Topic 9A Flashcards
Hardening
is the process of reducing system vulnerabilities to make IT resources more resilient to attacks. It involves disabling unnecessary services, configuring appropriate permissions, applying patches and updates, and ensuring adherence to secure configurations defined by the secure baselines.
Network access control (NAC)
is a security solution that enforces policy on devices seeking to access network resources. It identifies, categorizes, and manages the activities of all devices on a network, ensuring they comply with security policies before granting access and continuously monitoring them while they are connected.
secure baseline
is a collection of standard configurations and settings for network devices, software, patching and updates, access controls, logging, monitoring, password policies, encryption, endpoint protection, and many others.
The Center for Internet Security (CIS) Benchmarks
are an important resource for secure configuration best practices. CIS is recognized globally for publishing and maintaining best practice guides for securing IT systems and data.
Security Technical Implementation Guides (STIGs)
are a specific secure baseline developed by the Defense Information Systems Agency (DISA) for the US Department of Defense. Like CIS Benchmarks, STIGs define a standardized set of security configurations and controls specifically designed for the DoD’s IT infrastructure.
Configuration management tools, such as Puppet, Chef, Ansible, and Microsoft’s Group Policy
allow organizations to automate the deployment of secure baseline configurations across various diverse systems.
Security Content Automation Protocol (SCAP) compliant tools
like OpenSCAP, can assess and verify the system’s adherence to the baseline.
The SCAP Compliance Checker (SCC)
is a tool maintained by the DISA used to measure compliance with STIG baselines.
Examples of changes designed to improve the security of switches and routers from the default settings include the following:
Change Default Credentials that are well documented and pose a significant security risk.
Disable Unnecessary Services and Interfaces on a switch or router. Not every service or interface is needed. For example, services like HTTP or Telnet should be avoided.
Use Secure Management Protocols such as SSH instead of Telnet or HTTPS instead of HTTP.
Implement Access Control Lists (ACLs) to restrict access to the router or switch to only required devices and networks.
Enable Logging and Monitoring to help identify issues like repeated login failures, configuration changes, and many others.
Configure Port Security to limit the devices that can connect to a switch port and prevent unauthorized access.
Strong Password Policies help reduce the risk of password attacks.
Physically Secure Equipment like keeping devices in a locked room to prevent unauthorized physical access.
Examples of changes designed to improve the security of servers from the default settings include the following:
Change Default Credentials to prevent unauthorized access, similar to network devices.
Disable Unnecessary Services to reduce the attack surface of the server. Each service running on a server represents a potential point of entry for an attacker.
Apply Software Security Patches and Updates Regularly to fix known vulnerabilities and provide security improvements. Automated patch management ensures this process is consistent and timely.
Least Privilege Principle limits each user to the least amount of privilege necessary to perform a function to reduce the impact of a compromised account.
Use Firewalls and Intrusion Detection Systems (IDS) to help block or alert on malicious activity.
Secure Configuration of servers should use baseline configurations such as those provided by the CIS or STIGs.
Strong Access Controls include strong password policies, multifactor authentication (MFA), and privileged access management (PAM).
Enable Logging and Monitoring to help identify issues like repeated login failures, configuration changes, and many others, similar to the benefits for network equipment.
Use Antivirus and Antimalware Solutions to detect and quarantine malware automatically.
Physical Security of server equipment racks, server rooms, or datacenters prevents unauthorized access.
access points
forward traffic to and from the wired switched network.
Each WAP is identified by its MAC address, also referred to as its basic service set identifier (BSSID).
Each wireless network is identified by its name or service set identifier (SSID).
In which radio frequency bands do wireless networks operate?
can operate in either the 2.4 GHz or 5 GHz radio band.
Each radio band is divided into a number of channels, and each WAP must be configured to use a specific channel.
For performance reasons, the channels chosen should be as widely spaced as possible to reduce interference.
site survey
is used to measure signal strength and channel usage throughout the area to cover.
A site survey starts with an architectural map of the site, with features that can cause background interference marked. These features include solid walls, reflective surfaces, motors, microwave ovens, and so on.
A Wi-Fi-enabled laptop or mobile device with Wi-Fi analyzer software installed performs the survey.
heat map
The signal map that is created from a site survey.
Showing where a signal is strong (green/blue) or weak (red), and which channel is being used and how they overlap.
What determines which cryptographic protocols are used?
The security standard determines which cryptographic protocols are supported, the means of generating the encryption key, and the available methods for authenticating wireless stations when they try to join (or associate with) the network.
The first version of Wi-Fi Protected Access (WPA) was designed to
fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard.
Like WEP, version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.
Wi-Fi Protected Setup (WPS)
As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process.
To use WPS, both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a push button.
Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2.
The system generates a random SSID and PSK. If the devices do not support the push button method, the PIN (printed on the WAP) can be entered manually.
WPS vulnerability
WPS is vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest are verified as two separate PINs of four and three characters.
These separate PINs are many orders of magnitude simpler to brute force, typically requiring just hours to crack.
On some models, disabling WPS through the admin interface does not actually disable the protocol, or there is no option to disable it.
The Easy Connect method, announced alongside WPA3, is intended to
replace WPS as a method of securely configuring client devices with the information required to access a Wi-Fi network. Easy Connect is a brand name for the Device Provisioning Protocol (DPP).
The main features of WPA3 are as follows:
Simultaneous Authentication of Equals (SAE)—replaces the Pre-Shared Key (PSK) exchange protocol in WPA2, ensuring an attacker cannot intercept the Wi-Fi password even when capturing data from a successful login.
Enhanced Open—encrypts traffic between devices and the access point, even without a password, which increases privacy and security on open networks.
Updated Cryptographic Protocols—replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.
Wi-Fi Easy Connect—allows connecting devices by scanning a QR code, reducing the need for complicated configurations while maintaining secure connections.
Wi-Fi authentication comes in three types:
personal, open, and enterprise. Within the personal category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).
In WPA2, pre-shared key (PSK) authentication uses
a passphrase to generate the key used to encrypt communications. It is also referred to as group authentication because a group of users shares the same secret.
When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm.
This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network.
The PMK is used as part of WPA2’s 4-way handshake to derive various session keys.
While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is called
Password-Authenticated Key Exchange (PAKE)
In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces
the 4-way handshake, which has been found vulnerable to various attacks. SAE uses the Dragonfly handshake, which is essentially elliptic-curve Diffie-Hellman key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes.
With SAE, there should be no way for an attacker to sniff the handshake, obtain the hash value, and use an offline brute force or dictionary attack to recover the password. Dragonfly also uses ephemeral session keys, providing forward secrecy.