Cybersecurity Foundations Session 4 PDF
Marina Hany Assaad
Summary
This document is a presentation on Cybersecurity Foundations, Session 4, covering Identity Management and Network Hardening. The presentation details topics like authentication factors, password policies, and directory services.
Full Transcript
Cybersecurity Foundations Session 4
Presented by Marina Hany Assaad

[Module map figure listing the 16 course modules; this session covers Mod 7: Identity Management and Mod 8: Network Hardening]

Mod 7: Identity Management
7 Module lessons:
- What is identity management?
- Personally identifiable information
- Authentication factors
- Directory services
- Kerberos
- Windows NT LAN Manager
- Password policies
- Cracking passwords
- Password managers
- Group accounts
- Service accounts
- Federated identities
- Identity as a Service

What is identity management?
- Actively administers subjects, objects, and their access privileges
- Ensures identities receive appropriate access to resources
- Ensures systems remain scalable in granting access to resources

The IAAA process consists of four steps:
- Identification: uniqueness
- Authentication: verification
- Authorization: validation
- Accountability: tracking

Personally identifiable information
Any data that can be used to identify a subject. Items at risk:
- Social security number
- Account numbers
- Mother's maiden name
- Password
- Birthdate
- System information
- Billing addresses
- Company or government data
- E-mail addresses

Authentication factors
[Figure: an ATM card (JOHN DOE, 0000 0000 0000 0000) next to the password Pa33w0rd]
Access can be further controlled by using multiple factors to authenticate.

Authentication factors: Something you know (knowledge factor)
A password is an example of "something you know."
- Password: Pa33w0rd
- Passphrase: Peter Piper likes pickled peppers!
- PIN: 1234
[Figure: login credentials are sent to the web server; the authentication server verifies the "something you know" credentials and access is granted]

Authentication factors: Something you have (permission factor)
You can authenticate using something that you physically possess. Examples:
- Smart card
- Certificate
- Token
- USB key
- Key
- Virtual cards
- Transaction Authentication Number (TAN)

Authentication factors: Something you are
Biometric devices are something you have. A biometric device authenticates based on a human property. Examples:
- Fingerprint reader
- Hand geometry
- Retina scanner
- Facial recognition
- Iris recognition
- Signature analysis

Discussion
If you have a PIN and a username, how many authentication factors do you have?
It is one authentication factor, because both are "something you know" forms of authentication.

Directory services
- Are special databases holding usernames and passwords
- Have a scalable hierarchy (trees, OUs, etc.)
- Rely on common standards (X.500, LDAP, etc.)
- Hold different partitions

Kerberos
Kerberos is the primary authentication service for directories. It is a scalable system that allows a user, service, or computer to authenticate centrally and keep the authentication information while accessing resources the system is trusting. Kerberos involves the use of three components:
- Authentication Service (AS)
- Key distribution center (KDC)
- Ticket-granting server (TGS)
[Figure: the client sends an authentication request to the AS inside the KDC and receives an authentication reply containing a TGT; the client presents the TGT in a TGS request and receives a session ticket; the session ticket is presented to the file server to open a session]

Windows NT LAN Manager
[Figure: the client performs the same exchange separately with file server A and file server B]
1. Login request
2. Challenge
3. Challenge response
4. Access granted

Password policies
Group of settings defining how a secret is generated. Contains the following parameters:
- Minimum number of characters
- Password complexity
- Maximum password age
- Password history
- Minimum password age
- Reversible encryption capability
A strong password is difficult for the system to compute but easy for humans to remember.

Cracking passwords: Dictionary attacks
Use a list of predefined words as passwords to attempt to log in to a system.
[Figure: the attacker takes words from a dictionary and makes repeated login attempts against the system until access is granted]

Rainbow tables
- Rainbow tables store hashes of possible passwords.
- Hashes in a table are compared against the hash that is stored in the security database of a system to find a match.
- No mathematical operations are performed.
- The hash of the target system must be acquired to have something to compare against the rainbow table.

Brute force attacks
- The brute force attack relies on all password possibilities.
- A range of parameters is defined.
- Password cracking tests every password possibility within the range of parameters.
- GPUs are used to accelerate cracking.
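As an added example (not part of the slides), here is how the password-policy parameters listed on the "Password policies" slide can be enforced in code; the policy values, the ISO-date inputs and the hash-based history list are assumptions made for the example:

```python
# Added example (not from the slides): enforcing the parameters listed on the
# "Password policies" slide. The policy values are assumptions; history is kept
# as irreversible hashes rather than reversibly encrypted passwords.
import hashlib
import re
from datetime import date, timedelta

POLICY = {
    "min_length": 12,      # minimum number of characters
    "min_classes": 3,      # password complexity: classes out of upper/lower/digit/symbol
    "max_age_days": 90,    # maximum password age
    "min_age_days": 1,     # minimum password age
    "history_depth": 5,    # password history: last N passwords may not be reused
}

def fingerprint(password):
    """Irreversible hash stored in the history list (no reversible encryption)."""
    return hashlib.sha256(password.encode()).hexdigest()

def complexity_classes(password):
    """Count how many of the four character classes the password uses."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))

def _age(last_changed, today):
    # both arguments are ISO dates such as "2024-01-01" (assumed input format)
    return date.fromisoformat(today) - date.fromisoformat(last_changed)

def is_expired(last_changed, today, policy=POLICY):
    """Maximum age: True once the password is older than max_age_days."""
    return _age(last_changed, today) > timedelta(days=policy["max_age_days"])

def check_change(new_password, history, last_changed, today, policy=POLICY):
    """Validate a proposed change; returns the violated parameters (empty = OK).
    history: fingerprints of previous passwords, most recent first."""
    problems = []
    if len(new_password) < policy["min_length"]:
        problems.append("minimum length")
    if complexity_classes(new_password) < policy["min_classes"]:
        problems.append("complexity")
    if _age(last_changed, today) < timedelta(days=policy["min_age_days"]):
        problems.append("minimum age")
    if fingerprint(new_password) in history[:policy["history_depth"]]:
        problems.append("history")
    return problems
```

Note that the slide's sample password Pa33w0rd fails only on length under this policy, while the sample passphrase passes every check until it is reused.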
Password assessment tools
The following tools can help in assessing the security of a password by testing it using one or more of the methods you have just seen:
- Cain and Abel
- L0phtcrack
- Ophcrack
- Crackstation.net
- John the Ripper

Password managers
- Operate over a centralized authentication system
- Improve security by requiring extra login steps
- Allow password resets
- Manage services that can be used with specific credentials
- Store personal passwords on the local system
[Figure: password consolidation, security questions, password reset, permitted services, AAA, web connection]

Same sign-on
- Refers to password synchronization between two independent systems.
- Replicates login credentials from system A to system B.
- Systems remain independent and share little information between them.
- Systems are not in a trust relationship, and do not belong to the same directory structure.
[Figure: User4201 logs in to System A and System B with the same credentials (Login: User4201, Pa33w0rd)]

Group accounts
Group accounts allow multiple users to authenticate. Do not use group accounts.
[Figure: DON'T: every user logs in as Group 1; DO: users log in as SmithA, JonesD, AndersonM]

Discussion
Can you name some systems that use group accounts? Examples:
- CCTV systems
- Police/guards
- Network devices, such as routers and switches
- Web portals

Service accounts
Local or directory accounts can be used to run different roles or services within the organization. These services present themselves as a subject to the system. Examples:
- SQL server
- Backup solution
- Website

Federated identities
Federated identities are a form of single sign-on. One account is used for multiple services. Process:
1. User authenticates to system.
2. User obtains token from system.
3. User presents token to third-party system.
4. Third-party system uses token to validate user.
5. If token is valid, user is granted access to remote system without the need to authenticate again.

Identity as a Service
Credentials are stored in the cloud and used for cloud services. IDaaS can be considered as a form of single sign-on.
[Figure: IDaaS at the center with Office365, virtualization and web services around it]

Mod 8: Network Hardening
[Module map figure listing the 16 course modules; Mod 8: Network Hardening highlighted]
8 Module lessons:
- Limiting remote admin access
- AAA: Administrative access
- Simple Network Management Protocol
- Network segmentation
- Limiting physical access
- Establishing secure access
- Network devices
- Fundamental device protection summary
- Traffic filtering best practices

Limiting remote admin access
- Exploiting a network device could significantly impact the network.
- Implement AAA for all engineer, administrative, and root level access to network devices.
- Limit protocols used to do remote administration.
- Limit locations from where remote administration can be done.

AAA: Administrative access
- Leverage current AAA solution for controlling access to network devices.
- Granular authorization control.
- Log access, commands, and changes to devices.
- Enforce change control process.
[Figure: User 1 (privilege level 1) and User 2 (privilege level 15) reach the device through the AAA server, which logs access, commands, and changes]

AAA for accessing network devices
- 802.1X forces all access to go through AAA.
- AAA server (RADIUS, DIAMETER, TACACS+).
- It operates at the logical link control sub-layer of OSI layer 2.
- RADIUS, DIAMETER, and TACACS+ run to 802.1X.
[Figure: edge devices on the corporate intranet use 802.1X to reach the AAA server]

AAA for accessing network devices (cont.)
[Figure only]

Simple Network Management Protocol
[Figure: New York and London sites, each with switches, users, routers and servers, linked by a WAN link; an SNMP manager monitors the network; SNMP is enabled but hardened on managed devices and disabled on the others]

Simple Network Management Protocol
SNMP comes enabled by default on many devices, so it becomes a major security hole. At a minimum, you need to:
- Disable SNMP on devices that aren't being managed or monitored.
- Harden devices that are being managed or monitored.
On those devices that are being managed or monitored:
- Use access control lists (ACLs) to limit SNMP traffic. Only accept SNMP traffic from one small subnet, which should be the subnet your network management devices reside on.
- Change default community strings.
- Use version 3. SNMPv3 offers cryptographic capabilities not provided in earlier versions of the protocol.
- Limit who has access to the network management devices.

Network segmentation
[Figure: Internet, a DMZ with a web server, and behind the switches VLAN 100 Sales subnet 192.168.8.0/24 and VLAN 200 Mkt subnet 192.168.10.0/24]

Rules on routers and firewalls
- ACLs are primarily a list of Permit statements and Allow statements.
- By default, an ACL is configured to block everything. If you create an ACL with no entries, it should block all traffic.
- ACL design can be a performance issue. Place more utilized rules at the beginning of the list, if possible.
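The five-step process on the "Federated identities" slide above, worked as an added example (not part of the slides) with an HMAC-signed token: the home system issues the token once, and the third-party system validates it without a second login. The user record, the shared key and the service names are constructed for the example.

```python
# Added example (not from the slides): the five-step federated-identity process from
# the "Federated identities" slide, modelled with an HMAC-signed token. The user
# record, the shared key and the service names are constructed for the example.
import base64
import hashlib
import hmac
import json

IDP_USERS = {"User4201": "Pa33w0rd"}      # constructed account at the home system

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Home system: step 1 authenticates the user, step 2 hands back a token."""
    def __init__(self, key):
        self.key = key                        # secret shared with the third party (assumption)

    def login(self, user, password, audience, now, ttl=300):
        if not hmac.compare_digest(IDP_USERS.get(user, ""), password):
            return None                       # step 1 failed: no token issued
        claims = {"sub": user, "aud": audience, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)   # step 2: token returned to the user

class RelyingParty:
    """Third-party system: steps 3-5 validate the presented token instead of
    asking the user to authenticate again."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def validate(self, token, now):
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            return None                       # malformed token
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None                       # step 4: signature does not verify
        claims = json.loads(body)
        if claims.get("aud") != self.name or claims.get("exp", 0) <= now:
            return None                       # issued for another service, or expired
        return claims["sub"]                  # step 5: access granted without re-auth
```

The audience and expiry checks are what stop a token issued for one service from being replayed against another, or long after the login that produced it.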
Router and firewall management
- Networking (switch, router): move traffic quickly and efficiently.
- Security (IPS, firewall): limit traffic movement.

Discovery protocols
- Network discovery protocols make it easy to find and keep track of what is on the network.
- Automated gathering of possibly sensitive information creates security and privacy concerns.
- Turn them off or block access to the information if you are not using them.

Discovery Protocols CDP and LLDP
- Some of the default services can make the device vulnerable to attack if security is not enabled.
- The Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default on Cisco routers.
- The Link Layer Discovery Protocol (LLDP) is an open standard that can be enabled on Cisco devices, as well as other vendor devices that support LLDP.
- The intent of CDP and LLDP is to make it easier for administrators to discover and troubleshoot other devices on the network. However, because of the security implications, these discovery protocols should be used with caution. Edge devices are an example of a device that should have this feature disabled.

Discovery Protocols CDP and LLDP (Cont.)
LLDP configuration and verification is similar to CDP.

Limiting physical access: Internal
- Any equipment that can be physically accessed can be compromised.
- Compromising one device can take out a significant portion of the network.
- Secure cabling and wireless access points.
- SPOF: Can you justify more than one physical route for Internet/utilities coming into your facilities?
[Figure: WAP, telecom closet, cables and equipment racks]

Locking telecom closets
- Organizations commonly fail to lock telecom closets.
- Physical controls are mandated for electrical and plumbing access but not IT.
[Figure: telecom closet door]

Secure physical access: 2-man rule
- Physical key
- Access card
- 2-man rule
- Don't forget change management.
[Figure: equipment racks]

Controlling network device ports
- Implement AAA on the console port.
- Disable the aux port if not used.
- Disable unused ports.
- Protect enabled ports with ACLs.
Port security table from the slide figure (port: permitted MAC, device):
- Port 2: 02 60 8c 12 34 56 (Device A)
- Port 6: 02 60 8c 34 56 78 (Device B)
- Port 7: 00 10 4c 39 47 6c (Device C)
- Port 10: 00 02 67 80 5c 1a (Device D)

Limiting physical access: External
Physical security is harder to control outside the facilities.
- Cabling can be cut.
- APs can be pulled off walls.
- Cameras can be knocked down.
- Lighting can be disabled.
- Natural disasters can occur.
The problem may not be malicious but an accidental compromise of cabling, water, or other utility. Include cabling and wireless access points in your physical security plan.

Establishing secure access
- Disable insecure protocols: Telnet, HTTP, SNMPv1.
- Insist on AAA.
- Limit locations (subnets) where management traffic can originate.
- Drop all other traffic attempting to access the device directly.
- Don't overlook the last A in AAA: log all access.

Discussion
At which device should you first filter unwanted traffic? The device closest to the source. If you want to keep someone out of your office, do you lock the office door or keep them out of the building?

Network devices
- Firewall
- IDS/IPS
- Spam/malware filter
- Router/switch/AP
- PC/laptop/tablet
- Printer/scanner/copier
- Badge/access card printer

Wireless access points
Change:
- Default passwords
- SSID(s): default SSID, broadcast of SSID
- Radio power
- Radio channel
- Wireless administrative access
- Directional antennas

Wireless access points: Physical
- Mount APs in a secure location: high up, hidden.
- Enterprise APs receive power through the Ethernet cable. Secure the wiring closet and UPS support for closets.
- Do not install near devices that might cause RFI: microwave ovens, electric motors, other wireless devices.

Changing default settings
Applies to all IT equipment. The bad guy can find that default info as easily as you.
- Admin access
- Password
- SNMP community strings
- Logging

Fundamental device protection summary
- Secure both physical access and logical access.
- Authenticate individual users.
- Disable device access methods that are not used.
- Permit remote administration only over secure communication paths.
- Change default settings.
- Protect SNMP if used. Disable it if not used.
- Synchronize clocks.
- Implement warning banners.
- Verify device integrity on a regular basis.
- Time out administrative access.
- Disable interfaces that are not used.

Traffic filtering best practices
- Explicitly deny all traffic. Permit only needed traffic.
- Drop traffic directed to network control devices unless originating from trusted networks.
- Implement filtering as close to the source as possible.
- Make filtering the primary responsibility of firewalls, with other devices doing their piece as appropriate (defense in depth, defense in diversity).
- Log all exceptions.
[Figure: Internet and internal network segments]

THANK YOU
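An added example (not from the slides) for the "Rules on routers and firewalls" and "Traffic filtering best practices" slides: a first-match ACL evaluator with the implicit deny, so an empty ACL blocks everything, only explicitly permitted traffic passes, traffic to a network control device is dropped unless it comes from the trusted management subnet, and moving the most-used rules to the front cuts the comparisons per packet. The Sales and Mkt subnets come from the segmentation slide; the web server, router and management subnet addresses are constructed.

```python
# Added example (not from the slides): a first-match ACL evaluator illustrating the
# "Rules on routers and firewalls" and "Traffic filtering best practices" slides.
# Subnets are taken from the segmentation slide; all other addresses are constructed.
import ipaddress

class Rule:
    def __init__(self, action, src, dst, dport=None):
        self.action = action                  # "permit" or "deny"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport                    # None means any destination port
        self.hits = 0                         # utilisation counter, used for ordering

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.dport in (None, dport))

class ACL:
    def __init__(self, rules=()):
        self.rules = list(rules)

    def evaluate(self, src_ip, dst_ip, dport):
        """Return (action, rules_compared). First match wins; when no entry
        matches (including an empty ACL) the implicit deny applies."""
        for compared, rule in enumerate(self.rules, start=1):
            if rule.matches(src_ip, dst_ip, dport):
                rule.hits += 1
                return rule.action, compared
        return "deny", len(self.rules)

    def reorder_by_hits(self):
        """Move more-utilised rules to the front to cut comparisons. Only safe when
        no two rules overlap, otherwise first-match semantics would change."""
        self.rules.sort(key=lambda r: r.hits, reverse=True)

WEB_SERVER = "192.168.100.10/32"     # constructed DMZ web server address
ROUTER_MGMT = "192.168.8.1/32"       # constructed router management address
MGMT_NET = "192.168.250.0/24"        # constructed network-management subnet

def build_acl():
    return ACL([
        Rule("permit", "192.168.8.0/24", WEB_SERVER, 443),   # Sales VLAN 100 -> web
        Rule("permit", "192.168.10.0/24", WEB_SERVER, 443),  # Mkt VLAN 200 -> web
        Rule("permit", MGMT_NET, ROUTER_MGMT, 22),           # router reachable only from mgmt subnet, SSH only
    ])
```

Anything not listed, such as Telnet to the router or a Sales host connecting to the router at all, falls through to the implicit deny.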