- Introduction to Security+ 2008
- 6 domains
- open standard
- derived from a JTA (job task analysis)
- Domains:
- Systems Security
- Network Infrastructure
- Access Control
- Cryptography
- Organizational Security
- OSI Model http://www.freesoft.org/CIE/Topics/15.htm https://secure.cbtnuggets.com/it-training-videos/series/411/4679
- Evaluating Common Security Threats
- Privilege Escalation
- increasing permissions beyond those allowed by the security policy
- Malware
- intentional threats
- unintentional threats
- internal 60%
- external
- Viruses
- primarily spread by email
- polymorphic, can modify to avoid detection
- mutation, can encrypt itself to avoid detection
- stealth, hides by masking itself, fake file size
- retrovirus attacks antivirus software
- multipartite, attacks in multiple ways, common target MS Word
- armored is hard to analyse, covered with protected code
- companion, attaches to programs, games, shareware and changes the extension
- phage, alter and modify other apps and dbs, apps have to be reinstalled
- macro, runs in MS Office apps and runs mini programs
- Worms
- doesn’t need to attach to existing app
- usually consumes resources, doesn’t modify files
- some are only designed to spread
- common payload is to install to a backbone for a DDOS attack
- has 3 parts:
- enabling vulnerability
- propagation mechanism
- payload has an attack using local exploit
- NSP-SEC Response (network service provider security forum incident response team)
- Prepare: resources needed to respond to attacks
- Identify: identify the worm or virus
- Classify: classify the type it is
- Traceback: trace it back to its origin
- React: isolate and repair the affected system
- Document: document the process for future repairs
- Trojan Horses
- Malware that looks desirable like a game, antivirus or device driver
- Love Bug was a good example of a trojan horse virus and a worm propagated using email address book
- System hardening, turn off systems and services you don’t need and turn on ones that help like Firewall or Phishing filters
- Spam can be a DDOS, junk email, safe list (whitelist)
- Rootkits, software exploitation, database, other apps (office, macro), doesn’t show in taskmanager or netstat, exploits the OS, can be a trojan as well
- Botnets, automatic software robots on internet, zombie hosts, installed by worms & trojan horses, controlled by remote server (usually in Windows), uses buffer overflows often
- Logic Bombs, launched when conditions are met. April fools day, 911
- Spyware and Adware
- spyware can take control, monitor, redirect
- collect personal info, surfing habits, redirect browsers to bad sites
- spyware can change configs
- adware auto displays ads and popups
- most adware is legit, some are spyware
- adobe reader, aim, yahoo, mess, smiley, zango, kazaa
- ad-aware and spybot are tools for removal
- browsers have popup blocker settings and filter levels
- Risks to hardware and peripherals
- exploit cpu microcode errors
- USB devices are today’s floppies
- any removable storage
- dvd rw: a virus can write to a dvd buffer called ‘eek’
- cell phones: security protocols WTLS (wireless transport layer security), ECC (Elliptic Curve Cryptography)
- nas: network attached storage
- san: storage area network
- connects to server farms or large data centers using high speed
- DDOS (distributed denial of service) would spread quickly here
- IPSEC solution provides encryption and authentication and data integrity between devices.
- Routers or servers can use IPS (intrusion prevention services) based on signature, pattern matching or anomaly detection.
- Operating System Hardening
- Service Packs and Hotfixes, not all can be rolled back
- Patches and Patch Management
- patch is a small bit of code to fix problems or applications
- updates can be time based or event based (new attack)
- schedule when they happen, weekends, friday night etc
- test the patch in a similar setup
- Change Management, performing the update, tracking the update, testing, documentation, committee, contingency/backout plans for failure, based on the ITIL
- Audit and Assessment, quarterly, audit to make sure the process is being done properly. What systems have to be patched and how often.
- Documentation, surveys, whitepapers, reports, display success and failures
- Group Policy & Security Templates
- Microsoft NT/2000/2003/2008 feature
- Centralized mgmt / config via active directory
- controls: registry, ntfs security, audit and security policy, software installation, scripts, app settings (IE), Use SMS or RIS for installing OSs.
- GP uses Admin & Security Templates
- Create / Edit → Link → Apply. A GPO (group policy object) gets linked to a site, domain or organizational unit; inheritance applies and you can block it too and apply without
- Policies might be account lock policy, security policy, computer policy, user policy
- All stored in Active Directory database
- Configuration Baselines
- Application Security
- Active X, Authenticode uses certs, require confirmation for download using Authenticode
- JAVA, from SUN, can allow attackers to exploit unsafe applets, solutions include blocking java applets at the firewall using IDS and IPS, intrusion detection services and intrusion protection services, application firewalls can keep these applets from running. Manually disable in IE under Security tab / custom level
- Scripting, small chunks of code that deliver functionality, cgi scripts can be problematic, javascript is more secure, JS can’t read/write files, interact with other pages in the same frameset from same site, JS can’t access cookies.
- Cookies
- XSS, cross site scripting, over 80% of documented security vulnerabilities. Allows code injection into web pages, also used for phishing attacks and browser exploits; the attack is often transparent to the user. XSS is written in several languages; many XSS attacks since the 1990s. Three kinds of XSS: DOM-based (type 0), non-persistent (type 1, most common, data is provided by a web client and is used by server side scripts to place bad code in the results page), persistent (type 2, when data is offered by a user and is stored on a server and is later displayed on a web page). Prevent by: eliminating all scripts or on a domain basis. Input validation on forms prevents SQL injection; cookie security can tie the session cookie to the IP of the user
- Buffer Overflows, DOS (denial of service), 2nd most common attack, app receives more data than expected, program terminates or writes beyond its memory addresses, may leave system vulnerable, could be innocently from program errors or it could be from malicious code, Code Red and SQL Slammer worms are examples
- SMTP Open Relays: SMTP email server that permits third party relay of email messages, AKA insecure relay or third party relay, malicious senders can send large volumes of spam, server owner who misconfigures is often unaware, can lead to system crashes, equipment damage and loss of business, M.A.P.S (mail abuse prevention system blacklist) is now owned by TrendMicro
- P2P File Sharing, morpheus, kazaa, emule, bittorrent, takes bandwidth, copyright issues, adware, spyware, viruses
- Instant Messaging, can reduce productivity, clear-text, send files, gets around policies, view webcam, has additional applets that can be vulnerable, if company uses IPSEC to encrypt data that can be more safe, can be picked up with wireless users, uses specific TCP and UDP ports
- Email Phishing: mimic companies websites like paypal, ebay, facebook to get confidential data, check the url that is supposed to be the real site, spear phishing appears to come from someone you know like your employer
- Implementing Security Applications
- HIDS/HIPS, host based intrusion detection and prevention systems.
- IDS (reactive), analyzes copies of the data, doesn’t affect throughput, will allow some mal traffic into nets/systems, needs up to date signatures.
- IPS (proactive), inline solution monitors Layer 2 through 7, must be able to handle network traffic, stops malicious traffic from entering nets/ systems, needs up to date signatures.
- ISO OSI Model:
- 7-application, dns smtp
- 6-presentation, translation to ascii text, encryption
- 5-session, allow ftp, multiple browsers, IM, telnet, remote desktop working together
- 4-transport, TCP and UDP operate
- 3-network, routed protocols
- 2-data link, nics, frame relay
- 1-physical, turns into zeros and ones, encoding
- Host Based solution is installed on target laptops, known as Defense in Depth or Layered Solution
- HIPS characteristics
- software installed on hosts, not hw
- audits log files, file systems, resources
- provides individual host detection (HIDS) / prevention (HIPS)
- can be centrally managed (cisco MARS, NAC, NAP)
- stop attacks in real time, anomaly detection
- some HIPS combine best features of A/V, personal FW, and App FWs (doing deep application inspection) in one. cisco CSA (cisco security agent) can do this.
- Policy groups define your policies for different groups, HIPS intercepts operating system and application calls
- HIPS is both signature based and signature based
- Personal Firewalls: zone alarm, HIPS, mcafee, norton protection center, microsoft live one care. You can block at application level, port, protocol level & network connections
- Anti-Virus, quarantine, schedule updates, scans, exclude files, virus definition file
- Anti-Spam
- Anti-Spyware & Popup blockers, phishing settings are in advanced tab of Internet Options in IE
- Network Infrastructure Attacks (Part 1)
- Legacy Protocols, old unix programs, telnet should use ssh instead which encrypts creating a vpn, https => SSL/TLS cert based, get rid of NTP, instead use NTP.V3, SNMP, instead use SNMP.V3 using 3DES and AES encryption, disable protocols and services not used in OSs, routers and other HW devices.
- TCP/IP Hijacking: is a type of Session Hijacking. Scripts can create IP sequence numbers to help with hijacking.
- Null Sessions: windows biggest vulnerability, SMB (server message block) communication for file/print sharing, gives the mal user the ability to connect to unsecured IPC$ share (net use), once established, many tools can be used. windows xp, vista, 2003, 2008 are safe, unpatched NT4 & 2000 machines are rampant, need most recent updates or upgrade
- Spoofing: can occur at different network layers. ARP at layer 2 (address resolution protocol) bad mac address, IP at layer 3, uses a false source address (mac at layer 2 or ip at layer 3) to hide identity, spoofing mac addresses lets you create rogue dhcp servers or rogue wireless access points. DNS service servers can get unrequested replies that cache bad information that get applied to valid requests for DNS. RFC 1918 allocates private address space. 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255.
- Man in the middle: attacker is between client and server (two network communicating devices), sometimes a switch or router, most try to impersonate the server
- replay: when attacker captures data with a packet sniffer, retransmits for malicious purposes, credentials, financial data, privacy data, CHAPv2 protocol will mitigate and so will IPSEC implementation
- DOS and DDOS (Availability attacks): action against availability, failure of systems and services, includes botnets, DOS, DDOS, TCP SYN & ICMP Floods etc. Botnets are often put on free hosting and fast university networks. They aim to overwhelm servers and bandwidth. DDOS use Handler systems to find other Agent systems that are loaded with the attack software. DOS Flood Attacks: TCP SYN flood starts a tcp 3 way handshake and keeps flooding as the server tries to respond. The handshake never completes. Limit the number of half open sessions. Use firewall services. Source address is typically spoofed or forged. ICMP is used often for diagnostic tools and is used for attacks like the Ping of Death: ICMP fragments are too large and bring down the server or router, ICMP fragmentation: fills up reassembly buffers on servers or routers, Smurf attack: uses spoofed broadcast ping to get a huge number of responses. The ping will exploit the echo request packets directed at IP broadcast addresses from remote sites.
- Network Infrastructure Attacks (Part 2)
- Domain Name Kiting: coined by Bob Parsons of Godaddy.com, scam involving a few domain name registrars who purchase many well indexed expired domains. Temporary web sites host these domains loaded with paid ad links via search engines, domains are then dropped before 5 day grace periods, domains are perpetually trapped in scheme and unavailable to the public, ICANN presently allows this practice.
- DNS Poisoning: DNS works at the application level. Problem since early days of DNS. A.K.A DNS Cache poisoning, poisons with data w/ non-authoritative origins. DNS Poisoning can be unintentional like from a misconfigured DNS server or buggy code. Malicious users poison a DNS with their IP and reroute you to their malicious site.
- Redirecting NS (name service) of attacking domain to target
- Redirecting NS of another unrelated Domain
- DNS Forgery, beats the real response before the legitimate server can, can use DNSSEC to add certs to DNS in Active Directory
- Pharming is a related vulnerability. Done by exploiting DNS vulnerabilities or by changing the client’s ‘hosts’ file. A hacker redirects traffic to a bogus website.
- ARP Poisoning:
- How ARP works: Computer A asks who has this IP address. Computer B says I have that IP and here is my MAC address additionally. The switch in between them stores it in its CAM table.
- With Reverse ARP, Computer A says who has this MAC address. Computer B says I have that MAC and here is my IP additionally.
- Some devices accept ARP replies without a request allowing a switch, client or server to be poisoned. CAM tables get flooded with a ton of entries.
- ARP operates at level 2 and 3 of the OSI model, you can poison the ARP Cache on a server or workstation, you can poison the CAM tables on switches, you can poison routing tables that have dynamic routing protocols like RIPv2 and OSPF.
- Poisons memory buffers (layer 2 MAC addresses).
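The ARP poisoning symptoms noted above (replies accepted without a request, and a cache entry being overwritten), as an added Python example that is not part of the original notes. It is a passive monitor run over constructed events; the class names, the 2-second reply window and all addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    ts: float          # capture time, seconds
    op: str            # "request" (who-has) or "reply" (is-at)
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    """Passive watcher for two symptoms: replies nobody asked for, and an
    IP address that suddenly maps to a different MAC."""

    def __init__(self, reply_window=2.0):
        self.reply_window = reply_window  # assumed max request-to-reply delay
        self.bindings = {}   # ip -> first MAC seen (a seeded static table is stronger)
        self.pending = {}    # requested ip -> time of the outstanding request
        self.alerts = []     # (ts, kind, ip, detail)

    def observe(self, ev):
        if ev.op == "request":
            self.pending[ev.target_ip] = ev.ts
        elif ev.op == "reply":
            # Solicited only if it answers a recent request that is still open.
            asked_at = self.pending.pop(ev.sender_ip, None)
            if asked_at is None or ev.ts - asked_at > self.reply_window:
                self.alerts.append(
                    (ev.ts, "unsolicited-reply", ev.sender_ip, ev.sender_mac))
        else:
            raise ValueError(f"unknown ARP op: {ev.op!r}")
        self._check_binding(ev)

    def _check_binding(self, ev):
        known = self.bindings.get(ev.sender_ip)
        if known is None:
            self.bindings[ev.sender_ip] = ev.sender_mac
        elif known != ev.sender_mac:
            # Keep the old binding: the change is reported, not trusted.
            self.alerts.append(
                (ev.ts, "binding-changed", ev.sender_ip,
                 f"{known} -> {ev.sender_mac}"))


# Constructed sample traffic (not a real capture).
HOST_MAC = "00:11:22:33:44:05"
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_EVENTS = [
    ArpEvent(0.0, "request", "10.0.0.5", HOST_MAC, "10.0.0.1"),
    ArpEvent(0.1, "reply", "10.0.0.1", GATEWAY_MAC, "10.0.0.5"),
    # No request outstanding, and the gateway IP now claims another MAC.
    ArpEvent(5.0, "reply", "10.0.0.1", "02:00:00:00:00:66", "10.0.0.5"),
    ArpEvent(6.0, "request", "10.0.0.5", HOST_MAC, "10.0.0.9"),
    ArpEvent(6.05, "reply", "10.0.0.9", "00:11:22:33:44:09", "10.0.0.5"),
    # Answer arrives long after the request: treated as unsolicited.
    ArpEvent(10.0, "request", "10.0.0.5", HOST_MAC, "10.0.0.7"),
    ArpEvent(14.0, "reply", "10.0.0.7", "00:11:22:33:44:07", "10.0.0.5"),
]


def run(events):
    monitor = ArpMonitor()
    for ev in events:
        monitor.observe(ev)
    return monitor


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS).alerts:
        print(alert)
```

Learning the first MAC seen is only as good as the moment the monitor starts; seeding `bindings` from a known-good inventory removes that weakness.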
- MAC Address Flood: port security commands limit the number of MAC addresses on a port.
- VLANs: Virtual Local Area Networks, configure ports to a subnet/broadcast domain. You can hop from one VLAN to another.
- Spoofing: masquerading the DHCP protocol, STP (spanning tree protocols) which provides loop prevention on those switches, MACOF, ARP
- DHCP snooping: listen to ports and only allow DHCP servers on specific ports, thereby limiting rogue dhcp servers. DHCP has a field in the header that is 8 bits with 255 options that can be changed and spoofed (what domain, wins server, mail server).
- Telnet sends clear text, use SSH VPN instead with Putty or Teraterm
- Bad: sniffing, spoofing, Good: snooping
- HTTP GUI to manage switches for example, need HTTPS
- Switches operate at layer 2
- Weak Passwords: 10 or greater chars, uppercase, lowercase, numbers and symbols. Account locked after 3 or 5 times failure, password history so you can’t reuse passwords for x new passwords. Use mnemonic to memorize a passphrase.
- Back Doors: programs: SubSeven, Back Orifice, NetBus, Master Paradise. Programs allowing unauth remote access to system, attacker can steal, damage, escalate or deploy other programs like DDOS or logic bomb...etc. Backdoors are often planted via Trojan Horses, freeware and shareware, phishing and pharming. Need up to date anti-virus / anti-spyware apps. Multiple levels of programs. They can also be code that is written into a program that allows the compromise.
- Default Accounts: Disable Wireless lan accounts or change the name and password used. Disable Guest accounts and any predefined user accounts. Administrator account: don’t share the admin account. Should work as a basic user and only RUN AS administrator as needed.
- Network Design Elements and Components
- DMZ: Demilitarized Zones (aka Screened Subnets or Security Zones), has servers on the perimeter of your network for public servers, HTTP, SMTP, DNS, Ecommerce and FTP servers in their own security zone, protected by a firewall. You typically have limited access from inside hosts being able to manage them. They are being exposed to the internet or extranet partners. It’s typically for the untrusted network (internet). You can setup a Private Zone, Public Zone and DMZ. Some use ZFW, zone based firewalls. They can prevent traffic from unsafe protocols like http, imap, pop3, esmtp, rpc, peer to peer file sharing, Instant messengers.
- 3 armed firewall used in small to medium sized businesses, goes into a single firewall appliance with a Public arm, Private arm and DMZ. You can make multiple zones in the DMZ in their own VLAN or Private VLAN which prevents communicating or limited to certain rules.
- Medium to Enterprise size business go further with something like a Screened Subnet which has a perimeter router with access control filters and security, then a firewall, then a switch (layer 2 or layer 3) that feeds the DMZ and then another firewall which feeds your inside corporate network.
- VLANS: Virtual LAN. A VLAN is the capability on a layer 2 switch to create a virtual or simulated network or subnetwork in the same way that routers do. They can all be a member of the same broadcast domain.
- NAT: Network Address Translation, allows us to hide internal IP addresses from outside network. PAT (port address translation) translates internal IP/port data to “sockets” that go out over the external network. This way the NAT device knows what IP/port to reply to by linking IP packets to each socket. This allows many internal IPs to be mapped to a single external IP address. NAT is not a security mechanism.
- NAC: Network Admission Control, sponsored by CISCO, Microsoft has NAP (NAC-NAP), enforces policy compliance on all devices using servers and agents running on trusted endpoint devices, part of defense-in-depth/layered security, works to proactively defend against malware attacks enforcing security compliance.
- Telephony: VOIP (voice over IP), phone conversations sharing wired & wireless media, leveraging inexpensive channels over the untrusted internet, VOIP introduces over 175 unique vulnerabilities to AVAYA, CISCO & Nortel, Attacker using variety of attack methods up and down TCP/IP stack ( app, transport, internet, physical)
- Network Security Tools
- NIDS/NIPS:
- Network Intrusion Detection Systems, detect and alert but allow traffic through
- Network Intrusion Prevention Systems, detect and alert inline and prevent traffic through, provides detailed traffic inspection in real time. Signature based compares against a known database. Anomaly based looks for changes in network characteristics like change in traffic patterns.
- An NIPS can:
- Deny attackers based on IP
- Deny attacker services based on port/protocols
- Isolate a Victim and then can deny traffic from the victim to prevent DDOS
- Deny connections
- Deny individual packets
- Do logging of attacker packets, victims packets
- Modify packets on the fly
- Produce alerts to management software
- Produce verbose alerts (memory dump)
- Create requests to block connections and individual hosts
- Rate limiting, throttling of bandwidth for a channel to stop a DOS
- Request SNMP trap information
- Reset TCP connections
- FW (Firewalls): HW and/or SW solution to enforce network access security policy, modern FWs do: access controls, terminate vpn tunnels and vpn services (IPSEC), QoS (with rate limiting) and redundancy - even IDS/IPS (intrusion detection/prevention) for total C.I.A (confidentiality, integrity, availability). The first step towards defense-in-depth even for hosts, hardware zone-based FW’s are superior because software based depends on the OS which adds vulnerabilities. Some models provide multiple virtual firewalls (security contexts). This allows you to have a firewall for a DMZ and each security zone can be managed with separate firewalls. If you are an ISP you can have each customer have a security context.
- Honeypots: A trap to deflect, detect and counteract attacks, typically a computer, subnet, data or site which is isolated, unprotected (various degrees) & logged, for surveys, early-warning of attacks, capturing, trapping, some are designed to counteract spam for example, honeyd can simulate a large network on one host. Honeynet connects Honeypots, Collection of Honeypot tools is a Honeyfarm
- Proxy Servers: Gateway or Intermediary device between networks to provide a variety of services, Firewall proxies intercept all packets and reprocess them, NAT is a form of a Proxy Service because it represents a public IP and does translation to private addresses. Web Server Proxies and other Application are gateways and can provide translation services. Web Proxies can serve as a gateway for translation of XML for business servers, caching of web pages for internal users for performance, filtering and inspection for policy enforcement (no bad web sites) or apps like P2P file sharing. Operates at several layers of the OSI model.
- Protocol Analyzers: Monitor networks for capacity planning, growth, optimization, adherence to security policies and file transfer policies, and for security, but they are also a security vulnerability. Task Manager is a basic Protocol Analyzer. Wireshark is a free analyzer for wired and AiroPeek for wireless. Can show from layer 1 all the way to the application layer. These are also called packet sniffers, so they can be a vulnerability if someone installs one.
- Penetration Testing: Is more of a process. Used for evaluating security, doing risk assessment and risk management. It’s part of the auditing process and part of the initial process of creating a security policy to see where you have risks and are vulnerable. Checks to see if your Defense-in-depth is sufficient. White hat hackers or crackers probe the security of systems. Vigorously attempts to breach system. They think like hackers and provide a regular auditing assessment of the organization’s state.
- Wireless Network Security
- Weak Encryption = WEP (wired equivalent privacy), early standard of authentication was Open System that let anyone connect. Shared Key is where you put in a password on your laptop and the admin puts in one on the wireless point (WEP key). WEP is nowhere near as secure as ethernet. The encryption uses RC4 which is good. WPA is better because it has per user/per frame keying (generated password for each), sequence counters, larger initialization vectors. WPA uses 48 bit IV. TKIP message integrity code (MIC) checks integrity of frame. WPA2 is the new standard using 802.11i (RSNA, robust security network associations)
- SSID Broadcast: is like a workgroup name. Change it to a unique name and don’t broadcast it. AiroPeek can find out hidden SSIDs. 802.11g is one of the best choices for profile.
- 802.1x authentication: sits on top of ethernet and 802.11 wireless. Can work for wired and wireless environment. Wireless router sends credentials from a laptop to a “radius” server for authentication. In your wireless router you can add Firewall rules. Can also authenticate with MAC Addresses
- MAC Filtering: Allows you to set a wireless router to ONLY allow a list of specific MAC addresses. This is not secure because MAC addresses can be spoofed.
- Rogue Access Points: is any device that is unauthorized.
- WAR Driving: WAR Driving with AiroPeek software shows people with no authentication, people with WEP and default SSIDs or weak WEP keys like SSID or company name. WAR Chalking puts symbols to tell people the SSID and other credentials.
- Blue Jacking: Sending unwanted spam messages over Bluetooth. PAN (personal area network). Uses Bluetooth OBEX protocol. Typically harmless guerilla marketing but now becoming vulnerable to trojan horses. Bluesnarfing is illegal hacking of a mobile phone.
- BlueSnorting: is a free open source NIDS/NIPS for packet logging of bluetooth wireless.
- Access Control (Part 1)
- Subjects: users, systems, applications and they access objects.
- Objects: data, peripheral devices, files
- Best Practices
- Defence-in-Depth
- Attack Surface, minimize and understand all physical, logical, electronic points of entry and exit
- Least Privilege, only giving required privileges. Add privileges granularly as needed. Limit web page functionality by user or group.
- Implicit Deny, all access is denied by default.
- Separation of Duties: only certain people have certain permissions and get jobs rotated.
- Job Rotation
- Access Control Models
- MAC: Mandatory Access Control. Predefined file permission on server managed by admins. Good for military. Subjects get a clearance label, objects get a classification label and they get mapped.
- DAC: Discretionary Access Control. Allows an object owner to grant access to other users and applications. Is vulnerable to trojan horses. Labels are not mandatory.
- RBAC, Role Based Access Control: Combination of MAC and DAC
- Can simulate both MAC and DAC
- Roles are created for various job functions and then permissions are assigned for the roles
- Permissions are assigned to roles
- Users are not assigned access directly
- RBAC is not an ACL method! It’s a whole different application. This is saying “What can people do”. This person has the role of doing this particular action to a medical record.
- Introduces Role Hierarchy and constraints. A constraint places a restrictive role on inheritance of permissions from opposing roles. You create formulas
- S (subject: person, system, service), can have more than one role
- R (role, job function or job title), can have multiple subjects and permissions
- P (permissions: approvals of certain type of access to an object or resource), can be assigned to many roles
- SE (session is a mapping of a subject, role or permission)
- SA: subject assignment
- PA: permission assignment
- RBAC is considered an industry best practice
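The RBAC pieces listed above (subjects, roles, permissions, SA, PA, sessions, role hierarchy and constraints on opposing roles), as an added Python example that is not part of the original notes. The clinic roles, permission strings and class names are constructed, and the constraint is modelled as "one subject may not hold both opposing roles, directly or through inheritance".

```python
class ConstraintViolation(Exception):
    """Raised when an assignment would give one subject two opposing roles."""


class RBAC:
    def __init__(self):
        self.pa = {}        # PA: role -> permissions assigned directly to it
        self.juniors = {}   # role hierarchy: role -> roles it inherits from
        self.sa = {}        # SA: subject -> roles assigned to it
        self.opposing = []  # constraints: pairs of opposing roles

    def add_role(self, role, permissions=(), inherits=()):
        self.pa[role] = set(permissions)
        self.juniors[role] = set(inherits)

    def add_constraint(self, role_a, role_b):
        self.opposing.append(frozenset((role_a, role_b)))

    def closure(self, roles):
        """The given roles plus everything they inherit (cycle-safe)."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])  # KeyError on unknown role
        return seen

    def assign(self, subject, role):
        held = self.closure(self.sa.get(subject, set()) | {role})
        for pair in self.opposing:
            if len(pair) == 2 and pair <= held:
                raise ConstraintViolation(
                    f"{subject}: {' and '.join(sorted(pair))} are opposing roles")
        self.sa.setdefault(subject, set()).add(role)

    def open_session(self, subject, active_roles):
        """SE: a subject activates some of the roles assigned to it."""
        active = frozenset(active_roles)
        if not active <= self.sa.get(subject, set()):
            raise PermissionError(f"{subject} is not assigned {sorted(active)}")
        return subject, active

    def check(self, session, permission):
        # Users never hold permissions directly; anything not granted
        # through an active role (or a role it inherits) is denied.
        _, active = session
        return any(permission in self.pa[r] for r in self.closure(active))


def build_clinic():
    """Constructed policy around a medical record."""
    rbac = RBAC()
    rbac.add_role("nurse", {"record:read"})
    rbac.add_role("physician", {"record:write", "rx:prescribe"}, inherits={"nurse"})
    rbac.add_role("chief_physician", {"record:audit"}, inherits={"physician"})
    rbac.add_role("pharmacist", {"rx:dispense"})
    rbac.add_constraint("physician", "pharmacist")  # prescribe vs dispense
    return rbac


def try_assign(rbac, subject, role):
    """Return True if the assignment was accepted, False if a constraint blocked it."""
    try:
        rbac.assign(subject, role)
        return True
    except ConstraintViolation:
        return False


if __name__ == "__main__":
    clinic = build_clinic()
    print(try_assign(clinic, "alice", "physician"))
    print(try_assign(clinic, "alice", "pharmacist"))
    session = clinic.open_session("alice", {"physician"})
    print(clinic.check(session, "record:read"), clinic.check(session, "rx:dispense"))
```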
- Rule Based Access Control
- Doesn’t use RBAC acronym
- A combo form of MAC and DAC
- Access to resources is based on administratively defined rules. Only admins define rules.
- Access properties are stored in ACL’s (access control lists) that have rules contained in them.
- Like MAC, users can’t change access controls, only system admins can
- Applying Access Controls, they can be applied on a domain by domain basis using built-in accounts or admin defined. Then groups like Domain Users can be nested in a Universal group, then a Domain Local group.
- Access Control List is simply a list of permissions attached to an object and then assigned to a user. ACLs can be used on firewalls, routers and multi layer switches to control access. They can filter out IP address or entire networks, tcp/udp applications
- Logical Access Controls
- Authentication Models
- Single Factor is something you know or something you have. Enter a username/password or a PIN number. If you have a badge you flash that’s single factor.
- Two Factor: combines something you know with something you have, or something you have with something you are.
- something you know. PIN number
- something you have. ATM card, smart card
- Three Factor
- something you know. PIN number
- something you have. ATM card, smart card or smart token
- something you are. biometrics, facial scan, fingerprint scan, iris scan
- Single Sign On allows you to sign on one time, be granted a “ticket” and get access to everything you should be able to get to.
- Access Control (Part 2)
- Authentication Components and Protocols: protocol is run on servers to create centralization of access management between authenticating devices and another resource. They can store their info on back end databases. These control access from Switches, Firewalls, Routers and NAS. TACACS+
- RADIUS: Uses UDP. Everyone supports RADIUS. RADIUS is used by Microsoft and encrypts just the password. Used by Microsoft’s IAS “internet authentication service”. Uses Unidirectional CHAP (Challenge Handshake Authentication Protocol). Has better accounting features for hot spots to track timed usage like if you are paying for an hour of usage. A RADIUS accounting server is a good choice. RADIUS is more often used with 802.1x IEEE
- TACACS+: Uses TCP. TACACS+ is more secure encrypting the entire communication and is used with 802.1x IEEE. Separates the Authentication and Authorization features. The Authorization server can provide access to objects, systems, services and applications. Uses Bidirectional CHAP (Challenge Handshake Authentication Protocol), authenticating the network device and the TACACS+ server.
- 802.1x + EAP(extensible authentication protocols): Has port based Access Control. Works on top of 802.3 for a switch or 802.11 for a WAP. Laptop is called supplicant and sends a request to get on the network by authenticators like a Switch that forwards the request to a RADIUS/TACACS server.
- EAP-TLS will let you use certificates and public key infrastructure technique.
- RRAS: Routing and Remote Access. Combines hardware and Software running on a server to allow users remote access. Supports Dialup networks, VPN using PPTP/MPPE (tunneling/encryption) or VPN using L2TP/IPSEC
- LDAP: Lightweight Directory Access Protocol
- KERBEROS: Runs on Active Directory, KDC (key distribution center), TGS (ticket granting server). As users log into the RRAS server it talks over LDAP protocol to the Active Directory server and tickets are used to prove the user’s identity. It can also serve as a Single Sign On solution because they get granted tickets for each server, app, partition, os they need access to. Kerberos is built on “symmetric key cryptography” PKI.
- Policies are network and connectivity settings for users: time of day they can log on, for how long, filtering of IP/TCP/UDP.
- PAP: Password Authentication Protocol. Sent in clear text.
- CHAP: Challenge Handshake Authentication Protocol. Very popular and works with ppp. One way hash is done against password and is sent to the network access server. Provides protection against playback attacks. Microsoft has MS-CHAP, and CHAP has CHAPv2. CHAPv2 has the ability to authenticate the server too.
- EAP: Extensible Authentication Protocol used in 802.1X
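The CHAP exchange noted above (a one-way hash sent to the network access server, protecting against playback), as an added Python example that is not part of the original notes. It follows RFC 1994, where the response is MD5 over the identifier, the shared secret and the challenge; the class name, user name and secret are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The network access server side: issues challenges, checks responses."""

    def __init__(self, secrets_by_user):
        self.secrets = secrets_by_user
        self.next_id = 0
        self.outstanding = {}  # identifier -> challenge still waiting for an answer

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # identifier is one octet
        value = os.urandom(16)                    # fresh and unpredictable each time
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, user, identifier, response):
        # Each challenge can be answered once; pop() retires it.
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(user)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-shared-secret"   # sample value, never sent on the wire
    nas = Authenticator({"alice": secret})

    ident, value = nas.challenge()
    response = chap_response(ident, secret, value)
    first_login = nas.verify("alice", ident, response)

    # A captured response is useless afterwards: the old challenge is
    # retired, and a new challenge produces a different expected hash.
    replay_same_challenge = nas.verify("alice", ident, response)
    ident2, _ = nas.challenge()
    replay_new_challenge = nas.verify("alice", ident2, response)
    return first_login, replay_same_challenge, replay_new_challenge


if __name__ == "__main__":
    print(demo())
```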
- VPN extends your network to a larger network. Could be someone dialing up or over an external network.
- Identification vs Authentication: Identification can be done on two endpoint devices with a shared user name/id, system name or router name. Authentication is about challenging the claim by who provided the identification which might use Fingerprint, Facial or Iris scans.
- Physical Access Security Methods
- Access logs/lists
- Hardware Locks on workstations and laptops, lock USB ports with software locks. Use the fingerprint scanner on the pc.
- ID Badges can have tokens like RFID you can pass in front of a sensor
- Door Access Systems, Fail secure locks when power goes out. Fail safe lock unlocks when power fails. Can add biometric sensors with locks.
- Man-Trap, 2 door system
- Video Surveillance, cameras to watch. Keep aware of diversion techniques and piggybacking.
- Assessments and Audits (Part 1)
- Risk Assessment
- Key component of security strategy (threat analysis comes first)
- Includes process of anticipating risk
- Will govern steps to take in addressing vulnerabilities and threats
- Asset ID & Valuation → Risk (threat/vulnerability) → Controls & Counter Measures → Evaluation Auditing → Action Plan → Residual Risk → (back to Asset ID & Evaluation)
- Controls include kerberos, authentication systems, physical security, vpns
- Counter measures include intrusion detection, intrusion prevention, firewalls, honeypots
- Evaluation includes evaluating the effectiveness by doing some pilot testing and staging and auditing of the counter measures and controls on our existing security posture
- Action Plan: decides what needs to be purchased or configured.
- Residual Risk: the risk you are willing to accept or get insurance for
- Qualifying Risk:
- Exposure Factor is a % that indicates how much damage an incident can cause on a specific asset. You have to do it for each asset.
- Annualized Rate of Occurrence is how often an incident occurs per year, based on information gathering statistics, historical data, case studies or information from insurance companies.
- Asset Value x Exposure Factor (EF) = Single Loss Expectancy (SLE)
- SLE x Annualized Rate of Occurrence (ARO) = Annual Loss Expectancy (ALE)
- Assign risk levels from 5 (high) down to 2 (low) and 1 (none); used for logical assets, goodwill, formulas, intellectual property.
- Defining Risks
- Origin: is the risk an internal structured attack or internal unstructured (an accident, poor planning, lack of enforcement of security policies), or is it an external structured attack or just a bot working our perimeter routers? Hostile employees, consultants, people not properly trained. Is your risk being defined by HIPAA or Sarbanes Oxley?
- Activity or Event: Somebody stealing confidential data, power failures, DOS attacks
- Consequences: results, impacts, unavailability of ecommerce servers, losing market share, having legal authorities coming into your facility, reduction of good will
- Specific Causes: Floods, human error, design error, hurricanes, human intervention, failure to plan.
- Lack of Protective Mechanisms: no firewall, no security suites on laptops
- Time and Place: Are you in the wrong place at the wrong time, vulnerable to environmental disasters.
- Major Risk Management Strategies
- Accept the risk: we have valued our assets and a specific risk is too expensive to address
- Mitigate the risk: spend the money and time on people, physical security, controls and counter measures (IDS, IPS, VPN, IPSEC internal and external solution, CIA, FWs, ACLs, honeypot)
- Transfer the risk: if we have an incident we will charge more and pass it to the customer or insure the risk
- Cease and Desist: stop doing whatever causes the risk
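The SLE and ALE formulas above carried through a small risk register, as an added example that is not part of the original notes. Asset values, exposure factors, occurrence rates and control costs are constructed, and the cost/benefit rule (ALE before, minus ALE after, minus the annual cost of the control) is an assumption used here to choose between mitigating and accepting or transferring a risk.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float       # value of the asset
    exposure_factor: float   # EF: fraction of the asset lost per incident (0..1)
    aro: float               # Annualized Rate of Occurrence (incidents per year)

    @property
    def sle(self):
        """Single Loss Expectancy = Asset Value x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    ef_after: float          # exposure factor once the control is in place
    aro_after: float         # occurrence rate once the control is in place


def evaluate(risk, control):
    """Compare the loss avoided by a control with what the control costs."""
    residual = Risk(risk.asset, risk.asset_value, control.ef_after, control.aro_after)
    net_benefit = risk.ale - residual.ale - control.annual_cost
    return {
        "asset": risk.asset,
        "sle": risk.sle,
        "ale_before": risk.ale,
        "ale_after": residual.ale,       # residual risk that remains
        "net_benefit": net_benefit,
        "strategy": "mitigate" if net_benefit > 0 else "accept or transfer",
    }


# Constructed register: (risk, proposed control)
CASES = [
    (Risk("laptop fleet", 40_000, 0.5, 0.125),
     Control("tracking service", 5_000, 0.5, 0.0625)),
    (Risk("e-commerce web server", 100_000, 0.25, 2.0),
     Control("IPS in front of the server", 12_000, 0.25, 0.5)),
]


def report():
    """Evaluate every case, highest annual loss first."""
    rows = [evaluate(risk, control) for risk, control in CASES]
    return sorted(rows, key=lambda row: row["ale_before"], reverse=True)


if __name__ == "__main__":
    for row in report():
        print(row)
```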
- Vulnerability Assessment: is done after you have a prepared team of people with a knowledge of threats. Get information about known vulnerabilities.
- Port scanners: nmap, shows ports used and open, nmap.org, insecure.org
- Ping scanners (net mapping)
- Protocol Analyzers
- Password Crackers
- OVAL - Open Vulnerability Assessment Software: sponsored by NCSD (national cyber security division of homeland security) and provides its content to US-CERT and others. It is a common language to look for vulnerabilities. Provides formats in XML and SQL. Provides baseline CVE (common vulnerabilities and exposures). Characteristics include: OS, software apps, registry settings, config files, file system attributes and more. So you want OVAL compliant tools so you are standardized.
- Wireless Analyzers
- Mitigation: Controls and Countermeasures:
- Technical: Access control mechanisms, identification schemes, authentication mechanisms, encryption, intrusion detection software.
- Non-Technical: Operational controls (written security policies), policies and procedures, best practices, operational procedures, personal security, physical security and environmental security.
- Preventative Controls: stops attempts to violate security policy C.I.A.
- Detective Controls: IDS, IPS, Alerts, Auditing, checksums at layer 2,3,4 of OSI model
- Corrective Controls: after the fact, Incident management, remediate vulnerabilities, backup procedures, IPS that works with firewalls to block ports and processes.
- Compensatory: they compensate for increased risk by adding additional control steps to mitigate risk. You might add a challenge / response to weak access controls. You might add another factor to authentication: go from single to two factor, or add a third factor.
- Deterrent: things to deter hackers. Offering a reward to identify hackers.
- Penetration Testing Overview: evaluates the security of an organization, a server or a service
- Evaluating security by simulating an attack
- Proactive analysis for vulnerabilities
- Determines feasibility of attack and BIA (business impact analysis), what would be the impact.
- Leads to GAP analysis then Action plan, finds gaps / holes in security. Penetration testing and Security gap analysis are part of a full blown audit process.
- Black Box vs. White Box Penetration, black box has no prior knowledge of the system, white box has all the infrastructure data.
- Full Disclosure: you know the services available and the entire configuration. Partial: you know what the services / apps and security policy are but not configuration specifics. Blind Tests.
- OSSTMM (open source security testing methodology manual)
- NIST (National Institute of Standards and Technology). OSSTMM is more comprehensive.
- ISSAF (Information system security assessment framework)
- Assessments and Audits (Part 2)
- Monitoring and Analysis Tools: AiroPeek, iNetTools, can be used as an attack if you run continuous ping. Ping Scan scans an address range for information gathering and risk assessment. Trace Route shows the hops through the network. DNS Lookup, Name to IP Scan, Name lookup. Port scan shows what ports are open on TCP/UDP ports. Service scanning looks for services by port. Finger (name protocol) uses TCP port 79 to show if a user is logged on, email address, files in users home dir. Finger is very insecure as shown by the Morris Worm. Whois shows who owns a domain name. Throughput shows speed of data on network.
- Certificate templates, shows all templates and security templates that can be used for certificate services using PKI
- Event Viewer
- Security log has success audits
- IAS (radius server)
- IP Security Monitor Tool to view IPSEC VPN traffic
- Performance Logs and Alerts
- Routing and Remote Access for Dialup access
- Security Configuration and Analysis tools
- Security Templates, predefined domain security template
- Wireless Monitor
- Reliability and Performance Monitor: shows reliability and availability for hardware, app, windows and misc failures.
- Windows Firewall: Monitoring of domain profile, private profile, public profile, log location.
- IDS (intrusion detection systems) Detection / Monitoring Methodologies
- Signature Based: defined signatures used to detect attacks or vulnerabilities, compares data in the network traffic against a database of known signature.
- Anomaly Based: Monitors the network for a departure from “normal” baseline behaviour. When traffic deviates from the norms, it triggers an anomaly. Statistical Anomaly Detection checks baseline statistics and compares them with current activity. Non-statistical has a predefined definition of known behaviour. They can find routing protocols that originated from an end user workstation, a TCP packet where the source and destination address/port are the same, or IPX traffic where only TCP traffic is used. On a wireless device it could find a rogue DHCP server.
- Behaviour Based (policy): triggers on violation of policy or configured behaviour. It must have a clear view of what the expected behaviour or security policy is. Typically very reliable and focused. Can make custom signatures with XML. Takes a good amount of work up front.
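The signature-based and anomaly-based checks described above, run over a handful of packet records, as an added example that is not part of the original notes. The packet records, the signature pattern, the workstation subnet, the authorized DHCP server and the baseline figures are all constructed assumptions.

```python
import ipaddress
import statistics

# Constructed signature database: name -> byte pattern looked for in the payload
SIGNATURES = {"constructed-path-traversal": b"../../"}
# Assumptions about the monitored network
WORKSTATION_NET = ipaddress.ip_network("10.0.20.0/24")
AUTHORIZED_DHCP_SERVERS = {"10.0.0.5"}


def signature_alerts(pkt):
    """Signature based: compare the traffic against known patterns."""
    payload = pkt.get("payload", b"")
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def anomaly_alerts(pkt):
    """Non-statistical anomaly checks taken from the notes above."""
    alerts = []
    proto = pkt["proto"]
    src = ipaddress.ip_address(pkt["src"])

    # Source and destination address/port are the same
    if (proto in ("tcp", "udp") and pkt["src"] == pkt["dst"]
            and pkt["sport"] == pkt["dport"]):
        alerts.append("same-src-dst")

    # Routing protocol (OSPF, or RIP on UDP 520) sent by an end user workstation
    is_routing = proto == "ospf" or (proto == "udp" and pkt.get("dport") == 520)
    if is_routing and src in WORKSTATION_NET:
        alerts.append("routing-from-workstation")

    # DHCP server replies (UDP source port 67) from an unauthorized host
    if (proto == "udp" and pkt.get("sport") == 67
            and pkt["src"] not in AUTHORIZED_DHCP_SERVERS):
        alerts.append("rogue-dhcp-server")
    return alerts


def rate_is_anomalous(baseline, current, k=3.0):
    """Statistical anomaly: current rate more than k std devs from the baseline mean."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline)
    return abs(current - mean) > k * max(spread, 1e-9)


def inspect(pkt):
    return signature_alerts(pkt) + anomaly_alerts(pkt)


# Constructed sample traffic
SAMPLE = [
    {"proto": "tcp", "src": "10.0.20.15", "sport": 50000,
     "dst": "192.0.2.10", "dport": 80, "payload": b"GET /index.html"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 80,
     "dst": "192.0.2.10", "dport": 80, "payload": b""},
    {"proto": "ospf", "src": "10.0.20.33", "dst": "224.0.0.5"},
    {"proto": "udp", "src": "10.0.20.77", "sport": 67,
     "dst": "255.255.255.255", "dport": 68, "payload": b""},
    {"proto": "tcp", "src": "10.0.20.15", "sport": 50001,
     "dst": "192.0.2.10", "dport": 80, "payload": b"GET /files/../../config"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 67,
     "dst": "255.255.255.255", "dport": 68, "payload": b""},
]

BASELINE_PACKETS_PER_MINUTE = [100, 110, 90, 105, 95]   # constructed baseline


def inspect_all():
    return [inspect(pkt) for pkt in SAMPLE]


if __name__ == "__main__":
    for pkt, alerts in zip(SAMPLE, inspect_all()):
        print(pkt["src"], "->", pkt["dst"], alerts or "ok")
    print(rate_is_anomalous(BASELINE_PACKETS_PER_MINUTE, 400))
```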
- Logging Procedures: Event Viewer: Application log, Security log, System log, IPSEC log. Syslog server is third party to log events. Syslog is a popular protocol. Kiwi is a free syslog server. Logging is a proactive process.
- SDEE (Security Device Event Exchange), proposed by the ICSA (international computer security association): secure standard to replace syslog and defines the format of messages to communicate between security devices.
- SNMP: Simple Network Management Protocol. SNMP can manage servers, routers, switches, hubs, vpn concentrators.... etc. One or more systems can manage them. Agents send data to the managing systems using SNMP protocol. This has a security hole because it passes a lot of data. The passwords use “community strings” in clear text (read only or read/write). SNMP is a WEAK protocol.
- SNMP v3 is the current standard in 2004 and has 3 important features:
- Authentication
- Encryption with 3DES, AES or DES
- Access Control mechanisms
- General Cryptography Concepts
- Cryptography Defined
- Cryptography is where you develop and use codes. Cryptanalysis is where you break the codes.
- Cryptography is used mainly for encryption & authentication
- Cryptography is the process of rendering data unreadable
- Cryptography uses authentication and can be applied to the involved parties (users or systems) to verify they are who they say they are.
- Cryptography can also be applied to the message contents to improve the integrity of the data so it doesn’t change in transit.
- Encryption changes clear text to cipher text
- Hashing takes the original message and runs it through an algorithm to get a result, which is appended to the message and compared by the receiver.
- Caesar Cipher: is a substitution cipher that substitutes letters of the alphabet.
- Keying variable: tells you how vulnerable you are. Like if you have just 26 letters it’s easier for a brute force attack.
- Crypto Algorithm: how the letters are being substituted.
- Plain Text: the text being ciphered
- Symmetric vs Asymmetric:
- Overview
- Desirable attributes include:
- Resist cryptographic attacks
- Support variable and long key lengths (password used in the process)
- Be scalable
- Import / Export the keys
- Avalanche effect (changing a few 0’s and 1’s) should cause the result (cipher text) to completely change.
- Sym algo: means the key you encrypt with is the same key you decrypt with
- Asym algo: uses different keys to encrypt and decrypt the data. PKI: public key, private key
- Key + Algo + Data
- Symmetric key algorithms:
- sender has the same key as the receiver.
- Key range from 40 bit to 256 bit.
- DES-56 (cracked already), 3DES-112, AES - (128, 192, 256), IDEA -128, Blowfish 32 to 448, RC2, RC4 (used by WEP wireless), RC5, RC6 - 40 to 256 bit keys
- Commonly used techniques are block ciphers (blocks of data), stream ciphers (streams of data), message authentication codes (MACs) used for the hashing process.
- Symmetric algorithms are speedy and can be accelerated by hardware easily.
- Key management is a drawback since they have the same key at both ends.
- Diffie-Hellman is a key management algorithm for key exchange
- Asymmetric Encryption Algorithms
- A.K.A. Public Key Algorithms, encrypt/decrypt keys are different
- Key lengths 512 - 4096 bits
- Good for digital signatures and setting up secure channels where encrypted data can later be sent.
- Much slower than symmetric and good for low volume exchanges.
- RSA, ElGamal, Elliptic curves and DH (Diffie-Hellman)
- C.I.A.N: Confidentiality, Integrity, Availability/Authenticity, Non-Repudiation
- Confidentiality: protect information so only accessed by authorized users and only when there is a need.
- Integrity: means the data cannot be created, modified or deleted without authorization. Data stored in one part of a data system is going to have agreement with other data in other parts of the system. $2500 transaction should agree from source to destination.
- Availability: system uses the right controls to keep data available and functioning properly when needed. Like to prevent a DOS
- Authenticity: verifies that the user, object or system is genuine and has not been forged or spoofed.
- Non-Repudiation: One party cannot deny having received a transaction, nor can the other deny having sent a transaction.
- Algorithm Comparison:
- Block: Block cipher transforms a fixed length block of text data to a block of cipher data of the same length. DES uses an 8 byte block size. Cipher text is longer than plain text usually. DES, 3DES AES IDEA, Blowfish, Skipjack
- Stream: Operate on bits (0s and 1s). The size of the message won’t typically change. Transformation of smaller plain text units will vary depending on when they are encountered in the encryption. DES, 3DES in output feedback mode (OFM) or cipher feedback mode (CFM), RC4, SEAL
- RSA & DH are considered trusted
- DES is no longer trusted. Does the algo provide enough protection against a brute force attack? AES is highly recommended.
- The longer the key the more processing overhead.
- Trusted Platform Module (TPM): used to authenticate hardware devices. It’s a spec for software written to firmware. Provides secure generation of cryptographic keys and a hardware pseudo random number generator. The hardware has an RSA key burned into it.
- Remote attestation: creates a nearly unforgeable hash key summary of hardware and software configuration.
- Supports full disk encryption, example: bitlocker
- Supports digital rights management, software license protection and enforcement, password protection
- Cryptography Algorithms and Protocols
- First battle won by cryptographic failure: Tannenberg. Russians sent out communications in the clear and Germans intercepted them.
- Hashing concepts and protocols, used to secure passwords on network devices, or in authentication protocols like CHAP (for 2 devices or 2 users), or to provide data integrity when sent over the wire. Based on one way mathematical functions. Fixed length hash is known as a digest or fingerprint. Hashing is similar to a CRC checksum that’s done in basic layer 2 communications with frames but it’s much stronger.
- It’s almost impossible to reverse a one way hash to the original text. With CHAP it can pass a hash over the network and not the username and password.
- Rainbow Crack is a list of hashes that can match captured hashes with a database.
- On a Cisco router you can run ‘service password-encryption’ and it hashes all existing passwords on the system. It is not as safe as MD5 which comes from the “enable secret” command.
- SNMP V3 uses HMAC with MD5 or SHA protocol to authenticate the devices.
- Hashing algorithms: used to generate one time and one way responses to challenges and authentication protocols like CHAP. Also used with EAP (extensible access protocol) in wired and wireless environment specifically with EAP MD5. Hashing can also be used to provide data integrity with file integrity checkers with digitally signed contracts and public key infrastructure certificates. It can also provide proof of authenticity when used with symmetric secret authentication keys such as in an IPSEC environment. Routing protocols also use it to authenticate routers to one another.
- SHA (secure hash algorithm), designed by NSA (national security agency), published by NIST (national institute of standards and technology). Types include SHA1 and SHA2 (224, 256, 384, 512). SHA1 gives a message digest 160 bits in length and is the most used. SHA3 is coming. It’s used in SSL/TLS, PGP, SSH, SMIME and IPSEC
- MD5: Message Digest Algorithm 5, widely used but not completely secure. Uses 128 bit. Designed by Ron Rivest in 1991. Used worldwide for integrity mechanisms. Fileservers often provide them for file downloads. Popular in Unix and in Cisco.
- It’s used in SSL/TLS, PGP, SSH, SMIME and IPSEC
- Lanman: obsolete in Microsoft Windows pre NT. Was used to store windows passwords. Is a block cipher based on DES and easily cracked.
- NTLM: (NT LanManager) Used with SMB (Server Message Block protocol), which has been replaced by Microsoft with CIFS, and refers to MS-CHAP. Used with remote access protocols. MS-CHAP1 and MS-CHAP2 are widespread. NTLM V2 was introduced in Windows NT SP4 and is used most often. Kerberos (designed by MIT) is now preferred in Active Directory domains replacing NTLM.
- NTLM is used when clients authenticate to a server with an IP, or if a user authenticates to server that belongs to a different active directory forest or a server that has no domain at all (workgroup or peer to peer network). NTLM is also used if a firewall restricts the ports that Kerberos needs.
- Encryption Algorithms Revisited
- DES: obsolete with 56 bit key size, designed by IBM
- 3DES: much more secure, approved by NIST through 2030
- RSA: used for PKI digital signatures. Widely used in electronic commerce protocols.
- PGP: Pretty Good Privacy. An application that provides cryptographic privacy and authentication. Used for signing, digital signatures for users, applications, drivers, hardware. Use for emails to encrypt and decrypt. Follows Open PGP standard and is an asymmetric solution with private and public keys. Uses public key cryptography. It also supports message authentication and integrity checking (using a hash or message digest from the plain text and then creates a digital signature from that hash using the sender’s private keys). PGP3 is the latest version and is widely used.
- Elliptic Curve: (ECC) For handheld wireless devices. Diffie-Hellman group 7 uses ECC.
- AES / AES 256: The de facto standard recommended by the US government. Uses a substitution permutation method. AES is fast in hardware and software and easy to implement. Doesn’t use much memory and is very popular. Used for winzip, pkzip, full disk encryption, Open SSL, Secure FTP. AES is now an option for an IPSEC implementation.
- One Time Pad: OTP. Original plain text gets grouped up with a pad / random key and is only used one time. It is used for perfect secrecy.
- Additional Protocols:
- SSL/TLS: SSL (secure socket layer). TLS (transport layer security) is the successor to SSL. Used to provide secure communications over untrusted networks like the internet and is used for things like: faxing, email, instant messaging, web browsing and data transfers. They are essentially the same protocols. Current browsers are using TLS. It provides endpoint authentication and privacy using cryptography. When a TLS connection starts, the following happens:
- Peer negotiation for support of different algorithms
- Key exchange and authentication process
- Symmetric cipher encryption and message authentication
- Typically they use public key algorithms or preshared TLS keys.
- Typical algorithms used for the key exchange process are RSA, Diffie-Hellman, PSK (pre shared key).
- For authentication typically you use RSA, DSA, RC3, 3DES, AES or IDEA
- For the hashing function typically you use HMAC MD5 or HMAC SHA which is stronger
- S/MIME: Secure Multipurpose Internet Mail Extensions. Open standard for public key encryption and is used to digitally sign email that is in the MIME protocol. Developed by RSA Data Security.
- Provides cryptographic security for email applications including privacy and data security through encryption, authentication, message integrity and non-repudiation. All email apps and browsers have it. It’s a PKI technology using certificate authorities like Verisign or Thawte.
- PPTP: Point to Point Tunneling Protocol works with Point to Point protocol by sending a regular PPP session to its peer within the generic routing GRE protocol. PPTP is PPP in a GRE tunnel. Was the first protocol supported by Microsoft’s dial up networking.
- Authentication: PPTP does the tunneling for VPNs but connections are validated with MS-CHAP v2 or EAP-TLS (extensible authentication protocol)
- Encryption: MPPE (Microsoft Point to Point Encryption protocol as defined in RFC 3078)
- HTTPS: Hypertext transfer protocol over Secure Sockets Layer, secures web traffic on port 443 using SSL or more commonly TLS, adds a layer of encryption and authentication between HTTP and TCP layer 4. Designed by Netscape.
- SHTTP: Alternative, Used for ecommerce but not used often. Pretty much dead.
- L2TP: Layer 2 Transport Protocol, VPN tunneling at Layer 2. Born from Cisco’s Layer 2 Forwarding and Microsoft’s PPTP. L2TP version 3 adds additional security, improved encapsulation and the ability to transfer data links other than simply PPP over an IP network, the familiar things like Frame Relay, Ethernet and ATM. L2TP acts and performs like an OSI Layer 2 protocol for tunneling network traffic between two endpoints over untrusted networks like the Internet. It’s actually a Layer 5 session layer protocol and it uses UDP (User Datagram Protocol) on port 1701. It’s very common to carry PPP sessions over an L2TP tunnel. It doesn’t provide confidentiality or strong authentication. It’s really a tunneling protocol that is combined with IPSEC to secure the L2TP packets.
- IPSEC: Internet Protocol Security framework. Provides confidentiality, authentication and integrity. Is a suite of protocols to provide secure IP communications by authenticating and encrypting each packet in the data stream. It also provides cryptographic key establishment which is why it is used in a Public Key infrastructure. IPSEC is a Layer 3 protocol, the network layer of the OSI model, whereas SSL, TLS and SSH operate at layers 4 through 7 of the OSI model. IPSEC is more flexible and can protect layer 4 protocols that include TCP and UDP. IPSEC is superior over SSL and TLS because the applications don’t have to be designed to use IPSEC. It uses the IKE (Internet Key Exchange) protocol to handle the negotiation between the two peers. It negotiates the protocol and algorithms based on security associations and policies.
- SSH: Secure Shell. Creates a secure channel to exchange data on a network. Started in Unix/Linux and is used to replace the insecure Telnet. SSH uses public key cryptography to authenticate the remote computer and let the remote computer authenticate the user optionally. SSH server listens on port 22. SSH can secure FTP, synchronization, SCP, SSH login. SSH can be a full VPN using Putty or TeraTerm.
- Public Key Infrastructure (PKI)
- Key Management: strength of key is based almost entirely on the length of the key. 3DES or AES can only be broken with brute force and is theoretically impossible. The number of bits depends on the level of sensitivity of the information. Longer keys have a bigger hit to performance through routers, servers or firewalls.
- Generation: typically automated by good random number generators
- Verification: makes sure weak keys can’t be used in generation
- Storage: store on highly available system, with fault tolerance on a secure system, private keys need to be kept private.
- Exchange: need a secure channel to distribute and exchange keys.
- Revocation: need a way to revoke outdated, invalid keys that may have expired certificates.
- Destruction: erases keys so malicious hackers can’t get to them.
- Digital Signatures: provide unique proof of data source generated by a single party. They can authenticate users by using the private key of that user and a signature that private key generates. They can prove authenticity and integrity of PKI certificates. They provide a secure timestamp. They provide the same functionality of a handwritten signature.
- provides authenticity of digitally signed data
- provides integrity of digitally signed data
- provides non-repudiation of digitally signed data
- Asymmetric Encryption Revisited: deals with a public key / private key. They have two main goals: confidentiality and authentication. They offer non-repudiation and integrity of a secure channel. Think RSA for the digital signature. Symmetric encryption on the other hand is used to encrypt large chunks of data or email messages.
- A user uses a signature algorithm with her signature key or private key. Based on the input of the private key into the signature algorithm, the output becomes her digital signature.
- The sending device will attach the digital signature to her original message resulting in a digitally signed message. The receiving device verifies the signature with her public key. The sender and receiver are relying on some CA (certificate authority) to issue these keys.
- The receiving device is going to input the message, the digital signature and the public key into the signature algorithm and it will check the validity of the signature. If successful, then it is a verified signature and the document has integrity and was originated by the user.
- They can also be used to authenticate code or device drivers to verify integrity and the source.
- They are built on extremely complex mathematical formulas.
- Great for exchanging symmetric keys when the symmetric algorithm has no facility to exchange keys like to exchange private shared keys. The asymmetric encryption can protect the channel for exchange.
- Uses key pairs (public & private): both keys can encrypt but
- if you encrypt with the private key, then the public key decrypts the data.
- if you encrypt with the public key, then the private key decrypts the data.
- only one host has the private key, thereby validating the authenticity of the sender.
- Also known as Public Key Encryption
- RSA, DSA, DH, ElGamal, ECC (elliptic curve technology for hand helds)
- RSA is the most common (Rivest, Shamir and Adleman), in the public domain. Easiest to understand and implement. It’s very flexible because it has variable key lengths that allow you to trade off speed for security if necessary. 512 to 2048 bits range. RSA is based on the difficulty of factoring extremely large numbers. Typically used for the long haul, are changed regularly and can be renewed after months or years. RSA signatures are at the core of PKI.
- 512 to 4096 bits (1024 + are trusted)
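The sign, attach and verify sequence from the digital signature notes above, as an added example that is not part of the original notes. It uses textbook RSA (hash the message, then raise to the private exponent) with small Mersenne primes so the arithmetic stays visible; the key sizes, names and messages are constructed, and production code uses a vetted library with padded signatures and keys in the trusted size range.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi
    return (n, e), (n, d)


def digest_int(message, n):
    """Hash the message and map the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Sender: private key + message digest -> digital signature."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message, signature, public_key):
    """Receiver: message + signature + sender's public key -> valid or not."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


# Toy keys built from Mersenne primes (far too small for real use).
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUBLIC, _ = make_keypair(2**107 - 1, 2**127 - 1)


def demo():
    message = b"Transfer $2500 to account 12345"       # constructed message
    signature = sign(message, ALICE_PRIVATE)           # attached to the message

    genuine = verify(message, signature, ALICE_PUBLIC)
    # Integrity: any change to the signed message invalidates the signature.
    tampered = verify(b"Transfer $9500 to account 12345", signature, ALICE_PUBLIC)
    # Authenticity: the signature only verifies under the signer's public key.
    wrong_key = verify(message, signature, OTHER_PUBLIC)
    return genuine, tampered, wrong_key


if __name__ == "__main__":
    print(demo())
```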
- DH Key Exchange (Diffie Hellman): With symmetric encryption we know there is a shared secret key between both parties. Diffie Hellman is at the foundation of most modern key exchange methodologies. The IKE protocol and IPSEC and VPN use Diffie Hellman extensively to give us a reliable and trusted methodology for exchanging keys over untrusted channels. DH can generate keying material and also provides key management for other algorithms like 3DES and AES.
- Provides secure key exchange over untrusted channels like the internet.
- Once exchanged, those keys can be used to generate other keys that can be used for IPSEC for example.
- Establishes secret keys that can be used for Symmetric Encryption like 3DES or AES or to generate the secret keys used for hashing like data integrity and HMAC’s like MD5 and SHA1.
- DH is in RFCs 2409 and 3526.
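The Diffie-Hellman exchange described above, followed by deriving separate encryption and integrity keys from the shared secret, as an added example that is not part of the original notes. The 127-bit modulus and base are toy assumptions chosen for readability (real deployments use the large MODP groups), and the HMAC-based key derivation is a simplification, not the derivation IKE itself defines.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1    # toy modulus (a Mersenne prime); assumption for illustration
G = 3             # toy base; assumption for illustration


def dh_keypair():
    """Pick a random private value and compute the public value G^x mod P."""
    private = secrets.randbelow(P - 3) + 2        # 2 .. P-2
    return private, pow(G, private, P)


def is_valid_public(value):
    """Reject degenerate peer values (0, 1, P-1, out of range) before use."""
    return 1 < value < P - 1


def dh_shared(private, peer_public):
    """Combine our private value with the peer's public value."""
    if not is_valid_public(peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def derive_keys(shared):
    """Turn the shared secret into two independent keys (simplified KDF)."""
    material = shared.to_bytes(16, "big")          # shared < 2**127 fits in 16 bytes
    encryption_key = hmac.new(material, b"encryption", hashlib.sha256).digest()
    integrity_key = hmac.new(material, b"integrity", hashlib.sha256).digest()
    return encryption_key, integrity_key


def demo():
    # Each side generates its own pair; only the public values cross the wire.
    a_private, a_public = dh_keypair()
    b_private, b_public = dh_keypair()

    a_keys = derive_keys(dh_shared(a_private, b_public))
    b_keys = derive_keys(dh_shared(b_private, a_public))
    return a_keys == b_keys


if __name__ == "__main__":
    print("both sides derived the same keys:", demo())
```

Plain Diffie-Hellman does not authenticate the peer, which is why IKE pairs it with certificates or pre-shared keys.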
- PKI Principles, Standards, and Roles:
- Framework to support large scale public key based technologies
- Set of Tech, Org and Legal components to establish C.I.A.N. (confidentiality, integrity, authenticity, and non-repudiation) through public key cryptography (ASYMM key cryptography).
- Certificate: Digital doc that binds entity name and public key signed by certificate authority. It also defines the protocol used. The CA is the trusted third party that signs the public keys of the players in the PKI based system. The certificate of a user will always be signed by a CA. Every CA has its own certificate that contains its public key that is self signed. This is called a self-signed CA certificate.
- PKI Areas: CA’s, PKI Users (people, companies, devices, vpn concentrators, firewalls and servers), Storage and Protocols, LRA’s (local registration authorities), Supporting Legal Framework
- CA’s: Verisign, Thawte, Entrust, RSA, CyberTrust, Microsoft, Novell
- Root CA that generates directly to users is not scalable but can be used for a segregated authority like Microsoft might for its inside employees.
- Multiple CAs is more scalable. Top level CA can generate certs to subordinate CAs. This has better scalability, manageability and you can distribute trust decisions down to smaller branches or sub organizations. A large multi national corporation might have a Root CA that generates certificates to level 2 CAs who put the certs out to the end users. Every cert has a path (chain) that leads back to the Root CA.
- Cross Certifying: Multiple flat single root CA’s that have trust relationships horizontally by cross certifying their own certificates.
- Usage Keys: some PKIs require the user to have 2 key pairs.
- One pair is for encryption only using 3DES with a short key length for example.
- The other pair is for signing only using RSA for example with 1024 to 2048 bit lengths.
- Certificate Authorities
- X.509 format is often used. X509.3 is the most widely used and is found in secure web servers using SSL and TLS, used in web browsers with SSL and TLS, used with S/MIME, PGP, used in IPSEC VPNs and specifically the IKE protocol
- PKI requires interoperability with other standards and protocols like the X.500, the PKCS (public key cryptography standard) and LDAP
- PKCS defines the algorithms, application protocol interfaces and data formats that are used in PKI. There are many standards:
- PKCS1 is the RSA standard
- PKCS3 is the Diffie Hellman key exchange standard
- IETF is responsible for the PKI standards
- public keys are used for authentication
- trusted third party certs provide scalability
- Certs are also used in an 802.1X environment which includes 802.3 which is Ethernet and 802.11 which is wireless using EAP-TLS (extensible authentication protocol).
- CAs are the most scalable, global authentication solution and X.509 format is the most ubiquitous format
- Organizational Security (Part 1)
- Alternate Disaster Recovery Sites
- Hot Sites: offsite facility with redundant systems so you can simply move over to that location in an emergency. Hot Site is also called the “Active Backup Model”. This allows the fastest way to get back up in an emergency.
- Warm Sites: similar to hot site but requires some level of installation, setup and administration in an emergency. Bringing systems online, restoring data etc. Some companies create Reciprocal Agreements to share the costs of a warm site. Should be outside your common geographic area. Requires advance planning, testing and access to media for recovery.
- Cold Sites: have no configuration, might be an empty warehouse with electricity. Might be a wireless network environment. Used when you might be there for a long time. They are least expensive but require the most planning, pilot testing and the most resources to get going. Cold sites might not have security either.
- Redundancy Planning:
- Single Points of Failure: can occur in all mission critical devices, email server, routers, switches, IPS sensors, Sharepoint, Kerberos in a Windows 2003 environment, file servers. A cluster of servers might be represented by one IP but behind it you have a wide variety of devices, using network load balancing, round robin techniques, a cluster using active active clustering. If one device goes down, the other can take over transparently. The goal is 99.999% uptime. Duplicates!
- RAID (redundant array of independent disks): use for redundancy of data using inexpensive arrays of disks. Keep spare drives to rebuild arrays.
- Redundant Servers / ISP / Conns:
- U.P.S.: uninterruptible power supply
- Backup Generators:
- Spare Parts: you need to have spares to keep things going. Drives, power supplies, memory.
- Redundancy Components:
- Disaster Recovery Procedures:
- Non Disaster: business is unavailable for a few hours either intentionally or not. It’s simply a non disaster.
- Disasters: loss of operability for over 24 hours. Doesn’t mean total destruction. It makes the facility unstable.
- Catastrophes: Destroys the entire facility: fire, earthquake or other man made or natural disasters.
- Disaster Recovery Objectives:
- Protecting People
- Protecting the Goodwill or name of company, shareholders, competitive advantage.
- Protecting Data
- Resuming of Business Functions: get back in a timely manner
- Minimize Decision Making During Disaster: comes from good planning, documentation, clear thinking from leaders.
- Rehearsed Plans and Procedures
- Requires Planning, Exercises, Backup and Storage (offsite) and Restoration
- Incident Response: often under Incident Manager role.
- Incident response defined: an occurrence that has caused damage or has the potential to cause damage. Incident response is about a team’s capability to respond to unexpected events to control or limit damage and to maintain or restore normal operations. A plan must be in place to define the responses. AIW (acceptable interruption window).
- Forensics:
- AAA:
- Acquire: gather information on disks, usb keys, ram and system logs
- Authenticate: making sure evidence presented is the actual evidence collected in the investigation.
- Analyze:
- Investigation procedures includes: Identification, Preservation, Collection, Examination, Analysis, Presentation and Decision
- Chain of Custody: is a log or diary of the chain that evidence was collected
- Who collected it, How and Where was it taken?
- Who took possession w/ date and timestamp
- How was it transported
- How was it stored and protected while there.
- Who removed it from storage and why ?
- if it’s compromised it’s “tainted” evidence.
- www.sans.org has several pages dedicated to this activity, SCORE (security consensus operational readiness evaluation)
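
The Authenticate step and the chain of custody questions above (who, how, where, when), as an added example that is not part of the original notes: each custody entry stores the evidence hash and the digest of the previous entry, so an edited entry or an altered image shows up on verification. The names, places, timestamps and image bytes are constructed sample values, and SHA-256 with a hash-chained log is an assumed design, not a mandated one.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field of an entry except its own digest, in a stable order."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def add_entry(log: list, who: str, action: str, where: str, when: str,
              evidence: bytes) -> dict:
    """Append one custody event: who handled the evidence, how, where and when."""
    entry = {
        "who": who,
        "action": action,
        "where": where,
        "when": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means record and evidence agree."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(entry) != entry["digest"]:
            problems.append(f"entry {i}: entry was edited after it was written")
        if entry["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = entry["digest"]
    if log and sha256_hex(evidence) != log[0]["evidence_sha256"]:
        problems.append("evidence no longer matches the hash taken at acquisition")
    return problems


def build_sample_log():
    """Constructed sample: a fake disk image and three custody events."""
    image = b"constructed disk image bytes for the example"
    log = []
    add_entry(log, "A. Examiner", "imaged disk with write blocker",
              "server room", "2011-03-01T09:15:00Z", image)
    add_entry(log, "B. Courier", "transported in sealed evidence bag",
              "company vehicle", "2011-03-01T10:40:00Z", image)
    add_entry(log, "C. Custodian", "stored in locked evidence cabinet",
              "forensics lab", "2011-03-01T11:05:00Z", image)
    return log, image


if __name__ == "__main__":
    sample_log, sample_image = build_sample_log()
    print(verify_log(sample_log, sample_image))
```
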
- First Responders: these are the incident response handlers and must have good communications to everyone in the company and outside authorities like police and fire departments.
- Damage / Loss Controls: Damage Controls describes actions necessary to deal with any problem that could jeopardize a particular project or endeavor or security implementation process. Loss Controls deal with retail industries like shoplifting and losing of inventory to your own workers and can even be losing information or data to our own employees. Involves monitoring and auditing of our own employees to make sure they are not installing company software on their own computers or taking company devices home.
- Organizational Security (Part 2)
- Secure Disposals:
- Info storage and retention policy: must be able to downgrade information and limit the amount of time that information is going to be retained or reviewed or hardware and storage is going to be retained. Review on a regular basis if information is going to be retained or removed. It may be mandated by DOD or some other organization like Sarbanes Oxley or HIPAA.
- Disposition workflow: determining when data is being created how long it will be retained so someone is messaged to start a workflow process.
- Information Destruction Policy: should include shredding or incineration.
- Re-Sale of Systems: drives should be zeroed out and degaussed (disk wiping). Low level format. Windows systems can use debug command to do a low level format. Licensed software must be removed or it violates EULA.
- AUP (acceptable use policy): deals with computers provided by an organization and lays out what activities are allowed and prohibited on the equipment. It could say they are for company business only. It might cover usage policies for: web, email, private usage. Also information and procedures regarding telephone system usage. How to deal with questions for grey areas. Might have to call HR or IT.
- Mandatory Vacations: they create opportunities for cross training of duties (rotation of duties). Helps prevent single point of failure and cuts down on fraud.
- PII (personally identifiable info): OPPA (online privacy protection act). This makes forensics more difficult.
- Due Care and Diligence: the process of learning all the risks that are known, weaknesses in the code. Can tie into risk assessment and analysis when looking at other companies and their security or someone to become a strategic partner
- Due Process: a person has a right to be notified and be heard in an orderly proceeding to protect their own rights. If you are going to terminate someone and try to prosecute them in a court of law, you need to follow the concepts and principles of due process giving individuals the ability to enforce their rights.
- SLA (service level agreement):
- Agreement between service provider / vendor and you or your company
- May be security or availability related
- Outline contractual obligations and deliverables
- May even exist inter-department internally
- Also known as maintenance contracts
- MTBF (mean time between failure) vs MTTR (mean time to repair). MTTR doesn’t often include the time to get the part.
- Security Aware HR:
- Hiring and termination, process based on voluntary or involuntary, locking accounts
- Training and awareness
- Ethics Policies: CPSR (Computer Professionals for Social Responsibility)
- Background Checks
- Privacy (HIPAA)
- Organizational Security (Part 3)
- Environmental Controls: used to control heat and humidity, fire suppression, the three components of a fire are heat, fuel and oxygen (trilogy of fire). Shielding with a faraday cage can prevent EMI (electromagnetic interference) and RFI (radio frequency interference). Lights and motors can cause EMI so make sure all signal lines are shielded and grounded properly. Things that generate EMI should be as physically separated from cabling as possible.
- Social Engineering:
- teaching how Phishing can be presented in email, instant messaging
- Hoaxes, a person claims to be an IT admin and need credentials or personal info. Someone describing themselves as a janitorial service, maintenance worker, pest control trying to get information.
- Someone piggybacking into a secure area.
- Shoulder surfing, looking over someone’s shoulder, using telescopes or binoculars
- Have admin timeout so inactivity logs people out.
- Make sure users know to logoff or lock OS when not in use
- Dumpster divers looking for information, don’t throw old hard drives away until zeroed out.
- End user education and awareness training should be happening constantly quarterly or semi-annually.
- Survey of Security + Acronyms
- 3DES — Triple Digital Encryption Standard
- ACL — Access Control List
- AES - Advanced Encryption Standard
- AES256 — Advanced Encryption Standards 256bit
- AH - Authentication Header
- ALE - Annualized Loss Expectancy
- ARO - Annualized Rate of Occurrence
- ARP - Address Resolution Protocol
- AUP - Acceptable Use Policy
- BIOS — Basic Input/Output System
- BOTS — Network Robots
- CA — Certificate Authority
- CAN - Controller Area Network
- CCTV - Closed-circuit television
- CHAP — Challenge Handshake Authentication Protocol
- CRL - Certification Revocation List
- DAC — Discretionary Access Control
- DDOS — Distributed Denial of Service
- DES - Digital Encryption Standard
- DHCP — Dynamic Host Configuration Protocol
- DLL - Dynamic Link Library
- DMZ — Demilitarized Zone
- DNS — Domain Name Service (Server)
- DOS - Denial of Service
- EAP - Extensible Authentication Protocol
- ECC - Elliptic Curve Cryptography
- FTP - File Transfer Protocol
- GRE - Generic Routing Encapsulation
- HIDS - Host Based Intrusion Detection System
- HIPS - Host Based Intrusion Prevention System
- HTTP - Hypertext Transfer Protocol
- HTTPS - Hypertext Transfer Protocol over SSL
- HVAC - Heating, Ventilation Air Conditioning
- ICMP - Internet Control Message Protocol
- ID - Identification
- IM - Instant messaging
- IMAP4 - Internet Message Access Protocol v4
- IP - Internet Protocol
- IPSEC - Internet Protocol Security
- IRC - Internet Relay Chat
- ISP - Internet Service Provider
- KDC - Key Distribution Center
- L2TP - Layer 2 Tunneling Protocol
- LANMAN - Local Area Network Manager
- LDAP - Lightweight Directory Access Protocol
- MAC - Mandatory Access Control / Media Access Control
- MAC - Message Authentication Code
- MAN - Metropolitan Area Network
- MD5 - Message Digest 5
- MSCHAP - Microsoft Challenge Handshake Authentication Protocol
- S/MIME - Secure / Multipurpose Internet Mail Extensions
- SCSI - Small Computer System Interface
- SHA - Secure Hashing Algorithm
- SHTTP - Secure Hypertext Transfer Protocol
- SLA - Service Level Agreement
- SLE - Single Loss Expectancy
- SMTP - Simple Mail Transfer Protocol
- SNMP - Simple Network Management Protocol
- SPIM - Spam over Internet Messaging
- SSH - Secure Shell
- SSL - Secure Sockets Layer
- SSO - Single Sign On
- STP - Shielded Twisted Pair
- TACACS - Terminal Access Controller Access Control System
- TCP/IP - Transmission Control Protocol / Internet Protocol
- TKIP - Temporal Key Integrity Protocol
- TKIP - Temporal Key Interchange Protocol
- TLS - Transport Layer Security
- TPM - Trusted Platform Module
- UPS - Uninterruptible Power Supply
- URL - Universal Resource Locator
- USB - Universal Serial Bus
- UTP - Unshielded Twisted Pair
- VLAN - Virtual Local Area Network
- VoIP - Voice over IP
- VPN - Virtual Private Network
- WEP - Wired Equivalent Privacy
- WPA - Wi-Fi Protected Access
- Network Security Domain Update
- All In One Security Appliances:
- Firewall device
- Can inspect traffic and make sure protocols are operating properly.
- Can do url filtering with white/black lists.
- Threat detection to look for scanners on traffic.
- Anti-spoofing.
- Can be a certificate server and manage certificates.
- Can be a concentrator or gateway for different types of VPNs.
- Even includes virtual appliances.
- Modular lets you add IPS module
- Content Security: anti spam, spyware, virus, url filtering, anti-phishing
- Layer 2 Security: consider what devices are connected to each port. Can people do VLAN hopping attacks or VLAN double tagging attacks? Make sure laptops, ip phones, pcs, workstations, biz hubs and printers are hard coded as access ports. Ports that connect to other switches carrying VLANs are trunk ports. Set the switchport mode to nonegotiate and not dynamic. Set switchport to protected. That isolates the port from communicating with other protected ports. Port security maximum 3 only allows 3 mac addresses on that port. Prevents flooding of CAM or MAC address table. Hard code the mac addresses that can connect. Use port based authentication. Violation determines the consequences of rules: protect, restrict or shutdown the port. Set aging policy for how long mac addresses stay in the table based on time or inactivity. Don’t forget about 802.1X (whatever that means).
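
One way to check a switch configuration against the Layer 2 points above, as an added example that is not part of the original notes: a small auditor that reads Cisco IOS-style interface blocks and reports ports that are not hard coded, still negotiate trunking, are not protected, or allow more than 3 MAC addresses. The sample configuration, interface names and descriptions are constructed; the commands themselves are standard IOS switchport commands.

```python
import re

MAX_MACS = 3  # the limit the notes use ("port security maximum 3")

# Constructed sample configuration in Cisco IOS syntax.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description user workstation
 switchport mode access
 switchport nonegotiate
 switchport protected
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
interface GigabitEthernet0/2
 description printer
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 description ip phone
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface GigabitEthernet0/24
 description uplink to another switch
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of its stripped configuration lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines: list) -> list:
    """Return the findings for one interface; an empty list means it passes."""
    findings = []
    mode = None
    for line in lines:
        match = re.match(r"switchport mode (\w+)", line)
        if match:
            mode = match.group(1)
    if mode not in ("access", "trunk"):
        findings.append("mode is not hard coded as access or trunk")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP negotiation is not disabled (switchport nonegotiate)")
    if mode == "access":
        if "switchport protected" not in lines:
            findings.append("port is not protected (switchport protected)")
        if "switchport port-security" not in lines:
            findings.append("port security is not enabled")
        else:
            maximum = 1  # IOS default when no maximum line is present
            for line in lines:
                match = re.fullmatch(r"switchport port-security maximum (\d+)", line)
                if match:
                    maximum = int(match.group(1))
            if maximum > MAX_MACS:
                findings.append(f"port-security maximum {maximum} exceeds {MAX_MACS}")
    return findings


def audit(config: str) -> dict:
    """Audit every interface block in a configuration."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or "OK")
```
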
- Virtualization and Cloud Computing: Virtualization is a security problem because people can easily install virtual servers and virtual software on a machine and make rogue servers, dhcp, dns, default gateways or routers. We can also virtualize firewalls and IPS sensors. Desktop Managers can deny access if a client has a host being emulated with a VM. They can also check for keystroke loggers. Some backend servers like a URL filtering service could be performed by someone like TrendMicro in the cloud who would provide the black lists of bad URLs.
- IPv4 vs IPv6: www.ipv6vsipv4.com ipv6 has 128 bits, ipv4 has 32 bits.
- Both have most of the same threats - IPv6 closes some doors but opens others
- Coexistence and Migration = Vulnerability
- Reconnaissance: early attack used to gather information, using port scanners, ip scanners and sniffers. Scanning with ipv6 isn’t feasible because the address space is so big.
- Viruses and Worms: in both versions but worms that do random addresses are not as big of a risk
- Unauth Access: ipv6 has new extension headers that open new attack vectors.
- Mobile IP: is embedded in ipv6 with some new security.
- Header Manipulation: ipv6 has new extension headers that open new attack vectors.
- Sniffing: works in both ipv4 and ipv6 and is countered using cryptographic measures to convert the information to ciphertext.
- Fragmentation: is a big problem in ipv4, ipv6 doesn’t have as much a problem
- Application Layer Attacks: IPSEC increases security
- Spoofing: still a problem in ipv6 since you still have tunneling.
- Rogue Devices: big problem in ipv4. in ipv6 we can use IPSEC to use 802.1X port based authentication to block unauthorized devices from connecting.
- Resolution Attacks: still has dhcp vulnerabilities but using stateless autoconfiguration in ipv6 instead of ARP so it is an improvement.
- Man-In-the-Middle Attacks: using a good key management strategy with IPSEC will help out. Make sure your keys are protected.
- Smurf Attacks: a broadcast amplification attack and not in ipv6
- Flooding Attacks: new types of traffic in IPv6 do open up some vulnerabilities.
- Routing Attacks: native support for IP security will countermeasure these.
- Wireless Security Enhancements
- WPA2 (WiFi Protected Access): Based on 802.11i (RSN, robust security networks) and is the next generation of WPA which was an interim solution for WEP. WPA2 is the WiFi Alliance delivery or version of the 802.11i. There is WPA2 Personal or WPA2 Enterprise. WPA2 Personal uses weak preshared keys and passphrases which is a vulnerability. Risks: Encryption keys are compromised or network resources are placed at risk. Crackers get the passphrase by using social engineering or an offline brute force dictionary attack. WPA2 Corporate uses CCMP/AES for Confidentiality and 802.1X/EAP for Authenticity and Integrity
- EAP (Extensible Authentication Protocol): Is the original extension of PPP - now 802.1X (RFC 3748). Very flexible - 1 way or 2 way Authentication.
- Messages sent with EAPOL (EAP Over Lan) from supplicant to authenticator
- Messages sent from authenticator to back end (AAA) server is RADIUS
- LEAP: weak EAP protocol, do not use. Was easy to deploy, used static WEP encryption. ASLEAP is a tool that can compromise (crack / exploit) LEAP. EAP-FAST uses PACs (protected access credentials) which are like certificates.
- PEAP: an extension of LEAP. Considered a strong EAP extension. Uses encrypted TLS tunnels. Most common widely supported EAP method. Flavors of PEAP: uses EAP MS-CHAPv2, uses SSL/TLS, EAP-GTC (supports token based authentication)
- TKIP (Temporal Key Integrity Protocol): Meant to replace WEP.
- Firmware upgrade to improve security.
- Still uses RC4 like WEP but adds:
- temporal keys (dynamically generated temporary keys)
- sequencing: sequences the protocol data units and drops TKIP data units if out of order
- key mixing: complex 2 step cryptographic mixing process that generates stronger seeding material for RC4 as opposed to WEP that had that weak 24 bit initialization vector
- better data integrity from MIC (message integrity code/check) which defeats bit flipping and forgery attacks that were used against the WEP protocol
- CCMP: Counter mode with cipher block message authentication code protocol
- 802.11i replacement for WEP and TKIP
- Uses AES block instead of RC4 stream
- Usually needs new hardware
- Has many components, different key sizes because of AES.
- Any new wireless security implementation will be using CCMP as your Confidentiality, Authenticity and Integrity mechanism.
- Antenna Placement: place antennas so you don’t have interference from other neighbors and don’t extend too far from your building where outside people can sniff.
- Power Controls: If boosting power, consider the radiation pattern and if it goes too far.
- Compliance and Operational Security Domain Update
- Handling Risk
- Risk management vs. Risk Avoidance
- Reduce to acceptable levels or Ignore the risk
- Basic yet difficult or Insure the risk level
- Put together the best practices or Offload to a third party consulting firm
- Will management traffic like Telnet, SSH, SSL/TLS or SNMP be on its own VLAN or In Band with your data traffic? Will you use IPSEC or SSL/TLS?
- Will you use secure version of time servers like NTPv3 to synchronize ?
- Do you have a strict password policy, badges, do you allow piggybacking ?
- Do you have a wireless production network ? Is it secure.
- Are you using SNMP v2c and are you using read/write community strings ? Use Read Only.
- E-banking: requires identifying the threats, performing a risk assessment and risk analysis and implement risk management.
- Basic Forensics Procedures
- Introduction: IOCE (international organization on computer evidence), SWGDE (scientific working group on digital evidence)
- Basics of forensics: MOM (motive, opportunity & means)
- motive, who did the crime and why did they do the crime
- opportunity, where, when of cybercrime, exploit of a vulnerability, AUP, holes in firewall, unpatched servers, no anti-virus, spam
- means, capabilities to successfully perform an exploit or attack, admin access, weak password policy
- network analysis: analyze all ingress/egress points, dialup networks, wan/lan connections, choke points where routers/firewalls are, be able to analyze logs in servers, firewalls or IPS, need to use path tracing back to the source of an incident
- media analysis: be able to image disks and pull info off disks and how disks can be cleaned and how to extract data after cleaning. Steganography.
- software analysis: can it be reverse engineered, is your software protected with digital signatures, review and look for malicious code on your systems, look for potential exploits using penetration testing.
- Investigative Phases:
- Identification: detect events, listen to complaints, do monitoring and auditing, do profile detection
- Preservation: involves chain of custody, have a proper system to maintain evidence, time synchronization
- Collection: collection of evidence
- Examination: taking the basic facts and information gathering
- Analysis: analyzing the data
- Presentation: presentation to law enforcement, stake holders, steering committees
- Decision: how to act, may involve law enforcement or internal discipline
- Anti-forensics: works around forensics
- hiding data: by obfuscation or encrypting the data or using steganography, using slackspace in memory
- artifact wiping: eliminating files or file systems, data remanence, also programs can do the wiping and then delete themselves
- trail obfuscation: confuses examiners, cleaning up logs, using layer 2 or 3 spoofing, misinformation, fake accounts, trojan commands, TimeStomp is a tool that lets you modify files
- Standards of Evidence:
- Best: signed contract, not oral, video
- Secondary: not as reliable, like oral evidence or copies of documents
- Direct: can prove facts by itself to prove a point, typically from a witness
- Conclusive: irrefutable and uncontradictable evidence
- Circumstantial: can prove intermediate fact, can be used to deduce or assume the existence of another existing fact.
- Corroborative: supports other evidence like circumstantial or secondary evidence
- Hearsay: oral or written evidence from 2nd hand information. similar to circumstantial evidence
- Tools of the Trade:
- tags and labels
- forms and documentation
- gloves & anti-static bands
- pliers, screwdrivers, tweezers, cutters
- evidence bags, tape, ties, markers & pens
- magnifier glass
- recorder, laptop to mp3 files
- experience
- Security Awareness and Training
- ATE: Awareness Training and Education
- Awareness, WHAT, informational, retaining information about how to be the best most secure employee you can, teach through videos, posters, newsletters. Is a short term thing. Bring up in Bi-monthly meetings
- Training: is the HOW, it’s the knowledge/skillset, through lectures, case studies, hands on practice, CBT nuggets, problem solving, recognition of attacks. Intermediate time frame
- Education is the WHY and is long term deep understanding, reading and study, seminars and discussions, degrees, certifications.
- Review user habits: sometimes force user habits with NAC (network admission control) or NAP (network access policy) software to force updates. Is the desk clean and free of sensitive information and that passwords are not on sticky notes. Limit personally owned devices in the office. Do you have a strict password policy and procedures for handling data? USB keys or external portable devices. Policies on piggybacking.
- Compliance: DOD, Sarbanes Oxley, HIPAA, C.E. continuing education
- Threat awareness system: send out global emails on intranet for attack problems from IDS and IPS
- Social Networking and P2P: Twitter, Facebook, P2P file sharing, distributing Youtube videos, should be part of a security policy defining what level if any these can be used. Send all traffic through headquarters where you can provide URL filtering, or proxy services or content services.
- Risks of Virtualization, pros and cons
- Pros: consolidation, energy efficient, resource utilization, management, enhanced provisioning of virtual servers, load balancing, automation, cloud support, DRP (disaster recovery planning), VDI (virtual desktop infrastructure)
- Cons: Another vulnerable OS, traditional IDS/IPS have problems (hard to place sensors inline between servers), malware is virtual aware, data confidentiality (exploit of one server could escalate to another in the same box), outsourcing challenges (do they know how to work with VMs)
- Risks of Cloud Computing
- public cloud computing - how safe is your data really
- using same passwords is bad, use unique ones for a cloud
- data deletion is not controllable
- loss of control - access, housing, mgmt, maintenance
- corporate security policy include Cloud Computing / SLA’s
- Reputation / Marketing over Research, you have to research and test with the companies
- Compliance Issues: is there any conflict with destruction or disposition policies with Sarbanes Oxley or HIPAA requirements
- Threats and Vulnerabilities Domain Update
- Phishing: Delivery of email messages, phone calls that try to steal information/money. False links in emails, threats (account will be disabled) using a popular company. Look for bad grammar.
- SPIM (spam over instant messaging): launched most often by bots, harvest IM screen / profile names, usually contains link to website, A.K.A ‘instant spam’ or IM Marketing, SPIMMER is the sending entity. A firewall is the main source of defense.
- Vishing: (SPIT is voip spam) Voice Phishing, intercept voice mail messages, change hold music, denial of service, eavesdropping
- Pharming: Hacker's attack intended to redirect a website's traffic to another, bogus site
- DNS/ARP Poisoning: improperly formatted packets, weakness in headers, packet that depends on the receiving device processing it improperly. DNS Cache poisoning via tcp sequence numbers, spoofing DNS query response, or through vulnerable DNS servers. Layer 2 ARP poisoning can be done by poisoning the MAC addresses. The CAM tables can be flooded with MACOF which forces the switch to be a HUB.
- Application Attacks: defended with limiting commands, number of connections, timeouts, limits how apps can be accessed
- Assessment Types & Techniques:
- Risk: the likelihood a threat or threat agent will implement a particular exploit or attack
- Threat: looking at individual exploits or agents that can take advantage of a vulnerability. Like in house developed software.
- Vulnerability: finding weaknesses in systems, design, implementation, vpns, protocol limitations, configurations of routers, firewalls, devices etc...
- Assessment Techniques
- Baseline reporting: reference for anomalies from a knowledge base
- Code review: is code tested, digitally signed with a PKI
- Determine attack surface: access control rules on routers, switches etc so only certain hosts and vlans can control the devices, reducing footprint of wireless transmission.
- Architecture: will you use SSL VPN or PKI and what is your compliance.
- Design reviews: are there improvements we can make to move from IPSEC to SSL full tunnel, move from pre shared keys to PKI or token based or one time passwords for authentication / authorization.
- Application, Data, and Host Security Domain Update
- Fuzzing
- A.K.A fuzz testing - black box software testing
- Find bugs using automated malformed data injection
- Developed in 1989 at U of Wisc Madison
- Automatic bug finding to locate software faults
- Programs are called “fuzzers”
- numbers, chars, metadata, binary sequences
- Cross-Site Scripting (XSS): very common exploit for public facing server, vulnerability found in web applications where code can be injected into a web page (html or client side scripts). Can bypass “same origin” policy which allows access to pages and variables from the same site.
- Cracker finds an XSS hole in Site A
- Good guy hits site A and sends many requests to Site B (victim) via a META refresh to hide the referrer without his knowledge
- Good guy sends many requests to Site B and eventually finds a hole which is then sent to site C without his knowledge.
- Good guy sends successful attempts to hack site B to site C which are logged so that Bad Guy can view them at a later date (done without Good guy's knowledge)
- Bad guy checks Site C for successful hack attempts against Site B to launch further attacks having never visited Site B (the victim)
- Web master of victim Site B never sees Site A (origin of XSS attack) in his logs and never sees Bad guy in his logs (and will think Good Guy is to blame)
- XSRF: Cross Site Request Forgery. Esoteric obscure offshoot of XSS. Can force your pc to go to banking, brokerage sites and modify account info. Is very devastating but not hard to counter measure. One example is an image tag that has the source of a server in the src attribute. Always close your browser window when leaving a site like a bank or broker.
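
The XSRF countermeasure mentioned above, as an added example that is not part of the original notes: a handler that changes state on any request carrying the session cookie, beside a hardened version that requires POST and a per-session token the other site cannot read. The handlers, session layout, parameter names and account values are hypothetical and constructed for the illustration; no web framework is used.

```python
import hmac
import secrets


def new_session(user: str, balance: int) -> dict:
    """Server-side session; the token is embedded only in the site's own forms."""
    return {"user": user, "balance": balance,
            "csrf_token": secrets.token_urlsafe(32)}


def transfer_vulnerable(session: dict, method: str, params: dict) -> int:
    """Changes state on any method, trusting the session cookie alone."""
    session["balance"] -= int(params["amount"])
    return 200


def transfer_hardened(session: dict, method: str, params: dict) -> int:
    """Requires POST plus the session's token before changing state."""
    if method != "POST":
        return 405  # an image tag can only issue GET, so it stops here
    supplied = params.get("csrf_token", "")
    expected = session["csrf_token"]
    # Compare as bytes in constant time; str input with non-ASCII would raise.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    session["balance"] -= int(params["amount"])
    return 200


def run_demo() -> dict:
    """Replay forged and genuine requests against both handlers."""
    results = {}
    # What a cross-site image tag or auto-submitted form can send: the browser
    # attaches the session cookie, but the other site cannot read the token.
    forged = {"to": "constructed-account", "amount": "100"}

    session = new_session("alice", 1000)
    results["vulnerable_forged_get"] = transfer_vulnerable(session, "GET", forged)
    results["balance_after_vulnerable"] = session["balance"]

    session = new_session("alice", 1000)
    results["hardened_forged_get"] = transfer_hardened(session, "GET", forged)
    results["hardened_forged_post"] = transfer_hardened(session, "POST", forged)
    guessed = dict(forged, csrf_token="guess")
    results["hardened_wrong_token"] = transfer_hardened(session, "POST", guessed)
    results["balance_after_forgeries"] = session["balance"]

    genuine = dict(forged, csrf_token=session["csrf_token"])
    results["hardened_genuine_post"] = transfer_hardened(session, "POST", genuine)
    results["balance_after_genuine"] = session["balance"]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
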
- Mobile Device Security
- Should be in written policy, AUP (acceptable use policy) w/enforcement
- Personal or Provisioned (should be tightly managed and controlled)
- Risks: What is stored and sent on the device.
- Risks: infected apps, identity/content theft, lost/stolen device, banking, pharming
- Rapid deployment with poorly tested devices.
- Hardware Based Encryption
- HW encry/decr is much faster than software
- HMAC hashed message authentication, adds a hash to detect changes in data.
- Secret keys on hardware are not as vulnerable due to exposure; fewer brute force attacks
- Often part of organizational policy
- Downside is it has to be replaced to be upgraded usually.
- Access Control and Identity Management Domain Update
- AAA services: often use RADIUS / TACACS (+) / LDAP servers
- Authentication Review: is identification and authenticating a peer or a device.
- Authorization Review: is what you can do, what protocols, actions, services can you take ONCE you are authenticated.
- Accounting: is when did you start, finish and for how long. Used for billing, auditing and reporting.
- 802.1x is port based authorization and allows you to authenticate devices like a nic on a laptop
- Cryptography Domain Update
- Additional Cryptosystems
- RIPEMD: the 160 bit version is the most widely used
- RACE Integrity Primitives Evaluation Message Digest
- Message Digest provides Authenticity and Integrity because it comes from a shared secret key and the matching hash guarantees Integrity.
- Avalanche effect: if a single bit is different, the result is hugely different.
- RIPEMD - 160 is European Message Digest Crypto Hash
- 128-256-320 bit version also exist
- Developed in open academic community - no patents
- Closest alternative is SHA-1 but is slightly faster than SHA-1
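
The avalanche effect and the shared-secret point above (and the HMAC note under Hardware Based Encryption), as an added example that is not part of the original notes: it measures how many digest bits change per flipped input bit, then shows that a plain digest can be recomputed by whoever alters the message while a keyed HMAC cannot. SHA-256 is swapped in for RIPEMD-160 because Python's hashlib does not guarantee RIPEMD-160 is available; the message and key are constructed sample values.

```python
import hashlib
import hmac

MESSAGE = b"transfer 100 to account 12345678"   # constructed sample message
ALTERED = b"transfer 900 to account 12345678"   # same message, one byte changed
KEY = b"constructed-shared-secret"              # constructed sample key


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def bit_difference(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(message: bytes) -> float:
    """Average share of digest bits that change over every single-bit flip."""
    base = hashlib.sha256(message).digest()
    input_bits = len(message) * 8
    changed = sum(
        bit_difference(base, hashlib.sha256(flip_bit(message, i)).digest())
        for i in range(input_bits)
    )
    return changed / (input_bits * len(base) * 8)


def plain_tag(message: bytes) -> str:
    """Unkeyed digest: detects accidental change only."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC: only holders of the shared secret can produce a matching tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def run_demo() -> dict:
    """Compare what a receiver concludes with a plain digest and with an HMAC."""
    original_keyed = keyed_tag(KEY, MESSAGE)
    return {
        # Whoever alters the message can also recompute an unkeyed digest.
        "plain_digest_accepts_altered": plain_tag(ALTERED) == plain_tag(ALTERED),
        "plain_digest_detects_stale_tag": plain_tag(ALTERED) != plain_tag(MESSAGE),
        # Without the key, the best available tags are the old one or a guess.
        "hmac_accepts_original": verify_keyed(KEY, MESSAGE, original_keyed),
        "hmac_accepts_altered_with_old_tag": verify_keyed(KEY, ALTERED, original_keyed),
        "hmac_accepts_altered_with_wrong_key": verify_keyed(
            KEY, ALTERED, keyed_tag(b"wrong-key", ALTERED)),
    }


if __name__ == "__main__":
    print(f"avalanche fraction: {avalanche_fraction(MESSAGE):.3f}")
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
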
- PGP/GPG: Nice way for users to secure email and files over untrusted internet. Early version was from Philip Zimmermann in 1991. Some versions are free. GPG is the new open source version. Uses public keys and private keys. Each user has one of each. Typically the public key encrypts the message and the private key decrypts it. PGP adds a trusted introduction concept where a User can provide an introduction to another user to establish a trust relationship to exchange public keys. PGP can be used in a PKI for more sophisticated uses.
- GPG, an infrastructure like IPSEC and PKI
- Free version of OPEN PGP Standard RFC 4880
- Encrypt & Digitally sign data and communication and messages
- Versatile Key management - S/MIME Support
- Can replace PGP; more functionality and is enhanced.
- Decrypts / Verifies PGP 5,6 & 7
- Multi Algorithm and Multi Language like ElGamal, (uses DSA & RSA for key pair generation), for symmetric encryption it can use AES, 3DES, Blowfish, TwoFish, CAST5. For hashing and integrity it can use MD5, SHA-1, RIPEMD 160 and TIGER
- Check out gnupg.org
- Is extensible to add new modules
- Supports many languages besides english
- Whole Disk Encryption
- There are many disk encryption products that encrypt the entire hard disk or volume
- Bit Locker, Drive Sentry, File Vault, PGPDisk, SafeGuard, TrueCrypt, Kryptos, SecuBox and many others
- Protects all data in storage like confidential information like Sarbanes Oxley and HIPAA, customer data and partner data.
- They can encrypt user data files, swap files (memory files), system files, hidden files.
- Uses Variety of Cryptosystems
- Most often automated key management, recovery, Multi-platform support, rapid deployment, Defense-In-Depth
- TwoFish
- Free, unpatented, open source, no copyright
- Heavily crypto-analyzed
- Highly Efficient, runs fast, works on smart cards, smart tokens and hardware
- is a Block cipher
- Created by Bruce Schneier
- 128 bit block cipher, keys of 128, 192, 256
- SSL/TLS Operations
- used in browsers, web based protected access to devices
- gives endpoint authentication for client and server, can authenticate the server to the client and vice versa
- gives data encryption, data authentication, and data integrity.
- creates a TLS tunnel for protection of application data and / or UDP flows or TCP connections
- Session establishment phase where you negotiate parameters and do peer authentication. Use RSA or DH as the key exchange method. One way or two way authentication
- Data transfer phase that offers a protected path between the client and server. Both phases occur in the SSL/TLS record protocol.
- PKI Advanced Topics
- Revocation Methods: CRL, OCSP, AAA identifies certificates that are not valid
- Connect Users with Mapping. Apply a policy based on contents of a user's certificate
- AAA servers for per-user settings
- Review of Acronyms