CIW Managing Web Security
DMZ
-A mini-network that resides between a company's internal network and the external network. -The network is created by a screening router and, sometimes, a choke router. -Used as an additional buffer to further separate the public network from your internal private network. Many systems administrators place Web and DNS servers in a DMZ because it is more convenient. The benefit of this practice is that the screening router provides some protection. The drawback is that any server in a DMZ is not as protected as it would be if it resided behind the actual choke router. Another commonly used term for a DMZ is service network. a DMZ is also known as a screened subnet firewall
disadvantages of screening routers
-The main one is that a high degree of TCP/IP knowledge is required to create proper filters -only a single device is used to protect the network -do not typically have good monitoring or logging features, thus, they should always be combined with another type of firewall.
packet filtering firewall disadvantages
-cannot discriminate between good and bad packets -creating packet filters requires extensive knowledge of TCP/IP -usually need to create more than 100 rules to limit and permit network access -susceptible to spoofing (related to 1st weakness, difficult to discriminate between good and bad data) The biggest problem with packet filters or screening routers is that they cannot discriminate between good and bad packets. If a packet passes all the rules, it will be routed to the destination. Packet filters cannot tell if the routed packet contains good or malicious data. Packet filters are susceptible to embedded code within a standard packet. Using our first FTP example, a hacker could embed a program that scanned all IP addresses on the 192.168.10.0 to create a map of the internal network. As long as the hacker initiated the packet with a source port of 20, the packet filter would pass all the packets. Another weakness ties directly to the one mentioned above. Creating packet filters requires extensive knowledge of TCP/IP. Most TCP/IP applications are client/server-based so the filters will need multiple rules to deal with the client/server communication. Generalizing rules is difficult because most TCP/IP applications have special TCP/UDP port requirements. Another problem with packet filters is that you usually have to create more than 100 rules to limit and permit network access. Creating all these rules can be time-consuming. Another significant weakness of packet filters is their susceptibility to spoofing. Spoofing is similar to the first weakness, which was the inability to discriminate between good and malicious data. If a hacker spoofs his or her source address with a source address that is specifically allowed by a rule within the filter, the firewall will pass or route the packet.
packet filter
-process network traffic on a packet-by-packet basis -operate only at the network layer of the OSI/RM, -can be implemented through standard routers -can also be implemented as dedicated firewall devices (e.g., a Check Point Firewall-1 device). A pure packet filter looks only at the following information: Source IP address Destination IP address Source port Destination port Packet type (ICMP, EGP and so forth) Packet-filtering firewall supplements, such as stateful multi-layer inspection, can help extend this basic capacity. When packets are filtered at a router, it is usually called a screening router. Screening router is another term for a packet-filtering firewall. Packet filters are read and then acted upon on a rule-by-rule basis. After a packet has failed any portion of a filter, the subsequent rules will not be read.
managing malware infections
-removing viruses/malware -repairing damage -updating the signature database
files in windows most likely to contain viruses
.exe — any executable file. .vbs — a file containing VBScript code. .xls — a Microsoft Excel spreadsheet file. .doc — a Microsoft Word document file. .dll — a Dynamic Linked Library (DLL) file. Applications often need DLL files to run; you could easily be tricked into downloading one that contains a virus or trojan. .bat — used to contain scripts and commands that could harm your system. .com — similar to .bat. .jpg, .gif and .png — for images, but can be used to create companion viruses, for example. .zip — used to contain archives. Many hackers will archive executable files to bypass e-mail filtering applications. Unwise users will then open the zip file and execute the program within. other file types that should concern you .html, .scr (for screen savers) and .mdb (Microsoft Access)
well known ports
0-1023
TCP three-way handshake process
1) The client (or requesting end) performs an active open by activating the SYN flag in the TCP header. The TCP header also contains: The desired port number for connection. The sequence number field with the Initial Sequence Number (ISN). This number is generated randomly, and is used to synchronize the client and server when they transfer data on the bytestream. 2) The server performs a passive open by sending its own SYN to the client that specifies: The server's ISN. An acknowledgment (ACK) of the client's SYN. 3) Finally, the client returns an ACK to the server. The client and server can now transfer data using the bytestream, and the connection is established.
4 steps for terminating a TCP connection
1) The server performs an active close by activating the FIN flag (the client usually exits the application, but the server initiates the TCP connection termination). This action terminates the data flow from the server to the client. 2) The client performs a passive close by sending an ACK to the server. 3) The client also sends its own FIN to the server to terminate data flow from the client to the server. 4) Finally, the server sends an ACK back to the client. The TCP connection is terminated.
private IP address ranges
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
faraday cage
A TEMPEST component. Essentially a metal box, often made of aluminum, stainless steel or copper. Can also be made of wire mesh or metal foil. Can be large enough for a computer, a room or even a building. If a Faraday cage is applied to a computer, then the system is reasonably protected against bursts of electromagnetic energy, known as electromagnetic pulses (EMP), which could damage networking equipment. If a Faraday cage is used to contain an entire wireless network, then the network will work only inside of that cage. Faraday cages can be used to secure internal computer components (e.g., processors), as well as computer connections.
daemon
A UNIX program (i.e., service) that is usually initiated at startup and runs in the background until required. BIND - Berkeley Internet Name Daemon. The most widely used daemon used to resolve names to IP addresses.
poisoned web site
A Web site that contains malicious content designed to harm your computer. Poisoned Web sites may also contain drive-by downloads, which download trojans, spyware, viruses or other malware without the user's knowledge or consent. The site may display a link or pop-up window that, when clicked, initiates the drive-by download with no indication to the user of having done so.
hexadecimal
A base-16 number system that allows large numbers to be displayed by fewer characters than if the number were displayed in the regular base- 10 system. In hexadecimal, the number 10 is represented as the letter A, 15 is represented as F, and 16 is represented as 10.
bastion host
A bastion host is defined as any device with a direct connection to a public network. -A bastion is a secure computer system placed directly between a trusted network and an untrusted one, such as the Internet. -You can have a single-homed bastion host. Most often, however, a bastion host uses two network interface cards (NICs). -Each card acts as an interface to a separate network. On one card is your company's production network that you supervise, control and protect. The other card interfaces with another network, usually a public one, such as the Internet. A bastion host can be any of the three types of firewalls: Packet filter Circuit-level gateway Application-level gateway
cross-frame browsing
A bug in a Web browser can allow a malicious Web site to use the Web client to read files on the hard drive. For example, the hacker could read browser cookies, which can contain user name, passwords and sensitive system files, as well as download and execute hostile code on the victim's computer.
RAID
A category of disk drive that employs two or more drives and allows you to store data redundantly.
web 2.0
A concept referring to the changing trends in the use of WWW technology and Web design that have led to the development of information-sharing and collaboration capabilities.
information leakage
A condition in which a system or network unnecessarily reveals information during standard operations.
Perl
A cross-platform programming language that enables users to write custom CGI programs, as well as system management programs.
open network
A group of servers and computers, such as the Internet, which allows free access.
broadcast domain
A group of systems that communicate directly with each other without the aid of a router. If one system can send a packet to the Layer 2 addresses of all systems, then they all exist in the same broadcast domain.
SQL injection
A hacking technique in which malicious commands are passed through a web application for the purpose of gaining access to data contained in a back-end database. a common Web attack mechanism used by hackers to steal data from organizations login pages, search pages, website forms are all susceptible to SQL injections, since they allow for user input from anybody, which enable SQL statements to pass through and directly query a database
key
A key is the special piece of code that is exchanged between two hosts that have established a trust relationship. This key allows a host to encrypt information so that only one remote host can decrypt the information. This encryption is accomplished with public-key encryption.
logic bomb
A logic bomb is code that activates only when certain conditions occur. Also known as a trapdoor attack
trojan
A program disguised as a directory, archive or game that, when downloaded to a system, has an alternative, damaging effect. Illicit servers, such as NetBus, are often made into trojans that end-users unwittingly install on their systems.
Ajax
A programming methodology that uses a number of existing technologies together and enables Web applications to make incremental updates to the user interface without the need to reload the browser page.
CGI script
A protocol that allows a Web server to pass control to a software application, based on a user request. It also allows that program to receive and organize that information, then return it to the user in a consistent format. A CGI script resides on a Web server, enabling the CGI process. Scripts (such as CGI, ISAPI and Perl) should be placed on a separate partition CGI scripts can present two main security problems: They can leak information about the host system, and they can be tricked into executing arbitrary system commands
tunneling protocols
A protocol that encapsulates data packets into another packet. Tunneling protocols include Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec) and Layer 2 Tunneling Protocol (L2TP). Tunneling protocols provide the following benefits: Once a client creates a tunnel (i.e., a VPN), traffic is usually encrypted. The tunnel allows a remote system to gain access to protected resources.
root kit
A root kit is a collection of trojans designed to compromise the system. Traditionally, root kits were threats only to UNIX systems, but versions for Windows 2000, Windows XP and Windows Server 2003 have appeared. A root kit usually consists of a series of programs that replace legitimate programs with trojans often replace or modify these system elements: /bin/login /bin/ps /bin/ls /bin/su root kits can also: create hidden directories install loadable kernal modules (LKM) launch hidden processes popular root kits: Adore T0rn
screening router
A screening router is another term for a packet-filtering router that has at least one interface exposed to a public network, such as the Internet. Another name for a screening router is the outside router, because it presents interfaces to the Internet, not to the internal network. A screening router is different from a bastion host in that it does not use additional services to thoroughly screen packets. A screening router is configured to examine inbound and outbound packets based upon filter rules. A screening router is considered an excellent first line of defense. Because screening routers are nothing more than routers that implement filters, all the needed hardware is already in place
firewall
A security barrier that controls the flow of information between the Internet and private networks. A firewall prevents outsiders from accessing an enterprise's internal network, which accesses the Internet indirectly through a proxy server. A firewall is the most critical component of any security implementation, because it authoritatively defines the difference between the internal network and all other networks.
worm
A self-replicating program or algorithm that consumes system resources.
network appliance
A single machine dedicated to one purpose. Instead of installing firewall software on a standard computer, you can obtain a specialized system meant only to house firewall software. Generally, a system designated as a firewall is not suitable for any other network application because the firewall software will prohibit installation and execution of all programs that it does not specifically recognize. Some firewalls automatically disable applications and services that you may try to run. For this reason alone, you should consider dedicating your firewall system solely to firewall duties.
single-homed bastion host
A singled-homed bastion host is a firewall device with only one network interface. Single-homed bastion hosts are used for application-level gateway firewalls. The external router is configured to send all incoming data to the bastion host, and all internal clients are configured to send all outgoing data to the host. The bastion host will then test the data against the security guidelines and act accordingly. The main disadvantage of this type of firewall is that the router can be reconfigured to pass information directly to the internal network, completely bypassing the bastion host. Also, users can reconfigure their machines to bypass the bastion host and send their outgoing information directly to the router. The disadvantages of this method, compared to packet filtering, are increased cost and reduced performance
site survey
A site survey is a review or inspection of a network that is conducted to assess the network's functionality and the strength of its security measures. Site surveying is a type of security auditing.
phishing
A social engineering scam in which the perpetrator sends e-mail messages to lure personal and financial information from unsuspecting victims.
certificate
A specific form of an asymmetric key. Certificates provide authentication and assign responsibility. ActiveX programs, for example, can be certified to show who wrote them and when. authenticate users and hosts. A certificate is essentially a public key that has been verified by a trusted third party, who ensures that this certificate authenticates a particular host, company or person. A number of companies, called certificate authorities (CAs), issue authentication certificates and sign them with their signatures to indicate a program's validity. One of these companies is called VeriSign. You can also act as your own CA, given that you have the software that allows you to generate certificates. Windows Server 2003 has its own native CA software, and you can use OpenSSL (www.openssl.org) in Linux systems
TEMPEST
A standard developed by the U.S. government meant to help control electromagnetic transmissions that interfere with network connectivity or which are meant to eavesdrop on traffic. Involves placing protective coatings and sheaths on cables and computer connectors (e.g., for network or video connections) and extra shielding for building wiring. Shielding can be as simple as metal or aluminum foil.
backup device
A tape backup or imaging server can ensure that data can be quickly placed back onto a replacement server.
session key
A temporary, sometimes even reusable, item that is the result of the authentication process. A Kerberos "ticket" is an example of a session key. Users can re-deploy session keys during further network exchanges to prove identity. Session keys are not specific to any one security implementation.
DoS (denial of service)
A type of attack waged by a single system on one or more systems. Involves crashing a system completely or occupying system resources (for example, CPU cycles and RAM), which renders the system non-functional.
SSID
A unique identifier for a wireless cell that controls access to the cell A Service Set Identifier (SSID) is a unique name for each wireless cell (i.e., network). A SSID is used to control access into a particular wireless cell. Usually, a SSID is a simple text string entered into a wireless AP, although a SSID can also be established by hosts participating in an ad-hoc wireless network. Once a wireless AP has a SSID entered, this AP immediately becomes differentiated from other wireless cells. SSID values are case-sensitive and can be up to 32 characters long. They can also be encrypted. SSID is not the same as BSSID
buffer overflow
A user's Web browser can be caused to crash, and in some cases, expose the network host to an exploit. A buffer overflow attack centers on flaws inadvertently written into program code. These flaws can lead to a condition called "buffer overflow" (or "buffer overrun"), in which two processes or threads communicate imperfectly with each other. Whenever improperly sized or badly formatted information is placed into a buffer, a buffer overflow can occur. As a result, a shell can be left behind that allows a malicious user to execute arbitrary commands.
VPN
A virtual private network (VPN) is an encrypted tunnel that provides secure access between two hosts across an unsecured network. Once a remote VPN client connects to a VPN server, the client often has access to the same network resources as a client located on the company campus a VPN uses public key encryption (ayssmetric-key encryption) Encryption occurs at the source, and decryption occurs at the destination A tunnel encrypted with public keys that provides secure access between two hosts across an non-secure network
companion virus
A virus that appears to be the same name as a legitimate application, but in fact has a different name. Many people do not configure MIME on their systems to reveal common applications, and thus they can fall victim to an attack in which a hacker tricks them into double-clicking a file that looks legitimate, but is not
security system, 5 attributes
Access control: Allowing access to only legitimate users Ease of use: An intuitive interface that is not difficult to maneuver Appropriate cost of ownership: System costs from initial purchase to maintenance and administration are considered Flexibility and scalability: Organizational and system growth are equal considerations Superior alarming and reporting: Systematic and efficient notifications configured to alert the appointed point of contact (POC)
determine the scope of a breach
After you have confirmed that a hacker has entered your system, analyze the situation. Your first task in the determination process is to find out if the hacker is at Stage 1 (discovery), Stage 2 (penetration), or Stage 3 (control, and spreading to other systems). Very often, not only one system or system daemon is compromised. After a hacker gains access to one system, he or she will probably try to control others on your network. Thus, you should take the following steps: Determine which accounts have been affected. Identify which files have been read, altered or substituted. Trace the hacker's activities in your system. Consult audit logs. Determine whether any permissions have been reset.
security matrix
All components used by a company to provide a security strategy. Includes hardware, software, employee training, security policy, etc.
antenna
All wireless devices (e.g., wireless clients and APs) require one. The element can be encased inside the device or attached to the outside.
non-repudiation
Allows all parties to provide proof of origin and/or proof of delivery concerning any service, process or piece of information. By contrast, repudiation is the ability to deny participation in all or part of a transaction. For networking, one can repudiate an e-mail message or a piece of data, such as a traceroute ping packet or SYN packet, by saying "I did not send that." one of 4 encryption services
wireless access point
Also known as a base station or a hotspot. It is the wireless counterpart to a standard Ethernet hub or switch. Provides centralized access to multiple wireless clients.
spoofing
Also known as a masquerade attack. Involves altering or generating falsified or malformed network packets. A host (or a program or application) pretends it is another entity on a network. The entity under attack is convinced it is dealing with a trusted host, and any transactions that occur can lead to further compromise. spoofing attacks: IP spoofing — the ability to generate falsified information within an IP header. IPv4 is especially prone to this practice, because the IP stack does not contain the innate ability to prove origin of source. However, Internet Protocol version 6 (IPv6) has this ability and improves security considerably (at least for now). ARP spoofing — the ability for a system to spoof another system's MAC address, often resulting in redirection of traffic on a LAN. ARP spoofing is often used to imitate routers. DNS spoofing — the ability to appear to be a true DNS server, but in fact redirect traffic to an attacking host that can gather sensitive information (e.g., user names and passwords).
pharming
An Internet scam in which users are misdirected to fraudulent Web sites without their knowledge or consent.
XMLhttpRequest
An application programming interface (API) that is used to transfer XML and other text data between a Web server and browser.
illicit server
An application that installs hidden services on systems. Illicit servers consist of "client" code and "server" code that enable the attacker to monitor and control the operation of the computer infected with the server code. an illicit server is a service or daemon installed on a host that thwarts authentication by allowing remote users to avoid the password database. Many hackers are capable of remotely controlling a vulnerable system through the use of an illicit server.
VLAN hopping
An attack in which a hacker intercepts packets as they are sent from one VLAN to another on a trunk. VLAN hopping attacks are successful in networks that permit autotrunking. Autotrunking is a function that enables one or more switch ports in a system of VLANs to carry traffic for any or all of the VLANs accessible through a particular switch. This type of switch port is called a trunk port thwarting VLAN hopping: Disabling autotrunking reduces the possibility of VLAN hopping. Another recommended practice to prevent VLAN hopping is to remove the native (default) VLAN setting (VLAN1) from any trunk port. That is, trunking ports should have a unique native VLAN number (other than the default VLAN1).
man in the middle attack
An attack in which a hacker positions himself logically in the middle of a connection in order to intercept (and possibly reroute) packets. types of man in the middle attacks: packet sniffing connection termination (session killing) connection hijacking packet insertion DNS and ARP cache poisoning replay attacks
proxy server
An entity that stands for, or acts for and on behalf of, another person or thing. Like attending a meeting for an absent colleague Proxy servers are very important to firewall applications because a proxy replaces the network IP address with a single IP address. Multiple systems can use this single IP address. A proxy server provides the following services: Hiding network resources — Hackers will see only one IP address instead of all exposed systems. Logging — A proxy server can log incoming and outgoing access, allowing you to see the details of successful and failed connections. Caching — A proxy server can save information obtained from the Internet (for example, Web pages). This cache contains copies of information found on the Internet. A common proxy server problem occurs when the server returns old information. In such cases, the administrator must purge the existing cache, or set the proxy server to update its cache more often. A proxy server requires all clients to connect at a specific port, which effectively hides the actual IP address from the rest of the Internet.
humidity controls
An environment that is too dry will result in excessive static electricity, making computer and telephony systems vulnerable. An environment that is too humid can cause condensation to form on equipment. Humidity should be between 40 to 50 percent in server rooms and wire closets.
back door
An intentional hole in a firewall or security apparatus that allows access around security measures.
virtual network perimeter
An outer corporate network created using VPN technologies, thus extending the corporate network to suppliers and customers.
hacker
An unauthorized user who penetrates a computer host or network to access and manipulate data.
system bugs and backdoors
An unintentional flaw in a program that creates inadvertent access to a system through a network port. Involves code inserted secretly into an application or operating system by developers; the code opens a networking port that allows illicit access into the system.
asymmetric key encryption
Another name for asymmetric encryption is public-key encryption or public-key cryptography. Asymmetric-key encryption uses a key pair in the encryption process, rather than the single key used in the symmetric-key encryption process. A key pair is a mathematically matched key set in which one half of the pair encrypts, and the other half decrypts. What A encrypts, B decrypts; and what B encrypts, A decrypts. asymmetric key elements: RSA Digital Signature Algorithm (DSA) Diffie-Hellman
source routing
Another tactic often found at the network/internet layer exploits source-routed IP datagrams, which have been created to travel only a specific path. This exploit is called source routing. Often, these types of datagrams are created to circumvent security measures such as firewalls.
three elements that should be addressed by a company's security policy
Any company with a network must have a security policy that addresses appropriateness subordination physical security Regarding company security, appropriateness varies greatly from organization to organization.
application gateway
Application gateways provide reverse proxy services. Reverse proxy servers are located outside a network's firewall system and proxy inbound requests. most popular type of proxy server
two types of proxy servers
Application-layer proxy (also called application-layer gateway) Circuit-level proxy (also called circuit-level gateway)
802.1x
Authenticates users who want to access 802.11x wireless networks; allows you to connect a wireless access point to a centralized server (i.e. RADIUS server) so that all hosts are properly authenticated
type of service (TOS)
Bits that can help prioritize certain types of traffic. Routers can mark IP packets with certain ToS bits. For example, you can set ToS bits for all HTTP traffic, so that it is processed before any other traffic type. type of service policies - Together with network routers, firewalls help to implement Type of Service (ToS) policies.
capacity forecasting
Capacity forecasting refers to planning the amount of bandwidth required to provide services for future customers.
RADIUS
Centralizes remote user access; mostly meant for dial-up access; uses UDP as its transport protocol, and listens on UDP Port 1812
4 types of certificates
Certificate authority certificate — used by CAs to validate another CA as a trusted issuer. Only a few CAs are automatically trusted by Web browsers. Server certificate — used to verify a company's Web server. A company applies for a server certificate and sends the request to one of several CAs. The CA will verify that the company is legitimate, then send the company a digital certificate. Specialized server certificates exist. For example, an IPsec client can obtain a certificate that allows a host to participate in an IPsec-enabled network. Personal certificate — used by individuals, usually to encrypt e-mail or authenticate with a Web server. The individual contacts a CA to request a personal certificate. The only verification the CA performs is by e-mail address. The CA sends the certificate to the e-mail address specified by the individual. In theory, only that person would have access to the e-mail account, and would therefore be the only one who could retrieve and use the certificate. Software or publisher certificate — used to validate software code. For example, if a user accesses a Web site that is trying to download a Java applet or an ActiveX control, a security warning usually appears. The publisher certificate is used to validate the code to assure the user that the code does not contain malicious programming. Server and personal certificates are the most common types. When you use a server certificate, you must configure the particular service (i.e., daemon) to use it. When you use a client certificate, you must configure the particular client (e.g., an e-mail client or Web browser) to use the certificate.
steps to setting up a security policy
Classify your systems. Determine security priorities for each system. Assign risk factors. Define acceptable and unacceptable activities. Define security measures to apply to resources. Determine how you will teach all your employees about security. Determine who will administer your policy.
IPsec vulnerabilities
Compromised keys — It is possible for a malicious user to obtain the key used to encrypt the transmissions. As a result, the hacker can defeat encryption and gain access to all information transmitted. Such a compromise is rather rare, however. Compromised certificates — If a malicious user obtains the master CA certificate, then information can be decrypted.
CERT
Computer Emergency Response Team - An organization devoted to dealing with computer-related security issues. CERT is a part of the Internet Society (ISOC), which establishes the protocols that govern the Internet. Maintains information about how to solve specific security problems and publishes security advisories.
MAC address filtering
Configures a wireless access point so that it allows only certain system MAC addresses to communicate with the rest of the network
sandboxed
Containing built-in constraints that protect a program from malicious activity or prevent it from accessing important resources.
polymorphic
Contains programming code enabling it to execute differently each time it is run. Because it appears as a different process each time, this virus avoids being detected by virus-scanning software.
DNSSEC
DNS security extensions - A set of extensions to DNS designed to protect DNS clients from attacks. Uses digital signatures to ensure data integrity and authenticity.
symmetric encryption algorithms
Data Encryption Standard (DES) - DES is a block cipher in the sense that it encrypts data in 64-bit blocks. The same key is used to encrypt and decrypt the data. This standard uses a technique called "diffusion and confusion." The 64-bit block of data is divided into two halves, and each half is successively passed through the key (called a round). DES has 16 rounds, and the key is bit-wise shifted for each round. Forty-eight bits of the key are applied to the 32 bits of data for the round. The advantages of DES are that it is fast and simple to implement. DES has been in production use for more than 30 years, so many hardware and software implementations use the DES algorithm. However, key distribution and management are difficult, again because DES relies upon a single-key model. Triple DES - Normal DES uses a 56-bit key and is considered sufficient for normal information. For sensitive information, some users employ a technique called Triple DES. In this case, the message is first encrypted using a 56-bit DES key, then decrypted with another 56-bit key, and finally encrypted again with the original 56-bit key. The Triple DES thus effectively has a 168-bit key. Because of the several levels of encryption, Triple DES also thwarts man-in-the-middle attacks. Normal DES is fast, and Triple DES is faster than other symmetric algorithms. The biggest advantage of Triple DES is its ability to use existing DES software and hardware. Companies with large investments in the DES encryption algorithm can easily implement Triple DES. RSA algorithms: RC2 - block mode ciphers, which means that they encrypt messages in blocks, 64 bits at a time RC4 - a stream cipher, which encrypts messages as a whole, in real time RC5 - block mode ciphers, which means that they encrypt messages in blocks, 64 bits at a time RC6 - comprises an entire family of algorithms and was created to address the weaknesses of RC5 RSA is best known for its asymmetric encryption algorithm called RSA. Do not confuse symmetric algorithms created by the RSA (e.g., RC2 and RC4) for the asymmetric algorithm called RSA. International Data Encryption Algorithm (IDEA) Blowfish - Blowfish is a very flexible symmetric algorithm by Bruce Schneier, a prominent individual in the cryptography arena who has made significant contributions. Blowfish is a variable-round block cipher that can use a key of any length up to 448 bits. Twofish - symmetric-key encryption algorithm that uses a 128-bit block and 128-, 192-, and 256-bit keys Skipjack - Skipjack is an encryption cipher designed by the U.S. National Security Agency. The actual mathematical formula is top secret but is implemented in such products as the Fortezza and Clipper chips. It uses an 80-bit key and 32 rounds on 64-bit blocks to accomplish its encryption. MARS - A block cipher algorithm, MARS was introduced by IBM. It uses 128-bit blocks and supports a variable key size of between 128 and 448 bits. The MARS algorithm provides better security than Triple DES and is significantly faster than single DES. Like Twofish, it is especially designed to work well on smart cards. Rijndael - adopted as the Advanced Encryption Standard (AES), which replaces DES. Serpent - Serpent is designed to have a 128-bit block design, and supports 128-, 192- and 256-bit keys. It is especially optimized for Intel-based chips. Although much more advanced, Serpent is somewhat comparable to DES in the way it processes information.
firewall configuration default settings
Deny all traffic, in which case you would specify certain types of traffic to allow in and out of your network. Allow all traffic, in which case you would specify certain types of traffic to deny.
access control
Determines what system resources a user or service may use, view or change. After a user has been authenticated, the access control service on an operating system determines where that authenticated user can go. Access control occurs after authentication. Access control does not include working with users; users are part of the ability to authenticate users. However, giving the administrator account access to a database of employee pager numbers is an example of access control, because access control is the practice of determining what an authenticated user account can do.
Diffie-Hellman
Diffie-Hellman is a protocol that provides the secure exchange of keys (thus it is known as a key-exchange protocol). It does not scramble text, and therefore is not actually an encryption algorithm.
DSA
Digital Signature Algorithm (DSA) - DSA was introduced by NIST and is available openly. It is used to sign documents. Although it functions differently from RSA, it is not proprietary and has been adopted as the standard signing method in Gnu Privacy Guard (GPG), the open source alternative to Pretty Good Privacy (PGP).
drive encryption
Drive encryption can help ensure data confidentiality
dual-homed bastion host
Dual-homed bastion hosts function identically to single-homed bastion hosts except that they have at least two network interfaces. Dual-homed bastion hosts serve as application gateways, and as packet filters and circuit gateways as well. The advantage of using dual-homed bastion hosts is that they create a complete break between the external network and internal network. This break forces all incoming and outgoing traffic to pass through the bastion host. For a hacker to access internal devices, he or she must compromise the dual-homed bastion host, hopefully allowing you more time to react and prevent a security break-in.
protecting against spoofing
Encrypt DNS zone transfers, and limit transfers only to trusted hosts. Use IPv6, which demonstrates resistance to spoofing attacks. If you continue to use IPv4, then use IPsec.
encryption strength
Encryption strength is based on three primary factors: -Algorithm strength -Secrecy of the key -Length of the key - the number of possible combinations of bits that can make up a key of any given length can be expressed as 2n, where n is the length of the key. Thus, a formula with a 40-bit key length would be 240 or 1,099,511,627,776 possible different keys
4 potentially vulnerable parts of a network
End-user resources (Windows 2000/XP/2003, Linux or Macintosh hosts used by employees) potention threat: Viruses, trojans and applets can damage local systems. End users can also introduce problems through illicit activity. Network resources (routers, switches, wiring closets, telephony) potential threat: IP spoofing, system snooping and obtaining information. Server resources (including file, DNS, Web, FTP and e-mail servers) potential threat: Unauthorized entry, interrupted service and trojans. Server resources are the primary targets in most cases. Information-storage resources (including human resources and e-commerce databases) potential threat: Obtaining trade secrets, customer data and so forth.
ITSEC
European Information Technology Security Evaluation Criteria (ITSEC): Addresses the issues of integrity and availability, as well as confidentiality.
physical vulnerabilities and their solutions
False ceilings: Make sure that rooms are truly separated from the rest of the office. Exposed communication lines: Check for and correct exposed internal and external wiring. Look for unsecured internal and external wiring closets, as well. Identify and correct unlocked and poorly guarded telephone panels. Review lighting for these resources. Exposed jacks: Conduct thorough audits of the network after downsizing and/or transferring users to make sure that wall jacks are not left active. Exposed heating/cooling ducts: Cordon off exits and entrances. Place bars over ducts, with the approval of the building and heating supervisors. Doors with exposed hinges: Replace the door. Enable surveillance. Inadequate lighting: Use existing lighting or install new fixtures. Lack of surveillance: Use security guards or install surveillance cameras. Poor lock quality: Install keypads and smart card-enabled systems. Biometric authentication can also be used.
GLBA
Gramm-Leach-Bliley Act - security standard that ensures the privacy of financial information and other sensitive information
automated checksum
Hackers often break into a computer to plant a trojan or virus. The hacker hopes that the file will eventually be executed either automatically or when the system is restarted. A very common technique is to create a trojan with the same name as a frequently used operating system file. The hacker then breaks into a server and replaces the original operating system file with the trojan. You may need to analyze the size of key operating programs to ensure that a hacker has not tampered with them. Several programs will automatically scan key files for dates, time stamps and related information. The results are then compared against known values or previous scans. If a file has been modified or the time stamps and size do not match, the file has probably been replaced with a trojan. If a trojan or virus is found, immediately replace it with a known good file and find out where the hacker broke into the system to place the trojan.
hash encryption
Hash encryption, also called one-way encryption, converts a document or information of variable length into a scrambled, 128-bit piece of code, called the hash value. Hash encryption is used for information that you want never to be decrypted or read. Decrypting it is theoretically impossible. An example of such use would be to protect passwords from disclosure. A malicious third party cannot re-engineer the hash through a hash algorithm to decrypt a password. When a user enters a password to access a secure Web site or intranet, the password is encrypted and compared to the stored hashed password in the Web server. If the values match, then access is permitted. Once the password is hashed, the process cannot be reversed. Another use for hash encryption is signing files/data and use in ATM machines
HIPAA
Health Insurance Portability and Accountability Act (HIPAA): Consists of Title I and Title II sections which include regulations for mandating standardized access to personal medical information by authorized parties, encrypting stored and transmitted information, and rules for how information can be passed from company to company.
to learn from an incident ask questions to everyone involved afterwards
How did the hacker(s) bypass the security? By compromising an employee? Through social engineering? By committing a brute-force attack? Modifying the routing tables? Through an inadequate firewall? Ask specific questions and write down the answers. What were the strengths of the actual response effort? What could have been improved? What should be done differently in the future? What personnel and/or software could have helped prevent this attack? What hardware and software updates are necessary? As you analyze and learn, make sure you take steps to reconfigure, update and modify existing systems to ensure that similar attacks do not occur again. Software updates to your Web server, for example, may resolve buffer-overflow issues. Changes to your software and to your network infrastructure may also help your network systems thwart unexpected attacks. What security policy changes are necessary? You may need to establish mandatory continual training sessions and set passwords to expire at specific intervals.
network/internet layer vulnerabilities
IP-based communication has the following weaknesses: Packets are not signed — As a result, IPv4 provides no authentication; there is no way to determine exactly where a packet originated. Packets are not encrypted — Information is not encrypted by default in IPv4 as it passes across the network wire. Thus, IPv4 does not guarantee confidentiality. Packets can be manipulated easily — For example, it is possible to use a special application to forge IP headers so that packets generated by one host appear to come from another. The receiving host cannot determine that the source IP address is inaccurate, and upper-layer protocols must perform some type of check to prevent this problem. This practice is called IP address spoofing. It is also possible to spoof source and destination ports in TCP/IP.
IPv6 vs IPv4
IPv6 uses 128 bit addresses and hexadecimal characters vs IPv4 32 bit and decimal numbers. IPv6 improves upon IPv4 by using routers more efficiently and requiring less administrative overhead than IPv4. Internet Protocol version 6 (IPv6), attempts to fix many of the flaws in the current IPv4 protocol. IPv6 provides authentication and encryption on the internet, and could solve a lot of the existing problems with TCP/IP
4 goals for a firewall strategy
Implement a company's security policy Create a choke point (network perimeter) Log Internet activity Limit network host exposure
signature database
In an anti-virus scanner, a collection of viruses, worms and illicit applications that are listed as security threats.
operating system hardening
In operating system hardening, the firewall's installation program disables or removes all unnecessary services. The logic behind operating system hardening is that when you strip an operating system to its foundation, it is much more difficult to compromise the host by exploiting system bugs.
masquerading
In relation to packet-filtering firewalls, masquerading is the process of altering the IP header. Specifically, a packet filter that masquerades can alter the IP header so it appears to originate from the firewall, rather than from the original host. Masquerading is useful with NAT, because it allows hosts using private network IP addresses to communicate with hosts on the Internet. A commonly used phrase for masquerading is "packet mangling."
object
In security, a file, program, service/daemon or resource that is maintained and controlled by an operating system.
illicit zone transfers
In this attack, a hacker imitates a DNS server and obtains the entire DNS database.
dns poisoning
In this attack, a hacker injects false data into a zone transfer. The result of DNS poisoning is that the DNS server cache becomes populated with false name-to-IP-address pairings. Thus, if someone were to poison the DNS cache of a client's DNS server, any client who entered http://www.yahoo.com, for example, may actually be sent to a hacker's site instead. Also, if a hacker is able to inject a false MX record for a domain, the hacker would be able to intercept e-mail for an entire domain.
macro/script virus
Infects a specific type of document file that can include macros (codes, commands, actions or keystrokes that produce a result), such as Microsoft Word or Excel files. When a document containing a macro is opened, the virus runs.
file-infecting virus
Infects program files on a disk. When the infected program is run, the virus also runs.
internal bastion host
Internal bastion hosts can be any of the three common bastion host types. They are standard single-homed or multi-homed bastion hosts, but reside inside your company's internal network. Thus, they are not bastion hosts in the classic sense, because they are not directly placed between a trusted network and an untrusted one. They provide an additional level of security in case the external firewall devices are compromised.
notify appropriate authorities after a hack
Internal litigants — If an employee has been charged with attacking a system, you will need to provide solid evidence of the attack. Law enforcement — In many countries and states, a security breach must be reported to law enforcement. These parties will expect data to be properly obtained and stored. Insurance companies — Evidence of a security breach is not only used for prosecution and litigation. It can also be used to file insurance claims. Increasingly, insurance companies have been insuring servers and services against business loss.
ISO 17799
International standard that describes specific tasks and safeguards for IT professionals.
IETF
Internet Engineering Task Force - An organization that determines the standards and protocols for the Internet.
IPsec
Internet Protocol Security (IPsec) is an IETF standard that provides packet-level encryption, authentication and integrity between firewalls, or between hosts in a LAN. -can use Authentication Header (AH) and Encapsulating Security Payload (ESP) service to authenticate and encrypt the data payload, or only an authentication header to provide simple authentication. Most IPsec implementations do both. It is important to remember that IPsec is implemented as an add-on to IPv4. These security features are implemented natively in IPv6. Internet Protocol Security (IPsec) is implemented as an add-on to IPv4, and is implemented natively in IPv6. OAKLEY, IKE and ISAKMP are all elements of IPsec.
ISAPI
Internet Services Application Programming Interface - A method developed by Microsoft to write programs that communicate with Web servers through OLE.
stateful multi-layer inspection
Introduced by Check Point, stateful multi-layer inspection allows packet filters to overcome weaknesses inherent in packet filtering. Packet filters that engage in stateful multi-layer inspection can examine packets in context because the firewall can maintain a database of past connections. By analyzing and comparing connections, the firewall can understand the nature of a series of connections. Stateful multi-layer inspection allows you to detect and thwart ping and port scans, and help determine if a packet has been spoofed. The final benefit of stateful multi-layer inspection is that it allows packet filters to inspect packets at all layers of the OSI/RM, not just the network layer. Many companies now use stateful multi-layer inspection in their packet-filtering firewalls.
dictionary attack
Involve repeated attempts to guess a password. Similar to brute-force attacks, but use a file containing a long list of words to repeatedly guess user names and passwords, instead of random values.
social engineering
Involves attempts to trick legitimate employees into revealing information or changing system settings in order to gain access to a network.
scanning
Involves detecting the ports that are open on the system being attacked. The attacker can then learn more about the services found and attempt to compromise weaknesses found in the services.
brute force
Involves repeated guessing of passwords or other encrypted data, one character at a time, usually at random. It can also involve physical attacks, such as forcing open a server room door or opening false ceilings.
DDos (distributed denial of service)
Involves the use of multiple applications found on several network resources to crash one or more systems, denying service to a host. Often used to consume a server's data connection. DDoS involves: a controlling application an illicit service a zombie a target
L2TP
Layer 2 Tunneling Protocol (L2TP) incorporates elements of Point-to-Point Protocol (PPP) and another protocol called Layer 2 Forwarding (L2F) protocol. L2F was introduced by Cisco systems. Like PPTP, standard L2TP uses PPP to allow the tunneling of various network protocols. L2TP also supports Challenge Handshake Authentication Protocol (CHAP). Unlike PPTP, L2TP borrowed its ability to forward connections from the L2F protocol. As a result L2TP is supported by virtually every vendor of VPN hardware and software. L2TP also uses enhanced compression techniques, thereby creating faster connection. Finally, standard L2TP supports various network types, including ATM, frame relay and X.25
level I, II, III of system resources
Level I — systems that are central to the business's operation. For example, an e-commerce company might categorize its Web server as a Level I system. Employee databases, user account databases and e-mail servers all count as Level I resources. Level II — systems that are needed, but are not critical to daily operation. Though they cannot be down for long, a day or two of lost time would not cripple the company. For example, if the database of employee pager numbers were down for two days, the loss would be an inconvenience, but not a fatal problem. Level III — systems whose loss does not affect operations. A local desktop computer would be a Level III system, as long as this computer does not affect systems in Levels I and II.
methods for deterring hackers
Log traffic and send e-mail messages — Check your system logs and determine the origin of the attack. You can also try to trace an existing connection by using a port listener. If you are reasonably sure that your logs' connection trace has given you the true identity of an attacker, you can then send the systems administrator or ISP an e-mail message requesting an explanation. Conduct reverse scans — If you can identify an attacker, consider scanning the system to learn more about the origin of the attack. Drop the connection — You can configure your system to automatically drop the connection. You can also enter this host's IP address into a database so that the host cannot connect to your system again in any way. Often, simply cutting off a hacker is insufficient, because he or she will return, or because you want to continue tracing the connection to discover its true origin. As long as the attacker is not destroying or obtaining sensitive information, you may want to wait and see if you can gain additional information that will help you catch the perpetrator. Contact the ISP — Trace the connection, if possible, and inform the hacker's ISP. The ISP can terminate the connection so the attack can be stopped. The ISP can help you trace the attack.
VLAN
Logical subgroup within a local area network (LAN) created with software instead of hardware.
hash algorithms
MD2 MD4 MD5 SHA - SHA is structurally similar to MD4 and MD5. Although it is about 25 percent slower than MD5, it is much more secure. It produces message digests that are 25 percent longer (160 bit vs 125 bit) than those produced by the MD functions, making it more secure against attacks than MD5.
reasons to use encryption
Make data confidential — Encryption prevents data from being seen by unauthorized people. Help authenticate users — Encryption enables a user to prove his or her identity by showing that the user has an encrypted element. Ensure data integrity — Encryption can be used to prove that data has not been improperly altered.
cluster virus
Makes changes to a disk's file system. Any program run from an infected disk causes the virus to run, giving the impression that the virus infects all programs on the disk.
VPN vulnerabilities
Man-in-the-middle attacks — Weak VPN connections can be subject to hijacking attacks. Also, packets can be captured and decrypted if the encryption algorithms are not strong enough. Old access accounts and permissions — In many cases, VPN servers use their own accounts databases. If the account database is not properly maintained, old accounts may be present, which could allow unauthorized access to the network. Access from unsecured systems — VPN connections have become increasingly popular with telecommuters. However, home systems may not be kept as secure as those residing at the company campus. Home systems often do not update virus signatures regularly, and may not even have anti-virus software installed at all. In such cases, these remote systems may present a new infection source to the network. After all, these remote systems are allowed through the firewall as are any other local system; yet if they are not properly secured, they cause or aid in a virus outbreak that could cripple your company. Rogue VPN servers — Illicit use of VPN connections can be used to avoid compliance with the company's security policy.
backup service
Many services exist that allow you to back up data to a third party without the need to have your own hardware. Such services are increasingly popular.
proprietary asymmetric encryption
Microsoft Exchange Lotus Notes Novell GroupWise The advantage of such proprietary encryption systems is that because the encryption is fully integrated at the mail server level, a user need only click a button to encrypt and decrypt The disadvantage of such a proprietary asymmetric encryption method is that it is compatible only with other servers by the same manufacturer
network analyzer
Monitoring network traffic to identify network trends — This practice helps establish a network baseline. For example, you may notice that network traffic is heaviest in the morning when all users start their computers. Identifying network problems and sending alert messages — Problems (such as traffic exceeding a given parameter) can be predefined by the network administrator. Identifying specific problems — Problems might include error messages generated by a network device, which can then be repaired. Testing network connections, devices and cables — Network analyzers can send test packets over the network. The packets can be traced to discover faulty components or cables.
passive FTP and packet filter rules
Most modern Web browsers and FTP clients do not use standard FTP. Rather, they use passive FTP. Like standard FTP, the server listens for connection on Port 21, and clients use a port above 1023 to make a connection to this server port. However, when a passive FTP client begins the data connection, it does not use the PORT command. Rather, the client uses the PASV command, which tells the server to open up one of its own ports above 1023, rather than Port 20, to build a data channel. In passive mode FTP, a server never uses Port 20. Passive FTP is often called firewall friendly FTP. This is because in a passive FTP session, the server does not initiate a new connection with a client using a well-known port (e.g., Port 20), like it does in a standard FTP session. Although passive FTP sessions do require a server to use Port 21 to connect to a client, this connection takes place as an acknowledgment to a connection first made by the client. Thus, many firewalls recognize that this connection is part of a previous session. In the case of standard FTP, the server initiates the connection between Port 20 and the client, and many firewalls are configured to automatically drop such connections.
dynamic encryption
Most modern dynamic encryption uses a combination of symmetric, asymmetric and one-way encryption
virus (Boot sector/Master Boot Record (MBR))
Moves boot sector (the part of a hard disk that enables it to be read and written to) data to another part of the disk and replaces it with its own code. Whenever the computer starts up, the boot sector virus executes
technologies introduced with 802.11n
Multiple Input, Multiple Output (MIMO) - uses multiple antennae to direct signals from one place to another. Instead of sending and receiving a single stream of data, MIMO can simultaneously transmit three streams of data and receive two channel bonding - two separate non-overlapping channels can be used at the same time to transmit data. This technique also increases the amount of data that can be transmitted Payload optimization (also known as packet aggregation) - technique that enables more data to be included in each transmitted packet.
proxy server advantages
NAT authentication logging and alarming caching fewer rules (than a packet filter) The main advantage of a proxy server is its ability to provide NAT (circuit-level proxies do this). Shielding your internal network from the public is paramount. additional benefits: authentication logging and alarming - often much more robust than those in packet filters and circuit-level gateways. Proxy servers analyze considerably more information than the other two types of firewalls, so they can log nearly every portion of a TCP/IP session, from the network frame up to the application layer. caching fewer rules - A proxy-oriented firewall generally requires fewer rules than a packet filter. Creating the rules generally takes less time, so this is an advantage reverse proxies and proxy arrays - reverse proxies work similarly to standard ones, except that they proxy inbound requests.... A proxy array is several proxy servers configured as one. Proxy arrays are also known as proxy clusters or cascading proxies, and are useful for load balancing and fault tolerance. Proxy arrays can be used in both regular proxy and reverse proxy environments
NAT
Network Address Translation - An Internet standard that allows a local area network to use one set of IP addresses for internal traffic and another set of IP addresses for external traffic. It is the practice of hiding internal IP addresses from the external network. Three ways exist to provide true NAT: -Configure masquerading on a packet-filtering firewall, such as a Linux system. -Configure a circuit-level gateway. -Use a proxy server to conduct requests on behalf of internal hosts. also called IP address hiding traffic originating from public network cannot access private network but traffic originating from private network can access public network
security tool categories
Network scanners - can become outdated very quickly. Operating system updates and add-ons. Logging and log analysis tools - A log analysis tool provides the administrator with network information such as user logins and logouts, mail traffic and file transfers. Log analysis tools can be used to monitor transmissions between the local system and remote networks.
SYN flood
Often used in DoS attacks Takes advantage of the otherwise normal activity of establishing a TCP handshake. Instead of establishing a complete handshake, the hacker drops the connection after the initial SYN bit is sent. While the target is engaged in creating a port to respond to the active open, the hacker then makes another connection and leaves it, only to make another and another, until the target server has opened thousands of half-open connections. Can cause a system to become sluggish, or even crash. One of the most commonly perpetrated attacks against hosts on the Internet.
ping flood
Often used in DoS attacks Uses massive amounts of ICMP packets. Usually, these are Type 8 (echo request) and Type 0 (echo reply) packets.
UDP flood
Often used in DoS attacks Uses massive amounts of UDP packets to bog down network hosts and connections.
authentication in wireless networks
Open System Authentication (OSA) - Authentication occurs in cleartext. Shared Key Authentication (SKA) - Wired Equivalent Privacy (WEP) is employed. Both the wireless AP and the wireless client share the key.
email encryption
PGP (pretty good privacy), (GPG Gnu Privacy Guard) S-MIME are popular ways to encrypt email
scanning attacks
Perhaps the most fundamental attack involves scanning for systems and detecting open system ports Ping scan - A host directs a number of ping packets at a collection of hosts on a network. Used to determine the hosts that exist on a network. Port scan - A host scans some or all of the TCP and UDP ports on a system to see which ports are open. War dialing - A hacker uses software and a modem to discover hosts using modems to attach to the network. War driving - A hacker uses a wireless NIC to see if a wireless network is in the area. Network mapping - A hacker forges custom packets (e.g., ICMP, TCP or UDP) in order to scan and map networks. If the individual and/or application is clever enough, it is possible to map hosts inside of many network firewalls.
FTP and packet filter rules
Port 20 on the server is the data channel (i.e., the port that sends the actual information). Port 21 on the server is the "control" channel, which the server uses to listen for connections and issue commands
malware
Programs or files whose specific intent is to harm computer systems. Includes viruses, worms, Trojans, rootkits, illicit servers, and logic bombs.
data integrity
Protects against active threats (such as altering data) by verifying or maintaining the consistency of information. one of 4 encryption services
data confidentiality
Protects data from unauthorized disclosure. Data confidentiality protects from passive threats, which include users who read data from the network wire using packet sniffers. one of 4 encryption services the ability to ensure that data is not readily viewed by unauthorized parties
PKI
Public Key Infrastructure (PKI) - servers are repositories for managing public keys, certificates and signatures. In addition to authenticating the identity of the entity owning a key pair, PKI also provides the ability to revoke a key if it is no longer valid. A key becomes invalid if, for example, a private key is cracked or made public. The primary goal of PKI is to allow certificates to be generated and revoked as quickly as possible. Corporations are especially interested in the ability to establish quick, secure communication using PKI. PKI is based on the X.509 standard, which is meant to standardize the format of certificates and how they are accessed.
auditing
Reading and interpreting log files to identify hacker activity. it is the primary means of protection against malicious code.
recover from a DoS/DDoS
Recovering from most DOS attacks requires a simple reboot. However, DDOS attacks often require you to reconfigure your switches and routers to drop offending traffic. Only then will you be able to mitigate risk
problems with retaliating against hackers
Remember that hackers often spoof IP addresses, so you may end up retaliating against the wrong host. Also, a hacker can spoof IP addresses that are important to the proper function of your network. For example, consider what would happen if you use the iptables command to automatically block all scanning hosts, and a hacker spoofs your own DNS servers, or the IP addresses of legitimate customers. Further, some hackers might interpret your measures as an insult or a challenge, which might increase their resolve to compromise your network. Therefore, carefully consider the use of retaliatory measures, because they can cause more problems than they solve.
stealth virus
Resides in the computer's memory and conceals changes it makes to files, hiding the damage from the user and the operating system.
virus (bomb)
Resides on the hard disk and is activated when a particular event occurs, such as a date change, a file change or a user or program action.
WPA/WPA2
Secures WiFi networks; the current version is now part of the 802.11i standard, which makes use of the Advanced Encryption Standard (AES) block cipher WPA2 uses AES (advanced encryption standard) block cipher whereas WEP and WPA use the RC4 stream cipher WPA/WPA2 use TKIP and EAP
tripwire script
Security tool that alerts you that a hacker has broken in, or is trying to do so Can inform you about a change in a file or directory, does so either through an email and/or log file entry
bots and botnets
Software applications that run automated tasks over the internet. The software can be used to assume control over infected computers. A group of infected computers. an individual computer in a botnet is called a zombie CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a widely used technique that is effective in distinguishing between a human user and a bot.
WAP configuration software
Software provided by the manufacturer to assist in setting up both the client and AP configuration.
retro virus
Specifically attacks anti-virus software. Often included with other virus types. The virus code contains a retro virus portion that disables the virus-detection software, allowing another portion of the virus code to attack the operating system, applications or stored files.
recommending a proxy oriented firewall
Symantec Enterprise Firewall - a highly respected proxy-oriented firewall Microsoft ISA Server - also commonly used. Many organizations use a product such as Enterprise for the bastion host, but then use ISA Server to handle Web traffic. When they are used in tandem, each proxy server can divide traffic, thereby providing some load balancing and fault tolerance. Squid - Squid has become a popular open-source proxy server for Linux systems. It supports many protocols, and is reliable and highly configurable
after a hacking incident, document everything
System and server logs are, of course, essential to incident documentation. Auditing logs are often the proof that a hacker has infiltrated the system. However, if a security breach occurs, you should also document the responding moves that you make. Audit logs are only half of what you need. At a minimum, a report should include the following information: The time and date of the attack The nature of the attack, including affected systems, the traffic type (e.g., TCP, UDP, ICMP), and so forth The server(s) involved The names of all company employees (e.g., management, other IT workers and so forth) who were contacted during the response Any applications used
virus (terminate and stay resident (TSR))
TSR viruses execute immediately, and appear to no longer be running. However, they remain resident in memory where they can spread to other systems, cause damage to files, and open network ports.
CC
The Common Criteria (CC): Created by European and American governments to unify various evaluation criteria documents.
ICMP
The Internet Control Message Protocol (ICMP) communicates errors or other conditions at the network/Internet layer. An ICMP message is an extension to the IP header and consists of several levels. Malicious users can also use ICMP to scan hosts, crash hosts and clog network connections
IGMP
The Internet Group Management Protocol (IGMP) is used for multicast IP, and is not a standard IP-enabled system
port agility
The ability to dynamically send and receive traffic across any open network port.
web graffiti
The act of defacing a Web site by replacing authorized content with illicit information.
system snooping
The action of a hacker who enters a computer network and begins mapping the contents of the system.
packet trace
The activity of learning where a packet of information has come from. Because any information sent across the Internet has probably passed through at least five or six computers, it is often necessary to learn the route by which that information came.
physical line trace
The attempt to determine the port or telephone line a hacker has used.
2 most effective defenses against malicious email attachments
The best defense against malicious attachments is to purchase or obtain third-party software that scans all messages as they are sent and received via SMTP The second-most effective preventive measure is user education
4 broad categories of attackers (intentional or not)
The casual attacker - The vast majority of hackers fall into this category. sometimes an information seeker, but most often he or she is a thrill seeker The determined attacker - will gain access to your system, regardless of difficulty or consequence. Determined hackers have many motivations. One hacker might be a disgruntled employee, whereas another might be motivated by resentment toward large businesses or governments. Many attacks have occurred as the result of hackers' interest in removing the presence of what they consider to be objectionable or controversial content. Still others — the majority, perhaps — are motivated by financial gain. The spy - Spies have very specific targets and want to gain information or disrupt service. They are well-funded and have nearly unlimited access to resources. Primary motivations for spies include monetary gain and ideological beliefs. These hackers will stop at nothing to gain access to the networks they have targeted. Businesses interested in industrial espionage and various governments often fund spy groups, but some spies are mercenaries who will work for the highest bidder. The end user - constitute the first line of defense in network security. It is common for security professionals to blame specific vendors (e.g., Microsoft, Sun or Ubuntu), protocols (e.g., the fact that IPv4 does not require authentication) or operating systems (e.g., Windows Server 2003 or Solaris) for their security woes. However, most security breaches are caused by end users. End users may cause network security problems through ignorance, carelessness, or a lack of effective and continual awareness training.
chargeback
The concept of billing users for the volume of network traffic they generate. Chargeback is the ability to accurately determine the costs of using various networking security services. Departments and divisions within the same large company often conduct chargebacks. These security services can include tasks performed by IT professionals, including system installation, network engineering and security consulting.
kernel
The core of the Linux operating system. This core can be upgraded to obtain the latest features and the functionality you need.
difference between deterring and distracting hackers
The difference between deterring hackers and distracting them is that deterring hackers extends past catching them; it drops the connection (sometimes permanently), or ensures that the hacker will be contained. It is also important that you are not seen as punishing the hacker, in the sense that you are retaliating. Your goal should be to discourage future attempts to enter your system.
4 common firewall designs
The four common firewall designs each provide a certain level of security. A simple rule of thumb is this: The more sensitive the data, the more extensive the firewall strategy should be. Each of the four common firewall implementations is designed to create a matrix of filters and points that can process and secure information. The four options are: A screening router A single-homed bastion host A dual-homed bastion host A screened subnet
TCP/IP protocol stack
The hierarchy of protocol levels established according to the Open Systems Interconnection (OSI) model. The stack is the portion of the operating system that transmits and receives information on a network.
advantages and disadvantages of symmetric key encryption
The main benefit of symmetric encryption is that it is fast and strong. These features allow you to encrypt a large amount of information in less than a second. The main weakness of a symmetric key is key distribution. That is, all recipients and viewers must have the same key. Therefore, all users must have a secure way to send and retrieve the key. In addition to this concern, hackers can compromise symmetric keys either with a dictionary program, password sniffing, or by looking through a desk, purse or briefcase. Symmetric encryption is most likely to be defeated by brute-force attacks
patch level
The measurement of specific updates given to an operating system
assigning risk factors
The more sensitive the resource, the higher the risk factor. For example, a company that manufactures paper clips may have a corporate Web site. The risk factor associated with this Web site would be much lower than the risk for the Web site of a company that manufactures ballistic missiles.
SYN flood attack
The most common attack with TCP is called a SYN flood attack. A SYN flood begins the TCP session process by issuing a SYN request. However, the SYN request is not complete and leaves the connection request unfinished. The hacker will continue to issue modified SYN requests until the remote host can no longer respond to any new TCP connection requests. The hacker has then effectively crashed the remote host because the remote host cannot respond to any more hosts.
network perimeter
The outer limit of a network as defined by a firewall.
PKI (certificate authority)
The party responsible for issuing a certificate. A CA can delegate actual authentication to a registration authority (RA). An issuing CA creates certificates for individuals (i.e., end entities).
PKI (registration authority)
The party responsible for verifying the actual identity of a person or host interested in participating in a PKI scheme.
authentication
The process of proving identity. These services provide for the authentication of a communications peer entity and the source of data (origin). one of 4 encryption services
triple-homed bastion host
The triple-homed bastion host often separates the Internet, the internal network and the demilitarized zone (DMZ). The DMZ creates a fairly secure space, or subnetwork, to locate servers that are accessed from the Internet, including modem pools, FTP and Web servers. If a company's publicly accessed servers are placed in the DMZ, the firewall can be configured to forward all public traffic from the Internet directly to the DMZ. The advantage of this structure is that Internet traffic avoids the company's internal network, which keeps the internal computers safe from the public
OSI reference model
The upper four layers are used whenever a message passes to or from a host. The lower three layers are used whenever a message passes through a host. If the message is addressed to the particular host, the message is passed to the upper layers. If the message is addressed to another host, it is not passed to the upper layers, but is forwarded to another host. Transport: TCP or UDP segment, encased in an IP packet Network: IP packet Data link: Frame Physical: Bit
active vs passive FTP
There are two types of FTP: active and passive. In active FTP, the ports opened on the server are TCP Port 21 for the command port and TCP Port 20 for the data port. Active FTP causes problems with firewalls In passive FTP, the client system initiates both connections to the server. Instead of sending a PORT command (as in active FTP), the client issues a PASV command. The PASV command tells the FTP server to open a random registered Port P on the server and to then send a PORT command back to the client. In passive FTP, the data port is not always TCP Port 20.
frame spoofing
This attack exploits the use of standard frames in Web browsers. Browser frames allow the main window in a browser to be split into two or more sub-frames. In frame spoofing, a malicious Web site administrator can substitute content from another DNS domain without alerting the reader. As a result, the end user may think that he or she is giving credit card information to a legitimate site, when it is actually being uploaded to a hacker's server.
wireless NIC
This device is installed on a PC to make it a wireless client. It can be attached in any number of ways, including PCI card, USB, or Personal Computer Memory Card International Association (PCMCIA).
TCP/IP
Transmission Control Protocol/Internet Protocol - A suite of protocols that turns information into blocks of information called packets. These are then sent across networks such as the Internet.
TLS/SSL
Transport Layer Security (TLS) / Secure Sockets Layer (SSL) - enables two applications to communicate over the network by authenticating with digital certificates, which are digital IDs issued by a certificate authority (CA) to authenticate and validate Internet data transfer. TLS/SSL sequence 1) The client and the server negotiate a connection and agree upon specific algorithms for encrypting the channel. 2) The client then generates a random session key using a symmetric algorithm. 3) After authentication, all data is encrypted using this session key. The algorithms typically used are DES or RC4. 4) The message authentication hash, or one-way encryption (SHA/MD5), signs all the packets, thereby providing data integrity.
TCSEC
Trusted Computer Systems Evaluation Criteria (TCSEC): Also known as the "Orange Book" and addresses data confidentiality concerns only.
two security concerns associated with Hypertext Transfer Protocol (HTTP)
Two distinct security concerns surround HTTP: the viewer applications that people use the CGI applications used by the HTTP server Web browser viewer applications are used to format the different types of content. To expand and extend the capabilities of a Web server, extended applications can be added to an HTTP server. Extended applications include such things as Java programs, CGI programs, Active Server Pages and numerous other possibilities. These programs introduce a number of security holes
URL filtering
URLs enable remote computers to exchange executable content and commands, and act as a conduit for client/server data. Therefore, it is important to control the URLs that enter and leave your network to reduce the risks posed by spyware, worms and trojans. filter outbound URLs by: -Require users to access the Internet via a proxy server -Consider filtering outbound URLs to enforce compliance with your organization's acceptable Internet usage policies filter inbound URLs by: -Ensure that your Web applications are well-written -Add an application-level firewall to create another line of defense
3 host association states for a wireless client
Unauthenticated and unassociated Authenticated and unassociated Authenticated and associated When a wireless host is transmitting information through a network access point, it must be authenticated and associated. An authenticated but unassociated host has simply been recognized by the wireless AP, but the host is not currently sending information through the AP.
diagnose/detect a DoS/DDoS attack
Using a packet sniffer to view traffic on the network. Using the netstat application to view connections on a system. Using intrusion-detection applications to identify suspicious traffic, or floods of traffic, on the network.
spread spectrum
Various methods for radio transmission in which frequencies or signal patterns are continuously changed. spread spectrum transmissions: Frequency Hopping Spread Spectrum (FHSS) Direct Sequence Spread Spectrum (DSSS) Orthogonal Frequency Division Multiplexing (OFDM)
Uniform scripting standards for wireless devices
WAP includes specifications for Wireless Markup Language (WML), which is roughly analogous to Hypertext Markup Language (HTML), commonly used in Web browsers and e-mail clients. Essentially, compare the functions of HTML and JavaScript to Web browsers; WML and WMLScript provide the same functions to mobile wireless clients (e.g., Web browsers embedded into cell phones and PDAs).
authentication methods
What you know. What you have. Who you are. Where you are. (the weakest form of authentication)
sniffing
When a browser is used to access password-protected sites, it is possible for a hacker to obtain information from unencrypted transactions between the browser and site.
beacon
When a wireless AP is ready to accept connections, it sends a special Ethernet frame to inform clients of its availability.
choke router
When two routers are used in a firewall configuration, the internal router (i.e., the router that presents an interface to the internal network) is often called a choke router. A choke router defines the point at which a public network can access your internal network. It also defines the point at which your internal network users can access the public network. Security administrators use choke points to limit external access to their networks. Using a firewall strategy creates choke points, because all traffic must flow through the firewalls.
stop or contain hacking activity
When you detect and identify an attack, the next step you should take is to either break the connection or contain the activity, as directed by your security policy and the particular situation. Just remember that containment is often dangerous. Even with a sound policy in place, such decisions are still situation-dependent. One of the easiest ways to stop a hacking attack is to simply unplug the network cable or disable the wireless connection to the server. Unplugging the network cable will ensure that as much data as possible will be saved, and it will cut off the attacker's access to the server. It is vital to preserve all data on the server for future forensic analysis. Such data includes not only the data important for the business, but also the data from the actual attack so that you can try to determine who is attacking your system.
WEP
Wired Equivalent Privacy (WEP): Encrypts all data packets sent between all wireless clients and the wireless access point using a four-step handshake when authenticating a client; however, the request and challenge are both unencrypted
WTLS
Wireless Transport Layer Security (WTLS) - The most important WAP element to understand. It is designed to encrypt wireless packets. WTLS is similar to SSL/TLS in that it uses certificates to encrypt data. WTLS is often referred to as wireless PKI.
3 types of VPN
Workstation-to-server — (aka host-to-host) A network is established between one workstation and a central VPN server. The server usually provides two services: access to the network in which the server resides, and an encrypted tunnel for all communications passing between the two hosts. For example, when a telecommuter first establishes a VPN into the network before obtaining e-mail, he or she is using a host-to-host VPN solution. Also called a remote access VPN. Firewall-to-firewall — (aka site-to-site) A tunnel is created between two distinct networks and used to securely connect remote LANs over unsecured networks. Often called a site-to-site VPN. Workstation-to-workstation — Workstations encrypt communications between each other on the same LAN, or on a local enterprise network.
policy and technology within a security infrastructure
Your security infrastructure is the implementation of your security policies at the operations level. This infrastructure should include defense and protection as determined by the following model: People drive policy; policy guides technology; technology serves people.
wireless cell
a collection of wireless clients around a specific wireless AP. The farther away a client is from a wireless AP, the less it is inclined to belong to a particular cell because the AP beacon becomes too weak, and interference results referred to as a sphere of influence
zero-day attack
a computer threat that exposes computer application vulnerabilities before a patch or update is available. Zero-day attacks are dangerous because they take advantage of computer security holes for which no solution is currently available
rounds
a discrete part of the encryption process. An algorithm generally submits information to several rounds. A higher number of rounds is preferable. Most symmetric-key algorithm rounds first process half of the unencrypted data, then process the second half. Then, each half is then reprocessed to make the resulting encryption stronger. Separating information into rounds makes symmetric keys faster
PKI (CA certificate)
a file that contains several fields meant to further identify a particular person or host. An example of a field is the Subject field, in which the person or host is mentioned by name.
profiling
a hacker's ability to determine the nature of a network host. Profiling is often conducted through zone transfers and port scanning. It is also the ability to determine the nature of the traffic passing to and from the host.
PKI (certificate revocation list)
a list containing certificates that have expired before their normal due dates, due to server compromise, or because the owner no longer wants the certificate to be used.
GREP
a pattern-finding command found in many UNIX systems
threat
a potential security violation
PKI (certificate policy statement)
a public document containing rules and procedures agreed upon by the CA and the end entity. This document specifies the certification path and the technologies that enable authentication.
PKI (certification practice statement)
a public document containing the practices that a CA employs in issuing certificates. This document includes details about the certificate life cycle (issuance, management, renewal and revocation).
PKI (repository)
a series of distributed networks that allow access to certificates.
PKI (digital certificate)
a signed public key that verifies a set of credentials tied to the public key of a certificate authority. A digital certificate authenticates a user or host.
screened host firewall
a single-homed bastion used in combination with a screening router
security mechanism
a technology, a software program or a procedure that implements one or more security services. ISO classifies mechanisms as either specific or pervasive. specific - a technology or software program that implements only one security service at a time. Encryption is an example of a specific security mechanism pervasive - lists procedures that help implement one or more of the security services at a time. Another element that differentiates pervasive, or general, security mechanisms from specific mechanisms is that general mechanisms do not apply to any one layer of the Open Systems Interconnection reference model Event detection is an example of a pervasive (general) security mechanism that allows you to detect and report both local and remote incidents.
ACL
access control list - A list of individual users and groups associated with an object, and the rights that each user or group has when accessing that object.
wireless networking modes
ad hoc - in which systems use only their NICs to connect with each other. Infrastructure - in which systems connect via a centralized access point, called a wireless access point (AP).
AES
advanced encryption standard - AES is the encryption standard used by the U.S. government worldwide. the symmetric algorithm chosen for AES had to allow the creation of 128-bit, 192-bit and 256-bit keys; provide support for various platforms (smart cards, 8-bit, 32-bit and 64-bit processors); and be as fast as possible. Rijndael was announced the winner to become AES by NIST in U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001, and it became effective as a standard on May 26, 2002.
advantages and disadvantages of circuit-level proxy
advantages: provide NAT disadvantages: -requires modified applications ---to work with circuit-level proxy firewall an application must be written provide connection info to the SOCKS server ---which can require altering normal practices to accommodate the firewall -cannot discriminate between bad and good packets -susceptible to IP spoofing
application-layer proxy
also called application-layer gateway By far the most popular types of proxy servers are those that proxy application-level traffic
circuit-level proxy
also called circuit-level gateway -operates at the transport layer of the OSI/RM -a firewall that monitors the source and destination of TCP and UDP packets -does not inspect application-layer traffic -does not inspect traffic as thoroughly as does an application-level proxy. Usually composed of two hosts -an encrypted connection between these the first and second firewall hosts -hosts work together to process traffic -provides fault tolerance if one host fails -provides load balancing between the hosts SOCKS is most popular circuit-level gateway -two version v4 and v5 -v5 is more popular and provides support for additional protocols
DNS zone transfer
also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client-server transaction. The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. The portion of the database that is replicated is a zone.
amoritization
an accounting concept also used in security management, is used to accurately determine the cost of a particular implementation and pay for it over time. Amortization also includes accounting for depreciation of software or hardware.
web security gateway
an application designed to provide security protection from malware by classifying new and dynamic Web content in real-time, determining immediately whether the Web site and its contents are safe. The Web security gateway categorizes actual content on Web sites, not just the sites themselves, which allows users to access Web sites but block portions of sites that are inappropriate or may pose a security risk. Because Web security gateways are designed to analyze Web site content in real-time, they can immediately protect users from malicious Web content.
vulnerability
any weakness that could be exploited to violate a system or the information it contains
asset
anything of value
automated security scans
batch scripts - are extremely powerful; you can use them to administer and watch a wide range of things, and to perform tasks such as automatically initiating responses event logs - Event logs such as those generated by the secrep.bat file are especially useful if you are suspicious of certain system activity. They can yield more pertinent information than poring over many pages of detailed logs. Alternatively, it may be easier to execute the script on the target machine from an internal machine running the scheduler service. Either way, it is another technique in your arsenal to fight system intruders.
parallelization
can refer to the use of multiple processes, processors or machines to work on cracking one encryption algorithm. Individual hosts can be parallelized using a parallel cluster server. Such technology allows many different hosts to work together as one system to crack a piece of code can also refer to the use of an application that is capable of using two algorithms at the same time to encrypt information.
Kerberos
computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The ticket contains a session key that allows the two Kerberos clients to communicate advantages: Authentication, encryption and integrity goals are met even when users do not know each other. Kerberos clients need only enter password information locally. Through the use of public-key cryptography (asymmetric encryption), full passwords are never sent across the network, not even in encrypted form. Kerberos encrypts packets of information as they traverse the wire, making information more secure. Kerberos can limit authentication to a certain time span. Kerberos can control access to various resources. Again, using public-key cryptography, Kerberos allows an end user to use a printer through the use of "tickets." disadvantages: if the KDC (key distribution center) is compromised, all communication becomes vulnerable
Sarbanes-Oxley
describes specific mandates and requirements for financial reporting, and establishes new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act consists of 11 titles that are designed to improve the accuracy and reliability of corporate disclosure to reinforce investment confidence and protect investors
request to send (RTS) threshold
determines the wireless AP's ability to communicate with clients
dummy files/dummy accounts
dummy files - You can create intentionally misleading files to either misinform an information seeker, or simply distract a thrill seeker. For a corporate spy, you could supply false financial spreadsheets, as well as other files. You are limited only by your imagination dummy accounts - By now, you know that system defaults are one of most hackers' first targets. However, you can use default information directly against hackers as well. For instance, the Windows Server 2003 administrator account is called "administrator." This account can be renamed in Windows Server 2003 using the Local Security Policy snap-in. Doing so makes things more difficult for the potential hacker. You can now go one step further by creating a new account called administrator and restricting all access to it. You can then establish heavy auditing and alarms to alert you when an attempt to log on with the account occurs.
things you can do to secure an email server
enable authentication for SMTP; forbid relaying to unauthorized users; scan e-mail attachments; reduce the size of e-mail attachments; impose a limit on the number of e-mail messages a particular account can receive; and eliminate e-mail attachments.
symmetric key encryption
encrypts data using one text string (i.e., key). This same key both encrypts and decrypts a file. Another name for symmetric encryption is secret-key cryptography The main benefit of symmetric encryption is that it is fast and strong. These features allow you to encrypt a large amount of information in less than a second. The main weakness of a symmetric key is key distribution. That is, all recipients and viewers must have the same key. Therefore, all users must have a secure way to send and retrieve the key. Even though single-key encryption is a simple process, all parties must know and trust each other completley, and have confidential copies of the key. All types of encryption are subject to defeat. A countermeasure that can reduce the danger of having a symmetric key compromised is to change your key regularly. Hackers can also compromise symmetric keys either with a dictionary program, password sniffing, or by looking through a desk, purse or briefcase. Symmetric encryption is most likely to be defeated by brute-force attacks
security policy
establishes the foundation of any successful security system A security policy defines each rule to be followed and includes clear explanations of its purpose. An obscure or imprecise security policy may not convey the core security values, roles, and responsibilities to the organization.
ECL
execution control list - A list of the resources and actions that an operating system or application can access/perform while it is executing. Although an ECL may not be able to stop all malicious applications, it can help a malicious application from executing others. An ECL can thus help ensure that an attack does not spread throughout an operating system or to other hosts on the network.
IKE
internet key exchange - this process allows two hosts to establish a trust relationship. IKE allows two hosts to negotiate the exact nature of the connection. Elements of the negotiation include: -The encryption type -How long the SA will be valid (for example, eight hours) -The authentication method IKE occurs in two phases: In the first phase (often called main mode), the Internet Security Association Key Management Protocol (ISAKMP) negotiates the encryption type, the authentication method and so forth. It also maintains security associations (SAs) and is responsible for removing the keys associated with an SA The OAKLEY key-determination protocol generates the actual keys. It then issues messages via UDP to help hosts exchange the strongest keys possible. OAKLEY is used as a subset of ISAKMP. Keys generated at the end of the main mode phase then encrypt the actual traffic that passes between network hosts. This second phase of IPsec is called Phase 2, or quick mode
active auditing
involves actively responding to illicit access and intrusions. Responses might include: Ending the session. Blocking access to certain hosts (including Web sites, FTP servers and e-mail servers). Tracing illicit activity back to the point of origin.
Basic Service Set Identifier (BSSID)
is provided by a wireless AP and has one function: to differentiate one wireless cell from another. The BSSID does not contain authentication information. In fact, it is most often the MAC address of the wireless AP.
honey pot/jail
jail Regarding network security and hacker detection, a jail is a separate system you can create to delay or distract a hacker. A jail looks just like a series of actual network hosts, when in fact it is a series of tripwires designed to issue alerts to the systems administrator. Jails commonly supply deliberately inaccurate information that allows an administrator time to detect and catch the hacker. Jails can be a dangerous way to contain hacker activity, mainly because of the potential for a hacker to "break out" of your jail and into your actual system. Also, make sure that your security policy allows you to use a jail. Systems administrators have sometimes created jails, only to learn later that the company forbids them. The decision to create a jail or other such device should be made by managers who fully understand the benefits and drawbacks of such techniques. honey pot is another name for a jail
most important step in the security response process
learning from the incident
packet filtering firewall advantages
likely already in place The main advantage to using a packet filter is that the devices and software needed are probably already in place, because most routers natively support packet filtering. Because all the devices are already in place, little or no money will need to be spent on new equipment. After you learn how to format the rules, you can begin controlling access. screen entire applications or network IDs Packet filters (used as screening routers) are normally the first line of defense for a firewall system. Packet filters can screen entire applications or network IDs. For example, a packet filter could restrict all inbound traffic to a specific host. This restriction would prevent a hacker from being able to contact any other host within the internal network. less processing power is needed Because packet filters work at the network layer, less processing power is needed. As a result, many high-volume sites, such as Yahoo!, eBay and others, use packet-filtering firewalls, because many proxy-oriented firewalls cannot quickly process high volumes of traffic
virus
malicious applications that spread from system to system with the aid of user intervention. A virus has two parts: The application that activates and spreads the virus The payload, which is the damage the virus does to the operating system or file A virus is a malicious program that replicates itself on computer systems, usually through executable software, and causes irreparable system damage.
International Organization for Standardization definition of security
minimizing the vulnerabilities of assets and resources
Nmap
network mapper - an open-source utility for network discovery and security auditing This tool can identify port scan attacks and take several actions, including automatically dropping all connections to a system
DNS loops
occur when a host makes a simple DNS request to access a remote Web site such as Google (www.google.com), and the routers and firewalls make multiple, infinite DNS requests. As a result, the client system can never resolve a host name to an IP address A DNS loop can be caused by improper entries in the DNS zone database, or when multiple firewalls and routers are working together. In the latter instance, the routers and firewalls can get caught in a loop sending packets to each other, rather than forwarding them to their proper destination. Typical resolutions include removing improperly created canonical name (CNAME) entries (i.e., aliases), and updating router and firewall routing tables.
malformed packets
often used in DoS attacks sending malformed packets to a host, hoping that the target host will crash in the attempt to reassemble them. teardrop/teardrop2 ping of death - crashes a system by sending an ICMP packet that is larger than 65,536 bytes. Generally, it is impossible to send an IP datagram of 65,536 bytes. However, a packet can be divided into pieces, then reassembled at the victim's address. This process causes a buffer overflow in the victim's system. The Ping of Death is an older attack and only affects systems that have not been properly updated. land attack
OTP
one time password
Ipchains vs Iptables
packet filtering rules for Linux Iptables has become the standard, effectively replacing ipchains. Ipchains can still be used but an Iptables ruleset is both faster and more secure than its nearest equivalent in ipchains Iptables manipulates a special area of the kernel called Netfilter Using either ipchains or iptables, you can create packet-filtering rules that accept, drop or masquerade traffic Unlike iptables, ipchains is stateless. In ipchains, the three built-in chains are as follows: input — used to control packets entering the interface output — used to control packets leaving the interface forward — used to control packets being masqueraded, or sent to remote hosts Iptables adds to these: filter — contains the INPUT, OUTPUT and FORWARD chains. The default table reports when you list chains using the iptables -L command. nat — used for creating NAT. Contains the PREROUTING, OUTPUT and POSTROUTING tables. The PREROUTING table alters packets as soon as they enter (used when masquerading connections). The OUTPUT table alters locally generated packets. POSTROUTING alters packets before they are about to be sent on the network. mangle — alters the packets. Generally, you do not use this for establishing NAT. This table has two chains: PREROUTING (alters packets that have entered the system) and OUTPUT (alters packets that have been generated by the local operating system). Before you can masquerade a connection, you must enable IP forwarding and IP defragmentation on the system, regardless of whether you are using ipchains, iptables or a Windows system.
PFS
perfect forward security - IPsec on Windows Server 2003 requires that you first obtain a key to then generate new keys for all data packets. Subsequent transmissions between hosts are encrypted using this key. Perfect Forward Security (PFS) enables IPsec hosts to use multiple keys to encrypt data. PFS is designed to protect transmissions if an IPsec key is compromised, because it requires the system to generate multiple keys during a transmission. However, enabling this feature in some IPsec implementations may adversely reduce performance due to additional processor overhead caused by additional key generation.
PSAD
port scan attack detector - This tool runs on Linux machines and analyzes iptable log messages to detect port scans and other suspicious traffic.
PBX
private branch exchange - allows a company to manage its own telephone infrastructure
wireless application protocol (WAP)
provides a uniform set of communication standards for cellular phones and other mobile wireless equipment but not used in wireless Ethernet networks. WAP provides the following services: Uniform scripting standards for wireless devices Wireless Transport Layer Security (WTLS)
5 steps of implementing a security policy
publish the policy, so that those responsible for network security are aware of it. categorize resources and needs, so available equipment, needs and priorities are documented. secure each resource and service, which includes changing system defaults and monitoring public connections. log, test and evaluate, so the potential security threats can be identified. repeat the process and keep current.
greynet applications
refer to network-based applications that a corporate network user downloads and installs without the permission or knowledge of the IT department. Common examples of greynet applications include instant messaging (IM), peer-to-peer (P2P) applications, streaming media players and RSS readers.
VLAN benefits
security performance ease of administration
security drawbacks
security always involves drawbacks, commonly include: increased complexity and slower system response time
SA
security association - the exchange of data meant to uniquely identify a particular host. Generally, an SA requires the use of public-key cryptography (asymmetric-key encryption). If you want to use IPsec to communicate securely with another host, you must first create an SA
performance management
security management concept is used to determine the existing workload of systems on the network
smurf/fraggle attack
smurf attack - another DDOS attack that involves manipulating ICMP. Routers can be (mistakenly) configured to respond to a specific kind of ICMP address called a directed broadcast address. This address allows a router to generate ICMP packets for up to 255 IP addresses Fraggle attack - is similar to a Smurf attack, except it uses UDP
proxy server disadvantages
speed client configuration -Creating the filters for the TCP/IP applications. -Each application must be configured individually. Given the number of applications that can be used over TCP, firewall administrators will require extensive knowledge of all the applications and unique settings for each to create secure filters client configuration - If the internal users use different client applications for each Internet application (for example, browsers, mail clients, news clients, FTP clients and chat programs), each application must be configured to use the proxy server for remote access. Often the Internet applications will not interface correctly (or at all) with a proxy server. speed - Because proxy-oriented firewalls delve deeply into the IP packet, they need more system resources. At extremely busy sites, a proxy-based firewall can become a liability, because it can cause unacceptable latency
advantages and disadvantages of asymmetric key encryption
strong encryption - Although private and public keys are mathematically related to one another, determining the value of the private key from the public key is so difficult and time-consuming that it is practically impossible. For communication over the Internet, the asymmetric-key system makes key management easier because the public key can be distributed while the private key stays secure with the user. slow - One of the drawbacks of asymmetric-key encryption is that it is quite slow, due to the intensive mathematical calculations that the program requires. If a user wanted even a rudimentary level of asymmetric encryption, hours would be needed to encrypt a relatively small amount of information.
passive auditing
the computer simply records activity and does nothing about it. Therefore, passive auditing is not a real-time detection mechanism, because someone must review the logs and then act on the information they contain Reading activity logs is an example of passive auditing. The principle of passive auditing requires that you take no proactive or pre-emptive action.
PKI (end entity)
the end user or person listed in the Subject field.
PKI (certification path)
the traceable history of the parties who have vouched for the certificate. Certificates depend highly upon the integrity of the party who vouches for them. If a problem exists in a certificate's certification path, the certificate may be deemed invalid, and should be revoked.
3 types of users that need security training
three user levels that should receive training: End users — Users must be informed of new viruses that are introduced on the Web. You can notify them via a companywide e-mail message or conference call. Administrators — Security administrators must remain informed about the latest threats and countermeasures. A good idea is to assign each security administrator a topic or area. For example, one security administrator can keep current with the latest viruses, and another could keep up with the latest hacker tools and techniques. Then administrators can cross-train each other. Executives — Executives need to be kept aware of the latest tools that can be used to keep a site's security up to date. A useful technique is to tell the executives of a successful break-in at a related site. With this information, they will probably be willing to fund projects to improve security.
encryption at file level
transforms an easily read plaintext file into ciphertext. The only way someone can read this text is to gain access to the key that was used to transform the text into ciphertext Data that is not encrypted can be sniffed by packet sniffers
public key distribution
used in asymmetric encryption Applying encryption means establishing a trust relationship between hosts. On the most basic level, a trust relationship involves exchanging a special piece of code, called a key. This key allows a host to encrypt information so that only one remote host can decrypt the information. This encryption is accomplished with public-key encryption. This form of encryption demands that you create a private key and a public key. After you have generated a key pair, you can then give the public key to someone. these keys are distributed using two methods: Manually — You have to first trade public keys with a recipient, then encode messages to the recipient's public key. This method is usually required for encrypting e-mail messages between recipients. Automatically — SSL and IPsec can exchange information (including private keys) in a reasonably secure manner through a series of handshakes.
PPTP
used to create VPN connections, capable of tunneling and encrypting connections across multiple networks. Point-to-Point Protocol (PPP) cannot perform these tasks; PPP allows encryption to occur only between the client and the ISP's dialup server. PPTP works at the data link layer (Layer 2 of the OSI/RM), and is capable of using PPP to tunnel various protocols (e.g. TCP/IP, IPX/SPX and NetBEUI). PPTP does require a client to first create a connection to an ISP, the subsequent encrypted connection does not have to be made to the ISP. The VPN connection can be made across many networks to any remote server on any remote network. Thus, with PPTP, the use of encryption is no longer tied to the ISP. Finally, PPTP uses Challenge Handshake Authentication Protocol (CHAP), which uses hash encryption to ensure that passwords are not easily stolen
SNMP
uses UDP ports 161 and 162 three version exist SNMPv1, v2 and v3 v1 uses a simple text string to authenticate users.
avoiding malware
virus protection application management and testing configuration management use trusted media install file-signature-checking software
VoIP
voice over IP - Routers and switches can be configured to handle voice data. In these cases, a security break-in will cause problems not only for database, Web and e-mail servers, but also for your telephone systems. With the advent of VoIP, router and switch security becomes paramount.
PKI (certificate store)
where clients and CAs store certificates. These stores can be managed so that only the most current certificates are listed.