Security Training at CCSF
Last revised 8-22-13

A.S. Degree

CNIT 120: Network Security

Fundamentals of Network Security
Preparation for Security+ Certification
Essential for any Information Technology professional

CNIT 40: DNS Security

Configure and defend DNS infrastructure

CNIT 121: Computer Forensics

Analyze computers for evidence of crimes
Recover lost data

CNIT 122: Firewalls

Defend networks

Two Hacking Classes

Perform real cyberattacks and block them
CNIT 123: Ethical Hacking and Network Defense
CNIT 124: Advanced Ethical Hacking

Supplemental Materials

Projects from recent research
Students get extra credit by attending conferences

Certified Ethical Hacker

CNIT 123 and 124 help prepare students for CEH Certification

CNIT 125: Information Security Professional

CISSP – the most respected certificate in information security

CNIT 126: Practical Malware Analysis

Incident response after intrusion

Ch 1: Mastering the Basics of Security

CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide
Darril Gibson

Exploring Core Security Principles

The CIA of Security

Confidentiality
Integrity
Availability

Confidentiality

Prevents unauthorized disclosure of data
Ensures that data is only viewable by authorized users
Some methods
– Authentication combined with Access controls
– Cryptography

Integrity

Assures that data has not been modified, tampered with, or corrupted
Only authorized users should modify data
Hashing assures integrity
– Hash types: MD5, SHA, HMAC
– If data changes, the hash value changes

Hash Value for Download
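The integrity check behind a published download hash, as an added example (not part of the slides): compute the digest of the file bytes, compare it against the vendor's posted value, and show that a one-character change flips the result. The sample file contents and the HMAC key are constructed for the demo. The HMAC part illustrates the distinction the slide's hash list hints at: a plain hash only tells you the bytes match the posted value, while an HMAC can only be produced by someone holding the key, so it also ties the data to an origin.

```python
import hashlib
import hmac

# Constructed sample "download"; in practice this is the file read from disk.
DOWNLOAD = b"installer-v1.0 binary contents (constructed sample)\n"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data with any hashlib algorithm (md5, sha1, sha256, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """True when the data hashes to the value the publisher posted."""
    actual = digest(data, algorithm)
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(actual, published_hex.lower())


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data: integrity plus origin, since the tag needs the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_tag(data: bytes, key: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag_hex)


if __name__ == "__main__":
    published = digest(DOWNLOAD)
    print("SHA-256 posted by vendor:", published)
    print("intact file verifies:   ", verify_download(DOWNLOAD, published))
    tampered = DOWNLOAD.replace(b"v1.0", b"v1.O")  # single-character change
    print("tampered file verifies: ", verify_download(tampered, published))
    # Anyone who can alter the file and the web page can recompute a plain hash;
    # an HMAC cannot be recomputed without the key (constructed demo key below).
    key = b"constructed-demo-key"
    tag = keyed_tag(DOWNLOAD, key)
    print("HMAC ok with right key: ", verify_keyed_tag(DOWNLOAD, key, tag))
    print("HMAC ok with wrong key: ", verify_keyed_tag(DOWNLOAD, b"other-key", tag))
```

The practical caveat: a hash published on the same server as the download only protects against corruption in transit, not against an attacker who controls that server. Signed hashes or HMACs over a separately distributed key close that gap.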

Availability

Data and services are available when needed
Techniques:
– Disk redundancies (RAID)
– Server redundancies (clusters)
– Site redundancies
– Backups
– Alternate power
– Cooling systems

Balancing CIA

You can never have perfect security
Increasing one item lowers others
Increasing confidentiality generally lowers availability
– Example: long, complex passwords that are easily forgotten

Non-Repudiation

Prevents entities from denying that they took an action
Examples: signing a home loan, making a credit card purchase
Techniques
– Digital signatures
– Audit logs

Defense in Depth

Layers of protection
Example
– Firewall
– Antivirus
– Deep Freeze

Implicit Deny

Anything not explicitly allowed is denied
Common Access Control Lists for
– Firewalls
– Routers
– Microsoft file and folder permissions
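A small access-control-list evaluator, added here as an example rather than taken from the slides, shows where the implicit deny actually lives: rules are checked in order and the first match decides, but a packet that matches nothing falls through to a deny that no rule had to spell out. The rule set, addresses and ports are constructed; the structure (first match wins, default deny) is how firewall and router ACLs behave.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR such as "10.10.0.0/24", or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins. The final return is the implicit deny: it applies
    to every packet the rule list says nothing about."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


# Constructed rule set for a DMZ web server: HTTPS from anywhere,
# SSH only from the administrators' subnet. Nothing else is mentioned.
DMZ_ACL = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "10.10.0.0/24", "203.0.113.10/32", 22),
]

if __name__ == "__main__":
    packets = [
        ("tcp", "198.51.100.7", "203.0.113.10", 443),  # public HTTPS client
        ("tcp", "10.10.0.5", "203.0.113.10", 22),      # admin SSH
        ("tcp", "198.51.100.7", "203.0.113.10", 22),   # SSH from the Internet
        ("udp", "198.51.100.7", "203.0.113.10", 443),  # wrong protocol
        ("tcp", "198.51.100.7", "203.0.113.11", 443),  # a host no rule covers
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(DMZ_ACL, *pkt))
```

Operationally, many teams still append an explicit "deny any any" as the last rule even though it changes nothing about what is dropped: the explicit rule is the one that can be given a hit counter and a log action, so the traffic the implicit deny would silently discard becomes visible.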

Introducing Basic Risk Concepts

Risk

Risk
– The likelihood of a threat exploiting a vulnerability, resulting in a loss
Threat
– Circumstance or event that has the potential to compromise confidentiality, integrity, or availability
– Insider threat
Vulnerability
– A weakness

Risk Mitigation

Reduces chance that a threat will exploit a vulnerability
Done by implementing controls (also called countermeasures and safeguards)
Even if a threat can't be prevented, like a tornado
– Risk can still be reduced with controls, like insurance, evacuation plans, etc.

Controls

Access controls
– After Authentication, only authorized users can perform critical tasks
Business continuity and Disaster Recovery Plans
– Reduce the impact of disasters
Antivirus software
– Reduces the impact of malware

Exploring Authentication Concepts

Identification, Authentication, and Authorization

Identification
– State your name (without proving it)
Authentication
– Proves your identity (with a password, fingerprint, etc.)
Authorization
– Grants access to resources based on the user's proven identity

Identity Proofing

Verifying that people are who they claim to be prior to issuing them credentials
– Or when replacing lost credentials

Sarah Palin's Email

Link Ch 1a

Three Factors of Authentication

Something you know
– Such as a password
– Weakest factor, but most common
Something you have
– Such as a smart card
Something you are
– Such as a fingerprint

Password Rules

Passwords should be strong
– At least 8 characters, with three of: uppercase, lowercase, numbers, and symbols
Change passwords regularly
Don't reuse passwords
Change default passwords
Don't write down passwords
Don't share passwords
Account lockout policies
– Block access after too many incorrect passwords are entered

Password history
– Remembers previous passwords so users cannot re-use them
Account Lockout Policies
– Account lockout threshold: the maximum number of times a wrong password can be entered (typically 5)
– Account lockout duration: how long an account is locked (typically 30 min.)
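The password rules, password history and lockout policy above, implemented together as one account object. This is an added example, not code from the slides or the textbook; the history depth of 5 is a constructed value, while the 8-character / three-class strength rule, the threshold of 5 and the 30-minute duration are the slides' figures. Stored passwords are kept as salted PBKDF2 hashes so that the history list is not itself a store of reusable secrets, and the clock is passed in so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field

MIN_LENGTH = 8
MIN_CLASSES = 3             # of: uppercase, lowercase, digits, symbols
HISTORY_SIZE = 5            # previous passwords that may not be reused (constructed)
LOCKOUT_THRESHOLD = 5       # wrong attempts before lockout (slide: typically 5)
LOCKOUT_DURATION = 30 * 60  # seconds (slide: typically 30 min.)


def is_strong(password: str) -> bool:
    """At least 8 characters and at least three of the four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= MIN_CLASSES


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted and deliberately slow, so neither the current hash nor the history
    # can be turned back into passwords cheaply if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: deque = field(default_factory=lambda: deque(maxlen=HISTORY_SIZE))
    failures: int = 0
    locked_until: float = 0.0

    def set_password(self, new: str) -> str:
        if not is_strong(new):
            return "rejected: too weak"
        h = hash_password(new, self.salt)
        if hmac.compare_digest(h, self.current) or any(
            hmac.compare_digest(h, old) for old in self.history
        ):
            return "rejected: reused"
        if self.current:
            self.history.append(self.current)  # deque drops the oldest beyond HISTORY_SIZE
        self.current = h
        return "ok"

    def login(self, attempt: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(hash_password(attempt, self.salt), self.current):
            self.failures = 0
            return "success"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failure"


if __name__ == "__main__":
    acct = Account()
    print(acct.set_password("password"))       # rejected: too weak
    print(acct.set_password("Tr0ub4dor&3"))    # ok
    print(acct.set_password("Tr0ub4dor&3"))    # rejected: reused
    t = 0.0
    for i in range(LOCKOUT_THRESHOLD):
        print("wrong attempt", i + 1, "->", acct.login("guess", t))
    print("right password while locked ->", acct.login("Tr0ub4dor&3", t + 60))
    print("after lockout expires      ->", acct.login("Tr0ub4dor&3", t + LOCKOUT_DURATION))
```

Note the trade-off the "Balancing CIA" slide describes: the same lockout that stops password guessing also lets anyone who knows a username lock that user out, so lockout events belong in the logs and the duration is usually kept short rather than permanent.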

Previous Logon Notification

Gmail has it, at the bottom of the screen

Something You Have

Smart Card
– Contains a certificate
– Read by a card reader
– Image from made-in-china.com/
Token or Key Fob
– Image from tokenguard.com

Smart Cards

Embedded certificate
Public Key Infrastructure
– Allows issuance and management of certificates
CAC (Common Access Card)
– Used by US Department of Defense
PIV (Personal Identity Verification) card
– Used by US federal agencies

Something You Are (Biometrics)

Physical biometrics
– Fingerprint (image from amazon.com)
– Retinal scanners
– Iris scanners
Behavioral biometrics
– Voice recognition
– Signature geometry
– Keystrokes on a keyboard

False Acceptance and False Rejection

False Acceptance Rate
– Incorrectly identifying an unauthorized user as authorized
False Rejection Rate
– Incorrectly rejecting an authorized user
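The two rates are measured against a decision threshold on the matcher's score, and moving that threshold trades one for the other. The example below is added here (it is not from the slides) and uses constructed match scores for a hypothetical fingerprint matcher: genuine attempts by the enrolled user and impostor attempts by other people. It computes FAR and FRR at a given threshold and finds the crossover point where the two are equal.

```python
# Constructed match scores (0..100) from a hypothetical fingerprint matcher.
GENUINE = [92, 88, 75, 81, 69, 95, 58, 84, 77, 90]    # enrolled user vs own finger
IMPOSTOR = [12, 35, 48, 22, 61, 30, 41, 55, 18, 66]   # other people vs that template


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover(genuine_scores, impostor_scores):
    """Lowest integer threshold at which FAR and FRR are closest (the crossover error point)."""
    best = None
    for t in range(0, 101):
        gap = abs(far(impostor_scores, t) - frr(genuine_scores, t))
        if best is None or gap < best[1]:
            best = (t, gap)
    return best[0]


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in (40, 50, 60, 62, 70, 80):
        print(f"{t:9d}  {far(IMPOSTOR, t):.2f}  {frr(GENUINE, t):.2f}")
    # Raising the threshold lowers FAR (fewer impostors accepted) but raises FRR
    # (more legitimate users turned away): the confidentiality/availability trade-off.
    print("crossover threshold:", crossover(GENUINE, IMPOSTOR))
```

A system guarding a data center is tuned toward a low FAR and accepts the extra rejections; a phone unlock is tuned the other way. The crossover rate is the usual single number for comparing two biometric systems.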

Multifactor Authentication

More than one of
– Something you know
– Something you have
– Something you are
Two similar factors are not two-factor authentication
– Such as password and PIN

Exploring Authentication Services

Authentication Services

Kerberos
– Used in Windows Active Directory Domains
– Used in UNIX realms
– Developed at MIT
– Prevents Man-in-the-Middle attacks and replay attacks

Kerberos Requirements

A method of issuing tickets used for authentication
– Key Distribution Center (KDC) grants ticket-granting-tickets, which are presented to request tickets used to access objects
Time synchronization within five minutes
A database of subjects or users
– Microsoft's Active Directory

Kerberos Details

When a user logs on
– The KDC issues a ticket-granting-ticket with a lifetime of ten hours
Kerberos uses port 88 (TCP & UDP)
Kerberos uses symmetric cryptography
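Why Kerberos needs clocks within five minutes, and how that requirement is what defeats replay: each request carries an authenticator stamped with the client's time, the service rejects anything outside the skew window, and remembers the authenticators it has already seen within that window. The example below, added here and not taken from the slides, simulates only those server-side checks on a presented ticket (ticket lifetime, clock skew, replay cache); the symmetric encryption that seals real tickets and authenticators is left out, and the principal names and timestamps are constructed.

```python
from dataclasses import dataclass, field

MAX_CLOCK_SKEW = 5 * 60         # slide: time synchronization within five minutes
TGT_LIFETIME = 10 * 60 * 60     # slide: ticket-granting-ticket lifetime of ten hours


@dataclass
class Ticket:
    principal: str
    issued_at: float
    lifetime: int = TGT_LIFETIME

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.lifetime


@dataclass
class Authenticator:
    principal: str
    timestamp: float   # client's clock when it built the authenticator


@dataclass
class Verifier:
    """The checks a Kerberized service applies to a ticket plus authenticator.
    Decryption is omitted; in real Kerberos both objects are sealed with symmetric keys."""
    seen: set = field(default_factory=set)   # replay cache: (principal, timestamp)

    def accept(self, ticket: Ticket, auth: Authenticator, now: float) -> str:
        if auth.principal != ticket.principal:
            return "reject: authenticator does not match ticket"
        if now > ticket.expires_at:
            return "reject: ticket expired"
        if abs(now - auth.timestamp) > MAX_CLOCK_SKEW:
            return "reject: clock skew too large"
        key = (auth.principal, auth.timestamp)
        if key in self.seen:
            return "reject: replayed authenticator"
        self.seen.add(key)
        return "accept"

    def expire_cache(self, now: float) -> None:
        # An authenticator older than the skew window fails the skew check anyway,
        # so the replay cache only has to remember the last five minutes.
        self.seen = {k for k in self.seen if now - k[1] <= MAX_CLOCK_SKEW}


if __name__ == "__main__":
    t0 = 1_700_000_000.0   # constructed logon time (epoch seconds)
    tgt = Ticket("alice@EXAMPLE.COM", issued_at=t0)
    v = Verifier()
    a1 = Authenticator("alice@EXAMPLE.COM", timestamp=t0 + 10)
    print("first use:              ", v.accept(tgt, a1, now=t0 + 12))
    print("same authenticator again:", v.accept(tgt, a1, now=t0 + 13))
    a2 = Authenticator("alice@EXAMPLE.COM", timestamp=t0 + 20)
    print("client clock 6 min off:  ", v.accept(tgt, a2, now=t0 + 20 + 6 * 60))
    a3 = Authenticator("alice@EXAMPLE.COM", timestamp=t0 + 11 * 3600)
    print("eleven hours after logon:", v.accept(tgt, a3, now=t0 + 11 * 3600))
```

The five-minute window is the operational reason a host whose clock drifts (a VM restored from a snapshot, a machine with NTP blocked) suddenly cannot authenticate to anything in the domain: the skew check fails before any key is even tried.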

LDAP (Lightweight Directory Access Protocol)

Formats and methods to query directories
Used by Active Directory
An extension of the X.500 standard
LDAP v2 can use SSL encryption
LDAP v3 can use TLS encryption
LDAP uses ports 389 (unencrypted) or 636 (encrypted) (TCP and UDP)

Mutual Authentication

Both entities in a session authenticate prior to exchanging data
– For example, both the client and the server
MS-CHAPv2 uses mutual authentication

Single Sign-On

Users can access multiple systems after providing credentials only once
Federated Identity Management System
– Provides central authentication in nonhomogeneous environments

IEEE 802.1x

Port-based authentication
– User connects to a specific access point or logical port
Secures authentication prior to the client gaining access to a network
Most common on wireless networks
– WPA Enterprise or WPA2 Enterprise
Requires a RADIUS (Remote Authentication Dial-in User Service) or other centralized identification server

Remote Access Authentication

Remote Access

Clients connect through VPN (Virtual Private Network) or dial-up
A VPN allows a client to access a private network over a public network, usually the Internet

Remote Access Authentication Methods

PAP (Password Authentication Protocol)
– Passwords sent in cleartext, rarely used
CHAP (Challenge Handshake Protocol)
– Server challenges the client
– Client responds with appropriate authentication information
MS-CHAP
– Microsoft's implementation of CHAP
– Deprecated
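The CHAP exchange described above, as an added example that is not part of the slides: the server sends a random challenge, the client answers with a hash over the challenge and the shared secret, and the server recomputes the same hash to check it. The response computation follows RFC 1994 (MD5 over the one-byte identifier, the secret, then the challenge); the usernames, secrets and message log are constructed. The `wire` list stands in for what a passive observer on the link would see, which is how the example shows the difference from PAP: the secret itself never crosses the wire, and a captured response is useless because its challenge is single-use.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets     # username -> shared secret (constructed table)
        self.pending = {}          # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id & 0xFF
        self.next_id += 1
        chal = os.urandom(16)      # fresh random value for every attempt
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)   # consumed on first use: no replay
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


class ChapClient:
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret = username, secret

    def respond(self, ident: int, chal: bytes):
        return self.username, chap_response(ident, self.secret, chal)


def run_exchange(server: ChapServer, client: ChapClient, wire: list) -> bool:
    """One CHAP round; every message is appended to `wire` as an observer would see it."""
    ident, chal = server.challenge()
    wire.append(("Challenge", ident, chal))
    name, resp = client.respond(ident, chal)
    wire.append(("Response", ident, name, resp))
    ok = server.verify(ident, name, resp)
    wire.append(("Success" if ok else "Failure", ident))
    return ok


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """Would a sniffer see the secret? (With PAP the answer is always yes.)"""
    return any(secret in item for msg in wire for item in msg if isinstance(item, bytes))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    server = ChapServer({"alice": secret})
    wire = []
    print("genuine client authenticates:", run_exchange(server, ChapClient("alice", secret), wire))
    for msg in wire:
        print("  on the wire:", msg)
    print("secret visible on the wire:  ", secret_on_wire(wire, secret))
    print("client with wrong secret:    ", run_exchange(server, ChapClient("alice", b"wrong"), []))
    ident, resp = wire[1][1], wire[1][3]
    print("replay of captured response: ", server.verify(ident, "alice", resp))
```

The caveat that makes CHAP "rarely used" today rather than "safe": the server must hold the shared secret in a reversible form to recompute the hash, and an observer who captures challenge/response pairs can test password guesses offline against them. That is the weakness MS-CHAPv2's attack on the next slide exploits, and why the recommendation there is certificate-based authentication.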

Remote Access Authentication Methods

MS-CHAPv2
– More secure than MS-CHAP
– Seriously broken by Moxie Marlinspike at Defcon 2012 (Link Ch 1c)
– He recommends using certificate authentication instead

Remote Access Authentication Methods

RADIUS (Remote Authentication Dial-in User Service)
– Central authentication for multiple remote access servers
– Encrypts passwords, but not the entire authentication process
– Uses UDP
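What "encrypts passwords, but not the entire authentication process" means concretely, as an added example that is not from the slides: RADIUS hides only the User-Password attribute, by XORing the padded password with MD5(shared secret || request authenticator) and chaining further 16-byte blocks (RFC 2865 section 5.2), while User-Name, NAS-IP-Address and everything else in the Access-Request travel in the clear. The shared secret, authenticator, username and password below are constructed; the attribute type numbers (1 User-Name, 2 User-Password, 4 NAS-IP-Address) are the real ones.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c1 = p1 ^ MD5(S||RA), c2 = p2 ^ MD5(S||c1), ..."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded or len(padded) > 128:
        raise ValueError("password must be 1..128 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: type, length, value triplets."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, len(v) + 2]) + v
    return (attr(1, username)                                       # User-Name: cleartext
            + attr(2, hide_password(password, secret, authenticator))  # User-Password: hidden
            + attr(4, bytes([192, 0, 2, 1])))                        # NAS-IP-Address: cleartext


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))                      # constructed; real ones are random per request
    attrs = access_request_attributes(b"alice", b"Tr0ub4dor&3", secret, ra)
    print("attributes on the wire:", attrs.hex())
    print("username readable:     ", b"alice" in attrs)
    print("password readable:     ", b"Tr0ub4dor&3" in attrs)
    print("server recovers:       ", unhide_password(attrs[9:25], secret, ra))
```

Two things follow for a defender. First, the hiding is only as strong as the shared secret and an MD5 keystream, so RADIUS between a NAS and the server is normally carried inside IPsec or run as RADIUS over TLS rather than bare UDP. Second, because usernames and network attributes are unprotected, RADIUS traffic on a shared segment already leaks who is authenticating from where, which is the gap TACACS+ closes by encrypting the whole body.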

Remote Access Authentication Methods

TACACS (Terminal Access Controller Access-Control System)
– Was used in UNIX systems, rare today
TACACS+
– Cisco proprietary alternative to RADIUS
– Interacts with Kerberos
– Encrypts the entire authentication process
– Uses TCP
– Uses multiple challenges and responses during a session

AAA Protocols: Authentication, Authorization, and Accounting

Authentication
– Verifies a user's identification
Authorization
– Determines if a user should have access
Accounting
– Tracks user access with logs

AAA Protocols: Authentication, Authorization, and Accounting

RADIUS and TACACS+ are both AAA protocols
Kerberos doesn't provide accounting, but is sometimes called an AAA protocol

Cert Test Review Questions from Textbook