Welcome to the CompTIA Security+ Sy0-401 exam study notes. This is quite the wall of text so a fair warning if you're allergic to large amounts of words.

As much as I wanted to throw in images and videos, it just made this article load too slow.

The information in this guide is organized in structure and in similar content to Darril Gibson's book, CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. Between his book, his website, and Wikipedia, you'll have what you need to pass.

When I passed this exam a little while ago (again), I mentioned I used his book and I also viewed Professor Messer's YouTube videos. Professor Messer's videos were great to see hands-on application of the tools and concepts mentioned.

Again, I did not order this guide by the Sy0-401 exam objectives. This study guide is based on Darril Gibson's book. I used a bit of my words, Darril's structure (including a few Simpsons references he makes), Wikipedia, and a few other publicly available study guides to format this guide.

Hopefully the result is more readable than the huge amount of notes I took in my Evernote on the subject.

CompTIA Security+ Get Certified Get Ahead Book Notes

Know going into this that you won't retain all industry knowledge at all times. I'll happily admit I don't have this entire page of notes memorized. What's more important is taking notes and knowing where to look when you need to recall something or fix an issue.

Treat these notes as a review. You should be shaking your head yes as you go through these notes. Learn and retain as many of the concepts as possible. There's no shortcut to being an IT pro. Put in the work and do great.

Let me know how you do. Good luck!

Table of Contents

  1. Security Basics
  2. Network Security
  3. Advanced Network Security
  4. Securing Hosts and Data
  5. Malware and Social Engineering
  6. Identifying Advanced Attacks
  7. Managing Risk
  8. Preparing for Business Continuity
  9. Understanding Cryptography
  10. Exploring Security Policies
  11. Review Those Ports

Security Basics

Confidentiality (CIA)

  • Encryption
  • Access Controls
    • Identification (user)
    • Authentication (password)
    • Authorization (permissions)
  • Steganography
    • Hidden messages in plain sight (hidden within files or photos)

Integrity (CIA)

  • Data hasn't been tampered with
  • Hashing
    • Creating a derivative code through an algorithm
    • Hashes will change when data is changed
  • Digital Signatures, Certificates, and Non-Repudiation
    • Unique digital signatures allow verification of senders
    • Those who receive messages digitally signed know the sender sent it and hold the sender accountable
    • Other forms of Non-Repudiation include user tracking
    • PKI – Public Key Infrastructure
      • Enables signatures and certificates to function by maintaining encryption keys and certificate management

Availability (CIA)

  • Redundancy and fault tolerance set to ensure that data is retrievable when it's needed
  • SPoF (Single Point of Failure)
    • One failure area that can cause the whole system to go down
  • Disk Redundancy
    • RAID 1, 5, 6, 01, 10
  • Server Redundancy
    • Clustering, fail over to redundant servers
    • Virtualization
  • Load Balancing
    • Multiple servers supporting a service so one doesn’t get overloaded
  • Site Redundancies
    • If a fire or flood takes out one location, another backs it up
      • Hot Site: ready and available 24/7, most expensive
      • Cold Site: location where equipment, data, and personnel can be moved when needed, least expensive
      • Warm Site: mix between hot and cold site
  • Backups
    • Data stored in multiple locations
  • Alternate Power
    • UPS and power generators
  • Cooling Systems
    • HVAC
  • Patching
    • Updates and security fixes

Safety

  • Safety of People
    • Emergency escape plans, drills, and training
    • Secure facilities will fail open in case of emergency to ensure human safety
  • Safety of Assets
    • Physical security measures like locks, lighting, fencing, CCTV, and more

Layered Security/Defense

  • No single approach is enough (defense in depth)
  • Every step, layer, and phase needs its own security protocols
  • Smart card including readable ID info for secure environments
    • CAC (Common Access Card)
    • PIV (Personal Identity Verification)
  • HOTP (HMAC-based One-Time Password)
    • An example of a rolling key-based password like the ones used in tokens
    • HOTP passwords are usable once
    • Open-source and affordable systems
    • TOTP (Time-based HOTP)
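
An added example (not from the original notes or the book) showing how a HOTP code is derived from a shared secret and a counter, how TOTP swaps the counter for a time step, and why a code is usable only once on the server side. The `HotpVerifier` class and its look-ahead window are illustrative assumptions; the secret is the published RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

# Test secret from RFC 4226 Appendix D (never use a published secret in production).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Hypothetical server side: each code is accepted once, then burned."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # this counter and all earlier ones are dead
                return True
        return False


if __name__ == "__main__":
    server = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)
    print("first code:", first)
    print("accepted:", server.verify(first))
    print("replayed:", server.verify(first))
    print("TOTP at t=59s:", totp(SECRET, 59))
```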

Authentication Services

  • Kerberos
    • Functions on Unix and Windows Active Directory domains
    • Prevents MitM attacks through use of mutual authentication
    • Uses tickets to prevent repeat incidents
    • Requirements
      • KDC (Key Distribution Center)
      • TGT (Ticket Granting Tickets)
        • Certificates are packaged within digital authentication tickets or tokens
      • Time-Stamping and Synchronization
        • Tickets are only valid for a certain amount of time, so systems must be within 5 minutes of each other
        • Time-outs prevent replay attacks (intercepted authentication data so third party can connect)
    • Uses Symmetric Key Cryptography
      • One key encrypts and decrypts
  • Asymmetric Encryption Key
    • Utilizes two keys: a public encryption key (hosted by PKI) and a private decryption key
  • LDAP and Secure LDAP (Lightweight Directory Access Protocol)
    • Specifies formats and methods to query a directory of objects (users, computers, and directory objects)
    • Microsoft Active Directory
    • Enables a single location to interact with all resources on a directory
    • Secure LDAP
      • Uses TLS (Transport Layer Security) session to encrypt data
      • Secure LDAP v2 used SSL encryption
      • Secure LDAP v3 uses TLS encryption
  • SSO (Single Sign On)
    • Feature enabled in both Kerberos and LDAP
    • User signs into the network once and receives a token which can sign them into all necessary systems
    • Federations
      • Enables two non-homogenous networks to coordinate permissions for users
      • User holds credentials on both networks, but signs into the federation (treats them as a single account)
    • SAML (Security Assertion Markup Language)
      • XML based
      • Allows websites to enable federation-like trust privileges so that users can access resources on both
      • Principal: user
      • Identity Provider: identity management utility
        • Contains IDs and passwords
      • Service Provider: serves principals
        • Redirecting to different hosts or domains
  • RAS (Remote Access Service) authentication
    • Accessed via dial-up or VPN
    • PAP (Password Authentication Protocol)
      • Cleartext, insecure, single authentication
      • Utilizes PPP (Point-to-Point Protocol)
        • Uses cleartext since wiretapping dial-up wasn't a legitimate risk at the time
    • CHAP (Challenge Handshake Authentication Protocol)
      • Server challenges client, can happen multiple times a session
      • More difficult to crack because of a hashed code at the start of session
    • MS-CHAP
      • Microsoft's CHAP
    • MS-CHAP v2
      • CHAP + mutual authentication
    • RADIUS (Remote Authentication Dial-in User Service)
      • Centralized method of authentication for multiple remote servers
      • Encrypts password, but not the whole authentication process
      • Uses UDP for best effort connection
    • Diameter
      • RADIUS but uses EAP for better encryption
      • Uses TCP for guaranteed connections
    • XTACACS (Extended Terminal Access Controller Access Control System)
      • Cisco proprietary TACACS improvement
      • Outdated
    • TACACS+
      • Cisco proprietary alternative to RADIUS
      • Interoperable with Kerberos
      • Works on a wide host of environments
      • Encrypts full authentication
      • Uses TCP for guaranteed connections
      • Also used to secure network devices like routers by corporations
    • AAA Protocols
      • Authentication
        • Proves identity
      • Authorization
        • Level of access
      • Accounting
        • Tracks actions
      • RADIUS and TACACS+ are AAA protocols
      • Kerberos is considered one but it does not have accounting

Control Implementation Methods

  • Technical controls: uses technology
  • Management controls: uses administrative or management methods
  • Operational controls: uses people in day-to-day operations

Technical Controls

  • Technology installed by an administrator that automatically provides protection and reduces vulnerabilities
  • Encryption
  • Antivirus Software
  • IDSs (Intrusion Detection Systems)
    • Monitors a host and reports on intrusions
  • Firewalls
    • Restrict I/O traffic to a server or host
  • Least Privilege
    • Only allows each user the minimum privileges they need to do their work
    • Limits risk if something goes wrong
  • Motion detectors, fire suppression systems, and other devices that help provide additional protection and safety are also technical controls

Management Controls

  • Also known as administrative controls
  • Uses planning and assessment to reduce risk
  • Risk Assessment
    • Quantitative Assessment
      • Uses cost and asset values to determine the amount for protection
    • Qualitative Assessment
      • Categorizes risks based on probability and impact
  • Vulnerability Assessment
    • Used to discover current vulnerabilities and weaknesses to help prioritize the implementation of additional controls
  • Penetration Tests
    • Actual commissioned attempts to exploit vulnerabilities
    • Determines hackability and actual effects of compromise

Operational Controls

  • People driven practices in compliance with an overall security plan
  • Awareness and Training
    • Prevention and behavior change
  • Configuration and Change Management
    • Ensures that each system starts in a baseline of security and that changes do not invalidate security features
  • Contingency Planning
    • Reduces overall impact if something goes wrong by having prepared responses
  • Media Protection
  • Physical and Environmental Protection
    • Cameras, door locks, HVAC systems, and more

NIST (National Institute of Standards and Technology)

  • Hosts the ITL (Information Technology Lab)
  • SP 800 (Special Publication 800) documents are security standards that many IT professionals and certifications reference directly

Control Goals

  • Preventative controls
    • Hardening
      • Making a system more secure than it is by default
      • Deactivating unnecessary features, creating restrictions, disabling accounts, and more
    • Security Awareness and Training
      • Ensuring users are aware of vulnerabilities and social engineering attempts
    • Security guards
      • Often will deter potential attackers
      • Can verify identities of people
    • Change Management
      • Changes aren’t made on the fly
      • They're tested and authorized for production
    • Inactive account policy
      • Disabling old or terminated accounts
  • Detective controls
    • Log Monitoring
    • Trend Analysis
      • Taking note of an increase of firewall denials and more
    • Security Audit
      • Can detect if users are using good passwords or if users have more rights than they need
    • Video Surveillance
      • CCTV
    • Motion Detector
  • Corrective controls
    • Active IDS
      • Detect attacks and modify environment to stop them
    • Backups and System Recovery
  • Deterrent controls
    • Cable Locks
    • Hardware Locks
  • Compensating controls
    • Temporary controls while waiting to implement other projects
    • Also helpful when things break or go out

Physical Security Controls

  • Perimeter
  • Building
  • Secure Work Areas
  • Server and Network Rooms
  • Hardware

Doors

  • Have fewer points of entry
  • Use different types of controls such as locks, security guards, cameras, biometrics, and laser beams
  • Cipher Locks
    • Press buttons in the right order and the door opens
  • Proximity Cards
    • You can identify people with special cards
    • Theft is high risk
  • Biometrics
    • Identification through your body parts
  • ID Badges
  • Tailgating
    • Require people to use their own security credentials
    • Mantraps limit the number of people that can pass through
  • Access Lists and Logs
    • Track who goes in and why
    • Tailgating is likely if someone exits a building without logging in
    • Video surveillance provides excellent proof
  • Motion detectors and fences can provide a heads up for anomalies
  • Security isn't all one sided; motion detectors can modify lighting to help save money
  • Barricades can be positioned to force vehicles and people to zigzag in, allowing more time to stop or identify someone
  • Bollards are short vertical poles that also prevent people from driving through an area
  • No Trespassing signs can be a good deterrent

Logical Access Controls

  • Least Privilege: only give users access to what they need to do their job
  • Group Policy: allows you to change a setting once and have it affect entire groups

Access Control Models

  • Subjects
    • Users or groups
  • Objects
    • Files, folders, shares, or printers
  • Role-Based Access Control (RBAC)
    • Instead of assigning permissions to users, assign permissions to specific roles, and assign roles to specific users
    • The Microsoft Project Server operates in a role fashion with four chief roles:
      • Administrators: access anything and adjust settings
      • Executives: access anything but have no control over settings
      • Project Managers: full control over data and settings within their project
      • Team Members: can only report on work that was specifically assigned to them by project managers
    • These systems can often be seen as hierarchical, as higher-level accounts have more access
    • Matrix planning documents set up tables explaining the permissions before the roles have been created to make sure they make sense and cover all possibilities
  • Rule-Based Access Control (RBAC)
    • Such as when firewalls and routers use Access Control Lists (ACL)
    • Static rules such as allow or disallow traffic on a specific port
    • Dynamic rules
      • When an IDS adjusts rules to block specific traffic
      • When Marge has more permissions when Homer is absent
  • Discretionary Access Control (DAC)
    • Every file/folder has an owner who sets permissions
    • NTFS is known for this
      • Every NTFS object has a DACL (Discretionary ACL) which notes the SID (Security ID) of users
      • DACL is filled with Access Control Entries (ACE) which contain an SID and associated permissions
    • Trojan risk: if you install malware with Admin privileges, that malware can continue to operate with those same privileges
  • Mandatory Access Control (MAC)
    • Operates under the principle of least privilege
    • Both users and objects have sensitivity labels
    • A user can access a specific file only if they have an equal or greater label AND the appropriate need to know
    • In high security situations multiple levels of checks are enabled before deciding a user has a need to know in any given matter
    • This system is slow and inflexible, but very secure

Network Security

Protocols

Basic Connectivity Protocols

  • TCP – session-oriented communication with handshakes
  • UDP – best effort communication
  • IP – host identification
  • ICMP – basic connectivity
    • Examples: traceroute, ping
    • Can cause DoS vulnerabilities
  • ARP – IPv4 to MAC address
    • ARP poisoning gives false updates to redirect or interrupt traffic
  • NDP (Neighbor Discovery Protocol)
    • IPv6 protocol similar to ARP
    • Also identifies default gateway and performs other autoconfiguration efforts

Encryption Protocols

  • SSH – encrypts SCP (Secure Copy) and SFTP (Secure File Transfer Protocol) among a wide variety of others
    • SSH can also encrypt TCP Wrappers, a type of access control list on Unix systems
    • Uses port 22
  • SCP – based on SSH and copies encrypted files over a network
  • SSL (Secure Socket Layer)
    • Secures HTTP into HTTPS with the use of certificates
    • Can also secure SMTP and LDAP
    • TCP 443 for HTTPS
    • TCP 465 for SMTPS
    • TCP 636 for LDAP with SSL
  • TLS (Transport Layer Security)
    • Designated replacement for SSL
    • Same ports as SSL
  • IPsec
    • Encrypt IP traffic
    • Native to IPv6 but works on IPv4
    • Encapsulates and encrypts packets and then uses tunnels to protect VPN traffic
    • Authentication Header (AH): protocol ID number 51
    • Encapsulating Security Payload (ESP): protocol ID number 50
    • Uses Internet Key Exchange (IKE): UDP 500 for VPN security

Application Protocols

  • HTTP
    • Port 80
  • HTTPS
    • Port 443
  • FTP
    • Port 21 for connection
    • Port 20 for data
  • SFTP (Secure File Transfer Protocol)
    • Port 22 for data because it uses SSH
  • FTPS (File Transfer Protocol Secure)
    • Like SFTP but uses SSL or TLS
    • Ports 989 or 990
  • TFTP (Trivial File Transfer Protocol)
    • UDP port 69
  • Telnet – Outdated CLI based remote connection protocol
    • Sometimes still used to connect to routers
    • Cleartext, insecure
    • Port 23
    • PuTTY operates similarly to telnet but includes SSH
  • SNMP (Simple Network Management Protocol)
    • Monitors and manages network devices like routers and switches
    • Sends requests to SNMP agents on devices on UDP 161
    • Receives info back from agents on UDP 162
  • NetBIOS
    • Allows for basic LAN identification and sessions
    • UDP Ports 137 and 138
    • TCP Port 139, and rarely 137
  • LDAP
    • Communicates with directories like Microsoft Active Directory and Novell Network Directory Services (NDS)
    • Provides a single location for object management
    • TCP Port 389
    • When encrypted with TLS or SSL, Port 636
  • Kerberos – Authenticates in Windows domains and some Unix environments
    • Uses KDC (Key Distribution Center) to issue timestamped tickets
    • UDP Port 88
  • Microsoft SQL Server
    • SQL server hosts databases that web servers and applications use
    • Port 1433
  • RDP (Remote Desktop Protocol)
    • Connect to systems from remote locations
    • Used in Remote Desktop Services and Remote Assistance
    • TCP or UDP Port 3389

E-mail Protocols

  • SMTP
    • Transfers email between client and SMTP server
    • TCP port 25
    • Secure SMTP with SSL or TLS uses Port 465
  • POP3
    • Transfers emails from servers to clients
    • TCP Port 110
    • Secure POP3 with SSL or TLS uses TCP Port 995
  • IMAP4
    • Stores email on a server
    • Allows user to organize and manage email in folders on server
    • TCP Port 143
    • Secure IMAP4 with SSL or TLS uses TCP Port 993

DNS Info

  • DNS uses UDP 53 for URL queries
  • DNS uses TCP 53 for zone transfers (name servers exchange updated records)
  • DNS uses BIND (Berkeley Internet Name Domain) software on Unix/Linux servers

Ports

  • IANA (Internet Assigned Numbers Authority) maintains a list of official port assignments
  • Ports are default routes that different protocols use for data
    • Administrators can block certain protocol interactions by closing or opening ports
  • 65,535 UDP and TCP ports
  • Well-Known Ports 0-1023
  • Registered Ports 1024-49151
    • Can be registered by single companies for proprietary use or by multiple companies to establish a standard
  • Dynamic and Private Ports: 49,151-65,535
    • Any application can use these and they can be temporarily mapped
  • Most attacks are on well-known ports
  • Port scanners check what ports are open and then know which data can be tampered with
  • Protocol IDs are not to be confused with ports
  • You can allow or block traffic by the protocol ID, but the ID does not match up with ports

Basic Network Security

  • Switches are more secure than hubs because they limit where traffic is sent and received
    • Essentially able to disable sniffers
  • Switches can be affected by loops
    • When a cable is connected between two ports and data is unicast looped through the connection
    • STP (Spanning Tree Protocol) and RSTP trivialize this risk
  • Switches can also group several computers into a VLAN
    • Helps isolate network traffic
    • Allows people who are not in the same physical proximity to work together securely
  • Physical ports that are not being used can also be disabled on the switch
  • MAC address filtering can also accomplish this
    • Port only accepts specified MAC addresses for connections
  • 802.1x is much better security than MAC address filtering or physical port disabling
    • Works as RADIUS or Diameter user
    • Requires authentication to connect
    • Can customize features
      • Example: allowing non-authenticated users internet access but not to local data

Routers

  • Routers don’t pass broadcasts
    • Segments separated by routers are broadcast domains
  • Routers allow the use of ACLs (just like firewalls) to identify allowed traffic
    • This filtering can be for IP addresses, ports, protocols
    • This means you can block traffic from specific computers or network segments
    • Implicit Deny is pretty important for security
      • Anything not specifically allowed is denied
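
An added example (not from the original notes) of how a router or firewall walks an ACL top-down and falls through to implicit deny. It goes slightly beyond the notes by also flagging rules that an earlier rule makes unreachable. The `Rule` class, the addresses (documentation ranges) and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp", "udp" or "any"
    source: str                 # source network in CIDR form
    dest: str                   # destination network in CIDR form
    port: Optional[int] = None  # destination port, None means any port

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        return (self.protocol in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dest)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (self.protocol in ("any", other.protocol)
                and ipaddress.ip_network(other.source).subnet_of(
                    ipaddress.ip_network(self.source))
                and ipaddress.ip_network(other.dest).subnet_of(
                    ipaddress.ip_network(self.dest))
                and self.port in (None, other.port))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; traffic that matches nothing is denied."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(proto, src, dst, port):
            return rule.action, f"rule {number}"
    return "deny", "implicit deny"


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Return (rule, earlier_rule) pairs where the later rule can never match."""
    found = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            if earlier.covers(later):
                found.append((j + 1, i + 1))
                break
    return found


# Constructed rule set: block one host, then allow only the wanted services.
ACL = [
    Rule("deny", "any", "203.0.113.66/32", "0.0.0.0/0"),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),
    Rule("permit", "udp", "198.51.100.0/24", "192.0.2.53/32", 53),
    Rule("permit", "tcp", "203.0.113.66/32", "192.0.2.10/32", 443),  # never reached
]

if __name__ == "__main__":
    for packet in [("tcp", "198.51.100.7", "192.0.2.10", 443),
                   ("tcp", "203.0.113.66", "192.0.2.10", 443),
                   ("tcp", "198.51.100.7", "192.0.2.10", 23)]:
        print(packet, "->", evaluate(ACL, *packet))
    print("shadowed:", shadowed_rules(ACL))
```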

Firewalls

  • Similar ACL based security features as routers
  • Advanced firewalls that fall under Unified Threat Management can do more than simple packet filtering
  • Host Based Firewalls operate for a single host and can prevent invasions and exploitation through a NIC
    • These are essential when using public WiFi
  • Network Based Firewalls
    • Controls traffic going in and out of larger network segments
    • Best between internal network and internet
    • Usually a dedicated system with monitoring, filtering, and logging
    • Sidewinder is a dedicated server with proprietary firewall software
  • Rules
    • Similar to a router's ACL
    • Permit/Allow or Deny
      • Protocol ID/Port
      • Source
      • Destination
    • Start with implicit deny and allow wanted traffic
  • Web Application Firewall (WAF)
    • Specifically protects web apps hosted on a server
    • Blocks traffic such as NOOP sleds and NOOP ramps
    • Detects malicious code sent to web server
  • Advanced Firewalls
    • First Gen – packet filtering rules, stateless (works only according to ACL)
    • Second Gen – stateful inspection (tracks sessions and inspects traffic based on session status)
    • Third Gen – application Level firewalls
      • Aware of specific commands used in apps or protocol
      • WAF are third gen that inspect HTTP
    • Next Gen – closer to UTM and frequently adding new features
  • Firewall Logs and Analysis
    • Log all allowed traffic, all blocked traffic, or both
    • Scripts and apps make it easier to review logs
    • IDS use firewall logs to identify intrusions
      • Example: a port scan attack will query lots of well known logical ports
      • If logs are enabled, this is visible and can be used to prevent further attacks
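
An added example (not from the original notes) of the log review described above: it flags any source that touches many distinct well-known ports on one destination inside a short window. The log line format, the threshold, the window and all addresses are constructed for illustration and do not match any particular firewall product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format:
# 2024-05-01T10:00:01Z DENY TCP 203.0.113.50:51000 -> 192.0.2.10:22
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Return (timestamp, action, src, dst, dst_port) or None for junk lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FORMAT), m["action"],
            m["src"], m["dst"], int(m["dport"]))


def find_port_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Map (src, dst) -> sorted ports for sources that hit at least
    `threshold` distinct well-known ports (0-1023) within `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[4] <= 1023:
            ts, _action, src, dst, port = rec
            events[(src, dst)].append((ts, port))

    findings = {}
    for key, hits in events.items():
        hits.sort()
        in_window = defaultdict(int)  # port -> hits currently inside the window
        start = 0
        for ts, port in hits:
            in_window[port] += 1
            while ts - hits[start][0] > window:  # slide the window forward
                old_port = hits[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= threshold:
                findings[key] = sorted(in_window)
                break
    return findings


def sample_log():
    """Constructed log: one fast scanner, one normal client, one slow prober."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    ports = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 993]

    def row(offset, action, src, dport):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f"{ts} {action} TCP {src}:51000 -> 192.0.2.10:{dport}"

    lines = [row(i, "DENY", "203.0.113.50", p) for i, p in enumerate(ports)]
    lines += [row(i * 2, "ALLOW", "198.51.100.7", 443) for i in range(20)]
    lines += [row(i * 300, "DENY", "198.51.100.99", p) for i, p in enumerate(ports)]
    lines.append("garbled line that the parser should skip")
    return lines


if __name__ == "__main__":
    for (src, dst), hit_ports in find_port_scans(sample_log()).items():
        print(f"possible port scan: {src} -> {dst} ports {hit_ports}")
```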

Protecting the Network Perimeter

  • DMZ
    • A section of the network available to external hosts
    • Segmented and secured so that it does not allow direct access to internal systems
    • Mail servers are often in the DMZ but surrounded by firewalls on both sides
    • Servers within the DMZ can communicate with internal hosts/servers in order to relay information while remaining secure
    • Requires special permissions with the second firewall
  • NAT and PAT
  • Proxies
    • Can cache content for easier access or restrict content with advanced filtering
    • Exists on the far edge of the intranet
    • Filters HTTP and HTTPS, though it's capable of also filtering protocols like FTP
    • Filtering is typically through URL filtering, which blocks specific websites
      • Many services sell lists of URLs that fit under certain categories a company may want to block
    • Proxy servers also watch and log everything
  • Unified Threat Management
    • All-in-one tools with antivirus, URL filtering, and more
    • Web Security Gateway
      • Blocks malware in email or web pages and spam
      • Often include firewall capabilities
      • Their golden tool is content filtering, where they analyze all packets for malicious code
      • Cisco has a WSA (Web Security Appliance) product
        • Includes Data Loss Prevention which means it scans outgoing data for confidential information as well
    • UTM Security Appliance
      • All-in-one UTM
      • URL Filtering
      • Malware Inspection
      • Content Inspection
    • Very little difference between the two, and most are just referred to as UTM

Advanced Network Security

  • IDS (Intrusion Detection Systems) & IPS
    • Detect and notify, though some active IDS can take steps to block attacks
    • Either detect predefined attack signatures or note anomalous behavior
      • First establishes a baseline of normal operation and notes when it changes
      • Good at detecting zero-day issues that haven’t been identified yet
      • Needs regular updating of baseline after system or network changes to keep accuracy
    • HIDS – Host Based
      • Installed on individual servers or workstations
      • Primarily monitors traffic through NIC
      • Many now also monitor application activity on a system
      • HIDS can identify malware that some antivirus would miss
        • Many organizations install a HIDS and antivirus on every workstation (sometimes it's software with multiple functions)
    • NIDS – Network Based
      • Installed on network devices like routers or firewalls
      • Installed on network devices but report to central monitoring server with a NIDS console
      • NIDS don’t usually detect anomalies on individual hosts and cannot decrypt data
      • Mostly analyze larger network trends and plaintext transmissions
      • You can place NIDS sensors at different points in a network configuration to detect different kinds of issues
        • What attempts are made and what attempts get through the firewall
    • Passive IDS logs an alert and may notify personnel
    • Active IDS logs and notifies personnel, but also changes the rules of the environment accordingly
    • An IPS is always placed in-line with traffic so it can prevent attacks
    • IDS and IPS sniff packets for info gathering
      • Physical sniffing requires being plugged in
      • Wireless sniffing can intercept over the air
    • SYN Flood Attack
      • DoS attack
      • Repeatedly sends the initial SYN packet in a handshake, but never sends the final ACK
      • All of these incomplete sessions drain resources until the server crashes or the server begins denying legitimate connections
      • IDS and IPS can detect these attacks and many firewalls include a flood guard that will detect the attacks and close the open sessions
  • Honeypots
    • Basic security setup used to observe attackers
    • Typically filled with bogus data and fake transactions
    • Two Goals: distract and analyze
    • Honeynet
      • Virtualized servers that work like a live network
      • Even more appealing and distracting
      • Provides more time to assess attackers
  • Don’t Counterattack
    • Attackers have more time than you and possibly more skill than you
    • You also run the risk of attacking a fellow victim instead of the attacker
  • Using Multiple NIPS
    • You can put NIPS 1 between the internet and the local web/mail servers
    • Secondary NIPS goes between those servers and the internal private network
    • This means that if malware sneaks past the first wall, it can’t launch attacks directly at everything
    • Advanced Persistent Threats (APTs)
    • RATs (Remote Access Tools)

Securing WLAN

Wireless Principles

  • Antennas
    • Isotropic
      • Theoretical perfect 360 horizontal/vertical spread
      • Most omnidirectional antennas try to emulate this
    • Dipole
      • Most common
      • 360 horizon, 75 vertically
      • Looks like a normal pencil antenna
    • Yagi
      • Dipole antenna with additional director element
    • dBi/dBd indicate the gain of the antenna based on its physical characteristics
    • dBm indicates the power level of the WAP and can be adjusted
    • Not all WAPs are routers, some just allow access to the network
    • Users want good coverage, administrators want low coverage for security
  • Security Protocols
    • WEP
    • WPA
    • WPA2 – IEEE 802.11i
      • WiFi Alliance requires all WiFi Certified devices to meet WPA2 standards
      • This includes Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
      • WPA2 has theoretically been cracked, but a 20 character complex key should work
    • Authentication with Enterprise Mode
    • TKIP and CCMP
      • Temporal Key Integrity Protocol (TKIP) was used with WPA before CCMP
      • Each packet in TKIP gets a new key, making it more secure than WEP
      • Some WPA security uses AES instead of TKIP, which is pretty secure; it can be a solution for hardware that only supports WPA
    • 802.1x is implemented as a RADIUS or Diameter server and can be used with WPA or WPA2 using enterprise mode
      • WPA/WPA2 in personal mode just uses a pre-shared key, which doesn’t authenticate
      • Enterprise mode authenticates users, who have individual signons and passkeys
      • RADIUS uses port 1812, but occasionally 1645
    • EAP
      • System to create a secure encryption key, known as PMK (Pairwise Master Key)
      • Used by both TKIP and AES-based CCMP
    • PEAP
      • Encapsulates and encrypts the EAP conversation in a TLS tunnel
      • MSCHAPv2 uses this
      • Requires certificate on server, but not on clients
    • EAP-TTLS
      • Allows older authentication methods such as PAP within a TLS tunnel
    • EAP-TLS
      • Most secure EAP standards and widely used
      • Requires certificates on the 802.1x server and each client
    • Lightweight EAP (LEAP)
      • Modified version of CHAP
      • Doesn’t require digital certificate, and less secure
    • Small device security
      • WTLS (Wireless Transport Layer Security)
      • ECC (Elliptic Curve Cryptography)
    • Captive Portals
      • Pages to sign into the network in order to use the internet
      • Mostly seen in hotels and large organizations with guest network access
    • Hotspots with Isolation Mode
      • Isolation mode prevents people from accessing or sharing data across a network
      • This is good to provide users with internet access in an unsecured fashion
    • MAC Filtering
      • Limit wireless access to specific MAC addresses
      • Attackers can spoof an allowed MAC address
  • Wireless Attacks
    • War driving
    • War biking
      • Article where a security leader went around with an unsecured hotspot to collect user data
      • In two days, 2900 people logged into it
      • He found most used unsecured wireless that he could easily impersonate
    • Disabling SSID display doesn't mean the SSID is hidden
    • WEP/WPA attacks
      • WEP uses the RC4 stream cipher and reuses encryption keys
      • IV attacks
        • The encryption key is created by combining the WEP key with an IV (Initialization Vector)
        • IV is sent to the client in plaintext
        • This IV range is limited and easily cracked
        • Packet injection (making it send more response packets) can make cracking take less than a minute
      • WPA Cracking
        1. Use a wireless sniffer to capture wireless packets
        2. Wait for client to authenticate, and steal the encrypted passphrase
        3. Use an offline brute force attack to break the encryption on that passphrase, then go back online once the passphrase is known
        4. If nobody is active on a wireless, it can’t be cracked
        5. But if someone is active, the attacker can disconnect someone and steal the encrypted passkey when they try to reconnect
      • WPS cracking
        • PIN can be guessed in ten hours
    • Rogue Access Points
      • A WAP placed by an attacker meant to look friendly
    • Evil Twin
      • A WAP meant to impersonate a friendly WAP
    • Near-Field Communication
    • Bluetooth
      • Don’t let someone connect to you while in discovery mode
      • Bluejacking: sending unsolicited messages to a device over Bluetooth
      • Bluesnarfing: data theft over Bluetooth
      • Bluebugging: taking over a device through Bluetooth to log phone conversations, forward calls, send messages, etc.

Remote Access

  • Dial-up RAS
    • Uses POTS and modems and PPP
    • Not secure if lines are tapped
  • VPN and VPN Concentrators
    • VPN Concentrators (often housed on VPN servers) provide all the tools required to run the VPN including encryption and authentication
    • VPNs allow you to run tunnels through public spheres to logically separate and secure traffic
    • IPsec and VPN
      • IPsec offers both Tunnel Mode and Transport Mode
      • Tunnel Mode is used with VPN and encapsulates the entire IP packet
      • Transport Mode only encrypts the payload and is more efficient in private networks
      • IPsec also uses ESP (Encapsulating Security Payload) to encrypt data and provide confidentiality
        • ESP uses protocol ID 50
      • IPsec uses the IKE (Internet Key Exchange) protocol over port 500
        • Between the PID and that port, there are many ways to customize ACL rules
    • L2TP is a good tunneling protocol, but does not encrypt data
      • IPsec can work in conjunction with L2TP
    • IPsec and NAT issues
      • NAT and IPsec are incompatible
      • Instead of IPsec, you can use tunneling protocols that rely on SSL or TLS
      • SSTP (Secure Socket Tunneling Protocol) encrypts VPN traffic over SSL using port 443
        • OpenVPN and OpenConnect are similar programs that use TLS
    • PPTP (Point To Point Tunneling Protocol)
      • Uses Microsoft's encryption
      • Unused today because of known vulnerabilities
      • TCP Port 1723
    • Site-to-Site VPN
      • Uses two VPN servers in different locations to form gateways
      • From user point of view it's like there's a single network
      • Can be slow
    • VPN over open wireless
      • Two easy methods to secure yourself over open wireless
      • HTTPS connections only
    • NAC (Network Access Control) is essential on VPNs
      • Admins can't control home user computers
      • Health and Control
        • When a client accesses a VPN, an authentication or health agent queries the status of that client
        • Current user antivirus definitions, OS, and status of their personal firewall
        • If the client doesn’t meet health standards, they can be put on a quarantine network including resources to upgrade the health
        • They have internet access, but cannot communicate with other devices on the network

Securing Hosts and Data

  • OS and application hardening
    • Disabling unnecessary services
      • FTP or RDP for example
      • Improves overall security
      • Reduces open port risks
      • Reduces attack surface
    • Eliminate unneeded applications
      • Base OS installations have a lot of apps that may be unnecessary or unused
      • If a major vulnerability is discovered for one of those apps you could be in unnecessary trouble
    • Disable default and unused accounts
      • Pay special attention to backdoor accounts that bypass security
    • Protect management interfaces
  • Establish baselines
    • Set up standards for all computers so it's easier to prepare them for use
    • Set up monitors that check against the baseline to ensure computers remain secure
    • Set up NAC and a quarantine server for when things go wrong
    • Security baselines
      • Might have requirements like FTP disabled, all antivirus up to date, and host-based firewall installed
      • Most organizations will have different baselines for different hosts
      • Imaging is where you configure one computer and take a snapshot of its installs and settings to copy to other computers
        • Symantec Ghost and Windows Server 2012 offer this feature
        • Could be worth taking weeks or months to develop and test the source image
        • This greatly reduces cost and time of deploying new systems and allows administrators to focus their efforts
        • You can check actual settings on live computers against the image for easy remediation
      • Group policy
        • Forces certain configuration on all devices in a group
        • Account settings
        • Password and lockout settings
        • Audit policies – logs certain events such as logon logoff or file access
        • User rights – such as remote desktop usage or power off privileges
        • System services – disable services like FTP
        • Software restrictions – what software can be installed and/or run
    • Configuration baselines
      • Printer config, app settings, TCP/IP settings, etc.
      • If something stops working, you can check against baseline to identify the issue
      • Configuration baselines must be kept up to date with new changes in policy
      • USGCB (US Gov Configuration Baseline)
        • Covers the most common security issues and is easy to deploy
        • Good for agencies with limited resources
        • These images are compatible with SCAP (Security Content Automation Protocol) which verifies security settings are preventing known vulnerabilities
    • Host software baselines
      • What software is on and allowed
      • Includes ability to scan systems
    • Application configuration
      • Settings within an application
    • Performance baseline
      • Identifies resource utilization and overall performance to check against future status
    • Trusted OS
      • Meets security guidelines, doesn’t allow things to run which shouldn’t

Virtualization

  • Virtual machines or networks running on a single physical platform
  • Hypervisor
    • Software that creates and runs the virtual machine
    • VMware, Microsoft Hyper-V, Windows Virtual PC, Oracle VM VirtualBox
  • Host
    • Physical server
    • Many processors
    • Large amounts of memory
    • Large amounts of storage
    • Scales to be smaller and cheaper than multiple physical machines
  • Guests
    • Operating systems running on the host
  • Patch compatibility
    • VMs need to be patched
    • If it works on a physical machine, it’ll work on the virtual one
  • Host availability and elasticity
    • The ability to redirect resources to the VM guest that needs it
  • Sandboxing
    • Creating an isolated testing area that does not affect the physical machine or other virtual machines
    • You can test virus, antivirus, patches, software, etc.
  • VM files
    • VHD files
      • Contains the content of Virtual Hard Disk (VHD)
    • XML files
      • Contain configuration of VM as well as snapshots
    • AVHD files
      • Differencing disks – contain the differences between current VHD and snapshots
    • VSV files
      • Similar to hibernate for VM
    • BIN files
      • Memory for systems in a save state
    • Because of VM files, it’s easy to move VM from one server to the next or to backup whole servers
  • Virtual network connectivity
    • Virtual NICs, Virtual switches, and virtual networks
    • You can configure full VLANs on VM servers to segment traffic
    • This also helps when testing malware because you can see how it will operate across a network, though some malware can detect when it's in a virtual environment and change its behavior
  • VM risks
    • VM escape
      • A very serious threat where a malware program tries to get access to the hypervisor from within the virtual machine
      • Hypervisor runs with elevated admin privileges, so gaining access to hypervisor allows it to take control of the physical system and all the virtual hosts
    • Loss of confidentiality
      • Because a VM is just files, whole systems can be fairly easy to steal
      • Encrypt!

Patches

  • Patches keep software secure
  • Auto-deployment of patches works sometimes
  • It can be a serious issue if a conflict occurs
  • Patch Tuesday is a big day when Microsoft releases patches, so Wednesdays can be dangerous
  • Also if a patch crashes a system, it can crash a thousand
  • Test patches on systems very similar to the deployed systems

Security in Static Environments

  • System examples
    • Supervisory Control and Data Acquisition Systems (SCADA)
      • Industrial control systems within power plants and water treatment facilities
      • These are typically disconnected from the internet
    • Embedded systems
      • Computing components in printers, HVAC, etc.
      • Not usually connected to the internet so unlikely attack vectors
      • Dangerous if someone figures out how to control them
      • HVAC compromise can be lethal
    • Mobile systems
      • Smart phones and the like
      • Non-static devices
    • Mainframes
      • High powered systems specific to an organization
      • Might be contained on isolated networks, but often connected to the primary network so personnel can access it
    • Game consoles
    • In-vehicle computing systems
  • Stuxnet
    • Stuxnet was a worm designed to attack a specific embedded system in an Iranian nuclear facility
    • It made all the centrifuges spin fast enough to tear themselves apart
    • Methodology:
      • Infection – hidden on a flash drive
      • Search – worm located the target systems
      • Update – downloaded updated version of the worm
      • Compromise – takes advantage of zero-day vulnerabilities
      • Control – makes the system go nuts
      • Deceive and destroy – send false data to engineers
  • Protecting static systems
    • Redundancy – make sure there are backups for failure
      • This means firewalls from different vendors, SCADA backup controls, etc.
    • Network segmentation – keeps all systems off primary network
    • Security layers – firewall, NIPS, etc.
    • Application firewalls – can identify specific commands in a protocol
      • Good for services that don’t use many protocols
    • Manual updates – only install verified updates
    • Firmware version control – keep firmware up to date
    • Wrappers – filter traffic (like TCP wrappers)
  • Securing mobile devices
    • Encryption
    • Authentication and device access control – Username/Password
    • Locator services – lost mode
    • GPS can be used to track you
    • Removable storage risks – If you don’t encrypt your data, removable storage is easily lost or stolen
    • Storage segmentation – keep low-security data separate from secure data
    • Screen locks
    • Lockout – limited password attempts or lost mode
    • Remote wiping
    • Disabling unused features
    • Asset tracking – where is the thing
    • Inventory control – RFID tracking
  • BYOD concerns
    • Device security and personally identifiable information
    • Acceptable use policy – user responsibilities in return for privileges
    • Privacy – not everything is private on company time
    • User acceptance – user must agree to the rules and the privacy restrictions
    • Data ownership – organization owns everything done internally, including exchange emails
    • Support ownership – Does IT have to support user devices?
    • Architecture and infrastructure – what access do users have?
      • What VLAN segmentation do they have?
    • Forensics – can you see in-depth what users are using?
    • Legal concerns – set policies and expectations clearly
    • On-boarding and off-boarding – employees must read BYOD policies and there must be rules for adding or removing devices
    • On-board camera/video – should there be restrictions for security?
  • Mobile device management
    • Many configuration managers like Microsoft ConfigMgr 2012 and AirWatch support mobile devices
    • Patch management
    • Antivirus management
    • Application control
    • If devices don’t meet regulations, they can't connect
    • Application security
      • Many apps have credential managers and caches
      • Many cameras have geotagging features which are also risky

Protecting Data

  • Data categories
    • Data at rest
      • Any data stored on hard drives, flash drives, backups, or mobile phones
    • Data in transit
      • Any data traveling over a network
      • Data Loss Prevention (DLP) tools analyze and detect sensitive data over a network, and you can also encrypt data using IPsec, SSH, or SFTP
    • Data in use
      • Data in temporary memory
      • Usually protected by the application using it
  • Protecting data with confidentiality
    • ENCRYPT
    • Be careful to encrypt stored data, and keep it encrypted when it's transmitted
    • Other tools besides encryption are less secure
      • Example: NTFS ACL permissions
      • If someone takes your NTFS hard-drive and puts it in another computer, they can give themselves access
    • Software based encryption
      • Slower than hardware encryption, but secure with strong algorithms
      • File-level encryption
        • Linux uses GNU Privacy Guard (GPG), which is a command line tool used to encrypt and decrypt files with a password
        • NTFS includes Encrypting File System (EFS) in Windows Explorer
        • File/folder encryption allows you to add one more layer of security, even against Admin privileges
          • One risk to this is that if you copy to a file system that doesn’t support NTFS encryption, it may decrypt the files before copying
      • Full disk encryption
        • TrueCrypt is available to do this on Linux and many OS
        • Requires a password and encrypts and decrypts drive on the fly
      • Encrypting database content
        • Oracle and Microsoft SQL and others allow you to encrypt specific elements, or the entire database
        • Encrypting specific fields saves processing power
    • Hardware based encryption
      • You can use a Trusted Platform Module (TPM) or other hardware security module for higher performance encryption
      • TPM
        • Chip in motherboard
        • Full disk encryption
        • Performs platform authentication (ensures drive not moved)
        • Includes 3 keys:
          • Endorsement key (burned into chip)
          • Endorsement key is Rivest, Shamir, Adleman (RSA)
          • Storage root key generates and protects other keys
            • Application keys – derived from storage root key
        • To activate the TPM, you often use an application like Bitlocker
        • Without access to the TPM chip and authenticated credentials, the data remains secure
      • Hardware Security Module (HSM)
        • A security device that can be added to a machine to manage, generate, and securely store keys
        • High-performance HSMs are connected to a network with TCP/IP
        • Smaller HSMs are expansion cards plugged into a server
        • An HSM performs very similarly to a TPM, but it is removable
  • Data leakage
    • Data exfiltration – when data is transferred outside of an organization
    • Data Loss Prevention (DLP)
      • Examines data looking for unauthorized leaks
      • Can examine stored data, moving data, and data in use
      • Data in motion
        • UTM devices include DLP to scan emails and files
        • A lot of data is labeled as classified, confidential, private, and sensitive
        • Once data is labelled, it can be inspected in transit and blocked if necessary
      • Endpoint protection
        • Can include preventing flash drive usage or printing

Understanding SANs

  • Might include Hard drives, disks, tape, and optical media
  • Often configured in fault-tolerant arrays for high-performance
  • Robotic devices often assist in loading and unloading optical jukeboxes or tape libraries
  • SANs often rely on high speed internal transfers
  • Virtual SANs are a newer tech
  • Fiber channel
    • Speeds of up to 16 gigabits per second
    • Require special hardware and cabling
    • Expensive, but efficient
    • Some support copper, not just fiber
  • iSCSI (Internet Small Computer System Interface)
    • Transfers SCSI commands over IP
    • Use existing network infrastructure
    • Allows SAN without specialized hardware
  • FCoE (Fiber Channel over Ethernet)
    • Uses FC commands, but transmits them over ethernet networks
    • FCoE encapsulates the commands within standard protocols
    • Allows ethernet LAN to act like Fiber Channel without the cost
  • Handling big data
    • Data sets that are too large for traditional tools to analyze, so they are hoarded and stored indefinitely
    • Use many of the same tools, plus some special ones

Understanding Cloud Computing

  • Amazon’s Elastic Compute Cloud (EC2) service provides elastic, on-demand servers to companies with variable traffic demands
  • Software as a Service (SaaS)
    • Gmail, GDocs, etc.
    • Management as a Service (MaaS)
      • Third party helps run IT resources, monitoring logs, etc.
    • Multi-tenancy architecture
      • Like running multiple tabs in a web browser
      • One application instance for multiple users
    • Single tenancy architecture
      • Individual app instance for each user
  • Platform as a Service (PaaS)
    • Preconfigured computing platform for customers
    • Also known as Managed Hardware Solution
    • Buying servers as web hosts
    • Can include OS, antivirus, spam protection, security, etc.
      • Often includes up-to-date patches
    • You can manage the software you need for your uses and let the rest of the server be handled by the company
  • Infrastructure as a Service (IaaS)
    • The IaaS provider owns the equipment, the data center, and performs hardware maintenance, but the customer rents access to the equipment's functionality
    • Also known as Self-Managed Solution
    • Customer must configure the OS, software, etc.
    • This means less hardware per company, so saves money on equipment, power, HVAC, and personnel
  • Public vs private cloud
    • Public is like Box Sync or Google Drive
    • Private is specific for a corporation
    • Hybrid clouds are another option
  • Cloud computing risks
    • You lose physical control of the data
    • You don’t always know where the data is
    • You don’t control the security for your data and cloud employees can be thieves themselves
    • Only data you should put on cloud storage is data you’re willing to give away

Malware and Social Engineering

Types of Malware

  • Viruses
    • Attached to host application which must be run to activate virus
    • Tries to infect other applications
    • May delete files, cause reboots, join computer to a botnet, or allow backdoors
    • Armored virus
      • The first step to dissecting a virus is to decompile it
      • Armored viruses make this difficult
      • Complex code
        • It’s unclear what the virus is trying to do because it runs so many weird loops
      • Encryption
        • Some compilers encrypt the code with the virus
      • Hiding
        • Some viruses confuse the AV as to where they’re really located
  • Polymorphic malware
    • Virus that changes as it executes, sometimes into thousands of forms
    • Hard to detect, especially if its encryption changes
  • Worm
    • Self-replicating malware that travels without a host
    • Resides in memory and can ride transport protocols
    • Can replicate hundreds of times, draining network bandwidth
  • Logic bomb
    • Script that activates in response to an event like a date or a program launch
  • Backdoor
    • Trojans commonly cause these
    • Provides another way to access a system
  • Trojans
    • Fake software
    • Drive-By Downloads
      • Attackers take over a website
      • Install a trojan into the website’s code
      • Attackers trick users into visiting the site
      • Website tries to download the code
    • Fake antivirus is called RogueWare
      • Runs a fake scan, and offers to fix fake issues for money
  • Botnet
    • Computers in a botnet are called zombies
    • Bot herders manage these zombies to use their processing power and anonymity
  • Ransomware
    • Pay to get your computer back or clean
  • Rootkit
    • Stealthy software
    • Modify system processes and the registry, as well as system access files
    • Prevents antivirus from making calls to the OS that would detect it
      • Antivirus can scan memory to discover this
    • Safe mode helps get around this, but not always
  • Spyware
    • Monitors stuff
    • Changing a user’s home page, redirecting web browsers, installing software
    • Privacy invasive software
      • Tries to get the good data to drain your bank and steal your identity
    • Keyloggers
  • Adware
    • Learns a user's habits for ad targeting
    • Pop-ups

Recognizing Common Attacks

  • Social engineering
    • Using social tactics to trick users into doing something unusual or revealing info
      • Flattering and conning
      • Assuming a position of authority
      • Encouraging someone to perform a risky action
      • Encouraging someone to reveal sensitive information
      • Impersonating someone
      • Tailgating without credentials
  • Shoulder surfing
    • Position desk away from hallways and doors
    • Use privacy screens
  • Hoaxes
    • Trick people into downloading programs
    • Trick people into deleting system programs
    • Trick people into changing key system settings
  • Tailgating and mantraps
  • Dumpster diving
    • Company directories are especially good treasure
    • Detailed company, personnel, or client information should be destroyed
  • Spam
    • Often has malicious attachments or links
  • Phishing
    • Social engineering over email
    • Many people use fake accounts to look like your friends
    • Sometimes links are beacons
    • When you click the beaconed links, the tail-text tells that server that your email is active
    • Spear phishing
      • More targeted at a user or user group
    • Whaling
      • Targeting CEOs and big positions
      • Might install a keylogger
      • Might threaten subpoenas or other very specific things
  • Spim
    • IM spam
  • Vishing
    • VOIP spam
    • Spoofs caller ID and asks for sensitive info
  • Privilege escalation
    • Trying to get higher system privileges to access more information

Blocking Malware and Other Attacks

  • Anti-malware on mail servers
  • Anti-malware on all systems
  • Boundaries or firewalls
  • Antivirus software
    • Signature based detection
      • Detects known patterns by checking against signature files
    • Heuristic-based detection
      • Watches for viral behavior rather than specific signatures
    • Checking file integrity
      • If system file hashes change, you can tell they’ve been modified and there might be a virus
    • Pop-up blockers
    • Spam filters
      • UTM contains spam filtering
      • Email servers can also scan for spam
      • User systems can also scan for spam
    • Anti-spyware
      • Specifically protects user info
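
The file integrity check described above, as an added example (not code from the original notes or from any antivirus product): take SHA-256 hashes of a known-good directory, then compare a later snapshot against that baseline. The file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            hashes[os.path.relpath(full_path, root)] = sha256_file(full_path)
    return hashes


def compare(baseline, current):
    """Report files that changed, disappeared, or appeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)

        # Known-good state (constructed sample files).
        write("hosts", b"127.0.0.1 localhost\n")
        write("sshd_config", b"PermitRootLogin no\n")
        write("motd", b"Authorized use only\n")
        baseline = snapshot(root)

        # Later state: one file edited, one deleted, one new file dropped.
        write("hosts", b"127.0.0.1 localhost\n203.0.113.7 updates.example.com\n")
        os.remove(os.path.join(root, "motd"))
        write("cron.sh", b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored somewhere the monitored host cannot modify, such as read-only media or a separate server.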

Why Social Engineering Works

  • Authority
    • Impersonation
    • Whaling
    • Vishing
    • If someone looks legit, users don’t want to question them
  • Intimidation
    • Bullying tactics, making things seem urgent and critical
    • Make the risk of non-compliance high
  • Consensus or social proof
    • Fake testimonials or reviews
    • Fake popularity
  • Scarcity
    • Limited quantities imply urgency
  • Urgency
    • Give people limited time to respond to panic them
  • Familiarity and likability
  • Trust

Identifying Advanced Attacks

Comparing Common Attacks

  • Spoofing
    • Digital impersonation
    • Example: changing the from address in an email to appear as if it were from someone else
  • DoS and DDoS
    • How many computers are attacking a target?
    • The goal is to get the target to use up enough resources that it can’t serve real users
    • Indicated by sustained, abnormally high traffic
    • Smurf attacks
      • Spoofs the source address of a directed broadcast ping to flood a victim with ping replies
      • Smurf attack sends a ping as a broadcast but pretends the victim was the source
      • This makes all the recipients of the original ping ping back against the victim
      • Most routers block directed broadcasts by default
        • This protects them from becoming part of an amplifying network
    • SYN flood attacks
      • Utilize the TCP handshake by sending swarms of SYN, but never sending the final ACK
      • Most servers will stop accepting new connections until the half-connections are settled
      • Some servers just crash
      • Flood guards
        • Use a variety of means to prevent floods
        • Can detect the IP of the attacker and block them
        • Can reduce the wait time for the ACK packet
  • Xmas attacks
    • Port scan used to get details about an OS
    • It sends bits in the packet header of the TCP port scan that resemble Christmas lights
    • This gives it info about how the system responds and what OS it is
    • It’s more for recon than anything else
    • Many IDS and IPS can detect this easily
  • Man-in-the-Middle attacks (MITM)
    • Active interception or eavesdropping
    • Sits in the middle and takes both streams of traffic, and can send on malicious code
    • Kerberos mutual authentication can thwart it
  • Replay attacks
    • Steal all the authentication data transferred between two clients, then try to send out that authentication data again to pretend to be one of the two
    • Timestamps and sequence numbers thwart this
    • Kerberos uses timestamps
  • Password attacks
    • Attempts to discover or bypass passwords
    • Online password attack
      • Attempt to discover password from online system or guess
    • Offline password attack
      • Capture database or packet and try to decrypt it
      • WPA cracking
    • Brute force attack
      • Get yourself some complex passwords with account lockout policies
    • Dictionary attack
      • Brute forces all the easy words
    • Password hash
      • Attack the stored hash of a password rather than the password
      • Websites like MD5 Online and CrackStation can reverse these hashes
    • Birthday attacks
      • Named after birthday paradox in probability theory
      • Works on easy hashes where you just come up with a password that produces the same hash
      • SHA-2 (Secure Hash Algorithm 2) uses 512 bits (compared to MD5’s 128) so it's much harder to match
    • Rainbow table attacks
      • Rather than hashing every guess individually, you use large tables of preconfigured hashes to check the password hash against
      • Salting passwords makes this more difficult, wherein two random digits are added to a password to make the hash more complex
        • Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) both use salting to increase the complexity of passwords
    • Hybrid attacks
  • DNS attacks
    • DNS poisoning
      • Modifies or corrupts DNS results
      • Example: someone types google.com and ends up somewhere else
      • DNSSEC (Domain Name System Security Extensions) protects DNS records and prevents poisoning
    • Pharming attacks
      • Tries to corrupt DNS server or DNS client to redirect users to the wrong site
      • Example: modifying the host file on client computers to change the default entry of specific websites
      • Started as a prank but can have serious implications
  • ARP poisoning attacks
    • Misleads computers or switches about the MAC address of a system
    • ARP sends requests and replies, and it's easy to spoof a reply
    • ARP MitM attack
      • Spoof the ARP cache on a switch so it sends data to the attacker, who saves it and forwards it along like usual
    • ARP DoS attack
      • Spoof so everyone caches a bogus default gateway MAC address
      • Nobody can communicate properly
  • Typo squatting and URL hijacking
    • Similar domain names that people often misspell
  • Watering hole attacks
    • Figures out where employees of an organization spend their web time and then infects those locales or tries to redirect them to a malicious website
    • Often to install RATs to get access to the organization
  • Zero-day attacks
    • Exploits undocumented vulnerability
    • Serious until patched
    • Relevancy depends on how known it is
  • Web browser concerns
    • Malicious add-ons
    • Cookies and attachments
      • Normally only the site that makes a cookie can read it, but cross-site scripting can allow attackers to steal personal info from them
    • Session hijacking
      • You can also use cookies to session hijack
    • Flash cookies and Local Shared Objects (LSOs)
      • Cookie made by Adobe Flash Player
      • Flash cookies can be stored in special places and aren’t always cleared with the rest of the cookies
      • They track data discreetly which has led to a lot of lawsuits
    • Arbitrary code execution and remote code execution
      • Allows attackers to run specific code on a system without user consent
      • Software bugs often allow this
  • Header manipulation attacks
    • Manipulate the flags in TCP/IP headers to change behavior or change session ID within the packet
    • This session ID can allow the attacker to steal your sign-in and access your stuff
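
The salting point made under rainbow table attacks above, as an added example (not from the original notes): the same password stored as unsalted MD5 versus salted PBKDF2 from Python's standard `hashlib`. The 16-byte salt, the iteration count, the small dictionary standing in for a precomputed table, and the sample passwords are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
SALT_BYTES = 16              # assumed salt length for this example


def unsalted_md5(password: str) -> str:
    """Weak scheme: identical passwords always produce identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Stand-in for a precomputed table: maps hash -> password."""
    return {unsalted_md5(p): p for p in candidates}


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def demo():
    # Constructed sample: two accounts that happen to share one password.
    table = build_lookup_table(["password", "letmein", "123456"])

    alice_weak = unsalted_md5("letmein")
    bob_weak = unsalted_md5("letmein")

    alice_salt, alice_key = hash_password("letmein")
    bob_salt, bob_key = hash_password("letmein")

    return {
        # Unsalted: both rows match and one table lookup recovers the password.
        "weak_hashes_identical": alice_weak == bob_weak,
        "weak_found_in_table": table.get(alice_weak),
        # Salted: rows differ, and a table built without the salt is useless.
        "strong_hashes_identical": alice_key == bob_key,
        "strong_found_in_table": table.get(alice_key.hex()),
        # Normal logins still work because the salt is stored with the hash.
        "login_ok": verify_password("letmein", alice_salt, alice_key),
        "wrong_password_ok": verify_password("letmein1", alice_salt, alice_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```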

Understanding Secure Coding Concepts

  • Input validation
    • Checking data before accepting it
    • Can either clear out malicious data or reject the whole submission
    • Verifying proper characters – only the right characters for that field
      • Example: allowing only numbers in a US zip code field
    • Implementing boundary or range checking – if max purchase is 5, can only submit 5 purchases or less
    • Blocking HTML code
    • Preventing the use of certain characters – such as dash, apostrophe, and equal sign
  • Client-side and server-side input validation
    • Client side is quicker, but vulnerable
    • Server side takes longer, but is secure
    • If you disable JavaScript, you can often get through client side validation in a web browser
  • Avoiding race conditions
    • Don’t let two parts of an app, or two apps, attempt to access a single resource at once
    • This can cause obvious conflicts
  • Error and exception handling
    • Provide user feedback when there’s an error
      • Errors to users should be general so you don’t give an attacker too much information
      • Detailed information should be logged and the debug information should be sent to the support team
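
The input validation and error handling bullets above, combined in one server-side handler as an added example (not from the original notes). The form fields, the `orders` logger name, the comment length limit and the incident reference format are assumptions of this example.

```python
import html
import logging
import re
import uuid

log = logging.getLogger("orders")  # hypothetical application logger

ZIP_RE = re.compile(r"[0-9]{5}(-[0-9]{4})?")  # US ZIP or ZIP+4, ASCII digits only
QTY_RE = re.compile(r"[0-9]{1,3}")
MAX_QUANTITY = 5          # the "max purchase is 5" rule from the notes
MAX_COMMENT_LEN = 200     # assumed limit for this example


class ValidationError(Exception):
    def __init__(self, field, detail):
        super().__init__(detail)
        self.field = field
        self.detail = detail


def validate_zip(raw):
    """Proper characters: accept only the exact shape of a ZIP code."""
    if not isinstance(raw, str) or not ZIP_RE.fullmatch(raw):
        raise ValidationError("zip", f"rejected value {raw!r}")
    return raw


def validate_quantity(raw):
    """Range check: digits only, then 1..MAX_QUANTITY."""
    if not isinstance(raw, str) or not QTY_RE.fullmatch(raw):
        raise ValidationError("quantity", f"not a number: {raw!r}")
    quantity = int(raw)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValidationError("quantity", f"out of range: {quantity}")
    return quantity


def sanitize_comment(raw):
    """Block HTML: escape markup so it is stored and shown as plain text."""
    if not isinstance(raw, str) or len(raw) > MAX_COMMENT_LEN:
        raise ValidationError("comment", "missing or too long")
    return html.escape(raw, quote=True)


def handle_order(form):
    """Server-side check; runs even if client-side validation was bypassed."""
    try:
        order = {
            "zip": validate_zip(form.get("zip")),
            "quantity": validate_quantity(form.get("quantity")),
            "comment": sanitize_comment(form.get("comment", "")),
        }
        return {"status": 200, "order": order}
    except ValidationError as exc:
        # Detail goes to the log; the user only sees a general message.
        incident = uuid.uuid4().hex[:8]
        log.warning("incident=%s field=%s detail=%s",
                    incident, exc.field, exc.detail)
        return {"status": 400,
                "message": f"Invalid input. Reference: {incident}"}
    except Exception:
        incident = uuid.uuid4().hex[:8]
        log.exception("incident=%s unexpected error", incident)
        return {"status": 500,
                "message": f"Something went wrong. Reference: {incident}"}


if __name__ == "__main__":
    print(handle_order({"zip": "90210", "quantity": "3",
                        "comment": "<b>hi</b>"}))
    print(handle_order({"zip": "90210' OR 1=1", "quantity": "3"}))
```

The reference number lets the support team find the detailed log entry without the response revealing which field or rule failed.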

Identifying Application Attacks

  • Web servers
    • Apache
      • Free
      • Runs on Unix, Linux, Windows
    • Internet Information Services (IIS)
      • Microsoft web server and free with Windows server products
  • Buffer overflows and buffer overflow attacks
    • When an app receives more or different input than it expects
    • Can expose system memory that should be protected
    • A skilled attacker can use this exposed vulnerability to rewrite their own malicious code into system memory
      • This relies on some educated guesses normally
      • NOP (No-op) commands make this easier
        • Many Intel processors use hexadecimal 90 as a NOP command, so a string of x90 characters is a NOP sled
        • When the processor comes across a string of x90 NOP, it jumps to the next memory location, which the attacker has filled with malicious code
        • BufferOverflowData:NOPs:Malicious Code
  • Integer overflow
    • By knowing how many bits the server uses to store numbers, you know the upper limit of the numbers it can store
    • You can push it above that limit to make it throw an error
  • Injection attacks
    • SQL queries and SQL injection attacks
      • Structured query language
      • SQL queries
        • Translates user input into a clear database call and returns the selected information
      • SQL injection attacks
        • By understanding SQL syntax, you can often inject several extra commands into this search to get the database to return information that it's not supposed to return
        • Error handling will prevent these injections if configured properly
          • These errors can often give more info about the kind of database being used
        • You can also use logic that is always true, such as 1 = 1, to tell the computer to return all results
      • XML injection
        • Pretty similar, but in XML
      • NoSQL and SQL databases
        • Also include documents, graphs, and key-value pairs
        • Allows developers more storage flexibility
        • Uses Unstructured Query Language (UQL)
          • Attackers can learn this, though it may vary with vendor
    • Cross-Site Scripting (XSS)
      • Embed malicious HTML or JavaScript code into an email or website error
      • News story of someone embedding code on Twitter that infected computers when people looked at the tweet
    • Cross-Site Request Forgery (XSRF)
      • Adding tails to URLs that automatically make people perform actions
      • Combined with auto-logon cookies can be dangerous
      • Making users re-authenticate before making changes helps
    • Directory traversal and command injection
      • Injecting full system commands and pathways into web page forms
    • LDAP injection
    • Transitive access and client-side attacks
      • Uses transitive trust properties and injections to piggyback connections and access even more data from an initial SQL injection
    • Fuzzing
      • Using a program to send random data to an app
      • Might crash or provide unexpected results
      • May also reveal a vulnerability
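
The SQL injection bullets above, shown as a before-and-after pair using Python's built-in sqlite3 module. This is an added example, not from the book or the original notes; the table, rows, and input strings are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("lisa", "lisa@example.test"),
         ("bart", "bart@example.test"),
         ("homer", "homer@example.test")],
    )
    return db


def find_vulnerable(db, name):
    # BEFORE: the input is pasted into the SQL text, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_safe(db, name):
    # AFTER: the statement text is fixed. The input is bound to the ?
    # placeholder and is only ever compared as a value.
    return db.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def error_text(db, name):
    """Database error raised by the concatenated query, or None if it ran.

    This text belongs in the server log. Shown to a user, it reveals what
    kind of database sits behind the form.
    """
    try:
        find_vulnerable(db, name)
    except sqlite3.Error as exc:
        return str(exc)
    return None


# Constructed input using the always-true 1 = 1 logic from the notes.
TAUTOLOGY = "nobody' OR 1 = 1 --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", len(find_vulnerable(db, TAUTOLOGY)), "rows")
    print("parameterized:", len(find_safe(db, TAUTOLOGY)), "rows")
    print("leaky error  :", error_text(db, "o'brien"))
```

The parameterized version also handles a legitimate name containing an apostrophe, which the concatenated version turns into a syntax error.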

Managing Risk

  • Threats and threat vectors
    • Natural threats
    • Malicious human threats
    • Accidental human threats
    • Environmental threats
      • Long term power failure leading to chemical spills and much, much more
    • Malicious insider threat
      • Someone who has legitimate access to internal resources and seeks to exploit them
      • Least privilege really helps here
  • Threat assessments
    • How likely are specific things and what will cause the most harm?
    • Vulnerabilities
      • Lack of updates
      • Default configurations
      • Lack of malware protection
      • Lack of firewalls
      • Lack of organizational policies
      • Just because it hasn’t been attacked, doesn’t mean it’s not vulnerable
      • Audit regularly and look for new things each time
  • Risk management
    • Risk avoidance
      • Not participating in a risky activity or opting not to provide a risky service
      • If something requires you to open several insecure ports, is it really worth it?
    • Risk transference
      • Can you share the risk with another entity?
      • Insurance, outsourcing, etc.
    • Risk acceptance
      • Would it be more expensive to protect the device than the device is worth?
    • Risk mitigation
      • Reduce the risk with up-to-date tech
    • Risk deterrence
      • Security controls make it harder to attack you
      • The harder it is, the more likely you are to be a less appealing target
  • Risk assessment
    • Identify assets and their values
    • Identify threats and vulnerabilities to the highest value assets
    • Set recommendation for what controls will mitigate those risks
    • These assessments should change as conditions do
    • Quantitative risk assessment
      • Lists the specific monetary value of assets vs specific cost of mitigating controls
      • Single Loss Expectancy (SLE)
        • Cost of a single loss
      • Annual Rate of Occurrence (ARO)
        • How often will that loss occur in a year?
      • Annual Loss Expectancy (ALE)
        • SLE x ARO = ALE
      • Compare the ALE to the annual cost of mitigating controls
      • How much do you spend to save how much more?
    • Qualitative risk assessment
      • Judged based on probability and impact
      • Qualitative risk might say that even though it costs a little more for the protection, it's worth it (for savings in privacy, company’s status, etc.)
      • Impact includes loss of confidentiality, integrity, or availability of system data
      • You might use a host of experts in a focus group to determine the risk and impact
      • You can assign numbers on a 1-10 scale to make it easier to assess risk
    • Documenting the assessment
      • File a report including the numerical risk values and recommended solutions
      • Management can review these reports to make final decisions
      • A final report can document what risks were accepted and what risks were mitigated
      • Keep these reports confidential
    • Metrics to assess risk
      • Mean Time Between Failure (MTBF)
        • System’s reliability in hours
        • Lists average hours between failures
      • Mean Time To Failure (MTTF)
        • Length of time a device can be in service before it fails
        • Primarily indicates a device that cannot be repaired
      • Mean Time To Recover (MTTR)
        • Average length of time to restore a system
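
The quantitative assessment above (SLE x ARO = ALE, then compare against the annual cost of the control) carried through for a small risk register. This is an added example, not from the book or the original notes; every risk, dollar figure, and rate in it is constructed.

```python
from fractions import Fraction

# Constructed risk register. ARO is occurrences per year, money is in dollars.
# Each entry pairs one risk with one proposed control and that control's effect.
REGISTER = [
    {"risk": "laptop theft", "sle": 2000, "aro": Fraction(10),
     "control": "cable locks", "control_cost": 1000,
     "aro_with_control": Fraction(1)},
    {"risk": "server room flood", "sle": 100000, "aro": Fraction(1, 50),
     "control": "raised floor and sensors", "control_cost": 5000,
     "aro_with_control": Fraction(1, 100)},
    {"risk": "web store outage", "sle": 5000, "aro": Fraction(4),
     "control": "failover cluster", "control_cost": 12000,
     "aro_with_control": Fraction(1)},
]


def ale(sle, aro):
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def assess(entry):
    """Compare the loss avoided by a control with what the control costs per year."""
    before = ale(entry["sle"], entry["aro"])
    after = ale(entry["sle"], entry["aro_with_control"])
    net = before - after - entry["control_cost"]
    return {
        "risk": entry["risk"],
        "control": entry["control"],
        "ale_before": before,
        "ale_after": after,
        "net_savings": net,
        # A control that costs more than it saves is a candidate for
        # acceptance or transference instead of mitigation.
        "decision": "mitigate" if net > 0 else "accept or transfer",
    }


def report(register):
    """Assess every entry, best return on the control first."""
    return sorted((assess(e) for e in register),
                  key=lambda r: r["net_savings"], reverse=True)


if __name__ == "__main__":
    for row in report(REGISTER):
        print(f"{row['risk']:<18} ALE {int(row['ale_before']):>6} -> "
              f"{int(row['ale_after']):>5}  net {int(row['net_savings']):>6}  "
              f"{row['decision']}")
```

A negative net figure only settles the monetary side; the qualitative factors in the next bullets can still justify the spend.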

Checking for Vulnerabilities

Anatomy of an Attack

  • Recon on the larger target
  • Honing in for details (fingerprinting) of individual targets
    • Identifying IP addresses of targets
      • Starts with geographic location
      • Use ICMP sweep to identify operational systems in a region using ping scanner
      • It's possible to block ICMP at a firewall to prevent ping scanners
    • Identifying open ports with a port scanner
      • By noting open ports, you know what protocols and applications are likely in use
      • Advanced scanners send further queries to some known ports to make sure a protocol is running and find out more info about the system
      • For instance, HTTP can tell you whether it's on Apache or IIS
      • Nmap, Netcat, and Nessus all include port scanning abilities
      • Security professionals use port scanners to perform self scans and analysis
    • Fingerprint system
      • Sends specific protocol queries to identify what OS is running based on details of query responses
      • Banner grabbing
        • Gain info about a service running on an open port
        • Example: telnet into a website (port 80) and send an HTTP request
          • You'll then see information like OS, server type, version, content type, and time
    • Identifying vulnerabilities
      • Once you know the fingerprint details, you get experts on the specific infrastructure you’re trying to attack
      • You can test input validation, default accounts, and use vulnerability scanners to identify current patches
    • Attack
      • Once everything is planned, attackers try to move quickly so nothing can be patched or updated
      • It's harder to detect them
      • They’ll smash and grab, trying to get as much as possible before they’re blocked out
    • Advanced Persistent Threats (APT)
      • Can be government funded, well-organized, and resourceful
      • They have the skills and patience to break through defenses
      • This is why it’s important to segment traffic and data, limit user permissions, and train people to avoid malware
      • Limit the damage that can be caused by a single attack

Vulnerability Assessment

  • Use vulnerability scanners, port scanners, etc.
  • Identify assets and risks
  • Prioritize what mitigating factors you’ll use
  • Vulnerability scanning
    • Identifies vulnerabilities
    • Identifies misconfigurations
      • Open ports
      • Weak passwords
      • Default accounts and passwords
      • Sensitive data (DLP)
      • Security and configuration errors
    • Passively tests security controls
      • Identifies only, does not exploit
      • Does not interfere with normal operations until an admin can assess
    • Identifies lack of security controls
      • Lack of patches or antivirus
  • Other assessments
    • Checking for tailgating spots, social engineering risks, etc.
    • See if employees are dumb enough to give out passwords
    • Baseline reporting
    • Code review
    • Attack surface review
    • Architecture review
      • Is a database accidentally in a DMZ? Add a firewall
    • Design review
      • How do apps interact?
      • What’s the building layout?
  • Credentialed and noncredentialed
    • Scanners can run with a variety of credentials to see the risk at different levels of user access
  • Penetration testing
    • Tries to exploit vulnerabilities to detect impact of an attack
    • You can also use this to see how a company will respond in case of an emergency
    • Verify a threat
    • Bypass security controls
    • Actively test security controls
    • Exploit vulnerabilities
    • A fake attacker could try an SQL injection to get credentials, then press forward
    • This can disrupt daily ops, but is very informative
  • White, gray, black box testing
    • Black box
      • Testers have 0 knowledge of environment just like an attacker
    • White box
      • Full knowledge of environment and documentation
    • Gray box
      • Testers have some familiarity
  • Obtaining consent
    • Don’t pentest without consent in writing
    • Use a rules of engagement document
  • Passive and active tools
    • Vulnerability scanning is PASSIVE
    • Pentesting is ACTIVE
  • Continuous monitoring

Identifying Security Tools

  • Sniffing with a protocol analyzer
    • Captures and analyzes packets sent over a network
    • Can be used by admins or attackers
    • Any open wiring or switch could be vulnerable
    • Wireshark is a free protocol analyzer you can use
    • Analyzing packets is tedious, but full of information
    • An NIC must use promiscuous mode to capture all traffic
      • Allows it to receive traffic without being the designated IP
  • Routine audits
    • Double checks to ensure everything is at baseline and rules are being followed
  • User reviews
    • Ensure least privilege is being followed and users aren’t accessing what they shouldn’t
    • Privilege creep and inactive accounts are both threats
    • If someone keeps transferring departments and getting new access, does anyone ever clear the old access?
    • Role-based privileges make this easier to manage
  • Monitoring events with logs
    • Don’t waste disk space, log what's important
    • Operating system event logs
      • Security log
        • Includes logons and logoffs and resource access
        • You can configure auditing to denote what should be logged
      • Application
        • Records events logged by applications or errors
      • System
        • Starts, shutdowns, service starts or stops, driver loads or failures
    • Firewall and router access logs
      • Packet sources and destinations including IPs, ports, MAC addresses
      • Antivirus logs
      • Application logs
      • Performance logs
    • Reviewing logs
      • NetIQ has a suite of apps that will review logs on multiple servers and computers
      • Note events of interest and send alerts
      • Likely centralizes logs beyond individual hosts

Preparing for Business Continuity

Adding Redundancy

  • Disk redundancy with RAID
  • Server redundancy with failover clusters
  • Power redundancy with UPS or generator
  • Site redundancy with hot, cold, or warm sites
  • Identify single point of failure
    • If it breaks, will something take its place, or does everything go down?
    • Disk
      • Will a system crash without this disk?
      • Will the data be lost forever?
    • Server
      • Will the service stop if this goes down?
      • What else relies on that service?
    • Power
      • If there’s a power outage, what takes its place?
  • Server redundancy
    • 99.999% availability = 5 nines
    • Less than six minutes of downtime a year
    • Expensive, but could be justified depending on costs of downtime
    • Failover clusters
      • Two or more servers as nodes in a cluster
      • At least one inactive node
      • If active node fails, inactive node takes over
    • Load balancers for high availability
      • Distributes traffic and data loads across system devices
      • Allows for scalability
      • Load balancing also detects failed devices
  • Power redundancy
    • UPS
      • Provides power until any one of three goals is met
      • System should have enough time to shut down
      • Generators have enough time to power up and stabilize
      • Commercial power returns
    • Generators
      • Expensive to run, but cheaper than failure
      • Should be able to run for a long time
  • Protecting data with backups
    • Ensure that when data is lost or corrupted, it can be retrieved
    • Redundancy does not remove the need for backups
    • Tapes
      • Full backup
      • Differential backup
        • Backs up all changes since full backup
      • Incremental backup
        • Backs up all changes since last differential or incremental backup
        • Each incremental tape needs to be kept because the backups are not cumulative
      • Which setup you go with depends on maintenance time throughout the week and loss acceptance
      • Restorations take longer with smaller incremental backups
    • It's important to test backups, because recovery failures hit hard
    • Protecting backups
      • Use clear labeling in storage and physical security to protect them from theft
      • Protect them well if they're being moved from one location to another
      • Destroy backups when they’re no longer needed
  • Backup policies and plans
    • Identify data to backup
    • Requires off-site backups
    • Requires labeling media
    • Mandates testing of backups
    • Identifies retention requirements
      • Note related laws on how long data needs to be stored
      • Also note how much data you want available if you go to court
    • Designate frequency of backups
    • Protects backups
    • Identifies acceptable disposal methods
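
The full, differential, and incremental bullets above, simulated over one backup cycle to show which tapes a restore needs under each scheme. This is an added example, not from the book or the original notes; the file names and the week of changes are constructed, and each incremental is assumed to hold the changes since the previous backup of any kind.

```python
# Constructed week: day 0 is full-backup day, later entries are that day's changes.
WEEK = [
    {"payroll.xlsx": "v1", "plan.doc": "v1", "notes.txt": "v1"},   # day 0 (full)
    {"plan.doc": "v2"},                                            # day 1
    {"notes.txt": "v2"},                                           # day 2
    {"plan.doc": "v3", "budget.xlsx": "v1"},                       # day 3
    {"payroll.xlsx": "v2"},                                        # day 4
]


def run_week(daily_changes, scheme):
    """Simulate one cycle. scheme is "differential" or "incremental".

    Returns (live_data, tapes) where each tape is (day, kind, files_on_tape).
    """
    live, since_full, since_last, tapes = {}, {}, {}, []
    for day, changes in enumerate(daily_changes):
        live.update(changes)
        since_full.update(changes)
        since_last.update(changes)
        if day == 0:
            tapes.append((day, "full", dict(live)))
            since_full, since_last = {}, {}
        elif scheme == "differential":
            # Everything changed since the full backup, so each tape is cumulative.
            tapes.append((day, "differential", dict(since_full)))
        else:
            # Only what changed since the previous tape, then start counting again.
            tapes.append((day, "incremental", dict(since_last)))
            since_last = {}
    return live, tapes


def tapes_for_restore(tapes):
    """Pick the tapes a complete restore needs, in the order they are applied."""
    full = [t for t in tapes if t[1] == "full"][-1]
    later = [t for t in tapes if t[0] > full[0]]
    diffs = [t for t in later if t[1] == "differential"]
    if diffs:
        return [full, diffs[-1]]      # the latest differential already holds every change
    return [full] + later             # incrementals are not cumulative: all of them


def restore(selected):
    """Apply the tapes oldest first; later tapes overwrite older file versions."""
    data = {}
    for _day, _kind, files in selected:
        data.update(files)
    return data


def files_written(tapes):
    """Rough measure of nightly backup effort: file copies written across all tapes."""
    return sum(len(files) for _day, _kind, files in tapes)


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        live, tapes = run_week(WEEK, scheme)
        needed = tapes_for_restore(tapes)
        print(scheme, "| files written:", files_written(tapes),
              "| tapes to restore:", [day for day, _k, _f in needed],
              "| restore correct:", restore(needed) == live)
```

Dropping any one incremental tape from the restore set leaves stale file versions in the result, which is why each incremental tape has to be kept.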

Comparing Business Continuity Elements

  • Disasters can come from
    • Fires
    • Attacks
    • Power outages
    • Data loss
    • Hardware or software failure
  • Business Continuity Planning (BCP)
    • Complete a Business Impact Analysis (BIA)
    • Develop recovery strategies
    • Develop recovery plans
    • Test recovery plans
    • Update plans
  • Business Impact Analysis (BIA)
    • Some systems can be delayed, like loan processing, but accessing and withdrawing funds should not be
    • What are critical systems and functions?
    • Are there dependencies related to those systems?
    • What is the maximum downtime of those systems?
    • What scenarios would most likely affect those systems?
    • What is the potential loss from these scenarios?
    • You might decide that your maximum downtime is five hours, so now you need to plan how you would recover from any disaster in less than that time
    • You might recognize that losing data from a secure server could cost you millions
      • Now you know you should be willing to spend a lot to make sure you never lose data from it
  • Recovery Time Objective (RTO)
    • Max duration systems can be down
    • Might have different RTOs for different systems
  • Recovery Point Objective (RPO)
    • How often you need to backup data in order to ensure you have acceptable data loss
  • Continuity of Operations Planning (COOP)
    • Setting up an alternate location that can run things if things go nuts, like in a hurricane
    • Hot site
      • When you need ops in 60 minutes
    • Cold site
      • When you have a few days
    • Mobile site
      • Set up and tear down for when a company doesn’t want a permanent alternate site
      • Could be in a semi trailer
    • Mirrored site
      • 100% identical to the primary location including real-time data transfer
  • Disaster Recovery Plans (DRP)
    • Includes a hierarchical list of critical systems indicating the order to restore systems
      • Activate disaster recovery plan
      • Implement contingencies
        • Backup sites, systems, etc.
      • Recover critical systems
      • Test recovered systems
      • Document and review
  • Planning for communications
    • War room
      • Conference room where people get their updates and report in
    • You must be able to communicate with these people even if cell lines are down:
      • Disaster response team members
      • Employees
      • Customers
      • Suppliers
      • Media
        • Use a PR agency
        • Don’t let a tech talk to the press
      • Regulatory agencies
  • IT contingency planning
    • Focused only on IT instead of the full business
  • Succession planning
    • Who takes over and when?
    • Who has authority and when?
  • BCP and DRP testing
    • Tabletop and functional exercises
      • Backups
      • Server restoration
      • Server redundancy
      • Alternate sites
    • Testing controls
      • Try turning stuff off and see what breaks or what takes over
    • Escape plans
      • Escape routes
      • Drills
  • Implementing environmental controls
    • Heating, Ventilation and AC
      • If HVAC fails, your servers will be next
      • Sometimes it's worth shutting down the systems if the HVAC can’t keep up with the load or if it fails
    • Hot and cold aisles
      • Some aisles exhale hot air, some pull in cold
      • Make the backs of two racks face each other
    • HVAC and fire
      • HVAC often have fire alarm systems due to the ability to pump oxygen into a fire
      • Some HVAC systems can fight the fire with dampers
  • Fail-safe and fail-open
    • Does it fail to be most secure or most safe for people?
    • Doors should fail open, firewalls should fail-safe
  • Fire suppression
    • Remove the heat with chemical fire extinguishers
    • Remove the oxygen with CO2
    • Remove the fuel
    • Disrupt the chain reaction with chemicals
    • Four classes of fires:
      • Class A – Ordinary combustibles – wood, paper, cloth, rubber, trash, and plastic
      • Class B – Flammable liquids – gasoline, propane, solvents, oil, paint, etc.
      • Class C – Electrical equipment – computers, wiring, etc. NO WATER
      • Class D – Combustible metals – magnesium, lithium, titanium, and sodium
  • Environmental monitoring
    • Includes temperature and humidity sensors
    • Shielding
      • Protects from EMI
      • If data radiates outside a cable through EMI, it can be stolen
      • Shielding cables
      • Protected distribution of cabling
        • Planning where you route cables so it's not easy for an attacker to install an RJ45 or Fiber end
      • Faraday cages
        • Room that prevents signal radiation past the barrier

Understanding Cryptography

Basics

  • Confidentiality
    • Symmetric encryption
      • Same key to encrypt and decrypt data
    • Asymmetric encryption
      • Two keys, public and private, created to match
      • Anything encrypted with the public key can only be decrypted by the private key
      • Anything encrypted with the private key can only be decrypted by the public key
    • Stream ciphers encrypt data one bit at a time
    • Block ciphers encrypt data in blocks
    • Steganography provides a level of confidentiality by hiding data within other files
  • Integrity
  • Authentication validates identity
  • Non-repudiation refers to the ability to ensure that a party cannot deny the integrity of their own signature
  • Digital signatures provide authentication, nonrepudiation, and integrity
    • A digital signature in an email is a hash of the email encrypted with the sender's private key
    • Only the sender’s public key can decrypt the hash which verifies it was sent by the sender’s private key

Hashing

  • An algorithm run on data that can be used again later to confirm that data hasn’t been changed, without having to parse the entire data
  • MD5 (Message Digest 5)
    • Produces 128-bit hash in hexadecimal
    • Often used to verify files and downloads
    • Website can display the hash and then you can test the hash after download to make sure it's the same
  • SHA (Secure Hash Algorithm)
    • SHA-0 unused
    • SHA-1 creates 160-bit hashes similar to MD5
    • SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512
    • SHA-3 uses a different method than SHA-2
      • Supports 224, 256, 384, and 512 bits as well
    • Some HIDS and antivirus capture hashes of files when they first scan through and then capture new hashes to compare
    • If any hashes are different, there is a possibility of malware
  • HMAC (Hash-based Message Authentication Code)
    • Such as HMAC-MD5 and HMAC-SHA1
    • Uses a standard hash string of bits in conjunction with a secret key only known by the sender and receiver
    • Creates the hash with the basic bits, then calculates on top of that with the secret key
    • Not only does it protect integrity, but it also adds authenticity by ensuring that the message could only come from the verifiable sender
    • IPsec and TLS often use HMAC
  • Hashing
    • Most applications perform hashes automatically, but programs like md5sum.exe will allow you to run them manually
    • Passwords are often stored in hashes for security reasons
    • If an attacker can change a message, they could also change a hash
    • HMAC is more secure, because the hacker can’t properly fake the hash
  • Other hashing algorithms
    • RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
      • Creates 128, 160, 256, and 320 bit hashes
    • LANMAN and NTLM
      • Older Microsoft hashing algorithms for passwords
      • LANMAN (Lan Manager)
        • Windows 95, 98, and ME
        • Can’t handle passwords longer than 14 characters
        • Easy to crack because of the way it fills with trailing spaces and hashes two 7 character codes
      • NTLM (NT LAN Manager)
        • Improved LANMAN
        • NTLMv1 uses an MD4 hash and occasionally LANMAN
        • NTLMv2 uses an MD5 hash which is hard to crack
          • Before Vista, many systems left LANMAN enabled by default for backwards compatibility (this is bad)
        • The reason for 15 character passwords is to prevent LANMAN from being used
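
The point made above, that someone who can change a message can also change a plain hash but cannot fake an HMAC, shown with Python's hashlib and hmac modules. This is an added example, not from the book or the original notes; it uses HMAC-SHA256 rather than the HMAC-MD5 and HMAC-SHA1 variants named in the notes, and the key and messages are constructed.

```python
import hashlib
import hmac

# Assumption: a secret shared only by sender and receiver (constructed value).
SECRET = b"constructed-shared-key-for-this-example"


def plain_digest(message):
    """Unkeyed hash: anyone holding the message can compute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(message, key):
    """HMAC: computing a valid tag requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def send_plain(message):
    return message, plain_digest(message)


def send_hmac(message, key):
    return message, keyed_tag(message, key)


def verify_plain(message, digest):
    return hmac.compare_digest(plain_digest(message), digest)


def verify_hmac(message, tag, key):
    # compare_digest takes the same time wherever the first difference is.
    return hmac.compare_digest(keyed_tag(message, key), tag)


def replace_in_transit(new_message, recompute):
    """Model a change on the wire: swap the message and recompute the check
    value with whatever function the party making the change has available."""
    return new_message, recompute(new_message)


if __name__ == "__main__":
    original = b"Pay Bart $10"
    altered = b"Pay Homer $10000"

    # Plain hash: the altered message arrives with a freshly computed hash.
    msg, digest = replace_in_transit(altered, plain_digest)
    print("plain hash accepts altered message:", verify_plain(msg, digest))

    # HMAC: without SECRET the best available is a tag made with a wrong key.
    msg, tag = replace_in_transit(altered, lambda m: keyed_tag(m, b"wrong guess"))
    print("HMAC accepts altered message:      ", verify_hmac(msg, tag, SECRET))

    # Unmodified traffic still verifies.
    print("HMAC accepts original message:     ",
          verify_hmac(*send_hmac(original, SECRET), SECRET))
```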

Encryption

  • Two main parts to encryption
    • Algorithm
      • Always the same
    • Key
      • Provides variability for encryption
      • Goes into the algorithm
      • Either private or changes often
  • Symmetric encryption
    • Same key to encrypt and decrypt
    • Also called secret key or session key encryption
    • AES uses 128, 192, or 256 bit keys
    • Keys can be changed whenever a session is authenticated or re-authenticated
      • This is how RADIUS works
    • Block and stream ciphers
      • Stream ciphers are more efficient when streaming
      • Block ciphers are more efficient when size of data is known
      • WEP's vulnerability came from reusing keys on a stream cipher, so an attacker just had to be patient
    • AES
      • Strong symmetric block cipher
      • National Institute of Standards and Technology (NIST) adopted AES from Rijndael encryption algorithm
      • AES uses 128, 192, or 256 bit keys
      • Fast, efficient, and strong
    • DES
      • Symmetric Block Cipher used since the 70s
      • 64-bit blocks with a key of 56-bits
      • Easy to crack these days
    • 3DES
      • DES improvement
      • Encrypts in three passes
      • Strong, but resource intensive
      • Useful when AES isn’t supported
    • RC4
      • Used in WEP, but not to blame for WEP’s insecurity
      • Recommended in SSL and TLS for encrypting HTTPS
      • Speculation that NSA can crack RC4
      • AES is still better
      • Stream cipher
    • Blowfish and Twofish
      • 64-bit blocks and keys from 32 to 448 bits
      • Faster than AES in some situations
        • Twofish
          • 128-bit blocks
          • 128, 192, or 256 bit keys
          • Almost used for AES, but Rijndael beat it
    • One-time pad
      • One of the most secure algorithms, but very labor intensive
      • Each key is on a page of a pad and destroyed after use
      • Tokens and fobs are like digital successors to these
  • Asymmetric encryption
    • Private keys are never shared
    • Public keys are freely shared within a certificate
    • More resource intensive than symmetric encryption
    • Often asymmetric encryption is only used to privately share a symmetric key
    • Certificates
      • Certificate Authorities (CA) issue and manage certificates
      • Serial number
        • Unique to certificate
        • CA uses to validate and if it's revoked, a CRL (Certificate Revocation List) will update
      • Issuer
      • Validity dates
      • Subject
      • Public key
      • Usage
    • RSA (Rivest, Shamir, Adleman)
      • Asymmetric encryption that’s widely used
      • Email often uses RSA to share a symmetric key
      • TPM and HSM both store RSA keys
      • Supports a minimum of 1,024-bit keys
      • Often 2048 or 4096 are recommended
    • Static and ephemeral keys
      • Static keys are semi permanent
      • Ephemeral keys are recreated each session
      • RSA uses static keys that are valid for the lifetime of a certificate, often a year
      • Diffie-Hellman can use either static or ephemeral keys
      • Perfect forward secrecy is an important characteristic for ephemeral keys
        • Public keys are random, not deterministic
    • Elliptic Curve Cryptography
      • Often used with wireless devices because it requires less processing power to encrypt, but is still hard to crack
      • Even the NSA endorsed ECC
    • Diffie-Hellman
      • Means for sharing symmetric keys securely
      • DHE and ECDHE both use ephemeral keys
  • Steganography
    • Hiding data in other data
    • Hide data by manipulating bits without affecting the final product
    • Hide data in the white space of a file.
    • GIFs and JPEGs save in blocks, so they can be modified without changing the file size
    • Steganalysis uses hashing to detect changes
  • Quantum cryptography
    • Exploiting quantum mechanical properties, such as Heisenberg's Uncertainty Principle, to perform cryptographic tasks
    • If Lisa and Bart try to establish a key and Homer tries to gain information about this, key establishment will fail

Using Cryptographic Protocols

  • Basics
    • Email digital signatures
      • Sender’s private key
      • Sender’s public key
    • Email encryption
      • The recipient’s public key
      • The recipient’s private key
    • Website encryption
      • The website’s public key encrypts the symmetric key
      • The website’s private key decrypts the symmetric key
      • The symmetric key encrypts data in the web session
    • Often asymmetric encryption is used to securely share symmetric keys
    • Just knowing that a private key is encrypting is enough to know it's being used as a digital signature
  • Protecting email
    • To send a digital signature on an email, you click a button which hashes the message
    • App uses Lisa's private key and encrypts the hash
    • App sends the hash and message to receiver
    • Receiver’s system uses Lisa’s public key from either the network or an attached certificate
    • Email app decrypts the hash with Lisa's public key
    • App calculates a hash on the message
    • Compares decrypted hash with calculated hash
  • Encrypting email
    • With only asymmetric
      • Lisa retrieves Bart’s certificate and public key
      • Lisa encrypts the email with his public key
      • Lisa sends the email
      • Bart uses his private key to decrypt
    • With both
      • Lisa picks a symmetric key to encrypt her email
      • Lisa encrypts her email with that key
      • Lisa gets Bart’s certificate to take his public key
      • Lisa uses Bart’s public key to encrypt the created symmetric key
      • Lisa sends the encrypted email and encrypted symmetric key to Bart
      • Bart decrypts the created symmetric key with his private key and then uses the created key to decrypt the email
    • S/MIME (Secure/Multipurpose Internet Mail Extension)
      • Very popular email standard for signing and encryption
      • Uses RSA for asymmetric
      • Uses AES for symmetric
      • Requires PKI to distribute and manage certs
    • PGP (Pretty Good Privacy)
      • OpenPGP is a PGP standard that circumvents licensing
      • GNU Privacy Guard is free and based on OpenPGP
      • PGP uses asymmetric and symmetric
      • Some versions follow S/MIME
  • Transport Encryption
    • SSH
      • SFTP
      • SCP
      • Telnet
    • HTTPS
      • SSL or TLS over port 443
    • IPsec
      • Can encrypt data in tunnel mode with VPNs such as L2TP/IPsec
      • Uses Authentication Header through HMAC which not only hashes, but uses a private key encryption on top of the hash
      • Can use Encapsulating Security Payload (ESP) to provide confidentiality with AES or 3DES
        • Protocol ID 50
      • In ESP packet, there’s an additional IP header over the whole packet
        • Doesn’t allow attackers to see anything more than just that this is an ESP packet
      • Mandates HMAC, AES/3DES
    • SSL
      • HTTPS and FTPS both utilize SSL to encrypt web traffic
      • Certificate based authentication
      • Both asymmetric and symmetric keys
      • Netscape made SSLv3
        • When Netscape disappeared nobody maintained SSL properly
        • TLS fills this gap
    • TLS
      • Replaces SSL
      • TLS 1.0 is actually SSL 3.1
      • Cert based authentication
      • Asymmetric and symmetric encryption
      • EAP-TLS is the most secure version of EAP (802.1x servers that authenticate users signing into a network) because it requires certs on both host and server
  • Cipher suites
    • Cipher suites are how two systems know which sets of cryptographic algorithms they’re going to use together
    • These provide encryption, authentication, and integrity solutions
    • There are over 200 named cipher suites that identify:
      • Protocol
      • Key exchange method
      • Authentication
      • Encryption
      • Integrity
    • You can enable or disable cipher suite options in a system
  • Strong versus weak ciphers
    • Only use the strength you need to limit resource drain
    • Don’t go too weak
  • Encrypting HTTPS traffic with SSL or TLS
    • Client requests secure session
    • Server sends its certificate including its public key
    • The client creates a symmetric key and encrypts it with the server's public key
    • The client sends the encrypted symmetric key to the server
    • The server decrypts the symmetric key using its private key
    • All of the session data from thereon is encrypted with the symmetric key
  • Key stretching
    • Technique used to increase the strength of stored passwords
    • Bcrypt
      • Based on Blowfish
      • Salts passwords by adding extra bits before encrypting with Blowfish
    • PBKDF2
      • WPA2 and iOS use this
      • Salts with at least 64-bits
  • In-band versus out-of-band key exchange
    • In-band means you send keys and data in the same channel
    • Out-of-band means you share the key outside of the channel that you share data
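
The key stretching bullets above, worked through with PBKDF2 from Python's standard library. This is an added example, not from the book or the original notes; the iteration count, the 16-byte salt, and the `$`-separated storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it to your hardware and policy.
ITERATIONS = 200_000


def unsalted_hash(password):
    """What key stretching replaces: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record: scheme$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)       # 128 random bits, above the 64-bit minimum in the notes
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count, then compare."""
    try:
        scheme, iterations, salt_hex, derived_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
        iterations = int(iterations)
    except ValueError:
        return False                # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was stretched with fewer iterations than current policy."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    # Two users with the same (constructed) password.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("unsalted hashes match:", unsalted_hash("x") == unsalted_hash("x"))
    print("stretched records match:", a == b)          # different salts, different records
    print("right password verifies:", verify_password("correct horse battery staple", a))
    print("wrong password verifies:", verify_password("correct horse", a))
```

Storing the iteration count in each record lets the work factor be raised later: `needs_rehash` flags old records so they can be upgraded at the user's next successful logon.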

Exploring PKI Concepts

  • Allows two entities to communicate securely without previous contact
  • Certificate Authority (CA)
    • Issues, manages, validates, and revokes certificates
    • Can be a large company like Verisign, which services Amazon, or a small service
    • CAs must be trusted, because they make money by selling certs
  • Certificate trust paths and trust models
    • CAs are trusted by placing their root certificate into a trusted root CA store
    • CAs have to negotiate with web browsers to get their certificates added into that browser
    • Hierarchical trust model
      • Root CA issues intermediate CAs
      • Intermediate CAs issue certs to child CAs
      • Child CAs issue certs to devices or users
    • Self-signed certs
      • You can create your own CA and use it internally in your company
      • If a third party tries to connect, their web browser will reject it
      • In order to make computers trust it, you need to copy the root certificate to each computer that will be connecting to the CA
    • Wildcard certificates
      • Certificate good for an additional level of domains, such as store.google.com or docs.google.com
  • Registration
    • Use something like SSL to make a public/private key pair
    • Create a Certificate Signing Request (CSR) for the cert, including the purpose, info about the website, the public key, and yourself
      • This may follow the PKCS #10 specification for formatting
    • Send this to the CA and the CA will make a cert with the public key
    • There may be a Registration Authority (RA) that assists with this process
  • Revoking certificates
    • Key compromise
    • CA compromise
    • Change of affiliation
    • Superseded
    • Cease of operation
    • Certificate hold
    • The CA creates a CRL, which tells systems to stop using certain certs
  • Validating certs
    • Systems check if the cert is expired, check if the CA issuer is trusted, then query the CA to ensure it’s valid and not on a CRL
    • Online Certificate Status Protocol (OCSP)
      • Allows clients to query the serial number of a cert for status
      • Unknown, good, or revoked
    • Key escrow
      • Safe environment to hide private key
    • Recovery agent
      • Designated person who can recover or restore keys
      • Typically a security professional
      • Sometimes there’s a second private key for emergencies

Exploring Security Policies

  • Written security policies are management controls that identify a security plan
  • Security controls and tools should enforce these policies
  • Personnel policies
    • Expectations and discipline
    • Acceptable use policy
      • Includes what is or isn’t private
      • What users can or cannot do
    • Mandatory vacations
      • At least 5 consecutive business days
      • Prevents embezzlement because the villain has to be present to modify files and respond to inquiries
      • Limits the likelihood that one person can cover something up forever
    • Separation of duties
      • Prevents a single person from having complete control over a sector
      • Prevents fraud and mistakes
      • Checks and balances
      • Developers can’t implement code without admins testing it
      • IT Admins may have oversight from Security Admins
    • Job rotation
      • Learn processes in each job
      • Increases oversight
      • Prevents collusion
    • Clean desk policy
      • Ensures protection of secure data
      • Prevent unnecessary exposure
      • Keep desk clean when away to prevent unknown theft:
        • No keys
        • No cell phones
        • No access card
        • No sensitive papers
        • No logged-on computers
        • No printouts
        • No displayed passwords
        • No unlocked filing cabinets
        • No PII
  • Account management policies
    • Least privilege
    • Account disablement
    • Admins need two accounts
    • No shared accounts
  • Third party issues
    • Use NDA
    • Use least privilege
    • Communicate and reference:
      • Privacy
      • Data ownership
      • Data backups
      • Unauthorized data sharing
      • Security policy and procedures
      • Reviews
  • Interoperability agreements
    • Interconnection Security Agreement (ISA)
      • Specifies technical and security guidelines for maintaining secure connection and encryption
    • Service Level Agreement (SLA)
    • Memorandum of Understanding (MOU)
      • Indicates intention to work together for a goal
      • Less formal than SLA and doesn’t include financial penalties
    • Business Partner Agreement (BPA)
      • Details relationship between business partners including obligations, shares, and leaving rules
  • Change management policy
    • Ensure changes don’t cause unintended side effects
    • Provide accounting and documentation for changes
    • Changes need to be reviewed and approved
  • Data policies
    • Information classification
      • How secure is each bit of data
      • Data labeling and handling
        • Not everyone knows how important everything is, unless it's labeled
    • Data wiping and disposal
      • Bit-level overwrite
      • Degauss the disks
      • Physical destruction
    • Wiping files
      • Cluster-tip wiping
      • Bit-level wiping
    • Storage and retention policies
    • PII protection
    • Privacy policy
      • What info a site can collect and what it can do with that
    • Social media security usage
      • Single sign-on risks
      • Banner ads and malvertisements
      • P2P
        • Can lead to hosting inappropriate data or sharing secure data
  • Responding to incidents
    • Captures the entire contents of a drive
    • Some tools can read data bit-by-bit without modifying it
    • dd command in Linux
    • Incident response team defines different incidents and how to respond
      • Senior management
      • Network admin or engineer
      • Security expert
      • Communication expert
    • Team often has extensive training to cope with a variety of situations
    • Incident response procedures
      • Preparation
      • First responders
      • Incident identification
      • Incident isolation
      • Damage and loss control
      • Escalation and notification
      • Reporting
      • Data breach
      • Recovery and reconstitution procedures
      • Lessons learned
      • Mitigation steps
  • Implementing basic forensic procedures
    • EnCase by Guidance Software
    • Forensic Toolkit by AccessData
    • Order of volatility
      • Order in which to collect evidence before it’s modified
        • RAM data doesn’t last after power down
      • Data in cache
        • Processor and hard drive cache
      • Data in RAM
      • Swap file or paging file
      • Data stored on local disks
      • Remote logs
      • Archived media
    • Capture system image
    • Take hashes
    • Analyze copies, not original
    • Network traffic and logs
      • Look for MAC addresses of possible suspects
      • Protocol analyzers can help monitor traffic
      • Trace IP to ISP
    • Chain of custody
      • Indicate everyone who touched evidence and where it was stored
    • Capture video CCTV
    • Record time offset
    • Screenshots
    • Witnesses
    • Track man-hours and expense
    • Big data analysis
  • Raising security awareness
    • Security policy training and procedures
    • Role-based training
      • Executive personnel
      • Incident response team
      • Administrators
      • End users
    • Can include:
      • Security policy content
      • Keeping cipher codes private
      • Acceptable use and user responsibilities
      • PII
      • Data labeling, handling, and disposal
      • Information classification
      • Compliance with laws, practices, and standards
      • Threat awareness including malware and phishing
      • User habits that present risks
      • Social Networking and P2P
    • Training and compliance issues
      • Metrics to validate compliance
      • Measure security incidents
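
The "capture system image", "take hashes" and "analyze copies, not original" steps from the forensic procedures above, as an added example (not from the original notes or from any forensic product): a block-by-block acquisition that hashes what it reads, then checks a working copy against that hash. File names and block size are assumptions, and the "drive" is constructed random data.

```python
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 4096  # read size in bytes (illustrative)


def sha256_file(path: str) -> str:
    """Hash a file in fixed-size blocks so large images never load fully into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:  # read-only: hashing must not alter evidence
        for block in iter(lambda: handle.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source: str, image: str) -> str:
    """Copy source to image block by block and return the SHA-256 of the bytes read."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb" never overwrites
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def matches(path: str, recorded_hash: str) -> bool:
    """Check a file against the hash recorded at acquisition time."""
    return sha256_file(path) == recorded_hash


def demo() -> dict:
    """Constructed walk-through: image a sample 'drive', verify, then detect a change."""
    with tempfile.TemporaryDirectory() as workdir:
        source, image, working = (os.path.join(workdir, name) for name in
                                  ("drive.bin", "drive.img", "working.img"))
        with open(source, "wb") as handle:
            handle.write(os.urandom(3 * BLOCK_SIZE + 123))  # constructed sample data
        recorded = acquire_image(source, image)  # hash taken at acquisition
        shutil.copyfile(image, working)          # analysts only ever open this copy
        before = matches(working, recorded)
        with open(working, "ab") as handle:      # simulate an accidental write
            handle.write(b"\x00")
        return {"copy_ok_before": before, "copy_ok_after_write": matches(working, recorded),
                "image_ok": matches(image, recorded)}


if __name__ == "__main__":
    print(demo())
```

The recorded hash belongs in the chain-of-custody notes, so anyone who later handles the image can show it is unchanged.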

Review Those Ports

  • Well-known/System Ports
    • 0-1023
  • User Ports/Registered Ports
    • 1024-49151
  • Dynamic/Private/Ephemeral Ports
    • 49152-65535
  • Port Numbers and their Applications
    • 20 – FTP (Send file data)
    • 21 – FTP (Session info)
    • 22 – SSH, SFTP, SCP
    • 23 – Telnet
    • 25 – SMTP
    • 49 – TACACS+
    • 53 UDP/TCP – DNS
    • 67 UDP – DHCP and BOOTP
    • 69 – TFTP
    • 80 – HTTP
    • 88 – Kerberos
    • 110 – POP3
    • 119 – NNTP (Network News Transfer Protocol)
    • 123 – NTP (Network Time Protocol)
    • 137,138,139 – NetBIOS
    • 143 – IMAP
    • 161 – SNMP (Agents receive requests)
    • 162 – SNMP (Controller receives data)
    • 389 TCP – LDAP (Lightweight Directory Access Protocol)
    • 443 – HTTPS (over TLS/SSL)
    • 443 – SSTP (Secure Socket Tunneling Protocol, over TLS/SSL)
    • 445 – SMB (Server Message Block)
    • 465 – SMTP Secure Mail Transfer Protocol
    • 500 – IKE (Internet Key Exchange)
    • 636 – LDAPS w/ TLS
    • 989/990 – FTPS
    • 1701 – L2TP (Layer 2 Tunneling Protocol), L2F
    • 1720 – H.323
    • 1723 – PPTP (Point-to-Point Tunneling Protocol)
    • 1812, 1813 – RADIUS
    • 2427 – MGCP (Media Gateway Control Protocol)
    • 2727 – MGCP
    • 3389 – RDP (Remote Desktop Protocol)
    • 5004 – RTP (Real-time Transport Protocol)
    • 5005 – RTP (Default)
    • 5060 – SIP (Session Initiation Protocol, unencrypted)
    • 5061 – SIP (encrypted with TLS)
  • Protocol IDs
    • PID 50 – ESP (IPsec)
    • PID 51 – AH (IPsec Authentication Header)

Conclusion

Woohoo. We did it. Over 14K words of CompTIA Security+ Sy0-401 goodness. Let me know what was easy for you and, of course, what you had trouble with.

If anything needs to be corrected or added, please sound off in the comments below.

Thanks and good luck on the exam!

Update: If you're interested in going further, the next certification that makes sense is the CompTIA CySA+ exam. Head over to the CS0-001 exam overview to read more. When you're ready for the exam, jump into the CS0-001 exam study notes post to review your stuff. This one isn't too bad. It's essentially a continuation of the CompTIA Security+ certification. However, you'll still need to practice and review to learn the processes!
