Implementation Flashcards
Adds security features to RTP
- Keep conversations private
Encryption
- Uses AES to encrypt the voice/video flow
Authentication, integrity, and replay protection
- HMAC-SHA1 - Hash-based message authentication code using SHA1
SRTP (Secure Real-Time Transport Protocol)
Secure network time protocol
Cleaned up the code base
- Fixed a number of vulnerabilities
NTPsec
Public key encryption and digital signing of mail content
- Requires a PKI or similar organization of keys
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL
Secure POP and Secure IMAP
If the mail is browser based, always encrypt with SSL
SSL/TLS
Use public key encryption
- Private key on the server
- Symmetric session key is transferred using asymmetric encryption
- Security and speed
Browser-based management
Encrypted communication
HTTPS
Security for OSI Layer 3
- Authentication and encryption for every packet
Confidentiality and integrity/anti-replay
- Encryption and packet signing
Very standardized
- Common to use multi-vendor implementations
Two core protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
IPSec
FTP over SSL
FTPS (File Transfer Protocol Secure)
Provides file system functionality
Resuming interrupted transfers, directory listings, remote file removal
SFTP (SSH File Transfer Protocol)
Protocol for reading and writing directories over an IP network
- An organized set of records, like a phone directory
X.500 specification was written by the International Telecommunications Union (ITU)
- They know directories
Lightweight and uses TCP/IP
Protocol used to query and update an X.500 directory
- Used in Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc
LDAP (Lightweight Directory Access Protocol)
A non-standard implementation of LDAP over SSL
LDAPS (LDAP Secure)
Provides authentication using many different methods, i.e., Kerberos or client certificate
SASL (Simple Authentication and Security Layer)
Encrypted terminal communication
Replaces Telnet (and FTP)
Provides secure terminal communication and file transfer features
SSH (Secure Shell)
Validate DNS responses
- Origin authentication
- Data integrity
Public key cryptography
- DNS records are signed with a trusted third party
- Signed DNS records are published in DNS
DNSSEC
Confidentiality - Encrypted data
Integrity - No tampering of data
Authentication - Verifies the sources
SNMPv3 (Simple Network Management Protocol version 3)
Securing DHCP
- DHCP does not include any built-in security
- There is no “secure” version of the DHCP protocol
Rogue DHCP servers
- In Active Directory, DHCP servers must be authorized
- Some switches can be configured with “trusted” interfaces
- DHCP distribution is only allowed from trusted interfaces
- Cisco calls this DHCP Snooping
- DHCP client DoS - Starvation attack
- Use spoofed MAC addresses to exhaust the DHCP pool
- Switches can be configured to limit the number of MAC addresses per interface
- Disable an interface when multiple MAC addresses are seen
Network address allocation
Automated subscriptions
- Anti-virus/Anti-malware signature updates
- IPS updates
- Malicious IP address databases/Firewall updates
Constant updates
- Each subscription uses a different update method
Check for encryption and integrity checks
- May require an additional public key configuration
- Set up a trust relationship
- Certificates, IP addresses
Subscription services
The user’s access - Applications and data
Stop the attackers - Inbound attacks, outbound attacks
Many different platforms - Mobile, desktop
Protection is multi-faceted - Defense in depth
The endpoint
Anti-virus is the popular term
- Refers specifically to a type of malware
- Trojans, worms, macro viruses
Malware refers to a broad malicious software category
- Anti-malware stops spyware, ransomware, fileless malware
The terms are effectively the same these days
- The names are more of a marketing tool
- Anti-virus software is also anti-malware software now
- Make sure your system is using a comprehensive solution
Anti-virus and anti-malware
A different method of threat protection
- Scale to meet the increasing number of threats
Detect a threat
- Signatures aren’t the only detection tool
- Behavioral analysis, machine learning, process monitoring
- Lightweight agent on the endpoint
Investigate the threat
- Root cause analysis
Respond to the threat
- Isolate the system, quarantine the threat, rollback to a previous config
- API driven, no user or technician intervention required
Endpoint detect and response (EDR)
Where’s your data?
- Social Security numbers, credit card numbers, medical records
Stop the data before the attacker gets it
- Data “leakage”
So many resources, so many destinations
- Often requires multiple solutions
- Endpoint clients
- Cloud-based systems
- Email, cloud storage, collaboration tools
Data Loss Prevention (DLP)
The OSI Application Layer - All data in every packet
Can be called different names
- Application layer gateway
- Stateful multilayer inspection, deep packet inspection
Broad security controls
- Allow or disallow application features
- Identify attacks and malware
- Examine encrypted data
- Prevent access to URLs or URL categories
Next-generation firewall (NGFW)
Software-based firewall
- Personal firewall, runs on every endpoint
Allow or disallow incoming or outgoing application traffic
- Control by application process
- View all data
Identify and block unknown processes
- Stop malware before it can start
Manage centrally
Host-based firewall
Uses log files to identify intrusions
Can reconfigure firewalls to block
Host-based Intrusion Detection System (HIDS)
Recognize and block known attacks
Secure OS and application configs, validate incoming service requests
Often built into endpoint protection software
Identification
- Signatures, heuristics, behavioral
- Buffer overflows, registry updates, writing files to the Windows folder
- Access to non-encrypted data
Host-based Intrusion Prevention System (HIPS)
Security is based on trust
- Is your data safely encrypted?
- Is this web site legitimate?
- Has the operating system been infected?
The trust has to start somewhere
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- Designed to be the hardware root of the trust
Difficult to change or avoid
- It’s hardware
- Won’t work without the hardware
Hardware root of trust
A specification for cryptographic functions
- Hardware to help with encryption functions
Cryptographic processor
- Random number generator, key generators
Persistent memory
- Comes with unique keys burned in during production
Versatile memory
- Storage keys, hardware configuration information
Password protected
- No dictionary attacks
Trusted Platform Module (TPM)
The attack on our systems is constant
- Techniques are constantly changing
Attackers compromise a device
- And want it to stay compromised
The boot process is a perfect infection point
- Rootkits run in kernel mode
- Have the same rights as the operating system
Protecting the boot process is important
- Secure boot, trusted boot, and measured boot
- A chain of trust
Boot integrity
Protections
- BIOS includes the manufacturer’s public key
- Digital signature is checked during a BIOS update
- BIOS prevents unauthorized writes to the flash
Verifies the bootloader
- Checks the bootloader’s digital signature
- Bootloader must be signed with a trusted certificate
- Or a manually approved digital signature
UEFI BIOS Secure Boot
Bootloader verifies digital signature of the OS kernel
- A corrupted kernel will halt the boot process
Kernel verifies all of the other startup components
- Boot drivers, startup files
Just before loading the drivers
- ELAM (Early Launch Anti-Malware) starts
- Checks every driver to see if it’s trusted
- Windows won’t load an untrusted driver
Trusted Boot
Nothing on this computer has changed
- There have been no malware infections
- How do you know?
Easy when it’s just your computer
- More difficult when there are 1,000
UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
- Stored in the TPM
Remote attestation
- Device provides an operational report to a verification server
- Encrypted and digitally signed with the TPM
Attestation server receives the boot report
- Changes are identified and managed
Measured Boot
Protecting stored data
- And the transmission of that data
Intellectual property storage
- Data is valuable
Compliance issues
- PCI DSS, HIPAA, GDPR, etc
Keep the business running
- Security provides continuity
Breaches are expensive - Keep costs low
Database security
Replaces sensitive data with a non-sensitive placeholder
- SSN 266-12-1112 is now 691-61-8539
Common with credit card processing
- Use a temporary token during payment
- An attacker capturing the card numbers can’t use them later
This isn’t encryption or hashing
- The original data and token aren’t mathematically related
- No encryption overhead
Steps:
1. User registers a credit card on their mobile phone
2. Card is registered with the token service server
3. Token Service Server provides a token instead
4. Phone is used at a store during checkout using NFC
5. Pay with token card #
6. Card number verification is actual card #
7. Token card # is the token for the actual card #
8. Token is validated
9. Transaction is approved
Tokenization
Represents data as a fixed-length string of text
- A message digest, or “fingerprint”
Will not have a collision (hopefully)
- Different inputs will not have the same hash
One-way trip
- Impossible to recover the original message from the digest
- A common way to store passwords
Hashing
Random data added to a password when hashing
Every user gets their own random salt
- The salt is commonly stored with the password
Rainbow tables won’t work with salted hashes
- Additional random value added to the original password
This slows down the brute force process
- It doesn’t completely stop the reverse engineering
Salting
A balance between time and quality
- Programming with security in mind is often secondary
Testing, testing, testing
- The Quality Assurance (QA) process
Vulnerabilities will eventually be found
- And exploited
Secure coding concepts
What is the expected input?
- Validate actual vs. expected
Document all input methods
- Forms, fields, type
Check and correct all input (normalization)
- A zip code should only be X characters long with a letter in the X column
- Fix any data with improper input
The fuzzers will find what you missed
- Don’t give them an opening
Input validation
Send random input to an application
- Fault-injecting, robustness testing, syntax testing, negative testing
Looking for something out of the ordinary
- Application crash, server error, exception
Dynamic analysis (fuzzing)
Information stored on your computer by the browser
Used for tracking, personalization, session management
- Not executable, not generally a security risk
- Unless someone gets access to them
Have a Secure attribute set
- Browser will only send it over HTTPS
Sensitive information should not be stored in a cookie
- Cookies aren’t designed to be secure storage
Secure cookies
An additional layer of security
- Add these to web server configuration
- You can’t fix every bad application
Enforce HTTPS communication
- Ensure encrypted communication
Only allow scripts, stylesheets, or images from the local site
Prevent XSS attacks
- Prevent data from loading into an inline frame (iframe)
Also helps to prevent XSS attacks
HTTP secure headers
An application is deployed
- Users run application executable or scripts
So many security questions
- Has the application been modified in any way?
- Can you confirm the application was written by a specific developer?
The application code can be digitally signed by the developer
- Asymmetric encryption
- A trusted CA signs the developer’s public key
- Developer signs the code with the private key
- For internal apps, use your own CA
Code signing
Nothing runs unless it’s approved - Very restrictive
Allow list
Nothing on the “bad list” can be executed
Anti-virus, anti-malware
Block/Deny list
Help to identify security flaws
Many security vulnerabilities found easily
- Buffer overflows, database injections, etc
Not everything can be identified through analysis
- Authentication security, insecure cryptography, etc
Don’t rely on automation for everything
Still have to verify each finding
- False positives are an issue
Static Application Security Testing (SAST)
Minimize the attack surface
- Remove all possible entry points
Remove the potential for all known vulnerabilities
- As well as the unknown
May have compliance mandates
- HIPAA servers, PCI DSS, etc
There are many different resources
- Center for Internet Security (CIS)
- Network and Security Institute (SANS)
- National Institute of Standards and Technology (NIST)
Application hardening
Every open port is a possible entry point
- Close everything except required ports
Control access with a firewall
- NGFW would be ideal
Unused or unknown services
- Installed with the OS or from other applications
Applications with broad port ranges
- Open port 0 through 65,535
Use Nmap or similar port scanner to verify
- Ongoing monitoring is important
Open ports and services
The primary configuration database for Windows
- Almost everything can be configured from the registry
Useful to know what an application modifies
- Many third-party tools can show registry changes
Some registry changes are important security settings
- Configure registry permissions
- Disable SMBv1
Registry
Prevent access to application data files
- File system encryption
Full disk encryption (FDE)
- Encrypt everything on the drive
- BitLocker, FileVault, etc
Self-encrypting drive (SED)
- Hardware-based full disk encryption
- No operating system software needed
Opal storage specification
- The standard for SED storage
Disk encryption
Many and varied
- Windows, Linux, iOS, Android, etc
Updates
- Operating system updates/service packs, security patches
User Accounts
- Minimum password length and complexity
- Account limitations
Network access and security
- Limit network access
Monitor and secure
- Anti-virus, anti-malware
Operating system hardening
Incredibly important
- System stability, security fixes
Monthly updates
- Incremental (and important)
Third-party updates
- Application developers, device drivers
Auto-update - Not always the best option
Emergency out-of-band updates
- Zero-day and important security discoveries
Patch management
Application cannot access unrelated resources
- They play in their own sandbox
Commonly used during development
- Can be useful production technique
Used in many different deployments
- Virtual machines
- Mobile devices
- Browser iframes (Inline Frames)
- Windows User Account Control (UAC)
Sandboxing
Distribute the load
- Multiple servers
- Invisible to the end-user
Large scale implementations
- Web server farms, database farms
Fault tolerance
- Configurable load
- Very fast convergence
Balancing the load
Configurable load
- Manage across servers
TCP offload
- Protocol overhead
SSL offload
- Encryption/Decryption
Caching
- Fast response
Prioritization
- QoS
Content switching
- Application-centric balancing
Load balancer
Round-robin
- Each server is selected in turn
Weighted round-robin
- Prioritize the server use
Dynamic round-robin
- Monitor the server load and distribute to the server with the lowest use
Active/active load balancing
Scheduling Load Balancing
A kinship, a likeness
Many applications require communication to the same instance
- Each user is “stuck” to the same server
- Tracked through IP address or session IDs
- Source affinity/sticky session/session persistence
Affinity
Some servers are active
- Others are on standby
If an active server fails, the passive server takes its place
Active/passive load balancing
Physical, logical, or virtual segmentation
- Devices, VLANs, virtual networks
Performance
- High-bandwidth applications
Security
- Users should not talk directly to database servers
- The only applications in the core are SQL and SSH
Compliance
- Mandated segmentation (PCI compliance)
- Makes change control much easier
Segmenting the network
Devices are physically separate - Air gap between Switch A and Switch B
Must be connected to provide communication
- Direct connect, or another switch or router
Web servers in one rack - Database servers on another
Customer A on one switch, customer B on another
- No opportunity for mixing data
Separate devices
- Multiple units, separate infrastructure
Physical segmentation
Separated logically instead of physically
Cannot communicate between these without a Layer 3 device/router
Virtual Local Area Networks (VLANs)
Previously known as the demilitarized zone (DMZ)
- An additional layer of security between the Internet and you
- Public access to public resources
Screened subnet
A private network for partners
- Vendors, suppliers
Usually requires additional authentication
- Only allow access to authorized users
Extranet
Private network - Only available internally
Company announcements, important documents, other company business
- Employees only
No external access
- Internal or VPN access only
Intranet
Traffic flows within a data center
- Important to know where traffic starts and ends
Traffic between devices in the same data center
Relatively fast response times
East-west traffic
Ingress/egress to an outside device
A different security posture than east-west traffic
North-south traffic
Many networks are relatively open on the inside
Once you’re through the firewall, there are few security controls
Holistic approach to network security
- Covers every device, every process, every person
Everything must be verified
- Nothing is trusted
- Multifactor authentication, encrypted, system permissions, additional firewalls, monitoring and analytics, etc
Zero-trust
Encrypted (private) data traversing a public network
Concentrator
- Encryption/decryption access device
Many deployment options
- Specialized cryptographic hardware
- Software-based options available
Used with client software
- Sometimes built into the OS
Virtual Private Networks (VPNs)
Uses common SSL/TLS protocol (tcp/443)
- (Almost) No firewall issues!
No big VPN clients
- Usually remote access communication
Authenticate users
- No requirement for digital certificates or shared passwords (like IPSec)
Can be run from a browser or from a (usually light) VPN client
- Across many operating systems
SSL VPN (Secure Sockets Layer VPN)
On-demand access from a remote device
- Software connects to a VPN concentrator
Some software can be configured as always-on
Remote access VPN
Steps:
1) Traffic is encrypted as it passes through the local VPN concentrator
2) Traffic is decrypted in the VPN concentrator on the other side of the tunnel
Site-to-site VPN
Steps:
1) Remote user creates a secure tunnel to the VPN concentrator
2) VPN concentrator decrypts the tunneled traffic and routes it into the corporate network
3) The process is reversed for the return traffic
Full VPN Tunnel
Steps:
1) Only traffic to the corporate network traverses the VPN tunnel
2) Traffic to all other sites is “split” from the tunnel and is not decrypted
Split VPN Tunnel
Connecting sites over a layer 3 network as if they were connected at layer 2
Commonly implemented with IPsec
- This for the tunnel, IPSec for the encryption
- This over IPsec
Layer 2 Tunneling Protocol (L2TP)
Security for OSI layer 3
- Authentication and encryption for every packet
Confidentiality and integrity/anti-replay
Very standardized
- Common to use multi-vendor implementations
Two core IPSec protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
IPSec (Internet Protocol Security)
Data integrity
Origin authentication
Replay attack protection
Keyed-hash mechanism
No confidentiality/encryption
Hash of the packet and a shared key
- SHA-2 is common
- Adds this to the packet header
This doesn’t provide encryption
- Provides data integrity (hash)
- Guarantees the data origin (authentication)
- Prevents replay attacks (sequence numbers)
Authentication Header (AH)
Data confidentiality (encryption)
Limited traffic flow confidentiality
Data integrity
Anti-replay protection
Encrypts and authenticates the tunneled data
- Commonly uses SHA-2 for hash, AES for encryption
- Adds a header, a trailer, and an Integrity Check Value
Combine with Authentication Header (AH) for integrity and authentication of the outer header
Encapsulating Security Payload (ESP)
Combine the data integrity of AH with the confidentiality of ESP
Tunnel mode is the most common
- Transport mode may not even be an option
IPsec Transport mode and Tunnel mode
The language commonly used in web browsers
Includes comprehensive API support
- Application Programming Interface
- Web cryptography API
Hypertext Markup Language version 5 (HTML5 VPNs)
There’s a lot of security that happens at the physical switch interface
- Often the first and last point of transmission
Control and protect
- Limit overall traffic
- Control specific traffic types
- Watch for unusual or unwanted traffic
Different options are available
- Manage different security issues
Port security
Send information to everyone at once
- One frame or packet, received by everyone
Limited scope - The broadcast domain
Routing updates, ARP requests - Can add up quickly
Malicious software or a bad NIC
- Not always normal traffic
Not used in IPv6
- Focus on multicast
Broadcasts
The switch can control broadcasts
- Limit the number of broadcasts per second
Can often be used to control multicast and known unicast traffic
- Tight security posture
Manage by specific values or by percentage
- Or the change over normal traffic patterns
Broadcast storm control
Connect two switches to each other
- They’ll send traffic back and forth forever
- There’s no “counting” mechanism at the MAC layer
This is an easy way to bring down a network
- And somewhat difficult to troubleshoot
- Relatively easy to resolve
IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
- Used practically everywhere
Loop protection
Spanning tree takes time to determine if a switch port should forward frames
- Bypass the listening and learning states
- Cisco calls this PortFast
The spanning tree control protocol
If this frame is seen on a PortFast configured interface, shut down the interface
- This shouldn’t happen - Workstations don’t need these
Bridge Protocol Data Unit (BPDU)
IP tracking on a layer 2 device (switch)
- The switch is a DHCP firewall
- Trusted: Routers, switches, DHCP servers
- Untrusted: Other computers, unofficial DHCP servers
Switch watches for DHCP conversations
- Adds a list of untrusted devices to a table
Filters invalid IP and DHCP information
- Static IP addresses
- Devices acting as DHCP servers
- Other invalid traffic patterns
DHCP Snooping
The “hardware” address
Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors
Easy to find working MAC addresses through wireless LAN analysis
- MAC addresses can be spoofed
- Free open-source software
Security through obscurity
MAC filtering
No security in the original design
- Relatively easy to poison
Validate responses
- Origin authentication
- Data integrity
Public key cryptography
- Records are signed with a trusted third party
- Signed records are published in this
Domain Name Resolution (DNS)
Stop end users from visiting dangerous sites
- This resolves to a sinkhole address
A query to a known-malicious address can identify infected systems
- And prevent further exploitation
Content filtering
- Prevent these queries to unwanted or suspicious sites
Using DNS for security
The network isn’t available
- Or the device isn’t accessible from the network
Most devices have a separate management interface
- Usually a serial connection/USB
Connect a modem
- Dial-in to manage the device
Console router/Comm server
- Out-of-band access for multiple devices
- Connect to the console router, then choose where you want to go
Out-of-band management
Many different devices
- Desktop, laptop, VoIP phone, mobile devices
Many different applications
- Mission critical applications, streaming video, streaming audio
Different apps have different network requirements
- Voice is real-time
- Recorded streaming video has a buffer
- Database application is interactive
Some applications are “more important” than others
- Voice traffic needs to have priority over YouTube
Need for QoS
Prioritize traffic performance
- Voice over IP traffic has priority over web-browsing
- Prioritize by maximum bandwidth, traffic rate, VLAN, etc
Describes the process of controlling traffic flows
Many different methods
- Across many different topologies
Quality of Service (QoS)
More IP address space
- More difficult to IP/port scan (but not impossible)
- The tools already support IPv6
No need for NAT
- NAT is not a security feature
Some attacks disappear
- No ARP, so not ARP spoofing
New attacks will appear
IPsec built in / IPsec ready
IPv6 security
Disconnect the link, put this in the middle
- Can be active or passive
Physical taps
Port redirection, SPAN
Software-based tap
Limited functionality, but can work well in a pinch
Port mirror
Constant cybersecurity monitoring
- Ongoing security checks
- A staff of cybersecurity experts at a Security Operations Center (SOC)
Identify threats
- A broad range of threats across many different organizations
Respond to events
- Faster response time
Maintain compliance
- Someone else ensures PCI DSS, HIPAA compliance, etc
Monitoring services
Some files change all the time
- Some files should NEVER change
Monitor important operating system and application files
- Identify when changes occur
Windows - SFC (System File Checker)
Linux - Tripwire
Many host-based IPS options
File Integrity Monitoring (FIM)
Standard issue
- Home, office, and in your operating system
Control the flow of network traffic
- Everything passes through the firewall
Corporate control of outbound and inbound data
- Sensitive materials
Control of inappropriate content
- Not safe for work, parental controls
Protection against evil
- Anti-virus, anti-malware
Universal security control
Filter traffic by port number or application
- Traditional vs. NGFW firewalls
Encrypt traffic - VPN between sites
Most firewalls can be layer 3 devices (routers)
- Often sits on the ingress/egress of the network
- Network Address Translation (NAT) functionality
- Authenticate dynamic routing communication
Network-based firewalls
Does not keep track of traffic flows
- Each packet is individually examined, regardless of past history
Traffic sent outside of an active session will traverse a stateless firewall
Stateless firewall
Web security gateway
URL filter/Content inspection
Malware inspection
Spam filter
CSU/DSU
Router, Switch
Firewall
IDS/IPS
Bandwidth shaper
VPN endpoint
Unified Threat Management (UTM)
The OSI Application Layer
- All data in every packet
Can be called different names
- Application layer gateway
- Stateful multilayer inspection
- Deep packet inspection
Requires some advanced decodes
- Every packet must be analyzed and categorized before a security decision is determined
Network-based Firewalls
- Control traffic flows based on the application
- Microsoft SQL Server, Twitter, YouTube
Intrusion Prevention System
- Identify the application
- Apply application-specific vulnerability signatures to the traffic
Content filtering
- URL filters
- Control website traffic by category
Next-generation firewall (NGFW)
Not like a “normal” firewall
- Applies rules to HTTP/HTTPS conversations
Allow or deny based on expected input
- Unexpected input is a common method of exploiting the application
SQL injection
- Add your own commands to an application’s SQL query
A major focus of the Payment Card Industry Data Security Standard (PCI DSS)
Web Application Firewall (WAF)
Access control lists (ACLs)
- Allow or disallow traffic based on tuples
- Groupings of categories
- Source IP, Destination IP, port number, time of day, application, etc
A logical path
- Usually top-to-bottom
Can be very general or very specific
- Specific rules are generally at the top
Implicit deny
- Most firewalls include a deny at the bottom
- Even if you didn’t put one
Firewall rules
Open-source vs proprietary
- Open-source provides traditional firewall functionality
- Proprietary features include application control and high-speed hardware
Hardware vs. Software
- Purpose-built hardware provides efficient and flexible connectivity options
- Software-based firewalls can be installed almost anywhere
Appliance vs. host-based
- Appliances provide the fastest throughput
- Host-based firewalls are application-aware and can view non-encrypted data
- Virtual firewalls provide valuable East/West network security
Firewall characteristics
Your Internet link
Managed primarily through firewall rules
Firewall rules rarely change
Edge
Control from wherever you are, inside or outside
Access can be based on many rules
By user, group, location, application, etc.
Access can be easily revoked or changed
Change your security posture at any time
Access control
You can’t trust everyone’s computer
- BYOD (Bring Your Own Device)
- Malware infections/missing anti-malware
- Unauthorized applications
Before connecting to the network, perform a health check
- Is it a trusted device?
- Is it running anti-virus? Which one? Is it updated?
- Are the corporate applications installed?
- Is it a mobile device?
- Is the disk encrypted?
- The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android
Posture assessment
Persistent agents
- Permanently installed onto a system
- Periodic updates may be required
Dissolvable agents
- No installation is required
- Runs during the posture assessment
- Terminates when no longer required
Agentless NAC
- Integrated with Active Directory
- Checks are made during login and logoff
- Can’t be scheduled
Health checks/posture assessment
What happens when a posture assessment fails?
- Too dangerous to allow access
Quarantine network, notify administrators
- Just enough network access to fix the issue
Once resolved, try again
- May require additional fixes
Failing your assessment
Sits between the users and the external network
Receives the user requests and sends the request on their behalf (the proxy)
Useful for caching information, access control, URL filtering, content scanning
Applications may need to know how to use the proxy (explicit)
Some proxies are invisible (transparent)
Proxies
One of the simplest “proxies” is NAT
- A network layer proxy
Most proxies in use are these
- The proxy understands the way the application works
A proxy may only know one application
- HTTP
Many proxies are multipurpose proxies
- HTTP, HTTPS, FTP, etc
Application proxies
An “internal proxy”
Commonly used to protect and control user access to the Internet
Forward proxy
Inbound traffic from the Internet to your internal service
Reverse proxy
A third-party, uncontrolled proxy
Can be a significant security concern
Often used to circumvent existing security controls
Open proxy
Exploits against operating systems, applications, etc
Buffer overflows, cross-site scripting, other vulnerabilities
Intrusions
Detection - Alarm or alert
Prevention - Stop it before it gets to the network
Detection vs Prevention
Examine a copy of the traffic
- Port mirror (SPAN), network tap
No way to block (prevent) traffic
Steps:
1) Network traffic is sent from client to server through the network switch
2) A copy of the traffic is sent to the IDS/IPS
Passive monitoring
When malicious traffic is identified
- IPS sends TCP RST (reset) frames
- After-the-fact
- Limited UDP response available
Out-of-band-response
IDS/IPS sits physically inline
- All traffic passes through the IDS/IPS
Steps:
1) Network traffic is sent from the Internet to the core switch, which passes through the IPS
2) The inline IPS can allow or deny traffic in real-time
Inline monitoring
Malicious traffic is immediately identified
- Dropped at the IPS
- Does not proceed through the network
In-band response
Signature-based
- Look for a perfect match
Anomaly-based
- Build a baseline of what’s “normal”
Behavior-based
- Observe and report
Heuristics
- Use artificial intelligence to identify
Identification technologies
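Added example (not from the original flashcards): a small Python sensor that applies the first two identification technologies to constructed access-log lines. Signature matching looks for an exact pattern in the URL-decoded request; anomaly detection learns a per-source request rate from known-good traffic and flags sources that exceed it. The log lines, the two signatures and the mean-plus-three-standard-deviations threshold are assumptions for illustration, not rules from any real IDS.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed "known-good" traffic used to build the anomaly baseline (not real logs).
BASELINE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.5 GET /contact.html 200",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.6 GET /news.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /about.html 200",
    "10.0.0.7 GET /team.html 200",
    "10.0.0.8 GET /index.html 200",
    "10.0.0.8 GET /jobs.html 200",
]

# Constructed "live" traffic the sensor examines (not real logs): one SQL injection
# probe, one reflected-XSS probe, and one source hammering the site.
LIVE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /login?user=admin'%20OR%201=1-- 200",
    "10.0.0.5 GET /about.html 200",
    "203.0.113.7 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "10.0.0.5 GET /contact.html 200",
] + ["198.51.100.4 GET /index.html 200"] * 12

# Illustrative signatures: a "perfect match" on a known attack string.
SIGNATURES = [
    ("sqli-or-1=1", re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
]


def parse(line):
    """Split one 'src method path status' line; the path is URL-decoded so
    %20 / %3C style encoding cannot hide a signature."""
    src, method, path, status = line.split()
    return src, method, unquote(path), status


def signature_hits(lines):
    """Signature-based detection: return (source, signature name) for every match."""
    hits = []
    for line in lines:
        src, _, path, _ = parse(line)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.append((src, name))
    return hits


def build_baseline(lines):
    """Anomaly-based detection, step 1: learn what "normal" requests-per-source looks like."""
    counts = Counter(parse(line)[0] for line in lines)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomalous_sources(lines, baseline, sigmas=3.0):
    """Anomaly-based detection, step 2: flag sources whose request count sits
    more than `sigmas` standard deviations above the learned mean."""
    avg, sd = baseline
    threshold = avg + sigmas * sd
    counts = Counter(parse(line)[0] for line in lines)
    return sorted(src for src, n in counts.items() if n > threshold)
```

Both methods are complementary: the signatures catch the two injection probes but are blind to the flood from 198.51.100.4, while the baseline catches the flood but has no opinion about a single malicious request. A real sensor would window the counts by time rather than counting a whole file.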
High-end cryptographic hardware
- Plug-in card or separate hardware device
Key backup
- Secured storage
Cryptographic accelerators
- Offload that CPU overhead from other devices
Used in large environments
Clusters, redundant power
Hardware Security Module (HSM)
Access secure network zones
- Provides an access mechanism to a protected network
Highly-secured device
- Hardened and monitored
SSH/Tunnel/VPN to this server
- RDP, SSH, or jump from there
A significant security concern
- Compromise to this server is a significant breach
Jump server
Aggregate information from network devices
- Built-in sensors, separate devices
- Integrated into switches, routers, servers, firewalls, etc
Sensors and collectors
Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
Sensors
Proprietary consoles (IPS, firewall)
SIEM consoles, syslog servers
Many SIEMs include a correlation engine to compare diverse sensor data
Collectors
An organization’s wireless network can contain confidential information
- Not everyone is allowed to access
Authenticate the users before granting access
- Who gets access to the wireless network?
- Username, password, multi-factor authentication
Ensure that all communication is confidential
- Encrypt the wireless data
Verify the integrity of all communication
- The received data should be identical to the original sent data
- A message integrity check (MIC)
Securing a wireless network
All wireless computers are radio transmitters and receivers
- Anyone can listen in
Solution: Encrypt the data - Everyone has an encryption key
Only people with the right key can transmit and listen
- WPA2 and WPA3
Wireless encryption
Used by WPA2
Data confidentiality with AES
Message Integrity Check (MIC) with CBC-MAC
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
Used by WPA3 - stronger encryption than WPA2
Data confidentiality with AES
Message Integrity Check (MIC) with Galois Message Authentication Code (GMAC)
Galois/Counter Mode Protocol (GCMP)
Listen to the 4-way handshake
Some methods can derive the PSK hash without the handshake
Capture the hash
With the hash, attackers can brute force the pre-shared key (PSK)
This has become easier as technology improves
- A weak PSK is easier to brute force
- GPU processing speeds
- Cloud-based password cracking
Once you have the PSK, you have everyone’s wireless key
- There’s no forward secrecy
WPA2 PSK problem
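Added example (not from the original flashcards) showing why a captured handshake is all the attacker needs. The Python below derives the WPA2-Personal PMK the same way the access point does (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations), expands it to a PTK with the 802.11 PRF, and checks the EAPOL MIC. The attacker repeats exactly that for each dictionary word against the sniffed nonces and MIC, sending nothing to the network. The "capture" here is constructed in code (simulated nonces and a simplified EAPOL body), and the SSID, passphrase and wordlist are made up; derive_pmk can be checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every client on the network derives the same PMK from the same PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK from the PMK plus values that cross the air in the clear during the 4-way handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk, eapol_frame_mic_zeroed):
    """KCK is the first 128 bits of the PTK; for AES/CCMP suites the MIC is HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(ptk[:16], eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def simulate_handshake(passphrase, ssid, client_mac):
    """Constructed stand-in for what a passive sniffer records from one client's 4-way handshake.
    The AP MAC, nonces and the EAPOL body are synthetic; only the MIC computation is real."""
    ap_mac = bytes.fromhex("0011223344ff")
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol = b"\x02\x03\x00\x5f" + snonce + bytes(16)   # simplified message 2, MIC field zeroed
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return {"ap": ap_mac, "client": client_mac, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(ptk, eapol)}


def crack_psk(capture, ssid, wordlist):
    """Offline dictionary attack: the only cost is one PBKDF2 per candidate, which is what
    GPUs and cloud cracking rigs parallelize. Returns the passphrase or None."""
    for candidate in wordlist:
        ptk = derive_ptk(derive_pmk(candidate, ssid), capture["ap"], capture["client"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk, capture["eapol"]), capture["mic"]):
            return candidate
    return None


def recover_all_clients(psk, ssid, captures):
    """No forward secrecy: with the PSK, every client's PTK follows from its own sniffed
    nonces, so old captures decrypt too. Returns {client MAC hex: PTK}."""
    pmk = derive_pmk(psk, ssid)
    return {c["client"].hex(): derive_ptk(pmk, c["ap"], c["client"], c["anonce"], c["snonce"])
            for c in captures}
```

recover_all_clients is the second half of the flashcard: the per-client PTKs differ (different nonces), but all of them hang off one PMK that a weak passphrase gives away. SAE in WPA3 replaces the PBKDF2 step with a per-session exchange, which is why this loop has nothing to test against there.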
WPA3 changes the PSK authentication process
- Includes mutual authentication
- Creates a shared session key without sending that key across the network
- The 4-way handshake no longer exposes a crackable hash - no offline brute force of the PSK
- Adds perfect forward secrecy
A Diffie-Hellman derived key exchange with an authentication component
Everyone uses a different session key, even with the same PSK
An IEEE standard - the dragonfly handshake
Simultaneous Authentication of Equals (SAE)
Gain access to a wireless network
- Mobile users
- Temporary users
Credentials
- Shared password/pre-shared key (PSK)
- Centralized authentication (802.1x)
Configuration
- Part of the wireless network connection
- Prompted during the connection process
Wireless authentication methods
Configure the authentication on your wireless access point/wireless router
Open System
- No password is required
Wireless security modes
WPA3 with a pre-shared key
Everyone uses the same key
Unique WPA3 session key is derived from the PSK using SAE
WPA3-Personal/WPA3-PSK
Authenticates users individually with an authentication server (e.g., RADIUS)
WPA3-Enterprise/WPA3-802.1X
Authentication to a network - Common on wireless networks
Access table recognizes a lack of authentication
- Redirects your web access to a captive portal page
Username/password - And additional authentication factors
Once proper authentication is provided, the web session continues
- Until the captive portal removes your access
Captive Portal
Allows “easy” setup of a mobile device
- A passphrase can be complicated to a novice
Different ways to connect
- PIN configured on access point must be entered on the mobile device
- Push a button on the access point
- Near-field communication
- Bring the mobile device close to the access point
The PIN method is weak - the 8-digit PIN is validated in two halves, so it can be brute forced in hours
- Disable WPS on access points you manage
WPS (Wi-Fi Protected Setup)
Authentication framework
Many different ways to authenticate based on RFC standards
- Manufacturers can build their own methods
Integrates with 802.1X
- Prevents access to the network until the authentication succeeds
Extensible Authentication Protocol (EAP)
Port-based Network Access Control (NAC)
You don’t get access to the network until you authenticate
Used in conjunction with an access database
- RADIUS, LDAP, TACACS+
IEEE 802.1X
Supplicant
- The client
Authenticator
- The device that provides access
Authentication server
- Validates the client credentials
IEEE 802.1X and EAP
Authentication server (AS) and supplicant share a protected access credential (PAC) (shared secret)
Supplicant receives the PAC
Supplicant and AS mutually authenticate and negotiate a Transport Layer Security (TLS) tunnel
User authentication occurs over the TLS tunnel
Need a RADIUS server
- Provides the authentication database and EAP-FAST services
EAP-FAST
Protected Extensible Authentication Protocol
- Protected EAP
- Created by Cisco, Microsoft, and RSA Security
Also encapsulates EAP in a TLS tunnel
- AS uses a digital certificate instead of a PAC
- Client doesn’t use a certificate
User authenticates with MSCHAPv2
- Authentication to Microsoft’s MSCHAPv2 databases
User can also authenticate with a GTC
- Generic Token Card, hardware token generator
Protected Extensible Authentication Protocol (PEAP)
Strong security, wide adoption
Support from most of the industry
Requires digital certificates on the AS and all other devices
- AS and supplicant exchange certificates for mutual authentication
TLS tunnel is then built for the user authentication process
Relatively complex implementation
- Need a public key infrastructure (PKI)
- Must deploy and manage certificates to all wireless clients
- Not all devices can support the use of digital certificates
EAP Transport Layer Security (EAP-TLS)
Support other authentication protocols in a TLS tunnel
Requires a digital certificate on the AS
- Does not require digital certificates on every device
- Builds a TLS tunnel using this digital certificate
Use any authentication method inside the TLS tunnel
- Other EAPs
- MSCHAPv2
- Anything else
EAP Tunneled Transport Layer Security (EAP-TTLS)
Use this with federation
- Members of one organization can authenticate to the network of another organization
- Use their normal credentials
Use 802.1X as the authentication method
- And RADIUS on the backend - EAP to authenticate
Driven by eduroam (education roaming)
- Educators can use their normal authentication when visiting a different campus
RADIUS federation
Determine existing wireless landscape
- Sample the existing wireless spectrum
Identify existing access points
- You may not control all of them
Work around existing frequencies
- Layout and plan for interference
Plan for ongoing site surveys
- Things will certainly change
Heat maps - Identify wireless signal strengths
Site surveys
Signal coverage
Potential interference
Built-in tools
3rd-party tools
Spectrum analyzer
Wireless survey tools
Wireless networks are incredibly easy to monitor
- Everyone “hears” everything
You have to be quiet
- You can’t hear the network if you’re busy transmitting
Some network drivers won’t capture wireless information
- You’ll need specialized adapters/chipsets and drivers
View wireless-specific information
- Signal-to-noise ratio, channel information, etc
Wireless packet analysis
Overlapping channels
- Frequency conflicts - use non-overlapping channels
- Automatic or manual configurations
Channel selection and overlaps
Minimal overlap
- Maximize coverage, minimize the number of access points
Avoid interference
- Electronic devices (microwaves)
- Building materials
- Third-party wireless networks
Signal control
- Place APs where the users are
- Avoid excessive signal distance
Access point placement
Wireless controllers
- Centralized management of wireless access points
- Manage system configuration and performance
Securing wireless controllers
- Control access to management console
- Use strong encryption with HTTPS
- Automatic logout after no activity
Securing access points
- Use strong passwords
- Update to the latest firmware
Wireless infrastructure security
One-to-one connection
- Connection between two devices
Connections between buildings
Wi-Fi repeaters
- Extend the length of an existing network
Point-to-point
One of the most popular communication methods - 802.11 wireless
Does not imply full connectivity between nodes
Point-to-multipoint
Mobile devices
- “Cell” phones
Separate land into “cells”
- An antenna covers a cell with certain frequencies
Security concerns
- Traffic monitoring
- Location tracking
- Worldwide access to a mobile device
Cellular networks
Local network access
- Local security problems
Same security concerns as other devices
Data capture
- Encrypt your data!
On-path attack
- Modify and/or monitor data
Denial of service
- Frequency interference
Wi-Fi
High speed communication over short distances
- PAN (Personal Area Network)
Connects our mobile devices
- Smartphones, tethering, headsets and headphones, health monitors, automobile and phone integration, smartwatches, external speakers
Bluetooth
It’s everywhere
- Access badges
- Inventory/Assembly line tracking
- Pet/Animal Identification
- Anything that needs to be tracked
Radar technology
- Radio energy transmitted to the tag
- Powers the tag, ID is transmitted back
- Bidirectional communication
- Some tag formats can be active/powered
RFID (Radio-frequency identification)
Two-way wireless communication
- Builds on RFID
Payment systems
- Google wallet, Apple Pay
Bootstrap for other wireless
- NFC helps with Bluetooth pairing
Access token, identity “card”
- Short range with encryption support
Security concerns
Remote capture
- It’s a wireless network
- 10 meters for active devices
Frequency jamming - Denial of service
Relay/Replay attack - Man in the middle
Loss of NFC device control - Stolen/lost phone
Near field communication (NFC)
Included on many smartphones, tablets, and smartwatches
- Not really used much for printing
Control your entertainment center
File transfers are possible
Other phones can be used to control your devices
IR (Infrared)
Physical connectivity to your mobile device
- USB to your computer
- USB, Lightning, or proprietary on your phone
Physical access is always a concern
- May be easier to gain access than over a remote connection
A locked device is relatively secure
- Always auto-lock
Mobile phones can also exfiltrate
- Phone can appear to be a USB storage device
Universal Serial Bus (USB)
Created by the U.S. Department of Defense
- Over 30 satellites currently in orbit
Precise navigation
- Need to see at least 4 satellites
Determines location based on timing differences
- Longitude, latitude, altitude
Mobile device location services and geotracking
- Maps, directions
- Determine physical location based on GPS, Wi-Fi, and cellular towers
Global Positioning System (GPS)
Manage company-owned and user-owned mobile devices
- BYOD - Bring Your Own Device
Centralized management of the mobile devices
- Specialized functionality
Set policies on apps, data, camera, etc.
- Control the remote device
- The entire device or a “partition”
Manage access control
- Force screen locks and PINs on these single user devices
Mobile Device Management (MDM)
Managing mobile apps is a challenge
- Mobile devices install apps constantly
Not all applications are secure
- And some are malicious
- Android malware is a rapidly growing security concern
Manage application use through allow lists
- Only approved applications can be installed
- Managed through the MDM
A management challenge
- New applications must be checked and added
Application management
Secure access to data, protect data from outsiders
File sharing and viewing
- On-site content (Microsoft SharePoint, file servers)
- Cloud-based storage (Box, Office 365)
Data sent from the mobile device
- DLP prevents copy/paste of sensitive data
- Ensure data is encrypted on the mobile device
Managed from the mobile device manager (MDM)
Content management
Remove all data from your mobile device
- Even if you have no idea where it is
- Often managed from the MDM
Connect and wipe from the web
- Nuke it from anywhere
Need to plan for this
- Configure your mobile device now
Always have a backup
- Your data can be removed at any time
- As you are walking out the door
Remote wipe
Precise tracking details - Tracks within feet
Can be used for good (or bad)
- Find your phone, find you
Most phones provide an option to disable
- Limits functionality of the phones
May be managed by the MDM
Geolocation
Some MDMs allow this
- Restrict or allow features when the device is in a particular area
Cameras
- Might only work when outside the office
Authentication
- Only allow logins when the device is located in a particular area
Geofencing
All mobile devices can be locked
- Keep people out of your data
Simple passcode or strong passcode
- Numbers vs. Alphanumeric
Fail too many times?
- Erase the phone
Define a lockout policy
- Create aggressive lockout timers
- Completely lock the phone
Screen lock
Information appears on the mobile device screen
- The notification is “pushed” to your device
No user intervention
- Receive notifications from one app when using a completely different app
Control of displayed notifications can be managed from the MDM
- Or notifications can be pushed from the MDM
Push notification services
The universal help desk call
Mobile devices use multiple authentication methods
- Password/passphrase, PINs, patterns
Recovery process can be initiated from the MDM
- Password reset option is provided on the mobile device
MDM also has full control
- Completely remove all security controls
- Not the default or best practice
Passwords and PINs
You are the authentication factor
- Fingerprint, face
May not be the most secure authentication factor
- Useful in some environments
- Completely forbidden in others
Availability is managed through the MDM
- Organization determines the security of the device
Can be managed per-app
- Some apps require additional biometric authentication
Biometrics
The attackers can get around anything
Authentication can be contextual
Combine multiple contexts
- Where you normally login (IP address)
- Where you normally frequent (GPS information)
- Other devices that may be paired (Bluetooth, etc.)
And others
- An emerging technology
- Another way to keep data safe
Context-aware authentication
Difficult to separate personal from business
- Especially when the device is BYOD
- Owned by the employee
Separate enterprise mobile apps and data
- Create a virtual “container” for company data
- A contained area - limit data sharing
- Storage segmentation keeps data separate
Easy to manage offboarding
- Only the company information is deleted
- Personal data is retained
- Keep your pictures, video, music, email, etc
Containerization
Scramble all of the data on the mobile device
- Even if you lose it, the contents are safe
Devices handle this in different ways
- Strongest/stronger/strong?
Encryption isn’t trivial
- Uses a lot of CPU cycles
- Complex integration between hardware and software
Don’t lose or forget your password!
- There’s no recovery
- Often backed up by the MDM
Full device encryption
Shrink the PCI Express card
- Hardware Security Module - now in a microSD card form factor
Provides security services
- Encryption, key generation, digital certificates, authentication
Secure storage
- Protect private keys - Cryptocurrency storage
Micro SD HSM
Manage mobile and non-mobile devices
- An evolution of the Mobile Device Manager (MDM)
End users use different types of devices
- Their use has blended together
Applications can be used across different platforms
- Work on a laptop and a smartphone
All of these devices can be used from anywhere
- User’s don’t stay in one place
Unified Endpoint Management (UEM)
Provision, update, and remove apps
- Keep everyone running at the correct version
Create an enterprise app catalog
- Users can choose and install the apps they need
Monitor application use
- Apps used on a device, devices with unauthorized apps
Remotely wipe application data
- Securely manage remote data
Mobile Application Management (MAM)
SELinux (Security-Enhanced Linux) in the Android OS
Supports access control security policies
A project from the US National Security Agency (NSA)
Addresses a broad scope of system security
- Kernel, userspace, and policy configuration
Enabled by default with Android version 4.3
- July 2013
- Protect privileged Android system daemons
- Prevent malicious activity
Change from Discretionary Access Control (DAC) to Mandatory Access Control (MAC)
- Move from user-assigned control to object labels and minimum user access
- Isolates and sandboxes Android apps
Centralized policy configuration
- Manage Android deployments
Security Enhancements for Android (SEAndroid)
Centralized app clearinghouses
- Apple App store
- Google Play
Not all applications are secure
- Vulnerabilities, data leakage
Not all applications are appropriate for business use
- Games, instant messaging, etc.
MDM can allow or deny app store use
Third-party app stores
Mobile devices are purpose-built systems
- You don’t need access to the operating system
Gaining access - Android: rooting / Apple iOS: jailbreaking
Install custom firmware
- Replaces the existing operating system
Uncontrolled access
- Circumvent security features, sideload apps without using an app store
- The MDM becomes relatively useless
Rooting/Jailbreaking
Most phones are locked to a carrier
- You can’t use an AT&T phone on Verizon
- Contract with a carrier subsidizes the cost of the phone
You can unlock the phone
- If your carrier allows it
- A carrier lock may be illegal in your country
Security revolves around connectivity
- Moving to another carrier circumvents the MDM
- Preventing a SIM unlock may not be possible on a personal device
Carrier unlocking
The operating system of a mobile device is constantly changing - Similar to a desktop computer
Updates are provided over the air
- No cable required
Security patches or entire operating system updates
- Significant changes without connecting the device
This may not be a good thing
- The MDM can manage what updates are allowed
Firmware OTA updates
Cameras are controversial
- They’re not always a good thing
- Corporate espionage, inappropriate use
Almost impossible to control on the device
- No good way to ensure the camera won’t be used
Cameras can be controlled by the MDM
- Always disabled
- Enabled except for certain locations (geo-fencing)
Camera use
Text messages, video, audio
Control of data can be a concern
- Outbound data leaks, financial disclosures
- Inbound notifications, phishing attempts
MDM can enable or disable this
- Or only allow during certain timeframes or locations
Short Message Service/Multimedia Messaging Service
Store data onto external or removable drives
- SD flash memory or USB/Lightning drives
Transfer data from flash
- Connect to a computer to retrieve
This is very easy to do
- Limit data written to removable drives
- Or prevent the use of them from the MDM
External media
USB on the Go - Connect devices directly together
- No computer required, only a cable
The mobile device can be both a host and a device
- Read from an external device, then act as a storage device itself
- No need for a third-party storage device
Extremely convenient
- From a security perspective, it’s too convenient
USB OTG
Audio recordings
- There are microphones on every mobile device
Useful for meeting and note taking
- A standard for college classes
A legal liability
- Every state has different laws
- Every situation is different
Disable or geo-fence - Manage from the MDM
Recording microphone
Your phone knows where you are
- Location Services, GPS
Adds your location to document metadata
- Longitude, latitude - Photos, videos, etc
Every document may contain geotagged information
- You can track a user quite easily
This may cause security concerns
- Take picture, upload to social media
Geotagging/GPS tagging
We’re so used to access points
- SSID configurations
The wireless standard includes an ad hoc mode
- Connect wireless devices directly
- Without an access point
Easily connect many devices together
Common to see in home devices
Simplicity can introduce vulnerabilities
- Invisible access to important devices
WiFi Direct/ad hoc
Turn your phone into a WiFi hotspot
- Your own personal wireless router
- Extend the cellular data network to all of your devices
Dependent on phone type and provider
- May require additional charges and data costs
May provide inadvertent access to an internal network
- Ensure proper security/passcode
Hotspot/tethering
Send small amounts of data wirelessly over a limited area (NFC)
- Built into your phone
- Payment systems, transportation, in-person information exchange
A few different standards
- Apple Pay, Android Pay, Samsung Pay
Bypassing primary authentication would allow payment
- Use proper security - or disable completely
Payment methods
Employee owns the device
- Need to meet the company’s requirements
Difficult to secure
- It’s both a home device and a work device
- How is data protected?
- What happens to the data when a device is sold or traded in?
Bring Your Own Device/Bring Your Own Technology (BYOD)
Corporate owned, personally enabled
- Company buys the device
- Used as both a corporate device and a personal device
Organizations keep full control of the device
- Similar to company-owned laptops and desktops
Information is protected using corporate policies
- Information can be deleted at any time
CYOD - Choose Your Own Device
- Similar but with the user’s choice of device
Corporate-owned personally enabled (COPE)
The company owns the device
- And controls the content on the device
The device is not for personal use
- You’ll need to buy your own device for home
Very specific security requirements
- Not able to mix business with home use
Corporate owned
The apps are separated from the mobile device
The data is separated from the mobile device
Data is stored securely, centralized
Physical device loss - Risk is minimized
Centralized app development
- Write for a single VMI platform
Applications are managed centrally
- No need to update all mobile devices
Virtual Desktop Infrastructure/Virtual Mobile Infrastructure (VDI/VMI)
Availability zones (AZ)
- Isolated locations within a cloud region (geographical location)
- A region commonly contains several AZs
- Each has independent power, HVAC, and networking
Build applications to be highly available (HA)
- Run as active/standby or active/active
- Application recognizes an outage and moves to the other AZ
Use load balancers to provide seamless HA
- Users don’t experience any application issues
High availability across zones
Identity and access management (IAM)
- Who gets access, what they get access to
Map job functions to roles
- Combine users into groups
Provide access to cloud resources
- Set granular policies - Group, IP address, date and time
Centralize user accounts, synchronize across all platforms
Resource policies
Cloud computing includes many secrets
- API keys, passwords, certificates
This can quickly become overwhelming
- Difficult to manage and protect
Authorize access to the secrets
- Limit access to the secrets service
Manage an access control policy
- Limit users to only the secrets they need
Provide an audit trail
- Know exactly who accesses secrets and when
Secrets management
Integrate security across multiple platforms
- Different operating systems and applications
Consolidate log storage and reporting
- Cloud-based Security Information and Event Management (SIEM)
Auditing - Validate the security controls
- Verify compliance with regulations covering financial and user data
Integration and auditing
Data is on a public cloud
- But may not be public data
Access can be limited
- And protected
Data may be required in different geographical locations
- A backup is always required
Availability is always important
Cloud storage
A significant cloud storage concern
- One mistake can cause a data breach
Public access
- Should not usually be the default
Many different options
- Identity and Access Management (IAM)
- Bucket policies
- Globally blocking public access
- Don’t put data in the cloud unless it really needs to be there
Permissions
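Added example (not from the original flashcards): a Python check over a constructed S3-style bucket policy that finds statements granting access to everyone, and the corrected policy with those statements removed. The bucket name, account ID and role name are made up; the policy grammar (Version, Statement, Effect, Principal, Action, Resource, Condition) and the four PublicAccessBlock flag names are the real S3 ones.

```python
import copy
import json

# Constructed policy for a hypothetical bucket "example-reports" (fictitious account and role).
# The first statement is the "one mistake": Principal "*" with no Condition.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "TeamAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportTeam"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def grants_anonymous(principal):
    """A Principal of "*" or {"AWS": "*"} means anyone on the Internet, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def is_public_statement(statement):
    """Allow + anonymous principal + no Condition = world-open.
    Statements with a Condition (aws:SourceVpce, aws:SourceIp, ...) still deserve review
    but are not open to everyone; NotPrincipal/NotAction forms are out of scope here."""
    return (statement.get("Effect") == "Allow"
            and grants_anonymous(statement.get("Principal"))
            and not statement.get("Condition"))


def public_grants(policy):
    """Return (Sid, [actions]) for every world-open statement."""
    return [(st.get("Sid", "<no Sid>"), _as_list(st.get("Action", [])))
            for st in policy.get("Statement", []) if is_public_statement(st)]


def remove_public_grants(policy):
    """Corrected policy: drop the world-open statements, leave everything else untouched."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [st for st in fixed["Statement"] if not is_public_statement(st)]
    return fixed


# Account/bucket-level setting that neutralizes such a policy even if someone re-adds it
# ("globally blocking public access"); these are the four S3 PublicAccessBlock flags.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}
```

The check is deliberately conservative: it only reports grants that need no condition at all to be exercised, which is the case that turns a bucket into a data breach. Run it as part of the pipeline that deploys the policy, and keep the block-public-access flags on so a mistake in the policy document is caught by the platform as well.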
Cloud data is more accessible than non-cloud data
- More access by more people
Server-side
- Encrypt the data in the cloud
- Data is encrypted when stored on disk
Client-side
- Data is already encrypted when it’s sent to the cloud
- Performed by the application
Key management is critical
Encryption
Copy data from one place to another
- Real-time data duplication in multiple locations
Disaster recovery, high availability
- Plan for problems
- Maintain uptime if an outage occurs
- Hot site for disaster recovery
Data analysis
- Analytics, big data analysis
Backups
- Constant duplication of data
Replication
Connect cloud components
- Connectivity within the cloud
- Connectivity from outside the cloud
Users communicate to the cloud
- From the public internet
- Over a VPN tunnel
Cloud devices communicate between each other
- Cloud-based network
- East/west and north/south communication
- No external traffic flows
Cloud networks
A cloud contains virtual devices
- Servers, databases, storage devices
Virtual switches, virtual routers
- Build the network from the cloud console
- The same configuration as the physical device
The network changes with the rest of the infrastructure
- On-demand
- Rapid elasticity
Virtual networks
All internal IP addresses
Connect over a VPN
No access from the Internet
Private cloud subnet
External IP addresses
Connect to the cloud from anywhere
Public cloud subnet
Combine internal cloud resources with external
May combine both public and private subnets
Hybrid cloud subnet
The cloud contains separate VPCs, containers, and microservices
Separation is a security opportunity
- Data is separate from the application
- Add security systems between application components
Virtualized security technologies
- Web Application Firewall (WAF)
- Next-Generation Firewall (NGFW)
Segmentation
Microservice architecture is the underlying application engine
- A significant security concern
API calls can include risk
- Attempts to access critical data
- Geographic origin
- Unusual API calls
API monitoring
- View specific API queries
- Monitor incoming and outgoing data
API inspection and integration
The IaaS component for the cloud computing environment
- Amazon Elastic Compute Cloud (EC2)
- Google Compute Engine (GCE)
- Microsoft Azure Virtual Machine
Manage computing resources
- Launch a VM or container
- Allocate additional resources
- Disable/remove a VM or container
Compute cloud instances
A firewall for compute instances
- Control inbound and outbound traffic flows
Layer 4 port number
- TCP or UDP port
Layer 3 address
- Individual addresses
- CIDR block notation
- IPv4 or IPv6
Security groups
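Added example (not from the original flashcards): a Python model of security-group evaluation (Layer 3 CIDR plus Layer 4 port, allow-list semantics) over a constructed rule set that contains the classic mistake, SSH open to 0.0.0.0/0, plus a function that rewrites such rules to a management range. The dictionary rule format is a simplification, not any provider's API, and the addresses are documentation ranges.

```python
import ipaddress

# Constructed inbound rule set for a hypothetical web server (not a real configuration).
INBOUND_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "::/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/16"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},  # the mistake
]

# Administrative ports that should never face the whole Internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


def rule_matches(rule, proto, port, src_ip):
    """One rule: protocol, port range (Layer 4) and source CIDR (Layer 3) must all match."""
    if rule["proto"] not in (proto, "all"):
        return False
    if not rule["from_port"] <= port <= rule["to_port"]:
        return False
    # Membership is simply False (not an error) when address and network families differ,
    # so an IPv4 source never matches an ::/0 rule and vice versa.
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])


def inbound_allowed(rules, proto, port, src_ip):
    """Security groups are allow-lists: a packet passes if any rule matches, else it is dropped."""
    return any(rule_matches(r, proto, port, src_ip) for r in rules)


def world_open_admin_ports(rules):
    """Flag rules that expose an administrative port to every IPv4 (0.0.0.0/0) or IPv6 (::/0) address."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r["cidr"]).prefixlen != 0:
            continue
        for port, name in ADMIN_PORTS.items():
            if r["from_port"] <= port <= r["to_port"]:
                findings.append((name, port, r["cidr"]))
    return findings


def restrict_admin_to(rules, mgmt_cidr):
    """Return a corrected copy of the rules with world-open admin rules narrowed to mgmt_cidr."""
    fixed = []
    for r in rules:
        world_open = ipaddress.ip_network(r["cidr"]).prefixlen == 0
        touches_admin = any(r["from_port"] <= p <= r["to_port"] for p in ADMIN_PORTS)
        fixed.append(dict(r, cidr=mgmt_cidr) if world_open and touches_admin else r)
    return fixed
```

Because the rule set is a union of allows, the narrow 10.20.0.0/16 rule for SSH does nothing while the 0.0.0.0/0 rule beside it exists; the audit has to look at every rule that covers the port, not just the first one it finds.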
Provision resources when they are needed
- Based on demand - Provisioned automatically
Scale up and down
- Allocate compute resources where and when they are needed
- Rapid elasticity
- Pay for only what’s used
Ongoing monitoring
- If CPU utilization hits a particular threshold, provision a new application instance
Dynamic resource allocation
Granular security controls
- Identify and manage very specific data flows
- Each instance of a data flow is different
Define and set policies
- Allow uploads to the corporate box.com file share
* Corporate file shares can contain PII
* Any department can upload to the corporate file share
- Deny certain uploads to a personal box.com file share
* Allow graphics files
* Deny any spreadsheets
* Deny files containing credit card numbers
* Quarantine the file and send an alert
Instance awareness
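Added example (not from the original flashcards): the instance-aware policy above written as Python, with the credit-card rule implemented as a digit-run regex plus Luhn validation so that order numbers and other long digit strings do not trigger quarantine. The file names and contents are constructed, and the instance label is passed in directly; a real CASB works it out from the tenant in the API request, since the hostname is the same for the corporate and the personal share.

```python
import os
import re

# Policy from the flashcard: the corporate share takes uploads from any department;
# the personal share takes graphics only, never spreadsheets, never anything carrying a card number.
GRAPHICS = {".png", ".jpg", ".jpeg", ".gif"}
SPREADSHEETS = {".xls", ".xlsx", ".csv"}

# 13 to 19 digits with optional space/dash separators, bounded by non-digits.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

ALERTS = []  # stands in for the CASB/SIEM alert channel in this example


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """True if any candidate digit run in the text passes the Luhn check."""
    for match in CANDIDATE_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            return True
    return False


def evaluate_upload(instance: str, filename: str, content: str):
    """Return (decision, reason). instance is "corporate" or "personal" for the two box.com shares."""
    ext = os.path.splitext(filename)[1].lower()
    if instance == "corporate":
        return ("allow", "corporate share: any department may upload")
    if instance == "personal":
        if contains_card_number(content):
            ALERTS.append(f"quarantined {filename}: card number in upload to personal share")
            return ("quarantine", "credit card number detected, alert raised")
        if ext in SPREADSHEETS:
            return ("deny", "spreadsheets may not go to a personal share")
        if ext in GRAPHICS:
            return ("allow", "graphics permitted")
        return ("deny", "file type not on the personal-share allow list")
    return ("deny", "unrecognized instance")
```

The card-number check runs before the file-type check on purpose: a .png named to look harmless but carrying card data in its bytes is exactly the case the quarantine rule exists for, and it is the content, not the extension, that decides.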
VPC gateway endpoints
- Allow private cloud subnets to communicate to other cloud services
Keep private resources private
- Internet connectivity not required
Add an endpoint to connect VPC resources
Virtual private cloud endpoints
Containers have similar security concerns as any other application deployment method
- Bugs, insufficient security controls, misconfigurations
Use container-specific operating systems
- A minimalist OS designed for containers
Group container types on the same host
- The same purpose, sensitivity, and threat posture
- Limit the scope of any intrusion
Container security
Clients are at work, data is in the cloud
- How do you keep everything secure?
- The organization already has well-defined security policies
How do you make your security policies work in the cloud?
- Integrate the existing policies with the cloud services
- Implemented as client software, local security appliances, or cloud-based security solutions
Visibility
- Determine what apps are in use
- Are they authorized to use the apps?
Compliance
- Are users complying with HIPAA? PCI?
Threat prevention
- Allow access by authorized users, prevent attacks
Data security
- Ensure that all data transfers are encrypted
- Protect the transfer of PII with DLP
Cloud access security broker (CASB)
Secure cloud-based applications
- Complexity increases in the cloud
Application misconfigurations
- One of the most common security issues
- Especially cloud storage
Authorization and access
- Controls should be strong enough for access from anywhere
API security - Attackers will try to exploit interfaces and APIs
Application security
Protect users and devices
- Regardless of location and activity
Go beyond URLs and GET requests
- Examine the application API
- Dropbox for personal use or corporate use?
Examine JSON strings and API requests
- Allow or disallow certain activities
Instance-aware security
- A development instance is different than production
Next-Gen Secure Web Gateway (SWG)
Control traffic flows in the cloud
- Inside the cloud and external flows
Cost
- Relatively inexpensive compared to appliances
- Virtual firewalls
- Host-based firewalls
Segmentation
- Between microservices, VMs, or VPCs
OSI layers
- Layer 4 (TCP/UDP), Layer 7 (Application)
Firewalls in the cloud
Cloud-native
- Integrated and supported by the cloud provider
- Many configuration options
- Security is part of the infrastructure
- No additional costs
Third-party solutions
- Support across multiple cloud providers
- Single pane of glass
- Extend policies outside the scope of the cloud provider
- More extensive reporting
Security controls
Who are you?
- A service needs to vouch for you
- Authentication as a Service
A list of entities
- Users and devices
Commonly used by SSO applications or an authentication process
- Cloud-based services need to know who you are
Uses standard authentication methods
- SAML, OAuth, OpenID Connect, etc
Identity Provider (IdP)
An identifier or property of an entity
- Provides identification
Personal attributes
- Name, email address, phone number, Employee ID
Other attributes
- Department name, job title, mail stop
One or more attributes can be used for identification
- Combine them for more detail
Attributes
Digital certificate - Assigned to a person or device
Binds the identity of the certificate owner to a public and private key
- Encrypt data, create digital signatures
Requires an existing public-key infrastructure (PKI)
- The Certificate Authority (CA) is a trusted entity
- The CA digitally signs the certificates
Certificates
Smart card
- Integrates with devices - may require a PIN
Tokens and cards
Secure terminal communication
Use a key instead of username and password
- Public/private keys - Critical for automation
Key management is critical
- Centralize, control, and audit key use
Key managers - Open source or commercial
SSH keys
Create a public/private key pair
- ssh-keygen
Copy the public key to the SSH server
- ssh-copy-id user@host
Try it out
- ssh user@host
- No password prompt!
SSH key-based authentication
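Because SSH keys bypass the password prompt entirely, the audit step above matters as much as the key generation. The following is an added example, not part of the original notes: a pure-stdlib parser for the authorized_keys format (optional options, key type, Base64 blob, comment) that decodes each blob, checks the embedded type string matches, measures RSA modulus size, and flags entries with no from= restriction, no restrict/command= limit, or a deprecated key type. The sample file and the key bytes in it are constructed for the example and are not real key material.

```python
"""Audit an OpenSSH authorized_keys file (added example, not from the original notes).

Line format: [options] keytype base64-blob [comment]
The blob is the SSH wire encoding of the public key: length-prefixed fields,
the first of which repeats the key type string.
"""
import base64
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
DEPRECATED_TYPES = {"ssh-dss"}     # DSA is disabled by default in modern OpenSSH
MIN_RSA_BITS = 2048


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields


def split_options(line: str) -> tuple:
    """Return (options, rest). Options end at the first space outside double quotes,
    so command="rsync --server" with embedded spaces is handled."""
    if line.split(" ", 1)[0] in KEY_TYPES:
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            return line[:i], line[i + 1:]
    raise ValueError("malformed authorized_keys line")


def audit_entry(line: str) -> dict:
    """Parse one entry and return its type, RSA size (if any) and audit findings."""
    options, rest = split_options(line.strip())
    parts = rest.split(None, 2)
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    fields = read_ssh_strings(base64.b64decode(b64, validate=True))
    if fields[0].decode() != keytype:
        raise ValueError(f"type field {fields[0]!r} does not match {keytype}")
    findings, bits = [], None
    if keytype == "ssh-rsa":
        # fields are: type, public exponent e, modulus n (mpint, big-endian)
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"rsa-{bits}-bits")
    if keytype in DEPRECATED_TYPES:
        findings.append("deprecated-key-type")
    if "from=" not in options:
        findings.append("no-source-restriction")
    if "restrict" not in options.split(",") and "command=" not in options:
        findings.append("unrestricted-shell")
    return {"comment": comment, "type": keytype, "bits": bits, "findings": findings}


def audit_authorized_keys(text: str) -> list:
    return [audit_entry(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# --- constructed sample file: shapes are valid, key bytes are filler, nothing here is a real key ---
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RSA1024_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\x80" + b"\x5a" * 127)
RSA3072_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\x80" + b"\x5a" * 383)
DSS_BLOB = ssh_string(b"ssh-dss") + b"".join(ssh_string(b"\x01") for _ in range(4))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed for this example",
    f'from="10.0.0.0/8",restrict,command="/usr/bin/rsync --server --sender . /srv/backup" ssh-ed25519 {_b64(ED25519_BLOB)} backup@bastion',
    f"ssh-rsa {_b64(RSA1024_BLOB)} legacy@oldhost",
    f'from="192.0.2.10" ssh-rsa {_b64(RSA3072_BLOB)} admin@laptop',
    f"ssh-dss {_b64(DSS_BLOB)} ancient@box",
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry["comment"], entry["type"], entry["bits"], entry["findings"])
```

Run it against a real ~/.ssh/authorized_keys by reading the file into audit_authorized_keys(); the findings strings are meant to feed a periodic report rather than to block logins on their own, since an interactive admin key legitimately lacks command=.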
An account on a computer associated with a specific person
- The computer associates the user with a specific identification number
Storage and files can be private to that user
- Even if another person shares the same computer
No privileged access to the operating system
- Specifically not allowed on a user account
This is the account type most people will use
- Your user community
User accounts
Shared account
- Used by more than one person
- Guest login, anonymous login
Very difficult to create an audit trail
- No way to know exactly who was working
- Difficult to determine the proper privileges
Password management becomes difficult
- Password changes require notifying everyone
- Difficult to remember so many password changes
- Just write it down on this yellow sticky paper
Best practice: Don’t use these accounts
Shared and generic accounts
Access to a computer for guests
- No access to change settings, modify applications, view other user’s files, and more
- Usually no password
This brings significant security challenges
- Access to the userspace is one step closer to an exploit
Must be controlled
- Not the default - Removed from Windows 10
Guest accounts
Used exclusively by services running on a computer
- No interactive/user access
- Web server, database server, etc.
Access can be defined for a specific service
- Web server rights and permissions will be different than a database server
Commonly use usernames and passwords
- You’ll need to determine the best policy for password updates
Service accounts
Elevated access to one or more systems
- Administrator, Root
Complete access to the system
- Often used to manage hardware, drivers, and software installation
This account should not be used for normal administration
- Use a standard user account for day-to-day work
Need to be highly secured
- Strong passwords, 2FA
- Scheduled password changes
Privileged accounts
Control access to an account
- It’s more than just username and password
- Determine what policies are best for an organization
Authentication process
- Password policies, authentication factor policies, other considerations
Permissions after login - Another line of defense
Account policies
Is everything following the policy?
- You have to police yourself
It’s amazing how quickly things can change
- Make sure the routine is scheduled
Certain actions can be automatically identified
- Consider a tool for log analysis
Perform routine audits
Permission auditing
- Does everyone have the correct permissions?
- Some administrators don’t need to be there
- Scheduled recertification
Usage auditing - How are your resources used?
- Are your systems and applications secure?
Auditing
Make your password strong - Resist brute-force attack
Increase password entropy
- No single words, no obvious passwords
- Mix upper and lower case and use special characters
Stronger passwords are at least 8 characters
- Consider a phrase or set of words
Prevent password reuse
- System remembers password history, requires unique passwords
Password complexity and length
Too many incorrect passwords will cause a lockout
- Prevents online brute force attacks
- This should be normal for most user accounts
- This can cause big issues for service accounts
- You might still want it; a locked service account is a sign that someone is guessing its password
Disabling accounts
- Part of the normal change process
- You don’t want to delete accounts
* At least not initially
* May contain important decryption keys
Account lockout and disablement
Identify based on IP subnet
- Can be difficult with mobile devices
Geofencing
- Automatically allow or restrict access based on the user’s location
Network location
Determine a user’s location
- GPS - mobile devices, very accurate
- 802.11 wireless, less accurate
- IP address, not very accurate
Geolocation
Automatically allow or restrict access when the user is in a particular location
Don’t allow this app to run unless you’re near the office
Geofencing
Add location metadata to a document or file
Latitude and longitude, distance, time stamps
Geotagging
Hardware-based authentication
- Something you have
Helps prevent unauthorized logins and account takeovers
- The key must be present to login
Doesn’t replace other factors
- Passwords are still important
Password keys
Password managers
- All passwords in one location
- A database of credentials
Secure storage
- All credentials are encrypted
- Cloud-based synchronization options
Create unique passwords
- Passwords are not the same across sites
Personal and enterprise options
- Corporate access
Password vaults
A specification for cryptographic functions
- Hardware to help with all of this encryption stuff
Cryptographic processor
- Random number generator, key generators
Persistent memory
- Comes with unique keys burned in during production
Versatile memory
- Storage keys, hardware configuration information
Password protected
- Built-in dictionary-attack (anti-hammering) protection limits password guessing
Trusted Platform Module (TPM)
High-end cryptographic hardware
- Plug-in card or separate hardware device
Key backup
- Secured storage
Cryptographic accelerators
- Offload that CPU overhead from other devices
Used in large environments
- Clusters, redundant power supplies
Hardware Security Module (HSM)
Use personal knowledge as an authentication factor
- Something you know
Static KBA
- Pre-configured shared secrets
- Often used with account recovery
- What was the make and model of your first car?
Dynamic KBA
- Questions are based on an identity verification service
What was your street address when you lived in Pembroke Pines, Florida
Knowledge-based authentication (KBA)
A basic authentication method
- Used in legacy operating systems
- Rare to see singularly used
Credentials are sent in the clear
- Weak authentication scheme
- Non-encrypted password exchange
- Encryption was not required on analog dial-up lines
- The application would need to provide its own encryption
Password Authentication Protocol (PAP)
Challenge-response authentication - the password itself is never sent over the network
Three-way handshake
- After link is established, server sends a challenge
- Client responds with a hash calculated from the challenge and the password
- Server computes the same hash from its copy of the secret and compares
Challenge-Response continues
- Occurs periodically during the connection
- User never knows it happens
Challenge-Handshake Authentication Protocol (CHAP)
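The three-way handshake and the periodic re-challenges described above, written out as an added example that is not part of the original notes. It follows RFC 1994 CHAP with MD5, where Response = MD5(Identifier || secret || Challenge). Two details worth seeing in code: the server must keep the shared secret itself (not a one-way hash of it) because it has to recompute the digest over every fresh challenge, and a challenge is single-use, so a captured response replayed against the same Identifier fails. The user name, secret and challenges are constructed for the demonstration; MS-CHAP uses a different (DES-based) response computation and is not shown here.

```python
"""CHAP (RFC 1994) challenge-response, both sides. Added example, not from the original notes."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge). Only this 16-byte digest crosses the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Holds the actual secret per peer name; CHAP cannot work from a one-way hash."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # name -> shared secret (constructed for the demo)
        self._outstanding = {}           # identifier -> challenge awaiting a response
        self._next_id = 0

    def challenge(self, rand: bytes = None) -> tuple:
        """Issue a Challenge packet: (Identifier, random challenge value)."""
        ident = self._next_id % 256
        self._next_id += 1
        chal = os.urandom(16) if rand is None else rand
        self._outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: bytes, response: bytes) -> bool:
        """Check a Response packet. pop() makes each challenge single-use, so replay fails."""
        chal = self._outstanding.pop(ident, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapPeer:
    """Client side: knows its name and secret and answers any challenge it is sent."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        return self.name, chap_response(ident, self.secret, challenge)


def run_session(server: ChapAuthenticator, peer: ChapPeer, rechallenges: int = 2) -> list:
    """Initial authentication plus periodic re-challenges while the link is up.
    Returns the verify() result of each round; the user sees none of this."""
    results = []
    for _ in range(1 + rechallenges):
        ident, chal = server.challenge()
        name, resp = peer.respond(ident, chal)
        results.append(server.verify(ident, name, resp))
    return results


def demo() -> dict:
    """Constructed scenario: legitimate peer, a replayed response, and a wrong secret."""
    server = ChapAuthenticator({b"alice": b"correct horse battery staple"})
    good = ChapPeer(b"alice", b"correct horse battery staple")
    bad = ChapPeer(b"alice", b"guessed-password")

    ident, chal = server.challenge()
    name, resp = good.respond(ident, chal)
    first = server.verify(ident, name, resp)        # True
    replay = server.verify(ident, name, resp)       # False: challenge already consumed

    ident, chal = server.challenge()
    wrong = server.verify(ident, *bad.respond(ident, chal))   # False: digest differs

    return {"first": first, "replay": replay, "wrong_secret": wrong,
            "periodic": run_session(server, good)}


if __name__ == "__main__":
    print(demo())
```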
Microsoft’s implementation of CHAP
- Used commonly on Microsoft’s Point-to-Point Tunneling Protocol (PPTP)
Security issues related to the use of DES
- The 2^56 possible DES keys can be brute-forced to recover the NT hash
- Consider L2TP, IPsec, 802.1X or some other secure authentication method
Steps:
1) Login request is sent to the server
2) Server looks up the credentials and sends a challenge to the user
3) User combines the password and challenge to create a response
4) Server compares the user’s response with a locally created response
MS-CHAP
One of the more common AAA protocols
- Supported on a wide variety of platforms and devices
- Not just for dial-in
Centralize authentication for users
- Routers, switches, firewalls, server authentication, remote VPN access, 802.1X network access
Available on almost any server OS
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access-Control System
- Remote authentication protocol
- Created to control access to dial-up lines to ARPANET
TACACS
A Cisco-created (proprietary) version of TACACS
- Additional support for accounting and auditing
XTACACS (Extended TACACS)
Latest version of TACACS, not backwards compatible
- More authentication requests and response codes
TACACS+
Network authentication protocol
- Authenticate once, trusted by the system
- No need to re-authenticate to everything
- Mutual authentication - the client and the server
- Protect against on-path or replay attacks
Standard since the 1980s
- Developed by MIT
Microsoft started using in Windows 2000
- Compatible with other operating systems and devices
Kerberos
Authenticate one time
- Lots of backend ticketing
- Cryptographic tickets
No constant username and password input!
- Save time
SSO with Kerberos
Port-based Network Access Control (NAC)
- You don’t get access to the network until you authenticate
Uses the Extensible Authentication Protocol (EAP)
Prevents access to the network until the authentication succeeds
Used in conjunction with an access database
- RADIUS, LDAP, TACACS+
IEEE 802.1X
Provide network access to others
- Not just employees - Partners, suppliers, customers, etc
- Provides SSO and more
Third-parties can establish a federated network
- Authenticate and authorize between the two organizations
- Login with your Facebook credentials
The third-parties must establish a trust relationship
- And the degree of trust
Federation
Open standard for authentication and authorization
- You can authenticate through a third-party to gain access
- One standard does it all
Not originally designed for mobile apps
- This has been the largest roadblock
Security Assertion Markup Language (SAML)
Authorization framework
- Determines what resources a user will be able to access
Created by Twitter, Google, and many others
- Significant industry support
Not an authentication protocol
- OpenID Connect handles the single sign-on authentication
- Provides authorization between applications
Relatively popular
- Used by Twitter, Google, Facebook
OAuth
Authorization
- The process of ensuring only authorized rights are exercised
- Policy enforcement
The process of determining rights
- Policy definition
Users receive rights based on
- Access control models
- Different business needs or mission requirements
Access control
The operating system limits the operations allowed on an object
- Based on security clearance level
Every object gets a label
- Confidential, secret, top secret, etc.
Labeling of objects uses predefined rules
- The administrator decides who gets access to what security level
- Users cannot change these settings
Mandatory Access Control (MAC)
Used in most operating systems
- A familiar access control model
You create a spreadsheet
- As the owner, you control who has access
- You can modify access at any time
Very flexible access control
- And very weak security
Discretionary Access Control (DAC)
You have a role in your organization
- Manager, director, team lead, project manager
Administrators provide access based on the role of the user
- Rights are gained implicitly instead of explicitly
In Windows, use Groups to provide role-based access control
You are shipping and receiving so you can use the shipping software
- You are the manager, so you can review shipping logs
Role-based access control (RBAC)
Users can have complex relationships to applications and data
- Access may be based on many different criteria
Can consider many parameters
- A “next generation” authorization model
- Aware of context
Combine and evaluate multiple parameters
- Resource information, IP address, time of day, desired action, relationship to the data, etc.
Attribute-based access control (ABAC)
Generic term for following rules
- Conditions other than who you are
Access is determined through system-enforced rules
- System administrators, not users
The rule is associated with the object
- System checks the ACLs for that object
Rule examples
- Lab network access is only available between 9-5
- Only Chrome browsers may complete this web form
Rule-based access control
Store files and access them
- Hard drive, SSDs, flash drives, DVDs, part of most OSs
Accessing information
- Access control lists
- Group/user rights and permissions
- Can be centrally administered and/or users can manage files they own
The file system handles encryption and decryption
File system security
Difficult to apply old methods of authentication to new methods of working
- Mobile workforce, many different devices, constantly changing cloud
Conditions
- Employee or partner, location, type of application accessed, device
Controls
- Allow or block, require MFA, provide limited access, require password reset
Administrators can build complex access rules
- Complete control over data access
Conditional access
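The ABAC, rule-based and conditional access cards above all describe the same mechanism: evaluate a request's attributes against an ordered set of administrator-defined rules and return a decision (allow, block, require MFA, limited access). The following is an added example, not part of the original notes, showing such an engine with a default-deny fallback. The policy, users, applications and the 10.0.0.0/8 "corporate" range are constructed for the demonstration; a real deployment would take the attributes from the identity provider and device management system.

```python
"""Attribute/rule-based access decisions of the kind a conditional-access system makes.
Added example, not from the original notes; policy and data below are constructed."""
from dataclasses import dataclass
from datetime import time
import ipaddress


@dataclass
class Request:
    """Attributes the engine evaluates: who, from where, on what device, to which app, when."""
    user: str
    role: str              # "employee" or "partner"
    src_ip: str
    device_managed: bool
    app: str
    local_time: time


@dataclass
class Rule:
    name: str
    decision: str          # "allow" | "block" | "require_mfa" | "limited_access"
    conditions: list       # callables Request -> bool; all must hold for the rule to match


def attr_is(name, value):
    return lambda r: getattr(r, name) == value


def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.src_ip) in net


def src_not_in(cidr):
    inside = src_in(cidr)
    return lambda r: not inside(r)


def outside_hours(start: time, end: time):
    return lambda r: not (start <= r.local_time < end)


CORP_NET = "10.0.0.0/8"   # constructed corporate address space

# Ordered policy: first matching rule wins. Anything nothing matches is blocked.
POLICY = [
    Rule("partners never reach payroll", "block",
         [attr_is("role", "partner"), attr_is("app", "hr-payroll")]),
    Rule("lab network only 9-5", "block",
         [attr_is("app", "lab-network"), outside_hours(time(9), time(17))]),
    Rule("off-network access needs MFA", "require_mfa",
         [src_not_in(CORP_NET)]),
    Rule("unmanaged devices get limited access", "limited_access",
         [lambda r: not r.device_managed]),
    Rule("managed employees on the corporate network", "allow",
         [attr_is("role", "employee"), attr_is("device_managed", True), src_in(CORP_NET)]),
]


def evaluate(policy: list, req: Request) -> tuple:
    """Return (rule name, decision); default deny when no rule matches."""
    for rule in policy:
        if all(cond(req) for cond in rule.conditions):
            return rule.name, rule.decision
    return "default", "block"


SAMPLE_REQUESTS = {   # constructed for the example
    "alice-office":   Request("alice", "employee", "10.1.2.3", True, "crm", time(10, 0)),
    "alice-hotel":    Request("alice", "employee", "203.0.113.5", True, "crm", time(10, 0)),
    "bob-byod":       Request("bob", "employee", "10.1.2.4", False, "crm", time(11, 0)),
    "carol-partner":  Request("carol", "partner", "10.2.0.9", True, "hr-payroll", time(14, 0)),
    "dave-lab-night": Request("dave", "employee", "10.1.2.5", True, "lab-network", time(20, 0)),
    "dave-lab-day":   Request("dave", "employee", "10.1.2.5", True, "lab-network", time(14, 0)),
}


def decide_all(policy: list = POLICY, requests: dict = SAMPLE_REQUESTS) -> dict:
    """Decision per sample request, keyed by the request label."""
    return {label: evaluate(policy, req)[1] for label, req in requests.items()}


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:15} -> {evaluate(POLICY, req)}")
```

Rule order is part of the policy: moving the MFA rule below the allow rule would let an off-network managed device in without MFA, which is why the engine stops at the first match and why the fallback is block rather than allow.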
Managing superuser access
- Administrator and Root
- You don’t want this in the wrong hands
Store privileged accounts in a digital vault
- Access is only granted from the vault by request
- These privileges are temporary
Advantages
- Centralized password management
- Enables automation
- Manage access for each user
- Extensive tracking and auditing
Privileged access management (PAM)
Policies, procedures, hardware, software, people
- Digital certificates: create, distribute, manage, store, revoke
This is a big, big endeavor
- Lots of planning
Also refers to the binding of public keys to people or devices
- The certificate authority
- It’s all about trust
Public Key Infrastructure (PKI)
Key generation
- Create a key with the requested strength using the proper cipher
Certificate generation
- Allocate a key to the user
Distribution
- Make the key available to the user
Storage
- Securely store and protect against unauthorized use
Revocation
- Manage keys that have been compromised
Expiration
- A certificate may only have a certain “shelf life”
Key management lifecycle
A public key certificate
- Binds a public key with a digital signature
- And other details about the key holder
Adds trust
- PKI uses Certificate Authority for additional trust
- Web of Trust adds other users for additional trust
Certificate creation can be built into the OS
- Part of Windows Domain services
- 3rd-party Linux options
Digital certificates
Built-in to your browser
- Any browser
Purchase your web site certificate
- It will be trusted by everyone’s browser
Create a key pair, send the public key to the CA to be signed
- A certificate signing request (CSR)
May provide different levels of trust and additional features
- Add a new “tag” to your web site
Commercial certificate authority
You are your own CA
- Build it in-house
- Your devices must trust the internal CA
Needed for medium-to-large organizations
- Many web servers and privacy requirements
Implement as part of your overall computing strategy
- Windows Certificate Services, OpenCA
Private certificate authorities
Single CA
- Everyone receives their certificates from one authority
Hierarchical
- Single CA issues certs to intermediate CAs
- Distributes the certificate management load
- Easier to deal with the revocation of an intermediate CA than the root CA
PKI trust relationships
The entity requesting the certificate needs to be verified
- The RA identifies and authenticates the requester
Approval or rejection
- The foundation of trust in this model
Also responsible for revocations
- Administratively revoked or by request
Manages renewals and re-key requests
- Maintains certificates for current cert holders
Registration authority (RA)
Common Name (CN)
- The FQDN (Fully Qualified Domain Name) for the certificate
- Clearly describes the certificates owner
Subject alternative name
- Additional host names for the cert
- Common on web servers
Expiration
- Limit exposure to compromise
- 398 day browser limit (13 months)
Important certificate attributes
Certificate Revocation List (CRL)
- Maintained by the Certificate Authority (CA)
Many different reasons
- Changes all the time
Key revocation
The browser can check certificate revocation
Messages are sent to an OCSP responder, usually via HTTP
- Easy to support over Internet links
Not all browsers/apps support this
- Early Internet Explorer versions did not support this
Online Certificate Status Protocol (OCSP)
Owner of the certificate has some control over a DNS domain
Domain validation certificate (DV)
Additional checks have verified the certificate owner’s identity
Browsers used to show a green name in the address bar
- Promoting the use of SSL this way is now outdated
Extended validation certificate (EV)
Extension to an X.509 certificate
Lists additional identification information
Allows a certificate to support many different domains
Subject Alternative Name (SAN)
Certificates are based on the name of the server
A wildcard certificate (e.g., *.example.com) applies to all hostnames one label deep in that domain
Wildcard domain
Developers can provide a level of trust
- Applications can be signed by the developer
The user’s operating system will examine the signature
- Checks the developer signature
- Validates that the software has not been modified
Is it from a trusted entity?
- The user will have the opportunity to stop the application execution
Code signing certificate
The public key certificate that identifies the root CA (Certificate Authority)
- Everything starts with this certificate
This certificate issues other certificates
- Intermediate CA certificates
- Any other certificates
This is a very important certificate
- Take all security precautions
- Access to the root certificate allows for the creation of any trusted certificate
Root certificate
Internal certificates don’t need to be signed by a public CA
- Your company is the only one going to use it
- No need to purchase trust for devices that already trust you
Build your own CA
- Issue your own certificates signed by your own CA
Install the CA certificate/trusted chain on all devices
- They’ll now trust any certificates signed by your internal CA
- Works exactly like a certificate you purchased
Self-signed certificates
You have to manage many devices
- Often devices that you’ll never physically see
How can you truly authenticate a device?
- Put a certificate on the device that you signed
Other business processes rely on the certificate
- Access to remote access services
- VPN from authorized devices
- Management software can validate the end device
Machine and computer certificate
Use cryptography in an email platform
- You’ll need public key cryptography
Encrypting emails
- Use a recipient’s public key to encrypt
Receiving encrypted emails
- Use your private key to decrypt
Digital signatures
- Use your private key to digitally sign an email
- Non-repudiation, integrity
Email certificates
Associate a certificate with a user
- A powerful electronic “id card”
Use as an additional authentication factor
- Limit access without the certificate
Integrate onto smart cards
- Use as both a physical and digital access card
User certificates
The structure of the certificate is standardized
The format of the actual certificate file can take many forms
There are many certificate file formats
- Use openssl or a similar application to view the certificate contents
X.509 digital certificates
A transfer-syntax encoding for ASN.1 data structures
- A very specific encoding format: exactly one valid encoding per value
- Perfect for an X.509 certificate
Binary format
- Non-human readable
A common format
- Used across many platforms
- Often used with Java certificates
Distinguished Encoding Rules (DER)
A very common format
- BASE64 encoded DER certificate
- Generally the format provided by CAs
- Supported on many different platforms
ASCII format
- Letters and numbers
- Easy to email, readable
Privacy-Enhanced Mail (PEM)
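The DER and PEM cards above are two views of the same bytes: PEM is the Base64 of the DER between BEGIN/END armour lines, and DER itself is a stream of Tag-Length-Value records. The following is an added example, not part of the original notes, that converts between the two and walks the TLV tree the way openssl asn1parse does, including the long-form length encoding that any real certificate uses. The DER structure built at the bottom is a constructed stand-in that only mimics the outer shape of a certificate (a SEQUENCE of three elements); it is not a valid X.509 certificate and no real certificate is embedded.

```python
"""PEM <-> DER conversion and a DER TLV walker. Added example, not from the original notes."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x06: "OBJECT IDENTIFIER",
             0x30: "SEQUENCE", 0x31: "SET"}


def pem_to_der(pem: str) -> tuple:
    """Return (label, der) for the first PEM block: strip the armour, Base64-decode the rest."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)


def der_to_pem(label: str, der: bytes, width: int = 64) -> str:
    """Armour DER as PEM with the conventional 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def encode_tlv(tag: int, value: bytes) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|n followed by n big-endian length bytes."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Parse one TLV starting at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def walk(der: bytes, depth: int = 0, out: list = None) -> list:
    """List every TLV as (depth, tag, length); constructed tags (bit 6 set) are descended."""
    out = [] if out is None else out
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        out.append((depth, tag, len(value)))
        if tag & 0x20:
            walk(value, depth + 1, out)
    return out


def dump(der: bytes) -> str:
    """Indented listing in the style of openssl asn1parse."""
    return "\n".join(f"{'  ' * d}{TAG_NAMES.get(t, hex(t))} len={n}" for d, t, n in walk(der))


# Constructed stand-in, NOT a valid certificate:
# SEQUENCE { SEQUENCE { INTEGER 2 }, SEQUENCE { OID sha256WithRSAEncryption }, BIT STRING (201 bytes) }
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SAMPLE_DER = encode_tlv(
    0x30,
    encode_tlv(0x30, encode_tlv(0x02, b"\x02"))            # version-like integer
    + encode_tlv(0x30, encode_tlv(0x06, SHA256_RSA_OID))   # signature algorithm identifier
    + encode_tlv(0x03, b"\x00" + bytes(200)),              # signature placeholder; forces long-form length
)
SAMPLE_PEM = der_to_pem("CERTIFICATE", SAMPLE_DER)

if __name__ == "__main__":
    print(SAMPLE_PEM)
    print(dump(SAMPLE_DER))
```

On a real certificate the outermost SEQUENCE has exactly these three children (tbsCertificate, signatureAlgorithm, signatureValue), so walk() on the DER from a .cer file shows that shape at depth 1; the same function applied to the private-key-bearing formats (.p12/.pfx) walks the PKCS#12 structure instead.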
Personal Information Exchange Syntax Standard
- Developed by RSA Security, now an RFC standard
Container format for many certificates
- Store many X.509 certificates in a single .p12 or .pfx file
- Often used to transfer a private and public key pair
- The container can be password protected
Extended from Microsoft’s .pfx format
- Personal Information Exchange (PFX)
- The two standards are very similar
- Often referenced interchangeably
Public Key Cryptography Standards #12
Primarily a Windows X.509 file extension
- Can be encoded as a binary DER format or as the ASCII PEM format
Usually contains a public key
- Private keys would be transferred in the .pfx file format
Common format for Windows certificates
- Look for the .cer extension
Certificate (CER)
Cryptographic Message Syntax Standard
- Associated with the .p7b file
Stored as ASCII format
- Human-readable
Contains certificates and chain certificates
- Private keys are not included in a .p7b file
Wide platform support
- Microsoft Windows
- Java Tomcat
Public Key Cryptography Standards #7 (PKCS #7)
Provides scalability for checking
The CA is responsible for responding to all client requests
- This does not scale well
Instead, have the certificate holder verify their own status
- Status information is stored on the certificate holder’s server
Stapled into the SSL/TLS handshake
- Digitally signed by the CA
Online Certificate Status Protocol Stapling
You’re communicating over TLS/SSL to a server
- How do you really know it’s a legitimate server?
“Pin” the expected certificate or public key to an application
- Compiled in the app or added at first run
If the expected certificate or public key doesn’t match, the application can decide what to do
- Shut down, show a message
Pinning
Everyone receives their certificates from one authority
Single CA (PKI trust relationship)
Single CA issues certs to intermediate CAs
Hierarchical (PKI trust relationship)
Cross-certifying CAs - Doesn’t scale well
Mesh (PKI trust relationship)
Alternative to traditional PKI
Web-of-trust (PKI trust relationship)
Server authenticates to the client and the client authenticates to the server
Mutual Authentication (PKI trust relationship)
Someone who holds your decryption keys
- Your private keys are in the hands of a third party
This can be a legitimate business arrangement
- A business might need access to employee information
- Government agencies may need to decrypt partner data
Key escrow
Chain of trust
- List all of the certs between the server and the root CA
The chain starts with the SSL certificate
- And ends with the Root CA certificate
Any certificate between the SSL certificate and the root certificate is a chain certificate
- Or intermediate certificate
The web server needs to be configured with the proper chain
- Or the end user may receive an error
Certificate chaining
Source code of an application is reviewed manually or with automatic
tools without running the code
Static code analysis
Distribute the load among multiple systems that are online and in use at the same time
Active/active load balancing
Load balancer setting that sends all of a client’s requests to the same back-end server
for the duration of a session (also called session affinity or sticky sessions)
Persistence
Attempts to detect, log, and alert on malicious network activities
Use promiscuous mode to see all network traffic on a segment
Network-based intrusion detection system (NIDS)
Attempts to remove, detain, or redirect malicious traffic
Should be installed in-line of the network traffic flow
Can also perform functions as a protocol analyzer
Network intrusion prevention system (NIPS)
Pay attention to the state of traffic between systems
They can make a decision about a conversation and allow it to continue once it has been approved, rather than reviewing every packet in isolation
Track this information in a state table and use it to see entire traffic flows instead of individual packets
Stateful firewall
Process of rewriting an IP address as traffic transits a router
NAT helps hide internal network addresses from the outside
Network address translation (NAT) gateway
Devices or software that allow or block traffic based on content rules
Simple as blocking specific URLs, domains, or hosts, or they can be complex with pattern matching, IP reputation, and other elements built into the filtering rules
Content/URL filters
Networks rely on routing protocols to determine which path traffic should take to other networks
Common protocols include BGP, RIP, OSPF, EIGRP
Attacks against routing can result in on-path attacks, outages due to loops or delays in traffic being sent, or drops of traffic
Route security
WPA-Personal
- Uses a preshared key and is thus often called WPA-PSK
- Allows clients to authenticate without an authentication server infrastructure
WPA-Enterprise
- Relies on a RADIUS authentication server as part of an 802.1X implementation for authentication
- Users can thus have unique credentials and be individually identified
Uses AES encryption to provide confidentiality, delivering much stronger encryption than WEP
WPA2
Wireless security also relies upon proper WAP placement
Wireless B, G, and N use a 2.4 GHz signal
Wireless A, N, and AC use a 5.0 GHz signal
2.4 GHz signals can travel further than 5 GHz
Wireless Access Point (WAP) placement
Creating a clear separation between personal and company data on a
single device
Keep personal and business data separate
Separate volumes or even separate encrypted volumes that require specific applications, wrappers, or containers to access them
Storage segmentation
The organization pays for the device and typically for the cellular plan or other connectivity
The user selects the device from a list of preferred options rather than bringing in whatever they want to use
Support is easier since only a limited number of device types will be encountered, and that can make a security model easier to establish as well
Choose your own device (CYOD)
An open standard and decentralized protocol that is used to
authenticate users in a federated identity management system
User logs in to an Identity Provider (IdP) and uses that account at
Relying Parties (RP)
This is easier to implement than SAML
SAML is more efficient than this
OpenID
Determine which accounts, users, groups, or services can perform actions like reading, writing, and executing files
Linux can be set with chmod command
Windows can be set via command line or GUI
The modify permission allows viewing as well as changing files or folders
Read and execute does not allow modification or changes but does allow the files to be run
Filesystem permissions
Created by the offline root CA (signed with the root key) and kept online to issue certificates on a routine basis
Intermediate CA
An online list of digital certificates that the certificate authority has
revoked
Maintained by the various CAs; contains the serial numbers of certificates issued by that CA that have been revoked, along with the date and time the revocation took effect
Major disadvantage is they must be downloaded and cross-referenced periodically, introducing a period of latency between the time a certificate is revoked and the time end users are notified of the revocation
Certificate Revocation List (CRL)
Once you’ve satisfied the CA regarding your identity, you provide them with your public key in this form
The CA next creates an X.509 digital certificate containing your identifying information and a copy of your public key
The CA then digitally signs the certificate using the CA’s private key and provides you with a copy of your signed digital certificate
Certificate Signing Request (CSR)
Commonly used by Windows systems
Certificates may be stored in binary form, using .PFX or .P12 file extensions
Personal Information Exchange (PFX)