Cybersecurity Foundations Session 4 PDF
Document Details
Uploaded by Deleted User
Marina Hany Assaad
Tags
Related
- Chapter 4 - 02 - Discuss Identity and Access Management (IAM) - 01_ocred.pdf
- Chapter 4 - 02 - Discuss Identity and Access Management (IAM) PDF
- Chapter 4 - 02 - Discuss Identity and Access Management (IAM) - 03_ocred.pdf
- Chapter 4 - 02 - Discuss Identity and Access Management (IAM) - 08_ocred_fax_ocred.pdf
- Network Security Concepts - GuidesDigest Training PDF
- CompTIA Security + Exam SY0-601 PDF
Summary
This document is a presentation on Cybersecurity Foundations, Session 4, covering Identity Management and Network Hardening. The presentation details topics like authentication factors, password policies, and directory services.
Full Transcript
Cybersecurity Foundations Session 4 Presented by Marina Hany Assaad Mod 1: Mod 2: Network Mod 3: Systems Mod 4: Security Mod 5: Data Cybersecurity Discovery...
Cybersecurity Foundations Session 4 Presented by Marina Hany Assaad Mod 1: Mod 2: Network Mod 3: Systems Mod 4: Security Mod 5: Data Cybersecurity Discovery Hardening Architecture Security Awareness Mod 16: Trends In 7 Module lessons: Mod 6: Public Key Cybersecurity What is identity management? Infrastructure Personally identifiable information Authentication factors Mod 15: Legal Directory services Mod 7: Identity Considerations Kerberos Management Windows NT LAN Manager Service accounts Password policies Federated identities Mod 14: Incident Cracking passwords Identity as a Service Mod 8: Network Password managers Response Hardening Group accounts Mod 12: Mod 13: Physical Mod 11: Software Mod 10: Social Environment Mod 9: Malware Mod:9 Malware Security Security Engineering Monitoring Presented by Marina Hany Assaad What is identity management? Actively administers subjects, objects, and their access privileges Ensures identities receive appropriate access to resources Ensures systems remain scalable in granting access to resources Presented by Marina Hany Assaad The IAAA process consists of four steps. Identification Uniqueness Authentication Verification Authorization Validation Accountability Tracking Presented by Marina Hany Assaad Personally identifiable information Any data that can be used to identify a subject Items at risk: Social security number Account numbers Mother’s maiden name Password Birthdate System information Billing addresses Company or government data E-mail addresses Presented by Marina Hany Assaad Authentication factors ATM Pa33w0rd 0000 0000 0000 0000 JOHN DOE Access can be further controlled by using multiple factors to authenticate. Presented by Marina Hany Assaad Authentication factors: Something you know Knowledge Factor A password is an example of “something you know. Password: Pa33w0rd Passphrase: Peter Piper likes pickled peppers! PIN:1234 Login credentials Web server Credentials Something you know verified Authentication Access granted server Presented by Marina Hany Assaad Authentication factors: Something you have You can authenticate using something that you physically possess. Permission factor Examples: Smart card Certificate Token USB key Key Virtual cards Transaction Authentication Number (TAN) Presented by Marina Hany Assaad Authentication factors: Something you are Biometric devices are something you have. A biometric device authenticates based on a human property. Examples: Fingerprint reader Hand geometry Retina scanner Facial recognition Iris recognition Signature analysis Presented by Marina Hany Assaad Discussion If you have a PIN and a username, how many authentication factors do you have? It is one authentication factor because both present something you know forms of authentication. Presented by Marina Hany Assaad Directory services Are special databases holding usernames and passwords Have a scalable hierarchy (trees, OUs, etc.) Rely on common standards (X.500, LDAP, etc.) Hold different partitions Presented by Marina Hany Assaad Kerberos Kerberos is the primary authentication service for directories. It is a scalable system that allows a user, service, or computer to authenticate centrally and keep the authentication information while accessing resources the system is trusting. Kerberos involves the use of three components: Authentication Service (AS) Key distribution center (KDC) Ticket‐granting server (TGS) Presented by Marina Hany Assaad Kerberos KDC AS TGS Authentication request Authentication reply TGS request Client TGT TGT Session ticket Session File server Presented by Marina Hany Assaad Windows NT LAN Manager File File server A server B 1. Login request 1. Login request 2. Challenge 2. Challenge 3. Challenge response Client 3. Challenge response 4. Access granted 4. Access granted Presented by Marina Hany Assaad Password policies Group of settings defining how a secret is generated Contains the following parameters: Minimum number of characters Password complexity Maximum password age Password history Minimum password age Reversible encryption capability A strong password is difficult for the system to compute but easy for humans to remember. Presented by Marina Hany Assaad Dictionary attacks Use a list of predefined words as passwords to Attempt login Attempt login attempt to log in to a Attacker Attempt login Attempt login system Dictionary Access granted Cracking passwords Presented by Marina Hany Assaad Rainbow tables Rainbow tables store hashes of possible passwords. Hashes in a table are compared against the hash that is stored in the security database of a system to find match. No mathematical operations are performed. Hash of the target system must be acquired to have something to compare against the rainbow table. Presented by Marina Hany Assaad Brute force attacks The brute force attack relies on all password possibilities. Range of parameters are defined. Password cracking tests every password possibility within the range of parameters. GPUs are used to accelerate cracking. Presented by Marina Hany Assaad Password assessment tools The following tools can help in assessing the security of a password by testing the password using one or more of the methods you have just seen : Cain and Abel L0phtcrack Ophcrack Crackstation.net John the Ripper Presented by Marina Hany Assaad Password managers Operate over centralized authentication system Password Improve security by requiring consolidation Security questions extra login steps Password reset Allow password resets Permitted services Manage services that can be used with specific credentials Store personal passwords on AAA Web connection local system Presented by Marina Hany Assaad Same sign-on Refers to password System A System B synchronization between two User4201 credentials independent systems. Replicates login credentials from system A to system B. Systems remain independent and share little information between them. Login: User4201, Login: User4201, Systems are not in a trust Pa33w0rd Pa33w0rd relationship, and do not belong to the same directory structure. User4201 Presented by Marina Hany Assaad Group accounts DON’ DO T Group accounts Login: Login: allows multiple Group 1 SmithA users to authenticate. Login: Login: Group 1 JonesD Do not use group accounts. Login: Login: Anderson Group 1 M Presented by Marina Hany Assaad Discussion Can you name some systems that use group accounts? Examples: CCTV systems Police/guards Network devices, such as routers and switches Web portals Presented by Marina Hany Assaad Service accounts Local or directory accounts can be used to run different roles or service within the organization. These services present themselves as a subject to the system. Examples: SQL server Backup solution Website Presented by Marina Hany Assaad Federated identities Federated identities are a form of single sign-on. One account is used for multiple services. Process: 1. User authenticates to system. 2. User obtains token from system. 3. User presents token to third-party system. 4. Third-party system uses token to validate user. 5. If token is valid, user is granted access to remote system without the need to authenticate again. Presented by Marina Hany Assaad Identity as a Service Office365 Credentials are stored Virtualization in the cloud and used Web for cloud services. IDaaS IDaaS can be considered as a form of single sign‐on. Presented by Marina Hany Assaad Mod 1: Mod 2: Network Mod 3: Systems Mod 4: Security Mod 5: Data Cybersecurity Discovery Hardening Architecture Security Awareness Mod 16: Trends In 8 Module lessons: Mod 6: Public Key Cybersecurity Limiting remote admin access Infrastructure AAA: Administrative access Simple Network Management Protocol Mod 15: Legal Network segmentation Mod 7: Identity Considerations Limiting physical access Management Establishing secure access Network devices Mod 14: Incident Fundamental device protection summary Mod 8: Network Response Traffic filtering best practices Hardening Mod 12: Mod 13: Physical Mod 11: Software Mod 10: Social Environment Mod 9: Malware Mod:9 Malware Security Security Engineering Monitoring Presented by Marina Hany Assaad Limiting remote admin access Exploiting a network device could significantly impact the network. Implement AAA for all engineer, administrative, and root level access to network devices. Limit protocols used to do remote administration. Limit locations from where remote administration can be done. Presented by Marina Hany Assaad AAA: Administrative access Leverage current AAA solution for User 1: Privilege level 1 controlling access to network User 2: devices. Privilege User 1 Access level 15 Granular authorization control. Log access, commands, and Log AAA changes to devices. server Enforce change control process. Access, commands, changes User 2 Presented by Marina Hany Assaad AAA for accessing network devices 802.1X forces all access to go through AAA. AAA server (RADIUS, DIAMETER, TACACS+) It operates at the logical link control sub-layer of OSI Corporate intranet layer 2. 802.1X RADIUS, DIAMETER, and TACACS+ run to 802.1X. Edge devices Presented by Marina Hany Assaad AAA for accessing network devices Presented by Marina Hany Assaad Simple Network Management Protocol Switches Switches Users Users SNMP Manager WAN link Router Router Servers Servers SNMP enabled but hardened New York London SNMP disabled Presented by Marina Hany Assaad Simple Network Management Protocol It becomes a major security hole. SNMP comes enabled by default on many devices. So, at a minimum, you need to: Disable SNMP on devices that aren’t being managed or monitored. Harden devices that are being managed or monitored. On those devices that are being managed or monitored: Use access control lists (ACLs) to limit SNMP traffic. Only accept SNMP traffic from this one small subnet, which should be the subnet your network management devices reside on. Change default community strings. Use version 3. SNMPv3 offers cryptographic capabilities not provided in earlier versions of the protocol. Limit who has access to the network management devices. Presented by Marina Hany Assaad Network segmentation Internet DMZ VLAN 100 VLAN 200 Sales Web server Mkt Sales Subnet Subnet Mkt Switch 192.168.8.0/24 192.168.10.0/24 Switch Presented by Marina Hany Assaad Rules on routers and firewalls ACLs are primarily a list of Permit statements and Allow statements. By default, an ACL is configured to block everything. If you create an ACL with no entries, it should block all traffic. ACL design can be a performance issue. Place more utilized rules at beginning of list, if possible. Presented by Marina Hany Assaad Router and firewall management Networking Security Move traffic quickly and efficiently Limit traffic movement Switch Router IPS Firewall Presented by Marina Hany Assaad Discovery protocols Network discovery protocols make it easy to find and keep track of what is on the network. Automated gathering of possibly sensitive information creates security and privacy concerns. Turn them off or block access to the information if you are not using them. Presented by Marina Hany Assaad Discovery Protocols CDP and LLDP Some of the default services can make the device vulnerable to attack if security is not enabled. The Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default on Cisco routers. The Link Layer Discovery Protocol (LLDP) is an open standard that can be enabled on Cisco devices, as well as other vendor devices that support LLDP. The intent of CDP and LLDP is to make it easier for administrators to discover and troubleshoot other devices on the network. However, because of the security implications, these discovery protocols should be used with caution. 39 Edge devices are an example of a device that should have this feature disabled. Presented by Marina Hany Assaad Discovery Protocols CDP and LLDP (Cont.) LLDP configuration and verification is similar to CDP. 28 Presented by Marina Hany Assaad Limiting physical access: Internal Any equipment that can be physically accessed can be compromised. Compromising one device WAP Telecom closet can take out a significant portion of the network. Secure cabling and wireless access points. Cables SPOF: Can you justify more than one physical route for Internet/utilities coming into your facilities? Equipment rack Equipment rack Presented by Marina Hany Assaad Locking telecom closets Organizations commonly fail to lock telecom closets. Telecom closet Physical controls are mandated for electrical Door and plumbing access but not IT. Secure physical access: 2-man rule Physical key Access card 2-man rule Don’t forget change Equipment rack Equipment rack management. Presented by Marina Hany Assaad Controlling network device ports Port Security Table Implement AAA on AAA the console port Port 2 02 60 8c 12 34 56 Console Port 6 02 60 8c 34 56 78 Port 7 00 10 4c 39 47 6c 1 Disable aux port 2 3 4 5 6 7 8 9 10 Port 10 00 02 67 80 5c 1a if not used Aux ACL Disable Protect enabled unused ports with ACLs ports Device A Device A Device B Device B Device C Device C Device D Device D MAC = MAC = MAC = MAC = 02 60 8c 12 34 56 02 60 8c 34 56 78 00 10 4c 39 47 6c 00 02 67 80 5c 1a Presented by Marina Hany Assaad Limiting physical access: External Physical security is harder to control outside the facilities. Cabling can be cut. APs can be pulled off walls. Cameras can be knocked down. Lighting can be disabled. Natural disasters can occur. The problem may not be malicious but an accidental compromise of cabling, water, or other utility. Include cabling and wireless access points in your physical security plan. Presented by Marina Hany Assaad Establishing secure access Disable insecure protocols. Telnet, HTTP, SNMPv1 Insist on AAA. Limit locations (subnets) where management traffic can originate. Drop all other traffic attempting to access the device directly. Don’t overlook the last A in AAA—log all access. Presented by Marina Hany Assaad Discussion At which device should you first filter unwanted traffic ? The device closest to the source. If you want to keep someone out of your office, do you lock the office door or keep them out of the building? Presented by Marina Hany Assaad Network devices Firewall PC/laptop/tablet IDS/IPS Printer/scanner/copier Spam/malware filter Badge/access card printer Router/switch/AP Presented by Marina Hany Assaad Wireless access points Change: Default passwords SSID(s) Default SSID Broadcast of SSID Radio power Radio channel Wireless administrative access Directional antennas Presented by Marina Hany Assaad Wireless access points: Physical Mount APs in secure location. High up Hidden Enterprise APs receive power through Ethernet cable. Secure wiring closet and UPS support for closets. Do not install near devices that might cause RFI: Microwave ovens Electric motors Other wireless devices Presented by Marina Hany Assaad Changing default settings Applies to all IT equipment. Bad guy can find that default info as easily as you. Admin access Password SNMP community strings Logging. Presented by Marina Hany Assaad Fundamental device protection summary Secure both physical access and Implement warning banners. logical access. Verify device integrity on a regular Authenticate individual users. basis. Disable device access methods Time out administrative access. that are not used. Permit remote administration only Disable interfaces that are not over secure communication paths. used. Change default settings. Protect SNMP if used. Disable it if not used. Synchronize clocks. Presented by Marina Hany Assaad Traffic filtering best practices Explicitly deny all traffic. Permit only needed traffic. Drop traffic directed to network control devices unless originating from trusted networks. Implement filtering as close to the source as possible. Internet Internal network segments Make filtering the primary responsibility of firewalls with other devices doing their piece as appropriate. Defense in depth Defense in diversity Log all exceptions. Presented by Marina Hany Assaad THANK YOU Presented by Marina Hany Assaad