Chapter 21 - Common Types of Attacks.pdf

Full Transcript

Chapter 21
Common Types of Attacks
THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE
COVERED IN THIS CHAPTER:
Domain 4.0 Network Security
4.1 Explain the importance of basic network security concepts.
Physical security
Camera
Locks
Deception technologies
Honeypot
Honeynet
Network segmentation enforcement
Internet of Things (IoT) and Industrial Internet of Things (IIoT)
Supervisory control and data acquisition (SCADA), industrial control System
(ICS), operational technology (OT)
Guest
Bring your own device (BYOD)
4.2 Summarize various types of attacks and their impact to the network.
Denial-of-service (DoS)/
distributed denial-of-service
(DDoS)
VLAN hopping
Media Access Control (MAC)
Flooding
Address Resolution Protocol
(ARP) poisoning
ARP spoofing
DNS poisoning
DNS spoofing
Rogue devices and services
 DHCP
AP
Evil twin
On-path attack
Social engineering
Phishing
Dumpster diving
Shoulder surfing
Tailgating
Malware
4.3 Given a scenario, apply network security features, defense
techniques, and solutions.
Device hardening
Disable unused ports and services
Change default passwords
Network access control (NAC)
Port security
802.1X
MAC filtering
Key management
Security rules
Access control list (ACL)
Uniform Resource Locator (URL) filtering
Content filtering
Zones
Trusted vs. untrusted
Screened subnet

It's true…you're not paranoid if they really are out to get you. Although “they” probably
aren't after you personally, your network—no matter the size—is seriously vulnerable, so
it's wise to be very concerned about keeping it secure. Unfortunately, it's also true that
no matter how secure you think your network is, it's a good bet that there are still some
very real threats out there that could breach its security and totally cripple your
infrastructure!
I'm not trying to scare you; it's just that networks, by their very nature, are not secure
environments. Think about it—the whole point of having a network is to make resources
available to people who aren't at the same physical location as the network's resources.
Because of this, it follows that you've got to open access to those resources to users you
may not be able to identify. One network administrator I know referred to a server
running a much-maligned network operating system as “a perfectly secure server until
you install the NIC.” You can see the dilemma here, right?
With all this doom and gloom, what's a network administrator to do? Well, the first line
of defense is to know about the types of threats out there because you can't do anything
to protect yourself from something you don't know about. But once you understand the
threats, you can begin to design defenses to combat bad guys lurking in the depths of
cyberspace just waiting for an opportunity to strike.
I'm going to introduce you to some of the more common security threats and teach you
about the ways to mitigate them. I'll be honest—the information I'll be giving you in this
chapter is definitely not exhaustive. Securing computers and networks is a huge task,
and there are hundreds of books on this subject alone. To operate securely in a network
environment, one must understand how to speak the language of security. As in any
field, there is specific terminology.
In this chapter, you will learn the common types of attacks that all network
professionals should understand to secure an enterprise network.

To find Todd Lammle CompTIA videos and practice questions,
please see www.lammle.com.

Technology-Based Attacks
All attacks upon an organization are either technology-based or physically-based. A
technology-based attack is one in which the network and operating systems are used
against the organization in a negative way. Physical attacks use human interaction or
physical access, which I will cover later. I will now cover several different types of
technology-based attacks that are commonly used against networks and organizations.

Denial of Service/Distributed Denial of Service
A denial of service (DoS) is an attack launched to disrupt the service or services a
company receives or provides via the Internet. A DoS attack is executed with an
extremely large number of false requests, resulting in the servers not being able to fulfill
valid requests for clients and employees. As shown in Figure 21.1, a bad actor sends
many false requests for information to a server. Then when the valid requests are sent to
the server, the resources, such as memory and CPU, are exhausted, and the server
cannot fulfill the valid requests. There are several different types of DoS attacks.
 FIGURE 21.1 Typical DoS attack
Reflective A reflective DoS attack is not a direct attack; it requires a third party that
will inadvertently execute the attack. The attacker will send a request to a third-party
server and forge the source address of the packet with the victim's IP address. When the
third party responds, it responds to the victim. There are two victims in this type of DoS
attack; the first is the victim the attack is aimed at, and the second is the third-party
server used to carry out the attack, as shown in Figure 21.2.

FIGURE 21.2 Typical reflective attack
Amplified An amplified DoS attack is a variant of a reflective DoS attack. It is carried
out by making a small request to the third-party server that yields a larger response to
the victim. The most common third-party servers used to carry out this type of attack
are DNS and NTP. For example, an attacker will request a DNS query for a single
hostname that contains 20 aliases while forging the source IP address. The victim is
then barraged with the 20 answers from the query, as shown in Figure 21.3.

FIGURE 21.3 Typical amplified attack
Distributed A distributed denial of service (DDoS) has become the most common
type of DoS, because the source of the DoS is varied. A DDoS employs many bots to
create a botnet. A botnet is a series of compromised servers or hosts that are under a bad
actor's control. It is common for botnets to launch DDoS attacks on organizations. When
a single host is used to create a DoS, it can simply be blocked. However, when traffic is
coming from millions of different hosts, it is impossible to isolate the DoS and firewall
the source. A bad actor will leverage a key server called a command-and-control server
to deliver commands to each bot in the botnet, as shown in Figure 21.4. The command-
and-control server is often a compromised server as well; it just happens to be where the
bad actor has set up shop (so to speak).
 FIGURE 21.4 Components of a DDoS attack

Friendly/Unintentional DoS
An unintentional DoS attack (also referred to as attack from “friendly fire”) is not one
that is not caused by malicious individuals; instead, it's a spike in activity to a website or
resource that overpowers its ability to respond. In many cases, it is the result of a
relatively unknown URL suddenly being shared in a larger medium such as a popular TV
or news show.

Physical DoS
Physical DoS attacks are those that cause hardware damage to a device. These attacks
can be mitigated, but not eliminated, by preventing physical access to the device.
Routers, switches, firewalls, servers, and other infrastructure devices should be locked
away and protected by strong access controls. Otherwise, you may be confronted with a
permanent DoS, covered in the next section.

Permanent DoS
A permanent DoS attack is one in which the device is damaged and must be replaced. It
requires physical access to the device, or does it? Actually, it doesn't! An attack called a
phlashing denial of service (PDoS) attacks the firmware located in many systems. Using
tools that fuzz (introduce errors) the firmware, attackers cause the device to be
unusable. Another approach is to introduce a firmware image containing a Trojan or
other type of malware.

On-Path Attack (Previously Known as Man-in-the-Middle Attack)
Many of the attacks we're discussing can be used in conjunction with an on-path attack,
which was previously known as a man-in-the-middle (MitM) attack. For example, the
evil twin attack, discussed later, allows the attacker to position themselves between the
compromised user and the destination server. The attacker can then eavesdrop on a
conversation and possibly change information contained in the conversation.
Conventional on-path attacks allow the attacker to impersonate both parties involved in
a network conversation. This allows the attacker to eavesdrop and manipulate the
conversation without either party knowing. The attacker can then relay requests to the
server as the originating host attempts to communicate on the intended path, as shown
in Figure 21.5.

FIGURE 21.5 On-path attack

DNS Poisoning/Spoofing
DNS clients send requests for name to IP address resolution (called queries) to a DNS
server. The search for the IP address that goes with a computer or domain name usually
starts with a local DNS server that is not authoritative for the DNS domain in which the
requested computer or website resides. When this occurs, the local DNS server makes a
request of the DNS server that does hold the record in question. After the local DNS
server receives the answer, it returns it to the local DNS client. After this, the local DNS
server maintains that record in its DNS cache for a period called the time to live (TTL),
which is usually an hour but can vary.
In a DNS cache poisoning attack, the attacker attempts to refresh or update that record
when it expires with a different address than the correct address. If the attacker can
convince the DNS server to accept this refresh, the local DNS server will then respond to
client requests for that computer with the address inserted by the attacker. Typically, the
address they now receive is for a fake website that appears to look in every way like the
site the client is requesting. The hacker can then harvest all the name and password
combinations entered on his fake site.
The DNS servers should be limited in the updates they accept to prevent this type of
attack. In most DNS software, you can restrict the DNS servers from which a server will
accept updates. This can help prevent the server from accepting these false updates.
DNS spoofing is slightly different than DNS poisoning. DNS spoofing, also called DNS
cache poisoning, is an attack created by manipulating DNS records to redirect users
toward a fraudulent, malicious website that looks like the destination host or web page.

VLAN Hopping
VLANs, or virtual LANs, are layer 2 subdivisions of the ports in a single switch. A VLAN
may also span multiple switches. When devices are segregated into VLANs, access
control lists can be used in a router to control access between VLANs in the same way it
is done between real LANs. When VLANs span switches, the connection between the
switches is called a trunk link, and it carries the traffic of multiple VLANs. Trunk links
are also used for the connection from the switch to the router.
A VLAN hopping attack results in traffic from one VLAN being sent to the wrong VLAN
(see Figure 21.6). Normally, this is prevented by the trunking protocol placing a VLAN
tag in the packet to identify the VLAN to which the traffic belongs. The attacker can
circumvent this by a process called double tagging, which is placing a fake VLAN tag
into the packet along with the real tag. When the frame goes through multiple switches,
the real tag is taken off by the first switch, leaving the fake tag. When the frame reaches
the second switch, the fake tag is read and the frame is sent to the VLAN to which the
hacker intended the frame to go. This process typically occurs to launch an attack on the
native VLAN.

FIGURE 21.6 VLAN hopping

ARP Spoofing/Poisoning
ARP spoofing is the process of adopting another system's MAC address for the purpose
of receiving data meant for that system. It usually also entails ARP cache poisoning. ARP
cache poisoning is usually a part of an on-path/man-in-the middle attack. The ARP
cache contains IP address to MAC address mappings that a device has learned through
the ARP process.
One of the ways this cache can be poisoned is by pinging a device with a spoofed IP
address. In this way, an attacker can force the victim to insert an incorrect IP address to
MAC address mapping into its ARP cache. If the attacker can accomplish this with two
computers having a conversation, they can effectively be placed in the middle of the
transmission. After the ARP cache is poisoned on both machines, they will be sending
data packets to the attacker, all the while thinking they are sending them to the other
member of the conversation.
Rogue Devices and Services
Rogue devices and services consist of any physical device or logical services that are not
commissioned by the organization. These devices and services are typically malicious in
intent, but they can also be triggered by an employee plugging in a device. This
introduction of a rogue device can consequently have the potential for distruption. The
following are some of the most common rogue devices and services you may encounter.

Rogue DHCP
Dynamic Host Configuration Protocol (DHCP) is used to automate the process of
assigning IP configurations to hosts. When configured properly, it reduces
administrative overload, reduces the human error inherent in manual assignment, and
enhances device mobility. But it introduces a vulnerability that when leveraged by a
malicious individual can result in an inability of hosts to communicate (constituting a
DoS attack) and peer-to-peer attacks.
When an illegitimate DHCP server (called a rogue DHCP server) is introduced to the
network, unsuspecting hosts may accept DHCP Offer packets from the illegitimate
DHCP server rather than the legitimate DHCP server. When this occurs, not only will
the rogue DHCP server issue the host an incorrect IP address, subnet mask, and default
gateway address (which makes a peer-to-peer attack possible), but it can also issue an
incorrect DNS server address, which will lead to the host relying on the attacker's DNS
server for the IP addresses of websites (such as those resembling major banks' websites)
that lead to phishing attacks. Figure 21.7 shows an example of the effect of a Rogue
DHCP server.
In Figure 21.7, after receiving an incorrect IP address, subnet mask, and default gateway
from the rogue DHCP server, the DHCP client unwittingly uses the attacker as the
gateway. The attacker can then launch an on-path attack without the client ever knowing
what happened.

Rogue Access Point
Rogue access points (APs) are APs that have been connected to your wired
infrastructure without your knowledge. The rogue may have been placed there by a
determined hacker who snuck into your facility and put it in an out-of-the-way location
or, more innocently, by an employee who just wants wireless access and doesn't get just
how dangerous doing this is. Either way, it's just like placing an open Ethernet port out
in the parking lot with a sign that says “Corporate LAN access here—no password
required!”
 FIGURE 21.7 Effects of a rogue DHCP
Clearly, the worst type of rogue AP is the one some hacker has cleverly slipped into your
network. It's particularly nasty because the bad guy probably didn't do it to simply gain
access to your network. Nope—the hacker likely did it to entice your wireless clients to
disastrously associate with their rogue AP instead! This ugly trick is achieved by placing
their AP on a different channel from your legitimate APs and then setting its SSID in
accordance with your SSID. Wireless clients identify the network by the SSID, not the
MAC address of the AP or the IP address of the AP, so jamming the channel that your
AP is on will cause your stations to roam to the bad guy's AP instead. With the proper
DHCP software installed on the AP, the hacker can issue the client an address, and once
that's been done, the bad guy has basically “kidnapped” your client over to their network
and can freely perform a peer-to-peer attack. Believe it or not, this can all be achieved
from a laptop while Mr. Hacker simply sits in your parking lot, because there are many
types of AP software that will run on a laptop—yikes!
Evil Twin

An evil twin is an AP that is not under your control but is used to perform a hijacking
attack. A hijacking attack is one in which the hacker connects one or more of your users'
computers to their network for the purpose of a peer-to-peer attack.
The attack begins with the introduction of an access point that is under the hacker's
control. This access point will be set to use the same network name or SSID your
network uses, and it will be set to require no authentication (creating what is called an
open network).
Moreover, this access point will be set to use a different channel than the access point
under your control.
To understand how the attack works, you must understand how wireless stations
(laptops, tablets, and so on) choose an access point with which to connect. It is done by
SSID and not by channel. The hacker will “jam” the channel on which your access point
is transmitting. When a station gets disconnected from an access point, it scans the area
for another access point with the same SSID. The stations will find the hacker's access
point and will connect to it, as shown in Figure 21.8.

FIGURE 21.8 An evil twin attack
Once the station is connected to the hacker's access point, it will receive an IP address
from a DHCP server running on the access point, and the user will now be located on the
same network as the hacker. At this point, the hacker is free to commence a peer-to-peer
attack.
Deauthentication

The 802.11 wireless protocol contains a method for deauthentication of clients via a
deauthentication frame. An attacker can send a deauthentication frame on behalf of the
user, which disconnects them from the access point. Attackers will use this method in
conjunction with an evil twin attack to deauthenticate the user from a valid access point
so they can try to reconnect to the evil twin access point. The deauthetication attack can
also be used to generate association traffic for purposes of cracking a wireless
passphrase.

Password Attacks
When an attacker attempts to guess a password for a known username, it is considered a
password attack. Usernames such as admin, administrator, and root should always be
avoided since these are considered privileged accounts. You should always use
passwords that are at least 10 characters or longer. Complexity should also be used
when formulating a password, such as using lowercase, uppercase, symbols, and
numbers. An attacker will perform a password attack with two primary tactics of a
dictionary attack and brute-force attack.
Dictionary Attacks A dictionary attack is just how it sounds; the attack is carried out
by using a database of common words called a dictionary. These dictionary files can be
kilobytes to gigabytes in size, and they contain commonly used passwords. The obvious
dictionary words are password, privilege, and variations of password using numbers,
such as passw0rd. Password complexity and length settings are often implemented to
mitigate password dictionary attacks.
Brute-Force Attacks Brute force is a last-ditch effort to crack a passphrase or
password. A brute-force application will try every combination of a password until
access is granted. These combinations will include uppercase letters, lowercase letters,
symbols, and numbers. The number of combinations is exponential with every character
added to a password, so long passwords of 10 characters or more are best. There are two
brute-force attack methods: the online method and offline method, as shown in Figure
21.9.

FIGURE 21.9 Brute-force password attacks
Both methods use a brute-force application to try each permutation of the password.
The online method accesses the application directly and attempts to crack the
password. However, the weakness to an online brute-force attack is the use of
automatic lockouts after so many failed attempts, and it slows the attacker down
considerably. The offline method requires the theft of the credentials file, and the
brute-force attack is attempted directly on the offline credentials file. Passwords are
never stored in clear text; they are commonly hashed. So, theft of the credential file
requires hashing password combinations in an attempt to match the hash. With the use
of a high-end graphics card, an attacker can try millions of password hashes a minute
or even in seconds. An attacker can also employ a database of password-to-hash
combinations, called rainbow tables. Rainbow tables can be terabytes in size.

MAC Spoofing
MAC spoofing is the assumption of another system's MAC address for the following
purposes:
To pass through a MAC address filter
To receive data intended for another system
To impersonate a gateway (router interface) for the purpose of receiving all data
leaving a subnet

MAC spoofing is the reason we don't rely solely on security at layer 2 (MAC address
filters), while best practices call for basing access on user accounts rather than device
properties such as IP addresses or MAC addresses.

IP Spoofing
Spoofing is performed by an attacker so they can impersonate an IP address of an
organization's assets. Spoofing allows the attacker to bypass access control systems and
gain access to protected resources on the network. Spoofing is often used in DoS attacks
to hide the attacker's IP address. The attacker forges a packet with the pawn's IP address
as the source IP address and proceeds to attack the victim at the destination IP address.
IP spoofing can be used in more elaborate attacks involving MAC spoofing to carry on a
two-way conversation. Access control lists are an effective way to mitigate spoofing of
internal IPs from outside the trusted network.

MAC Flooding
MAC flooding is a cyberattack targeting switches on a local area network (LAN). It
involves sending multiple packets with fake MAC addresses to overflow the switch's
address table, causing the buffer to overflow and making the switch unable to process
any legitimate traffic.

Malware
Malware is a broad term describing any software with malicious intent. Although we
use the terms malware and virus interchangeably, distinct differences exist between
them. The lines have blurred because the delivery mechanism of malware and viruses is
sometimes indistinguishable.
A virus is a specific type of malware, the purpose of which is to multiply, infect, and do
harm. A virus distinguishes itself from other malware because it is self-replicating code
that often injects its payload into documents and executables. This is done in an attempt
to infect more users and systems. Viruses are so efficient in replicating that their code is
often programmed to deactivate after a period of time, or they are programmed to only
be active in a certain region of the world.
Malware can be found in a variety of other forms, such as covert cryptomining, web
search redirection, adware, spyware, and even ransomware, and these are just a few.
Today the largest threat of malware is ransomware because it's lucrative for criminals.

Ransomware
Ransomware is a type of malware that is becoming popular because of anonymous
currency, such as Bitcoin. Ransomware is software that is often delivered through an
unsuspecting random download. It takes control of a system and demands that a third
party be paid. The “control” can be accomplished by encrypting the hard drive, by
changing user password information, or via any of a number of other creative ways.
Users are usually assured that by paying the extortion amount (the ransom), they will be
given the code needed to revert their systems back to normal operations. CryptoLocker
was one of the first ransomware threats that made headlines across the world (see
Figure 21.10). You can protect yourself from ransomware by having
antivirus/antimalware software with up-to-date definitions and by keeping current on
patches.

FIGURE 21.10 CryptoLocker

Trojans
Trojan horses are programs that enter a system or network under the guise of another
program. A Trojan horse may be included as an attachment or as part of an installation
program. The Trojan horse can create a backdoor or replace a valid program during
installation. It then accomplishes its mission under the guise of another program.
Trojan horses can be used to compromise the security of your system, and they can exist
on a system for years before they're detected.
The best preventive measure for Trojan horses is to not allow them entry into your
system. Immediately before and after you install a new software program or operating
system, back it up! If you suspect a Trojan horse, you can reinstall the original
program(s), which should delete the Trojan horse. A port scan may also reveal a Trojan
horse on your system. If an application opens a TCP or UDP port that isn't supported in
your network, you can track it down and determine which port is being used.

Keyloggers
A keylogger is normally a piece of software that records an unsuspecting victim's
keystrokes. Keyloggers can stay loaded in memory and wait until you log into a website
or other authentication system. They will then capture and relay the information to an
awaiting host on the Internet.
Keyloggers don't always have to be in the form of software. Some keyloggers are
hardware dongles that sit between the keyboard and computer. These must be retrieved,
and the data must be downloaded manually, so they are not very common.

Rootkits
Rootkits are software programs that have the ability to hide certain things from the
operating system. They do so by obtaining (and retaining) administrative-level access.
With a rootkit, there may be a number of processes running on a system that don't show
up in Task Manager, or connections that don't appear in a Netstat display of active
network connections that may be established or available. The rootkit masks the
presence of these items by manipulating function calls to the operating system and
filtering out information that would normally appear.
Unfortunately, many rootkits are written to get around antivirus/antimalware and
antispyware programs that aren't kept up-to-date. The best defense you have is to
monitor what your system is doing and catch the rootkit in the process of installation.

Spyware
Spyware differs from other malware in that it works—often actively—on behalf of a third
party. Rather than self-replicating, like viruses and worms, spyware is spread to
machines by users who inadvertently ask for it. The users often don't know they have
asked for it but have done so by downloading other programs, visiting infected sites, and
so on.
The spyware program monitors the user's activity and responds by offering unsolicited
pop-up advertisements (sometimes known as adware), gathers information about the
user to pass on to marketers, or intercepts personal data, such as credit card numbers.

Cryptominers
With the rise of Bitcoin, so came the rise of cryptominers. A cryptominer is typically a
purpose-built device that grinds out cryptographic computations. When the
computation is balanced, a cryptocoin is created and equates to real money, such as
Bitcoin, Ethereum, and Dogecoin, just to name a few. A cryptominer does not always
have to be a dedicated purpose-built device; it can also be a distributed group of
computers called a cryptopool.
Malware in the form of cryptominers became very popular, because it is a very lucrative
way for threat agents to make money. The problem is that the threat agents use your
computer to grind out the computations. The most common way a threat agent will run
a cryptominer remotely is with JavaScript embedded on a malicious web page. Threat
agents have also been known to create viruses in which the payload (cryptominer) uses
your video card to grind out the computations. However, the JavaScript variant is more
common to find in the wild.

Viruses
Viruses can be classified as polymorphic, stealth, retrovirus, multipartite, armored,
companion, phage, and macro viruses. Each type of virus has a different attack strategy
and different consequences.

EXERCISE 21.1
Testing Your Antimalware

1. Navigate to the Eicar antimalware test file site at www.eicar.org/download-anti-
malware-testfile.

2. Scroll down to the download section.
3. Download a few of the Eicar test files and notice how your antivirus detects the
malware.
4. Examine the alerts your antimalware software uses to report the malware.

The Eicar website contains a totally benign piece of malware that triggers your
antimalware engine. Any search for Eicar will produce similar results and the
contents are benign.

Human and Environmental
While some vulnerabilities come from technical challenges such as attacks on
cryptography and network protocols, many are a result of environmental issues within
the facility or of human error and poor network practices by the users (we call these self-
inflicted wounds). In the following sections, you'll learn about human and
environmental vulnerabilities.

Social Engineering
Hackers are more sophisticated today than they were 10 years ago, but then again, so are
network administrators. Because most of today's sys admins have secured their
networks well enough to make it pretty tough for an outsider to gain access, hackers
decided to try an easier route to gain information: They just asked the network's users
for it.
Social engineering attacks occur when attackers use believable language and user
gullibility to obtain user credentials or some other confidential information. The best
countermeasure against social engineering threats is to provide user security awareness
training. This training should be required and must occur on a regular basis because
social engineering techniques evolve constantly.

Phishing
Phishing is a social engineering attack in which attackers try to learn personal
information, including credit card information and financial data. This type of attack is
usually carried out by implementing a fake website that is nearly identical to a legitimate
website. Users are led there by fake emails that appear to come from a trusted source.
Users enter data, including credentials, on the fake website, allowing the attackers to
capture any information entered. Spear phishing is a phishing attack carried out against
a specific target by learning about the target's habits and likes. The best defense is
security awareness training for the users.

Environmental
Some attacks become possible because of the security environment we have allowed to
develop. The following are issues that are created by user behavior.

Tailgating
Tailgating is the term used for someone being so close to you when you enter a building
that they are able to come in right behind you without needing to use a key, a card, or
any other security device. Many social-engineering intruders who need physical access
to a site will use this method of gaining entry. Educate users to beware of this and other
social-engineering ploys and prevent them from happening.

Access control vestibules (mantraps) are a great way to stop
tailgating. An access control vestibule (mantrap) is a series of two doors with a
small room between them that helps prevent unauthorized people from entering a
building.

Piggybacking
Piggybacking and tailgating are similar but not the same. Piggybacking is done with the
authorization of the person with access. Tailgating is done when the attacker sneaks
inside without the person with access knowing. This is why access control vestibules
(mantraps) and turnstiles deter tailgating, and live guards and security training deter
piggybacking.

Dumpster Diving
Dumpster diving is a way for attackers to gain information that they use to establish
trust from data or sensitive documents that you discarded in one way or another. Law
enforcement, journalists, and hackers who don't mind getting dirty—any of them could
use this technique.

Shoulder Surfing
Shoulder surfing involves nothing more than watching someone when they enter their
sensitive data. They can see you entering a password, typing in a credit card number, or
entering any other pertinent information. The best defense against this type of attack is
to survey your environment before entering personal data. Privacy filters can be used
that make the screen difficult to read unless you are directly in front of it.
 EXERCISE 21.2
Experimenting with Social Engineering

1. Call the receptionist from an outside line when the sales manager is at lunch.
Tell the receptionist that you're a new salesperson, that you didn't write down
the username and password the sales manager gave you last week, and that you
need to get a file from the email system for a presentation tomorrow. Does the
receptionist direct you to the appropriate person or attempt to help you retrieve
the file?
2. Call the human resources department from an outside line. Don't give your real
name but instead say that you're a vendor who has been working with this
company for years. You'd like a copy of the employee phone list to be emailed to
you, if possible. Do they agree to send you the list, which would contain
information that could be used to try to guess usernames and passwords?
3. Pick a user at random. Call them and identify yourself as someone who works
with the company. Tell them that you're supposed to have some new software
ready for them by next week and that you need to know their password to finish
configuring it. Do they do the right thing?

The best defense against any social engineering attack is education. Make certain
that the employees of your company know how to react to the requests presented
here. Social engineering works on the premise that people try to help when they are
vested in your efforts, such as a co-worker or if you are trying to help them.

Hardening Security
There are many different hardening techniques we can employ to secure our networks
from compromise. When evaluating the techniques to be employed in your network, you
should keep a few things in mind: Evaluate your risk, evaluate the overhead the
hardening introduces, and prioritize your list of hardening techniques to be
implemented. Many of these hardening techniques are “low-hanging fruit” and should
be employed, such as changing default passwords on network appliances and operating
systems. Just make sure you have a system in place so complex passwords are not
forgotten and are kept safe. Other techniques might require much more effort, such as
patch management and firmware changes. In the following sections, I will introduce you
to a myriad of hardening techniques that can be used to secure your organization.

Device Gardening
Device hardening is the action of changing the network device or operating system's
defaults to make it more secure. When we install a new device, the first thing we do is
change the default passwords and patch the device. This effectively hardens the device
from attacks. Other common hardening techniques consist of disabling services and
network ports we don't need for the use of the device or operating system.

Changing Default Credentials
When installing a network device, the very first thing you must do is log into the device.
There is often a standardized default username and password for each vendor or
vendor's product line. Most devices make you change the default password upon login to
the device.
Changing the default password to a complex password is a good start to hardening the
device. However, changing the username will also ensure that a brute-force attack
cannot be performed against the default username. There are many different websites
dedicated to listing the default credentials for network devices, so it doesn't take
tremendous skill to obtain the default username and password of the device.

Avoiding Common Passwords
Avoiding common passwords is another simple measure to harden the device or
operating system. There are several dictionaries that you can find on the Internet that
will include common passwords. Some dictionaries are even collections of compromised
passwords that have been made public.
When creating a password, it is always best practice to make the password at least 12 to
18 characters, based on the sensitivity of its use. You should always include symbols,
numbers, and uppercase and lowercase alpha characters. You should also resist
substituting characters for symbols that look like the character. This substitution is often
called “leet speak,” and it is in every dictionary downloadable on the Internet. An
example of a “leet speak” password is p@$$word. Another common pitfall in creating
passwords is the use of words; passwords should be random and complex. An example
of a complex password is GLtNjXu#W6*qkqGkS$. You can find random password
generators on the Internet, such as https://passwordsgenerator.net.

Disabling Unnecessary Services
When services are enabled that are unneeded, it expands the surface area of attack. The
surface area of attack is the range of possible exploitable services on an operating system
or network device. If an operating system was a house, the entry points would be the
doors, windows, and chimney. If we disable services, we remove entry points that can be
exploited by attackers.
One of the major design changes to the Microsoft Server operating system was
introduced with Windows Server 2008. Starting with Windows 2008, Microsoft
disabled all services out of the box, and the firewall was turned on by default. This
dramatically reduced the surface area of attack for the operating system compared to
prior versions such as Windows Server 2003 R2.
Linux and UNIX have long since used this minimalistic approach to installation. When
the Linux/UNIX operating systems are installed, no services are installed by default. All
functionality must be added via the repository tools such as apt for Ubuntu and Debian
and yum for Red Hat–based systems.
Operating systems are not the only network system that contains services; many
network devices have services. Network devices are not immune to exploit; therefore,
the surface area of attack should be reduced by disabling nonessential services. A typical
example is a network printer; printers will often have several protocols enabled for
printing, such as Server Message Block (SMB), Internet Printing Protocol (IPP), and File
Transfer Protocol (FTP). Unnecessary protocols and services should be disabled since
each one could potentially have a vulnerability.

Using Secure Protocols
Secure protocols are protocols that provide encryption. Many of the protocols used
today by network devices do not provide any encryption. Secure protocols should be
used to thwart eavesdropping and manipulation of the network device from an
unauthenticated source.
A typical protocol used to manage network devices for firmware upgrades is Trivial File
Transfer Protocol (TFTP). TFTP is unencrypted and easily exploitable by way of an on-
path attack, because it uses the UDP protocol. Protocols such as Secure Copy Protocol
(SCP) should be used in lieu of older outdated protocols if the device supports it. SCP
provides both encryption and authentication.
Telnet is insecure as well and a worse choice because login credentials are sent in clear
text! Telnet is a console-based maintenance protocol that is frequently used by network
devices because of its small code footprint. Protocols such as Secure Shell (SSH) should
be used if the device supports it. SSH provides both encryption and authentications just
like SCP, since SCP is an extension of SSH.
Console-based management protocols such as TFTP and Telnet are not the only
protocols immune to insecurity. Hypertext Transfer Protocol (HTTP) is sent in clear text
as well. Hypertext Transfer Protocol Secure (HTTPS) should be enabled and used for
management of network devices. HTTPS requires a certificate to be installed, but most
network devices allow the use of self-signed certificates that are locally managed.
HTTPS provides encryption and a minimal layer of authentication for the management
endpoint but will thwart an on-path attack.

Disabling Unused Ports
A port is considered any interface that serves to connect two host systems. The port can
be an IP port related to TCP or UDP, or it can be a physical port such as a serial or USB
port. If the interface allows data to be transferred, then it is considered a port and is a
risk to security. In this section, I will cover the most common ports that should be
disabled if not needed for hardening of systems.
IP Ports

The term port is often associated with TCP/IP ports. Throughout this book you will find
protocols that operate on TCP or UDP; these ports are considered well-known ports. A
list of the registered ports can be found at www.iana.org/assignments/service-names-
port-numbers/service-names-port-numbers.txt. However, this is not a full list because
application designers are not required to register the ports the application runs on.
After a system has been installed, it is best practice to disable any TCP/IP port that is
not being used for the primary purpose of the network system. This is achieved via host-
based firewalls. Microsoft operating systems are proficient at securing the operating
system, because starting with Windows Server 2008 the firewall is on by default. Linux
systems are also being packaged with firewalls that are enabled by default. Only ports
necessary for operations are allowed through the host firewall. When we disable TCP/IP
ports, we reduce the surface area of attack of a network system.
Device Ports (Physical and Virtual)

When we disable and/or firewall TCP/IP ports on a network operating system, we
prevent remote exploits. However, physical ports are just as susceptible to exploitation.
If a network device has a serial port, also known as a console port, an attacker could plug
in and manipulate the system. Any unused ports on network devices should be either
disabled or password protected.
Virtual ports are also susceptible to attacks. Many virtual machine technologies allow for
serial ports to be extended to a remote workstation over TCP/IP. These ports generally
are just as exploitable as their physical counterparts. If virtual console ports are not
required, they should be disabled.

Key Management
Both the Secure Shell and Hypertext Transfer Protocol Secure protocols require public
private key pairs. The key pairs are often generated when the protocols are first enabled.
The modulus is the length in bits of the encryption key pair. A 512-bit modulus can be
cracked within a relatively short period of time. A 2048-bit modulus can take much
longer, if it is even possible. The expiry time on the key pairs is directly related to the
modulus length. A low-bit modulus key pair will expire sooner than a high-bit modulus
key pair, but all key pairs expire at some point. The generation of new keys is required
by the network operating system at some point because of the expiration date set on the
key pair. Some network operating systems generate the key pair automatically; others
require manual intervention.
A generation of new key pairs can also be required if they are compromised. As the
administrator, you should rekey the system if it is compromised, but the operating
system will not care and continue to function as normal.
It is important to note that SSH clients will detect a new key pair upon initial connection
after generating new keys. The SSH client by default will prompt the user to accept this
new key pair. All SSH clients cache the key pairs previously shown in a key chain that is
used for future authentication of connections.

Access Control Lists
Access control lists (ACLs) are used to control traffic and applications on a network.
Every network vendor supports a type of ACL method; for the remainder of this section,
I will focus on Cisco ACLs.
An ACL method consists of multiple access control entries (ACEs) that are condition
actions. Each entry is used to specify the traffic to be controlled. Every vendor will have
a different type of control logic. However, understanding the control logic of the ACL
system allows you to apply it to any vendor and be able to effectively configure an ACL.
The control logic is defined with these simple questions:
How are the conditions of an ACL evaluated?
What is the default action if a condition is not met?
How is the ACL applied to traffic?
How are conditions edited for an ACL?

Let's explore the control logic for a typical Cisco layer 3 switch or router. The conditions
of the ACL are evaluated from top to bottom. If a specific condition is not met for the
ACL, the default action is to deny the traffic. Only one ACL can be configured per
interface, per protocol, and per direction. When you are editing a traditional standard or
extended ACL, the entire ACL must be negated and reentered with the new entry. With
traditional ACLs, there is no way to edit a specific ACL on the fly. When editing a named
access list, each condition is given a line number that can be referenced so that the
specific entry can be edited. For the remainder of this section, I will use named access
lists to illustrate an applied access list for controlling traffic.
In Figure 21.11 you can see a typical corporate network. There are two different types of
workers: HR workers and generic workers. We want to protect the HR web server from
access by generic workers.

FIGURE 21.11 A typical corporate network
We can protect the HR server by applying an ACL to outgoing traffic for Eth 0/0 and
describing the source traffic and destination to be denied. We can also apply an ACL to
the incoming interface of Eth 0/2 describing the destination traffic to be denied. For this
example, we will build an access list for incoming traffic to Eth 0/2, blocking the
destination of the HR server.
Router(config)# ip access-list extended block-hrserver
Router(config-ext-nacl)# deny ip any host 192.168.1.4
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface ethernet 0/2
Router(config-if)# ip access-group block-hrserver in

This ACL, called block-hrserver, contains two condition action statements. The first
denies any source address to the specific destination address of 192.168.1.4. The second
allows any source address to any destination address. We then enter the interface of Eth
0/2 and apply the ACL to the inbound direction of the router interface. The rule will
protect the HR server from generic worker access while allowing the generic workers to
access all other resources and the Internet.
It is important to note that the focus of this section is to understand how ACLs are used
to protect resources. It is not important to understand how to build specific ACLs since
commands will be different from vendor system to vendor system.

Content Filtering
Content filters are useful in networks to restrict users from viewing material that is non-
work-related, questionable, or malware. Content filtering is usually dictated by
organization policy and management. The content filter operates by watching content
and requests from web browsers and other applications. The content filter functions in
two ways: The first is content-based; when images and text are requested from a
website, the content filter can use heuristic rules to filter the content according to
administrator-set policies. The second method is URL-based, which is much more
common since many websites now use SSL/TLS (encryption) and the traffic is
encrypted. Content filters are typically purchased with a subscription that provides
updates to the categories of material administrators block. Content filters can be
hardware solutions or software solutions, although it is common to find them installed
as software solutions.

Implementing Network Segmentation
One of the biggest reasons for implementing segmentation is for security purposes. At
layer 1, this means complete physical separation. However, if you don't want to go with
complete segmentation, you can also segment at layer 2 on switches by implementing
VLANs and port security. This can prevent connections between systems that are
connected to the same switch. They can also be used to organize users into common
networks regardless of their physical location.
If segmentation at layer 3 is required, it's achieved using access control lists on routers
to control access from one subnet to another or from one VLAN to another. Firewalls
can implement these types of access lists as well.
Finally, network segmentation may be required to comply with an industry regulation.
For example, while it's not strictly required, the Payment Card Industry Data Security
Standard (PCI DSS) strongly recommends that a credit card network should be
segmented from the regular network. If you choose not to do this, your entire network
must be compliant with all sections of the standard.

Network Segmentation Enforcement
When a network is flat with no segmentation, it is impossible to secure because an
intruder has potential access to all hosts and devices once the initial network is
compromised. Fortunately, there are a number of methods to implement segmentation
in the network. We can use physical routers, separate switches, and firewalls. However,
the easiest method is to implement virtual local area networks (VLANs) in the network.
When VLANs are implemented, each VLAN has a distinct network ID. The VLANs
become routable networks because they create segments in the network. This concept
can then be taken one step further by implementing ACLs between these segments to
increase security.
If you are implementing a firewall to create network segmentation, the various networks
are given a label, and a value of trust is associated with them. The labels are also
commonly called zones. As an example, the Internet is often labeled as the public zone
and carries the least amount of trust. Internal networks are often labeled as private
zones and carry a higher amount of trust. Rules can then be enforced that dictate that a
public zone cannot communicate to a private zone, unless the private zone has initiated
the connection.
Segmentation can be taken even further, by segmenting internal private networks within
the organization, such as production, research, and sales, with each zone carrying a
different level of trust. Enforcement rules can then be put into place to protect each
segment.

Screened Subnet
The screened subnet is also known as the demilitarized zone (DMZ). The DMZ gets its
name from the segmentation that is created between the exterior and the interior of the
network. This is similar to where borders of two opposing countries meet with military
presence on both sides. Between the two sides, there is a neutral segment called the
DMZ. As it pertains to a network, hosts that serve Internet clients are placed in the DMZ
subnet. As shown in Figure 21.12, a network segment called the screened subnet
(formerly called DMZ) sits between an external firewall and the internal firewall. The
external firewall contains ACLs to restrict Internet hosts from accessing nonessential
services on the server in the DMZ. The internal firewall restricts which hosts can talk to
internal servers. A typical rule on the external firewall would allow HTTP access for a
web server in the DMZ and would restrict all other ports. A typical rule on the internal
firewall would allow only the web server to communicate with the SQL backend
database in the internal network.
 FIGURE 21.12 A typical DMZ with two firewalls
Although the concept of the DMZ is still used today in network design, a screened
subnet can be created between any two segments in the network. The subnets don't
necessarily need to be external and internal in relation to the network. Routers
containing ACLs can be implemented in lieu of firewalls to filter traffic to the screened
subnet, as shown in Figure 21.13. In the figure, a network called Network A is segmented
from the screened subnet by a router with ACLs filtering traffic. On the other side of the
screened subnet is another network called Network B, and it too is segmented by a
router with ACLs filtering traffic. Each of these two networks has equal access to the
hosts in the screened subnet. These two networks, Network A and Network B, could
potentially be a wireless network and the wired network, respectively.

FIGURE 21.13 A typical screened subnet with two routers
Some screened subnets are just another interface on a single firewall, as shown in Figure
21.14. In this example, the rules for both the Network A subnet and the Network B
subnet would be on the same firewall. The benefit of a single firewall is centralized
administration of firewall rules. Each interface is placed into a trust zone, and the
firewall rules allow incoming and outgoing connections.
 FIGURE 21.14 A typical screened subnet with one firewall

802.1X
The 802.1X protocol is used to control access on the internal network, as shown in
Figure 21.15. 802.1X commonly uses RADIUS as the authentication server. However,
other AAA authentication servers can be used, such as LDAP and TACACS+. 802.1X is
used for both wired and wireless network access. When you are using 802.1X with a
wired connection, the physical port allows communications of 802.1X credentials. The
port will not allow user traffic to be switched until the AAA process is completed and the
user or computer is verified. The user's device is called the supplicant, and the port it is
plugged into is called the control port, because it controls access to the organization's
LAN or resources. The switch that is set up for 802.1X is called the authenticator.
802.1X works with wireless connections, but in lieu of a physical connection an
association occurs. When 802.1X is used with wireless, the control port is the port
leading back to the network. All 802.1X authentication between the supplicant and the
authenticator occurs over the associated connection.
 FIGURE 25.15 802.1X switch control

NAC
Although 802.1X can be used by itself for AAA, it is often used in conjunction with a
network access control (NAC) system. It is often referred to as port-based network
access control (PNAC).
As shown in Figure 21.16, NAC agents check the reported health and integrity of the
client before allowing it on the network. The NAC agent can check the current patch
level of the client, antivirus signature date, and firewall status. The NAC policy is defined
by the network administrator. If the client passes the checks, the client is allowed on the
network. If the client fails the checks, the client is placed into a remediation network,
where the user must remediate the client. It is important to mention that although the
figure details a separate NAC server, the NAC and 802.1X are usually the same server.
 FIGURE 21.16 NAC and 802.1X

MAC Filtering
MAC address filtering is used to secure wireless by providing only an allowed list of
MAC addresses access to the wireless system. This is also sometimes referred to as
whitelisting MAC addresses. It is extremely effective because an attacker will not have
knowledge of which MAC addresses are allowed. There is an administrative burden in
entering the MAC addresses to be whitelisted if your installation has a few clients or
static clients that do not change frequently. MAC filtering is more commonly used with
wireless LAN controllers (WLCs) to control specific clients by their MAC address. When
it is used in conjunction with an 802.1X/NAC solution, the devices can be controlled
globally from the authentication server. MAC filtering is a very effective method of
security because of the difficulty an attacker has identifying the MAC addresses that are
specifically allowed to be forwarded by the switch or WAP. Switches can be configured
to filter specific MAC addresses as well. Port security is considered a form of MAC
filtering for switching.

Port Security
Port security is a method of restricting specific MAC addresses or a specific number of
MAC addresses on a physical access mode switch port. Port security is supported on
many different vendor switches, but I will focus on the Cisco switching platform for this
section; all switches support similar port security function. Port security is commonly
implemented by the network administrator to mitigate the threat of end users plugging
in hub, switches, or wireless access ports (WAPs) to extend switching of a single port.
When a switch powers on, a blank table is created in memory called the switching table.
When a frame is received on the switch port, the switch records the source MAC address
of the frame with the switch port the frame is received on. Each MAC address receives
an entry in the switching table for future forward filter decisions. We can restrict how
many entries each switch port can record with the following commands on a Cisco
switch. In the example, port security is configured, and a maximum of one MAC address
will be allowed.
switch(config)# interface gigabitethernet 0/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1

By using switchport port-security mac-address sticky, we can configure the switch to
record the first MAC address and limit the port to only that MAC address indefinitely or
until an administrator clears it. By default, with only the previous commands, the MAC
address learned will be cleared after a period of inactivity.
switch(config)# interface gigabitethernet 0/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address sticky

We can also constrain the switch port to a specific MAC address statically. In lieu of the
switchport port-security mac-address sticky command, we can specify the specific
MAC address to limit the switch port to. When we configure the following command, the
MAC address will be locked to 0678.e2b3.0a02 for the switch port:
switch(config)# interface gigabitethernet 0/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address 0678.e2b3.0a02

Internet of Things
Over the past 20 years, IP-based technology has become cheaper, and the availability of
technology has improved. The Internet of Things (IoT) and Industrial Internet of Things
(IIoT) are a direct result of this expanse in IP-based technology. Wireless technology
further propelled IoT to become a standard in our homes today. The following are some
common IoT/IIoT devices you will find in home and industrial networks today:
Refrigerator The refrigerator has been the hub for every family. The refrigerator
door displays our bills, our photos, our messages, and the shopping list for the week,
among other things. The smart refrigerator operates pretty much the same way a
traditional refrigerator does. The only difference is a smart refrigerator has a
touchscreen on the door that resembles a giant smart phone, and everything you
displayed on the refrigerator is now an app.
Smart Speakers The smart speaker is more than just a speaker; it is an audible way
to use the Internet, control other smart devices in your home, and have a digital
assistant at your beck and call. By saying “Hey, Google,” “Alexa,” or “Hey, Siri,” you can
prompt the smart speaker to listen. You can then follow up with a task, such as asking
what time it is, setting a reminder, checking the weather, controlling the lights, or even
playing some music.
Smart Thermostats The old round mechanical thermostat was a foolproof
mechanism that has heated and cooled houses for decades. However, with the modern
technology of electronics and the Internet, the smart thermostat has forever changed the
way our home is made comfortable. Smart thermostats don't just cycle heating when it's
cold and cooling when it's hot, they perform in an economical way. Since everyone has a
cell phone and no one leaves the house without it, the thermostat can track when you
are home and when you aren't. The thermostat will turn the cooling or heating cycle off
when you are not home, and it can even turn them back on when you are expected to be
home. The smart thermostat learns your habits and adjusts the heating and cooling
cycles.
Smart Doorbells With the rise of eBay, Amazon, and many other online retailers, it
is ever so common to have packages dropped off at your door. It has also become
common to have these packages stolen. The thieves even have the nickname “porch
pirates.” Now you can secure your home and packages with a simple smart doorbell. The
smart doorbell communicates with the Internet and an app on your cellphone. When
someone walks up to the door, it will sense motion and instantly send an alert to your
cell phone with video and the ability to talk back to the person.
Although this section is focused on IoT home devices, IoT is much bigger than home
gadgets. The smart devices we use in our homes are the by-product of big data and
machine learning. These applications of big data and machine learning can also be
applied to industry, such as agriculture, manufacturing, and research, just to name a
few. IIoT devices are cheap and expendable units, so a couple dozen might be deployed
in a crop field to monitor soil dampness. IIoT devices might also be used to monitor heat
in factory devices to signal a foreseeable failure. The solutions are limitless; if you can
monitor it and forecast the outcome, you can use IIoT to achieve better results.

Industrial Control Systems/Supervisory Control and Data Acquisition
Industrial control systems (ICS) are the systems that are used in manufacturing
processes. Products come into the process on an assembly or production line and exit as
a final product. Supervisory control and data acquisition (SCADA) is an automated
system used to control and monitor products such as energy production, water, electric
distribution, and oil and gas, just to name a few. Figure 21.17 shows an example of what
an industrial control system/SCADA system looks like. Although industrial control
systems are typically used in manufacturing, and SCADA systems are used to create and
distribute resources, they both share common components, and the two are sometimes
indistinguishable.
 FIGURE 21.17 SCADA systems

Supervisory System
All plant operations require a supervisory system to measure, monitor, and control plant
production. They are often redundant systems because if a server fails, it could mean the
entire production line stops. Supervisory systems also have a database where production
metrics are stored for quality control and customer usage in the case of utilities. The
supervisory system is usually located in the server farm at the main plant and not in the
cloud because it needs to be as low latency as possible.

Operational Technology
Operational technology (OT) components of ICS/SCADA control the delivery of
information from the ICS/SCADA systems. The following are a few OT devices that you
will find in ICS/SCADA systems. You can see some of these devices in Figure 21.17.
Programmable Logic Controller (PLC) A PLC is nothing more than a bunch of
logic circuits performing a task. On PLCs there are often inputs and outputs. The inputs
might be wired to buttons, switches, or position sensors, just to name a few. The outputs
may be wired to solenoids or motors or may even be robotic, and again, these are just a
few things a PLC may control. It is up to the manufacturing engineer to design and
program the PLC to perform a task. The programming language a PLC uses is actually
not a language. The programming resembles a type of logic circuit. It is called ladder
logic and is quite popular. A specialized program is usually required for programming
PLCs; it is used to develop and program the ladder logic into the controller. Once the
ladder logic is programmed into the PLC, the controller will run the program until it is
powered off or programmed to stop.
Human Machine Interface (HMI) The HMI is used by plant operators so an
overview of the production line can be observed. The HMI might have an oversimplified
drawing of the production line with metrics displayed so a plant operator can adjust
processes. In the event of a failure on the production line, it is used to identify where the
fault exists. Just like PLCs, the HMI is programmed with specialized software. Once
programmed, they will continue to operate until turned off and the programming
software is no longer required, unless a major change is needed. The HMI can interface
with the PLC and the supervisory system, depending on the requirements of the plant
and operators.
Remote Terminal Unit (RTU) An RTU is extremely similar to a PLC. Just like the
PLC, it can run autonomously and manage production. However, the RTU also has an
independent microprocessor, so it can be installed at a remote facility and programmed
for remote control capabilities. The supervisory system would oversee all the field RTUs,
and in the event something needs to be controlled, an operator can intervene. RTUs can
use a multitude of communications methods to communicate back to the main plant.
You can find these units everywhere from oil rigs in the middle of the ocean to power
substations. They are basically ruggedized computers that can withstand harsh
temperature and humidity. The language they are programmed in will differ from
proprietary languages, Visual Basic, C#, C++, and even ladder logic.

Communications Infrastructure
The communications infrastructure is unique for industrial controls because everything
must be low latency. Keep in mind these networks need to maintain production lines. If
a canning line is processing five cans a second, you have a 200 ms window for problems
if latency is experienced, and that is cutting it close! There are a number of protocols
and wiring you will find in industrial control systems, such as Modbus, Profibus, Hart,
EtherNet/IP (Rockwell), and RS-485, and these are just a few of them. Every PLC and
RTU will use a set of standardized protocols that will work with the various components
like the HMI, sensors, and actuators. Some of these protocols are compatible with
Ethernet, and some are completely proprietary to industrial controls. The PLCs and
RTUs will normally support Ethernet and IP-based connectivity back to the supervisor
systems. However, the production network is often logically or physically separated
from the operational network, so the two do not interfere with each other. Lessons have
been learned from the 2010 Stuxnet infection that targeted PLCs and used the
production network as an entry point. It is important to isolate a problem on the
operations network, so production is not affected.

Separate Private/Public Networks
Public IP addressing isn't typically used in a modern network. Instead, private IP
addresses are used and network address translation (NAT) services are employed to
convert traffic to a public IP address when the traffic enters the Internet. While this is
one of the strategies used to conserve the public IP address space, it also serves to
segment the private network from the public network (Internet). Hiding the actual IP
address (private) of the hosts inside the network makes it very difficult to make an
unsolicited connection to a system on the inside of the network from the outside.

Honeypot/Honeynet
Another segmentation tactic is to create honeypots and honeynets. Honeypots are
systems strategically configured to be attractive to hackers and to lure them into
spending enough time attacking them to allow information to be gathered about the
attack. In some cases, entire networks called honeynets are attractively configured for
this purpose.
You need to make sure that either of these types of systems do not provide direct
connections to any important systems. Their ultimate purpose is to divert attention from
valuable resources and to gather as much information about an attack as possible. A
tarpit is a type of honeypot designed to provide a very slow connection to the hacker so
that the attack takes enough time to be properly analyzed.

Bring Your Own Device
The traditional workforce is very quickly becoming a mobile workforce, with employees
working from home, on the go, and in the office. Mobile devices such as laptops, tablets,
and smartphones are used by employees to connect to the organization's cloud
resources.
Bring your own device (BYOD) has been embraced as a strategy by organizations to
alleviate the capital expense of equipment by allowing employees to use devices they
already own.
The various devices that employees bring into the network are often outside of the
organization's control. These devices can pose a severe risk to the network. For this
reason, the BYOD network should be segmented from the operational network.

Guest Network Isolation
Most guests in your network never need to connect to the organization's servers and
internal systems. When guests connect to your wireless network, it is usually just to get
connectivity to the Internet. Therefore, a guest service set identifier (SSID) should be
created that isolates guest traffic from production traffic. These guest network SSIDs are
usually created by default on consumer wireless devices. On enterprise wireless LAN
controllers, the guest network typically needs to be created.
Some considerations for the guest network are what is open to guests, how long they
have access, how much bandwidth, SSID name…the list goes on depending on your
organization. Guest networks usually don't give totally unrestricted Internet access;
certain sensitive ports like TCP 25 SMTP are normally blocked. The length of time they
have access is another concern. Generally, a guest is just that, a guest. So, 4 hours, 8
hours, or 24 hours of access seem responsible. This needs to be thought through as too
short a time will create administrative overhead and too long a window of access allows
for abuse of service.

Captive Portal
A captive portal is a method of redirecting users who connect to wireless or wired
systems to a portal for login or agreement to the acceptable use policy (AUP). Using a
captive portal is common for guest networks. More than likely, if you have stayed in a
hotel that offers wireless, you have been redirected to the captive portal to accept the
terms. Some hotels require you to purchase the wireless service; this type of service
would also redirect you to the portal for login or payment. Captive portals are not
exclusively used for hotels; they are also used for corporate access to an organization's
wireless system.

Physical Security Concepts
Physical security is the most overlooked element of security in a network. A simple lock
can keep out the most curious prying eyes from a network closet or server room. A more
layered approach can be implemented for higher security installations. However, the
simple fact is that not a lot of time is spent on physically securing the network. In the
following sections, we will cover the CompTIA objectives related to physical security of
networks.

Video Surveillance
Video surveillance is the backbone of physical security. It is the only detection method
that allows an investigator to identify what happened, when it happened, and, most
important, who made it happened. Two types of cameras can be deployed: fixed and
pan-tilt-zoom (PTZ). Fixed cameras are the best choice when recording for surveillance
activities. Pan-tilt-zoom (PTZ) cameras allow for 360-degree operations and zooming in
on an area. PTZs are most commonly used for intervention, such as covering an area
outside during an accident or medical emergency. PTZ cameras are usually deployed for
the wrong reasons, mainly because they are cool! PTZs are often put into patrol mode to
cover a larger area than a fixed camera can. However, when an incident occurs, they are
never pointed in the area you need them! It is always best to use a fixed camera or
multiple fixed cameras, unless you need a PTZ for a really good reason. They are usually
more expensive and require more maintenance than fixed cameras.
Video surveillance can be deployed using two common media types: coaxial cable and
Ethernet. Coaxial cable is used typically in areas where preexisting coaxial lines are in
place or distances are too far for typical Ethernet. These systems are called closed-circuit
television (CCTV). Coaxial camera systems generally use appliance-like devices for
recording video. These CCTV recorders generally have a finite number of ports for
cameras and a finite amount of storage in the form of direct-attached storage (DAS).

Most video installations for CCTV are coaxial cable and Ethernet,
as previously described. However, wireless is popular for consumer applications,
such as doorbells and home surveillance cameras. These devices generally use cloud
storage and require an Internet connection.

Ethernet (otherwise known as IP) surveillance is becoming the standard for new
installations. Anywhere an Ethernet connection can be installed, a camera can be
mounted. Power over Ethernet (PoE) allows power to be supplied to the camera, so the
additional power supplies used with coaxial cameras are not needed. Ethernet also
provides the flexibility of virtual local area networks (VLANs) for added security so that
the camera network is isolated from operational traffic. IP surveillance uses network
video recorder (NVR) software to record cameras. Because NVRs are server
applications, you can use traditional storage such as network area storage (NAS) or
storage area network (SAN) storage. This allows you to treat the video recordings like
traditional data.
Coaxial camera networks can be converted to IP surveillance networks with the use of a
device called a media converter. These devices look similar to a CCTV recorder. They
have a limited number of ports for the coaxial cameras and are generally smaller than
the CCTV recorder. This is because they do not have any DAS. The sole purpose of the
media converter is to convert the coaxial camera to an Ethernet feed to the NVR.
The use of IP video surveillance allows for a number of higher-end features such as
camera-based motion detection, license plate recognition (LPR), and motion fencing.
Advanced NVR software allows cameras to send video only when motion is detected at
the camera; this saves on storage for periods of nonactivity. LPR is a method of
detecting and capturing license plates in which the software converts the plate to a
searchable attribute for the event. With motion fencing, an electronic fence can be
drawn on the image so that any activity within this region will trigger an alert. Among
the many other features are facial recognition and object recognition.

EXERCISE 21.3
Planning Video Surveillance

In this exercise, you will plan video surveillance for the exterior of your home.
1. Draw a simple map of your property.
2. Draw your home on the property map.
3. Identify important areas to cover with video surveillance, such as entryways.
4. Plan cameras and angles to be covered.
5. Detail how the cameras will be wired and powered.
6. Detail the storage for the cameras.
7. Make detailed notes as to why you chose a certain camera location.

Door Locks
The most common physical prevention tactic is the use of locks on doors and
equipment. This might mean the installation of a tumbler-style lock or an elaborate
electronic combination lock for the switching closet. If a tumbler-style lock is installed,
then the appropriate authorized individuals who require access will need a physical key.
Using physical keys can become a problem, because you may not have the key with you
when you need it the most, or you can lose the key. The key can also be copied and used
by unauthorized individuals. Combination locks, also called cipher locks, can be
reprogrammed and do not require physical keys, as shown in Figure 21.18. Combination
locks for doors can be purchased as mechanical or electronic.

FIGURE 21.18 A typical combination door lock

When physical locks use keys, the factor of authentication is
considered something that you have—because you must have the key. When
physical locks use ciphers, the authentication is considered something you know—
because you must know the cipher.

Equipment Locks
There are many different types of equipment locks that can secure the information and
the device that holds the information. Simply thwarting the theft of equipment
containing data and restricting the use of USB thumb drives can secure information. In
the following sections, we will cover several topics that are directly related to the
physical aspects of information security.
Cable Locks
Cable locks are used to secure laptops and any device with a universal security slot
(USS), as shown in Figure 21.19. A cable lock is just that—a cable with a lock at one end.
The lock can be a tumbler or a combination, as shown in Figure 21.20. The basic
principle is that the end of the lock fits into the USS. When the cable is locked, the
protruding slot of metal turns into a cross that cannot be removed. This provides
security for expensive equipment that can be stolen due to its portability or size.

FIGURE 21.19 A USS
 FIGURE 21.20 A standard cable lock

Server Locks
Most servers come with a latch-style lock that prevents someone from opening the
server, but the tumbler-style lock is trivial to open. Anyone with a paper clip can open
these locks if they have forgotten the keys. Other types of server locks are holes for
padlocks that latch through the top cover and the body of the server. However, over the
past 10 years, a declining number of servers come with this feature. This is mainly
because servers can be better secured behind a locked rack-mounted enclosure. Rack-
mounted enclosures generally come with a tumbler-style lock that can protect all the
servers and network equipment installed in the cabinet, while still providing airflow.

USB Locks
Universal serial bus (USB) locks can be put into place to physically lock out USB ports
on a workstation or server from use. These devices are extremely rare to find, because
most equipment and operating systems allow for the USB ports to be deactivated. USB
locks work by inserting a small plastic spacer into the USB port. Once inserted, the
spacer latches to the USB detent with plastic teeth. A tool is required to remove the USB
spacer.