Implementation Flashcards

1
Q

Adds security features to RTP
- Keep conversations private

Encryption
- Uses AES to encrypt the voice/video flow

Authentication, integrity, and replay protection
- HMAC-SHA1 - Hash-based message authentication code using SHA1

A

SRTP (Secure Real-Time Transport Protocol)

2
Q

Secure network time protocol

Cleaned up the code base
- Fixed a number of vulnerabilities

A

NTPsec

3
Q

Public key encryption and digital signing of mail content
- Requires a PKI or similar organization of keys

A

S/MIME (Secure/Multipurpose Internet Mail Extensions)

4
Q

Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL

A

Secure POP and Secure IMAP

5
Q

If the mail is browser based, always encrypt with SSL

A

SSL/TLS

6
Q

Use public key encryption
- Private key on the server
- Symmetric session key is transferred using asymmetric encryption
- Security and speed

Browser-based management

Encrypted communication

A

HTTPS

7
Q

Security for OSI Layer 3
- Authentication and encryption for every packet

Confidentiality and integrity/anti-replay
- Encryption and packet signing

Very standardized
- Common to use multi-vendor implementations

Two core protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

A

IPSec

8
Q

FTP over SSL

A

FTPS (File Transfer Protocol Secure)

9
Q

Provides file system functionality

Resuming interrupted transfers, directory listings, remote file removal

A

SFTP (SSH File Transfer Protocol)

10
Q

Protocol for reading and writing directories over an IP network
- An organized set of records, like a phone directory

X.500 specification was written by the International Telecommunications Union (ITU)
- They know directories

Lightweight and uses TCP/IP

Protocol used to query and update an X.500 directory
- Used in Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc

A

LDAP (Lightweight Directory Access Protocol)

11
Q

A non-standard implementation of LDAP over SSL

A

LDAPS (LDAP Secure)

12
Q

Provides authentication using many different methods, e.g., Kerberos or client certificate

A

SASL (Simple Authentication and Security Layer)

13
Q

Encrypted terminal communication

Replaces Telnet (and FTP)

Provides secure terminal communication and file transfer features

A

SSH (Secure Shell)

14
Q

Validate DNS responses
- Origin authentication
- Data integrity

Public key cryptography
- DNS records are signed with a trusted third party
- Signed DNS records are published in DNS

A

DNSSEC

15
Q

Confidentiality - Encrypted data

Integrity - No tampering of data

Authentication - Verifies the sources

A

SNMPv3 (Simple Network Management Protocol version 3)

16
Q

Securing DHCP
- DHCP does not include any built-in security
- There is no “secure” version of the DHCP protocol

Rogue DHCP servers
- In Active Directory, DHCP servers must be authorized
- Some switches can be configured with “trusted” interfaces
- DHCP distribution is only allowed from trusted interfaces
- Cisco calls this DHCP Snooping
- DHCP client DoS - Starvation attack
- Use spoofed MAC addresses to exhaust the DHCP pool
- Switches can be configured to limit the number of MAC addresses per interface
- Disable an interface when multiple MAC addresses are seen

A

Network address allocation

17
Q

Automated subscriptions
- Anti-virus/Anti-malware signature updates
- IPS updates
- Malicious IP address databases/Firewall updates

Constant updates
- Each subscription uses a different update method

Check for encryption and integrity checks
- May require an additional public key configuration
- Set up a trust relationship
- Certificates, IP addresses

A

Subscription services

18
Q

The user’s access - Applications and data

Stop the attackers - Inbound attacks, outbound attacks

Many different platforms - Mobile, desktop

Protection is multi-faceted - Defense in depth

A

The endpoint

19
Q

Anti-virus is the popular term
- Refers specifically to a type of malware
- Trojans, worms, macro viruses

Malware refers to a broad malicious software category
- Anti-malware stops spyware, ransomware, fileless malware

The terms are effectively the same these days
- The names are more of a marketing tool
- Anti-virus software is also anti-malware software now
- Make sure your system is using a comprehensive solution

A

Anti-virus and anti-malware

20
Q

A different method of threat protection
- Scale to meet the increasing number of threats

Detect a threat
- Signatures aren’t the only detection tool
- Behavioral analysis, machine learning, process monitoring
- Lightweight agent on the endpoint

Investigate the threat
- Root cause analysis

Respond to the threat
- Isolate the system, quarantine the threat, rollback to a previous config
- API driven, no user or technician intervention required

A

Endpoint detection and response (EDR)

21
Q

Where’s your data?
- Social Security numbers, credit card numbers, medical records

Stop the data before the attacker gets it
- Data “leakage”

So many resources, so many destinations
- Often requires multiple solutions
- Endpoint clients
- Cloud-based systems
- Email, cloud storage, collaboration tools

A

Data Loss Prevention (DLP)

22
Q

The OSI Application Layer - All data in every packet

Can be called different names
- Application layer gateway
- Stateful multilayer inspection, deep packet inspection

Broad security controls
- Allow or disallow application features
- Identify attacks and malware
- Examine encrypted data
- Prevent access to URLs or URL categories

A

Next-generation firewall (NGFW)

23
Q

Software-based firewall
- Personal firewall, runs on every endpoint

Allow or disallow incoming or outgoing application traffic
- Control by application process
- View all data

Identify and block unknown processes
- Stop malware before it can start

Manage centrally

A

Host-based firewall

24
Q

Uses log files to identify intrusions

Can reconfigure firewalls to block

A

Host-based Intrusion Detection System (HIDS)

25
Q

Recognize and block known attacks

Secure OS and application configs, validate incoming service requests

Often built into endpoint protection software

Identification
- Signatures, heuristics, behavioral
- Buffer overflows, registry updates, writing files to the Windows folder
- Access to non-encrypted data

A

Host-based Intrusion Prevention System (HIPS)

26
Q

Security is based on trust
- Is your data safely encrypted?
- Is this web site legitimate?
- Has the operating system been infected?

The trust has to start somewhere
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- Designed to be the hardware root of the trust

Difficult to change or avoid
- It's hardware
- Won't work without the hardware

A

Hardware root of trust

27
Q

A specification for cryptographic functions
- Hardware to help with encryption functions

Cryptographic processor
- Random number generator, key generators

Persistent memory
- Comes with unique keys burned in during production

Versatile memory
- Storage keys, hardware configuration information

Password protected
- No dictionary attacks

A

Trusted Platform Module (TPM)

28
Q

The attack on our systems is constant
- Techniques are constantly changing

Attackers compromise a device
- And want it to stay compromised

The boot process is a perfect infection point
- Rootkits run in kernel mode
- Have the same rights as the operating system

Protecting the boot process is important
- Secure boot, trusted boot, and measured boot
- A chain of trust

A

Boot integrity

29
Q

Protections
- BIOS includes the manufacturer's public key
- Digital signature is checked during a BIOS update
- BIOS prevents unauthorized writes to the flash

Verifies the bootloader
- Checks the bootloader's digital signature
- Bootloader must be signed with a trusted certificate
- Or a manually approved digital signature

A

UEFI BIOS Secure Boot

30
Q

Bootloader verifies digital signature of the OS kernel
- A corrupted kernel will halt the boot process

Kernel verifies all of the other startup components
- Boot drivers, startup files

Just before loading the drivers
- ELAM (Early Launch Anti-Malware) starts
- Checks every driver to see if it's trusted
- Windows won't load an untrusted driver

A

Trusted Boot

31
Q

Nothing on this computer has changed
- There have been no malware infections
- How do you know?

Easy when it's just your computer
- More difficult when there are 1,000

UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
- Stored in the TPM

Remote attestation
- Device provides an operational report to a verification server
- Encrypted and digitally signed with the TPM

Attestation server receives the boot report
- Changes are identified and managed

A

Measured Boot

32
Q

Protecting stored data
- And the transmission of that data

Intellectual property storage
- Data is valuable

Compliance issues
- PCI DSS, HIPAA, GDPR, etc

Keep the business running
- Security provides continuity

Breaches are expensive
- Keep costs low

A

Database security

33
Q

Replaces sensitive data with a non-sensitive placeholder
- SSN 266-12-1112 is now 691-61-8539

Common with credit card processing
- Use a temporary token during payment
- An attacker capturing the card numbers can't use them later

This isn't encryption or hashing
- The original data and token aren't mathematically related
- No encryption overhead

Steps:
1. User registers a credit card on their mobile phone
2. Card is registered with the token service server
3. Token Service Server provides a token instead
4. Phone is used at a store during checkout using NFC
5. Pay with token card #
6. Card number verification is actual card #
7. Token card # is the token for the actual card #
8. Token is validated
9. Transaction is approved

A

Tokenization

34
Q

Represents data as a fixed-length string of text
- A message digest, or "fingerprint"

Will not have a collision (hopefully)
- Different inputs will not have the same hash

One-way trip
- Impossible to recover the original message from the digest
- A common way to store passwords

A

Hashing

35
Q

Random data added to a password when hashing

Every user gets their own random salt
- The salt is commonly stored with the password

Rainbow tables won't work with salted hashes
- Additional random value added to the original password

This slows down the brute force process
- It doesn't completely stop the reverse engineering

A

Salting

36
Q

A balance between time and quality
- Programming with security in mind is often secondary

Testing, testing, testing
- The Quality Assurance (QA) process

Vulnerabilities will eventually be found
- And exploited

A

Secure coding concepts

37
Q

What is the expected input?
- Validate actual vs. expected

Document all input methods
- Forms, fields, type

Check and correct all input (normalization)
- A zip code should only be X characters long with a letter in the X column
- Fix any data with improper input

The fuzzers will find what you missed
- Don't give them an opening

A

Input validation

38
Q

Send random input to an application
- Fault-injecting, robustness testing, syntax testing, negative testing

Looking for something out of the ordinary
- Application crash, server error, exception

A

Dynamic analysis (fuzzing)

39
Q

Information stored on your computer by the browser

Used for tracking, personalization, session management
- Not executable, not generally a security risk
- Unless someone gets access to them

Have a Secure attribute set
- Browser will only send it over HTTPS

Sensitive information should not be stored in a cookie
- The cookie isn't designed to be secure storage

A

Secure cookies

40
Q

An additional layer of security
- Add these to web server configuration
- You can't fix every bad application

Enforce HTTPS communication
- Ensure encrypted communication

Only allow scripts, stylesheets, or images from the local site
- Prevent XSS attacks

Prevent data from loading into an inline frame (iframe)
- Also helps to prevent XSS attacks

A

HTTP secure headers

41
Q

An application is deployed
- Users run application executable or scripts

So many security questions
- Has the application been modified in any way?
- Can you confirm the application was written by a specific developer?

The application code can be digitally signed by the developer
- Asymmetric encryption
- A trusted CA signs the developer's public key
- Developer signs the code with the private key
- For internal apps, use your own CA

A

Code signing

42
Q

Nothing runs unless it's approved
- Very restrictive

A

Allow list

43
Q

Nothing on the "bad list" can be executed
- Anti-virus, anti-malware

A

Block/Deny list

44
Q

Help to identify security flaws

Many security vulnerabilities found easily
- Buffer overflows, database injections, etc

Not everything can be identified through analysis
- Authentication security, insecure cryptography, etc

Don't rely on automation for everything
- Still have to verify each finding
- False positives are an issue

A

Static Application Security Testing (SAST)

45
Q

Minimize the attack surface
- Remove all possible entry points

Remove the potential for all known vulnerabilities
- As well as the unknown

May have compliance mandates
- HIPAA servers, PCI DSS, etc

There are many different resources
- Center for Internet Security (CIS)
- Network and Security Institute (SANS)
- National Institute of Standards and Technology (NIST)

A

Application hardening

46
Q

Every open port is a possible entry point
- Close everything except required ports

Control access with a firewall
- NGFW would be ideal

Unused or unknown services
- Installed with the OS or from other applications

Applications with broad port ranges
- Open port 0 through 65,535

Use Nmap or similar port scanner to verify
- Ongoing monitoring is important

A

Open ports and services

47
Q

The primary configuration database for Windows
- Almost everything can be configured from the registry

Useful to know what an application modifies
- Many third-party tools can show registry changes

Some registry changes are important security settings
- Configure registry permissions
- Disable SMBv1

A

Registry

48
Q

Prevent access to application data files
- File system encryption

Full disk encryption (FDE)
- Encrypt everything on the drive
- BitLocker, FileVault, etc

Self-encrypting drive (SED)
- Hardware-based full disk encryption
- No operating system software needed

Opal storage specification
- The standard for SED storage

A

Disk encryption

49
Q

Many and varied
- Windows, Linux, iOS, Android, etc

Updates
- Operating system updates/service packs, security patches

User accounts
- Minimum password length and complexity
- Account limitations

Network access and security
- Limit network access

Monitor and secure
- Anti-virus, anti-malware

A

Operating system hardening

50
Q

Incredibly important
- System stability, security fixes

Monthly updates
- Incremental (and important)

Third-party updates
- Application developers, device drivers

Auto-update
- Not always the best option

Emergency out-of-band updates
- Zero-day and important security discoveries

A

Patch management

51
Q

Application cannot access unrelated resources
- They play in their own sandbox

Commonly used during development
- Can be a useful production technique

Used in many different deployments
- Virtual machines
- Mobile devices
- Browser iframes (Inline Frames)
- Windows User Account Control (UAC)

A

Sandboxing

52
Q

Distribute the load
- Multiple servers
- Invisible to the end-user

Large scale implementations
- Web server farms, database farms

Fault tolerance
- Configurable load
- Very fast convergence

A

Balancing the load

53
Q

Configurable load
- Manage across servers

TCP offload
- Protocol overhead

SSL offload
- Encryption/Decryption

Caching
- Fast response

Prioritization
- QoS

Content switching
- Application-centric balancing

A

Load balancer

54
Q

Round-robin
- Each server is selected in turn

Weighted round-robin
- Prioritize the server use

Dynamic round-robin
- Monitor the server load and distribute to the server with the lowest use

Active/active load balancing

A

Scheduling Load Balancing

55
Q

A kinship, a likeness

Many applications require communication to the same instance
- Each user is "stuck" to the same server
- Tracked through IP address or session IDs
- Source affinity/sticky session/session persistence

A

Affinity

56
Q

Some servers are active
- Others are on standby

If an active server fails, the passive server takes its place

A

Active/passive load balancing

57
Q

Physical, logical, or virtual segmentation
- Devices, VLANs, virtual networks

Performance
- High-bandwidth applications

Security
- Users should not talk directly to database servers
- The only applications in the core are SQL and SSH

Compliance
- Mandated segmentation (PCI compliance)
- Makes change control much easier

A

Segmenting the network

58
Q

Devices are physically separate
- Air gap between Switch A and Switch B

Must be connected to provide communication
- Direct connect, or another switch or router

Web servers in one rack
- Database servers on another

Customer A on one switch, customer B on another
- No opportunity for mixing data

Separate devices
- Multiple units, separate infrastructure

A

Physical segmentation

59
Q

Separated logically instead of physically

Cannot communicate between these without a Layer 3 device/router

A

Virtual Local Area Networks (VLANs)

60
Q

Previously known as the demilitarized zone (DMZ)
- An additional layer of security between the Internet and you
- Public access to public resources

A

Screened subnet

61
Q

A private network for partners
- Vendors, suppliers

Usually requires additional authentication
- Only allow access to authorized users

A

Extranet

62
Q

Private network
- Only available internally

Company announcements, important documents, other company business
- Employees only

No external access
- Internal or VPN access only

A

Intranet

63
Q

Traffic flows within a data center
- Important to know where traffic starts and ends

Traffic between devices in the same data center

Relatively fast response times

A

East-west traffic

64
Q

Ingress/egress to an outside device

A different security posture than east-west traffic

A

North-south traffic

65
Q

Many networks are relatively open on the inside

Once you're through the firewall, there are few security controls

Holistic approach to network security
- Covers every device, every process, every person

Everything must be verified
- Nothing is trusted
- Multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc

A

Zero-trust

66
Q

Encrypted (private) data traversing a public network

Concentrator
- Encryption/decryption access device

Many deployment options
- Specialized cryptographic hardware
- Software-based options available

Used with client software
- Sometimes built into the OS

A

Virtual Private Networks (VPNs)

67
Q

Uses common SSL/TLS protocol (tcp/443)
- (Almost) No firewall issues!

No big VPN clients
- Usually remote access communication

Authenticate users
- No requirement for digital certificates or shared passwords (like IPSec)

Can be run from a browser or from a (usually light) VPN client
- Across many operating systems

A

SSL VPN (Secure Sockets Layer VPN)

68
Q

On-demand access from a remote device
- Software connects to a VPN concentrator

Some software can be configured as always-on

A

Remote access VPN

69
Q

Steps:
1) Traffic is encrypted as it passes through the local VPN concentrator
2) Traffic is decrypted in the VPN concentrator on the other side of the tunnel

A

Site-to-site VPN

70
Q

Steps:
1) Remote user creates a secure tunnel to the VPN concentrator
2) VPN concentrator decrypts the tunneled traffic and routes it into the corporate network
3) The process is reversed for the return traffic

A

Full VPN Tunnel

71
Q

Steps:
1) Only traffic to the corporate network traverses the VPN tunnel
2) Traffic to all other sites is "split" from the tunnel and is not decrypted

A

Split VPN Tunnel

72
Q

Connecting sites over a layer 3 network as if they were connected at layer 2

Commonly implemented with IPsec
- This for the tunnel, IPsec for the encryption
- This over IPsec

A

Layer 2 Tunneling Protocol (L2TP)

73
Q

Security for OSI layer 3
- Authentication and encryption for every packet

Confidentiality and integrity/anti-replay

Very standardized
- Common to use multi-vendor implementations

Two core IPSec protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

A

IPSec (Internet Protocol Security)

74
Q

Data integrity

Origin authentication

Replay attack protection

Keyed-hash mechanism

No confidentiality/encryption

Hash of the packet and a shared key
- SHA-2 is common
- Adds this to the packet header

This doesn't provide encryption
- Provides data integrity (hash)
- Guarantees the data origin (authentication)
- Prevents replay attacks (sequence numbers)

A

Authentication Header (AH)

75
Q

Data confidentiality (encryption)

Limited traffic flow confidentiality

Data integrity

Anti-replay protection

Encrypts and authenticates the tunneled data
- Commonly uses SHA-2 for hash, AES for encryption
- Adds a header, a trailer, and an Integrity Check Value

Combine with Authentication Header (AH) for integrity and authentication of the outer header

A

Encapsulating Security Payload (ESP)

76
Q

Combine the data integrity of AH with the confidentiality of ESP

Tunnel mode is the most common
- Transport mode may not even be an option

A

IPsec Transport mode and Tunnel mode

77
Q

The language commonly used in web browsers

Includes comprehensive API support
- Application Programming Interface
- Web cryptography API

A

Hypertext Markup Language version 5 (HTML5 VPNs)

78
Q

There's a lot of security that happens at the physical switch interface
- Often the first and last point of transmission

Control and protect
- Limit overall traffic
- Control specific traffic types
- Watch for unusual or unwanted traffic

Different options are available
- Manage different security issues

A

Port security

79
Q

Send information to everyone at once
- One frame or packet, received by everyone

Limited scope
- The broadcast domain

Routing updates, ARP requests
- Can add up quickly

Malicious software or a bad NIC
- Not always normal traffic

Not used in IPv6
- Focus on multicast

A

Broadcasts

80
Q

The switch can control broadcasts
- Limit the number of broadcasts per second

Can often be used to control multicast and known unicast traffic
- Tight security posture

Manage by specific values or by percentage
- Or the change over normal traffic patterns

A

Broadcast storm control

81
Q

Connect two switches to each other
- They'll send traffic back and forth forever
- There's no "counting" mechanism at the MAC layer

This is an easy way to bring down a network
- And somewhat difficult to troubleshoot
- Relatively easy to resolve

IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
- Used practically everywhere

A

Loop protection

82
Q

Spanning tree takes time to determine if a switch port should forward frames
- Bypass the listening and learning states
- Cisco calls this PortFast

The spanning tree control protocol

If this frame is seen on a PortFast configured interface, shut down the interface
- This shouldn't happen
- Workstations don't need these

A

Bridge Protocol Data Unit (BPDU)

83
Q

IP tracking on a layer 2 device (switch)
- The switch is a DHCP firewall
- Trusted: Routers, switches, DHCP servers
- Untrusted: Other computers, unofficial DHCP servers

Switch watches for DHCP conversations
- Adds a list of untrusted devices to a table

Filters invalid IP and DHCP information
- Static IP addresses
- Devices acting as DHCP servers
- Other invalid traffic patterns

A

DHCP Snooping

84
Q

The "hardware" address

Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors

Easy to find working MAC addresses through wireless LAN analysis
- MAC addresses can be spoofed
- Free open-source software

Security through obscurity

A

MAC filtering

85
Q

No security in the original design
- Relatively easy to poison

Validate responses
- Origin authentication
- Data integrity

Public key cryptography
- Records are signed with a trusted third party
- Signed records are published in this

A

Domain Name Resolution (DNS)

86
Q

Stop end users from visiting dangerous sites
- This resolves to a sinkhole address

A query to a known-malicious address can identify infected systems
- And prevent further exploitation

Content filtering
- Prevent these queries to unwanted or suspicious sites

A

Using DNS for security

87
Q

The network isn't available
- Or the device isn't accessible from the network

Most devices have a separate management interface
- Usually a serial connection/USB

Connect a modem
- Dial-in to manage the device

Console router/Comm server
- Out-of-band access for multiple devices
- Connect to the console router, then choose where you want to go

A

Out-of-band management

88
Q

Many different devices
- Desktop, laptop, VoIP phone, mobile devices

Many different applications
- Mission critical applications, streaming video, streaming audio

Different apps have different network requirements
- Voice is real-time
- Recorded streaming video has a buffer
- Database application is interactive

Some applications are "more important" than others
- Voice traffic needs to have priority over YouTube

A

Need for QoS

89
Q

Prioritize traffic performance
- Voice over IP traffic has priority over web-browsing
- Prioritize by maximum bandwidth, traffic rate, VLAN, etc

Describes the process of controlling traffic flows

Many different methods
- Across many different topologies

A

Quality of Service (QoS)

90
Q

More IP address space
- More difficult to IP/port scan (but not impossible)
- The tools already support IPv6

No need for NAT
- NAT is not a security feature

Some attacks disappear
- No ARP, so no ARP spoofing

New attacks will appear

IPsec built in / IPsec ready

A

IPv6 security

91
Q

Disconnect the link, put this in the middle
- Can be active or passive

A

Physical taps

92
Q

Port redirection, SPAN

Software-based tap

Limited functionality, but can work well in a pinch

A

Port mirror

93
Q

Constant cybersecurity monitoring
- Ongoing security checks
- A staff of cybersecurity experts at a Security Operations Center (SOC)

Identify threats
- A broad range of threats across many different organizations

Respond to events
- Faster response time

Maintain compliance
- Someone else ensures PCI DSS, HIPAA compliance, etc

A

Monitoring services

94
Q

Some files change all the time
- Some files should NEVER change

Monitor important operating system and application files
- Identify when changes occur

Windows
- SFC (System File Checker)

Linux
- Tripwire

Many host-based IPS options

A

File Integrity Monitoring (FIM)

95
Q

Standard issue
- Home, office, and in your operating system

Control the flow of network traffic
- Everything passes through the firewall

Corporate control of outbound and inbound data
- Sensitive materials

Control of inappropriate content
- Not safe for work, parental controls

Protection against evil
- Anti-virus, anti-malware

A

Universal security control

96
Q

Filter traffic by port number or application
- Traditional vs. NGFW firewalls

Encrypt traffic
- VPN between sites

Most firewalls can be layer 3 devices (routers)
- Often sits on the ingress/egress of the network
- Network Address Translation (NAT) functionality
- Authenticate dynamic routing communication

A

Network-based firewalls

97
Q

Does not keep track of traffic flows
- Each packet is individually examined, regardless of past history

Traffic sent outside of an active session will traverse a stateless firewall

A

Stateless firewall

98
Q

- Web security gateway
- URL filter/Content inspection
- Malware inspection
- Spam filter
- CSU/DSU
- Router, Switch
- Firewall
- IDS/IPS
- Bandwidth shaper
- VPN endpoint

A

Unified Threat Management (UTM)

99
Q

The OSI Application Layer
- All data in every packet

Can be called different names
- Application layer gateway
- Stateful multilayer inspection
- Deep packet inspection

Requires some advanced decodes
- Every packet must be analyzed and categorized before a security decision is determined

Network-based Firewalls
- Control traffic flows based on the application
- Microsoft SQL Server, Twitter, YouTube

Intrusion Prevention System
- Identify the application
- Apply application-specific vulnerability signatures to the traffic

Content filtering
- URL filters
- Control website traffic by category

A

Next-generation firewall (NGFW)

100
Q

Not like a "normal" firewall
- Applies rules to HTTP/HTTPS conversations

Allow or deny based on expected input
- Unexpected input is a common method of exploiting the application

SQL injection
- Add your own commands to an application's SQL query

A major focus of Payment Card Industry Data Security Standard (PCI DSS)

A

Web Application Firewall (WAF)

101
Q

Access control lists (ACLs)
- Allow or disallow traffic based on tuples
- Groupings of categories
- Source IP, Destination IP, port number, time of day, application, etc

A logical path
- Usually top-to-bottom

Can be very general or very specific
- Specific rules are generally at the top

Implicit deny
- Most firewalls include a deny at the bottom
- Even if you didn't put one

A

Firewall rules

102
Q

Open-source vs. proprietary
- Open-source provides traditional firewall functionality
- Proprietary features include application control and high-speed hardware

Hardware vs. software
- Purpose-built hardware provides efficient and flexible connectivity options
- Software-based firewalls can be installed almost anywhere

Appliance vs. host-based
- Appliances provide the fastest throughput
- Host-based firewalls are application-aware and can view non-encrypted data
- Virtual firewalls provide valuable East/West network security

A

Firewall characteristics

103
Q

Your Internet link

Managed primarily through firewall rules

Firewall rules rarely change

A

Edge

104
Q

Control from wherever you are, inside or outside

Access can be based on many rules
- By user, group, location, application, etc.

Access can be easily revoked or changed

Change your security posture at any time

A

Access control

105
Q

You can't trust everyone's computer
- BYOD (Bring Your Own Device)
- Malware infections/missing anti-malware
- Unauthorized applications

Before connecting to the network, perform a health check
- Is it a trusted device?
- Is it running anti-virus? Which one? Is it updated?
- Are the corporate applications installed?
- Is it a mobile device?
- Is the disk encrypted?
- The type of device doesn't matter
- Windows, Mac, Linux, iOS, Android

A

Posture assessment

106
Q

Persistent agents
- Permanently installed onto a system
- Periodic updates may be required

Dissolvable agents
- No installation is required
- Runs during the posture assessment
- Terminates when no longer required

Agentless NAC
- Integrated with Active Directory
- Checks are made during login and logoff
- Can't be scheduled

A

Health checks/posture assessment

107
What happens when a posture assessment fails?
- Too dangerous to allow access

Quarantine network, notify administrators
- Just enough network access to fix the issue

Once resolved, try again
- May require additional fixes
Failing your assessment
108
Sits between the users and the external network

Receives the user requests and sends the request on their behalf (the proxy)

Useful for caching information, access control, URL filtering, content scanning

Applications may need to know how to use the proxy (explicit)

Some proxies are invisible (transparent)
Proxies
109
One of the simplest "proxies" is NAT
- A network layer proxy

Most proxies in use are this type
- The proxy understands the way the application works

A proxy may only know one application
- HTTP

Many proxies are multipurpose proxies
- HTTP, HTTPS, FTP, etc.
Application proxies
110
An "internal proxy"

Commonly used to protect and control user access to the Internet
Forward proxy
111
Inbound traffic from the Internet to your internal service
Reverse proxy
112
A third-party, uncontrolled proxy

Can be a significant security concern

Often used to circumvent existing security controls
Open proxy
113
Exploits against operating systems, applications, etc.

Buffer overflows, cross-site scripting, other vulnerabilities
Intrusions
114
Detection
- Alarm or alert

Prevention
- Stop it before it gets to the network
Detection vs Prevention
115
Examine a copy of the traffic
- Port mirror (SPAN), network tap

No way to block (prevent) traffic

Steps:
1) Network traffic is sent from client to server through the network switch
2) A copy of the traffic is sent to the IDS/IPS
Passive monitoring
116
When malicious traffic is identified
- IPS sends TCP RST (reset) frames
- After-the-fact
- Limited UDP response available
Out-of-band response
117
IDS/IPS sits physically inline
- All traffic passes through the IDS/IPS

Steps:
1) Network traffic is sent from the Internet to the core switch, which passes through the IPS
2) The inline IPS can allow or deny traffic in real-time
Inline monitoring
118
Malicious traffic is immediately identified
- Dropped at the IPS
- Does not proceed through the network
In-band response
119
Signature-based
- Look for a perfect match

Anomaly-based
- Build a baseline of what's "normal"

Behavior-based
- Observe and report

Heuristics
- Use artificial intelligence to identify
Identification technologies
120
High-end cryptographic hardware
- Plug-in card or separate hardware device

Key backup
- Secured storage

Cryptographic accelerators
- Offload that CPU overhead from other devices

Used in large environments
- Clusters, redundant power
Hardware Security Module (HSM)
121
Access secure network zones
- Provides an access mechanism to a protected network

Highly-secured device
- Hardened and monitored

SSH/Tunnel/VPN to this server
- RDP, SSH, or jump from there

A significant security concern
- Compromise of this server is a significant breach
Jump server
122
Aggregate information from network devices
- Built-in sensors, separate devices
- Integrated into switches, routers, servers, firewalls, etc.
Sensors and collectors
123
Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
Sensors
124
Proprietary consoles (IPS, firewall)

SIEM consoles, syslog servers

Many SIEMs include a correlation engine to compare diverse sensor data
Collectors
125
An organization's wireless network can contain confidential information
- Not everyone is allowed to access

Authenticate the users before granting access
- Who gets access to the wireless network?
- Username, password, multi-factor authentication

Ensure that all communication is confidential
- Encrypt the wireless data

Verify the integrity of all communication
- The received data should be identical to the original sent data
- A message integrity check (MIC)
Securing a wireless network
126
All wireless computers are radio transmitters and receivers
- Anyone can listen in

Solution: Encrypt the data
- Everyone has an encryption key

Only people with the right key can transmit and listen
- WPA2 and WPA3
Wireless encryption
127
Message Authentication Code Protocol

Data confidentiality with AES

Message Integrity Check (MIC) with CBC-MAC
Counter Mode with Cipher Block Chaining (CCMP)
128
A stronger encryption than WPA2

Data confidentiality with AES

Message Integrity Check (MIC) with Galois Message Authentication Code (GMAC)
Galois/Counter Mode Protocol (GCMP)
129
Listen to the 4-way handshake
- Some methods can derive the PSK hash without the handshake

Capture the hash

With the hash, attackers can brute force the pre-shared key (PSK)

This has become easier as technology improves
- A weak PSK is easier to brute force
- GPU processing speeds
- Cloud-based password cracking

Once you have the PSK, you have everyone's wireless key
- There's no forward secrecy
WPA2 PSK problem
130
WPA3 changes the PSK authentication process
- Includes mutual authentication
- Creates a shared session key without sending that key across the network
- No more 4-way handshakes, no hashes, no brute force attacks
- Adds perfect forward secrecy

A Diffie-Hellman derived key exchange with an authentication component

Everyone uses a different session key, even with the same PSK

An IEEE standard
- The dragonfly handshake
Simultaneous Authentication of Equals (SAE)
131
Gain access to a wireless network
- Mobile users
- Temporary users

Credentials
- Shared password/pre-shared key (PSK)
- Centralized authentication (802.1X)

Configuration
- Part of the wireless network connection
- Prompted during the connection process
Wireless authentication methods
132
Configure the authentication on your wireless access point/wireless router

Open System
- No password is required
Wireless security modes
133
WPA3 with a pre-shared key
- Everyone uses the same key

Unique WPA3 session key is derived from the PSK using SAE
WPA3-Personal/WPA3-PSK
134
Authenticates users individually with an authentication server (i.e., RADIUS)
WPA3-Enterprise/WPA3-802.1X
135
Authentication to a network
- Common on wireless networks

Access table recognizes a lack of authentication
- Redirects your web access to a captive portal page

Username/password
- And additional authentication factors

Once proper authentication is provided, the web session continues
- Until the captive portal removes your access
Captive Portal
136
Allows "easy" setup of a mobile device
- A passphrase can be complicated to a novice

Different ways to connect
- PIN configured on access point must be entered on the mobile device
- Push a button on the access point
- Near-field communication - Bring the mobile device close to the access point
WPS (Wi-Fi Protected Setup)
137
Authentication framework

Many different ways to authenticate based on RFC standards
- Manufacturers can build their own methods

Integrates with 802.1X
- Prevents access to the network until the authentication succeeds
Extensible Authentication Protocol (EAP)
138
Port-based Network Access Control (NAC)

You don't get access to the network until you authenticate

Used in conjunction with an access database
- RADIUS, LDAP, TACACS+
IEEE 802.1X
139
Supplicant
- The client

Authenticator
- The device that provides access

Authentication server
- Validates the client credentials
IEEE 802.1X and EAP
140
Authentication server (AS) and supplicant share a protected access credential (PAC) (shared secret)

Supplicant receives the PAC

Supplicant and AS mutually authenticate and negotiate a Transport Layer Security (TLS) tunnel

User authentication occurs over the TLS tunnel

Need a RADIUS server
- Provides the authentication database and EAP-FAST services
EAP-FAST
141
Protected Extensible Authentication Protocol
- Protected EAP
- Created by Cisco, Microsoft, and RSA Security

Also encapsulates EAP in a TLS tunnel
- AS uses a digital certificate instead of a PAC
- Client doesn't use a certificate

User authenticates with MSCHAPv2
- Authentication to Microsoft's MSCHAPv2 databases

User can also authenticate with a GTC
- Generic Token Card, hardware token generator
Protected Extensible Authentication Protocol (PEAP)
142
Strong security, wide adoption
- Support from most of the industry

Requires digital certificates on the AS and all other devices
- AS and supplicant exchange certificates for mutual authentication
- TLS tunnel is then built for the user authentication process

Relatively complex implementation
- Need a public key infrastructure (PKI)
- Must deploy and manage certificates to all wireless clients
- Not all devices can support the use of digital certificates
EAP Transport Layer Security (EAP-TLS)
143
Support other authentication protocols in a TLS tunnel

Requires a digital certificate on the AS
- Does not require digital certificates on every device
- Builds a TLS tunnel using this digital certificate

Use any authentication method inside the TLS tunnel
- Other EAPs
- MSCHAPv2
- Anything else
EAP Tunneled Transport Layer Security (EAP-TTLS)
144
Use this with federation
- Members of one organization can authenticate to the network of another organization
- Use their normal credentials

Use 802.1X as the authentication method
- And RADIUS on the backend
- EAP to authenticate

Driven by eduroam (education roaming)
- Educators can use their normal authentication when visiting a different campus
RADIUS federation
145
Determine existing wireless landscape
- Sample the existing wireless spectrum
- Identify existing access points
- You may not control all of them

Work around existing frequencies
- Layout and plan for interference

Plan for ongoing site surveys
- Things will certainly change

Heat maps
- Identify wireless signal strengths
Site surveys
146
Signal coverage

Potential interference

Built-in tools

3rd-party tools

Spectrum analyzer
Wireless survey tools
147
Wireless networks are incredibly easy to monitor
- Everyone "hears" everything

You have to be quiet
- You can't hear the network if you're busy transmitting

Some network drivers won't capture wireless information
- You'll need specialized adapters/chipsets and drivers

View wireless-specific information
- Signal-to-noise ratio, channel information, etc.
Wireless packet analysis
148
Overlapping channels
- Frequency conflicts - use non-overlapping channels
- Automatic or manual configurations
Channel selection and overlaps
149
Minimal overlap
- Maximize coverage, minimize the number of access points

Avoid interference
- Electronic devices (microwaves)
- Building materials
- Third-party wireless networks

Signal control
- Place APs where the users are
- Avoid excessive signal distance
Access point placement
150
Wireless controllers
- Centralized management of wireless access points
- Manage system configuration and performance

Securing wireless controllers
- Control access to management console
- Use strong encryption with HTTPS
- Automatic logout after no activity

Securing access points
- Use strong passwords
- Update to the latest firmware
Wireless infrastructure security
151
One-to-one connection
- Conversation between two devices

Connections between buildings

Wi-Fi repeaters
- Extend the length of an existing network
Point-to-point
151
One of the most popular communication methods
- 802.11 wireless

Does not imply full connectivity between nodes
Point-to-multipoint
152
Mobile devices
- "Cell" phones

Separate land into "cells"
- Antenna covers a cell with certain frequencies

Security concerns
- Traffic monitoring
- Location tracking
- Worldwide access to a mobile device
Cellular networks
153
Local network access
- Local security problems

Same security concerns as other devices

Data capture
- Encrypt your data!

On-path attack
- Modify and/or monitor data

Denial of service
- Frequency interference
Wi-Fi
154
High speed communication over short distances
- PAN (Personal Area Network)

Connects our mobile devices
- Smartphones, tethering, headsets and headphones, health monitors, automobile and phone integration, smartwatches, external speakers
Bluetooth
155
It's everywhere
- Access badges
- Inventory/assembly line tracking
- Pet/animal identification
- Anything that needs to be tracked

Radar technology
- Radio energy transmitted to the tag
- Powers the tag, ID is transmitted back
- Bidirectional communication
- Some tag formats can be active/powered
RFID (Radio-frequency identification)
156
Two-way wireless communication
- Builds on RFID

Payment systems
- Google Wallet, Apple Pay

Bootstrap for other wireless
- NFC helps with Bluetooth pairing

Access token, identity "card"
- Short range with encryption support

Security concerns
- Remote capture - It's a wireless network, 10 meters for active devices
- Frequency jamming - Denial of service
- Relay/replay attack - Man in the middle
- Loss of NFC device control - Stolen/lost phone
Near field communication (NFC)
157
Included on many smartphones, tablets, and smartwatches
- Not really used much for printing

Control your entertainment center

File transfers are possible

Other phones can be used to control your devices
IR (Infrared)
158
Physical connectivity to your mobile device
- USB to your computer
- USB, Lightning, or proprietary on your phone

Physical access is always a concern
- May be easier to gain access than over a remote connection

A locked device is relatively secure
- Always auto-lock

Mobile phones can also exfiltrate
- Phone can appear to be a USB storage device
Universal Serial Bus (USB)
159
Created by the U.S. Department of Defense
- Over 30 satellites currently in orbit

Precise navigation
- Need to see at least 4 satellites

Determines location based on timing differences
- Longitude, latitude, altitude

Mobile device location services and geotracking
- Maps, directions
- Determine physical location based on GPS, Wi-Fi, and cellular towers
Global Positioning System (GPS)
160
Manage company-owned and user-owned mobile devices
- BYOD - Bring Your Own Device

Centralized management of the mobile devices
- Specialized functionality

Set policies on apps, data, camera, etc.
- Control the remote device
- The entire device or a "partition"

Manage access control
- Force screen locks and PINs on these single user devices
Mobile Device Management (MDM)
161
Managing mobile apps is a challenge
- Mobile devices install apps constantly

Not all applications are secure
- And some are malicious
- Android malware is a rapidly growing security concern

Manage application use through allow lists
- Only approved applications can be installed
- Managed through the MDM

A management challenge
- New applications must be checked and added
Application management
162
Secure access to data, protect data from outsiders

File sharing and viewing
- On-site content (Microsoft SharePoint, file servers)
- Cloud-based storage (Box, Office 365)

Data sent from the mobile device
- DLP prevents copy/paste of sensitive data
- Ensure data is encrypted on the mobile device

Managed from the mobile device manager (MDM)
Content management
163
Remove all data from your mobile device
- Even if you have no idea where it is
- Often managed from the MDM

Connect and wipe from the web
- Nuke it from anywhere

Need to plan for this
- Configure your mobile device now

Always have a backup
- Your data can be removed at any time
- As you are walking out the door
Remote wipe
164
Precise tracking details
- Tracks within feet

Can be used for good (or bad)
- Find your phone, find you

Most phones provide an option to disable
- Limits functionality of the phones

May be managed by the MDM
Geolocation
165
Some MDMs allow this
- Restrict or allow features when the device is in a particular area

Cameras
- Might only work when outside the office

Authentication
- Only allow logins when the device is located in a particular area
Geofencing
166
All mobile devices can be locked
- Keep people out of your data

Simple passcode or strong passcode
- Numbers vs. alphanumeric

Fail too many times?
- Erase the phone

Define a lockout policy
- Create aggressive lockout timers
- Completely lock the phone
Screen lock
167
Information appears on the mobile device screen
- The notification is "pushed" to your device

No user intervention
- Receive notifications from one app when using a completely different app

Control of displayed notifications can be managed from the MDM
- Or notifications can be pushed from the MDM
Push notification services
168
The universal help desk call

Mobile devices use multiple authentication methods
- Password/passphrase, PINs, patterns

Recovery process can be initiated from the MDM
- Password reset option is provided on the mobile device

MDM also has full control
- Completely remove all security controls
- Not the default or best practice
Passwords and PINs
169
You are the authentication factor
- Fingerprint, face

May not be the most secure authentication factor
- Useful in some environments
- Completely forbidden in others

Availability is managed through the MDM
- Organization determines the security of the device

Can be managed per-app
- Some apps require additional biometric authentication
Biometrics
170
The attackers can get around anything

Authentication can be contextual

Combine multiple contexts
- Where you normally login (IP address)
- Where you normally frequent (GPS information)
- Other devices that may be paired (Bluetooth, etc.)
- And others

An emerging technology
- Another way to keep data safe
Context-aware authentication
171
Difficult to separate personal from business
- Especially when the device is BYOD
- Owned by the employee

Separate enterprise mobile apps and data
- Create a virtual "container" for company data
- A contained area - limit data sharing
- Storage segmentation keeps data separate

Easy to manage offboarding
- Only the company information is deleted
- Personal data is retained
- Keep your pictures, video, music, email, etc.
Containerization
172
Scramble all of the data on the mobile device
- Even if you lose it, the contents are safe

Devices handle this in different ways
- Strongest/stronger/strong?

Encryption isn't trivial
- Uses a lot of CPU cycles
- Complex integration between hardware and software

Don't lose or forget your password!
- There's no recovery
- Often backed up by the MDM
Full device encryption
173
Shrink the PCI Express Hardware Security Module
- Now in the microSD card form

Provides security services
- Encryption, key generation, digital certificates, authentication

Secure storage
- Protect private keys
- Cryptocurrency storage
Micro SD HSM
174
Manage mobile and non-mobile devices
- An evolution of the Mobile Device Manager (MDM)

End users use different types of devices
- Their use has blended together

Applications can be used across different platforms
- Work on a laptop and a smartphone

All of these devices can be used from anywhere
- Users don't stay in one place
Unified Endpoint Management (UEM)
175
Provision, update, and remove apps
- Keep everyone running at the correct version

Create an enterprise app catalog
- Users can choose and install the apps they need

Monitor application use
- Apps used on a device, devices with unauthorized apps

Remotely wipe application data
- Securely manage remote data
Mobile Application Management (MAM)
176
SELinux (Security-Enhanced Linux) in the Android OS
- Supports access control security policies
- A project from the US National Security Agency (NSA)

Addresses a broad scope of system security
- Kernel, userspace, and policy configuration

Enabled by default with Android version 4.3
- July 2013
- Protect privileged Android system daemons
- Prevent malicious activity

Change from Discretionary Access Control (DAC) to Mandatory Access Control (MAC)
- Move from user-assigned control to object labels and minimum user access
- Isolates and sandboxes Android apps

Centralized policy configuration
- Manage Android deployments
Security Enhancements for Android (SEAndroid)
177
Centralized app clearinghouses
- Apple App Store
- Google Play

Not all applications are secure
- Vulnerabilities, data leakage

Not all applications are appropriate for business use
- Games, instant messaging, etc.

MDM can allow or deny app store use
Third-party app stores
178
Mobile devices are purpose-built systems
- You don't need access to the operating system

Gaining access
- Android - Rooting
- Apple iOS - Jailbreaking

Install custom firmware
- Replaces the existing operating system

Uncontrolled access
- Circumvent security features, sideload apps without using an app store
- The MDM becomes relatively useless
Rooting/Jailbreaking
179
Most phones are locked to a carrier
- You can't use an AT&T phone on Verizon
- Contract with a carrier subsidizes the cost of the phone

You can unlock the phone
- If your carrier allows it
- A carrier lock may be illegal in your country

Security revolves around connectivity
- Moving to another carrier circumvents the MDM
- Preventing a SIM unlock may not be possible on a personal device
Carrier unlocking
180
The operating system of a mobile device is constantly changing
- Similar to a desktop computer

Updates are provided over the air
- No cable required

Security patches or entire operating system updates
- Significant changes without connecting the device

This may not be a good thing
- The MDM can manage what updates are allowed
Firmware OTA updates
181
Cameras are controversial
- They're not always a good thing
- Corporate espionage, inappropriate use

Almost impossible to control on the device
- No good way to ensure the camera won't be used

Cameras can be controlled by the MDM
- Always disabled
- Enabled except for certain locations (geo-fencing)
Camera use
182
Text messages, video, audio

Control of data can be a concern
- Outbound data leaks, financial disclosures
- Inbound notifications, phishing attempts

MDM can enable or disable this
- Or only allow during certain timeframes or locations
Short Message Service/Multimedia Messaging Service
183
Store data onto external or removable drives
- SD flash memory or USB/Lightning drives

Transfer data from flash
- Connect to a computer to retrieve

This is very easy to do
- Limit data written to removable drives
- Or prevent the use of them from the MDM
External media
184
USB On-The-Go
- Connect devices directly together
- No computer required, only a cable

The mobile device can be both a host and a device
- Read from an external device, then act as a storage device itself
- No need for a third-party storage device

Extremely convenient
- From a security perspective, it's too convenient
USB OTG
185
Audio recordings
- There are microphones on every mobile device

Useful for meetings and note taking
- A standard for college classes

A legal liability
- Every state has different laws
- Every situation is different

Disable or geo-fence
- Manage from the MDM
Recording microphone
186
Your phone knows where you are
- Location Services, GPS

Adds your location to document metadata
- Longitude, latitude
- Photos, videos, etc.

Every document may contain geotagged information
- You can track a user quite easily

This may cause security concerns
- Take picture, upload to social media
Geotagging/GPS tagging
187
We're so used to access points
- SSID configurations

The wireless standard includes an ad hoc mode
- Connect wireless devices directly
- Without an access point

Easily connect many devices together
- Common to see in home devices

Simplicity can aid vulnerabilities
- Invisible access to important devices
WiFi Direct/ad hoc
188
Turn your phone into a Wi-Fi hotspot
- Your own personal wireless router
- Extend the cellular data network to all of your devices

Dependent on phone type and provider
- May require additional charges and data costs

May provide inadvertent access to an internal network
- Ensure proper security/passcode
Hotspot/tethering
189
Send small amounts of data wirelessly over a limited area (NFC)
- Built into your phone
- Payment systems, transportation, in-person information exchange

A few different standards
- Apple Pay, Android Pay, Samsung Pay

Bypassing primary authentication would allow payment
- Use proper security - or disable completely
Payment methods
190
Employee owns the device
- Need to meet the company's requirements

Difficult to secure
- It's both a home device and a work device
- How is data protected?
- What happens to the data when a device is sold or traded in?
Bring Your Own Device/Bring Your Own Technology (BYOD)
191
Corporate owned, personally enabled
- Company buys the device
- Used as both a corporate device and a personal device

Organizations keep full control of the device
- Similar to company-owned laptops and desktops

Information is protected using corporate policies
- Information can be deleted at any time

CYOD - Choose Your Own Device
- Similar, but with the user's choice of device
Corporate-owned personally enabled (COPE)
192
The company owns the device
- And controls the content on the device

The device is not for personal use
- You'll need to buy your own device for home

Very specific security requirements
- Not able to mix business with home use
Corporate owned
193
The apps are separated from the mobile device

The data is separated from the mobile device
- Data is stored securely, centralized

Physical device loss
- Risk is minimized

Centralized app development
- Write for a single VMI platform

Applications are managed centrally
- No need to update all mobile devices
Virtual Desktop Infrastructure/Virtual Mobile Infrastructure (VDI)
194
Availability zones (AZ)
- Isolated locations within a cloud region (geographical location)
- Commonly spans across multiple regions
- Each has independent power, HVAC, and networking

Build applications to be highly available (HA)
- Run as active/standby or active/active
- Application recognizes an outage and moves to the other AZ

Use load balancers to provide seamless HA
- Users don't experience any application issues
High availability across zones
195
Identity and access management (IAM)
- Who gets access, what they get access to

Map job functions to roles
- Combine users into groups

Provide access to cloud resources
- Set granular policies
- Group, IP address, date and time

Centralize user accounts, synchronize across all platforms
Resource policies
196
Cloud computing includes many secrets
- API keys, passwords, certificates

This can quickly become overwhelming
- Difficult to manage and protect

Authorize access to the secrets
- Limit access to the secret service

Manage an access control policy
- Limit users to only necessary secrets

Provide an audit trail
- Know exactly who accesses secrets and when
Secrets management
197
Integrate security across multiple platforms
- Different operating systems and applications

Consolidate log storage and reporting
- Cloud-based Security Information and Event Management (SIEM)

Auditing
- Validate the security controls
- Verify compliance with financial and user data
Integration and auditing
198
Data is on a public cloud
- But may not be public data

Access can be limited
- And protected

Data may be required in different geographical locations
- A backup is always required

Availability is always important
Cloud storage
199
A significant cloud storage concern
- One mistake can cause a data breach

Public access
- Should not usually be the default

Many different options
- Identity and Access Management (IAM)
- Bucket policies
- Globally blocking public access
- Don't put data in the cloud unless it really needs to be there
Permissions
200
Cloud data is more accessible than non-cloud data
- More access by more people

Server-side
- Encrypt the data in the cloud
- Data is encrypted when stored on disk

Client-side
- Data is already encrypted when it's sent to the cloud
- Performed by the application

Key management is critical
Encryption
201
Copy data from one place to another
- Real-time data duplication in multiple locations

Disaster recovery, high availability
- Plan for problems
- Maintain uptime if an outage occurs
- Hot site for disaster recovery

Data analysis
- Analytics, big data analysis

Backups
- Constant duplication of data
Replication
202
Connect cloud components
- Connectivity within the cloud
- Connectivity from outside the cloud

Users communicate to the cloud
- From the public internet
- Over a VPN tunnel

Cloud devices communicate between each other
- Cloud-based network
- East/west and north/south communication
- No external traffic flows
Cloud networks
203
A cloud contains virtual devices
- Servers, databases, storage devices

Virtual switches, virtual routers
- Build the network from the cloud console
- The same configuration as the physical device

The network changes with the rest of the infrastructure
- On-demand
- Rapid elasticity
Virtual networks
204
All internal IP addresses

Connect over a VPN

No access from the Internet
Private cloud subnet
205
External IP addresses

Connect to the cloud from anywhere
Public cloud subnet
206
Combine internal cloud resources with external

May combine both public and private subnets
Hybrid cloud subnet
207
The cloud contains separate VPCs, containers, and microservices

Separation is a security opportunity
- Data is separate from the application
- Add security systems between application components

Virtualized security technologies
- Web Application Firewall (WAF)
- Next-Generation Firewall (NGFW)
Segmentation
208
Microservice architecture is the underlying application engine
- A significant security concern

API calls can include risk
- Attempts to access critical data
- Geographic origin
- Unusual API calls

API monitoring
- View specific API queries
- Monitor incoming and outgoing data
API inspection and integration
209
The IaaS component for the cloud computing environment
- Amazon Elastic Compute Cloud (EC2)
- Google Compute Engine (GCE)
- Microsoft Azure Virtual Machine

Manage computing resources
- Launch a VM or container
- Allocate additional resources
- Disable/remove a VM or container
Compute cloud instances
210
A firewall for compute instances
- Control inbound and outbound traffic flows

Layer 4 port number
- TCP or UDP port

Layer 3 address
- Individual addresses
- CIDR block notation
- IPv4 or IPv6
Security groups
211
Provision resources when they are needed
- Based on demand
- Provisioned automatically

Scale up and down
- Allocate compute resources where and when they are needed
- Rapid elasticity
- Pay for only what's used

Ongoing monitoring
- If CPU utilization hits a particular threshold, provision a new application instance
Dynamic resource allocation
212
Granular security controls
- Identify and manage very specific data flows
- Each instance of a data flow is different

Define and set policies
- Allow uploads to the corporate box.com file share
  * Corporate file shares can contain PII
  * Any department can upload to the corporate file share
- Deny certain uploads to a personal box.com file share
  * Allow graphics files
  * Deny any spreadsheets
  * Deny files containing credit card numbers
  * Quarantine the file and send an alert
Instance awareness
213
VPC gateway endpoints
- Allow private cloud subnets to communicate to other cloud services

Keep private resources private
- Internet connectivity not required

Add an endpoint to connect VPC resources
Virtual private cloud endpoints
214
Containers have similar security concerns as any other application deployment method
- Bugs, insufficient security controls, misconfigurations

Use container-specific operating systems
- A minimalist OS designed for containers

Group container types on the same host
- The same purpose, sensitivity, and threat posture
- Limit the scope of any intrusion
Container security
215
Clients are at work, data is in the cloud
- How do you keep everything secure?
- The organization already has well-defined security policies

How do you make your security policies work in the cloud?
- Integrate this
- Implement this as client software, local security appliances, or cloud-based security solutions

Visibility
- Determine what apps are in use
- Are they authorized to use the apps?

Compliance
- Are users complying with HIPAA? PCI?

Threat prevention
- Allow access by authorized users, prevent attacks

Data security
- Ensure that all data transfers are encrypted
- Protect the transfer of PII with DLP
Cloud access security broker (CASB)
216
Secure cloud-based applications - Complexity increases in the cloud Application misconfigurations - One of the most common security issues - Especially cloud storage Authorization and access - Controls should be strong enough for access from anywhere API security - Attackers will try to exploit interfaces and APIs
Application security
217
Protect users and devices - Regardless of location and activity Go beyond URLs and GET requests - Examine the application API - Dropbox for personal use or corporate use? Examine JSON strings and API requests - Allow or disallow certain activities Instance-aware security - A development instance is different than production
Next-Gen Secure Web Gateway (SWG)
218
Control traffic flows in the cloud - Inside the cloud and external flows Cost - Relatively inexpensive compared to appliances - Virtual firewalls - Host-based firewalls Segmentation - Between microservices, VMs, or VPCs OSI layers - Layer 4 (TCP/UDP), Layer 7 (Application)
Firewalls in the cloud
219
Cloud-native - Integrated and supported by the cloud provider - Many configuration options - Security is part of the infrastructure - No additional costs Third-party solutions - Support across multiple cloud providers - Single pane of glass - Extend policies outside the scope of the cloud provider - More extensive reporting
Security controls
220
Who are you? - A service needs to vouch for you - Authentication as a Service A list of entities - Users and devices Commonly used by SSO applications or an authentication process - Cloud-based services need to know who you are Uses standard authentication methods - SAML, OAuth, OpenID Connect, etc
Identity Provider (IdP)
221
An identifier or property of an entity - Provides identification Personal attributes - Name, email address, phone number, Employee ID Other attributes - Department name, job title, mail stop One or more attributes can be used for identification - Combine them for more detail
Attributes
222
Digital certificate - Assigned to a person or device Binds the identity of the certificate owner to a public and private key - Encrypt data, create digital certificates Requires an existing public-key infrastructure (PKI) - The Certificate Authority (CA) is a trusted entity - The CA digitally signs the certificates
Certificates
223
Smart card - Integrates with devices - may require a PIN
Tokens and cards
224
Secure terminal communication Use a key instead of username and password - Public/private keys - Critical for automation Key management is critical - Centralize, control, and audit key use Key managers - Open source or commercial
SSH keys
225
Create a public/private key pair - ssh-keygen Copy the public key to the SSH server - ssh-copy-id user@host Try it out - ssh user@host - No password prompt!
SSH key-based authentication
226
An account on a computer associated with a specific person - The computer associates the user with a specific identification number Storage and files can be private to that user - Even if another person is using the same computer No privileged access to the operating system - Specifically not allowed on a user account This is the account type most people will use - Your user community
User accounts
227
Shared account - Used by more than one person - Guest login, anonymous login Very difficult to create an audit trail - No way to know exactly who was working - Difficult to determine the proper privileges Password management becomes difficult - Password changes require notifying everyone - Difficult to remember so many password changes - Just write it down on this yellow sticky paper Best practice: Don't use these accounts
Shared and generic accounts
228
Access to a computer for guests - No access to change settings, modify applications, view other users' files, and more - Usually no password This brings significant security challenges - Access to the userspace is one step closer to an exploit Must be controlled - Not the default - Removed from Windows 10
Guest accounts
229
Used exclusively by services running on a computer - No interactive/user access - Web server, database server, etc. Access can be defined for a specific service - Web server rights and permissions will be different than a database server Commonly use usernames and passwords - You'll need to determine the best policy for password updates
Service accounts
230
Elevated access to one or more systems - Administrator, Root Complete access to the system - Often used to manage hardware, drivers, and software installation This account should not be used for normal administration - User accounts should be used Need to be highly secured - Strong passwords, 2FA - Scheduled password changes
Privileged accounts
231
Control access to an account - It's more than just username and password - Determine what policies are best for an organization Authentication process - Password policies, authentication factor policies, other considerations Permissions after login - Another line of defense
Account policies
232
Is everything following the policy? - You have to police yourself; it's amazing how quickly things can change - Make sure the routine is scheduled Certain actions can be automatically identified - Consider a tool for log analysis
Perform routine audits
233
Permission auditing - Does everyone have the correct permissions? - Some administrators don't need to be there - Scheduled recertification Usage auditing - How are your resources used? - Are your systems and applications secure?
Auditing
234
Make your password strong - Resist brute-force attack Increase password entropy - No single words, no obvious passwords - Mix upper and lower case and use special characters Stronger passwords are at least 8 characters - Consider a phrase or set of words Prevent password reuse - System remembers password history, requires unique passwords
Password complexity and length
235
Too many incorrect passwords will cause a lockout - Prevents online brute force attacks - This should be normal for most user accounts - This can cause big issues for service accounts - You might want this Disabling accounts - Part of the normal change process - You don't want to delete accounts * At least not initially * May contain important decryption keys
Account lockout and disablement
236
Identify based on IP subnet - Can be difficult with mobile devices Geofencing - Automatically
Network location
237
Determine a user's location - GPS - mobile devices, very accurate - 802.11 wireless, less accurate - IP address, not very accurate
Geolocation
238
Automatically allow or restrict access when the user is in a particular location Don't allow this app to run unless you're near the office
Geofencing
239
Add location metadata to a document or file Latitude and longitude, distance, time stamps
Geotagging
240
Hardware-based authentication - Something you have Helps prevent unauthorized logins and account takeovers - The key must be present to log in Doesn't replace other factors - Passwords are still important
Password keys
241
Password managers - All passwords in one location - A database of credentials Secure storage - All credentials are encrypted - Cloud-based synchronization options Create unique passwords - Passwords are not the same across sites Personal and enterprise options - Corporate access
Password vaults
242
A specification for cryptographic functions - Hardware to help with all of this encryption stuff Cryptographic processor - Random number generator, key generators Persistent memory - Comes with unique keys burned in during production Versatile memory - Storage keys, hardware configuration information Password protected - No dictionary attacks
Trusted Platform Module (TPM)
243
High-end cryptographic hardware - Plug-in card or separate hardware device Key backup - Secured storage Cryptographic accelerators - Offload that CPU overhead from other devices Used in large environments - Clusters, redundant power
Hardware Security Module (HSM)
244
Use personal knowledge as an authentication factor - Something you know Static KBA - Pre-configured shared secrets - Often used with account recovery - What was the make and model of your first car? Dynamic KBA - Questions are based on an identity verification service - What was your street address when you lived in Pembroke Pines, Florida?
Knowledge-based authentication (KBA)
245
A basic authentication method - Used in legacy operating systems - Rare to see used on its own This is in the clear - Weak authentication scheme - Non-encrypted password exchange - We didn't require encryption on analog dialup lines - The application would need to provide the encryption
Password Authentication Protocol (PAP)
246
Encrypted challenge sent over the network Three-way handshake - After link is established, server sends a challenge - Client responds with a password hash calculated from the challenge and the password - Server compares received hash and stored hash Challenge-Response continues - Occurs periodically during the connection - User never knows it happens
Challenge-Handshake Authentication Protocol (CHAP)
247
Microsoft's implementation of CHAP - Used commonly on Microsoft's Point-to-Point Tunneling Protocol (PPTP) Security issues related to the use of DES - Relatively easy to brute force the 2^56 possible keys to decrypt the NTLM hash - Consider L2TP, IPsec, 802.1X or some other secure authentication method Steps: 1) Login request is sent to the server 2) Server looks up the credentials and sends a challenge to the user 3) User combines the password and challenge to create a response 4) Server compares the user's response with a locally created response
MS-CHAP
248
One of the more common AAA protocols - Supported on a wide variety of platforms and devices - Not just for dial-in Centralize authentication for users - Routers, switches, firewalls, server authentication, remote VPN access, 802.1X network access Available on almost any server OS
Remote Authentication Dial-In User Service (RADIUS)
249
Terminal Access Controller Access-Control System - Remote authentication protocol - Created to control access to dial-up lines to ARPANET
TACACS
250
A Cisco-created (proprietary) version of TACACS - Additional support for accounting and auditing
XTACACS (Extended TACACS)
251
Latest version of TACACS, not backwards compatible - More authentication requests and response codes
TACACS+
252
Network authentication protocol - Authenticate once, trusted by the system - No need to re-authenticate to everything - Mutual authentication - the client and the server - Protect against on-path or replay attacks Standard since the 1980s - Developed by MIT Microsoft started using it in Windows 2000 - Compatible with other operating systems and devices
Kerberos
253
Authenticate one time - Lots of backend ticketing - Cryptographic tickets No constant username and password input! - Save time
SSO with Kerberos
254
Port-based Network Access Control (NAC) - You don't get access to the network until you authenticate Extensible Authentication Protocol - Prevents access to the network until the authentication succeeds Used in conjunction with an access database - RADIUS, LDAP, TACACS+
IEEE 802.1X
255
Provide network access to others - Not just employees - Partners, suppliers, customers, etc - Provides SSO and more Third parties can establish a federated network - Authenticate and authorize between the two organizations - Login with your Facebook credentials The third parties must establish a trust relationship - And the degree of trust
Federation
256
Open standard for authentication and authorization - You can authenticate through a third-party to gain access - One standard does it all Not originally designed for mobile apps - This has been the largest roadblock
Security Assertion Markup Language (SAML)
257
Authorization framework - Determines what resources a user will be able to access Created by Twitter, Google, and many others - Significant industry support Not an authentication protocol - OpenID Connect handles the single sign-on authentication - Provides authorization between applications Relatively popular - Used by Twitter, Google, Facebook
OAuth
258
Authorization - The process of ensuring only authorized rights are exercised - Policy enforcement The process of determining rights - Policy definition Users receive rights based on - Access control models - Different business needs or mission requirements
Access control
259
The operating system limits the operation of an object - Based on security clearance level Every object gets a label - Confidential, secret, top secret, etc. Labeling of objects uses predefined rules - The administrator decides who gets access to what security level - Users cannot change these settings
Mandatory Access Control (MAC)
260
Used in most operating systems - A familiar access control model You create a spreadsheet - As the owner, you control who has access - You can modify access at any time Very flexible access control - And very weak security
Discretionary Access Control (DAC)
261
You have a role in your organization - Manager, director, team lead, project manager Administrators provide access based on the role of the user - Rights are gained implicitly instead of explicitly In Windows, use Groups to provide role-based access control You are shipping and receiving so you can use the shipping software - You are the manager, so you can review shipping logs
Role-based access control (RBAC)
262
Users can have complex relationships to applications and data - Access may be based on many different criteria Can consider many parameters - A "next generation" authorization model - Aware of context Combine and evaluate multiple parameters - Resource information, IP address, time of day, desired action, relationship to the data, etc.
Attribute-based access control (ABAC)
263
Generic term for following rules - Conditions other than who you are Access is determined through system-enforced rules - System administrators, not users The rule is associated with the object - System checks the ACLs for that object Rule examples - Lab network access is only available between 9-5 - Only Chrome browsers may complete this web form
Rule-based access control
264
Store files and access them - Hard drive, SSDs, flash drives, DVDs, part of most OSs Accessing information - Access control lists - Group/user rights and permissions - Can be centrally administered and/or users can manage files they own The file system handles encryption and decryption
File system security
265
Difficult to apply old methods of authentication to new methods of working - Mobile workforce, many different devices, constantly changing cloud Conditions - Employee or partner, location, type of application accessed, device Controls - Allow or block, require MFA, provide limited access, require password reset Administrators can build complex access rules - Complete control over data access
Conditional access
266
Managing superuser access - Administrator and Root - You don't want this in the wrong hands Store privileged accounts in a digital vault - Access is only granted from the vault by request - These privileges are temporary Advantages - Centralized password management - Enables automation - Manage access for each user - Extensive tracking and auditing
Privileged access management (PAM)
267
Policies, procedures, hardware, software, people - Digital certificates: create, distribute, manage, store, revoke This is a big, big endeavor - Lots of planning Also refers to the binding of public keys to people or devices - The certificate authority - It's all about trust
Public Key Infrastructure (PKI)
268
Key generation - Create a key with the requested strength using the proper cipher Certificate generation - Allocate a key to the user Distribution - Make the key available to the user Storage - Securely store and protect against unauthorized use Revocation - Manage keys that have been compromised Expiration - A certificate may only have a certain "shelf life"
Key management lifecycle
269
A public key certificate - Binds a public key with a digital signature - And other details about the key holder Adds trust - PKI uses a Certificate Authority for additional trust - Web of Trust adds other users for additional trust Certificate creation can be built into the OS - Part of Windows Domain services - 3rd-party Linux options
Digital certificates
270
Built-in to your browser - Any browser Purchase your web site certificate - It will be trusted by everyone's browser Create a key pair, send the public key to the CA to be signed - A certificate signing request (CSR) May provide different levels of trust and additional features - Add a new "tag" to your web site
Commercial certificate authority
271
You are your own CA - Build it in-house - Your devices must trust the internal CA Needed for medium-to-large organizations - Many web servers and privacy requirements Implement as part of your overall computing strategy - Windows Certificate Services, OpenCA
Private certificate authorities
272
Single CA - Everyone receives their certificates from one authority Hierarchical - Single CA issues certs to intermediate CAs - Distributes the certificate management load - Easier to deal with the revocation of an intermediate CA than the root CA
PKI trust relationships
273
The entity requesting the certificate needs to be verified - The RA identifies and authenticates the requester Approval or rejection - The foundation of trust in this model Also responsible for revocations - Administratively revoked or by request Manages renewals and re-key requests - Maintains certificates for current cert holders
Registration authority (RA)
274
Common Name (CN) - The FQDN (Fully Qualified Domain Name) for the certificate - Clearly describes the certificate's owner Subject alternative name - Additional host names for the cert - Common on web servers Expiration - Limit exposure to compromise - 398 day browser limit (13 months)
Important certificate attributes
275
Certificate Revocation List (CRL) - Maintained by the Certificate Authority (CA) Many different reasons - changes all the time
Key revocation
276
The browser can check certificate revocation Messages are usually sent to the OCSP responder via HTTP - Easy to support over Internet links Not all browsers/apps support this - Early Internet Explorer versions did not support this
Online Certificate Status Protocol (OCSP)
277
Owner of the certificate has some control over a DNS domain
Domain validation certificate (DV)
278
Additional checks have verified the certificate owner's identity Browsers used to show a green name on the address bar - Promoting the use of SSL is now outdated
Extended validation certificate (EV)
279
Extension to an X.509 certificate Lists additional identification information Allows a certificate to support many different domains
Subject Alternative Name (SAN)
280
Certificates are based on the name of the server A wildcard domain will apply to all server names in a domain
Wildcard domain
281
Developers can provide a level of trust - Applications can be signed by the developer The user's operating system will examine the signature - Checks the developer signature - Validates that the software has not been modified Is it from a trusted entity? - The user will have the opportunity to stop the application execution
Code signing certificate
282
The public key certificate that identifies the root CA (Certificate Authority) - Everything starts with this certificate This certificate issues other certificates - Intermediate CA certificates - Any other certificates This is a very important certificate - Take all security precautions - Access to the root certificate allows for the creation of any trusted certificate
Root certificate
283
Internal certificates don't need to be signed by a public CA - Your company is the only one that is going to use it - No need to purchase trust for devices that already trust you Build your own CA - Issue your own certificates signed by your own CA Install the CA certificate/trusted chain on all devices - They'll now trust any certificates signed by your internal CA - Works exactly like a certificate you purchased
Self-signed certificates
284
You have to manage many devices - Often devices that you'll never physically see How can you truly authenticate a device? - Put a certificate on the device that you signed Other business processes rely on the certificate - Access to the remote access - VPN from authorized devices - Management software can validate the end device
Machine and computer certificate
285
Use cryptography in an email platform - You'll need public key cryptography Encrypting emails - Use a recipient's public key to encrypt Receiving encrypted emails - Use your private key to decrypt Digital certificates - Use your private key to digitally sign an email - Non-repudiation, integrity
Email certificates
286
Associate a certificate with a user - A powerful electronic "id card" Use as an additional authentication factor - Limit access without the certificate Integrate onto smart cards - Use as both a physical and digital access card
User certificates
287
The structure of the certificate is standardized The format of the actual certificate file can take many forms There are many certificate file formats - Use openssl or a similar application to view the certificate contents
X.509 digital certificates
288
Format designed as a transfer syntax for data structures - A very specific encoding format - Perfect for an X.509 certificate Binary format - Not human-readable A common format - Used across many platforms - Often used with Java certificates
Distinguished Encoding Rules (DER)
289
A very common format - BASE64 encoded DER certificate - Generally the format provided by CAs - Supported on many different platforms ASCII format - Letters and numbers - Easy to email, readable
Privacy-Enhanced Mail (PEM)
290
Personal Information Exchange Syntax Standard - Developed by RSA Security, now an RFC standard Container format for many certificates - Store many X.509 certificates in a single .p12 or .pfx file - Often used to transfer a private and public key pair - The container can be password protected Extended from Microsoft's .pfx format - Personal Information Exchange (PFX) - The two standards are very similar - Often referenced interchangeably
Public Key Cryptography Standards #12
291
Primarily a Windows X.509 file extension - Can be encoded as a binary DER format or as the ASCII PEM format Usually contains a public key - Private keys would be transferred in the .pfx file format Common format for Windows certificates - Look for the .cer extension
Certificate (CER)
292
Cryptographic Message Syntax Standard - Associated with the .p7b file Stored as ASCII format - Human-readable Contains certificates and chain certificates - Private keys are not included in a .p7b file Wide platform support - Microsoft Windows - Java Tomcat
Public Key Cryptography Standards #7 (PKCS #7)
293
Provides scalability for OCSP status checks The CA is responsible for responding to all client requests - This does not scale well Instead, have the certificate holder verify their own status - Status information is stored on the certificate holder's server Stapled into the SSL/TLS handshake - Digitally signed by the CA
Online Certificate Status Protocol Stapling
294
You're communicating over TLS/SSL to a server - How do you really know it's a legitimate server? "Pin" the expected certificate or public key to an application - Compiled in the app or added at first run If the expected certificate or public key doesn't match, the application can decide what to do - Shut down, show a message
Pinning
295
Everyone receives their certificates from one authority
Single CA (PKI trust relationship)
296
Single CA issues certs to intermediate CAs
Hierarchical (PKI trust relationship)
297
Cross-certifying CAs - Doesn't scale well
Mesh (PKI trust relationship)
298
Alternative to traditional PKI
Web-of-trust (PKI trust relationship)
299
Server authenticates to the client and the client authenticates to the server
Mutual Authentication (PKI trust relationship)
300
Someone who holds your decryption keys - Your private keys are in the hands of a third party This can be a legitimate business arrangement - A business might need access to employee information - Government agencies may need to decrypt partner data
Key escrow
301
Chain of trust - List all of the certs between the server and the root CA The chain starts with the SSL certificate - And ends with the Root CA certificate Any certificate between the SSL certificate and the root certificate is a chain certificate - Or intermediate certificate The web server needs to be configured with the proper chain - Or the end user may receive an error
Certificate chaining
302
Source code of an application is reviewed manually or with automatic tools without running the code
Static code analysis
303
Distribute the load among multiple systems that are online and in use at the same time
Active/active load balancing
304
Source code of an application is reviewed manually or with automatic tools without running the code
Persistence
305
Attempts to detect, log, and alert on malicious network activities Use promiscuous mode to see all network traffic on a segment
Network-based intrusion detection system (NIDS)
306
Attempts to remove, detain, or redirect malicious traffic Should be installed in-line of the network traffic flow Can also perform functions as a protocol analyzer
Network intrusion prevention system (NIPS)
307
Pay attention to the state of traffic between systems They can make a decision about a conversation and allow it to continue once it has been approved rather than reviewing every packet Track this information in a state table, and use the information they gather to see entire traffic flows instead of each packet
Stateful firewall
308
Process of changing an IP address while it transits across a router Using NAT can help us hide our network IPs
Network address translation (NAT) gateway
309
Devices or software that allow or block traffic based on content rules Simple as blocking specific URLs, domains, or hosts, or they can be complex with pattern matching, IP reputation, and other elements built into the filtering rules
Content/URL filters
310
Networks rely on routing protocols to determine which path traffic should take to other networks Common protocols include BGP, RIP, OSPF, EIGRP Attacks against routing can result in on-path attacks, outages due to loops or delays in traffic being sent, or drops of traffic
Route security
311
WPA-Personal - Uses a preshared key and is thus often called WPA-PSK - Allows clients to authenticate without an authentication server infrastructure WPA-Enterprise - Relies on a RADIUS authentication server as part of an 802.1X implementation for authentication - Users can thus have unique credentials and be individually identified Uses AES encryption to provide confidentiality, delivering much stronger encryption than WEP
WPA2
312
Wireless security also relies upon proper WAP placement Wireless B, G, and N use a 2.4 GHz signal Wireless A, N, and AC use a 5.0 GHz signal 2.4 GHz signals can travel further than 5 GHz
Wireless Access Point (WAP) placement
313
Creating a clear separation between personal and company data on a single device Keep personal and business data separate Separate volumes or even separate encrypted volumes that require specific applications, wrappers, or containers to access them
Storage segmentation
313
The organization pays for the device and typically for the cellular plan or other connectivity The user selects the device from a list of preferred options rather than bringing in whatever they want to use Support is easier since only a limited number of device types will be encountered, and that can make a security model easier to establish as well
Choose your own device (CYOD)
314
An open standard and decentralized protocol that is used to authenticate users in a federated identity management system User logs into an Identity Provider (IP) and uses their account at Relying Parties (RP) This is easier to implement than SAML; SAML is more efficient than this
OpenID
315
Determine which accounts, users, groups, or services can perform actions like reading, writing, and executing files Linux can be set with chmod command Windows can be set via command line or GUI The modify permission allows viewing as well as changing files or folders Read and execute does not allow modification or changes but does allow the files to be run
Filesystem permissions
316
The offline CA uses the root certificate to create this certificate, which serves as the online CA used to issue certificates on a routine basis
Intermediate CA
317
An online list of digital certificates that the certificate authority has revoked Maintained by the various CAs and contains the serial numbers of certificates that have been issued by a CA and have been revoked, along with the date and time the revocation went into effect Major disadvantage is they must be downloaded and cross-referenced periodically, introducing a period of latency between the time a certificate is revoked and the time end users are notified of the revocation
Certificate Revocation List (CRL)
318
Once you've satisfied the CA regarding your identity, you provide them with your public key in this form The CA next creates an X.509 digital certificate containing your identifying information and a copy of your public key The CA then digitally signs the certificate using the CA's private key and provides you with a copy of your signed digital certificate
Certificate Signing Request (CSR)
319
Commonly used by Windows systems Certificates may be stored in binary form, using .PFX or .P12 file extensions
Personal Information Exchange (PFX)
320