied but currently considered strong if parameters are chosen properly

ECC

Key Length

Variable

Cryptographic Hashing

Collisions

Input A:

d131dd02c5e6eec4693d9a0698aff95c 2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a 085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6 dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1e c69821bcb6a8839396f965ab6ff72a70

Input B:

d131dd02c5e6eec4693d9a0698aff95c 2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a 085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6 dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1e c69821bcb6a8839396f9652b6ff72a70

Same Hash Value: 79054025255fb1a26e4bc422aef54eb4

Example Collision for MD4
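The collision shown on the slide, checked in code as an added example (not code from the deck). The slide's caption says MD4, but the two 128-byte inputs and the digest 79054025255fb1a26e4bc422aef54eb4 are the published MD5 collision pair (Wang et al.), so the block hashes them with MD5. It also hashes them with SHA-256 to show that the same inputs do not collide under a hash that is still considered strong, which is the practical reason the later slides steer toward SHA-2. The hex is transcribed from the slide; the function names are my own.

```python
import hashlib
from typing import List

# The two inputs from the slide (Input A, then Input B), transcribed from the hex shown.
INPUT_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
INPUT_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte positions where the two inputs differ (only six bytes here)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def digest_hex(data: bytes, algorithm: str) -> str:
    """Digest of `data` under a hashlib algorithm name such as 'md5' or 'sha256'."""
    return hashlib.new(algorithm, data).hexdigest()


def collides(a: bytes, b: bytes, algorithm: str) -> bool:
    """True when two *different* inputs produce the same digest under `algorithm`."""
    if a == b:
        return False
    return digest_hex(a, algorithm) == digest_hex(b, algorithm)


if __name__ == "__main__":
    print(differing_offsets(INPUT_A, INPUT_B))
    print(digest_hex(INPUT_A, "md5"), digest_hex(INPUT_B, "md5"))
    print("md5 collision:", collides(INPUT_A, INPUT_B, "md5"))
    print("sha256 collision:", collides(INPUT_A, INPUT_B, "sha256"))
```

A collision like this is what makes a hash unusable for integrity or signatures: a signature over the hash of Input A is also a valid signature over Input B.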

Page 219: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Secure Hash Algorithm

• Used For

–Digital signatures

• How It Works

–Breaks the message into words and groups the words into blocks before processing for 64 or 80 rounds

–SHA-2 is the current version that outputs a 256-bit hash length or longer

–The longer hash length version (SHA-512) accepts larger inputs and processes larger block sizes

SHA

Hash Length

256-bit

512-bit

Block Size

512-bit

1024-bit

SHA-256

SHA-512

CompTIA Security+ Training

Cryptography Tools

SHA

Secure Hash Algorithm

• History

–Designed and published by NSA and NIST

–SHA-1 used 160-bit hash and has been replaced with SHA-2

–The SHA-3 algorithm has not been chosen from the finalists

• Security Considerations

–SHA-1 has been found to have collisions

Hash Length

256-bit

512-bit

Block Size

512-bit

1024-bit

SHA-256

SHA-512

CompTIA Security+ Training

Cryptography Tools

Message Digest 5

• Used For

–Message digest

• How It Works

–Breaks the message into 512-bit blocks with a mandatory 64 bits of padding

–Then breaks the blocks into 32-bit chunks

–Does 4 rounds of processing

MD5

Hash Length

128-bit

Block Size

512-bit

Page 220: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Message Digest 5

• History

–Developed in 1991

–Others in the series are MD2, MD4, and MD6

–MD5 is slightly slower but more secure than MD4

• Security Considerations

–Collisions are possible and it is not considered secure

MD5

Hash Length

128-bit

Block Size

512-bit

CompTIA Security+ Training

Cryptography Tools

RACE Integrity Primitives Evaluation Message Digest

• Used For

–Message digest

• How It Works

–Three rounds of processing on blocks of variable sizes

• History

–RIPEMD is based on MD4 and RIPEMD-160 is based on MD5

• Security Considerations

–The 128-bit version was found to have collisions

–Higher hash outputs than 160 are in use but are no stronger than the 160-bit version

RIPEMD

Hash Length

160-bit or 128-bit (unsecure)

Block Size

Variable

CompTIA Security+ Training

Cryptography Tools

Hash-based Message Authentication Code

• Used For

–Message authentication codes

• Data integrity and authentication

• How It Works

–Uses a hashing function with a secret key

–Can use MD5 or SHA

• Example: If SHA-256 is used the result is referred to as HMAC-SHA256

HMAC

Page 221: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Hash-based Message Authentication Code

• Security Considerations

–The strength of HMAC depends on the hashing function used and the length of the key

• The addition of the secret key makes HMAC stronger than the hashing function alone

HMAC
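HMAC-SHA256 as the slide describes it, as an added example (not code from the deck): the sender computes a tag over the message with the shared key, the receiver recomputes it. The two small helper functions make the "stronger than the hashing function alone" point concrete: a bare digest sent alongside a message can be recomputed by whoever alters the message, whereas a keyed tag cannot be produced without the key. The same keyed-hash idea is what IPsec AH uses for its per-packet integrity check. The function names are my own; the test vector in the usage is RFC 4231 test case 2.

```python
import hashlib
import hmac
from typing import Tuple


def make_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """HMAC over the message; with algorithm='sha256' this is HMAC-SHA256."""
    return hmac.new(key, message, algorithm).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str, algorithm: str = "sha256") -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message, algorithm), tag)


def unkeyed_check(message: bytes, digest: str) -> bool:
    """Integrity check using a plain hash sent with the message (no key)."""
    return hashlib.sha256(message).hexdigest() == digest


def tamper_unkeyed(new_message: bytes) -> Tuple[bytes, str]:
    """What an intermediary can do to a message protected only by a plain hash:
    replace the message and recompute the digest. No secret is needed."""
    return new_message, hashlib.sha256(new_message).hexdigest()


def hmac_rejects_tamper(key: bytes, original: bytes, modified: bytes) -> bool:
    """With a keyed tag the intermediary cannot recompute a valid tag for the
    modified message, so the receiver's check fails."""
    tag_from_sender = make_tag(key, original)
    return not verify_tag(key, modified, tag_from_sender)
```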

Transport Encryption

CompTIA Security+ Training

Cryptography Tools

Secure Sockets Layer / Transport Layer Security and Hypertext Transfer Protocol Secure

• Used For

–SSL/TLS allows HTTPS and other client/server applications to communicate securely across an unsecure network

• Offers protection from eavesdropping, tampering, and message forgery

• How It Works

–TLS uses a handshake for both parties to authenticate and agree on parameters including a symmetric key

SSL/TLS and HTTPS

Page 222: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Secure Sockets Layer / Transport Layer Security and Hypertext Transfer Protocol Secure

• History

–SSL was created by Netscape

–TLS improved on and superseded SSL

• Security Considerations

–Only as strong as the ciphers and hashing agreed upon by both sides

SSL/TLS and HTTPS

CompTIA Security+ Training

Cryptography Tools

Secure Shell

• Used For

–Secure remote sessions, file transfers, tunneling, port forwarding, and more

• How It Works

–Uses a handshake to set up parameters and performs a key exchange

• Security Considerations

–Only as strong as the ciphers and hashing algorithms agreed upon by both sides

SSH

CompTIA Security+ Training

Cryptography Tools

Internet Protocol Security

• Authentication Header (AH)

– Digitally signs the packets for authentication and integrity

• Before a packet is sent a hash is taken of the packet plus the shared secret key

• That hash is added to the header and the packet is sent

• On the recipient's end the message payload and the secret key are hashed again

• If the original hash and the new hash match we have authentication and integrity

IPSec

Figure: AH packet layout: Original IP Header | AH | TCP | Payload

Page 223: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Internet Protocol Security

• Encapsulating Security Payload (ESP)

– Adds confidentiality and optionally integrity checking

• Adds a header, a trailer, and an integrity check value (ICV)

• Optional ICV works like the AH

• ESP Header includes properties for the packet like a sequence number

• ESP Trailer is for padding

IPSec

Figure: ESP packet layout: Original IP Header | ESP Header | TCP | Payload | ESP Trailer | ESP Authentication

Wireless Encryption

WEP vs. WPA/WPA2

WEP

–Algorithm: RC4

–Key Size: 64-bit or 128-bit

–Added Security: None

–Weakness: Can be cracked in a matter of hours

–Integrity Check: Cyclic redundancy check

–Backward Compatible: N/A

WPA

–Algorithm: RC4

–Key Size: 128-bit

–Added Security: TKIP

–Weakness: TKIP is vulnerable to spoofing

–Strength: Uses an IV and a second key to produce dynamic per-packet keys

–Integrity Check: Message integrity check

–Backward Compatible: Yes

WPA2

–Algorithm: AES

–Key Size: 128-bit

–Added Security: CCMP

–Weakness: Denial of Service

–Strength: 48-bit initialization vector

–Backward Compatible: No

Page 224: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

• Pre-shared Key (PSK)

–WPA-Personal

– Intended for personal or home networks

–A key must be configured on the client devices that matches the key on the access point

–All the clients share a key

• WEP: It is possible to derive the key from capturing packets

• WPA: Uses this key to generate the dynamic keys

– This method is still vulnerable especially if a weak passphrase is chosen as the pre-shared key

Wi-Fi Authentication

CompTIA Security+ Training

Cryptography Tools

• Enterprise Authentication

–WPA-Enterprise

–Uses 802.1X and a RADIUS or other authentication server to handle authentication

Wi-Fi Authentication

Other Encryption Tools

Page 225: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Pretty Good Privacy and GNU Privacy Guard

• Used For

–An encryption system most often used for email

• Data confidentiality, authentication, and digital signatures

• How It Works

–Uses several algorithms

• Both symmetric and asymmetric encryption

–Both ends of communication need a PGP/GPG client

–Creates a web of trust with certificates

• A certificate binds a key to its owner

• If you trust a person and their certificate you sign their cert

• You can trust the certs signed by the people you trust

PGP/GPG

CompTIA Security+ Training

Cryptography Tools

Pretty Good Privacy and GNU Privacy Guard

• History

–PGP was introduced in 1991 and is commercially available

–GPG was originally released in 1999 and does not use any restricted or patented algorithms by default

• Security Considerations

–Pretty good!

PGP/GPG

CompTIA Security+ Training

Cryptography Tools

• Used For

–Data confidentiality

• How It Works

–A shared secret key (pad) is used that is the same length as the message

• The key is a completely random string of text therefore the keyspace is infinite

–The characters in the key are added one by one to the message characters (numeric equivalents)

–The reverse is done for decryption

One-time Pads (OTP)

Page 226: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

• History

–An old concept that was described in the 1800s and patented in the early 1900s

–Used by the U.S. military as an early cryptography tool

• Security Considerations

–Not vulnerable to brute force attacks

One-time Pads (OTP)
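The pad arithmetic from the previous slide, as an added example that is not part of the deck: letters are mapped to 0..25, the pad letters are added one by one mod 26 to encrypt and subtracted to decrypt, and the pad must be random and at least as long as the message. The last function shows why the slide can say the scheme is not vulnerable to brute force: for any candidate plaintext of the right length there exists a pad that turns the ciphertext into it, so trying pads gives the attacker no way to tell the real message from any other. Function names are my own.

```python
import secrets
import string

LETTERS = string.ascii_uppercase   # numeric equivalents: A=0 ... Z=25


def generate_pad(length: int) -> str:
    """A truly random pad, at least as long as the message, used exactly once."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def otp_encrypt(plaintext: str, pad: str) -> str:
    """Add pad letters to message letters mod 26 (the slide's 'added one by one')."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return "".join(LETTERS[(LETTERS.index(p) + LETTERS.index(k)) % 26]
                   for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """Subtract the same pad letters mod 26."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the message")
    return "".join(LETTERS[(LETTERS.index(c) - LETTERS.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


def pad_that_yields(ciphertext: str, desired_plaintext: str) -> str:
    """For any plaintext of the right length there is a pad that produces this
    ciphertext. Brute-forcing pads therefore yields every possible message
    with equal plausibility, which is the security argument for the OTP."""
    return "".join(LETTERS[(LETTERS.index(c) - LETTERS.index(p)) % 26]
                   for c, p in zip(ciphertext, desired_plaintext))
```

The "one-time" in the name is the whole security: reusing a pad for two messages lets the pad cancel out when the two ciphertexts are subtracted, so distributing and tracking pads is the practical burden that keeps the OTP out of everyday use.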

CompTIA Security+ Training

Cryptography Tools

Challenge-Handshake Authentication Protocol and

Password Authentication Protocol

• Used For

–Authentication for PPP

• How PAP Works

–Usernames and passwords are sent in cleartext to be checked

CHAP and PAP

CompTIA Security+ Training

Cryptography Tools

Challenge-Handshake Authentication Protocol and

Password Authentication Protocol

• Used For

–Authentication for PPP

• How CHAP Works

–Uses a challenge response procedure to authenticate the client

1. The server sends a string of challenge text to the client

2. The client hashes the challenge string using a shared secret as a key and sends the result back to the server

3. The server compares the hash to a stored hash

CHAP and PAP

Page 227: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

Challenge-Handshake Authentication Protocol and

Password Authentication Protocol

• History

–CHAP was specified in RFC 1994

–Microsoft has their own versions called MS-CHAP and MS-CHAPv2

• Security Considerations

–PAP has no encryption and is completely unsecure

–A weak password used as the secret key makes CHAP vulnerable to brute force and dictionary attacks

–Usernames and passwords may be stored in plaintext on the client or server side

CHAP and PAP
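The three-step CHAP exchange from the previous slide, as an added example (not code from the deck). The response follows RFC 1994, which the slide cites: MD5 over the one-byte identifier, the shared secret and the server's challenge. The slide's step 3 says the server compares against a stored hash; here the server holds the secret and recomputes the expected response, which is the same check. Two things worth seeing in the code: the secret never goes on the wire (the contrast with PAP's cleartext password), and each challenge is accepted once, so a captured response cannot be replayed. Class and function names are my own.

```python
import hashlib
import hmac
import os
from typing import Dict


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge).
    Only the 16-byte result is sent; the secret itself stays on both ends."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: hands out fresh random challenges and checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding: Dict[int, bytes] = {}

    def new_challenge(self, identifier: int) -> bytes:
        """Step 1: a fresh random challenge, remembered under this identifier."""
        challenge = os.urandom(16)
        self._outstanding[identifier] = challenge
        return challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected response and compare. Each challenge
        is consumed on first use, so a replayed response fails."""
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = ChapAuthenticator(b"shared-secret")
    challenge = server.new_challenge(1)                       # step 1
    response = chap_response(1, b"shared-secret", challenge)  # step 2 (client side)
    print("authenticated:", server.verify(1, response))      # step 3
```

The weak-password caveat on the slide applies here too: anyone who captures a challenge and response can try candidate secrets offline against `chap_response`, so the strength of the exchange is the strength of the secret.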

CompTIA Security+ Training

Cryptography Tools

NT LAN Manager and NT LAN Manager Version 2

• Used For

–Windows authentication

• NTLM for early versions of Windows NT

• NTLMv2 after Windows NT SP4

• How It Works

–Challenge response

–Uses MD4/MD5 hashing

–NTLMv2 takes additional steps for randomization and security

NTLM and NTLMv2

CompTIA Security+ Training

Cryptography Tools

NT LAN Manager and NT LAN Manager Version 2

• History

–A replacement for LANMAN

• Security Considerations

–NTLM is vulnerable to spoofing attacks

–Still in use for backward compatibility

NTLM and NTLMv2

Page 228: Security+ Slides

CompTIA Security+ Training

Cryptography Tools

• Used For

–Data confidentiality

–Protects an entire disk in the event a laptop or other mobile device is lost or stolen

• How It Works

–Uses a key to encrypt everything on the drive including the operating system

– Available as part of the operating system, in third-party software, on USB hardware or an HSM, or built into some hard drives

–Some options require a TPM chip

• Security Considerations

– If you lose your key you lose your data

• Some enterprise systems have key recovery options

Whole Disk Encryption

Comparative Strengths of Algorithms

Comparative Strength of Data Confidentiality Algorithms

Algorithm      Key Length                  Mode    Should I Use It?
DES            64-bit                      Block
3DES           168-bit                     Block   K
AES            128-bit, 192-bit, 256-bit   Block
RC4            Variable                    Stream
Blowfish       64-bit                      Block
Twofish        128-bit                     Block
One-time Pad   ≥ Message Length            Block   K

Page 229: Security+ Slides

Comparative Strength of Data Integrity Algorithms

Algorithm      Hash Length                           Rounds                                Should I Use It?
SHA-1          160-bit                               80
SHA-2          256-bit or more                       64 or 80
MD5            128-bit                               4
RIPEMD         Variable                              3
RIPEMD-160     160-bit                               3                                     K
HMAC           Dependent on hashing algorithm used   Dependent on hashing algorithm used


What We Covered

Symmetric Encryption

DES

3DES

AES

RC4

Blowfish

Twofish

Asymmetric Encryption

Diffie-Hellman

RSA

ECC


Cryptographic Hashing

SHA

MD5

RIPEMD

HMAC

Transport Encryption

SSL/TLS and HTTPS

SSH

IPSec


Wireless Encryption

WEP vs. WPA/WPA2

Wi-Fi Authentication

Other Encryption Tools

PGP/GPG

One-time Pads

CHAP and PAP

NTLM and NTLMv2

Whole Disk Encryption

Comparative Strengths of Algorithms

Data Confidentiality Algorithms

Data Integrity Algorithms


CompTIA Security+ Training Instructor: Lisa Szpunar

Public Key Infrastructure (PKI) Concepts


In This Lesson:

Exam Objective: 6.3 Explain the core concepts of public key infrastructure

Public Key Infrastructure (PKI) Overview

The Public and Private Key Pair

Digital Certificates

Certificate Authorities (CA)

How PKI Works

Registration Authorities (RA)

Certificate Revocation Lists (CRL)

Recovery Agent: What if a Key Gets Lost?

Key Escrow


• A two key (asymmetric) encryption system for communication

• A framework, not a specific technology

• Universal infrastructure that can work across multiple systems and vendors

• Provides authentication and confidentiality

–Authentication: Confirms the owner of the keys using Digital Certificates

–Confidentiality: Encrypts data transmissions

Public Key Infrastructure (PKI) Overview


The Public and Private Key Pair

You request Alice’s public key

Alice sends her public key

You use Alice’s public key to encrypt the message

You send the encrypted message to Alice

Alice uses her private key to decrypt the message and read it


• Helps with authentication

• Associates a public key with an individual/company

• Issued by a Certificate Authority

Digital Certificates

X.509 Certificate fields:

Version

Serial Number

Algorithm ID

Issuer

Validity (Not Before, Not After)

Subject

Subject Public Key Info (Public Key Algorithm, Subject Public Key)

Issuer Unique Identifier (optional)

Subject Unique Identifier (optional)

Extensions (optional)

Certificate Signature Algorithm

Certificate Signature


Certificate Authorities (CA)

• Responsible for issuing, revoking, and distributing certificates

• Often a trusted third-party organization. Examples:

• DigiCert

• VeriSign

• Companies or organizations can have an in-house CA

• Stores the public key in a directory that is available to anyone who wants to verify your certificate

How PKI Works

Diagram label: CA

You encrypt your message using Alice’s verified public key contained within the certificate

You send the encrypted message to Alice

Alice decrypts the message with her private key


• The front-end entity that you actually interact with

• You provide the RA with your information (and payment)

• Verifies identity documentation before confirming that the CA can issue the certificate

• Does not sign the certificate

Registration Authorities (RA)



• The CA publishes a list of certificates that can no longer be used

• Reasons a cert might be on the CRL

–Certificate Expiration

–Certificate Revocation (Permanent)

• Compromised private key

• Human Resources reasons

• Company changes names, physical address, DNS

• Any reason prior to expiration

–Certificate Suspended

• The CRL lists “Certificate Hold” (certificateHold) as the reason for revocation

• The certificate owner/administrator can request that the cert be revoked

Certificate Revocation Lists (CRL)


• A live person!

• Has access to the key recovery server

• Normally used by in-house CA implementations

• Sometimes two different recovery agents are both needed to recover one key

• Key recovery information (KRI)

–Proof that the request is from an authorized recovery agent

–Name of key owner

–Time key was created

– Issuing CA server

Recovery Agent: What if a Key Gets Lost?


• A copy (or copies) of your private key is kept in a key escrow agency or key archival system

–Sometimes the private key is divided across multiple databases, with only part of it kept in each

• Used for law enforcement (with a warrant)

Key Escrow


Key Terms You Should Know

Public Key Infrastructure: PKI is the framework for encryption that associates a public key with a verified person/system

Public Key: The part of the key pair that is available and distributed to the public

Private Key: The part of the key pair that is secret and used only by the key owner

Certificate Authorities: CAs are responsible for issuing, revoking, and distributing digital certificates

Digital Certificates: A certificate that verifies to whom the public key belongs


Registration Authority: The RA verifies the prospective key owner’s identity and sends the request to the CA to issue a certificate

Certificate Revocation Lists: A list of certificates that are no longer usable. The list is published frequently

Recovery Agent: A person who is authorized to recover lost private keys

Key Escrow: Keeping secured copies of private keys for law enforcement purposes


What We Covered

Public Key Infrastructure (PKI) Overview

The Public and Private Key Pair

Digital Certificates

Certificate Authorities (CA)

How PKI Works

Registration Authorities (RA)

Certificate Revocation Lists (CRL)

Recovery Agent: What if a Key Gets Lost?

Key Escrow


CompTIA Security+ Training Instructor: Lisa Szpunar

PKI Implementation


In This Lesson:

Exam Objective: 6.4 Implement PKI, certificate management, and associated components

Publicly Trusted Certificate Authorities

Internal Certificate Authorities

Working with Registration Authorities

Key Management

Certificate Management

Trust Models

• Hierarchical

• Bridge

• Mesh

• Hybrid


• A trusted third party (TTP) issues and signs your digital certificate

• Web browsers already trust these TTP CAs

• Available commercially

–VeriSign, Go Daddy, DigiCert

• Best used for publicly facing websites

–A self-signed cert will confuse and alarm customers

• Pros

–Publicly trusted

–Very little management overhead

• Cons

–Expensive to purchase multiple certificates

Publicly Trusted Certificate Authorities


• Used for intranets and other internal uses

–Hard drive and file encryption

–Digitally signing documents

–Email

• Pros

– Lower cost

–Greater control

• Cons

– Intensive management overhead

• Configuring and troubleshooting support for the protocols, systems, and applications at your company

• What trust model to use and its scalability

• Interoperability with business partners

Internal Certificate Authorities


• Server operating systems can be configured to provide PKI services

• Microsoft Stand-alone CAs vs. Enterprise CAs

–Stand-alone CAs do not need Active Directory directory services to function

• There can still be subordinate CAs

–Enterprise CAs rely on Active Directory for their directory services

Internal Certificate Authorities

Diagram labels: Chicago Branch Office, New York Central Office, LRA, CA

• Great for verifying user credentials in person

• Local registration authorities (LRA)

–Useful for internal PKIs that have distributed locations

Working with Registration Authorities



• Key generation and signing

• Centralized keys

– Created and stored by the CA

• Decentralized keys

– Created by the user and submitted to the CA to sign

• Key repository

–Public keys can be centrally located in a key repository

Key Management


• Key recovery

–Key archiving

• Configure the tools built into your internal PKI to do this automatically

–Assign users to be recovery agents

–M of N control

• M of the N designated recovery agents must take part in a key recovery

Key Management
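One way to implement the M of N rule for recovery agents, and the split-database form of key escrow mentioned in the PKI Concepts lesson, is Shamir secret sharing over a prime field. The block below is an added teaching example, not code from the course or from any PKI product: the archived key is a constructed random integer standing in for a private key, the field prime and the 3-of-5 policy are assumed configuration, and split_secret/recover_secret are names chosen here. It shows that any three shares rebuild the key exactly while two shares yield nothing useful.

```python
"""Shamir secret sharing as an M-of-N control for private key recovery.
Added example, not course code: the recovered "key" is a random integer standing in
for an archived private key, and the 3-of-5 policy is an assumed configuration."""
import secrets

PRIME = (1 << 127) - 1   # field modulus; the secret and all shares are integers below it


def split_secret(secret, m, n):
    """Split secret into n shares so that any m of them recover it (Shamir, 1979).
    A random polynomial of degree m-1 has the secret as its constant term; share i
    is the point (i, f(i)). Fewer than m points leave the constant term undetermined."""
    if not 1 <= m <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= m <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]

    def f(x):
        return sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME). Each share is one agent's (x, y)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(m=3, n=5):
    """Archive a key under M-of-N control and show which quorums recover it."""
    key = secrets.randbelow(PRIME)            # constructed stand-in for a private key
    shares = split_secret(key, m, n)          # one share per recovery agent
    return {
        "key": key,
        "quorum": recover_secret([shares[0], shares[2], shares[4]]),   # agents 1, 3, 5
        "below_quorum": recover_secret(shares[:m - 1]),                # only 2 agents
    }


if __name__ == "__main__":
    r = demo()
    print("3 agents recover the key:", r["quorum"] == r["key"])
    print("2 agents recover the key:", r["below_quorum"] == r["key"])
```

Each recovery agent holds one (x, y) share; the key recovery server only ever sees the shares the quorum presents, so a single agent, or any two, cannot reconstruct the archived key on their own.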


• Create and handle PKI certs in accordance with the organization's overall security policy

• Certificate policies

–Policies for certificate issuing, usage, renewal, and archiving

• Certificate Practice Statement (CPS)

–The procedures that a CA will follow and expects its users to follow

Certificate Management

Diagram: Security Policy → Certificate Policies → Certificate Practice Statement

Certificate Management: Life Cycle

Request or Renewal

• A request is sent to the RA, or directly to the CA if an RA does not exist

• A renewal request is made prior to an existing certificate’s expiration

• The requester’s identity is verified

Life cycle diagram: Request or Renewal → Issuing → Use → Expiration or Revocation → Destruction → Request or Renewal

Certificate Management: Life Cycle

Issuing

• A key pair is generated

• The corresponding cert is created, signed, and sent to the requester


Certificate Management: Life Cycle

Certificate Use

• The certificate is used by its owner until its expiration date

• If the private key is compromised the owner must notify the CA


Certificate Management: Life Cycle

Expiration or Revocation

• The user must notify the CA/RA immediately if a private key was lost or compromised

• An expired or revoked certificate is placed on the CRL

• The CRL is published and the information is disseminated


Certificate Management: Life Cycle

Destruction

• Permanently removing keys/certs that are no longer needed

• Only the private key needs to be deleted because the public key is useless without its private counterpart


• Single CA

–A small PKI implementation with only one root CA

• Hierarchical

–A top down trust structure

–The higher CAs sign the certificate of their subordinate CAs

• Mesh

–Two-way trust (cross certification) happens between all CAs

–Each CA is both a root and a subordinate

• Bridge

–A two-way trust exists between two hierarchical PKIs

• Hybrid

–A mix of two or more models for the most flexible structure

Trust Models
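The hierarchical trust model above, the CRL check from the PKI Concepts lesson and the certificate fields (issuer, subject, validity, serial, signature) come together when a relying party validates a chain. The block below is an added example, not the course's material or any real CA's code. It issues a root, an issuing CA and a leaf certificate using textbook RSA on Mersenne primes (a toy signature scheme chosen only so the example has no dependencies; it is not secure and is not how real CAs sign), then validates the leaf-first chain the way a verifier must: validity period, CRL lookup by (issuer, serial), the CA flag of every issuing certificate, issuer/subject name linkage, signature verification, and termination at a trusted root. Names such as Example Root CA and www.example.test, and the day-number validity values, are constructed.

```python
"""Toy hierarchical PKI: issue a root -> issuing CA -> leaf chain and validate it.
Textbook RSA on Mersenne primes is used only so the example has no dependencies;
it is NOT a secure signature scheme."""
import hashlib
import json
import math


def mersenne(k):
    return (1 << k) - 1


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys for distinct primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:          # keep the public exponent coprime to phi(n)
        e += 2
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def tbs_digest(tbs, n):
    """SHA-256 of the canonical to-be-signed fields, reduced into the signer's modulus."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(tbs, priv):
    return pow(tbs_digest(tbs, priv["n"]), priv["d"], priv["n"])


def verify(tbs, signature, pub):
    return pow(signature, pub["e"], pub["n"]) == tbs_digest(tbs, pub["n"])


def issue(issuer_name, issuer_priv, subject, subject_pub, serial, not_before, not_after, is_ca):
    """Build a minimal X.509-like certificate; the issuer's private key signs the TBS part.
    Validity is expressed as day numbers to keep the example free of date handling."""
    tbs = {"serial": serial, "issuer": issuer_name, "subject": subject,
           "not_before": not_before, "not_after": not_after,
           "public_key": subject_pub, "ca": is_ca}
    return {"tbs": tbs, "signature": sign(tbs, issuer_priv)}


def validate_chain(chain, trust_anchors, crl, now):
    """chain is leaf first. Each certificate is checked against the key of the next one;
    the last certificate's issuer must be a trust anchor (a root public key we already hold).
    crl maps (issuer name, serial) -> revocation reason, as published by the CA."""
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if not tbs["not_before"] <= now <= tbs["not_after"]:
            return False, f"{tbs['subject']}: outside validity period"
        reason = crl.get((tbs["issuer"], tbs["serial"]))
        if reason is not None:
            return False, f"{tbs['subject']}: revoked ({reason})"
        if i > 0 and not tbs["ca"]:          # only CA certificates may sign other certificates
            return False, f"{tbs['subject']}: not a CA, cannot issue certificates"
        if i + 1 < len(chain):
            issuer_tbs = chain[i + 1]["tbs"]
            if issuer_tbs["subject"] != tbs["issuer"]:
                return False, f"{tbs['subject']}: issuer name does not match next certificate"
            issuer_pub = issuer_tbs["public_key"]
        elif tbs["issuer"] in trust_anchors:
            issuer_pub = trust_anchors[tbs["issuer"]]
        else:
            return False, f"{tbs['subject']}: chain does not end at a trusted root"
        if not verify(tbs, cert["signature"], issuer_pub):
            return False, f"{tbs['subject']}: signature check failed"
    return True, "chain valid"


def demo():
    """Root -> issuing CA -> leaf, then the failure modes the slides describe."""
    root_pub, root_priv = make_keypair(mersenne(127), mersenne(107))
    int_pub, int_priv = make_keypair(mersenne(89), mersenne(61))
    leaf_pub, leaf_priv = make_keypair(mersenne(31), mersenne(19))
    root = issue("Example Root CA", root_priv, "Example Root CA", root_pub, 1, 0, 3650, True)
    inter = issue("Example Root CA", root_priv, "Example Issuing CA", int_pub, 2, 0, 1825, True)
    leaf = issue("Example Issuing CA", int_priv, "www.example.test", leaf_pub, 3, 100, 465, False)
    anchors = {"Example Root CA": root_pub}
    results = {"valid": validate_chain([leaf, inter], anchors, {}, now=200),
               "expired_leaf": validate_chain([leaf, inter], anchors, {}, now=500)}
    # The issuing CA has placed the leaf on its CRL with the hold reason the slides mention.
    held = {("Example Issuing CA", 3): "certificateHold"}
    results["on_crl"] = validate_chain([leaf, inter], anchors, held, now=200)
    # The presented chain skips the issuing CA: the names do not link up, so it must fail.
    results["wrong_issuer"] = validate_chain([leaf, root], anchors, {}, now=200)
    # A leaf (ca=False) signing another certificate must be rejected by the CA flag check.
    rogue = issue("www.example.test", leaf_priv, "other.example.test", leaf_pub, 4, 0, 1000, False)
    results["non_ca_issuer"] = validate_chain([rogue, leaf, inter], anchors, {}, now=200)
    return results


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print(f"{name:14} {'PASS' if ok else 'FAIL'}: {msg}")
```

validate_chain returns a (verdict, reason) pair so that each failure mode is visible by name; the order of the checks inside the loop matters less than the fact that every one of them runs for every certificate in the chain, not just the leaf.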

Hierarchical Trust Model (diagram labels: Root CA; Intermediate CAs; Leaf CAs; Subordinate CAs; RA)

Mesh Trust Model (diagram: three CAs, each cross-certified with the others)

Bridge Trust Model (diagram label: Bridge CA)


Key Terms You Should Know

Local Registration Authority: A local authority used to identify an individual for certificate issuance even if the CA is located elsewhere

M of N Control: When referring to private key recovery: out of N total recovery agents, only M need to be present to recover a key

Certificate Policies: PKI certificate policies that align with the overall security policies of the organization. Includes policies for issuing, using, renewing, and archiving certificates and keys

Certificate Practice Statement: The procedures that a CA will follow and expects its users to follow. These procedures are derived from the PKI certificate policies


Hierarchical Trust Model: A top-down trust model where each level of CAs signs the certificates of the CAs directly below it, except for the root CA, which signs its own certificate

Bridge Trust Model: A bridge CA creates a cross-certification between two PKI trust structures

Mesh Trust Model: Cross-certification happens between pairs of CAs, creating a mesh structure. Every CA is both a root and a subordinate

Hybrid Trust Model: A combination of any two or more trust models


What We Covered

Publicly Trusted Certificate Authorities

Internal Certificate Authorities

Working with Registration Authorities

Key Management

Certificate Management

Trust Models

• Hierarchical

• Bridge

• Mesh

• Hybrid


CompTIA Security+ Training Instructor: Lisa Szpunar

Preparing for Your CompTIA Security+ SY0-301 Certification Exam


In This Lesson:

About the Exam

Mapping Exam Objectives to This Course

Studying for the Exam

Test Day Tips


• Exam code SY0-301 (replaced SY0-201 in December 2011)

• 100 questions

• 90 minutes

• A passing score is 750 out of 900 points

• Recommended experience:

–CompTIA Network+ certification

–Two years of technical networking experience, with an emphasis on security

• Take the exam through Pearson VUE or Prometric

About the Exam


• Accredited by

– International Organization for Standardization (ISO)

–American National Standards Institute (ANSI)

• Topic Domains

–Network security

–Compliance and operational security

–Threats and vulnerabilities

–Application, data, and host security

–Access control and identity management

–Cryptography

About the Exam

Mapping Exam Objectives to this Course

1.0 Network Security (Objective: Course Lessons)

1.1 Explain the security function and purpose of network devices and technologies: Network Device Security

1.2 Apply and implement secure network administration principles: Secure Network Administration

1.3 Distinguish and differentiate network design elements and compounds: Secure Network Design

1.4 Implement and use common protocols: TCP/IP Protocols and Port Security

1.5 Identify commonly used default network ports: TCP/IP Protocols and Port Security

1.6 Implement wireless networks in a secure manner: Securing Wireless Networks

2.0 Compliance and Operational Security (Objective: Course Lessons)

2.1 Explain risk related concepts: Risk Mitigation and Deterrence; Risk Management

2.2 Carry out appropriate risk mitigation strategies: Risk Mitigation and Deterrence

2.3 Execute appropriate incident response procedures: Incident Response

2.4 Explain the importance of security related awareness and training: User Education

2.5 Compare and contrast aspects of business continuity: Business Continuity

2.6 Explain the impact and proper use of environmental controls: Physical and Environmental Security

2.7 Execute disaster recovery plans and procedures: Disaster Recovery Planning

2.8 Exemplify the concepts of confidentiality, integrity, and availability: Introduction to IT Security

3.0 Threats and Vulnerabilities (Objective: Course Lessons)

3.1 Analyze and differentiate among types of malware: Malware Prevention and Cleanup

3.2 Analyze and differentiate among types of attacks: Types of Attacks

3.3 Analyze and differentiate among types of social engineering attacks: Social Engineering

3.4 Analyze and differentiate among types of wireless attacks: Attacks on Wireless Networks

3.5 Analyze and differentiate among types of application attacks: Securing Applications

3.6 Analyze and differentiate among types of mitigation and deterrent techniques: Secure Network Administration; Risk Mitigation and Deterrence; Log Monitoring and Reporting; Physical and Environmental Security

3.0 Threats and Vulnerabilities (cont.) (Objective: Course Lessons)

3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities: Risk Management; Threat and Vulnerability Assessment and Detection

3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning: Risk Management; Threat and Vulnerability Assessment and Detection

4.0 Application, Data, and Host Security (Objective: Course Lessons)

4.1 Explain the importance of application security: Securing Applications

4.2 Carry out appropriate procedures to establish host security: Host Security; Physical and Environmental Security

4.3 Explain the importance of data security: Data Security

5.0 Access Control and Identity Management (Objective: Course Lessons)

5.1 Explain the function and purpose of authentication services: Authentication Services

5.2 Explain the fundamental concepts and best practices related to authentication, authorization, and access control: Authentication Services; Authentication, Authorization, and Access Control

5.3 Implement appropriate security controls when performing account management: User Account Management

6.0 Cryptography (Objective: Course Lessons)

6.1 Summarize general cryptography concepts: Cryptography Concepts

6.2 Use and apply appropriate cryptographic tools and products: Cryptography Tools

6.3 Explain the core concepts of public key infrastructure: Public Key Infrastructure (PKI) Concepts

6.4 Implement PKI, certificate management, and associated components: PKI Implementation


• Rewatch lessons

• Transcender study materials

• Vocabulary document

• Acronym document

Studying for the Exam


• Arrive 15 to 30 minutes before the test is scheduled to begin

• You must bring two forms of identification

–One must be a current, government-issued photo ID

–Both must have your signature

• Do not bring personal items into the testing center

–No notes, mobile phones, or calculators

• Be prepared

–Study!

–Get a good night of sleep

Test Day Tips


CompTIA Security+ Training Instructor: Lisa Szpunar

Next Steps


In This Lesson:

What We Have Covered in This Course

My Favorite Supporting Resources

Get Certified

Continue Learning

Join the Community

We Value Your Opinion

What We Have Covered in This Course

Getting Started with CompTIA Security+ Training

Introduction to IT Security

Types of Attacks

Malware Prevention and Cleanup

Network Device Security

Secure Network Administration

Secure Network Design

TCP/IP Protocols and Port Security


What We Have Covered in This Course

Attacks on Wireless Networks

Securing Wireless Networks

Host Security

Securing Applications

Data Security

Authentication, Authorization, and Access Control

Physical and Environmental Security

Authentication Services

User Account Management

What We Have Covered in This Course

Risk Management

Threat and Vulnerability Assessment and Detection

Risk Mitigation and Deterrence

Log Monitoring and Reporting

Business Continuity

Disaster Recovery Planning

Incident Response

User Education

Social Engineering

What We Have Covered in This Course

Cryptography Concepts

Cryptography Tools

Public Key Infrastructure (PKI) Concepts

PKI Implementation

Preparing for Your CompTIA Security+ SY0-301 Certification Exam

Next Steps


My Favorite Supporting Resources

• Information About the Exam: http://certification.comptia.org/getCertified/certifications/security.aspx

• My Favorite Security+ Book:

Dulaney, Emmett A. CompTIA Security+ Deluxe Study Guide: Exam SY0-301. Indianapolis: Wiley Technology Pub., 2011.

• National Institute of Standards and Technology – Information Technology Portal:

http://www.nist.gov/information-technology-portal.cfm


• Aligned with this course

–CompTIA Security+ exam number SY0-301

–Watch the lesson titled “Preparing for Your CompTIA Security+ SY0-301 Certification Exam”

–Watch the Transcender lessons

• Entry Level Networking

–CompTIA Network+

• Advanced Security Certifications

–CASP: CompTIA Advanced Security Practitioner – CompTIA

–CISSP: Certified Information Systems Security Professional – ISC2

• Specific Security Specialization Certifications

Get Certified

Continue Learning: Specialized Certifications

Topic                    Acronym  Certification Name                                 Certified By
Auditing Techniques      GSNA     GIAC Systems and Network Auditor                   GIAC
                         CISA     Certified Information Systems Auditor              ISACA
Penetration Testing      CEH      Certified Ethical Hacker                           EC-Council
Wireless Security        CWSP     Certified Wireless Security Professional           CWNP
Computer Forensics       CHFI     Computer Hacking Forensic Investigator             EC-Council
Secure Coding Practices  CSSLP    Certified Secure Software Lifecycle Professional   ISC2
                         GSSP     GIAC Secure Software Programmer                    GIAC


• Topics for Further Study

–Windows or other OS specific security

–Application security

–Auditing techniques

–Penetration testing

–Wireless security

–Computer forensics

–Mobile device security

Continue Learning


• Blogs/Newsletters

–Schneier on Security: www.schneier.com

• Magazines

–Search Security: searchsecurity.techtarget.com

–SC MAGAZINE: www.scmagazineus.com

• Podcasts

–Network Security Podcast: netsecpodcast.com

–CyberSpeak's Podcast: cyberspeak.libsyn.com

Continue Learning


• Professional Organizations

– Information Systems Security Association (ISSA)

• www.issa.org/

– Information Systems Audit and Control Association (ISACA)

• www.isaca.org/

– Information Security Forum

• www.securityforum.org/

• Connect with other IT security pros, organizations, and vendors through social media

– Forums

–Twitter

Join the Community


We Value Your Opinion


There are so many ways to reach us!

• Call us at 1-888-229-5055 (worldwide: 1-847-776-8800)

• Email us at [email protected]

• Post on our forums at http://forums.trainsignal.com/

Join the TrainSignal Conversation

Check Out Our Blog: http://www.trainsignal.com/blog

Become a Fan on Facebook: http://www.facebook.com/trainsignal

Follow Us on Twitter: http://twitter.com/trainsignal

Follow Me on Twitter: http://twitter.com/Lisa_Spooner

Find Info on IT Training: http://www.trainsignal.com

View Our YouTube Channels: http://www.youtube.com/trainsignalinc