CompTIA Security+ SY0-601 Module 2
Security Information and Event Management (SIEM)
Aggregation, Correlation, Automated alerting, Time sync, Event Deduplication
Mobile Device Management (MDM)
App/Content Management, Remote Wipe, Geolocation/Geofencing, Screen locks, Push Notifications, Passwords & PINs, Biometrics, Containerization, Full device encryption
Deployment Models
BYOD, COPE, CYOD, Corporate-owned
Connection Methods
Cellular, Wi-Fi, SATCOM, Bluetooth, NFC
Proxy Server Types
Forward Proxies, Reverse Proxies, Transparent Proxies
Hardware Encryption Types
HSM, TPM
Command Line Tools
Ping, Tracert, Nslookup/dig, Arp, Ipconfig/ifconfig, nmap
Wireless Access Points types
SSID, Mac Filtering, Signal strength, Antenna Types & Placement, Fat vs Thin, Controller-based vs standalone
Enforcement & monitoring
Third Party Apps, Rooting/Jailbreaking, Carrier Unlocking, Camera Use, External Media, GPS Tagging, Sideloading, Custom Firmware, Firmware OTA Updates, SMS/MMS, Tethering, Wi-Fi Direct/Ad hoc
Load Balancer Types
Types of load balancers, Session affinity vs. Round Robin, Virtual IPs
Networking Hardware
Types: Routers and Switches
DLP Types
USB Blocking, Cloud-based, Email
Virtual Private Network (VPN)
VPN technology provides a secure means of remote access from a computer to a remote computer, or from one network to another network, over the Internet. There are two types: Remote Access VPN and Site-to-Site VPN.
FTPS
•SSL or TLS can be used to secure FTP communications as well; this is called FTPS. •It is built on the same framework as most internet communications. •It is split into two connections like FTP, making it hard to use with firewalls: •Control Channel •Data Channel
Corporate Owned Mobile Devices
•A corporate-owned mobile device is a mobile device that is owned, administered, and controlled by the company, but is then handed out to the employees of that company. •Employees have little say in which device they acquire, if any at all. •A company can regain complete control of the mobile device if needed.
Domain Name System
•A DNS (Domain Name System) server converts an FQDN (Fully Qualified Domain Name) (ex: www.yahoo.com) into the IP address your computer needs to access the remote device. BIND is the de-facto standard DNS software. •A DNS zone transfer is when two DNS servers synchronize their databases. This uses TCP port 53. •DNS information could potentially be forged, or a malicious DNS server could try to perform a zone transfer with a legitimate one, poisoning it.
Hardware firewall
•A hardware firewall, or network-based firewall, is a physical device that controls the flow of traffic throughout the network. •Commonly used at the entrance to a network to separate a DMZ from an internal network. •Alternatively, it could just be preventing traffic from one internal network to another.
NIDS (Network Intrusion Detection System)
•A NIDS (Network Intrusion Detection System) is an intrusion detection system that watches network traffic in order to see if network communications are using unauthorized protocols. •For a NIDS to view all available segment traffic on a switch, make sure that you configure a mirrored port. •When using a NIDS, the NIC should be placed in promiscuous mode to monitor all traffic. •Types of NIDS and NIPS: Signature-based, Heuristic/Behavioral/Anomaly, False Positives & Negatives
Network Scanner
•A network scanner can be utilized to scan your network for vulnerabilities. •Rogue system detection: a scanner can detect an unauthorized device on the network, allowing an admin to address the situation. •Network mapping: a scanner can be used to detect all devices connected to a network, allowing a logical network map to be built, outlining the connections on the network.
Pattern Locks
•A pattern lock can be used to secure a phone by requiring the user to enter a known pattern to gain access to the phone. •Though a pattern lock can be a more convenient access method, it is less secure than a sufficiently long passcode lock.
Antenna - Yagi
•A Yagi antenna is a directional antenna system consisting of an array of a dipole and additional closely coupled parasitic elements. •Can be used to create a wireless bridge.
Baseline Deviation
•A baseline is a set of known-good or accepted configurations. •Deviating from this known good can cause instabilities or create vulnerabilities in a system. •An IDS or IPS can detect deviations from the baseline, potentially notifying an admin of any issues. •A behavior-based IDS/IPS is designed this way.
Software Firewall
•A device, whether it is software or hardware, that inspects traffic and only allows authorized traffic in or out of the network or computer is called a firewall. •A personal firewall or host-based firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy. •By default, your inbound firewall rule should be set to "Deny-All". This means that traffic originating from outside of the workstation will be denied access into the workstation. This is known as an Implicit Deny.
Directory Services
•A directory is a collection of usernames, passwords, emails, or possibly many other things. •Think of it like a phonebook: a list of names and phone numbers. •An example of a directory service is Active Directory, Microsoft's directory service. •LDAP is used to add, delete, search, and modify directory entries.
Fat vs Thin WAPs
•A fat wireless access point is an intelligent WAP that has all of the features and software needed to manage your wireless clients. For example, it can enable and set up MAC filtering and enable or disable SSID broadcasting. •A thin wireless access point is basically just the hardware. It can push out configurations that were put in place elsewhere, but nothing is changed on the device itself. •Easier to implement, so it can save money and time.
Firewall
•A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust. •Modern firewalls utilize stateful packet inspection. •Stateful packet inspection will block incoming traffic that does not match an internal request. •A firewall can mitigate port scanning.
Forward Proxy vs Reverse Proxy
•A forward proxy acts as a proxy for outgoing traffic, protecting your network from the users in it. •Can prevent users from going to malicious sites and inspect their traffic as it leaves. •A reverse proxy acts as a proxy for incoming traffic, and can protect your network from external intruders. •Can filter out requests from external attackers who are trying to infiltrate your network. •Can stand in front of a large number of servers, including but not limited to web servers, email servers, and file servers.
Honeypot and Honeynet
•A honeypot is a trap set to attract, detect, observe, deflect, or in some manner counteract attempts at unauthorized use of information systems. •Two or more honeypots on a network form a honeynet. •Use a honeypot/net to protect your company while also researching attack methods being used against your company. •Honeypots and honeynets would be located in the DMZ.
Misconfigured devices
•A misconfigured device can cause a wide range of problems, from unwanted access to causing a denial of service. •Configurations should be reviewed by an admin in order to prevent misconfigurations from going unnoticed. •A vulnerability scanner can detect common misconfigurations of many types of devices on a network.
Switch
•A network switch is a hardware device that joins multiple computers together within one local area network. •Switches operate at layer 2 (Data Link Layer) of the OSI model. •Forwards packets by MAC address. •Devices on each connection cannot usually see each other's traffic (except for broadcasts). •It is best practice to disable any unused ports to secure the switch from physical access.
Password Cracker
•A password cracker is a piece of software designed to perform a brute-force attack on a system's passwords. It hopes to take advantage of one of a few weaknesses: •Captured password hashes, which can be attacked offline. •Weak passwords that are simple, and thus can be cracked quickly. •Having a secure password policy will protect an organization from a password cracker.
Proxy Server
•A proxy server is a server that acts as a go-between for requests from clients seeking resources from the Internet. •A proxy server combines two functions: It caches web-pages locally to speed up access requests, while also acting as a content filter to block users from visiting inappropriate sites. •If you want to know what websites your users are visiting, setup a proxy server. •The best way to secure your email infrastructure is to setup an email proxy server in the DMZ and the email server in the internal network.
Router
•A router is a computer networking device that forwards data packets from one network to another, towards their ultimate destinations. •Routing occurs at layer 3 (the Network layer). •Connects two or more networks together. •Each interface connects to a different network. •The router interface then becomes the Default Gateway. •Does not pass broadcast packets. •A router's Access Control Lists can be used to confine sensitive data and computers to particular sub-networks. •Password-protect the console port on a router if the router itself is placed in an insecure location.
SATCOM
•A service that provides data through the use of low Earth orbit satellites to users world-wide. •Satellite requires line-of-sight. •The delay involved in a digital satellite connection is called latency. •Can provide connectivity to just about anywhere on Earth; you just need line of sight to the satellite. •Generally a more expensive option for phone connectivity.
Stateful Firewalls
•A stateful firewall inspects the traffic leaving a network and dynamically permits the return traffic back in by modifying an ACL on the edge of the network pointing into the internal network. •Creates a "state table" to allow external replies to re-enter the network. •Those packets matching state table entries will be permitted into the network. •The advantages include more flexibility and less susceptibility to spoofing attacks when compared to stateless firewalls.
Stateless Firewall
•A stateless firewall is configured with an ACL that permits or denies traffic based on static rules defined by an admin. •The vulnerability here is that if the packet's IP addressing is spoofed, the network can be compromised, as a stateless firewall doesn't support contextual analysis. •The advantage of stateless firewalls is that processing is faster when compared to stateful firewalls.
Steganography Tools
•A steganography tool is used to hide data inside of another file, such as a graphic file or video file. •It makes subtle modifications to the file that is carrying the hidden information, attempting to make the new file indistinguishable from the original. •Might be used by a photographer to hide a watermark in a photo.
Data Exfiltration
•A user able to exfiltrate data from a system is dangerous due to the myriad of sensitive data that can be stored on a system. •USB drives can easily pull data from a computer. •Bluetooth can pull data wirelessly. •Data can be sent out of the network using email. •Confirming proper group policies are set, and making sure USB/Bluetooth access is restricted, can prevent exfiltration. •DLP can prevent many forms of exfiltration, including information sent over email.
Access Violations
•A user might access networked resources if improper permissions are set or if no NAC is implemented. •Physical access can be an issue if an employee can freely access restricted areas with ease. •Network access can be determined by performing account reviews and with penetration testing. •Physical access can be detected with some form of detective control like CCTV.
Permission Issues
•A user without the proper permissions will be unable to do their job, and will require their permissions to be re-reviewed in order to gain proper permissions. •A user with more permissions than intended can gain access to systems or software they should not have access to, potentially compromising a system. •Privilege escalation is when a user exploits a known bug or vulnerability to increase their own access. •Continual privilege review can prevent this.
Vulnerability Scanners
•A vulnerability scanner is a computer program designed to search for and map systems for weaknesses in an application, computer, or network.
Access Point (AP)
•A wireless access point (WAP or AP) is a device that allows wireless devices to connect to a wired network. •Although several WAPs can share the same SSID, individual WAPs can be identified by their BSSID (Basic Service Set Identifier), which is basically the MAC address of the WAP. •The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point. •Decrease the power levels on your WAP to limit the wireless signal range.
ARP
•ARP (Address Resolution Protocol) is used to find a device's MAC address when only its IP address is known. •A host wishing to obtain another's MAC address broadcasts an ARP request onto the network. The host on the network that has the IP address in the request then replies with its MAC address. •ARP is an insecure protocol, as an attacker could "poison" your ARP table and give you bad information, convincing you that he is the Default Gateway. He would then be set up as a Man-In-The-Middle and could "sniff" your traffic.
Access Control Lists (ACL)
•An Access Control List, or ACL, is a set of data that informs a computer's operating system which permissions, or access rights, each user or group has to a specific system object (such as a directory or file). •An example of an Access Control List would be Windows NTFS permissions. •Firewalls also use ACLs to restrict network access to certain TCP and UDP ports or via source & destination IP addresses.
External Media
•Allowing external media on a company smartphone can present numerous issues for the security of a mobile device. •Allows for the exfiltration of data. •Allows sideloading of 3rd party applications. •Gives an access point for potentially malicious software. •Disabling removable media is a good idea for mobile devices.
Always-on VPN
•Always-On prevents access to the internet when the computer is not on a trusted network, unless a VPN session is active. •This enforces that the computer be in a secure environment, protecting a computer on an untrusted network. •Always-On should establish a VPN connection as soon as a user logs in, and the computer detects it is on an untrusted network. Then, the VPN session should remain open until the user logs out.
NIPS (Network Intrusion Prevention System)
•An IPS is a proactive security application that is used to prevent unwanted activity from entering your network. •A NIPS (Network Intrusion Prevention System) is a network security device that monitors network and/or system activities for malicious or unwanted behavior. •Reacts in real-time to block or prevent those activities. •Usually placed in-line with the data flow and can potentially disrupt network traffic.
Inline vs passive IPS
•An inline IPS is a proactive defense measure and works with the live data that is traversing your network. •This gives the IPS much more control in order to prevent attacks. •A passive IPS is a reactive defense measure; it receives a copy of the data and never works with the inline traffic. •This gives the IPS less control, but reduces the chance of false positives and negatives. •It essentially becomes an IDS.
IDS (Intrusion Detection System)
•An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems. •An IDS is used to detect suspicious behavior but not react to it. •A major consideration when implementing an IDS solution is having the personnel to interpret the results.
Antenna - Omni-directional
•An Omni-directional antenna, or vertical, is an antenna system which radiates power uniformly in one plane with a directive pattern shape in a perpendicular plane. This pattern is often described as "donut shaped". •Two situations where an Omni-directional antenna would be best used: •To connect hosts to a WAP. •To enable roaming access for laptop users.
Email Gateway
•An email gateway monitors emails being sent into a network and being sent outbound from that network. •Inbound, it can prevent spam, which will help weed out malware before it enters the network. •Outbound, it can provide DLP, preventing the loss of sensitive data like PII. •Email gateways can also provide encryption for email services.
Personnel Issues: Personal Email
•An employee's personal email can be easily compromised, as it is controlled by a third-party organization. •Not necessarily encrypted. •No DLP built into the system. •Can email anybody freely. •Preventing access is recommended, as employees could easily use a 3rd party email to bypass some security controls.
Anomaly/Heuristic/Behavior-based
•Anomaly-based IDS uses rules or predefined concepts about "normal" and "abnormal" system activity (called heuristics) to distinguish anomalies from normal system behavior. •An anomaly-based IDS follows a learning process. •The first step when implementing an anomaly-based IDS/IPS is documenting the existing network. •Anomaly-based IDS uses statistical analysis to detect intrusions. •With Anomaly/Heuristic-based systems, it is up to you to decide what traffic gets blocked by defining what is "normal".
AH vs ESP
•Authentication Header (AH) provides a framework for IPsec. •This framework allows for authentication, anti-replay, and integrity (NOT encryption). •AH provides better performance than ESP. •Encapsulating Security Payload (ESP) provides a framework for IPsec. •This framework allows for authentication, encryption, anti-replay, and integrity. •More commonly implemented than AH. •ESP provides better security than AH.
BYOD (bring your own device)
•BYOD = Bring Your Own Device. If you allow employees to use their own mobile devices on the corporate network, confine them to their own VLAN for security. •BYOD allows an employee to bring their own personal phone and connect it to the business network to be used for business purposes. •The employee maintains a large amount of control over the device.
LDAPS
•Before any LDAP messages can be transferred, LDAPS requires the client to establish a secure TLS session, providing encryption. •If the TLS connection is closed, the LDAPS session closes as well, preventing connection without encryption. •Runs over port 636.
Biometrics
•Biometrics are authentication techniques that rely on measurable physical characteristics that can be automatically checked. •This could include something along the lines of facial recognition or a fingerprint scanner.
Bluetooth
•Bluetooth is an open wireless protocol for exchanging data over short distances (using short-wavelength radio waves) between fixed and mobile devices, creating personal area networks (PANs). Note that PANs are centered around a specific person. •Used to connect two devices by the use of pairing. •Can connect several devices, overcoming problems of synchronization. •Bluetooth 1.0 and 2.0 have a wireless range of around 30 - 33 feet (or 10 meters).
Secure Web Protocols
•Browsing the internet can also be secured by encrypting traffic between the web client and server. •Useful when purchasing online. •Useful when accessing online bank accounts. •Useful for any other sensitive internet traffic. •The primary protocol used to secure web traffic is HTTPS. •Secured with SSL/TLS.
COPE (Company Owned, Personally Enabled)
•COPE = Company Owned, Personally Enabled. A company provides its employees with mobile devices to use as though they were the employee's own device. •Similar to BYOD, but at the end of the day, the company owns the device. •Gives slightly more control than BYOD.
CYOD (Choose Your Own Device)
•CYOD = Choose Your Own Device. With CYOD, employees get a choice from a limited number of devices that are ultimately selected by the company. •Can limit users to particular operating systems. •Company has more control over the device, and can limit it to strictly work activities.
Unencrypted credentials/clear text
•Clear text refers to plainly readable information, which allows anybody who can access that information to read it. •No sensitive data should be left unencrypted, or it will be at risk of being stolen. •PII is especially at risk here. •Penetration testing and vulnerability scans can be utilized in order to test whether something lacks encryption or has weak encryption.
Context-aware Authentication
•Context-aware authentication does not check only for a password, but also for the situation in which the password is being entered. •For example, the password might work perfectly fine when on the company network, but be completely disabled when trying to connect from public Wi-Fi. •Could also require stricter authentication in some locations, such as now needing both a password and a hardware token to access a device on public Wi-Fi.
Custom Firmware
•Custom firmware is a modified version of the market firmware, developed by a third party. •Custom firmware is essentially a modified operating system that can be used to bypass certain security controls. •As with sideloaded applications, preventing the use of removable media can mitigate the risk of a user loading custom firmware.
DNSSEC
•DNSSEC is a suite of specifications for securing the information provided by DNS (especially authenticating the data therein). •Prevents the use of forged DNS information. •Has all DNS responses be digitally signed.
Data Loss Prevention (DLP)
•Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect: •Data in use (e.g. endpoint actions) •Data in motion (e.g. network actions) •Data at rest (e.g. data storage) •These systems use deep content inspection, contextual security analysis of transactions, and a centralized management framework. •A network-based DLP is a software or hardware solution that is installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies.
Full Device Encryption
•Device encryption is used to encrypt every bit of data that goes on a device. The data is then decrypted as it is read into memory. •The term "full device encryption" is often used to signify that everything on a device is encrypted. •Full device encryption is best used on portable devices, as they can be easily stolen.
Email Security Protocols
•Email communications can be encrypted and signed in order to guarantee secure communications. •Emails can be encrypted to ensure the confidentiality of the emails. •Emails can be signed and hashed to ensure integrity. •Secure email protocols: •S/MIME •Secure POP •Secure IMAP
Email-based DLP
•Email-based DLP is essential for any company concerned with its employees sending confidential or sensitive information outside of the network. •Most if not all companies utilize email in their day-to-day business practices. •Email-based DLP should scan an outgoing email for sensitive information, like PII, and block it from leaving the work network. •It can at least enforce digital signing to provide non-repudiation for the compromising email. •An email gateway can provide email-based DLP.
Screen Lock
•Enforcing a screen lock on employee mobile devices can prevent the leakage of sensitive company information. •A screen lock is a simple security feature on all modern smartphones that prevents access to the device without proper authentication. •Passcode/PIN lock •Pattern lock •Biometric lock
GPS Tagging
•GPS tagging (also known as geotagging) embeds geographical information such as GPS coordinates into items like pictures and video. •Can cause privacy issues for users. •Geotagging can also reveal the GPS coordinates of secure locations. •Ensure location-based services are disabled to prevent geotagging.
GPS tracking
•GPS tracking is the ability to track a cell phone by using the phone's built-in GPS radio. •Geotagging is a feature where you can encode pictures with the GPS coordinates of the picture's location. Be careful with this feature, as it can be a security risk both for the company and for home users! •Location-based services is the feature in your smartphone that enables the GPS functionality for all of your apps. If you turn this off, then none of your apps can do geotagging, GPS tracking, etc.
Geofencing
•Geofencing can be utilized either to prevent the use of a mobile device outside of a certain area, or to prevent its use inside a certain area. •Preventing the use of mobile devices outside of a certain area can stop an employee from leaving and transmitting data outside of a network the company has control over. •Preventing use inside a certain area can keep a secure area secured, possibly preventing data from being exfiltrated.
HTTPS
•HTTPS stands for Hypertext Transfer Protocol Secure and is used to transmit data to and from a web browser and a web server securely. •HTTPS uses SSL or TLS for its encryption. •HTTPS uses TCP port 443.
IPsec
•IP Security is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. •IPsec has been deployed widely to implement Virtual Private Networks (VPNs). •IPsec supports two encryption and authentication header modes: •Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched. •Tunnel mode encrypts both the header and the payload.
IPCONFIG/IFCONFIG
•IPCONFIG gives you information about your current network connections, such as: •IP Address •Subnet Mask •Default Gateway •DNS •MAC Address •IFCONFIG is used on Unix/Linux machines, but does the same as IPCONFIG. •Example: ipconfig /all
Hardware Security Module
•If your system does not come with a TPM, you can add an HSM (Hardware Security Module) instead. It's similar to a TPM but comes in the form of a plug-in card or external security device that can be attached to a server. •An HSM can be added to servers that do a large amount of encryption, such as VPN servers or Certificate Authorities. •Hardware encryption is always faster than software encryption! •Both TPM and HSM provide storage for RSA or other asymmetric keys and can assist in authentication.
Implicit Deny
•Implicit deny is a term to describe the default action to deny everything when there are not any matches in entries that you specify. This could be denying a hacker from penetrating your firewall or it could be denying a sales rep. from accessing company payroll information. •Implicit denies can be set in router ACLs, firewall rules, NTFS permissions, etc. •An implicit deny means you will not have access to that resource unless explicitly allowed.
App & Content Management
•It is important to select an operating system that supports the applications desired for business functionality. •Some applications are simply incompatible with certain types of mobile operating systems. •It can also be important to have proper access controls set on mobile devices to restrict access to certain content, and possibly prevent the installation of certain applications. •3rd party applications could compromise the security of a mobile device.
NIDS + NIPS
•Keep in mind that encrypting all network traffic will reduce the effectiveness when deploying and managing a NIDS or NIPS because they cannot read the encrypted traffic. •An IDS/IPS that identifies legitimate traffic as malicious activity is called a false positive. •An IDS/IPS that identifies malicious activity as being legitimate activity is called a false negative. Example: An IDS that does not identify a buffer overflow.
Omni-directional antenna placement
•Keep in mind the placement of your antennae when considering the security of your wireless network. •An antenna placed too close to the edge of the area you desire to provide wireless access to could allow an attacker to reach your network from outside the intended area. •For example, if an antenna were placed on the edge of the building, an attacker might be able to pick up the signal in the parking lot.
Load Balancer
•Load balancing is a computer networking methodology to distribute workload across multiple computers, network links, central processing units, disk drives, or other resources to achieve optimal resource utilization. •Basically any device can be load balanced to provide redundancy and load sharing.
MAC Filtering
•MAC Filtering is the wireless version of port security and controls access to the network based on the wireless NIC's MAC address. •To allow only certain wireless clients on your network you should enable and configure MAC filtering. •Enable MAC filtering to mitigate an issue where multiple unknown devices are connected to your WLAN.
Proper Licensing
•Make sure you and your employees are using legitimate software and have proper licensing for that software. Consider which license you want when, for example, buying: •Microsoft Office •Operating Systems •Personal License: A software license for an individual. Used on one or a few devices. For one user. •Enterprise License: A software license for a corporation. Used on a large number of networked devices. May require access to the company network to authenticate.
NFC
•Mobile devices can be used for Near Field Communication, which allows communication with another device over a short distance. •Commonly used today for electronic purchasing: instead of using a credit card, your smartphone is used to pay. •Can also be used for data transfers. •Older smartphones may not have an NFC chip, and will not be able to utilize any NFC purchasing apps.
Wi-Fi
•Mobile devices are also able to connect to the wireless network, lessening their dependence on the cellular network. •Helps by saving data! •Constantly searching for nearby Wi-Fi access points can drain a phone's battery faster. •Unsecured wireless access points can pose a problem for mobile devices, much as they can for laptops and other computers.
Multilayer Switch
•Multilayer switching is simply the combination of traditional Layer 2 switching with Layer 3 routing in a single product. •Uses ARP to learn the IP addresses of devices that are connected. •Can be used to permit different broadcast domains to communicate with each other.
NAC (Network Access Control)
•NAC refers to whatever system you have in place for controlling access to the network. •Can be as simple as clicking a box to "agree to the terms and conditions" of network usage. •Can be as complex as having your machine scanned for viruses, patches, updates, firewalls, etc. before it's allowed to connect. •Port security and 802.1x are examples of NAC.
Agent vs. Agentless
•NAC that requires a software agent on the system allows your NAC solution to keep tabs on the system using that software. •Agentless NAC does not require software on the end system and is reliant on a remote scan of the system.
Host Health Checks
•One simple form of NAC can be a simple scan of a computer connecting to a network. The scan can be checking for a number of important things: •Up to date Operating System. •Updated and recently scanned anti-virus software. •Certain software being present or absent from a machine, based on a company's application policy. •That certain system configurations match the network's expectations.
Secure POP/IMAP
•POP or IMAP can be utilized to download email from an email server. •POP downloads and deletes. •IMAP keeps a copy on the server. •Both POP and IMAP can be secured by SSL or TLS, allowing this communication to be encrypted. •Causes POP to run over port 995 instead of 110. •Causes IMAP to run over port 993 instead of 143.
Dissolvable vs. Permanent NAC
•Permanent NAC requires agent software to be installed on the device. •Dissolvable NAC only provides one-time authentication to the network, and is then deleted. •Can provide greater flexibility.
Asset Management
•Physical assets are important to keep track of for an organization, to prevent something from being lost or stolen. •Implementing RFID tags can detect when equipment leaves the building or a certain area of a building. •Company cellphones can be actively tracked with GPS. •Having an organized inventory management system is important to properly keep track of company assets.
Personnel Issues
•Policy violations can be reported by other employees or detected by security guards. •CCTV can detect policy violations occurring. •User education can prevent accidental policy violations. •Insider threats are always a concern today, as an employee already has access to the systems they are trying to compromise. •Separation of duties, job rotation, and mandatory vacations can help deter and detect insider threats.
Port Scanners
•Port scanning is used to remotely find open ports, listening services, and even the fingerprint/footprint of an operating system. •Banner grabbing is when you use a port scanner (for example), and based on the banner information (the reply) that is returned, you can often tell which OS the reply is coming from. •Nmap is a program that can be used to perform a port scan. •A firewall can mitigate a port scan. •A port scanner can be used to determine what services are running on a server without logging into the server. •Port scanners usually work by sending different TCP flag combinations to a target and then analyzing the response. •If you need to discover unnecessary services on your corporate LAN, start the discovery with a port scanner.
Third Party App stores
•Preventing access to third party application stores can prevent users from having access to applications on their phones that could compromise the device. •Preventing unnecessary third party applications can also further prevent compromise from unknown factors caused by those applications.
USB Blocking
•Preventing the use of removable media can be a simple way to prevent the loss of data for an organization. •USB ports are commonly found on most modern computers, and USB drives are easily acquirable, so preventing their use will block somebody from taking data from a company laptop.
Protocol Analyzer
•A protocol analyzer is used for monitoring and analyzing data traffic on the network. •Can be used for logging, sniffing and interception, analysis and network monitoring, and troubleshooting. •Can pick up any type of traffic: ICMP, DNS, DHCP, POP3, and SMTP to name a few. •It can be used to determine what flags are set in a TCP/IP handshake. •An example of a protocol analyzer is Wireshark.
Push Notifications
•Push notifications can be used for convenience by the company or user, giving faster access to some amount of information. •A push notification can simply pop up on the locked screen of a phone, giving instant access to certain information. •Certain push notifications can show a small amount of information from a text or email, potentially revealing sensitive information.
Rooting/Jailbreaking
•Rooting/jailbreaking a phone is gaining root access to the operating system on the device. •Root access is admin access. •Scanning any networked devices to check if they have root access is important, because a user with complete control could change any number of configurations.
Aggregation & Correlation
•SIEM systems can aggregate data from many different systems, allowing all information to be consolidated and providing easier monitoring. •SIEM systems can also provide correlation, detecting common attributes and bundling like data together, further increasing the ease of monitoring that data.
Time-sync and event deduplication
•SIEM systems can also synchronize the time of events across many servers, allowing an easily readable. •Without synchronization, it would be difficult to pinpoint when different events on different systems happened relative to each other. •A SIEM system can also remove redundant events for easy readability. Instead of keeping possibly hundreds of logs, only one is kept while noting the number of occurrences.
SNMP
•SNMP (Simple Network Management Protocol) is used in network management systems to monitor devices for conditions that warrant administrative attention. •Runs on port 161. •Allows an administrator to set device traps. •Used to find equipment status and modify configuration and settings on network devices. •SNMP can be used to gather reconnaissance information from a printer. •SNMPv3 is the most secure.
SFTP
•SSH can be used to secure FTP communications. This is called SFTP or Secure File Transfer Protocol. •SFTP uses TCP port 22 because it utilizes SSH to encrypt the traffic. •Is not compatible with the original FTP. •SFTP only requires one channel to use.
SSID
•An SSID (Service Set Identifier) is a name used to identify the particular 802.11 wireless LAN(s) to which a user wants to connect. •The security risk of broadcasting your wireless network SSID is that anyone can see it, and if you are not using a strong enough encryption type, an attacker can find the encryption key and connect to your network. •You should disable the SSID broadcast, or the beacon, if you do not want your wireless network to be automatically discoverable.
Data Sanitization
•Sanitization is the process of removing sensitive information from a document or other medium so that it may be distributed to a broader audience. •Degaussing is the act of magnetically erasing all data on a disk so it may be reused. •Before sending drives away to be destroyed, first encrypt the entire disk, then wipe/sanitize it.
SSH
•Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices such as an administrator computer and a router. •SSH was designed as a replacement for Telnet and other insecure remote shells which send information (notably passwords) in plaintext, leaving them open for interception. •SSH is most commonly used to remotely administer a Unix/Linux system and uses TCP port 22.
SSL
•Secure Sockets Layer (SSL) uses port 443 and is an asymmetric protocol. •SSL uses both public keys and private keys to secure web sites. •The session key in an SSL connection is symmetric. •SSL session keys are encrypted using an asymmetric algorithm. •If you are using SSL to secure a web or VPN server, make sure that port 443 inbound on your firewall is open.
Session Affinity vs Round Robin
•Session affinity remembers each user's session and continues to connect that user to the same server each time. •So if user1 connects to server1, user1 will continue to connect to server1. •Round robin load balancing just assigns each session to the next available server, and continues in sequence. •So if there were three servers, user1 would connect to server1, user2 to server2, user3 to server3, user4 to server1, and so on.
Sideloading
•Sideloading is the process of installing software on a device while bypassing the use of any app store or official means of acquiring an application. •Sideloading can be mitigated by preventing removable media and controlling which networks a mobile device is permitted to connect to.
Signature-based
•Signature-based IDS, the most basic form of IDS, employs a database of signatures/patterns to identify possible attacks and malicious activity. •These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns. •A signature-based monitoring tool depends on receiving regular updates. •With signature-based monitoring, the vendor decides what traffic gets blocked by including specific traffic patterns in the signature files.
Personnel Issues: Social Engineering
•Social engineering is the act of obtaining or attempting to obtain otherwise secure data by using deception and trickery. •Social engineering is an attack that cannot be prevented or deterred solely through technical measures. •The only way to prevent social engineering attacks is to train your users. •Actively attempting to social engineer your users can tell you how many fall for the attacks.
Personnel Issues: Social Media
•Social media is dangerous with regard to confidential information. Information can leave the corporate network and be broadcast to hundreds or thousands of people. •Disabling access to social networking sites while on the company network can help mitigate this issue. •Keeping track of employees' social media accounts is the only way to truly monitor what information is being spread. •Can be an invasion of privacy.
IPCONFIG Switches
•Some IPCONFIG Switches: •/all - Produces a detailed configuration report for all interfaces. •/flushdns - Removes all entries from the DNS name cache. •/displaydns - Displays the contents of the DNS resolver cache. •/release <adapter> - Releases the IP address for a specified interface. •/renew <adapter> - Renews the IP address for a specified interface. /? - Displays this list.
ping switches
•Switches: •-t - PING the specified host until stopped. •-a - Resolve addresses to hostname. •-n count - Number of echo requests to send. •-l size - Send buffer size. •-f - Set Don't Fragment flag in packet (IPv4-only). •-i TTL - Time To Live. •-v TOS - Type of Service (IPv4-only). •-r count - Record route for count hops (IPv4-only). •-s count - Timestamp for count hops (IPv4-only). •-j host-list - Loose source route along host-list (IPv4-only). •-k host-list - Strict source route along host-list (IPv4-only). •-w timeout - Timeout in milliseconds to wait for each reply. •-R - Use routing header to test reverse route also (IPv6-only). •-S srcaddr - Source address to use. •-4 - Force using IPv4. -6 - Force using IPv6.
Spanning Tree
•Switching loops must be avoided because they result in flooding the network. •The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN. •Allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops or the need for manual enabling/disabling of these backup links. •Can be enabled to avoid broadcast storms. •802.1w and 802.1d are IEEE designations for spanning tree. •The MAC address with the lowest number will become the root bridge for 802.1d.
TRACERT
•TRACERT shows the route that an IP packet takes to get from the source to the destination. •Example: tracert www.yahoo.com or tracert 67.195.160.76
Ping
•The PING command is a great utility that can let you know if you are able to communicate with another network device. •However, just because you are unable to PING a device does not always mean you cannot communicate with said device. The device might have a firewall enabled that is configured not to respond to ICMP (PING) requests. •Example: ping www.yahoo.com or ping 67.195.160.76
Trusted Platform Module
•The Trusted Platform Module (TPM) is a chip on a computer's (or tablet's) motherboard that can generate and store encryption keys for various purposes. •TPM can also perform encryption duties instead of relying on software to do the encryption. •For example, Microsoft's BitLocker uses TPM to encrypt the contents of the hard disk.
Cellular
•The cellular network can be utilized by smart phones in order to connect from a huge range of locations. •Limited to areas with cellular towers. •Other devices, not just phones, can access it: •USB dongles for PCs •Some tablets •Wi-Fi hotspots •Usually associated with a data plan/data limit.
S/MIME
•The primary benefit of using S/MIME is that it allows users to send both encrypted and digitally signed emails. •S/MIME allows a user to selectively encrypt email messages at rest.
Remote Wipes
•The remote wipe feature on a smartphone is an excellent way to remove the data stored on the phone if said phone has been stolen or lost. •Allows a company to protect their data on a potentially stolen phone.
Authentication Issues
•Users' accounts can be prevented from being compromised by continually monitoring logs and checking for brute force attacks. •A large number of failed log-ins is an indicator of a brute force attack. •Another issue could be a user failing to remember their password, locking themselves out of their own account. •Having more lenient lockout policies could prevent this, as well as proper password policies. •Forcing the user to contact an admin for account recovery can prevent this from being abused.
File Transfer
•Transferring files between systems can and should be encrypted from end to end to prevent snooping of the data in transit. •Unencrypted file transfers can be captured and possibly modified by a malicious attacker. •Examples of secure file transfer protocols include: •FTPS •SFTP
TLS
•Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet. •TLS is a competitor to SSL and is currently the preferred protocol for securing communications. •TLS is used for encryption between email servers. •TLS has many uses, for example: •TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate. •TLS can encrypt the protocols LDAP, HTTP, and SMTP. •Can be used to create a secure VPN connection through a browser, allowing a VPN connection without requiring the client to download software other than a web browser.
USB OTG
•USB On The Go (OTG) allows other USB devices to connect to a smart phone and pass information between the two devices. •Has the same security issue as removable media. •Allows for the connecting of peripheral devices, which can compromise the security of a smart phone. •Like most removable media, it is best practice to disable it.
Unauthorized Software
•Unauthorized software can compromise a system in many ways, including: •An unknown potential entry point into a system. •A potential source of malware. •Just an unknown and untested possible instability. •Application white/black listing can prevent unauthorized programs from being run and installed. Permission reviews can detect if a user has the rights to install software. •A vulnerability scan could pick up this unauthorized software.
Weak Security Configurations
•Utilizing technologies like WPA2 instead of WEP can provide a more secure network. •Preventing password reuse or short passwords is also critical in securing a system. •Running a vulnerability scanner can detect certain weak configurations, while a tool such as a password cracker can be used on your master password file to see if anything is easily broken.
VPN Concentrators
•VPN concentrators incorporate the most advanced encryption and authentication techniques available. •They are ideally deployed where the requirement is for a single device to handle a very large number of VPN tunnels. •They were specifically developed to address the requirement for a purpose-built, remote-access VPN device.
Virtual IPs
•When many servers are being load balanced, it is possible that a client is not pointing to the physical IP address but a virtual IP address associated with one "server". •Though this virtual server does not actually exist, it represents all servers being load balanced on the back end. •This allows clients to see one IP address, while the load balancer handles which physical IP they connect to.
Split Tunneling
•When split tunneling is enabled, traffic intended for the corporate office is forwarded through the protective tunnel, while other traffic such as web traffic may be forwarded through the local connection in the clear. This may be done to cut down on overhead both for the end user and the corporate office. •When split tunneling is disabled, all traffic will be forwarded to the corporate office through the protective tunnel. This may be done to ensure all traffic from the user is protected by the corporate policy.
Device Containerization
•Whenever an employee is using a smart phone, the issue of data ownership needs to be addressed. •Creating a "container" on the device can separate corporate information from personal information on a device. •The secure container can be remotely wiped should the phone be compromised.
Active or Passive Servers
•While load balancing, servers are in one of two states, active or passive. With those states, you end up with two configurations: •Active-active, where all servers are active and participating in load balancing. •Active-passive, where only some of the servers are actively being load balanced, and others are waiting as backups, or "failovers".
Wi-Fi direct/ad-hoc/Tethering
•Wi-Fi Direct or ad-hoc mode allows wireless devices to connect directly together without requiring a wireless network to work off of. •This can cause the same issue as removable media, but wirelessly. •Tethering is a physical connection between a smart device and a personal computer, for example. This would allow data exfiltration to occur.
Wireless Scanner/Cracker
•Wireless networks have a unique vulnerability in that they cannot be physically constrained to a certain location or medium. •A wireless scanner is a device that can simply scan for a wireless network and record details of that network. Some scanners go a step further and automatically attempt to crack the encryption on weaker wireless networks. •Frequently used in war driving.