Hardware and Software
CompTIA Security+
Firewalls
Software vs Hardware
Stateful vs Stateless
Access Control Lists (ACL)
• An Access Control List, or ACL, is a set of data that informs a computer's operating system which permissions, or access rights, each user or group has to a specific system object (such as a directory or file).
• An example of an Access Control List would be Windows NTFS permissions.
• Firewalls also use ACLs to restrict network access to certain TCP and UDP ports or via source & destination IP addresses.
Firewall
• A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.
• Modern firewalls utilize stateful packet inspection.
• Stateful packet inspection will block incoming traffic that does not match an internal request.
• A firewall can mitigate port scanning.
Software Firewall
• A device, whether it is software or hardware, that inspects traffic and only allows authorized traffic in or out of the network or computer is called a firewall.
• A personal firewall or host-based firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy.
• By default, your inbound firewall rule should be set to “Deny-All”. This means that traffic originating from outside of the workstation will be denied access into the workstation. This is known as an Implicit Deny.
Hardware Firewall
• A hardware firewall, or network-based firewall, is a physical device that controls the flow of traffic throughout the network.
• Commonly used at the entrance to a network to separate a DMZ from an internal network.
• Alternatively, it could just be preventing traffic from one internal network to another.
Stateless Firewall
• A stateless firewall is configured with an ACL that permits or denies traffic based on static rules defined by an admin.
• The vulnerability here is that if the IP addressing of the packet is spoofed, the network can be compromised, as a stateless firewall doesn't support contextual analysis.
• The advantage with stateless firewalls is that processing is faster when compared to stateful firewalls.
Stateful Firewalls
• A stateful firewall inspects the traffic leaving a network and permits the return traffic to come back dynamically by modifying an ACL on the edge of the network pointing into the internal network.
• Creates a “state table” to allow external replies to re-enter the network.
• Those packets matching state table entries will be permitted into the network. The advantages include more flexibility and less susceptibility to spoofing attacks when compared to stateless firewalls.
Implicit Deny
• Implicit deny is a term to describe the default action to deny everything when there are not any matches in the entries that you specify. This could be denying a hacker from penetrating your firewall, or it could be denying a sales rep from accessing company payroll information.
• Implicit denies can be set in router ACLs, firewall rules, NTFS permissions, etc.
• An implicit deny means you will not have access to that resource unless explicitly allowed.
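The stateless and stateful behaviour described above, each ending in an implicit deny, as an added example (not code from the course slides); the addresses, rules and the spoofed packet are constructed for illustration.

```python
"""Stateless ACL vs stateful inspection, both ending in implicit deny.

Added example, not code from the course slides. The addresses, ports and
rules are constructed for illustration (10.0.0.0/24 is the "inside").
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str
    src_net: str = ""            # address prefix; "" matches any address
    dst_net: str = ""
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and pkt.src.startswith(self.src_net)
                and pkt.dst.startswith(self.dst_net)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def stateless_filter(acl, pkt):
    """First matching static rule wins; no match at all is the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Outbound packets the ACL permits are recorded in a state table; an
    inbound packet is permitted only if it is the reply to a recorded flow.
    Everything else falls through to the implicit deny."""

    def __init__(self, outbound_acl):
        self.outbound_acl = outbound_acl
        self.state = set()

    def outbound(self, pkt):
        action = stateless_filter(self.outbound_acl, pkt)
        if action == "permit":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

    def inbound(self, pkt):
        # A genuine reply has the recorded flow's source and destination swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.state else "deny"


# Stateless inbound ACL of the kind written to let web replies back in:
# anything from TCP port 80 toward the inside is permitted.
STATELESS_INBOUND = [Rule("permit", "tcp", dst_net="10.0.0.", sport=80)]
# Outbound policy for the stateful firewall: the inside may reach any web server.
OUTBOUND_ACL = [Rule("permit", "tcp", src_net="10.0.0.", dport=80)]

# Constructed traffic: a real request/reply pair, and a spoofed "reply" that no
# inside host ever asked for (a source port of 80 is all the spoofer needs).
REQUEST = Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 80)
REPLY = Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 51000)
SPOOFED = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 4444)


def run_scenario():
    """Return what each firewall does with the legitimate reply and the spoof."""
    fw = StatefulFirewall(OUTBOUND_ACL)
    fw.outbound(REQUEST)
    unrelated = Packet("tcp", "203.0.113.9", 5555, "10.0.0.5", 22)
    return {
        "stateless_reply": stateless_filter(STATELESS_INBOUND, REPLY),
        "stateless_spoof": stateless_filter(STATELESS_INBOUND, SPOOFED),
        "stateful_reply": fw.inbound(REPLY),
        "stateful_spoof": fw.inbound(SPOOFED),
        "unrelated_inbound": stateless_filter(STATELESS_INBOUND, unrelated),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:18} -> {decision}")
```

The spoofed packet matches the static rule and gets through the stateless filter, while the stateful firewall denies it because no state table entry exists for it.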
VPN Concentrator
Types of VPNs
IPsec
Split-tunneling
Always-on VPN
VPN Concentrators
• VPN concentrators incorporate the most advanced encryption and authentication techniques available.
• They are ideally deployed where the requirement is for a single device to handle a very large number of VPN tunnels.
• They were specifically developed to address the requirement for a purpose-built, remote-access VPN device.
Virtual Private Network (VPN)
• VPN technology provides secure remote access means from a computer to a remote computer or from one network to another network over the Internet. There are two primary types of VPNs.
[Diagram: Remote Access VPN (client to Remote Access Server) and Site-to-site VPN]
IPsec
• IP Security is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
• IPsec has been deployed widely to implement Virtual Private Networks (VPNs).
• IPsec supports two encryption and authentication header modes:
• Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched.
• Tunnel mode encrypts both the header and the payload.
[Diagram: IPsec transmission modes. Transport mode: end-to-end IPsec between all or some of the computers across the public network. Tunnel mode: IPsec across the public network.]
AH vs ESP
• Authentication Header (AH) provides a framework for IPsec.
• This framework will allow for authentication, anti-replay, and integrity (NOT encryption).
• AH provides better performance than ESP.
• Encapsulating Security Payload (ESP) provides a framework for IPsec.
• This framework will allow for authentication, encryption, anti-replay, and integrity.
• Commonly implemented when compared with AH.
• ESP provides better security than AH.
Split Tunneling
• When split tunneling is enabled, traffic intended for the corporate office is forwarded through the protective tunnel, while other traffic, such as web traffic, may be forwarded through the local connection in the clear. This may be done to cut down on overhead both for the end user and the corporate office.
• When split tunneling is disabled, all traffic will be forwarded to the corporate office through the protective tunnel. This may be done to ensure all traffic from the user is protected via the corporate policy.
TLS
• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.
• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.
• TLS has many uses, for example:
• TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.
• TLS can encrypt the protocols LDAP, HTTP, and SMTP.
• Can be used to create a secure VPN connection through a browser, allowing a VPN connection without requiring the client to download software other than a web browser.
Always-on VPN
• Always-On prevents access to the internet when the computer is not on a trusted network, unless a VPN session is active.
• This enforces that the computer be in a secure environment, protecting a computer on an untrusted network.
• Always-On should establish a VPN connection as soon as a user logs in and the computer detects it is on an untrusted network. Then, the VPN session should remain open until the user logs out.
NIDS/NIPS
Signature based
Heuristic/Behavioral/Anomaly
False Positives & Negatives
IDS
• An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.
• IDS are used to detect suspicious behavior but not react to it.
• A major consideration when implementing an IDS solution is having the personnel to interpret results.
NIDS (Network Intrusion Detection System)
• A NIDS (Network Intrusion Detection System) is an intrusion detection system that watches network traffic in order to view if network communications are using unauthorized protocols.
• For a NIDS to view all available segment traffic on a switch, make sure that you configure a mirrored port.
• When using a NIDS, the NIC should be placed in promiscuous mode to monitor all traffic.
NIPS (Network Intrusion Prevention System)
• An IPS is a proactive security application that is used to prevent activity from entering your network.
• A NIPS (Network Intrusion Prevention System) is a network security device that monitors network and/or system activities for malicious or unwanted behavior.
• Reacts in real-time to block or prevent those activities.
• Usually placed in-line with data flow and can potentially disrupt network traffic.
NIDS and NIPS misc.
• Keep in mind that encrypting all network traffic will reduce the effectiveness when deploying and managing a NIDS or NIPS, because they cannot read the encrypted traffic.
• An IDS/IPS that identifies legitimate traffic as malicious activity is called a false positive.
• An IDS/IPS that identifies malicious activity as being legitimate activity is called a false negative. Example: an IDS that does not identify a buffer overflow.
Inline vs passive IPS
• An inline IPS is a proactive defense measure and works with the active data that is traversing your network.
• This gives the IPS much more control in order to prevent attacks.
• A passive IPS is a reactive defense measure and receives a copy of the data, and never works with the inline information.
• This gives the IPS less control, but reduces the chance of false positives and negatives.
• Essentially becomes an IDS.
Signature-based
• Signature-based IDS, the most basic form of IDS, employs a database with signatures/patterns to identify possible attacks and malicious activity.
• These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns.
• A signature-based monitoring tool depends on receiving regular updates.
• With signature-based monitoring, the vendor decides what traffic gets blocked by including specific traffic patterns in the signature files.
Anomaly/Heuristic/Behavior-based
• Anomaly-based IDS uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior.
• An anomaly-based IDS system follows a learning process.
• The first step when implementing an anomaly-based IDS/IPS is documenting the existing network.
• Anomaly-based IDS uses statistical analysis to detect intrusions.
• With anomaly/heuristic-based systems, it is up to you to decide what traffic gets blocked by defining what is “normal”.
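An added example (not code from the course slides) that runs a small signature database and a learned-baseline anomaly detector over constructed flow records and tallies the false positives and false negatives each one produces; the signatures, records, baseline sizes and labels are all constructed.

```python
"""Signature-based versus anomaly-based detection on constructed traffic,
scored for false positives and false negatives against a ground truth.

Added example, not code from the course slides. The signatures, traffic
records, baseline sizes and labels are all constructed for illustration.
"""
import re
from statistics import mean, pstdev

# Constructed flow records: (source, destination port, bytes, payload snippet, truth).
# "truth" is the analyst's label, used only for scoring, never by the detectors.
TRAFFIC = [
    ("10.0.0.5", 80, 512, "GET /index.html HTTP/1.1", "benign"),
    ("10.0.0.5", 80, 640, "GET /about.html HTTP/1.1", "benign"),
    ("10.0.0.7", 443, 700, "TLS application data", "benign"),
    ("10.0.0.7", 80, 590, "GET /login.php?user=alice", "benign"),
    ("10.0.0.9", 80, 560, "GET /search?q=' OR 1=1 --", "malicious"),
    ("10.0.0.9", 80, 90000, "POST /cgi-bin/form " + "A" * 64, "malicious"),
    ("10.0.0.5", 80, 30000, "GET /backup.tar.gz", "benign"),
]
# Flow sizes recorded while documenting the network: the anomaly baseline.
BASELINE_SIZES = [500, 520, 610, 590, 640, 700, 560, 480]

# Vendor-style signatures. The "long-repeat" rule is deliberately stale: it
# wants a 200-byte filler, so the 64-byte overflow attempt above slips past it.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
    "long-repeat": re.compile(r"(.)\1{199,}"),
}


def signature_detect(record):
    """Return the first matching signature name, or None when nothing matches."""
    payload = record[3]
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


class AnomalyDetector:
    """Flags flows whose size sits more than z_threshold standard deviations
    above what the learned baseline calls "normal"."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.mean = self.stdev = None

    def learn(self, sizes):
        # Learning phase: statistics of the documented, known-good network.
        self.mean, self.stdev = mean(sizes), pstdev(sizes)

    def detect(self, record):
        z = (record[2] - self.mean) / self.stdev
        return z > self.z_threshold


def score(flags, truths):
    """Confusion counts: fp = benign flagged, fn = malicious missed."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for flagged, truth in zip(flags, truths):
        malicious = truth == "malicious"
        if flagged:
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts


def evaluate():
    """Run both detectors over TRAFFIC and score each against the labels."""
    truths = [r[4] for r in TRAFFIC]
    sig_flags = [signature_detect(r) is not None for r in TRAFFIC]
    detector = AnomalyDetector()
    detector.learn(BASELINE_SIZES)
    ano_flags = [detector.detect(r) for r in TRAFFIC]
    return {"signature": score(sig_flags, truths),
            "anomaly": score(ano_flags, truths)}


if __name__ == "__main__":
    for method, counts in evaluate().items():
        print(method, counts)
```

The signature detector misses the overflow attempt its stale rule does not describe (a false negative), while the anomaly detector catches it by size but also flags the large, legitimate backup download (a false positive).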
Networking Hardware
Routers
Switches
Router
• A router is a computer networking device that forwards data packets from one network to another, towards their ultimate destinations.
• Routing occurs at layer 3 (the Network layer).
• Connects two or more networks together.
• Each interface connects to a different network.
• The router interface then becomes the Default Gateway.
• Does not pass broadcast packets.
• A router's Access Control Lists can be used to confine sensitive data and computers to particular sub-networks.
• Password protect the console port on a router if the router itself is placed in an unsecure location.
Switch
• A network switch is a hardware device that joins multiple computers together within one local area network.
• Switches operate at layer 2 (Data Link Layer) of the OSI model.
• Forwards packets by MAC address.
• Devices on each connection cannot usually see each other's traffic (except for broadcasts).
• It is best practice to disable any unused ports to secure the switch from physical access.
Multilayer Switch
• Multilayer switching is simply the combination of traditional Layer 2 switching with Layer 3 routing in a single product.
• Uses ARP to learn the IP addresses of devices that are connected.
• Can be used to permit different broadcast domains to communicate with each other.
Spanning Tree
• Switching loops must be avoided because they result in flooding the network.
• The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN.
• Allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links.
• Can be enabled to avoid broadcast storms.
• 802.1w and 802.1d are IEEE designations for spanning tree.
• The MAC address with the lowest number will become the root bridge for 802.1d.
Proxy Servers
Forward Proxies
Reverse Proxies
Transparent Proxies
Proxy Server
• A proxy server is a server that acts as a go-between for requests from clients seeking resources from the Internet.
• A proxy server combines two functions: it caches web pages locally to speed up access requests, while also acting as a content filter to block users from visiting inappropriate sites.
• If you want to know what websites your users are visiting, set up a proxy server.
• The best way to secure your email infrastructure is to set up an email proxy server in the DMZ and the email server in the internal network.
Forward Proxy vs Reverse Proxy
• A forward proxy acts as a proxy for outgoing traffic, protecting your network from the users in it.
• Can prevent users from going to malicious sites and inspect their traffic as it leaves.
• A reverse proxy acts as a proxy for incoming traffic, and can protect your network from external intruders.
• Can filter out requests from external attackers who are trying to infiltrate your network.
• Can stand in for a large number of servers, including but not limited to web servers, email servers, and file servers.
Transparent Proxy
• A transparent proxy does its normal functions as a proxy, but doesn't appear in the path of traffic. It does not modify the request or response for the traffic passing through it.
• Is seamless for the user connecting to the network, and may redirect a new user to a user agreement screen, but then routes all other traffic as normal.
• Can still handle caching for speeding up web access.
Load Balancer
Types of load balancers
Session affinity vs Round Robin
Virtual IPs
Load Balancer
• Load balancing is a computer networking methodology to distribute workload across multiple computers, network links, central processing units, disk drives, or other resources to achieve optimal resource utilization.
• Basically any devices can be load balanced to provide redundancy and load sharing.
Session Affinity vs Round Robin
• Session affinity remembers each user's session and continues to connect that user to the same server each time.
• So if user 1 connects to server 1, user 1 will continue to connect to server 1.
• Round Robin load balancing just assigns sessions to the first available server, and continues in sequence.
• So if there were three servers, user 1 would connect to server 1, user 2 to server 2, user 3 to server 3, user 4 to server 1, and so on.
Active or Passive Servers
• While load balancing, servers are in one of two states, active or passive. With those states, you end up with two configurations:
• Active-active, where all servers are active and participating in load balancing.
• Active-passive, where only some of the servers are actively being load balanced, and others are waiting as backups, or “failovers”.
Virtual IPs
• When many servers are being load balanced, it is possible that a client is not pointing to the physical IP address but to a virtual IP address associated with one “server”.
• Though this virtual server does not actually exist, it represents all servers being load balanced on the backend.
• This allows clients to see one IP address, while the load balancer handles which physical IP they connect to.
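Round robin, session affinity and active-passive failover behind one virtual IP, as an added example (not code from the course slides); the VIP, the server pool and the client names are constructed for illustration.

```python
"""Round robin versus session affinity behind one virtual IP, with
active-passive failover when a back-end server goes down.

Added example, not code from the course slides; the VIP, server pool and
client names are constructed for illustration.
"""

VIP = "192.0.2.10"    # the single address clients see


class LoadBalancer:
    def __init__(self, active, passive=()):
        self.active = list(active)        # servers currently taking traffic
        self.passive = list(passive)      # warm backups ("failovers")
        self.healthy = {s: True for s in self.active + self.passive}
        self.next_index = 0               # round-robin cursor
        self.affinity = {}                # client -> pinned server

    def pool(self):
        """Active servers that passed their last health check."""
        return [s for s in self.active if self.healthy[s]]

    def round_robin(self, client):
        """Hand each new session to the next healthy active server in turn."""
        pool = self.pool()
        server = pool[self.next_index % len(pool)]
        self.next_index += 1
        return server

    def sticky(self, client):
        """Session affinity: keep a client on the server it first landed on,
        re-pinning only if that server has failed."""
        server = self.affinity.get(client)
        if server is None or not self.healthy[server]:
            server = self.round_robin(client)
            self.affinity[client] = server
        return server

    def mark_down(self, server):
        """Health check failed: take the server out and promote a passive one."""
        self.healthy[server] = False
        for backup in self.passive:
            if self.healthy[backup]:
                self.passive.remove(backup)
                self.active.append(backup)
                break


def simulate():
    """Clients only ever address VIP; report which physical server served each."""
    servers = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    lb = LoadBalancer(active=servers, passive=["10.0.0.14"])
    rr = [lb.round_robin(c) for c in ["user1", "user2", "user3", "user4"]]

    lb = LoadBalancer(active=servers, passive=["10.0.0.14"])
    before = [lb.sticky(c) for c in ["user1", "user2", "user1"]]
    lb.mark_down("10.0.0.11")             # user1's server fails
    after = [lb.sticky(c) for c in ["user1", "user2"]]
    return {"vip": VIP, "round_robin": rr, "sticky_before": before,
            "sticky_after": after, "active_now": lb.active}


if __name__ == "__main__":
    print(simulate())
```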
Wireless Access Points
SSID
MAC Filtering
Signal strength
Antenna Types & Placement
Fat vs Thin
Controller-based vs standalone
Access Point
• A wireless access point (WAP or AP) is a device that allows wireless devices to connect to a wired network.
• Although several WAPs can share the same SSID, individual WAPs can be identified by their BSSID (Basic Service Set Identifier), which is basically the MAC address of the WAP.
• The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point.
• Decrease the power levels on your WAP to limit the wireless signal range.
SSID
• SSIDs (Service Set Identifiers) are names used to identify the particular 802.11 wireless LAN(s) to which a user wants to connect.
• The security risk of broadcasting your wireless network SSID is that anyone can see it, and if you are not using a strong enough encryption type, an attacker can find the encryption key and connect to your network.
• You should disable the SSID broadcasting, or the beacon, if you do not want your wireless network to automatically be discoverable.
MAC Filtering
• MAC filtering is the wireless version of port security and controls access to the network based on the wireless NIC's MAC address.
• To allow only certain wireless clients on your network, you should enable and configure MAC filtering.
• Enable MAC filtering to mitigate an issue where multiple unknown devices are connected to your WLAN.
Antenna – Omni-directional
• An omni-directional antenna, or vertical, is an antenna system which radiates power uniformly in one plane with a directive pattern shape in a perpendicular plane. This pattern is often described as "donut shaped".
• Two situations where an omni-directional antenna would be best used:
• To connect hosts to a WAP.
• To enable roaming access for laptop users.
Omni-directional antenna placement
• Keep in mind the placement of your antennae when considering the security of your wireless network.
• An antenna placed too close to the edge of the area you desire to provide wireless access to could allow an attacker to reach your network from outside the intended area.
• For example, if an antenna was placed on the edge of my building, an attacker would be able to pick up the signal in the parking lot.
Antenna – Yagi
• A Yagi antenna is a directional antenna system consisting of an array of a dipole and additional closely coupled parasitic elements.
• Can be used to create a wireless bridge.
Fat vs Thin WAPs
• A fat wireless access point is an intelligent WAP that has all of the features and software needed to manage your wireless clients. For example, it can enable and set up MAC filtering and enable or disable SSID broadcasting.
• A thin wireless access point is basically just the hardware. It can push on the configuration that was put in place elsewhere, but nothing is changed on the device itself.
• Easier to implement, so can save money and time.
Security Information and Event Management (SIEM)
Aggregation
Correlation
Automated alerting
Time sync
Event Deduplication
Aggregation & Correlation
• SIEM systems can aggregate data from many different systems, allowing all information to be consolidated and providing easier monitoring.
• SIEM systems can also provide correlation, detecting common attributes and bundling like data together, further increasing the ease of monitoring that data.
Automated Alerts and Triggering
• SIEM systems can be set up to provide alerts automatically to identify critical and immediate issues.
• Certain triggers can be set up to catch certain events, which will then send an alert to an admin, which allows faster reaction to certain events.
• Could optionally set up something along the lines of email alerts for certain triggers.
Time-sync and event deduplication
• SIEM systems can also synchronize the time of events across many servers, making them easily readable.
• Without synchronization, it would be difficult to pinpoint when different events happened on different systems, relative to each other.
• A SIEM system can also remove redundant events for easy readability. Instead of having possibly hundreds of logs, only one is kept while noting the number of occurrences.
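The SIEM functions above (aggregation, time sync, deduplication and correlation with an alert) as an added example, not code from the course slides, run over constructed log lines from two hosts that use different formats and whose clocks disagree by five minutes; the same correlation also covers the brute-force indicator (many failed log-ins) raised later under Authentication Issues. Host names, offsets and the threshold are assumptions.

```python
"""A miniature SIEM pipeline: aggregate logs from several hosts, correct
their clock skew (time sync), deduplicate repeats and correlate failed
logins across hosts into one alert.

Added example, not code from the course slides. The log lines, host names,
clock offsets and the alert threshold are all constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed raw logs: each host writes its own format, stamped by its own clock.
RAW_LOGS = {
    "web01": [
        "2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.9",
        "2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.9",
        "2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.9",
        "2024-03-01T10:00:09 sshd: Accepted password for alice from 10.0.0.5",
    ],
    "db01": [
        "Mar  1 10:05:12 auth: FAILED login user=admin src=203.0.113.9",
        "Mar  1 10:05:13 auth: FAILED login user=admin src=203.0.113.9",
        "Mar  1 10:05:13 auth: FAILED login user=admin src=203.0.113.9",
    ],
}
# Seconds to add to each host's clock to reach reference (NTP) time:
# db01's clock runs five minutes fast.
CLOCK_OFFSET = {"web01": 0, "db01": -300}

WEB_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
DB_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) auth: (FAILED|OK) login user=(\S+) src=(\S+)$")


def parse_line(host, line):
    """Normalise one raw line into a common event schema (None if unrecognised)."""
    m = WEB_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(1))
        outcome = "failed" if m.group(2) == "Failed" else "success"
    else:
        m = DB_RE.match(line)
        if not m:
            return None
        # syslog-style stamps carry no year; the capture year is assumed.
        ts = datetime.strptime("2024 " + " ".join(m.group(1).split()),
                               "%Y %b %d %H:%M:%S")
        outcome = "failed" if m.group(2) == "FAILED" else "success"
    return {"ts": ts, "host": host, "outcome": outcome,
            "user": m.group(3), "src": m.group(4)}


def aggregate(raw_logs, offsets, sync=True):
    """Aggregation plus time sync: every host's events on one reference clock."""
    events = []
    for host, lines in raw_logs.items():
        for line in lines:
            event = parse_line(host, line)
            if event is None:
                continue
            if sync:
                event["ts"] += timedelta(seconds=offsets[host])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def deduplicate(events):
    """Collapse identical events into one copy carrying an occurrence count."""
    fields = ("ts", "host", "outcome", "user", "src")
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in sorted(counts.items())]


def correlate_failed_logins(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source reaches `threshold` failures, on any hosts, inside
    `window`; deduplicated occurrence counts are honoured."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            by_src[e["src"]].extend([e] * e.get("count", 1))
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"src": src, "failures": j - i,
                               "hosts": sorted({e["host"] for e in fails[i:j]})})
                break
    return alerts


def run():
    """Run the pipeline with and without time sync to show why it matters."""
    synced = deduplicate(aggregate(RAW_LOGS, CLOCK_OFFSET))
    unsynced = deduplicate(aggregate(RAW_LOGS, CLOCK_OFFSET, sync=False))
    return {"raw_events": sum(len(v) for v in RAW_LOGS.values()),
            "unique_events": len(synced),
            "alerts_synced": correlate_failed_logins(synced),
            "alerts_unsynced": correlate_failed_logins(unsynced)}
```

With the clocks corrected, the six failures from one source land inside a single minute across both hosts and trigger the alert; without correction the same events sit five minutes apart and no window ever reaches the threshold.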
DLP
USB Blocking
Cloud-based
Data Loss Prevention (DLP)
• Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect:
• Data in use (e.g. endpoint actions)
• Data in motion (e.g. network actions)
• Data at rest (e.g. data storage)
• These systems use deep content inspection, contextual security analysis of transactions, and a centralized management framework.
• A network-based DLP is a software or hardware solution that is installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies.
USB Blocking
• Preventing the use of removable media can be a simple way to prevent the loss of data for an organization.
• USB ports are commonly found on most modern computers, and USB drives are easily acquirable, so preventing their use will block somebody from taking data from a company laptop.
Email-based DLP
• Email-based DLP is essential for any company concerned with their employees sending confidential or sensitive information outside of their network.
• Most if not all companies utilize email in their day-to-day business practices.
• Email-based DLP should scan an outgoing email for sensitive information, like PII, and block it from leaving the work network.
• Can at least enforce digital signing to provide non-repudiation for the compromising email.
• An email gateway can provide email-based DLP.
Email Gateway
• An email gateway monitors emails being sent into a network and being sent outbound from that network.
• Inbound can prevent spam, which will help weed out malware before it enters the network.
• Outbound can provide DLP, preventing the loss of sensitive data like PII.
• Email gateways can also provide encryption for email services.
Cloud-based DLP
• With more and more information moving onto the cloud, it is becoming increasingly important to protect data stored on the cloud.
• Cloud-based DLP is a DLP solution that prevents sensitive data from leaving the cloud-based storage of an organization.
• Personally Identifiable Information (PII) is a focus here.
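An added example (not code from the course slides) of the outgoing-mail content inspection an email-based DLP performs: it looks for SSN and payment-card patterns, applies the Luhn check so ordinary digit runs are not mistaken for card numbers, and blocks only mail addressed outside an assumed internal domain; the messages, the domain and the policy are constructed assumptions.

```python
"""Outbound email inspection of the kind an email-based DLP performs:
find likely PII (US SSNs, payment card numbers that pass the Luhn check)
and decide whether the message may leave the network.

Added example, not code from the course slides. The messages, the internal
domain and the policy (block external delivery when PII is found) are
constructed assumptions.
"""
import re

INTERNAL_DOMAIN = "example.com"      # assumed: mail staying here never leaves

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(number):
    """Luhn checksum: weeds out long digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Never log the PII itself; keep the last four digits for triage."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text):
    """Return (kind, masked value) for each likely SSN or card number."""
    findings = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("card", mask(m.group())))
    return findings


def inspect(message):
    """Policy decision for one outbound message {"to": [...], "body": str}."""
    findings = find_pii(message["body"])
    leaves_network = any(not addr.lower().endswith("@" + INTERNAL_DOMAIN)
                         for addr in message["to"])
    if findings and leaves_network:
        return {"verdict": "block", "findings": findings}
    return {"verdict": "allow", "findings": findings}


# Constructed outbound messages.
MESSAGES = [
    {"to": ["hr@example.com"], "body": "New hire SSN is 123-45-6789."},
    {"to": ["partner@example.net"], "body": "Bill card 4111 1111 1111 1111 for it."},
    {"to": ["partner@example.net"], "body": "Tracking number 1234567812345678 shipped."},
    {"to": ["alice@example.com", "x@example.org"], "body": "SSN 123-45-6789 attached."},
]


def run_policy():
    """Inspect every constructed message and return the decisions."""
    return [inspect(m) for m in MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(MESSAGES, run_policy()):
        print(msg["to"], result)
```

The tracking number in the third message has the right length for a card but fails the Luhn check, so it is not reported; the first message carries an SSN but stays inside the domain, so under this policy it is allowed and only logged.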
NAC
Dissolvable vs permanent
Host Health Checks
Agent vs Agentless
NAC (Network Access Control)
• NAC refers to whatever system you have in place for controlling access to the network.
• Can be as simple as clicking a box to “agree to the terms and conditions” of network usage.
• Can be as complex as having your machine scanned for viruses, patches, updates, firewalls, etc. before it's allowed to connect.
• Port security and 802.1x are examples of NAC.
Host Health Checks
• One simple form of NAC can be a simple scan of a computer connecting to a network. The scan can be checking for a number of important things:
• Up-to-date Operating System.
• Updated and recently scanned anti-virus software.
• Certain software being present or absent from a machine, based on a company's application policy.
• That certain system configurations match the network's expectations.
Agent vs. Agentless
• NAC that requires a software agent on the system allows your NAC solution to keep tabs on the system using that software.
• Agentless NAC does not require software on the end system and is reliant on a remote scan of the system.
Dissolvable vs. Permanent NAC
• Permanent NAC requires agent software installed on the device.
• Dissolvable NAC only provides one-time authentication to the network, and is then deleted.
• Can provide greater flexibility.
Hardware Encryption
HSM
TPM
Trusted Platform Module
• The Trusted Platform Module (TPM) is a chip on a computer's (or tablet's) motherboard that can generate and store encryption keys for various purposes.
• TPM can also perform encryption duties instead of relying on software to do the encryption.
• For example, Microsoft's BitLocker uses TPM to encrypt the contents of the hard disk.
Hardware Security Module
• If your system does not come with a TPM, you can add a HSM (Hardware Security Module) instead. It's similar to a TPM, but it is in the form of a plug-in card or external security device that can be attached to a server.
• A HSM can be added to servers that do a large amount of encryption, such as VPN servers or Certificate Authorities.
• Hardware encryption is always faster than software encryption!
• Both TPM and HSM provide storage for RSA or asymmetric keys and can assist in authentication.
Security Assessment
CompTIA Security+
Protocol Analyzer
• A protocol analyzer is used for monitoring and analyzing data traffic on the network.
• Can be used for logging, sniffing and interception, analyzing and network monitoring, and troubleshooting.
• Can pick up any type of traffic: ICMP, DNS, DHCP, POP3, and SMTP to name a few.
• It can be used to determine what flags are set in a TCP/IP handshake.
• An example of a protocol analyzer is Wireshark.
Port Scanners
• Port scanning is used to remotely find open ports, listening services, and even the fingerprint/footprint of an operating system.
• Banner grabbing is when you use a port scanner (for example), and based on the banner information (the reply) that is returned, you can often tell which OS the reply is coming from.
• Nmap is a program that can be used to perform a port scan.
• A firewall can mitigate a port scan.
Port Scanners
• A port scanner can be used to determine what services are running on a server without logging into the server.
• Port scanners usually work by sending different TCP flag combinations to a target and then analyzing the response.
• If you need to discover unnecessary services on your corporate LAN, start the discovery with a port scanner.
Network Scanner
• A network scanner can be utilized to scan your network for vulnerabilities.
• Rogue system detection: a scanner can detect an unauthorized device on the network, allowing an admin to address the situation.
• Network mapping: a scanner can be used to detect all devices connected to a network, allowing a logical network map to be built, outlining the connections on the network.
Wireless Scanner/Cracker
• Wireless networks have a unique vulnerability in the fact that they cannot be physically constrained to a certain location or medium.
• A wireless scanner is a device that can simply scan for a wireless network and record details of that network. Some scanners go a step further and automatically attempt to crack the encryption on weaker wireless networks.
• Frequently used in wardriving.
Password Cracker
• A password cracker is a piece of software designed to perform a brute force attack on a system's password. This is hoping to take advantage of one of a few weaknesses:
• Captured password hashes which can be attacked.
• Weak passwords that are simple, and thus can be cracked quickly.
• Having a secure password policy will protect an organization from a password cracker.
Vulnerability Scanners
• A vulnerability scanner is a computer program designed to search for and map systems for weaknesses in an application, computer, or network.
• These utilities are the least intrusive and check the environment for known software flaws.
• Scheduling vulnerability scans is a management control type.
Data Sanitization
• Sanitization is the process of removing sensitive information from a document or other medium so that it may be distributed to a broader audience.
• Degaussing is the act of magnetically erasing all data on a disk so it may be reused.
• Before sending drives away to be destroyed, first encrypt the entire disk, then wipe/sanitize it.
Steganography Tools
• A steganography tool is used to hide data inside of another file, such as a graphic file or video file.
• It makes subtle modifications to the file that is carrying the hidden information, attempting to make the new file indistinguishable from the original.
• Might be used by a photographer to hide a watermark in a photo.
Honeypot and Honeynet
• A honeypot is a trap set to attract, detect, observe, deflect, or in some manner counteract attempts at unauthorized use of information systems.
• Two or more honeypots on a network form a honeynet.
• Use a honeypot/net to protect your company while also researching attack methods being used against your company.
• Honeypots and honeynets would be located in the DMZ.
Command Line Tools
Ping
Tracert
Nslookup/dig
Arp
Ipconfig/ifconfig
nmap
PING
• The PING command is a great utility that can let you know if you are able to communicate with another network device.
• However, just because you are unable to PING a device does not always mean you cannot communicate with said device. The device might have a firewall enabled that is configured to not respond to ICMP (which is PING) requests.
• Example: ping www.yahoo.com or ping 67.195.160.76
PING Switches
• Switches:
• -t – Ping the specified host until stopped.
• -a – Resolve addresses to hostnames.
• -n count – Number of echo requests to send.
• -l size – Send buffer size.
• -f – Set Don't Fragment flag in packet (IPv4-only).
• -i TTL – Time To Live.
• -v TOS – Type of Service (IPv4-only).
• -r count – Record route for count hops (IPv4-only).
• -s count – Timestamp for count hops (IPv4-only).
• -j host-list – Loose source route along host-list (IPv4-only).
• -k host-list – Strict source route along host-list (IPv4-only).
• -w timeout – Timeout in milliseconds to wait for each reply.
• -R – Use routing header to test reverse route also (IPv6-only).
• -S srcaddr – Source address to use.
• -4 – Force using IPv4.
• -6 – Force using IPv6.
TRACERT
• TRACERT shows the route that an IP packet takes to get from the source to the destination.
• Example: tracert www.yahoo.com or tracert 67.195.160.76
IPCONFIG/IFCONFIG
• IPCONFIG gives you information about your current network connections, such as:
• IP Address
• Subnet Mask
• Default Gateway
• DNS
• MAC Address
• IFCONFIG is used on Unix/Linux machines, but does the same as IPCONFIG.
• Example: ipconfig /all
IPCONFIG Switches
• Some IPCONFIG switches:
• /all – Produces a detailed configuration report for all interfaces.
• /flushdns – Removes all entries from the DNS name cache.
• /displaydns – Displays the contents of the DNS resolver cache.
• /release <adapter> – Releases the IP address for a specified interface.
• /renew <adapter> – Renews the IP address for a specified interface.
• /? – Displays this list.
ARP
• ARP (Address Resolution Protocol) is used to find a device's MAC address when only its IP address is known.
• A host wishing to obtain another's MAC address broadcasts an ARP request onto the network. The host on the network that has the IP address in the request then replies with its MAC address.
• ARP is an insecure protocol, as an attacker could “poison” your ARP table and give you bad information, convincing you that he is the Default Gateway. He would then be set up as a Man-In-The-Middle and could “sniff” your traffic.
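An added example (not code from the course slides) of a defensive ARP monitor that watches replies for the poisoning pattern described above: the gateway IP answering from an unexpected MAC, an IP flip-flopping between MACs, and one MAC claiming several IPs at once; the capture and the trusted gateway entry are constructed.

```python
"""Passive ARP monitoring for signs of cache poisoning: a trusted gateway
answering from an unexpected MAC, an IP whose MAC keeps changing, and one
MAC claiming several IPs at once.

Added example, not code from the course slides; the captured replies and
the trusted gateway entry are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float      # seconds since capture start
    ip: str       # sender protocol address ("I am this IP ...")
    mac: str      # sender hardware address ("... at this MAC")


class ArpWatch:
    def __init__(self, trusted, flip_window=30.0):
        self.trusted = dict(trusted)      # static entries that must not change
        self.flip_window = flip_window    # seconds; rapid changes look like a fight
        self.table = {}                   # ip -> mac last seen
        self.last_change = {}             # ip -> time of last mac change
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def _alert(self, kind, reply):
        self.alerts.append((reply.t, kind, reply.ip, reply.mac))

    def observe(self, reply):
        """Feed one ARP reply; raise alerts for each suspicious pattern."""
        if reply.ip in self.trusted and reply.mac != self.trusted[reply.ip]:
            self._alert("trusted-mismatch", reply)
        previous = self.table.get(reply.ip)
        if previous is not None and previous != reply.mac:
            self._alert("mac-changed", reply)
            last = self.last_change.get(reply.ip)
            if last is not None and reply.t - last <= self.flip_window:
                self._alert("flip-flop", reply)    # real host and spoofer alternating
            self.last_change[reply.ip] = reply.t
        self.table[reply.ip] = reply.mac
        self.mac_to_ips[reply.mac].add(reply.ip)
        if len(self.mac_to_ips[reply.mac]) > 1:
            self._alert("mac-claims-multiple-ips", reply)

    def alert_kinds(self):
        return Counter(kind for _, kind, _, _ in self.alerts)


# Constructed capture: the real gateway at .1 and a workstation at .5, then a
# third station starts answering for both of them, and the gateway answers back.
CAPTURE = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    ArpReply(10.0, "10.0.0.1", "de:ad:be:ef:00:01"),
    ArpReply(12.0, "10.0.0.5", "de:ad:be:ef:00:01"),
    ArpReply(15.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
]


def run_capture():
    """Replay CAPTURE through a watcher that trusts the gateway's real MAC."""
    watch = ArpWatch(trusted={"10.0.0.1": "aa:aa:aa:aa:aa:01"})
    for reply in CAPTURE:
        watch.observe(reply)
    return watch


if __name__ == "__main__":
    for alert in run_capture().alerts:
        print(alert)
```

A static (trusted) entry for the default gateway is what turns the first spoofed reply into an immediate alert; the other checks catch poisoning of hosts the monitor has no static entry for.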
Troubleshooting Issues
CompTIA Security+
Unencrypted credentials/cleartext
• Cleartext refers to plainly readable information, which allows anybody who can access that information to read it.
• No sensitive data should be left unencrypted, or it will be at risk of being stolen.
• PII is especially at risk here.
• Penetration testing and vulnerability scans can be utilized in order to test if something lacks or has weak encryption.
Permission Issues
• A user without the proper permissions will be unable to do their job, and will require their permissions re-reviewed in order to gain proper permissions.
• A user with more permissions than intended can gain access to systems or software they should not have access to, potentially compromising a system.
• Privilege escalation is when a user exploits a known bug or vulnerability to increase their own access.
• Continual privilege review can prevent this.
Access Violations
• A user might access networked resources if improper permissions are set or if no NAC is implemented.
• Physical access can be an issue if an employee can freely access restricted areas with ease.
• Network access can be determined by performing account reviews and with penetration testing.
• Physical access can be detected with some form of detective control like CCTV.
Data Exfiltration
• A user able to exfiltrate data from a system is dangerous due to the myriad of sensitive data that can be stored on a system.
• USB drives can easily pull data from a computer.
• Bluetooth can pull data wirelessly.
• Data can be sent out of the network using email.
• Confirming proper group policies are set, and making sure USB/Bluetooth access is restricted, can prevent exfiltration. DLP can prevent many forms of exfiltration, including information sent over email.
Misconfigured devices
• A misconfigured device can cause a wide range of problems, from unwanted access to causing a denial of service.
• Configurations should be reviewed by an admin in order to prevent misconfigurations from going unnoticed.
• A vulnerability scanner can detect common misconfigurations of many types of devices on a network.
Weak Security Configurations
• Utilizing technologies like WPA2 instead of WEP can provide a more secure network.
• Preventing password reuse or short passwords is also critical in securing a system.
• Running a vulnerability scanner can detect certain weak configurations, while a tool such as a password cracker can be used on your master password file to see if anything is easily broken.
Personnel Issues
• Policy violations can be reported by other employees or detected by security guards.
• CCTV can detect policy violations occurring.
• User education can prevent accidental policy violations.
• Insider threats are always a concern today, as an employee already has access to the systems they are trying to compromise.
• Separation of duties, job rotation, and mandatory vacations can help deter and detect insider threats.
Personnel Issues: Social Engineering
• Social engineering is the act of obtaining or attempting to obtain otherwise secure data by using deception and trickery.
• Social engineering is an attack that cannot be prevented or deterred solely through using technical measures.
• The only way to prevent social engineering attacks is to train your users.
• Actively attempting to social engineer your users can tell you how many fall for the attacks.
Personnel Issues: Social Media
• Social media is dangerous in regards to confidential information. Information can leave the corporate network and be broadcast to hundreds or thousands of people.
• Disabling access to social networking sites while on the company network can help mitigate this issue.
• Keeping track of employees' social media accounts is the only way to truly monitor what information is being spread.
• Can be an invasion of privacy.
Personnel Issues: Personal Email
• An employee's personal email can be easily compromised, as it is controlled by a third-party organization.
• Not necessarily encrypted.
• No DLP built into the system.
• Can email anybody freely.
• Preventing access is recommended, as employees could easily use a 3rd party email to bypass some security controls.
Unauthorized Software
• Unauthorized software can compromise a system in many ways, including:
• An unknown potential entry point into a system.
• A potential source of malware.
• Just an unknown and untested possible instability.
• Application white/blacklisting can prevent unauthorized programs from being run and installed. Permission reviews can detect if a user has the rights to install software.
• A vulnerability scan could pick up this unauthorized software.
Baseline deviation
• A baseline is a set of known good or accepted configurations.
• Deviating from this known good can cause instabilities or create vulnerabilities in a system.
• An IDS or IPS can detect deviations from the baseline, potentially notifying an admin of any issues.
• A behavior-based IDS/IPS is designed this way.
Proper Licensing
• Make sure you and your employees are using legitimate software and have proper licensing for that software. Consider which license you want when, for example, buying:
• Microsoft Office
• Operating Systems
• Personal License: A software license for an individual. Used on one or a few devices. For one user.
• Enterprise License: A software license for a corporation. Used on a large number of networked devices. May require access to the company network to authenticate.
Asset Management
• Physical assets are important to keep track of for an organization, to prevent something from being lost or stolen.
• Implementing RFID tags can detect when equipment leaves the building or a certain area of a building.
• Company cell phones can be actively tracked with GPS.
• Having an organized inventory management system is important to properly keep track of company assets.
Authentication Issues
• Prevent users' accounts from being compromised by continually monitoring logs, checking for brute force attacks.
• A large number of failed log-ins is an indicator of a brute force attack.
• Another issue could be a user failing to remember their password, locking themselves out of their own account.
• Having more lenient lockout policies could prevent this, as well as proper password policies.
• Forcing the user to contact an admin for account recovery can prevent this from being abused.
SecuringMobileDevices
CompTIASecurity+
ConnectionMethods
Cellular Wi-Fi SATCOM
Bluetooth NFC
Cellular
• Thecellularnetworkcanbeutilizedbysmartphonesinordertoconnectmobilityfromahugerangeoflocations.
• Limitedtoareaswithcellulartowers.
• Otherdevices,notjustphonescanaccessit:• USBdonglesforPCs• SomeTablets• Wi-FiHotspots
• Usuallyassociatedwithadataplan/datalimit.
Wi-Fi
• Mobile devices are also able to connect to the wireless network, lessening their dependence on the cellular network.
• Helps by saving data!
• Constantly searching for nearby Wi-Fi access points can drain a phone's battery faster.
• Unsecure wireless access points can pose a problem with mobile devices, much as they can for laptops and other computers.
SATCOM
• A service that provides data through the use of low Earth orbit satellites to users world-wide.
• Satellite requires line-of-sight.
• The delay involved in a digital satellite connection is called latency.
• Can provide connectivity to just about anywhere on earth; it just needs line of sight to the satellite.
• Generally a more expensive option for phone connectivity.
Bluetooth
• Bluetooth is an open wireless protocol for exchanging data over short distances (using short length radio waves) from fixed and mobile devices, creating personal area networks (PANs). Note that PANs are centered around a specific person.
• Used to connect two devices by the use of pairing.
• Can connect several devices, overcoming problems of synchronization.
• Bluetooth 1.0 and 2.0 have a wireless range of around 30 to 33 feet (or 10 meters).
NFC
• Mobile devices can be used for Near Field Communication, which can be used for communication with another device over a short distance.
• Is commonly used today for electronic purchasing: instead of using a credit card, your smartphone is used to pay.
• Can also be used for data transfers.
• Older smartphones may not have an NFC chip, and will not be able to utilize any NFC purchasing apps.
Mobile Device Management (MDM)
App/Content Management, Remote Wipe, Geolocation/Geofencing, Screen locks, Push Notifications, Passwords & PINs, Biometrics, Containerization, Full device encryption
App & Content Management
• It is important to select an operating system that supports the applications desired for business functionality.
• Some applications are simply incompatible with certain types of mobile operating systems.
• It can also be important to have proper access controls set on mobile devices to restrict access to certain content, and possibly prevent the installation of certain applications.
• 3rd party applications could compromise the security of a mobile device.
Remote Wipes
• The remote wipe feature on a smartphone is an excellent way to remove the data stored on the phone if said phone has been stolen or lost.
• Allows a company to protect their data on a potentially stolen phone.
GPS Tracking
• GPS tracking is the ability to track a cell phone by using the phone's built-in GPS radio.
• Geo-tagging is a feature where you can encode pictures with the GPS coordinates of the picture's location. Be careful with this feature as it can be a security risk both for the company and for home users!
• Location-based services is the feature in your smartphone that enables the GPS functionality for all of your apps. If you turn this off, then none of your apps can do geo-tagging, GPS tracking, etc.
Geofencing
• Geofencing can be utilized to either prevent the use of a mobile device outside of a certain area, or only allow the use of a mobile device outside a certain area.
• Preventing the use of mobile devices outside of a certain area can prevent an employee from leaving and transmitting data outside of a network the company has control over.
• Preventing use inside a certain area can keep a secure area secured, possibly preventing data from being exfiltrated.
Screen Lock
• Enforcing a screen lock on employee mobile devices can prevent the leakage of sensitive company information.
• A screen lock is a simple security feature on all modern smartphones that prevents access to the device without proper authentication.
• Passcode/PIN lock
• Pattern lock
• Biometric lock
Passcode Locks
• A passcode lock can be set so that when the phone has been turned on or woken up you must enter the passcode to unlock the phone. This is a great way to prevent someone other than the owner from getting to the data that is on the phone and using the phone.
• You must remember that when setting a passcode you need to use a mix of numbers. Don't use a passcode such as 1111, 2580, or 1337.
Pattern Locks
• A pattern lock can be used to secure a phone by requiring the user to enter a known pattern to gain access to the phone.
• Though a pattern lock can be a more convenient access method, it is less secure than a sufficiently long passcode lock.
Biometrics
• Biometrics are the authentication techniques that rely on measurable physical characteristics that can be automatically checked.
• This could include something along the lines of facial recognition or a fingerprint scanner.
Push Notifications
• Push notifications can be used for convenience for the company or user, giving faster access to some amount of information.
• A push notification can simply pop up on the locked screen of a phone, giving access instantly to certain information.
• Certain push notifications can give a small amount of information from a text or email, potentially revealing sensitive information.
Context-aware Authentication
• Context-aware authentication does not just check for a simple password, but also for the situation in which the password is being entered.
• For example, the password might work perfectly fine when on the company network, but be completely disabled when trying to connect to public Wi-Fi.
• Could also require stricter authentication in some locations, such as now needing a password and hardware token to access a device on public Wi-Fi.
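The geofencing and context-aware rules above, combined into one policy check as an added example that is not part of the original slides: the HQ coordinates, fence radius and the network names are hypothetical values, and the haversine distance is used for the fence test.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed values (hypothetical, not from the original slides): the office
# geofence centre and radius, and which factors each network context demands.
HQ_LAT, HQ_LON, HQ_RADIUS_M = 40.7128, -74.0060, 200.0

# On the corporate network a password is enough; on public Wi-Fi the stricter
# rule applies: password plus a hardware token. Unlisted networks are denied.
POLICY = {
    "corporate": frozenset({"password"}),
    "public_wifi": frozenset({"password", "hardware_token"}),
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def inside_geofence(lat, lon):
    """True when the device reports a position within the HQ geofence."""
    return haversine_m(HQ_LAT, HQ_LON, lat, lon) <= HQ_RADIUS_M


def required_factors(network, lat, lon, offsite_allowed=False):
    """Return the set of factors this context demands, or None to deny.

    A device geofenced to the office is denied outside the fence regardless of
    credentials; otherwise the network context selects the factor set.
    """
    if not offsite_allowed and not inside_geofence(lat, lon):
        return None
    return POLICY.get(network)


def authenticate(presented, network, lat, lon, offsite_allowed=False):
    """Context-aware decision: the same password gives different outcomes by context."""
    needed = required_factors(network, lat, lon, offsite_allowed)
    if needed is None:
        return False
    return needed <= set(presented)
```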
Device Containerization
• Whenever an employee is using a smartphone, the issue of data ownership needs to be addressed.
• Creating a "container" on the device can separate corporate information from personal information on a device.
• The secure container can be remotely wiped should the phone be compromised.
Full Device Encryption
• Device encryption is used to encrypt every bit of data that goes on a device. The data is then decrypted as it is read into memory.
• The term "full device encryption" is often used to signify that everything on a device is encrypted.
• Full device encryption would be best used on portable devices, as they can be easily stolen.
Enforcement & Monitoring
Third Party Apps, Rooting/Jailbreaking, Carrier Unlocking, Camera Use, External Media, GPS Tagging, Sideloading, Custom Firmware, Firmware OTA Updates, SMS/MMS, Tethering, Wi-Fi Direct/Ad hoc
Third Party App Stores
• Preventing access to third party application stores can prevent users from having access to applications on their phones that could compromise the device.
• Preventing unnecessary third party applications can also further prevent compromise from unknown factors caused by those applications.
Rooting/Jailbreaking
• Rooting/jailbreaking a phone is gaining root access to the operating system on the device.
• Root access is admin access.
• Scanning any networked devices to check if they have root access is important, because a user with complete control could change any number of configurations.
Sideloading
• Sideloading is the process of installing software while bypassing the use of any app store or official means of acquiring an application.
• Sideloading can be mitigated by preventing removable media and controlling which networks a mobile device is permitted to connect to.
Custom Firmware
• Custom firmware is a modified version of market firmware developed by a third party.
• Custom firmware is essentially a modified operating system that can be used to bypass certain security controls.
• Like sideloaded applications, preventing the use of removable media can mitigate the risk of a user loading custom firmware.
Carrier Unlocking
• A company smartphone being unlocked from a particular carrier can present a number of issues.
• Can breach some security controls on a smartphone.
• Can violate an agreement a company has with a carrier.
• Carrier unlocking can be prevented by restricting access to 3rd party applications and removable media.
OTA Updates
• Over the Air updates are updates that your phone receives over a wireless network, allowing attackers to potentially intercept and manipulate that data.
• Enforcing wireless encryption with a suitably strong algorithm can prevent exploitation of this technology.
• For example, using AES instead of DES.
Camera Use
• Preventing camera use on an employee smartphone can prevent them from taking pictures of sensitive information.
• Pictures of confidential documents.
• Pictures of secure locations.
• Geotagged pictures.
• Disabling the camera can further lock down the company phone.
SMS/MMS
• SMS would be a simple message, much like a text.
• MMS would be a multimedia message such as a picture or short video.
• Monitoring employee communications on a company smartphone can be paramount when trying to detect the leakage of sensitive data.
External Media
• Allowing external media on a company smartphone can present numerous issues for the security of a mobile device.
• Allows for the exfiltration of data.
• Allows sideloading of 3rd party applications.
• Gives an access point for potentially malicious software.
• Disabling removable media is a good idea for mobile devices.
USB OTG
• USB On The Go (OTG) allows other USB devices to connect to a smartphone, and pass information between the two devices.
• Has the same security issue as removable media.
• Allows for the connecting of peripheral devices, which can compromise the security of a smartphone.
• Like most removable media, it is best practice to disable it.
GPS Tagging
• GPS tagging (also known as geotagging) includes geographical information such as GPS coordinates in items like pictures and video.
• Can cause privacy issues for users.
• Geotagging can also reveal the GPS coordinates of secure locations.
• Ensure location-based services are disabled to prevent geotagging.
Wi-Fi Direct/Ad-hoc/Tethering
• Wi-Fi Direct or ad-hoc mode allows wireless devices to connect directly together without requiring a wireless network to work off of.
• This can cause the same issue as removable media, but wirelessly.
• Tethering is a physical connection between a smart device and a personal computer, for example. This would allow data exfiltration to occur.
Deployment Models
BYOD, COPE, CYOD, Corporate-owned
BYOD
• BYOD = Bring Your Own Device. If allowing employees to use their own mobile devices on the corporate network:
• Confine them to their own VLAN for security.
• BYOD allows an employee to bring their own personal phone and connect it to the business network to be used for business purposes.
• Employee maintains a large amount of control over the device.
COPE
• COPE = Company Owned, Personally Enabled. A company provides their employees with mobile devices for their employees to use as though they were the employee's device.
• Similar to BYOD, but at the end of the day, the company owns the device.
• Gives slightly more control than BYOD.
CYOD
• CYOD = Choose Your Own Device. With CYOD, employees get a choice from a limited number of devices that are ultimately selected by the company.
• Can limit users to particular operating systems.
• Company has more control over the device, and can limit it to strictly work activities.
Corporate Owned Mobile Devices
• A corporate owned mobile device is a mobile device that is owned, administered, and controlled by the company, but is then handed out to the employees of that company.
• Employees have little say in which device they acquire, if any at all.
• A company can regain complete control of the mobile device if needed.
Secure Protocols
Email Security Protocols
• Email communications can be encrypted and signed in order to guarantee secure communications.
• Emails can be encrypted to ensure confidentiality of the emails.
• Emails can be signed and hashed to ensure integrity.
• Secure email protocols:
• S/MIME
• Secure POP
• Secure IMAP
S/MIME
• The primary benefit of using S/MIME is that it allows users to send both encrypted and digitally signed emails.
• S/MIME allows a user to selectively encrypt email messages at rest.
Secure POP/IMAP
• POP or IMAP can be utilized to download email from an email server.
• POP downloads and deletes.
• IMAP keeps a copy on the server.
• Both POP and IMAP can be secured by SSL or TLS, to allow this communication to be encrypted.
• Causes POP to run over port 995 instead of 110.
• Causes IMAP to run over port 993 instead of 143.
Secure Web Protocols
• Browsing the internet can also be secured by encrypting traffic between the web client and server.
• Useful when purchasing online.
• Useful when accessing online bank accounts.
• Useful for any other sensitive internet traffic.
• The primary protocol to use to secure web traffic is HTTPS.
• Secured with SSL/TLS.
HTTPS
• HTTPS stands for Hypertext Transfer Protocol Secure and is used to transmit data to and from a web browser and a web server securely.
• HTTPS uses SSL or TLS for its encryption.
• HTTPS uses TCP port 443.
SSL
• Secure Socket Layer (SSL) uses port 443 and is an asymmetric protocol.
• SSL uses both public keys and private keys to secure websites.
• The session key in an SSL connection is symmetric.
• SSL session keys are encrypted using an asymmetric algorithm.
• If you are using SSL to secure a web or VPN server, make sure that port 443 inbound on your firewall is open.
TLS
• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.
• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.
• TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.
• TLS is used for encryption between email servers.
• TLS can encrypt the protocols LDAP, HTTP, and SMTP.
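The client-side name comparison that the TLS bullet above relies on, as an added example that is not from the original slides: a stand-alone re-implementation of the certificate hostname matching rules, run against a constructed certificate in the dict layout that Python's ssl getpeercert() returns.

```python
def _labels(name):
    """Lower-case labels of a DNS name with any trailing dot removed."""
    return name.rstrip(".").lower().split(".")


def hostname_matches(cert_dns_names, hostname):
    """True if `hostname` matches one of the certificate's dNSName entries.

    Rules (a subset of RFC 6125, as browsers apply them):
    - case-insensitive, label-by-label comparison
    - '*' is accepted only as the whole leftmost label and matches exactly one
      label, so '*.api.example.com' covers 'v1.api.example.com' but not
      'a.b.api.example.com' or 'api.example.com'
    - a wildcard needs at least two further labels ('*.com' is refused)
    """
    host = _labels(hostname)
    for name in cert_dns_names:
        pat = _labels(name)
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif "*" not in name and pat == host:
            return True
    return False


def verify_server_identity(cert, hostname):
    """The check the slides describe: the name the client connected to must be
    covered by the certificate's subjectAltName, so a valid certificate for some
    other site (as a man-in-the-middle could present) is rejected.
    `cert` uses the dict layout of ssl.SSLSocket.getpeercert(). Returns (ok, reason)."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not san:
        return False, "certificate carries no DNS subjectAltName"
    if hostname_matches(san, hostname):
        return True, "hostname matches certificate"
    return False, f"{hostname!r} not covered by {san}"


# Constructed certificate in getpeercert() layout (not a real certificate).
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
```

In real client code Python's ssl.create_default_context() performs this comparison itself (check_hostname is True by default); a client that sets check_hostname to False is the weak configuration to look for.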
File Transfer
• Transferring files between systems can and should be encrypted from end to end to prevent snooping of the data in transit.
• Unencrypted file transfers can be captured and possibly modified by a malicious attacker.
• Examples of secure file transfer protocols include:
• FTPS
• SFTP
SFTP
• SSH can be used to secure FTP communications. This is called SFTP or Secure File Transfer Protocol.
• SFTP uses TCP port 22 because it utilizes SSH to encrypt the traffic.
• Is not compatible with the original FTP.
• SFTP only requires one channel to use.
FTPS
• SSL or TLS can be used to secure FTP communications as well; this is called FTPS.
• Is built on the same framework as most internet communications.
• Is split into two connections like FTP, making it hard to use with firewalls.
• Control channel
• Data channel
Directory Services
• A directory is a collection of usernames, passwords, emails, or possibly many other things.
• Think of how a phone book is a list of names and phone numbers.
• An example of a directory service could be Active Directory, Microsoft's directory service.
• LDAP is used to add, delete, search, and modify directory entries.
LDAPS
• Before any LDAP messages can be transferred, LDAPS requires the client to establish a secure TLS session, providing encryption.
• If the TLS connection is closed, the LDAPS session closes as well, preventing connection without encryption.
• Runs over port 636.
Remote Access
• After initial configuration, devices can be remotely configured and administered over the network, allowing the admin to change and test configurations remotely.
• Otherwise physical access would be the only option.
• Two protocols that could allow this remote access:
• Telnet (unsecure)
• SSH (secure)
SSH
• Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices such as an administrator computer and a router.
• SSH was designed as a replacement for Telnet and other insecure remote shells which send information (notably passwords) in plaintext, leaving them open for interception.
• SSH is most commonly used to remotely administer a Unix/Linux system and uses TCP port 22.
SNMP
• SNMP (Simple Network Management Protocol) is used in network management systems to monitor devices for conditions that warrant administrative attention.
• Runs on port 161.
• Allows an administrator to set device traps.
• Used to find equipment status and modify configuration and settings on network devices.
• SNMP can be used to gather reconnaissance information from a printer.
• SNMPv3 is the most secure.
Domain Name System
• A DNS server (Domain Name System) converts a FQDN (Fully Qualified Domain Name) (ex: www.yahoo.com) into the IP address your computer needs to access the remote device. BIND is the de-facto standard DNS software.
• A DNS zone transfer is when two DNS servers synchronize their databases. This uses TCP port 53.
• DNS information could potentially be forged, or a malicious DNS server could try to perform a zone transfer with a legitimate one, poisoning it.
DNSSEC
• DNSSEC is a suite of specifications for securing info provided by DNS (especially authentication of the data therein, stopping the zone-transfer poisoning described above).
• Prevents the use of forged DNS information.
• Has all DNS responses be digitally signed.