This page looks best with JavaScript enabled

IT Security: Defense against the digital dark arts

 ·  β˜• 37 min read

This is an excellent course. It is a great refresher of a lot of cybersecurity concepts that most engineers might have heard of but not know. If you don’t know much, it would be much more useful since you’ll have a better knowledge of the attack vectors and all vulnerabilities that surround us daily. If you know, it will help in filling up many blank spots in your knowledge.

The enthusiasm, knowledge, expertise, and the presentation skills of the instructor Gian Spicuzza, who is a Program Manager with the Android Security team, really was the differentiator, in addition to the content of the course. He definitely is my model Program Manager, someone who is great technically and is able to articulate his ideas very well. After the course, I’m confident of being able to teach an introductory course in IT Security.

Course Link - https://www.coursera.org/learn/it-security/

Time Commitment & Learning Strategy

For someone who has a foundation in CS and had some experience, I think the course can be done in a week’s time by spending around 2 hours per day. My strategy was to watch the videos (say at 1.5x speed) while on the move (say running on the treadmill), download the transcripts, and read through them while sitting, review transcripts while answering the quizzes. Most of the learning comes from answering the questions in the quizzes and the qwiklab labs. I thoroughly loved the qwiklab labs. They were the best hands-on learning experience that I had.

If the course creators had shared the slides, the learning strategy could be

  • Attempt the quizzes
  • Go through the slides
  • Review some videos for concepts that are not clear.
  • Attempt the quizzes again to possibly score 100%
  • Do the hands-on labs

Notes

Week 1 - Understanding Security Threats

Key Concepts

  • Define and recognize security risks, vulnerabilities and threats.
  • Be able to identify the most common security attacks.
  • Understand how security revolves around the CIA principle.

Introduction to IT Security

  • Intro to the instructor - Gian Spicuzza, Overview of the course, other stuff about navigating coursera, using discussion forum, etc.

Malicious Software

  • The CIA Triad
    • CIA = confidentiality, integrity, and availability
    • Confidentiality - keeping things hidden
    • Integrity - keeping data accurate and untampered
    • Availability - Information is readily accessible for those who need it
  • Essential Security Terms
    • Risk - possibility of suffering a loss
    • Vulnerability - holes that you may or may not be aware of. 0-day vulnerability (zero-day) - A type of vulnerability that is not known to the software dev or vendor but to the attacker.
    • Exploit - Software that is used to take advantage of a vulnerability.
    • Threat - possibility of danger that could exploit a vulnerability
    • Hacker - someone who attempts to break into or exploit a system. black hat hackers, white hat hackers.
    • Attack - An actual attempt at causing harm to a system
  • Malicious Software
    • Malware - (malicious software) that can be used to obtain your sensitive information or delete or modify files. viruses, worms, adware, spyware, Trojans, root kids, backdoors, botnets, ..
    • Virus - virus affects a program and replicates itself on files that the program touches, does the malicious work it’s intended to do, and repeats this over and over.
    • Worms - similar to viruses except that instead of having to attach themselves onto something to spread, worms can live on their own and spread through channels like the network.
    • Adware - software that displays advertisements and collects data.
    • Trojan - malware that disguises itself as one thing but does something else
    • Spyware - malware that monitors your computer screens, key presses, webcams, and then reports/streams all of this information to another party.
    • Ransomware - type of attack that holds your data or system hostage until you pay some sort of ransom
  • Malware Continued
    • Bots - steals computer resources
    • Botnets are designed to utilize the power of the Internet-connected machines to perform some distributed function. E.g. bitcoin mining.
    • Backdoor - a secret entryway for attackers
    • Rootkit - admin access. Allows admin level modification to an operating system
    • logic bomb - a type of Malware that’s intentionally installed, after a certain event or time has triggered, it will run the malicious program

Network Attacks

  • Network Attacks
    • A DNS Cache Poisoning attack works by tricking a DNS server into accepting a fake DNS record that will point you to a compromised DNS server.
      • A man-in-the-middle attack, is an attack that places the attacker in the middle of two hosts that think they’re communicating directly with each other
      • A rogue AP is an access point that is installed on the network without the network administrator’s knowledge
        Evil twin attack is for you to connect to a network that is identical to yours.
  • Denial-of-Service
    • DoS (Denial of Service) attack, is an attack that tries to prevent access to a service for legitimate users by overwhelming the network or server.
    • Ping of Death (POD) - sending malformed ping to a computer.
    • Ping flood - sending tons of ping packets to a system
    • SYN flood - server is being bombarded with the SYN packets
    • Distributed denial-of-service attack (DDoS) - A DoS attack using multiple systems

Other Attacks

  • Client-Side Attacks
    • Injection attacks - inject malicious code to be executed in the system
    • Cross-site scripting, or XSS attacks - attacker can insert malicious code and target the user of the service
    • SQL injection attack - targets a website if it is using a SQL database
  • Password Attacks
    • Brute force attack - continuously try different combinations
    • Dictionary attack - tries commonly used passwords from a dictionary
  • Deceptive Attacks
    • Social engineering is an attack method that relies heavily on interactions with humans. attackers use deceptive techniques to get access.
    • Phishing attack - fake email that seems trustworthy due to the logo and color combinations.
    • Spoofing - source is masquerading around as something else
    • Baiting - attacker could leave a USB and an innocent person could take it and put it in to their computer thinking it is free.
    • Tailgating - entering a building immediate after someone

Week 2 - Pelcgbybtl (Cryptology)

Key Concepts

  • Understand the how symmetric encryption, asymmetric encryption, and hashing work.
  • Describe the most common algorithms of cryptography.
  • Choose the most appropriate cryptographic method given a scenario.

Symmetric Encryption

  • Cryptography
    • The topic of cryptography, or hiding messages from potential enemies, has been around for thousands of years. It has evolved greatly now with the advent of modern technology, computers and telecommunications.
    • Encryption is the act of taking a message, called plaintext, and applying an operation to it, called a cipher, and creating a garbled/unreadable/different from original message, called ciphertext. The reverse process, is called decryption.
    • A cipher is actually made up of two components, the encryption algorithm and the key. The algorithm is the underlying logic and is usually complex mathematical operations. The key is something unique to the specific cipher in use.
    • Kerckhoff’s principle (Shannon’s maxim / ’enemy knows the system’) - This principle states that a cryptosystem, or a collection of algorithms for key generation and encryption and decryption operations that comprise a cryptographic service should remain secure, even if everything about the system is known except for the key.
    • Cryptography - overarching discipline that covers the practice of coding and hiding messages from third parties
    • Cryptology - Study of cryptography
    • Cryptanalysis - trying to decipher coded messages (Reminded of Dan Brown’s “Da Vinci Code”). E.g. of a machine - Collossus during World war 1
    • Steganography - practice of hiding information from observers, but not encoding it. (like writing a message using Invisible Ink!)
    • A note in the reading material - A mentioned above, the algorithm for encryption is usually complex mathematical operations. Mostly it is large primeΒ number factorizationΒ which is currently computationally difficult. But if quantum computing become a reality, then brute force attacks to break the keys would be easier.
  • Symmetric Cryptography
    • Symmetric Cryptography - Use the same key to encrypt and decrypt messages. For e.g. ROT-13 is a Caesar cipher that uses a key of 13, which means a text is encrypted by rotating each character in the alphabet by 13 letters.
    • Stream cipher - takes a stream of input and encrypts the stream one character or one digit at a time, outputting one encrypted character or digit at a time. So, there’s a one- to-one relationship between data in and encrypted data out.
    • block cipher - takes data in, places that into a bucket or block of data that’s a fixed size, then encodes that entire block as one unit.
    • Initialization vector (IV) - Random data that’s integrated into the encryption key and the resulting combined key is then used to encrypt the data. This is to avoid key reuse. IV is sent in plaintext along with the encrypted message. e.g - 802.11 frame of a WEP encrypted wireless packet.
  • Symmetric Encryption Algorithms
    • DES (Data Encryption Standard) - designed by IBM in the 70s with inputs from NSA. Was adopted as an official FIPS, Federal Information Processing Standard for the US.
    • DES is a symmetric block cipher that uses 64-bit key sizes and operates on blocks 64-bits in size. Since 8-bits are used for parity checking, in reality, the key length is 56 bits.
    • This means there are 2^56 or 72 quadrillion possible keys to guess from. In the 70s, it seemed like a huge task to determine the key using brute force but in 1998 the EFF, Electronic Frontier Foundation, decrypted a DES-encrypted message in only 56 hours!
    • In 2001, NIST, National Institute of Standards and Technology, adopted AES, Advanced Encryption Standard. AES is the first and only public cipher that’s approved for use with top secret information by NSA.
    • AES is similar to DES but it uses 128-bit blocks, twice the size of DES blocks, and supports key lengths of 128-bit, 192-bit, or 256-bit.
    • Key things to note while adopting an algorithm -> Should be implementable in software or hardware, should be easy to implement, should be fast enough.
    • Some platforms implement cryptographic algorithms in hardware to accelerate the processes and
    • remove some of the burden from the CPU.
    • RC4, or Rivest Cipher 4, is a symmetric stream cipher that gained widespread adoption because
    • of its simplicity and speed. RC4 is not used anymore. Though it supports key sizes from 40-bits to 2,048-bits, the cipher itself has inherent weaknesses and vulnerabilities that have been exploited many times. RC4 was used in many protocols - WEP for wireless encryption, WPA, was used in SSL and TLS till 2015.
    • The preferred secure configuration is TLS 1.2 with AES GCM, a specific mode of operation for the AES block cipher that essentially turns it into a stream cipher. GCM, or Galois/Counter Mode, works by taking randomized seed value, incrementing this and encrypting the value, creating sequentially numbered blocks of ciphertexts.
      Symmetric encryption is very convenient. But the key issue is with the fact that same key is used and it needs to be shared.

Public Key or Asymmetric Encryption

  • Asymmetric Cryptography
    • Asymmetric encryption - different keys are used to encrypt and decrypt.
    • Process - generate a private key, then using this private key, generate a public key. It should be almost impossible (computationally very difficult) to figure out corresponding private key given a public key.
    • Person A uses Person B’s public key to encrypt the message which the Person B decrypts using his private key.
    • Digital signature - If Person B also wants to validate that the message came from Person A, then Person A could compose the message and combine it with his/her private key to generate a digital signature. Person B could use Person A’s public key to validate the signature.
    • Asymmetric cryptosystem grants us - confidentiality, authenticity, and non-repudiation.
    • Confidentiality is granted through the encryption-decryption mechanism
    • Authenticity is granted by the digital signature mechanism
    • Non-repudiation is granted by digital signature & encryption/decryption mechanism. The person who is sending the message cannot deny that it was sent from them.
    • Hybrid - Asymmetric is used to share keys and symmetric is used for actual data encryption/decryption. This also safety as well as speed.
    • A MAC (Message Authentication Code) is a bit of information that allows authentication of a received message, ensuring that the message came from the alleged sender. Similar to digital signature.
    • Popular - HMAC (Keyed-Hash MAC). HMAC uses a cryptographic hash function along with a secret key to generate a MAC.
  • Asymmetric Encryption Algorithms
    • RSA - Rivest Shamir Adleman. Released to public domain by RSA Security in the year 2000.
    • DSA - Digital Signature Algorithm - used for signing and verifying data
    • DH - Diffie-Hellman - key exchange algorithm
    • ECC - Elliptic curve cryptography is a public key encryption system that uses the algebraic structure of elliptic curves over finite fields to generate secure keys. The benefit of elliptic curve based encryption systems is that they are able to achieve security similar to traditional public key systems with smaller key sizes. So, for example, a 256 bit elliptic curve key, would be comparable to a 3,072 bit RSA key.
    • ECDH and ECDSA - elliptic curve variants of DH and DSA

Hashing

  • Hashing
    • Hashing (hash function) - a type of function or operation that takes in an arbitrary data input and maps it to an output of a fixed size, called a hash or a digest. output is unique to the input, such that two different inputs should never yield the same output.
    • Cryptographic hash functions are used for various applications like authentication, message integrity, fingerprinting, data corruption detection and digital signatures.
    • Cryptographic hash function should be one-directional, deterministic, quick to compute and be efficient, not possible to retrieve plain text, small change in input should result in a different output and there should be no correlation b/w input change and output, not have hash collisions.
  • Hashing Algorithms
    • MD5 is a popular and widely used hash function designed in the early 1990s as a cryptographic hashing function. It operates on a 512 bit blocks and generates 128 bit hash digests. Due to the vulnerabilities in the hash function (hash collision issue), it was recommended to stop using MD5 for cryptographic applications by 2010.
    • SHA-1 is part of the secure hash algorithm suite of functions, designed by the NSA and published in 1995. It operates a 512 bit blocks and generates 160 bit hash digest. SHA-1 is another widely used cryptographic hashing functions, used in popular protocols like TLS/SSL, PGP SSH, and IPsec. SHA-1 is also used in version control systems like Git, which uses hashes to identify revisions and ensure data integrity by detecting corruption or tampering.
    • Many organizations have recommended replacing SHA-1 with SHA-2 or SHA-3 due to vulnerabilities in SHA-1
    • A MIC (message integrity check) - a hash digest of the message, a checksum to ensure integrity. It is different from MAC and the main goal is protecting against accidental corruption or loss, but not protecting against tampering.
  • Hashing Algorithms (continued)
    • Think of passwords for user login. The password is usually hashed and stored so that a bad action will not be able to get the plain text. Sometimes it is hashed multiple times making the retrieval even harder for malicious actors.
    • Rainbow table - a pre-computed table of all possible password values and their corresponding hashes.
    • SALT - A password salt is additional randomized data that’s added into the hashing function to generate the hash that’s unique to the password and salt combination.

Cryptography Applications

  • Public Key Infrastructure
    • PKI is a system that defines the creation, storage and distribution of digital certificates. A digital certificate is a file that proves that an entity owns a certain public key. A certificate contains information about the public key, the entity it belongs to and a digital signature from another party that has verified this information.
    • CA (Certificate Authority) - The entity that’s responsible for storing, issuing, and signing certificates
    • RA (Registration Authority) - Responsible for verifying the identities of any entities requesting certificates to be signed and stored with the CA. Usually CA performs both.
    • SSL or TLS server certificate. This is a certificate that a web server presents to a client as part of the initial secure setup of an SSL, TLS connection.
    • Self Sign Certificate - The certificate has been signed by the same entity that issued the certificate.
    • SSL or TLS client certificate - certificates that are bound to clients and are used to authenticate the client to the server, allowing access control to a SSL, TLS service.
    • code signing certificates - used for signing executable programs
    • Root Certificate Authority. These root certificates are self signed because they are the start of the chain of trust. If the root CA signs a certificate and sets a field in the certificate called CA to true, this marks a certificate as an intermediary or subordinate CA. What this means is that the entity that this certificate was issued to can now sign other certificates. And so, on building a chain.
    • Each major OS vendor ships a large number of trusted root CA certificates with their OS
    • Fields in the X.509 standard -
      • Version, what version of the X.509 standard certificate adheres to.
      • Serial number, a unique identifier for their certificate assigned by the CA which allows the CA to manage and identify individual certificates.
      • Certificate Signature Algorithm, this field indicates what public key algorithm is used for the public key and what hashing algorithm is used to sign the certificate.
      • Issuer Name, this field contains information about the authority that signed the certificate.
      • Validity, this contains two subfields, Not Before and Not After, which define the dates when the certificate is valid for.
      • Subject, this field contains identifying information about the entity the certificate was issued to.
      • Subject Public Key Info, these two subfields define the algorithm of the public key along with the public key itself.
      • Certificate Signature Value - the digital signature data
      • Certificate fingerprints which aren’t actually fields in the certificate itself, but are computed by clients when validating or inspecting certificates. These are just hash digests of the whole certificate.
    • A Web of Trust - Where individuals instead of certificate authorities sign other individuals’ public keys. Before an individual signs a key, they should first verify the person’s identity through an agreed upon mechanism.
      • Key Signing Parties - Group of participants perform verification and signing. At the end of the party everyone’s public key should have been signed by every other participant establishing a web of trust.
  • Cryptography in Action
    • HTTPS is the secure version of HTTP, the Hypertext Transfer Protocol. Also called HTTP over SSL or TLS since it’s essentially encapsulating the HTTP traffic over an encrypted, secured channel utilizing SSL or TLS.
    • SSL was deprecated in 2015, and TLS 1.2 is the current recommended revision.
    • TLS is a generic protocol to permit secure communications and authentication over a network. TLS is also used to secure other communications aside from web browsing, like VoIP calls such as Skype or
      Hangouts, email, instant messaging, and even Wi-Fi network security.
    • TLS grants 3 things -
      • One, a secure communication line, which means data being transmitted is protected from potential eavesdroppers.
      • Two, the ability to authenticate both parties communicating, though typically, only the server is authenticated by the client.
      • And three, the integrity of communications, meaning there are checks to ensure that messages aren’t lost or altered in transit.
    • Steps
      • ClientHello - Client includes information about the client, like the version of the TLS that the client supports, a list of cipher suites that it supports, and maybe some additional TLS options.
      • ServerHello - Server selects the highest protocol version in common with the client, and chooses a cipher suite from the list to use. It also transmits its digital certificate and a final ServerHelloDone message.
      • Client Validation - The client will then validate the certificate that the server sent over to ensure that it’s trusted and it’s for the appropriate host name. Assuming the certificate checks out, the client then sends a ClientKeyExchange message. This is when the client chooses a key exchange mechanism to securely establish a shared secret with the server. It then sends ChangeCipherSpec message indicating that it’s switching to secure communications now. Followed by encrypted Finished message.
      • Server response - The server replies with a ChangeCipherSpec and an encrypted Finished message once the shared secret is received.
    • SSH (Secure Shell) uses public key cryptography to authenticate the remote machine that the client is connecting to, and has provisions to allow user authentication via client certificates, if desired.
    • PGP (Pretty Good Privacy) - An encryption application that allows authentication of data along with privacy from third parties. Very secure. Has been compared to military grade encryption. Designed to use keys no smaller than 128 bit.
  • Securing Network Traffic
    • A VPN is a mechanism that allows you to remotely connect a host or network to an internal private network, passing the data over a public channel, like the Internet. A sort of encrypted tunnel.
    • IPsec, or Internet Protocol Security, is a VPN protocol that was designed in conjunction with IPv6.
      • It works by encrypting an IP packet and encapsulating the encrypted packet inside an IPsec packet.
      • This encrypted packet then gets routed to the VPN endpoint where the packet is de-encapsulated and decrypted then sent to the final destination.
      • IPsec supports two modes of operations, transport mode and tunnel mode.
      • When transport mode is used, only the payload of the IP packet is encrypted, leaving the IP headers untouched.
      • In tunnel mode, the entire IP packet, header, payload, and all, is encrypted and encapsulated inside a new IP packet with new headers.
    • L2TP, or Layer 2 Tunneling Protocol, is a simple tunneling protocol that allows encapsulation of different protocols. The tunnel is provided by L2TP, secure channel is provided by Ipsec.
    • L2TP IPsec (combination of L2TP and IPSec) was officially standardized in ietf RFC 3193
    • OpenVPN uses the OpenSSL library to handle key exchange and encryption of data, along with control channels.
  • Cryptographic Hardware
    • Trusted Platform Module or TPM - is a hardware device that’s typically integrated into the hardware of a computer, that’s a dedicated crypto processor.
    • TPM offers secure generation of keys, random number generation, remote attestation, and data binding and sealing.
    • Secure element. Similar to a TPM, it’s a tamper resistant chip often embedded in the microprocessor or integrated into the mainboard of a mobile device.
    • Full Disk Encryption or FDE, is the practice of encrypting the entire drive in the system. E.g - Bitlocker from Microsoft, Filevault 2 from Apple, open source software dm-crypt.

Week 3 - AAA Security (Not Roadside Assistance)

Key Concepts

  • Identify and describe the most common authentication services.
  • Understand and be able to choose the most appropriate method of authentication or authorization.
  • Be able to grant the appropriate level of access for the users of an organization.

Authentication

  • Authentication Best Practices
    • Identification is the idea of describing an entity uniquely.
    • Authentication - to go about proving you are who you claim to be (AuthN)
    • Authorization - pertains to the resources and identity has access to (AuthZ)
    • A good password policy system would enforce length requirements, character complexity, and check for the presence of dictionary words, which would undermine the strength of password.
  • Multifactor Authentication
    • Multifactor authentication is a system where users are authenticated by presenting multiple pieces of information (factors). 3 types of factors - Something you know, something you have, and something you are.
    • Something you know - password, pin, etc.
    • something you have - physical token, card, etc.
    • something you are - retina scan, fingerprint
    • Physical tokens - RSA securId token - It’s a small, battery-powered device with an LCD display, that shows a One-Time-Password that’s rotated periodically. The seed value is used in conjunction with the current time to generate a One-Time-Password.
    • Another common method is delivering OTP via sms to mobile phones. Issue - SMS isn’t encrypted, nor is it private. And it’s possible for SMS to be intercepted by a well-funded attacker.
    • Biometric - Biometric characteristics can be super difficult to change in the event that they are compromised unlike passwords. So usually hash of fingerprint is stored instead of the actual data.
    • U2F or Universal Second Factor - U2F incorporates a challenge-response mechanism, along with public key cryptography to implement a more secure and more convenient second-factor authentication solution
  • Certificates
    • In order to issue client certificates, an organization must set up and maintain CA infrastructure to issue and sign certificates.
  • LDAP
    • LDAP, or Lightweight Directory Access Protocol, is an open industry-standard protocol for accessing and maintaining directory services
    • Bind - how clients authenticate to the server.
    • StartTLS, which permits a client to communicate using LDAP v3 over TLS.
    • Unbind - closes connection.
  • RADIUS
    • RADIUS or Remote Authentication Dial-In User Service, is a protocol that provides AAA services for users on a network.
    • When a client wants to access a resource that’s protected, the client will present authentication credentials to a NAS or Network Access Server which will relay the credentials to the RADIUS server.
    • Once the RADIUS server has evaluated the user authentication request, it replies with one of three messages access reject, access challenge or access accept.
  • Kerberos
    • Kerberos is a network authentication protocol that uses tickets to allow entities to prove their identity over potentially insecure channels to provide mutual authentication.
    • Kerberos supports AES encryption, and implements checksums to ensure data integrity and confidentiality.
    • The authentication tickets let users authenticate to services without requiring username and password authentication for every service individually
    • The first message is the encrypted client to server ticket received from the Ticket Granting Service. The second is a new authenticator with the client ID and time stamp encrypted using the client-server session key. The SS decrypts the first message using its secret key which provides it with the client-server session key. The key is then used to decrypt the second message, and it compares the client ID in the authenticator to the one included in the client to server ticket. If these IDs match, then the SS sends a message containing the time stamp from the client supplied authenticator encrypted using the client-server session key. The client, then decrypts this message, and checks that the time stamp is correct authenticating the server. If this all succeeds, then the server grants access to the requested service on the client.
  • TACACS+
    • TACACS+ (Terminal Access controller Access-Control System Plus) - Cisco developed AAA protocol that was released as an open standard in 1993. TACACS+ is primarily used for device administration, authentication, authorization, and accounting, as opposed to RADIUS, which is mostly used for network access AAA
  • Single Sign-On
    • SSO (Single Sign-On) is accomplished by authenticating to a central authentication server, like an LDAP server. This then provides a cookie, or token that can be used to get access to applications configured to use SSO.
    • Kerberos is actually a good example of an SSO authentication service. The user would authenticate against the Kerberos service once, which would then grant them a ticket granting ticket. This can then be presented to the ticket granting service in place of traditional credentials. So, the user can enter credentials once and gain access to a variety of services.
    • openID - centralized authentication system, is an open standard that allows participating sites known as Relying Parties to allow authentication of users utilizing a third party authentication service.

Authorization

  • Authorization and Access Control Methods
    • Authorization pertains to describing what the user account has access to or doesn’t have access to.
    • Kerberos - After user is authenticated and receives a TGT, it can be used to request access to a specific service by sending a request to Ticket-granting service (TGS). The TGS will decide whether or not the user in question is permitted to access the service being requested.
  • Access Control
    • OAuth is an open standard that allows users to grant third-party websites and applications access to their information without sharing account credentials.
    • User needs to confirm if they grant access or not. Once confirmed, the identity provider will supply the third party with a token that gives them access to the user’s information.
    • The provider issues an access token which would have a scope to do specific things.
    • OAuth is specifically an authorization system and OpenID is an authentication system
    • OpenID Connect is an authentication layer built on top of OAuth 2.0 designed to improve upon OpenID and build better integration with OAuth authorizations
  • Access Control List
    • An access control list or ACL, is a way of defining permissions or authorizations for objects.
    • A file system would have an ACL, which is a table or database with a list of entries specifying access rights for individuals or groups for various objects on the file system like folders, files or programs. These individual access permissions per object are called Access Control Entries
    • Network ACLs are used for restricting and controlling access to hosted services running on hosts within your network.

Accounting

  • Tracking Usage and Access
    • Accounting - keeping records of what resources and services your users access or what they did when they were using your systems.
    • Auditing - involves reviewing these records to ensure that nothing is out of the ordinary
    • TACACS+ server would be more concerned with keeping track of user authentication, what systems they authenticated to, and what commands they ran during their session
    • RADIUS will track details like session duration, client location and bandwidth, or other resources used during the session.

Week 4 - Securing Your Networks

Key Concepts

  • Implement security measures on a network environment.
  • Understand the risks of wireless networks and how to mitigate them.
  • Understand how to monitor network traffic and read packet captures.

Secure Network Architecture

  • Network Hardening Best Practices
    • Network hardening is the process of securing a network by reducing its potential vulnerabilities through configuration changes, and taking specific steps.
    • General security principle - Disable unnecessary extra services or restrict access to them.
    • Implicit deny - A network security concept where anything not explicitly permitted or allowed should be denied. Whitelist instead of blacklist.
    • Monitoring & analyzing network traffic is important. Establish a baseline of what your typical network traffic looks like. Splunk is an example of a good tool to use to analyze logs.
    • Correlation analysis is the process of taking log data from different systems, and matching events across the systems
    • Flood guards provide protection against DoS or denial of service attacks.
    • Network segmentation/separation, using VLANs to create virtual networks for different device classes or types, provides some security benefits.
  • Network Hardware Hardening
    • Rogue DHCP server attack - Attacker manages to deploy a rogue DHCP server on your network, which hands out DHCP leases - setting up gateway address and gaining access to traffic to/from the network.
    • DHCP snooping - A switch that has DHCP snooping will monitor DHCP traffic being sent across it, will also track IP assignments and map them to hosts connected to switch ports. Also protects against IP spoofing and ARP poisoning attacks.
    • ARP man-in-the-middle attack - An attacker could forge an ARP response, advertising its MAC address as the physical address matching a victim’s IP address. When this happens, all of the clients on the local network segment would cache this ARP entry.
    • Dynamic ARP inspection (DAI) - Another feature on enterprise switches that prevents ARP MIM attack. It requires the use of DHCP snooping to establish a trusted binding of IP addresses to switch ports. DAI will detect these forged gratuitous ARP packets and drop them.
    • IP source guard or IPSG - Can be enabled on enterprise switches along with DHCP snooping, to prevent IP spoofing attack.
    • 802.1X - IEEE standard for encapsulating EAP or Extensible Authentication Protocol traffic over the 802 networks. This is also called EAP over LAN or EAPOL, it was originally designed for Ethernet but support was added for other network types like Wi-Fi and fiber networks
    • EAP-TLS - 3 parties involved.
      • Supplicant - Client device/software on the client that handles the authentication. E.g. wpa_supplicant in linux.
      • Authenticator - Enterprise switch/Access point - A mediator that forwards request to authentication server
      • Authentication Server - Usually a RADIUS server where the actual credential verification and authentication occurs.
  • Network Software Hardening
    • N/W Software hardening includes things like firewalls, proxies, VPNs, etc.
    • Firewall - n/w based firewall or host-based firewall. Host-based in a must for portable devices like laptops. Usually both solutions are deployed.
    • VPNs provide secure remote access and link two networks securely.
    • Proxies can be really useful to protect client devices and their traffic. They also provide secure remote access without using a VPN. A proxy server can be configured to block content that might be malicious, dangerous, or just against company policy. A reverse proxy can be configured to allow secure remote access to web based services without requiring a VPN.

Wireless Security

  • WEP Encryption and Why You Shouldn’t Use It
    • WEP - Wired Equivalent Privacy - part of the original 802.11 standard introduced back in 1997. Was intended to provide privacy on par with the wired network, which means the information passed over
      the network should be protected from third parties eavesdropping by having physical proximity to the access point or client station. They key idea was to provide encryption so that even if someone eavesdrops, they wouldn’t be able to understand.
    • Encryption key for each packet was computed by taking the user-supplied shared key and then joining a 24-bit initialization vector (IV). The shared key was entered as either 10 hexadecimal characters for 40-bit WEP, or 26 hex characters for 104-bit WEP.
    • The main issue - WEP transmits both the plain text and the ciphertext in a way that exposes both of these messages to potential eavesdroppers. When plaintext and ciphertext are sent together, attackers can work out the key used for encryption.
    • No one should be using WEP anymore it doesn’t provide the expected confidentiality or security.
  • Let’s Get Rid of WEP! WPA/WPA2
    • WPA or Wi-Fi Protected Access - A short-term replacement for WEP that would be compatible with older WEP-enabled hardware with a simple firmware update.
    • TKIP or the Temporal Key Integrity Protocol. Introduced to overcome shortcomings of WEP security. Uses RC4 cipher. Generates unique encryption keys per packet. It also utilizes 256 bit long keys. Introduced 3 new features -
      • 1- A more secure key derivation method was used to securely incorporate the IV into the per packet encryption key.
      • 2- A sequence counter was implemented to prevent replay attacks by rejecting out of order packets.
      • 3- A 64-bit MIC or Message Integrity Check was introduced to prevent forging, tampering, or corruption of packets.
    • Wifi passphrase is not used to encrypt traffic. The passphrase is fed into the PBKDF2 or Password-Based Key Derivation Function 2, along with the Wi-Fi networks SSID as a salt. This is then run through the HMAC-SHA1 function 4096 times to generate a unique encryption key.
    • WPA2 improves WPA security even more by implementing CCMP or Counter Mode CBC-MAC Protocol. WPA2 is the best security for wireless networks currently available. It’s based on the AES cipher. Has Four-Way Handshake, since it’s made up of four exchanges of data between the client and AP.
    • WPS - a convenience feature designed to make it easier for clients to join a WPA-PSK protected network. WPS simplifies sharing passphrases by allowing for secure exchange of the SSID and pre-shared key. This is done after authenticating or exchanging data using one of the four supported methods - PIN entry authentication, NFC or USB for out of banned exchange of the network details, or push-button authentication.
  • Wireless Hardening
    • Though 802.1X with EAP-TLS is the most secure option, it may not be viable for small companies.
    • It requires the use of a RADIUSserver and an additional authentication back-end at a minimum.
    • If EAP-TLS is implemented, then all the public key infrastructure components will also be necessary. You have to securely deploy PKI on the back-end for certificate management, a system must be in place to sign the client’s certificates, you have to distribute them to each client that would be authenticating to the network.
    • If 802.1X is too complicated for a company, the next best alternative would be WPA2 with AES/CCMP mode

Network Monitoring

  • Sniffing the Network
    • Packet Sniffing or Packet Capture, is a process of intercepting network packets in their entirety for analysis.
    • Promiscuous mode - By default network interfaces accept and process packets that are for specific addresses. This can be overridden by configuring a special mode - Promiscuous mode which indicates “Give me all the packets.” Instead of only accepting and handling packets destined for its address, it will now accept and process any packet that it sees. This is much more useful for network analysis or monitoring purposes.
    • Port Mirroring, allows the switch to take all packets from a specified port, port range, or the entire VLAN and mirror the packets to a specified switch port.
    • Another option is to use Hubs. Hubs are a quick and dirty way of getting packets mirrored to your capture interface. Drawbacks - reduced throughput and the potential for introducing collisions.
    • Monitor mode, allows us to scan across channels to see all wireless traffic being sent by APs and clients. To capture wireless traffic, all you need is an interface placed into monitor mode. Just like enabling promiscuous mode, this can be done with a simple command.
  • Wireshark and tcpdump
    • Tcpdump is a super popular, lightweight command-line based utility that you can use to capture and analyze packets. Tcpdump uses the open source libpcap library. Also supports writing packet captures to a file for later analysis, sharing, or replaying traffic.
    • It converts key information from layers three and up into human readable formats.
    • Output of a sample tcpdump -
      • 1- Timestamp that represents when the packet on this line was processed by the kernel.
      • 2- Layer-3 protocol. E.g. IPv4
      • 3- Connection quad - source address, source port, destination address, and destination port.
      • 4- TCP flags, TCP sequence number if there are any.
      • 5- Ack number,TCP window size, then TCP options, if there are any.
      • 6- Payload size in bytes.
    • Wireshark - another capture and analysis tool that has more features than tcpdump.
    • It is a graphical utility that also uses the libpcap library for capture and interpretation of packets. It is more extensible when it comes to protocol and application analysis.
      • Can decode encrypted payloads if the encryption key is known.
      • Can identify and extract data payloads from file transfers through protocols like SMB or HTTP
  • Intrusion Detection/Prevention Systems
    • IDS/IPS systems look for matching behavior or characteristics that would indicate malicious traffic. IDS detects, IPS goes one level forward and prevents.
    • Can either be host based or network based.
    • NIDS systems resemble firewalls in a lot of ways. But a firewall is designed to prevent intrusions by blocking potentially malicious traffic coming from outside, and enforce ACLs between networks. NIDS systems are meant to detect and alert on potential malicious activity coming from within the network.
    • Some popular NID or NIP systems are Snort, Suricata, and Bro NIDS

Week 5 - Defense in Depth

Key Concepts

  • Implement the appropriate methods for system hardening.
  • Implement the appropriate methods for application hardening.
  • Determine the appropriate policies to use for operating system security.

System Hardening

  • Intro to Defense in Depth
    • Defense in depth is the concept of having multiple overlapping systems of defense to protect IT systems.
    • This ensures some amount of redundancy for defensive measures.
  • Disabling Unnecessary Components
    • An attack vector is a method or mechanism by which an attacker or malware gains access to a network or system. Some attack vectors are email attachments, network protocols or services, network interfaces, and user input.
    • An Attack Surface is the sum of all the different attack vectors in a given system. Think of this as the combination of all possible ways an attacker could interact with our system, regardless of known vulnerabilities.
    • The less complex something is, the less likely there will be undetected flaws.
    • Another way to keep things simple is to reduce your software deployments. Instead of having five different software solutions to accomplish five separate tasks, replace them with one unified solution, if you can.
  • Host-Based Firewall
    • Host-based firewalls are important to creating multiple layers of security. They protect individual hosts from being compromised when they’re used in untrusted and potentially malicious environments. They also protect individual hosts from potentially compromised peers inside a trusted network.
    • Bastion hosts - exposed to the internet so you should pay special attention to hardening and locking them down to reduce the chances of compromise. A sort of gateway or access portal into more sensitive services like core authentication servers or domain controllers.
  • Logging and Auditing
    • Logging is very crucial.
    • A firewall would log traffic that matches rules with details like source and destination addresses, and ports being used
    • Security information and event management systems or SIEMS - centralized logging server
    • Some examples of logging servers and SIEMS solutions are the open source rsylog, Splunk Enterprise Security, IBM Security Qradar, and RSA Security analytics.
  • Antimalware Protection
    • Antivirus software is signature based. This means that it has a database of signatures that identify known malware like the unique file hash of a malicious binary or the file associated with an infection. Or it could be that network traffic characteristics that malware uses to communicate with a command and control server.
    • There are two issues with antivirus software though. The first is that they depend on antivirus signatures distributed by the antivirus software vendor. The second is that they depend on the antivirus vendor discovering new malware and writing new signatures for newly discovered threats.
  • Disk Encryption
    • Full-disk encryption, or FDE, is an important factor in a defense in-depth security model. It provides protection from some physical forms of attack
    • There are first-party full-disk encryption solutions from Microsoft and Apple called Bit Locker and FileVault 2 respectively. There are also a bunch of third party and open source solutions. On Linux, the dm-crypt package is super popular. There are also solutions from PGP, TrueCrypt, VeraCrypt, and lots of others.

Application Hardening

  • Software Patch Management
    • A lot of attacks depend on exploiting bugs in software. This triggers obscure and unintended behavior which can lead to a compromise of the system running the vulnerable software.
    • Can be fixed through software patches and updates which correct the bugs
    • Solutions like Microsoft’s SCCM or Puppet Labs puppet in fact and tools allow administrators to get an overview of what software is installed across their fleet of many systems
  • Application Policies
    • Application software can represent a pretty large attack surface. So it is important to have some kind of application policies in place.
    • Policies define boundaries of what applications are permitted or not, they also help educate folks on how to use software more securely

Week 6 - Creating a Company Culture for Security

Key Concepts

  • Determine appropriate measures to use to meet the 3 goals of security.
  • Develop a security plan for a small-medium size organization.
  • Develop a disaster recovery plan.

Risk in the Workplace

  • Security Goals
    • Before you start to design a security architecture, you need to define exactly what you like it to accomplish, which differs from company to company. If the company handles credit card payments, then you have to follow the PCI DSS or Payment Card Industry Data Security Standard depending.
    • 6 broad objectives of PCI DSS (An area that I’m super familiar with!)
      1. Build and maintain a secure network and systems
        1. Install and maintain a firewall configuration to protect cardholder data
        2. Not use vendor supply default for system passwords/other parameters
      2. Protect cardholder data
        1. Protect stored cardholder data - encrypt data at rest, have data retention policies to make sure that sensitive payment information isn’t stored beyond the time it’s required
        2. Encrypt the transmission of cardholder data across open public networks
      3. Maintain a vulnerability management program
        1. Protect all systems against malware and regularly update antivirus software or programs
        2. Develop and maintain secure systems and applications
      4. Implement strong access control measures
        1. Restrict access to cardholder data by business need-to-know
        2. Identify and authenticate access to system components
        3. Restrict physical access to cardholder data
      5. Regularly monitor and test networks
        1. Track and monitor all access to network resources and cardholder data
        2. Regularly test security systems and processes
      6. Maintain an information security policy
        1. Maintain a policy that addresses information security for all personnel (security team + users)
  • Measuring and Assessing Risk
    • Security is about determining risks and understanding the likelihood of attacks; and designing defenses around these risks to minimize the impact of an attack
    • Threat modeling - Identify likely threats to our systems, then we assign them priorities that correspond to severity and probability
  • Privacy Policy

Users

  • User Habits
    • One needs to set up users for success so that they don’t develop habits that might prove harmful.
    • For e.g. If long and complex passwords are enforced as a rule, users might end up writing them on a post-it to remember and that defeats the purpose.
    • If sharing big files is a common behavior, there needs to be a solution for that within the company so that users don’t end up using a 3rd party.
    • Password reuse is another common user behavior and one needs to encourage users to choose unique passwords for different systems.
  • Third-Party Security
    • When you contract services from a third party, you’re trusting them to protect your data and any credentials involved.
    • Conduct a vendor risk review or security assessment.
    • If possible, ask the third party security assessment report.
    • Google recently made their vendor security assessment questionnaires available for free.
  • Security Training
    • It’s impossible to have good security practices at your company if employees and users haven’t received good trainings and resources.

Incident Handling

  • Incident Reporting and Analysis
    • The very first step of handling an incident is to detect it in the first place. It could be through IDS system or some other alerting. Or someone bringing to your notice.
    • The next step is to analyze it and determine the effects and scope of damage.
    • The next step is containment. You need to contain the breach to prevent further damage
  • Incident Response and Recovery
    • Once a threat has been detected and contained, it has to be removed or remediated.
    • For malware infection, this means removing the malware from affected systems.
    • In many other cases, removal may not be possible, the affected system might have to be restored to a known good configuration.
    • It is crucial to avoid complications or to not add to the problem. Sometimes shutdown works but many times, it could cause more damage.
  • Mobile Security and Privacy
    • One of the most basic protections you can enable on a smartphone or tablet is a screen lock.
    • Enable storage encryption on the device if it is not default.
    • Watch what permission is given to each app on the phone.
Share on
Robinson Raju
WRITTEN BY
Robinson Raju
Bibliophile, Friend, Optimist

Β©2024, Robinson Raju, All Rights Reserved

What's on this Page