Mike Chapels Notes_CC (1) PDF
Mike Chapels
Summary
Mike Chapels' notes cover the ISC2 CC exam domains: security principles, business continuity, disaster recovery and incident response, access control concepts, network security, and security operations. They also detail the specific confidentiality, integrity and availability concerns each domain addresses.
Breakdown of Exam
  Domain 1: Security Principles (26%)
  Domain 2: Business Continuity, Disaster Recovery, and Incident Response (10%)
  Domain 3: Access Control Concepts (22%)
  Domain 4: Network Security (24%)
  Domain 5: Security Operations (18%)

ISC2 Code of Ethics
  1. Protect society and infrastructure (violated by, e.g., hacking)
     Anyone may file a complaint
  2. Act honorably, justly and within the law (violated by, e.g., lying)
     Anyone may file a complaint
  3. Serve principals diligently and competently (fulfill your duties)
     Only employers and clients (principals) may file a complaint, due to the sensitive nature of the relationship
  4. Advance the information security profession (violated by, e.g., helping others cheat on exams)
     Only other certified professionals may file a complaint, due to the nature of the canon
  You are required to report any witnessed violation of the Code of Ethics; failure to report a witnessed violation is itself a violation
  Submit a Complaint Form to report
  You must have standing before you make a complaint
    Standing: the alleged behavior must harm you or your profession in some way

3 Goals of Information Security (CIA)
  1. Confidentiality - Protects information from unauthorized disclosure
  2. Integrity - Protects information from unauthorized changes
  3. Availability - Protects authorized access to systems and data; ensures information is available to authorized users

Confidentiality Concerns
  1. Snooping - Gathering information that is left out in the open
     Clean desk policies protect against snooping
  2. Dumpster Diving - Looking through trash for information
     Shredding protects against dumpster diving
  3. Eavesdropping - Listening in on conversations
     Rules about where sensitive conversations may take place prevent eavesdropping
  4. Wiretapping - Electronic eavesdropping on communications
     Encryption protects against wiretapping
  5. Social Engineering - Attacker uses psychological tricks to persuade an employee to give up information or access to it
     Education and training protect against social engineering

Integrity Concerns
  1. Unauthorized Modification - Attackers make changes without permission (can be internal: employees; or external)
     Follow the principle of least privilege to prevent unauthorized modification
  2. Impersonation - Attackers pretend to be someone else
     User education protects against impersonation
  3. Man-in-the-Middle (MITM) - Attackers place themselves in the middle of a communication session
     Intercepts network traffic as users log in to a system and then assumes their role; impersonation at the electronic/digital level
     Encryption (with both ends authenticated) prevents man-in-the-middle attacks
  4. Replay - Attackers eavesdrop on logins and reuse the captured credentials
     Encryption, combined with session tokens, timestamps or nonces that make each exchange unique, prevents replay attacks

Availability Concerns
  1. Denial of Service (DoS) - A malicious individual bombards a system with an overwhelming amount of traffic; the idea is to send so many requests to a server that it is unable to answer requests from legitimate users
     Firewalls block unauthorized connections to protect against denial of service attacks
  2. Power Outages
     Redundant power sources and back-up generators protect against power outages
  3. Hardware Failures - Failure of servers, hard drives, network gear, etc.
     Redundant components protect against hardware failure
     Build systems with built-in redundancy, so that if one component fails, another takes over
  4. Destruction
     Backup data centers protect against destruction (ex. cloud)
  5. Service Outages - May occur due to programming errors, failure of underlying equipment, and many other reasons
     Building systems that are resilient in the face of errors and hardware failures protects against service outages

Authentication & Authorization
  Access Control Process:
  1. Identification - Making a claim of identity (the claim can be false)
     Electronic identification commonly uses usernames
  2. Authentication - Proving a claim of identity
     Electronic authentication commonly uses passwords
  3. Authorization - Ensures that an action is allowed
     Electronic authorization commonly takes the form of access control lists
  Access control systems also provide Accounting functionality
    Accounting tracks and maintains logs of user activity
    Can track system use and web browsing history
  Authentication + Authorization + Accounting = AAA

Password Security
  Controls you can implement when setting password requirements:
    Password length requirements
    Password complexity requirements
    Password expiration requirements (force password changes)
    Password history requirements (cannot reuse previously used passwords)
  Every organization should make it easy for users to change their passwords; however, be careful with the password reset process, as it may give attackers an opportunity to take over accounts through unauthorized password resets.

Password Managers
  Secured password vaults, often protected by biometric mechanisms (ex. fingerprints)
  Facilitate the use of strong, unique passwords
  Store passwords

Multi-Factor Authentication
  3 types of authentication factors:
  1. Something you know - Passwords and PINs
  2. Something you are - Biometric security mechanisms (fingerprints, voice)
  3. Something you have - Software and hardware tokens
  Combining factors of different types = Multi-Factor Authentication
  Note: Passwords combined with security questions are NOT multi-factor authentication. Passwords and security questions are both something you know.

Single Sign-On (SSO)
  Shares authenticated sessions across systems
  Organizations build SSO solutions so users do not have to authenticate repeatedly

Non-repudiation
  Prevents someone from denying that they took an action
  Physical signatures can provide non-repudiation on contracts, receipts, etc.
  Digital signatures use encryption to provide non-repudiation
  Other methods: biometric security controls, video surveillance, etc.

Privacy
  Organization Privacy Concerns
  1. Protecting our own data - Protect your own organization's data
  2. Educating our users - Educate users on how they can protect their own personal information
  3. Protecting data collected by our organization - Protecting data that was entrusted to the organization (ex. clients' data)
  2 Types of Private Information:
  1. Personally Identifiable Information (PII) - Any information that can be tied back to a specific individual
  2. Protected Health Information (PHI) - Health care records; regulated by HIPAA
  Reasonable expectation of privacy
    Many laws that govern whether information must be protected are based on whether the person disclosing the information had a reasonable expectation of privacy.
    Example: if you upload a YouTube video, you do not have an expectation of privacy.
    You do have some expectation of privacy for private electronic communications such as email, instant chats, etc.
    You do not have a reasonable expectation of privacy when sharing PII with an organization
    You do not have a reasonable expectation of privacy when using employer resources

Risk Management
  1. Internal Risks - Risks that arise from within the organization
     Internal controls prevent internal risks
  2. External Risks - Risks that arise outside the organization
     Build controls that reduce the chance of an attack/risk being successful (ex. multi-factor authentication, social engineering awareness campaigns)
  3. Multiparty Risks - Risks that affect more than one organization
  Intellectual property theft poses a risk to knowledge-based organizations: if attackers are able to alter, delete or steal this information, it would cause significant damage to the organization and its customers/counterparties
  Software license agreement issues risk fines and legal action for violation of the license agreements

Risk Assessment - Identifies and triages risks
  Threat - External forces that jeopardize security
  Threat Vector - Methods used by attackers to get to their target (ex. social engineering, hacker toolkits, etc.)
  Vulnerabilities - Weaknesses in your security controls (missing patches, promiscuous firewall rules, other security misconfigurations)
  Threat + Vulnerability = Risk
  Ranking of Risks - By likelihood and impact
  1. Likelihood - Probability a risk will occur
  2. Impact - Amount of damage a risk will cause
  2 Categories of Risk Assessment:
  1. Qualitative Techniques - use subjective ratings to evaluate risk likelihood and impact, usually in the form of low, medium or high on both the likelihood and impact scales
  2. Quantitative Techniques - use objective numeric values (probabilities, dollar amounts) to evaluate risk likelihood and impact

Risk Treatment (Risk Management) - analyzes and implements possible responses to control risk
  Four Types of Risk Treatment:
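The password controls listed above (length, complexity, history, expiration) are easy to state and easy to get subtly wrong, so here is an added example, not code from the notes, that enforces them. The policy values and the sample passwords are assumptions chosen for illustration; the history is kept as hashes rather than plaintext, and the comment explains why SHA-256 alone would not be acceptable in a real credential store.

```python
import hashlib
import re
from datetime import date, timedelta

# Policy values are assumptions for illustration, not any organization's real standard.
POLICY = {
    "min_length": 12,
    "required_classes": 3,   # how many of lower/upper/digit/symbol must appear
    "max_age_days": 90,      # expiration requirement
    "history_size": 5,       # history requirement: the last N passwords are off limits
}

CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def fingerprint(password: str) -> str:
    """Hash a password for the history list. A history must never hold plaintext;
    a production system would reuse the credential store's salted, slow hash
    (bcrypt/scrypt/Argon2). Unsalted SHA-256 is used here for illustration only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list, policy: dict = POLICY) -> list:
    """Return the list of policy violations for a proposed password (empty list = accepted).
    `history` holds fingerprints of the user's previous passwords, oldest first."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"length {len(candidate)} is below the minimum of {policy['min_length']}")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if re.search(pattern, candidate))
    if classes < policy["required_classes"]:
        problems.append(f"uses {classes} character classes, policy requires {policy['required_classes']}")
    # Only the most recent history_size entries count, so old passwords become reusable again.
    if fingerprint(candidate) in history[-policy["history_size"]:]:
        problems.append(f"reuses one of the last {policy['history_size']} passwords")
    return problems


def password_expired(last_changed_iso: str, today_iso: str, policy: dict = POLICY) -> bool:
    """Expiration check: True once the password is older than max_age_days."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    previous = [fingerprint("Winter2023!Login")]          # constructed sample history
    for pw in ["Ab1!", "correct horse battery", "Winter2023!Login", "Tr0ub4dor&3xample!"]:
        print(repr(pw), "->", check_password(pw, previous) or "accepted")
    print("expired after 91 days:", password_expired("2024-01-01", "2024-04-01"))
```

Note that the length check runs on the raw string, so a long passphrase of only lowercase words fails the class rule here; whether to trade complexity for length is a policy decision the notes leave to the organization.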
  1. Risk Avoidance - Changes business practices to make a risk irrelevant
  2. Risk Transference - Attempts to shift the impact of a risk from your organization to another organization (ex. insurance policy)
     Note that you cannot always transfer a risk completely (reputation damage, etc.)
  3. Risk Mitigation - Actions that reduce the likelihood or impact of a risk
  4. Risk Acceptance - Choice to continue operations in the face of a risk
  Risk Profile - The combination of risks that an organization faces

Types of Risk:
  1. Inherent Risk - Initial level of risk, before any controls are put in place
  2. Residual Risk - The risk that remains after controls have reduced the inherent risk
  3. Control Risk - New risk introduced by the controls applied to mitigate risk
     Example: a control applied may be installing a firewall. While that firewall mitigates the inherent risk, the risk of that firewall failing is a newly introduced risk.
     Inherent Risk → Controls Applied → (Residual Risk + Control Risk)
  4. Risk Tolerance - The level of risk an organization is willing to accept

Security Controls
  Procedures and mechanisms that reduce the likelihood or impact of a risk and help identify issues
  Defense in Depth
    Uses overlapping security controls
    Different methods of security with a common objective
  Security professionals use different categories to group similar security controls
  (1) First, group controls by their purpose. 3 types of control purposes:
    1. Preventive - Stops a security issue from occurring
    2. Detective - Identifies security issues requiring investigation
    3. Corrective - Remediates security issues that have already occurred
  (2) Then group them by their control mechanism. 3 types of control mechanisms:
    1. Technical - Use technology to achieve control objectives
       Examples: firewalls, encryption, data loss prevention, and antivirus software
       Also known as logical controls
    2. Administrative - Use processes to achieve control objectives
       Examples: user access reviews, log monitoring, and performing background checks
    3. Physical - Controls that impact the physical world
       Examples: locks, CCTV cameras, and security guards

Configuration Management
  Tracks the way specific devices are set up
  Tracks both operating system settings and the inventory of software installed on a device
  Should also create artifacts that help understand system configuration (legends, diagrams, etc.)
  Baselines
    Provide a configuration snapshot
    Use the snapshot to assess whether settings have drifted outside of the approved change management process
    Basically the standard configuration settings set by an organization
  Versioning / Version Control
    Assigns each release of a piece of software an incrementing version number that can be used to identify any given copy
    Version numbers are written as three-part decimals:
      First number: the major version of the software
      Second number: minor updates (new features)
      Third number: patch-level updates (bug and security fixes)
      Example: iPhone iOS 14.1.2
  Standardizing Device Configurations by:
    Standardized naming conventions
    IP addressing schemas
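Baselines and version numbers are only useful if something actually compares a device against them, so the following added example (not code from the notes) does both: it reports settings that drifted from an approved baseline, and it compares installed software against the baseline's minimum versions numerically, so that 1.10.0 is correctly newer than 1.9.0 (a string comparison gets this wrong). The baseline, the device snapshot, and the setting and package names are constructed for illustration.

```python
# Constructed sample baseline and device snapshot; the keys are illustrative, not a real standard.
BASELINE = {
    "settings": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "firewall.enabled": "yes",
        "audit.enabled": "yes",
    },
    "software_min_version": {"openssl": "3.0.13", "sudo": "1.9.15"},
}

DEVICE = {
    "settings": {
        "ssh.PasswordAuthentication": "yes",   # drifted from the baseline
        "ssh.PermitRootLogin": "no",
        "firewall.enabled": "yes",
        # audit.enabled is missing entirely
    },
    "software": {"openssl": "3.0.9", "sudo": "1.9.15", "curl": "8.5.0"},
}


def parse_version(version: str) -> tuple:
    """'major.minor.patch' -> (major, minor, patch) as integers; missing parts count as 0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, comparing each part as a number."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def find_drift(baseline: dict, device: dict) -> list:
    """List every way the device differs from the approved baseline."""
    findings = []
    for key, expected in baseline["settings"].items():
        actual = device["settings"].get(key)
        if actual is None:
            findings.append(f"{key}: missing (baseline {expected})")
        elif actual != expected:
            findings.append(f"{key}: {actual} (baseline {expected})")
    for package, minimum in baseline["software_min_version"].items():
        installed = device["software"].get(package)
        if installed is None:
            findings.append(f"{package}: not installed (baseline >= {minimum})")
        elif compare_versions(installed, minimum) < 0:
            findings.append(f"{package}: {installed} older than baseline {minimum}")
    return findings


if __name__ == "__main__":
    for finding in find_drift(BASELINE, DEVICE):
        print("DRIFT:", finding)
```

Software present on the device but absent from the baseline (curl here) is deliberately not flagged; the inventory side of configuration management would report it separately.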
Security Governance
  You must first identify how domestic and international laws and regulations apply to an organization.
  Security Policy Framework - a framework that everyone in an organization must follow.
  There are 4 types of documents in a Security Policy Framework:
  1. Policies
     Provide the foundation for an organization's information security program
     Describe the organization's security expectations
     Policies are set by senior management
     Policies should stand the test of time, anticipating future changes
     Compliance with policies is mandatory
  2. Standards
     Describe the specific details of security controls
     Compliance with standards is mandatory
  3. Guidelines
     Provide advice to the rest of the organization on best practices
     Compliance with guidelines is optional
  4. Procedures
     Step-by-step instructions for carrying out an objective
     Compliance can be mandatory or optional
  Common Security Policies:
  1. Acceptable Use Policies (AUP) - Describe authorized uses of technology
  2. Data Handling Policies - Describe how to protect sensitive information
  3. Password Policies - Describe password security practices; where all the password requirements (length, complexity, etc.) get officially documented
  4. Bring Your Own Device (BYOD) Policies - Cover the use of personal devices with company information
  5. Privacy Policies - Cover the use of personally identifiable information; can be enforced by national and local authorities
  6. Change Management Policies - Cover the documentation, approval, and rollback of technology changes

Business Continuity
  Business Continuity Planning (BCP)
    The set of controls designed to keep a business running in the face of adversity, whether natural or man-made
    Also known as Continuity of Operations Planning (COOP)
    Directly supports the #3 goal of security = Availability
    When planning, proactively ask which business activities, systems, and controls the plan will cover
  Business Impact Assessment (BIA)
    A risk assessment that uses a quantitative or qualitative process
    Begins by identifying the organization's mission-essential functions and then traces those backwards to identify the critical IT systems that support those functions
  In cloud computing, business continuity planning requires collaboration between cloud providers and customers
  Single Point of Failure (SPOF) Analysis
    Provides a mechanism to identify and remove single points of failure from systems
    The SPOF analysis continues until the cost of addressing the risk outweighs the benefit
    SPOF analysis can be applied in areas other than IT infrastructure, such as HR and third-party vendor reliance
  Continued Operation of Systems can be ensured by:
  1. High Availability - Uses multiple systems to protect against service failure (broader than the cloud sense of the term: it applies not just to availability zones but to everything, including multiple firewalls, etc.)
  2. Fault Tolerance - Makes a single system resilient against technical failures
  3. Load Balancing - Spreads demand across available systems
  Common Points of Failure
  1. Power Supply
     Contains moving parts (fans), so has a high failure rate
     Can use multiple power supplies
     Uninterruptible Power Supplies (UPS) - supply battery power to devices during brief power disruptions; a UPS may be backed up by a power generator
     Power Distribution Units (PDUs) - provide power cleaning and management for a rack
  2. Storage Media
     Protection against the failure of a single storage device
     Redundant Array of Inexpensive Disks (RAID): comes in many different forms, but each is designed to provide redundancy by having more disks than needed to meet business needs
     There are 2 core RAID techniques:
       Mirroring - RAID Level 1
         Server contains 2 identical, synchronized disks
       Striping - RAID Level 0 (striping alone spreads data across disks but provides no redundancy)
         Disk striping with parity - RAID Level 5
         Contains 3 or more disks
         Also stores one disk's worth of parity blocks (spread across the disks)
         When one of the disks fails, the parity blocks are used to regenerate the failed disk's contents
     RAID is a fault-tolerance technique, NOT a backup strategy
  3. Networking
     Improve network redundancy by having multiple Internet service providers
     Improve network redundancy by having dual network interface cards (NICs) or NIC teaming (similar to how you use multiple power supplies)
     Implement multipath networking
  Fault-tolerance mechanisms prevent systems from failing, even if one of the above points of failure experiences a complete failure
  Always attempt to add diversity to your infrastructure to improve redundancy:
    Diversity of technology used
    Diversity of vendors
    Diversity of cryptography
    Diversity of security controls
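Parity regeneration is the part of striping-with-parity that is easiest to hand-wave, so here is an added example (not from the notes) that simulates it: data is split across three stripes, a fourth stripe of XOR parity is computed, one stripe is discarded, and the lost stripe is rebuilt from the survivors. The same code also shows why RAID is not a backup: an overwrite hits every member at once, and a second simultaneous failure is unrecoverable with single parity. The array sizes and sample data are constructed for illustration.

```python
def xor_blocks(blocks: list) -> bytes:
    """XOR equal-length byte blocks together: this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe_with_parity(data: bytes, n_data_disks: int) -> dict:
    """Split data across n_data_disks stripes (zero-padded to equal size) and
    compute one stripe of XOR parity, as striping-with-parity does."""
    stripe_len = -(-len(data) // n_data_disks)          # ceiling division
    padded = data.ljust(stripe_len * n_data_disks, b"\x00")
    disks = [padded[i * stripe_len:(i + 1) * stripe_len] for i in range(n_data_disks)]
    return {"disks": disks, "parity": xor_blocks(disks), "length": len(data)}


def rebuild_disk(layout: dict, failed: int) -> bytes:
    """Regenerate one failed data stripe: XOR of the surviving stripes and the parity.
    Works because parity = d0 ^ d1 ^ ... ^ dn, so dk = parity ^ (all other stripes)."""
    survivors = [d for i, d in enumerate(layout["disks"]) if i != failed]
    return xor_blocks(survivors + [layout["parity"]])


def read_data(layout: dict, failed: int = None) -> bytes:
    """Read the array back, transparently rebuilding a single failed stripe."""
    disks = list(layout["disks"])
    if failed is not None:
        disks[failed] = rebuild_disk(layout, failed)
    return b"".join(disks)[:layout["length"]]


def can_rebuild(failed_members: list) -> bool:
    """Single parity tolerates exactly one lost member (a data stripe or the parity);
    two simultaneous failures cannot be recovered."""
    return len(failed_members) <= 1


def overwrite(layout: dict, new_data: bytes) -> dict:
    """A write goes to every member at once: afterwards no copy of the old data exists
    anywhere in the array. Deletion or ransomware encryption is 'protected' the same way,
    which is why RAID is fault tolerance and not a backup."""
    return stripe_with_parity(new_data, len(layout["disks"]))


if __name__ == "__main__":
    original = b"The quick brown fox jumps over the lazy dog"   # constructed sample data
    array = stripe_with_parity(original, 3)
    print("disk 1 lost, read back:", read_data(array, failed=1))
    print("two members lost, recoverable:", can_rebuild([0, 2]))
    print("after overwrite, old data gone:", read_data(overwrite(array, b"encrypted"), failed=0))
```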
Incident Response
  Incident Response Plans
    Provide structure during cybersecurity incidents
    Outline the policies, procedures and guidelines that govern cybersecurity incidents
  Elements of an Incident Response Plan:
    Statement of purpose
    Strategies and goals for incident response
    Approach to incident response
    Communication with other groups
    Senior leadership approval
  Tips on best practices:
    When developing an Incident Response Plan, consult NIST SP 800-61
    Also review other organizations' plans
  NIST SP 800-61 - Assists organizations in mitigating the potential business impact of information security incidents by providing practical guidance
  Building an Incident Response Team
    The IR team should consist of: Management, Information Security personnel, Subject Matter Experts (SMEs), Legal Counsel, Public Affairs, Human Resources
    If your organization lacks personnel from these areas, use incident response service providers to assist if necessary
  Incident Communication Plan
    Communication plans ensure that all participants have timely, accurate information
    Describe communication paths, i.e. how information will flow down through the organization
    Communications required for an effective response: initial report, status updates, ad hoc messages
    Minimize or limit communications to third parties (media, etc.)
    You will have to choose whether or not to involve law enforcement. A drawback of law enforcement engagement is the possible release of sensitive details to the public, which may be unfavorable to the organization
    Always involve your own organization's legal team to ensure compliance with laws and with the organization's obligations to third parties
  Incident Identification
    Organizations have a responsibility to collect, analyze, and retain security information
    ! Data is crucial to incident detection
    Incident Data Sources:
      Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) - an IDS only alerts about a potential incident; an IPS can also block it
      Firewalls
      Authentication systems
      Integrity monitors
      Vulnerability scanners
      System event logs
      NetFlow records
      Antimalware packages
    Security Information and Event Management (SIEM)
      Security solution that collects information from diverse sources, analyzes it for signs of security incidents and retains it for later use
      Centralized log repository
      Basically, feed a load of data into the SIEM and it produces details regarding risk
    When these systems and security mechanisms FAIL to detect a risk before it is dealt with internally, an EXTERNAL source (e.g. a customer) may be the first to detect it
      Therefore the IR team should have a consistent method for receiving, recording, and evaluating external reports
  First Responder Duty - First responders (whoever encounters the incident first) have a set of responsibilities, as they have the power to greatly reduce the damage
    Highest priority - The highest priority of a first responder must be containing the damage through isolation
  Initial Response Goals
  1. Contain the damage through isolation
  2. Recover normal operations
  ! Once the initial response is implemented, the IR team shifts to Assessment Mode
  Assessment Mode
    Goal of this mode is to triage/analyze the damage and implement recovery operations on a permanent basis
    Depending on circumstances there may be an intermediary mode of temporary recovery, which gradually moves to permanent recovery

Disaster Recovery (DR)
  Restores normal operations as quickly as possible following a disaster
  The disaster recovery plan steps in when the business continuity plan fails
  The disaster recovery effort is not finished until the organization is completely back to normal
  Flexibility is key during a disaster response
  Recovery Time Objective (RTO) - the targeted amount of time to restore service after a disruption
  Recovery Point Objective (RPO) - the targeted maximum amount of data the organization is willing to lose, measured as a period of time; it determines how recent the data recoverable from backups must be
  Recovery Service Level (RSL) - the targeted percentage of service to restore; also the percentage of service that must be available during a disaster
  Backups - provide an organization with a fail-safe way to recover their data in the event of:
  1. Technology failure
  2. Human error
  3. Natural disaster
  Backup Methods
  1. Tape Backups - Periodically copying data from a primary storage device to a tape cartridge (traditional method, largely outdated)
  2. Disk-to-disk Backups - Write data from primary disks to special disks set aside for backup purposes; backups sent to a storage area network (SAN) or network attached storage (NAS) also fit in this category
  3. Cloud Backups - AWS, Azure, GCP
Types of Backups
  1. Full Backups - include a complete copy of all data (e.g., snapshots and images)
  2. Differential Backups - include all data modified since the last full backup (supplement full backups)
  3. Incremental Backups - include all data modified since the last full or incremental backup
  Scenario 1: Joe performs full backups every Sunday evening and differential backups every weekday evening. His system fails on Friday morning. What backups does he restore?
    ✓ Sunday's full backup
    ✓ Thursday's differential backup
  Scenario 2: Joe performs full backups every Sunday evening and incremental backups every weekday evening. His system fails on Friday morning. What backups does he restore?
    ✓ Sunday's full backup
    ✓ Monday, Tuesday, Wednesday and Thursday incremental backups, in order

Disaster Recovery Sites
  Provide alternate data processing facilities
  Usually stay idle until an emergency situation arises
  3 Types of Disaster Recovery Sites / Alternate Processing Facilities
  1. Hot Site
     Premier form of disaster recovery facility
     Fully operational data center
     Can be activated in moments or deployed automatically
     Very expensive
  2. Cold Site
     Used to restore operations eventually, but requires a significant amount of time
     Essentially an empty data center: stocked with core equipment, network, and environmental controls, but without the servers or data required to restore the business
     Relatively inexpensive
     Activating one may take weeks or even months
  3. Warm Site
     Hybrid of hot and cold
     Stocked with core requirements and data, but not maintained in parallel with production
     Less expensive than a hot site, more than a cold site
     Requires significantly less time from IT staff than a cold site
     Activating one may take hours or days
  Disaster recovery sites don't only provide a facility for technology operations; they also serve as an offsite storage location. They are geographically distant from the primary site.
  Site Resiliency
    Allows backups to be transported to the disaster recovery facility either physically or electronically (electronic copying is called "site replication")
    Online or offline backups
      Online backups are available for restoration immediately, but are expensive
      Offline backups may require manual intervention, but are inexpensive
  Alternate Business Process - A change to an organization's business procedures to match what the disaster recovery plan can currently support

Disaster Recovery Testing
  Goals:
  1. Validate that the plan functions correctly
  2. Identify necessary plan updates
  5 Types of Disaster Recovery Testing
  1. Read-through
     Simplest form of disaster recovery testing
     Asks each team member to review their role in the disaster recovery process and provide feedback
     Known as a "checklist review"
  2. Walk-through
     A more comprehensive approach, but similar to a read-through
     Gathers the team together for a formal review of the disaster recovery plan
     Known as a "tabletop exercise"
  3. Simulation
     Uses a practice scenario to test the disaster recovery plan
     Scenario-based: very specific circumstances
  4. Parallel Test
     While the above are all theoretical approaches, the parallel test actually activates the disaster recovery environment
     However, operations are not switched to the backup environment
  5. Full Interruption
     Most effective
     Activates the disaster recovery environment
     Also switches primary operations to the backup environment
     Can be very disruptive to the business
  Testing strategies often combine multiple types of tests

Physical Access Controls
  Facilities that require physical security:
  1. Data Centers - Most important
  2. Server Rooms - Hold sensitive information in less secure locations
  3. Media Storage Facilities - If in a remote location, may require as much security as the data center
  4. Evidence Storage Locations
  5. Wiring Closets - Literally a cluster of wires; need to be protected because they offer access to digital eavesdroppers and network intruders
  6. Distribution Cabling - Neatly organized cables in the ceiling
  7. Operations Centers
  Types of Physical Security
  1. Gates - Control entry so you can focus other security controls inside
  2. Bollards - Block vehicles while allowing pedestrian traffic
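Joe's two restore scenarios above follow a rule that can be written down once and applied to any schedule, so here is an added example (not code from the notes) that does exactly that: it builds the weekly schedule, drops every backup taken after the failure, and returns the restore sequence for either a differential or an incremental scheme. The calendar dates, the 20:00 backup time and the Friday 09:00 failure are assumptions chosen to match the scenarios.

```python
from datetime import datetime, timedelta


def weekly_schedule(sunday: datetime, weekday_kind: str) -> list:
    """Sunday 20:00 full backup plus Monday-Friday 20:00 backups of weekday_kind
    ('differential' or 'incremental'). Returns (timestamp, kind) pairs."""
    evening = sunday.replace(hour=20, minute=0, second=0, microsecond=0)
    schedule = [(evening, "full")]
    for day in range(1, 6):
        schedule.append((evening + timedelta(days=day), weekday_kind))
    return schedule


def restore_sequence(schedule: list, failure: datetime) -> list:
    """Return the backups to restore, in order, for a failure at `failure`."""
    taken = sorted(b for b in schedule if b[0] < failure)   # nothing after the failure exists
    fulls = [b for b in taken if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup exists before the failure; nothing to restore from")
    last_full = fulls[-1]
    later = [b for b in taken if b[0] > last_full[0]]
    kinds = {kind for _, kind in later}
    if not kinds:
        return [last_full]
    if kinds == {"differential"}:
        # A differential holds everything since the full, so only the newest one is needed.
        return [last_full, later[-1]]
    if kinds == {"incremental"}:
        # Each incremental holds only changes since the previous backup: replay them all, in order.
        return [last_full] + later
    raise ValueError("mixed differential/incremental chains need tool-specific handling")


def restore_labels(schedule: list, failure: datetime) -> list:
    return [f"{when:%A} {kind}" for when, kind in restore_sequence(schedule, failure)]


def scenario(weekday_kind: str, sunday_iso: str = "2024-06-02", failure_iso: str = "2024-06-07T09:00") -> list:
    """Joe's scenario: full backup Sunday evening, weekday_kind every weekday evening,
    failure Friday morning (dates are constructed; 2024-06-02 is a Sunday)."""
    schedule = weekly_schedule(datetime.fromisoformat(sunday_iso), weekday_kind)
    return restore_labels(schedule, datetime.fromisoformat(failure_iso))


if __name__ == "__main__":
    print("Scenario 1:", scenario("differential"))
    print("Scenario 2:", scenario("incremental"))
    print("Failure Sunday night:", scenario("incremental", failure_iso="2024-06-02T21:00"))
```

The incremental chain is longer to restore and breaks entirely if any one link is missing or corrupt, which is the operational trade-off behind choosing differential backups despite their larger size.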
CPTED (Crime Prevention Through Environmental Design) - Principles for designing crime prevention mechanisms in a way that fits your environmental surroundings
  CPTED Goals:
  1. Natural Surveillance - Design your facility so that people can naturally observe its surroundings: windows, open areas, lighting
  2. Natural Access Control - Narrow traffic to a single point of entry: gates, etc.
  3. Natural Territory Reinforcement - Make it visually and physically obvious that the area is closed to the public: signs, lighting

Visitor Management - Visitor management procedures protect against intrusions
  Visitor procedures:
    Describe allowable visit purposes
    Explain visit approval authority
    Describe requirements for unescorted access
    Explain the role of visitor escorts
  All visitor access to secure areas should be logged
  Visitors should be clearly identified with distinctive badges
  Cameras add a degree of monitoring in visitor areas; cameras should always be disclosed

Physical Security (Human Security)
  Receptionists may act as security guards
  Sometimes an "aggressive" look is desirable
  Robots may replace human security patrols
  Two-Person Rule (Two-Person Integrity) - Two people must enter sensitive areas together
  Two-Person Control - Two people must share control of very sensitive functions, requiring the agreement of both before action
    Ex. requiring 2 keys to launch nuclear missiles

Logical Access Controls
  Account Management Tasks
    Implementing job rotation schemes: employees rotate job functions for diversity and integrity of work
    Mandatory vacation policies: people on vacation should not have access to sensitive data
    Managing the account lifecycle: ensuring that as employees move around an organization into different roles, their access matches their current role
  Account Monitoring Procedures
  1. Account Audits
     Completed by pulling the full permission list, reviewing it, and making adjustments
     Protects against inaccurate permissions: wrong permissions assigned that result in too little access to do the job, or too much access (violates least privilege)
     Often the result of privilege creep: a condition that occurs when users switch roles and their previous role's access has not been revoked
  2. Formal Attestation Process
     Auditors review documentation to ensure that managers have formally approved each user's account and access permissions
  3. Continuous Account Monitoring
     Watch for suspicious activity and alert administrators to anomalies
     Catches unauthorized use of permissions
     Flags access policy violations:
       Impossible travel time logins
       Unusual network location logins
       Unusual time-of-day logins
       Deviations from normal behavior
       Deviations in volume of data transferred
  4. Geotagging - Adds user location information to logs
  5. Geofencing - Alerts when a device leaves defined boundaries

Provisioning and Deprovisioning
  ✓ The process of creating, updating and deleting user accounts in multiple applications and systems
  ✓ A crucial Identity and Access Management task
  Provisioning
    After onboarding, administrators create authentication credentials and grant appropriate authorization
  Deprovisioning
    During the off-boarding process, administrators disable accounts and revoke authorizations at the appropriate time
    Prompt termination (acting quickly after off-boarding) is critical
      Prevents users from accessing resources without permission
      Even more important if the employee leaves on unfavorable terms
    Routine workflow (for offboarding) - Disable accounts on a scheduled basis for planned departures
    Emergency workflow (for offboarding) - Immediately suspend access when a user is unexpectedly terminated
    Incorrectly timed account deprovisioning may:
      Inform a user in advance of pending termination
      Allow a user to access resources after termination
    It is a good idea to deactivate the account first before permanent removal, as deactivation can be reversed

Authorization
  Final step in the access control process
  Determines what an authenticated user can do
  Principle of Least Privilege
    Users should have the minimum set of permissions necessary to perform their job
    Protects against internal risks, as a malicious employee's damage will be limited to their access
    Protects against external risks: if an account is compromised, the damage the attacker can do is limited to the permissions on the stolen account
  Mandatory Access Control (MAC) - associated with confidentiality
    Permissions are determined by the system/operating system
    Users cannot modify any permissions
    Rule-based access system
    Most stringent/strict
  Discretionary Access Control (DAC) - associated with availability
    Permissions are determined by the file owners
    Most common type of access control
    Flexible
  Role-Based Access Control (RBAC) - associated with integrity
    Permissions are granted to groups of people / job functions
    Group based
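The continuous account monitoring checks above (impossible travel, unusual time of day, geotagged location outside a geofence) are the kind of logic a SIEM rule implements, so here is an added example, not code from the notes, that runs them over a handful of login events. The login records, the 900 km/h travel threshold, the 07:00 to 19:59 working window and the geofence box are all constructed assumptions; timestamps are treated as UTC and the coordinates as the geolocation of the source IP.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (geotagged: each carries the source location).
LOGINS = [
    {"user": "alice", "time": "2024-06-10T08:05:00", "city": "Toronto",   "lat": 43.65, "lon": -79.38},
    {"user": "alice", "time": "2024-06-10T08:40:00", "city": "Singapore", "lat": 1.35,  "lon": 103.82},
    {"user": "bob",   "time": "2024-06-10T03:10:00", "city": "Toronto",   "lat": 43.65, "lon": -79.38},
    {"user": "carol", "time": "2024-06-10T14:00:00", "city": "Toronto",   "lat": 43.65, "lon": -79.38},
    {"user": "carol", "time": "2024-06-10T16:30:00", "city": "Montreal",  "lat": 45.50, "lon": -73.57},
]

MAX_SPEED_KMH = 900.0                                   # faster than an airliner = impossible travel
WORK_HOURS = range(7, 20)                               # 07:00-19:59 is the normal window (assumption)
GEOFENCE = {"lat": (41.0, 47.0), "lon": (-80.0, -70.0)} # rough box around the company's region (assumption)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius * asin(sqrt(a))


def inside_geofence(lat, lon, fence=GEOFENCE) -> bool:
    return fence["lat"][0] <= lat <= fence["lat"][1] and fence["lon"][0] <= lon <= fence["lon"][1]


def detect_anomalies(logins: list) -> list:
    """Return (user, alert type, detail) tuples for every policy violation found."""
    alerts = []
    last_seen = {}
    for event in sorted(logins, key=lambda e: (e["user"], e["time"])):
        when = datetime.fromisoformat(event["time"])
        if when.hour not in WORK_HOURS:
            alerts.append((event["user"], "unusual time-of-day", event["time"]))
        if not inside_geofence(event["lat"], event["lon"]):
            alerts.append((event["user"], "outside geofence", event["city"]))
        previous = last_seen.get(event["user"])
        if previous:
            hours = (when - previous["when"]).total_seconds() / 3600
            km = haversine_km(previous["lat"], previous["lon"], event["lat"], event["lon"])
            # Same-second logins from two places (hours == 0) are impossible travel too.
            if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                alerts.append((event["user"], "impossible travel",
                               f"{previous['city']} -> {event['city']}: {km:.0f} km in {hours:.2f} h"))
        last_seen[event["user"]] = {"when": when, "lat": event["lat"], "lon": event["lon"], "city": event["city"]}
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(LOGINS):
        print(f"{user:6} {kind:20} {detail}")
```

Carol's Toronto to Montreal move (about 500 km in 2.5 hours) stays under the threshold and produces nothing, which is the point of using a speed rather than a distance: a legitimate trip and a stolen credential look alike until time is taken into account.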
Computer Networking
  1. Network - Connects computers together; can connect computers within an office (LAN) or to the global Internet
  2. Local Area Networks (LANs) - Connect devices in the same building; LANs are connected to wide area networks (WANs)
  3. Wide Area Networks (WANs) - Connect across large distances; connect different office locations and also connect to the Internet
     The Internet is itself a WAN that LANs connect to
  How Devices Connect to a LAN
  1. Ethernet
     Connecting a physical Ethernet cable to a network jack in the wall
     Ethernet cables use RJ-45 connectors (8-pin connectors)
     Very fast but requires physical cables
     FYI: RJ-11 connectors are used for telephone connections; they have 6 pins
  2. Wireless Networks (Wi-Fi) - Create wireless LANs
  3. Bluetooth
     Creates a Personal Area Network (PAN)
     Designed to support a single person
     Main purpose is to create a wireless connection between a computer and its peripheral devices
  4. Near Field Communication (NFC) - Allows extremely short range wireless connections (ex. contactless payment)

Transmission Control Protocol / Internet Protocol (TCP/IP)
  A set of standardized rules that allow computers to communicate on a network such as the Internet
  The protocol suite at the heart of networking
  Internet Protocol (IP)
    Main function is to provide an addressing scheme, known as the IP address
    Routes information across networks
    Not just used on the Internet; can be used at home or in an office
    Delivers packets (chunks of information) from source → destination
    Serves as the network layer protocol
    Supports the transport layer protocols, which have a higher set of responsibilities
  2 Transport Layer Protocols:
  1. Transmission Control Protocol (TCP)
     Responsible for the majority of Internet traffic
     A connection-oriented protocol (COP): the connection is established before data is transferred
     The connection is established through the TCP three-way handshake
     TCP packets include special flags that identify the packet's role, known as TCP flags:
       1.1 SYN flag: opens a connection
       1.2 FIN flag: closes an existing connection
       1.3 ACK flag: acknowledges a SYN or FIN packet (and, once connected, received data)
     TCP Three-Way Handshake
       1. Source sends SYN to request opening a connection to the destination
       2. Destination sends SYN + ACK: acknowledges the request and requests its own direction of the connection
       3. Source sends ACK to acknowledge; the connection is open
     Guarantees delivery through the destination system acknowledging receipt
     Widely used for critical applications (email, web traffic, etc.)
  2. User Datagram Protocol (UDP)
     Connectionless protocol, not connection-oriented
     Lightweight
     Does NOT use the three-way handshake: systems send data off to each other blindly, hoping that it is received on the other end
     Does not perform acknowledgments
     Does not guarantee delivery
     Often used for voice and video applications where guaranteed delivery is not essential: not every packet has to reach the destination for video and voice to be comprehensible

OSI (Open Systems Interconnection) Model
  Describes networks as having 7 different layers:
  Layer 1: Physical Layer - Responsible for sending bits over the network; uses wires, radio waves, fiber optics or other means
  Layer 2: Data Link Layer - Transfers data between 2 nodes connected to the same physical network
  Layer 3: Network Layer - Expands networks to many different nodes; Internet Protocol (IP)
  Layer 4: Transport Layer - Transfers data in a reliable manner; TCP and UDP
  Layer 5: Session Layer - Manages the exchange of communications between systems
  Layer 6: Presentation Layer - Translates data so that it may be transmitted on a network; encryption and decryption
  Layer 7: Application Layer - How users interact with data, using web browsers or other apps

OSI Model vs TCP/IP Model
  OSI Layer                                    TCP/IP Layer
  1 Physical + 2 Data Link                     1 Network Interface
  3 Network                                    2 Internet
  4 Transport                                  3 Transport
  5 Session + 6 Presentation + 7 Application   4 Application

IP Addresses
  For the Internet Protocol to deliver traffic between any two systems on a network, it has to use an addressing scheme
  IP addresses uniquely identify systems on a network
  Written in dotted quad notation (ex. 192.168.1.100), also known as IPv4: 4 numbers separated by periods
  Each of these numbers may range between 0 and 255
    Why 255? Each number is represented by 8 binary bits; those bits can represent 2^8 = 256 possible values, and since we start at 0 the highest is 256 - 1 = 255
  No duplicate IP addresses on Internet-connected systems (just like your phone number)
  Duplicates are allowed on private networks
    Your router or firewall translates private IP addresses to public IP addresses when you communicate over the Internet
    This translation process is called NAT (Network Address Translation)
  IP addresses are divided into 2 parts:
  1. Network Address
  2.
  Address assignment
    Automatic assignment of IP addresses from an administrator-configured pool (DHCP)
    Typically, servers are configured with static IP addresses
    End-user devices are configured with dynamically changing IP addresses
  Network Ports
    Like apartment numbers, guide traffic to the correct final destination
    An IP address uniquely identifies a system, while the network port uniquely
Host Address identifies a particular location of a system The divide of the 2 parts can come in associated with a specific application anywhere Think of it as: This uses a concept called sub-netting o IP Addresses - Street # of an Apartment Sub-netting divides domains so traffic is routed o Network Ports - Unit # of an Apartment efficiently. Network Port Numbers IP Address Version 4 (IPv4) 16-bit binary numbers (Containing 4 numbers) is running out so 2 to the power of 16 = 65,646 possible we are shifting to → IPv6 values IP Address Version 6 (IPv6) 65,646-1 (for 0) = 0-65,535 possibilities Uses 128 bits (compared to 32 bits Port Ranges (8x4numbers = 32) for IPv4 1. Well-known Ports = 0 - 1,023 Consists of 8 groups of 4 hexadecimal Reserved for common numbers applications that are assigned by Ex. internet authorities fd02:24c1:b942:01f3:ead2:123a:c3d2:cf Ensures everyone on the 2f internet will know how to find IP Addresses can be assigned in 2 ways: common services such as: web servers, email servers 1. Static IPs Web-servers use the Well-known o Manually assigned IP Address port 80 by an administrator Secure Web-servers use the o Must be unique Well-known port 443 o Must be within appropriate range 2. Registered Ports = 1,024 - 49,151 for the network Application vendors may register their applications to use these ports 2. Dynamic Host Configuration Protocol Examples: (DHCP) Microsoft Reserve port o Ensure to immediately change default 1433 for SQL Server administrator passwords database connections o Oracle Reserve port You can configure what Type of Network you 1521 for Database want: 3. Dynamic Ports = 49,152 - 65,535 1. Open Network - Open for anyone to use Applications can use on a (No Password Wifi) temporary basis 2. 
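The IPv4 addressing, sub-netting and port-range material in these notes, worked through in code. This is an added example and not part of the original notes; the addresses, prefixes and port numbers it uses are constructed for illustration.

```python
"""IPv4 addressing, the network/host split behind sub-netting and the three
port ranges from the notes above.  Added example, not from the original notes;
the sample addresses and prefixes below are constructed."""

# Port numbers are 16 bits: 2**16 = 65,536 values, numbered 0..65,535.
PORT_RANGES = (
    (0, 1023, "well-known"),      # assigned by internet authorities (80, 443, ...)
    (1024, 49151, "registered"),  # vendor-registered (1433 SQL Server, 1521 Oracle)
    (49152, 65535, "dynamic"),    # temporary use by applications
)


def parse_ipv4(text: str) -> int:
    """Dotted quad -> 32-bit integer.  Each octet is 8 bits, so 2**8 = 256
    values numbered 0..255; anything else is rejected rather than wrapped."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range 0-255: {part!r}")
        value = (value << 8) | int(part)
    return value


def format_ipv4(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_network_host(cidr: str) -> tuple[str, int, str]:
    """Split 'a.b.c.d/prefix' into (network address, host part, broadcast).
    The prefix is where the divide between network and host bits falls; as the
    notes say it can come anywhere, here from /0 to /32 (no prefix = /32)."""
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range 0-32: {prefix}")
    addr = parse_ipv4(addr_text)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # leading 1s mark network bits
    network = addr & mask
    host = addr & ~mask & 0xFFFFFFFF
    broadcast = network | (~mask & 0xFFFFFFFF)
    return format_ipv4(network), host, format_ipv4(broadcast)


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when two hosts share the network part: traffic between them stays
    on the local network (switch); otherwise it has to go through a router."""
    return split_network_host(f"{a}/{prefix}")[0] == split_network_host(f"{b}/{prefix}")[0]


def classify_port(port: int) -> str:
    """Name the range a port number falls in, rejecting anything outside 16 bits."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range 0-65535: {port}")
    for low, high, name in PORT_RANGES:
        if low <= port <= high:
            return name
    raise AssertionError("unreachable: the ranges cover 0-65535")


if __name__ == "__main__":
    print(split_network_host("192.168.1.100/24"))  # ('192.168.1.0', 100, '192.168.1.255')
    print(same_subnet("192.168.1.100", "192.168.2.7", 24))  # False: needs a router
    for port in (80, 443, 1433, 1521, 50000):
        print(port, classify_port(port))
```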
      Other authentication-required network:
         1.1 Preshared Keys (home Wi-Fi, office, café)
            o Changing preshared keys is difficult
            o Prevents individual identification of users
         1.2 Enterprise Authentication
            o Uses individual passwords
         1.3 Captive Portals
            o Used in Starbucks, airports, Tim Hortons
            o Provide authentication on unencrypted wireless networks
            o Intercept web requests to require Wi-Fi login

Securing Wireless Networks
   Service Set Identifier (SSID)
      - The name of your Wi-Fi
      - You can disable visibility of the Wi-Fi (hide it)
      - Has an administrative password to the access point (connection)

Wireless Encryption
   - A best practice for network security
   - Encryption hides the true content of network traffic from those without the decryption key
   - Takes radio waves and makes them secure
   1. The original approach to security was: Wired Equivalent Privacy (WEP)
      - This is now considered insecure
   2. The second approach was: Wi-Fi Protected Access (WPA)
      - Changes keys with the Temporal Key Integrity Protocol (TKIP)
      - Changes the encryption key for each packet, preventing an attacker from discovering the key after monitoring the network for a long period of time
      - This is now considered insecure
   3. The improved approach is: Wi-Fi Protected Access v2 (WPA2)
      - Uses an advanced encryption protocol called Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
      - WPA2 is currently considered SECURE
   4. The new approach is: Wi-Fi Protected Access v3 (WPA3)
      - Supports Simultaneous Authentication of Equals (SAE)
      - SAE is a secure key exchange protocol based upon the Diffie-Hellman technique, to provide more secure initial setup of encrypted wireless communications
      - Also supports the CCMP protocol
   In Summary,
      ✘ Open Network: Insecure
      ✘ WEP: Insecure
      ✘ WPA: Insecure
      ✔ WPA2: Secure
      ✔ WPA3: Secure

Important Port #s
   Administrative Services
      - Port 21: File Transfer Protocol (FTP) - Transfers data between systems
      - Port 22: Secure Shell (SSH) - Encrypted administrative connections to servers
      - Port 3389: Remote Desktop Protocol (RDP) - Encrypted administrative connections to servers
      - Ports 137, 138, and 139: NetBIOS – Windows network communications using the NetBIOS protocol
      - Port 53: Domain Name Service (DNS) - All systems use port 53 for DNS lookups
   Mail Services
      - Port 25: Simple Mail Transfer Protocol (SMTP) - Exchanges email between servers
      - Port 110: Post Office Protocol (POP) - Allows clients to retrieve mail
      - Port 143: Internet Message Access Protocol (IMAP) - Allows clients to retrieve mail
   Web Services
      - Port 80: Hypertext Transfer Protocol (HTTP) - For unencrypted web communications
      - Port 443: Secure HTTP (HTTPS) - For encrypted connections

Ping and Traceroute
   Command Line Network (CLI)
      - Provides a quick and easy way to access network configurations and troubleshooting information
      - Used by giving commands
   Important Commands
      1. Ping
         - Checks whether a remote system is responding or accessible
         - Works using the Internet Control Message Protocol (ICMP)
         - Basically, sending a request and acknowledgement to confirm a connection
         Troubleshooting with Ping
            You can ping the remote system:
            a. If you receive a response: it is not a network issue but a local web server issue
            b. If you don't receive a response: you may next ping another system located on the internet
               b.1 If that responds: this tells you your internet connection is working and the issue is with the web server or its network connection
            c. If you ping many systems on the internet and there is no response, it is likely that the problem is on your end
            d. You can ping a system on your local network: if that responds, there's probably an issue with your network's connection to the internet
            e. If a local network system does not respond: either your local network is down or there is a problem with your computer
            f. Last resort: repeat the process on another computer
         ! Some systems do not respond to ping requests. Example: a firewall may block ping requests
      2. HPing
         - Creates customized ping requests
         - A variant of the basic "ping" command
         - Allows you to interrogate a system to see if it is present on the network
         - Old and not maintained, but still works
      3. Traceroute
         - Determines the network path between two systems
         - For example, if you want to know how packets are traveling today from my system located in Toronto to a LinkedIn.com web server, wherever that is located
         - Works only on Mac and Linux
         - In Windows, it is tracert
      4. PathPing
         - Windows-only command
         - Combines ping and tracert functionality in a single command

Network Threats
   Malware
      - One of the most significant threats to computer security
      - Short for Malicious Software
      - Might steal information, damage data or disrupt normal use of the system
      - Malware has 2 components:
         1. Propagation Mechanism - Techniques the malware uses to spread from one system to another
         2. Payload - Malicious actions taken by the malware; any type of malware can carry any type of payload
   Types of Malware
      1. Virus
         - Spreads after a user takes some type of action
         - Example: opening an email attachment, clicking a link, inserting an infected USB
         - Viruses do not spread unless someone gives them a hand
         - User education protects against viruses
      2. Worms
         - Spread on their own by exploiting vulnerabilities
         - When a worm infects a system, it will use it as its base for spreading to other parts of the Local Area Network
         - Worms spread because the systems are vulnerable
         - Patching protects against worms
      3. Trojan Horse
         - Pretends to be useful, legitimate software, with a hidden malicious effect
         - When you run the software, it may perform as expected; however, it will have payloads behind the scenes
         - Application Control protects against Trojan Horses
         - Application Controls limit the software that can run on systems to approved titles and versions
   Botnets
      - A collection of zombie computers used for malicious purposes
      - A network of infected systems
      - Steal computing power, network bandwidth, and storage capacity
      - A hacker creating a botnet begins by:
         1. Infecting a system with malware through any method
         2. Once the malware takes control of the system (the hacker gains control), he or she joins/adds it to the preconceived botnet
      - How are Botnets Used:
         o Renting out computing power for profit
         o Delivering spam
         o Engaging in DDoS attacks
         o Mining Bitcoin and cryptocurrencies
         o Performing brute force attacks against passwords
   Botnet Command and Control
      - Hackers command botnets through Command and Control Networks, which relay orders
      - Communication must be indirect (hides the hacker's true location) and redundant
      - Must be highly redundant (many of them) because security analysts will shut them down one by one. It's a cat and mouse game: whoever controls the Command and Control channels retains control of the botnet the longest
      - Types of Command and Control Mechanisms for ordering botnets:
         o Internet Relay Chat (IRC)
         o Twitter
         o Peer to Peer within the botnet
   Replay Attack
      - If the attacker is able to control the network traffic, they may be able to conduct a Replay Attack
      - Uses previously captured data, such as an encrypted authentication token, to create a separate connection to the server that's authenticated but does not involve the real end user
      - The attacker cannot see the actual credentials; they can only see the encoded version of them
      - Prevent Replay Attacks by including unique characteristics:
   In Summary, Botnets:
      1. Infect systems
      2. Convert to bots
      3. Infect others
      4.
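The replay attack described above and the defence the notes recommend (a unique token plus a timestamp), shown side by side: a verifier that only checks the message's authentication code accepts a captured message sent again, while one that also binds a one-time token and a timestamp does not. Added example, not from the original notes; the shared key, the "transfer" action and the clock values are constructed.

```python
"""Replay attack defence from the notes: a captured, validly authenticated
message is replayed by someone who never saw the underlying credential.
Added example, not from the original notes; the shared key, the 'transfer'
action and the clock values are constructed.  Contrast a verifier that checks
only the MAC (replayable) with one that also binds a token and a timestamp."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-not-for-real-use"
FRESHNESS_WINDOW = 30  # seconds a timestamp is accepted either side of 'now'


def mac_over(key: bytes, *fields) -> str:
    """HMAC-SHA256 over the given fields: a replayer can copy the MAC but,
    lacking the key, cannot recompute it for altered fields."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(key: bytes, action: str, now: int) -> dict:
    """Client side: fresh random token (nonce) + timestamp, both under the MAC."""
    nonce = secrets.token_hex(16)
    return {"action": action, "ts": now, "nonce": nonce,
            "mac": mac_over(key, action, now, nonce)}


def verify_mac_only(key: bytes, req: dict) -> str:
    """Weak verifier: an authentic MAC is enough.  A verbatim replay of a
    captured request passes, which is exactly the attack the notes describe."""
    expected = mac_over(key, req["action"], req["ts"], req["nonce"])
    return "accepted" if hmac.compare_digest(expected, req["mac"]) else "rejected: bad mac"


class ReplayGuard:
    """Hardened verifier: MAC, then timestamp freshness, then one-time token."""

    def __init__(self, key: bytes, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen: dict[str, int] = {}  # nonce -> timestamp it was used at

    def verify(self, req: dict, now: int) -> str:
        expected = mac_over(self.key, req["action"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "rejected: bad mac"          # tampered or forged
        if abs(now - req["ts"]) > self.window:
            return "rejected: stale timestamp"  # replayed long after capture
        # Tokens older than the window can no longer pass the check above,
        # so dropping them keeps the seen-set bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if req["nonce"] in self.seen:
            return "rejected: replayed token"   # same capture sent again inside the window
        self.seen[req["nonce"]] = req["ts"]
        return "accepted"


def demo() -> dict:
    """One legitimate request, then replay and tamper attempts against both verifiers."""
    captured = make_request(SHARED_KEY, "transfer:100", now=1_000)  # what an eavesdropper sees
    guard = ReplayGuard(SHARED_KEY)
    tampered = dict(captured, action="transfer:9999")
    return {
        "mac_only_original": verify_mac_only(SHARED_KEY, captured),
        "mac_only_replay": verify_mac_only(SHARED_KEY, captured),  # replay slips through
        "guard_original": guard.verify(captured, now=1_000),
        "guard_replay_soon": guard.verify(captured, now=1_005),    # token already used
        "guard_replay_later": guard.verify(captured, now=2_000),   # outside the window
        "guard_tampered": guard.verify(tampered, now=1_000),       # MAC no longer matches
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```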
         Check in through the Command and Control Network
      5. Get instructions
      6. Deliver payload

   Unique characteristics that prevent Replay Attacks:
      - Token
      - Timestamp

Eavesdropping Attacks
   - All eavesdropping attacks rely on a compromised communication path between a client and a server:
      o Network device tapping
      o DNS poisoning
      o ARP poisoning
   - During poisoning attacks, hackers may use the Man-in-the-Middle technique to trick the user into connecting to the attacker directly; the attacker then connects directly to the server. The original user logs in to a fake server set up by the attacker, and because the attacker acts as a relay, the man in the middle can view all of the communications. The user will not know that there is a Man-in-the-Middle intercepting communications
   Man-in-the-Browser Attacks
      - Variation of the Man-in-the-Middle attack
      - Exploit flaws in browsers and browser plugins to gain access to web communications
   SSL Stripping
      - Tricks browsers into using unencrypted communications
      - A variation of the eavesdropping attack
      - A hacker who has the ability to view a user's encrypted web communication exploits the vulnerability to trick the user's browser into reverting to unencrypted communications for the world to see
      - Strips the SSL or TLS protection

Implementation Attacks
   - Cryptographic systems may have flaws = vulnerability = attacks
   Fault Injection Attacks
      - Use externally forced errors
      - The attacker attempts to compromise the integrity of a cryptographic device by causing some type of external fault
      - For example: an attacker might use high-voltage electricity to cause a malfunction that undermines security
      - These failures may cause systems to fail to encrypt data properly
   Side Channel Attacks
      - Measure encryption footprints
      - Attackers use footprints to monitor system activity and to retrieve information that is actively being encrypted
      - For example: if a cryptographic system is improperly implemented, it may be possible for an attacker to capture the electromagnetic radiation emanating from that system and use the collected signal to determine the plain text information that is being encrypted
   Timing Attacks
      - A type of Side Channel Attack
      - Measure encryption time
      - Attackers precisely measure how long cryptographic operations take to complete, gaining information about the cryptographic process that may be used to undermine security

Threat Identification and Prevention
   Intrusion Detection Systems (IDS)
      - Monitor network traffic for signs of malicious activity
      - Misuse Detection and Anomaly Detection
      - Examples of malicious activity:
         o SQL injections
         o Malformed packets
         o Unusual logins
         o Botnet traffic
      - Alert administrators
      - Require someone to take action
   Intrusion Prevention System (IPS)
      - Automatically blocks malicious activity
      - It is not a perfect system. They make 2 errors:
         1. False Positive Error - IDS/IPS triggers an alert when an attack did not actually take place
         2. False Negative Error - IDS/IPS fails to trigger an alert when an actual attack occurs
   Technology used to identify suspicious traffic:
      1. Signature Detection Systems
         - Contain databases with rules describing malicious activity
         - Alert admins to traffic matching signatures = rule-based detection
         - Cannot detect brand new attacks
         - Reduce false positive rates
         - Reliable and time-tested technology
      2. Anomaly Detection Systems
         - Build models of "normal" activity and find outliers
         - Can detect brand new attacks
         - But have a high false positive rate
         - Anomaly Detection, Behavior-based Detection and Heuristic Detection = same thing
   IPS Deployment Modes
      1. In-band Deployments
         - IPS sits in the path of network traffic
         - It can block suspicious traffic from entering the network
         - Risk: it is a single point of failure, so it may disrupt the entire network
      2. Out-of-band (passive) Deployments
         - IPS sits outside of the network traffic path
         - IPS is connected to a SPAN port on a switch, which allows it to receive copies of all traffic sent through the network to scan
         - It cannot disrupt the flow of traffic
         - It can react only after suspicious traffic enters the network
         - It cannot pre-detect, as it can only know of the traffic's existence once it enters the network

Malware Prevention
   - Antimalware software protects against many different threats
   - Antimalware software protects against viruses, worms, Trojan Horses, and spyware
   - Antivirus software uses 2 types of mechanisms to protect:
      1. Signature Detection
         - Watches for known patterns of malware activity
      2. Behavior Detection
         - Watches for deviations from normal patterns of activity
         - This type of mechanism is found in advanced malware protection tools like Endpoint Detection and Response (EDR)
            o Offers real-time, advanced protection
            o Goes beyond basic signature detection and performs deep instrumentation of endpoints
            o They analyze:
               - Memory
               - Processor use
               - Registry entries
               - Network communications
            o Installed on endpoint devices
            o Can perform sandboxing
            o Isolates malicious content

Vulnerability Assessment Tools
   1. Port Scanner
      - Looks for open network ports
      - Equivalent of rattling all the doorknobs looking for unlocked doors
      - nmap: popular port scanning tool/command
   2. Vulnerability Scanner
      - Looks for known vulnerabilities
      - Scans deeper than a port scanner; actually looks at what services are using those ports
      - Has a database of all known vulnerability exploits and tests the server to see if it contains any of those vulnerabilities
      - Nessus: popular vulnerability scanner
   3. Application Scanner
      - Tests deep into application security flaws

Network Security Infrastructure
   Data Centers
      - Have significant cooling requirements
      - Current standard of temperatures: maintain data center air temperatures between 64.6 F and 80.6 F = Expanded Environmental Envelope
      - Humidity is also important
      - Dew point: between 41.9 F and 50.0 F
      - This temperature prevents condensation and static electricity
      - HVAC is important (Heating, Ventilation and Air Conditioning systems)
      - Must also look out for fire, flooding and electromagnetic interference
   Fire Suppression Methods
      1. Wet Pipe Systems
         - Contain water in the pipes, ready to deploy when a fire strikes
         - High risk for a data center
      2. Dry Pipe Systems
         - Do not contain water until the valve opens during a fire alarm
         - Prevents burst pipes by removing standby water
      3. Chemical Systems
         - Remove oxygen
   Always place MOUs
      - Memorandum of Understanding
      - Outlines the environmental requirements

Routers and Switches
   - Routers, Switches and Bridges are the building blocks of computer networks
   Switches
      - Connect devices to the network
      - Have many network ports
      - Reside in wiring closets and connect the computers in a building together
      - Ethernet jacks are at the other end of network cables connected to switches
      - Wireless access points (WAPs) connect to switches and create Wi-Fi networks
      - The physical AP itself has a wired connection back to the switch
      - Switches can only create local networks: Layer 2 of the OSI Model - Data Link Layer
      - Some switches can operate at Layer 3 of the OSI Model - Network Layer (can interpret IP addresses)
      - For this to happen, they must use routers
   Routers
      - Connect networks to each other, making intelligent packet routing decisions
      - Serve as a central aggregation point for network traffic heading to or from a large network
      - Work as the air traffic controller of the network
      - Make best-path decisions for traffic to follow
      - Stateless Inspection - Use Access Control Lists to limit some traffic that is entering or leaving a netwo

Security Zones
   - Firewalls divide networks into security zones to protect systems of differing security models
   Types of Security Zones:
      Network Border Firewall
         - Three network interfaces, connecting:
            o Internet
            o Intranet
            o Data Center Network
      o Guest Network
      o Wireless Network
      o Endpoint Network
      Demilitarized Zone (DMZ)
         - You can place systems that must accept connections from the outside world here, such as mail and web servers
         - Because it is open, there is a higher risk of compromise
         - If the DMZ is compromised, firewalls will still protect the rest of the network
      North-South Traffic - Network traffic between systems in the data center and systems on the Internet
   Zero Trust Approach: systems do not gain any trust based solely upon their network location
   3 Special-Purpose Networks
      1. Extranet - Special intranet segments that are accessible by outside parties like business partners
      2. Honeynet - Decoy networks designed to
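Signature detection versus anomaly detection, as described in the Threat Identification and Prevention notes above, run over a small constructed web-server log so that both kinds of error the notes mention (a signature false negative, an anomaly false positive) are visible. Added example, not from the original notes; the log lines, client addresses, rules and baseline are all constructed.

```python
"""Signature detection versus anomaly detection from the Threat Identification
and Prevention notes, run over a small constructed web-server log.  Added
example, not from the original notes: log lines, client addresses, rules and
baseline are all constructed."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed log, one request per line: "<minute> <client-ip> <url-encoded path>"
SAMPLE_LOG = """\
1 10.0.0.5 /index.html
1 10.0.0.5 /products?id=7
1 10.0.0.9 /login
2 10.0.0.5 /products?id=7%27%20OR%201%3D1--
2 10.0.0.9 /search?q=union%20select%20tutorial
3 10.0.0.7 /login
3 10.0.0.7 /login
3 10.0.0.7 /login
3 10.0.0.7 /login
3 10.0.0.7 /login
3 10.0.0.7 /login
3 10.0.0.7 /login
4 10.0.0.5 /img/1.png
4 10.0.0.5 /img/2.png
4 10.0.0.5 /img/3.png
4 10.0.0.5 /img/4.png
4 10.0.0.5 /img/5.png
4 10.0.0.5 /img/6.png
4 10.0.0.9 /about
"""

# Signature rules: a database of patterns describing known malicious activity.
SIGNATURES = (
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("sqli-union", re.compile(r"union\s+select", re.I)),
)
# Constructed baseline: requests per client per minute on a normal day.
BASELINE_PER_MINUTE = (2, 3, 2, 4, 3, 2, 3, 3, 2, 4)

def parse_log(text: str) -> list[tuple[int, str, str]]:
    """(minute, client, decoded path); decoding first stops %27 hiding a quote."""
    events = []
    for line in text.strip().splitlines():
        minute, client, path = line.split(" ", 2)
        events.append((int(minute), client, unquote(path)))
    return events

def signature_alerts(events) -> list[tuple[int, str, str]]:
    """Rule-based detection: precise for known attacks, but the login burst in
    minute 3 has no rule and is missed (false negative), while a user searching
    for SQL documentation in minute 2 trips sqli-union (false positive)."""
    return [(idx, client, name)
            for idx, (_, client, path) in enumerate(events)
            for name, rx in SIGNATURES if rx.search(path)]

def anomaly_threshold(baseline, k: float = 3.0) -> float:
    """Model of 'normal': mean + k population standard deviations of the baseline."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_alerts(events, baseline=BASELINE_PER_MINUTE, k: float = 3.0):
    """Flag (minute, client) pairs whose request count is an outlier.  Catches
    the login burst no signature knows, but also the legitimate image burst
    in minute 4: the high false-positive rate the notes warn about."""
    threshold = anomaly_threshold(baseline, k)
    counts = Counter((minute, client) for minute, client, _ in events)
    return sorted((m, c, n) for (m, c), n in counts.items() if n > threshold)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("signature:", signature_alerts(events))
    print("anomaly:  ", anomaly_alerts(events))
```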