2.0 Technologies and Tools

2.1 Install and configure network components, both hardware and software-based, to support organizational security.

(Mike Meyers 1, Mike Meyers 2)

2.1.1 Firewall

(James Messer)

  • Keeps bad traffic from coming in; sometimes from leaving too

  • Controls traffic flow

  • Content control as well

    • Inappropriate content
    • Malware
  • The three basic types of firewalls are packet filtering, circuit-level gateway, and application-level gateway. A fourth type combines features from these three and is called a stateful inspection firewall. (Stewart)

  • ACL: Access control lists

    • Rules for allow/disallow
    • Usually validate the rules from top to bottom
    • "Access control lists (ACLs) are lists of users and their permitted actions." (Conklin)
  • Application-based vs. network-based

    • Network based firewalls
      • Is a hardware device, typically called an appliance
      • Provide broad protection for an entire Network
      • Filter traffic by port number at OSI layer 4 (TCP/UDP); modern firewalls also support L7
      • Mostly L3 devices (routers), usually sitting at the ingress/egress of the network
    • Application-based firewalls (aka application-layer firewalls)
      • Can be a device, server addon, virtual service or a system filter
      • "Can analyze traffic at an even deeper level, examining the application characteristics of traffic and blocking specific actions while allowing others, even inside web-connected applications. This gives application-based firewalls much greater specificity than network-based firewalls that only look at IP addresses and ports." (Conklin)
      • Controls traffic flows based on application (SQL server/ browser)
      • Used with IPS
      • Host based firewalls
  • Stateful vs. stateless

    • Stateless
      • Doesn't keep track of sessions; only uses an ACL to allow or disallow
      • Acts as a packet filter: each packet is individually examined regardless of past history
      • Needs ACL rules for both inbound and outbound traffic
    • Stateful
      • Keeps track of which traffic flows are active
      • Only needs one ACL rule; the firewall automatically builds a session table with source/destination addresses and port numbers
      • "A stateful packet inspection firewall can act upon the state condition of a conversation—is this a new conversation or a continuation of a conversation, and did it originate inside or outside the firewall?" (Conklin)
  • Implicit deny

    • Implicit deny is the default security stance that says if you aren't specifically granted access to or privileges for a resource, you're denied access by default. (Stewart)
    • Most firewalls include deny at the bottom (if traffic is not specified with the ACL it will be denied)
    • Prevents "any traffic from passing that is not specifically recognized as allowed." (Conklin)
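The stateless vs. stateful and implicit-deny points above, as an added example that is not from the page or its cited sources: a minimal ACL evaluated top to bottom with implicit deny at the end, a stateless filter that needs a second rule for return traffic (and lets unsolicited traffic in through it), and a stateful filter that allows the reply from its session table. All addresses and rule values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # exact address or "any"
    dst: str
    dport: Optional[int] = None   # None matches any port
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))


def evaluate_acl(rules, p: Packet) -> str:
    """Top-to-bottom evaluation, first match wins; implicit deny when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatelessFirewall:
    """Each packet is judged on its own against the ACL; nothing is remembered."""
    def __init__(self, rules):
        self.rules = list(rules)

    def handle(self, p: Packet) -> str:
        return evaluate_acl(self.rules, p)


class StatefulFirewall:
    """The ACL is consulted only for new flows; replies are matched in the session table."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (proto, src, sport, dst, dport) of flows allowed so far

    def handle(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or reverse in self.sessions:
            return "allow"              # continuation of a known conversation
        if p.proto == "tcp" and not p.syn:
            return "deny"               # mid-stream segment for a flow we never saw start
        action = evaluate_acl(self.rules, p)
        if action == "allow":
            self.sessions.add(key)      # remember the new conversation
        return action


def demo() -> dict:
    inside, outside = "10.0.0.5", "203.0.113.10"        # constructed addresses
    outbound = Packet(inside, outside, "tcp", 51000, 443, syn=True)
    reply = Packet(outside, inside, "tcp", 443, 51000)
    # An outside host sourcing from port 443 to reach RDP on the inside host
    unsolicited = Packet(outside, inside, "tcp", 443, 3389, syn=True)

    # One rule: the inside host may open HTTPS connections outbound
    egress_only = [Rule("allow", "tcp", inside, "any", dport=443)]
    stateless, stateful = StatelessFirewall(egress_only), StatefulFirewall(egress_only)
    results = {
        "stateless_outbound": stateless.handle(outbound),       # allow
        "stateless_reply": stateless.handle(reply),             # deny: no inbound rule, implicit deny
        "stateful_outbound": stateful.handle(outbound),         # allow, and a session is recorded
        "stateful_reply": stateful.handle(reply),               # allow: matched in the session table
        "stateful_unsolicited": stateful.handle(unsolicited),   # deny: new flow, no matching rule
    }
    # The stateless "fix": a second rule keyed on source port 443 for return traffic
    with_return_rule = egress_only + [Rule("allow", "tcp", "any", inside, sport=443)]
    stateless2 = StatelessFirewall(with_return_rule)
    results["stateless_reply_with_rule"] = stateless2.handle(reply)                # allow
    results["stateless_unsolicited_with_rule"] = stateless2.handle(unsolicited)    # allow: the weakness
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:34} {action}")
```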

2.1.2 VPN concentrator

(James Messer)

  • VPN concentrator

    • A VPN concentrator is a dedicated hardware device designed to support a large number of simultaneous VPN connections, often hundreds or thousands. It provides high availability, high scalability, and high performance for secure VPN connections. (Stewart)
    • A device that's used to encrypt and decrypt VPN traffic, often integrated into a firewall
    • Deployed as specialized cryptographic hardware or as a software-based option
  • Remote access vs. site-to-site

    • Remote access VPNs (tunnels) provide on-demand access from a remote device (PC VPN software to a VPN concentrator)
    • Site-to-site VPNs are usually always on
    • "When the VPN is set up to connect specific machines between two networks on an ongoing basis, with no setup per communication required, it is referred to as a site-to-site VPN configuration. If the VPN connection is designed to allow remote hosts to connect to a network, they are called remote access VPNs." (Conklin)
  • IPSec (Internet protocol security) (Mike Meyers)

    • IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode or tunnel mode. It can be used to establish direct communication between computers or to set up a VPN between networks. (Stewart)

    • Authentication and encryption for every packet. (OSI L3)

    • Confidentiality and Integrity check/ Anti-replay

    • Two different modes of communication

      • Transport mode
        • Data is encrypted
        • IPSec headers and trailers
        • Original IP header used
        • Typically used for remote-access VPN.
      • Tunnel mode
        • Both IP header and data are encrypted
        • Completely different IP header put on front of packet
        • Typically used for site-to-site VPN.
    • Two core IPSec protocols (two methods for implementing IPsec)

      • AH: Authentication header
        • Provides integrity
        • AH is the hash of the packet (IP header + data) plus a shared key (MD5/SHA-1/SHA-2)
        • "The AH, when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data’s origin." (Conklin)
      • ESP: Encapsulating Security Payload
        • Provides confidentiality and integrity
        • ESP provides encryption of the transferred data as well as limited authentication. (Stewart)
        • "Provides security services for the higher-level protocol portion of the packet only, not the IP header." (Conklin)
  • Split tunnel vs. full tunnel

    • "Split tunnel is a form of VPN where not all traffic is routed via the VPN." (Conklin)
    • "A full tunnel solution routes all traffic over the VPN, providing protection to all networking traffic." (Conklin)
  • TLS (Mike Meyers)

    • "TLS-based VPNs have some advantages over IPSec-based VPNs when networks are heavily NAT encoded, because IPSec-based VPNs can have issues crossing multiple NAT domains." (Conklin)
  • Always-on VPN

    • They use "pre-established connection parameters and automation. Always-on VPNs can self-configure and connect once an Internet connection is sensed and provide VPN functionality without user intervention." (Conklin)
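An added example, not from the page or its sources, tying together the AH/ESP and transport/tunnel-mode points above with the NAT remark under TLS: AH's integrity check covers the IP header, so a NAT rewriting the source address breaks it, whereas ESP's check covers only the ESP payload and survives the NAT; tunnel mode also restores the inner header untouched. The key, addresses and payload are constructed, and the ESP cipher is a stand-in keystream, not a real IPsec transform.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-shared-key-for-demo"     # constructed; real SAs negotiate keys via IKE
GW_A, GW_B = "198.51.100.1", "203.0.113.1"   # constructed tunnel endpoints for tunnel mode
ICV_LEN = 32                                  # HMAC-SHA256 output length


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes


def _header_and_data(pkt: IPPacket) -> bytes:
    return pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload


def ah_icv(pkt: IPPacket) -> bytes:
    # AH authenticates the (immutable parts of the) IP header together with the data
    return hmac.new(KEY, _header_and_data(pkt), hashlib.sha256).digest()


def ah_protect(pkt: IPPacket) -> IPPacket:
    # The AH header (reduced here to its ICV) is inserted in front of the data
    return IPPacket(pkt.src, pkt.dst, ah_icv(pkt) + pkt.payload)


def ah_verify(pkt: IPPacket) -> bool:
    icv, data = pkt.payload[:ICV_LEN], pkt.payload[ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(IPPacket(pkt.src, pkt.dst, data)))


def _keystream(n: int) -> bytes:
    # Stand-in for the ESP cipher so the block has no dependencies; real ESP uses e.g. AES-GCM
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))


def esp_protect(pkt: IPPacket, mode: str) -> IPPacket:
    if mode == "transport":
        inner, outer_src, outer_dst = pkt.payload, pkt.src, pkt.dst   # original IP header kept
    else:  # tunnel mode: the whole inner packet, header included, becomes the ESP payload
        inner, outer_src, outer_dst = _header_and_data(pkt), GW_A, GW_B
    ciphertext = _xor(inner)
    icv = hmac.new(KEY, ciphertext, hashlib.sha256).digest()   # covers the ESP payload only
    return IPPacket(outer_src, outer_dst, ciphertext + icv)


def esp_open(pkt: IPPacket, mode: str):
    """Verify the ESP ICV and decapsulate; returns None if integrity fails."""
    ciphertext, icv = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, ciphertext, hashlib.sha256).digest()):
        return None
    plain = _xor(ciphertext)
    if mode == "transport":
        return IPPacket(pkt.src, pkt.dst, plain)
    src, dst, data = plain.split(b"|", 2)
    return IPPacket(src.decode(), dst.decode(), data)


def nat(pkt: IPPacket, new_src: str) -> IPPacket:
    # A NAT on the path rewrites the outer source address
    return IPPacket(new_src, pkt.dst, pkt.payload)


def demo() -> dict:
    original = IPPacket("10.0.1.5", "10.0.2.7", b"GET /payroll HTTP/1.1")   # constructed
    nat_addr = "198.51.100.77"
    ah_after_nat = nat(ah_protect(original), nat_addr)
    esp_t = nat(esp_protect(original, "transport"), nat_addr)
    esp_tun = nat(esp_protect(original, "tunnel"), nat_addr)
    opened_t, opened_tun = esp_open(esp_t, "transport"), esp_open(esp_tun, "tunnel")
    return {
        "ah_untouched": ah_verify(ah_protect(original)),              # True
        "ah_after_nat": ah_verify(ah_after_nat),                       # False: header changed
        "esp_transport_after_nat": opened_t is not None and opened_t.payload == original.payload,
        "esp_tunnel_inner_restored": opened_tun == original,           # inner header survives
        "esp_transport_outer_src": esp_t.src,                          # what the receiver sees
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

Real ESP still needs NAT traversal (UDP encapsulation, RFC 3948) behind a port-translating NAT, because ESP itself carries no port numbers for the NAT to track.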

2.1.3 NIPS/NIDS

(James Messer, Jason Dion 1, Jason Dion 2, Mike Meyers)

  • Both NIDS / NIPS watch network traffic
  • Detection - Alarm or Alert
  • Prevention - Stop it before it gets in to the network
  • Inline vs. passive
    • Passive
      • No way to block traffic
      • Receives copy of traffic (port mirror/ SPAN, network trap)
      • Isn't sitting in middle of traffic
      • When malicious traffic is detected the IPS can send TCP RST (reset) frames; this is called an out-of-band response
      • Out-of-band response
        • After the fact: the malicious traffic has already been detected
        • Sends TCP RST (reset), closes the connection
        • Limited capability: UDP has no reset
    • Inline
      • Traffic passes through
      • May be dropped
      • Response is In-band response which is immediate
  • Identification technologies
    • Signature-based
      • Look for a perfect match
    • Anomaly
      • Build a baseline of what's normal
  • Heuristic/behavioral
    • Use artificial intelligence to identify
  • Rules
    • Block, allow, send alert, etc.
  • Analytics
    • False positive
      • False alarm
      • e.g. quarantining sites, files which are legitimate
    • False negative
      • Should have been caught, but passed
      • Malicious traffic not identified

2.1.4 Router

(James Messer, Jason Dion)

  • A router forwards traffic between IP subnets
  • Layer 3 devices
    • They make decisions at the network layer of the OSI model
    • Typically "layer 2" is referring to a switch
    • Routers inside of switches sometimes called "layer 3 switches"
    • Often connects diverse network types (LAN/WAN/copper / fiber)
  • ACLs: Access Control Lists
    • Used by routers, firewalls and switches
    • Used to allow or deny traffic (also used for NAT, QoS)
    • Can be configured on ingress or egress of an interface
    • Evaluate traffic on certain criteria
      • Source IP, destination IP, TCP port numbers, UDP port numbers, ICMP
    • "The ACLs should be deployed on the routers. The ACLs will improve network security by confining sensitive data traffic to computers on a specific subnet. By implementing ACLs and rules, you can ensure that a secure router configuration is implemented, which will protect the routers and the subnets they manage." (uCertify)
  • Antispoofing
    • Prevent others from using someone else's address
    • Man-in-the-middle, DDoS
    • Routers can filter reserved IP addresses (RFC 1918 addresses should not be arriving from the internet)
    • RPF: Reverse Path Forwarding
      • The response to an inbound packet should go back out the same interface the packet came in on
      • If it wouldn't, drop the packet immediately
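The antispoofing bullets above as an added example (not from the page or its sources): an ingress filter that drops RFC 1918 and other reserved sources arriving from the WAN side, drops the organization's own address block arriving from outside, and applies strict unicast RPF using the routing table. The routes, address blocks and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Source addresses that have no business arriving from the Internet (RFC 1918 plus other reserved ranges)
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this" network, link-local
    "224.0.0.0/4",                                     # multicast is never a unicast source
)]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


class Router:
    def __init__(self, routes, internal_prefix: str):
        # Longest prefix first, so lookups behave like a real forwarding table
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.internal = ipaddress.ip_network(internal_prefix)

    def lookup(self, addr: ipaddress.IPv4Address):
        """Interface the router would use to reach addr, or None if unroutable."""
        for r in self.routes:
            if addr in r.prefix:
                return r.interface
        return None

    def ingress_check(self, src: str, ingress_if: str) -> str:
        """Return 'forward' or a drop reason for a packet with source src arriving on ingress_if."""
        addr = ipaddress.ip_address(src)
        if ingress_if == "wan":
            if any(addr in net for net in BOGON_SOURCES):
                return "drop: reserved/private source from the Internet"
            if addr in self.internal:
                return "drop: our own address space arriving from outside"
        # Strict unicast RPF: the best route back to the source must leave via the ingress interface
        if self.lookup(addr) != ingress_if:
            return "drop: uRPF failure (no return path via this interface)"
        return "forward"


def demo() -> dict:
    router = Router(
        [Route(ipaddress.ip_network("198.51.100.0/24"), "lan"),   # constructed internal block
         Route(ipaddress.ip_network("0.0.0.0/0"), "wan")],        # default route to the Internet
        internal_prefix="198.51.100.0/24",
    )
    cases = {
        "internet_client": ("203.0.113.9", "wan"),
        "private_from_internet": ("192.168.1.5", "wan"),
        "our_space_from_internet": ("198.51.100.7", "wan"),   # someone spoofing us from outside
        "inside_host": ("198.51.100.7", "lan"),
        "inside_spoofing_external": ("203.0.113.9", "lan"),   # inside host spoofing an outside address
    }
    return {name: router.ingress_check(src, ifc) for name, (src, ifc) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```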

2.1.5 Switch

(James Messer, Jason Dion)

  • OSI layer 2 device
    • Uses MAC address based forwarding
  • Bridging done in hardware ASIC: Application-specific integrated circuit
  • Port security
    • Inside of network less secure
    • IEEE 802.1X - Port-based Network Access Control (NAC)
      • You don't get access until you authenticate
      • Makes extensive use of EAP and RADIUS
      • Physical ports (not TCP/UDP)
      • Administrative enable/disable unused ports
      • Duplicate MAC address checking
        • Stop the spoofers
  • "A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes." (uCertify)
  • Loop prevention
    • Two switches connected together will send traffic back and forth forever
    • Easy way to take down a network
    • STP: Spanning Tree Protocol
      • 802.1D
      • Prevents loops
  • Flood guard
    • Configure a maximum number of MAC addresses on an interface
    • Configure specific MAC addresses
  • Layer 2 vs. Layer 3
    • Layer 3 switches
      • Switching operates at OSI layer 2
      • Routing still operates at OSI layer 3

2.1.6 Proxy

(James Messer, Mike Meyers)

  • A proxy server is a variation of an application-level firewall or circuit-level firewall. A proxy server is used as a proxy or middleman between clients and servers. (Stewart)
  • Receives the user requests and sends the request on their behalf (the proxy)
  • Useful for caching information, access control, URL filtering, content scanning
  • Modes of operation
    • Explicit proxy
      • OS or browser must be configured to explicitly use proxy
    • Transparent
      • Invisible; end users have no idea there is a proxy in the middle
  • Application proxies (most common)
    • The proxy understands the way the application works
    • NAT (network address translation)
      • Network-level proxy
      • One of the simplest proxies
    • Some proxies may only know one application (e.g. HTTP)
    • Other proxies are multipurpose proxies
      • HTTP, HTTPS, FTP
  • Forward and reverse proxy (different ways proxies can operate)
    • Forward proxy
      • An "internal proxy"
        • Commonly used to protect and control internal user access to the internet
    • Reverse proxy
      • Inbound traffic from the internet to your internal service (e.g. web server)
  • Open proxy
    • A third-party, uncontrolled proxy
      • Can be a significant security concern (owners can add malicious code)
      • Often used to circumvent existing security controls (e.g. URL filtering)

2.1.7 Load balancer

(James Messer)

  • Distributes the load
    • Across multiple servers
    • Invisible to the end-user
  • Large scale implementations
    • Web server farms, database farms
  • Fault tolerance
    • Server outages have no effect
    • Very fast convergence
  • SSL offload
    • Encryption/decryption
  • Caching
    • Fast response
  • Prioritization
    • QoS Quality of service, some applications get priority
  • Content switching
    • Application centric balancing, (different number of servers based on the application )
  • How traffic is Scheduled to go to different servers
    • Round-robin
      • Each server is selected in turn
      • Dynamic round-robin
        • Distribute load to server with lowest use
      • Weighted round-robin
        • Prioritize the server use (some servers might get more traffic)
    • Affinity
      • Since the load balancer sends traffic to a different server each time, it's challenging for some applications to maintain the session
      • Uses the same server for a particular user or instance
      • Tracked through IP address or session IDs
  • Active-active
    • All servers are active; requests can be sent to any of them at any time
  • Active-passive
    • Some servers available
    • Others on standby
    • Passive servers take place of failed servers
  • Virtual IPs
    • "Allow for multiple systems to be reflected back as a single IP address." (Conklin)
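The scheduling, affinity and active/passive points above as an added example (not from the page or its sources): plain, weighted and dynamic round-robin, source-IP affinity, and a pool where a standby server replaces a failed active one. Server names and the client address are constructed.

```python
import hashlib
from itertools import cycle


class RoundRobin:
    """Each server is selected in turn."""
    def __init__(self, servers):
        self._it = cycle(list(servers))

    def pick(self, client: str = "") -> str:
        return next(self._it)


class WeightedRoundRobin:
    """A server with weight 3 is handed three requests per cycle; weight 1 gets one."""
    def __init__(self, weights: dict):
        self._it = cycle([s for s, w in weights.items() for _ in range(w)])

    def pick(self, client: str = "") -> str:
        return next(self._it)


class DynamicRoundRobin:
    """Send the request to the server with the fewest active connections."""
    def __init__(self, servers):
        self.active = {s: 0 for s in servers}

    def pick(self, client: str = "") -> str:
        server = min(self.active, key=self.active.get)
        self.active[server] += 1
        return server

    def release(self, server: str) -> None:
        self.active[server] -= 1


class AffinityBalancer:
    """Source-IP affinity: the same client hashes to the same server, so session state stays put."""
    def __init__(self, servers):
        self.servers = sorted(servers)

    def pick(self, client: str) -> str:
        h = int(hashlib.sha256(client.encode()).hexdigest(), 16)
        return self.servers[h % len(self.servers)]


class ActivePassivePool:
    """Standby servers take the place of failed active ones."""
    def __init__(self, active, standby):
        self.active, self.standby = list(active), list(standby)

    def members(self):
        return list(self.active)

    def mark_failed(self, server: str):
        self.active.remove(server)
        if self.standby:
            self.active.append(self.standby.pop(0))   # passive server steps in
        return list(self.active)


def demo() -> dict:
    servers = ["web1", "web2", "web3"]                 # constructed pool
    rr, drr, aff = RoundRobin(servers), DynamicRoundRobin(servers), AffinityBalancer(servers)
    wrr = WeightedRoundRobin({"web1": 3, "web2": 1})   # web1 is the bigger box
    pool = ActivePassivePool(active=["web1", "web2"], standby=["web3"])

    dynamic = [drr.pick() for _ in range(3)]           # one request to each server
    drr.release("web2")                                # web2 finished its request first
    dynamic.append(drr.pick())                         # so the next request goes to web2

    client = "198.51.100.23"                           # constructed client address
    return {
        "round_robin": [rr.pick() for _ in range(4)],
        "weighted": [wrr.pick() for _ in range(4)],
        "dynamic": dynamic,
        "affinity_stable": aff.pick(client) == aff.pick(client),
        "affinity_in_pool": aff.pick(client) in servers,
        "before_failure": sorted(pool.members()),
        "after_failure": sorted(pool.mark_failed("web1")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```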

2.1.8 Access point

(James Messer)

  • Not a wireless router

    • A wireless router is a router and a WAP in a single device
    • WAP is a bridge
      • Extends the wired network onto the wireless network
      • An OSI layer 2 device
  • SSID: Service Set Identifier

    • Name of the wireless network
    • Change the SSID to something not-so obvious
  • Disabled SSID broadcasting?

    • This was never designed to be a wireless security feature
    • SSID easily determined through wireless network analysis
    • Security through obscurity - not recommended
  • IEEE Standards for wireless networks

    • 802.11 is the IEEE standard for wireless network communications.
    • Versions include 802.11a (2 Mbps), 802.11b (11 Mbps), 802.11g (54 Mbps) and 802.11n (150+ Mbps).
    • The 802.11 standard also defines Wired Equivalent Privacy (WEP).
  • MAC filtering

    • Limit access to only certain physical devices
    • Keep neighbors out of AP
    • But MAC addresses can be spoofed
      • Use packet-capturing device to discern MAC address
  • Signal strength

    • Power level controls
      • Limit power of signal
      • Set it as low as possible
    • "The power levels will dictate how far an access point can transmit its signal. For more coverage, increase the power levels, but be careful not to go beyond your organization's work area, or other neighboring entities might try to compromise your network." (uCertify)
  • Band selection/width

    • Throughput
      • Maximum theoretical throughputs (because it's hard to determine the actual value)
      • Actual throughput can vary
    • Frequency
      • 2.4 GHz and 5 GHz
      • Sometimes both
  • Band selection and Bandwidth

    • 2.4 GHz frequency is more crowded: 3 non-overlapping IEEE channels (1, 6, 11), each 20 MHz
    • 5 GHz has a much larger spectrum (channel widths ranging from 20 MHz to 160 MHz)
  • Antenna types and placement

    • Omnidirectional antennas
      • Most common
      • Signal can't be focused
    • Directional antennas
      • Focus the signal
      • Increased distances
      • Double power every 3dB of gain (logarithmic scale)
      • Yagi antenna
        • Very directional
        • High gain
      • Parabolic antenna
        • Focus on a single point
  • Controller-based vs. standalone

    • Wireless LAN controllers
      • Centralized management of WAPs (one screen to control all)
        • Deploy
        • Security Monitor
        • Configure and deploy changes to all sites
        • Report on AP use
      • Controllers use LWAPP - Lightweight Access Point Protocol to communicate with the APs
        • LWAPP is Cisco proprietary
        • CAPWAP is an RFC (open) standard, based on LWAPP
        • Manage multiple points simultaneously
      • Fat vs. thin
        • Thick AP
          • The access point handles most wireless tasks
          • The switch is not wireless-aware
        • Thin AP
          • Just enough to be 802.11 wireless
          • The intelligence is in the switch
          • Less expensive

2.1.9 SIEM: Security Information and Event Management

(James Messer, Mike Meyers)

  • Logging of security events and information
  • Aggregation
    • "The collecting of information in a central place, in a common format, to facilitate analysis and decision making." (Conklin)
  • Correlation
    • Link diverse data types
    • "The connection of events based on some common basis. Events can correlate based on time, based on common events, based on behaviors, and so on. Although correlation is not necessarily causation, it is still useful to look for patterns, and then use these patterns to find future issues." (Conklin)
  • Time synchronization
    • Challenge: each device has its own clock setting
    • Synchronization becomes critical
    • Automatic update with NTP (Network Time Protocol)
      • Very accurate: within 1 millisecond
  • Syslog
    • Standard method for transferring logs between devices
    • Diverse systems, consolidated log
    • Integrated in to the SIEM
  • Logs/WORM drive technologies
    • Write once, read many (WORM) - DVD-R
    • Protect important security logs
  • Event de-duplication
    • Event storms (when a WAN link goes down, did you lose one connection or 50 connections?)
    • Filter out the noise (focus on the real problem)
    • Flapping (e.g. an interface goes down, comes back up and goes down again, filling up the syslog); use timers to prevent this
  • Automated alerting and triggers
    • Track important statistics
    • Email, text, call
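An added example for the de-duplication and flapping bullets above (not from the page or its sources): a few constructed syslog lines are parsed, identical events repeated within a few seconds are collapsed into one event with a count, and an interface that changes state repeatedly inside a window produces a single flapping alert instead of one alert per transition. The hostnames, timestamps and the assumed year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines: an interface flapping, a WAN outage event storm, and one unrelated event
SAMPLE = """\
Jan 12 10:00:01 sw1 LINK-3-UPDOWN: Interface Gi0/5, changed state to down
Jan 12 10:00:09 sw1 LINK-3-UPDOWN: Interface Gi0/5, changed state to up
Jan 12 10:00:20 sw1 LINK-3-UPDOWN: Interface Gi0/5, changed state to down
Jan 12 10:00:31 sw1 LINK-3-UPDOWN: Interface Gi0/5, changed state to up
Jan 12 10:01:02 sw1 LINK-3-UPDOWN: Interface Gi0/5, changed state to down
Jan 12 10:05:00 fw1 BGP-5-ADJCHANGE: neighbor 203.0.113.1 Down (WAN link lost)
Jan 12 10:05:01 fw1 BGP-5-ADJCHANGE: neighbor 203.0.113.1 Down (WAN link lost)
Jan 12 10:05:02 fw1 BGP-5-ADJCHANGE: neighbor 203.0.113.1 Down (WAN link lost)
Jan 12 10:05:01 srv1 sshd[812]: Failed password for root from 198.51.100.23 port 40112 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
STATE_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")


def parse(line: str, year: int = 2024):
    """Classic BSD syslog has no year; the collector supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def deduplicate(events, window_s: int = 5):
    """Collapse repeats of the same (host, msg) within window_s of the first copy into one event with a count."""
    out, first_seen = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["msg"])
        kept = first_seen.get(key)
        if kept and (e["ts"] - kept["ts"]).total_seconds() <= window_s:
            kept["count"] += 1
        else:
            kept = dict(e, count=1)
            out.append(kept)
            first_seen[key] = kept
    return out


def flap_alerts(events, window_s: int = 120, threshold: int = 4):
    """One alert per interface whose state changed at least threshold times inside any window_s span."""
    changes = defaultdict(list)
    for e in events:
        m = STATE_RE.search(e["msg"])
        if m:
            changes[(e["host"], m["ifname"])].append(e["ts"])
    alerts = []
    for (host, ifname), stamps in changes.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                alerts.append(f"{host} {ifname} flapping: {threshold}+ state changes in {window_s}s")
                break
    return alerts


def analyze(text: str = SAMPLE) -> dict:
    events = [e for e in (parse(line) for line in text.splitlines()) if e]
    deduped = deduplicate(events)
    storm = next(e["count"] for e in deduped if e["host"] == "fw1")
    return {
        "raw_count": len(events),
        "deduplicated_count": len(deduped),
        "wan_storm_count": storm,
        "flap_alerts": flap_alerts(deduped),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(f"{k:20} {v}")
```

The window and threshold values are the timers the bullet refers to; tune them per event type, since a value that silences an interface storm may also hide a genuine repeated login failure.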

2.1.10 DLP: Data Loss Prevention

(James Messer)

  • Data loss prevention (DLP) is the idea of systems specifically implemented to detect and prevent unauthorized access to, use of, or transmission of sensitive information. DLP can include hardware and software elements designed to support this primary goal. (Stewart)

  • Stop the data before the bad guys get it - data leakage

  • Data Loss Prevention (DLP) can stop unencrypted sensitive and personally identifiable information (PII) from inadvertently leaving the company. It cannot scan encrypted data.

  • Data in use

    • In the memory on your computer
    • Endpoint DLP tools can watch for that data and prevent accessing
  • Data in motion

    • Insecure data sent over network
  • Data at rest

    • "Data-at-rest is the data that is currently inactive but stored in digital form in places such as nonvolatile memory." (Dion)
    • On your server
  • USB blocking

    • e.g. ban removable flash media
  • Cloud-based DLP

    • Located between users and internet - watch the data traffic
    • Block custom-defined data strings
    • Manage access to URLs
    • Block virus and malware
  • Email

    • Track, monitor, and filter email, inbound and outbound
    • Block forgeries

2.1.11 NAC: Network Access Control

(James Messer)

  • Unlike firewalls (edge devices), access control can control people from inside or outside; access can be based on many rules, and these rules are easily revoked or changed (compared to firewalls)

  • The goals of NAC are to prevent or reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control. (Stewart)

  • Posture assessment

    • You can't trust everyone's computer, especially with BYOD
    • Perform a health check before connecting to the network
    • Agents that do posture assessment can execute it in many different ways
    • Dissolvable vs. permanent Agents
      • Persistent agents
        • Permanently installed
        • Periodic updates
      • Dissolvable agents
        • No installation required
        • Runs during the posture assessment
        • Terminates when no longer required
    • Agentless NAC
      • Integrated with Active Directory
      • Checks are made during login and logoff
      • Can't be scheduled
  • Failing assessment

    • Put on quarantine network
    • Just enough access to fix issue
  • Host health checks

    • "Some common host health checks include verifying an antivirus solution is present, has the latest patches, and has been run recently, and verifying that the OS and applications are patched." (Conklin)
  • Agent vs. agentless

    • "In agent-based solutions, code is stored on the host machine for activation and use at time of connection. In agentless solutions, the code resides on the network and is deployed to memory for use in a machine requesting connections, but since it never persists on the host machine, it is referred to as agentless." (Conklin)
  • "Computers must have the authentication agent installed; otherwise, the NAC system will not ask

2.1.12 Mail gateway

(James Messer)

  • Filtering
    • Examine inbound or outbound email
    • Antivirus
    • DLP on email server
  • Spam filter
    • Only receive email from trusted senders
    • SMTP standards checking
    • rDNS - Reverse DNS
      • Block email where the sender's domain doesn't match the IP address
    • Tarpitting
      • Intentionally slow down the conversation so spammers will give up
    • Recipient filtering
      • Block all email not addressed to a valid recipient address
  • Encryption
    • Based on policy
    • Force encryption, send a password to the sender
  • DLP
    • "Most enterprise-level DLP solutions have built-in gateway methods for integration with mail servers to facilitate outgoing mail scanning." (Conklin)
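An added example (not from the page or its sources) for the DLP section's "block custom-defined data strings" and "cannot scan encrypted data" points and for the mail gateway's outgoing-mail scanning: a scanner that looks for card numbers and SSN-shaped strings in message bodies, uses the Luhn checksum so that a tracking number is not mistaken for a card, blocks outbound hits, alerts on inbound ones, and passes encrypted bodies it cannot read. The messages, policy and the 4111... test card number are constructed.

```python
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, spaces or dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs such as tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    # Never copy the full value into the DLP alert; keep only the last four characters
    return "*" * (len(value) - 4) + value[-4:]


def find_pans(text: str):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_message(msg: dict) -> dict:
    """Policy: PII leaving the organisation is blocked; PII arriving is logged; encrypted bodies cannot be read."""
    if msg.get("encrypted"):
        return {"action": "pass", "findings": [], "note": "encrypted body: DLP cannot inspect it"}
    findings = [("PAN", redact(p)) for p in find_pans(msg["body"])]
    findings += [("SSN", redact(s)) for s in SSN_RE.findall(msg["body"])]
    if not findings:
        return {"action": "allow", "findings": []}
    action = "block" if msg["direction"] == "outbound" else "alert"
    return {"action": action, "findings": findings}


def demo() -> dict:
    messages = {   # constructed messages
        "outbound_pan": {"direction": "outbound", "encrypted": False,
                         "body": "Hi, please charge 4111-1111-1111-1111 for the invoice."},
        "tracking_number": {"direction": "outbound", "encrypted": False,
                            "body": "Your parcel tracking number is 1234 5678 9012 3456."},
        "inbound_ssn": {"direction": "inbound", "encrypted": False,
                        "body": "Applicant SSN 123-45-6789 attached for onboarding."},
        "encrypted": {"direction": "outbound", "encrypted": True,
                      "body": "-----BEGIN PGP MESSAGE----- ..."},
    }
    return {name: inspect_message(m) for name, m in messages.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```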

2.1.13 Bridge

  • "Operates by connecting two separate network segments and allows communication between the two segments based on the layer 2 address on a packet." (Conklin)

2.1.14 SSL/TLS accelerators

(James Messer)

  • Asymmetric encryption is hard
    • Transfer the symmetric key using the asymmetric encryption (handshake process)
    • Much more computationally intense than symmetric encryption
    • Accelerator offloads the process from the actual webserver (SSL Offload / SSL termination)
  • "Includes hardware-based SSL/TLS operations to handle the throughput, and it acts as a transparent device between the web server and the Internet. When an enterprise experiences web server bottlenecks due to SSL/TLS demands, an accelerator can be an economical solution." (Conklin)

2.1.15 SSL decryptors

  • An SSL decryptor or TLS decryptor is a dedicated device used to decode secure communications for the purpose of filtering and monitoring. (Stewart)
  • SSL proxy
    • Uses internal CA certificate
  • Decrypts and inspects traffic before re-encrypting and sending it to destination

2.1.16 Hardware security module (HSM)

  • A cryptoprocessor used to manage and store digital-encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication.(Stewart)
  • High-end cryptographic hardware
  • Key backup
    • Secured storage
  • SSL endpoint

2.1.17 Media gateway

  • A media gateway is any device or service that converts data from one communication format to another. A media gateway is often located at the intersection of two different types of networks. (Stewart)
  • Converts between PSTN (public switched telephone network) and VoIP
  • A hacker could disable all voice communications
    • Make outbound calls
    • Listen to communications

2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization.

(James Messer)

2.2.1 Protocol analyzer

(Jason Dion, Mike Meyers)

  • Gather packets on the network
  • View traffic patterns
    • Identify unknown traffic
    • verify packet filtering and security controls
  • Large scale storage for big data analytics

2.2.2 Network scanners

(Mike Meyers)

  • Scan for IP addresses and open ports to determine what services are running on a remote device
    • Also for operating systems, services, etc.
  • Scan IP range
  • Rogue system detection
  • e.g. nmap, zenmap, Angry IP scanner
  • Visually graph devices
  • Network mapping

2.2.3 Wireless scanners/cracker

  • A wireless scanner is used to detect the presence of a wireless network. Once a wireless network is discovered, WEP network encryption can be compromised with a wireless cracker in moments, due to its poor implementation of RC4. WPA networks, which are also based on RC4, are better, but their encryption can be cracked in less than 12 hours.(Stewart)
  • Wireless monitoring
    • Packet capture
  • Wireless attacks to determine the security of your own device
    • Rogue access point
    • de-authentication attacks
  • Cracking
    • try to find a wireless network key
  • Open source projects
    • Aircrack-ng Suite, Fern (find and crack wireless passwords)

2.2.4 Password cracker

  • Hashes that are not salted are easier to crack
  • But getting the hashes is not trivial
  • John the Ripper, Ophcrack

2.2.5 Vulnerability scanner

(Mike Meyers)

  • Active test, but minimally invasive (unlike pen test)
  • e.g. Microsoft Baseline Security Analyzer, Tenable Nessus, Nikto
    • Scan one or many devices
    • Automate the process, report on findings by the priority

2.2.6 Configuration compliance scanner

  • Need to comply with internal and/or industry regulations
  • Operating system version, install applications, network settings, anti-virus/anti-malware settings and versions, server configuration, etc.
  • Auditing may be ongoing; info is stored in a central DB
    • Report on current status; changes can easily be identified
    • Integrated with login process and/or VPN connection

2.2.7 Exploitation frameworks

  • Instead of writing exploit from scratch
  • e.g.
    • BeEF - The browser exploitation framework project
    • RouterSploit - router exploitation framework
    • Metasploit - build your own vulnerability tests

2.2.8 Data sanitization tools

  • Overwrite the data once, and it's gone
  • e.g.
    • Darik's Boot and Nuke (DBAN) - sanitize an entire HD
    • Microsoft's SDelete - individual files or folders
    • Don't forget about caches and temp files

2.2.9 Steganography tools

  • Embed data inside image
  • Network based
    • Embed messages in TCP packets
  • Invisible watermarks on print

2.2.10 Honeypot

(Mike Meyers)

  • Attract the bad guys
  • Bad guys are probably a bot doing reconnaissance
  • Create virtual world to explore
  • projecthoneypot.org, honeyd

2.2.11 Backup utilities

  • Real-time file sync
    • rsync
  • Regular partial backups
    • Hourly incremental backups
  • Full backups
  • Complete coverage, fast recovery

2.2.12 Banner grabbing

  • "Banner grabbing is a process where someone connects to a web server and gathers information by 'grabbing their banner' which can be done through netcat fairly easily." (Dion)
  • Applications can be chatty
    • They can say too much
  • capture with telnet, nc, nmap

2.2.13 Passive vs. active

  • Passive
    • Watches traffic
  • Active
    • Sends traffic to a device, watch the results
    • Query a login page
    • Try a known vulnerability
    • Check account access

2.2.14 Command line tools

(James Messer, Mike Meyers 1, Mike Meyers 2)

  • ping
    • Test if device is available
    • Determine round trip
    • Uses ICMP
  • netstat
    • Show all active connections: netstat -a
    • Show active connections and binaries (Windows): netstat -b
    • Do not resolve names: netstat -n
  • tracert
    • traceroute
    • Determine the route a packet takes to a destination
    • Map the entire path
    • tracert (Windows) or traceroute (POSIX)
    • Uses ICMP Time to live (TTL) exceeded error message
      • The time in TTL refers to hops, not seconds/min
      • TTL=1 is 1st router , TTL=2 is second router etc.
    • Not all devices will reply with ICMP TTL
      • some firewalls filter ICMP
      • ICMP is low priority for many devices
  • nslookup/dig
    • Lookup information from DNS servers
    • Canonical names, IP addresses, cache timers, etc.
    • nslookup
      • Both Windows and POSIX-based
      • Lookup names and IP addresses
      • Deprecated (use dig instead)
    • dig (domain information groper)
      • More advanced domain information
  • arp Address resolution protocol
    • Determine MAC address based on IP address
    • View ARP table: arp -a
  • ipconfig/ip/ifconfig
    • determine TCP/IP and network adapter info
  • tcpdump
    • "Tcpdump is a packet sniffer made for Linux but has been/can be ported to Windows." (Dion)
    • Capture packets from the command line
    • save data in standard pcap format so other applications can view it
  • nmap
    • Network mapper, find and learn more about network devices
    • Port scan to see what devices are available
    • nmap [ip]
    • sudo nmap -O - determine OS
  • netcat
    • "Read" or "write" to the network
    • Open a port and send or receive some traffic
      • Listen to a port number (act as a shell or backdoor)
      • Transfer data
      • Scan ports and send data to a port
    • Become a backdoor
    • Also: Ncat

2.3 Given a scenario, troubleshoot common security issues.

(James Messer)

  • Unencrypted credentials/clear text
    • Some protocols send authentication information in the clear (Telnet, FTP, SMTP, IMAP)
      • Capture the packets with a packet capture tool and check whether the exchange is actually secure
  • Logs and events anomalies (Mike Meyers)
    • Gather as much information as possible (switches, routers, firewalls, servers and IPS)
    • Consolidate into a SIEM and correlate the data; extensive reporting
    • These logging systems can identify the anomalies
  • Permission issues
    • Information is not properly protected on the server
    • Door left open; no lockpicking required
    • Files left open on S3 buckets
    • Confirm permissions on the initial config, provide a process for changes and updates, perform periodic audits
  • Access violations
    • Segmentation fault (error raised by the OS when a process tries to access a restricted area of memory)
    • Prevent access to a restricted area
  • Certificate issues
    • A certificate should be signed by someone you trust
    • Should be relatively new
    • Proper TLS checks; prevent man-in-the-middle
  • Data exfiltration
    • "Data exfiltration is where an attacker attempts to steal a copy of your data and export it from your system." (Conklin)
  • Misconfigured devices
    • Leaving defaults in place can make it easy to guess user/pass
    • Outdated software
    • Debug/maintenance code
    • Firewall
      • Rules that provide too much access
      • Can be difficult to audit
    • Content filter (URLs are not specific enough, some protocols are not filtered)
    • Access points
      • Ensure management console not accessible via wireless side
  • Weak security configurations
    • Expired, weak, cracked encryption standards
      • e.g. DES (56 bit key), WEP (RC4 ciphers and IV), SHA-1 (collision attacks)
  • Personnel issues
    • Policy violation
      • See Acceptable use policy (AUP) document
    • Insider threat
      • Authenticated users have more free rein than non-authenticated ones
      • Important to assign correct permissions
    • Social engineering
      • We're always willing to help someone in need
      • They'll steal everything over the phone
    • Social media
      • Internal information made available to anybody on the outside
      • Most organizations have policy and marketing team
    • Personal email
      • Emails sent from work imply endorsement by the organization
      • Uses company resources
  • Unauthorized software
    • Malware, spyware, ransomware
    • May conflict with organization's mission-critical software
    • Licensing
  • Baseline deviation (Jason Dion)
    • Everything should be well documented
    • Changes to the norm should be identified
    • Common with VPNs
      • Security posture analysis before connecting to the network
      • If something deviates from the baseline, no access until you fix it and everything matches the baseline
  • License compliance violation (availability/integrity)
    • Valid licenses required
    • Availability
      • Meeting expiration date may cause problems
    • Integrity
      • Invalid license: the app may only work part of the time
  • Asset management
    • Identify and track computing assets
    • Respond faster to security problem
    • Track licenses
  • Authentication issues
    • Determining if someone is really who they say they are
    • Use more factors
    • Lapse in any part of authentication can open the entire network
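
Firewall rules that grant too much access and are hard to audit (above) are something you can check mechanically, because ACLs are evaluated top to bottom and the first match wins: a broad permit high in the list both over-grants and silently makes every more specific rule below it dead. The following is an added example, not code from the page's sources; it audits a constructed, hypothetical rule list (the rule syntax and the RULES text are assumptions for illustration) for overly permissive permits and for rules shadowed by an earlier one.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical rule set for illustration (not from any real firewall).
# Fields: action, protocol, source, destination, port. Evaluated top to bottom,
# first match wins, as most firewall ACLs do.
RULES = """
permit tcp 10.0.0.0/8 10.1.2.3/32 443
permit tcp any any any
deny   tcp 10.0.0.0/8 10.1.2.3/32 22
permit udp 10.0.5.0/24 10.9.9.9/32 53
deny   any any any any
"""

@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str  # numeric string or "any"

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)

def parse_rules(text: str) -> list[Rule]:
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), start=1):
        action, proto, src, dst, port = raw.split()
        rules.append(Rule(n, action, proto, _net(src), _net(dst), port))
    return rules

def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet rule b would match."""
    return (a.proto in ("any", b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.port in ("any", b.port))

def too_permissive(r: Rule) -> bool:
    """A permit from any source to any destination on any port grants far more than needed."""
    return (r.action == "permit" and r.src.prefixlen == 0
            and r.dst.prefixlen == 0 and r.port == "any")

def shadowed(rules: list[Rule], r: Rule) -> Rule | None:
    """Return the earlier rule that makes r unreachable, if there is one."""
    for earlier in rules[: r.line - 1]:  # rules are 1-indexed, so this stops just before r
        if covers(earlier, r):
            return earlier
    return None

def audit(text: str) -> list[str]:
    rules = parse_rules(text)
    findings = []
    for r in rules:
        if too_permissive(r):
            findings.append(f"line {r.line}: permit any/any/any is too broad")
        s = shadowed(rules, r)
        if s is not None:
            findings.append(f"line {r.line}: never matched, shadowed by line {s.line}")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

On the sample list this flags line 2 as too broad and line 3 (the deny for SSH) as dead, because the permit-any above it already matches that traffic. The check only looks for a single earlier rule that fully covers a later one; a rule shadowed by the union of several earlier rules is not detected, which is one reason real rule bases are hard to audit by eye.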

2.4 Given a scenario, analyze and interpret output from security technologies.

(James Messer, Mike Meyers)

  • HIDS/HIPS: Intrusion (host based detection|prevention) system (Mike Meyers)
    • A host-based IDS (HIDS) monitors a local machine for symptoms of unwanted activity. (Stewart)
    • Now integrated into many endpoint products
    • Protects based on signatures
    • Because it's on the host, it can read decrypted data
    • Protect based on activity
      • Why are you modifying that file?
  • Antivirus
    • Stop download, prevent execution
    • Quarantine
  • File integrity check
    • Integrity check of OS
      • sfc /scannow
  • Host-based firewall (Jason Dion)
    • Restrict access to your personal computer
    • Log connection attempts
  • Application whitelisting
    • Only allow specific applications on OS
    • Application hash
      • Identifier of app
    • Certificate
      • Digitally signed apps
    • Path
      • Only run applications in these folders
    • Network zone
  • Removable media control
    • USB drives, portable hard drives
    • Drives brought from home
    • Exfiltration
    • Windows Event Log
      • Security auditing
  • Advanced malware tools
    • Specialized removal and recovery tools
    • Malware is pervasive
    • Usually best to delete and restore from good backup
  • Patch management tools
    • List of patches installed
  • UTM: Unified Threat Management / Web security gateway
    • An all-in-one security appliance or unified threat management (UTM) is a hardware device designed to operate inline between an Internet connection and a network. Its goal is to detect and filter all manner of malicious, wasteful, or otherwise unwanted traffic.(Stewart)
    • All-in-one security appliance
    • URL inspection
    • Malware inspection
    • Spam filter
    • CSU/DSU
    • Router/Switch
    • IDS/IPS
    • Bandwidth shaper
    • VPN endpoint
  • DLP Data loss prevention (Jason Dion)
    • Data loss prevention (DLP) is the system designed to reduce the occurrence of and/or prevent data loss or data leakage to external unauthorized entities. If a violation of DLP occurs, its report should indicate the data that was involved, the user(s) related to the breach, and the applications involved in the exfiltration.(Stewart)
    • Watch traffic and identify certain kinds of traffic
      • e.g. SSNs, CC numbers
    • Stop information from getting out
  • Data execution prevention
    • Data execution prevention (DEP) is a memory security feature of many operating systems aimed at blocking a range of memory abuse attacks, including buffer overflows. DEP blocks the execution of code stored in areas of memory designated as data-only areas. (Stewart)
    • Relies on the CPU's No-eXecute (NX) bit to mark pages non-executable
      • Intel calls it the XD bit (eXecute Disable)
      • AMD markets it as Enhanced Virus Protection
  • WAF: Web application firewall
    • A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It’s intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks. (Stewart)
    • "Performs restrictions based on rules associated with HTTP/HTTPS traffic. By definition, web application firewalls are a form of content filter." (Conklin)
    • Not like a normal firewall, allow or deny based on expected input
    • Can be used to protect a web server from XSS attacks
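
The baseline-deviation item in 2.3, the file integrity check and the hash-based application whitelisting above all reduce to the same operation: record a known-good hash for each file, then compare. The following is an added example, not code from the page's sources or a reimplementation of `sfc`; it builds a SHA-256 baseline over a constructed scratch directory, reports modified, added and removed files after simulated tampering, and uses the same hash to decide whether a binary is on an allow list. The directory layout and file contents are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report every deviation from the recorded baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def is_allowed(path: Path, allowed_hashes: set[str]) -> bool:
    """Hash-based whitelisting: only binaries whose hash is on the allow list may run."""
    return sha256_file(path) in allowed_hashes

def demo_integrity() -> dict[str, list[str]]:
    # Constructed scratch tree standing in for a host's OS and application directories.
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "app").write_bytes(b"original app binary")
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_text("debug=false\n")
    baseline = build_baseline(root)
    # Simulated deviation: config tampered with, unknown binary dropped, a file deleted.
    (root / "etc" / "app.conf").write_text("debug=true\n")
    (root / "bin" / "dropper").write_bytes(b"unknown code")
    (root / "bin" / "app").unlink()
    return compare_to_baseline(root, baseline)

def demo_whitelist() -> tuple[bool, bool]:
    """The vendor build is allowed to run; the same file after modification is not."""
    root = Path(tempfile.mkdtemp())
    exe = root / "tool.exe"
    exe.write_bytes(b"vendor build 1.0")
    allowed = {sha256_file(exe)}
    before = is_allowed(exe, allowed)
    exe.write_bytes(b"vendor build 1.0 + injected code")
    after = is_allowed(exe, allowed)
    return before, after

if __name__ == "__main__":
    print(demo_integrity())
    print(demo_whitelist())
```

In a real deployment the baseline must be stored somewhere the host cannot rewrite (a read-only share or the management server), otherwise an attacker who modifies a file simply updates the baseline too.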
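
The DLP item above says the system watches for "certain kinds of traffic" such as SSNs and card numbers; a bare regular expression for that produces many false positives, so real engines validate what they match. The following is an added example, not code from the page's sources: it scans constructed sample lines (the SAMPLE list is made up for the demo) for SSN and payment-card patterns, validates card candidates with the Luhn check digit and SSNs against the never-issued area/group/serial values, masks the match so the DLP report does not itself leak the data, and returns an allow/block decision per line.

```python
import re

# Constructed sample lines standing in for outbound mail, web uploads or log output.
SAMPLE = [
    "ticket 4521 opened by alice",
    "customer ssn 123-45-6789 attached to case",
    "card 4111 1111 1111 1111 exp 12/29",
    "invoice number 4111-1111-1111-1112",   # card-shaped but fails Luhn
    "order 000-12-3456 shipped",            # SSN-shaped but area 000 is never issued
]

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum digits, result % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area >= "900"
                or group == "00" or serial == "0000")

def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself is not a leak."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(line: str) -> list[tuple[str, str]]:
    """Return (type, masked value) for every validated sensitive item in the line."""
    hits = []
    for m in SSN_RE.finditer(line):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits

def policy_decision(line: str) -> str:
    """Simplest possible DLP policy: block any line carrying validated sensitive data."""
    return "BLOCK" if scan(line) else "ALLOW"

if __name__ == "__main__":
    for line in SAMPLE:
        print(policy_decision(line), scan(line), "|", line)
```

Only lines 2 and 3 of the sample are blocked; the invoice number and the malformed SSN pass, which is the point of validating rather than matching on shape alone.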

2.5 Given a scenario, deploy mobile devices securely.

(Jason Dion)

2.5.1 Connection methods

(James Messer, Mike Meyers)

  • Cellular
    • Cell phones; each antenna covers a cell on a given set of frequencies
    • Security concerns
      • Traffic monitoring
      • Location tracking
      • Worldwide access
  • WiFi
    • Local network access
    • Data capture
      • Encrypt data
    • MitM
    • DOS- frequency interference
  • SATCOM: Satellite communications
    • Remote locations, natural disasters
    • Handheld devices can be security risk
  • NFC: Near field communication
    • Payment systems
    • Bootstrap for wireless
    • Identity system
    • Security concerns
      • Remote capture
      • Frequency jamming - DOS
      • Relay / replay attack - MitM
      • Loss of device
  • ANT: Wireless sensor network protocol
    • 2.4 GHz ISM band
    • Fitness devices, heart rate monitors
    • IoT, low power protocol
    • Encryption optional, no method to maintain integrity
  • Infrared
    • Included on many smartphones
    • Control entertainment system
    • File transfers are possible
    • Other phones can be used to control your IR devices
  • USB: Universal Serial Bus
    • Physical access is always a concern
    • Exfiltration
  • Bluetooth (Jason Dion)
    • "Bluetooth is a short-range, low-power wireless protocol that transmits in the 2.4-GHz band, the same band used for 802.11." (Conklin)

2.5.2 Mobile device management (MDM) concepts

(James Messer, Mike Meyers)

  • Application management
    • Some organizations whitelist
    • "Your company may have to restrict the types of applications that can be downloaded and used on mobile devices. If you need very strong protection, your company can be very proactive and provide an enterprise application store where only company-approved applications are available." (Conklin)
  • MCM: Mobile Content Management
    • Secure access to data
    • Protect data from outsiders
    • DLP: Data Loss Prevention
    • Managed from the Mobile Device Manager (MDM)
  • Remote wipe
    • Security administrator can remote delete all information on device
    • Always have a backup first
  • Geolocation
    • Track location of device within a few feet
  • Geofencing
    • Restrict or allow features when device is in particular area
  • Screen locks
    • Numbers vs. alphanumeric
    • Simple or strong
    • Keep people out of your data
    • Define a lockout policy
  • Push notification services
    • Message appears on screen with no intervention required
  • Passwords and pins
    • Password, patterns, pins
    • Trigger recovery process from MDM
  • Biometrics
    • Fingerprint, face
    • Managed from MDM
  • Context-aware authentication
    • Where you normally login
    • Where you frequent
    • Other devices paired
  • Containerization (Mike Meyers)
    • Separate personal and company data
    • Wipe only company data if employee leaves
  • Storage segmentation
    • "Storage segmentation is similar to containerization in that it represents a logical separation of the storage in the unit. Some companies have developed capabilities to create separate virtual containers to keep personal data separate from corporate data and applications." (Conklin)
  • Full device encryption
    • Scramble all the data on the mobile device
    • Isn't trivial
      • Uses lots of CPU cycles
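
Geofencing and context-aware authentication above are both policy decisions driven by where the device is; the only real computation is the distance from the device to the fence centre. The following is an added example, not code from the page's sources: a haversine great-circle distance, a geofence check, the camera restriction from 2.5.3 expressed as a rule, and a context-aware authentication decision that steps up to a second factor as the login context becomes less familiar. The fence coordinates, radius, device IDs and the risk thresholds are all hypothetical.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Hypothetical office geofence: centre point plus radius (constructed for the demo).
OFFICE = {"lat": 40.0, "lon": -74.0, "radius_m": 200}

def inside_fence(lat: float, lon: float, fence: dict = OFFICE) -> bool:
    return haversine_m(lat, lon, fence["lat"], fence["lon"]) <= fence["radius_m"]

def camera_allowed(lat: float, lon: float) -> bool:
    """Geofencing rule: the camera is disabled while the device is on site."""
    return not inside_fence(lat, lon)

def auth_decision(lat: float, lon: float, device_id: str,
                  known_devices: set, hour: int) -> str:
    """Context-aware authentication: every unfamiliar signal raises the risk score.
    0 unfamiliar signals -> password only; 1 or 2 -> require a second factor;
    all three unfamiliar -> refuse (thresholds are an assumption for the demo)."""
    familiar_place = inside_fence(lat, lon)
    familiar_device = device_id in known_devices
    working_hours = 7 <= hour < 20
    risk = sum(not signal for signal in (familiar_place, familiar_device, working_hours))
    if risk == 0:
        return "allow"
    if risk <= 2:
        return "require_mfa"
    return "deny"

if __name__ == "__main__":
    print(haversine_m(40.0, -74.0, 40.01, -74.0))      # roughly 1.1 km
    print(auth_decision(40.0005, -74.0, "dev-1", {"dev-1"}, 10))
    print(auth_decision(40.01, -74.0, "dev-9", {"dev-1"}, 3))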

2.5.3 Enforcement and monitoring

(James Messer, Mike Meyers)

  • Third-party app stores
    • MDM can allow or deny app store usage
  • Rooting/jailbreaking
    • Obtain complete (root/administrator) access to the device by bypassing the OS's restrictions, often by modifying or replacing the OS
    • Sideloading
      • Downloading from somewhere other than the app store
    • Custom firmware
  • Carrier unlocking
    • If carrier allows
    • Carrier lock may be illegal in your country
    • Moving to another carrier can circumvent the MDM
  • Firmware Over the air (OTA) updates
    • Operating system updates
    • No cable required
    • Security patches
    • MDM can manage what OTA updates are allowed
  • Camera use
    • Corporate espionage, inappropriate use
    • Camera use controlled by MDM
    • Geo-fencing
  • SMS/MMS
    • Text messages, video, audio
    • MDM can enable/disable
  • External media
    • Removable drives
    • SD card flash memory
    • MDM can prevent use
  • USB OTG: On-the-go
    • Device acts as both host and storage device
    • Makes data transfer easy
  • Recording microphone
    • Microphone on every mobile device
    • Recording laws differ by jurisdiction
  • GPS tagging
    • Location services
    • Geotagged pictures
  • WiFi direct/ad hoc
    • SSID configurations
    • WiFi Direct simplifies the process
      • Easily connect many devices together
      • Common to see in home devices
    • "In Wi-Fi direct, two Wi-Fi devices connect to each other via a single-hop connection. In essence, one of the two devices acts as an access point for the other device." (Conklin)
  • Tethering
    • Turn phone into hotspot
    • Could turn phone into rogue access point
  • Payment methods
    • NFC
    • Disabling this may limit liability organization has

2.5.4 Deployment models

(James Messer, Mike Meyers)

  • BYOD: Bring Your Own Device (Jason Dion)
    • Needs to meet the company's requirements
    • Difficult to manage
    • Contains both personal and corporate data
  • COPE
    • Corporate owned, personally enabled
    • Company buys
    • Organization manages device
    • Information is protected using corporate policies
  • CYOD
    • Choose your own device
    • Similar to COPE, but the user chooses the device from a list the company approves
  • Corporate-owned
    • Where security is extremely important
    • No personal use
  • VDI: Virtual Desktop Infrastructure / Virtual Mobile Infrastructure
    • Applications are completely separate from the mobile device
    • Mobile device is window into application
    • Apps built for one VMI platform

2.6 Given a scenario, implement secure protocols.

(James Messer, Jason Dion, Mike Meyers 1, Mike Meyers 2)

  • Voice and video
    • SRTP: Secure Real-Time Transport Protocol / Secure RTP
      • Secure version of the RTP
      • Keep VOIP conversations confidential
      • Uses AES encryption to encrypt voice/video flow
      • Integrity, replay protection
        • HMAC-SHA1 - Hash based message authentication code using SHA1
  • Time synchronization
    • NTPsec: a hardened, security-focused implementation of the Network Time Protocol (a fork of the reference ntpd)
  • Email and web
    • S/MIME (Jason Dion)
      • Secure/Multipurpose Internet Mail Extension
      • Standard for signing and encrypting mail; the main alternative to PGP
      • Digitally sign and encrypt mail content in mail client
      • Requires PKI
    • Secure POP/IMAP
      • Use the STARTTLS extension to upgrade a POP3/IMAP session to TLS, or connect to the implicit-TLS ports (POP3S 995, IMAPS 993)
    • SSL/TLS (Jason Dion)
      • If the email is browser based, always encrypt with SSL/TLS
    • HTTPS
      • HTTP over SSL/TLS (port 443)
      • Uses combination of asymmetric and symmetric encryption
      • Public key on server
  • File transfer
    • FTPS
      • FTP over SSL/TLS (explicit mode upgrades the port 21 control connection with AUTH TLS; implicit mode uses port 990)
      • This is not SFTP
    • SFTP: SSH File Transfer Protocol
      • Resume interrupted transfers, directory listings, remote file removal
  • Directory services
    • LDAP is Lightweight Directory Access Protocol
      • Read and write directories over an IP network (e.g. a phone directory)
      • Windows Active Directory, Apple Open Directory and OpenLDAP
    • LDAPS: Lightweight Directory Access Protocol Secure
      • LDAP over SSL/TLS on port 636; never formally standardized in an RFC but widely supported
    • SASL: Simple Authentication and Security Layer
      • Provides authentication using many different methods
      • Kerberos or client certificate
  • Remote access
    • SSH: Secure Shell (Jason Dion)
      • Don't use Telnet
      • Encrypted terminal communication
  • Domain name resolution
    • DNSSEC: Domain Name System Security Extensions
      • DNS had no security in its original design: a resolver cannot verify that a response is legitimate, which makes cache poisoning easy
      • Validate DNS responses
        • Origin authentication
        • Data integrity
      • Public key cryptography
        • DNS records are signed with the zone owner's private key; each zone's key is vouched for by its parent, forming a chain of trust up to the DNS root
        • The signatures (RRSIG) and public keys (DNSKEY) are published in DNS alongside the records
  • Routing and switching
    • SNMPv3: Simple Network Management Protocol version 3 (Jason Dion, Mike Meyers)
      • "SNMP (Simple Network Management Protocol) is used when a person installs agents on client computers to monitor those systems from a single remote location." (uCertify)
      • "SNMP (Simple Network Management Protocol) can pass passwords over the network." (uCertify)
      • SNMPv3 includes
        • Confidentiality - Encrypted data
        • Integrity - No tampering of data
        • Authentication - Verifies the source
  • Network address allocation
    • DHCP automatically allocates IP addresses to clients
    • Securing DHCP
      • No built-in security
      • No secure version of the DHCP protocol
    • Challenges to DHCP
      • Rogue DHCP servers
        • In Active Directory, DHCP servers must be authorized
        • Some switches can be configured with trusted interfaces
        • DHCP server messages (OFFER/ACK) are only accepted from trusted interfaces
        • Cisco calls this functionality DHCP snooping
      • DHCP client DoS - DHCP Starvation attack
        • Use spoofed MAC addresses to exhaust the DHCP pool (constantly request leases from new spoofed MAC addresses)
        • Mitigate by limiting the number of MAC addresses allowed per switch interface (port security)
  • Subscription services
    • Automated subscriptions
      • Anti-virus / anti-malware
      • IPS updates
      • Malicious IP address databases / firewall method
    • Check for encryption and integrity checks
      • May require an additional public key configuration
      • Set up a trust relationship
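
The two DHCP attacks above and their switch-side defences are easiest to understand as a small simulation: a rogue server's OFFER on an untrusted port is dropped (DHCP snooping), and a per-port cap on distinct source MACs stops one port from draining the pool (port security). The following is an added example, not code from the page's sources and not a DHCP implementation; the port names, MACs and the ten-address pool are constructed for the demo, and only the pieces of the exchange needed to show the two defences are modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    trusted: bool = False            # DHCP snooping: only trusted ports may carry server messages
    max_macs: int | None = None      # port security: cap on distinct source MACs (None = no cap)
    seen_macs: set[str] = field(default_factory=set)

@dataclass
class DhcpPool:
    free: list[str]
    leases: dict[str, str] = field(default_factory=dict)  # MAC -> IP

    def offer(self, mac: str) -> str | None:
        if mac in self.leases:
            return self.leases[mac]
        if not self.free:
            return None                # pool exhausted
        ip = self.free.pop(0)
        self.leases[mac] = ip
        return ip

class Switch:
    def __init__(self, ports: list[Port], pool: DhcpPool):
        self.ports = {p.name: p for p in ports}
        self.pool = pool               # stands in for the real server behind the trusted port
        self.dropped: list[tuple[str, str, str]] = []

    def ingress(self, port_name: str, src_mac: str, msg_type: str) -> str:
        """Decide what the switch does with a DHCP message arriving on a port."""
        port = self.ports[port_name]
        # Rogue-server defence: OFFER/ACK only accepted from trusted interfaces.
        if msg_type in ("OFFER", "ACK") and not port.trusted:
            self.dropped.append((port_name, src_mac, msg_type))
            return "dropped: server message on untrusted port"
        # Starvation defence: cap the number of distinct client MACs per access port.
        if src_mac not in port.seen_macs:
            if port.max_macs is not None and len(port.seen_macs) >= port.max_macs:
                self.dropped.append((port_name, src_mac, msg_type))
                return "dropped: MAC limit reached"
            port.seen_macs.add(src_mac)
        if msg_type == "DISCOVER":
            ip = self.pool.offer(src_mac)
            return f"offered {ip}" if ip else "no addresses left"
        return "forwarded"

def starvation(max_macs: int | None) -> str:
    """Attacker on Gi1/2 cycles spoofed MACs; does the client on Gi1/3 still get a lease?"""
    sw = Switch(
        [Port("Gi1/1", trusted=True),
         Port("Gi1/2", max_macs=max_macs),
         Port("Gi1/3", max_macs=max_macs)],
        DhcpPool(free=[f"192.168.1.{i}" for i in range(100, 110)]),
    )
    for i in range(20):
        sw.ingress("Gi1/2", f"de:ad:be:ef:00:{i:02x}", "DISCOVER")
    return sw.ingress("Gi1/3", "00:11:22:33:44:55", "DISCOVER")

def rogue_offer() -> tuple[str, str]:
    """Same OFFER from an untrusted access port and from the trusted uplink."""
    sw = Switch([Port("Gi1/1", trusted=True), Port("Gi1/2")],
                DhcpPool(free=["192.168.1.100"]))
    return (sw.ingress("Gi1/2", "de:ad:be:ef:00:01", "OFFER"),
            sw.ingress("Gi1/1", "aa:aa:aa:aa:aa:01", "OFFER"))

if __name__ == "__main__":
    print("no MAC limit:", starvation(None))
    print("2 MACs/port: ", starvation(2))
    print(rogue_offer())
```

With no per-port limit the attacker's 20 DISCOVERs consume all ten leases and the legitimate client is refused; with a cap of two MACs per port the attacker holds two addresses and the client on the next port still gets one. Real DHCP snooping also builds a binding table of MAC/IP/port that other features (dynamic ARP inspection, IP source guard) reuse, which this simulation leaves out.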