Module 4: Key security tools Flashcards

1
Q

Introduction to Firewalls

Firewalls isolate an organization’s internal network from the larger Internet, allowing some packets to pass and blocking others.

Why use firewalls:
1. prevent denial of service attacks
2. prevent illegal modification/access of internal data
3. allow only authorized access to inside network
4. two types of firewalls: application-level and packet-filtering

A

Firewalls - Packet Filtering
It is a fundamental technology, whereby a packet-by-packet decision on whether to forward or drop each packet is made based on several factors.

2
Q

Firewalls - Application Gateway

A

Limitations of firewalls and gateways

3
Q

Firewalls - XML Gateway

A

Firewalls - Stateless and Stateful firewalls
* firewalls filter traffic between networks
* they handle packets differently
* they are multi-homed: multiple NICs are connected to different networks
* there are different types of firewalls, stateful and stateless are the most common ones
* another common firewall is a proxy firewall

4
Q

Firewalls - Stateless and Stateful firewalls (cont’d)

A

Proxy firewalls
* proxy firewalls act as intermediary servers
* proxies terminate connections and initiate new ones, like a MITM
* there are two 3-way handshakes between the two devices, as with a man in the middle; this allows the proxy to filter threats and analyse traffic even better

5
Q

Antivirus/Antimalware
* specialized software that can detect, prevent and even destroy a computer virus or malware
* uses malware definitions
* scans the system and searches for matches against the malware definitions
* these definitions are constantly updated by vendors

A
6
Q

An introduction of Cryptography:
* cryptography is secret writing
* it should be understood only by the intended recipient
* it’s been used since the ancient times
* Key concepts: confidentiality, integrity, authentication, non-repudiation, cryptanalysis, cipher, plaintext (just plain text), ciphertext (plaintext gone through the cipher), encryption, decryption
* a cipher is the actual algorithm that encrypts a message; for example, in ancient cryptography it was an algorithm that shifted the alphabet or specific letters either to the right or to the left
* there are stream and block ciphers

A

Cryptographic strength:
* cryptographic strength relies on math, not secrecy
* ciphers that have stood the test of time are public algorithms
* monoalphabetic ciphers -> polyalphabetic ciphers
* exclusive Or (XOR) is the secret sauce behind modern encryption
* stream ciphers encrypt or decrypt bit per bit
* block ciphers encrypt or decrypt in blocks of various sizes, depending on the algorithm, let’s say 64 bits at a time

3 Types of Cryptography:
1. Symmetric
2. Asymmetric
3. Hash

7
Q

Symmetric encryption:
* uses the same key to encrypt or decrypt
* security depends on keeping the key secret at all times
* strengths include speed and cryptographic strength per bit of key
* the bigger the key, the stronger the algorithm
* the key needs to be shared using a secure out-of-band method
* DES, Triple DES, and AES are examples of symmetric encryption

A

Asymmetric encryption:
* Whitfield Diffie and Martin Hellman, who created the Diffie-Hellman, are pioneers of asymmetric encryption
* it uses two keys; 4 encryption keys are required for 2 people to exchange a series of messages using asymmetric public key cryptography
* one key can be made public, it’s called a public key; the other needs to be kept private, it’s called a private key
* one is used for encryption and the other for decryption
* it is used in digital certificates
* it uses one-way math algorithms to generate the two keys, like factoring prime numbers and the discrete logarithm
* it is slower than symmetric encryption

8
Q

Hash functions
* the hash functions provide encryption using a one-way algorithm and no key
* this means that a plaintext of any length (variable-length input) is hashed into a fixed-length hash value; this is often called a message digest or simply a hash
* if the hash of a plaintext changes, the plaintext itself has changed
* this provides integrity verification
* SHA-1 and MD5, older algorithms, are prone to collisions, which means that two plaintexts can have the exact same hash value or message digest
* SHA-2 is the newer and recommended alternative

In other words, if we generate a plaintext and send it to somebody else with a corresponding hash, and somebody changes that plaintext in transit, then we can determine that something has changed in that message using the previously generated hash.

A

5 types of Cryptographic Attacks
1. Brute force: it is an attack based on trial and error, which effectively works through the submission of many passwords or passphrases in the hope that eventually it will guess correctly
2. Rainbow tables: are similar, but they use a limited set of precomputed hashed passwords that can be checked against captured password hashes, which makes the attack a lot faster
3. Social engineering: non-technical methods to get a password from the end users themselves
4. Known plaintext: it is based on having only plaintext, and doing analysis on that plaintext to try to understand how the cipher works and how the cipher encrypts the information; this is an attempt to recover the actual key that the cipher uses to encrypt the information, because once you have the key, you are able to decrypt or encrypt any information
5. Known ciphertext: it is a process of having only ciphertext; it’s similar to the plaintext attack, but with the difference that we don’t have plaintext, only ciphertext, and based on that ciphertext we try to derive the key used in the cipher to, again, encrypt and decrypt information

9
Q

The language of cryptography

A

Symmetric key cryptography - Substitution cipher
shift symbols to the right or to the left

10
Q

Symmetric key cryptography (cont’d)

  • The question is how Bob and Alice agree on the key value. This is a weakness of symmetric key cryptography
  • How does Alice get the key to Bob? She can email it, but Trudy can intercept it, so distribution of the key is a fundamental problem for symmetric key cryptography
A

Symmetric key crypto: DES
* DES was the first commercially available, electronic encryption algorithm

11
Q

AES: Advanced Encryption Standard
* new (Nov 2001) symmetric-key NIST standard replacing DES; it effectively removed brute force as a practical attack
* processes data in 128 bit blocks; 128 bit versus 94 bit makes for a more efficient algorithm
* 128, 192, or 256 bit keys - the longer the key, the more computationally intensive the algorithm will be
* brute force decryption (try each key) takes 1 sec on DES and 149 trillion years for AES, so brute force is off the table when it comes to AES

A

Penetration Testing (Pentest) Introduction

  • Pentest is the ethical hacking practice of testing a computer system, network or application to find security vulnerabilities that an attacker could exploit
  • The main objective of a Pentest is to identify security weaknesses before attackers can identify and exploit them
  • Penetration testing is a practice that requires several contracts before it can be performed, for example a service level agreement, rules of engagement, and all sorts of documentation that make the penetration test a legal agreement between two parties
  • White hat hackers: ethical hackers who work under contract for security reasons
  • Grey hat hackers: they stand between white hat and black hat hackers; they usually perform pentesting in an unauthorized manner, but they report back to the possible victim
  • Black hat hackers: bad guys, they do hacking for personal recognition, money, political agenda or social change
12
Q

There are also threat actors:
These are entities that are partially or wholly responsible for an incident that affects or potentially affects an organization’s security. They are also referred to as malicious actors:
* script kiddies
* hacktivists
* organized crime
* insiders (past or present employees or contractors)
* competitors
* Nation states: highly sophisticated, state-funded hacking organizations, such as Fancy Bear (APT28), Lazarus Group, ScarCruft (Group 123), APT29

A

Pentest Methodologies

13
Q

Vulnerability Tests

The vulnerability assessment will not exploit the vulnerabilities identified on the system; it will only produce a report. Vulnerability assessment or vulnerability scanning could be done quarterly, bi-monthly, bi-weekly or on a monthly basis.

http://www.letsrespondtoolkit.org/vulnerability-assessment

A

What is Digital Forensics?

  • it is a branch of forensic science
  • it includes everything related to the identification, recovery, investigation, validation and presentation of facts regarding digital evidence, usually found on computers or similar digital storage media devices, for example hard drives, cell phones, servers, etc.
  • Dr Edmond Locard was a pioneer of forensic science who became known as the Sherlock Holmes of France; he came up with a principle (which holds for the physical world and for the computer world) that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence
14
Q

Chain of custody
* it refers to the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis and disposition of physical or electronic evidence
* it is a process that is often required for evidence to be admissible in court

A

Securityintelligence.com

Explore https://securityintelligence.com/ to review the information contributed by Cybersecurity experts globally.

At SecurityIntelligence, they empower security professionals across the globe to protect their organizations by providing them with the relatable analysis and actionable insights they need to thrive in the face of cyber uncertainty. This site delivers content from hundreds of the brightest minds in the cybersecurity industry.

Read one article or blog from each of the securityintelligence topic areas:

  • News (Current events involving cybersecurity threats and breaches)
  • Series (Reoccurring podcasts, articles and videos from a specific group within cybersecurity)
  • Topics (Search information on cybersecurity topics such as Fraud protection, Application security, etc)
  • Industries (Search information by industry such as banking, healthcare, etc)
  • Threat Research (Cybersecurity experts discuss key trends and topics)
  • Podcast (Cybersecurity experts record podcasts to discuss key cybersecurity topics)
  • Events (Sign up for a future webcast or explore an on demand webcast)
15
Q

Review the following articles on Securityintelligence.com about Incident Response and Digital Forensics.

Incident Response and Digital Forensics: Will You Buy or Build?

https://securityintelligence.com/incident-response-and-digital-forensics-will-you-buy-or-build/

Incident Response: 5 Steps to Prevent False Positives
https://securityintelligence.com/articles/cyber-incident-response-false-positives/

A