Hardware and Software

Post on 10-Dec-2021


CompTIA Security+

Firewalls

Software vs Hardware, Stateful vs Stateless

Access Control Lists (ACL)

• An Access Control List, or ACL, is a set of data that informs a computer's operating system which permissions, or access rights, each user or group has to a specific system object (such as a directory or file).

• An example of an Access Control List would be Windows NTFS permissions.

• Firewalls also use ACLs to restrict network access to certain TCP and UDP ports or via source & destination IP addresses.

Firewall

• A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.

• Modern firewalls utilize stateful packet inspection.

• Stateful packet inspection will block incoming traffic that does not match an internal request.

• A firewall can mitigate port scanning.

Software Firewall

• A device, whether it is software or hardware, that inspects traffic and only allows authorized traffic in or out of the network or computer is called a firewall.

• A personal firewall or host-based firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy.

• By default, your inbound firewall rule should be set to “Deny-All”. This means that traffic originating from outside of the workstation will be denied access into the workstation. This is known as an Implicit Deny.

Hardware Firewall

• A hardware firewall, or network-based firewall, is a physical device that controls the flow of traffic throughout the network.

• Commonly used at the entrance to a network to separate a DMZ from an internal network.

• Alternatively, it could just be preventing traffic from one internal network to another.

Stateless Firewall

• A stateless firewall is configured with an ACL that permits or denies traffic based on static rules defined by an admin.

• The vulnerability here is that if the IP addressing of the packet is spoofed, the network can be compromised, as a stateless firewall doesn't support contextual analysis.

• The advantage with stateless firewalls is that processing is faster when compared to stateful firewalls.

Stateful Firewalls

• A stateful firewall inspects the traffic leaving a network and permits the return traffic to return dynamically by modifying an ACL on the edge of the network pointing into the internal network.

• Creates a “state table” to allow external replies to re-enter the network.

• Those packets matching state table entries will be permitted into the network. The advantages include more flexibility and less susceptibility to spoofing attacks when compared to stateless firewalls.

Implicit Deny

• Implicit deny is a term to describe the default action to deny everything when there are not any matches in the entries that you specify. This could be denying a hacker from penetrating your firewall, or it could be denying a sales rep. from accessing company payroll information.

• Implicit denies can be set in router ACLs, firewall rules, NTFS permissions, etc.

• An implicit deny means you will not have access to that resource unless explicitly allowed.
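The stateless ACL, implicit deny and stateful state table described above, as an added example that is not code from the original slides: a stateless firewall has to carry a static rule permitting replies with source port 443, so a packet that merely claims that source port gets through, while the stateful firewall permits only replies to flows in its state table and falls back to the explicit rules (or implicit deny) for everything else. Addresses and rules are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the internal network) or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# ACL rules are dicts of field -> required value; a field that is absent means "any".
# Rules are checked in order, the first match wins, and no match is an implicit deny.
STATELESS_ACL = [
    {"direction": "out", "proto": "tcp", "dport": 443, "action": "permit"},
    # A stateless firewall needs a static hole for replies to outbound HTTPS:
    {"direction": "in", "proto": "tcp", "sport": 443, "action": "permit"},
    {"direction": "in", "proto": "tcp", "src": "10.0.0.5", "dport": 22, "action": "permit"},
]

# The stateful firewall needs no static reply rule; its state table permits replies.
STATEFUL_ACL = [r for r in STATELESS_ACL if r.get("sport") != 443]


def acl_decide(acl, pkt):
    """Stateless evaluation: first matching rule, otherwise implicit deny."""
    for rule in acl:
        if all(getattr(pkt, field) == value for field, value in rule.items() if field != "action"):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    def __init__(self, acl):
        self.acl = acl
        self.state = set()   # outbound flows that were permitted, keyed as 5-tuples

    def decide(self, pkt):
        if pkt.direction == "out":
            action = acl_decide(self.acl, pkt)
            if action == "permit":
                self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        # Inbound: a reply to a flow in the state table is permitted dynamically ...
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.state:
            return "permit"
        # ... anything else must match an explicit inbound rule or is implicitly denied.
        return acl_decide(self.acl, pkt)


def run_scenario():
    """Constructed traffic: a real HTTPS session, a spoofed 'reply', an allowed admin SSH, and telnet."""
    fw = StatefulFirewall(STATEFUL_ACL)
    client_out = Packet("out", "tcp", "192.168.1.10", 50000, "93.184.216.34", 443)
    real_reply = Packet("in", "tcp", "93.184.216.34", 443, "192.168.1.10", 50000)
    spoofed = Packet("in", "tcp", "203.0.113.9", 443, "192.168.1.10", 40000)   # no matching request
    admin_ssh = Packet("in", "tcp", "10.0.0.5", 51515, "192.168.1.20", 22)
    telnet = Packet("in", "tcp", "203.0.113.9", 51515, "192.168.1.20", 23)
    results = {}
    for name, pkt in [("client_out", client_out), ("real_reply", real_reply),
                      ("spoofed", spoofed), ("admin_ssh", admin_ssh), ("telnet", telnet)]:
        results[name] = (acl_decide(STATELESS_ACL, pkt), fw.decide(pkt))
    return results   # name -> (stateless decision, stateful decision)


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:11s} stateless={stateless:6s} stateful={stateful}")
```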

VPN Concentrator

Types of VPNs, IPSEC, Split-tunneling, Always-on VPN

VPN Concentrators

• VPN concentrators incorporate the most advanced encryption and authentication techniques available.

• They are ideally deployed where the requirement is for a single device to handle a very large number of VPN tunnels.

• They were specifically developed to address the requirement for a purpose-built, remote-access VPN device.

Virtual Private Network (VPN)

• VPN technology provides secure remote access from a computer to a remote computer, or from one network to another network, over the Internet. There are two primary types of VPNs.

[Diagram: Remote Access VPN (through a Remote Access Server) and Site-to-site VPN]

IPsec

• IP Security is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.

• IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

• IPsec supports two encryption and authentication header modes:

• Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched.

• Tunnel mode encrypts both the header and the payload.

[Diagram: IPsec Transmission Modes. Transport Mode: end-to-end IPsec between all or some of the computers across the public network. Tunnel Mode: IPsec between gateways across the public network.]

AH vs ESP

• Authentication Header (AH) provides a framework for IPsec.

• This framework will allow for authentication, anti-replay, and integrity (NOT encryption).

• AH provides better performance than ESP.

• Encapsulating Security Payload (ESP) provides a framework for IPsec.

• This framework will allow for authentication, encryption, anti-replay, and integrity.

• Commonly implemented when compared with AH.

• ESP provides better security than AH.
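An added illustration, not part of the original slides, of the AH vs ESP and transport vs tunnel distinctions above: AH's integrity check value (ICV) covers the IP header and leaves the payload readable, ESP encrypts the payload and its ICV does not cover the outer header, tunnel mode wraps the whole original packet behind a new outer header, and the receiver rejects replayed sequence numbers. HMAC-SHA256 stands in for the ICV and a toy XOR keystream for ESP's real cipher; the key, addresses and packet layout are constructed and simplified, not the real IPsec wire format.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # constructed; real IPsec keys are negotiated by IKE


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def _seq_bytes(seq: int) -> bytes:
    return seq.to_bytes(4, "big")


def _xor_keystream(data: bytes, seq: int) -> bytes:
    """Toy confidentiality stand-in for ESP's cipher (NOT a secure construction)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += _mac(b"enc" + _seq_bytes(seq) + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _hdr(header: dict) -> bytes:
    return json.dumps(header, sort_keys=True).encode()


def ah_protect(header: dict, payload: bytes, seq: int) -> dict:
    """AH: the ICV covers header, sequence number and payload; the payload stays readable."""
    icv = _mac(_hdr(header) + _seq_bytes(seq) + payload)
    return {"header": header, "seq": seq, "payload": payload, "icv": icv}


def esp_protect(header: dict, payload: bytes, seq: int) -> dict:
    """ESP: the payload is encrypted; the ICV covers sequence number and ciphertext, not the IP header."""
    ciphertext = _xor_keystream(payload, seq)
    icv = _mac(_seq_bytes(seq) + ciphertext)
    return {"header": header, "seq": seq, "payload": ciphertext, "icv": icv}


def tunnel_protect(outer: dict, inner_header: dict, payload: bytes, seq: int, protect) -> dict:
    """Tunnel mode: the entire original packet becomes the payload behind a new outer header."""
    return protect(outer, _hdr(inner_header) + b"\n" + payload, seq)


class Receiver:
    """Verifies the ICV and rejects replayed sequence numbers (anti-replay)."""

    def __init__(self, mode: str):
        self.mode = mode          # "ah" or "esp"
        self.seen = set()

    def accept(self, pkt: dict):
        seq, payload = pkt["seq"], pkt["payload"]
        if seq in self.seen:
            return None           # replay: drop
        if self.mode == "ah":
            expected = _mac(_hdr(pkt["header"]) + _seq_bytes(seq) + payload)
        else:
            expected = _mac(_seq_bytes(seq) + payload)
            payload = _xor_keystream(payload, seq)
        if not hmac.compare_digest(expected, pkt["icv"]):
            return None           # tampered: drop
        self.seen.add(seq)
        return payload


def demo() -> dict:
    """Constructed packets: what each mode exposes on the wire and what the receiver rejects."""
    hdr = {"src": "10.1.0.5", "dst": "10.2.0.9"}          # inner (real) endpoints
    gw = {"src": "203.0.113.1", "dst": "198.51.100.1"}    # outer gateway addresses for tunnel mode
    secret = b"GET /payroll HTTP/1.1"
    ah, esp = ah_protect(hdr, secret, 1), esp_protect(hdr, secret, 1)
    ah_rx, esp_rx = Receiver("ah"), Receiver("esp")
    tampered = dict(ah, header={"src": "10.9.9.9", "dst": "10.2.0.9"})  # header rewritten in transit
    tun = tunnel_protect(gw, hdr, secret, 2, esp_protect)
    return {
        "ah_payload_readable": ah["payload"] == secret,
        "esp_payload_readable": esp["payload"] == secret,
        "ah_accepts_first": ah_rx.accept(ah) == secret,
        "ah_rejects_replay": ah_rx.accept(ah) is None,
        "ah_rejects_header_tamper": Receiver("ah").accept(tampered) is None,
        "esp_recovers_plaintext": esp_rx.accept(esp) == secret,
        "tunnel_hides_inner_addresses": b"10.1.0.5" not in tun["payload"] and tun["header"] == gw,
        "tunnel_receiver_sees_inner": Receiver("esp").accept(tun).startswith(_hdr(hdr)),
    }
```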

Split Tunneling

• When split tunneling is enabled, traffic intended for the corporate office is forwarded through the protective tunnel, while other traffic, such as web traffic, may be forwarded through the local connection in the clear. This may be done to cut down on overhead both for the end user and the corporate office.

• When split tunneling is disabled, all traffic will be forwarded to the corporate office through the protective tunnel. This may be done to ensure all traffic from the user is protected via the corporate policy.

TLS

• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.

• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.

• TLS has many uses, for example:

• TLS protects against man-in-the-middle attacks by enforcing that the client compare the actual DNS name of the server to the DNS name on the certificate.

• TLS can encrypt the protocols LDAP, HTTP, and SMTP.

• Can be used to create a secure VPN connection through a browser, allowing a VPN connection without requiring the client to download software other than a web browser.

Always-on VPN

• Always-On prevents access to the internet when the computer is not on a trusted network, unless a VPN session is active.

• This enforces that the computer be in a secure environment, protecting a computer on an untrusted network.

• Always-On should establish a VPN connection as soon as a user logs in and the computer detects it is on an untrusted network. Then, the VPN session should remain open until the user logs out.

NIDS/NIPS

Signature-based, Heuristic/Behavioral/Anomaly

False Positives & Negatives

IDS

• An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.

• IDS are used to detect suspicious behavior but not react to it.

• A major consideration when implementing an IDS solution is having the personnel to interpret results.

NIDS (Network Intrusion Detection System)

• A NIDS (Network Intrusion Detection System) is an intrusion detection system that watches network traffic in order to view if network communications are using unauthorized protocols.

• For a NIDS to view all available segment traffic on a switch, make sure that you configure a mirrored port.

• When using a NIDS, the NIC should be placed in promiscuous mode to monitor all traffic.

NIPS (Network Intrusion Prevention System)

• An IPS is a proactive security application that is used to prevent activity from entering your network.

• A NIPS (Network Intrusion Prevention System) is a network security device that monitors network and/or system activities for malicious or unwanted behavior.

• Reacts in real-time to block or prevent those activities.

• Usually placed in-line with data flow and can potentially disrupt network traffic.

NIDS and NIPS misc.

• Keep in mind that encrypting all network traffic will reduce the effectiveness when deploying and managing a NIDS or NIPS, because they cannot read the encrypted traffic.

• An IDS/IPS that identifies legitimate traffic as malicious activity is called a false positive.

• An IDS/IPS that identifies malicious activity as being legitimate activity is called a false negative. Example: an IDS that does not identify a buffer overflow.

Inline vs passive IPS

• An inline IPS is a proactive defense measure and works with the active data that is traversing your network.

• This gives the IPS much more control in order to prevent attacks.

• A passive IPS is a reactive defense measure and receives a copy of the data, and never works with the inline information.

• This gives the IPS less control, but reduces the chance of false positives and negatives.

• Essentially becomes an IDS.

Signature-based

• Signature-based IDS, the most basic form of IDS, employs a database with signatures/patterns to identify possible attacks and malicious activity.

• These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns.

• A signature-based monitoring tool depends on receiving regular updates.

• With signature-based monitoring, the vendor decides what traffic gets blocked by including specific traffic patterns in the signature files.

Anomaly/Heuristic/Behavior-based

• Anomaly-based IDS uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior.

• An anomaly-based IDS follows a learning process.

• The first step when implementing an anomaly-based IDS/IPS is documenting the existing network.

• Anomaly-based IDS uses statistical analysis to detect intrusions.

• With anomaly/heuristic-based systems, it is up to you to decide what traffic gets blocked by defining what is “normal”.
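An added example, not from the original slides, that runs both detection styles above over constructed web access-log lines and then scores each against a constructed ground truth, so the false positives and false negatives the section defines show up concretely: the signature engine flags a benign search containing a known pattern (false positive) and never sees a quiet scanner's burst (false negative), while the statistical engine catches the burst but misses a single known-bad request. Log format, addresses, signatures and the 3-sigma threshold are all constructed for the demo.

```python
import re
import statistics
from collections import Counter


def _lines(src, n, request="GET /index.html"):
    """Constructed log lines in the format '<src-ip> <time> <request>'."""
    return [f"{src} 09:{m:02d}:00 {request}" for m in range(n)]


# Documented "normal" period used to learn the baseline (step one of an anomaly-based deployment)
BASELINE = (_lines("10.0.0.1", 4) + _lines("10.0.0.2", 5) + _lines("10.0.0.3", 5)
            + _lines("10.0.0.4", 6) + _lines("10.0.0.5", 5))

# Live traffic: normal users, one benign search that happens to contain a signature string,
# one source with a sudden burst of plain requests, and one single known-bad request.
LIVE = (_lines("10.0.0.1", 5) + _lines("10.0.0.2", 4) + _lines("10.0.0.3", 3)
        + ["10.0.0.3 10:03:00 GET /search?q=union+select+tutorial"]
        + _lines("10.0.0.7", 40)
        + ["10.0.0.9 10:05:00 GET /../../etc/passwd"])

# Constructed ground truth: the sources an analyst later confirmed as malicious
TRUTH = {"10.0.0.7", "10.0.0.9"}

# Vendor-style signatures: fixed patterns describing known attack traffic
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union[\s+]+select", re.I),
}


def signature_detect(lines):
    """Signature-based: flag any source whose request matches a known attack pattern."""
    flagged = set()
    for line in lines:
        src, _, request = line.split(" ", 2)
        if any(rx.search(request) for rx in SIGNATURES.values()):
            flagged.add(src)
    return flagged


def anomaly_detect(baseline, live, k=3.0):
    """Anomaly-based: learn the 'normal' per-source volume, then flag sources far above it."""
    base = Counter(line.split(" ", 1)[0] for line in baseline)
    mean, sd = statistics.mean(base.values()), statistics.pstdev(base.values())
    threshold = mean + k * sd            # "normal" is defined by the operator's own traffic
    live_counts = Counter(line.split(" ", 1)[0] for line in live)
    return {src for src, n in live_counts.items() if n > threshold}


def evaluate(flagged, truth):
    """False positives: flagged but benign. False negatives: malicious but not flagged."""
    return {"false_positives": flagged - truth, "false_negatives": truth - flagged}


if __name__ == "__main__":
    for name, flagged in [("signature", signature_detect(LIVE)),
                          ("anomaly", anomaly_detect(BASELINE, LIVE))]:
        print(name, sorted(flagged), evaluate(flagged, TRUTH))
```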

Networking Hardware

Routers, Switches

Router

• A router is a computer networking device that forwards data packets from one network to another, towards their ultimate destinations.

• Routing occurs at layer 3 (the Network layer).

• Connects two or more networks together.

• Each interface connects to a different network.

• The router interface then becomes the Default Gateway.

• Does not pass broadcast packets.

• A router's Access Control Lists can be used to confine sensitive data and computers to particular sub-networks.

• Password protect the console port on a router if the router itself is placed in an unsecure location.

Switch

• A network switch is a hardware device that joins multiple computers together within one local area network.

• Switches operate at layer 2 (Data Link Layer) of the OSI model.

• Forwards packets by MAC address.

• Devices on each connection cannot usually see each other's traffic (except for broadcasts).

• It is best practice to disable any unused ports to secure the switch from physical access.

Multilayer Switch

• Multilayer switching is simply the combination of traditional Layer 2 switching with Layer 3 routing in a single product.

• Uses ARP to learn the IP addresses of devices that are connected.

• Can be used to permit different broadcast domains to communicate with each other.

Spanning Tree

• Switching loops must be avoided because they result in flooding the network.

• The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN.

• Allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops or the need for manual enabling/disabling of these backup links.

• Can be enabled to avoid broadcast storms.

• 802.1w and 802.1d are IEEE designations for spanning tree.

• The MAC address with the lowest number will become the root bridge for 802.1d.

Proxy Servers

Forward Proxies, Reverse Proxies

Transparent Proxies

Proxy Server

• A proxy server is a server that acts as a go-between for requests from clients seeking resources from the Internet.

• A proxy server combines two functions: it caches web pages locally to speed up access requests, while also acting as a content filter to block users from visiting inappropriate sites.

• If you want to know what websites your users are visiting, set up a proxy server.

• The best way to secure your email infrastructure is to set up an email proxy server in the DMZ and the email server in the internal network.

Forward Proxy vs Reverse Proxy

• A forward proxy acts as a proxy for outgoing traffic, protecting your network from the users in it.

• Can prevent users from going to malicious sites and inspect their traffic as it leaves.

• A reverse proxy acts as a proxy for incoming traffic, and can protect your network from external intruders.

• Can filter out requests from external attackers who are trying to infiltrate your network.

• Can stand in for a large number of servers, including but not limited to web servers, email servers, and file servers.

Transparent Proxy

• A transparent proxy does its normal functions as a proxy, but doesn't appear in the path of traffic. It does not modify the request or response for the traffic passing through it.

• Is seamless for the user connecting to the network, and may redirect a new user to a user agreement screen, but then routes all other traffic as normal.

• Can still handle caching for speeding up web access.

Load Balancer

Types of load balancers

Session affinity vs Round Robin

Virtual IPs

Load Balancer

• Load balancing is a computer networking methodology to distribute workload across multiple computers, network links, central processing units, disk drives, or other resources to achieve optimal resource utilization.

• Basically any devices can be load balanced to provide redundancy and load sharing.

Session Affinity vs Round Robin

• Session affinity remembers each user's session and continues to connect that user to the same server each time.

• So if user 1 connects to server 1, user 1 will continue to connect to server 1.

• Round Robin load balancing just assigns sessions to the first available server, and continues in sequence.

• So if there were three servers, user 1 would connect to server 1, user 2 to server 2, user 3 to server 3, user 4 to server 1, and so on.

Active or Passive Servers

• While load balancing, servers are in one of two states, active or passive. With those states, you end up with two configurations:

• Active-active, where all servers are active and participating in load balancing.

• Active-passive, where only some of the servers are actively being load balanced, and others are waiting as backups, or “failovers”.

Virtual IPs

• When many servers are being load balanced, it is possible that a client is not pointing to the physical IP address but to a virtual IP address associated with one “server”.

• Though this virtual server does not actually exist, it represents all servers being load balanced on the backend.

• This allows clients to see one IP address, while the load balancer handles which physical IP they connect to.
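An added simulation, not from the original slides, of the three ideas above behind one virtual IP: round robin hands sessions out in sequence, session affinity pins a client to the backend it first reached, and an active-passive spare is promoted into the pool when a health check marks a backend down (pinned clients of the failed backend are re-pinned rather than dropped). Server names, client addresses and the VIP are constructed.

```python
class LoadBalancer:
    """Clients talk to one virtual IP; the balancer decides which physical backend serves them."""

    def __init__(self, vip, active, passive=(), mode="round_robin"):
        self.vip = vip
        self.active = list(active)        # active-active pool
        self.passive = list(passive)      # active-passive spares ("failovers")
        self.mode = mode                  # "round_robin" or "affinity"
        self.pinned = {}                  # client -> backend (session affinity table)
        self._next = 0

    def _round_robin(self):
        backend = self.active[self._next % len(self.active)]
        self._next += 1
        return backend

    def route(self, client_ip):
        """Return the backend that will serve this client's request to the VIP."""
        if not self.active:
            raise RuntimeError(f"no healthy backend behind {self.vip}")
        if self.mode == "affinity":
            backend = self.pinned.get(client_ip)
            if backend in self.active:        # still healthy: keep the session on the same server
                return backend
            backend = self._round_robin()     # new client, or its server went away: pick and pin
            self.pinned[client_ip] = backend
            return backend
        return self._round_robin()

    def mark_down(self, backend):
        """Health check failed: remove the backend and promote a passive spare if one exists."""
        if backend in self.active:
            self.active.remove(backend)
            if self.passive:
                self.active.append(self.passive.pop(0))
        self._next = 0


def demo():
    """Constructed walk-through: round robin, affinity, then failover of a pinned backend."""
    rr = LoadBalancer("192.0.2.10", ["s1", "s2", "s3"])
    rr_order = [rr.route(f"10.0.0.{i}") for i in range(1, 5)]        # users 1..4

    aff = LoadBalancer("192.0.2.10", ["s1", "s2", "s3"], passive=["s4"], mode="affinity")
    first = [aff.route("10.0.0.1"), aff.route("10.0.0.2"), aff.route("10.0.0.1")]
    aff.mark_down("s1")                                               # user 1's server fails
    after = [aff.route("10.0.0.1"), aff.route("10.0.0.2"), sorted(aff.active)]
    return {"round_robin": rr_order, "affinity": first, "after_failover": after}


if __name__ == "__main__":
    print(demo())
```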

Wireless Access Points

SSID, MAC Filtering

Signal strength, Antenna Types & Placement

Fat vs Thin, Controller-based vs standalone

Access Point

• A wireless access point (WAP or AP) is a device that allows wireless devices to connect to a wired network.

• Although several WAPs can share the same SSID, individual WAPs can be identified by their BSSID (Basic Service Set Identifier), which is basically the MAC address of the WAP.

• The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point.

• Decrease the power levels on your WAP to limit the wireless signal range.

SSID

• SSIDs (Service Set Identifiers) are names used to identify the particular 802.11 wireless LAN(s) to which a user wants to connect.

• The security risk of broadcasting your wireless network SSID is that anyone can see it, and if you are not using a strong enough encryption type, an attacker can find the encryption key and connect to your network.

• You should disable the SSID broadcasting, or the beacon, if you do not want your wireless network to automatically be discoverable.

MAC Filtering

• MAC Filtering is the wireless version of port security and controls access to the network based on the wireless NIC's MAC address.

• To allow only certain wireless clients on your network, you should enable and configure MAC filtering.

• Enable MAC filtering to mitigate an issue where multiple unknown devices are connected to your WLAN.

Antenna – Omni-directional

• An omni-directional antenna, or vertical, is an antenna system which radiates power uniformly in one plane with a directive pattern shape in a perpendicular plane. This pattern is often described as "donut shaped".

• Two situations where an omni-directional antenna would be best used:

• To connect hosts to a WAP.

• To enable roaming access for laptop users.

Omni-directional antenna placement

• Keep in mind the placement of your antennae when considering the security of your wireless network.

• An antenna placed too close to the edge of the area you desire to provide wireless access to could allow an attacker to reach your network from outside the intended area.

• For example, if an antenna was placed on the edge of my building, an attacker would be able to pick up the signal in the parking lot.

Antenna – Yagi

• A Yagi antenna is a directional antenna system consisting of an array of a dipole and additional closely coupled parasitic elements.

• Can be used to create a wireless bridge.

Fat vs Thin WAPs

• A fat wireless access point is an intelligent WAP that has all of the features and software needed to manage your wireless clients. For example, it can enable and set up MAC filtering and enable or disable SSID broadcasting.

• A thin wireless access point is basically just the hardware. It can push on the configuration that was put in place elsewhere, but nothing is changed on the device itself.

• Easier to implement, so can save money and time.

Security Information and Event Management (SIEM)

Aggregation, Correlation

Automated alerting, Time sync

Event Deduplication

Aggregation & Correlation

• SIEM systems can aggregate data from many different systems, allowing all information to be consolidated and providing easier monitoring.

• SIEM systems can also provide correlation, detecting common attributes and bundling like data together, further increasing the ease of monitoring that data.

Automated Alerts and Triggering

• SIEM systems can be set up to provide alerts automatically to identify critical and immediate issues.

• Certain triggers can be set up to catch certain events, which will then send an alert to an admin, which allows faster reaction to certain events.

• Could optionally set up something along the lines of email alerts for certain triggers.

Time-sync and event deduplication

• SIEM systems can also synchronize the time of events across many servers, allowing an easily readable.

• Without synchronization, it would be difficult to pinpoint when different events happened on different systems, related to each other.

• A SIEM system can also remove redundant events for easy readability. Instead of having possibly hundreds of logs, only one is kept while noting the number of occurrences.
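An added example, not from the original slides, of the SIEM steps described above applied to constructed sshd log events from three hosts: normalize each host's local timestamp to UTC (time-sync, including a known clock skew on one host), deduplicate repeated events while keeping an occurrence count, and correlate by source address across hosts to raise an automated alert. Hostnames, addresses, the skew table and the 5-failures-in-10-minutes trigger are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed raw events: (host, local timestamp, UTC offset in hours, message).
# web02 logs in UTC+1 and is also known to run 90 s fast; vpn01 logs in UTC-5.
RAW = [
    ("web01", "2021-12-10 10:00:05", 0, "sshd: Failed password for admin from 198.51.100.7"),
    ("web01", "2021-12-10 10:00:09", 0, "sshd: Failed password for admin from 198.51.100.7"),
    ("web01", "2021-12-10 10:00:09", 0, "sshd: Failed password for admin from 198.51.100.7"),
    ("web02", "2021-12-10 11:01:45", 1, "sshd: Failed password for root from 198.51.100.7"),
    ("web02", "2021-12-10 11:01:50", 1, "sshd: Failed password for root from 198.51.100.7"),
    ("vpn01", "2021-12-10 05:00:40", -5, "sshd: Failed password for admin from 198.51.100.7"),
    ("vpn01", "2021-12-10 05:02:00", -5, "sshd: Failed password for bob from 10.0.0.12"),
]
CLOCK_SKEW = {"web02": timedelta(seconds=90)}   # host -> how far its clock runs ahead
EVENT_RX = re.compile(r"Failed password for (\S+) from (\S+)")


def normalize(raw):
    """Time-sync: convert each host's local timestamp to UTC and remove known clock skew."""
    events = []
    for host, ts, offset, msg in raw:
        m = EVENT_RX.search(msg)
        if not m:
            continue
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(
            tzinfo=timezone(timedelta(hours=offset)))
        utc = local.astimezone(timezone.utc) - CLOCK_SKEW.get(host, timedelta(0))
        events.append({"time": utc, "host": host, "user": m.group(1), "src": m.group(2)})
    return events


def deduplicate(events):
    """Collapse identical (host, user, src) events into one record carrying an occurrence count."""
    merged = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["host"], e["user"], e["src"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last"] = e["time"]
        else:
            merged[key] = {**e, "count": 1, "first": e["time"], "last": e["time"]}
    return list(merged.values())


def correlate_and_alert(records, threshold=5, window=timedelta(minutes=10)):
    """Correlate by source IP across hosts; alert when failures inside the window reach the threshold."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        total = sum(r["count"] for r in recs)
        span = max(r["last"] for r in recs) - min(r["first"] for r in recs)
        if total >= threshold and span <= window:
            alerts.append({"src": src, "failures": total,
                           "hosts": sorted({r["host"] for r in recs})})
    return alerts


def run():
    records = deduplicate(normalize(RAW))
    return {"records": len(records), "alerts": correlate_and_alert(records)}


if __name__ == "__main__":
    print(run())
```

Without the time-sync step the web02 and vpn01 events would appear hours apart from web01's and the 10-minute window would never close around them.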

DLP

USB Blocking

Cloud-based

Email

Data Loss Prevention (DLP)

• Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect:

• Data in use (e.g. endpoint actions)

• Data in motion (e.g. network actions)

• Data at rest (e.g. data storage)

• These systems use deep content inspection, contextual security analysis of transactions, and a centralized management framework.

• A network-based DLP is a software or hardware solution that is installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies.

USB Blocking

• Preventing the use of removable media can be a simple way to prevent the loss of data for an organization.

• USB ports are commonly found on most modern computers, and USB drives are easily acquirable, so preventing their use will block somebody from taking data from a company laptop.

Email-based DLP

• Email-based DLP is essential for any company concerned with their employees sending confidential or sensitive information outside of their network.

• Most if not all companies utilize email in their day to day business practices.

• Email-based DLP should scan an outgoing email for sensitive information, like PII, and block it from leaving the work network.

• Can at least enforce digital signing to provide non-repudiation for the compromising email.

• An email gateway can provide email-based DLP.

Email Gateway

• An email gateway monitors emails being sent into a network and being sent outbound from that network.

• Inbound can prevent spam, which will help weed out malware before it enters the network.

• Outbound can provide DLP, preventing the loss of sensitive data like PII.

• Email gateways can also provide encryption for email services.
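An added example, not from the original slides, of the outbound scan the Email-based DLP and Email Gateway sections describe: a constructed message is searched for PII patterns (SSN-style numbers and card numbers that pass the Luhn check, so a 16-digit order id is not a false positive), and the mail is blocked only when it would actually leave the organization, whose internal domain is the constructed example.com.

```python
import re

SSN_RX = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RX = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
INTERNAL_DOMAIN = "example.com"   # constructed: mail that stays in this domain is not egress


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, value) pairs for every SSN-style and Luhn-valid card number found."""
    findings = [("ssn", m.group()) for m in SSN_RX.finditer(text)]
    findings += [("card", m.group()) for m in CARD_RX.finditer(text) if luhn_ok(m.group())]
    return findings


def dlp_decision(sender: str, recipients: list, body: str) -> dict:
    """Block only mail that both carries PII and has at least one external recipient."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings = find_pii(body)
    action = "block" if findings and external else "allow"
    return {"action": action, "findings": findings, "external_recipients": external}


def demo() -> dict:
    # Constructed message text; 4111 1111 1111 1111 is a well-known test card number.
    body = ("Hi, order 1234 5678 9012 3456 shipped. Card on file 4111 1111 1111 1111, "
            "SSN 123-45-6789 as requested.")
    return {
        "to_partner": dlp_decision("alice@example.com", ["bob@partner.test"], body),
        "internal": dlp_decision("alice@example.com", ["hr@example.com"], body),
        "clean": dlp_decision("alice@example.com", ["bob@partner.test"],
                              "order 1234 5678 9012 3456 shipped"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```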

Cloud-based DLP

• With more and more information moving onto the cloud, it is becoming increasingly important to protect data stored on the cloud.

• Cloud-based DLP is a DLP solution that prevents sensitive data from leaving the cloud-based storage of an organization.

• Personally Identifiable Information (PII) is a focus here.

NAC

Dissolvable vs permanent

Host Health Checks

Agent vs Agentless

NAC (Network Access Control)

• NAC refers to whatever system you have in place for controlling access to the network.

• Can be as simple as clicking a box to “agree to the terms and conditions” of network usage.

• Can be as complex as having your machine scanned for viruses, patches, updates, firewalls, etc. before it's allowed to connect.

• Port security and 802.1x are examples of NAC.

Host Health Checks

• One simple form of NAC can be a simple scan of a computer connecting to a network. The scan can be checking for a number of important things:

• Up to date Operating System.

• Updated and recently scanned anti-virus software.

• Certain software being present or absent from a machine, based on a company's application policy.

• That certain system configurations match the network's expectations.

Agent vs. Agentless

• NAC that requires a software agent on the system allows your NAC solution to keep tabs on the system using that software.

• Agentless NAC does not require software on the end system and is reliant on a remote scan of the system.

Dissolvable vs. Permanent NAC

• Permanent NAC requires agent software installed on the device.

• Dissolvable NAC only provides one-time authentication to the network, and is then deleted.

• Can provide greater flexibility.

Hardware Encryption

HSM, TPM

Trusted Platform Module

• The Trusted Platform Module (TPM) is a chip on a computer's (or tablet's) motherboard that can generate and store encryption keys for various purposes.

• TPM can also perform encryption duties instead of relying on software to do the encryption.

• For example, Microsoft's BitLocker uses TPM to encrypt the contents of the hard disk.

Hardware Security Module

• If your system does not come with a TPM, you can add an HSM (Hardware Security Module) instead. It's similar to a TPM, but it is in the form of a plug-in card or external security device that can be attached to a server.

• An HSM can be added to servers that do a large amount of encryption, such as VPN servers or Certificate Authorities.

• Hardware encryption is always faster than software encryption!

• Both TPM and HSM provide storage for RSA or asymmetric keys and can assist in authentication.

Security Assessment

CompTIA Security+

Protocol Analyzer

• A protocol analyzer is used for monitoring and analyzing data traffic on the network.

• Can be used for logging, sniffing and interception, analyzing and network monitoring, and troubleshooting.

• Can pick up any type of traffic: ICMP, DNS, DHCP, POP3, and SMTP to name a few.

• It can be used to determine what flags are set in a TCP/IP handshake.

• An example of a protocol analyzer is Wireshark.

Port Scanners

• Port scanning is used to remotely find open ports, listening services, and even the fingerprint/footprint of an operating system.

• Banner grabbing is when you use a port scanner (for example), and based on the banner information (the reply) that is returned, you can often tell which OS the reply is coming from.

• Nmap is a program that can be used to perform a port scan.

• A firewall can mitigate a port scan.

Port Scanners

• A port scanner can be used to determine what services are running on a server without logging into the server.

• Port scanners usually work by sending different TCP flag combinations to a target and then analyzing the response.

• If you need to discover unnecessary services on your corporate LAN, start the discovery with a port scanner.

Network Scanner

• A network scanner can be utilized to scan your network for vulnerabilities.

• Rogue system detection: a scanner can detect an unauthorized device on the network, allowing an admin to address the situation.

• Network mapping: a scanner can be used to detect all devices connected to a network, allowing a logical network map to be built, outlining the connections on the network.

Wireless Scanner/Cracker

• Wireless networks have a unique vulnerability in the fact that they cannot be physically constrained to a certain location or medium.

• A wireless scanner is a device that can simply scan for a wireless network and record details of that network. Some scanners go a step further and automatically attempt to crack the encryption on weaker wireless networks.

• Frequently used in wardriving.

Password Cracker

• A password cracker is a piece of software designed to perform a brute force attack on a system's password. This is hoping to take advantage of one of a few weaknesses:

• Captured password hashes which can be attacked.

• Weak passwords that are simple, and thus can be cracked quickly.

• Having a secure password policy will protect an organization from a password cracker.

Vulnerability Scanners

• A vulnerability scanner is a computer program designed to search for and map systems for weaknesses in an application, computer, or network.

• These utilities are the least intrusive and check the environment for known software flaws.

• Scheduling vulnerability scans is a management control type.

Data Sanitization

• Sanitization is the process of removing sensitive information from a document or other medium so that it may be distributed to a broader audience.

• Degaussing is the act of magnetically erasing all data on a disk so it may be reused.

• Before sending drives away to be destroyed, first encrypt the entire disk, then wipe/sanitize it.

Steganography Tools

• A steganography tool is used to hide data inside of another file, such as a graphic file or video file.

• It makes subtle modifications to the file that is carrying the hidden information, attempting to make the new file indistinguishable from the original.

• Might be used by a photographer to hide a watermark in a photo.

Honeypot and Honeynet

• A honeypot is a trap set to attract, detect, observe, deflect, or in some manner counteract attempts at unauthorized use of information systems.

• Two or more honeypots on a network form a honeynet.

• Use a honeypot/net to protect your company while also researching attack methods being used against your company.

• Honeypots and honeynets would be located in the DMZ.

Command Line Tools

Ping, Tracert

Nslookup/dig, Arp

Ipconfig/ifconfig, nmap

PING

• The PING command is a great utility that can let you know if you are able to communicate with another network device.

• However, just because you are unable to PING a device does not always mean you cannot communicate with said device. The device might have a firewall enabled and configured to not respond to ICMP (which is PING) requests.

• Example: ping www.yahoo.com or ping 67.195.160.76

PING Switches

• Switches:
• -t – PING the specified host until stopped.
• -a – Resolve addresses to hostnames.
• -n count – Number of echo requests to send.
• -l size – Send buffer size.
• -f – Set Don't Fragment flag in packet (IPv4-only).
• -i TTL – Time To Live.
• -v TOS – Type of Service (IPv4-only).
• -r count – Record route for count hops (IPv4-only).
• -s count – Timestamp for count hops (IPv4-only).
• -j host-list – Loose source route along host-list (IPv4-only).
• -k host-list – Strict source route along host-list (IPv4-only).
• -w timeout – Timeout in milliseconds to wait for each reply.
• -R – Use routing header to test reverse route also (IPv6-only).
• -S srcaddr – Source address to use.
• -4 – Force using IPv4.
• -6 – Force using IPv6.

TRACERT

• TRACERT shows the route that an IP packet takes to get from the source to the destination.

• Example: tracert www.yahoo.com or tracert 67.195.160.76

IPCONFIG/IFCONFIG

• IPCONFIG gives you information about your current network connections, such as:
• IP Address
• Subnet Mask
• Default Gateway
• DNS
• MAC Address

• IFCONFIG is used on Unix/Linux machines, but does the same as IPCONFIG.

• Example: ipconfig /all

IPCONFIG Switches

• Some IPCONFIG switches:
• /all – Produces a detailed configuration report for all interfaces.
• /flushdns – Removes all entries from the DNS name cache.
• /displaydns – Displays the contents of the DNS resolver cache.
• /release <adapter> – Releases the IP address for a specified interface.
• /renew <adapter> – Renews the IP address for a specified interface.
• /? – Displays this list.

ARP

• ARP (Address Resolution Protocol) is used to find a device's MAC address when only its IP address is known.

• A host wishing to obtain another's MAC address broadcasts an ARP request onto the network. The host on the network that has the IP address in the request then replies with its MAC address.

• ARP is an insecure protocol, as an attacker could “poison” your ARP table and give you bad information, convincing you that he is the Default Gateway. He would then be set up as a Man-In-The-Middle and could “sniff” your traffic.
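An added example, not from the original slides, of the defensive side of the ARP point above: successive ARP-table snapshots (the kind `arp -a` prints) are checked for the signs of poisoning the text describes, namely the gateway's MAC differing from a known baseline, one MAC answering for several IP addresses, and an IP-to-MAC mapping that changes between snapshots. The addresses, MACs and snapshots are constructed.

```python
# Constructed baseline for the default gateway, recorded when the network was known to be clean
BASELINE_GATEWAY = {"ip": "192.168.1.1", "mac": "00:11:22:33:44:55"}

# Constructed ARP-table snapshots (ip -> mac), taken a minute apart on one workstation.
# In the second snapshot the host at .21 has started answering for the gateway's address.
SNAPSHOTS = [
    {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.20": "aa:bb:cc:dd:ee:01",
     "192.168.1.21": "aa:bb:cc:dd:ee:02"},
    {"192.168.1.1": "aa:bb:cc:dd:ee:02", "192.168.1.20": "aa:bb:cc:dd:ee:01",
     "192.168.1.21": "aa:bb:cc:dd:ee:02"},
]


def check_snapshot(table, gateway, previous=None):
    """Return a list of alert strings for signs of ARP poisoning in one snapshot."""
    alerts = []
    # 1. The gateway mapping no longer matches the recorded baseline.
    gw_mac = table.get(gateway["ip"])
    if gw_mac and gw_mac.lower() != gateway["mac"].lower():
        alerts.append(f"gateway {gateway['ip']} now resolves to {gw_mac}, expected {gateway['mac']}")
    # 2. One MAC claims several IPs, which is how a poisoner sits between gateway and victim.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac.lower(), []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    # 3. A mapping that changed since the previous snapshot (DHCP churn can also cause this,
    #    so this check is a prompt to investigate rather than proof on its own).
    if previous:
        for ip, mac in table.items():
            if ip in previous and previous[ip].lower() != mac.lower():
                alerts.append(f"{ip} changed from {previous[ip]} to {mac}")
    return alerts


def monitor(snapshots, gateway):
    """Run the checks over a sequence of snapshots; returns one alert list per snapshot."""
    report, previous = [], None
    for table in snapshots:
        report.append(check_snapshot(table, gateway, previous))
        previous = table
    return report


if __name__ == "__main__":
    for i, alerts in enumerate(monitor(SNAPSHOTS, BASELINE_GATEWAY)):
        print(f"snapshot {i}:", alerts or "clean")
```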

Troubleshooting Issues

CompTIA Security+

Unencrypted credentials/cleartext

• Cleartext refers to plainly readable information, which allows anybody who can access that information to read it.

• No sensitive data should be left unencrypted, or it will be at risk of being stolen.

• PII is especially at risk here.

• Penetration testing and vulnerability scans can be utilized in order to test if something lacks or has weak encryption.

Permission Issues

• A user without the proper permissions will be unable to do their job, and will require their permissions re-reviewed in order to gain proper permissions.

• A user with more permissions than intended can gain access to systems or software they should not have access to, potentially compromising a system.

• Privilege escalation is when a user exploits a known bug or vulnerability to increase their own access.

• Continual privilege review can prevent this.

Access Violations

• A user might access networked resources if improper permissions are set or if no NAC is implemented.

• Physical access can be an issue if an employee can freely access restricted areas with ease.

• Network access can be determined by performing account reviews and with penetration testing.

• Physical access can be detected with some form of detective control like CCTV.

Data Exfiltration

• A user able to exfiltrate data from a system is dangerous due to the myriad of sensitive data that can be stored on a system.

• USB drives can easily pull data from a computer.

• Bluetooth can pull data wirelessly.

• Data can be sent out of the network using email.

• Confirming proper group policies are set, and making sure USB/Bluetooth access is restricted, can prevent exfiltration. DLP can prevent many forms of exfiltration, including information sent over email.

Misconfigured devices

• A misconfigured device can cause a wide range of problems, from unwanted access to causing a denial of service.

• Configurations should be reviewed by an admin in order to prevent misconfigurations from going unnoticed.

• A vulnerability scanner can detect common misconfigurations of many types of devices on a network.

Weak Security Configurations

• Utilizing technologies like WPA2 instead of WEP can provide a more secure network.

• Preventing password reuse or short passwords is also critical in securing a system.

• Running a vulnerability scanner can detect certain weak configurations, while a tool such as a password cracker can be used on your master password file to see if anything is easily broken.

Personnel Issues

• Policy violations can be reported by other employees or detected by security guards.

• CCTV can detect policy violations occurring.

• User education can prevent accidental policy violations.

• Insider threats are always a concern today, as an employee already has access to the systems they are trying to compromise.

• Separation of duties, job rotation, and mandatory vacations can help deter and detect insider threats.

Personnel Issues: Social Engineering

• Social engineering is the act of obtaining or attempting to obtain otherwise secure data by using deception and trickery.

• Social engineering is an attack that cannot be prevented or deterred solely through using technical measures.

• The only way to prevent social engineering attacks is to train your users.

• Actively attempting to social engineer your users can tell you how many fall for the attacks.

Personnel Issues: Social Media

• Social media is dangerous in regards to confidential information. Information can leave the corporate network and be broadcast to hundreds or thousands of people.

• Disabling access to social networking sites while on the company network can help mitigate this issue.

• Keeping track of employees' social media accounts is the only way to truly monitor what information is being spread.

• Can be an invasion of privacy.

Personnel Issues: Personal Email

• An employee's personal email can be easily compromised as it is controlled by a third party organization.

• Not necessarily encrypted.

• No DLP built into the system.

• Can email anybody freely.

• Preventing access is recommended, as employees could easily use a 3rd party email to bypass some security controls.

Unauthorized Software

• Unauthorized software can compromise a system in many ways, including:

• An unknown potential entry point into a system.

• A potential source of malware.

• Just an unknown and untested possible instability.

• Application white/blacklisting can prevent unauthorized programs from being run and installed. Permission reviews can detect if a user has the rights to install software.

• A vulnerability scan could pick up this unauthorized software.

Baseline deviation

• A baseline is a set of known good or accepted configurations.

• Deviating from this known good can cause instabilities or create vulnerabilities in a system.

• An IDS or IPS can detect deviations from the baseline, potentially notifying an admin of any issues.

• A behavior-based IDS/IPS is designed this way.

Proper Licensing

• Make sure you and your employees are using legitimate software and have proper licensing for that software. Consider which license you want when, for example, buying:

• Microsoft Office

• Operating Systems

• Personal License: A software license for an individual. Used on one or a few devices. For one user.

• Enterprise License: A software license for a corporation. Used on a large amount of networked devices. May require access to the company network to authenticate.

Asset Management

• Physical assets are important to keep track of for an organization to prevent something from being lost or stolen.

• Implementing RFID tags can detect when equipment leaves the building or a certain area of a building.

• Company cell phones can be actively tracked with GPS.

• Having an organized inventory management system is important to properly keep track of company assets.

Authentication Issues

• To prevent users' accounts from being compromised, continually monitor logs, checking for brute force attacks.

• A large number of failed log-ins is an indicator of a brute force attack.

• Another issue could be a user failing to remember their password, locking themselves out of their own account.

• Having more lenient lockout policies could prevent this, as well as proper password policies.

• Forcing the user to contact an admin for account recovery can prevent this from being abused.

Securing Mobile Devices

CompTIA Security+

Connection Methods

Cellular, Wi-Fi, SATCOM, Bluetooth, NFC

Cellular

• The cellular network can be utilized by smartphones to connect from a huge range of locations.

• Limited to areas with cellular towers.

• Other devices, not just phones, can access it:
  • USB dongles for PCs
  • Some tablets
  • Wi-Fi hotspots

• Usually associated with a data plan/data limit.

Wi-Fi

• Mobile devices are also able to connect to the wireless network, lessening their dependence on the cellular network.
  • Helps by saving data!

• Constantly searching for nearby Wi-Fi access points can drain a phone's battery faster.

• Unsecure wireless access points can pose a problem with mobile devices, much as they can for laptops and other computers.

SATCOM

• A service that provides data through the use of low Earth orbit satellites to users world-wide.
  • Satellite requires line-of-sight.
  • The delay involved in a digital satellite connection is called latency.

• Can provide connectivity to just about anywhere on Earth; it just needs line of sight to the satellite.

• Generally a more expensive option for phone connectivity.

Bluetooth

• Bluetooth is an open wireless protocol for exchanging data over short distances (using short-length radio waves) from fixed and mobile devices, creating personal area networks (PANs). Note that PANs are centered around a specific person.
  • Used to connect two devices by the use of pairing
  • Can connect several devices, overcoming problems of synchronization
  • Bluetooth 1.0 and 2.0 have a wireless range of around 30 to 33 feet (or 10 meters)

NFC

• Mobile devices can be used for Near Field Communication, which can be used for communication with another device over a short distance.

• Is commonly used today for electronic purchasing: instead of using a credit card, your smartphone is used to pay.
  • Can also be used for data transfers.

• Older smartphones may not have an NFC chip, and will not be able to utilize any NFC purchasing apps.

Mobile Device Management (MDM)

App/Content Management, Remote Wipe, Geolocation/Geofencing, Screen locks, Push Notifications, Passwords & PINs, Biometrics, Containerization, Full device encryption

App & Content Management

• It is important to select an operating system that supports the applications desired for business functionality.
  • Some applications are simply incompatible with certain types of mobile operating systems.

• It can also be important to have proper access controls set on mobile devices to restrict access to certain content, and possibly prevent the installation of certain applications.
  • 3rd party applications could compromise the security of a mobile device.

Remote Wipes

• The remote wipe feature on a smartphone is an excellent way to remove the data stored on the phone if said phone has been stolen or lost.

• Allows a company to protect their data on a potentially stolen phone.

GPS Tracking

• GPS tracking is the ability to track a cell phone by using the phone's built-in GPS radio.

• Geo-tagging is a feature where you can encode pictures with the GPS coordinates of the picture's location. Be careful with this feature as it can be a security risk both for the company and for home users!

• Location-based services is the feature in your smartphone that enables the GPS functionality for all of your apps. If you turn this off, then none of your apps can do geo-tagging, GPS tracking, etc.

Geofencing

• Geofencing can be utilized to either prevent the use of a mobile device outside of a certain area, or only allow the use of a mobile device outside a certain area.
  • Preventing the use of mobile devices outside of a certain area can prevent an employee from leaving and transmitting data outside of a network the company has control over.
  • Preventing use inside a certain area can keep a secure area secured, possibly preventing data from being exfiltrated.
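An added example (not from the slides) of both geofencing modes expressed as a policy check: a circle the device may only be used inside, and a circle inside which it may not be used. The coordinates, radii and device positions are constructed:

```python
"""Geofence policy check in the style of an MDM rule. Added example, not from
the slides; coordinates, radii and device positions are constructed."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float
    # "allow_inside": the device may be used only inside the circle (keeps
    #   data on a network the company controls).
    # "deny_inside": the device may not be used inside the circle (keeps a
    #   secure area free of phones that could exfiltrate data).
    mode: str

    def permits(self, lat: float, lon: float) -> bool:
        inside = haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m
        return inside if self.mode == "allow_inside" else not inside


def device_allowed(fences, lat, lon) -> tuple[bool, list[str]]:
    """Apply every fence; the device is allowed only when none of them objects."""
    violations = [f.name for f in fences if not f.permits(lat, lon)]
    return (not violations, violations)


# Constructed policy: a 500 m circle around HQ is the only place the device
# may be used, and the 40 m research lab inside that circle is phone-free.
POLICY = [
    Geofence("hq-campus", 51.5000, -0.1200, 500.0, "allow_inside"),
    Geofence("research-lab", 51.5010, -0.1190, 40.0, "deny_inside"),
]
```

`device_allowed(POLICY, 51.5005, -0.1205)` (an office on campus) is allowed, a position at the lab centre is refused by "research-lab", and a position a kilometre away is refused by "hq-campus".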

Screen Lock

• Enforcing a screen lock on employee mobile devices can prevent the leakage of sensitive company information.
  • A screen lock is a simple security feature on all modern smartphones that prevents access to the device without proper authentication.
  • Passcode/PIN lock
  • Pattern lock
  • Biometric lock

Passcode Locks

• A passcode lock can be set so that when the phone has been turned on or woken up you must enter the passcode to unlock the phone. This is a great way to prevent someone other than the owner from getting to the data that is on the phone and using the phone.
  • Remember that when setting a passcode you need to use a mix of numbers. Don't use a passcode such as 1111, 2580, or 1337.
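An added example, not from the slides, of a passcode policy check that rejects the kinds of PIN the slide warns against (1111, 2580, 1337): repeated digits, digit sequences, straight lines on the keypad and a deny list. The 6-digit minimum, the distinct-digit rule and the short deny list are assumptions:

```python
"""Passcode (PIN) policy check for a mobile screen lock. Added example, not
from the slides; the minimum length, the distinct-digit rule and the short
deny list are assumptions that illustrate the slide's advice."""
KEYPAD = ["123", "456", "789", " 0 "]   # phone keypad, to spot lines like 2580
MIN_LENGTH = 6
MIN_DISTINCT = 3
# Short illustrative deny list; a real MDM policy would carry a much longer one.
DENY_LIST = {"1111", "1234", "0000", "2580", "1337", "4321", "1212", "7777",
             "123456", "111111", "000000", "654321", "121212", "112233"}
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYPAD)
           for c, ch in enumerate(row) if ch != " "}


def is_keypad_line(pin: str) -> bool:
    """True if every step moves by the same non-zero keypad delta (2580, 159)."""
    if len(pin) < 3:
        return False
    steps = {(KEY_POS[b][0] - KEY_POS[a][0], KEY_POS[b][1] - KEY_POS[a][1])
             for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def is_sequential(pin: str) -> bool:
    """True for ascending or descending digit runs such as 1234 or 9876."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def check_pin(pin: str) -> list[str]:
    """Return the rules the PIN violates; an empty list means it is acceptable."""
    if not pin.isdigit():
        return ["digits only"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if len(set(pin)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct digits")
    if pin in DENY_LIST:
        problems.append("on the deny list")
    if is_sequential(pin):
        problems.append("sequential digits")
    if is_keypad_line(pin):
        problems.append("straight line on the keypad")
    return problems


if __name__ == "__main__":
    for pin in ("1111", "2580", "1337", "735190"):
        print(pin, check_pin(pin) or ["ok"])
```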

Pattern Locks

• A pattern lock can be used to secure a phone by requiring the user to enter a known pattern to gain access to the phone.

• Though a pattern lock can be a more convenient access method, it is less secure than a sufficiently long passcode lock.

Biometrics

• Biometrics are the authentication techniques that rely on measurable physical characteristics that can be automatically checked.

• This could include something along the lines of facial recognition or a fingerprint scanner.

Push Notifications

• Push notifications can be used for convenience for the company or user, giving faster access to some amount of information.
  • A push notification can simply pop up on the locked screen of a phone, giving instant access to certain information.
  • Certain push notifications can show a small amount of information from a text or email, potentially revealing sensitive information.

Context-aware Authentication

• Context-aware authentication does not check only for a simple password, but also for the situation in which the password is being entered.
  • For example, the password might work perfectly fine when on the company network, but be completely disabled when trying to connect to public Wi-Fi.
  • Could also require stricter requirements in some locations, as in now needing a password and a hardware token to access a device on public Wi-Fi.

Device Containerization

• Whenever an employee is using a smartphone, the issue of data ownership needs to be addressed.

• Creating a "container" on the device can separate corporate information from personal information on a device.

• The secure container can be remotely wiped should the phone be compromised.

Full Device Encryption

• Device encryption is used to encrypt every bit of data that goes on a device. The data is then decrypted as it is read into memory.

• The term "full device encryption" is often used to signify that everything on a device is encrypted.

• Full device encryption would be best used on portable devices, as they can be easily stolen.

Enforcement & monitoring

Third Party Apps, Rooting/Jailbreaking, Carrier Unlocking, Camera Use, External Media, GPS Tagging, Sideloading, Custom Firmware, Firmware OTA Updates, SMS/MMS, Tethering, Wi-Fi direct/Ad hoc

Third Party App stores

• Preventing access to third party application stores can prevent users from having access to applications on their phones that could compromise the device.

• Preventing unnecessary third party applications can also further prevent compromise from unknown factors caused by those applications.

Rooting/Jailbreaking

• Rooting/jailbreaking a phone is gaining root access to the operating system on the device.
  • Root access is admin access.

• Scanning any networked devices to check if they have root access is important, because a user with complete control could change any number of configurations.

Sideloading

• Sideloading is the process of installing software on a device while bypassing the use of any app store or official means of acquiring an application.

• Sideloading can be mitigated by preventing removable media and controlling which networks a mobile device is permitted to connect to.

Custom Firmware

• Custom firmware is a modified version of market firmware developed by a third party.

• Custom firmware is essentially a modified operating system that can be used to bypass certain security controls.
  • Like sideloaded applications, preventing the use of removable media can mitigate the risk of a user loading custom firmware.

Carrier Unlocking

• A company smartphone being unlocked from a particular carrier can present a number of issues.
  • Can breach some security controls on a smartphone.
  • Can violate an agreement a company has with a carrier.

• Carrier unlocking can be prevented by restricting access to 3rd party applications and removable media.

OTA updates

• Over the Air updates are updates that your phone receives over a wireless network, allowing attackers to potentially intercept and manipulate that data.

• Enforcing wireless encryption with a suitably strong algorithm can prevent exploitation of this technology.
  • For example, using AES instead of DES.

Camera use

• Preventing camera use on an employee smartphone can prevent them from taking pictures of sensitive information.
  • Pictures of confidential documents.
  • Pictures of secure locations.
  • Geotagged pictures.

• Disabling the camera can further lock down the company phone.

SMS/MMS

• SMS would be a simple message, much like a text.

• MMS would be a multimedia message such as a picture or short video.

• Monitoring employee communications on a company smartphone can be paramount when trying to detect the leakage of sensitive data.

External Media

• Allowing external media on a company smartphone can present numerous issues for the security of a mobile device.
  • Allows for the exfiltration of data.
  • Allows sideloading of 3rd party applications.
  • Gives an access point for potentially malicious software.

• Disabling removable media is a good idea for mobile devices.

USB OTG

• USB On The Go (OTG) allows other USB devices to connect to a smartphone and pass information between the two devices.
  • Has the same security issues as removable media.

• Allows for the connecting of peripheral devices, which can compromise the security of a smartphone.
  • Like most removable media, it is best practice to disable it.

GPS tagging

• GPS tagging (also known as geotagging) includes geographical information such as GPS coordinates in items like pictures and video.
  • Can cause privacy issues for users.

• Geotagging can also reveal the GPS coordinates of secure locations.

• Ensure location-based services are disabled to prevent geotagging.

Wi-Fi direct/ad-hoc/Tethering

• Wi-Fi direct or ad-hoc mode allows wireless devices to connect directly together without requiring a wireless network to work off of.
  • This can cause the same issues as removable media, but wirelessly.

• Tethering is a physical connection between a smart device and, for example, a personal computer. This would allow data exfiltration to occur.

Deployment Models

BYOD, COPE, CYOD, Corporate-owned

BYOD

• BYOD = Bring Your Own Device. If allowing employees to use their own mobile devices on the corporate network:
  • Confine them to their own VLAN for security.

• BYOD allows an employee to bring their own personal phone and connect it to the business network to be used for business purposes.

• Employee maintains a large amount of control over the device.

COPE

• COPE = Company Owned, Personally Enabled. A company provides their employees with mobile devices for the employees to use as though they were the employee's own device.

• Similar to BYOD, but at the end of the day, the company owns the device.
  • Gives slightly more control than BYOD.

CYOD

• CYOD = Choose Your Own Device. With CYOD, employees get a choice from a limited number of devices that are ultimately selected by the company.
  • Can limit users to particular operating systems.

• Company has more control over the device, and can limit it to strictly work activities.

Corporate Owned Mobile Devices

• A corporate-owned mobile device is a mobile device that is owned, administered, and controlled by the company, but is then handed out to the employees of that company.

• Employees have little say in which device they acquire, if any at all.

• A company can regain complete control of the mobile device if needed.

Secure Protocols

CompTIA Security+

Email Security Protocols

• Email communications can be encrypted and signed in order to guarantee secure communications.
  • Emails can be encrypted to ensure confidentiality of the emails.
  • Emails can be signed and hashed to ensure integrity.

• Secure email protocols:
  • S/MIME
  • Secure POP
  • Secure IMAP

S/MIME

• The primary benefit of using S/MIME is that it allows users to send both encrypted and digitally signed emails.

• S/MIME allows a user to selectively encrypt email messages at rest.

Secure POP/IMAP

• POP or IMAP can be utilized to download email from an email server.
  • POP downloads and deletes.
  • IMAP keeps a copy on the server.

• Both POP and IMAP can be secured by SSL or TLS, to allow this communication to be encrypted.
  • Causes POP to run over port 995 instead of 110.
  • Causes IMAP to run over port 993 instead of 143.

Secure Web Protocols

• Browsing the internet can also be secured by encrypting traffic between the web client and server.
  • Useful when purchasing online.
  • Useful when accessing online bank accounts.
  • Useful for any other sensitive internet traffic.

• The primary protocol to use to secure web traffic is HTTPS.
  • Secured with SSL/TLS.

HTTPS

• HTTPS stands for Hypertext Transfer Protocol Secure and is used to transmit data to and from a web browser and a web server securely.

• HTTPS uses SSL or TLS for its encryption.

• HTTPS uses TCP port 443.

SSL

• Secure Sockets Layer (SSL) uses port 443 and is an asymmetric protocol.

• SSL uses both public keys and private keys to secure websites.
  • The session key in an SSL connection is symmetric.
  • SSL session keys are encrypted using an asymmetric algorithm.

• If you are using SSL to secure a web or VPN server, make sure that port 443 inbound on your firewall is open.

TLS

• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.

• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.
  • TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.
  • TLS is used for encryption between email servers.
  • TLS can encrypt the protocols LDAP, HTTP, and SMTP.
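An added example (not from the slides) of the name comparison the TLS bullet above describes: matching the host name the client connected to against the DNS names in the server's certificate, with the usual wildcard restrictions. The certificate names are constructed:

```python
"""Certificate hostname check of the kind a TLS client performs: the name the
client dialled must match a DNS name in the certificate. Added example, not
from the slides; the rules follow RFC 6125 conventions and the names are
constructed."""


def dns_name_matches(cert_name: str, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate DNS name `cert_name`."""
    cert_name = cert_name.lower().rstrip(".")   # DNS names are case-insensitive
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cl, hl = cert_name.split("."), hostname.split(".")
    # A wildcard is accepted only as the entire leftmost label ("*.example.com",
    # never "w*.example.com" or "*.com"), and it stands for exactly one label:
    # it covers www.example.com but not a.b.example.com or bare example.com.
    if cl[0] != "*" or "*" in cert_name[1:] or len(cl) < 3:
        return False
    return len(cl) == len(hl) and cl[1:] == hl[1:]


def verify_hostname(san_dns_names: list[str], hostname: str) -> bool:
    """Accept the connection only if some SAN entry matches the dialled host.
    A valid certificate for some *other* name is exactly what an interposed
    server would present, so a mismatch here is treated as a failed handshake."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# Constructed certificate: two subjectAltName DNS entries.
SAN = ["mail.example.com", "*.web.example.com"]

if __name__ == "__main__":
    for host in ("mail.example.com", "shop.web.example.com", "www.example.com"):
        verdict = "ok" if verify_hostname(SAN, host) else "reject: name mismatch"
        print(f"{host:22} -> {verdict}")
```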

File Transfer

• Transferring files between systems can and should be encrypted from end to end to prevent snooping of the data in transit.
  • Unencrypted file transfers can be captured and possibly modified by a malicious attacker.

• Examples of secure file transfer protocols include:
  • FTPS
  • SFTP

SFTP

• SSH can be used to secure FTP communications. This is called SFTP or Secure File Transfer Protocol.

• SFTP uses TCP port 22 because it utilizes SSH to encrypt the traffic.

• Is not compatible with the original FTP.

• SFTP only requires one channel to use.

FTPS

• SSL or TLS can be used to secure FTP communications as well; this is called FTPS.

• Is built on the same framework as most internet communications.

• Is split into two connections like FTP, making it hard to use with firewalls.
  • Control channel
  • Data channel

Directory Services

• A directory is a collection of usernames, passwords, emails, or possibly many other things.
  • Think of how a phone book is a list of names and phone numbers.

• An example of a directory service could be Active Directory, Microsoft's directory service.
  • LDAP is used to add, delete, search, and modify directory entries.

LDAPS

• Before any LDAP messages can be transferred, LDAPS requires the client to establish a secure TLS session, providing encryption.

• If the TLS connection is closed, the LDAPS session closes as well, preventing connection without encryption.

• Runs over port 636.

Remote Access

• After initial configuration, devices can be remotely configured and administered over the network, allowing the admin to change and test configurations remotely.
  • Otherwise physical access would be the only option.

• Two protocols that could allow this remote access:
  • Telnet (unsecure)
  • SSH (secure)

SSH

• Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices such as an administrator computer and a router.

• SSH was designed as a replacement for Telnet and other insecure remote shells which send information (notably passwords) in plaintext, leaving them open for interception.

• SSH is most commonly used to remotely administer a Unix/Linux system and uses TCP port 22.

SNMP

• SNMP (Simple Network Management Protocol) is used in network management systems to monitor devices for conditions that warrant administrative attention.
  • Runs on port 161.
  • Allows an administrator to set device traps.
  • Used to find equipment status and modify configuration and settings on network devices.

• SNMP can be used to gather reconnaissance information from a printer.

• SNMPv3 is the most secure.

Domain Name System

• A DNS server (Domain Name System) converts a FQDN (Fully Qualified Domain Name) (e.g. www.yahoo.com) into the IP address your computer needs to access the remote device. BIND is the de-facto standard DNS software.

• A DNS zone transfer is when two DNS servers synchronize their databases. This uses TCP port 53.

• DNS information could potentially be forged, or a malicious DNS server could try to perform a zone transfer with a legitimate one, poisoning it.

DNSSEC

• DNSSEC is a suite of specifications for securing info provided by DNS (especially authentication of the data therein, stopping zone transfer).
  • Prevents the use of forged DNS information.
  • Has all DNS responses be digitally signed.
