Security+ Module 2 - Technology and Tools notes
You must know the basic networking concepts to pass the Security+ exam
IPsec VPNs involve
- Encapsulating Security Payload (ESP) - designed to provide a mix of security services (i.e. confidentiality, data origin authentication, connectionless integrity, anti-replay, etc.) in IPv4 and IPv6 between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host (see IETF RFC 4303 for more information).
- IP Authentication Header (AH) - used to provide connectionless integrity and data origin authentication for IP datagrams and protection against replays, but no confidentiality (see IETF RFC 4302).
- Security Associations (SAs) - a relationship between two or more entities that describes how the entities will use security services to communicate securely; an SA is one-way, so a two-way IPsec connection needs one SA in each direction (see Cisco's documentation, IPSec Overview Part Five: Security Associations by Andrew Mason, 22 February 2002, for more information)
Network Detection Systems
Open Authorization and Authentication
allows users to sign in to a website (e.g. Zoom) with credentials from a popular identity provider (e.g. Google/GMail or Facebook) and involves the following services:
- OAuth - Authorization protocol that works across a variety of web services; it grants delegated access to resources and does not by itself prove who the user is
- OpenID (OpenID Connect) - Provides the authentication layer on top of OAuth 2.0
Things to look out for when cleaning up Access Control Lists (ACLs) in firewalls and routers
- Shadowed Rules - Never matched because an earlier rule in the list already covers all of their traffic
- Promiscuous Rules - Rules that violate the concept of least privilege (e.g. permit any source to any destination on any port)
- Orphaned rules - Rules left behind for decommissioned hosts, networks or services
It is a good idea to use NetFlow to analyze the traffic that actually flows through the network and verify these ACLs are clean and properly configured (a rule that never gets a hit is a candidate for removal).
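As an added worked example (not from the original notes or any vendor's tooling): a small Python checker that flags the three rule problems above in a constructed ACL. The rule format, the sample rules, the addresses and the list of decommissioned hosts are assumptions for illustration; real firewall syntax varies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str               # CIDR; "0.0.0.0/0" means any
    proto: Optional[str]   # "tcp", "udp", "icmp" or None for any
    port: Optional[int]    # destination port or None for any


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet matched by `inner` would already match `outer`."""
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.proto is not None and outer.proto != inner.proto:
        return False
    if outer.port is not None and outer.port != inner.port:
        return False
    return True


def shadowed(rules):
    """Rules that can never fire because an earlier rule covers them entirely."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(prev, r) for prev in rules[:i])]


def promiscuous(rules):
    """Permit rules with any source, any destination, any protocol and any port."""
    return [r.name for r in rules
            if r.action == "permit"
            and _net(r.src).prefixlen == 0 and _net(r.dst).prefixlen == 0
            and r.proto is None and r.port is None]


def orphaned(rules, decommissioned):
    """Rules whose source or destination is exactly a decommissioned host."""
    dead = {_net(h) for h in decommissioned}
    return [r.name for r in rules if _net(r.src) in dead or _net(r.dst) in dead]


# Constructed sample ACL (hypothetical addresses and rule names)
ACL = [
    Rule("R1", "permit", "10.0.0.0/8",  "192.168.1.10/32", "tcp", 443),
    Rule("R2", "deny",   "0.0.0.0/0",   "192.168.1.10/32", "tcp", 443),
    Rule("R3", "permit", "10.1.0.0/16", "192.168.1.10/32", "tcp", 443),  # shadowed by R1
    Rule("R4", "permit", "0.0.0.0/0",   "0.0.0.0/0",       None,  None), # promiscuous
    Rule("R5", "permit", "10.2.2.2/32", "192.168.9.9/32",  "tcp", 22),   # orphaned, and shadowed by R4
]
DECOMMISSIONED = ["192.168.9.9"]  # assumed entry from the asset inventory

if __name__ == "__main__":
    print("shadowed:   ", shadowed(ACL))
    print("promiscuous:", promiscuous(ACL))
    print("orphaned:   ", orphaned(ACL, DECOMMISSIONED))
```

R2 is not shadowed: it is broader than R1, so packets from outside 10.0.0.0/8 still reach it. R5 shows why a promiscuous rule is doubly harmful: besides permitting everything, it shadows every rule placed after it. Correlate the checker's output with NetFlow hit counts before deleting anything.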
Security Information and Event Management (SIEM)
- Central, Secure Collection point for logs
- Correlation and analytics across log sources (often marketed as Artificial Intelligence (AI))
- Write Once Read Many (WORM) - Prevents unauthorized changes
- Synchronizing system clocks via Network Time Protocol (NTP)
- Continuous Security Monitoring
- Data Loss Prevention (DLP)
- Host-Based - Uses software on a single system
- Network-Based - Scans network transmissions for sensitive information
- Pattern Matching
- Watermarking (e.g. Spirion)
- Cloud-based - systems operate online to protect sensitive data, using a combination of methods (e.g. Google Cloud DLP)
- Network Access Control (NAC) - Controls admission to the network, typically via IEEE 802.1X port-based authentication
- Role-Based
- Posture-Checking
- Persistent Agent
- Dissolvable Agent
- Agentless
- Secure Email Gateways - provides email protection from threats that come from spam, phishing and malicious attachments (e.g. Kaspersky's Secure Mail Gateway)
- Text
- Signature
- URL Filtering
- Data Sanitization Tools (e.g. Blancco [recommended for enterprise use] and DBAN [free, but not recommended for enterprise use])
- Steganography- Hide data in large files (e.g. QuickStego).
- Protocol Analyzers, such as:
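As an added worked example for the DLP pattern-matching bullet above (not from the original notes or any DLP product): a Python scanner that finds payment card numbers in text, uses the Luhn check digit to drop look-alike digit strings such as order numbers, and masks each finding so the alert itself does not leak the data. The sample text is constructed.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, the same way receipts do."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cards(text: str):
    """Return masked card numbers found in text; pattern match first, Luhn to cut false positives."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample: one real-format card, one order number, one typo'd card, one phone number
SAMPLE = ("Customer paid with card 4111 1111 1111 1111, order 1234567890123456, "
          "backup card 4111-1111-1111-1112, support line 555-123-4567.")

if __name__ == "__main__":
    print(find_cards(SAMPLE))
```

Only the first number survives: the order number and the mistyped card fail the Luhn check, and the phone number is too short to match. A production DLP policy would add further patterns (SSNs, API keys, customer IDs) and rate the finding by count and context, but the pattern-plus-validator structure is the same.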
Network Scanning
Command-Line Network Tools
- Packet InterNet Groper (PING or ping) - uses Internet Control Message Protocol (ICMP) echo request/reply packets to troubleshoot and verify network connectivity between hosts
- traceroute (tracert on Windows) - maps out the path that packets take from one host to another by sending probes with increasing TTL values (tracert uses ICMP; Linux traceroute uses UDP probes by default)
- ifconfig (ipconfig on Windows; ip addr on modern Linux) - Provides information about the network Internet Protocol (IP) configuration of a host
- arp - Displays and modifies the Address Resolution Protocol (ARP) cache (IP address to MAC address mappings)
- netstat (ss on Linux) - shows active connections, listening ports, routing tables and interface statistics
- Netcat (nc) (not built into Windows) - reads and writes data across network connections, using the TCP or UDP protocols
DNS Harvesting
- nslookup - Resolves fully qualified domain names to IP addresses (e.g. www.ninestar.org = 104.196.121.221); ships with Windows and is also available on Linux and Mac
- dig (Linux and Mac) - does nearly the same thing as nslookup and shows the full DNS response, including record types and TTLs
- whois (not built into Windows) - A command-line or web utility that provides information about domain ownership. Some domains use privacy services or block this information, which will result in "No Data Available"
- Reverse Whois (e.g. ViewDNS - Reverse Whois) - Provides information about the different domains that someone owns.
Know how SNMP version 3 works, namely the authentication, privacy (encryption) and access-control features that versions 1 and 2c lack (they send the community string in clear text), and the following SNMP operations:
- get for read operations to gather data from a managed device,
- set for write operations to change a value on a managed device &
- trap for an unsolicited alert that the agent sends to the manager when a defined event occurs.
Know the difference between a NAS (file-level storage shared over the regular network, e.g. via SMB or NFS) and a SAN (block-level storage over a dedicated storage network, e.g. Fibre Channel or iSCSI) - See the Geeks for Geeks article on those differences for more information.
Wireless Access Concepts
- Wi-Fi Protected Access (WPA) uses TKIP (RC4-based; deprecated)
- WPA2 uses CCMP, which is based on AES
- Pre-Shared Keys (PSK) - one passphrase shared by everyone; a weak passphrase can be cracked offline from a captured handshake
- Enterprise Authentication (802.1X with a RADIUS server)
- Extensible Authentication Protocol (EAP) - A framework; simple methods such as EAP-MD5 are insecure
- Lightweight EAP (LEAP) - Insecure (Cisco proprietary, crackable)
- Protected EAP (PEAP) - Secure (a TLS tunnel protects the inner authentication)
- EAP-TLS - Mutual certificate-based authentication; the strongest option but requires client certificates
- EAP-TTLS - TLS tunnel with a server certificate only; inner authentication can use legacy methods
- EAP-FAST - Cisco's replacement for LEAP; uses a Protected Access Credential (PAC) instead of certificates
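As an added example (not from the original notes): how a WPA2-PSK passphrase becomes the Pairwise Master Key (PMK), and why a weak passphrase is an offline-crackable secret. The derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits, SSID as salt) is the IEEE 802.11i one, and the passphrase/SSID pair "password"/"IEEE" is the standard's published test vector. The dictionary attack here compares candidate PMKs directly; a real attacker verifies each guess against the MIC of a captured 4-way handshake, which this example assumes away. The wordlist is constructed.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def crack_psk(target_pmk: bytes, ssid: str, wordlist):
    """Offline dictionary attack: derive the PMK for each candidate and compare.
    Assumption for this demo: we compare PMKs; in practice the check is against the
    handshake MIC, since the PMK itself is never transmitted."""
    for candidate in wordlist:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Published 802.11i test vector: passphrase "password", SSID "IEEE"
KNOWN_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# Constructed wordlist for the demonstration
WORDLIST = ["letmein", "Welcome1", "password123", "password"]

if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK matches 802.11i test vector:", pmk.hex() == KNOWN_PMK_HEX)
    print("recovered passphrase:", crack_psk(pmk, "IEEE", WORDLIST))
```

Two things to take from it: 4096 PBKDF2 iterations only slow a guess down, they do not stop a dictionary attack on a guessable passphrase, and because the SSID is the salt, precomputed tables only work per SSID (which is why default SSIDs are a bad idea). Enterprise authentication with EAP-TLS removes the shared passphrase entirely.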
Troubleshooting Authentication and Authorization Issues
- Use encrypted connections
- Investigate access violations
- Troubleshooting Digital Certificates
- Investigate certificate errors
Device Configuration Issues
- Patch devices to avoid Security issues
- Avoid weak cryptography (e.g. DES, RC4, MD4, MD5, SHA1)
- Disable default administrative accounts
- Troubleshoot content filter issues
- Troubleshoot wireless authentication issues
Change and Configuration Management
- Request For Change (RFC)
- Configuration Management
- Baselines
- Software Configuration Management
- Versioning
Physical Asset management
- Build and Asset Inventory
- Keep Asset Inventory updated
- Media management
Handle Policy Violations Carefully!
Insider threat is significant
- Background investigations on new employees and candidates
- Monitoring
- Manager Training
- Data Loss Prevention (DLP)
- Employment Agreements (including NDAs and returning company equipment)
- A plan for exiting employees
- Employee Privacy
- Minimization - collect and retain only the personal data you need
- Limit the employees who have access to it; use encryption and masking
Social Networking Security
- Mitigate the hijacking of legitimate accounts with multifactor authentication
- Manage Social Media Accounts properly
Personnel Safety - Safety 1st
- Panic Buttons
- Duress Code
- Travel Advisories
Host Security
- Operating System Security is critical
- Security Settings
- Patch Management (updates) - For example, sudo yum update on a Linux system
- System Hardening (locking down systems to least functionality for job or reducing the attack surface)
- Trusted Operating Systems (gone through formal evaluation)
- Malware Prevention
- Viruses - Malicious software that requires a user action to spread
- Trojan Horses - Disguise themselves as legitimate software
- Spyware - Gathers information without the user's knowledge
- Worms - Spread on their own power, typically by exploiting network services
- Sandboxing - running untrusted software in an isolated environment so it cannot affect the rest of the system
- Malware detection
- Signature Detection
- Behavior Detection
- Spam Filtering (removes unwanted email)
- Send Malware logs to a centralized system
- Application Management
- Application Control
- White Listing
- Black Listing
- Send application control logs to your SIEM or log repository for analysis
- Patch all software on all systems
- Do host Software Baselining
- Hostbased Network Security Controls
- Firewalls
- Network Firewalls - Hardware (or virtual appliances) that regulate connections between networks
- Host Firewalls - Software that exists on a host to protect the host
- Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS) Technology
- File Integrity Monitoring (FIM) - Defense in depth strategy
- Hash function to verify integrity (a stored baseline of file hashes is compared against current hashes)
- Tuning is critical! (e.g. Tripwire on Linux systems; exclude files that legitimately change, such as logs, or the alerts become noise)
- Removable media control
- Send logs to SIEM or log repository for analysis
- Data execution prevention
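As an added example of the FIM bullets above (not from the original notes, and not Tripwire's code): a minimal Python file-integrity monitor that records a SHA-256 baseline of a directory tree, compares a later snapshot, and reports added, removed and modified files, with an exclusion list to show the tuning point. The demo runs against a temporary directory with constructed files; the paths under it are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, exclude=()) -> dict:
    """Map relative path -> hash for every regular file under root, skipping excluded prefixes."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in exclude):
            continue  # tuning: volatile paths (logs, caches) would otherwise alert on every run
        snap[rel] = hash_file(p)
    return snap


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots; any non-empty list is an integrity event worth sending to the SIEM."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "var" / "log" / "auth.log").write_text("login ok\n")
        excluded = ("var/log/",)
        base = baseline(root, exclude=excluded)

        # Simulated changes: weakened config, deleted file, dropped script, and normal log growth
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "var" / "log" / "auth.log").write_text("login ok\nlogin ok\n")
        return compare(base, baseline(root, exclude=excluded))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The log file grew between snapshots but is not reported because it is excluded; the three configuration changes are. In a real deployment the baseline must be stored somewhere the monitored host cannot silently rewrite it (signed, or on a separate system), otherwise an attacker with root simply re-baselines after tampering.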
Mobile Device Security
- Mobile Connection Methods
- Near-Field Communication (NFC) and Bluetooth
- ANT networks
- Infrared (IrDA) require clear paths
- USB Connections
- Mobile Device Security
- Password
- Biometric devices
- Encrypt device data
- Remote wiping
- Set to lock after a brief period of time
- Mobile Device management (MDM)
- device configuration
- prevent from modifying security settings
- Control data on device
- Application Control
- Black listing
- White listing
- Storage Segmentation (e.g. Google Device Management - Mobile)
- Containerization - Process sensitive data inside a secure, encrypted container app, separated from personal data
- Mobile device tracking
- Inventory Control is critical! Asset Tracking Software is recommended.
- Geo-Location - real-time location of devices
- Geofencing - alerts when leaving designated area
- GPS Use Limits
- Mobile Application Security
- Limit Apps that users may install
- Require authentication via transitive trust
- Require strong passwords
- Rely on central authentication
- External Authentication
- Context-Aware Authentication - factors include
- Physical location (geosensing)
- Type of request
- specific Device
- Privileged access
- User Behavior
- Encrypt sensitive information
- Geotagging
- Mobile Security Enforcement
- 3rd party app stores can be risky because they allow sideloading of unvetted applications
- Watch for Jailbreaking
- Patch Mobile Devices
- Restricting Device Feature Use
- Bring Your Own Device (BYOD)
- Employees bring their own devices
- BYOD Policy Issues should be addressed properly
- BYOD Onboarding
- BYOD Offboarding
- BYOD organizational & technical issues
- Mobile Deployment Models
- Choose Your Own Device (CYOD)
- Company Owned and Personally Enabled (COPE)
- Virtual Desktop
Securing Protocols