Hardware and Software

Hardware and Software CompTIA Security+

Transcript of Hardware and Software

Page 1: Hardware and Software

Hardware and Software

CompTIA Security+

Page 2: Hardware and Software

Firewalls

Software vs Hardware
Stateful vs Stateless

Page 3: Hardware and Software

Access Control Lists (ACL)

• An Access Control List, or ACL, is a set of data that informs a computer's operating system which permissions, or access rights, each user or group has to a specific system object (such as a directory or file).

• An example of an Access Control List would be Windows NTFS permissions.

• Firewalls also use ACLs to restrict network access to certain TCP and UDP ports or by source and destination IP addresses.

Page 4: Hardware and Software

Firewall

• A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.

• Modern firewalls utilize stateful packet inspection.

• Stateful packet inspection will block incoming traffic that does not match an internal request.

• A firewall can mitigate port scanning.

Page 5: Hardware and Software

Software Firewall

• A device, whether it is software or hardware, that inspects traffic and only allows authorized traffic in or out of the network or computer is called a firewall.

• A personal firewall or host-based firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy.

• By default, your inbound firewall rule should be set to "Deny-All". This means that traffic originating from outside of the workstation will be denied access into the workstation. This is known as an Implicit Deny.

Page 6: Hardware and Software

Hardware Firewall

• A hardware firewall, or network-based firewall, is a physical device that controls the flow of traffic throughout the network.

• Commonly used at the entrance to a network to separate a DMZ from an internal network.

• Alternatively, it could just be preventing traffic from one internal network to another.

Page 7: Hardware and Software

Stateless Firewall

• A stateless firewall is configured with an ACL that permits or denies traffic based on static rules defined by an admin.

• The vulnerability here is that if the IP addressing of a packet is spoofed, the network can be compromised, because a stateless firewall doesn't support contextual analysis.

• The advantage of stateless firewalls is that processing is faster when compared to stateful firewalls.

Page 8: Hardware and Software

Stateful Firewalls

• A stateful firewall inspects the traffic leaving a network and dynamically permits the return traffic by modifying an ACL on the edge of the network pointing into the internal network.

• Creates a "state table" to allow external replies to re-enter the network.

• Those packets matching state table entries will be permitted into the network. The advantages include more flexibility and less susceptibility to spoofing attacks when compared to stateless firewalls.

Page 9: Hardware and Software

Implicit Deny

• Implicit deny is a term to describe the default action of denying everything when there are no matches in the entries that you specify. This could be denying a hacker from penetrating your firewall, or it could be denying a sales rep from accessing company payroll information.

• Implicit denies can be set in router ACLs, firewall rules, NTFS permissions, etc.

• An implicit deny means you will not have access to that resource unless explicitly allowed.
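The stateless ACL, the stateful state table and the implicit deny from the last few slides, put side by side in one added example (not code from the original deck; packets, addresses and rules are constructed). The stateless ACL has to open inbound traffic "from port 443" so that HTTPS replies can come back, which is exactly the hole a spoofed source port walks through; the stateful filter records each outbound flow and lets only its replies back in, so the same spoofed packet falls through to the implicit deny.

```python
"""Added example: a stateless ACL filter next to a stateful filter.

Constructed packets and rules; nothing here is a real firewall product.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str         # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str     # "out" = leaving the inside network, "in" = arriving from outside
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    """One static ACL entry; a None field is a wildcard."""
    action: str        # "permit" or "deny"
    direction: str
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.proto is None or self.proto == pkt.proto)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_ip is None or self.src_ip == pkt.src_ip))


def stateless_decision(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; with no match the implicit deny applies."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


Flow = Tuple[str, int, str, int, str]  # (inside ip, inside port, outside ip, outside port, proto)


class StatefulFirewall:
    """Permits outbound traffic per the ACL and records each permitted flow in a
    state table so that only replies to those flows are allowed back in."""

    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.state: Set[Flow] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            action = stateless_decision(self.acl, pkt)
            if action == "permit":
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return action
        # Inbound: is this the return half of a flow the inside host started?
        flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if flow in self.state and not pkt.syn:
            return "permit"
        return stateless_decision(self.acl, pkt)


def demo() -> dict:
    """Same three packets through both designs (addresses are constructed)."""
    # Stateless: to let HTTPS replies back in, the admin has to open inbound
    # traffic "from port 443", which an outsider can simply spoof.
    stateless_acl = [Rule("permit", "out", "tcp", dst_port=443),
                     Rule("permit", "in", "tcp", src_port=443)]
    # Stateful: only the outbound rule is needed; replies ride on the state table.
    stateful = StatefulFirewall([Rule("permit", "out", "tcp", dst_port=443)])

    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, "out", syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, "in")
    # Unsolicited SYN to SSH carrying a spoofed source port of 443
    spoofed = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 22, "in", syn=True)

    packets = (request, reply, spoofed)
    return {"stateless": [stateless_decision(stateless_acl, p) for p in packets],
            "stateful": [stateful.decide(p) for p in packets]}


if __name__ == "__main__":
    print(demo())
```

Running it shows the stateless ACL permitting all three packets while the stateful filter permits the request and its reply and denies the spoofed SYN, which is the "less susceptible to spoofing" point of the stateful slide.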

Page 10: Hardware and Software

VPN Concentrator

Types of VPNs
IPsec
Split-tunneling
Always-on VPN

Page 11: Hardware and Software

VPN Concentrators

• VPN concentrators incorporate the most advanced encryption and authentication techniques available.

• They are ideally deployed where the requirement is for a single device to handle a very large number of VPN tunnels.

• They were specifically developed to address the requirement for a purpose-built, remote-access VPN device.

Page 12: Hardware and Software

Virtual Private Network (VPN)

• VPN technology provides a secure means of remote access from a computer to a remote computer, or from one network to another network, over the Internet. There are two primary types of VPNs.

[Diagram: Remote Access VPN - Remote Access Server; Site to site VPN - Remote Access Server]

Page 13: Hardware and Software

IPsec

• IP Security is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.

• IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

• IPsec supports two encryption and authentication header modes:

• Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched.

• Tunnel mode encrypts both the header and the payload.

Page 14: Hardware and Software

IPsec Transmission Modes

[Diagram: Transport Mode - end-to-end IPsec between all or some of the computers across the public network; Tunnel Mode]

Page 15: Hardware and Software

AH vs ESP

• Authentication Header (AH) provides a framework for IPsec.

• This framework allows for authentication, anti-replay, and integrity (NOT encryption).

• AH provides better performance than ESP.

• Encapsulating Security Payload (ESP) provides a framework for IPsec.

• This framework allows for authentication, encryption, anti-replay, and integrity.

• Commonly implemented when compared with AH.

• ESP provides better security than AH.

Page 16: Hardware and Software

Split Tunneling

• When split tunneling is enabled, traffic intended for the corporate office is forwarded through the protective tunnel, while other traffic, such as web traffic, may be forwarded through the local connection in the clear. This may be done to cut down on overhead both for the end user and the corporate office.

• When split tunneling is disabled, all traffic will be forwarded to the corporate office through the protective tunnel. This may be done to ensure all traffic from the user is protected by the corporate policy.

Page 17: Hardware and Software

TLS

• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.

• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.

• TLS has many uses, for example:

• TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.

• TLS can encrypt the protocols LDAP, HTTP, and SMTP.

• Can be used to create a secure VPN connection through a browser, allowing a VPN connection without requiring the client to download software other than a web browser.
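The name comparison that gives TLS its man-in-the-middle protection, as an added example (not code from the deck). It implements a simplified version of the RFC 6125 matching rules (exact, case-insensitive, a single wildcard only as the whole left-most label) against constructed certificate names, and shows the Python client setting that turns the check on next to the weakened setting that silently turns it off.

```python
"""Added example: the TLS hostname check, plus the client setting that enables it.

The matching rules below are a simplified version of RFC 6125 (exact match,
case-insensitive, a single '*' only as the whole left-most label); the
certificate names are constructed.
"""
import ssl
from typing import Iterable


def hostname_matches(cert_name: str, hostname: str) -> bool:
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, and is not accepted for a
    # bare second-level name such as "*.com".
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    # '*' stands for exactly one label, so "*.example.net" never covers
    # "deep.api.example.net" or "example.net".
    if len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def certificate_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any Subject Alternative Name on the certificate matches the host."""
    return any(hostname_matches(name, hostname) for name in san_names)


def client_context(verify: bool) -> ssl.SSLContext:
    """The secure default next to the weakened setting some clients ship with."""
    ctx = ssl.create_default_context()   # check_hostname=True, CERT_REQUIRED
    if not verify:
        # Disabling the name check is what lets a man-in-the-middle present a
        # valid certificate for a different name; shown only for contrast.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    names = ["www.example.com", "*.example.net"]
    for host in ["www.example.com", "api.example.net", "deep.api.example.net", "www.example.org"]:
        print(host, certificate_covers(names, host))
```

A client that fails `certificate_covers` must abort the handshake; a context built with `verify=False` will happily complete it against any certificate, which is why that setting is a finding in a configuration review.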

Page 18: Hardware and Software

Always-on VPN

• Always-On prevents access to the internet when the computer is not on a trusted network, unless a VPN session is active.

• This ensures that the computer is in a secure environment, protecting a computer on an untrusted network.

• Always-On should establish a VPN connection as soon as a user logs in and the computer detects it is on an untrusted network. Then, the VPN session should remain open until the user logs out.

Page 19: Hardware and Software

NIDS/NIPS

Signature based
Heuristic/Behavioral/Anomaly
False Positives & Negatives

Page 20: Hardware and Software

IDS

• An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.

• IDS are used to detect suspicious behavior but not react to it.

• A major consideration when implementing an IDS solution is having the personnel to interpret results.

Page 21: Hardware and Software

NIDS (Network Intrusion Detection System)

• A NIDS (Network Intrusion Detection System) is an intrusion detection system that watches network traffic in order to see whether network communications are using unauthorized protocols.

• For a NIDS to view all available segment traffic on a switch, make sure that you configure a mirrored port.

• When using a NIDS, the NIC should be placed in promiscuous mode to monitor all traffic.

Page 22: Hardware and Software

NIPS (Network Intrusion Prevention System)

• An IPS is a proactive security application that is used to prevent unwanted activity from entering your network.

• A NIPS (Network Intrusion Prevention System) is a network security device that monitors network and/or system activities for malicious or unwanted behavior.

• Reacts in real time to block or prevent those activities.

• Usually placed in-line with the data flow and can potentially disrupt network traffic.

Page 23: Hardware and Software

NIDS and NIPS misc.

• Keep in mind that encrypting all network traffic will reduce the effectiveness when deploying and managing a NIDS or NIPS because they cannot read the encrypted traffic.

• An IDS/IPS that identifies legitimate traffic as malicious activity is called a false positive.

• An IDS/IPS that identifies malicious activity as being legitimate activity is called a false negative. Example: an IDS that does not identify a buffer overflow.

Page 24: Hardware and Software

Inline vs passive IPS

• An inline IPS is a proactive defense measure and works with the active data that is traversing your network.

• This gives the IPS much more control in order to prevent attacks.

• A passive IPS is a reactive defense measure and receives a copy of the data, and never works with the inline information.

• This gives the IPS less control, but reduces the chance of false positives and negatives.

• Essentially becomes an IDS.

Page 25: Hardware and Software

Signature-based

• Signature-based IDS, the most basic form of IDS, employs a database with signatures/patterns to identify possible attacks and malicious activity.

• These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns.

• A signature-based monitoring tool depends on receiving regular updates.

• With signature-based monitoring, the vendor decides what traffic gets blocked by including specific traffic patterns in the signature files.

Page 26: Hardware and Software

Anomaly/Heuristic/Behavior-based

• Anomaly-based IDS uses rules or predefined concepts about "normal" and "abnormal" system activity (called heuristics) to distinguish anomalies from normal system behavior.

• An anomaly-based IDS system follows a learning process.

• The first step when implementing an anomaly-based IDS/IPS is documenting the existing network.

• Anomaly-based IDS uses statistical analysis to detect intrusions.

• With anomaly/heuristic-based systems, it is up to you to decide what traffic gets blocked by defining what is "normal".
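The two detection styles from the last few slides, together with the false positive and false negative definitions, in one added example (not code from the deck; the signatures, baseline numbers and traffic events are all constructed). A small signature file is matched against request lines, a statistical detector learns "normal" request volume from a baseline period and flags sources above mean plus three standard deviations, and the combined verdicts are scored against the ground truth so each error type appears once.

```python
"""Added example: a signature matcher and a statistical anomaly detector run over
constructed traffic, then scored for false positives and false negatives.

Signatures, baseline numbers and events are all made up for the illustration.
"""
import re
import statistics
from typing import Dict, List, Sequence, Tuple

# Known-bad patterns, the way a vendor-maintained signature file would carry them.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
    "overflow-probe": re.compile(r"A{200,}"),   # the slide's buffer-overflow example
}


def signature_alerts(payload: str) -> List[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


class AnomalyDetector:
    """Learns what 'normal' request volume looks like, then flags outliers.
    Threshold = mean + k * standard deviation of the learning period."""

    def __init__(self, k: float = 3.0) -> None:
        self.k = k
        self.threshold = float("inf")

    def learn(self, baseline_counts: Sequence[int]) -> float:
        mean = statistics.mean(baseline_counts)
        self.threshold = mean + self.k * statistics.pstdev(baseline_counts)
        return self.threshold

    def is_anomalous(self, requests_per_minute: int) -> bool:
        return requests_per_minute > self.threshold


def score(predictions: Sequence[bool], truth: Sequence[bool]) -> Dict[str, int]:
    """Confusion counts: a false positive is benign traffic called malicious,
    a false negative is malicious traffic that was missed."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for pred, actual in zip(predictions, truth):
        key = ("tp" if actual else "fp") if pred else ("fn" if actual else "tn")
        counts[key] += 1
    return counts


# Constructed events: (request line, requests/minute from that source, really an attack?)
EVENTS: List[Tuple[str, int, bool]] = [
    ("GET /index.html", 40, False),
    ("GET /../../secret.txt", 41, True),            # matches a signature
    ("GET /search?q=" + "A" * 300, 44, True),        # matches a signature
    ("GET /index.html", 120, True),                  # scripted flood: only the anomaly detector sees it
    ("GET /index.html", 48, False),                  # legitimate traffic spike -> false positive
    ("GET /cgi-bin/new-zero-day-probe", 40, True),   # no signature yet, normal volume -> false negative
]
BASELINE_REQUESTS_PER_MINUTE = [40, 42, 38, 45, 41, 39, 43, 40]   # learning period


def run_sample() -> Dict[str, int]:
    detector = AnomalyDetector(k=3.0)
    detector.learn(BASELINE_REQUESTS_PER_MINUTE)   # about 47.4 requests/minute
    predictions = [bool(signature_alerts(payload)) or detector.is_anomalous(rate)
                   for payload, rate, _ in EVENTS]
    return score(predictions, [is_attack for _, _, is_attack in EVENTS])


if __name__ == "__main__":
    print(run_sample())   # {'tp': 3, 'fp': 1, 'fn': 1, 'tn': 1}
```

The false negative is the case the signature slide warns about (a pattern the vendor has not shipped yet), and the false positive is the cost of the anomaly approach when "normal" was defined from a quiet baseline; tuning `k` trades one against the other.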

Page 27: Hardware and Software

Networking Hardware

Routers
Switches

Page 28: Hardware and Software

Router

• A router is a computer networking device that forwards data packets from one network to another, towards their ultimate destinations.

• Routing occurs at layer 3 (the Network layer).

• Connects two or more networks together.

• Each interface connects to a different network.

• The router interface then becomes the Default Gateway.

• Does not pass broadcast packets.

• A router's Access Control Lists can be used to confine sensitive data and computers to particular sub-networks.

• Password protect the console port on a router if the router itself is placed in an unsecured location.

Page 29: Hardware and Software

Switch

• A network switch is a hardware device that joins multiple computers together within one local area network.

• Switches operate at layer 2 (Data Link Layer) of the OSI model.

• Forwards packets by MAC address.

• Devices on each connection cannot usually see each other's traffic (except for broadcasts).

• It is best practice to disable any unused ports to secure the switch from physical access.

Page 30: Hardware and Software

Multilayer Switch

• Multilayer switching is simply the combination of traditional Layer 2 switching with Layer 3 routing in a single product.

• Uses ARP to learn the IP addresses of devices that are connected.

• Can be used to permit different broadcast domains to communicate with each other.

Page 31: Hardware and Software

Spanning Tree

• Switching loops must be avoided because they result in flooding the network.

• The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN.

• Allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops or the need for manual enabling/disabling of these backup links.

• Can be enabled to avoid broadcast storms.

• 802.1w and 802.1d are IEEE designations for spanning tree.

• The MAC address with the lowest number will become the root bridge for 802.1d.

Page 32: Hardware and Software

Proxy Servers

Forward Proxies
Reverse Proxies
Transparent Proxies

Page 33: Hardware and Software

Proxy Server

• A proxy server is a server that acts as a go-between for requests from clients seeking resources from the Internet.

• A proxy server combines two functions: it caches web pages locally to speed up access requests, while also acting as a content filter to block users from visiting inappropriate sites.

• If you want to know what websites your users are visiting, set up a proxy server.

• The best way to secure your email infrastructure is to set up an email proxy server in the DMZ and the email server in the internal network.

Page 34: Hardware and Software

Forward Proxy vs Reverse Proxy

• A forward proxy acts as a proxy for outgoing traffic, protecting your network from the users in it.

• Can prevent users from going to malicious sites and inspect their traffic as it leaves.

• A reverse proxy acts as a proxy for incoming traffic, and can protect your network from external intruders.

• Can filter out requests from external attackers who are trying to infiltrate your network.

• Can stand in for a large number of servers, including but not limited to web servers, email servers, and file servers.

Page 35: Hardware and Software

Transparent Proxy

• A transparent proxy does its normal functions as a proxy, but doesn't appear in the path of traffic. It does not modify the request or response for the traffic passing through it.

• Is seamless for the user connecting to the network, and may redirect a new user to a user agreement screen, but then routes all other traffic as normal.

• Can still handle caching for speeding up web access.

Page 36: Hardware and Software

Load Balancer

Types of load balancers
Session affinity vs Round Robin
Virtual IPs

Page 37: Hardware and Software

Load Balancer

• Load balancing is a computer networking methodology to distribute workload across multiple computers, network links, central processing units, disk drives, or other resources to achieve optimal resource utilization.

• Basically any device can be load balanced to provide redundancy and load sharing.

Page 38: Hardware and Software

Session Affinity vs Round Robin

• Session affinity remembers each user's session and continues to connect that user to the same server each time.

• So if user 1 connects to server 1, user 1 will continue to connect to server 1.

• Round Robin load balancing just assigns a session to the first available server, and continues in sequence.

• So if there were three servers, user 1 would connect to server 1, user 2 to server 2, user 3 to server 3, user 4 to server 1, etc.

Page 39: Hardware and Software

Active or Passive Servers

• While load balancing, servers are in one of two states, active or passive. With those states, you end up with two configurations:

• Active-active, where all servers are active and participating in load balancing.

• Active-passive, where only some of the servers are actively being load balanced, and others are waiting as backups, or "failovers".

Page 40: Hardware and Software

Virtual IPs

• When many servers are being load balanced, it is possible that a client is not pointing to the physical IP address but a virtual IP address associated with one "server".

• Though this virtual server does not actually exist, it represents all servers being load balanced on the backend.

• This allows clients to see one IP address, while the load balancer handles which physical IP they connect to.
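The round robin, session affinity, active-passive and virtual IP slides above, worked as one added example (not code from the deck; all addresses are constructed and the class is not any particular vendor's balancer). Clients only ever see the VIP; the balancer decides which physical server answers, remembers a client's server in affinity mode, and promotes a passive standby when an active server is marked down.

```python
"""Added example: round robin versus session affinity behind one virtual IP,
with an active-passive standby that is promoted when an active server fails.

Addresses are constructed; this is not any particular load balancer's code.
"""
from typing import Dict, Iterable, List, Tuple


class LoadBalancer:
    def __init__(self, vip: str, active: Iterable[str], standby: Iterable[str] = (),
                 affinity: bool = False) -> None:
        self.vip = vip                        # the one address clients see
        self.pool: List[str] = list(active)   # active servers receiving traffic
        self.standby: List[str] = list(standby)   # passive servers waiting as failovers
        self.affinity = affinity
        self._next = 0
        self._sessions: Dict[str, str] = {}   # client -> backend, affinity mode only

    def _round_robin(self) -> str:
        backend = self.pool[self._next % len(self.pool)]
        self._next += 1
        return backend

    def route(self, client: str) -> str:
        """Pick the physical server that will answer this client's request."""
        if not self.pool:
            raise RuntimeError(f"no healthy backend behind {self.vip}")
        if self.affinity:
            backend = self._sessions.get(client)
            if backend in self.pool:          # existing session, same server
                return backend
            backend = self._round_robin()     # new (or orphaned) session
            self._sessions[client] = backend
            return backend
        return self._round_robin()

    def mark_down(self, backend: str) -> None:
        """Health check failed: drop the server and promote a standby, if any."""
        if backend in self.pool:
            self.pool.remove(backend)
            if self.standby:
                self.pool.append(self.standby.pop(0))


def demo() -> Tuple[List[str], List[str], str, List[str]]:
    rr = LoadBalancer("192.0.2.10", ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    rr_path = [rr.route(c) for c in ("user1", "user2", "user3", "user4")]

    sticky = LoadBalancer("192.0.2.10", ["10.0.0.1", "10.0.0.2"],
                          standby=["10.0.0.9"], affinity=True)
    sticky_path = [sticky.route(c) for c in ("user1", "user2", "user1", "user1")]
    sticky.mark_down("10.0.0.1")               # user1's server fails over
    after_failover = sticky.route("user1")
    return rr_path, sticky_path, after_failover, sorted(sticky.pool)


if __name__ == "__main__":
    print(demo())
```

The round robin path reproduces the slide's server 1, 2, 3, 1 sequence; the affinity path keeps user1 on server 1 until that server is marked down, after which the session is silently reassigned and the standby joins the active pool.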

Page 41: Hardware and Software

Wireless Access Points

SSID
MAC Filtering
Signal strength
Antenna Types & Placement
Fat vs Thin
Controller-based vs standalone

Page 42: Hardware and Software

Access Point

• A wireless access point (WAP or AP) is a device that allows wireless devices to connect to a wired network.

• Although several WAPs can share the same SSID, individual WAPs can be identified by their BSSID (Basic Service Set Identifier), which is basically the MAC address of the WAP.

• The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point.

• Decrease the power levels on your WAP to limit the wireless signal range.

Page 43: Hardware and Software

SSID

• SSIDs (Service Set Identifiers) are names used to identify the particular 802.11 wireless LAN(s) to which a user wants to connect.

• The security risk of broadcasting your wireless network SSID is that anyone can see it, and if you are not using a strong enough encryption type, an attacker can find the encryption key and connect to your network.

• You should disable the SSID broadcasting, or the beacon, if you do not want your wireless network to be automatically discoverable.

Page 44: Hardware and Software

MAC Filtering

• MAC Filtering is the wireless version of port security and controls access to the network based on the wireless NIC's MAC address.

• To allow only certain wireless clients on your network you should enable and configure MAC filtering.

• Enable MAC filtering to mitigate an issue where multiple unknown devices are connected to your WLAN.

Page 45: Hardware and Software

Antenna - Omni-directional

• An omni-directional antenna, or vertical, is an antenna system which radiates power uniformly in one plane with a directive pattern shape in a perpendicular plane. This pattern is often described as "donut shaped".

• Two situations where an omni-directional antenna would be best used:

• To connect hosts to a WAP.

• To enable roaming access for laptop users.

Page 46: Hardware and Software

Omni-directional antenna placement

• Keep in mind the placement of your antennae when considering the security of your wireless network.

• An antenna placed too close to the edge of the area you desire to provide wireless access to could allow an attacker to reach your network from outside the intended area.

• For example, if an antenna was placed on the edge of my building, an attacker would be able to pick up the signal in the parking lot.

Page 47: Hardware and Software

Antenna - Yagi

• A Yagi antenna is a directional antenna system consisting of an array of a dipole and additional closely coupled parasitic elements.

• Can be used to create a wireless bridge.

Page 48: Hardware and Software

Fat vs Thin WAPs

• A fat wireless access point is an intelligent WAP that has all of the features and software needed to manage your wireless clients. For example, it can enable and set up MAC filtering and enable or disable SSID broadcasting.

• A thin wireless access point is basically just the hardware. It can take the configuration that was put in place elsewhere, but nothing is changed on the device itself.

• Easier to implement, so can save money and time.

Page 49: Hardware and Software

Security Information and Event Management (SIEM)

Aggregation
Correlation
Automated alerting
Time sync
Event Deduplication

Page 50: Hardware and Software

Aggregation & Correlation

• SIEM systems can aggregate data from many different systems, allowing all information to be consolidated and providing easier monitoring.

• SIEM systems can also provide correlation, detecting common attributes and bundling like data together, further increasing the ease of monitoring that data.

Page 51: Hardware and Software

Automated Alerts and Triggering

• SIEM systems can be set up to provide alerts automatically to identify critical and immediate issues.

• Certain triggers can be set up to catch certain events, which will then send an alert to an admin, which allows faster reaction to certain events.

• Could optionally set up something along the lines of email alerts for certain triggers.

Page 52: Hardware and Software

Time-sync and event deduplication

• SIEM systems can also synchronize the time of events across many servers, allowing an easily readable timeline.

• Without synchronization, it would be difficult to pinpoint when different events happened on different systems relative to each other.

• A SIEM system can also remove redundant events for easy readability. Instead of having possibly hundreds of logs, only one is kept while noting the number of occurrences.
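The four SIEM functions from the preceding slides (aggregation, correlation, time sync, deduplication) run over a handful of constructed log lines from two hosts, as an added example that is not part of the deck and not any SIEM product's code. The firewall logs in UTC and the web server in local time, so the timestamps are normalised before the sources are merged into one timeline; repeats collapse to one entry with a count, and a source address that shows up on more than one system is reported as the correlated finding.

```python
"""Added example: a toy SIEM pipeline over constructed log lines from two hosts:
normalise every timestamp to UTC (time sync), merge the sources into one
timeline (aggregation), collapse repeats with a count (deduplication) and flag
source addresses seen by more than one system (correlation).
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed lines: "<ISO-8601 timestamp with offset> <host> <message>".
# fw1 logs in UTC, web1 logs in local time (UTC-5): the skew a SIEM has to remove.
LOGS = [
    "2024-03-01T14:02:10+00:00 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-03-01T14:02:11+00:00 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-03-01T14:02:12+00:00 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-03-01T09:02:15-05:00 web1 sshd: Failed password for root from 198.51.100.7",
    "2024-03-01T09:02:16-05:00 web1 sshd: Failed password for root from 198.51.100.7",
    "2024-03-01T09:05:00-05:00 web1 sshd: Accepted password for alice from 10.0.0.20",
    "2024-03-01T14:06:30+00:00 fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=3389",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SRC_RE = re.compile(r"(?:src=|from )(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Event:
    ts_utc: datetime
    host: str
    msg: str
    src: Optional[str]
    count: int = 1


def normalize(lines: List[str]) -> List[Event]:
    """Parse, convert to UTC and sort: the aggregated, time-synced timeline."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line; a real SIEM would count these too
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        src = SRC_RE.search(m["msg"])
        events.append(Event(ts, m["host"], m["msg"], src.group(1) if src else None))
    return sorted(events, key=lambda e: e.ts_utc)


def deduplicate(events: List[Event]) -> List[Event]:
    """Keep one copy of each (host, message), stamped with its first time and a count."""
    merged: "OrderedDict[tuple, Event]" = OrderedDict()
    for e in events:
        key = (e.host, e.msg)
        if key in merged:
            merged[key].count += 1
        else:
            merged[key] = Event(e.ts_utc, e.host, e.msg, e.src)
    return list(merged.values())


def correlate(events: List[Event]) -> List[str]:
    """Sources that appear in more than one system's logs: the simplest common attribute."""
    seen: Dict[str, Set[str]] = {}
    for e in events:
        if e.src:
            seen.setdefault(e.src, set()).add(e.host)
    return sorted(src for src, hosts in seen.items() if len(hosts) > 1)


if __name__ == "__main__":
    timeline = normalize(LOGS)
    for e in deduplicate(timeline):
        print(e.ts_utc.isoformat(), e.host, f"x{e.count}", e.msg)
    print("seen on multiple hosts:", correlate(timeline))
```

Without the UTC conversion the web server's 09:02 entries would sort five hours before the firewall denies they actually followed, which is the "difficult to pinpoint" problem the slide describes.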

Page 53: Hardware and Software

DLP

USB Blocking
Cloud-based
Email

Page 54: Hardware and Software

Data Loss Prevention (DLP)

• Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect:

• Data in use (e.g. endpoint actions)

• Data in motion (e.g. network actions)

• Data at rest (e.g. data storage)

• These systems use deep content inspection, contextual security analysis of transactions, and a centralized management framework.

• A network-based DLP is a software or hardware solution that is installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies.

Page 55: Hardware and Software

USB Blocking

• Preventing the use of removable media can be a simple way to prevent the loss of data for an organization.

• USB ports are commonly found on most modern computers, and USB drives are easily acquirable, so preventing their use will block somebody from taking data from a company laptop.

Page 56: Hardware and Software

Email-based DLP

• Email-based DLP is essential for any company concerned with their employees sending confidential or sensitive information outside of their network.

• Most if not all companies utilize email in their day-to-day business practices.

• Email-based DLP should scan an outgoing email for sensitive information, like PII, and block it from leaving the work network.

• Can at least enforce digital signing to provide non-repudiation for the compromising email.

• An email gateway can provide email-based DLP.
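What "scan an outgoing email for PII and block it" looks like in practice, as an added example (not code from the deck or any DLP product; the messages, the internal domain and the card number are constructed). It looks for a US Social Security Number pattern and for payment card numbers, validating the latter with the Luhn checksum so that an order reference that merely looks like a card is not blocked, and applies the gateway policy of blocking findings bound for an external recipient while logging internal ones.

```python
"""Added example: an outbound-mail DLP check for two kinds of PII, a US SSN
pattern and a payment card number validated with the Luhn checksum so that
random digit runs are not blocked. Messages and the domain are constructed.
"""
import re
from typing import Dict, List

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum: every real card number passes, most random digit runs fail."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(body: str) -> List[str]:
    """Names of the sensitive data types found in the body."""
    findings = []
    if SSN_RE.search(body):
        findings.append("ssn")
    if any(luhn_ok(m.group(0)) for m in CARD_RE.finditer(body)):
        findings.append("payment-card")
    return findings


def policy_decision(message: Dict[str, str], internal_domain: str) -> str:
    """Block PII leaving the organisation; internal mail is allowed but logged."""
    findings = scan_message(message["body"])
    external = not message["to"].lower().endswith("@" + internal_domain)
    if findings and external:
        return "block"
    if findings:
        return "allow-logged"
    return "allow"


# Constructed outbound messages as the gateway would see them.
MESSAGES = [
    {"to": "partner@example.org",
     "body": "Customer SSN 123-45-6789, card 4111 1111 1111 1111 as discussed."},
    {"to": "payroll@corp.example",
     "body": "Customer SSN 123-45-6789, card 4111 1111 1111 1111 as discussed."},
    {"to": "partner@example.org",
     "body": "Order reference 1234 5678 9012 3456 is confirmed."},   # fails Luhn: not a card
]


def run_sample() -> List[str]:
    return [policy_decision(m, "corp.example") for m in MESSAGES]


if __name__ == "__main__":
    print(run_sample())   # ['block', 'allow-logged', 'allow']
```

The third message is the false-positive case a plain digit-counting rule would block; the Luhn check is what keeps an email gateway usable for a business that quotes order numbers all day.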

Page 57: Hardware and Software

Email Gateway

• An email gateway monitors emails being sent into a network and being sent outbound from that network.

• Inbound can prevent spam, which will help weed out malware before it enters the network.

• Outbound can provide DLP, preventing the loss of sensitive data like PII.

• Email gateways can also provide encryption for email services.

Page 58: Hardware and Software

Cloud-based DLP

• With more and more information moving onto the cloud, it is becoming increasingly important to protect data stored on the cloud.

• Cloud-based DLP is a DLP solution that prevents sensitive data from leaving the cloud-based storage of an organization.

• Personally Identifiable Information (PII) is a focus here.

Page 59: Hardware and Software

NAC

Dissolvable vs permanent
Host Health Checks
Agent vs Agentless

Page 60: Hardware and Software

NAC (Network Access Control)

• NAC refers to whatever system you have in place for controlling access to the network.

• Can be as simple as clicking a box to "agree to the terms and conditions" of network usage.

• Can be as complex as having your machine scanned for viruses, patches, updates, firewalls, etc. before it's allowed to connect.

• Port security and 802.1x are examples of NAC.

Page 61: Hardware and Software

Host Health Checks

• One simple form of NAC can be a simple scan of a computer connecting to a network. The scan can be checking for a number of important things:

• Up-to-date Operating System.

• Updated and recently scanned anti-virus software.

• Certain software being present or absent from a machine, based on a company's application policy.

• That certain system configurations match the network's expectations.
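The four host health checks listed above, evaluated by a small NAC policy engine, as an added example (not code from the deck; the policy values, field names and the two posture reports are constructed and do not follow any vendor's schema). A host that fails any check is steered to a quarantine network for remediation rather than simply refused.

```python
"""Added example: an agent-style host health check evaluated by a NAC policy
engine. Policy and host posture reports are constructed; field names are
illustrative, not any vendor's schema.
"""
from datetime import date
from typing import Dict, List

POLICY = {
    "min_os_build": 22621,              # oldest acceptable OS build number (illustrative)
    "max_av_signature_age_days": 3,
    "max_days_since_av_scan": 7,
    "required_software": {"corp-edr-agent"},
    "forbidden_software": {"torrent-client"},
    "required_config": {"host_firewall": "on", "disk_encryption": "on"},
}


def assess(host: Dict, policy: Dict, today: date) -> List[str]:
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if host["os_build"] < policy["min_os_build"]:
        failures.append("os-out-of-date")
    if (today - host["av_signature_date"]).days > policy["max_av_signature_age_days"]:
        failures.append("av-signatures-stale")
    if (today - host["av_last_scan"]).days > policy["max_days_since_av_scan"]:
        failures.append("av-scan-overdue")
    installed = set(host["software"])
    for missing in sorted(policy["required_software"] - installed):
        failures.append(f"missing:{missing}")
    for present in sorted(policy["forbidden_software"] & installed):
        failures.append(f"forbidden:{present}")
    for key, expected in policy["required_config"].items():
        if host["config"].get(key) != expected:
            failures.append(f"config:{key}")
    return failures


def assign_vlan(failures: List[str]) -> str:
    """Non-compliant hosts go to a remediation network rather than being refused outright."""
    return "production" if not failures else "quarantine"


# Constructed posture reports as a NAC agent would submit them.
TODAY = date(2024, 3, 1)
HEALTHY = {
    "os_build": 22631,
    "av_signature_date": date(2024, 2, 29),
    "av_last_scan": date(2024, 2, 27),
    "software": ["corp-edr-agent", "office-suite"],
    "config": {"host_firewall": "on", "disk_encryption": "on"},
}
UNHEALTHY = {
    "os_build": 19045,
    "av_signature_date": date(2024, 2, 10),
    "av_last_scan": date(2024, 2, 10),
    "software": ["torrent-client"],
    "config": {"host_firewall": "off", "disk_encryption": "on"},
}


if __name__ == "__main__":
    for name, host in (("healthy", HEALTHY), ("unhealthy", UNHEALTHY)):
        failures = assess(host, POLICY, TODAY)
        print(name, assign_vlan(failures), failures)
```

In an agent-based deployment the report is produced by software on the host and refreshed continuously; an agentless deployment has to fill the same fields from a remote scan, which is why it can check less (the slide after this one makes that distinction).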

Page 62: Hardware and Software

Agent vs. Agentless

• NAC that requires a software agent on the system allows your NAC solution to keep tabs on the system using that software.

• Agentless NAC does not require software on the end system and is reliant on a remote scan of the system.

Page 63: Hardware and Software

Dissolvable vs. Permanent NAC

• Permanent NAC requires agent software installed on the device.

• Dissolvable NAC only provides one-time authentication to the network, and is then deleted.

• Can provide greater flexibility.

Page 64: Hardware and Software

Hardware Encryption

HSM
TPM

Page 65: Hardware and Software

Trusted Platform Module

• The Trusted Platform Module (TPM) is a chip on a computer's (or tablet's) motherboard that can generate and store encryption keys for various purposes.

• TPM can also perform encryption duties instead of relying on software to do the encryption.

• For example, Microsoft's BitLocker uses TPM to encrypt the contents of the hard disk.

Page 66: Hardware and Software

Hardware Security Module

• If your system does not come with a TPM, you can add an HSM (Hardware Security Module) instead. It's similar to a TPM but it is in the form of a plug-in card or external security device that can be attached to a server.

• An HSM can be added to servers that do a large amount of encryption, such as VPN servers or Certificate Authorities.

• Hardware encryption is always faster than software encryption!

• Both TPM and HSM provide storage for RSA or asymmetric keys and can assist in authentication.

Page 67: Hardware and Software

Security Assessment

CompTIA Security+

Page 68: Hardware and Software

Protocol Analyzer

• A protocol analyzer is used for monitoring and analyzing data traffic on the network.

• Can be used for logging, sniffing and interception, analyzing and network monitoring, and troubleshooting.

• Can pick up any type of traffic: ICMP, DNS, DHCP, POP3, and SMTP to name a few.

• It can be used to determine what flags are set in a TCP/IP handshake.

• An example of a protocol analyzer is Wireshark.

Page 69: Hardware and Software

Port Scanners

• Port scanning is used to remotely find open ports, listening services, and even the fingerprint/footprint of an operating system.

• Banner grabbing is when you use a port scanner (for example), and based on the banner information (the reply) that is returned, you can often tell which OS the reply is coming from.

• Nmap is a program that can be used to perform a port scan.

• A firewall can mitigate a port scan.

Page 70: Hardware and Software

Port Scanners

• A port scanner can be used to determine what services are running on a server without logging into the server.

• Port scanners usually work by sending different TCP flag combinations to a target and then analyzing the response.

• If you need to discover unnecessary services on your corporate LAN, start the discovery with a port scanner.

Page 71: Hardware and Software

Network Scanner

• A network scanner can be utilized to scan your network for vulnerabilities.

• Rogue system detection: a scanner can detect an unauthorized device on the network, allowing an admin to address the situation.

• Network mapping: a scanner can be used to detect all devices connected to a network, allowing a logical network map to be built, outlining the connections on the network.

Page 72: Hardware and Software

Wireless Scanner/Cracker

• Wireless networks have a unique vulnerability in the fact that they cannot be physically constrained to a certain location or medium.

• A wireless scanner is a device that can simply scan for a wireless network and record details of that network. Some scanners go a step further and automatically attempt to crack the encryption on weaker wireless networks.

• Frequently used in war driving.

Page 73: Hardware and Software

Password Cracker

• A password cracker is a piece of software designed to perform a brute force attack on a system's password. It is hoping to take advantage of one of a few weaknesses:

• Captured password hashes which can be attacked.

• Weak passwords that are simple, and thus can be cracked quickly.

• Having a secure password policy will protect an organization from a password cracker.

Page 74: Hardware and Software

Vulnerability Scanners

• A vulnerability scanner is a computer program designed to search for and map weaknesses in an application, computer, or network.

• These utilities are the least intrusive and check the environment for known software flaws.

• Scheduling vulnerability scans is a management control type.

Page 75: Hardware and Software

Data Sanitization

• Sanitization is the process of removing sensitive information from a document or other medium so that it may be distributed to a broader audience.

• Degaussing is the act of magnetically erasing all data on a disk so it may be reused.

• Before sending drives away to be destroyed, first encrypt the entire disk, then wipe/sanitize it.

Page 76: Hardware and Software

Steganography Tools

• A steganography tool is used to hide data inside of another file, such as a graphic file or video file.

• It makes subtle modifications to the file that is carrying the hidden information, attempting to make the new file indistinguishable from the original.

• Might be used by a photographer to hide a watermark in a photo.

Page 77: Hardware and Software

Honeypot and Honeynet

• A honeypot is a trap set to attract, detect, observe, deflect, or in some manner counteract attempts at unauthorized use of information systems.

• Two or more honeypots on a network form a honeynet.

• Use a honeypot/net to protect your company while also researching attack methods being used against your company.

• Honeypots and honeynets would be located in the DMZ.

Page 78: Hardware and Software

Command Line Tools

Ping
Tracert
Nslookup/dig
Arp
Ipconfig/ifconfig
nmap

Page 79: Hardware and Software

PING

• The PING command is a great utility that can let you know if you are able to communicate with another network device.

• However, just because you are unable to PING a device does not always mean you cannot communicate with said device. The device might have a firewall enabled that is configured to not respond to ICMP (PING) requests.

• Example: ping www.yahoo.com or ping 67.195.160.76

Page 80: Hardware and Software

PING Switches

• Switches:

• -t – PING the specified host until stopped.
• -a – Resolve addresses to hostnames.
• -n count – Number of echo requests to send.
• -l size – Send buffer size.
• -f – Set Don't Fragment flag in packet (IPv4-only).
• -i TTL – Time To Live.
• -v TOS – Type of Service (IPv4-only).
• -r count – Record route for count hops (IPv4-only).
• -s count – Timestamp for count hops (IPv4-only).
• -j host-list – Loose source route along host-list (IPv4-only).
• -k host-list – Strict source route along host-list (IPv4-only).
• -w timeout – Timeout in milliseconds to wait for each reply.
• -R – Use routing header to test reverse route also (IPv6-only).
• -S srcaddr – Source address to use.
• -4 – Force using IPv4.
• -6 – Force using IPv6.

Page 81: Hardware and Software

TRACERT

• TRACERT shows the route that an IP packet takes to get from the source to the destination.

• Example: tracert www.yahoo.com or tracert 67.195.160.76

Page 82: Hardware and Software

IPCONFIG/IFCONFIG

• IPCONFIG gives you information about your current network connections, such as:

• IP Address
• Subnet Mask
• Default Gateway
• DNS
• MAC Address

• IFCONFIG is used on Unix/Linux machines, but does the same as IPCONFIG.

• Example: ipconfig /all

Page 83: Hardware and Software

IPCONFIG Switches

• Some IPCONFIG switches:

• /all – Produces a detailed configuration report for all interfaces.
• /flushdns – Removes all entries from the DNS name cache.
• /displaydns – Displays the contents of the DNS resolver cache.
• /release <adapter> – Releases the IP address for a specified interface.
• /renew <adapter> – Renews the IP address for a specified interface.
• /? – Displays this list.

Page 84: Hardware and Software

ARP

• ARP (Address Resolution Protocol) is used to find a device's MAC address when only its IP address is known.

• A host wishing to obtain another's MAC address broadcasts an ARP request onto the network. The host on the network that has the IP address in the request then replies with its MAC address.

• ARP is an insecure protocol, as an attacker could "poison" your ARP table and give you bad information, convincing you that he is the Default Gateway. He would then be set up as a Man-In-The-Middle and could "sniff" your traffic.
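The defender's side of the ARP poisoning described above, as an added example (not code from the deck): two constructed `arp -a` listings in the Windows layout are parsed and compared against a pinned gateway address, so a gateway whose MAC suddenly changes, or one MAC claiming several IP addresses, produces an alert.

```python
"""Added example: spotting ARP cache poisoning from the defender's side by
comparing successive `arp -a` snapshots against a pinned gateway address.

The snapshots below are constructed text in the Windows `arp -a` layout.
"""
import re
from typing import Dict, List

ARP_ROW = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)

BEFORE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Same LAN a minute later: the gateway entry now carries the MAC of host .30
AFTER = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC for every row of an `arp -a` listing (broadcast entry skipped)."""
    table = {}
    for ip, mac, _ in ARP_ROW.findall(text):
        mac = mac.lower()
        if mac != "ff-ff-ff-ff-ff-ff":
            table[ip] = mac
    return table


def detect(previous: Dict[str, str], current: Dict[str, str],
           gateway_ip: str, pinned_gateway_mac: str) -> List[str]:
    """Alerts for the two classic poisoning symptoms plus any other flip."""
    alerts = []
    pinned = pinned_gateway_mac.lower()
    gw = current.get(gateway_ip)
    if gw and gw != pinned:
        alerts.append(f"gateway {gateway_ip} now resolves to {gw}, expected {pinned}")
    for ip, mac in current.items():
        if ip != gateway_ip and ip in previous and previous[ip] != mac:
            alerts.append(f"{ip} changed from {previous[ip]} to {mac}")
    owners: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    before, after = parse_arp(BEFORE), parse_arp(AFTER)
    print(detect(before, before, "192.168.1.1", "00-11-22-33-44-55"))   # []
    for alert in detect(before, after, "192.168.1.1", "00-11-22-33-44-55"):
        print("ALERT:", alert)
```

The same comparison is what a static ARP entry for the gateway, or dynamic ARP inspection on the switch, enforces automatically; running it by hand is a quick check when a workstation's traffic starts taking an unexpected path.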

Page 85: Hardware and Software

Troubleshooting Issues

CompTIA Security+

Page 86: Hardware and Software

Unencrypted credentials/cleartext

• Cleartext refers to plainly readable information, which allows anybody who can access that information to read it.

• No sensitive data should be left unencrypted, or it will be at risk of being stolen.

• PII is especially at risk here.

• Penetration testing and vulnerability scans can be utilized in order to test if something lacks or has weak encryption.

Page 87: Hardware and Software

Permission Issues

• A user without the proper permissions will be unable to do their job, and will require their permissions re-reviewed in order to gain proper permissions.

• A user with more permissions than intended can gain access to systems or software they should not have access to, potentially compromising a system.

• Privilege escalation is when a user exploits a known bug or vulnerability to increase their own access.

• Continual privilege review can prevent this.

Page 88: Hardware and Software

Access Violations

• A user might access networked resources if improper permissions are set or if no NAC is implemented.

• Physical access can be an issue if an employee can freely access restricted areas with ease.

• Network access can be determined by performing account reviews and with penetration testing.

• Physical access can be detected with some form of detective control like CCTV.

Page 89: Hardware and Software

Data Exfiltration

• A user able to exfiltrate data from a system is dangerous due to the myriad of sensitive data that can be stored on a system.

• USB drives can easily pull data from a computer.

• Bluetooth can pull data wirelessly.

• Data can be sent out of the network using email.

• Confirming proper group policies are set, and making sure USB/Bluetooth access is restricted, can prevent exfiltration. DLP can prevent many forms of exfiltration, including information sent over email.

Page 90: Hardware and Software

Misconfigured devices

• A misconfigured device can cause a wide range of problems, from unwanted access to causing a denial of service.

• Configurations should be reviewed by an admin in order to prevent misconfigurations from going unnoticed.

• A vulnerability scanner can detect common misconfigurations of many types of devices on a network.

Page 91: Hardware and Software

Weak Security Configurations

• Utilizing technologies like WPA2 instead of WEP can provide a more secure network.

• Preventing password reuse or short passwords is also critical in securing a system.

• Running a vulnerability scanner can detect certain weak configurations, while a tool such as a password cracker can be used on your master password file to see if anything is easily broken.

Page 92: Hardware and Software

Personnel Issues

• Policy violations can be reported by other employees or detected by security guards.

• CCTV can detect policy violations occurring.

• User education can prevent accidental policy violations.

• Insider threats are always a concern today, as an employee already has access to the systems they are trying to compromise.

• Separation of duties, job rotation, and mandatory vacations can help deter and detect insider threats.

Page 93: Hardware and Software

Personnel Issues: Social Engineering

• Social Engineering is the act of obtaining or attempting to obtain otherwise secure data by using deception and trickery.

• Social Engineering is an attack that cannot be prevented or deterred solely through using technical measures.

• The only way to prevent social engineering attacks is to train your users.

• Actively attempting to social engineer your users can tell you how many fall for the attacks.

Page 94: Hardware and Software

Personnel Issues: Social Media

• Social media is dangerous in regards to confidential information. Information can leave the corporate network and be broadcast to hundreds or thousands of people.

• Disabling access to social networking sites while on the company network can help mitigate this issue.

• Keeping track of employees' social media accounts is the only way to truly monitor what information is being spread.
  • Can be an invasion of privacy.

Page 95: Hardware and Software

Personnel Issues: Personal Email

• An employee's personal email can be easily compromised, as it is controlled by a third party organization.
  • Not necessarily encrypted
  • No DLP built into the system
  • Can email anybody freely

• Preventing access is recommended, as employees could easily use a 3rd party email to bypass some security controls.

Page 96: Hardware and Software

Unauthorized Software

• Unauthorized software can compromise a system in many ways, including:
  • An unknown potential entry point into a system.
  • A potential source of malware.
  • Just an unknown and untested possible instability.

• Application white/blacklisting can prevent unauthorized programs from being run and installed. Permission reviews can detect whether a user has the rights to install software.

• A vulnerability scan could pick up this unauthorized software.

Page 97: Hardware and Software

Baseline deviation

• A baseline is a set of known good or accepted configurations.

• Deviating from this known good can cause instabilities or create vulnerabilities in a system.

• An IDS or IPS can detect deviations from the baseline, potentially notifying an admin of any issues.
  • A behavior based IDS/IPS is designed this way.
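To make "deviation from the baseline" concrete, here is an added example (not from the deck, and not any IDS product's code) of the comparison a host-based baseline checker performs: a known-good snapshot of services, sshd settings, file hashes and listening ports is flattened and diffed against a later snapshot, and every added, removed or changed item is reported. Both snapshots are constructed; the file contents hashed here are illustrative, not a real /etc/passwd.

```python
import hashlib


def fingerprint(content):
    """Content hash used to detect file tampering; the prefix records the algorithm."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


# Constructed "known good" baseline for a host (illustrative values only).
BASELINE = {
    "services": {"ssh": "enabled", "telnet": "disabled", "ftp": "disabled"},
    "sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": "22"},
    "file_hashes": {"/etc/passwd": fingerprint(b"root:x:0:0::/root:/bin/bash\n")},
    "listening_ports": [22, 443],
}

# Constructed later snapshot of the same host, containing several drifts from the baseline.
CURRENT_STATE = {
    "services": {"ssh": "enabled", "telnet": "enabled", "ftp": "disabled", "snmp": "enabled"},
    "sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": "22"},
    "file_hashes": {"/etc/passwd": fingerprint(b"root:x:0:0::/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n")},
    "listening_ports": [22, 23, 443],
}


def flatten(tree, prefix=""):
    """Flatten nested dicts into {"a.b": value}; lists become sorted tuples so order does not matter."""
    out = {}
    for key, value in tree.items():
        path = prefix + str(key)
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        elif isinstance(value, list):
            out[path] = tuple(sorted(value))
        else:
            out[path] = value
    return out


def find_deviations(baseline, current):
    """Return (kind, path, baseline_value, current_value) for every difference, sorted by path."""
    base, cur = flatten(baseline), flatten(current)
    deviations = []
    for path in sorted(set(base) | set(cur)):
        if path not in cur:
            deviations.append(("removed", path, base[path], None))
        elif path not in base:
            deviations.append(("added", path, None, cur[path]))
        elif base[path] != cur[path]:
            deviations.append(("changed", path, base[path], cur[path]))
    return deviations


def is_compliant(baseline, current):
    return not find_deviations(baseline, current)


if __name__ == "__main__":
    for kind, path, old, new in find_deviations(BASELINE, CURRENT_STATE):
        print(f"{kind:8} {path}: {old!r} -> {new!r}")
```

Run against the constructed snapshots it reports the enabled telnet service, the new SNMP service, the changed PermitRootLogin value, the extra listening port and the modified passwd file; a behaviour-based IDS applies the same idea to traffic and process activity instead of static configuration.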

Page 98: Hardware and Software

Proper Licensing

• Make sure you and your employees are using legitimate software and have proper licensing for that software. Consider which license you want when, for example, buying:
  • Microsoft Office
  • Operating systems

• Personal License: A software license for an individual. Used on one or a few devices. For one user.

• Enterprise License: A software license for a corporation. Used on a large number of networked devices. May require access to the company network to authenticate.

Page 99: Hardware and Software

Asset Management

• Physical assets are important to keep track of for an organization, to prevent something from being lost or stolen.

• Implementing RFID tags can detect when equipment leaves the building or a certain area of a building.

• Company cell phones can be actively tracked with GPS.

• Having an organized inventory management system is important to properly keep track of company assets.

Page 100: Hardware and Software

Authentication Issues

• Prevent users' accounts from being compromised by continually monitoring logs and checking for brute force attacks.
  • A large number of failed log-ins is an indicator of a brute force attack.

• Another issue could be a user failing to remember their password, locking themselves out of their own account.
  • Having more lenient lockout policies could prevent this, as well as proper password policies.

• Forcing the user to contact an admin for account recovery can prevent this from being abused.
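The slide's indicator ("a large number of failed log-ins") is easy to turn into a detection. The following is an added example, not from the deck or any SIEM product: it parses sshd-style auth log lines, counts failed logins per source address inside a sliding time window, raises an alert when a threshold is reached, and records whether a successful login followed the burst (the sign that a guessed password worked). The log lines are constructed, the addresses are documentation ranges, and the syslog year is supplied as an assumed parameter because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog/sshd style); not captured from a real host.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar 10 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar 10 09:00:04 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 50003 ssh2
Mar 10 09:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar 10 09:00:07 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.5 port 50005 ssh2
Mar 10 09:00:09 host sshd[1006]: Accepted password for root from 203.0.113.5 port 50006 ssh2
Mar 10 09:15:00 host sshd[1101]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar 10 09:15:20 host sshd[1102]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Mar 10 09:15:45 host sshd[1103]: Accepted password for alice from 192.0.2.10 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text, year=2024):
    """Turn log lines into (timestamp, result, user, ip) tuples; the year is assumed since syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside a sliding window; note a later success."""
    recent_failures = defaultdict(list)   # ip -> [(timestamp, user), ...] still inside the window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            # drop failures that have aged out of the window, then add this one
            recent_failures[ip] = [(t, u) for t, u in recent_failures[ip] if ts - t <= window]
            recent_failures[ip].append((ts, user))
            if len(recent_failures[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent_failures[ip]))
                entry["users"] = sorted({u for _, u in recent_failures[ip]})
                # one target user suggests a lockout or targeted guess; many suggests spraying
                entry["single_user"] = len(entry["users"]) == 1
        elif ip in alerts:
            alerts[ip]["success_after"] = True   # accepted login after the burst: likely compromise
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

With the constructed log, 203.0.113.5 is flagged (five failures across four usernames in eight seconds, followed by a successful root login), while alice's two mistyped passwords from 192.0.2.10 stay below the threshold, which is the lockout-versus-attack distinction the slide raises.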

Page 101: Hardware and Software

Securing Mobile Devices

CompTIA Security+

Page 102: Hardware and Software

Connection Methods

Cellular Wi-Fi SATCOM

Bluetooth NFC

Page 103: Hardware and Software

Cellular

• The cellular network can be utilized by smartphones in order to provide mobile connectivity from a huge range of locations.

• Limited to areas with cellular towers.

• Other devices, not just phones, can access it:
  • USB dongles for PCs
  • Some tablets
  • Wi-Fi hotspots

• Usually associated with a data plan/data limit.

Page 104: Hardware and Software

Wi-Fi

• Mobile devices are also able to connect to the wireless network, lessening their dependence on the cellular network.
  • Helps by saving data!

• Constantly searching for nearby Wi-Fi access points can drain a phone's battery faster.

• Unsecure wireless access points can pose a problem with mobile devices, much as they can for laptops and other computers.

Page 105: Hardware and Software

SATCOM

• A service that provides data through the use of low Earth orbit satellites to users world-wide.
  • Satellite requires line-of-sight.
  • The delay involved in a digital satellite connection is called latency.

• Can provide connectivity to just about anywhere on earth; just need line of sight to the satellite.

• Generally a more expensive option for phone connectivity.

Page 106: Hardware and Software

Bluetooth

• Bluetooth is an open wireless protocol for exchanging data over short distances (using short length radio waves) from fixed and mobile devices, creating personal area networks (PANs). Note that PANs are centered around a specific person.
  • Used to connect two devices by the use of pairing
  • Can connect several devices, overcoming problems of synchronization
  • Bluetooth 1.0 and 2.0 have a wireless range of around 30 to 33 feet (or 10 meters)

Page 107: Hardware and Software

NFC

• Mobile devices can be used for Near Field Communication, which can be used for communication with another device over a short distance.

• Is commonly used today for electronic purchasing: instead of using a credit card, your smartphone is used to pay.
  • Can also be used for data transfers.

• Older smartphones may not have an NFC chip, and will not be able to utilize any NFC purchasing apps.

Page 108: Hardware and Software

Mobile Device Management (MDM)

App/Content Management

Remote Wipe Geolocation/Geofencing

Screen locks Push Notifications Passwords & PINs

Biometrics Containerization Full device encryption

Page 109: Hardware and Software

App & Content Management

• It is important to select an operating system that supports the applications desired for business functionality.
  • Some applications are simply incompatible with certain types of mobile operating systems.

• It can also be important to have proper access controls set on mobile devices to restrict access to certain content, and possibly prevent the installation of certain applications.
  • 3rd party applications could compromise the security of a mobile device.

Page 110: Hardware and Software

Remote Wipes

• The remote wipe feature on a smartphone is an excellent way to remove the data stored on the phone if said phone has been stolen or lost.

• Allows a company to protect their data on a potentially stolen phone.

Page 111: Hardware and Software

GPS Tracking

• GPS tracking is the ability to track a cell phone by using the phone's built-in GPS radio.

• Geo-tagging is a feature where you can encode pictures with the GPS coordinates of the picture's location. Be careful with this feature, as it can be a security risk both for the company and for home users!

• Location-based services is the feature in your smartphone that enables the GPS functionality for all of your apps. If you turn this off, then none of your apps can do geo-tagging, GPS tracking, etc.

Page 112: Hardware and Software

Geofencing

• Geofencing can be utilized to either prevent the use of a mobile device outside of a certain area or only allow the use of a mobile device outside a certain area.
  • Preventing the use of mobile devices outside of a certain area can prevent an employee from leaving and transmitting data outside of a network the company has control over.
  • Preventing use inside a certain area can keep a secure area secured, possibly preventing data from being exfiltrated.
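Both policies on the slide (device usable only inside an area, and device not usable inside a secure area) reduce to one calculation: how far is the reported position from the centre of each fence. The following is an added example, not taken from the deck or from any MDM product, that computes great-circle distance with the haversine formula and evaluates circular fences of both kinds. The fence coordinates and radii are constructed.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Constructed fences (illustrative coordinates and radii, not a real site).
# allow_inside_only: the device may only be used inside this area (slide's first case).
# deny_inside:       the device must not be used inside this area (slide's second case).
FENCES = [
    {"name": "HQ campus", "lat": 40.7128, "lon": -74.0060, "radius_m": 500, "mode": "allow_inside_only"},
    {"name": "Secure lab", "lat": 40.7148, "lon": -74.0060, "radius_m": 50, "mode": "deny_inside"},
]


def inside(fence, lat, lon):
    return haversine_m(lat, lon, fence["lat"], fence["lon"]) <= fence["radius_m"]


def evaluate_location(lat, lon, fences=FENCES):
    """Return ("allow" | "deny", reason) for a device reporting this position."""
    # restricted areas win over permitted areas, so a lab inside the campus is still off-limits
    for f in fences:
        if f["mode"] == "deny_inside" and inside(f, lat, lon):
            return "deny", f"inside restricted area '{f['name']}'"
    allow_zones = [f for f in fences if f["mode"] == "allow_inside_only"]
    if allow_zones and not any(inside(f, lat, lon) for f in allow_zones):
        return "deny", "outside all permitted areas"
    return "allow", "position permitted"


if __name__ == "__main__":
    for lat, lon in [(40.7128, -74.0060), (40.7148, -74.0060), (40.7128, -73.9960)]:
        print(lat, lon, evaluate_location(lat, lon))
```

The three sample positions are the campus centre (allowed), the lab centre about 222 m north (denied because it is inside the restricted fence even though it is inside the campus), and a point roughly 840 m east (denied because it is outside the permitted campus fence).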

Page 113: Hardware and Software

Screen Lock

• Enforcing a screen lock on employee mobile devices can prevent the leakage of sensitive company information.
  • A screen lock is a simple security feature on all modern smartphones that prevents access to the device without proper authentication.
  • Passcode/PIN lock
  • Pattern lock
  • Biometric lock

Page 114: Hardware and Software

Passcode Locks

• A passcode lock can be set so that when the phone has been turned on or woken up you must enter the passcode to unlock the phone. This is a great way to prevent someone other than the owner from getting to the data that is on the phone and using the phone.
• You must remember that when setting a passcode you need to use a mix of numbers. Don't use a passcode such as 1111, 2580, or 1337.
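An MDM passcode policy has to reject the kind of codes the slide warns about mechanically, so here is an added example (not from the deck or any MDM product) of a passcode-quality check. It goes beyond the three listed values to the patterns they represent: a single repeated digit, ascending or descending runs, a repeated half, straight lines on the phone keypad (2580 is the middle column), year-like values, and a small constructed list of commonly chosen codes.

```python
# Straight-line key sequences on a standard phone keypad
# (rows, columns, the two diagonals, and the middle column continued down to 0).
KEYPAD_LINES = ["123", "456", "789", "147", "2580", "369", "159", "357"]

# Constructed denylist of frequently chosen passcodes (the deck names 1111, 2580 and 1337).
COMMON_PASSCODES = {"1111", "0000", "1234", "1337", "2580", "1212", "4321", "6969", "2000", "1004"}


def weak_passcode_reasons(code):
    """Return the list of reasons a numeric passcode is weak; an empty list means it passes."""
    if not code.isdigit() or len(code) < 4:
        return ["must be at least 4 digits"]
    reasons = []
    if code in COMMON_PASSCODES:
        reasons.append("common passcode")
    if len(set(code)) == 1:                       # 1111, 7777
        reasons.append("repeated digit")
    diffs = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if diffs in ({1}, {-1}):                      # 1234, 4321, 0123
        reasons.append("sequential digits")
    half = len(code) // 2
    if len(code) % 2 == 0 and code[:half] == code[half:] and len(set(code)) > 1:
        reasons.append("repeating pattern")       # 1212, 3737
    if any(code in line or code[::-1] in line for line in KEYPAD_LINES):
        reasons.append("keypad line")             # 2580, 0852
    if len(code) == 4 and code[:2] in ("19", "20"):
        reasons.append("looks like a year")       # 1985, 2011
    return reasons


def is_acceptable(code):
    return weak_passcode_reasons(code) == []


if __name__ == "__main__":
    for candidate in ["1111", "2580", "1337", "1985", "8305", "739104"]:
        print(candidate, weak_passcode_reasons(candidate) or "ok")
```

The checks are cheap enough to run on the device at passcode-change time; longer codes such as 739104 pass, while all three of the slide's examples are refused for at least one reason.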

Page 115: Hardware and Software

Pattern Locks

• A pattern lock can be used to secure a phone by requiring the user to enter a known pattern to gain access to the phone.

• Though a pattern lock can be a more convenient access method, it is less secure than a sufficiently long passcode lock.

Page 116: Hardware and Software

Biometrics

• Biometrics are the authentication techniques that rely on measurable physical characteristics that can be automatically checked.

• This could include something along the lines of facial recognition or a fingerprint scanner.

Page 117: Hardware and Software

Push Notifications

• Push notifications can be used for convenience for the company or user, giving faster access to some amount of information.
  • A push notification can simply pop up on the locked screen of a phone, giving access instantly to certain information.
  • Certain push notifications can give a small amount of information from a text or email, potentially revealing sensitive information.

Page 118: Hardware and Software

Context-aware Authentication

• Context-aware authentication does not just check for a simple password, but also for the situation in which the password is being entered.
  • For example, the password might work perfectly fine when on the company network, but be completely disabled when trying to connect to public Wi-Fi.
  • Could also require stricter password requirements in some locations, as in now needing both a password and a hardware token to access a device on public Wi-Fi.

Page 119: Hardware and Software

Device Containerization

• Whenever an employee is using a smartphone, the issue of data ownership needs to be addressed.

• Creating a "container" on the device can separate corporate information from personal information on a device.

• The secure container can be remotely wiped should the phone be compromised.

Page 120: Hardware and Software

Full Device Encryption

• Device encryption is used to encrypt every bit of data that goes on a device. The data is then decrypted as it is read into memory.

• The term "full device encryption" is often used to signify that everything on a device is encrypted.

• Full device encryption would be best used on portable devices, as they can be easily stolen.

Page 121: Hardware and Software

Enforcement & monitoring

Third Party Apps Rooting/Jailbreaking

Carrier Unlocking

Camera Use External Media GPS Tagging

Sideloading Custom Firmware Firmware OTA Updates

SMS/MMS Tethering Wi-Fi direct/Ad hoc

Page 122: Hardware and Software

Third Party App Stores

• Preventing access to third party application stores can prevent users from having access to applications on their phones that could compromise the device.

• Preventing unnecessary third party applications can also further prevent compromise from unknown factors caused by those applications.

Page 123: Hardware and Software

Rooting/Jailbreaking

• Rooting/jailbreaking a phone is gaining root access to the operating system on the device.
  • Root access is admin access.

• Scanning any networked devices to check if they have root access is important, because a user with complete control could change any number of configurations.

Page 124: Hardware and Software

Sideloading

• Sideloading is the process of installing software on a device while bypassing the use of any app store or official means of acquiring an application.

• Sideloading can be mitigated by preventing removable media and controlling which networks a mobile device is permitted to connect to.

Page 125: Hardware and Software

Custom Firmware

• Custom firmware is a modified version of market firmware developed by a third party.

• Custom firmware is essentially a modified operating system that can be used to bypass certain security controls.
  • Like sideloaded applications, preventing the use of removable media can mitigate the risk of a user loading custom firmware.

Page 126: Hardware and Software

Carrier Unlocking

• A company smartphone being unlocked from a particular carrier can present a number of issues.
  • Can breach some security controls on a smartphone.
  • Can violate an agreement a company has with a carrier.

• Carrier unlocking can be prevented by restricting access to 3rd party applications and removable media.

Page 127: Hardware and Software

OTA updates

• Over the Air updates are updates that your phone receives over a wireless network, allowing attackers to potentially intercept and manipulate that data.

• Enforcing wireless encryption with a suitably strong algorithm can prevent exploiting this technology.
  • For example, using AES instead of DES.

Page 128: Hardware and Software

Camera use

• Preventing camera use on an employee smartphone can prevent them from taking pictures of sensitive information.
  • Pictures of confidential documents.
  • Pictures of secure locations.
  • Geotagged pictures.

• Disabling the camera can further lock down the company phone.

Page 129: Hardware and Software

SMS/MMS

• SMS would be a simple message, much like a text.

• MMS would be a multimedia message such as a picture or short video.

• Monitoring employee communications on a company smartphone can be paramount when trying to detect the leakage of sensitive data.

Page 130: Hardware and Software

External Media

• Allowing external media on a company smartphone can present numerous issues for the security of a mobile device.
  • Allows for the exfiltration of data.
  • Allows sideloading of 3rd party applications.
  • Gives an access point for potentially malicious software.

• Disabling removable media is a good idea for mobile devices.

Page 131: Hardware and Software

USB OTG

• USB On The Go (OTG) allows other USB devices to connect to a smartphone, and pass information between the two devices.
  • Has the same security issues as removable media.

• Allows for the connecting of peripheral devices, which can compromise the security of a smartphone.
  • Like most removable media, it is best practice to disable it.

Page 132: Hardware and Software

GPS tagging

• GPS tagging (also known as geotagging) includes geographical information such as GPS coordinates in items like pictures and video.
  • Can cause privacy issues for users.

• Geotagging can also reveal the GPS coordinates of secure locations.

• Ensure location-based services are disabled to prevent geotagging.

Page 133: Hardware and Software

Wi-Fi direct/ad-hoc/Tethering

• Wi-Fi direct or ad-hoc mode allows wireless devices to connect directly together without requiring a wireless network to work off of.
  • This can cause the same issues as removable media, but wirelessly.

• Tethering is a physical connection between a smart device and a personal computer, for example. This would allow data exfiltration to occur.

Page 134: Hardware and Software

Deployment Models

BYOD COPE

CYOD Corporate-owned

Page 135: Hardware and Software

BYOD

• BYOD = Bring Your Own Device. If allowing employees to use their own mobile devices on the corporate network:
  • Confine them to their own VLAN for security.

• BYOD allows an employee to bring their own personal phone and connect it to the business network to be used for business purposes.

• Employee maintains a large amount of control over the device.

Page 136: Hardware and Software

COPE

• COPE = Company Owned, Personally-enabled. A company provides their employees with mobile devices for their employees to use as though they were the employee's device.

• Similar to BYOD, but at the end of the day, the company owns the device.
  • Gives slightly more control than BYOD.

Page 137: Hardware and Software

CYOD

• CYOD = Choose Your Own Device. With CYOD, employees get a choice from a limited number of devices that are ultimately selected by the company.
  • Can limit users to particular operating systems.

• Company has more control over the device, and can limit it to strictly work activities.

Page 138: Hardware and Software

Corporate Owned Mobile Devices

• A corporate owned mobile device is a mobile device that is owned, administered, and controlled by the company, but is then handed out to the employees of that company.

• Employees have little say on which device they acquire, if any at all.

• A company can regain complete control of the mobile device if needed.

Page 139: Hardware and Software

Secure Protocols

CompTIA Security+

Page 140: Hardware and Software

Email Security Protocols

• Email communications can be encrypted and signed in order to guarantee secure communications.
  • Emails can be encrypted to ensure confidentiality of the emails.
  • Emails can be signed and hashed to ensure integrity.

• Secure email protocols:
  • S/MIME
  • Secure POP
  • Secure IMAP

Page 141: Hardware and Software

S/MIME

• The primary benefit of using S/MIME is that it allows users to send both encrypted and digitally signed emails.

• S/MIME allows a user to selectively encrypt email messages at rest.

Page 142: Hardware and Software

Secure POP/IMAP

• POP or IMAP can be utilized to download email from an email server.
  • POP downloads and deletes.
  • IMAP keeps a copy on the server.

• Both POP and IMAP can be secured by SSL or TLS, to allow this communication to be encrypted.
  • Causes POP to run over port 995 instead of 110.
  • Causes IMAP to run over port 993 instead of 143.

Page 143: Hardware and Software

Secure Web Protocols

• Browsing the internet can also be secured by encrypting traffic between the web client and server.
  • Useful when purchasing online.
  • Useful when accessing online bank accounts.
  • Useful for any other sensitive internet traffic.

• The primary protocol to use to secure web traffic is HTTPS.
  • Secured with SSL/TLS.

Page 144: Hardware and Software

HTTPS

• HTTPS stands for Hypertext Transfer Protocol Secure and is used to transmit data to and from a web browser and a web server securely.

• HTTPS uses SSL or TLS for its encryption.

• HTTPS uses TCP port 443.

Page 145: Hardware and Software

SSL

• Secure Socket Layer (SSL) uses port 443 and is an asymmetric protocol.

• SSL uses both public keys and private keys to secure websites.
  • The session key in an SSL connection is symmetric.
  • SSL session keys are encrypted using an asymmetric algorithm.

• If you are using SSL to secure a web or VPN server, make sure that port 443 inbound on your firewall is open.

Page 146: Hardware and Software

TLS

• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.

• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.
  • TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.
  • TLS is used for encryption between email servers.
  • TLS can encrypt the protocols LDAP, HTTP, and SMTP.
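The name comparison the slide describes is the step that stops a valid certificate for one site being presented for another. The following is an added example, not from the deck and not the Python ssl module's own implementation, of that comparison: it matches the requested host name against the certificate's subjectAltName DNS entries with the usual wildcard rules (a wildcard may only be the whole left-most label, matches exactly one label, and may not stand in for a public suffix such as `*.com`). The certificate dictionaries are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns; they are not real certificates.

```python
# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert()
# (assumption: only the fields used here are populated; these are not real certificates).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"), ("IP Address", "203.0.113.10")),
}
CERT_WITHOUT_SAN = {"subject": ((("commonName", "legacy.example.net"),),)}


def _match_one(host, pattern):
    """Compare one lower-cased host name with one certificate name, RFC 6125 style."""
    if "*" not in pattern:
        return host == pattern
    labels = pattern.split(".")
    # Only a whole left-most label may be a wildcard, and it must sit under at least two more labels,
    # so '*.com' or 'w*.example.com' are rejected rather than matching half the internet.
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = host.split(".")
    # The wildcard covers exactly one label: 'a.b.example.com' does not match '*.example.com'.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(hostname, cert_names):
    """True if the requested host name matches any of the certificate's DNS names."""
    host = hostname.rstrip(".").lower()
    return any(_match_one(host, name.rstrip(".").lower()) for name in cert_names)


def verify_peer_name(hostname, cert):
    """Return (ok, reason): the identity check a TLS client performs before trusting the server."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        # modern clients ignore the subject commonName, so a certificate without SAN entries fails
        return False, "certificate has no subjectAltName DNS entries"
    for name in dns_names:
        if hostname_matches(hostname, [name]):
            return True, f"matched SAN DNS:{name}"
    return False, f"{hostname} does not match any of {dns_names}"


if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "a.b.example.com", "www.attacker.example"]:
        print(host, verify_peer_name(host, SAMPLE_CERT))
```

When a client skips this step (or an application disables it), a man-in-the-middle only needs any certificate the client trusts, which is why the check belongs in the client alongside chain validation rather than being left to the user.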

Page 147: Hardware and Software

File Transfer

• Transferring files between systems can and should be encrypted from end to end to prevent snooping of the data in transit.
  • Unencrypted file transfers can be captured and possibly modified by a malicious attacker.

• Examples of secure file transfer protocols include:
  • FTPS
  • SFTP

Page 148: Hardware and Software

SFTP

• SSH can be used to secure FTP communications. This is called SFTP or Secure File Transfer Protocol.

• SFTP uses TCP port 22 because it utilizes SSH to encrypt the traffic.

• Is not compatible with the original FTP.

• SFTP only requires one channel to use.

Page 149: Hardware and Software

FTPS

• SSL or TLS can be used to secure FTP communications as well; this is called FTPS.

• Is built on the same framework as most internet communications.

• Is split into two connections like FTP, making it hard to use with firewalls.
  • Control channel
  • Data channel

Page 150: Hardware and Software

Directory Services

• A directory is a collection of usernames, passwords, emails, or possibly many other things.
  • Think of how a phone book is a list of names and phone numbers.

• An example of a directory service could be Active Directory, Microsoft's directory service.
  • LDAP is used to add, delete, search, and modify directory entries.

Page 151: Hardware and Software

LDAPS

• Before any LDAP messages can be transferred, LDAPS requires the client to establish a secure TLS session, providing encryption.

• If the TLS connection is closed, the LDAPS session closes as well, preventing connection without encryption.

• Runs over port 636.

Page 152: Hardware and Software

Remote Access

• After initial configuration, devices can be remotely configured and administered over the network, allowing the admin to change and test configurations remotely.
  • Otherwise physical access would be the only option.

• Two protocols that could allow this remote access:
  • Telnet (unsecure)
  • SSH (secure)

Page 153: Hardware and Software

SSH

• Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices, such as an administrator computer and a router.

• SSH was designed as a replacement for Telnet and other insecure remote shells, which send information (notably passwords) in plaintext, leaving them open for interception.

• SSH is most commonly used to remotely administer a Unix/Linux system and uses TCP port 22.

Page 154: Hardware and Software

SNMP

• SNMP (Simple Network Management Protocol) is used in network management systems to monitor devices for conditions that warrant administrative attention.
  • Runs on port 161.
  • Allows an administrator to set device traps.
  • Used to find equipment status and modify configuration and settings on network devices.

• SNMP can be used to gather reconnaissance information from a printer.

• SNMPv3 is the most secure.

Page 155: Hardware and Software

Domain Name System

• A DNS server (Domain Name System) converts a FQDN (Fully Qualified Domain Name) (ex: www.yahoo.com) into the IP address your computer needs to access the remote device. BIND is the de-facto standard DNS software.

• A DNS zone transfer is when two DNS servers synchronize their databases. This uses TCP port 53.

• DNS information could potentially be forged, or a malicious DNS server could try to perform a zone transfer with a legitimate one, poisoning it.

Page 156: Hardware and Software

DNSSEC

• DNSSEC is a suite of specifications for securing info provided by DNS (especially authentication of the data therein, stopping zone transfer).
  • Prevents the use of forged DNS information.
  • Has all DNS responses be digitally signed.