Managing The Network
Managing Risk
- What is Risk Management?
- Security policies are documents with broad overview statements.
- Security controls provide more details.
- Procedures discuss specific implementation of policies.
- Security Policies
- Security policies document for users how to access system resources and what use is allowable and acceptable.
- Safety policies apply to the IT department, too!
- NDAs, software licensing, & data restrictions need to be considered to protect an organization.
- A.U.P. (Acceptable Use Policy)
- What can people do with company equipment?
- defines ownership;
- web-site access;
- access times;
- R.A.P. (Remote Access Policy)
- VPN usage;
- Authentication rules;
- Password Policy
- IT Safety Policy
- Lifting equipment;
- Equipment handling;
- Spills;
- Procedures;
- License Restrictions
- International Export Controls
- Military information;
- Nuclear information;
- License keys;
- Change Management
- The change management team handles infrastructure-level changes.
- The change process includes requests, types of changes, configuration procedures, rollback, & more.
- The end game is documentation of all the changes made.
- Documentation is the last step in the change management process.
- Strategic change vs. infrastructure change.
- Change Request document:
- Type of change
- Configuration procedures
- Rollback Process
- Potential Impact
- Notification
- User Training
- Network techs get called on for user training.
- Train users on acceptable use & password policies.
- Users should recognize social engineering and avoid malware!
- *One of the most important parts of security is user training!
- Standard Business Documentation
- Standard business documentation is common in networking.
- Standards on the exam include SLA, MOU, MSA, & SOW.
- SLA (Service Level Agreement)
- Between a customer and a service provider
- Scope, quality, and terms of service to be provided.
- Definition of the service provided
- Equipment
- Technical support
- MOU (Memorandum of Understanding)
- Defines an agreement between 2 parties
- Used where a legally binding contract is inappropriate
- Definition of agreed duties and timeframe
- MSA (Master Service Agreement)–an umbrella contract that fixes the general terms (payment, liability, confidentiality) between a vendor and a customer; the individual pieces of work are then defined in SOWs written under it.
- SOW (Statement Of Work)
- Legal contract between 2 parties (vendor & customer)
- Defines services to be performed/supplied
- Defines time frame/deliverables
- Defines milestones and how progress is measured
- Mitigating Network Threats
- Implement proper mitigation techniques to protect your network.
- Start with training & awareness, as well as patch management.
- Complete with policies, procedures, & incident response.
- *Mitigating Threats:
- Training & Awareness;
- Patch Management;
- Policies & procedures;
- Incident Response.
- High Availability
- *High availability is supported with fault tolerance & redundancy.
- High availability means that services aren’t lost, not how fast they are recovered.
- RAID array, redundant power supply, UPS, clustering, and failover systems are high availability methods.
- RAID arrays, Link Aggregation of multiple NICs & redundant systems such as power supplies, routers, etc. will help keep systems running in the event of a failure.
Protecting Your Network
- Denial of Service
- Denial of service attacks prevent others from accessing a system.
- Distributed denial of service uses multiple systems to attack a single host.
- DoS attacks can broadly be broken down into volumetric, protocol, and application attacks.
- Volumetric attacks–flood the link with sheer traffic volume; ex: ping floods, UDP floods.
- Protocol attacks–abuse the way a protocol is handled so the target exhausts state or processing capacity; ex: SYN flood (TCP SYN attack), where half-open connections pile up until the connection table is full.
- Application attacks–target the application layer with a small number of slow or expensive requests; ex: Slowloris.
- Amplification attacks–small requests with a spoofed source address elicit much larger replies that land on the victim; ex: Smurf attack.
- DDoS (Distributed Denial of Service) attack–many compromised systems attack at once; ex: botnets.
- Live attack-map websites (the Norse Corporation map was a well-known example) show real-time attack traffic.
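How a SYN flood looks to a device in front of the server, as an added example that is not part of the original notes: a small Python tracker that counts half-open connections per source and computes the global SYN:ACK ratio over a constructed packet list. The addresses, timestamps and the threshold of 20 half-open entries are assumptions, not values from the notes.

```python
"""Half-open (SYN) connection tracker over constructed packet records.

A TCP SYN flood is a protocol attack: the attacker sends many SYNs and never
completes the handshake, so the victim's half-open connection table fills
up. The records below are constructed sample data, not a real capture:
(timestamp, source_ip, destination_port, tcp_flags).
"""
from collections import defaultdict

SAMPLE_PACKETS = [
    (0.00, "203.0.113.7", 443, "S"),      # normal client sends SYN ...
    (0.01, "203.0.113.7", 443, "A"),      # ... and completes the handshake
    (0.02, "198.51.100.9", 443, "S"),
    (0.03, "198.51.100.9", 443, "A"),
] + [
    # flood source: 50 SYNs, never an ACK (assumed attacker address)
    (0.10 + i * 0.001, "192.0.2.66", 443, "S") for i in range(50)
]


def track_half_open(packets, threshold: int = 20) -> dict:
    """Return {source_ip: half_open_count} for sources at or above threshold.

    A pure SYN opens a half-open entry for its source; the client's ACK (the
    third handshake step) closes one. A source that leaves many entries
    open is behaving like a flood source. Only client-side packets are
    tracked, which is what a firewall or IDS in front of the server sees.
    """
    half_open = defaultdict(int)
    for _ts, src, _dport, flags in packets:
        if "S" in flags and "A" not in flags:          # pure SYN
            half_open[src] += 1
        elif "A" in flags and half_open[src] > 0:      # handshake completed
            half_open[src] -= 1
    return {src: n for src, n in half_open.items() if n >= threshold}


def syn_ack_ratio(packets) -> float:
    """Global SYN:ACK ratio; close to 1 is healthy, much larger means a flood."""
    syns = sum(1 for p in packets if "S" in p[3] and "A" not in p[3])
    acks = sum(1 for p in packets if "A" in p[3])
    return syns / acks if acks else float("inf")


if __name__ == "__main__":
    print("suspected flood sources:", track_half_open(SAMPLE_PACKETS))
    print("SYN:ACK ratio: %.1f" % syn_ack_ratio(SAMPLE_PACKETS))
```

A real client completes the handshake within milliseconds, so its half-open count drops back to zero; a flood source's count only grows. Mitigations such as SYN cookies and per-source rate limits on the firewall react to exactly this signal, and the same counting idea applies to a UDP flood if you count datagrams per source instead of half-open connections.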
- Malware
- Software running on your system that:
- A). You don’t want there; &
- B). It may or may not be doing bad things.
- Viruses do things to files and then propagate;
- Spyware and keyloggers collect keystrokes and other information.
- Ransomware & logic bombs can devastate systems.
- Polymorphic & armored malware are hard to detect and destroy.
- Virus–characteristics:
- Attach to other files
- Spread to other devices
- Propagate
- Activate
- Adware–programs that try to put ads up; usually web-centric.
- Spyware–malware that hides on the system while “phoning home,” tracking what you’re doing (web browsing, etc.) and stealing cookie information.
- Trojan Horse & RATS
- Trojans (old-fashioned classic Trojans)–software that does one thing up front but also does something malicious in the background. They are NOT like viruses: they don’t propagate on their own.
- RATs (Remote Access Trojans)–a Trojan that does nothing harmful, or doesn’t activate at all, UNTIL someone at a remote location manually turns it on and tells it what to do. (More modern & common these days.)
- Ransomware/Crypto-Malware–type of malware that locks the system or holds it hostage until an amount of money is paid.
- Logic Bomb–some similarities to RATs; logic bombs are triggered by an event. (Ex: a disgruntled employee plants a logic bomb that only goes off if an administrator disables that employee’s account, say because they were fired.)
- Rootkit & Backdoor–these can be used for legitimate purposes, but usually are not!
- Rootkit–software that obtains administrator- or kernel-level privileges and uses them to hide itself (and other malware) from the operating system and security tools. Rootkits are notoriously hard to detect!
- Backdoor–an intentionally built-in way to get into a program or system that bypasses normal authentication.
- Polymorphic Malware, Keyloggers, & Armored Viruses–these are techniques malware uses to evade detection or to collect information.
- Polymorphic malware changes its own code so that it no longer matches the signatures an anti-malware program looks for; very common nowadays.
- Armored viruses are hard for anti-malware to detect: they use superfluous or obfuscated code to confuse the reverse engineers (and analysis tools) at anti-malware companies.
- Keylogger–record keystrokes to capture private information, collect information!
- can be a characteristic of malware
- can also be attached to dongles or USB device that’s plugged in physically.
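Why a byte signature fails against polymorphic code, as an added example that is not from the original notes. The "payload" is a harmless constructed string standing in for a malicious body, the XOR decoder and the STUB_MAGIC marker are hypothetical, and nothing here is real malware. The point is that the stored bytes change with every copy while the decoded content (and therefore the behaviour) does not, so the detector has to key on what stays constant, or decode first.

```python
"""Byte signatures vs. a polymorphic sample (constructed, harmless data).

A polymorphic sample re-encodes its body with a fresh key on every copy and
prepends a small decoder, so the bytes on disk differ each time while the
decoded content is identical. A scanner keyed on the exact bytes of one
copy misses every other copy; a detector has to match what stays constant
(here, the decoder stub) and decode, or emulate, before judging.
"""
import hashlib

PAYLOAD = b"CONSTRUCTED-SAMPLE: write autorun entry, phone home, log keys"
STUB_MAGIC = b"\x90\x90XORDEC"   # hypothetical decoder-stub marker (an assumption)


def make_variant(payload: bytes, key: int) -> bytes:
    """One 'polymorphic' copy: stub || 1-byte key || (body XOR key)."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body unencoded")
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key]) + body


def decode_variant(blob: bytes) -> bytes:
    """What the stub does at run time: read the key and undo the XOR."""
    key = blob[len(STUB_MAGIC)]
    return bytes(b ^ key for b in blob[len(STUB_MAGIC) + 1:])


# Scanner 1: classic signature, the hash of the bytes of the first sample seen.
def byte_signature(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def matches_signature(sample: bytes, signature: str) -> bool:
    return byte_signature(sample) == signature


# Scanner 2: key on the invariant stub, decode, then look for a known marker.
def matches_heuristic(sample: bytes, marker: bytes = b"phone home") -> bool:
    if not sample.startswith(STUB_MAGIC) or len(sample) <= len(STUB_MAGIC):
        return False
    return marker in decode_variant(sample)


def evaluate(n_variants: int = 5) -> tuple:
    """Take a signature from one copy, then count hits on n fresh copies.

    Returns (signature_hits, heuristic_hits). Fresh copies use keys 1..n,
    none of which equals the 0x5A key of the copy the signature came from.
    """
    signature = byte_signature(make_variant(PAYLOAD, 0x5A))
    variants = [make_variant(PAYLOAD, key) for key in range(1, n_variants + 1)]
    sig_hits = sum(matches_signature(v, signature) for v in variants)
    heur_hits = sum(matches_heuristic(v) for v in variants)
    return sig_hits, heur_hits


if __name__ == "__main__":
    print("signature hits, heuristic hits:", evaluate())   # (0, 5)
```

An armored virus adds the next layer on top of this: the decoder stub itself is padded with junk instructions and anti-debugging checks, so even the "decode first" step becomes expensive to automate, which is why modern anti-malware leans on behaviour (what the code does once running) rather than on bytes alone.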
- Social Engineering–involves interacting with people (or their trash!) to glean information of value!
- Social engineering comes in many forms.
- Shred documents to protect against dumpster diving.
- Educating users protects against shoulder surfing & phishing.
- Dumpster Diving–easily stopped with a shredder.
- Use a screen filter to thwart shoulder-surfing.
- Use a password enabled screen-saver.
- Phishing–many different types and forms
- Whaling (whale phishing)–phishing aimed at a big catch: executives and other high-value targets;
- Spear phishing–trying to zero in on one particular person to get their information.
- Access Control
- Access control is an important part of network security.
- Stateless firewalls look at each packet on its own and filter on header fields (source/destination IP address, port, protocol).
- Stateful firewalls track the state of each conversation and use that context to decide which packets to block.
- A firewall is hardware or software that filters traffic between your system or network and the evils of the Internet!
- 2 Kinds of Firewalls: Stateless Firewalls & Stateful Firewalls
- Stateless firewall–the simplest kind; it inspects every packet as it arrives and makes an allow/deny decision from that packet alone, with no memory of earlier packets.
- Stateful firewall–keeps a state table of connections, so an inbound packet is allowed if it belongs to a conversation an inside host started, and blocked otherwise.
- *Access Control gives you control & understanding of what’s going in & out of your computer.
- Firing up Wireshark to see what’s going in and out of your network, then using ACLs (Access Control Lists) to filter the services you want to let in or out, will really make you understand what goes on inside that router of yours!
- Man-in-the-Middle-Attacks–technical attacks that gather data (usernames, passwords, etc)
- To start a man-in-the-middle attack, one must first “get in the middle” of the conversation.
- Once in the middle, the attacker decides what to do with the information obtained (read it, alter it, or replay it).
- The type of network can make the man-in-the-middle attack easier or more difficult.
- M-I-T-M attack is a 3rd party interception between a two-party conversation.
- Uses the information to the third-party’s advantage.
- Wireless Man-in-the-Middle
- Bluetooth & NFC
- Wired Man-In-The-Middle
- Spoofing
- Ettercap–old, free penetration testing tool; Ettercap comes with Kali Linux.
- IP Address Spoofing
- ARP Poisoning
- Typosquatting (aka URL hijacking)
- “Typosquatting the DNS” is not a real attack type: typosquatting and DNS poisoning are two separate attacks that should not be mixed up.
- Typosquatting is simply creating an Internet resource, such as a website, at a misspelling of a “real” website’s name, to catch users who mistype it.
- DNS poisoning corrupts DNS records (for example, in a resolver’s cache) so that requests for a legitimate name are redirected to a host the attacker controls.
- Domain hijacking
- Manipulating the M.I.T.M. data
- Replay attack
- Downgrade attack
- Session hijacking
- Firesheep
- Two parts of M.i.t.m. attacks:
- What are you going to do to get into the stream?, and
- What are you going to do with that data once you have it?
- 2 separate issues that are handled differently.
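Detecting the ARP poisoning that sets up a wired man-in-the-middle, as an added example that is not part of the original notes. The ARP records, IP addresses and MAC addresses are constructed, and the two-second solicitation window is an assumption; the logic (remember the first MAC seen for each IP, alert on bindings that change and on replies nobody asked for) is what tools such as arpwatch do.

```python
"""ARP-poisoning detector over constructed ARP traffic.

ARP carries no authentication: anyone on the segment can claim to own the
gateway's IP, and hosts believe the latest reply, even an unsolicited one.
Once the victim maps the gateway IP to the attacker's MAC (and the gateway
maps the victim's IP to it too), all traffic between them flows through
the attacker. Addresses, MACs and the 2-second window are assumptions.
"""
from collections import namedtuple

Arp = namedtuple("Arp", "ts op sender_ip sender_mac target_ip")   # op: 1=request, 2=reply

GATEWAY_MAC = "00:11:22:33:44:01"
ATTACKER_MAC = "de:ad:be:ef:00:66"

SAMPLE = [
    Arp(1.0, 1, "192.0.2.10", "aa:aa:aa:aa:aa:10", "192.0.2.1"),  # victim: who has the gateway?
    Arp(1.1, 2, "192.0.2.1", GATEWAY_MAC, "192.0.2.10"),           # real gateway answers
    Arp(5.0, 2, "192.0.2.1", ATTACKER_MAC, "192.0.2.10"),          # attacker: "I am the gateway"
    Arp(5.1, 2, "192.0.2.10", ATTACKER_MAC, "192.0.2.1"),          # attacker: "I am the victim"
]


def detect_arp_poisoning(packets, request_window: float = 2.0) -> list:
    """Return alerts as (ts, reason, ip, previous_mac, new_mac) tuples."""
    ip_to_mac = {}      # first binding observed per IP (learned from requests and replies)
    pending = {}        # (requester_ip, asked_ip) -> time of the request
    alerts = []
    for p in packets:
        first = ip_to_mac.setdefault(p.sender_ip, p.sender_mac)
        if first != p.sender_mac:
            alerts.append((p.ts, "ip-mac changed", p.sender_ip, first, p.sender_mac))
        if p.op == 1:
            pending[(p.sender_ip, p.target_ip)] = p.ts
            continue
        # a reply is solicited only if its target asked about this IP recently
        asked_at = pending.pop((p.target_ip, p.sender_ip), None)
        if asked_at is None or p.ts - asked_at > request_window:
            alerts.append((p.ts, "unsolicited reply", p.sender_ip, None, p.sender_mac))
    return alerts


def suspect_macs(alerts) -> set:
    """MACs that rewrote an existing binding: candidates to block at the switch."""
    return {new for _ts, reason, _ip, _old, new in alerts if reason == "ip-mac changed"}


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE)
    for alert in found:
        print(alert)
    print("block:", suspect_macs(found))
```

Gratuitous ARP is also legitimate (a host announcing itself at boot, or a cluster failing over to a new MAC), so an "unsolicited reply" on its own is noisy; the combination worth paging on is a change to the gateway's binding together with unsolicited replies, which is what the constructed traffic above produces. Dynamic ARP Inspection on managed switches stops this class of attack at the port, and static ARP entries for the gateway protect individual critical hosts.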
- Introduction to Firewalls
- Firewalls filter traffic based on specific criteria.
- Firewalls can be network-based or host-based.
- Firewalls come in hardware & software varieties.
- Typical firewall placement is at the edge of the network (i.e., a router with a firewall built in, or a separate dedicated firewall device placed outside the router, between the Internet and the router itself).
- Network firewall protects the network aka a hardware firewall (physical firewall).
- Host-based software firewall is on individual stations.
- UTM (Unified Threat Management)–a UTM can act as a firewall but is also capable of doing much more (intrusion detection/prevention, anti-malware, content filtering, VPN termination)!
- Firewalls
- Stateless firewalls filter based on ports & IP addresses.
- Stateful firewalls track the state of the conversations (creates a “state table”).
- Stateful firewalls can also apply rules by connection state (new vs. established), not only by port and address.
- Context- and application-aware firewalls filter based on the content of packets.
- DPI (Deep Packet Inspection)–application- or context-aware filtering running at Layer 7 of the OSI model.
- DPI–looks inside the data payload!
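The difference between the two kinds of firewall on the same packets, as an added example that is not part of the original notes. Both filters in this Python simulation enforce the same written policy: inside hosts may go out, and from outside only TCP/443 to the web server is allowed as an explicit inbound exception (the kind of rule the Network Protection Scenarios at the end of these notes call for). The addresses and packets are constructed and the policy is an assumption. The stateless filter has to approximate "return traffic" with "inbound packets carrying the ACK flag" (what the `established` keyword in a Cisco ACL matches), and an attacker can satisfy that by setting ACK on a probe; the stateful filter consults its state table instead.

```python
"""Stateless vs. stateful filtering of the same constructed packets.

Policy (assumed): hosts in 10.0.0.0/24 may open connections to anywhere;
from outside, only TCP/443 to the web server 10.0.0.80 is allowed (the
explicit inbound exception); everything else inbound is denied. A stateless
filter has no memory, so 'let replies to our connections back in' can only
be written as 'allow inbound packets with ACK set'. A stateful filter
records each outbound connection and admits inbound packets only when they
match an entry in that state table.
"""
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction src sport dst dport flags")
INSIDE = ipaddress.ip_network("10.0.0.0/24")
WEB_SERVER, WEB_PORT = "10.0.0.80", 443


def _from_inside(p: Pkt) -> bool:
    return p.direction == "out" and ipaddress.ip_address(p.src) in INSIDE


def _inbound_exception(p: Pkt) -> bool:
    return p.direction == "in" and p.dst == WEB_SERVER and p.dport == WEB_PORT


def stateless_filter(packets) -> list:
    """ACL-style: every decision comes from the packet's own headers."""
    decisions = []
    for p in packets:
        if _from_inside(p) or _inbound_exception(p):
            decisions.append(True)
        elif p.direction == "in" and "A" in p.flags:
            decisions.append(True)    # looks 'established'; nothing verifies that
        else:
            decisions.append(False)
    return decisions


def stateful_filter(packets) -> list:
    """Connection tracking: inbound is allowed only as a reply to a known flow."""
    state = set()                     # (inside_ip, inside_port, remote_ip, remote_port)
    decisions = []                    # (a real firewall also ages entries out)
    for p in packets:
        if _from_inside(p):
            state.add((p.src, p.sport, p.dst, p.dport))
            decisions.append(True)
        elif _inbound_exception(p):
            decisions.append(True)
        elif p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in state:
            decisions.append(True)    # genuine return traffic
        else:
            decisions.append(False)
    return decisions


SAMPLE = [
    Pkt("out", "10.0.0.5", 50000, "198.51.100.20", 443, "S"),     # inside host opens HTTPS
    Pkt("in", "198.51.100.20", 443, "10.0.0.5", 50000, "SA"),     # the server's reply
    Pkt("in", "203.0.113.9", 40000, WEB_SERVER, WEB_PORT, "S"),   # outside client to web server
    Pkt("in", "203.0.113.9", 40001, "10.0.0.5", 3389, "A"),       # attacker's ACK probe at RDP
    Pkt("in", "203.0.113.9", 40002, "10.0.0.5", 3389, "S"),       # attacker's plain SYN at RDP
]


if __name__ == "__main__":
    for p, sl, sf in zip(SAMPLE, stateless_filter(SAMPLE), stateful_filter(SAMPLE)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]"
              f"  stateless={'allow' if sl else 'deny'}  stateful={'allow' if sf else 'deny'}")
```

The fourth packet is the point: an ACK scan (`nmap -sA`) passes the stateless filter and lets the attacker map which ports the ACL leaves reachable, while the stateful filter drops it because no inside host ever opened that flow.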
- DMZ (Demilitarized Zone)
- Demilitarized Zone–Anytime you have some number of computers that are exposed to the public internet but separate from your private network!
- A DMZ is an area of a network that hosts public-facing servers.
- Servers in the DMZ are still protected by a firewall.
- A bastion host is a hardened machine that is directly exposed to the public Internet.
- Put exposed computers in the DMZ.
- “Honeypots” (honeyPOTS) invite attacks to capture information. (Can be used for research to collect info.)
- “Honeynets” (honeyNETS) are decoy network sites used to attract attackers.
- Placing a host in the DMZ area exposes it to the public network, so DON’T place all of the internal private network hosts in the DMZ!
- Hardening Devices
- Role separation, access control lists (ACLs), & privileged account security are all examples of user account management.
- Patching, firmware, and driver updates need to be part of the hardening process.
- Keeping ports & unused services disabled, along with certificate management, are good practices.
- User accounts
- Privileged user accounts (be very careful who uses these accounts).
- Role Separation–Use a hierarchy of account roles/permissions.
- Patching/Updating Firmware–Keep your peripheral’s firmware updated and patched!
- Driver updates–keep drivers current; if an update breaks something, a rollback reverts to the last known-good driver.
- Upgrading OS–
- Port Management–disable unused/unneeded ports; Also turn off physical ports that are not needed.
- *Hardening Tip: Shutting down (blocking) software & hardware ports helps limit EXPOSURE!
- Signature/credential management–keep certificates and other credentials current, rotate them, and revoke any that are compromised.
- Vulnerability assessment–identifies known weaknesses, usually done in-house with a scanner.
- Penetration testing–actively tries to exploit weaknesses, done from outside the infrastructure!
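A check for the port-management item above, as an added example that is not from the original notes: a Python audit that compares a host's listening sockets against a baseline for its role. The inventory lines are constructed (a simplified form of what `ss -tulnp` or `netstat -tulnp` print) and the web-server baseline is an assumption.

```python
"""Listening-port audit against a hardening baseline (constructed inventory).

Every listening socket must be justified: it is either on the baseline for
the host's role, or the service gets disabled. Sockets bound to 0.0.0.0 (or
::) are reachable from the network; local-only services should bind
127.0.0.1 (or ::1). Inventory format here: 'proto addr:port process'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


INVENTORY = """\
tcp  0.0.0.0:22      sshd
tcp  0.0.0.0:443     nginx
tcp  0.0.0.0:3306    mysqld
tcp  127.0.0.1:6379  redis-server
udp  0.0.0.0:161     snmpd
tcp  0.0.0.0:23      telnetd
"""

# port -> (expected process, must be loopback-only); assumed 'web server' role
BASELINE = {
    22: ("sshd", False),
    443: ("nginx", False),
    3306: ("mysqld", True),
    6379: ("redis-server", True),
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_inventory(text: str) -> list:
    """Parse 'proto addr:port process' lines; the last ':' separates the port."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, endpoint, process = parts
        addr, port = endpoint.rsplit(":", 1)
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def audit(listeners: list, baseline: dict = BASELINE) -> list:
    """Return findings as (severity, port, message), in inventory order."""
    findings = []
    for l in listeners:
        expected = baseline.get(l.port)
        if expected is None:
            findings.append(("HIGH", l.port,
                             f"{l.proto}/{l.port} ({l.process}) is not in the baseline: "
                             f"disable the service or document a justification"))
            continue
        process, loopback_only = expected
        if l.process != process:
            findings.append(("HIGH", l.port,
                             f"port {l.port} is served by {l.process}, baseline expects {process}"))
        if loopback_only and l.addr not in LOOPBACK:
            findings.append(("MEDIUM", l.port,
                             f"{l.process} on {l.port} is bound to {l.addr}; "
                             f"it should listen on loopback only"))
    return findings


if __name__ == "__main__":
    for severity, port, message in audit(parse_inventory(INVENTORY)):
        print(f"[{severity}] {message}")
```

Run against the constructed inventory it flags the database exposed on all interfaces, an SNMP agent nobody asked for, and a telnet daemon that has no place on a hardened host; the fix for each is the hardening tip above, shut the service (or bind it to loopback) rather than merely filtering the port.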
- Physical Security Controls
- There are 3 types of physical controls:
- deterrent,
- preventative,
- & detective.
- Learn how to identify what falls under all of these types, & how to improve the physical controls.
- Compensating controls are temporarily used if a control is compromised or vulnerable.
- Deterrent physical controls:
- designed to discourage bad guys from even trying to get into the physical infrastructure.
- Outside lighting;
- Signage;
- Security Guards.
- Preventative physical controls:
- Fences, gates, barricades, etc.
- K-ratings (crash-test certifications issued by the U.S. Dept. of State) are super strong fences and barriers designed to stop vehicles.
- “A ‘K’ rating is a Crash Test Certification issued by the Department of State (DOS) to a fence, gate, bollard or barrier that measures the particular stopping power of that barrier in relation to the speed and weight of an incoming vehicle.”
- K-4 stops 15,000 lb vehicles at 30 mph; K-8 stops up to 40mph; K-12 stops at 50 mph!
- Mantrap
- Cabling Systems–use air gaps
- VPNs or VLANs
- Locked cabinets
- Safes
- Faraday cages–shielded enclosures that block electromagnetic signals to protect sensitive electronic equipment.
- Locks & Key Management
- Cable locks
- Screen filters
- Detective Physical Controls
- Alarms/Cameras/Motion detectors/Infrared detectors
- Log files–important in tracking that events have taken place!
- Compensating & Corrective Control
- Testing Network Security
- Open ports allow access into a computer or device.
- Nmap can scan a system and identify open ports, the services behind them, and devices on the network.
- Honeypots & honeynets are designed to bait would-be hackers.
- Tools range from free ones like HoneyBOT to more advanced, expensive commercial products.
- Network+ exam mentions 2 different vulnerability scanners:
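A minimal TCP connect scan against a local decoy listener, as an added example that is not part of the original notes and is not code from Nmap or HoneyBOT. Everything runs on 127.0.0.1, so it is offline and safe: DecoyListener is a hypothetical stand-in for a honeypot (it records every peer that connects, which is the signal a honeypot gives you because no legitimate client should ever touch it), and connect_scan does the simplest thing Nmap does (`nmap -sT`), a full TCP connect to each port.

```python
"""TCP connect scan against a local decoy listener (all on 127.0.0.1).

An open port is one where a TCP connect completes; the decoy logs who
connected, which is exactly the kind of record a honeypot hands to the
security team.
"""
import socket
import threading
import time


class DecoyListener:
    """Accepts on one port and logs the peers that connect (honeypot stand-in)."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)             # lets the accept loop notice _stop
        self.port = self.sock.getsockname()[1]
        self.hits = []                        # (peer_ip, peer_port) per connection
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.hits.append(peer)            # the honeypot's whole job: log who came
            conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def connect_scan(host: str, ports, timeout: float = 0.2) -> list:
    """Return the ports that complete a TCP handshake (i.e. are open)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 = connected, otherwise an errno
                open_ports.append(port)
    return open_ports


def demo() -> tuple:
    """Scan a few ports around the decoy; return (decoy_port, open_ports, hits)."""
    decoy = DecoyListener()
    try:
        found = connect_scan("127.0.0.1", range(decoy.port - 2, decoy.port + 3))
        deadline = time.time() + 1.0          # give the accept loop time to log the peer
        while not decoy.hits and time.time() < deadline:
            time.sleep(0.02)
        hits = list(decoy.hits)
    finally:
        decoy.close()
    return decoy.port, found, hits


if __name__ == "__main__":
    port, found, hits = demo()
    print(f"decoy on {port}: scanner found {found}, decoy logged {hits}")
```

A connect scan completes the handshake, so it shows up in the target's logs exactly as this decoy shows it; Nmap's default SYN scan (`-sS`, root required) sends only the SYN and never the final ACK, which is quieter against ordinary services but is still a connection attempt a honeypot records.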
- Network Protection Scenarios
- NAT on the firewall can be set up to block outgoing or incoming ports.
- Host-based firewalls can control traffic with names of programs or ports.
- Create inbound rules/exceptions for equipment that might have special inbound port requirements.
- *Note: For the exam, just assume any NAT device has a firewall as well!
- Blocked TCP/UDP ports
- Host-based settings
- Firewall-based settings
- Exception
- Watch traffic flow (incoming vs outgoing).