Chapter 21
Common Types of Attacks

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

Domain 4.0 Network Security

4.1 Explain the importance of basic network security concepts.
    Physical security
        Camera
        Locks
    Deception technologies
        Honeypot
        Honeynet
    Network segmentation enforcement
        Internet of Things (IoT) and Industrial Internet of Things (IIoT)
        Supervisory control and data acquisition (SCADA), industrial control system (ICS), operational technology (OT)
        Guest
        Bring your own device (BYOD)

4.2 Summarize various types of attacks and their impact to the network.
    Denial-of-service (DoS)/distributed denial-of-service (DDoS)
    VLAN hopping
    Media Access Control (MAC) flooding
    Address Resolution Protocol (ARP) poisoning
    ARP spoofing
    DNS poisoning
    DNS spoofing
    Rogue devices and services
        DHCP
        AP
    Evil twin
    On-path attack
    Social engineering
        Phishing
        Dumpster diving
        Shoulder surfing
        Tailgating
    Malware

4.3 Given a scenario, apply network security features, defense techniques, and solutions.
    Device hardening
        Disable unused ports and services
        Change default passwords
    Network access control (NAC)
        Port security
        802.1X
        MAC filtering
    Key management
    Security rules
        Access control list (ACL)
        Uniform Resource Locator (URL) filtering
        Content filtering
    Zones
        Trusted vs. untrusted
        Screened subnet

It's true…you're not paranoid if they really are out to get you. Although “they” probably aren't after you personally, your network—no matter the size—is seriously vulnerable, so it's wise to be very concerned about keeping it secure. Unfortunately, it's also true that no matter how secure you think your network is, it's a good bet that there are still some very real threats out there that could breach its security and totally cripple your infrastructure! I'm not trying to scare you; it's just that networks, by their very nature, are not secure environments.

Think about it—the whole point of having a network is to make resources available to people who aren't at the same physical location as the network's resources. Because of this, it follows that you've got to open access to those resources to users you may not be able to identify. One network administrator I know referred to a server running a much-maligned network operating system as “a perfectly secure server until you install the NIC.” You can see the dilemma here, right?

With all this doom and gloom, what's a network administrator to do? Well, the first line of defense is to know about the types of threats out there because you can't do anything to protect yourself from something you don't know about. But once you understand the threats, you can begin to design defenses to combat bad guys lurking in the depths of cyberspace just waiting for an opportunity to strike. I'm going to introduce you to some of the more common security threats and teach you about the ways to mitigate them. I'll be honest—the information I'll be giving you in this chapter is definitely not exhaustive. Securing computers and networks is a huge task, and there are hundreds of books on this subject alone.

To operate securely in a network environment, one must understand how to speak the language of security. As in any field, there is specific terminology. In this chapter, you will learn the common types of attacks that all network professionals should understand to secure an enterprise network.

To find Todd Lammle CompTIA videos and practice questions, please see www.lammle.com.

Technology-Based Attacks

All attacks upon an organization are either technology-based or physically-based. A technology-based attack is one in which the network and operating systems are used against the organization in a negative way. Physical attacks use human interaction or physical access, which I will cover later. I will now cover several different types of technology-based attacks that are commonly used against networks and organizations.

Denial of Service/Distributed Denial of Service

A denial of service (DoS) is an attack launched to disrupt the service or services a company receives or provides via the Internet. A DoS attack is executed with an extremely large number of false requests, resulting in the servers not being able to fulfill valid requests for clients and employees. As shown in Figure 21.1, a bad actor sends many false requests for information to a server. Then when the valid requests are sent to the server, the resources, such as memory and CPU, are exhausted, and the server cannot fulfill the valid requests. There are several different types of DoS attacks.

FIGURE 21.1 Typical DoS attack

Reflective

A reflective DoS attack is not a direct attack; it requires a third party that will inadvertently execute the attack. The attacker will send a request to a third-party server and forge the source address of the packet with the victim's IP address. When the third party responds, it responds to the victim. There are two victims in this type of DoS attack; the first is the victim the attack is aimed at, and the second is the third-party server used to carry out the attack, as shown in Figure 21.2.

FIGURE 21.2 Typical reflective attack

Amplified

An amplified DoS attack is a variant of a reflective DoS attack. It is carried out by making a small request to the third-party server that yields a larger response to the victim. The most common third-party servers used to carry out this type of attack are DNS and NTP. For example, an attacker will request a DNS query for a single hostname that contains 20 aliases while forging the source IP address. The victim is then barraged with the 20 answers from the query, as shown in Figure 21.3.

FIGURE 21.3 Typical amplified attack

Distributed

A distributed denial of service (DDoS) has become the most common type of DoS, because the source of the DoS is varied. A DDoS employs many bots to create a botnet. A botnet is a series of compromised servers or hosts that are under a bad actor's control. It is common for botnets to launch DDoS attacks on organizations. When a single host is used to create a DoS, it can simply be blocked. However, when traffic is coming from millions of different hosts, it is impossible to isolate the DoS and firewall the source. A bad actor will leverage a key server called a command-and-control server to deliver commands to each bot in the botnet, as shown in Figure 21.4. The command-and-control server is often a compromised server as well; it just happens to be where the bad actor has set up shop (so to speak).

FIGURE 21.4 Components of a DDoS attack

Friendly/Unintentional DoS

An unintentional DoS attack (also referred to as an attack from “friendly fire”) is not one caused by malicious individuals; instead, it's a spike in activity to a website or resource that overpowers its ability to respond. In many cases, it is the result of a relatively unknown URL suddenly being shared in a larger medium such as a popular TV or news show.

Physical DoS

Physical DoS attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Routers, switches, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls. Otherwise, you may be confronted with a permanent DoS, covered in the next section.

Permanent DoS

A permanent DoS attack is one in which the device is damaged and must be replaced. It requires physical access to the device, or does it? Actually, it doesn't! An attack called a phlashing denial of service (PDoS) attacks the firmware located in many systems. Using tools that fuzz (introduce errors into) the firmware, attackers cause the device to be unusable. Another approach is to introduce a firmware image containing a Trojan or other type of malware.

On-Path Attack (Previously Known as Man-in-the-Middle Attack)

Many of the attacks we're discussing can be used in conjunction with an on-path attack, which was previously known as a man-in-the-middle (MitM) attack. For example, the evil twin attack, discussed later, allows the attacker to position themselves between the compromised user and the destination server. The attacker can then eavesdrop on a conversation and possibly change information contained in the conversation. Conventional on-path attacks allow the attacker to impersonate both parties involved in a network conversation. This allows the attacker to eavesdrop and manipulate the conversation without either party knowing. The attacker can then relay requests to the server as the originating host attempts to communicate on the intended path, as shown in Figure 21.5.

FIGURE 21.5 On-path attack

DNS Poisoning/Spoofing

DNS clients send requests for name to IP address resolution (called queries) to a DNS server. The search for the IP address that goes with a computer or domain name usually starts with a local DNS server that is not authoritative for the DNS domain in which the requested computer or website resides. When this occurs, the local DNS server makes a request of the DNS server that does hold the record in question. After the local DNS server receives the answer, it returns it to the local DNS client. After this, the local DNS server maintains that record in its DNS cache for a period called the time to live (TTL), which is usually an hour but can vary.

In a DNS cache poisoning attack, the attacker attempts to refresh or update that record when it expires with a different address than the correct address. If the attacker can convince the DNS server to accept this refresh, the local DNS server will then respond to client requests for that computer with the address inserted by the attacker. Typically, the address they now receive is for a fake website that appears to look in every way like the site the client is requesting. The hacker can then harvest all the name and password combinations entered on his fake site.

The DNS servers should be limited in the updates they accept to prevent this type of attack. In most DNS software, you can restrict the DNS servers from which a server will accept updates. This can help prevent the server from accepting these false updates.

DNS spoofing is slightly different than DNS poisoning. DNS spoofing, also called DNS cache poisoning, is an attack created by manipulating DNS records to redirect users toward a fraudulent, malicious website that looks like the destination host or web page.

VLAN Hopping

VLANs, or virtual LANs, are layer 2 subdivisions of the ports in a single switch. A VLAN may also span multiple switches. When devices are segregated into VLANs, access control lists can be used in a router to control access between VLANs in the same way it is done between real LANs. When VLANs span switches, the connection between the switches is called a trunk link, and it carries the traffic of multiple VLANs. Trunk links are also used for the connection from the switch to the router.

A VLAN hopping attack results in traffic from one VLAN being sent to the wrong VLAN (see Figure 21.6). Normally, this is prevented by the trunking protocol placing a VLAN tag in the packet to identify the VLAN to which the traffic belongs. The attacker can circumvent this by a process called double tagging, which is placing a fake VLAN tag into the packet along with the real tag. When the frame goes through multiple switches, the real tag is taken off by the first switch, leaving the fake tag. When the frame reaches the second switch, the fake tag is read and the frame is sent to the VLAN to which the hacker intended the frame to go. This process typically occurs to launch an attack on the native VLAN.

FIGURE 21.6 VLAN hopping

ARP Spoofing/Poisoning

ARP spoofing is the process of adopting another system's MAC address for the purpose of receiving data meant for that system. It usually also entails ARP cache poisoning. ARP cache poisoning is usually a part of an on-path/man-in-the-middle attack. The ARP cache contains IP address to MAC address mappings that a device has learned through the ARP process. One of the ways this cache can be poisoned is by pinging a device with a spoofed IP address. In this way, an attacker can force the victim to insert an incorrect IP address to MAC address mapping into its ARP cache. If the attacker can accomplish this with two computers having a conversation, they can effectively be placed in the middle of the transmission. After the ARP cache is poisoned on both machines, they will be sending data packets to the attacker, all the while thinking they are sending them to the other member of the conversation.

Rogue Devices and Services

Rogue devices and services consist of any physical device or logical services that are not commissioned by the organization. These devices and services are typically malicious in intent, but they can also be triggered by an employee plugging in a device. This introduction of a rogue device can consequently have the potential for disruption. The following are some of the most common rogue devices and services you may encounter.

Rogue DHCP

Dynamic Host Configuration Protocol (DHCP) is used to automate the process of assigning IP configurations to hosts. When configured properly, it reduces administrative overload, reduces the human error inherent in manual assignment, and enhances device mobility.
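The double-tagging trick from the VLAN hopping section can be recognized on the wire: a frame carrying two 802.1Q tags whose outer tag is the trunk's native VLAN. The parser below, an added example and not code from the book, walks the tag stack of a raw Ethernet frame and flags that pattern; the frames it checks are constructed test input, and the VLAN numbers and MAC addresses are made up.

```python
"""Parse 802.1Q VLAN tags from raw Ethernet frames and flag double-tagged
frames matching the VLAN hopping pattern: an outer tag for the trunk's
native VLAN wrapped around a second tag for a different VLAN.

Added example for this chapter, not the book's code. Frames below are
constructed test input; VLAN numbers and MAC addresses are made up.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service VLAN tag (802.1ad / Q-in-Q)


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vids: list = field(default_factory=list)  # VLAN IDs, outermost first
    ethertype: int = 0                        # EtherType of the payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the tag stack after the MAC header and collect every VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    parsed = ParsedFrame(dst=frame[0:6].hex(":"), src=frame[6:12].hex(":"))
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        parsed.vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    parsed.ethertype = ethertype
    return parsed


def is_double_tag_hop(parsed: ParsedFrame, native_vlan: int) -> bool:
    """True when a frame carries two or more tags and the outer one is the
    trunk's native VLAN: the first switch strips that tag and the next switch
    forwards on the inner one, which is the behaviour the chapter describes.
    Moving the native VLAN to an unused ID (and tagging it) breaks the pattern."""
    return len(parsed.vids) >= 2 and parsed.vids[0] == native_vlan


def build_test_frame(vids, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a frame with the given tag stack (test input only)."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return header + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    native = 1  # assumed native VLAN of the trunk
    for vids in ([10], [1, 20], [1]):
        p = parse_frame(build_test_frame(vids))
        print(p.vids, "hop attempt" if is_double_tag_hop(p, native) else "normal")
```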
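ARP cache poisoning, as described above, leaves two traces a monitor can catch: an IP address whose MAC suddenly changes, and one MAC that claims to be several hosts (typically the gateway and a victim). The watcher below is an added example, not code from the book; it sees only ARP replies (not the spoofed pings the section also mentions), and the events, addresses and gateway binding are constructed.

```python
"""Watch ARP replies for the cache-poisoning pattern: an IP that suddenly maps
to a new MAC, or one MAC answering for several hosts. Added example, not the
book's code; the events and addresses below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    ts: float         # seconds since capture start
    sender_ip: str    # protocol address the reply claims to speak for
    sender_mac: str   # hardware address it wants cached for that IP


class ArpWatcher:
    """Tracks IP->MAC bindings seen on the wire against trusted static ones."""

    def __init__(self, static_bindings=None):
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned = {}                   # first mapping seen for each IP
        self.ips_by_mac = defaultdict(set)  # which IPs each MAC has claimed

    def observe(self, ev: ArpEvent):
        alerts = []
        mac = ev.sender_mac.lower()
        expected = self.static.get(ev.sender_ip) or self.learned.get(ev.sender_ip)
        if expected is None:
            self.learned[ev.sender_ip] = mac
        elif expected != mac:
            kind = "static" if ev.sender_ip in self.static else "learned"
            alerts.append(f"{ev.ts}: {ev.sender_ip} changed {expected} -> {mac} ({kind} binding)")
        self.ips_by_mac[mac].add(ev.sender_ip)
        if len(self.ips_by_mac[mac]) > 1:
            # Legitimate for a router with several addresses; for a workstation
            # it is the signature of someone placing themselves between two hosts.
            alerts.append(f"{ev.ts}: {mac} claims {sorted(self.ips_by_mac[mac])}")
        return alerts


STATIC_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}  # constructed gateway binding

# Constructed capture: the gateway and a host answer normally, then a third
# station answers for both of them with its own MAC.
SAMPLE_EVENTS = [
    ArpEvent(1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpEvent(2.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpEvent(30.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),
    ArpEvent(30.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),
]


def analyze(events, static_bindings):
    """Run every event through one watcher and return all alerts in order."""
    watcher = ArpWatcher(static_bindings)
    alerts = []
    for ev in events:
        alerts.extend(watcher.observe(ev))
    return alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS, STATIC_BINDINGS):
        print(line)
```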
But it introduces a vulnerability that, when leveraged by a malicious individual, can result in an inability of hosts to communicate (constituting a DoS attack) and in peer-to-peer attacks. When an illegitimate DHCP server (called a rogue DHCP server) is introduced to the network, unsuspecting hosts may accept DHCP Offer packets from the illegitimate DHCP server rather than the legitimate DHCP server. When this occurs, not only will the rogue DHCP server issue the host an incorrect IP address, subnet mask, and default gateway address (which makes a peer-to-peer attack possible), but it can also issue an incorrect DNS server address, which will lead to the host relying on the attacker's DNS server for the IP addresses of websites (such as those resembling major banks' websites) that lead to phishing attacks. Figure 21.7 shows an example of the effect of a rogue DHCP server. In Figure 21.7, after receiving an incorrect IP address, subnet mask, and default gateway from the rogue DHCP server, the DHCP client unwittingly uses the attacker as the gateway. The attacker can then launch an on-path attack without the client ever knowing what happened.

FIGURE 21.7 Effects of a rogue DHCP

Rogue Access Point

Rogue access points (APs) are APs that have been connected to your wired infrastructure without your knowledge. The rogue may have been placed there by a determined hacker who snuck into your facility and put it in an out-of-the-way location or, more innocently, by an employee who just wants wireless access and doesn't get just how dangerous doing this is. Either way, it's just like placing an open Ethernet port out in the parking lot with a sign that says “Corporate LAN access here—no password required!”

Clearly, the worst type of rogue AP is the one some hacker has cleverly slipped into your network. It's particularly nasty because the bad guy probably didn't do it to simply gain access to your network.
Nope—the hacker likely did it to entice your wireless clients to disastrously associate with their rogue AP instead! This ugly trick is achieved by placing their AP on a different channel from your legitimate APs and then setting its SSID in accordance with your SSID. Wireless clients identify the network by the SSID, not the MAC address of the AP or the IP address of the AP, so jamming the channel that your AP is on will cause your stations to roam to the bad guy's AP instead. With the proper DHCP software installed on the AP, the hacker can issue the client an address, and once that's been done, the bad guy has basically “kidnapped” your client over to their network and can freely perform a peer-to-peer attack. Believe it or not, this can all be achieved from a laptop while Mr. Hacker simply sits in your parking lot, because there are many types of AP software that will run on a laptop—yikes!

Evil Twin

An evil twin is an AP that is not under your control but is used to perform a hijacking attack. A hijacking attack is one in which the hacker connects one or more of your users' computers to their network for the purpose of a peer-to-peer attack. The attack begins with the introduction of an access point that is under the hacker's control. This access point will be set to use the same network name or SSID your network uses, and it will be set to require no authentication (creating what is called an open network). Moreover, this access point will be set to use a different channel than the access point under your control.

To understand how the attack works, you must understand how wireless stations (laptops, tablets, and so on) choose an access point with which to connect. It is done by SSID and not by channel. The hacker will “jam” the channel on which your access point is transmitting. When a station gets disconnected from an access point, it scans the area for another access point with the same SSID. The stations will find the hacker's access point and will connect to it, as shown in Figure 21.8.

FIGURE 21.8 An evil twin attack

Once the station is connected to the hacker's access point, it will receive an IP address from a DHCP server running on the access point, and the user will now be located on the same network as the hacker. At this point, the hacker is free to commence a peer-to-peer attack.

Deauthentication

The 802.11 wireless protocol contains a method for deauthentication of clients via a deauthentication frame. An attacker can send a deauthentication frame on behalf of the user, which disconnects them from the access point. Attackers will use this method in conjunction with an evil twin attack to deauthenticate the user from a valid access point so they can try to reconnect to the evil twin access point. The deauthentication attack can also be used to generate association traffic for purposes of cracking a wireless passphrase.

Password Attacks

When an attacker attempts to guess a password for a known username, it is considered a password attack. Usernames such as admin, administrator, and root should always be avoided since these are considered privileged accounts. You should always use passwords that are at least 10 characters or longer. Complexity should also be used when formulating a password, such as using lowercase, uppercase, symbols, and numbers. An attacker will perform a password attack using one of two primary tactics: a dictionary attack or a brute-force attack.

Dictionary Attacks

A dictionary attack is just how it sounds; the attack is carried out by using a database of common words called a dictionary. These dictionary files can be kilobytes to gigabytes in size, and they contain commonly used passwords. The obvious dictionary words are password, privilege, and variations of password using numbers, such as passw0rd. Password complexity and length settings are often implemented to mitigate password dictionary attacks.
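Both wireless attacks above (a rogue AP or evil twin advertising your SSID from a BSSID you don't own, usually on another channel, and a burst of deauthentication frames spoofing a real AP) can be spotted by a monitor that watches beacon and deauthentication frames. The monitor below is an added example, not code from the book; the frame records, SSID, BSSIDs and the burst threshold are constructed assumptions.

```python
"""Wireless monitor for evil twin / rogue AP beacons and deauthentication
bursts. Added example, not the book's code; frame records are constructed and
the SSID, BSSIDs and thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WifiFrame:
    ts: float
    kind: str          # "beacon" or "deauth"
    bssid: str         # AP address the frame carries
    ssid: str = ""     # beacons only
    channel: int = 0   # beacons only


class WirelessMonitor:
    def __init__(self, protected_ssid, authorized_bssids, deauth_threshold=5, window_s=10.0):
        self.ssid = protected_ssid
        self.authorized = {b.lower() for b in authorized_bssids}
        self.threshold = deauth_threshold
        self.window = window_s
        self.deauth_times = defaultdict(deque)  # bssid -> recent deauth timestamps
        self.flagged = set()                    # bssids already reported for a burst

    def observe(self, f: WifiFrame):
        alerts = []
        bssid = f.bssid.lower()
        if f.kind == "beacon":
            # Stations pick an AP by SSID, so any beacon carrying our SSID from a
            # BSSID we do not own is an evil twin (or an employee's rogue AP).
            if f.ssid == self.ssid and bssid not in self.authorized:
                alerts.append(f"{f.ts}: unknown BSSID {bssid} advertising '{f.ssid}' on channel {f.channel}")
        elif f.kind == "deauth" and bssid in self.authorized:
            # Sliding window: more than `threshold` deauths in `window` seconds
            # in the name of one of our APs is a deauthentication attack.
            q = self.deauth_times[bssid]
            q.append(f.ts)
            while q and f.ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold and bssid not in self.flagged:
                self.flagged.add(bssid)
                alerts.append(f"{f.ts}: {len(q)} deauth frames in {self.window:g}s claiming to be {bssid}")
        return alerts


AUTHORIZED = ["AA:AA:AA:AA:AA:01", "AA:AA:AA:AA:AA:02"]  # constructed corporate APs

# Constructed capture: normal beacons, a guest network that is not ours, then
# an unknown AP on channel 11 using our SSID, followed by a deauth burst
# spoofing the real AP on channel 6.
SAMPLE_FRAMES = [
    WifiFrame(0.0, "beacon", "AA:AA:AA:AA:AA:01", "CorpWiFi", 6),
    WifiFrame(0.1, "beacon", "AA:AA:AA:AA:AA:02", "CorpWiFi", 1),
    WifiFrame(0.2, "beacon", "DD:DD:DD:DD:DD:EE", "GuestNet", 11),
    WifiFrame(5.0, "beacon", "DD:DD:DD:DD:DD:EE", "CorpWiFi", 11),
] + [WifiFrame(6.0 + i * 0.2, "deauth", "AA:AA:AA:AA:AA:01") for i in range(8)]


def analyze(frames, protected_ssid="CorpWiFi", authorized=AUTHORIZED):
    """Run every frame through one monitor and return the alerts in order."""
    mon = WirelessMonitor(protected_ssid, authorized)
    alerts = []
    for f in frames:
        alerts.extend(mon.observe(f))
    return alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_FRAMES):
        print(line)
```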
Brute-Force Attacks

Brute force is a last-ditch effort to crack a passphrase or password. A brute-force application will try every combination of a password until access is granted. These combinations will include uppercase letters, lowercase letters, symbols, and numbers. The number of combinations is exponential with every character added to a password, so long passwords of 10 characters or more are best. There are two brute-force attack methods: the online method and the offline method, as shown in Figure 21.9.

FIGURE 21.9 Brute-force password attacks

Both methods use a brute-force application to try each permutation of the password. The online method accesses the application directly and attempts to crack the password. However, the weakness of an online brute-force attack is that automatic lockouts after so many failed attempts slow the attacker down considerably. The offline method requires the theft of the credentials file, and the brute-force attack is attempted directly on the offline credentials file. Passwords are never stored in clear text; they are commonly hashed. So, theft of the credential file requires hashing password combinations in an attempt to match the hash. With the use of a high-end graphics card, an attacker can try millions of password hashes a minute or even in seconds. An attacker can also employ a database of password-to-hash combinations, called rainbow tables. Rainbow tables can be terabytes in size.

MAC Spoofing

MAC spoofing is the assumption of another system's MAC address for the following purposes:
    To pass through a MAC address filter
    To receive data intended for another system
    To impersonate a gateway (router interface) for the purpose of receiving all data leaving a subnet

MAC spoofing is the reason we don't rely solely on security at layer 2 (MAC address filters), while best practices call for basing access on user accounts rather than device properties such as IP addresses or MAC addresses.

IP Spoofing

Spoofing is performed by an attacker so they can impersonate an IP address of an organization's assets. Spoofing allows the attacker to bypass access control systems and gain access to protected resources on the network. Spoofing is often used in DoS attacks to hide the attacker's IP address. The attacker forges a packet with the pawn's IP address as the source IP address and proceeds to attack the victim at the destination IP address. IP spoofing can be used in more elaborate attacks involving MAC spoofing to carry on a two-way conversation. Access control lists are an effective way to mitigate spoofing of internal IPs from outside the trusted network.

MAC Flooding

MAC flooding is a cyberattack targeting switches on a local area network (LAN). It involves sending multiple packets with fake MAC addresses to overflow the switch's address table, causing the buffer to overflow and making the switch unable to process any legitimate traffic.

Malware

Malware is a broad term describing any software with malicious intent. Although we use the terms malware and virus interchangeably, distinct differences exist between them. The lines have blurred because the delivery mechanism of malware and viruses is sometimes indistinguishable. A virus is a specific type of malware, the purpose of which is to multiply, infect, and do harm. A virus distinguishes itself from other malware because it is self-replicating code that often injects its payload into documents and executables. This is done in an attempt to infect more users and systems. Viruses are so efficient in replicating that their code is often programmed to deactivate after a period of time, or they are programmed to only be active in a certain region of the world. Malware can be found in a variety of other forms, such as covert cryptomining, web search redirection, adware, spyware, and even ransomware, and these are just a few.
Today the largest threat of malware is ransomware because it's lucrative for criminals.

Ransomware

Ransomware is a type of malware that is becoming popular because of anonymous currency, such as Bitcoin. Ransomware is software that is often delivered through an unsuspecting random download. It takes control of a system and demands that a third party be paid. The “control” can be accomplished by encrypting the hard drive, by changing user password information, or via any of a number of other creative ways. Users are usually assured that by paying the extortion amount (the ransom), they will be given the code needed to revert their systems back to normal operations. CryptoLocker was one of the first ransomware threats that made headlines across the world (see Figure 21.10). You can protect yourself from ransomware by having antivirus/antimalware software with up-to-date definitions and by keeping current on patches.

FIGURE 21.10 CryptoLocker

Trojans

Trojan horses are programs that enter a system or network under the guise of another program. A Trojan horse may be included as an attachment or as part of an installation program. The Trojan horse can create a backdoor or replace a valid program during installation. It then accomplishes its mission under the guise of another program. Trojan horses can be used to compromise the security of your system, and they can exist on a system for years before they're detected.

The best preventive measure for Trojan horses is to not allow them entry into your system. Immediately before and after you install a new software program or operating system, back it up! If you suspect a Trojan horse, you can reinstall the original program(s), which should delete the Trojan horse. A port scan may also reveal a Trojan horse on your system. If an application opens a TCP or UDP port that isn't supported in your network, you can track it down and determine which port is being used.

Keyloggers

A keylogger is normally a piece of software that records an unsuspecting victim's keystrokes. Keyloggers can stay loaded in memory and wait until you log into a website or other authentication system. They will then capture and relay the information to an awaiting host on the Internet. Keyloggers don't always have to be in the form of software. Some keyloggers are hardware dongles that sit between the keyboard and computer. These must be retrieved, and the data must be downloaded manually, so they are not very common.

Rootkits

Rootkits are software programs that have the ability to hide certain things from the operating system. They do so by obtaining (and retaining) administrative-level access. With a rootkit, there may be a number of processes running on a system that don't show up in Task Manager, or connections that don't appear in a Netstat display of active network connections that may be established or available. The rootkit masks the presence of these items by manipulating function calls to the operating system and filtering out information that would normally appear. Unfortunately, many rootkits are written to get around antivirus/antimalware and antispyware programs that aren't kept up-to-date. The best defense you have is to monitor what your system is doing and catch the rootkit in the process of installation.

Spyware

Spyware differs from other malware in that it works—often actively—on behalf of a third party. Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it. The users often don't know they have asked for it but have done so by downloading other programs, visiting infected sites, and so on. The spyware program monitors the user's activity and responds by offering unsolicited pop-up advertisements (sometimes known as adware), gathers information about the user to pass on to marketers, or intercepts personal data, such as credit card numbers.

Cryptominers

With the rise of Bitcoin, so came the rise of cryptominers. A cryptominer is typically a purpose-built device that grinds out cryptographic computations. When the computation is balanced, a cryptocoin is created and equates to real money, such as Bitcoin, Ethereum, and Dogecoin, just to name a few. A cryptominer does not always have to be a dedicated purpose-built device; it can also be a distributed group of computers called a cryptopool.

Malware in the form of cryptominers became very popular, because it is a very lucrative way for threat agents to make money. The problem is that the threat agents use your computer to grind out the computations. The most common way a threat agent will run a cryptominer remotely is with JavaScript embedded on a malicious web page. Threat agents have also been known to create viruses in which the payload (cryptominer) uses your video card to grind out the computations. However, the JavaScript variant is more common to find in the wild.

Viruses

Viruses can be classified as polymorphic, stealth, retrovirus, multipartite, armored, companion, phage, and macro viruses. Each type of virus has a different attack strategy and different consequences.

EXERCISE 21.1 Testing Your Antimalware

1. Navigate to the Eicar antimalware test file site at www.eicar.org/download-anti-malware-testfile.
2. Scroll down to the download section.
3. Download a few of the Eicar test files and notice how your antivirus detects the malware.
4. Examine the alerts your antimalware software uses to report the malware.

The Eicar website contains a totally benign piece of malware that triggers your antimalware engine. Any search for Eicar will produce similar results and the contents are benign.
Human and Environmental While some vulnerabilities come from technical challenges such as attacks on cryptography and network protocols, many are a result of environmental issues within the facility or of human error and poor network practices by the users (we call these self- inflicted wounds). In the following sections, you'll learn about human and environmental vulnerabilities. Social Engineering Hackers are more sophisticated today than they were 10 years ago, but then again, so are network administrators. Because most of today's sys admins have secured their networks well enough to make it pretty tough for an outsider to gain access, hackers decided to try an easier route to gain information: They just asked the network's users for it. Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly. Phishing Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that is nearly identical to a legitimate website. Users are led there by fake emails that appear to come from a trusted source. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target's habits and likes. The best defense is security awareness training for the users. Environmental Some attacks become possible because of the security environment we have allowed to develop. The following are issues that are created by user behavior. 
Tailgating Tailgating is the term used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device. Many social-engineering intruders who need physical access to a site will use this method of gaining entry. Educate users to beware of this and other social-engineering ploys and prevent them from happening. Access control vestibules (mantraps) are a great way to stop tailgating. An access control vestibule (mantrap) is a series of two doors with a small room between them that helps prevent unauthorized people from entering a building. Piggybacking Piggybacking and tailgating are similar but not the same. Piggybacking is done with the authorization of the person with access. Tailgating is done when the attacker sneaks inside without the person with access knowing. This is why access control vestibules (mantraps) and turnstiles deter tailgating, and live guards and security training deter piggybacking. Dumpster Diving Dumpster diving is a way for attackers to gain information that they use to establish trust from data or sensitive documents that you discarded in one way or another. Law enforcement, journalists, and hackers who don't mind getting dirty—any of them could use this technique. Shoulder Surfing Shoulder surfing involves nothing more than watching someone when they enter their sensitive data. They can see you entering a password, typing in a credit card number, or entering any other pertinent information. The best defense against this type of attack is to survey your environment before entering personal data. Privacy filters can be used that make the screen difficult to read unless you are directly in front of it. EXERCISE 21.2 Experimenting with Social Engineering 1. Call the receptionist from an outside line when the sales manager is at lunch. 
Tell the receptionist that you're a new salesperson, that you didn't write down the username and password the sales manager gave you last week, and that you need to get a file from the email system for a presentation tomorrow. Does the receptionist direct you to the appropriate person or attempt to help you retrieve the file?

2. Call the human resources department from an outside line. Don't give your real name but instead say that you're a vendor who has been working with this company for years. You'd like a copy of the employee phone list to be emailed to you, if possible. Do they agree to send you the list, which would contain information that could be used to try to guess usernames and passwords?

3. Pick a user at random. Call them and identify yourself as someone who works with the company. Tell them that you're supposed to have some new software ready for them by next week and that you need to know their password to finish configuring it. Do they do the right thing?

The best defense against any social engineering attack is education. Make certain that the employees of your company know how to react to the requests presented here. Social engineering works on the premise that people try to help when they feel invested in your efforts, for example because you appear to be a co-worker or because you seem to be helping them.

Hardening Security

There are many different hardening techniques we can employ to secure our networks from compromise. When evaluating the techniques to be employed in your network, you should keep a few things in mind: evaluate your risk, evaluate the overhead the hardening introduces, and prioritize your list of hardening techniques to be implemented. Many of these hardening techniques are “low-hanging fruit” and should be employed, such as changing default passwords on network appliances and operating systems. Just make sure you have a system in place so complex passwords are not forgotten and are kept safe.
Other techniques might require much more effort, such as patch management and firmware changes. In the following sections, I will introduce you to a myriad of hardening techniques that can be used to secure your organization.

Device Hardening

Device hardening is the action of changing the network device or operating system's defaults to make it more secure. When we install a new device, the first thing we do is change the default passwords and patch the device. This effectively hardens the device from attacks. Other common hardening techniques consist of disabling services and network ports we don't need for the use of the device or operating system.

Changing Default Credentials

When installing a network device, the very first thing you must do is log into the device. There is often a standardized default username and password for each vendor or vendor's product line. Most devices make you change the default password upon login to the device. Changing the default password to a complex password is a good start to hardening the device. However, changing the username will also ensure that a brute-force attack cannot be performed against the default username. There are many different websites dedicated to listing the default credentials for network devices, so it doesn't take tremendous skill to obtain the default username and password of the device.

Avoiding Common Passwords

Avoiding common passwords is another simple measure to harden the device or operating system. There are several dictionaries that you can find on the Internet that will include common passwords. Some dictionaries are even collections of compromised passwords that have been made public. When creating a password, it is always best practice to make the password at least 12 to 18 characters, based on the sensitivity of its use. You should always include symbols, numbers, and uppercase and lowercase alpha characters.
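The following Python checker is an added illustration, not code from the book, that applies this section's guidance mechanically: minimum length, all four character classes, and a dictionary test that first undoes the "leet speak" substitutions the section goes on to describe, so that p@$$word is recognised as the word password. The word list is a constructed sample; a real check would load one of the published common- or compromised-password lists the text mentions.

```python
"""Password hardening check: length, character classes, and a dictionary test
that first undoes common "leet speak" substitutions (added example)."""
import re

# Constructed sample dictionary. A real deployment would load a published
# common-password or breached-password wordlist instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey", "dragon"}

# Typical symbol/digit-for-letter substitutions; wordlists already cover these.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalize_leet(password: str) -> str:
    """Lowercase and undo leet substitutions, so p@$$w0rd becomes password."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, min_word_len: int = 5) -> bool:
    """True if the normalized password is, or contains, a dictionary word."""
    normalized = normalize_leet(password)
    return any(w in normalized for w in COMMON_WORDS if len(w) >= min_word_len)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if contains_dictionary_word(password):
        failures.append("based on a dictionary word (after undoing leet substitutions)")
    return failures


if __name__ == "__main__":
    # The two passwords discussed in the text plus one constructed "leet" variant.
    for candidate in ("p@$$word", "P@ssw0rd2024!", "GLtNjXu#W6*qkqGkS$"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Note that P@ssw0rd2024! satisfies the length and character-class rules yet still fails, which is the point of normalising before the dictionary lookup: complexity rules alone do not catch a disguised dictionary word.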
You should also resist substituting characters for symbols that look like the character. This substitution is often called “leet speak,” and it is in every dictionary downloadable on the Internet. An example of a “leet speak” password is p@$$word. Another common pitfall in creating passwords is the use of words; passwords should be random and complex. An example of a complex password is GLtNjXu#W6*qkqGkS$. You can find random password generators on the Internet, such as https://passwordsgenerator.net.

Disabling Unnecessary Services

When services are enabled that are unneeded, it expands the surface area of attack. The surface area of attack is the range of possible exploitable services on an operating system or network device. If an operating system was a house, the entry points would be the doors, windows, and chimney. If we disable services, we remove entry points that can be exploited by attackers.

One of the major design changes to the Microsoft Server operating system was introduced with Windows Server 2008. Starting with Windows 2008, Microsoft disabled all services out of the box, and the firewall was turned on by default. This dramatically reduced the surface area of attack for the operating system compared to prior versions such as Windows Server 2003 R2. Linux and UNIX have long used this minimalistic approach to installation. When the Linux/UNIX operating systems are installed, no services are installed by default. All functionality must be added via the repository tools such as apt for Ubuntu and Debian and yum for Red Hat–based systems.

Operating systems are not the only network systems that contain services; many network devices have services. Network devices are not immune to exploit; therefore, the surface area of attack should be reduced by disabling nonessential services.
A typical example is a network printer; printers will often have several protocols enabled for printing, such as Server Message Block (SMB), Internet Printing Protocol (IPP), and File Transfer Protocol (FTP). Unnecessary protocols and services should be disabled since each one could potentially have a vulnerability.

Using Secure Protocols

Secure protocols are protocols that provide encryption. Many of the protocols used today by network devices do not provide any encryption. Secure protocols should be used to thwart eavesdropping and manipulation of the network device from an unauthenticated source.

A typical protocol used to manage network devices for firmware upgrades is Trivial File Transfer Protocol (TFTP). TFTP is unencrypted and easily exploitable by way of an on-path attack, because it uses the UDP protocol. Protocols such as Secure Copy Protocol (SCP) should be used in lieu of older outdated protocols if the device supports it. SCP provides both encryption and authentication.

Telnet is insecure as well and a worse choice because login credentials are sent in clear text! Telnet is a console-based maintenance protocol that is frequently used by network devices because of its small code footprint. Protocols such as Secure Shell (SSH) should be used if the device supports it. SSH provides both encryption and authentication just like SCP, since SCP is an extension of SSH.

Console-based management protocols such as TFTP and Telnet are not the only insecure protocols. Hypertext Transfer Protocol (HTTP) is sent in clear text as well. Hypertext Transfer Protocol Secure (HTTPS) should be enabled and used for management of network devices. HTTPS requires a certificate to be installed, but most network devices allow the use of self-signed certificates that are locally managed. HTTPS provides encryption and a minimal layer of authentication for the management endpoint but will thwart an on-path attack.
Disabling Unused Ports

A port is considered any interface that serves to connect two host systems. The port can be an IP port related to TCP or UDP, or it can be a physical port such as a serial or USB port. If the interface allows data to be transferred, then it is considered a port and is a risk to security. In this section, I will cover the most common ports that should be disabled if not needed for hardening of systems.

IP Ports

The term port is often associated with TCP/IP ports. Throughout this book you will find protocols that operate on TCP or UDP; these ports are considered well-known ports. A list of the registered ports can be found at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. However, this is not a full list because application designers are not required to register the ports the application runs on.

After a system has been installed, it is best practice to disable any TCP/IP port that is not being used for the primary purpose of the network system. This is achieved via host-based firewalls. Microsoft operating systems are proficient at securing the operating system, because starting with Windows Server 2008 the firewall is on by default. Linux systems are also being packaged with firewalls that are enabled by default. Only ports necessary for operations are allowed through the host firewall. When we disable TCP/IP ports, we reduce the surface area of attack of a network system.

Device Ports (Physical and Virtual)

When we disable and/or firewall TCP/IP ports on a network operating system, we prevent remote exploits. However, physical ports are just as susceptible to exploitation. If a network device has a serial port, also known as a console port, an attacker could plug in and manipulate the system. Any unused ports on network devices should be either disabled or password protected. Virtual ports are also susceptible to attacks.
Many virtual machine technologies allow for serial ports to be extended to a remote workstation over TCP/IP. These ports generally are just as exploitable as their physical counterparts. If virtual console ports are not required, they should be disabled.

Key Management

Both the Secure Shell and Hypertext Transfer Protocol Secure protocols require public/private key pairs. The key pairs are often generated when the protocols are first enabled. The modulus is the length in bits of the encryption key pair. A 512-bit modulus can be cracked within a relatively short period of time. A 2048-bit modulus can take much longer, if it is even possible. The expiry time on the key pairs is directly related to the modulus length. A low-bit modulus key pair will expire sooner than a high-bit modulus key pair, but all key pairs expire at some point.

The generation of new keys is required by the network operating system at some point because of the expiration date set on the key pair. Some network operating systems generate the key pair automatically; others require manual intervention. A generation of new key pairs can also be required if they are compromised. As the administrator, you should rekey the system if it is compromised, but the operating system will not care and continue to function as normal. It is important to note that SSH clients will detect a new key pair upon initial connection after generating new keys. The SSH client by default will prompt the user to accept this new key pair. All SSH clients cache the keys previously presented to them in a key store that is used to verify future connections.

Access Control Lists

Access control lists (ACLs) are used to control traffic and applications on a network. Every network vendor supports a type of ACL method; for the remainder of this section, I will focus on Cisco ACLs. An ACL consists of multiple access control entries (ACEs) that are condition/action pairs.
Each entry is used to specify the traffic to be controlled. Every vendor will have a different type of control logic. However, understanding the control logic of the ACL system allows you to apply it to any vendor and be able to effectively configure an ACL. The control logic is defined with these simple questions:

How are the conditions of an ACL evaluated?
What is the default action if a condition is not met?
How is the ACL applied to traffic?
How are conditions edited for an ACL?

Let's explore the control logic for a typical Cisco layer 3 switch or router. The conditions of the ACL are evaluated from top to bottom. If a specific condition is not met for the ACL, the default action is to deny the traffic. Only one ACL can be configured per interface, per protocol, and per direction. When you are editing a traditional standard or extended ACL, the entire ACL must be negated and reentered with the new entry. With traditional ACLs, there is no way to edit a specific ACL on the fly. When editing a named access list, each condition is given a line number that can be referenced so that the specific entry can be edited. For the remainder of this section, I will use named access lists to illustrate an applied access list for controlling traffic.

In Figure 21.11 you can see a typical corporate network. There are two different types of workers: HR workers and generic workers. We want to protect the HR web server from access by generic workers.

FIGURE 21.11 A typical corporate network

We can protect the HR server by applying an ACL to outgoing traffic for Eth 0/0 and describing the source traffic and destination to be denied. We can also apply an ACL to the incoming interface of Eth 0/2 describing the destination traffic to be denied. For this example, we will build an access list for incoming traffic to Eth 0/2, blocking the destination of the HR server.
Router(config)# ip access-list extended block-hrserver
Router(config-ext-nacl)# deny ip any host 192.168.1.4
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface ethernet 0/2
Router(config-if)# ip access-group block-hrserver in

This ACL, called block-hrserver, contains two condition/action statements. The first denies any source address to the specific destination address of 192.168.1.4. The second allows any source address to any destination address. We then enter the interface of Eth 0/2 and apply the ACL to the inbound direction of the router interface. The rule will protect the HR server from generic worker access while allowing the generic workers to access all other resources and the Internet.

It is important to note that the focus of this section is to understand how ACLs are used to protect resources. It is not important to understand how to build specific ACLs since commands will be different from vendor system to vendor system.

Content Filtering

Content filters are useful in networks to restrict users from viewing material that is non-work-related, questionable, or malware. Content filtering is usually dictated by organization policy and management. The content filter operates by watching content and requests from web browsers and other applications. The content filter functions in two ways: The first is content-based; when images and text are requested from a website, the content filter can use heuristic rules to filter the content according to administrator-set policies. The second method is URL-based, which is much more common since many websites now use SSL/TLS (encryption) and the traffic is encrypted. Content filters are typically purchased with a subscription that provides updates to the categories of material administrators block. Content filters can be hardware solutions or software solutions, although it is common to find them installed as software solutions.
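The ACL control logic described in the Access Control Lists section (entries evaluated top to bottom, first match wins, implicit deny for anything that matches nothing) is where most misconfigurations come from, so here is an added Python simulation of it. It is not Cisco code and not from the book: it parses ACEs written in the IOS syntax shown above, assigns the 10, 20, 30 sequence numbers a named ACL uses, and evaluates sample traffic. The HR server address 192.168.1.4 and the block-hrserver list are from the text; the 192.168.3.0/24 generic-worker subnet and the other addresses are constructed for the example.

```python
"""Simulation of Cisco-style extended named ACL evaluation (added example):
top-to-bottom, first match wins, implicit deny at the end."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class AddrMatch:
    """An address term: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
    A wildcard bit of 1 means 'don't care', as on Cisco devices."""
    network: int
    wildcard: int

    def matches(self, address: str) -> bool:
        addr = int(IPv4Address(address))
        return (addr | self.wildcard) == (self.network | self.wildcard)


@dataclass
class ACE:
    seq: int
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip', 'tcp', or 'udp'
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int] = None  # from an optional trailing 'eq <port>'


def _parse_addr(tokens: list, i: int):
    """Consume one address term starting at tokens[i]; return (AddrMatch, next index)."""
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(IPv4Address(tokens[i + 1])), 0), i + 2
    return AddrMatch(int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(lines: list) -> list:
    """Parse ACE lines in IOS syntax; sequence numbers 10, 20, ... as IOS assigns them."""
    acl = []
    for n, line in enumerate(lines, start=1):
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acl.append(ACE(n * 10, action, proto, src, dst, dport))
    return acl


def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, seq) for a packet; seq is None when the implicit deny applied."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (ace.src.matches(src) and ace.dst.matches(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq          # first match wins
    return "deny", None                     # implicit deny at the end of every ACL


# The chapter's block-hrserver ACL, applied inbound on Eth 0/2.
BLOCK_HRSERVER = parse_acl([
    "deny ip any host 192.168.1.4",
    "permit ip any any",
])

# A tighter constructed variant that relies on the implicit deny for everything else.
WEB_ONLY = parse_acl([
    "permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq 80",
])

if __name__ == "__main__":
    print(evaluate(BLOCK_HRSERVER, "tcp", "192.168.3.10", "192.168.1.4", 80))   # ('deny', 10)
    print(evaluate(BLOCK_HRSERVER, "tcp", "192.168.3.10", "192.168.1.9", 80))   # ('permit', 20)
    print(evaluate(WEB_ONLY, "udp", "192.168.3.10", "192.168.1.4", 53))         # ('deny', None)
```

The WEB_ONLY list shows the consequence of the implicit deny that the text warns about: with no trailing permit ip any any, anything other than HTTP to the HR server is dropped, including traffic to every other destination, which is usually not what an administrator who only wanted to protect one server intended.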
Implementing Network Segmentation

One of the biggest reasons for implementing segmentation is for security purposes. At layer 1, this means complete physical separation. However, if you don't want to go with complete segmentation, you can also segment at layer 2 on switches by implementing VLANs and port security. This can prevent connections between systems that are connected to the same switch. They can also be used to organize users into common networks regardless of their physical location. If segmentation at layer 3 is required, it's achieved using access control lists on routers to control access from one subnet to another or from one VLAN to another. Firewalls can implement these types of access lists as well.

Finally, network segmentation may be required to comply with an industry regulation. For example, while it's not strictly required, the Payment Card Industry Data Security Standard (PCI DSS) strongly recommends that a credit card network should be segmented from the regular network. If you choose not to do this, your entire network must be compliant with all sections of the standard.

Network Segmentation Enforcement

When a network is flat with no segmentation, it is impossible to secure because an intruder has potential access to all hosts and devices once the initial network is compromised. Fortunately, there are a number of methods to implement segmentation in the network. We can use physical routers, separate switches, and firewalls. However, the easiest method is to implement virtual local area networks (VLANs) in the network. When VLANs are implemented, each VLAN has a distinct network ID. The VLANs become routable networks because they create segments in the network. This concept can then be taken one step further by implementing ACLs between these segments to increase security.

If you are implementing a firewall to create network segmentation, the various networks are given a label, and a value of trust is associated with them.
The labels are also commonly called zones. As an example, the Internet is often labeled as the public zone and carries the least amount of trust. Internal networks are often labeled as private zones and carry a higher amount of trust. Rules can then be enforced that dictate that a public zone cannot communicate to a private zone, unless the private zone has initiated the connection. Segmentation can be taken even further, by segmenting internal private networks within the organization, such as production, research, and sales, with each zone carrying a different level of trust. Enforcement rules can then be put into place to protect each segment.

Screened Subnet

The screened subnet is also known as the demilitarized zone (DMZ). The DMZ gets its name from the segmentation that is created between the exterior and the interior of the network. This is similar to where borders of two opposing countries meet with military presence on both sides. Between the two sides, there is a neutral segment called the DMZ. As it pertains to a network, hosts that serve Internet clients are placed in the DMZ subnet.

As shown in Figure 21.12, a network segment called the screened subnet (formerly called DMZ) sits between an external firewall and the internal firewall. The external firewall contains ACLs to restrict Internet hosts from accessing nonessential services on the server in the DMZ. The internal firewall restricts which hosts can talk to internal servers. A typical rule on the external firewall would allow HTTP access for a web server in the DMZ and would restrict all other ports. A typical rule on the internal firewall would allow only the web server to communicate with the SQL backend database in the internal network.

FIGURE 21.12 A typical DMZ with two firewalls

Although the concept of the DMZ is still used today in network design, a screened subnet can be created between any two segments in the network.
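To make the zone and screened-subnet rules above concrete, here is an added Python model of a zone-based stateful filter; it is an illustration written for this section, not the book's code or any vendor's. It encodes the three rules the text describes: a more-trusted zone may initiate toward a less-trusted one, replies to a flow the trusted side opened are allowed back, and any other low-to-high flow needs an explicit rule, such as HTTP to the DMZ web server and the web server's connection to the internal SQL database. All addresses and the 10.10.0.0/16 and 203.0.113.0/24 prefixes are constructed.

```python
"""Zone-based trust policy with a screened subnet, as a stateful filter
(added example). Higher trust may initiate toward lower trust; lower trust
needs an explicit rule; replies to an open flow are allowed back."""
from ipaddress import ip_address, ip_network

# Constructed addressing: zone name -> (prefix, trust level).
ZONES = {
    "public":  (ip_network("0.0.0.0/0"),      0),    # the Internet, least trusted
    "dmz":     (ip_network("203.0.113.0/24"), 50),   # the screened subnet
    "private": (ip_network("10.10.0.0/16"),   100),  # internal network, most trusted
}

# Explicit low-to-high exceptions, as in the two-firewall DMZ of Figure 21.12:
# (src zone, dst zone, proto, dst host, dst port)
ALLOW_RULES = [
    ("public", "dmz",     "tcp", "203.0.113.80", 80),    # external FW: HTTP to web server only
    ("dmz",    "private", "tcp", "10.10.5.20",   1433),  # internal FW: web server -> SQL only
]


def zone_of(address: str) -> str:
    """Longest-prefix zone lookup, so the catch-all public zone loses to specific ones."""
    addr = ip_address(address)
    return max((z for z, (net, _) in ZONES.items() if addr in net),
               key=lambda z: ZONES[z][0].prefixlen)


class ZoneFirewall:
    def __init__(self):
        self.sessions = set()   # 5-tuples of flows that were permitted to open

    def check(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        flow = (proto, src, sport, dst, dport)
        # 1. A reply to a flow that was already permitted in the other direction?
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit (established)"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # 2. Equal or higher trust initiating toward lower trust is allowed.
        if ZONES[src_zone][1] >= ZONES[dst_zone][1]:
            self.sessions.add(flow)
            return "permit (trusted initiator)"
        # 3. Otherwise only an explicit rule can open the flow.
        if (src_zone, dst_zone, proto, dst, dport) in ALLOW_RULES:
            self.sessions.add(flow)
            return "permit (explicit rule)"
        return "deny"


if __name__ == "__main__":
    fw = ZoneFirewall()
    print(fw.check("tcp", "198.51.100.7", 51000, "203.0.113.80", 80))   # explicit rule
    print(fw.check("tcp", "203.0.113.80", 80, "198.51.100.7", 51000))   # established
    print(fw.check("tcp", "198.51.100.7", 51001, "203.0.113.80", 22))   # deny
    print(fw.check("tcp", "203.0.113.80", 40000, "10.10.5.20", 1433))   # explicit rule
    print(fw.check("tcp", "198.51.100.7", 4444, "10.10.1.5", 445))      # deny
```

Notice that the same policy table serves both the external and the internal firewall of Figure 21.12, and that a compromised web server in the DMZ still cannot reach anything in the private zone except the one SQL port it was granted.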
The subnets don't necessarily need to be external and internal in relation to the network. Routers containing ACLs can be implemented in lieu of firewalls to filter traffic to the screened subnet, as shown in Figure 21.13. In the figure, a network called Network A is segmented from the screened subnet by a router with ACLs filtering traffic. On the other side of the screened subnet is another network called Network B, and it too is segmented by a router with ACLs filtering traffic. Each of these two networks has equal access to the hosts in the screened subnet. These two networks, Network A and Network B, could potentially be a wireless network and the wired network, respectively.

FIGURE 21.13 A typical screened subnet with two routers

Some screened subnets are just another interface on a single firewall, as shown in Figure 21.14. In this example, the rules for both the Network A subnet and the Network B subnet would be on the same firewall. The benefit of a single firewall is centralized administration of firewall rules. Each interface is placed into a trust zone, and the firewall rules allow incoming and outgoing connections.

FIGURE 21.14 A typical screened subnet with one firewall

802.1X

The 802.1X protocol is used to control access on the internal network, as shown in Figure 21.15. 802.1X commonly uses RADIUS as the authentication server. However, other AAA authentication servers can be used, such as LDAP and TACACS+. 802.1X is used for both wired and wireless network access. When you are using 802.1X with a wired connection, the physical port allows communications of 802.1X credentials. The port will not allow user traffic to be switched until the AAA process is completed and the user or computer is verified. The user's device is called the supplicant, and the port it is plugged into is called the control port, because it controls access to the organization's LAN or resources. The switch that is set up for 802.1X is called the authenticator.
802.1X works with wireless connections, but in lieu of a physical connection an association occurs. When 802.1X is used with wireless, the control port is the port leading back to the network. All 802.1X authentication between the supplicant and the authenticator occurs over the associated connection.

FIGURE 21.15 802.1X switch control

NAC

Although 802.1X can be used by itself for AAA, it is often used in conjunction with a network access control (NAC) system. It is often referred to as port-based network access control (PNAC). As shown in Figure 21.16, NAC agents check the reported health and integrity of the client before allowing it on the network. The NAC agent can check the current patch level of the client, antivirus signature date, and firewall status. The NAC policy is defined by the network administrator. If the client passes the checks, the client is allowed on the network. If the client fails the checks, the client is placed into a remediation network, where the user must remediate the client. It is important to mention that although the figure details a separate NAC server, the NAC and 802.1X are usually the same server.

FIGURE 21.16 NAC and 802.1X

MAC Filtering

MAC address filtering is used to secure wireless by providing only an allowed list of MAC addresses access to the wireless system. This is also sometimes referred to as whitelisting MAC addresses. It is extremely effective because an attacker will not have knowledge of which MAC addresses are allowed. There is an administrative burden in entering the MAC addresses to be whitelisted if your installation has a few clients or static clients that do not change frequently. MAC filtering is more commonly used with wireless LAN controllers (WLCs) to control specific clients by their MAC address. When it is used in conjunction with an 802.1X/NAC solution, the devices can be controlled globally from the authentication server.
MAC filtering is a very effective method of security because of the difficulty an attacker has identifying the MAC addresses that are specifically allowed to be forwarded by the switch or WAP. Switches can be configured to filter specific MAC addresses as well. Port security is considered a form of MAC filtering for switching.

Port Security

Port security is a method of restricting specific MAC addresses or a specific number of MAC addresses on a physical access mode switch port. Port security is supported on many different vendor switches, but I will focus on the Cisco switching platform for this section; all switches support similar port security functions. Port security is commonly implemented by the network administrator to mitigate the threat of end users plugging in hubs, switches, or wireless access points (WAPs) to extend switching of a single port.

When a switch powers on, a blank table is created in memory called the switching table. When a frame is received on the switch port, the switch records the source MAC address of the frame with the switch port the frame is received on. Each MAC address receives an entry in the switching table for future forward/filter decisions. We can restrict how many entries each switch port can record with the following commands on a Cisco switch. In the example, port security is configured, and a maximum of one MAC address will be allowed.

switch(config)# interface gigabitethernet 0/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1

By using switchport port-security mac-address sticky, we can configure the switch to record the first MAC address and limit the port to only that MAC address indefinitely or until an administrator clears it. By default, with only the previous commands, the MAC address learned will be cleared after a period of inactivity.
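The difference between dynamic, sticky, and static port security (the three configurations this section presents) is easiest to see in a small model, so here is an added Python simulation of a secured access port; it is an illustration for this section, not Cisco code or anything from the book. It tracks learned MAC addresses against the configured maximum, applies inactivity aging only to non-sticky entries, and err-disables the port on a violation in the default shutdown mode. The MAC 0678.e2b3.0a02 is the one the text uses; aaaa.bbbb.cccc is a constructed second device.

```python
"""Model of a Cisco-style access port with port security (added example):
a maximum number of secure MACs, optional sticky learning, static binding,
and a violation mode."""
from typing import Optional


class SecurePort:
    def __init__(self, maximum: int = 1, sticky: bool = False,
                 static_macs: Optional[set] = None, violation: str = "shutdown"):
        self.maximum = maximum
        self.sticky = sticky
        self.violation = violation                 # 'shutdown' (default) or 'restrict'
        self.static_macs = set(static_macs or [])  # statically configured, never aged
        self.secure_macs = set(self.static_macs)   # static plus learned entries
        self.err_disabled = False
        self.violation_count = 0

    def receive(self, src_mac: str) -> str:
        """Process a frame's source MAC; return what the port did with it."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # learn it as a secure address
            return "forward"
        # Table is full and this MAC is not one of the secure addresses.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True               # default mode: err-disable the port
        return "violation"                         # restrict mode: drop and count only

    def age_out(self) -> None:
        """Inactivity aging clears dynamically learned MACs unless they are sticky."""
        if not self.sticky:
            self.secure_macs = set(self.static_macs)

    def clear_by_admin(self) -> None:
        """An administrator clearing the learned addresses and re-enabling the port."""
        self.secure_macs = set(self.static_macs)
        self.err_disabled = False


def demo_dynamic():
    """maximum 1, no sticky: after aging, a different device can be learned."""
    port = SecurePort(maximum=1)
    first = port.receive("0678.e2b3.0a02")
    port.age_out()
    second = port.receive("aaaa.bbbb.cccc")        # takes the freed slot
    third = port.receive("0678.e2b3.0a02")         # original device now violates
    return first, second, third, port.err_disabled


def demo_sticky():
    """maximum 1 with sticky: the first MAC survives aging, the second violates."""
    port = SecurePort(maximum=1, sticky=True)
    port.receive("0678.e2b3.0a02")
    port.age_out()
    return port.receive("aaaa.bbbb.cccc"), port.err_disabled


def demo_static():
    """maximum 1 with a static MAC: nothing else is ever learned."""
    port = SecurePort(maximum=1, static_macs={"0678.e2b3.0a02"})
    return port.receive("0678.e2b3.0a02"), port.receive("aaaa.bbbb.cccc"), port.violation_count


def demo_restrict():
    """restrict mode: the offending frame is dropped but the port stays up."""
    port = SecurePort(maximum=1, violation="restrict")
    port.receive("0678.e2b3.0a02")
    bad = port.receive("aaaa.bbbb.cccc")
    return bad, port.receive("0678.e2b3.0a02"), port.err_disabled


if __name__ == "__main__":
    print("dynamic:", demo_dynamic())   # ('forward', 'forward', 'violation', True)
    print("sticky:", demo_sticky())     # ('violation', True)
    print("static:", demo_static())     # ('forward', 'violation', 1)
    print("restrict:", demo_restrict()) # ('violation', 'forward', False)
```

The dynamic case is the one to notice: with plain maximum 1 and no sticky keyword, an inactivity timeout frees the slot, and whichever device sends next is accepted, which is why the sticky or static forms are the ones that actually pin a port to a known host.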
switch(config)# interface gigabitethernet 0/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address sticky

We can also constrain the switch port to a specific MAC address statically. In lieu of the switchport port-security mac-address sticky command, we can specify the specific MAC address to limit the switch port to. When we configure the following command, the MAC address will be locked to 0678.e2b3.0a02 for the switch port:

switch(config)# interface gigabitethernet 0/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address 0678.e2b3.0a02

Internet of Things

Over the past 20 years, IP-based technology has become cheaper, and the availability of technology has improved. The Internet of Things (IoT) and Industrial Internet of Things (IIoT) are a direct result of this expansion in IP-based technology. Wireless technology further propelled IoT to become a standard in our homes today. The following are some common IoT/IIoT devices you will find in home and industrial networks today:

Refrigerator

The refrigerator has been the hub for every family. The refrigerator door displays our bills, our photos, our messages, and the shopping list for the week, among other things. The smart refrigerator operates pretty much the same way a traditional refrigerator does. The only difference is a smart refrigerator has a touchscreen on the door that resembles a giant smart phone, and everything you displayed on the refrigerator is now an app.

Smart Speakers

The smart speaker is more than just a speaker; it is an audible way to use the Internet, control other smart devices in your home, and have a digital assistant at your beck and call. By saying “Hey, Google,” “Alexa,” or “Hey, Siri,” you can prompt the smart speaker to listen.
You can then follow up with a task, such as asking what time it is, setting a reminder, checking the weather, controlling the lights, or even playing some music.

Smart Thermostats

The old round mechanical thermostat was a foolproof mechanism that has heated and cooled houses for decades. However, with the modern technology of electronics and the Internet, the smart thermostat has forever changed the way our home is made comfortable. Smart thermostats don't just cycle heating when it's cold and cooling when it's hot; they do so in an economical way. Since everyone has a cell phone and no one leaves the house without it, the thermostat can track when you are home and when you aren't. The thermostat will turn the cooling or heating cycle off when you are not home, and it can even turn them back on when you are expected to be home. The smart thermostat learns your habits and adjusts the heating and cooling cycles.

Smart Doorbells

With the rise of eBay, Amazon, and many other online retailers, it is ever so common to have packages dropped off at your door. It has also become common to have these packages stolen. The thieves even have the nickname “porch pirates.” Now you can secure your home and packages with a simple smart doorbell. The smart doorbell communicates with the Internet and an app on your cellphone. When someone walks up to the door, it will sense motion and instantly send an alert to your cell phone with video and the ability to talk back to the person.

Although this section is focused on IoT home devices, IoT is much bigger than home gadgets. The smart devices we use in our homes are the by-product of big data and machine learning. These applications of big data and machine learning can also be applied to industry, such as agriculture, manufacturing, and research, just to name a few. IIoT devices are cheap and expendable units, so a couple dozen might be deployed in a crop field to monitor soil dampness.
IIoT devices might also be used to monitor heat in factory devices to signal a foreseeable failure. The solutions are limitless; if you can monitor it and forecast the outcome, you can use IIoT to achieve better results.

Industrial Control Systems/Supervisory Control and Data Acquisition

Industrial control systems (ICS) are the systems that are used in manufacturing processes. Products come into the process on an assembly or production line and exit as a final product. Supervisory control and data acquisition (SCADA) is an automated system used to control and monitor processes such as energy production, water, electric distribution, and oil and gas, just to name a few. Figure 21.17 shows an example of what an industrial control system/SCADA system looks like. Although industrial control systems are typically used in manufacturing, and SCADA systems are used to create and distribute resources, they both share common components, and the two are sometimes indistinguishable.

FIGURE 21.17 SCADA systems

Supervisory System

All plant operations require a supervisory system to measure, monitor, and control plant production. They are often redundant systems because if a server fails, it could mean the entire production line stops. Supervisory systems also have a database where production metrics are stored for quality control and customer usage in the case of utilities. The supervisory system is usually located in the server farm at the main plant and not in the cloud because it needs to be as low latency as possible.

Operational Technology

Operational technology (OT) components of ICS/SCADA control the delivery of information from the ICS/SCADA systems. The following are a few OT devices that you will find in ICS/SCADA systems. You can see some of these devices in Figure 21.17.

Programmable Logic Controller (PLC)

A PLC is nothing more than a bunch of logic circuits performing a task. On PLCs there are often inputs and outputs.
The inputs might be wired to buttons, switches, or position sensors, just to name a few. The outputs may be wired to solenoids or motors or may even be robotic, and again, these are just a few things a PLC may control. It is up to the manufacturing engineer to design and program the PLC to perform a task. The programming language a PLC uses is actually not a language. The programming resembles a type of logic circuit. It is called ladder logic and is quite popular. A specialized program is usually required for programming PLCs; it is used to develop and program the ladder logic into the controller. Once the ladder logic is programmed into the PLC, the controller will run the program until it is powered off or programmed to stop.

Human Machine Interface (HMI)

The HMI is used by plant operators so an overview of the production line can be observed. The HMI might have an oversimplified drawing of the production line with metrics displayed so a plant operator can adjust processes. In the event of a failure on the production line, it is used to identify where the fault exists. Just like PLCs, the HMI is programmed with specialized software. Once programmed, they will continue to operate until turned off, and the programming software is no longer required unless a major change is needed. The HMI can interface with the PLC and the supervisory system, depending on the requirements of the plant and operators.

Remote Terminal Unit (RTU)

An RTU is extremely similar to a PLC. Just like the PLC, it can run autonomously and manage production. However, the RTU also has an independent microprocessor, so it can be installed at a remote facility and programmed for remote control capabilities. The supervisory system would oversee all the field RTUs, and in the event something needs to be controlled, an operator can intervene. RTUs can use a multitude of communications methods to communicate back to the main plant.
RTUs can be found everywhere from oil rigs in the middle of the ocean to power substations. They are basically ruggedized computers that can withstand extremes of temperature and humidity. The language they are programmed in varies: proprietary languages, Visual Basic, C#, C++, and even ladder logic.

Communications Infrastructure

The communications infrastructure is unique for industrial controls because everything must be low latency. Keep in mind that these networks keep production lines running. If a canning line is processing five cans a second, each can passes in 200 ms, so that is the whole window you have to detect and react to a problem if latency is experienced, and that is cutting it close! There are a number of protocols and wiring standards you will find in industrial control systems, such as Modbus, PROFIBUS, HART, EtherNet/IP (Rockwell), and RS-485 serial links, and these are just a few of them. Every PLC and RTU will use a set of standardized protocols that work with the various components such as the HMI, sensors, and actuators. Some of these protocols run over Ethernet, and some are completely proprietary to industrial controls. The PLCs and RTUs will normally support Ethernet and IP-based connectivity back to the supervisory systems. However, the production (control) network is usually logically or physically separated from the business network, which this section calls the operational network, so the two do not interfere with each other. Stuxnet, discovered in 2010, is the lesson here: it targeted Siemens PLCs, but it reached them by first compromising ordinary Windows hosts, spreading via infected USB drives and across the local network to the engineering workstations that program the controllers. It is important to isolate a problem on the business network so that production is not affected, and just as important that the control network has no path back out to it.

Separate Private/Public Networks

Public IP addressing is not typically used on hosts inside a modern network. Instead, private IP addresses are used, and network address translation (NAT) converts the traffic to a public IP address when it leaves for the Internet.
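As an added example for the Communications Infrastructure discussion (this code is not from the book or from any Modbus library), the following decodes Modbus/TCP requests, the protocol most PLCs and RTUs speak over Ethernet, and applies the segmentation lesson above as a detection check: any write function code that does not come from an allowlisted engineering host is flagged. The sample frames are constructed by hand from the public Modbus/TCP frame layout (a 7-byte MBAP header followed by the PDU); the IP addresses and the allowlist are assumptions.

```python
"""Modbus/TCP request decoder with a write-source allowlist check.

Frame layout (big-endian):
  MBAP header: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
  PDU:         function code (1) | data
The MBAP length field counts every byte after itself (unit id + PDU).
"""
import struct

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def decode_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    info = {"transaction": tid, "unit": unit, "function": fc,
            "name": READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or "other",
            "write": fc in WRITE_FUNCTIONS}
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(pdu) >= 4:
        # These requests all start with a 16-bit address then a 16-bit value or count.
        info["address"], info["value_or_count"] = struct.unpack(">HH", pdu[:4])
    return info


def is_modbus(frame: bytes) -> bool:
    try:
        decode_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def classify(src_ip: str, frame: bytes, allowed_writers: set) -> str:
    """ALERT on write function codes from hosts outside the engineering allowlist."""
    info = decode_modbus_tcp(frame)
    if info["write"] and src_ip not in allowed_writers:
        return "ALERT"
    return "OK"


# Constructed sample traffic (hex), unit id 1 in both frames:
#   read holding registers 0..9          (function 3)
#   write single register 0x0010 = 500   (function 6)
SAMPLE_READ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
SAMPLE_WRITE = bytes.fromhex("0002 0000 0006 01 06 0010 01f4")

# Assumed addressing: the HMI (10.10.1.5) and engineering workstation (10.10.1.20)
# sit on the control VLAN; 192.168.50.7 is a host on the business network.
ALLOWED_WRITERS = {"10.10.1.20"}


def run_demo() -> list:
    observed = [("10.10.1.5", SAMPLE_READ),       # HMI polling registers
                ("10.10.1.20", SAMPLE_WRITE),     # engineer changing a setpoint
                ("192.168.50.7", SAMPLE_WRITE)]   # same write from the business side
    return [classify(src, frame, ALLOWED_WRITERS) for src, frame in observed]


if __name__ == "__main__":
    for verdict, (src, frame) in zip(run_demo(), [("10.10.1.5", SAMPLE_READ),
                                                  ("10.10.1.20", SAMPLE_WRITE),
                                                  ("192.168.50.7", SAMPLE_WRITE)]):
        info = decode_modbus_tcp(frame)
        print(f"{src:>13} {info['name']:<24} addr={info.get('address')} -> {verdict}")
```

Modbus has no authentication, so the protocol itself cannot tell an engineer's write from an attacker's; the only things that can are where the packet came from and whether that source is supposed to write. That is exactly what network segmentation plus a rule like this gives you, and it is why a business-network host issuing function code 6 to a PLC should page someone.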
Although NAT is chiefly a strategy for conserving public IP address space, it also serves to segment the private network from the public network (Internet). Because no inside host has an address that is reachable from the Internet, it is very difficult to make an unsolicited connection to a system on the inside of the network from the outside. Keep in mind, though, that this is a side effect of the translation rather than a security control in its own right: it is the stateful firewall, or the NAT device's connection table, that actually drops inbound packets that do not match an existing outbound session, and port forwarding or UPnP can open a path back in.

Honeypot/Honeynet

Honeypots and honeynets are deception technologies that complement segmentation. Honeypots are systems strategically configured to be attractive to hackers and to lure them into spending enough time attacking them to allow information to be gathered about the attack. In some cases, entire networks called honeynets are attractively configured for this purpose. You need to make sure that neither type of system provides a direct path to any important systems. Their ultimate purpose is to divert attention from valuable resources and to gather as much information about an attack as possible. A tarpit is a type of honeypot designed to provide a very slow connection to the hacker so that the attack takes long enough to be properly analyzed.

Bring Your Own Device

The traditional workforce is very quickly becoming a mobile workforce, with employees working from home, on the go, and in the office. Mobile devices such as laptops, tablets, and smartphones are used by employees to connect to the organization's cloud resources. Bring your own device (BYOD) has been embraced as a strategy by organizations to alleviate the capital expense of equipment by allowing employees to use devices they already own. The various devices that employees bring into the network are often outside of the organization's control, so they can pose a severe risk to the network. For this reason, the BYOD network should be segmented from the operational network.

Guest Network Isolation

Most guests in your network never need to connect to the organization's servers and internal systems.
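Here is an added example (not from the book or any vendor) of what guest isolation looks like as policy: a small evaluator for a guest VLAN that applies an ordered, first-match access control list (permit DNS to the guest resolver, deny every RFC 1918 destination so guests cannot reach internal systems, deny outbound SMTP on TCP 25, permit everything else to the Internet) and a captive-portal session that expires after a fixed number of hours, after which the client is sent back to the portal. The addresses, the 8-hour session length, and the sample flows are all assumptions constructed for the demonstration.

```python
"""Guest-VLAN policy evaluator: ordered ACL plus captive-portal session expiry."""
import ipaddress
from datetime import datetime, timedelta

# Session length granted at the captive portal (assumed policy value).
GUEST_SESSION = timedelta(hours=8)

# Internal address space that guests must never reach (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Resolver the guest VLAN is allowed to use (assumed address).
GUEST_DNS = ipaddress.ip_address("10.200.0.2")

# Ordered ACL for the guest VLAN: first match wins, implicit deny at the end.
# Each entry: (action, protocol or "ip" for any, destination test, destination port or None)
GUEST_ACL = [
    ("permit", "udp", lambda d: d == GUEST_DNS, 53),                   # DNS to the guest resolver only
    ("deny",   "ip",  lambda d: any(d in n for n in RFC1918), None),   # nothing internal
    ("deny",   "tcp", lambda d: True, 25),                             # no outbound SMTP relaying
    ("permit", "ip",  lambda d: True, None),                           # everything else: the Internet
]


def evaluate_acl(dst: str, proto: str, dport) -> str:
    """Return "permit" or "deny" for a guest flow to dst/proto/dport."""
    dst_ip = ipaddress.ip_address(dst)
    for action, rproto, dst_match, rport in GUEST_ACL:
        if rproto != "ip" and rproto != proto:
            continue
        if not dst_match(dst_ip):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"   # implicit deny, as on a real ACL


def session_active(started: datetime, now: datetime) -> bool:
    """A portal session is valid until GUEST_SESSION has elapsed."""
    return now < started + GUEST_SESSION


def guest_decision(flow: dict, started: datetime, now: datetime) -> str:
    """Expired sessions go back to the portal; live sessions are checked against the ACL."""
    if not session_active(started, now):
        return "redirect-portal"
    return evaluate_acl(flow["dst"], flow["proto"], flow["dport"])


# Constructed sample flows from a guest client on the guest VLAN.
SAMPLE_FLOWS = [
    {"dst": "93.184.216.34", "proto": "tcp", "dport": 443},   # web browsing
    {"dst": "10.200.0.2",    "proto": "udp", "dport": 53},    # DNS lookup
    {"dst": "10.10.1.5",     "proto": "tcp", "dport": 502},   # internal plant HMI (Modbus/TCP)
    {"dst": "198.51.100.25", "proto": "tcp", "dport": 25},    # SMTP to an Internet mail server
]


def run_demo() -> list:
    started = datetime(2024, 1, 1, 9, 0)
    live = datetime(2024, 1, 1, 12, 0)      # 3 hours into the session
    expired = datetime(2024, 1, 1, 18, 0)   # 9 hours in, past the 8-hour limit
    results = [guest_decision(f, started, live) for f in SAMPLE_FLOWS]
    results.append(guest_decision(SAMPLE_FLOWS[0], started, expired))
    return results


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS + [SAMPLE_FLOWS[0]], run_demo()):
        print(f"{flow['proto']} {flow['dst']}:{flow['dport']} -> {verdict}")
```

The order of the entries is the whole point of an ACL: the DNS permit sits above the RFC 1918 deny because the resolver itself has a private address, and swapping those two lines would silently break name resolution for every guest. The same first-match logic is what a switch or firewall applies when you write these rules for real.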
When guests connect to your wireless network, it is usually just to get connectivity to the Internet. Therefore, a guest service set identifier (SSID) should be created that isolates guest traffic from production traffic. A guest SSID is usually created by default on consumer wireless devices; on enterprise wireless LAN controllers, the guest network typically needs to be created. Some considerations for the guest network are what is open to guests, how long they have access, how much bandwidth they get, the SSID name, and so on, depending on your organization. Guest networks usually don't give totally unrestricted Internet access; certain sensitive ports, such as TCP 25 (SMTP), are normally blocked so that a guest device cannot be used as a mail relay. The length of time guests have access is another concern. Generally, a guest is just that, a guest, so 4, 8, or 24 hours of access seems responsible. This needs to be thought through: too short a window creates administrative overhead, and too long a window allows for abuse of the service.

Captive Portal

A captive portal is a method of redirecting users who connect to wireless or wired systems to a portal for login or agreement to the acceptable use policy (AUP). Using a captive portal is common for guest networks. More than likely, if you have stayed in a hotel that offers wireless, you have been redirected to the captive portal to accept the terms. Some hotels require you to purchase the wireless service; this type of service also redirects you to the portal for login or payment. Captive portals are not exclusively used by hotels; they are also used for corporate access to an organization's wireless system.

Physical Security Concepts

Physical security is the most overlooked element of security in a network. A simple lock can keep the most curious prying eyes out of a network closet or server room. A more layered approach can be implemented for higher-security installations.
However, the simple fact is that not a lot of time is spent on physically securing the network. In the following sections, we will cover the CompTIA objectives related to the physical security of networks.

Video Surveillance

Video surveillance is the backbone of physical security. It is the detection method that lets an investigator establish what happened, when it happened, and, most important, who made it happen. Two types of cameras can be deployed: fixed and pan-tilt-zoom (PTZ). Fixed cameras are the best choice when recording for surveillance activities. PTZ cameras allow for 360-degree panning and zooming in on an area. PTZs are most commonly used for intervention, such as covering an area outside during an accident or medical emergency. PTZ cameras are usually deployed for the wrong reasons, mainly because they are cool! PTZs are often put into patrol mode to cover a larger area than a fixed camera can. However, when an incident occurs, they are never pointed at the area you need! It is always best to use a fixed camera or multiple fixed cameras unless you need a PTZ for a really good reason. They are usually more expensive and require more maintenance than fixed cameras.

Video surveillance can be deployed using two common media types: coaxial cable and Ethernet. Coaxial cable is typically used in areas where preexisting coaxial lines are in place or distances are too far for Ethernet. These systems are called closed-circuit television (CCTV). Coaxial camera systems generally use appliance-like devices for recording video. These CCTV recorders generally have a finite number of ports for cameras and a finite amount of storage in the form of direct-attached storage (DAS). Most CCTV installations use coaxial cable and Ethernet, as previously described. However, wireless is popular for consumer applications such as doorbells and home surveillance cameras.
These devices generally use cloud storage and require an Internet connection. IP surveillance, carried over Ethernet, is becoming the standard for new installations. Anywhere an Ethernet connection can be installed, a camera can be mounted. Power over Ethernet (PoE) supplies power to the camera, so the separate power supplies used with coaxial cameras are not needed. Ethernet also provides the flexibility of virtual local area networks (VLANs) for added security, so that the camera network is isolated from operational traffic. IP surveillance uses network video recorder (NVR) software to record the cameras. Because NVRs are server applications, you can use traditional storage such as network-attached storage (NAS) or a storage area network (SAN). This allows you to treat the video recordings like traditional data. Coaxial camera networks can be converted to IP surveillance networks with a device called a media converter, more commonly marketed as a video encoder. These devices look similar to a CCTV recorder. They have a limited number of ports for the coaxial cameras and are generally smaller than the CCTV recorder, because they do not have any DAS. The sole purpose of the media converter is to convert the coaxial camera signal to an Ethernet feed for the NVR.

The use of IP video surveillance allows for a number of higher-end features such as camera-based motion detection, license plate recognition (LPR), and motion fencing. Advanced NVR software allows cameras to send video only when motion is detected at the camera; this saves storage during periods of inactivity. LPR is a method of detecting and capturing license plates in which the software converts the plate to a searchable attribute of the event. With motion fencing, an electronic fence can be drawn on the image so that any activity within that region triggers an alert. Among the many other features are facial recognition and object recognition.
EXERCISE 21.3 Planning Video Surveillance

In this exercise, you will plan video surveillance for the exterior of your home.

1. Draw a simple map of your property.
2. Draw your home on the property map.
3. Identify important areas to cover with video surveillance, such as entryways.
4. Plan cameras and the angles to be covered.
5. Detail how the cameras will be wired and powered.
6. Detail the storage for the cameras.
7. Make detailed notes as to why you chose each camera location.

Door Locks

The most common physical prevention tactic is the use of locks on doors and equipment. This might mean the installation of a tumbler-style lock or an elaborate electronic combination lock for the switching closet. If a tumbler-style lock is installed, the authorized individuals who require access will need a physical key. Physical keys can become a problem, because you may not have the key with you when you need it most, or you can lose the key. The key can also be copied and used by unauthorized individuals. Combination locks, also called cipher locks, can be reprogrammed and do not require physical keys, as shown in Figure 21.18. Combination locks for doors can be purchased as mechanical or electronic.

FIGURE 21.18 A typical combination door lock

When physical locks use keys, the factor of authentication is considered something you have, because you must have the key. When physical locks use ciphers, the authentication factor is considered something you know, because you must know the cipher.

Equipment Locks

There are many different types of equipment locks that can secure both the information and the device that holds it. Simply thwarting the theft of equipment containing data and restricting the use of USB thumb drives can secure information. In the following sections, we will cover several topics that are directly related to the physical aspects of information security.
Cable Locks

Cable locks are used to secure laptops and any other device with a universal security slot (USS), as shown in Figure 21.19. A cable lock is just that: a cable with a lock at one end. The lock can be a tumbler or a combination, as shown in Figure 21.20. The basic principle is that the end of the lock fits into the USS. When the lock is engaged, the T-shaped metal tab rotates inside the slot so that it cannot be withdrawn. This provides security for expensive equipment that is easy to steal because of its portability or size.

FIGURE 21.19 A USS

FIGURE 21.20 A standard cable lock

Server Locks

Most servers come with a latch-style lock that prevents someone from opening the chassis, but the tumbler-style lock is trivial to open; anyone with a paper clip can open one if the keys have been lost. Other types of server locks are holes for padlocks that latch through the top cover and the body of the server. However, over the past 10 years, a declining number of servers come with this feature. This is mainly because servers are better secured behind a locked rack-mounted enclosure. Rack-mounted enclosures generally come with a tumbler-style lock that protects all the servers and network equipment installed in the cabinet while still providing airflow.

USB Locks

Universal serial bus (USB) locks can be put into place to physically block the USB ports on a workstation or server from use. These devices are uncommon, because most equipment and operating systems allow the USB ports to be disabled in firmware or by policy instead. USB locks work by inserting a small plastic spacer into the USB port. Once inserted, the spacer latches to the USB detent with plastic teeth, and a tool is required to remove it.
