CompTIA Security+ Certification - Firebrand Training
www.firebrandtraining.co.uk
KIT CODE: K-116-01
CompTIA Security+ Courseware for SY0-501 exam
Courseware Version 5
CompTIA Security+ Section I
Host, Application & Data Security
4/27/2018 2 ©2007 – Body Temple 4/27/2018
Security + Exam
Exam number SY0-501
Duration 90 minutes
Number of questions – varies but approximately 70
Questions include scenario based questions plus drag and drop questions which are interactive
Pass mark 750/900
What is it all about?
Much will be covered, but nearly all of security is based around the three main tenets of security:
Confidentiality – protecting the data from unauthorised access through controls and encryption
Integrity – ensuring that the data has not been tampered with or altered during transmission, preventing unauthorised changes
Availability – the data is available when needed to those authorised to receive it
Securing Host Systems
Types of Malware
Malware refers to software or programs that carry out some function on your machine which is unwanted and these actions are usually carried out without your knowledge or permission
Malware now includes a range of software that goes beyond the original problem of viruses
Spyware – software that collects information about users without their knowledge. It can be used to collect information relating to identity or credentials, or information about websites visited, applications run, etc., for marketing purposes. Keystroke loggers are a favourite form of spyware
Adware – a variation on spyware where pop-up adverts are displayed based upon websites visited targeting adverts to prospective customers
Viruses
Virus – these have been with us for many years and come in a variety of forms. A virus arrives on a computer and replicates on that computer by spreading to other executable programs in memory. The payload varies and can delete files, corrupt data, prevent network access amongst others.
Macro viruses affect files that are typically created by Microsoft Office applications such as Word or Excel
Boot sector viruses modify the boot sector of the hard disk
Polymorphic viruses change their appearance after every infection to evade anti-virus
Metamorphic viruses recompile themselves after every infection to evade detection
Viruses
Certain file types are prone to virus infection. These include:
.bat, .com, .exe – executable files
.doc, .docx, .mdb – files associated with Microsoft Office – macros
.scr – screensavers (executable)
.dll – dynamic link libraries (executable code loaded by other programs)
.html – web pages, which can carry embedded script
.vbs – Visual Basic script
Keyloggers
These can exist in hardware or software
A hardware keylogger sits in line with the keyboard and intercepts the keystrokes, saving them to the device
A software keylogger is a program that does the same and saves them to a file or emails them to the attacker
Types of Malware
Trojan – a piece of software that appears harmless, disguised as something innocent but carrying a malicious payload. Users are typically tricked into downloading and running trojans through attachments or hyperlinks.
A common trojan is where a client computer is compromised and becomes a bot that can be used for launching attacks against other computers.
Other trojans can be used to install remote control agents onto computers
A trojan would be a visible program running in Task Manager
Remote Access Trojans
Sometimes called back doors – these refer to services running or ports open that will allow a remote user to connect and bypass standard authentication mechanisms
Backdoors such as Netcat now allow remote connectivity where a malicious user could do anything he liked on a computer without the logged on user noticing the remote access.
Typically used by hackers to allow them to return to a computer after they have gained initial access
Once access has been obtained the computer could be controlled remotely
Types of Malware
Logic bomb – a piece of malicious software that lies dormant until triggered by an event, typically a date or when a particular program is run
Once again, they can perform a variety of functions
Botnet – the name of a group of computers that have been compromised so they can launch denial of service attacks over the network. Botnets can consist of tens of thousands of infected computers.
Types of Malware
Worm – this malicious software tries to spread to other machines over the network, either by using the contacts in the Outlook address book or by looking for open ports on other machines
Spread very rapidly and use a lot of network resources
Can be used to spread viruses to other machines
Types of Malware
Ransomware – a newer trend where your local files are locked and a ransom is demanded to get them unlocked
Types of Malware
Rootkit – this malicious software hides itself inside the core part of the operating system that is not accessible or visible to users. It is called a rootkit because it hides in the root, or kernel, of the OS.
Cannot be seen using programs like Task Manager; special detection tools are needed
Could be used to capture keystrokes, to intercept system calls and divert them to other programs, or to allow remote access to a machine
Once infected with a rootkit the computer can no longer be trusted and the only guaranteed fix is to rebuild from known good media
Host Security
There are a range of measures that an administrator should take to ensure host security:
Remember physical security
Supply chain – use authorised components – hardware and software
Establish a security baseline
Harden the operating system
Use a trusted operating system in sensitive environments
Ensure regular updating and patching
Host Security
BIOS & UEFI – protect the BIOS area and also ensure firmware updates are applied
Don’t have unnecessary services running
Use a more secure file system – NTFS
Protect system and administrator accounts – strong passwords
Restrict any administration interfaces to local use
Control host Internet access – use a proxy server
Update and patch software
Protect peripherals – restrict printing, USB access etc
Host Security Applications
Whitelists & blacklists – control which applications are allowed (whitelist) or prevented (blacklist) from executing, so that only the planned applications run
Antivirus software
Anti spyware
Anti spam software
Host based firewalls – now standard with all operating systems
Host Security Applications
Web browser security – keep the browser updated
check plugins
trusted sites
pop-up blockers
private browsing
Use host-based IDS
Consider the risks attached to virtualisation –
secure hypervisors
multiple VMs on one host may have different security requirements
Types of Network Attack
Denial of Service
Denial of service – this is broken into two categories:
DoS – denial of service attack launched from a single source to a destination
DDoS – distributed denial of service attack coming from multiple sources to a single destination
DoS or DDoS is the process of denying access for legitimate users to a site or service
Denial of service exploits weaknesses in protocols to consume all resources and hang/crash applications or networks. If genuine users cannot gain access – success
DDoS attacks require Botnets of computers to be successful
Denial of Service
Common types of DoS attack
Smurf – using ping packets against the broadcast address so the replies return to the victim causing an overload
Fraggle – same principle but using UDP packets against the broadcast address so the ICMP reply returns to the victim
Land attack – the packets received by the victim contain identical source and destination addresses, i.e. that of the victim, so the victim does not know how to respond
Ping of Death – sending a ping packet that is too large, causing a crash
SYN Flood
The SYN flood is the most common DoS attack: it continuously creates half-open connections to use up all resources
Does not complete the three way handshake but continuously opens more
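As an added example (not part of the courseware), the script below shows how a host administrator can spot the half-open connections a SYN flood leaves behind. It parses constructed `ss -tan`-style output, counts SYN-RECV sockets per local port and flags any port over a threshold; the column layout, the sample addresses and the threshold of five are assumptions for the demonstration.

```python
"""Flag a possible SYN flood from a socket-state listing.

Added example, not from the courseware. The sample lines are constructed
to look like `ss -tan` output; only the state and the local/peer address
columns are used.
"""

# Constructed sample: one listener on port 443 that has accumulated many
# half-open (SYN-RECV) connections from many different sources, plus a few
# normal established sessions and a single half-open connection on port 22.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
ESTAB      0      0      10.0.0.5:443        198.51.100.7:51234
ESTAB      0      0      10.0.0.5:443        198.51.100.9:40211
SYN-RECV   0      0      10.0.0.5:443        203.0.113.11:1025
SYN-RECV   0      0      10.0.0.5:443        203.0.113.12:1026
SYN-RECV   0      0      10.0.0.5:443        203.0.113.13:1027
SYN-RECV   0      0      10.0.0.5:443        203.0.113.14:1028
SYN-RECV   0      0      10.0.0.5:443        203.0.113.15:1029
SYN-RECV   0      0      10.0.0.5:443        203.0.113.16:1030
SYN-RECV   0      0      10.0.0.5:22         203.0.113.17:1031
ESTAB      0      0      10.0.0.5:22         198.51.100.7:51300
"""


def parse_socket_states(text):
    """Yield (state, local_port, peer_ip) for each connection line."""
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_summary(text):
    """Per local port: (number of half-open connections, distinct peers)."""
    per_port = {}
    for state, port, peer in parse_socket_states(text):
        if state != "SYN-RECV":
            continue
        entry = per_port.setdefault(port, {"half_open": 0, "peers": set()})
        entry["half_open"] += 1
        entry["peers"].add(peer)
    return {p: (v["half_open"], len(v["peers"])) for p, v in per_port.items()}


def suspected_syn_flood(text, threshold=5):
    """Return the local ports whose half-open count exceeds `threshold`.

    A SYN flood leaves many SYN-RECV entries that never complete the
    handshake. The threshold is an assumption for the example; in practice
    it is tuned to the host's normal listen backlog.
    """
    return sorted(port for port, (count, _) in half_open_summary(text).items()
                  if count > threshold)


if __name__ == "__main__":
    for port, (count, peers) in half_open_summary(SAMPLE_SS_OUTPUT).items():
        print(f"port {port}: {count} half-open from {peers} peers")
    print("suspected SYN flood on ports:", suspected_syn_flood(SAMPLE_SS_OUTPUT))
```

On a real host the text would come from running `ss -tan` (or `netstat -tan`) periodically; the distinct-peer count helps distinguish a flood from a single misbehaving client.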
Back Doors
Back doors – these refer to services running or ports open that will allow a remote user to connect and bypass standard authentication mechanisms
Originally used by programmers and developers to allow them access to debug new applications
Backdoors such as Netcat now allow remote connectivity where a malicious user could do anything he liked on a computer without the logged on user noticing the remote access.
Typically used by hackers to allow them to return to a computer after they have gained initial access
Session Hijacking
Session Hijacking – this can happen in one of two ways: either taking over an existing authenticated TCP session between two computers, or taking over an existing web session between client and web server.
The idea is to let the communication path be established with any credentials that may be needed then, once the session is in progress, to take over and pretend to be the authenticated client thus gaining access to information
Types of Attack
Man in the Middle – a very common attack where the attacker inserts himself in between the target computer and the Internet or server so all traffic can be sniffed and captured
The client does not notice anything amiss and will log on, supply credentials and use the Internet, and all the data can be captured by the man in the middle
Types of Attack – man in the middle
The communication path is:
Victim to Attacker then Attacker to Web Server
Return traffic from Web Server to Attacker then Attacker to Victim
The path is transparent to the victim who is oblivious to the man-in-the-middle
Types of Attack
Replay attack – the attacker captures traffic from the client and then replays it to the server to pretend to be the client. Commonly used with captured authentication packets
Spoofing – pretending to be a legitimate machine by either faking the IP address or using a legitimate MAC address on a wireless network
Spoofing is also commonly used when sending junk mail by pretending to be a legitimate source
Poisoning
Replacing information in a table or cache with incorrect information
DNS poisoning – changing the entries in the DNS server look up tables with IP addresses that point to the attackers systems
Points the user to fake web sites to spread malware or capture credentials
ARP poisoning – modifying the IP to MAC address mapping to point a machine at the wrong destination
Frequently used as part of a man-in-the-middle attack
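An added example, not from the courseware, of detecting ARP poisoning from the defender's side: two constructed ARP cache snapshots in `ip neigh` style are compared, and an IP whose MAC changes (especially the gateway's) or a MAC answering for several IPs is reported. The addresses, MACs and gateway IP are assumptions.

```python
"""Detect ARP-cache changes that suggest ARP poisoning.

Added example, not from the courseware. The two snapshots are constructed:
the second shows the gateway's IP suddenly mapping to the MAC of another
host on the segment, the classic sign of a man-in-the-middle via ARP.
"""

# Constructed snapshots in the style of `ip neigh` output; the parser
# relies only on "<ip> ... lladdr <mac>".
SNAPSHOT_BEFORE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.7 dev eth0 lladdr 00:11:22:33:44:07 STALE
10.0.0.9 dev eth0 lladdr 00:11:22:33:44:09 REACHABLE
"""

SNAPSHOT_AFTER = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:09 REACHABLE
10.0.0.7 dev eth0 lladdr 00:11:22:33:44:07 STALE
10.0.0.9 dev eth0 lladdr 00:11:22:33:44:09 REACHABLE
"""


def parse_arp_table(text):
    """Return {ip: mac} from `ip neigh`-style lines; unresolved entries are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" not in parts:
            continue
        table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def changed_mappings(before, after):
    """IPs whose MAC changed between two parsed snapshots: {ip: (old, new)}."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def shared_macs(table):
    """MACs that answer for more than one IP: {mac: [ips]}.

    A host normally has one IP per interface; a single MAC claiming the
    gateway's address as well as its own is what a poisoned cache looks
    like from the victim's point of view.
    """
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def arp_alerts(before, after, gateway_ip="10.0.0.1"):
    """Human-readable alerts for the transition from `before` to `after`."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    alerts = []
    for ip, (old_mac, new_mac) in changed_mappings(old, new).items():
        tag = " (GATEWAY)" if ip == gateway_ip else ""
        alerts.append(f"{ip}{tag} moved from {old_mac} to {new_mac}")
    for mac, ips in shared_macs(new).items():
        alerts.append(f"{mac} now claims {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("ALERT:", alert)
```

A gateway MAC does legitimately change when the router is replaced, so the alert is a prompt for investigation; static ARP entries for the gateway and dynamic ARP inspection on the switch are the usual preventive controls.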
Domain Kiting - Typosquatting
This exploits the domain name registration process, where a new domain has a five day grace period before requiring payment
A domain is registered for five days, deleted, then re-registered for another five days, and so on, leading to no payment and also no traceability
Used for launching fraudulent websites
A variation on domain name abuse is typosquatting, where a domain name is registered with a slight misspelling which could easily be mistyped, e.g. because s and d are adjacent on the keyboard
Used to catch people who mistype and take them to a fake copy of the web site
Other attacks
Watering Hole Attack - The concept of installing malware onto a site that is likely to be visited by your target
Someone visits the site, gets infected by the malware and then that could spread around the victims network
Zero day – an attack that is new and unknown with no fix
Mobile Device Security
Consider the security available from the different types of connection:
Cellular – usually encrypted
Satellite – interceptable, should be encrypted
Wi-fi – use WPA2, VPN, awareness in public locations
Bluetooth – turn off discovery, authorised pairing only
NFC – use only when needed, awareness in public locations
Deployment Models
BYOD – Bring Your Own Device – use personal device on corporate network
CYOD – Choose Your Own Device – a list of approved devices
COPE – Company Owned Personally Enabled – company device that can be used as a personal device as well
Corporate Owned – good old company owned model
VDI – Virtual Desktop Infrastructure – legacy apps running on a mobile device
Mobile Device Issues
Issues with personal devices:
Data ownership – who owns what with BYOD?
Technical support – wide range of devices
Patching & antivirus
On board capabilities, camera, video, audio – espionage!
Acceptable use policy
On/off boarding – retrieval of device, deletion of data
Integration with existing infrastructure
Device loss or theft
Mobile Device Issues
Legal issues include:
Privacy of personal data
Control of company data
Separation of data in the case of examination of device
Protection of Mobile Devices
Loss or theft can lead to loss of data or compromise
Password or screen lockout/timeout
Biometric authentication – fingerprint/swipe
GPS tracking
Find my device
Remote wipe
Full device encryption
Voice encryption – provided by network?
MDM – Mobile Device Management
Securing Applications & Data
Application Vulnerabilities
Security for applications is required due to a wide range of application vulnerabilities that can be exploited
JavaScript – an interpreted language that executes in the browser; weak browser security can allow malicious code to execute
ActiveX – browser security settings should ensure only trusted controls are downloaded
Buffer Overflow – one of the originals, submitting too much data into a buffer will overflow and could crash application or expose data
Resource exhaustion – a form of denial of service attack if the app runs out of resources like sockets or memory
Application Vulnerabilities
Privilege escalation – could lead to an application running at a higher level of privilege, leading to unauthorised access or execution; frequently a result of a buffer overflow
Hijacking – session hijacking involves taking over a previously authenticated session by acquiring the session token and impersonating the user
Attachments – HTML attachments can contain malware
Browser add-ons/plugins – could contain malicious elements like keyloggers
CGI scripts – any scripting language could cause security issues if the script's input is not validated
Application Vulnerabilities
XSS or Cross-Site Scripting – XSS exploits the trust a browser has in the web server. You visit a web server and click on a link, malicious script is downloaded into the local browser and executes with unintended consequences. Users are lured into clicking hyperlinks in emails or links in postings on forums or social networking sites
XSRF or Cross-Site Request Forgery – an attack in which a site containing malicious code makes the browser reuse the session data of a connection the user has already authenticated, so the forged request is accepted as if the user had made it
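Added example (not from the courseware) of the two defences these items call for: output escaping so that injected script is displayed rather than run, and an anti-CSRF token bound to the session with an HMAC so that a forged cross-site request fails. `render_comment`, `csrf_token`, `check_csrf_token`, `handle_transfer` and the server secret are constructed names and values for the illustration.

```python
"""Output escaping against XSS and a session-bound anti-CSRF token.

Added example, not from the courseware. All names and the secret below
are constructed for illustration.
"""
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret; a real deployment loads it from protected
# configuration, never from source code.
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def render_comment(user_text):
    """Return an HTML fragment in which user input is treated as data.

    html.escape turns <, >, &, " and ' into entities, so a comment that
    contains a <script> tag is shown literally instead of being executed
    by the browser (the XSS case on the slide).
    """
    return f"<p class=\"comment\">{html.escape(user_text, quote=True)}</p>"


def csrf_token(session_id):
    """Derive a token bound to the session with an HMAC over the session id.

    A third-party site can make the victim's browser send the session
    cookie automatically, but it cannot read this token, so a request
    that lacks the matching token is rejected.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(session_id, submitted_token):
    """Constant-time comparison of the submitted token with the expected one."""
    return hmac.compare_digest(csrf_token(session_id), submitted_token or "")


def handle_transfer(session_id, form):
    """Simulated state-changing POST handler: token check before any action."""
    if not check_csrf_token(session_id, form.get("csrf_token")):
        return 403, "request rejected: missing or invalid anti-CSRF token"
    return 200, f"transfer of {form['amount']} accepted"


if __name__ == "__main__":
    sid = secrets.token_hex(16)                      # constructed session id
    print(render_comment("<script>alert(1)</script>"))
    print(handle_transfer(sid, {"amount": "10"}))    # forged request: no token
    print(handle_transfer(sid, {"amount": "10", "csrf_token": csrf_token(sid)}))
```

The token is embedded in the site's own forms and sent back with each state-changing request; because it is derived from the session, a token stolen from one session is useless against another.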
Application Vulnerabilities
Header manipulation – modifying the headers submitted to a web server which could lead to defacement or cookie manipulation
Injection – can take many forms, command injection, sql injection, inserting commands or instructions into the web interface
Directory traversal – trying to navigate beyond the web server content to the host platform directory structure
Arbitrary code execution – the ability to execute commands at will within an application
Zero day – the attacks we do not yet know about so there is no defence
Race conditions – interrupting the execution of a program to obtain privilege or access
Application Server Vulnerabilities
FTP servers – remember that FTP is an insecure protocol, additional layers of security/authentication may be required
DNS – the underlying protocol that allows the Internet to function. Malformed requests, zone transfers, poisoning, are all threats against DNS
DHCP servers – the dynamic allocation of addresses to clients is vulnerable to rogue DHCP servers allocating fake information, or to address exhaustion (a form of DoS)
Database servers – databases should be protected against unauthorised access, encryption where required, harden front end against SQL injection
Application Server Vulnerabilities
LDAP, Directory Services – a directory service is a repository of information, so it should be protected against unauthorised access or LDAP injection trying to bypass security controls
Email servers – authentication required; do not use the mail server as an open relay; use secure versions of IMAP; use encryption between mail servers and S/MIME for clients
Application Security
SDLC – the Software Development Life Cycle covers the stages of software development from concept to use
Application Security
There are different methodologies for software development:
Waterfall – a traditional model, each phase must be complete before the next phase starts
Agile – uses multi-disciplinary teams, iterative, more flexible
DevOps – a portmanteau of development and operations – bringing together all interested parties as part of the development process
Secure coding – all development should include security at all stages of the life cycle; secure coding includes using only safe functions and libraries
Application Security
Change management – all changes to applications have to be carried out in a controlled and structured way
Input validation – all software applications should validate all input prior to execution to reduce the risks of malware and command injection
Escaping – by escaping special characters, input is interpreted as data rather than as instructions
Code testing – all code should be reviewed and tested for functionality and security
Error handling – how does the application deal with errors or exceptions – fail secure
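Added example, not from the courseware, covering the injection and directory traversal items on the Application Vulnerabilities slide as well as the input validation and escaping items here: a concatenated SQL query beside its parameterised form, an allow-list username check, and a download path resolver that refuses anything that climbs out of the document root. The in-memory SQLite users table, the username pattern and the `/srv/www/files` root are assumptions.

```python
"""Input validation, parameterised queries and a path-traversal guard.

Added example, not from the courseware. The users table, the allow-list
pattern and the document root are constructed for the demonstration.
"""
import posixpath
import re
import sqlite3

DOC_ROOT = "/srv/www/files"                          # constructed document root
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # assumed allow-list


def make_db():
    """Create a throw-away in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """The 'before' form: user input is concatenated into the SQL text.

    Input such as  ' OR '1'='1  changes the meaning of the WHERE clause and
    returns every row.
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """The hardened form: the driver keeps the value separate from the code,
    so the same input is just a (non-matching) name."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def validate_username(name):
    """Allow-list validation: reject anything outside the expected alphabet."""
    return bool(USERNAME_RE.match(name))


def resolve_download(requested):
    """Map a user-supplied filename onto DOC_ROOT, or return None.

    Absolute paths and backslashes are refused outright; the rest is
    normalised (which collapses '..' segments) and then required to still
    sit strictly below the document root.
    """
    if requested.startswith("/") or "\\" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, requested))
    if not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"                            # classic injection string
    print("concatenated :", lookup_vulnerable(db, probe))
    print("parameterised:", lookup_parameterised(db, probe))
    print("valid name?  :", validate_username(probe))
    print("traversal    :", resolve_download("../../etc/passwd"))
    print("normal file  :", resolve_download("reports/q1.pdf"))
```

Validation and parameterisation are complementary: the allow-list rejects obviously malformed names early, while the parameterised query stays safe even for values the allow-list cannot reasonably constrain.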
Application Security
Code reuse – a lot of development is now object oriented reusing blocks of code and libraries. Ensure safe libraries and safe code is used
Secure testing and deployment:
separate development from production
test in isolated environment with test data
once accredited, move to production
develop and test in a sandbox environment
When using databases the decision should be made over using an SQL model or a NoSQL model
Data Security
Data Loss Prevention – DLP – discussed elsewhere. Knowing what data you have, where it is and where it goes. Protecting the data and controlling activities such as USB use, email attachments
Data encryption – the primary solution to confidentiality, can be implemented in several ways:
Trusted Platform Module – TPM – a hardware chip on the motherboard that is used with the encryption process storing passwords and encryption keys. Usually found on laptops
Hardware Security Module – HSM – basically a stand alone cryptoprocessor but could be included as a plug in module
Data Security
Full Disk Encryption – using built in or third party software, ensures no access to data if the device is lost or stolen
Database Encryption – either full or partial, ensures no access to data if unauthorised access is obtained
File or container encryption – only encrypting the areas that need that level of security
Removable media/mobile – all media should be encrypted, especially when in transit
Data Destruction
There are several techniques for data destruction or sanitisation:
Burning – ideal for paper or tapes but will not necessarily destroy magnetic data on disks
Shredding – physical destruction of paper and optical media
Pulverising – reducing to dust
Pulping – water mixed with paper
Degaussing – using a magnetic field to destroy the magnetic data on disks and tapes – not applicable to SSD
Wiping – overwriting media with several passes of data
Physical destruction – physically shred/destroy the media into tiny fragments
Remote Storage
Cloud storage – encrypt data, control access, consider data destruction – how do you verify?
Storage Area Networks – data should be secure whilst in transit and at rest, encryption can be used for both. Access controls for applications accessing data
Big data – data warehouses contain multiple data sets which are used for data analytics. Two issues:
1. Protecting the data at rest
2. Protecting the results of the queries, which may produce sensitive results
CompTIA Security+ Section II
Identity and Access Management
Access Control
CIA
Confidentiality – Encryption
Symmetric – shared secret – key management – static/dynamic – Diffie-Hellman
Asymmetric public/private key pair
Integrity – Hash one way function
Authorization – password hash; SSL/TLS mutual authentication, where each side checks the other's credentials
Access control
Access control is all about who has access to what
Controls have to be provided in the context of maintaining CIA
Before access is granted we have to consider the levels of control
Identity has to be validated – usually a username
Authentication – proving who you are
Authorisation – the system establishes what you can do
Accounting – a record of what you did and when – audit trail
This is known as the AAA model
Security Groups
Establishing the relationship between users, groups and the resources they need
Permissions could be assigned individually but this requires increased administration
Security groups simplify administration and can be based on three attributes:
Job function – group users by role
Department – group users within organisation hierarchy
Location – group users based upon physical location
Access Control Best Practice
“tools” that can help Access Controls:
Separation of Duties – no one user should have too much responsibility which may cross boundaries, e.g. separate administration from security, or require two signatures on a payment cheque
Job rotation – no one person stays in the same role for too long. Once again this helps prevent a worker staying in place whilst committing some form of fraud
Mandatory Vacations – common in the finance industry where you have to take a minimum two week break each year. This avoids employees working continuously so they can cover fraud or scams
Access Control Best Practice
Implicit Deny – users have no access to resources unless explicitly granted
Explicit Deny – users are explicitly denied access to resources regardless of what other group memberships they have
Least Privilege – users should only be given access to the resources they need to do their job, no more. If you only need to read you only get Read permission
Need to know – another aspect of least privilege, if you don’t need access you don’t get it
Access Control Models
These are the main types of access control:
Mandatory Access Control - MAC
Discretionary Access Control - DAC
Role Based Access Control - RBAC
Rule Based Access Control
Attribute Based Access Control
Access Controls
Mandatory Access Control is used within high security systems such as that used by the military and governments
Access is controlled through a series of labels that are applied by the operating system
The labels describe the sensitivity of the data:
Unclassified
Sensitive but unclassified (restricted)
Confidential
Secret
Top secret
These labels would typically apply within government systems
Access Controls
Mandatory Access Control can be applied in the commercial world although the labelling would likely be different
Public
Sensitive
Private
Confidential
Users requiring access in a MAC environment would have to be “cleared” to the levels they need for access
Access Controls
Discretionary Access Control is the most common system in use today
Access is granted or controlled by the owner of the object – you are the file owner, you decide who has what level of access
DAC uses access control lists to provide controls
Access Controls
Access Control Lists (ACLs) – these can be assigned to network resources like routers, to files and folders on a system, to provide a set of access rules to objects
The ACL defines which users are granted or denied access and what level of access that they may have
ACLs can be applied to groups and users who are members of multiple groups can end up with cumulative permissions but a deny permission will override any other permissions
Access Controls
Role Based Access Control can be applied as part of one of the other methods, MAC or DAC
Role Based is built around job roles so if you belong to the finance department you get access to finance files
Role Based is best implemented by using groups and applying permissions to the groups, then put users in the groups according to their roles
Access Controls
Implicit Deny exists in many systems that use Access Control Lists
Once permit rules are added to an ACL, an additional entry is appended as the last line of the list which is effectively a “deny all” statement; thus if you don’t match any of the rules in the list you are automatically denied
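Added example, not from the courseware, of the two ACL behaviours described on the Access Control Lists slide and here: a folder ACL where a user's permissions accumulate across groups but an explicit deny overrides any allow, and an ordered router-style rule list where the first match wins and anything unmatched falls through to the implicit deny. Users, groups, permissions and rules are constructed.

```python
"""Two ACL behaviours from the slides: cumulative group permissions with
deny overriding allow, and an ordered rule list with implicit deny.

Added example, not from the courseware; all users, groups, resources and
rules are constructed.
"""
import ipaddress

# --- file/folder ACL: entries per group, cumulative for a user -------------
FILE_ACL = {                                   # constructed ACL on one share
    "finance-share": [
        ("allow", "Finance", {"read", "write"}),
        ("allow", "Auditors", {"read"}),
        ("deny", "Contractors", {"write"}),
    ],
}
GROUP_MEMBERS = {                              # constructed group membership
    "Finance": {"alice", "carol"},
    "Auditors": {"bob", "carol"},
    "Contractors": {"carol"},
}


def effective_permissions(user, resource):
    """Union of the allows across the user's groups, minus any explicit deny.

    No matching entry at all yields an empty set: that is the implicit deny
    for the file system case.
    """
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    allowed, denied = set(), set()
    for kind, group, perms in FILE_ACL.get(resource, []):
        if group not in groups:
            continue
        (allowed if kind == "allow" else denied).update(perms)
    return allowed - denied          # deny wins over allow


# --- ordered network ACL: first match wins, implicit deny at the end --------
NETWORK_ACL = [                                # constructed router-style rules
    ("permit", "10.0.0.0/24", 443),
    ("deny",   "10.0.0.50/32", 22),
    ("permit", "10.0.0.0/24", 22),
]


def evaluate_rule_acl(src_ip, dst_port, rules=NETWORK_ACL):
    """Return (decision, rule_index); index None means the implicit deny fired.

    Rules are evaluated top to bottom and the first match decides, which is
    why the specific deny for 10.0.0.50 must sit above the broader permit.
    """
    ip = ipaddress.ip_address(src_ip)
    for idx, (action, network, port) in enumerate(rules):
        if ip in ipaddress.ip_network(network) and port == dst_port:
            return action, idx
    return "deny", None


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_permissions(user, "finance-share")))
    for ip, port in (("10.0.0.5", 443), ("10.0.0.50", 22),
                     ("10.0.0.7", 22), ("10.0.0.7", 80), ("192.0.2.1", 443)):
        print(ip, port, evaluate_rule_acl(ip, port))
```

Carol is the instructive case: membership of Finance and Auditors would give her read and write, but the Contractors deny strips write, exactly the "deny overrides" rule on the slide.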
Access Controls
Rule Based Access Control
Typically applied with the use of an ACL
Commonly found within network devices such as routers, firewalls and content filters
Rule based access control could also be applied using measures such as time of day restrictions
Access Controls
Attribute Based Access Control
Provides greater granularity than RBAC
Attributes are applied to subjects (users) and objects (what they are accessing)
ABAC allows the creation of rules to allow subjects differing levels of access to objects
Account Maintenance
Naming convention:
Use a standard account naming convention
Do not use account names that identify job functions
Limit logon attempts – set the maximum number of logon attempts prior to lockout or disablement, typically 3 to 5
Set account expiry dates – typically last day of employment
Disable unused accounts – when leaving, long term sickness, maternity these user accounts should be disabled
Set time restrictions – applicable to certain roles like shift workers, they can only log in at certain times
Account Maintenance
Machine restrictions – users can only log in from certain computers
Tokens – use multi factor authentication, hardware tokens or dongles
Restrict certain accounts – guest accounts, multi user accounts should be restricted based upon least privilege
Routine permission reviews – conducted regularly to avoid permission creep
Credential Management
The basic authentication mechanism of username and password is still the most common method in use because of its simplicity to implement and maintain
The system in its basic form is easy to compromise, e.g. by guessing the password, so there are systems we can put in place to strengthen security
Password management policies should be clearly understood by all
Password Policies
Password complexity – minimum of eight characters with a mix of upper and lower case letters, symbols and numbers. Typically the password must contain three of the four listed above and should not use dictionary or easy to guess words
Password length, minimum of 8 characters, 12 or more is considered secure and the longer it is the stronger it is
Passphrase – users should be encouraged to use pass phrases instead of passwords. A passphrase is a string of characters, without spaces that make up a phrase, easy to remember but the length makes it very difficult to crack
Password recovery – users forget passwords, the recovery mechanism must be a secure means of reset for a user
Account Policies
Password Expiry – a password should require frequent changes so the same password is not in use for too long, typically 30/60/90 days
Password history – you cannot use previously used passwords for a period of time
Administrators should have an ordinary user account for everyday user access and a separate account for administering the system. Many systems no longer allow an initial logon as administrator – you log on as a user then escalate privileges to those of administrator when you need them
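Added example, not from the courseware, implementing the password policy items from this slide and the previous one: minimum length, three of four character classes (waived for long passphrases), a dictionary check, password history against salted hashes, and expiry after a maximum age. The thresholds, the tiny word list and the PBKDF2 parameters are assumptions for the demonstration.

```python
"""Password policy checks: complexity, length, passphrases, history, expiry.

Added example, not from the courseware. Thresholds, the word list and the
hashing parameters are constructed assumptions.
"""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8            # slide: minimum of eight characters
PASSPHRASE_LENGTH = 16    # assumption: at this length the class mix is waived
MAX_AGE_DAYS = 90         # slide: typically 30/60/90 days
HISTORY_DEPTH = 5         # assumption: remember the last five passwords
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}  # constructed


def character_classes(pw):
    """Count how many of upper / lower / digit / symbol appear in pw."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: not c.isalnum() and not c.isspace())
    return sum(any(check(c) for c in pw) for check in checks)


def check_complexity(pw):
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in pw.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if len(pw) < PASSPHRASE_LENGTH and character_classes(pw) < 3:
        problems.append("needs three of: upper, lower, digit, symbol")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()
    return salt.hex() + "$" + digest


def in_history(pw, history):
    """True if pw matches any of the last HISTORY_DEPTH stored hashes."""
    for entry in history[-HISTORY_DEPTH:]:
        salt_hex, _ = entry.split("$", 1)
        if hash_password(pw, bytes.fromhex(salt_hex)) == entry:
            return True
    return False


def password_expired(last_changed, today=None):
    """True once the password is older than MAX_AGE_DAYS."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(pw, history):
    """Complexity plus history: everything a change-password form should enforce."""
    problems = check_complexity(pw)
    if in_history(pw, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    stored = [hash_password("OldPass#1"), hash_password("OldPass#2")]
    for candidate in ("abc", "Summer2024!", "Tr0ub4dor&3",
                      "correcthorsebatterystaple", "OldPass#1"):
        print(f"{candidate!r}: {validate_new_password(candidate, stored) or 'OK'}")
    print("expired:", password_expired(date(2018, 1, 1), today=date(2018, 4, 27)))
```

The passphrase waiver follows the slide's point that length, not symbol mix, is what makes a long phrase hard to crack; the history check works on stored hashes so the old passwords themselves never need to be kept.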
Credential Management
Domain accounts are used for centralised administration and also provide a Single Sign On facility
This simplifies admin but security has to be strictly enforced
Federation takes the concept of single sign on even further and allows a single set of credentials to cross enterprise boundaries
For example: you can log on to various sites using either your Facebook, Twitter or Google credentials
Permissions
Different permissions can be applied to files and directories
Permissions are usually defined within an ACL
Typical permissions could be Read, Write, Execute. These are the basic Linux permissions. Windows includes other permissions such as Modify, Delete, Full Control
The usual process is to create a group, give the group permissions against the resource, then put the appropriate users in the group
Physical Access Controls
When looking at securing computer systems never forget physical security
The first line of defence
Physical barriers can deter unauthorised access, examples being:
Fences and walls of varying height, with perhaps additional deterrent features such as barbed or razor wire
A one metre fence deters casual intruders
A two metre fence can deter a more concerted attack
Water can be used as a barrier – a moat, for example
Lighting
Different types of lighting can be used to provide enhanced security
Flood lighting – covering an entire area
Trip lighting – illuminates on detection of movement
Project lighting – focussed on an area – a searchlight
Video
Video surveillance is now commonplace
Considerations for an effective system include:
Coverage – fixed or moveable cameras
Quality – camera resolution, choice of lens, colour or monochrome
Recording – how much and for how long are records kept
Review – type of displays
Security of camera system
Intrusion detection
There are various types of intruder detection equipment available:
Proximity detector – detects change nearby
Motion detector – detects motion in a chosen area, typically linked to trip lighting
Infrared detector – senses change in body heat patterns
Acoustic detector – listening for sounds
Photoelectric detector – detecting a break in a beam
Locks
Different types of lock are available to enhance physical security
Hardware locks – key based, using either a ward or a tumbler mechanism. A tumbler lock (such as a Yale lock) uses a key with teeth; with a ward lock you can see through the keyhole
Smart locks – using a smart card or key card
Digital locks – either manual or electronic
Combination lock – requires a specific code
Other Physical Access Controls
Mantrap – the concept of two physical barriers which requires the individual to go through the first barrier, which has to close before the second can be opened. Both doors require authentication
The primary purpose here is to avoid tailgating and the system could also detect the number or weight of individuals inside the mantrap
Security Guard – a physical person who is capable of discriminating judgement
Guards can also monitor CCTV systems
Access logs – a record of who is in a facility, important for security and life safety
Physical Identification Controls
Personal ID card – photograph, name, company, job function, security clearance could all be defined on an ID card
Smart card – the id card could also be used for physical access based upon proximity or PIN
Common Access Card – an American system used by government and military personnel which can be used for physical and system access across multiple entities dependent upon assigned levels of access
Authentication and
Identity Management
Authentication
Before using a resource a user has to identify him/herself as a valid user
The user is then authenticated using different methods
If the authentication is successful then the user gains access
Authentication
Authentication is the process of proving identity
Uses one or more of the following factors:
Something you know (a password or PIN)
Something you have (smartcard or token)
Something you are (fingerprint or retina scan)
Something you do (swipe pattern)
Somewhere you are (location based)
Authentication
If only one entity is used it is single factor authentication
If two or more are used, e.g. password and fingerprint, it is multi-factor authentication
Remember that the username is not one of the factors, it is the element that you wish to authenticate
Authorisation follows authentication and allows access to resources
You could, however, be authenticated to the network but not authorised to access all resources
Authentication
Multi factor authentication can use any of the following:
Biometrics – fingerprints, palm prints, retina, iris, voice, handwriting
Tokens – RSA tokens, tokens that require PIN entry
Smartcards – card that contains necessary credentials which has to be inserted into device or in close proximity, the US government call this a Common Access Card (CAC)
Single Sign On
When in a workgroup environment each computer contains the resources needed and requires authentication
Centralised administration allows a single server based login which will then provide access to network based resources
Microsoft Active Directory is the best example of a single sign on system
LDAP (Lightweight Directory Access Protocol) is another mechanism for single sign on
Remote Access Authentication
Used for employees who require access from offsite locations
Multiple means of remote access including:
Dial-up – using modems, rarely used now
ISDN – technology based upon traditional telephone lines but, again, rarely used now
Cable modem – popular for home Internet connections
DSL – probably the most common connection for home users and small businesses
Remote Access Applications
These applications are necessary to provide access from a remote machine
Telnet – once a common remote connection protocol but now little used due to lack of built in security. All communication is in clear text, including authentication
SSH – Secure Shell. A secure alternative to Telnet which uses a secure encrypted tunnel
VPN – Virtual Private Network is a secure channel between two endpoints
Allows secure communication over an untrusted network
Remote Access Protocols
PPP – Point-to-Point Protocol, enables a connection between two computers over a serial line
SLIP – Serial Line Internet Protocol, the predecessor to PPP
VPN Protocols include:
Point-to-Point Tunnelling Protocol (PPTP)
Layer 2 Tunnelling Protocol (L2TP)
Internet Protocol Security (IPSec)
Transport Encryption
PPTP is a secure version of the PPP protocol and was developed by Microsoft for their implementation of VPNs
L2TP is also based upon PPP but has no native security; it is normally used to encapsulate IPSec
Virtual Private Networks
Remote Access Authentication
Protection of the authentication phase is vital to prevent user credentials from being captured
Common authentication services include:
PAP- Password Authentication Protocol
CHAP- Challenge Handshake Authentication Protocol
LANMAN – LAN Manager (Obsolete)
NTLM – NT LAN Manager authentication, integrity and confidentiality
Biometrics
Biometrics implements the “something you are” aspect of authentication
Various methods include:
Fingerprint/Palm scan
Retina/Iris
Voice recognition
Facial recognition
Hand geometry
Signature kinetics
Biometrics
Biometric systems are subject to errors
The FRR (False Rejection Rate) is a measure of the number of valid attempts that have failed
The FAR (False Acceptance Rate) is a measure of the number of false attempts that have been accepted
These errors are mapped on a graph and where they intersect is the CER (Crossover Error Rate). Ideally this should be as low as possible for the device to be effective
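As an added worked example (not part of the courseware), the following Python computes FRR and FAR across a range of matching thresholds from constructed similarity scores and finds the crossover point. The score lists, the 0 to 100 scale and the function names are assumptions made for the illustration.

```python
# Constructed sample data: similarity scores (0-100) from a hypothetical sensor.
# A higher threshold rejects more impostors but also more genuine users.
GENUINE_SCORES = [88, 92, 75, 81, 95, 69, 84, 90, 78, 86]   # legitimate users
IMPOSTOR_SCORES = [42, 55, 61, 38, 70, 49, 66, 30, 58, 73]  # other people


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold and return (threshold, rate) where FRR and FAR are closest.
    That intersection is the CER; a device with a lower CER discriminates better."""
    best = None
    for t in range(0, 101):
        fr, fa = frr(t, genuine), far(t, impostor)
        gap = abs(fr - fa)
        if best is None or gap < best[0]:
            best = (gap, t, (fr + fa) / 2)
    _, threshold, rate = best
    return threshold, rate


if __name__ == "__main__":
    for t in (60, 70, 80):
        print(f"threshold {t}: FRR={frr(t):.1f} FAR={far(t):.1f}")
    print("crossover (threshold, CER):", crossover_error_rate())
```

Tightening the threshold drives FAR down and FRR up; the sweep makes that trade-off visible on the sample data and lands on the point where the two rates meet.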
CompTIA Security+Section III
Cryptography
Objectives
General cryptography concepts
Cryptographic tools and products
Concepts of Public Key Infrastructure (PKI)
Implementing PKI
Concepts
Cryptography is the process of representing data in a concealed form so that the contents are not readable
Encryption is the process that changes the data and makes it unreadable
Decryption is used to reverse the process and present the data in its original form
The cipher is the algorithm that produces the encryption, usually mathematical
The key is used to determine the result of the encryption process
Plain text -> cipher + key -> Encryption -> Cipher text
Cipher Text -> cipher + key -> Decryption -> Plain text
Concepts
Information assurance protects information by providing the following:
Confidentiality – the data remains private when stored or in transit
- not disclosed to unauthorised people
Integrity – the data has not been altered in transit
- protection from damage or manipulation
Authentication – verifying the identity of both parties in communication
Non-repudiation – the sender cannot deny having sent a signed message
Obfuscation – security through obscurity
Algorithms
Cryptosystem – a system that provides encryption and decryption
Cryptosystems use algorithms or ciphers to produce ciphertext
The algorithm is usually known
The key is the part that has to remain secret
The key strength depends upon the keyspace – the size of the key
Most modern ciphers work using a combination of the following:
Substitution: substitute or exchange one value or letter for another, e.g. shifting the position in the alphabet a defined number of places
Transposition: Interchanging the order of letters using mathematical permutations
Concepts
Three types of encryption processes:
Symmetric encryption – uses a single shared key for encryption and decryption, also called private or secret key cryptography
Asymmetric encryption – also called public key cryptography, uses a pair of keys consisting of a public key and a private key
Hashing – the process of taking a quantity of data and producing a summary of the data in the form of a fixed length digest
Symmetric Encryption
Uses a single shared key for the encryption process.
If encrypting data on a hard drive the owner has the key
If encrypting data using a communications channel, both parties have access to the key
Faster than asymmetric encryption which uses a key pair
Larger keys provide for stronger encryption
The single key must be kept private
When used for communications there must be a secure key exchange process to ensure both parties have the correct key
Key exchange is a consideration
Symmetric Encryption
Common Symmetric Algorithms
Name                                              Block size (bits)   Key size (bits)
Data Encryption Standard (DES)                    64                  56
Triple DES (3DES)                                 64                  168
Advanced Encryption Standard (AES)                128                 128, 192, 256
Blowfish                                          64                  32 to 448
Twofish                                           128                 128, 192, 256
Rivest Cipher 5 (RC5)                             32 to 128           0 to 2040
International Data Encryption Algorithm (IDEA)    64                  128
RC4                                               stream cipher       variable
Common Symmetric Algorithms
All the previous algorithms are block ciphers in that they take a block of plain text and produce an equivalent block of cipher text
The block size can vary as shown in the table
An alternative to block ciphers is the stream cipher where the algorithm operates on one character or bit of data at a time
The only stream cipher to be aware of is Rivest Cipher 4 (RC4), which can use various key lengths, typically 64 or 128 bits
RC4 was commonly used in wireless encryption with WEP and WPA and was originally used within HTTPS sessions prior to AES
Symmetric Block Ciphers
It may sound confusing, but block ciphers can work in either a block mode or a stream mode and they are still block ciphers
Block mode implementations
ECB – Electronic Code Book
CBC – Cipher Block Chaining
Stream mode implementations
CFB – Cipher Feedback
OFB – Output Feedback
CTR – Counter Mode
The stream modes are so called because the cipher is used only to generate a keystream (each mode derives it in a different way) which is then combined with the data, whereas the block modes feed the data itself through the cipher one block at a time
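An added example, written for this page rather than taken from the courseware, showing how one and the same block cipher behaves in ECB, CBC and CTR. The block cipher itself is a toy 4-round Feistel construction built from HMAC-SHA256, chosen so the code is self-contained (a real system would use AES); the block size, padding scheme, function names and sample message are assumptions.

```python
import hmac
import hashlib
import os

BLOCK = 8  # bytes per block; a toy size chosen for readability (AES uses 16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, rnd, half):
    # Keyed PRF over (round number, right half); any keyed function works inside a Feistel network
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key, block):
    """Toy 4-round Feistel block cipher: a keyed permutation of one 8-byte block."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        l, r = r, _xor(l, _round_function(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):  # run the rounds backwards
        l, r = _xor(r, _round_function(key, rnd, l)), l
    return l + r


def pad(data):  # PKCS#7-style padding so the final block is full
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[: -data[-1]]


def _blocks(data):
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """Block mode, no chaining: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(data)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key, iv, data):
    """Block mode with chaining: each plaintext block is XORed with the previous
    ciphertext block (or the IV for the first block) before encryption."""
    out, prev = [], iv
    for b in _blocks(pad(data)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    """Stream mode: the block cipher only produces a keystream E(nonce||counter), which is
    XORed with the data. The same call encrypts and decrypts and no padding is needed."""
    out = []
    for counter, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(BLOCK // 2, "big"))
        out.append(_xor(b, keystream))
    return b"".join(out)


def repeated_blocks(ct):
    """Count ciphertext blocks that duplicate an earlier block (ECB leaks this structure)."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)
    message = b"ATTACKATDAWN" * 4  # constructed input whose 8-byte blocks repeat
    print("ECB repeated ciphertext blocks:", repeated_blocks(ecb_encrypt(key, message)))
    print("CBC repeated ciphertext blocks:", repeated_blocks(cbc_encrypt(key, iv, message)))
```

With the repeating sample message ECB shows three duplicated ciphertext blocks, which is exactly the pattern leakage that makes ECB unsuitable for anything but single blocks; CBC with a fresh IV and CTR with a fresh nonce show none.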
Asymmetric Encryption
Also called Public Key Cryptography
Uses a key pair consisting of a freely available public key and a secure private key stored by the owner
Not as fast as symmetric encryption
Uses much larger key lengths typically 1024 or 2048 bits
A 1024 bit asymmetric key is equivalent to a 160 bit symmetric key
Asymmetric Encryption
Asymmetric Encryption
Examples of asymmetric encryption algorithms include:
Digital Signature Algorithm (DSA)
Rivest, Shamir & Adleman (RSA)
Elliptic Curve Cryptography (ECC)
El Gamal
Diffie-Hellman (used within IPSec)
Key exchange
When using symmetric encryption consideration has to be given to the key exchange
In-band key exchange takes place within the normal communication channel but in a secure way
Out-of-band uses a separate channel outside the norm for key exchange
Whichever method used has to ensure the key is not compromised
Diffie-Hellman is best described as a key exchange algorithm
Diffie Hellman
Diffie-Hellman is a way of generating a shared secret between two people in such a way that the secret can't be seen by observing the communication. That's an important distinction: you're not sharing information during the key exchange, you're creating a key together.
Types of keys
Static keys – semi-permanent with a life span of typically one year
Ephemeral keys – temporary by nature. An ephemeral key is generated each time keys are established and is unique to each session
Perfect Forward Secrecy – if a private key is captured it only leads to the messages relevant to that session being decrypted because the key is unique to each session
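The key agreement described on the previous slide, together with the ephemeral-key point above, as an added example that is not part of the original slides. The modulus (the prime 2^255 - 19, used here only because it is a well-known large prime), the generator and the function names are assumptions; a real implementation uses a standard group such as the RFC 3526 MODP groups or elliptic-curve DH.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2^255 - 19 is a known prime (the Curve25519 field prime)
# and is used here purely as a convenient large modulus with generator 2.
P = 2**255 - 19
G = 2


def generate_private_key():
    """A fresh, never-reused exponent: generating one per session is what makes it ephemeral."""
    return secrets.randbelow(P - 2) + 1


def public_value(private_key):
    return pow(G, private_key, P)  # this is all that goes over the wire


def shared_secret(private_key, peer_public_value):
    return pow(peer_public_value, private_key, P)  # both sides arrive at g^(ab) mod p


def session_key(secret):
    """Hash the raw shared secret down to a fixed-size symmetric key."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def run_session():
    """One DH session. Returns (alice_key, bob_key, what_an_observer_sees)."""
    a, b = generate_private_key(), generate_private_key()
    A, B = public_value(a), public_value(b)
    observed = {"p": P, "g": G, "A": A, "B": B}  # no private exponent appears here
    return session_key(shared_secret(a, B)), session_key(shared_secret(b, A)), observed


def forward_secrecy_demo():
    """With ephemeral keys two sessions derive unrelated keys, so capturing one
    session's key reveals nothing about any other session."""
    k1, _, _ = run_session()
    k2, _, _ = run_session()
    return k1 != k2


def static_keys_reuse_secret(a, b):
    """With static (long-lived) private keys every session produces the same secret:
    compromising that one key exposes all past traffic as well."""
    return shared_secret(a, public_value(b)) == shared_secret(a, public_value(b))


if __name__ == "__main__":
    alice_key, bob_key, seen = run_session()
    print("keys match:", alice_key == bob_key)
    print("observer sees only:", sorted(seen))
```

The observer dictionary is the point of the slide: the eavesdropper sees p, g and the two public values but never the exponents, and the session key is never transmitted at all.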
Random Inputs
There are three types of numbers that can be used as inputs to encryption algorithms:
Salt – a randomly generated input usually used with hashing to provide differing outputs for identical inputs
Initialisation Vector (IV) – randomly generated numbers that ensure different outputs if the same message is encrypted twice
Nonce – numbers that are added to challenges to avoid replay attacks, not necessarily random
Steganography
The concept of hiding data inside an innocent looking format such as a graphic image or an audio file
Can also require passwords to gain access to the hidden data
Used to protect documents with digital watermarks
Steganography
The carrier or vessel can be a variety of formats – graphic, video, audio, the most common practice being text hidden inside a graphic file
The size of the image will dictate the quantity of data that can be hidden
Digital Signatures
A digital signature is used to prove the integrity of a message –that it wasn’t changed in transit, and also provides for non-repudiation
Digital Signatures
1. Sender composes message
2. Sender hashes message
3. Sender encrypts hash with sender private key (signs)
4. Sender sends message plus encrypted hash to recipient
5. Recipient removes the signed hash and decrypts with sender public key
6. Recipient hashes message
7. Recipient compares the two hash values
8. If hashes match the message has to have come from the sender and has not been tampered with in transit
The original message itself may or may not have been encrypted
If it is, the recipient's public key is used to encrypt it, so that only the recipient's private key can decrypt it
Non-repudiation
The sender of a message cannot deny they sent it
Achieved by using the sender’s private key to encrypt or sign the message – it must have come from them as only they have the private key
Hashing
Although hashing is a type of cryptography it is not true encryption in that it cannot be decrypted.
It is a one-way function that produces a fixed length digest or unique identifier for a piece of data
Also known as digest, checksum, hash, fingerprint
Used to prove the integrity of data
The input can be any length – a word, document, file or entire disk
The output is always a fixed length based upon the hashing algorithm used
Hashing
A typical use is for storing passwords in a concealed manner
Hashing
Basic requirements for hashing:
1. The input can be of any length
2. The output is always a fixed length
3. The hash function cannot be reversed
4. The function is fairly simple to compute
5. The hash should be collision free – no two pieces of data should produce the same hash
Hashing
Common hash algorithms in current use:
Hash function                   Output length (bits)
Message Digest 5 (MD5)          128
Secure Hash Algorithm (SHA-1)   160
SHA-192                         192
SHA-224                         224
SHA-256                         256
SHA-512                         512
RIPEMD                          160
HMAC                            variable
(HMAC has an additional key combined with the data prior to hashing)
Hashing
A fixed block of data will always produce the same hash value
Change one character in the block and the hash changes completely
Could two different blocks of data produce the same hash i.e. a collision – theoretically yes
Collisions – MD5 was once deemed suitable because 128 bits allows many trillions of possible values, but because collisions are possible, hash functions with much longer outputs such as SHA-256 are now in common use
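An added example (not from the courseware) demonstrating the hashing properties listed on the last few slides with the Python standard library: fixed output length regardless of input length, the same input always giving the same digest, the avalanche effect when a single input bit changes, and a keyed HMAC. The function names are assumptions.

```python
import hashlib
import hmac


def digest(data, algo="sha256"):
    """Hex digest of any-length input; the output length depends only on the algorithm."""
    return hashlib.new(algo, data).hexdigest()


def output_bits(algo):
    return hashlib.new(algo).digest_size * 8


def differing_bits(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data, algo="sha256"):
    """Flip the lowest bit of the first input byte and count how many digest bits change.
    For a sound hash function roughly half of the output bits flip."""
    altered = bytearray(data)
    altered[0] ^= 0x01
    return differing_bits(hashlib.new(algo, data).digest(), hashlib.new(algo, bytes(altered)).digest())


def keyed_digest(key, data):
    """HMAC: the digest depends on a secret key, so only a key holder can produce or check it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha512"):
        print(f"{algo:7s} {output_bits(algo):4d} bits  {digest(b'x', algo)[:16]}... (same length for 1 MB input: "
              f"{len(digest(b'x' * 1_000_000, algo)) == len(digest(b'x', algo))})")
    print("bits changed by a one-bit input change:", avalanche(b"The quick brown fox"), "of 256")
```

The one-bit change typically flips around 128 of the 256 SHA-256 output bits, which is why a one-character edit to a document produces a digest that bears no resemblance to the original.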
Hashing
Virtually all computer systems store user passwords in a hashed format
Password cracking usually consists of trying to crack the stored hash of the plain text password
Usually done by taking a word, hashing it, comparing the hash to the password hash, if it matches the password is known, if not, pick another word etc
Hashing
Password cracking methods:
Dictionary – take each dictionary word, hash it and compare the hash
Hybrid – take a dictionary word, add some numbers or change letters for numbers and then hash and compare
Brute-force – try hashing every combination of all letters, numbers and special characters until the password hash is matched
Cryptography
One time pads
One time pads provide for the most secure form of cryptography in that they use a sheet which contains totally random codes that are not repeated. The cipher text is derived from these codes and when complete, that sheet of the pad is destroyed and never used again.
The recipient uses an identical sheet to decrypt the message and then destroys their sheet
The main issue with such a system is the production of truly random codes, which is very difficult
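An added example (not part of the courseware) of a one-time pad in software: the "sheet" is a run of random bytes as long as the message, combined with it by XOR. The last function shows what is given away if a sheet is used twice, which is why the slide insists each sheet is destroyed after use. The function names are assumptions.

```python
import secrets


def generate_pad(length):
    """One sheet of the pad: random bytes from the OS CSPRNG, at least as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(pad, plaintext):
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: a pad must never be stretched or cycled")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def otp_decrypt(pad, ciphertext):
    return otp_encrypt(pad, ciphertext)  # XOR is its own inverse


def leak_from_pad_reuse(ct1, ct2):
    """With the same pad used twice, ct1 XOR ct2 equals m1 XOR m2: the pad cancels out and
    the relationship between the two messages is exposed without the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    message = b"ATTACK AT DAWN"  # constructed sample
    sheet = generate_pad(len(message))
    ct = otp_encrypt(sheet, message)
    print("ciphertext:", ct.hex())
    print("decrypted :", otp_decrypt(sheet, ct))
```

Each sheet of the pad is therefore single-use by construction: as long as the bytes are truly random and never repeated, the ciphertext carries no information about the plaintext.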
Implementing Encryption
WEP -Wired Equivalent Privacy
The first wireless encryption standard, using RC4 and an IV (initialisation vector). It had serious weaknesses, is easy to compromise and is rarely used now
WPA/WPA2 – Wi-Fi Protected Access
WPA also used RC4 but with a longer IV, which was more secure although eventually compromised. Superseded by WPA2, the current wireless encryption system, which uses AES
WPA2 is the only system to conform to the IEEE 802.11i wireless security standard
Email encryption
PGP-Pretty Good Privacy
An encryption tool for encrypting email messages
Uses an asymmetric method with digital certificates
GPG-GNU Privacy Guard
An open-source implementation of the PGP standard
S/MIME – Secure/Multipurpose Internet Mail Extensions
An extension of the MIME standard that allows for the signing and encryption of email
Transport Encryption
Used to secure information while being transmitted between two endpoints
These can be used for a variety of purposes:
Virtual Private Networks (VPNs)
Secure Web sessions using Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
Secure remote administration using Secure Shell (SSH)
Secure Sockets Layer (SSL)
Used to provide a secure connection for client /server traffic over the Internet
HTTPS uses an encrypted session over port 443
Relies upon the exchange of digital certificates
Uses a combination of asymmetric and symmetric cryptography
Creates a secure asymmetric channel for the exchange of a symmetric key
Now being replaced with Transport Layer Security (TLS) which works in a similar way that is transparent to the user
Secure Sockets Layer (SSL)
Transport Encryption - TLS
SSL has several weaknesses that could lead to exploits such as man-in-the-middle attacks so is now regarded as obsolete
TLS – Transport Layer Security builds on the security of SSL with different handshake and authentication functions
IPSec
IPSec is a standard architecture for setting up a secure channel
Consists of a modular framework
Supports multiple protocols
Uses public key cryptography
Relies upon security associations
IPSec
There are two main components:
Authentication Header (AH)– provides message integrity, non-repudiation, authentication and access control
Encapsulation Security Payload (ESP) – provides confidentiality and integrity of contents through encryption
IPSec can be used in the following ways:
AH
ESP
AH+ESP (most common)
IPSec
IPSec has two modes of operation:
Transport Mode – only the payload is encrypted
Tunnel Mode – the entire packet, header included, is encrypted
Secure Shell (SSH)
A secure connection that provides end-to-end encryption
Designed to replace insecure clear-text protocols such as Telnet, Remote shell (RSH), rlogin, rcp etc.
SSH v1 has now been replaced by version 2
Key Stretching
Weak keys can be broken by brute force attacks
Key stretching strengthens weak keys by increasing the time required to test each possible key
Creates an enhanced key made up of initial key + hash function + block cipher
Two common key stretching techniques are:
PBKDF2 – Password-Based Key Derivation Function 2
BCRYPT
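This slide, together with the earlier "Random Inputs" slide (salt) and the "Hashing" slides on password storage and cracking, is illustrated by the following added example, which is not part of the courseware: PBKDF2 from the Python standard library with a random per-password salt. The storage format, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # constructed choice; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived_key (hex).
    A fresh random salt means two users with the same password store different values,
    so a precomputed table of hashes is useless against them."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_hashes_differ(password):
    """Same password hashed twice gives two different records because the salt differs."""
    return hash_password(password) != hash_password(password)


def stretch_factor(password, iterations=ITERATIONS):
    """Roughly how many times slower one PBKDF2 guess is than one bare SHA-256 guess.
    That multiplier is what key stretching buys: every dictionary or brute-force
    guess against the stored record costs the attacker this much more work."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    hashlib.sha256(salt + password.encode()).digest()
    t1 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong password", record))
    print("one PBKDF2 guess costs about %.0fx a plain SHA-256 guess" % stretch_factor("x"))
```

The record stores everything needed to verify later (algorithm, iteration count and salt) but nothing that lets the password be recovered directly; the only route is guessing, and each guess now costs hundreds of thousands of hash operations instead of one.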
Public Key Infrastructure - PKI
Public Key Infrastructure
Public Key Infrastructure (PKI) is the framework for deploying asymmetric cryptography systems
Uses digital certificates as a means of authenticating entities and distributing public keys
Certificates are issued by Certificate Authorities (CAs) that are trusted third parties so if two users have certificates issued by a CA they trust each other
PKI is the basis of e-commerce with websites being issued with digital certificates to validate their identity
Public Key Infrastructure
Certificates are based upon the X.509 standard
Public Key Infrastructure
Obtaining a certificate:
1. Client requests certificate from CA. The client provides their public key and proof of identity
2. The CA validates the client identity
3. CA produces certificate and signs with CA private key
4. Certificate is issued to the client
5. The certificate can be validated by any other client because their browser contains the CA public key to validate CA signature
Public Key Infrastructure
Trust Models
The previous diagram showed a hierarchical model with a root CA and subordinate CAs
Web of Trust is a model that relies on users creating and signing their own certificates – used by PGP and GPG
Third Party Trust – all users trust each other by virtue of their certificates having been issued by a single authority
Key Management
Key management involves the generation, distribution, storage and backup of keys.
Secure storage of keys is paramount
Centralised management involves a single place/server where keys are controlled, issued and stored. A scalable solution
Decentralised management is where each individual is responsible for the storage and management of their own keys
Key Escrow
When using asymmetric cryptography it is vital that the private key is kept private
Key escrow is the process of copies of private keys being held by a central system or a third party agency
In the event of a disaster or the corruption of a private key, service can be restored by recovering the copy of the private key from the third party.
Key recovery is carried out by a key-recovery agent who has the permissions necessary to access the key database
Key Recovery
A company could use the services of a third party to act as a recovery agent where keys are backed up
Another method is to require a minimum number of key recovery agents to be present before a key can be recovered. This is called M of N control: a set number of recovery agents (N) out of the total number (M) must take part, e.g. 3 agents from a total of 5
Multiple Key Pairs
Issuing multiple key pairs increases security
Multiple keys can be used for different purposes including:
• Encryption – protection of data
• Authentication – identifying users through public keys
• Nonrepudiation – impossible to deny a transaction
Certificate Life Cycle
1. Certificate is requested
2. Certificate is issued
3. Certificate is published
4. Certificate is received
5. Certificate is used
6. Certificate is suspended or revoked
7. Certificate expires
8. Certificate is destroyed
Certificate Revocation
Certificates have an expiry date after which they are no longer valid but there may be the need to revoke a certificate earlier if it is compromised or stolen
CAs publish Certificate Revocation Lists (CRLs), which are databases of revoked certificates
The CRL is distributed to users and applications and can always be checked before accepting a certificate
When certificates expire they should be securely destroyed
Certificate Revocation
When a client connects to a secure web server there needs to be a check to ensure the certificate has not been revoked
Doing this manually is not practical
The Online Certificate Status Protocol (OCSP) is used to do this
The browser sends an OCSP request that checks with the CA that the certificate has not been revoked
Certificate Destruction
If the certificate and the associated key have been compromised or expired they must be destroyed
It is difficult to destroy the public key but destroying the private key breaks the link and prevents the certificate from being used
If the private key is deleted from a system it must be deleted securely such that it is not recoverable
CompTIA Security+Section IV
Network Security
Secure Network Administration
Network administration is an ongoing function of maintaining systems but this must be done in a secure manner. There are steps that can be taken to enhance security
VLAN Management – VLANs are usually assigned on a port by port basis on the switches.
The management VLAN (VLAN 1 by default) should be renumbered
VLANs can be isolated from others if there is a security need
Secure Network Administration
Switches should be physically secure and inaccessible to users
Unused ports should be disabled.
Port Security can be applied to individual switch ports
A maximum number of MAC addresses can be set on a port, any more and the port shuts down
Specific MAC addresses can be assigned to specific ports so a port will only function if the address is on the correct port
Ports can be configured to look for rogue DHCP servers which may be sending false information
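As an added example (not part of the courseware), a small Python model of the port security behaviours just described: a learning limit per port, statically assigned MACs, and dropping DHCP server replies that arrive on an untrusted port. The class, its attributes and the err-disable behaviour are assumptions chosen for the illustration, not any vendor's implementation.

```python
class SwitchPort:
    """Simulated access port with port security and DHCP snooping (constructed model)."""

    def __init__(self, name, max_macs=1, static_macs=(), trusted=False):
        self.name = name
        self.max_macs = max_macs              # learning limit; exceeding it is a violation
        self.static_macs = set(static_macs)   # if set, only these MACs may use the port
        self.trusted = trusted                # DHCP server replies accepted only on trusted ports
        self.learned = set()
        self.err_disabled = False
        self.log = []

    def receive(self, src_mac, dhcp_server_reply=False):
        """Return True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if dhcp_server_reply and not self.trusted:
            # A rogue DHCP server on an access port: drop the reply, log it, keep the port up
            self.log.append(f"{self.name}: dropped DHCP server reply from {src_mac} on untrusted port")
            return False
        if self.static_macs:
            if src_mac in self.static_macs:
                return True
            return self._violation(src_mac)
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac):
        # Shutdown action: the port stays down until an administrator re-enables it
        self.err_disabled = True
        self.log.append(f"{self.name}: port security violation by {src_mac}, port err-disabled")
        return False


if __name__ == "__main__":
    port = SwitchPort("Gi0/1", max_macs=1)
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:01", "00:11:22:33:44:02"):  # constructed MACs
        print(mac, "forwarded" if port.receive(mac) else "dropped")
    print("\n".join(port.log))
```

The log lines are what a defender would forward to a SIEM: a port-security violation usually means an unauthorised device (or a hub) was plugged into a user port, and a dropped DHCP reply on an access port points at a rogue DHCP server.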
Secure Network Administration
Switch port administration can also be carried out using external protocols such as 802.1x
802.1x is an authentication protocol that can use an external server such as RADIUS to provide the acceptance to use certain switch ports
802.1x uses EAP – Extensible Authentication Protocol
These aspects are covered in more detail later in the notes
Secure Network Administration
Access Control Lists on network devices can be used to allow or deny specific traffic either access to or through that device
ACLs apply a top down approach to process the rules until one matches
ACLs will usually have a default deny rule that is applied if no other rules match
ACLs can be found on routers and firewalls
Secure Network Administration
Routers can be hardened or made secure through applying security configurations
ACLs can control traffic through routers
Remote administration can be secured using protocols such as SSH instead of Telnet
Administrative permissions can be applied at different levels on routers allowing for delegation of routine administration tasks
Routing traffic between routers can be secured with authentication and encryption
Secure Network Administration
Firewalls work using rule based administration
A set of rules are configured and when traffic arrives it is examined against those rules to be allowed or denied
The overall rule for a firewall is default deny
Different rules can be defined for inbound and outbound traffic
The order of firewall rules is significant in how they operate with the more specific rules at the top of the list
Firewalls should not respond to ping requests
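The ACL and firewall rule processing described on the last few slides, as an added example that is not part of the courseware: a top-down, first-match evaluator with an implicit default deny, plus a check that shows why rule order matters. The rule base, packet format and function names are assumptions; the addresses are private and documentation ranges, not real hosts.

```python
from ipaddress import ip_address, ip_network

# Constructed rule base. Rules are evaluated top-down, the first match wins, and
# anything that matches nothing is dropped by the implicit default deny.
RULES = [
    {"action": "deny",  "src": "10.0.0.0/8", "dst": "192.168.1.10/32", "proto": "tcp",  "dport": 22},
    {"action": "allow", "src": "10.0.0.0/8", "dst": "192.168.1.10/32", "proto": "tcp",  "dport": None},
    {"action": "allow", "src": "0.0.0.0/0",  "dst": "192.168.1.20/32", "proto": "tcp",  "dport": 443},
    {"action": "deny",  "src": "0.0.0.0/0",  "dst": "0.0.0.0/0",       "proto": "icmp", "dport": None},
]


def matches(rule, pkt):
    """A rule field of None (or proto 'any') matches everything; otherwise it must match exactly."""
    return (ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and rule["proto"] in ("any", pkt["proto"])
            and rule["dport"] in (None, pkt.get("dport")))


def evaluate(rules, pkt):
    """Return (action, index of the matching rule); index None means the default deny applied."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None


def order_matters(rules, pkt):
    """Swap the first two rules and report whether the verdict changes. The specific deny
    has to sit above the broader allow, otherwise the allow matches first and the deny
    never fires."""
    swapped = [rules[1], rules[0]] + rules[2:]
    return evaluate(rules, pkt)[0] != evaluate(swapped, pkt)[0]


if __name__ == "__main__":
    samples = {  # constructed packets
        "ssh from LAN to admin host": {"src": "10.1.1.1", "dst": "192.168.1.10", "proto": "tcp", "dport": 22},
        "web from LAN to admin host": {"src": "10.1.1.1", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},
        "https from Internet": {"src": "203.0.113.5", "dst": "192.168.1.20", "proto": "tcp", "dport": 443},
        "ping from Internet": {"src": "203.0.113.5", "dst": "192.168.1.1", "proto": "icmp"},
        "unmatched": {"src": "203.0.113.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {evaluate(RULES, pkt)}")
    print("swapping rules 1 and 2 changes the SSH verdict:", order_matters(RULES, samples["ssh from LAN to admin host"]))
```

Returning the index of the matching rule is deliberate: when a firewall change review asks "which rule let this through", that index (or the rule's own id) is the first thing you want in the log line.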
Network Security
Network Security
Network devices fulfil a number of roles within today's networks and include the following:
Firewalls
Routers
Switches
Load Balancers
Proxy Servers
VPN Concentrators
Firewalls
The primary function of a firewall is to provide protection for a network by preventing unwanted traffic entering from other networks
Most commonly used at the perimeter of a private network to protect it from the public Internet
Firewalls
In simple terms a firewall is device with two (or more) network interfaces that can examine the traffic between two networks and only allow traffic through that has been defined as allowable
The basic form of firewall is a packet filter that looks at source and destination information such as addresses, port numbers and protocols, and makes forwarding decisions on that information
A packet filter examines the information contained in TCP and IP packet headers
A packet filter works at layers 3 & 4 of the OSI model
Firewalls
Circuit level gateways include layer 5 of the OSI model and base the forwarding decisions on the connections between the two endpoints as well as address information
Application level gateways work at layer 7 of the OSI model and are application specific as in web gateway that examines HTTP traffic
Application gateways can examine the data packets so can filter on HTTP requests and content returned
Another term for application gateway would be proxy server
Firewalls
Stateful firewalls maintain a record of the state of the connections that pass through to ensure that the flags are correct and the traffic is flowing in the right direction
Stateless firewalls do not look at the flags and purely use ACLs to permit or deny traffic. A stateless firewall could be compromised with certain types of unauthorised traffic such as ACK tunnelling
Firewalls
Stateful multilayer Inspection Firewall
This combines the functions of the previous firewall types, works from layers 3 to 7 of the OSI model and examines all aspects of the packets: headers and data
It also tracks the state of TCP connections and checks the flags to ensure the connection is valid and has been set up in the permitted direction, e.g. it will allow a connection initiated from inside to out but not one initiated from outside to in
Routers
Routers are used to connect network segments together at layer 3, the network layer
They connect IP subnets together
Routers pass traffic towards the destination based upon the destination IP address of the packet.
They base forwarding decisions upon information in their routing tables
The routing tables are built using either static entries or based upon information passed between routers using routing protocols
Switches
Switches connect devices together at layer 2 of the OSI model, the data link layer
They move frames between switch ports by looking at the destination MAC address
Switches hold a MAC address table in memory that records which MAC addresses have been seen on which ports
If the switch does not know which outbound port to use it floods the frame out of all ports except the one it arrived on. An attacker can deliberately exhaust the table with bogus source addresses (MAC flooding) so that the switch floods everything and can be sniffed like a hub, which is what port security limits guard against
Switches can be connected together to propagate the traffic to further devices at layer 2
Load Balancers
A load balancer is used to distribute traffic across two or more devices
Load balancers can be used to maximise throughput and speed up response times, and they remove a single server as a point of failure because traffic is steered away from a server that stops responding
Commonly found in front of a group of web servers to distribute requests across multiple servers; as the point where all client connections arrive, the load balancer is also a natural place to terminate TLS and apply rate limiting
Proxy Servers
Proxy Servers fulfil a number of roles within the network environment
The proxy server sits between the client and the Internet and acts as a go-between for web requests
Their primary role was originally caching: the proxy kept copies of web content and returned them to clients that requested the same pages, reducing bandwidth requirements
Proxy Servers
The proxy server, because of its position between client and Internet, can also provide NAT – address translation – so the clients' private addresses are hidden behind the proxy's public address
The proxy logs all traffic that passes through it. This was originally to help tune the cache; it now has the added advantage of producing a record of who went where, which is valuable in an investigation
The proxy can also be used to control who goes where: filters can be applied so that users cannot access undesirable content on the Internet
VPN Gateways
VPNs – Virtual Private Networks are now an important tool used by remote workers
Users can log in from anywhere with the benefit of an encrypted, authenticated connection over the Internet
The remote VPN connections are terminated at the destination on a VPN concentrator or gateway
This terminates the encrypted tunnel and forwards the decrypted traffic to its true destination within the network; because the remote machine effectively becomes part of the internal network, the gateway should enforce strong authentication and, ideally, health checks on the connecting device
Data Loss Prevention
Data Loss Prevention (DLP) solutions are used to mitigate the unauthorised leakage or transfer of data outside of an organisation
The first stage of DLP is identifying the information that is critical and where it is held
The data can then be tagged according to sensitivity to define what actions can be carried out on it
For example: preventing the transfer of tagged data to USB devices, or requiring encryption before it is transmitted
Spam Filters
Spam filters are now commonplace in networks to introduce an element of control over unwanted email
The main function of a spam filter is to identify emails as unwanted or junk and block, quarantine or remove them
Many providers now supply spam filtering in the email chain so the junk is filtered before it reaches the incoming mail server, reducing the load on it
Spam Filters
Spam filters should be inserted between the firewall and the email gateway
The filter determines whether a message is legitimate or not using a variety of techniques:
Spam databases – most filters have a database of signatures of known spam
Blacklists – lists of known spam mail server IP addresses
URL block lists – lists of malicious URLs; messages containing them are blocked
Bayesian filtering – statistical analysis of the words in a message against previously classified spam and legitimate mail
Reputation filtering – scoring sending mail servers as having a good or bad reputation
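The Bayesian technique is the one a practitioner can most usefully see in code. The following is an added example (not part of the courseware): a Bernoulli naive Bayes classifier trained on a handful of constructed messages, which returns the probability that a new message is spam. The training set is deliberately tiny; a real filter trains on thousands of messages and keeps learning from what users mark as junk.

```python
"""Bayesian spam filtering: a naive Bayes classifier over word tokens.

Added example, not part of the courseware. The training messages are
constructed and deliberately tiny; a real filter trains on thousands.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]+")


def tokens(text: str) -> set:
    """Lower-cased word set; each word counts once per message (Bernoulli model)."""
    return set(TOKEN.findall(text.lower()))


# Constructed training data: three junk messages, three legitimate ones.
TRAINING = [
    ("spam", "WIN a FREE prize now! click here to claim your $$$ reward"),
    ("spam", "cheap meds, free shipping, click now"),
    ("spam", "you have won! claim prize, limited offer, click"),
    ("ham",  "meeting moved to 3pm, see agenda attached"),
    ("ham",  "can you review the firewall change request before friday"),
    ("ham",  "lunch tomorrow? the usual place"),
]


class NaiveBayes:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha                      # Laplace smoothing so unseen words never give p = 0
        self.doc_count = Counter()
        self.word_count = {"spam": Counter(), "ham": Counter()}
        self.vocab = set()

    def train(self, samples):
        for label, text in samples:
            self.doc_count[label] += 1
            toks = tokens(text)
            self.word_count[label].update(toks)
            self.vocab |= toks

    def _word_prob(self, label: str, word: str) -> float:
        """P(word present | label), smoothed."""
        return (self.word_count[label][word] + self.alpha) / (self.doc_count[label] + 2 * self.alpha)

    def spam_probability(self, text: str) -> float:
        """P(spam | message) via Bayes' theorem, computed in log space to avoid underflow."""
        toks = tokens(text)
        total_docs = sum(self.doc_count.values())
        log_post = {}
        for label in ("spam", "ham"):
            lp = math.log(self.doc_count[label] / total_docs)   # prior
            for w in self.vocab:
                p = self._word_prob(label, w)
                lp += math.log(p) if w in toks else math.log(1 - p)
            log_post[label] = lp
        m = max(log_post.values())
        z = sum(math.exp(v - m) for v in log_post.values())
        return math.exp(log_post["spam"] - m) / z


def classify_demo() -> dict:
    nb = NaiveBayes()
    nb.train(TRAINING)
    return {
        "junk": nb.spam_probability("free prize click now"),
        "legit": nb.spam_probability("agenda for friday meeting"),
    }


if __name__ == "__main__":
    for k, v in classify_demo().items():
        print(k, round(v, 3))
```

Words the classifier has never seen ("for" in the second message) are ignored, and smoothing keeps a single unusual word from driving the score to 0 or 1. This is also why spammers pad messages with innocuous text: they are trying to push the ham side of the ratio up.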
Content filtering
Content filters can work in both directions
Inbound – they look for undesirable content and block it
Outbound – they can spot the transmission of potentially sensitive information in emails, such as PII or credit card numbers
URL filtering – one of the roles of the proxy, which can also control the ingress of undesirable content or the accessing of prohibited web sites
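The outbound case above, and the DLP tagging described earlier, both come down to recognising sensitive data reliably. As an added example (not part of the courseware), the Python below scans an outgoing message for payment card numbers: a regular expression finds candidate digit strings and a Luhn check then discards order numbers and phone numbers that merely look like cards, so the filter blocks and redacts only genuine-looking PANs. The sample messages are constructed and the card number is a well-known test number, not a real account.

```python
"""Outbound content filter for card numbers: pattern match plus Luhn check.

Added example, not part of the courseware. The sample messages are
constructed; 4111 1111 1111 1111 is a standard test number, not a real card.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate PANs that pass the Luhn check, separators removed."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, as a DLP log or quarantine notice would."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_outbound(message: str) -> tuple:
    """Return ("allow", message) or ("block", redacted message)."""
    pans = find_card_numbers(message)
    if not pans:
        return ("allow", message)
    redacted = message
    for pan in pans:
        # Rebuild a pattern that tolerates the separators used in the original text.
        pattern = r"(?<!\d)" + r"[ -]?".join(pan) + r"(?!\d)"
        redacted = re.sub(pattern, mask(pan), redacted)
    return ("block", redacted)


if __name__ == "__main__":
    print(inspect_outbound("Please charge card 4111 1111 1111 1111 for order 1234567890123456"))
    print(inspect_outbound("order reference 1234567890123456 shipped today"))
```

The second message is allowed even though it contains sixteen digits, because 1234567890123456 fails the Luhn check. Without that check a DLP rule on "16 digits" generates so many false positives that users stop reading the alerts.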
SIEM Systems
Security Information and Event Management systems are a centralised method of collecting security information from multiple systems
Log files and traffic captures can be sent to a central system that provides several functions:
Logging and storage of log files in one place (which also keeps them out of reach of an attacker who compromises the originating host)
Analysis and correlation across the multiple inputs
Alerting in the event of potential attacks or threshold breaches
Reporting – collating information and reporting on it
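The value of a SIEM is in the second and third functions: normalising events from different sources and correlating them. Here is an added example (not part of the courseware) in Python that parses constructed sshd and firewall log lines into one schema, then raises an alert when one source address fails to log in four times within a minute, and a higher-severity alert if the same source then succeeds. The host names and addresses are fictional.

```python
"""SIEM-style correlation: parse events from two sources and alert on a threshold.

Added example, not part of the courseware. The log lines are constructed
and the hosts and addresses fictional.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd failures plus a firewall accept, as a SIEM would
# receive them over syslog from different hosts.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 bastion sshd[411]: Failed password for root from 198.51.100.23 port 51002 ssh2
2024-03-01T10:00:03 bastion sshd[411]: Failed password for admin from 198.51.100.23 port 51003 ssh2
2024-03-01T10:00:05 bastion sshd[411]: Failed password for root from 198.51.100.23 port 51004 ssh2
2024-03-01T10:00:06 bastion sshd[411]: Failed password for oracle from 198.51.100.23 port 51005 ssh2
2024-03-01T10:00:09 bastion sshd[412]: Accepted password for root from 198.51.100.23 port 51006 ssh2
2024-03-01T10:00:12 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=443
2024-03-01T10:02:00 bastion sshd[413]: Failed password for alice from 10.0.0.9 port 40000 ssh2
"""

SSHD = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>\w+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")


def parse(lines: str) -> list:
    """Normalise heterogeneous lines into a common event schema."""
    events = []
    for line in lines.splitlines():
        m = SSHD.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                           "host": m["host"], "src": m["src"], "user": m["user"],
                           "outcome": "failure" if m["result"] == "Failed" else "success"})
            continue
        m = FW.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                           "host": m["host"], "src": m["src"], "dst": m["dst"],
                           "dport": int(m["dport"]), "outcome": m["action"].lower()})
    return events


def correlate(events: list, threshold: int = 4, window: timedelta = timedelta(minutes=1)) -> list:
    """Alert on (a) `threshold` failed logins from one source inside `window`
    and (b) a later success from a source that tripped (a): a brute force that worked."""
    alerts = []
    failures = defaultdict(list)    # src -> timestamps of recent failures
    tripped = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "sshd":
            continue
        src = ev["src"]
        if ev["outcome"] == "failure":
            failures[src] = [t for t in failures[src] + [ev["ts"]] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in tripped:
                tripped.add(src)
                alerts.append(("brute_force", src, "%d failures within %s" % (len(failures[src]), window)))
        elif ev["outcome"] == "success" and src in tripped:
            alerts.append(("brute_force_success", src, "user %s on %s" % (ev["user"], ev["host"])))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

The single failure from 10.0.0.9 never reaches the threshold, which is the point of a threshold rule: one mistyped password is normal, four in five seconds from an external address is not, and a success right after them is the event an analyst should be paged for.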
Web Security Gateway
A more complex device than a proxy server
Scans the web traffic between browser and server for known attack types
Can carry out deep inspection of HTTP traffic
Spots attacks such as XSS (Cross Site Scripting)
IDS/IPS
IDS – Intrusion Detection Systems are placed on segments of a network so they can detect unauthorised activity or malicious traffic
IDS are passive devices: they detect the presence of malicious traffic and raise an alert but do not prevent the traffic from reaching its destination, so they are typically fed from a SPAN/mirror port or a network tap rather than sitting inline
IDS/IPS
IDS can be network based – NIDS – where it monitors segments for malicious traffic, or host based – HIDS – where it is installed on a host and monitors traffic coming into the host and also local activity on the host
IDS uses several methods to detect malicious traffic:
Signature based – the IDS has a database of signatures of known malicious traffic, a bit like anti-virus; it cannot detect attacks it has no signature for
Anomaly based – the IDS is trained on what normal traffic looks like, so when different traffic patterns are seen it raises an alert
Protocol anomaly – protocols construct their packets in defined ways; when malformed or unusual packets are seen an alert is raised
Heuristics – the ability to make “an educated guess” as to whether traffic is malicious or not
IDS/IPS
IPS – Intrusion Prevention System – is where the traffic has to pass through the device (inline), which gives it the ability to be proactive and block the suspect traffic
IPS can be network based – NIPS – or host based – HIPS
Works in a similar way to IDS, with the added cost that a false positive now blocks legitimate traffic and a failed device can stop traffic altogether
NIPS placed at the edge of a network complements the traditional firewall: the firewall works on fixed rule sets whereas the IPS can react dynamically to threats, and the two are now often combined in one device
Implementing IDS/IPS (diagram in the original slides)
Protocol Analysers
A protocol analyser is used to examine traffic at the packet level
Can be a hardware or software implementation
Packets can be captured and analysed in real time or stored for later analysis
Another name for a protocol analyser is “packet sniffer”; the same capability in an attacker's hands is why clear-text protocols are a risk
Protocol analysers
The best known software packet analyser is Wireshark
Network Design Elements
There are a number of features that can be incorporated into network design to provide increased security
DMZ – originally known as a Demilitarised Zone – is a network segment that hangs off the firewall or sits between two firewalls and is neither inside nor outside the network
The two-firewall implementation (diagram in the original slides)
Network Design Elements
The single firewall with a DMZ interface (diagram in the original slides)
The DMZ provides a segment where public facing servers can be placed behind a firewall, giving some protection, but not on the internal network, so the risk of an attacker hopping from a compromised web server to the internal network is reduced; the firewall rules from the DMZ into the internal network should be as restrictive as those from the Internet
Network Design Elements
Extranets
An extranet is the practice of connecting two private intranets together using the Internet as the connection medium
The Internet connection would consist of a VPN
Each intranet has firewalls in place to provide segregation so that only the required portion of the intranet is made available to the other party
An extranet (diagram in the original slides): Intranet A and Intranet B joined by a VPN connection via the Internet
Network Design Elements
Network Access Control – NAC is a way of controlling client access to a network that goes beyond authenticating the user and looks at the connecting device itself
NAC can be configured to only allow connection if the device meets certain security criteria, e.g. patched to the correct level, anti-virus up to date, etc; devices that fail can be placed in a quarantine network for remediation
NAC can also apply post-connection controls by monitoring the client for unauthorised activity
Network Design Elements
NAT – Network Address Translation provides for the more efficient use of IP addresses
Every computer on the Internet needs a globally unique public IP address to communicate. Most home and business networks use private IP addresses, which are not routable on the Internet
The perimeter network device, typically the DSL router, provides the NAT service to translate the internal private addresses into an acceptable public address
An Internet connection with one usable public IP address can have many private addresses all translating to the one public address
Network Design Elements
NAT
NAT has the following advantages:
Allows multiple private addresses to share one public address
Hides the private addresses: only the public address is seen from outside
Acts as a very basic form of firewall, since unsolicited inbound packets have no translation entry and are dropped
Network Design Elements
Any IP address can be used inside a network using NAT, but there is a set of IP address ranges that are officially allocated for private use
These are defined in RFC 1918:
10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
In reality, when there are multiple private addresses mapping to only one public address the correct term is PAT – Port Address Translation. Each outbound connection from a private address is mapped to a separate source port on the public address, and the device keeps a table of these mappings to translate the replies back
We use the term NAT all the time when really we mean PAT
Network Design Elements
Subnetting – the process of taking a block of IP addresses and subdividing it to create smaller networks
By creating smaller networks, separated at the IP layer, security can be increased because network issues can be confined to a subnet rather than the whole network, and traffic between subnets can be filtered
Reduces the problems caused by broadcasts because the subnetworks are connected by routers, which do not forward broadcast packets
The router or default gateway becomes the exit/entry point for that subnet
Subnets: straightforward and more complicated examples (diagrams in the original slides)
Network Design Elements
VLANs – Virtual Local Area Networks are created by taking the switch ports on a layer 2 device and allocating them to different logical networks, i.e. splitting the switch into multiple virtual switches, each its own broadcast domain
Network Design Elements
VLANs can cross switches by the use of trunk connections, which carry frames for several VLANs tagged with their VLAN ID (802.1Q)
This allows users who have the same job function to be physically separated while their computers remain in the same VLAN and can communicate with each other; traffic between VLANs has to pass through a router or layer 3 switch, where it can be filtered
Network Design Elements
Remote Access – the concept of a remote or home worker establishing a connection to the corporate network via either a dial-up or an Internet connection
Modems were used for dial-up connections but are limited to 56kbps
Modems had the call-back security feature where the destination would hang up and call the client back on a pre-registered number
War dialling was one of the threats against dial-up systems – the practice of dialling ranges of numbers and listening for modem connect tones to find exposed systems
Most connections now use broadband (DSL or similar) over the Internet, where speeds range from 512kbps to many Mbps, and establish VPN connections
Network Design Elements
Virtualisation – the practice of having a host system (a hypervisor) which runs one or more other operating systems, each encapsulated in a separate environment
Virtually any operating system can run on any hardware, and each virtual environment consists of a set of files that are portable for backup and resilience purposes
Virtual machines can have snapshots taken that allow very quick restoration
Allows for hardware consolidation; each virtual instance is isolated from the others running on the same host, but that isolation depends on the hypervisor, so the hypervisor itself must be patched and hardened
Network Design Elements
Cloud computing – the big buzzword. Storage and processing performed elsewhere, somewhere on the Internet
Demand can be raised or lowered as required
Backups and recovery all covered by the cloud supplier – the ideal world, although the customer remains responsible for securing what it puts there
IaaS – Infrastructure as a Service: the provider supplies virtualised compute, storage and networking; the customer installs and manages the operating systems and applications
PaaS – Platform as a Service: the provider also supplies and manages the operating system and runtime; the customer only deploys and manages its applications and data
SaaS – Software as a Service: complete online applications such as Office 365 or Google Docs, free or subscription based; the customer manages only its data and user access
Network Design Elements
Private Cloud
This is a cloud service within a corporate network that is for internal use only, isolated from the Internet but providing shared facilities for internal departments
Public Cloud
A cloud service that is publicly available, usually subscription based
There are many public cloud services available such as:
Google Drive
OneDrive
Dropbox
iCloud
Secure Network Administration
OSI Reference Model
Used as the basis for all network design
A seven-layer model that maps to the equivalent four-layer TCP/IP model derived by the US Department of Defense
Protocols
The TCP/IP protocol suite consists of many hundreds of protocols that all have specific functions on a network
Newer protocols are constantly being developed as technology advances; older ones fall into disuse or get superseded
Most of these are standard protocols but some are specifically used to provide security
The protocols described in the following pages are not a complete list but represent the important ones to be aware of from a security perspective
Internet Addressing Schemes
IPv4
The traditional IP addressing scheme where all addresses are based upon a 32 bit binary address represented as a dotted decimal number
e.g. 131.107.2.200
IPv6
The next generation of addressing based upon a much larger 128 bit addressing scheme, represented as groups of hexadecimal numbers
e.g. FE80:0000:0000:012C:A6B3:00FC:2349:6A30
ICMP
Internet Control Message Protocol – ICMP is the standard diagnostic and reporting protocol behind such well known utilities as ping and traceroute
The ping utility uses the echo request and echo reply messages, but there is a range of informational and error messages that ICMP returns to clients when a device is unable to complete a transaction; traceroute relies on the time exceeded message that routers send back as the TTL runs out
ICMP Type Description
0 Echo reply
3 Destination unreachable
5 Redirect
8 Echo request
11 Time exceeded in transit
ICMP
ICMP and its features are used for scanning networks and for launching some attacks
A ping sweep (echo requests to every address in a range) will tell you which hosts are alive on a network, which is why many firewalls drop inbound echo requests
The SMURF attack sends echo requests to a network's broadcast address with the victim's address forged as the source, so every host on that network replies to the victim (amplification)
The ping of death sends a fragmented ICMP packet which, when reassembled, exceeds the maximum IP datagram size of 65,535 bytes, crashing systems whose reassembly code did not check the bounds
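To see what the type table and the ping of death actually involve at byte level, here is an added example (not part of the courseware) in Python that builds and parses ICMP echo messages with the Internet checksum from RFC 1071, and includes the bounds check a fragment reassembler needs. Packets are constructed in memory only; nothing is sent on the wire.

```python
"""Building and parsing ICMP echo messages, with the Internet checksum
(RFC 1071) and the bounds check that defeats the ping of death.

Added example, not part of the courseware; packets are constructed in
memory and nothing is sent on the wire.
"""
import struct

ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 5: "Redirect",
              8: "Echo request", 11: "Time exceeded in transit"}
MAX_IP_DATAGRAM = 65535                 # the IP total-length field is 16 bits


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, carries folded back in, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header is type, code, checksum, identifier, sequence (8 bytes);
    the checksum is computed over header plus payload with the field zeroed."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    t, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": t, "name": ICMP_TYPES.get(t, "other"), "code": code,
            "ident": ident, "seq": seq, "payload": pkt[8:],
            "checksum_ok": inet_checksum(pkt) == 0}   # an intact packet sums to zero


def fragment_in_bounds(offset_units: int, data_len: int) -> bool:
    """A fragment's offset (in 8-byte units) plus its data must fit inside a
    65535-byte datagram. The ping of death sends a final fragment for which
    this is false; a reassembler that skips the check overruns its buffer."""
    return offset_units * 8 + data_len <= MAX_IP_DATAGRAM


if __name__ == "__main__":
    pkt = build_echo(8, 0x1234, 1, b"abcdefgh")
    print(pkt.hex())
    print(parse_icmp(pkt))
    print(fragment_in_bounds(8189, 1480))   # the classic oversized last fragment
```

The checksum property used in parse_icmp (a valid packet sums to zero, including its own checksum field) is the same one IP and TCP use, which is why a one-line check catches corruption but not tampering: an attacker simply recomputes it.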
HTTP
The primary communications protocol for web browsers to connect to web servers
A stateless protocol – each request is handled independently and the server keeps no memory of earlier requests, so any notion of a logged-in session has to be carried by the application, typically in a cookie (which is why session cookies are a target for attackers)
Uses TCP port 80 by default
All data is transmitted in clear – hence the need for the secure version, HTTPS
SSL & HTTPS
Secure Sockets Layer – SSL is the protocol originally used to provide a secure connection between web server and client browser
Uses a combination of asymmetric encryption (to authenticate the server and agree a key) and symmetric encryption (to protect the data)
Has now been superseded by Transport Layer Security – TLS; all versions of SSL and TLS 1.0/1.1 are deprecated and should be disabled
HTTPS (HTTP over SSL/TLS) uses TCP port 443 by default
TLS itself is not tied to a port: it also protects other protocols on their own ports, such as SMTP, LDAP (636) and FTPS
A certificate based system (certificates are covered later); the client should check that the server certificate chains to a trusted CA and matches the host name
HTTPS uses SSL/TLS as its transport mechanism to provide security
Telnet
A terminal emulator that allows connectivity between dissimilar platforms, e.g. Telnet from Windows to UNIX
Allows a remote console to appear on the local machine
Telnet has no security: all communications are in clear, including the authentication, so a sniffer on the path captures the password
Has been largely replaced by SSH but is still found on internal networks and on older network and embedded devices; uses TCP port 23
SSH
The Secure Shell – SSH protocol was designed as a replacement for existing clear-text protocols used for remote access and network file copies
Older protocols such as telnet, rlogin, rsh, rcp and rexec have all been replaced by SSH, which provides an encrypted remote connection for administration and secure file copy using SCP or SFTP
SSH uses TCP port 22; the client verifies the server's host key, and authentication can use passwords or, preferably, key pairs
FTP & TFTP
File Transfer Protocol was the original command-line utility for uploading and downloading files from an FTP server; it uses TCP port 21 for the control channel and a separate data connection (port 20 in active mode)
Very commonly used but insecure, with authentication and data transfer in clear
Graphical versions have been developed such as CuteFTP
Trivial File Transfer Protocol – TFTP is a basic form of FTP over UDP port 69 that is device based, not user based, and as such does not require any authentication between client and server; it is used for booting devices and loading configurations and should not be reachable from untrusted networks
FTPS
File Transfer Protocol over SSL – FTPS is a secure version of the FTP protocol that uses the SSL protocol (or TLS now)
Implicit FTPS uses TCP ports 990 for control and 989 for data; explicit FTPS starts on the normal FTP port 21 and upgrades the connection with the AUTH TLS command
SFTP & SCP
Secure FTP – SFTP is another variant of a secure connection for file transfers
Uses the Secure Shell, SSH, as the underlying transport mechanism; despite the name it is a separate file-transfer subsystem of SSH rather than FTP tunnelled over SSH
Uses the same TCP port 22 for communications
SCP – Secure Copy Protocol is another file transfer tool that is based around the SSH protocol
DNS
The Domain Name System – DNS is used to provide name resolution, mapping hostnames and URLs into IP addresses
DNS uses a hierarchical structure to create what are known as FQDNs – Fully Qualified Domain Names
For example, fourth.internet.co.uk is broken down as follows: uk is the top-level domain, co is the second-level domain, internet is the organisation's domain and fourth is the host name within it
DNS
DNS queries are resolved as a series of requests that start at the “root” of the DNS name space and move downwards through the hierarchy, with each answer cached by the resolver so later queries are served locally
DNS
DNS servers hold zone files that contain the records that are pertinent to a particular organisation
DNS
DNS has two types of communication
Zone transfers take place when one DNS server sends updated zone file information to another DNS server
This communication uses TCP port 53; zone transfers should be restricted to known secondary servers, because an open zone transfer hands an attacker a map of every host in the zone
The other type of communication is where clients query the DNS server for the IP address of a particular host
This traffic uses UDP port 53, falling back to TCP port 53 for responses that are too large for a single UDP datagram
SNMP
Simple Network Management Protocol – SNMP is a management protocol that can be used to query and configure devices connected to the network
Providing the device has an agent that supports SNMP it can be managed remotely
Most hardware and OS vendors provide for their devices to be managed by SNMP
The vendors publish a MIB – Management Information Base which specifies which objects and attributes can be read or set by SNMP
SNMP
SNMP versions 1 and 2c are inherently insecure and should not be used
They authenticate with “community strings”, which act as shared passwords; the defaults are “public” (read) and “private” (read/write), and all communication between devices is in plaintext over the network so the strings and data can be sniffed
Version 3 of SNMP introduced per-user authentication and encryption of the traffic between devices
The agent listens on UDP port 161 for queries and configuration requests from the manager
UDP port 162 on the manager receives trap messages sent by the devices
IPSec
IPsec is a suite of protocols used within Virtual Private Networks (VPNs) to provide security in terms of authentication, integrity and encryption at the IP layer
IPsec consists of a framework that contains multiple protocols, the main ones being
AH – Authentication Header – authenticates the sender and protects the integrity of the whole packet, but provides no encryption
ESP – Encapsulating Security Payload – encrypts the data and can also authenticate it, which is why ESP is what is normally deployed
IPSec
IPsec can operate in two modes:
Transport Mode – protects (encrypts) the payload but leaves the original IP header in place; used host to host
Tunnel Mode – encapsulates the whole original packet, header and data, inside a new IP packet; used between gateways for site-to-site VPNs and for remote access
IPSec
Can be used stand-alone or together with L2TP (described elsewhere)
Used either as a secure remote access solution or for secure tunnels between sites – site-to-site implementation
Uses symmetric cryptography for the bulk encryption, with IKE (Internet Key Exchange) to authenticate the peers and to negotiate and periodically refresh the symmetric keys
IPSec
IPsec peers (endpoints) agree a security association (SA) which contains multiple components, including
Symmetric encryption algorithm (e.g. AES)
Key exchange method
Hashing/integrity mechanism (e.g. HMAC with SHA-2)
NetBIOS
Network Basic Input/Output System is the LAN protocol invented by IBM and was the first protocol used by Microsoft for networking in the early days with LAN Manager
Although not used in the same way now, NetBIOS is still part of Microsoft networking, usually within the LAN environment, running over TCP/IP (NetBIOS over TCP/IP, ports 137–139)
iSCSI
SCSI – Small Computer System Interface is a disk interface that is used to connect multiple storage devices through a controller to a computer
iSCSI – Internet SCSI is an IP based protocol that allows the transmission of SCSI commands over a network, thus allowing storage devices to be connected remotely; it should run on a dedicated storage network, since anyone who can reach the iSCSI target can read the disks
Fibre Channel
Another interface for mass storage connectivity
Fibre Channel is a network structure that exists to provide connectivity between storage systems and servers
A separate network from the front-end IP network, purely for data transfer from storage
Gets its name from the fact that the connectivity is typically over fibre optic cables, although copper links are also used; the deliberate “Fibre” spelling signals that the protocol is not tied to optical fibre
RTP
Real-time Transport Protocol is used for transporting voice and video over IP networks
One of the underlying protocols for VoIP
No encryption by default, so calls can be reconstructed from a packet capture; the secure version SRTP adds encryption and authentication of the media
Commonly Used Network Ports
Protocol                          Port
NTP                               123 (UDP)
NetBIOS (name/datagram/session)   137/138 (UDP), 139 (TCP)
IMAP                              143
SNMP                              161/162 (UDP)
LDAP                              389
HTTPS                             443
SMB (directly over TCP)           445
ISAKMP/IKE (IPsec VPN)            500 (UDP)
Syslog                            514 (UDP)
PPTP                              1723
RDP (Remote Desktop)              3389
Authentication Protocols
Password Authentication Protocol (PAP)
Predecessor to CHAP and deprecated because the password is supplied in clear text
Authentication Protocols
Challenge Handshake Authentication Protocol (CHAP)
Used over remote connections to provide authentication credentials securely: the server sends a random challenge, the client replies with a hash (MD5) of the challenge and the password, so the password itself never crosses the link and a captured reply cannot be replayed
Authentication Protocols
LM Hash
Original Microsoft (LAN Manager) authentication hash
Limits passwords to 14 characters and converts them to upper case, which already removes much of the key space
Pads the password to 14 characters and splits it into two 7-character halves, each used as a DES key to encrypt a fixed string; the two halves can therefore be cracked independently, and a password of 7 characters or fewer leaves the second half as a known constant
Disabled by default in current versions of Windows
NTLM & NTLMv2
Replacement for the LM hash (NTLM hashes the Unicode password with MD4)
Challenge-response based system; NTLMv2 adds a client challenge and HMAC-MD5 to resist the replay and precomputation attacks possible against NTLMv1
Authentication Protocols
EAP – Extensible Authentication Protocol
Used primarily in wireless networks (WPA/WPA2 Enterprise via 802.1X) but can also be used on wired LANs
EAP is a framework rather than a single method; it extends authentication by allowing additional methods such as certificates, tokens, biometrics, etc
Variations of EAP include PEAP (which protects the inner authentication inside a TLS tunnel), EAP-TLS and LEAP (Cisco proprietary, now considered insecure)
Authentication Services
RADIUS – Remote Authentication Dial-In User Service
As the title indicates RADIUS is an authentication service that was originally popular in the days of dial-up connections, being able to authenticate remote users when they connected
RADIUS is now more commonly used with VPN connections, terminal services and other types of remote access
Authentication Services
RADIUS is also known as an AAA server which indicates the services it can provide:
Authentication – who you are
Authorisation – what you can do (access control)
Accounting – for how long did you do it (for charging or auditing)
Authentication Services
RADIUS is a client/server system where the RADIUS server provides the authentication; the RADIUS client is the network access device (the Remote Access Service, VPN gateway or wireless access point) that is requesting the decision, not the remote computer asking for connectivity
Authentication Services
RADIUS ports and protocols
RADIUS uses UDP for its connections; only the user password attribute is obscured (with MD5 and the shared secret) and the rest of the exchange is in clear, so RADIUS traffic should be kept on a trusted network or protected with IPsec or RADIUS over TLS
RADIUS ports are currently:
Port 1812 for authentication
Port 1813 for accounting
RADIUS also historically used another pair of ports which can still be found in use today for backwards compatibility
Port 1645 for authentication
Port 1646 for accounting
Authentication Services
Lightweight Directory Access Protocol (LDAP) is a directory service protocol which underpins both Microsoft Active Directory and Novell eDirectory (NDS)
The protocol follows the X.500 standard for the format of records and uses TCP port 389, or port 636 for LDAP over SSL/TLS (LDAPS); plain LDAP sends simple binds (passwords) in clear, so LDAPS or StartTLS should be required
A hierarchical structure that contains a root and branches with leaf objects
Authentication Services
SAML – Security Assertion Markup Language
An XML-based standard
Allows authentication and authorisation information about individuals (assertions) to be exchanged securely between an identity provider and service providers, which is the basis of web single sign-on
Authentication Services
TACACS/TACACS+/XTACACS – Terminal Access Controller Access Control System
The most common of the above today is TACACS+
Another type of AAA server, which works in a similar way to RADIUS but separates authentication, authorisation and accounting and encrypts the whole packet body rather than just the password
Very common in Cisco networks for administering network devices
TACACS+ uses TCP port 49 (the original TACACS used UDP port 49)
Authentication Services
Kerberos is another example of a third party authentication protocol
A generic protocol which is now the standard authentication mechanism used by Microsoft (Active Directory)
A centralised authentication solution where the main component is the Kerberos Key Distribution Center (KDC); tickets are time-stamped, so the clocks of clients, servers and the KDC must be synchronised
Authentication Services
Kerberos Authentication
1. Client provides credentials, which are sent to the KDC (in practice the client proves knowledge of its password by encrypting a timestamp with a key derived from it)
2. KDC verifies them and issues a Ticket Granting Ticket (TGT) to the client
3. Client requests access to a service by presenting the TGT and requesting a Service Ticket (ST)
4. KDC verifies the client's TGT and issues an ST to the client, time-stamped and encrypted with the service's key
5. Client receives the ST and presents it to the requested service, which verifies the ticket with its own key (without contacting the KDC) and initiates a session with the client
Authentication Services
OAuth – an authorisation framework that uses tokens to allow a client application limited access to a user's resources; it does not by itself authenticate the user
OpenID Connect – builds on OAuth 2.0 to add identity verification (an ID token) for the user
802.1X – a port based network access control mechanism that authenticates devices (via EAP and usually a RADIUS server) before they are allowed to connect to wired or wireless networks
HOTP – HMAC-based One Time Password: an HMAC over a counter shared between token and server generates the one time password
TOTP – Time-based One Time Password: extends HOTP by using the current time (in 30-second steps) as the counter
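HOTP and TOTP are small enough to implement from the standard library, and doing so shows exactly how the counter, the HMAC and the truncation fit together. The following is an added example (not part of the courseware) in Python: hotp() follows RFC 4226, totp() derives the counter from Unix time as in RFC 6238, and verify_totp() shows the two details a server must get right, tolerating a step of clock drift and comparing codes in constant time. RFC_SECRET is the shared key from the RFC test vectors; a real deployment provisions a random per-user key.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) implemented with the standard library.

Added example, not part of the courseware. RFC_SECRET is the shared key
from the RFC test vectors; real deployments provision a random per-user key.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SECRET = b"12345678901234567890"   # test key from RFC 4226 / RFC 6238 appendices


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP with the counter taken from Unix time divided by the step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and `window` steps either side (clock drift);
    compare in constant time so the check does not leak how many digits matched."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    for c in range(4):
        print(c, hotp(RFC_SECRET, c))          # 755224, 287082, 359152, 969429 per RFC 4226
    print(totp(RFC_SECRET, at=59, digits=8))   # 94287082 per RFC 6238
```

Two operational points follow from the code: an HOTP server must store and advance the counter (and resynchronise if the token is pressed without logging in), and a TOTP server must keep good time, because the window is the only tolerance it has. Rate limiting the verify call matters too, since a 6-digit code gives an online guesser a 1-in-10^6 chance per attempt per step.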
Secure Network Administration
Network devices should be configured for security
Firewalls – rule sets ending in an implicit deny, deep packet inspection
Routers – configured with ACLs
Switches – VLANs configured, port security and MAC address limits
ACL rules – set on IP address, port numbers and protocols
Network separation – implementation of security zones, DMZ
UTM – Unified Threat Management – an all-in-one device that can do firewall, IDS, IPS, load balancing, DLP, spam and malware filtering
Great idea but a single point of failure!!
Risks to networks
Weak passwords – a strong password policy is required
Privilege escalation – apply and enforce the rule of least privilege
Default accounts – rename or remove them
Hardening of systems – discussed elsewhere
Apply DDoS mitigation – e.g. scrubbing services such as Cloudflare or Akamai
Apply OS and firmware updates
Securing Wireless Networks
Wireless Network Security
The effective range of a wireless network is very difficult to predict, being dependent on such factors as obstacles, building materials, metal shielding, radiated power, etc
A site survey is useful for establishing how far wireless signals travel and where they can be intercepted
The transmitted power levels can be reduced on most access points to limit the range to within your boundary
The type of antenna in use also affects how far wireless signals travel: a directional antenna concentrates the signal and will travel further in one direction than an omnidirectional one
Antenna placement should avoid objects that interfere and be central so that coverage is even and leakage outside the building is minimised
Wireless Topologies
There are two main topologies for wireless networks
Ad-hoc (IBSS) – devices communicate directly with each other without the need for an access point
Infrastructure – clients communicate through an access point, which is the normal corporate arrangement
Large networks will have multiple access points providing total coverage of the required area and allowing the seamless movement of clients between access points
Wireless Network Security
The standards for wireless networks are defined by IEEE 802.11
Standard Frequencies Speed
802.11a 5GHz 54Mbps
802.11b 2.4GHz 11Mbps
802.11g 2.4GHz 54Mbps
802.11n 2.4 or 5GHz Up to 600Mbps
802.11ac 5GHz 1Gbps upwards
Wireless Network Security
Service Set Identifier – SSID is the “name” of the wireless network
The SSID is included in beacon, probe and association frames because there may be more than one network using the same channel
BSSID – Basic Service Set Identifier refers to the MAC address of the access point being used
ESSID – Extended Service Set Identifier refers to the SSID of the network when more than one access point is in use on the same network
The access point periodically broadcasts the SSID in a beacon frame; one security step is to disable SSID broadcasts
Disabled (hidden) SSIDs can still be discovered by sniffing the traffic, since clients send the name in probe requests when they connect, so this is obscurity rather than a real control
Wireless Network Security
MAC filtering – wireless networks can be made marginally more secure by limiting which clients are allowed to connect
This is done by listing the MAC addresses of the clients permitted to join the wireless network
It is configured on the wireless access point or router
It is not foolproof because MAC addresses are sent in the clear in every frame, so an attacker can sniff an allowed address and spoof it
Wireless Encryption
WEP – Wired Equivalent Privacy was the first attempt at wireless encryption
Uses RC4 for encryption; each frame also carries a 24 bit initialisation vector (IV) in clear text, which is prepended to the shared key to form the per-frame RC4 key
The key length is either 40 bit (+24 bit IV, marketed as 64 bit) or 104 bit (+24 bit IV, marketed as 128 bit)
The IV is what makes WEP very weak: 24 bits gives only about 16.7 million values, so on a busy network IVs repeat within hours, and a repeated IV means the same RC4 keystream is reused; related-key weaknesses in RC4 also leak the key itself
WEP is easily cracked after a sufficient number of frames have been captured by sniffing, regardless of key length
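The following is an added worked example, not part of the original courseware, showing why a repeated IV is fatal for WEP. It implements plain RC4 and a WEP-style encryption (IV prepended to the key, CRC-32 ICV omitted); the 40 bit key, IV values and frame contents are constructed for the demonstration, and the birthday-bound calculation shows how few frames are needed before two IVs collide.

```python
"""Added example (not from the original courseware): why a repeated WEP IV is fatal.

WEP seeds RC4 with IV || key and XORs the keystream with the frame.  If two
frames share an IV they share a keystream, so XORing the two ciphertexts
cancels the keystream and leaves plaintext1 XOR plaintext2.  The 40-bit key,
IV values and plaintexts used here are constructed for the demonstration.
"""
import math

IV_BITS = 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 keyed with IV || shared key (CRC-32 ICV omitted)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper learns from two frames that share an IV: p1 XOR p2,
    computed from the ciphertexts alone, without the key."""
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(key: bytes, iv: bytes, known_plain: bytes, secret_plain: bytes) -> bytes:
    """If one of the two frames is predictable (e.g. an ARP or DHCP packet),
    the attacker recovers the other frame outright."""
    leak = keystream_reuse_leak(key, iv, known_plain, secret_plain)
    return xor_bytes(leak, known_plain)


def frames_until_iv_collision(prob: float = 0.5) -> int:
    """Birthday bound: frames needed before two random 24-bit IVs collide
    with the given probability (about 4,800 frames for a 50% chance)."""
    n = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")           # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    arp = b"ARP request frame"                  # predictable traffic
    secret = b"secret credential"
    print("recovered:", recover_with_known_plaintext(key, iv, arp, secret))
    print("frames for 50% IV collision:", frames_until_iv_collision())
```

Even if IVs were chosen perfectly at random, the birthday bound says a collision is more likely than not after a few thousand frames; real WEP cards often counted IVs sequentially from zero, making collisions far more frequent.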
Wireless Encryption
WPA – Wi-Fi Protected Access replaced WEP as an interim fix that could run on existing WEP hardware. Still found in use, but it is deprecated and its TKIP encryption has known weaknesses
Also uses RC4 encryption, but with a 48 bit IV (sequence counter) and TKIP wrapped around it
TKIP – Temporal Key Integrity Protocol mixes the IV and the sender address with the temporal key to produce a fresh per-frame RC4 key, changes the temporal key periodically and adds a message integrity check (Michael)
The practical weakness of WPA (and of WPA2) in personal mode is the pre-shared key: the 256 bit PSK is derived from the passphrase and the SSID, so a short or dictionary passphrase can be recovered offline from a single captured four-way handshake; anything well under 12 characters is breakable in a reasonable time
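To make the passphrase weakness concrete, here is an added example, not part of the original courseware, that derives the WPA/WPA2-Personal pre-shared key exactly as a client does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes, per IEEE 802.11i) and then runs the offline guess-and-check an attacker performs. The wordlist and SSIDs are constructed; a real cracker verifies each candidate against the captured handshake MIC, which the PSK comparison stands in for here.

```python
"""Added example (not from the original courseware): how WPA/WPA2-Personal turns a
passphrase into the 256-bit pre-shared key, and why short passphrases fall.

PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32), as
defined in IEEE 802.11i.  The wordlist and target network below are constructed.
"""
import hashlib
import hmac
import math
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the PMK) exactly as a WPA/WPA2-Personal client does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def dictionary_attack(ssid: str, target_psk: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess-and-check: what a cracker does with a captured handshake.
    In a real attack each candidate PMK is checked against the handshake MIC;
    here the PMK itself stands in for that check.  Nothing touches the network."""
    for candidate in wordlist:
        if len(candidate) < 8:
            continue                                    # not a valid passphrase
        if hmac.compare_digest(wpa_psk(candidate, ssid), target_psk):
            return candidate
    return None


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase, a guide to brute-force cost."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case brute-force time at a given PBKDF2 rate (GPU rigs manage
    hundreds of thousands of WPA guesses per second)."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    ssid = "CorpGuest"                                 # constructed network
    captured = wpa_psk("sunshine1", ssid)              # weak passphrase
    print("cracked:", dictionary_attack(ssid, captured, ["letmein1", "sunshine1"]))
    print("8 lowercase letters:", round(passphrase_entropy_bits(8, 26), 1), "bits,",
          round(years_to_exhaust(8, 26, 300_000), 3), "years at 300k guesses/s")
    print("16 mixed-case alphanumerics:", round(passphrase_entropy_bits(16, 62), 1), "bits,",
          f"{years_to_exhaust(16, 62, 300_000):.2e}", "years")
```

The 4096 PBKDF2 iterations slow each guess down, but they do not help if the passphrase is in a wordlist; length and randomness do. The same derivation is used by WPA2-Personal, which is why the enterprise (802.1X) mode, with per-user credentials, is preferred in organisations.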
Wireless Encryption
WPA2 is the replacement for WPA and implements the full IEEE 802.11i security standard
Uses the AES encryption algorithm in CCMP mode
Weaknesses have been published against the WPA2 handshake and against weak pre-shared keys, but AES-CCMP itself has not been broken, and WPA2 with a strong passphrase or 802.1X authentication is still regarded as secure
CCMP – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol is the AES mode used to provide confidentiality of the frame payload together with authentication and integrity of the frame
Wireless Encryption
Wireless authentication can be handled by the access point itself (pre-shared key) or by an external authentication server such as RADIUS (enterprise mode)
The standard that covers port-based external authentication is IEEE 802.1X
The credentials are carried by the EAP – Extensible Authentication Protocol framework, which allows new authentication methods (passwords, certificates, smart cards) to be used over wireless. EAP itself does not encrypt the exchange; protection of the credentials depends on the EAP method chosen
LEAP – Lightweight EAP was Cisco's proprietary EAP method from before 802.11i. Its password exchange can be attacked offline with a dictionary attack and it should no longer be used
PEAP – Protected EAP encapsulates the inner EAP exchange in a TLS tunnel, which encrypts the credentials and authenticates the server to the client
802.1X
802.1X is not a wireless standard but the IEEE standard for port-based network access control using external authentication
It has three roles: the supplicant (the client), the authenticator (the switch or access point, which forwards only EAP traffic until authentication succeeds) and the authentication server (usually RADIUS)
Usually seen on switch ports, it is also the basis of enterprise wireless (WPA2-Enterprise), where each user or device is authenticated individually rather than everyone sharing one passphrase
WPS
WiFi Protected Setup
Has a twofold purpose:
1. allows users to set up connections between devices and access points simply by pressing a button on each device (push-button method) or by entering an eight digit PIN
2. allows the wireless connection of devices where there is no keyboard for configuration, e.g. printers
There are documented attacks against the PIN method such as Reaver: the access point confirms each half of the PIN separately and the last digit is a checksum, so only about 11,000 guesses are needed rather than 100 million. Disable WPS, or at least the PIN method, on any access point that supports it
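The arithmetic behind that attack, as an added example that is not part of the original courseware: the block computes the WPS PIN checksum digit, counts the guesses for each attacker model, and simulates the split search against two constructed oracles that answer "does this half match?" the way a vulnerable registrar's M4/M6 failure messages do. The PINs and oracles are constructed; nothing here talks to a real access point.

```python
"""Added example (not from the original courseware): the WPS PIN checksum and why
the PIN method is brute-forceable in about 11,000 guesses.

The eight-digit WPS PIN has seven significant digits plus a checksum digit.
A vulnerable registrar reports failure of the first four digits (M4) separately
from the last three (M6), so an attacker searches 10^4 + 10^3 values instead of
10^7.  The PINs below are constructed; 12345670 is the familiar example of a
PIN whose checksum digit is 0.
"""
from typing import Callable, Dict, Tuple


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN (weights 3,1,3,1,3,1,3 from the right)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN has a correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def split_search_guesses() -> Dict[str, int]:
    """Worst-case guess counts for the different attacker models."""
    return {
        "naive_8_digits": 10 ** 8,            # treat every digit as unknown
        "checksum_known": 10 ** 7,            # last digit is derivable
        "split_halves": 10 ** 4 + 10 ** 3,    # what Reaver exploits
    }


Oracle = Callable[[str], bool]


def make_oracles(secret_pin: str) -> Tuple[Oracle, Oracle]:
    """Constructed stand-ins for a vulnerable access point: one answers whether
    the first four digits match (M4), the other whether the last four do (M6)."""
    return (lambda half: half == secret_pin[:4]), (lambda half: half == secret_pin[4:])


def brute_force_split(oracle_first_half: Oracle, oracle_second_half: Oracle) -> str:
    """Recover the PIN with at most 10,000 + 1,000 oracle queries."""
    first = next(f"{i:04d}" for i in range(10 ** 4) if oracle_first_half(f"{i:04d}"))
    for j in range(10 ** 3):
        three = f"{j:03d}"
        check = str(wps_checksum(int(first + three)))   # checksum is free
        if oracle_second_half(three + check):
            return first + three + check
    raise RuntimeError("PIN not found (oracle inconsistent)")


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guesses:", split_search_guesses())
    secret = "2468135" + str(wps_checksum(2468135))      # constructed target PIN
    print("recovered:", brute_force_split(*make_oracles(secret)))
```

Rate limiting or lockout after a few failed PIN attempts reduces the exposure, but many access points of the period had neither, and the push-button method has its own risks if the button is physically reachable; disabling WPS is the clean fix.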
Wireless Attacks
Rogue Access Points – an access point connected to the network without authorisation, or set up to appear to be part of a legitimate network, to encourage users to connect so their information and traffic can be sniffed
Evil twin – a rogue access point that advertises the same SSID (and, where a PSK is used, the same credentials) as a genuine one so that clients connect to it; used as part of a man-in-the-middle attack to capture or modify traffic
Interference – jamming wireless networks with “noise”, rendering them unusable
War driving – using monitoring software while moving around an area to look for the presence of wireless networks, with the intention of finding vulnerable access points
War chalking – the outdated practice of marking buildings with chalk symbols to indicate the presence and security settings of nearby wireless networks
Wireless attacks
Deauthentication – forcing a client to disconnect from the access point
Achieved by transmitting forged deauthentication or disassociation management frames, spoofing the access point's address, to disconnect either a single client or (using the broadcast address) all clients; without 802.11w protected management frames these frames are unauthenticated, so any attacker in range can send them
Usually a prelude to further wireless attacks (capturing the four-way handshake when the client reconnects, or pushing clients onto an evil twin) but can also be used on its own as a DoS attack against the wireless network
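On the defensive side, a deauthentication flood is easy to spot in monitor-mode captures or wireless IDS output. The following added example, not part of the original courseware, runs a sliding-window count of deauth/disassoc frames per claimed sender over a constructed list of parsed frame records (timestamp, subtype, source BSSID, destination) and raises one alert per sender when the threshold is exceeded; the window and threshold values are assumptions to tune for your environment.

```python
"""Added example (not from the original courseware): flagging a deauthentication
flood from a stream of 802.11 management-frame records.

The frame records are constructed to look like what a wireless IDS or a
monitor-mode capture yields after parsing: (timestamp, subtype, sender BSSID,
destination).  Legitimate deauths are rare and targeted; a flood is many in a
short window, often addressed to broadcast.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

DEAUTH = "deauth"
DISASSOC = "disassoc"
BROADCAST = "ff:ff:ff:ff:ff:ff"

Frame = Tuple[float, str, str, str]   # (ts, subtype, src, dst)


def detect_deauth_flood(frames: Iterable[Frame], window_s: float = 10.0,
                        threshold: int = 20) -> List[Dict]:
    """Sliding-window count of deauth/disassoc frames per claimed sender.
    Returns one alert per sender the first time it reaches the threshold.
    frames must be sorted by timestamp; window_s and threshold are assumed
    starting values for tuning."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> timestamps in window
    alerted = set()
    alerts: List[Dict] = []
    for ts, subtype, src, dst in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:              # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "bssid": src,                           # the address being spoofed
                "count": len(q),
                "window_start": q[0],
                "window_end": ts,
                "broadcast": dst == BROADCAST,          # everyone kicked at once
            })
    return alerts


def constructed_capture() -> List[Frame]:
    """A quiet network with one genuine deauth, then an attacker spoofing the AP."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    frames: List[Frame] = [
        (0.0, "beacon", ap, BROADCAST),
        (1.5, DEAUTH, ap, client),                      # idle-timeout deauth, benign
        (2.0, "data", client, ap),
    ]
    # Flood: 40 spoofed deauths to broadcast in two seconds.
    frames += [(100.0 + i * 0.05, DEAUTH, ap, BROADCAST) for i in range(40)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_capture()):
        print(f"ALERT deauth flood from {alert['bssid']}: {alert['count']} frames "
              f"in {alert['window_end'] - alert['window_start']:.2f}s "
              f"(broadcast={alert['broadcast']})")
```

Because the attacker spoofs the access point's own address, the alert names the victim BSSID rather than the attacker; correlating with the capturing sensor's signal strength readings is how you find the real source. Enabling 802.11w on the access points makes forged deauths fail outright, which is the better fix where clients support it.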
Captive Portals
Part of a guest or enterprise wireless solution, commonly found in hotels and airports: you connect to the wireless network and every web request is redirected to a web page
That page holds the user until credentials, payment or acceptance of terms are provided, after which the client's MAC or IP address is allowed through
The wireless link itself is usually open (unencrypted) on such networks, so users should treat them as hostile and use a VPN
Bluetooth
Bluetooth is a wireless technology but differs greatly from traditional wireless networks
Much shorter range – dependent upon the class of device, but typically up to about 10 metres (Class 2); Class 1 devices can reach around 100 metres
Lower power – typically 1 to 2.5 mW (Class 3 and Class 2) as opposed to 100 mW or more for a Wi-Fi access point
Low data rate – around 1 Mbps for basic rate (2 to 3 Mbps with EDR), intended for small data transfers between personal devices
Bluetooth Attacks
Bluejacking – using Bluetooth to send an unsolicited message to another Bluetooth device without the owner's permission; a nuisance rather than a compromise
Bluesnarfing – unauthorised access to data (contacts, calendar, messages) on a device over a Bluetooth connection
Bluetooth Security
Bluetooth defines three classic security modes:
Non secure (mode 1) – no security features enabled
Service level (mode 2) – security is enforced per service after the link is established; the applications being used on the device are responsible for it
Link level (mode 3) – security is enforced on the link before any data is transmitted, with authentication between devices and optional encryption
In practice: turn off discoverable mode when not pairing, and only accept pairing requests you initiated
NFC
Near Field Communication
Devices communicate when in close proximity (a few centimetres) with each other
The short distance is the main protection, but the radio emanations can be picked up from further away with a suitable antenna, so interception and relay attacks are possible
Contactless payment with a card or phone is an example of NFC
CompTIA Security+ Section V
Host, Application & Data Security
Securing Host Systems
Types of Malware
Malware refers to software that carries out some unwanted function on your machine, usually without your knowledge or permission
Malware now includes a range of software that goes beyond the original problem of viruses
Spyware – software that collects information about users without their knowledge. It can collect identity or credential information, or details of websites visited and applications run, for marketing or criminal purposes. Keystroke loggers are a favourite form of spyware
Adware – a variation on spyware where pop-up adverts are displayed based upon websites visited, targeting adverts at prospective customers
Viruses
Virus – these have been with us for many years and come in a variety of forms. A virus arrives on a computer and replicates by attaching itself to other executable programs or files; it needs a host program to run. The payload varies and can delete files, corrupt data or prevent network access amongst others
Macro viruses live in the macro language of documents, typically files created by Microsoft Office applications such as Word or Excel
Boot sector viruses modify the boot sector of the hard disk so that they load before the operating system
Polymorphic viruses change their appearance (re-encrypting their body) after every infection to evade signature-based anti-virus
Metamorphic viruses rewrite or recompile their own code after every infection so that no constant signature exists
Viruses
Certain file types are prone to virus infection. These include:
.bat, .com, .exe – executable files
.doc, .docx, .mdb – files associated with Microsoft Office that can carry macros
.scr – screensavers (executable)
.dll – dynamic link libraries loaded by other programs
.htm, .html – web pages that can carry script
.vbs – Visual Basic script
Keyloggers
These can exist in hardware or software
A hardware keylogger sits in line between the keyboard and the computer, intercepts the keystrokes and saves them to the device for later retrieval
A software keylogger is a program that does the same and saves the keystrokes to a file or sends them to the attacker, e.g. by email
Types of Malware
Trojan – a piece of software that appears harmless, disguised as something innocent but carrying a malicious payload. Users are typically tricked into downloading and running trojans through attachments or hyperlinks
A common trojan payload turns the client computer into a bot that can be used for launching attacks against other computers
Other trojans install remote control agents onto computers
Unlike a rootkit, a trojan usually runs as an ordinary process and can be seen in Task Manager, although it will often be named to look legitimate
Remote Access Trojans
Sometimes called back doors – these refer to services running or ports open that allow a remote user to connect and bypass the standard authentication mechanisms
General purpose tools such as Netcat can be used as a backdoor: bound to a shell and listening on a port, they give a malicious user full control of the computer without the logged on user noticing the remote access
Typically used by attackers so they can return to a computer after they have gained initial access
Once access has been obtained the computer can be controlled remotely
Types of Malware
Logic bomb – a piece of malicious software that lies dormant until triggered by an event, typically a date or time, or a particular program being run
Once triggered, it can perform a variety of functions
Botnet – the name for a group of compromised computers (bots) under the control of an attacker, used to launch distributed denial of service attacks over the network. Botnets can consist of tens of thousands of infected computers
Types of Malware
Worm – malicious software that spreads itself to other machines over the network without user action, for example by emailing itself to the contacts in the Outlook address book or by scanning for open ports and vulnerable services on other machines
Spreads very rapidly and consumes a lot of network resources
Can be used to carry and deliver other malware to the machines it reaches
Types of Malware
Ransomware – malware that encrypts your local files (and any network shares it can reach) and then demands a ransom payment in exchange for the key to unlock them
Reliable, offline or otherwise isolated backups are the main defence, since paying does not guarantee recovery
Types of Malware
Rootkit – malicious software that hides itself inside the core part of the operating system that is not accessible or visible to users. Called a rootkit because it runs with root privilege or inside the kernel of the OS
Cannot be seen using programs like Task Manager because it subverts the system calls those tools rely on; special detection tools, or offline scanning from known good media, are needed
Could be used to capture keystrokes, intercept system calls and divert them to other programs, hide other malware, or allow remote access to a machine
Once infected with a rootkit the computer can no longer be trusted and the only guaranteed fix is to rebuild from known good media
Host Security
There are a range of measures that an administrator should take to ensure host security:
Remember physical security
Supply chain – use authorised components – hardware and software
Establish a security baseline
Harden the operating system
Use a trusted operating system in sensitive environments
Ensure regular updating and patching
Host Security
BIOS & UEFI – password protect the firmware setup, enable Secure Boot where available and ensure firmware updates are applied
Don't have unnecessary services running
Use a file system that supports access control – NTFS rather than FAT on Windows
Protect system and administrator accounts – strong passwords, rename or disable default accounts
Restrict any administration interfaces to local or management-network use only
Control host Internet access – use a proxy server
Update and patch software
Protect peripherals – restrict printing, USB access etc
Host Security Applications
Application whitelisting & blacklisting – a whitelist allows only approved executables to run (the stronger control); a blacklist blocks known bad ones
Antivirus software
Anti spyware
Anti spam software
Host based firewalls – now standard with all operating systems; enable them and restrict inbound connections
Host Security Applications
Web browser security – keep the browser updated
    check plugins and remove those not needed
    trusted sites / security zones
    pop-up blockers
    private browsing
Use a host based IDS
Consider the risks attached to virtualisation –
    secure the hypervisor; a compromise there exposes every guest
    multiple VMs on one host may have different security requirements; keep them separated
Mobile Device Security
Consider the security available from the different types of connection:
Cellular – usually encrypted between the handset and the base station, but not end to end
Satellite – interceptable, should be encrypted
Wi-Fi – use WPA2, use a VPN, awareness in public locations
Bluetooth – turn off discovery, authorised pairing only
NFC – enable only when needed, awareness in public locations
Deployment Models
BYOD – Bring Your Own Device – personal devices used on the corporate network
CYOD – Choose Your Own Device – the user picks from a list of approved, company supplied devices
COPE – Company Owned Personally Enabled – a company device that may also be used for personal purposes
Corporate Owned – the traditional company owned, business only model
VDI – Virtual Desktop Infrastructure – the desktop and its applications run in the data centre and are only displayed on the mobile device, so the data never rests on the device
Mobile Device Issues
Issues with personal devices:
Data ownership – who owns what with BYOD?
Technical support – wide range of devices
Patching & antivirus
On board capabilities, camera, video, audio – espionage!
Acceptable use policy
On/off boarding – retrieval of device, deletion of data
Integration with existing infrastructure
Device loss or theft
Mobile Device Issues
Legal issues include:
Privacy of personal data
Control of company data
Separation of data in the case of examination of device
Protection of Mobile Devices
Loss or theft can lead to loss of data or compromise
Password or PIN with screen lockout/timeout
Biometric authentication – fingerprint or face recognition
GPS tracking
Find my device
Remote wipe, ideally also triggered automatically after a number of failed unlock attempts
Full device encryption
Voice encryption – provided by the network? Not end to end unless an app supplies it
MDM – Mobile Device Management, to enforce all of the above centrally
Securing Applications & Data
Application Vulnerabilities
Security for applications is required because of the wide range of application vulnerabilities that can be exploited
JavaScript – an interpreted language that executes in the browser; weaknesses in browser security or in the site can lead to malicious script execution
ActiveX – binary browser controls with full access to the host; browser security should ensure only signed, trusted controls are downloaded
Buffer Overflow – one of the originals: submitting more data than a buffer can hold overwrites adjacent memory and can crash the application, expose data or allow attacker code to run
Resource exhaustion – a form of denial of service attack where the application runs out of resources such as sockets, memory or disk
Application Vulnerabilities
Privilege escalation – a flaw that lets code run at a higher level of privilege than intended, leading to unauthorised access or execution; frequently the result of a buffer overflow in a privileged component
Hijacking – session hijacking involves taking over a previously authenticated session by acquiring the session token (cookie) and impersonating the user
Attachments – HTML and script attachments can contain malware
Browser addons/plugins – could contain malicious elements like keyloggers
CGI scripts – any server-side script can cause security issues if the input it receives is not validated
Application Vulnerabilities
XSS or Cross-Site Scripting – an attacker gets their own script into a page served by a trusted site (via a crafted link or a stored posting), so the victim's browser runs it with that site's privileges and the attacker can steal session cookies or act as the user. Users are encouraged to click hyperlinks in emails or in postings on forums or social networking sites to trigger it. The defence is output encoding (escaping) of all untrusted data
XSRF or Cross Site Request Forgery – a malicious page makes the victim's browser send a request to a site where the victim is already authenticated; the browser attaches the session cookie automatically, so the site carries out the attacker's action. Defended with anti-forgery tokens and SameSite cookies
Application Vulnerabilities
Header manipulation – modifying the HTTP headers submitted to a web server, which could lead to cookie manipulation, redirection or response splitting
Injection – can take many forms: command injection, SQL injection, LDAP injection; untrusted input is inserted into a command or query so that it is interpreted as instructions rather than as data
Directory traversal – using ../ sequences in a requested path to navigate beyond the web content directory into the host's file system
Arbitrary code execution – the ability to run code of the attacker's choosing on the application server or client
Zero day – a vulnerability exploited before the vendor knows of it or has a patch, so signature-based defences cannot detect it; defence in depth is the only mitigation
Race conditions – exploiting the timing window between a check and the action that depends on it (time-of-check/time-of-use) to obtain privilege or access
Application Server Vulnerabilities
FTP servers – remember that FTP is an insecure protocol that sends credentials and data in clear text; use SFTP or FTPS, or add additional layers of security/authentication
DNS – the underlying protocol that allows the Internet to function. Malformed requests, unrestricted zone transfers and cache poisoning are all threats against DNS
DHCP servers – the dynamic allocation of addresses to clients is vulnerable to rogue DHCP servers handing out fake gateway or DNS information, and to address exhaustion (a form of DoS)
Database servers – databases should be protected against unauthorised access, with encryption where required, and the front end hardened against SQL injection
Application Server Vulnerabilities
LDAP, Directory Services – a directory service is a repository of identity information, so it should be protected against unauthorised access and against LDAP injection, which tries to bypass security controls by altering queries
Email servers – require authentication, do not run the mail server as an open relay, use the secure (TLS) versions of IMAP and POP, use TLS between mail servers, and S/MIME for end-to-end protection between clients
Application Security
SDLC – the Software Development Life Cycle covers the stages of software development from concept through design, coding, testing and deployment to use and eventual retirement
Application Security
There are different methodologies for software development:
Waterfall – the traditional model; each phase must be complete before the next starts
Agile – uses multi-disciplinary teams, iterative, more flexible
DevOps – a portmanteau of development and operations – bringing together all interested parties as part of the development and release process, usually with automated build and deployment
Secure coding – security should be built in at all stages of the life cycle; secure coding is one aspect of that, meaning using only safe functions and libraries and handling untrusted input correctly
Application Security
Change management – all changes to applications have to be carried out in a controlled and structured way
Input validation – all software should validate all input (type, length, range, format) before acting on it, to reduce the risk of malware and command injection
Escaping – by escaping (encoding) special characters for the context they are output into, they are interpreted as data rather than as instructions
Code testing – all code should be reviewed and tested for functionality and security
Error handling – how does the application deal with errors or exceptions – fail secure, and do not leak internal details to the user
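The injection, XSS and directory traversal vulnerabilities listed earlier and the input validation and escaping controls above are two sides of the same problem: untrusted input crossing into a context where it is interpreted. The following added example, not part of the original courseware, shows each vulnerable form beside its hardened form using only the Python standard library; the users table, comment text and file tree are constructed sample data.

```python
"""Added example (not from the original courseware): SQL injection, XSS and
directory traversal, each shown vulnerable and hardened.

Standard library only (sqlite3, html, pathlib).  The users table, the comment
text and the temporary web root are constructed sample data.
"""
import html
import sqlite3
import tempfile
from pathlib import Path


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


# --- Injection: input glued into the query vs. bound as a parameter -----------
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation: the input becomes part of the SQL grammar."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the input can only ever be a value, never syntax."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- XSS: untrusted text placed raw in HTML vs. escaped for the HTML context --
def render_comment_vulnerable(comment: str) -> str:
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """html.escape encodes < > & " ' so browsers render them as text."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


# --- Directory traversal: check the resolved path stays under the web root ----
def safe_resolve(web_root: Path, requested: str) -> Path:
    """Resolve a client-supplied path and refuse anything outside web_root.
    Resolving first defeats ../ sequences and symlinks alike."""
    root = web_root.resolve()
    target = (root / requested.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested}")
    return target


def demo() -> dict:
    """Run all three comparisons and return the observable differences."""
    conn = make_db()
    payload = "x' OR '1'='1"                       # classic tautology
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("hi")
        try:
            safe_resolve(root, "../../etc/passwd")
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True
        in_root = safe_resolve(root, "index.html").name
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),   # 2: whole table
        "safe_rows": len(lookup_safe(conn, payload)),               # 0: no such user
        "raw": render_comment_vulnerable("<script>alert(1)</script>"),
        "escaped": render_comment_safe("<script>alert(1)</script>"),
        "traversal_blocked": traversal_blocked,
        "legit_file": in_root,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Notice that the hardened versions do not try to blacklist dangerous characters: parameter binding and context-appropriate encoding work for any input, whereas filtering quotes or angle brackets is bypassable and breaks legitimate data.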
Application Security
Code reuse – a lot of development is now object oriented, reusing blocks of code and third party libraries. Ensure the libraries are from trusted sources, kept up to date and free of known vulnerabilities
Secure testing and deployment:
    separate development from production
    test in an isolated environment with test data, not live data
    once accredited, move to production through the change management process
    develop and test in a sandbox environment
When using databases the decision should be made over using a relational (SQL) model or a NoSQL model; both need access control and input handling appropriate to their query language
Data Security
Data Loss Prevention – DLP – discussed elsewhere. Knowing what data you have, where it is and where it goes. Protecting the data and controlling activities such as USB use and email attachments
Data encryption – the primary solution to confidentiality, can be implemented in several ways:
Trusted Platform Module – TPM – a hardware chip on the motherboard that generates and stores cryptographic keys, ties their release to the measured boot state of the platform and performs operations on them, so the disk encryption key is never exposed in the clear. Usually found on laptops and used by full disk encryption such as BitLocker
Hardware Security Module – HSM – basically a stand alone, tamper-resistant cryptoprocessor for servers and certificate authorities, but could also be a plug in card or a network appliance
Data Security
Full Disk Encryption – using built in or third party software, ensures no access to data if the device is lost or stolen while powered off; it does not protect against a logged-on user or malware running on the machine
Database Encryption – either full (transparent data encryption) or partial (selected columns), limits what is exposed if unauthorised access to the files or the database is obtained
File or container encryption – only encrypting the files or areas that need that level of security
Removable media/mobile – all media should be encrypted, especially when in transit
Data Destruction
There are several techniques for data destruction or sanitisation:
Burning – ideal for paper or tapes but will not necessarily destroy magnetic data on disk platters
Shredding – physical destruction of paper and optical media
Pulverising – reducing to dust
Pulping – water mixed with paper
Degaussing – using a strong magnetic field to destroy the magnetic data on disks and tapes – not applicable to SSDs, which have no magnetic media
Wiping – overwriting media with one or more passes of data; not reliable on SSDs because of wear levelling, where the drive's own secure erase or cryptographic erase should be used instead
Physical destruction – physically shred/destroy the media into tiny fragments
Remote Storage
Cloud storage – encrypt data (ideally with keys you hold), control access, consider data destruction – how do you verify the provider has deleted it?
Storage Area Networks – data should be secure whilst in transit and at rest, and encryption can be used for both. Apply access controls (zoning, LUN masking) for the hosts and applications accessing data
Big data – data warehouses contain multiple data sets which are used for data analytics. Two issues:
1. Protecting the data at rest
2. Protecting the results of the queries, which may combine data sets and produce sensitive results
CompTIA Security+ Section VI
Security Compliance
Organisational Security & Compliance
Risk
Risk – the potential that a given threat will exploit vulnerabilities of an asset or asset group and thereby cause harm to an organisation
Risk, in simple terms, is the combination of a threat (something that can cause harm) and a vulnerability (a weakness the threat can exploit), weighed against the impact of the harm
Risk
Risk – the possibility that an incident may disrupt operations, cause damage or cause data loss
Managing risk is an integral part of security
Risk management is the process of identifying possible risks and mitigating them to an acceptable level
Risk analysis identifies and evaluates each risk as to the likelihood of occurrence and the cost if it occurs
Part of risk analysis is identifying and valuing assets; you have to know what needs protecting
You don't spend more than the value of the asset protecting it
Controls
A control is anything that can be used to implement security
Administrative (management) controls – policies, procedures, standards, training
Technical controls – hardware and software used to protect resources. Encryption, smart cards and passwords are examples
Physical/Operational controls – mechanisms to ensure security on an ongoing basis; physical access controls, event auditing, traffic filters and incident response are examples
Risk Assessment
Risk assessment identifies the risks that are present in an organisation
Risk analysis looks at the risks present and rates the level of threat each one poses
Risk management is the process of deciding how each risk will be dealt with
Risk calculation attempts to put a value on the cost and implications of particular risks
Risk Assessment
Risk assessment consists of four phases:
1. Identify the assets to be protected
2. Identify and assess possible threats and vulnerabilities
3. Rate the risks in terms of likelihood and impact
4. Identify cost effective solutions for protection
Assets
An asset is something of value to the organisation
Could be hardware, software, premises, people, data or reputation
Some assets can be valued on replacement cost
For other assets the valuation is subjective, e.g. the value of data
Assets may depreciate over time
Hidden costs such as labour for repairs and lost productivity have to be considered
Don't spend more on protection than the value of the asset
Risk Calculation
Two types of risk assessment methodology:
Quantitative – applies a monetary cost to a specific risk, i.e. a real figure for what the loss would be if “X” occurs
Qualitative – where it is not possible to apply specific figures, qualitative risk assessment is subjective and uses relative ratings (high/medium/low) – how do you put a precise cost on data loss?
Risk Calculation
Applying costs to risk, terminology:
Asset Value (AV) – the value of the asset being protected
Exposure Factor (EF) – the percentage of the asset value that would be lost if the threat occurred once
Single Loss Expectancy (SLE) – the loss from a single occurrence, calculated by multiplying the asset value by the EF: SLE = AV x EF
Annualised Rate of Occurrence (ARO) – the expected number of times the risk occurs per year (0.1 means once every ten years)
Annualised Loss Expectancy (ALE) – the potential cost per year
ALE = SLE x ARO
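Carried through to a decision, the formulas tell you whether a control is worth buying: the value of a safeguard is the ALE it removes minus what it costs per year. The following added example, not part of the original courseware, implements SLE = AV x EF and ALE = SLE x ARO and applies the cost-benefit test; the asset values, exposure factors and control costs are constructed figures for illustration.

```python
"""Added example (not from the original courseware): the quantitative risk
formulas SLE = AV x EF and ALE = SLE x ARO, carried through to the
cost-benefit test for a proposed control.

The asset values, exposure factors and control costs below are constructed
figures for illustration only.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per occurrence (0..1)
    aro: float                # annualised rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    annual_cost: float                          # purchase amortised plus running cost
    new_aro: float                              # ARO once the control is in place
    new_exposure_factor: Optional[float] = None  # EF afterwards (None = unchanged)


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control is applied."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    return Risk(risk.asset_value, ef, control.new_aro)


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a safeguard: ALE before, minus ALE after, minus its cost.
    Positive means the control pays for itself; negative means you are spending
    more on protection than the risk costs."""
    return risk.ale - residual_risk(risk, control).ale - control.annual_cost


def worth_it(risk: Risk, control: Control) -> bool:
    return control_value(risk, control) > 0


# Constructed scenario: a 100k server, 25% loss per incident, one incident
# every five years; a 3k/year control cuts incidents to one every twenty years.
SERVER = Risk(asset_value=100_000, exposure_factor=0.25, aro=0.2)
BACKUP_CONTROL = Control(annual_cost=3_000, new_aro=0.05)

# The rule of thumb from the slides: 50k of protection for a 10k asset.
SMALL_ASSET = Risk(asset_value=10_000, exposure_factor=1.0, aro=1.0)
GOLD_PLATED = Control(annual_cost=50_000, new_aro=0.0)

if __name__ == "__main__":
    print(f"server: SLE={SERVER.sle:,.0f} ALE={SERVER.ale:,.0f} "
          f"control value={control_value(SERVER, BACKUP_CONTROL):,.0f} "
          f"worth it={worth_it(SERVER, BACKUP_CONTROL)}")
    print(f"small asset: ALE={SMALL_ASSET.ale:,.0f} "
          f"control value={control_value(SMALL_ASSET, GOLD_PLATED):,.0f} "
          f"worth it={worth_it(SMALL_ASSET, GOLD_PLATED)}")
```

In the server scenario the control removes 3,750 of annual loss expectancy for 3,000 a year, so it is justified; the gold-plated control on the small asset can never recover its cost even if it eliminates the risk entirely. The quality of the answer depends entirely on the ARO and EF estimates, which is why quantitative analysis is only as good as the incident data behind it.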
Risk Management
Reducing risk has to be cost effective
The annual cost of protecting an asset should never exceed the annual loss it prevents, and certainly never the value of the asset
You don't spend 50k protecting something worth 10k
Risk Assessment
Once the risk assessment is complete you have the following information:
A list of assets
A list of possible threat profiles
An evaluation of the risk of each threat
Impact – the potential loss if the risk is realised
Probability – the likelihood of it occurring
Risk Register
Once the risk has been identified a risk register can be created
This is a living document that details all identified risk
It may contain details such as:
risk factors
asset information
likelihood
severity
ownership
action plans for mitigation
Dealing with Risk
Choices we have with risk:
Avoid
Transfer
Mitigate
Accept
Reducing Risk
Mitigating or reducing risk can be achieved by implementing various measures that can eliminate vulnerabilities or stop attacks
Mitigation can be technical as in shutting down unused ports and services to prevent unauthorised access
Mitigation can be physical as in considering the location of a data centre to avoid any potential natural threats like floods
Transferring Risk
Risk can be transferred by assigning the risk and its associated costs to others
A common form of risk transference is insurance policies
Another way of assigning risk to others would be through the use of third parties for maintenance and support
Accepting Risk – at the end of the day it is highly unlikely that all risk can be removed. There will be some residual risk and that risk has to be accepted, particularly if the cost of total risk elimination becomes disproportionately high
Ignoring or rejecting risk – something we cannot do. Denying risk is not a valid option
False Positives
A false positive is where an alarm or alert has been raised concerning a potential incident and there is no condition to warrant it, e.g. an anti-virus alert when there is no virus
False positives are a fact of life; they are not directly damaging, but they waste analyst time and, in volume, cause real alerts to be ignored
In many cases system tuning can reduce the occurrence of false positives
The worst case is the false negative, i.e. no alarm when there is an alarm condition: your protective measure is not effective and you do not know it
Policies
Policies can be used to reduce risk
Effective security policies can reduce, transfer or eliminate risk
The security policy is the overriding document that describes the high level aims
There will be a series of subordinate policies that implement specific aspects of security
Policies
Security Policy – the security policy is the high level policy for defining the security footprint of the organisation
Defines the main goals of security within the organisation
Defines auditing and compliance requirements
Clarifies areas that are covered within the security policy
Endorsed by management
Policies
Acceptable Use Policy – A company has a duty of care to its employees so an acceptable use policy (AUP) defines what is acceptable behaviour when using company resources like the Internet.
Defines acceptable browsing practices which can be implemented through the use of proxy servers
Considers aspects such as desktop wallpapers, social networking activities, what can be sent within company emails
Defines the limit of personal activities when using company resources
Policies
There are several aspects of working practices that are defined within the security policy
Mandatory vacations – the concept of forcing employees to take a minimum holiday each year. This allows for working practices to be audited by others to check for fraud, theft etc. A very common policy in the finance industry
Separation of duties – ensuring that no one individual has too much control over more than one aspect of the business to avoid conflicts of interest and also to prevent fraud and scams. Typically you need two signatures to sign a company cheque or the IT manager can only authorise certain levels of expenditure without oversight
Policies
Least Privilege – the principle that any employee is only given the permissions and levels of access that they need to carry out their job functions – don't give read/write access if read is sufficient for the job
Job rotation – moving staff between roles internally can uncover fraud or misuse, and has the positive benefit of increasing resilience because more than one person can do each job
Routine permission reviews should be carried out to audit that permissions are still aligned with job roles and that there has been no “permission creep” as people change roles
Policies
Email policy – use of personal email accounts in the workplace, misuse of business email accounts
Social media policy – keeping work and business separate, not posting company related information
Policies
Privacy Policy – a policy that deals with how personal data is collected, used and disclosed
Designed to prevent accidental or unauthorised disclosure of personally identifiable information (PII)
Controls access to information that is confidential
Covers aspects of personal freedom in the workplace, i.e. monitoring of activities and accessing personal data
Deals with the issue of what is classed as private in the workplace when using company equipment and resources
More important now with the advent of GDPR
HR policies
Hiring policy – background checks, qualifications etc
Ethics policy – dealing with moral issues
Codes of conduct – behaviour of staff as company representatives
Termination policy – return of company assets, account disabled
Duty of care
Due Care – taking responsibility for the activities that take place on company premises to ensure a safe environment; the protection of staff and assets
Due diligence – the actions carried out by the organisation to establish due care. The
Due process – if an employee breaks policy or does not follow procedure they are subject to due process
Negligence – the absence of due care or due diligence amounts to negligence
Additional Risk Management Strategies
Change management – a policy and process in place for structured change
Incident management – policies and procedures in place for incident management (more later)
Routine audits – audits of policy, procedures, logs
SOPs – Standard Operating Procedures – standard procedures used to implement policy
User permission reviews – avoid permission creep
Change Management
As weaknesses and vulnerabilities are discovered in systems there needs to be a system for patching and updating to improve the security posture
The change management process is designed to maintain the security of systems whilst updating in a controlled manner
Change management should apply to all aspects of systems – hardware, operating systems, applications – so that security is not compromised
Change Management
Changes should be proposed and planned not just carried out
Changes should be implemented in a controlled manner
Changes should be verified to ensure they have not caused any unforeseen problems or reduced security
Changes should be reversible if required (a back-out plan)
All changes should be documented
Compliance
There are now many government and industry regulations that are relevant to different industries:
PCI – Payment Card Industry – the requirements for dealing with payment cards and financial transactions
HIPAA – Health Insurance Portability and Accountability Act – mainly American but deals with medical records in devolved healthcare
SOX – Sarbanes Oxley – auditing standards within the financial services industry
DPD – EU Data Protection Directive – soon to be replaced by GDPR – protection and privacy of data
Risk associated with third parties
There is an increased risk of compromise when third parties are involved with IT infrastructure
There are different types of agreements for interoperability
SLA (Service Level Agreement) – a contract between a supplier and a customer, specifies the range and obligations of the contract
BPA (Business Partners Agreement) – a contract that defines the business relationship between two parties
MOU (Memorandum of Understanding) – an informal agreement between two parties
Risk associated with third parties
Privacy considerations when integrating computer systems
Possibility of unauthorised data sharing between organisations
Data ownership – clear rules needed to define the ownership of shared data
Data backups – who is responsible for backing up data between organisations
Separate companies may have different policies
Compliance – ensure that any third parties comply with relevant security standards such as PCI or HIPAA
Risks associated with Cloud Computing
Cloud solutions are seen as a way of reducing risk by transferring the risk to a fault-tolerant cloud based solution but this does raise a new series of questions with regard to risk
Where is the data? This is important particularly with personal data as different countries have rules about storing such data within their jurisdiction
Who has access to the data? Somebody somewhere may have unauthorised access to your data
Is the person looking after your data qualified? Who is responsible for maintaining the data and are they suitably qualified to do so?
Is the data encrypted correctly? Where are the keys stored? Who has access to the keys?
Security Training & Incident Response
Training and Awareness
Security related awareness training should be required for all staff at all levels
The onboarding process can be used to ensure employees are aware of and have agreed to the security policy
Employees should have a record of their awareness training and how current it is
Non Disclosure Agreements (NDAs) should be applied to employees and relevant third parties
Threat awareness
The threat landscape is constantly changing so staff should be aware of emerging threat actors:
Script kiddies – those who disrupt using YouTube as their source of knowledge
Hacktivists – those who hack for a cause, political or moral
OCGs – Organised Crime Groups – there is now a realisation that cyber crime presents a much lower risk to the criminal than guns or drugs so we see an increase in financial crime, ransomware etc
Nation states – there are several nation states now actively involved in the dark side of cyber space
Insiders – employees are still the biggest threat
Competitors – industrial espionage is alive and well
User Security Awareness
Awareness training for staff at all levels is vital for effective security
User awareness should be ingrained in all employees
Role-based training assists employees in performing work based tasks securely
Personally Identifiable Information (PII) refers to information that can be used to identify individuals. This should be protected to mitigate against identity theft
Standards and Guidelines
Policies are used to define what the goal is – mandatory
Procedures are the step-by-step instructions that will implement policy – mandatory
Standards – usually set by industry or government, e.g. PCI or ISO 27001 – a defined set of processes – mandatory
Guidelines – industry best practice or recommendations – discretionary
Classification of data
Data and other objects can be classified with labels that describe levels of sensitivity
Not all data has to be classified at the highest level
Government/military classification has the following classes:
Unclassified – the lowest level
Sensitive/Restricted
Confidential
Secret
Top Secret
Classification of data
Commercial organisations also need to classify their data according to sensitivity
The labels may vary between organisations but can include labels such as:
Public – equivalent to unclassified
Sensitive
Private – typically internal use only
Confidential or Company Confidential
You may also find labels such as High, Medium and Low to describe data sensitivity
Data Management
The following issues have to be considered:
Storage and handling – how and who
Retention – for how long and why
Disposal – how
Hardware disposal – control of how assets are disposed of to ensure no data leaks out on hard drives etc
User management
Password policy
Clean desk policy
Use of personal devices
Locking workstations when unattended
Awareness of tailgating and piggybacking
Data handling – what, how and to whom
Instant messaging – who users are talking to and what they are sending them
P2P applications – are they allowed or not
Social networking – what is acceptable in the workplace
Compliance with policy, standards and regulations
Social Engineering
Phishing – sending emails which try to elicit a response where you part with personal information such as logon credentials or credit card details
Phishing emails purporting to come from your bank are very common and are getting very sophisticated
Another practice is sending invoices from courier companies or alleged refunds from HMRC
Frequently spotted through the bad grammar and spelling of the email.
Social Engineering
Spear phishing – a variation that targets specific individuals or groups within an organisation, again trying to gain personal information
Whaling – the practice of sending phishing mails to specific high-level targets in an organisation, managers and directors etc
Vishing – using VoIP networks to make unsolicited phone calls trying to gain information
Spim – a variation on Spam where Instant Messaging is used to send unwanted messages
Social Engineering
Spam – unsolicited (and unwanted) email
Can carry malicious software, especially in attachments
The mail can appear to come from a legitimate address
Viewing the mail header can show the true path of the mail
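Reading the header by hand is fiddly because each mail server prepends its own Received line, so the top line is the last hop and the bottom line is the first. The script below is an added example, not part of the courseware: it parses a constructed message that claims to be from a bank, lists the hops oldest first and compares the visible From domain with the envelope sender in Return-Path. All hosts and addresses are documentation values (example.* names, 192.0.2.x, 198.51.100.x, 203.0.113.x).

```python
"""Show the true path of an e-mail from its Received headers.

Added example (not courseware code). RAW_MESSAGE is a constructed sample;
every host, IP and address in it is a documentation/reserved value.
"""
import email
import re
from email.utils import parseaddr

RAW_MESSAGE = b"""Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.com with ESMTP id abc123; Mon, 1 Jan 2018 10:00:02 +0000
Received: from relay.example.org ([198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 1 Jan 2018 10:00:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.org with SMTP; Mon, 1 Jan 2018 10:00:00 +0000
Return-Path: <bounce@example.org>
From: "Your Bank" <alerts@bank.example>
To: user@example.com
Subject: Account notice

Please confirm your details at the link below.
"""

# "from <sender> ... by <receiver>" is the part of a Received line we care about.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_path(raw):
    """Return [(sending_host, receiving_host), ...] oldest hop first.

    Only the Received lines added by your own mail servers can be trusted;
    anything below them could have been written by the sender.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)        # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))                  # headers are newest-first


def sender_domains(raw):
    """(domain shown in From:, domain of the envelope sender in Return-Path:)."""
    msg = email.message_from_bytes(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return from_dom, return_dom


def looks_spoofed(raw):
    """Visible sender domain differs from the envelope sender domain."""
    from_dom, return_dom = sender_domains(raw)
    return from_dom != return_dom


if __name__ == "__main__":
    for sender, receiver in received_path(RAW_MESSAGE):
        print(f"{sender:>22} -> {receiver}")
    print("From/Return-Path domains:", sender_domains(RAW_MESSAGE),
          "| mismatch:", looks_spoofed(RAW_MESSAGE))
```

Here the message that claims to come from bank.example originated at an unnamed host 192.0.2.55 and its bounces go to example.org, which is the kind of discrepancy the slide is pointing at.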
Social Engineering
Pharming – this is where you are redirected to a fake website that is an identical copy of the real one. This is part of the phishing process where the aim is to gather personal information from victims. Pharming is usually the result of DNS settings being interfered with.
Hoaxes – usually try to scare the user into carrying out some negative action. Not a real threat to the system but exploits the user
Incident Management
An event is an occurrence that takes place
An incident – something that occurs on a system that is not expected or is outside the security policy, an event that has a negative outcome affecting the organisation
All incidents have to be managed as defined by the security policy
If applicable, laws and compliance regulations have to be followed so incidents may have to be reported e.g. finance industry regulations and PCI compliance
Incident Management
An incident could be any of the following:
Unauthorised network scanning
Attempting to brute-force logins
Denial of service attack
Attack against web site
In fact, anything that is outside the security policy
Incident Management
Many large organisations have incident response teams to deal with such events
CSIRTs – Computer Security Incident Response Teams, as they are known – manage an incident in the following way:
1. Establish the level of damage caused
2. Determine if there is any data loss
3. Take responsibility for the recovery process
4. Recommend and manage any additional security procedures
5. Post event review, lessons learned, improvements to be made
Incident Response
Incidents will occur and must be dealt with in a prepared and defined way
Preparation – incident response has to be planned so employees are trained and prepared for any eventuality
Identification – when an event is reported a decision has to be made whether it qualifies as an incident or not. The incident is initially dealt with by:
First Responder – the person who is notified, responds and carries out the initial investigation. The first responder is responsible for preservation of evidence
Incident Response
Containment – the incident has to be contained so that it does not spread or do further damage. Quarantine the suspect machine and remove the user
Damage and loss control – the actions will depend upon the incident or attack. Disconnecting the Internet during a DDoS attack may mitigate the attack but also prevents any outside connections, a balancing act.
Data breaches – if this occurs there is a reporting mandate that goes outside of the organisation if it is personal data. It is a legal requirement to report breaches to the Information Commissioner and is also a requirement of GDPR
Incident Response
Escalation – this can occur at any stage. The severity of the incident may require a decision at a higher level of management
Notification and reporting – there may be a legal requirement to notify certain bodies. There may also be a need for media statements to reduce potential reputational damage
Mitigation and recovery – remove the problem and then look at recovering systems to restore service. Reimaging, restoring backups, may be part of this process
Lessons learned – post attack analysis, what could we do to prevent it happening again, what could we do better?
Forensic Procedures
One of the most important aspects of an incident is containment
This is the isolation and preservation of evidence
After an incident has occurred the user should remove themselves from the computer in question and leave it for examination. Any further activity on that computer would contaminate any potential evidence
The incident response team would be responsible for the quarantine of a suspect machine
Any examination has to be carried out in such a way that the original evidence is preserved and not altered in any way
Forensic Procedures
The basic forensic procedures are:
1. Secure the area to prevent contamination
2. Gather volatile information
3. Hash the hard drive
4. Image the hard drive
5. Hash the image to compare
6. Secure the original drive and implement chain of custody
Forensic Procedures
The chain of custody is a document that can detail handling of a piece of evidence from the point of seizure
It is used to prove that the original evidence has not been altered and can be produced in court as the original.
Any actions concerning the evidence have to be documented to demonstrate its integrity
If a drive was hashed in court it must match the original hash taken at the point of seizure
Evidence must be transported securely, labelled and stored securely with all activity itemised within the chain of custody
Forensic Procedures
Gathering volatile evidence
If a machine is still running there is evidence to be gathered before the machine is switched off (not shut down). This evidence should be gathered in the following order:
Registers, cache
Kernel routing table, ARP cache, process table, kernel memory
Temporary file systems
Logging data, local and remote if applicable
Configuration information
Historical and archive data and media
Forensic Procedures
Image duplication – any examination should never take place using the original storage
A hard disk image should be taken at the earliest opportunity
A recognised forensic utility should be used that will take a bit-stream copy
Hashes should be taken of both original and copy then compared to ensure the image is a true copy
The image can be a drive to drive copy or can be a drive to file copy
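The hash, image, hash-the-image, compare sequence from the basic procedure list, together with the chain of custody entries that go with it, is shown in the script below. It is an added illustration, not courseware code or a substitute for a recognised forensic imaging tool: an ordinary file stands in for the seized drive so it runs anywhere, the drive contents are constructed, and the custody log format and the handler name are assumptions. On a real case the source would be a write-blocked device and the log would be the signed custody document.

```python
"""Bit-stream imaging with hash verification and a chain-of-custody log.

Added example (not courseware code). A temporary file plays the part of the
seized drive; its contents, the paths and the handler id are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so a large device is never loaded into RAM whole


def sha256_of(path):
    """Hash a file or device in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source, image, custody_log, handler="examiner-1"):
    """Copy source bit-for-bit to image, hash both, and record every step."""

    def log(action, **detail):
        custody_log.append({"time": datetime.now(timezone.utc).isoformat(),
                            "handler": handler, "action": action, **detail})

    source_hash = sha256_of(source)              # 3. hash the drive before anything else
    log("hash-source", sha256=source_hash)
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:   # 4. image the drive
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)                      # hash of what was actually copied
            dst.write(block)
    log("image", image=os.path.basename(image), bytes=os.path.getsize(image))
    image_hash = sha256_of(image)                # 5. re-read the image from disk and hash it
    log("hash-image", sha256=image_hash)
    verified = source_hash == image_hash == h.hexdigest()
    log("verify", match=verified)                # 6. the log becomes the custody record
    return {"source_hash": source_hash, "image_hash": image_hash, "verified": verified}


def demo():
    """Run the procedure on a constructed drive, then show a tampered image failing."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "sda.raw")
        image = os.path.join(d, "sda.dd")
        drive_bytes = b"EVIDENCE" * 4096         # constructed drive contents
        with open(drive, "wb") as f:
            f.write(drive_bytes)
        custody = []
        result = image_and_verify(drive, image, custody)
        # Alter one byte of the image: its hash must no longer match the seizure hash.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        return {
            "verified": result["verified"],
            "tampered_matches": sha256_of(image) == result["source_hash"],
            "hash_ok": result["source_hash"] == hashlib.sha256(drive_bytes).hexdigest(),
            "custody_actions": [e["action"] for e in custody],
            "custody": custody,
        }


if __name__ == "__main__":
    r = demo()
    print("image verified:", r["verified"], "| tampered image still matches:", r["tampered_matches"])
    print(json.dumps(r["custody"], indent=2))
```

The image is hashed by reading it back from disk rather than reusing the digest computed while writing, so the check also catches a write that silently failed; the same re-hash is what you would repeat in court against the hash recorded at seizure.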
Forensic Procedures
Other considerations for forensic evidence gathering:
Capture logging information
Ensure time is consistent between logs so events can be correlated
Capture screen shots of any data visible
Capture any CCTV images if in use
Interview witnesses
Containment is the most important issue and should be managed by the first responder
Business Continuity
& Disaster Recovery
Business Continuity
Business continuity is the ability of an organisation to continue running mission critical processes in spite of incidents that could disrupt those processes.
Business continuity may have processes running in spite of reduced capacity or damaged infrastructure
If business is disrupted then the disaster recovery takes over
Types of Disaster
Natural – fire, flood, earthquake, tornado, tsunami etc
Human error – accidental deletion, accidental damage, deliberate damage
Network and hacking attacks – malicious outsiders for a variety of reasons
Viruses and worms – random attacks against systems causing disruption
Recovery strategy
A recovery strategy encompasses a series of steps
Creating a DR team
Risk analysis
Business impact analysis
Privacy impact assessment
Creating a DR plan
Testing the plan
Documentation and after action reporting
Business Impact Analysis
Risk assessments have already been covered
A Business Impact Analysis is the next stage of preparing for business continuity
This consists of assessing the risk to business processes and designing recovery plans
The analysis identifies which resources are critical to business operations
Where possible single points of failure within infrastructure should be removed by adding redundancy
Privacy Impact Assessment
First it is necessary to establish if a PIA is required, is the organisation dealing with privacy information?
The PIA determines what data is stored, how it is stored
Different types of data will have different requirements, financial data, health data etc
Business Continuity
Business Continuity Planning implements the policies and procedures to ensure that any incident has minimum impact on normal operations
All plans should be documented
Documentation should contain:
contact lists
facility and network diagrams
system configurations
backup and recovery procedures
details of essential software, licences etc
Disaster Recovery
The DR plan should cover a range of scenarios from minor disruption to total site destruction
The most important aspect of DR is people come first
The plan should be tested on a regular basis and after any major changes to the plan
The plan should be well documented with multiple copies kept off site
Change management must ensure all copies are at the latest revision
All continuity plans and DR processes should be tested periodically to ensure that they achieve the objectives
Testing from a desk check of the plan through to a full scale test of the real thing
After action reporting – how did it go? What did we forget? What needs to change?
Disaster Recovery Summary
Disaster Recovery Planning stages:
1. Initial risk assessment – what are the potential risks
2. Business impact analysis – what is the effect on business
3. DR plan design – what can we do about it
4. DR plan implementation – this is the plan
5. DR test – does it work
6. DR test review – what didn’t work
7. DR plan maintenance and review – what changes
Disaster Recovery
Disaster Recovery must include Succession Planning
Any disaster may affect key personnel or there may be a situation where key personnel needed for DR are not currently available
Succession planning identifies key personnel and their replacements in the event of non-availability
Continuity of Operations
Fault tolerance is the ability of a system or network to be able to withstand a series of failures and continue in operation
Fault tolerance also avoids single points of failure
Availability is the fact that systems are accessible for legitimate users when required
High availability is where the system is fault tolerant to a high degree and will continue to be available in the aftermath of a series of incidents
Recovery Objectives
There is a range of terminology used to describe the timings involved in equipment downtime and repair:
MTBF – Mean Time between Failure is a measure of the reliability of a piece of equipment, a new hard drive would typically have an MTBF of 500,000 hours
MTTF – Mean Time to Failure, an estimate of the time before a unit fails
MTTR – Mean Time To Repair the average time taken to repair an item
Recovery Objectives
MTD – Maximum Tolerable Downtime, the maximum length of time systems can be down before the business is adversely affected
RTO – Recovery Time Objective, a measure of the time it will take to restore business functions
RPO – Recovery Point Objective, a measure of how much data can be lost when a disaster occurs. This is linked closely to backups. If the system fails two hours after a backup the RPO is two hours
Equipment redundancy
Along with on site spares, the following should be considered:
Redundant servers
Server clustering
Load balancing
Configuration backups
Redundant Internet lines
Clustering
Server Clustering allows for duplicate systems to collectively access one or more data sets
There should always be a path through a server to the data if one server fails
A cluster can vary from 2 – 32 servers
Load Balancing
Load Balancing is used to distribute multiple requests between a number of mirrored servers.
Allows for scaling up and down the number of servers
Provides high availability because the site will always be visible even with just one server
Alternate Sites
In the event of a disaster there may be the need to move to an alternate site for operations to continue
An alternate site can range from one that is ready to go within hours to literally just somewhere to go where the infrastructure still has to be built
Hot Site – a real-time ready-to-go site with full infrastructure, all facilities, replicated data from the primary site. Can be active from between minutes to hours, the most expensive option
Warm Site – has some infrastructure, may need servers and data to complete. Could be active within hours to days
Cold site – Premises but not much else, would need complete build to be ready to run, active within days to weeks
Fault Tolerance
Fault tolerance concepts:
Hot swap – spare hardware that can be interchanged with faulty equipment without having to pause or stop the system
Warm swap – hardware can be changed when the system is in a suspended state. The equipment is in the rack, not powered on and needs provisioning
Cold swap – the replacement hardware is in a box on a shelf. The system has to be stopped for replacement
RAID Systems
Redundant Array of Independent Disks – RAID provides for high availability within disk sub-systems with no loss of data
It uses multiple drive volumes to create a single fault tolerant storage unit or can provide for improved disk performance
RAID 0 provides for performance but not fault tolerance by striping the data across multiple disks, this increases read and write performance but if one unit fails the data is lost. Can contain up to 32 disk units
RAID Systems
RAID 1 uses two disk units and mirrors the content of one to the other. If one unit fails then the content is still available on the other unit
Also gives a performance increase because data can be read from more than one drive
RAID Systems
RAID 5 uses a minimum of 3 drives, stripes the data across the drives and also stores parity information distributed across the drives
The parity information allows for the data to be recovered in the event of a single drive failure
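Why a single parity chunk per stripe is enough to survive one drive failure comes down to a property of XOR: any one chunk in a stripe equals the XOR of all the others. The miniature RAID 5 below is an added illustration, not courseware code: three Python lists stand in for drives, parity rotates across them as in a real set, and the sample data and chunk size are constructed.

```python
"""RAID 5 in miniature: striping with distributed parity and single-drive rebuild.

Added example (not courseware code). "Drives" are lists of fixed-size chunks;
DATA and the 4-byte chunk size are constructed for the demonstration.
"""
from functools import reduce

DATA = b"CompTIA Security+ RAID 5 parity demonstration"   # constructed sample data


def xor_blocks(blocks):
    """Bitwise XOR of equal-length byte strings."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def raid5_write(data, n_disks=3, chunk=4):
    """Stripe data over n_disks: each stripe holds n_disks-1 data chunks plus one parity chunk."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs a minimum of three drives")
    per_stripe = chunk * (n_disks - 1)
    data = data + b"\x00" * (-len(data) % per_stripe)      # pad the final stripe
    disks = [[] for _ in range(n_disks)]
    for s, off in enumerate(range(0, len(data), per_stripe)):
        pieces = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(n_disks - 1)]
        parity_disk = s % n_disks                           # parity rotates each stripe
        parity = xor_blocks(pieces)
        it = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, failed=None):
    """Reassemble the data; if `failed` is a drive index, rebuild its chunks from the rest."""
    n = len(disks)
    survivor = next(i for i in range(n) if i != failed)
    out = bytearray()
    for s in range(len(disks[survivor])):
        row = [None if d == failed else disks[d][s] for d in range(n)]
        if failed is not None:
            # The missing chunk (data or parity alike) is the XOR of the surviving ones.
            row[failed] = xor_blocks([c for c in row if c is not None])
        parity_disk = s % n
        out += b"".join(row[d] for d in range(n) if d != parity_disk)
    return bytes(out)


def demo(data=DATA):
    """Return (reads correctly when intact, [reads correctly with drive f failed, ...])."""
    disks = raid5_write(data)
    intact = raid5_read(disks)[:len(data)] == data
    rebuilt = [raid5_read(disks, failed=f)[:len(data)] == data for f in range(len(disks))]
    return intact, rebuilt


if __name__ == "__main__":
    intact, rebuilt = demo()
    print("intact read ok:", intact, "| rebuilt after each single failure:", rebuilt)
```

A second simultaneous failure leaves two unknowns per stripe and one equation, which is why RAID 6 adds a second, independently computed parity chunk.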
RAID Systems
RAID 6 uses a minimum of 4 units and stores two lots of parity information
This allows for data to be recovered in the event of the failure of two different drive units
Redundant hardware
Power supplies – many servers now come with two power supplies so they can still function if one fails
Network interface cards – multiple cards can be installed where they can be teamed or grouped together so that there is still a network connection if one fails
CPUs – not prone to failure but can install multiple CPUs in most servers
UPS – Uninterruptible Power Supply – can provide mains equivalent power whilst real mains is restored or the transition to backup power supply is completed
Backups
DR planning should include planning for redundancy and data recovery
Backups are a normal part of daily operations but are a vital component for disaster recovery
Backups should always be tested with trial restores to ensure they are actually valid
There are three main types of backup
Full
Incremental
Differential
Backups
Full – a full backup copies all files and clears the archive bit to say the files have been backed up
Incremental – an incremental backup copies only the files that have changed since the last full backup and then clears the archive bit
Differential – this copies the files that have changed since the last full backup and does not clear the archive bit
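The three backup types differ only in which files they select and whether they clear the archive bit, so a small simulation makes the consequences visible: what each nightly run copies, and how many backup sets a restore then needs. The script is an added illustration, not courseware code; the file names and the three days of changes are constructed, and it applies the archive-bit rules exactly as the slide states them (full and incremental clear the bit, differential does not).

```python
"""Archive-bit simulation of full, incremental and differential backups.

Added example (not courseware code). Files are a dict name -> archive bit,
where a set bit means "changed since last backed up"; the week of changes
in WEEK is constructed.
"""


def new_files(names):
    """Fresh files have their archive bit set: nothing has backed them up yet."""
    return {n: True for n in names}


def modify(files, names):
    """Editing a file sets its archive bit again."""
    for n in names:
        files[n] = True


def run_backup(files, kind):
    """Copy the files this backup type selects; return their names sorted."""
    if kind == "full":
        copied = sorted(files)
        for n in files:
            files[n] = False                    # full clears every bit
    elif kind == "incremental":
        copied = sorted(n for n, bit in files.items() if bit)
        for n in copied:
            files[n] = False                    # incremental clears the bits it copied
    elif kind == "differential":
        copied = sorted(n for n, bit in files.items() if bit)   # bits left set
    else:
        raise ValueError(f"unknown backup type: {kind}")
    return copied


def simulate(kind, daily_changes):
    """Full backup first, then one `kind` backup after each day's changes."""
    files = new_files(["a", "b", "c", "d"])
    history = [("full", run_backup(files, "full"))]
    for changes in daily_changes:
        modify(files, changes)
        history.append((kind, run_backup(files, kind)))
    return history


def restore_sets(history):
    """Indexes of the backup sets needed, in order, to restore to the last run."""
    last_full = max(i for i, (k, _) in enumerate(history) if k == "full")
    later = history[last_full + 1:]
    if not later:
        return [last_full]
    if later[0][0] == "incremental":
        return list(range(last_full, len(history)))   # full plus every incremental since
    return [last_full, len(history) - 1]               # full plus only the latest differential


WEEK = [["a", "b"], ["c"], ["a"]]   # constructed: files changed on three successive days

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist = simulate(kind, WEEK)
        print(kind, [copied for _, copied in hist], "-> restore sets:", restore_sets(hist))
```

The trade-off shows up directly: incremental runs copy the least each night but a restore must replay every set since the full backup in order, whereas differential runs grow each night but restore from just two sets.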
Backups
Other considerations for backups:
Frequency
Type and amount of data
How many generations of backup
Media rotation and retention
Restoration
Off site storage
Environmental Controls
Location of facility – flood, landslide, civil disturbance
Construction of facility – materials, doors, windows
Server room construction – environment, security, access
Temperature – HVAC, hot and cold aisles, ventilation
Humidity – moisture, static, aim for 40-60% humidity
Environmental Controls
Power should be stable to avoid fluctuations
Spike – a momentary increase in voltage
Surge – a prolonged increase in voltage
Sag – a momentary drop in voltage
Brownout – a prolonged drop in voltage
Blackout – a prolonged period of no voltage
A UPS can also act as a line conditioner to eliminate the above situations
Cable shielding
Cables are sensitive to electrical interference
EMI – Electromagnetic Interference – caused by motors and fluorescent lights, can interfere with the data transfer in cables
Crosstalk – where a signal in one wire transfers to another if they run parallel for any length; that is why we use twisted pair
Attenuation – signals degrade over distance, hence the distance limitation in twisted pair
Cable Shielding
Coax cables – a single centre core with an outside braid, the braid acts as a shield
Twisted pair, the twists prevent crosstalk. Shielded twisted pair provides greater security against EMI and sniffing
Fibre Optic – immune to EMI using only light as the transfer medium
Wireless networks – prone to interference from objects using the same frequency
Fire Suppression
Fire detection and suppression is an important element of the server environment
Fire can be detected in several ways:
Smoke detectors – photoelectric or ionisation
Flame detectors – optical or detecting the gases of combustion
Heat detectors – based upon the rate of heat rise
Video monitoring – the ability to see if a fire is present
Fire suppression
Water is a common suppressant in the workplace but not for computer or other electrical equipment
Foam is effective but is messy, leading to further damage
Fire suppression systems should use inert gas rather than other mediums
Gas systems remove the oxygen necessary to sustain combustion but do not cause any residual damage
Gases such as Argon or FM200 have replaced Halon as a suppressant because they are less harmful to humans