-
Replay Attack
3rd party attempts to impersonate a client after intercepting captured data from a session
-
KDC
- Key distribution center
- Used with Kerberos
-
Kerberos
- Network authentication protocol within active directory/UNIX realm
- Uses a database of objects (e.g. Active Directory)
- Uses a KDC/TGT server to issue timestamped tickets that expire after a certain amount of time
-
TGT
- Ticket-granting ticket
- Used in Kerberos
-
Symmetric Key Cryptography
Uses a single key for both encryption and decryption
-
Asymmetric Key Cryptography
- Uses separate keys to encrypt and decrypt data
- Requires a PKI to issue tickets
-
LDAP
- Based on an earlier version of X.500
- Active Directory/UNIX realms use LDAP to identify objects in query strings
-
DC (LDAP)
Domain Component
-
Secure LDAP
LDAP with SSL or TLS
-
SSO
- Single Sign-On
- Users only remember one set of credentials
- Can provide authentication against a federated database
-
Same Sign-on vs Single Sign-on
- In same sign-on, users have to re-enter credentials each time they access another system
- Single sign-on reuses the credentials entered once for multiple systems within a session
-
SAML
- Security Assertion Markup Language
- An XML-based standard for exchanging authentication and authorization information between parties
- Provides SSO for web-based applications
-
PAP
- Password Authentication Protocol
- RAS protocol that sends passwords in cleartext
-
CHAP
- Challenge Handshake Authentication Protocol
- A type of RAS protocol
- Server challenges client, client provides authentication info
-
RADIUS
- Remote Authentication Dial-In Service
- Provides centralized authentication for RAS servers
- Only the password is encrypted
- Uses UDP
-
TACACS+
- CISCO alternative to RADIUS
- Entire authentication process is encrypted
- Uses TCP (guaranteed delivery)
-
DIAMETER
Upgrade to RADIUS that uses TCP and EAP
-
AAA
- Authentication, Authorization, Accounting
- RADIUS and TACACS+ provide all 3
- KERBEROS does not provide accounting
-
XTACACS
- CISCO-proprietary
- rarely used
-
TACACS (Acronym)
Terminal Access Controller Access Control System
-
HOTP & TOTP
- Open source standards used to create one-time passwords
- HOTP makes a one-time password that does not expire
- TOTP makes a one-time password that expires after 30 mins
-
Which authentication service uses tickets for credentials?
Kerberos
-
What is the primary purpose of a ticket-granting server?
Authentication
-
Technical Controls
- Use technology to mitigate vulnerabilities
- Examples: IDS, firewall, encryption
-
Management Controls
- Use planning & risk assessment methods to mitigate risk
- Examples: risk assessment, vulnerability assessment, penetration test
-
Operation Controls
- Ensure day-to-day operations comply with an overall security plan; implemented by people, not machines
- Examples: Awareness & Training, Configuration management, Contingency Planning
-
Hardening
- The practice of making a system or application more secure than its default configuration
- Examples: disabling unneeded services and accounts
-
Examples of Preventative Controls
- Hardening
- Security Awareness
- Change Management
- Account deactivation policy
-
Examples of detective controls
- Log monitoring
- Trend Analysis
- Security Audit
- Video Surveillance
-
Compensating Controls
- Alternative controls in place of a primary control
- Usually temporary
-
Rule-based access control
Based on a set of instructions, such as an access control list
-
DACL
- Discretionary access control list
- property of an object that identifies who is allowed to access it
-
ACE
- access control entry
- found in the DACL
-
DAC model
- Discretionary access control
- Every object has an owner, who determines who can do what with that object
-
MAC
- Mandatory access control
- Uses security labels (e.g. "secret") to determine who is allowed access
-
TCP Handshake Concept
- Client sends a SYN
- Server sends a SYN ACK
- Client sends ACK
- (3 way handshake)
-
ICMP
- Internet Control Message Protocol
- Included in connection tools (like ping)
- Often blocked because it is used for DoS attacks
-
ARP
- Address Resolution Protocol
- Resolves IPv4 addresses to MAC addresses
-
NDP
- Neighbor Discovery Protocol
- Functions similarly to ARP, but on IPv6
-
SSH
- Secure Shell
- Encrypts SFTP and SCP
- Uses TCP port 22
-
SSL
- Secures HTTP, SMTP, LDAP traffic using certificates
- Uses port 443 for HTTP traffic
- Uses port 465 for SMTP traffic
- Uses port 636 for LDAP traffic
-
TLS
- Transport Layer Security
- Successor to SSL
- Uses the same ports as SSL
-
IPSec
- IP Security
- Inherent in IPv6
- Uses tunnel mode for VPNs
-
FTP
- Transfers data in cleartext!!
- Active mode uses ports 21 and 20
- Passive mode uses port 21 and a random port
-
SFTP
Uses SSH to encrypt traffic using TCP port 22
-
FTPS
- Uses SSL or TLS to encrypt traffic
- Can use TCP ports 989 and 990
-
TFTP
- Trivial File Transfer Protocol
- Used for small amounts of data, uses UDP
- Commonly disabled
- UDP port 69
-
SNMP Ports
- UDP port 161
- Sends traps (error messages) on UDP port 162
-
NetBIOS ports
- TCP 137, 139 (more common)
- UDP 137, 138
-
LDAP ports
- TCP 389
- TCP 636 (encrypted)
-
SMTP ports
- TCP 25
- TCP 465 (SSL/TLS encrypted)
-
POP3 ports
- TCP 110
- TCP 995 (TLS/SSL encrypted)
-
IMAP ports
- TCP 143
- TCP 993 (SSL/TLS secured)
-
DNS Zone Record: A
- Includes hostname and IPv4 address
- Most commonly used
-
DNS Zone Record: AAAA
Includes hostname and IPv6 address
-
DNS Zone Record: PTR
- aka "pointer record" or "reverse lookup"
- Client queries the DNS server for a hostname, given an IPv4 address
- Does not always work; it is an optional record
-
DNS Zone Record: MX
- Identifies mail server used for e-mail
- linked to A or AAAA records
-
DNS Zone Record: CNAME
- Canonical name or "alias"
- Points multiple domain names to the same IP address
-
Secure Zone Transfers
- DNS servers sharing info with each other
- Some transfers might include all records in a zone
- Zone Transfers happen using TCP 53
-
SMTP Ports (SSL/TLS)
TCP 465
-
Loop Protection on a switch
STP or RSTP
-
provides port-based authentication, ensuring that only authorized clients can connect to a network
802.1x server
-
Disabling unused ports and limiting MAC addresses that can use a port
Port Security
-
Implicit Deny
Any traffic not explicitly allowed is denied
-
___ identifies what traffic is allowed and what is blocked
ACL
-
Last rule in an ACL is typically
- implicit deny
- used by routers and firewalls
-
Routers & packet-filtering firewalls perform basic filtering using
an ACL
-
Format for firewall rules
- PPSDP
- permission, protocol, source, destination, port
-
Implicit deny on an ACL
- deny any any
- deny any
- drop all
-
WAFs focus on defending against
- cross-site scripting attacks
- buffer overflow attacks
-
OSI Layer 1
- Physical
- Cables & Hubs
- Protocols related to Ethernet and cabling
-
OSI Layer 2
- Data Link
- Switches
- ARP, MAC, NDP, VLAN
-
OSI Layer 3
- Network (logical addressing)
- Router, Layer 3 Switches
- IPv4, IPv6, IPSec, ICMP
-
OSI Layer 4
- Transport
- aka flow control
- TCP & UDP
-
OSI Layer 6
- Presentation
- Formats data (e.g. ASCII)
-
OSI Layer 7
- Application
- Proxies, WAFs, UTMs, web security gateways
- FTP, DNS, HTTP, Telnet, RDP etc.
-
OSI Acronym
- All People
- Seem To Need
- Data Processing
-
IDS and IPS include
packet sniffing capability
-
SYN Flood
- Basically DoS
- Sends repeated SYN messages but never ACKs them
- Creates half-open sessions repeatedly
-
Active IDS
Will log an event, but can also divert traffic, change ACL rules, and end processes
-
A set of virtualized servers made as decoys
honeynet
-
IPS are placed
in-line with traffic
-
802.11a bandwidth and freqs
-
802.11n bandwidth and freqs
-
War driving
- looking for wireless networks
- aka driving through neighborhoods
-
TKIP
- Temporal Key Integrity Protocol
- used with WPA
- Replaced with CCMP in WPA2
-
How to implement 802.1x
Use a RADIUS server
-
enterprise mode vs personal mode on WPA/2
- Enterprise requires a RADIUS server
- Enterprise requires a database with username/password combos
-
EAP
- Extensible Authorization Protocol
- two systems create a pairwise master key (PMK)
- used by 802.1x servers, requires a cert on the server
-
PEAP vs EAP
- PEAP uses a TLS-encrypted tunnel for the PMK conversation
- PEAP-TTLS lets you TLS-tunnel older PAP systems
-
EAP-TLS
requires a certificate on server and on all clients
-
LEAP
- CISCO proprietary EAP
- Does not require certificates
-
Isolation mode
used in wireless hotspots to prevent clients from connecting to each other
-
WEP inherent vulnerability
uses a weak 24-bit IV sent in plaintext to create a key
-
WPA cracking attack
- Attacker captures traffic with a sniffer, waits for an authorized client to connect
- Then the attacker brute-forces the access point using the intercepted info from the 4-way handshake
-
Bluesnarfing
stealing info via bluetooth
-
IPSec provides
- Authentication & Identification (AH Header)
- Encryption, Confidentiality, Identity, & Auth (ESP)
-
uses tunnel mode, & IKE over port 500
IPSec
-
L2TP
- Layer 2 Tunneling Protocol
- UDP Port 1701
- Is not encrypted
-
L2TP commonly combined with
IPSec
-
Software that creates, runs, and manages VMs
Hypervisor
-
VM Escape
When attackers gain control of a host through a VM
-
SCADA systems
supervisory data control and acquisition systems
-
Primary methods of securing data
- encryption
- strong access controls
-
How to protect data at rest
encryption
-
How to protect data in transit
-
TPM
- Trusted Platform Module
- Chip baked into computer
- Provides full disk encryption, includes unique RSA asymmetric key
-
HSM
- Hardware security module
- removable device that can store/manage RSA keys for asymmetric encryption
-
Provides customers with a fully managed platform, which the vendor keeps up to date with current patches
Platform as a Service
-
Provides customers with access to hardware in a self-managed service
Infrastructure as a Service
-
Uses one or more techniques to make it difficult to reverse engineer
Armored virus
-
Armored virus techniques
- complex code
- encryption
- hiding virus location
-
detects previously-unknown malware based on behavior
Heuristic-based antivirus
-
Smurf attack
- Attacker spoofs IP of victim and sends broadcast pings
- victim is flooded with replies
-
Defense against smurf attacks
- Disable directed broadcasts
- Especially important for front-facing border routers
-
Xmas tree attack
used to gain information about a network for other attacks
-
replay attack
capturing data in a session in hopes of later impersonating one of the parties in that session
-
defense against replay attack
- timestamps
- sequence numbers (e.g. Kerberos)
-
Pharming
redirects website traffic to another website by modifying the client's hosts file
-
XSRF
- Cross-site forgery
- can allow attackers to steal information and perform actions
-
LDAP injection
attempts to access or modify data hosted on directory service servers
-
attack attempting to access a back-end server through another server
transitive access attack
-
SLE
- single loss expectancy
- the cost of any single loss
-
ARO
annual rate of occurrence
-
ALE
- annual loss expectancy
- single loss expectancy (SLE) * ARO (rate of occurrence)
-
ALE equation
ALE = SLE * ARO
-
MTBF
- Mean time between failures
- usually in hours
- higher MTBF is better
-
MTTF
- mean time to failure
- average amount of time until equipment breaks
-
MTTR
mean time to recover
-
helps determine what protocols and services are running on a remote system
port scanner
-
determines the security posture of a system by identifying vulnerabilities and weaknesses
vulnerability assessment
-
black box tester
has no prior knowledge of the system before pen testing
-
white box tester
has full knowledge of the system prior to testing
-
helps an organization ensure they are following their own policies (least privilege, etc.)
routine audits
-
ensures users only have access they need and no more
user rights and permissions review
-
RAID-0
- striping
- no fault tolerance
- two or more disks with files striped across them
-
RAID-1
- mirroring
- you can also add an additional disk as a disk controller
-
RAID-5
- requires three or more drives
- one drive can fail with continued operation
-
RAID-6
- requires four disks
- two drives can fail with continued operation
-
RAID-10
combines mirroring and striping
-
BIA
- business impact analysis
- helps an organization identify critical systems and components that are essential to the organization's success
- also identifies maximum downtime limits
-
RTO
- recovery time objective
- maximum time it should take to recover after an outage
-
RPO
- recovery point objective
- a point in time where data loss is acceptable
-
hot site
a place where you can immediately restore operations, including everything that is required
-
includes a hierarchy of critical systems and the order to restore them in
disaster recovery plan
-
final phase of disaster recovery
lessons learned
-
stream cipher
- encrypts one bit at a time
- opposite is the block cipher
-
2 most popular hash algorithms
-
verifies both integrity and authenticity of a message by use of a shared secret
HMAC
-
creates 224-512 bit hashes
SHA-2
-
AES info
- 128, 192, or 256-bit block cipher
- symmetric
-
3DES and DES
- Data Encryption Standard
- Both are symmetric 64-bit block ciphers
-
RC Ciphers (like RC4)
- symmetric, stream
- 40 - 2048 bit
-
Blowfish
- symmetric, 64-bit block cipher
- 32 - 488 bit key
-
Twofish
- symmetric, 128-bit block cipher
- 128 - 256-bit key
-
Diffie-Hellman (ECDHE)
secure method of sharing symmetric keys over a public network
-
elliptic curve cryptography
commonly used with small devices
-
sender's private key (digital signature)
encrypts
-
sender's public key (digital signature)
decrypts
-
recipient public vs private key
- Recipient's public key encrypts
- Recipient's private key decrypts
-
web site encryption
- web site public key encrypts
- web site private key decrypts
-
web site session encryption
symmetric key encrypts
-
Bcrypt and PBKDF2
- key stretching techniques
- help prevent brute force attacks and rainbow table attacks
- salt the password with additional bits