2) Security Part 1 Flashcards
Mantrap
Physical Security:
One at a time, controlled groups
Small area with two doors; both cannot be open at once
May process while inside (ID)
All doors normally unlocked
Opening one door causes others to lock
Or all doors normally locked
Unlocking one door prevents others from being unlocked
Badge Reader
RFID Badge, Magnetic Swipe Card
Smart Card
Integrates with devices & ID Cards
May require a PIN
Creates a digital certificate
Used with multifactor authentication
Types: PIV Card (Personal Identity Verification), CAC Card (Common Access Card)
IEEE 802.1X
Gain access to network using a certificate
On-device storage or separate physical device
Door Access Controls (Door Locks)
Conventional: Lock & Key or Deadbolt
Electronic: Keyless, PIN
Token-Based: RFID badge, magnetic swipe card, key fob
Biometric: Hand, fingers, retina, voiceprint
Usually a mathematical representation
Difficult to change
Often combined (multifactor)
Hardware/Software Tokens
Hardware Tokens
Generates pseudo-random auth codes
Software Tokens
In the form of a mobile app (ex: Google Authenticator)
or SMS code sent to phone
Cable Locks
Physical/Temporary Security
Connects your hardware to something solid
Works almost anywhere
Reinforced notch
Thin, can be cut, not for long-term
Server Locks
Locking Cabinets
Data center hardware is often managed by different groups
Racks usually installed together
Keeps everything close, but protected
Maintains airflow
USB Locks/Tokens
USB Lock
Prevents access to USB port
Secondary option after disabling interface in BIOS
(Defense in depth)
USB Token
Certificate/token is on USB Drive
Insert to gain access
Privacy Screen
Privacy Screen/Filter
Extremely narrow angle of view
Prevents others from seeing screen
Entry Control Roster
A roster used to record identities of those who access secured hardware.
Could be inside mantrap, or with security guard
(or both)
Active Directory: Login Script
A script that can be run when a user logs in.
Can map a network drive, run software, check anti-virus, verify application updates, etc.
Active Directory: Group Policy/Updates
Defines specific policies
Ex: password complexity, login restrictions
Active Directory: OUs
Organizational Units
AD Structure Units
Can be based on the company (departments, locations)
Active Directory: Home Folder
Assign a network share as the user’s home
\\server1\users\kevin
Active Directory: Folder Redirection
Instead of a local folder, redirects to server
Ex: Store Documents folder on \\server1
Access these files from anywhere
MDM Policies
Mobile Device Management
Manage company-owned & user-owned mobile devices
BYOD (Bring Your Own Device)
Centralized management of mobile devices
Manage access control
Set policies on apps/data/camera/etc
Can control entire device, or a partition
Port Security
Prevent unauthorized users from connecting to a switch interface (alert/disable the port)
Based on source MAC address
Each port has its own config
Can configure max MAC addresses on interface
MAC Address Filtering
Whitelists/blacklists the MAC addresses allowed on the network
Requires additional administration
Easy to circumvent; MAC addresses can be spoofed
“Overriding hardware MAC, spoofing existing MAC”
Security through obscurity
Anti-Virus/Anti-Malware
Must keep signatures updated all the time; updates are essential (can be a scaling issue)
A centralized server can be very useful for this.
Large organizations require enterprise management.
Updates are tracked, pushed, confirmed, & managed
Mobile devices will require additional management
Firewalls
Host-Based/Personal Firewall (Software-Based)
Many devices come equipped with their own firewall
Included in many OSs
Stops unauthorized network access (stateful)
Blocks traffic by application
Network-Based Firewalls
Filters traffic by port number
Modern firewalls can identify applications
Can encrypt inbound/outbound traffic (VPN Firewall)
Can proxy traffic (user sends request, firewall makes request, receives response, validates, sends to user)
Most firewalls can be layer 3 devices (routers)
Can provide routing & NAT for inside/outside of network
User Authentication/Strong Passwords
Unique Identifier
Windows: SID (Security Identifier)
Credentials: Password/Authentication data
Profile: Info stored about user
Strong Passwords
Weak passwords are difficult to protect against
Prone to brute force
Passwords need complexity & constant refresh
Multifactor Authentication
More than one factor
Something you are/have/know/do
Somewhere you are
Directory Permissions
NTFS Permissions
Supports encryption, file permissions
Prevent accidental modification/deletion
VPN
Virtual Private Network
Encrypts inbound/outbound data
Concentrator - Encryption/decryption access device
Hardware/software based
Common to use 3rd party apps
DLP
Data Loss Prevention
Limits what kind of information is transferred across a network.
SSNs, Credit Cards, Medical Records
Protects against “data leakage”
ACLs
Access Control Lists
Used to allow/deny traffic
Also used for NAT, QoS, etc.
Switches, Routers, Firewalls
Criteria: Source/Destination IP, TCP/UDP Port, or particular protocol (ex: ICMP)
Email Filtering
Identifies & stops any malicious/unsolicited emails.
Much filtering occurs in the cloud nowadays.
Scan & block malicious software
EXEs, known vulnerabilities, phishing attempts
Trusted/Untrusted Software Sources
CONSIDER THE SOURCE
Important to know where software is coming from
Trusted Sources
Internal apps, well-known publishers, digitally signed apps
Untrusted Sources
Apps from 3rd party sites, links from email, pop-up downloads
Principle of Least Privilege
Rights & permissions should be set to bare minimum
You only get exactly what’s needed to complete your objective/task
All user accounts must be limited
Don’t allow users to run with admin privileges
Limits scope of malicious behavior
WEP
Wired Equivalent Privacy
Significant vulnerabilities (never use)
IV (Initialization Vector) - Relatively small
WPA
Wi-Fi Protected Access (2002)
A short-term bridge between WEP & successor
Ran on existing WEP hardware, but with better security
RC4 & TKIP (Temporal Key Integrity Protocol)
IV is larger & has encrypted hash
Every packet gets a 128-bit encryption key
WPA2
Wi-Fi Protected Access 2 (2004)
AES Encryption standard (replaced RC4)
Authentication & Access Control
CCMP (Counter Mode w/Cipher Block Chaining Message Authentication Code Protocol)
Replaced TKIP
Block cipher mode
Uses a 128-bit key & 128-bit block size
Uses AES for data confidentiality
WPA2-Personal (WPA2-PSK)
Pre-Shared Key
WPA2-Enterprise (WPA2-802.1X)
Authenticates users individually
RADIUS/TACACS+
TKIP
Temporal Key Integrity Protocol
Combines the secret root key with the IV
Adds sequence counter (prevents replay attacks)
Implements 64-bit message integrity check
Protects against tampering
Has its own set of vulnerabilities
Deprecated in 2012
Authentication: RADIUS
Remote Authentication Dial-In User Service
One of the more common AAA protocols
Supports a wide variety of platforms/devices
Not just for dial-in
Centralized authentication for users
Routers/Switches/Firewalls
Server authentication
Remote VPN Access
802.1X Access
On most server OSs
Authentication: TACACS+
Terminal Access Controller Access-Control System
Remote authentication protocol
Created to control access to dial-up lines to ARPANET
TACACS+ (Latest version)
More authentication requests & response codes