Module 3
Security Appliances Survey: • Jump Server:
(host, box) is a system on a network used to access and manage devices located in another security zone. ◦ Sometimes referred to as a "pivot" server because once you are logged in, you can easily pivot to other devices or servers
Federated Identity Management (FIdM)
A single identity is created for a user and shared with all of the organizations in a federation
FTP Server
A specialized type of file server that is used to host files for distribution across the web § FTP servers should be configured to require TLS connections
Trusted Platform Module (TPM)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information § A TPM can be managed in Windows via the tpm.msc console or through group policy
• Stateful
A stateful infection FW inspects headers and packet payload and keeps track of the state of the entire connection from start to end. Stateful firewalls filter packets based on the full context of a given network connection. ◦ Advantage: more granular control
Point-to-Point Tunneling Protocol (PPTP)
A connection between two or more computers or device that are not on the same private network § L2TP is usually paired with IPSec to provide security
Hardware Root of Trust (ROT)
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics § A hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, which we can then use to sign a digital report
Proxy Server
A device that acts as a middle man between a device and a remote server
Modem
A device that could modulate digital information into an analog signal for transmission over a standard dial-up phone line
Self-Encrypting Drives
A disk drive where the controller can automatically encrypt data that is written to it
Perfect Forward Secrecy or Forward Secrecy
A feature of key agreement protocols (like SAE) that provides assurance that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised The AP and the client use a public key system to generate a pair of long-term keys • The AP and the client exchange a one-time use session key using a secure algorithm like Diffie-Hellman • The AP sends the client messages and encrypts them using the session key created in Step 2 • Client decrypts the messages received using the same one-time use session key • The process repeats for every message being sent, starting at Step 2 to ensure forward secrecy
Trusted Firmware
A firmware exploit gives an attacker an opportunity to run any code at the highest level of CPU privilege
Trusted Firmware Update
A firmware update that is digitally signed by the vendor and trusted by the system before installation
Extensible Authentication Protocol (EAP)
A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure § EAP-MD5 uses simple passwords for its challenge-authentication § EAP-TLS uses digital certificates for mutual authentication § EAP-TTLS uses a server-side digital certificate and a client-side password for mutual authentication
Web Security Gateway
A go-between device that scans for viruses, filters unwanted content, and performs data loss prevention functions
Security Template
A group of policies that can be loaded through one procedure
Jumpbox
A hardened server that provides access to other hosts within the DMZ. An administrator connects to the jumpbox and the jumpbox connects to hosts in the DMZ § The jumpbox and management workstation should only have the minimum required software to perform their job and be well hardened
Port
A logical communication endpoint that exists on a computer or server
Outbound Port
A logical communication opening created on a client in order to call out to a server that is listening for a connection
Inbound Port
A logical communication opening on a server that is listening for a connection from a client
eFUSE
A means for software or firmware to permanently alter the state of a transistor on a computer chip
Secure Processing
A mechanism for ensuring the confidentiality, integrity, and availability of software code and data as it is executed in volatile memory
• Security Association (SA):
A negotiation that includes the algorithms that will be used (hashing and encryption), key length, and key information
Types of NAC: Persistent Agents
A piece of software that is installed on the device requesting access to the network
Simultaneous Authentication of Equals (SAE)
A secure password-based authentication and password-authenticated key agreement method § Simultaneous Authentication of Equals (SAE) provides forward secrecy
Jumpbox DMZ
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports § Everything behind the DMZ is invisible to the outside network
Domain Controller
A server that acts as a central repository of all the user accounts and their associated passwords for the network
Group Policy
A set of rules or policies that can be applied to a set of users or computer accounts within the operating system § Access the Group Policy Editor by opening the Run prompt and enter gpedit § Password complexity § Account lockout policy § Software restrictions § Application restrictions Active Directory domain controllers have a more advanced Group Policy Editor
Access Control List (ACL)
An ordered set of rules that a router uses to decide whether to permit or deny traffic based upon given characteristics § IP Spoofing is used to trick a router's ACL
Key Stretching
A technique that is used to mitigate a weaker key by increasing the time needed to crack it § WPA, WPA2, PGP, bcrypt, and other algorithms utilize key stretching
• Secure IMAP:
IMAP is used to receive email from an email server to a local email account ◦ IMAP allows clear text authentication (port 143) ◦ Secure IMAP is an extension of IMAP that supports SSL/TLS for secure login (port 993)
IP Proxy
IP Proxy is used to secure a network by keeping its machines anonymous during web browsing
IPSec Modes: ◦ Tunnel Mode:
IPsec can be implemented in two modes. is used between server-server, server-gateway, or gateway-gateway (two direct endpoints) ‣ The entire packet is encrypted. ‣ is the default mode for IPSec
• Trusted/Intermediate
Identifies root and intermediate cert authorities
Packet Filtering
Inspects each packet passing through the firewall and accepts or rejects it based on the rules § Stateless Packet Filtering (accept/reject packets based on ips and port number) § Stateful packet filtering tracks the requests leaving the network (so that when something comes back, it can compare what it is expecting)
• Encapsulating Security Payload (ESP):
Integrity, Origin Authentication, Replay attack protection, and confidentiality (uses both an HMAC & Symmetric Encryption)- would choose either AH or ESP
IPSec Components: • Authentication Header (AH):
Integrity, Origin, Authentication, Replay attack protection (by using an HMAC)
Public Branch Exchange (PBX)
Internal phone system used in large organizations
Set Service Identifier (SSID)
Is a code that identifies members with a wireless access point. ◦ All wireless devices that want to communicate on a network must have their SSID set tot he same value as the WAP SSID to establish connectivity with the WAP ◦ By default, an access point broadcasts its SSID every few seconds ◦ This broadcast can be stopped so that an attacker can't automatically discover the SSID and hence the WAP ‣ However, because an SSID is included in the beacon of every wireless frame, it is easy for a hacker equipped with sniffing equipment to discover the value and fraudulently join the network.
• Measured Service:
Metering capability
Anti-Tamper
Methods that make it difficult for an attacker to alter the authorized execution of software § Anti-tamper mechanisms include a field programmable gate array (FPGA) and a physically unclonable function (PUF)
• Always On:
Microsoft Windows 10 solution that establishes a VPN connection as soon as a client is connected to the internet. ◦ User interaction is not required unless 2FA enabled
Secure Network Protocols: • NTP:
Network Time Protocol is a networking protocol for clock synchronization. ◦ NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC) ◦ Current version is v4 ◦ NTP is not considered a secure protocol, however, time synchronization is an important foundational element. ◦ Use case is time synchronization
• Traditional NAT:
Network address translation - private to public IP address mapping
Securing Network Devices
Network devices include switches, routers, firewalls, and more
NTFS
New Technology File System is the default file system format for Windows and is more secure because it supports logging, encryption, larger partition sizes, and larger file sizes than FAT32
Privilege Creep
Occurs when a user gets additional permission over time as they rotate through different positions or roles § Privilege creep violates the principles of least privilege
Propagation
Occurs when permissions are passed to a subfolder from the parent through inheritance
clearance
Official determination of level of access
Account Lifecycle:
Onboarding, Account Request, User agreement, credential management -> authorization, assignment of rights and permissions, User Training -> User account auditing, user access auditing, change re quests, user training -> termination off-boarding
Account Lifecycle Phase 1:
Onboarding, account request, user agreement, credential management • Account creation request. Request may be directed in-house or to an IDaaS provider. • User agreements are signed - AUP/NDA confidentiality agreement • User accounts created and group/role membership established • Credentials assigned (security clearance, if appropriate) • Authentication assets (eg tokens, smart cards, certificates) distributed • Orientation training
FIDO Login:
Online service challenges the user to login with a previously registered device -> user unlocks the FIDO authenticator using the same method used during registration -> Device uses the users account identifier provided by the service to select the correct key and sign the services challenge -> client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user
Circuit-Level gateway
Operates at the session layer and only inspects the traffic during the establishment of the initial session over TCP or UDP
Trusted Third Party (TTP)
Organizations are able to place their trust in a single third-party (also called the bridge model) • Trusted third-party model is more efficient than a cross certification or web of trust model
Digital cert file extensions
PEM o CER o CRT o KEY o P12 o PFX o P7B
Email Security: • Secure POP3:
POP3 is used to receive email from an email server to a local email account ◦ POP3 allows clear text authentication (port 110) ◦ Secure POP3 is an extension of POP3 that supports SSL/TLS for secure login (port 995)
Permissions in Windows
Permissions are broken down into Read, Write, and Execute inside Linux • Full Control • Modify • Read & Execute • List Folder Contents • Read • Write § Permissions are assigned to Owners (U), Groups (G), and All Users (O or A) 777 allows everyone to Read, Write, and Execute
Permissions
Permissions are inherited by default from the parent when a new folder is created Any permissions added/removed from the parent folder will pass to the child by default too! Use Groups for roles and do not assign users directly to a folder's permissions o If you copy a folder, then permissions are inherited from the parent folder it is copied into o If you move a folder, then permissions are retained from its original permissions
Well-Known Ports
Ports 0 to 1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)
Registered Ports
Ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols
Dynamic or Private Ports
Ports 49,152 to 65,535 can be used by any application without being registered with IANA
High Availability Flow Chart:
Primary instance send a per-second heartbeat signal -> primary instance (or zone failure). Heartbeat ceases -> Standby instance measures unresponsiveness and if applicable, declares an outage. -> Using a shared static IP address, the standby instance takes over -> The reversal is automatic or manual (when the primary instance comes back online)
• Online Certificate Status Protocol (OCSP):
Process designed to query the status of certificate in real-time
Network Address Translation (NAT)
Process of changing an IP address while it transits across a router § Using NAT can help us hide our network IPs
Baselining
Process of measuring changes in the network, hardware, and software environment § A baseline establishes what is normal so you can find deviations
User Access Recertification
Process where each user's rights and permissions are revalidated to ensure they are correct • Hired • Fired • Promoted
chmod command
Program in Linux that is used to change the permissions or rights of a file or folder using a shorthand number system # chmod 760 filename 7 = Owner can RWX 6 = Group can RW 0 = All Users (no access)
War Dialing
Protect dial-up resources by using the callback feature
• IPSec
Protocol suite used for secure communication between two hosts. is a suite of protocols that provides cryptographic security between two hosts or communication points. - Configuration Options Include: see next ◦ Use case: encrypt application layer data, secure routing data, authenticate data origin, and virtual private networking (VPN)
Remote Authentication Dial-In User Service (RADIUS)
Provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and the Extensible Authentication Protocol (EAP) § RADIUS operates at the application layer
EAP-FAST
Provides flexible authentication via secure tunneling (FAST) by using a protected access credential instead of a certificate for mutual authentication
• Public Key
Public Key
IPv6 Attack Response:
Reconnaissance: scans less effective because of the large address space. Identifying routers and key servers become easier because of the new multi-cast addresses • Spoofing: no change • DDoS: amplification attacks are amplified so easier to mitigate • Malware: no change, except that worms may find it harder to propogate through network space due to large address space • Sniffing: becomes more difficult because of mandatory IPSec • MiTM: no change
◦ HA cloud configuration referred to as a ________, provides data redundancy ‣ Within a regional instance, the configuration is made up of a primary instance and a standby instance
Regional instance
Unified Threat Management
Relying on a firewall is not enough o Unified Threat Management § Combination of network security devices and technologies to provide more defense in depth within a single device § UTM may include a firewall, NIDS/NIPS, content filter, anti-malware, DLP, and VPN § UTM is also known as a Next Generation Firewall (NGFW)
Self-Encrypting Drive (SED)
Storage device that performs whole disk encryption by using embedded hardware
Protected EAP (PEAP)
Supports mutual authentication by using server certificates and Microsoft's Active Directory to authenticate a client's password
Telephony
Term used to describe devices that provide voice communication to users
Web browser concerns: Cookies
Text files placed on a client's computer to store information about the user's browsing habits, credentials, and other data
Trusted Execution
The CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running
FIDO Registration:
The user is prompted to choose an available FIDO authentication that matches the online service's acceptance policy. -> User unlocks the FIDO authenticator using biometrics or a security key -> User's device creates a new public/private key pair for the local device, online service and user's account. -> public key is sent to the online service and associated with the users account. The private key and local authentication never leave the local device.
Explicit Allow
Traffic is allowed to enter or leave the network because there is an ACL rule that specifically allows it § Example: allow TCP 10.0.0.2 any port 80
Explicit Deny
Traffic is denied the ability to enter or leave the network because there is an ACL rule that specifically denies it § Example: deny TCP any any port 23
Implicit Deny
Traffic is denied the ability to enter or leave the network because there is no specific rule that allows it § Example: deny TCP any any port any
Presentation Layer (Layer 6)
Translates the information into a format that the sender and receiver both understand
Cross Certification
Utilizes a web of trust between organizations where each one certifies others in the federation
Lattice-based Access Control
Utilizes complex mathematics to create sets of objects and subjects to define how they interact • Mandatory Access Control is a feature in FreeBSD & SELinux • Only in high security systems due to its complex configuration
• WLAN
Wireless Local Area Network. ◦ IEEE Standard; 802.11 standard
• WMAN
Wireless Metropolitan Area Network. ◦ IEEE Standard: 802.16 standard
Wireless Network Configurations: • WPAN:
Wireless Personal Area, Network, (we know it as Bluetooth), ex: keyboards, mice, earbuds ◦ IEEE Standard: 802.15 standard. Interconnects devices within a limited range (eg: keyboards)
• WWAN
Wireless Wide Area Network ◦ IEEE Standard: point-to-point microwave links
• Version
X.509 certificate version
Global Positioning System (GPS):
is a United States owned utility that provides users with positioning, navigation, and timing services. ◦ Consists of three segments: the space segment, the control segment, and the user segment ‣ The space segment consists of 23 operating satellites that transmit one-way signals that give current GPS position and time ‣ The control segment consists of worldwide monitors that track and maintain the satellites ‣ The user segment (GPS receiver) that receives signal and uses the transmitted information to calculate three-dimensional position and time.
Certificate Pinning:
forces a client application to validate the server's cert against a known copy. ◦ Can be preloaded into an app or it can automatically pin against whatever cert the server sends during the first client-to-server call ◦ Preloading protects the app, as an attacker might be able to pin their own cert upon the first call ◦ Use Case: pinning is intended to add a layer of security against man-in-the-middle attacks
Cloud Security Groups:
form logical network perimeters. ◦ Each resource is assigned to at least one logical cloud-based security group. ◦ Each logical cloud based security group is assigned specific rules that govern the communication between the security groups. ◦ Rules function as the TCP and IP layers (ports and source/destination IP addresses)
Secure Protocols
function is to support confidentiality, integrity, authentication, and/or non-repudiation requirements. ◦ Are commonly used in network management and communications; often replacing older insecure protocols. At beginning of internet, designers were not focused on security.
• Permissions
functions that a subject can perform on an object, file, or folder (eg read)
• Network Access Control (NAC):
governs connections to the network based on configuration requirements. ◦ NAC pre-admission policies determine if a device is allowed on the network and if so what segment based on host health (eg: AV, patch level, firewall status) ◦ NAC post-admission policies regulate and restrict access once the connection is allowed.
• Recertification
has management validated that rights and permissions assignment are correct and that they adhere to internal policies and compliance requirements? ◦ Also referred to as access attestation
Certificate Common Properties: • Thumbprint:
hash of the certificate (unique identifier)
‣ Fat (thick) access points
have 802.11 security, management, and performance standalone functionality built-in
public subnet
hosts resources that must be exposed to the internet (eg web server)
◦ Private Subnet:
hosts resources with restricted access that should never be directly accessed from the outside.
Load Balancer:
improves distribution of workloads across multiple computing resources and prevents resource overload. ◦ One of the most commonly used applications of load balancing is to provide a single internet service from multiple servers, sometimes known as a server farm. ‣ Virtual IP: is a single address, presented externally, that maps back to multiple internal physical IP addresses ‣ Persistence: is the process of associating application layer information with a single server for the balance of a session.
◦ Allow-List:
index of specifically approved executable files and/or applications
◦ Block-List:
index of specifically disapproved executable files and/or applications
• Aggregation
individual pieces of data re combined to create a bigger picture that may have greater sensitivity than individual parts.
Trusted Certificate Phases (from top to bottom): • Enrollment:
initiated by user request to a cert authority
• Next-Generation (Next-Gen):
inspects the entire transaction, does surface level, and deep packet inspection and incorporates additional security features and application controls ◦ Use case: suitable for businesses with compliance requirements (eg: PCI DSS) or need high level of protection
Specialized Firewall: • Web-Application:
inspects, filters and monitors HTTP traffic between a web app and an untrusted network - allow or deny decisions based on the actual content of the packet. Will protect against XSS.
Enterprise Endpoint Security: • Endpoint Detection and Response (EDR):
integrated endpoint solution that incorporates AI, incident response automation and threat intelligence. ◦ Primary functions: ‣ Monitor and collect data from endpoints ‣ Analyze data to identify threat patterns ‣ Automatically respond to threats and notify security personnel
◦ Secure Coding:
integrating secure coding practices into the SDLC
• Use
intended use to determine # of access points
Identity and Access Management (IAM)
is a business process of enabling the right individuals to access the right resources at the right times and for the right reasons. ◦ IAM functions include provisioning, education, auditing, and deprovisioning ◦ IAM functions take place throughout the employee lifecycle ◦ IAM functions are a shared responsibility - managers, owners, HR, IT, physical security, information security, and audit.
◦ CSA (Cloud Security Alliance) Cloud Controls Matrix (CCM):
is a cloud-specific security control framework mapped to leading standards, best practices, and regulations. ‣ CCM is composed of a 133 control objectives that are structured into 16 domains covering all key aspects of cloud technology
Database Management System (DBMS):
is a collection of tools used to administer databases. ◦ A DBMS can be configured to meet fundamental security objectives (of confidentiality, integrity availability, and privacy) ‣ Confidentiality: ensuring data is available only to authorized users and objects ‣ Integrity: ensuring state of database is the same after a transaction has occurred as it was prior to the transaction. ‣ Availability: in the event of failure, the data should be available in its original state ‣ Privacy: constraining data disclosure. SUPER concerned about privacy in this environment.
◦ SFTP
is a component of secure shell and it is an extension of SSH 2.0 to provide secure file transfer capabilities
Authentication Protocol
is a component of the user verification process
Secure Shell (SSH)
is a cross platform protocol that establishes a secure connection between an SSH server and an SSH client. ◦ Secure Shell (SSH) is used to administer systems remotely, provided a command shell on a remote network, or tunnel other protocols (TCP port 22). ◦ Secure Shell is a secure replacement for clear text protocols such as telnet, rlogin, rsh, and rsync
Point-to-Point (P2P):
is a data link between two fixed points. ◦ examples include a microwave relay link and lasers ◦ P2P technologies require unobstructed line of sight. ◦ Limited by the visual horizon, so approx 40 miles
‣ Sensor
is a device that collects info about the network or host. A sensor can report and/or take action.
Reader
is a device that has one or more antennas that emit radio waves and receive signals back from the RFID tag. Readers can be mobile so that they can be carried by hand, or they can be mounted on a post or overhead. Reader systems can also be built into the architecture of a cabinet, room, or building.
Key management practices statement (KMPS)
is a document that describes in detail the organizational structure, responsible roles, and rules for key management.
Quality of Service (QoS)
is a feature of network devices which prioritizes traffic. ◦ QoS controls and manages network resources by setting priorities for specific types of data on the network ‣ Video-on-demand ‣ Voice-over-IP (VoIP) ‣ Streamed media ‣ Video conferencing ◦ Measurements of concern to QoS are bandwidth (throughput), latency (delay), jitter (variance in latency), and error rate. ◦ IPv6 supports QoS, the packet header provides fields that facilitate the quality of service.
Access Control Model:
is a framework that dictates how subjects access objects or how objects access objects. • access control models include: ◦ Subject-based ◦ Object based ◦ Attribute based (hybrid)
gateway endpoint
is a gateway that you specify as a target for a route in your route table for traffic destined to a supported service.
Hardware Encryption: Full Disk Encryption (FDE)/Self Encrypting Drives (SED)
is a hardware based mechanism for automatically encrypting all data written to the magnetic media. ◦ Opal security subsystem class (referred to as just Opal) is a non-proprietary standard for applying hardware-based encryption to hard drives, solid state drives and optical drives ◦ The encryption process is transparent to the user with the exception of required boot-up password ◦ Does not affect performance ◦ Use Case: Securing data at rest
◦ Microsegmentation
is a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually. ‣ Data center administrators can tailor unique security policies and rules for each microsegment. ‣ This reduces the surface available for malicious activity
◦ Port
is an identifier for an application within a computer ‣ Applications listen for connections on a port dedicated to a particular service (port 443 - HTTPS) ◦ A port is either UDP or TCP ‣ Ports 1-1023 are assigned by the Internet Assigned Numbers Authority (IANA) • Often referred to as well-known ports ‣ Ports 1024-49151 can be registered with IANA ‣ Ports 49151 to 65353 are dynamic or private ports
Proxy Server:
is an intermediary machine between a client and a server, which is used to filter or cache requests made by the client. ◦ Can be single purpose (supporting one protocol: ex: http) or multipurpose (supporting multiple protocols) ◦ Three proxy configurations - forward, transparent, and reverse.
ABAC (Emerging) (Attribute Based Access Control)
is an logical access control model that controls access to objects by evaluating rules against the attributes of the subject and object, operations and the environment. • ABAC supports complex Boolean rule sets that can evaluate many different attributes. • Policies that can be implemented in ABAC model are limited only to the degree imposed by the computational language and the richness of the available attributes. • Example of an access control framework that is consistent with ABAC is the extensible access control markup language (XACLM)
Cloud Policy
is an object that when associated with an identity or resource, defines permissions. How do we apply permissions
FIDO Authentication (FIDO Universal two-factor (U2F)):
is an open authentication standard that enables internet users to securely access any number of online services with one single security key instantly and with no drivers or client software needed. ◦ The standard uses standard public key (asymmetric) cryptography techniques ◦ Preregistration is required ◦ Can be used with either security key or biometric reader for security
Trusted Boot
is an open source, pre-kernel/VMM module that uses Intel Trusted Execution Technology to perform a measured and verified launch of an OS kernel/VMM. ◦ The boot loader verifies the digital signature of the operating system kernel prior to loading. ◦ The OS is responsible for verifying every other component of the startup process including boot drivers, and startup files. ◦ If a boot loader detects a problem, it will refuse to load that component. ◦ Use Case: protects against malware and rootkits
UEFI (Unified Extensible Firmware Interface)
is an open standard interface layer between the firmware and the operating system that requires firmware updates to be digitally signed. ◦ UEFI was designed as a replacement for traditional PC BIOS. ◦ Additional functionality includes support for Secure Boot, network authentication, and universal graphics drivers. ◦ UEFI protects against BIOS malware attacks including root kits.
Cloud Infrastructure
is comprised of two layers. ◦ Physical and logical components (e.g. processors, memory, connectivity, and storage) used to build the clouds resource pools. ◦ The virtual/abstracted infrastructure: ‣ All clouds utilize some form of virtual networking to abstract the physical network and create a network resource pool. ‣ Typically the cloud user provisions desired networking resources from this pool, which can then be configured within the limits of the virtualization technique used.
Wireless Configuration: • Wireless Networking:
is connectivity through radio frequency transmissions. ◦ Wireless configuration modes include: ‣ Ad Hoc Mode: is a wireless peer-to-peer relationship. ‣ Infrastructure Mode Topology ("wireless networks"): which includes wireless devices, access points, and wired routers.
Virtual Private Network (VPN)
is designed to facilitate secure remote access communication over a public network. ◦ VPNs are a cost effective alternative to dedicated point-to-point connections by transforming the internet into a secure circuit. ◦ VPNs isolate the network frames from the surrounding networking using a process known as encapsulation or tunneling
NIDS/NIPS Placement:
is directly in the flow of traffic and inspects every packet. NIDS and NIPS can be in-band. ◦ Out of band placement (not in the flow of traffic) utilizes a passive tap that receives a copy of the network traffic and can process samples. Only applies to NIDS (bc remember a NIPS has to be able to take action)
IPv6 Address
is made up of 128 bits divided into eight 16-bit blocks. ◦ Each block is converted into a 4-digit hexadecimal number separated by colons.
Hardware/Firmware Components: BIOS (Basic Input Output System)
is non-volatile firmware used to perform hardware initialization during the booting process, and to provide runtime services for operating systems and programs. ◦ A password is generally required to access the BIOS and perform the following functions: ‣ Authorize boot up sequence ‣ Make changes in the BIOS config
Network Address Translation (NAT):
is primarily used in the IPV4 environment and is a stateful process used by the firewall to translate internal private IP addresses to public IP addresses. • NAT can be used to: ◦ Transform nonroutable IP addresses (class A: 10.0.0.0/8, Class B: 172.16.0.0/12, Class C: 192.168.0.0 - 192.168.255.255) to routable IP addresses ◦ Extend IPv4 address space. ◦ Anonymize (hide) internal addresses
Connection Methods: Cellular Network:
is radio frequency distributed network that divides geographic areas into cells. Cells are serviced by a fixed location transceiver (base station). • 4G is the current cellular standard for most wireless communication. ◦ It uses packet switching technology, which organizes data into parts or packets for transmission and reassembles the information at the destination. • 5G uses a set of aggregated frequency bands to unlock bandwidth, reduce latency, expand reach and increase speed (5G is 20x faster than 4G)
Trusted Computing Base (TCB):
is the combination of all the security mechanisms within a computer including firmware, hardware, and software.
Unified Threat Management (UTM):
is the evolution of a firewall into an all-inclusive device performing multiple security functions. ◦ Example functions include: firewall, IDS/IPS, gateway anti-virus and anti-spam, content filtering, data loss preventing, and user activity audit reporting. • Advantages include: reduced operational complexity and overhead cost. • Disadvantages include single-point of failure (SPOF) and vendor dependency
East-West Traffic:
is the lateral transfer of data packets from server to server (physical or virtual) within a data center.
Authentication Protocols: • PAP (Password Authentication Protocol):
is the most basic authentication protocol ◦ Authentication is initialized by the user. ◦ Username and password is presented in clear text to an authentication server. If the creds match what is in the servers credentials table, then the user is authenticated. ◦ Very insecure and susceptible to eavesdropping and MitM attacks
Application Security:
is the process of developing, adding, and testing security features within applications to minimize the risk of unauthorized access (confidentiality), modification (integrity), and downtime (unavailability). ◦ Categories include: ‣ Authentication ‣ Authorization ‣ Obfuscation (encryption, hashing, tokenization) ‣ Logging ‣ Security testing
Authorization
is the process of granting users and systems (subjects) access to resources (objects).
◦ Container Orchestration:
is the process of managing how containers are created and how they are connected. ◦ Docker is an open source platform to deploy and manage virtualized containers ◦ From Gmail to YouTube, to Search, everything at Google runs in Containers!!
Cloud Container Support: • Containers:
offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run. ◦ Containers virtualize CPU, memory, storage, and network resources at the OS-level (lightweight) ◦ Containers can run anywhere ◦ Containers give developers the ability to create predictable environments that are isolated from other applications.
Registration Authority (RA):
offloads some of the work from the CA. ◦ RA can accept and process registration requests and distribute certificates on behalf of CA. ◦ Local registration Authority (LRA) requires physical identification
• Privilege
overriding capabilities; trump rights and permissions needed to accomplish a task (eg root)
Most common types of Firewalls: • Packet Filtering (stateless):
packet filtering FW inspects each packet individually and decides whether a packet is allowed or denied based on the header information (protocol, source, destination, port) ◦ Advantages: fast, efficient, low resource utilization, low cost
IDS Detection Approach: • Signature Based:
pattern matching decisions are based on established known signatures ◦ Signatures must be updated frequently
• Revocation
permanent withdrawal of trust by issuing authority before scheduled expiration date.
• Associated access points:
predicts access point client association
• Data rate
predicts potential client-access point data rate
Firewall
primary objective of a traditional firewall is to isolate network segments and traffic by controlling ingress and egress access. • Firewalls are a deterrent control because a hardened appearance can discourage opportunistic attackers. • Firewalls are a preventative control because they can be configured to restrict ingress and egress network traffic, repel known attacks, manage non-routable IP addresses, and anonymize internal addresses. • Can be a detective control because they can be configured to log events and to send alerts.
• Renewal
prior to a cert reaching its expiration date, it must be renewed.
data mining
process of analyzing data with tools that look for trends, correlations, or anomalies resulting in metadata (data about the data).
• GeoFencing
process of defining a virtual boundary "geofence" around a specific physical area ◦ Define where devices can be used ◦ Identify when a device enters a secure area
Device Tracking using MDM software: • Geolocation:
process of determining an objects position based on its latitude and longitude (GPS, Cell triangulation, Wi-if proximity, IP address) ◦ Activate device tracking ◦ User tracking ◦ Locate a lost device
Host-based Protection: • Antivirus/Antimalware software:
program or set of programs designed to detect and, when possible, isolate or remove malicious software.
◦ Software
programs, procedures, and routines used to execute specific tasks (including operating systems and applications).
• Firewall
protective boundary for the local device that monitors and restricts ingress (incoming) and egress (outgoing) access. ◦ Endpoint firewalls generally employ state full packet filtering that examine source and destination addresses, source and destination ports, and protocol numbers, and compares them to predefined rules.
‣ Authentication Header (AH):
provides data integrity, authentication, and anti-replay protection.
‣ Encapsulating Security Payload (ESP):
provides data integrity, encryption, authentication, and anti-replay protection.
High Availability (HA):
provides for redundancy and automatic failover capability. ◦ Through synchronous replication to each zone's persistent disk, all writes made to the primary instance are also made to the standby instance. In the event of an instance or zone failure, the standby instance takes over.
• Impossible Travel:
proximity of logins (where you are logging in from in what time period)
Wireless Antennas: • Omnidirectional:
radiates transmissions out and receives transmissions in from all directions (360) ◦ Used inside a building
• Signal to noise ratio (SNR):
ratio of signal strength relative to noise in the environment
A cloud instance...
refers to a virtual server
Strength and Workfactor:
strength of a crypto system is a combination of the algo, the algorithmic process, the length of the key, and the secrecy of the key. ◦ If one element is weak, the entire crypto system be potentially be compromised ◦ The work factor: is the amount of time and effort it would take to penetrate (break) a crypto system.
Tokenization
substitutes sensitive data with surrogate values called tokens, which can then be used to represent the original (or raw) sensitive data. ◦ Tokens can be used in multiple ways: ‣ They can retain the format of the original data while revealing only a few characters ‣ They can join tables with extraneous information ‣ They can mask or redact unneeded raw values
Wireless Network Design:
takes into consideration geographic location, RF signal strength, building/site construction, number of users, type of use and equipment options. ◦ Objective of wireless site survey is to avoid common wireless network design problems ‣ Coverage holes ‣ Excessive interference ‣ Incorrect type and number of access points ‣ Waste of time and money
Trusted Platform Module (TPM):
technology is designed to provide hardware-based, security-related functions. ◦ A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. ◦ The chip contains an RSA key used for encryption and authentication. ◦ TPM chips are compatible with most operating systems. ◦ Use Case: Secure Boot, Measured Boot, SED/FED (encrypted drives) ◦ Note: Secure boot and measured boot are only possible on PCs with UEFI and a TPM chip
• Suspension
temporary revocation of a cert until a cert problem can be resolved.
Application Security Practices: ◦ Input Validation:
testing input supplied by a user or application
Virtual/Logical Isolation Options: • Virtual
virtualization technology creates multiple environments (VMs) from a single physical hardware system. ◦ Virtual machines (VMs) provide fault and security isolation at the hardware level including memory and CPU access ◦ Use Case: high security or resource intensive applications
Current 802.11i Security: • WPA2:
◦ Authentication: Enterprise RADIUS, Certificate or Personal PSK, (passwords are hashed and can be captured - this is a downside) ◦ Key: Separate 128-bit keys ◦ Encryption: AES Block Cipher (this is standard for symmetric encryption) ◦ Status: Current Standard, vulnerable if using Wi-Fi Protected Setup (WPS)
• 802.11b
◦ Data rate: 11Mbps ◦ Frequency: 2.4 GHz ◦ Distance: 140m
• 802.11n
◦ Data rate: 150Mbps ◦ Frequency: 2.4Ghz/5Ghz ◦ Distance: 250
802.11 IEEE Standard: • 802.11
◦ Data rate: 2Mbps ◦ Frequency: 2.4 GHz ◦ Distance: 100m
• 802.11g
◦ Data rate: 54Mbps ◦ Frequency: 2.4GHz ◦ Distance: 140m
• 802.11a
◦ Data rate: 54Mbps ◦ Frequency: 5GHz ◦ Distance: 120m
• TACAS+
◦ Device Administration is primary use ◦ Encryption is the entire payload ◦ Separates authentication and authorization ◦ Comprehensive reporting ◦ Vendor is Cisco proprietary
• Directional (Yagi)
focuses the signal in a specific direction ◦ Generally used to connect buildings
802.1x
Standardized framework used for port-based authentication on wired and wireless networks § RADIUS § TACACS+ 802.1x can prevent rogue devices
X (Execute)
1
Rules to make IPv6 cleaner (Addressing Rules):
1) Discard leading zeros 2) If two or more blocks contain consecutive zeros, omit them all, replace with a double colon (::) [note: YOU CAN ONLY DO THIS ONCE] 3) Blocks of zeros can be replaced only once with (::), so if there are still blocks of zeros, they can be shrunk down to a single zero.
Wireless Security Best Practices:
1) change AP default passwords 2) use WPA3 3) protect the SSID (hide or change identifier) 4) restrict access (by MAC, guest) 5) include the wireless network in vulnerability management program (threat intel, patching, assurance)
Mobile Device Considerations:
1) make sure device cant be rooted/jailbroken (removing the iOS restrictions) 2) sideloading (file transfer between 2 devices) 3) camera and microphone use - what apps have access 4) tethering and hotspot - connect device to another device 5) GPS tagging
General Security for Web Browsers
1. Implement Policies • Create and implement web browsing policies as an administrative control or technical control § 2. Train Your Users • User training will prevent many issues inside your organization § 3. Use Proxy & Content Filter • Proxies cache the website to reduce requests and bandwidth usage • Content filters can be used to blacklist specific websites or entire categories of sites § 4. Prevent Malicious Code • Configure your browsers to prevent ActiveX controls, Java applets, JavaScript, Flash, and other active content
Class A
10.0.0.0 to 10.255.255.255 these are PRIVATE IPs, once it wants to go out to internet it will use NAT or PAT to give it public ip and port number
• Rapid Elasticity:
Adapt to changing workload demand by auto provisioning and deprovisioning pooled resources to match current demand
Class C
192.168.0.0 to 192.168.255.255
Salting
Adding random data into a one-way cryptographic hash to help protect against password cracking techniques § A "nonce" is used to prevent password reuse
Class B
172.16.0.0 to 172.31.255.255
W (Write)
2
R (Read) =
4
◦ HTTPS (Hypertext Transfer Protocol Secure)
is an extension of HTTP that adds support for SSL/TLS in order to encrypt communication between a browser and a website (TCP port 443)
Secure Boot
A UEFI feature that prevents unwanted processes from executing during the boot operation
Attestation
A claim that the data presented in the report is valid by digitally signing it using the TPM's private key
Online Certificate Status Protocol (OCSP)
A protocol that allows you to determine the revocation status of a digital certificate using its serial number
Split Tunneling
A remote worker's machine diverts internal traffic over the VPN but external traffic over their own internet connection § Prevent split tunneling through proper configuration and network segmentation
Canonical Encoding Rules (CER)
A restricted version of the BER that only allows the use of only one encoding type
Unified Extensible Firmware Interface (UEFI)
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security
Subnetting
Act of creating subnetworks logically through the manipulation of IP addresses § Efficient use of IP addresses § Reduced broadcast traffic § Reduced collisions § Compartmentalized Subnet's policies and monitoring can aid in the security of your network
• Context Dependent:
Access Based on a collection or sequence of actions. Enforcement is Rules, security, policy.
Object Based Access Controls: • Rule Based
Access based on situational if-then statements. Enforcement is Rules. Example: a firewall, the firewall doesn't care who the user is, what it cares about is Source ip, dest ip, protocol, port, etc.
• Role-Based Access Control (RBAC) [Non-Discretionary]:
Access is based on the subjects assigned roles. Subjects get assigned roles and roles get assigned permissions and rights. (Ex: in a bank we have the role of a teller, manager, security officer, the user gets assigned the role and the role gets the permissions allowed) Many to many (a subject can have many roles and a role can have many permissions) relationships allows. Enforcement is by access control lists, capabilities tables, and security policy.
• Constrained Interface (Menus and Shells, Database Views):
Access restricted by functionality (you can only do what you can see). Enforcement is Design, Configuration. (If you go to a bank atm, all you can do is the options that are presented to you, if you were an admin, you'd have a different view)
• Guest
Account with very limited resource access
• User/Group:
Accounts designed to be used for normal tasks
Account Types Overview: • Privileged:
Accounts that have overriding rights and permissions ("keys to the kingdom")
• Service
Accounts that provide the security context (access to local and network resources) for running services
• Shared/Generic
Accounts used by multiple users or services.
Wildcard Certificates
Allow all of the subdomains to use the same public key certificate and have it displayed as valid § Wildcard certificates are easier to manage
Firewall Configuration Planning: • Ingress/Egress Filtering:
Allow by default (default allow) if not explicitly denied, then access is allowed. Deny by default (default deny) if not explicitly allowed, then access is denied.
Subject Alternative Name (SAN)
Allows a certificate owner to specify additional domains and IP addresses to be supported
Public Key Pinning
Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user's web browser as part of the HTTP header
OCSP Stapling
Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake
Locally Shared Object (LSO)
Also known as Flash cookies, they are stored in your Windows user profile under the Flash folder inside of your AppData folder
Attribute-Based Access Control (ABAC)
An access model that is dynamic and context-aware using IF-THEN statements • If Jason is in HR, then give him access to \\fileserver\HR
Hardware Security Module (HSM)
An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage
Kerberos
An authentication protocol used by Windows to provide for two-way (mutual) authentication using a system of tickets Kerberos • Port 88 § A domain controller can be a single point of failure for Kerberos
Certificate Formats: • PEM
most common cert format. ◦ Can include both the cert and private key in one file or can be separate file ◦ Extensions include .pem, .crt, .cer, .key
• Subject
name of the certificate (DN, CN, 0, OU)
• Trusted
network over which the organization has control
Bastion Hosts
Hosts or servers in the DMZ which are not configured with any services that run on the local network § To configure devices in the DMZ, a jumpbox is utilized
Session Layer (Layer 5)
Manages the establishment, termination, and synchronization of a session over the network (creates unique connection over internet)
• Least Privilege:
Assigning the minimal rights and permissions needed to accomplish a task
Double Tagging
Attacker adds an additional VLAN tag to create an outer and inner tag § Prevent double tagging by moving all ports out of the default VLAN group
Switch Spoofing
Attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN
Caching Proxy
Attempts to serve client requests by delivering content from itself without actually contacting the remote server • Disable Proxy Auto-Configuration (PAC) files for security
Unnecessary Port
Any port that is associated with a service or function that is non-essential to the operation of your computer or network
Network Zones DMZ
Any traffic you wish to keep confidential crossing the internet should use a VPN. Focused on providing controlled access to publicly available servers that are hosted within your organizational network. Sub-zones can be created to provide additional protection for some servers
OAuth 2.0 Process:
App requests authorization from the user to access account resources -> if user authorizes request, the app receives an authorization grant -> app requests an access token from the authorization server (via an API) by presenting its creds and the authorization grant -> if the app Identity is accepted and the authorization is grant is valid, the authorization server issues an access token to the application -> the application presents the access token to the resource server and requests access. If valid, the resource server serves the resource to the application.
Certificate Request Process:
Applicant generates a public/private key pair (by going to CA site) -> applicant submits cert request with all identifying info and their public key -> the CA (or RA) validates identity of the applicant -> the CA generates a cert and signs it with THEIR PRIVATE KEY (this will ensure validated by them) -> The CA (or RA) sends the cert to the applicant
Security Zones: • Untrusted:
networks over which the organization has no control (eg: internet)
• Channel Overlap
number of access points that overlap on a single channel in a given area
Advanced Security Options
Browser configuration and settings for numerous options such as SSL/TLS settings, local storage/cache size, browsing history, and much more
• Users
number of anticipated users - estimate 3-5 devices per user - to determine # of access points
• Number of access points:
number of audible access points
Certificate Validity: • Certification Revocation List (CRL):
CA maintained list of certs that have been revoked ◦ Pull model - CRL is downloaded by the user or org ◦ Push model - CRL is automatically sent out by the CA in regular intervals
Atomic Execution
Certain operations that should only be performed once or not at all, such as initializing a memory location
• CHAP and MS-CHAP:
Challenge Handshake Authentication Protocol: relies on challenge text and a hashing algorithm. ◦ Authentication is initialized by the server and can be performed repeatedly throughout the session. ◦ MS-CHAP is Microsoft's version of CHAP that extends functionality for Microsoft networks. ◦ CHAP Process WalkThrough: ‣ User enters login name and password at login screen ->Workstation (WS) sends username (not password) to the authentication server -> The authentication server (AS) verifies that the username exists in its DB, generates a unique string of challenge text, and sends to the user -> The WS login process receives the challenge text. The WS hashes the user password, appends it to the challenge text, and hashes the entire string -> WS sends the hash value to the AS -> The AS looks up the user account and extracts the stored hash value of the users password, appends it to the challenge text, and hashes the entire string -> AS server compares its calculated hash value with the hash value received from the user. -> if hashes are identical, the user is successfully authenticated. If hashes are different, the authentication fails
Disk encryption: Trusted Platform Module (TPM)
Chip residing on the motherboard that contains an encryption key § If your motherboard doesn't have TPM, you can use an external USB drive as a key
VPN Protocols: • L2TP
Cisco's implementation of secure communication over a VPN ◦ Combines layer 2 forwarding and PPTP ◦ can be used on IP and non-IP networks
• Infrastructure as a Service (IaaS):
Computing resources ("bare metal")
3 Cloud Service Models: • Software as a Service (SaaS):
Computing resources + Operating System + Application
• Platform as a Service (PAAS):
Computing resources + Operating System + Optional Database
• Assurance
Configuration and rule-set audit, scanning, penetration testing
• P&B/PKCS#7:
Contains cert but not the private key (base64 encoded ASCII) ◦ Extensions include .p7b, p7c
Virtual Private Endpoints:
virtual devices that allow secure communication between instances and services in a VPC. ◦ Traffic is never internet exposed
5 Defining Cloud Characteristics (when evaluating cloud providers, these are the characteristics that really define them): • On-Demand Self-Service:
Customer can unilaterally provision computing capabilities as needed, automatically
VPN Concentrator
Specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers
Extranet
Specialized type of DMZ that is created for your partner organizations to access over a wide area network
Virtual Network Computing (VNC)
Cross-platform version of the Remote Desktop Protocol for remote user GUI access § VNC requires a client, server, and protocol be configured. Port 5900
digital certificates: X.509
Standard used PKI for digital certificates and contains the owner/user's information and the certificate authority's information
DAC Access Permissions:
DAC file system permissions can be explicit (assigned) or implicit (inherited). ◦ User Permissions are assigned to a user account ◦ Group permissions are assigned to the group and are inherited by each member of the group. ◦ Inherited Permissions: refer to permissions that flow from parent to child directories and files. ◦ Cumulative permissions: are the combination of all users and groups assigned and inherited permissions. ◦ The exception is the explicit deny permission which overrules all other assigned permissions. We see this in windows environment
Host-based Data Loss Prevention: • Endpoint Data Loss Prevention (DLP):
DLP technologies locate and catalogue sensitive data based on a predefined set of rules or criteria. DLP enforces policies related to user interaction with sensitive data including: ◦ Copying/moving a sensitive file to an external USB media device, network share, or cloud service. ◦ Printing a sensitive file ◦ Copying sensitive content to the clipboard ◦ Accessing a sensitive file by an unalloyed application ◦ Changes to sensitive files
Bus Encryption
Data is encrypted by an application prior to being placed on the data bus § Ensures that the device at the end of the bus is trusted to decrypt the data
• IPSec
Defacto standard for IP-based VPNs ◦ Requires third-party client software IP security is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication over an IP network. ◦ Can be host-to-host, host-to-site, or site-to-site connections ◦ It is the defacto standard for IP-based VPNs ‣ Native to IPv6 and an add on to IPv4 ◦ Use case: to provide integrity, authentication, confidentiality, and non-repudiation by using cryptographic controls
Data Link Layer (Layer 2)
Describes how a connection is established, maintained, and transferred over the physical layer and uses physical addressing (MAC addresses, switches) § Frames (bits are grouped into frames then sent over network)
• Internet Key Exchange (IKE):
Device authentication and establishing Security Association
Voice Over Internet Protocol (VoIP)
Digital phone service provided by software or hardware devices over a data network (Replaces pbx)
• DNSSEC
Domain Name System Security. The domain name service (DNS) is used to resolve domain names (eg: cnn.com) and associated hosts to IP addresses. ◦ DNS Security Extensions (DNSSEC) was designed to protect applications (resolvers) from using forged or manipulated DNS data caused by DNS poisoning (remember: poisoning is when attacker manipulates a trusted source of data). ◦ DNSSEC is a set of extensions to DNS that includes digitally signing zone data assuring its validity. ◦ Caveat: in order to eliminate the vulnerability from the internet, DNSSec must be deployed at each step in the lookup all the way from root zone to final domain name. ◦ DNS uses TCP port 53, DNSSec also runs here. ◦ Use case: secure domain name resolution.
Defending servers
Email servers are a frequent target of attacks for the data they hold o Web servers should be placed in your DMZ
Cumulative DAC ACL Matrix:
Explicit Rights: File A: File B: File C: Bob (Owner) Full Control Full Control Full Control Alicia Read, Write Read Only No assignment Accounting Read Only Read, Write, DeleteExplicit Deny • assuming bob and Alicia are members of the group Accounting then the cumulative permissions will be as followed: Cumulative Rights (from above): File A: File B: File C: Bob (Owner)Full Control Full Control Explicit Deny Alicia Read, Write Read,Write,Delete. Explicit Deny • since the explicit deny is for the accounting dept, and since Bob, the owner, is apart of the accounting department, he will get explicit deny. Because he's owner, he COULD go back and change that, but that's how the permissions would work without changing bc explicit deny overrides other permissions.
• Content Dependent
Filter based on the data being acted upon. Enforcement is Keywords, Categories. (Ex: if you wanna go to internet, if you have any filtering, ex: violence, guns. Based on categories and keywords of the object will determine if you can get access)
NAT Filtering
Filters traffic based upon the ports being utilized and type of connection (TCP or UDP)
Web Application Firewall
Firewall installed to protect your server by inspecting traffic being sent to a web application § A WAF can prevent a XSS or SQL injection
Firewalls
Firewalls screen traffic between two portions of a network § Software § Hardware § Embedded Application-layer gateway conducts an in-depth inspection based upon the application being used Most operate at Layer 3 (blocking IP addresses) and Layer 4 (blocking ports)
• Host-Based intrusion detection (HIDS) and Prevention (HIPS) System:
HIDS/HIPS monitor, analyzes and reports on local and network behavior. HIPS can be configured to take a corresponding action.
HTTP headers
HTTP response headers can be used to define weather a set of security precautions should be activated or deactivated on the web browser
Network base ids (nids)
Hardware installed on network or switch
• Broad Network Access
Heterogeneous thin or thick client platforms
Secure Communications Protocols: ◦ HTTPS:
Layer SSL/TLS on top of HTTP (port: 443)
Application Layer (Layer 7)
Layer from which the message is created, formed, and originated § Consists of high-level protocols like HTTP, SMTP, and FTP
• LDAP/LDAPS:
Lightweight Directory access Protocol: is a vendor-neutral protocol for accessing and maintaining distributed directory information services. ◦ Directory Service: is a centralized collection and and distributed database (its also sometimes referred to as a domain) of user data, computers, and trusted entities. ◦ LDAPS (LDAP over SSL(TLS)) is used to protect LDAP credentials (TCP port 636) ◦ Microsoft Active Directory (AD) is Microsoft's implementation of LDAP in conjunction with Kerberos (TCP port 389). It IS secure using Kerberos. ◦ Use case: manage objects and users including trust relationships, authentication, rights and permissions.
Processor Security Extensions
Low-level CPU changes and instructions that enable secure processing
Transport Layer (layer 4)
Manages and ensures transmission of the packets occurs from a host to a destination using either TCP or UDP § Segments (TCP) or Datagrams (UDP) (packets formed into these)
Physical Layer (Layer 1)
Represents the actual network cables and radio waves used to carry data over a network § Bits
• Screen locks
Requirement that the screen lock after "x" minutes of inactivity ◦ Force deauthentication
Distinguished Encoding Rules (DER)
Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509
Login Controls: • Time of Day:
Restriction based date and/or time
Port Address Translation (PAT)
Router keeps track of requests from internal hosts by assigning them random high number ports for each request
Routers
Routers operate at Layer 3 o Routers Used to connect two or more networks to form an internetwork § Routers rely on a packet's IP Addresses to determine the proper destination § Once on the network(destination network), it conducts an ARP request to find final destination
S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME is a protocol for sending digitally signed and encrypted emails ◦ Encryption: confidentiality, digital signature (integrity, non-repudiation)
◦ Secure IMAP
Secure Internet Message Access Protocol (port: 993)
AMD
Secure Memory Encryption (SME) Secure Encrypted Virtualization (SEV) (Built into microprocessor)
◦ Secure POP3
Secure Post Office Protocol (SSL-POP, POP3S) (port: 995)
• SRTP
Secure Real-Time Transport Protocol. is an extension of real-time transport protocol (RTP) that incorporates enhanced security features for voice over IP (VoIP), audio, and video transmissions. ◦ uses encryption and authentication to minimize risk of denial of service and replay attacks. ◦ Use case: secure voice and video
• SSH
Secure Shell. ◦ Used to administer systems remotely, provide a command shell on a remote network, or tunnel other protocols (TCP port 22)
◦ Secure SMTP
Secure Simple Mail Transport Protocol (SMTP-SSL) (port: 465, 587)
◦ SSH
Secure channel between local and remote device (includes SFTP) (secure shell) (port: 22)
• Security Parameter Index (SPI):
Security Association Identifier
NIST SETA Model:
Security Education, Training, and Awareness. Look at notes here
Perimeter Security
Security devices focused on the boundary between the LAN and the WAN in your organization's network § Perimeter security relies on several different devices
Network Access Control (NAC)
Security technique in which devices are scanned to determine its current state prior to being allowed access onto a given network § If a device fails the inspection, it is placed into digital quarantine. NAC can be used as a hardware or software solution o IEEE 802.1x standard is used in port-based NAC
VLANs
Segment the network o Reduce collisions o Organize the network o Boost performance o Increase security
Defending Servers o File Servers
Servers are used to store, transfer, migrate, synchronize, and archive files for your organization
• SNMP
Simple Network Management Protocol is used to manage and monitor IP devices. ◦ Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, and printers. ◦ Components include: managed devices, agents, and a management station. ◦ Version 3 (SNMPv3) added cryptographic security features and is a replacement for clear text v1 and v2. V1 and V2 are not considered secure. ◦ Agents listen on UDP port 161. Mangers receive notifications (traps) on UDP port 162. ◦ Use case: manage and monitor IP devices including switches and routers.
Add-Ons
Smaller browser extensions and plugins that provide additional functionality to the browser
personal firewall
Software application that protects a single computer from unwanted Internet traffic § Host-based firewalls § Windows Firewall (Windows) § PF and IPFW (OS X) § iptables (Linux)
host-based intrusion detection system (HIDS)
Software on computer or server. IDS can only alert and log suspicious activity... o IPS can also stop malicious activity from being executed o HIDS logs are used to recreate the events after an attack has occurred
Secure Enclave
The extensions allow a trusted process to create an encrypted container for sensitive data
Basic Encoding Rules (BER)
The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized
• Resource Pooling:
The providers computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources ◦ Location independence ◦ Location abstraction (country, state, data center)
Intel
Trusted Execution Technology (TXT) Software Guard Extensions (SGX)
Internet Content Filter
Used in organizations to prevent users from accessing prohibited websites and other content
OSI Model
Used to explain network communications between a host and remote device over a LAN or WAN Please Do Not Throw Sausage Pizza Away Physical Data Link Network Transport Session Presentation Application
Password Authentication Protocol (PAP)
Used to provide authentication but is not considered secure since it transmits the login credentials unencrypted (in the clear)
Challenge Handshake Authentication Protocol (CHAP)
Used to provide authentication by using the user's password to encrypt a challenge string of random numbers
SAML Process:
User uses a web browser to access a web app and attempts to authenticate -> The web app service provider (SP) requests an assertion from the identity provider about the user -> the identity provider (IdP) prompts the user for creds (single or mfa) -> user provides creds to IdP -> is user creds are accepted, the IdP submits an assertion (secure token) to the service provider (SP) -> the SP identifies the authorization level of the user and provides the appropriate level of access
WPA3 - Enterprise Mode
Uses AES-256 encryption with a SHA-384 hash for integrity checking
WPA3 - Personal Mode
Uses CCMP-128 as the minimum encryption required for secure connectivity Largest improvement in WPA3 is the removal of the Pre-Shared Key (PSK) exchange
Non-Persistent Agents
Uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan
Network Layer (Layer 3)
Uses logical address to route or switch information between hosts, the network, and the internetworks § Packets (frames grouped into packets) (Ex types: IP address)
Subject-Based Access: • Mandatory Access Control (MAC):
access is based on the relationship between subject clearance and need-to-know, and the object classification level. Objects are given classification levels, subjects are assigned a clearance level. Ex: a subject might be given secret clearance, an object might be given secret classification as well, and the relationship matches between the two. They need the same level AND the need-to-know. Enforcement is by security labels of clearance and classification levels. Clearance belongs to subjects, classification belongs to objects.
Simple RBAC ACL Matrix
access is based on the subjects assigned roles. Role: File A: File B: File C: Accountant Read,Write Read,Write Read CFO Read,Write,Delete Read Full Control • If bob is assigned both the accountant and CFO role then his permissions are: Rights: File A: File B: File C: Bob Read,Write,Delete Read,Write Full Control
Wireless Access Point (WAP or AP):
acts as a sender and receiver of wireless signals. ◦ An access point bridges wired and wireless IP traffic
• SAN
additional information about the subject
• Building
age and construction materials (impact signal strength)
• Physical
a physically isolated network is completely disconnected from any other network, period. ◦ Use case: creating digital code certificates
Key escrow is a(n) ________.
a proactive arrangement in which keys needed to decrypt data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
Physical Isolation Options: • Air Gapped:
air gapped network is isolated from any wired or wireless untrusted network to any other computers that connect to an untrusted network (including the internet). ◦ Use case: industrial control systems (ICS)
Forward Secrecy:
a protocol employed to ensure that if a private key was compromised, all previous uses of the key would remain secure. This effectively protects past sessions against future compromises. ◦ achieved by using temporary key pairs to secure each session, they are generated as needed, held in RAM during the session, and discarded after use.
• Enclave
a restricted network within a trusted network
• Algorithm
algo used to sign the cert
• Logical
a virtual local area network (VLAN) logically compartmentalizes the networks into segments which can be restricted ◦ The physical port and switch they are connected to is associated with a specific VLAN (not to be confused with virtualization) ◦ Use case: third party access ◦ Users can be physically anywhere but will connect them to specific switches so that they all have same policies
Wi-Fi Heat Map:
a visual representation of the wireless signal coverage and strength. Can be used in predictive way or also be used to troubleshoot a current wireless network.
Access Management Concepts: • Rights:
ability of a subject to take an action (eg install software)
Digital Certificate Lifecycle:
all digital Cert's have a finite lifespan from enrollment to expiration. • Cert's are valid for one year, they need to be renewed at the end of their life • There are scenarios where a cert needs to be replaced or retired early (eg: compromise of private key, organizational changes, no longer needed)
Simple MAC Security Label Matrix:
access is based on the relationship between subject clearance and need-to-know, and the object classification level. Object: Object Classification:Subject Clearance:Need-To-Know: File A Top Secret, Top Secret, Yes File B Secret, Top Secret or Secret, Yes File C Confidential Top Secret, Secret, Confidential Yes
Key Management
describes the activities involving the handling of cryptographic keys and other related security parameters (eg passwords) during their lifecycle. ◦ Includes generation, exchange, storage, use, strength, cryto-shredding (destruction), and replacement
• Capacity Health:
determines if the network meets capacity requirements
• Kerberos
a cryptographic authentication system that provides secure mutual authentication ◦ 3 components in the system: user, Kerberos server (3 components: key distribution center, authentication server, ticket granting system), resource (the resource the user is interacting with) ◦ Kerberos process walkthrough: ‣ Initial CHAP based authentication between the user and the Kerberos server -> The Kerberos ticket granting server (TGS) generates a ticket granting ticket (TGT) -> The TGT access token is provided to the user. The TGT is protected using symmetric key cryptography. -> when user attempts to access trusted resource, the user sends a copy of the TGT back to the KDC with details of the request -> the KDC validates the TGT and generates a limited lifetime session ticket. The KDC sends the session ticket back to the user -> the session ticket has 2 encrypted halves (one for the user and one for the resource server) containing authentication details and symmetric session key. -> the user decrypts his half of the session ticket, writes (again) the details of resource request, encrypts it with the session key, and sends the session ticket to the resource server. -> the resource server decrypts its half of the ticket, verifies the details of the request and uses the decrypted session key to decrypt the user request. If matching, the user is authenticated to the resource server. -> using the session key, the resource server encrypts a portion of the users authentication data and sends the encrypted data back to the user. -> if the user can successfully decrypt the message, the mutual authentication is successful. ◦ Kerberos Security: ‣ Kerberos server should be a hardened single purpose server. (In Microsoft environment, we call it a domain controller) • The Kerberos server should be implemented in high availability mode to prevent it from being a single point of failure. If only one authentication server and that server fails, everyone is out of luck.
‣ Collector
a device that performs targeted collection which feeds into an aggregation or correlation engine.
• Extranet
a network accessed by authorized external users generally for the purpose of doing business
• Screened subnet:
a network with connections to both untrusted and trusted networks (formerly known as DMZ)
Measured Boot
allows a trusted device on the network to verify the integrity of a system during the boot process. Here we need two systems, the system that is boot up and another trusted system within the environment. ◦ Each component, from EUFI firmware up through the boot start drivers is measured and those measurements are stored in the Trusted Platform Module (TPM). The system makes available a log that can be tested remotely to verify the boot state of the client. ‣ Use Case: The measured boot process provides anti-malware (AM) software with a trusted log of all boot components that started before AM software. AM software can use the log to determine whether components that ran before it are trustworthy or if they are infected with malware. The AM software on the local machine can send the log to a remote server for evaluation.
key management system
allows management of cryptographic keys and use to encrypt or decrypt data. However, you cannot view, extract, or export the key material itself.
‣ Split tunneling:
allows the routing of some traffic over the VPN while letting other traffic directly access the internet.
Secrets Manager
allows you to store, manage and access secrets as blobs (binary large object) or text strings. ◦ With appropriate permissions, you can view the contents of the secret.
• Geography
an area of the world containing at least one region ◦ Geography defines a discrete market that preserve data residency (sovereignty) and compliance boundaries ◦ Geographies allow customers with specific data-residency and compliance needs to keep their data and applications close ◦ Geographies are fault tolerant to withstand complete region failure through their connection to dedicated high capacity networking infrastructure
Intrusion Detection and Prevention:
an intrusion is any activity or event that attempts to undermine or compromise the confidentiality, integrity, or availability of resources. ◦ Intrusion Detection: process of monitoring for an intrusion ◦ Intrusion Detection System (IDS): monitors and reports on intrusion attempts ◦ Intrusion Prevention System (IPS): monitors, reports on, and responds to intrusion attempts ◦ IPS/IDS can be network based (NIDS/NIPS) or host based (HIDS/HIPS)
• Rule Based:
analyzes behavior for violation of preconfigured rules
• Reverse Proxy:
appears to the client just like an ordinary web server. ◦ The proxy caches all the static answers from the web server and replies to the clients from its cache to reduce the load on the web server. ◦ This configuration is also known as Web Server Acceleration
◦ Subjects
are active entities, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state.
• Buckets
are containers that hold objects and are used to organize data ◦ Buckets cannot be nested
◦ Security Zones:
are divisions of the network based on functional, performance, and/or security requirements.
Cloud Security Controls
are implemented to support confidentiality, integrity, availability, resiliency, and performance ◦ Cloud security controls should take into consideration the cloud platform and service delivery model and be in alignment with organizational policies, standards, and requirements
• objects
are individual stored pieces of data. ◦ Have two components: data and metadata (data about data)
• Membership
are membership assignments correct?
◦ Objects
are passive entities (resource) that contain or receive information or instructions.
SSL Decryptors
are perimeter devices used to decrypt SSL/TLS packets, inspect the contents, re-encrypt, and forward the packet. ◦ This is problematic because the typical expectation is that the packet is to remain encrypted all the way to the destination ◦ SSL decryptors can be built into the firewall or function as a stand-alone appliance
◦ Resource based policies:
are tagged to a specific resource and define who has access to the resource and what they can do.
• Permissions
are the explicit/inherited permissions appropriate? ◦ Is there evidence of authorization creep? - getting more and more rights and permissions as they move around the company and within jobs. We often forget to take those old permissions away.
Digital Certificates:
are the mechanism used to generate a private key and to associate a public key with a collection of components sufficient to authenticate the claimed owner. (Used to generate a private key and to bind a public key to its owner) • the certificate is issued by a trusted certification authority, a web of trust, or self-generated and self-signed • The certificate is a unique id for users, devices, applications and services
◦ AAA protocols:
are used for verifying the user (authentication), controlling access to a resource (authorization), and monitoring network resources and information needed for billing of services (accounting)
AAA Protocols
are used for verifying the user (authentication), controlling access to a resource (authorization), and monitoring network resources and information needed for billing of services (accounting). ◦ RADIUS: Remote Authentication Dial-In User Server ◦ TACAS+: Terminal Access Controller Access Control System
◦ Identity based policies
are user, group, or role designated and define what the identity can do.
• Context-aware:
authentication requirement based on activity (eg: access to a specific resource or application)
• Fuzzing
automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called fuzz, and monitoring the application response.
• Behavior Based:
behavior based anomaly decisions rely on predicted norms and deviations ◦ Can be learned over time and/or start with a set of assumptions ◦ Requires fine tuning
• DER
binary form of a PEM ◦ Extensions include .cer, .der
• Separation of duties:
breaking a task into segments so that no one subject is in complete control
hardware security module (HSM)
can be used to store cryptographic keys in tamper resistant hardware providing logical and physical protection (plug-in card or external device)
• Clean Room:
clean room network is a physically isolated network located in a secured room or facility. ◦ Use case: bio-weapon or military research
• Remote Wipe
clean the device ◦ Command sent to a remote device to delete all or selected content ◦ Resent to factory setting
Database Privacy Concerns: • Data Warehousing
combines data from multiple sources into a large database with the purpose of extensive retrieval and trend analysis.
• Logging
configuration of logs, log review, and log archive
• SSL/TLS VPN
connection to a single host (tunnel) or gateway (portal) ◦ Connection via a browser
• PFX/PKCS#12:
contains certificate, intermediate certificate, and private key (binary) ◦ Extension includes .pfx, .12
• Heuristic
continually trains on network behavior and can continually alter detection capabilities based on learned knowledge **most IDS/IPS systems use a combo of these approaches**
• Content Management:
control access to business content ◦ Enforce user permissions required to access/annotate content ◦ Automatically push files to devices
Content Management: • Application Management:
control application installation (APP Catalogue) ◦ Enforce user permission required to install and update APP's ◦ Automate transparent downloads and updates
• Push Notification:
control push notifications ◦ Push notifications are pop-ups - alerts or customized messages
• Endpoint Port Blocking:
controls and manages access to removable devices including: ◦ Requiring encryption, limits file types, limits file size ◦ Providing detailed forensics on device usage and data transfers by person, time, file type, and amount
Cloud Encryption Options: • Data-at-rest:
data is encrypted as soon as it is written to disk
• Discretionary Access Control (DAC):
data owners decide subject access. Enforcement is by access control lists and capabilities tables.
• Valid From/To:
date range in which the cert is valid
◦ North-South Traffic:
describes client to server traffic that moves between the data center and a location outside of the data center network.
Enrollment-Certificate Authority:
digital Cert's are issued by commercial trusted parties, called certificate authorities (CA). ◦ Browsers and devices trust CA's by accepting the root certificate into its root store - essentially a database of approved CA's that come pre-installed within the browser or device. ◦ CAs use these pre-installed root Cert's to issue intermediate root Cert's and entity digital certs ◦ The CA receives certificate requests, validates the applications, issues the certificates, and publishes the ongoing validity status of issued certs.
Issuance
digital Cert's can be issued by a commercial entity or self-generated
Enrollment Self-Generated:
digital certs can be self-generated and self signed. ◦ A self signed cert can be easily impersonated ◦ Presents a warning message when used ◦ Cannot be revoked. ◦ Use case: internal development. Perhaps want to test out a HTTPS site on an internal server before going into staging/test environment. ◦ Note: self-generated certs can also be signed and validated by other users - referred to as a web of trust
◦ Code signing
digitally signing executables and scripts to confirm authenticity and integrity
• Access
does user activity correlate to job functions? Are there privacy violations?
• Data Center:
east-west microsegmentation
Cloud Storage:
enables orgs to store and manage data as a service. • objects and buckets are considered resources • Cloud storage is generally redundant within at least one geographic area ◦ Geo-redundancy means that the object is stored in two separate locations.
Mobile device management:
encompasses deploying, securing, monitoring, integrating, and managing mobile devices in the workplace.
• Server-side:
encryption that occurs as soon as the data is received (prior to being written to disk)
• Client-side:
encryption that occurs before the data is sent to cloud storage (the data arrives encrypted) ◦ Notes: ‣ Encryption keys should be stored separately from the encrypted data to ensure data security ‣ Key backups also should be kept offsite and audited regularly
• DLP
enforce DLP policies ◦ Controls "open in" - when you open a file and it asks you what app you want to open it in ◦ Copy and paste restrictions
• Biometrics
enforce biometric policies ◦ Enable biometric authentication ◦ Control enrollment
Authentication: • Passwords and Pins:
enforce password policies ◦ Require and/or override password/pin ◦ Password characteristics ◦ Password lockout functionality
• Static Code Analysis:
examination of non-running code (static) for vulnerabilities
• Dynamic Analysis:
examination of running code for vulnerabilities (always automated)
Code Security Assessment: • Security Code Review:
examine source code to verify that the proper security controls are present and work as intended.
◦ Unified Endpoint Management (UEM):
extends the functionality of MDM to IoT devices and wearables
Mobile Connectivity:
facilitates portable (mobile) device communication. ◦ A mobile device is a generic term for any legacy or emerging device that is portable and has interactive and connectivity capability - for example, a laptop, a tablet, a smartphone, gaming console, e-reader, wearables. ◦ Communications networks that connect these devices are loosely termed wireless technologies ◦ They enable mobile devices to share voice, data applications (mobile apps) as well as connect to trusted and untrusted networks.
◦ Mobile Application Management (MAM):
focuses on the management of mobile applications
RFID (Radio Frequency Identification):
is a method of data collection using low-power radio waves. ◦ Data is sent and received with a system consisting of RFID tags, an antenna, an RFID reader, and transceiver ◦ Often used for equipment tracking and inventory ◦ The reader is a device that has one or more antennas that emit radio waves and receive signals back from the RFID tag. Readers can be mobile so that they can be carried by hand, or they can be mounted on a post or overhead. Reader systems can also be built into the architecture of a cabinet, room, or building. ◦ Tags can be passive or active. Passive RFID tags are powered by the reader and do not have a battery. Active RFID tags are powered by batteries.
interface endpoint
is a network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.
HSM (Hardware Security Module):
is a physical device whose function is secure cryptoprocessing. ◦ HSMs take the form of adapter cards, USBs, or appliances. ◦ HSMs can be clustered for high availability ◦ HSMs are fast, scalable, and expensive ◦ Use Case: used for encryption during secure login/authentication processes, during digital signings of data (eg: certification authority), and for payment security systems (eg: ATMs).
Hexadecimal
is a positional number system that uses base 16. To represent the values in readable format, this system uses 0-9 to represent values from zero to nine and A-F to represent values from ten to fifteen.
Wireless Fidelity (Wi-Fi) Network:
is a radio frequency network that requires a connection be established. ◦ Most mobile devices allow for automatic switching between Wi-Fi and cellular networks depending upon availability and user preference ◦ Range depends on the frequency band, radio power output, antenna gain, and antenna type as well as the modulation technique
Security Key
is a second factor cryptographic device. ◦ Has hardware chip designed to resist physical attacks aimed at extracting firmware and secret key materials ◦ Security keys are available in multiple form factors: USB-A, USB-C, Lightning, Bluetooth, and Near Field Communications (NFC) ◦ Ex: google titan security key
Network Appliances: • Appliance:
is a self contained resource that provides a specific function. ◦ Two of those functions are being:
◦ Firmware
is a set of instructions programmed in a hardware device - typically flash "read only memory" (ROM)
Public Key Infrastructure (PKI):
is a set of people, systems, policies, and procedures that support the distribution and use of public keys and digital certificates. • Organizations implement PKI to enable the use of encryption, authentication, and digital signatures for various applications • PKIX working group was established in the fall of 1995 with the goal of developing internet standards to support X.509-based Public Key Infrastructure (PKIs). ◦ Current version of X.509 is v3 • Public Key Cryptography Standards (PKCS): is a set of voluntary standards created by RSA and other industry leaders.
Internet Protocol (IP):
is a set of rules for routing and addressing packets of data - it is the language of the internet. ◦ originally designed for basic data connectivity.
NFC (Near Field Communication):
is a short range wireless technology that requires close proximity and/or device contact. ◦ NFC is rooted in RFID technology ◦ Range is less than 20cm ◦ NFC is used in commerce (contactless payment like ApplePay), smartphone (sharing contacts, photos, videos, files), identity and access tokens and gaming ◦ Security concerns include eavesdropping, interception and theft.
Wireless USB:
is a short-range, high bandwidth radio bus communication protocol. ◦ Range is 3-10 meters ◦ Wireless USB is used in game controllers, printers, scanners, digital cameras, portable media players, hard disk drives, and USB flash drives.
Bluetooth
is a shortwave radio low power technology based on the 802.15 standard ◦ Originally designed to replace RS-232 data cables ‣ Range is 10-24m depending upon the version ‣ Bluetooth uses include headsets, hearing aids, wireless speakers, PC input/output, health sensors, real-time location systems, GPS receivers, bar coders, traffic control devices, and game consoles. ◦ Bluetooth is subject to both bluejacking and bluesnarfing ‣ Bluejacking is injecting an unsolicited message ‣ Bluesnarfing is unauthorized device access through a Bluetooth discovery connection.
◦ Open Standard:
is a standard that is publicly available and can be freely adopted and extended.
Point-to-multipoint (P2MP):
is a star topology for outdoor wireless networks to connect multiple locations to one central location. ◦ Examples include wireless internet service providers, VoIP, and outdoor video surveillance systems using radio or microwave frequencies. ◦ The channels capacity is shared among the devices connected to the link
• NTLM (NT LAN Manager):
is a suite of Microsoft protocols used for authentication. ◦ NTLM uses challenge response (similar to CHAP) for authentication ◦ Hashed password values are stored on the server not salted (just the pass itself) and are vulnerable to BFA (brute force attacks) ◦ NTLM is also vulnerable to "Pass-The-Hash" attacks where captured creds from one machine can be successfully used to gain control of another machine. ◦ Microsoft recommends not using NTLM anymore and disabling backwards compatibility ◦ Kerberos is the preferred authentication
◦ OCSP stapling
is a time-stamped (cached) OCSP response
◦ Extensibility
is additional functionality or the modification of existing functionality without significantly altering the original structure or data flow.
SSL/TLS Accelerator
is an ASIC appliance that sits between a user and a server, accepting SSL/TLS between a user and a server, accepting SSL/TLS connections from the client and sending them via a private network to the server unencrypted (so the server doesn't have to go through process of encryption/decryption).
◦ FTPS (File Transport Protocol Secure)
is an extension of FTP that adds support for SSL/TLS in order to encrypt the file transfer channel (TCP port 990 or 21)
Endpoint Security
is the process of securing endpoint hosts on a network including mobile, desktop, and data center devices. ◦ Hardening: is the ongoing process of configuring security settings, applying security patches, and implementing least functionality in order to reduce the system footprint, minimize vulnerabilities, and exposure to threats. ‣ The principal of least functionality is that systems and devices should be configured to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and services.
Hypertext Transfer Protocol (HTTP)
is the underlying protocol used by websites and defines what actions browsers and web servers should take in response to commands. ◦ HTTP is a clear text protocol and subject to eavesdropping, replay, and MitM attacks
◦ IP Convergence:
is the use of the internet protocol (IP) as the standard transport for transmitting all information (voice, data, music, video, TV, teleconferencing, and so on) ‣ In order to make these happen, the original structure of IP needed to be modified and added to
Auditing Concepts: • Account:
is this a valid user/service account? Are any accounts inactive?
◦ Transport Mode:
is used for end-to-end protection between client and server. Assuming here there's no direct connection and that the packet has to make multiple hops through multiple routers. ‣ Only the IP payload is encrypted. The header/routing info is all available.
File Transport Protocol (FTP)
is used for file access, file transfer, and file management. ◦ Authentication data and the payload are transmitted in clear text and subject to eavesdropping, replay, and MitM attacks
◦ Mobile device management software (MDM):
is used to control deployment, manage settings (policies), and report on activity and usage
MDM Software
is used to control deployment, manage settings (policies), and report on activity and usage. • MDM control categories include: ◦ Device tracking ◦ Data protection ◦ Authentication ◦ Application and content management • MDM solutions can be local or cloud based
Transport Layer Security (TLS) (443)
is used to establish a secure communication channel between two TCP sessions using a cryptographic key exchange. ◦ Source contacts a destination and says "I'd like to make a connection", destination says "okay we need to establish a secure session", then they do a cryptographic key exchange which will let them establish a session. ◦ TLS is the successor and recommended replacement for SSL ◦ TLS 1.1 or higher should be used as TLS 1.0 has been broken
Secure Socket Layer (SSL) (443)
is used to establish a secure communication channel between two TCP/IP sessions by negotiation. ◦ A computer sends a request to a destination and says "I'd like to make a connection with you". The destination says "okay, well we need a secure connection" and computer says back "okay, well let me tell you what I'm capable of" then based on that they negotiate an encrypted session. ◦ In 2015 SSL 3.0 was deprecated. New vulnerabilities continue to be discovered. SSL 2.0 and 3.0 should be disabled. A lot of times orgs will leave the old ones on for backward-compatibility but this is really dangerous.
• Usage
is user activity and resource utilization within normal boundaries?
Isolation
is when zones, devices, sessions, or even components need to be segregated, so as to not cause harm to be harmed.
• Availability Zone
isolated location within a region ◦ Zone is made up of one or more data centers equipped with independent power, cooling, and networking
◦ FTPS
layer SSL/TLC on top of FTP (file transport protocol) (port: 990)
• CRL distribution:
location of the certificate revocation list
Zero Trust:
means that no one is trusted by default from any zone. ◦ These networks utilize microsegmentation ◦ Verification (multi factor authentication) is required from all subjects trying to gain access to objects on the network. ◦ Zero trust networks enforce least privilidge access
Sandbox
mechanism used for separating running programs. ◦ Sandbox memory and processor environment is isolated from all other running processes. ◦ Use Cases: ‣ URL Sandboxes can be used to inspect URL connections before allowing user access. ‣ Email sandboxing can be used to inspect attachments before allowing the user access. ‣ Sandboxes can be used by developers to examine and test code.
‣ Thin access points
minimize device intelligence and offload configuration features and management to an associated controller.
Cloud Management
refers to administrative control over public, private, hybrid and multi-cloud deployments. ◦ A cloud management platform is a suite of integrated software tools that an enterprise can use to monitor and control cloud computing resources. ‣ Components include automation, orchestration, security, governance (policies), compliance, performance monitoring and cost management. ◦ A cloud management platform can be native or specific to a certain cloud provider or platform, or available from a third-party vendor. ‣ Generally, a management platform that supports multi-cloud deployments will be from a third-party
◦ Hardware
refers to physical components of a computer such as CPU, motherboard, monitor
Cloud Bursting:
refers to the on-demand and temporary use of the public cloud when demand exceeds resources available in the private cloud or on-premise infrastructure. ◦ Hybrid Cloud: describes a mixed use of on-perm infrastructure, private cloud, and public cloud platforms with orchestration among the providers ◦ Hybrid model allows organizations to maintain control of sensitive data while taking advantage of cloud features and functionality.
Topology and Security Zones: • Topology:
refers to the physical and logical structure of a networked environment. ◦ Dividing a topology into security zones is useful for creating and enforcing security policies, controlling information flow, and securing network access.
Cloud Secrets Management
refers to the tools and methods for managing digital authentication credentials (secrets). • secrets can include: ◦ User or auto generated passwords ◦ API or other application keys/creds ◦ SSH keys ◦ Database and other system-to-system passwords ◦ Private Cert's for secure commas, transmitting and receiving of data (TLS, SSL) ◦ Private encryption keys for systems like PGP (pretty good privacy) ◦ RSA and other one-time password devices
‣ Full tunneling
requires all traffic be routed over the VPN.
• Dual Control
requiring more than one subject or key to complete a single task
◦ Secure cookies
requiring that cookies be encrypted in transit
• Full Device Encryption:
requiring the entire device to be encrypted including removable media
• Risky IP:
restriction based on IP address
• Number of attempts:
restriction based on number of failed login attempts resulting in account lockout
• Location
restrictions based on device, network location, geolocation (GPS, cell triangulation, Wi-Fi proximity, IP address), geofencing (virtual boundary)
Virtual Subnets
segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. • Virtual subnets can be public or private.
• Storage Segmentation
segmenting personal and corporate data ◦ Enforcing different access and encryption policies based on folder ◦ Enforcing different access and encryption policies based on storage location (internal vs. removable)
Geographic Concepts: • Region:
set of connected data centers deployed within a defined perimeter
Heat Map Visualizations: • Signal strength:
signal strength to access points
Site Survey Considerations: • Location
size and complexity of physical location
• Infrastructure
space and equipment availability (eg: Ethernet ports, location of wiring closets)
• Device
specific requirements of devices (tablets, smartphone, laptop)
• Performance
speed and performance expectations
WebAuthn (Web Authentication):
standard enables online services to use FIDO authentication through a web API that can be built into browsers and related web platform infrastructure. ◦ Cryptographic login credentials are unique across every website, never leave the user's device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks. ◦ WebAuthn and FIDO 2UF is currently supported in Win10 and Android platforms, and Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari web browsers
• Business Rules:
strategic alignment of ACL with business requirements. Process for approving a new rule and/or exceptions
Secure Boot
the UEFI secure boot is a mechanism to guard against malicious attacks, rootkits, and unauthorized software updates that could happen prior to OS launching. ◦ Establishes a trust relationship between the UEFI BIOS and bootloaders, operating systems, drivers, and utilities ◦ A list of keys that identify trusted firmware, software, drivers, code (and in some instances, known malware) is embedded in the UEFI - only software or firmware signed with approved keys are allowed to execute. ◦ Can be manually updated and/or disabled for backward compatibility. ◦ NOTE: requires a UEFI and TPM.
Types of Proxy Severs: • Forward Proxy:
the clients (browsers) are configured to send requests to the proxy server ◦ The proxy server receives the request, fetches the requested content (goes out to the internet), and stores a copy for future use (if content is static)
• Issuer
the entity that issued the cert
Application Layer
the path of communication from the transport layer to the application layer is through a port.
• Transparent Proxy:
the same as forward proxy except that the client (browser) does not need to be configured. The proxy server resides on the gateway and intercepts requests.
IP Versions:
there are two versions: IPv4, IPv6 ◦ Deployed in 1981, IPv4 was the first publicly used version (1-3 were experimental) ‣ 32-bit address in dotted decimal format (10.1.1.1) ‣ IP address scarcity ‣ Limited Security options ◦ IPv6 deployed in 1999 ‣ 128-bit address in hexadecimal format (2001:0db8:85a3:0000:0000:8a2e:0370:7334) ‣ 2^128 addresses ‣ Integrated IPSec ‣ Stateful and Stateless auto configuration capabilities
SSL/TLS Application Specific Integrated Circuits (ASIC)
these circuits are processors that are specifically designed to perform SSL/TLS operations
Virtual Private Cloud
this network provides the contracting organization with an isolated and highly-secure environment to run virtual machines and applications. ◦ The contracting organization defines private IP addresses, subnets, and access control policies ◦ Extends on-perm IT environments into the cloud bc we can connect them together.
Data Protection: • Containerization:
use of a secure virtual container ◦ Used to segregate "high risk" applications ◦ Used to segregate and encrypt confidential data
◦ S/MIME
used to send digitally signed and encrypted emails
Predictive Site Survey:
uses software to model the environment ◦ Typically, building floor plans are loaded into predictive site survey software to develop a wireless network design ◦ Predictive site survey tools will account for building materials, square footage, number of end-users, types of applications, antenna models, and other variables to provide a reliable, predictive wireless plan for your site or facility.
• Domain
verifies a domain (wildcards for subdomains)
• Extended Validation:
verifies a domain and an organization subject to additional standardized global verification processes. Requires additional vetting. Requires that an org demonstrate exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove that the entity has authorized the issuance of the cert.
• Organization
verifies a domain and organization
Types of Digital Cert's: • Personal
verifies a user identity (generally used for email)
• Machine
verifies device identity
• Code/Object Signing
verifies origination/ownership as well as object integrity
Wi-Fi Protected Setup (WPS):
was launched by Wi-Fi Alliance in 2006, goal was to make it easy to add new devices to an existing wireless network. ◦ Known vulnerabilities: ‣ Pin Flaw: allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the networks WPA/WPA2 pre-shared key. ‣ All WPS devices are vulnerable to unauthorized access if not kept in a secure area - an unauthorized user can connect by pressing the WPS button to command the router to make a WPS connection.
• Key usage:
what the cert can be used for (is it for email, is it to verify code is good)
• Destruction
when a cert is not longer in use (expired or revoked) the cert and backup copies should be destroyed along with the associated private key
• Validation
when a cert is used, the status is checked to verify that it is still operationally valid
• Local Wipe/Auto Wipe:
wipes a mobile device after a pre-specified number of failed logins or moves outside of a defined physical boundary
Measured Boot
• A UEFI feature that gathers secure metrics to validate the boot process in an attestation report
Simple DAC ACL Matrix:
• As owner, Bob has full control by default and can assign permissions. Assignment: File A Permission: File B Permission: File C Permission: Bob (owner) Full Control Full Control Full Control Alicia Read, Write Read Only No Permissions • Bob is owner, he can decide permissions Alicia has
Account Lifecycle Phase 2:
• Authorization, assignment of rights and permissions, user training • Authorization is granted by data/resource owners(s) or "need to know" is established • Rights and permissions are assigned by the data/resource custodian • User receives initial and ongoing training (Security education training and awareness)
Firewall Access Control List (Rules):
• Permission: ALLOW or PERMIT to allow traffic, DENY to block traffic • Protocol: TCP, UDP, IP (to indicate both) • Source: Where the traffic is coming from (host, range, wildcard, ANY) • Destination: where the traffic is going to (host, range, wildcard, ANY) • Port: listening port (eg: HTTP on port 80) • Deny: Last rule at the end of an ACL to block any traffic that wasn't previously allowed. Can be a statement (explicit) or a command (implicit)
WPA 3 SAE:
• Simultaneous Authentication of Equals (SAE) aka DragonFly Key Exchange: is a secure password-based authentication and password-authenticated key agreement method. ◦ WPA3 uses the SAE to replace WPA2's Pre-Shared Key (PSK) exchange protocol ◦ SAE is a more secure protocol for handling the initial key exchange ◦ SAE, also known as DragonFly Key Exchange, uses forward secrecy and is resistant to offline decryption attacks.
Account Lifecycle Phase 4:
• Termination, Offboarding • Termination tasks include reclaiming physical assets (eg smartphone) and access control assets (eg token), disabling/removing account and access, archiving documents and emails • Offboarding tasks include reassigning file and folder permissions and ownership • Users should be reminded of any agreements that extend beyond employment (eg confidentiality)
Key Management Best Practices:
• Usage: a key should only be used for one purpose (eg encryption) ◦ The use of the same key for different cryptographic purposes may weaken the security provided by one or both • Strength: the strength of a key should be commensurate with the data/process protection requirements • Storage: private keys must be securely stored. The measures taken to protect a private key must be at least equal to the required security of the use of the key.
Account Lifecycle Phase 3:
• User account auditing, user access auditing, change requests, user training • User accounts are audited (validity, group membership, roles, access permissions) • User access is audited (make sure user is not misusing permissions they have) • Change requests based on personnel requirements • Ongoing training
software vs hardware disadvantages
‣ Software: installed on each device individually ‣ Hardware: time, knowledge, and skill to configure and manage the device and rule-set
• WPA3
◦ Authentication: Enterprise RADIUS or Personal SAE (Simultaneous authentication of equals (also known as DragonFly Key Exchange) ‣ Forward secrecy ◦ Key: Enterprise 192-bit key ◦ Encryption: AES block cipher, GCMP-256 mode, HMAC-SHA384 (for integrity) - very strong here ◦ Status: Optional certificate, backward compatible (WPA2)
• EAP (Extensible Authentication Protocol): (RFC 3748)
◦ EAP is an authentication framework for wireless networks and P2P connections ◦ There are more than 40 variations of EAP ‣ PEAP (Protected Extensible Authentication Protocol): • Encapsulates EAP in a TLS tunnel • Jointly developed by Microsoft, Cisco, and RSA ‣ EAP-FAST (EAP - Flexible Authentication via Secure Tunneling): • Lightweight implementation proposed by Cisco ‣ EAP - TLS (EAP - Transport Layer Security): • Defined in RFC 5216 as an open standard that uses TLS • Considered one of the most secure EAP standards
• 802.11e
◦ Quality of Service (QoS) for priority and time sensitive data
• 802.11i
◦ Security for 802.11 technologies ‣ Legacy (WEP, WPA) ‣ Current (WPA2, WPA3)
software vs hardware: • Resource Utilization:
◦ Software: Host CPU and RAM ◦ Hardware: Internal Resources
Software vs. Hardware Firewall: • Configuration:
◦ Software: Installed on a host device ◦ Hardware: Appliance
software vs hardware advantages
◦ Software: can distinguish between programs when filtering traffic ◦ Hardware: efficient - services multiple devices
• RADIUS
◦ Used for network access (VPN, wireless) ◦ Encryption is only the password ◦ It combines authentication and authorization ◦ Reporting is comprehensive ◦ Vendor is commercial and open-source versions
• COPE: Company issued Personal Enabled
◦ Users get issued a device for both professional and personal use ◦ Company owned
Device Ownership and Deployment: • COBO: Company-issued Business Only
◦ Users get issued a device for professional use ◦ Company owned
• CYOD: Choose your own Device
◦ Users get to select their own device for professional use ◦ Company owned
• BYOD: Bring your own Device
◦ Users use their own device in the workplace (and for personal use)
• Status
◦ WEP: Insecure (when this broke, WPA was released) ◦ WPA: Temporary Fix, superseded by WPA2
• Encryption
◦ WEP: RC4 Stream Cipher (we don't want to be using this anymore) ◦ WPA: RC4 Stream Cipher
• Key
◦ WEP: Shared 64- or 128- bit key ◦ WPA: Separate 256-bit keys
Legacy 802.11i Security: • Authentication:
◦ WEP: preshared key (PSK) or open. All services all users used same key, or there was no key. ◦ WPA: Enterprise RADIUS, Certificate or Personal PSK