Lesson 13: Implementing Secure Network Applications Flashcards

1
Q

HyperText Transfer Protocol (HTTP)

A

HTTP enables clients (typically web browsers) to request resources from an HTTP server. A client connects to the HTTP server using an appropriate TCP port (the default is port 80) and submits a request for a resource, identified by a uniform resource locator (URL). The server acknowledges the request and responds with the data (or an error message).

Request and response formats are defined by HTTP headers. The HTTP payload is usually used to serve HTML web pages, which are plain text files with coded tags (HyperText Markup Language) describing how the page should be formatted. A web browser interprets the tags and displays the text and other resources associated with the page, such as binary picture or sound files linked from the HTML page.

HTTP also features a forms mechanism (POST) whereby a user can submit data from the client to the server. HTTP is a stateless protocol; this means that the server preserves no information about the client during a session. However, the basic functionality of HTTP servers is often extended by support for scripting and programmable features (web applications). Servers can also set text file cookies to preserve session information. Technologies such as Java, ASP, and integration with databases increase flexibility and interactivity but also significantly increase security risks.

As with other early TCP/IP application protocols, HTTP communications are not secured. The popularity of the web has made it and related technologies (such as browsers and plug-ins) a popular target for different attacks.

2
Q

Web servers should be deployed using configuration templates where possible. Some basic hardening procedures include the following:

A

• Most web servers must allow access to guests (that is, unauthenticated users). The guest account must be secured so that it cannot be used to modify any data on the server (it should be granted read-only or browse permissions only). On IIS 6 and earlier the guest account is IUSR_ServerName; IIS 7 and later use the built-in IUSR account. Apache® typically runs as a dedicated low-privilege account named www-data, apache, or httpd, depending on the distribution. The guest account should have no permissions outside the directory set up for browsing.

Note: Guests may require execute permissions on scripts and applications that you want them to be able to run, and these may be stored in a directory outside the root of the website.

  • When a web server is leased, a secure means of uploading files and configuration changes needs to be used (SSH, for example). Most hosting packages include a GUI management application such as cPanel. Remember that ordinary FTP connections are not secure (critically, authentication information is transmitted in plaintext).
  • When a web server is connected to a private network, the location of the server should be carefully considered so as not to expose the private network to attack from the public one through the web server. This is typically achieved by placing a firewall between the web server and the local network, creating a Demilitarized Zone (DMZ).
  • Use separate accounts to administer servers in the DMZ, and ensure that the accounts do not share credentials with any other accounts on the LAN.
  • Web servers are typically installed with sample pages (and even scripts) along with help documentation. These samples sometimes contain vulnerabilities and should be removed from a production server.
  • Logging provides valuable information about how the website is used, alerts you to unusual or suspicious behavior, and gives an audit trail of changes made to pages and settings. Logs should be forwarded off the web server so that an attacker who compromises it cannot erase them.
3
Q

Secure Sockets Layer (SSL)

A

developed by Netscape in the 1990s to address the problems with the lack of security in HTTP. SSL proved very popular with the industry. Transport Layer Security (TLS) was developed from SSL and ratified as a standard by IETF. SSL/TLS works as a layer between the application and transport layers of the TCP/IP stack. It is usually used to encrypt TCP connections. It is typically used with the HTTP application (referred to as HTTPS or HTTP Over SSL or HTTP Secure) but can also be used to secure other TCP application protocols, such as Telnet, FTP, NNTP, SMTP, or LDAP.

To implement HTTPS, a server is assigned a digital certificate signed by some trusted certificate authority (CA). The certificate proves the identity of the server (assuming that the client trusts the CA and checks that the name in the certificate matches the host it asked for). The server uses the certificate during the SSL/TLS handshake to authenticate itself and to establish a session key; that key then encrypts communications between it and the client. This means that the communications cannot be read, or changed without detection, by a third party.

4
Q

The initial connection is governed by the SSL/TLS Handshake sub-protocol:

A
  1. The client makes a connection request (CLIENT_HELLO) listing the highest protocol version, cipher suites, and compression algorithm(s) it supports. It also sends the date and time plus a random number (ClientRandom), which is later used in deriving the session keys. The client may also specify a session ID, allowing resumption of an existing session without re-generating keys (which is processor intensive).

Observing the TLS handshake in a Wireshark packet capture—The CLIENT HELLO packet sends the cipher suites supported (amongst other data). (Screenshot used with permission from Wireshark.)

Note: Wireshark shows the on-the-wire version number. SSL 3.1 is TLS 1.0, 3.2 is TLS 1.1, and 3.3 is TLS 1.2. Most implementations do not actually support any compression method other than null.

  2. The server responds with SERVER_HELLO, selecting the protocol version and the cipher suite it prefers from those the client offered, and its own randomly generated number (ServerRandom), along with any session information.
  3. If client and server support compatible versions and ciphers, the server sends its X.509 certificate to the client (CERTIFICATE). With an ephemeral Diffie-Hellman suite (DHE or ECDHE) it also sends its key exchange parameters, signed with the private key matching the certificate (SERVER_KEY_EXCHANGE). It then sends SERVER_HELLO_DONE.

Note: A server can optionally request a certificate from the client (CERTIFICATE_REQUEST), providing mutual authentication. More commonly, the client is untrusted.

  4. The client validates the server's certificate (chain to a trusted CA, validity period, name match, revocation status). It then performs key exchange or key agreement to establish the secret used with the confidentiality cipher, such as AES, sending CLIENT_KEY_EXCHANGE. With RSA key exchange, the client generates a pre-master secret, encrypts it using the server's public key, and sends it to the server. With DHE or ECDHE, the client sends its own ephemeral public value and both sides compute the pre-master secret. CERTIFICATE_VERIFY is sent only when the client has presented its own certificate; it proves possession of the client's private key.
  5. The server and client then follow the same steps to derive a shared master secret from the pre-master secret and the ClientRandom and ServerRandom values, and from the master secret the symmetric encryption and MAC keys.
  6. Client and server then exchange the CHANGE_CIPHER_SPEC message, to indicate that subsequent communications will be encrypted, and the FINISHED message, which contains a digest of all the handshake messages and is used to verify that the handshake has not been tampered with.
  7. Once the session is established, client and server exchange encrypted data in SSL/TLS records, which are placed into transport layer packets for delivery.
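The ClientHello fields that Wireshark displays in the capture above can be pulled out of the raw record with a few dozen lines of parsing. The following Python is an added example and is not code from the flashcards or from Wireshark: it builds a ClientHello from constructed values (the cipher-suite table is a hand-picked subset of the IANA registry, and www.example.com is a made-up target) and then decodes it, reporting the offered version, cipher suites, compression methods and Server Name Indication.

```python
"""Decode a TLS ClientHello the way a packet analyzer does.

Added example, not part of the original flashcards. The ClientHello bytes are
constructed by build_client_hello() rather than captured from a real client, and
SUITE_NAMES is a hand-picked subset of the IANA cipher-suite registry.
"""
import struct

SUITE_NAMES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009C: "AES128-GCM-SHA256",   # static RSA key exchange: no forward secrecy
    0x000A: "DES-CBC3-SHA",        # 3DES: legacy
    0x0005: "RC4-SHA",             # RC4: broken
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

# On the wire, versions are (major, minor): TLS 1.0 is 3.1, TLS 1.2 is 3.3.
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(suite_ids, server_name, client_version=0x0303):
    """Assemble a TLS record carrying a ClientHello (constructed sample input)."""
    client_random = bytes(range(32))            # a real client uses 32 random bytes
    name = server_name.encode("ascii")
    # server_name extension (type 0): list length, name type 0 (host_name), name length, name
    name_list = struct.pack("!BH", 0, len(name)) + name
    ext_data = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", 0, len(ext_data)) + ext_data
    body = struct.pack("!H", client_version) + client_random
    body += b"\x00"                             # empty session ID: no resumption attempted
    body += struct.pack("!H", 2 * len(suite_ids))
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                         # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    # Record header: content type 22 (handshake), legacy record version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the version, cipher suites, compression methods and SNI a ClientHello offers."""
    content_type, record_version, record_len = struct.unpack_from("!BHH", record, 0)
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + record_len]
    if len(handshake) != record_len or handshake[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")

    off = 0
    (version,) = struct.unpack_from("!H", body, off); off += 2
    client_random = body[off:off + 32]; off += 32
    sid_len = body[off]; off += 1
    session_id = body[off:off + sid_len]; off += sid_len
    (cs_len,) = struct.unpack_from("!H", body, off); off += 2
    suite_ids = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    cm_len = body[off]; off += 1
    compression = list(body[off:off + cm_len]); off += cm_len

    sni = None
    if off < len(body):                         # extensions are optional
        (ext_len,) = struct.unpack_from("!H", body, off); off += 2
        end = off + ext_len
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack_from("!HH", body, off); off += 4
            ext = body[off:off + ext_size]; off += ext_size
            if ext_type == 0 and len(ext) >= 5:  # server_name: skip list length, read first entry
                name_type, name_len = struct.unpack_from("!BH", ext, 2)
                if name_type == 0:
                    sni = ext[5:5 + name_len].decode("ascii")

    return {
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "version": VERSION_NAMES.get(version, hex(version)),
        "client_random": client_random.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": [SUITE_NAMES.get(s, f"unknown(0x{s:04X})") for s in suite_ids],
        "compression": compression,
        "sni": sni,
    }


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x009C, 0x0005, 0x00FF], "www.example.com")
    for key, value in parse_client_hello(hello).items():
        print(f"{key}: {value}")
```

The record version in the header stays at 3.1 (TLS 1.0) for compatibility with old middleboxes; the version the client actually wants is the one inside the ClientHello body, which is why the two are reported separately. Everything in the ClientHello, including the SNI, is sent in plaintext, which is what allows an inspecting device to see the destination hostname before any encryption starts.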
5
Q

SSL/TLS supports most of the major symmetric and asymmetric ciphers.

A
  • Asymmetric ciphers (key exchange and authentication)—RSA, DSA/DSS, Diffie-Hellman, and the elliptic curve variants ECDSA and ECDH(E).
  • Symmetric ciphers (confidentiality)—RC4, RC2, DES, 3DES, IDEA, AES, and ChaCha20. Of these, only AES and ChaCha20 should be used today; RC4 is prohibited by RFC 7465 and the others are too weak or too slow.
  • Hashed Message Authentication Code (HMAC) function—MD5, SHA-1, or SHA-2 (SHA-256/SHA-384).
  • A cipher suite is written in the following form:

ECDHE-RSA-AES128-GCM-SHA256

This means that the server can use Elliptic Curve Diffie-Hellman Ephemeral mode (and so provides Perfect Forward Secrecy) for session key agreement, RSA for authentication, 128-bit AES in Galois Counter Mode (GCM) for symmetric encryption, and SHA-256 as the hash for the key-derivation function (PRF). Because AES-GCM is an authenticated-encryption (AEAD) mode, message integrity comes from the GCM tag rather than a separate HMAC; in an older suite such as ECDHE-RSA-AES128-SHA256, the final element names the HMAC hash. Suites the server prefers are listed earlier in its supported cipher list.

6
Q

Transport Layer Security

A

While the name SSL is still widely used, the Transport Layer Security versions are the only ones that are safe to use. SSL and TLS versions are not interoperable; that is, a client supporting only SSL 3.0 could not connect to a server supporting only TLS 1.0. A server can provide support for legacy clients, but obviously this is less secure. For example, a TLS 1.2 server could be configured to allow clients to downgrade to TLS 1.1 or 1.0 or even SSL 3.0 if they do not support TLS 1.2.

Note: A downgrade attack is where a Man-in-the-Middle tries to force the use of a weak cipher suite and SSL/TLS version, for instance by tampering with the client's offer or by making the initial handshake fail so that the client retries with an older version. POODLE against SSL 3.0 is the best-known example.

SSL 2.0 and 3.0 are both deprecated, and SSL 1.0 was never released. TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021, so TLS 1.2 should be the minimum version offered, and older versions should only be enabled following a risk assessment. The most notable changes between TLS 1.0, 1.1, and 1.2 are improvements to the cipher suite negotiation process (the means by which server and client agree to use the strongest ciphers available to both) and protection against known attacks (TLS 1.1 added explicit IVs to counter BEAST-style attacks on CBC mode). TLS 1.2 also replaced the MD5/SHA-1 based key derivation with SHA-256 and added support for AEAD suites such as AES-GCM.

TLS version 1.3 was approved in 2018 (RFC 8446). One of the main features of TLS 1.3 is protection against downgrade attacks: legacy features and algorithms (RSA key transport, static Diffie-Hellman, CBC-mode and RC4 suites, compression, renegotiation) are removed, and a TLS 1.3 server that is talked down to an older version embeds a marker in ServerRandom that a TLS 1.3 client will detect. There are also changes to the handshake protocol to reduce the number of messages (one round trip instead of two) and, therefore, speed up connection establishment. TLS 1.3 cipher suites only include the mechanisms used for confidentiality and integrity (TLS_AES_128_GCM_SHA256, for instance). Key exchange/agreement and authentication algorithms are specified separately. This should make selecting the algorithms simpler and less prone to configuration errors as there isn't a list of 30 or more cryptically named suites to choose from and it allows the actual cipher negotiation process to be streamlined.
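Putting the version and cipher suite rules from the last two cards into a configuration, as an added example that is not part of the original flashcards: the Python ssl module is used to enforce a TLS 1.2 minimum, disable compression and restrict the TLS 1.2 suites to ephemeral ECDH with AEAD ciphers, and a small audit splits OpenSSL-style suite names into the key exchange, authentication, cipher and hash roles described above and flags legacy algorithms or static RSA key exchange. The policy thresholds and the name patterns are this example's own choices, not a standard.

```python
"""Enforce and audit a TLS policy with Python's ssl module.

Added example, not from the original flashcards. The policy (TLS 1.2 minimum,
ephemeral key agreement and AEAD suites only, no compression) is this example's
choice; the weak-suite checks are pattern matches on OpenSSL-style suite names.
"""
import re
import ssl

KX_NAMES = {"ECDHE", "DHE", "ECDH", "DH"}
AUTH_NAMES = {"RSA", "ECDSA", "DSS", "PSK"}
# Algorithms that should never be negotiated, as they appear in OpenSSL suite names.
BROKEN = re.compile(r"(^|-)(RC4|RC2|DES|IDEA|NULL|EXP|MD5)(-|$)")


def describe_suite(name):
    """Split a suite name into the roles the card describes (key exchange, auth, cipher, hash)."""
    if name.startswith("TLS_"):                  # TLS 1.3 naming: key exchange and auth are not in the name
        cipher, digest = name[4:].rsplit("_", 1)
        return {"kx": None, "auth": None, "cipher": cipher, "hash": digest, "forward_secrecy": True}
    parts = name.split("-")
    kx = parts.pop(0) if parts[0] in KX_NAMES else "RSA"      # no kx token means static RSA key transport
    auth = parts.pop(0) if parts[0] in AUTH_NAMES else "RSA"
    if parts[-1].startswith(("SHA", "MD5")):
        digest = parts.pop()                      # a bare "SHA" means SHA-1
    else:
        digest = "SHA256"                         # AEAD suites without a suffix use the SHA-256 PRF
    return {"kx": kx, "auth": auth, "cipher": "-".join(parts), "hash": digest,
            "forward_secrecy": kx in ("ECDHE", "DHE")}


def audit_cipher_names(names):
    """Return (suite, reason) for each suite that violates the policy; an empty list means clean."""
    findings = []
    for name in names:
        if BROKEN.search(name) or describe_suite(name)["hash"] == "MD5":
            findings.append((name, "broken or deprecated algorithm"))
        elif not describe_suite(name)["forward_secrecy"]:
            findings.append((name, "no forward secrecy: static RSA key exchange"))
    return findings


def build_server_context():
    """A server-side SSLContext that refuses legacy versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0, TLS 1.0 and TLS 1.1 clients are rejected
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression enables CRIME-style attacks
    # OpenSSL cipher string for TLS 1.2: ephemeral ECDH with AEAD ciphers only.
    # TLS 1.3 suites are configured separately by OpenSSL and are all forward secret and AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Audit the suites an SSLContext will actually offer."""
    return audit_cipher_names(cipher["name"] for cipher in ctx.get_ciphers())


def context_summary(ctx):
    """The settings an auditor would check on a context, in one place."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "findings": audit_context(ctx),
    }


if __name__ == "__main__":
    print(context_summary(build_server_context()))
    for suite, reason in audit_cipher_names(["AES128-SHA", "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]):
        print(f"{suite}: {reason}")
```

The context built here is what you would pass to wrap_socket() on the server side; the audit is the check to run against any cipher list you inherit, since the OpenSSL keyword strings are easy to get subtly wrong.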

7
Q

SSL/TLS accelerator

A

Public key encryption calculations are relatively intensive in terms of CPU and memory resources. An SSL/TLS accelerator is a hardware device with a specialist chipset—Application Specific Integrated Circuit (ASIC)—dedicated to performing these calculations. They are usually implemented as plug-in cards for server equipment or load balancing appliances and therefore can be placed anywhere in the network where SSL/TLS offloading is desired.

8
Q

SSL decryptor, inspector, or interceptor

A

An SSL decryptor, inspector, or interceptor is a type of proxy used to examine encrypted traffic before it enters or leaves the network. It terminates the client's TLS session, inspects the plaintext, and opens a second TLS session to the real server, presenting the client with a certificate for the destination that it signs with an enterprise CA; that CA must be trusted by every managed endpoint. This ensures that traffic complies with data policies and that encryption is not being misused, either as a data exfiltration mechanism or to operate a Command & Control (C2) Remote Access Trojan. An SSL decryptor would be positioned at the network edge and implemented as a transparent bridge. This makes it almost impossible for an adversary to evade the device, unless there is a separate backdoor network channel. The drawback is that the decryptor appliance will be a single point of failure, unless a load balancing and failover system is implemented. Applications that pin the server's certificate or that require client certificates cannot be intercepted in this way and must be exempted or blocked.

9
Q

Some typical functions of SSL decryptors include:

A
  • Block connections that use weak cipher suites or implementations.
  • Block connections that cannot be inspected (for instance, where the client pins the server's certificate or uses a client certificate, so the proxy cannot substitute its enterprise-signed certificate).
  • Do not inspect authorized traffic that is subject to privacy or compliance regulations.
  • Integrate with IDS, DLP, and SIEM to apply security policies and provide effective monitoring and reporting.
10
Q

Employees may require access to all kinds of subscription services. Some examples include:

A
  • Market and financial intelligence and information.
  • Security threat intelligence and information.
  • Reference and training materials in various formats (ebook and video, for instance).
  • Software applications and cloud services paid for by subscription rather than permanent licenses.

Most of this sort of content will be delivered by a secure web site or cloud application. It may be necessary to provision authentication mechanisms for enterprise Single-Sign On (SSO) access to the services.

Another use of subscriptions is a web feed, where updated articles or news items are pushed to the client or browser. Web feeds are based on either the Really Simple Syndication (RSS) or Atom formats, both of which use eXtensible Markup Language (XML) to mark up each document supplied by the feed. A feed is attacker-controlled XML that the client parses, so feed readers are exposed to XML attacks: a malicious entry can carry links to phishing or script-bearing URLs, and a parser that resolves external entities is open to XML External Entity (XXE) injection, which can be used to read files from the client's file system or make requests on its behalf (https://mikeknoop.com/lxml-xxe-exploit).

Note: Subscription services may also describe the outsourcing of network and security components and procedures. There may also be subscription use of enterprise cloud applications, which may be mediated by an access broker.
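One way to read a feed without exposing the client to the XML attacks described above, as an added example that is not from the flashcards or from the linked post: a parser built on Python's standard library that rejects any DOCTYPE (so no entity can be declared, external or internal) and drops links that are not absolute http(s) URLs before they reach a user. The three feeds are constructed samples, and the scheme whitelist is this example's own policy.

```python
"""Parse an RSS or Atom feed defensively.

Added example, not from the original flashcards. It uses only xml.etree from the
standard library and the feed documents are constructed inline. The DOCTYPE
rejection is the rule defusedxml applies as forbid_dtd, written out here so the
reason is visible; the link-scheme filter is this example's own policy.
"""
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SAFE_SCHEMES = ("http://", "https://")
DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeFeed(ValueError):
    """The document asks for something a feed never legitimately needs."""


def safe_href(href):
    """Keep only absolute http(s) links; javascript:, data:, file: and relative links are dropped."""
    return href if href.strip().lower().startswith(SAFE_SCHEMES) else ""


def parse_feed(data):
    """Return [(title, link)] for an Atom or RSS 2.0 feed, refusing any DTD."""
    # A DTD can declare entities. External entities (SYSTEM "file:///...") are what
    # XXE abuses; internal ones can be nested into an entity-expansion bomb. The
    # standard-library expat parser does not fetch external entities on its own, but
    # other parsers do, so the safe rule for untrusted feeds is to reject DTDs outright.
    if DOCTYPE.search(data):
        raise UnsafeFeed("DOCTYPE declaration in feed")
    root = ET.fromstring(data)
    entries = []
    for entry in root.iter(f"{ATOM}entry"):                    # Atom
        link = entry.find(f"{ATOM}link")
        href = link.get("href", "") if link is not None else ""
        entries.append((entry.findtext(f"{ATOM}title", default=""), safe_href(href)))
    for item in root.iter("item"):                             # RSS 2.0
        entries.append((item.findtext("title", default=""),
                        safe_href(item.findtext("link", default=""))))
    return entries


# Constructed sample feeds (not real subscriptions).
ATOM_FEED = b"""<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Threat advisories</title>
  <entry><title>Patch now</title><link href="https://advisories.example.test/1"/></entry>
  <entry><title>Click here</title><link href="javascript:alert(document.cookie)"/></entry>
</feed>"""

RSS_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>News</title>
  <item><title>Market update</title><link>http://news.example.test/42</link></item>
</channel></rss>"""

XXE_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE feed [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>&xxe;</title><link href="https://advisories.example.test/2"/></entry>
</feed>"""

if __name__ == "__main__":
    print(parse_feed(ATOM_FEED))
    print(parse_feed(RSS_FEED))
    try:
        parse_feed(XXE_FEED)
    except UnsafeFeed as err:
        print("rejected:", err)
```

Titles are returned as text and must still be HTML-escaped by whatever renders them; the parser only removes the two things the paragraph above warns about, entity declarations and non-web link schemes.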

11
Q

file transfer

A

There are many means of transferring files across networks. A network operating system can host shared folders and files, enabling them to be copied or accessed over the local network or via remote access (over a VPN, for instance). Email and IM applications allow file transfer using attachments to messages. HTTP supports file download (and uploads via various scripting mechanisms). The TCP/IP FTP protocol and various peer-to-peer file sharing products can be used to transfer files more quickly and efficiently, however.

12
Q

File Transfer Protocol (FTP)

A

A File Transfer Protocol (FTP) server is typically configured with several public directories, hosting files, and user accounts. Each user account can be configured with different permissions over files and directories. Some web server packages (IIS, for instance) also include an FTP service, and FTP services, accounts, and directories may be installed and enabled by default when you install a web server. FTP is more efficient compared to file attachments or HTTP file transfer, but has no security mechanisms. All authentication and data transfer are communicated as plain text, meaning that credentials can easily be picked out of any intercepted FTP traffic. FTP uses TCP port 21 for the control connection and opens a separate data connection for each transfer.

Note: Do not re-use secure passwords (such as Windows authentication passwords) for FTP applications. Any password used for FTP should be regarded as unsecure.

FTP clients usually have GUIs to help the user, though FTP can be performed over a command line as well. Most web browsers can function as basic FTP clients.

Note: You should check that users do not install unauthorized servers on their PCs (a rogue server). For example, a version of IIS that includes HTTP, FTP, and SMTP servers is shipped with client versions of Windows, though it is not installed by default.

13
Q

Trivial File Transfer Protocol (TFTP)

A

a connectionless protocol (utilizing UDP port 69) that also provides file transfer services. It relies on a simple lock-step acknowledgement of each block rather than the reliable delivery TCP gives FTP, and is therefore only suitable for transferring small files. Also, it only supports reading (GET) and writing (PUT) files, not directory browsing, file deletion, or any of the other features of FTP. TFTP has no authentication at all, so a TFTP server must be restricted to the management network and must not hold anything sensitive. An example of the usage for TFTP might be a switch or router automatically downloading configuration files.

14
Q

SSH FTP (SFTP)

A

addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. SFTP is not FTP tunneled over SSH; it is a separate file transfer protocol (the SSH File Transfer Protocol) that runs as a subsystem of a Secure Shell (SSH) connection over TCP port 22. The client authenticates to the SSH server (by password or, preferably, public key), and file operations are then carried inside the encrypted, integrity-protected SSH channel without risk of eavesdropping or Man-in-the-Middle attacks, provided the client verifies the server's host key. This solution requires an SSH server that supports the SFTP subsystem and SFTP client software.

15
Q

Another means of securing FTP is to use the connection security protocol SSL/TLS. As with SMTP, there are two means of doing this:

A
  • Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers should also be encrypted (PROT P); the default, PROT C, leaves file contents in the clear.
  • Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

FTPS is tricky to configure when there are firewalls between the client and server. Consequently, FTPES is usually the preferred method. In either mode, once the control connection is encrypted the firewall can no longer read the PORT/PASV exchange that announces the data connection port, so the server must be configured with a fixed passive port range that the firewall permits.

16
Q

Simple Mail Transfer Protocol (SMTP)

A

The Simple Mail Transfer Protocol (SMTP) specifies how mail is delivered from one system to another. It is a relatively straightforward protocol that makes the connection from the sender’s server to that of the recipient and then transfers the message. The SMTP server of the sender discovers the IP address of the recipient SMTP server using the domain name part of the email address. The SMTP server for the domain is registered in DNS using a Mail Exchanger (MX) record.

17
Q

SMTP communications can (and should) be secured using the SSL/TLS version of the protocol (SMTPS). This works much like HTTPS with a certificate on the SMTP server and a negotiation between client and server about which cipher suites to use. There are two ways for SMTP to use TLS:

A
  • STARTTLS—this is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS. Note that despite the name, the connection can be configured to use legacy SSL versions if required.
  • SMTPS—this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.
18
Q

The STARTTLS method is generally more widely implemented than SMTPS. Typical SMTP configurations use the following ports and secure services:

A
  • Port 25—used for message relay (between SMTP servers or Message Transfer Agents [MTA]). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection. Because STARTTLS is opportunistic, a Man-in-the-Middle can strip the STARTTLS capability from the EHLO response and force a plaintext session; MTA-STS and DANE let a receiving domain publish a requirement for TLS that the sending server can enforce.
  • Port 587—used by mail clients (Message Submission Agents [MSA]) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission; credentials must never be accepted until TLS is active.
  • Port 465—used for message submission over implicit TLS (SMTPS). This port was withdrawn for a time, but RFC 8314 (2018) re-registered it for submission over implicit TLS and recommends it in preference to STARTTLS on 587.
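The following Python models the submission exchange on port 587 and the STARTTLS-stripping downgrade it is exposed to. It is an added example, not code from the flashcards; the server is a scripted stand-in replaying constructed responses (mail.example.test and the capability lists are made up), and the point where a real client would wrap the socket with ssl.SSLContext.wrap_socket() is marked by a placeholder transcript entry. The client refuses to send AUTH unless STARTTLS has been offered and accepted.

```python
"""Refuse to send SMTP credentials until STARTTLS has succeeded.

Added example, not from the original flashcards. The server is a scripted
stand-in that replays constructed responses so the exchange runs offline; the
step marked below is where a real client would call SSLContext.wrap_socket().
"""

HOSTNAME = "mail.example.test"     # assumed name for the scripted server


class TLSRequiredError(Exception):
    """Raised when the session cannot be protected and credentials were withheld."""


class ScriptedSMTPServer:
    """Replays canned responses. `capabilities` is the constructed EHLO extension list."""

    def __init__(self, capabilities):
        self.capabilities = list(capabilities)
        self.received = []           # every command the server saw, protected or not
        self.tls_active = False

    def banner(self):
        return f"220 {HOSTNAME} ESMTP ready"

    def send(self, command):
        self.received.append(command)
        verb = command.split()[0].upper()
        if verb == "EHLO":
            # After STARTTLS a server must not advertise STARTTLS again.
            caps = [c for c in self.capabilities if not (self.tls_active and c == "STARTTLS")]
            lines = [HOSTNAME] + caps
            return [f"250-{line}" for line in lines[:-1]] + [f"250 {lines[-1]}"]
        if verb == "STARTTLS":
            if "STARTTLS" not in self.capabilities:
                return ["454 TLS not available due to temporary reason"]
            self.tls_active = True
            return ["220 Go ahead"]
        if verb == "AUTH":
            return ["235 Authentication succeeded"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["502 Command not implemented"]


def ehlo_capabilities(reply):
    """Extract the keyword of each EHLO extension line (everything after the greeting line)."""
    return {line[4:].split()[0].upper() for line in reply[1:] if len(line) > 4}


def submit_session(server, username, require_tls=True):
    """Drive EHLO / STARTTLS / EHLO / AUTH and return the transcript of commands sent."""
    transcript = []

    def cmd(command):
        transcript.append(command)
        return server.send(command)

    if not server.banner().startswith("220"):
        raise TLSRequiredError("unexpected greeting")
    caps = ehlo_capabilities(cmd("EHLO client.example.test"))
    if "STARTTLS" in caps:
        if not cmd("STARTTLS")[0].startswith("220"):
            cmd("QUIT")
            raise TLSRequiredError("server refused STARTTLS")
        # Real client: sock = ctx.wrap_socket(sock, server_hostname=host), which
        # verifies the certificate; then the SMTP state is reset and EHLO is resent.
        transcript.append("<TLS handshake>")
        caps = ehlo_capabilities(cmd("EHLO client.example.test"))
    elif require_tls:
        # A MITM that strips STARTTLS from the capability list gets exactly this:
        # the client leaves without ever transmitting a password.
        cmd("QUIT")
        raise TLSRequiredError("STARTTLS not offered; refusing to authenticate in plaintext")
    if "AUTH" not in caps:
        cmd("QUIT")
        raise TLSRequiredError("server does not offer AUTH")
    cmd(f"AUTH PLAIN <base64 credentials for {username}>")
    cmd("QUIT")
    return transcript


if __name__ == "__main__":
    print(submit_session(ScriptedSMTPServer(["STARTTLS", "AUTH PLAIN LOGIN", "8BITMIME"]), "alice"))
    try:
        submit_session(ScriptedSMTPServer(["AUTH PLAIN LOGIN", "8BITMIME"]), "alice")
    except TLSRequiredError as err:
        print("refused:", err)
```

The require_tls flag is the whole difference between a client that is safe against STARTTLS stripping and one that is not; with it set to False the same code hands the credentials to whatever is on the other end of the plaintext connection.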
19
Q

Post Office Protocol v3 (POP3)

A

SMTP is only used to deliver mail to hosts that are permanently available. Mail users require the convenience of receiving and reading their mail when they choose. The Post Office Protocol v3 (POP3) is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at his or her convenience.

A POP3 client application, such as Microsoft Outlook® or Mozilla Thunderbird®, establishes a TCP connection to the POP3 server over port 110. The user is authenticated (by username and password) and the contents of his or her mailbox are downloaded for processing on the local PC. POP3S is the secured version of the protocol, operating over TCP port 995 by default.

20
Q

Internet Message Access Protocol v4 (IMAP4)

A

POP3 has limitations, which are addressed by the Internet Message Access Protocol v4 (IMAP4). POP3 is primarily designed for dial-up access; the client contacts the server to download its messages then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage the mailbox on the server (to organize messages in folders and control when they are deleted, for instance) and to create multiple mailboxes. Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993.

Note: POP and IMAP also support the STARTTLS command, but this is not often used in practice, with implicit TLS over the default secure ports much more widely implemented.

21
Q

Secure/Multipurpose Internet Mail Extensions (S/MIME)

A

Connection security goes a long way toward preventing the compromise of email accounts and the spoofing of email, but there is still a need for message authentication and confidentiality in many scenarios. One means of doing this with PKI is called Secure/Multipurpose Internet Mail Extensions (S/MIME).

22
Q

To use S/MIME, the user is issued a digital certificate containing his or her public key, signed by a CA to establish its validity. The public key is a pair with a private key kept secret by the user. To establish the exchange of secure emails, both users must be using S/MIME and exchange certificates:

A
  1. Alice sends Bob her digital certificate, containing her public key and validated digital ID (distinguished subject name and email address). She signs this message using her private key.
  2. Bob uses the public key in the certificate to verify her signature, and the CA's public key (or the chain of CAs) to verify the signature on her certificate, validating her digital certificate and digital ID. He decides that he can trust Alice and her email address.
  3. He responds with his digital certificate and public key and Alice, following the same process, decides to trust Bob.

Both Alice and Bob now have one another's certificates in their trusted certificate stores.

  4. When Alice wants to send Bob a confidential message, she makes a hash of the message and signs the hash using her private key, attaching her certificate. She then encrypts the signed message with a randomly generated one-time symmetric key, encrypts that key using Bob's public key, and sends the result to Bob as an S/MIME attachment (S/MIME uses this hybrid scheme because public key ciphers are far too slow to encrypt the message body directly).
  5. Bob receives the message and uses his private key to recover the symmetric key, then decrypts the message with it. He validates the signature and the integrity of the message by verifying the signature with Alice's public key and comparing the recovered hash value with one he makes himself.

One complication in this scenario is that it assumes Alice and Bob each use a single key pair, both to sign messages and to allow recipients to encrypt messages to them. This is not recommended for communication requiring very high levels of security. A key pair used for encryption/decryption should normally be backed up or kept in escrow because if it is lost, the data encrypted with it will also be lost. However, if the same key pair had been used for signing messages, obtaining the backup or escrow key would allow someone to impersonate the user (breaking the principle of non-repudiation). Using separate key pairs is referred to as a dual key pair. The key usage extension in each certificate must specify the purpose:

  • Signing—digitalSignature and/or nonRepudiation (contentCommitment).
  • Encryption—keyEncipherment (RSA key transport) or keyAgreement (Diffie-Hellman/ECDH).

Both certificates should also carry the emailProtection extended key usage. Not all email clients support the use of dual key pairs.

23
Q

Spam

A

unsolicited email. Dealing with spam wastes resources (computer and human). Most new email application software has spam filtering built-in. This is an appropriate solution for home users, but on enterprise networks, if spam has already reached the user’s mailbox, then it has already wasted bandwidth and taken up space on the server. Consequently, most companies deploy a gateway server with spam filtering technology. This can either be installed in-house or leased from a provider.

A secure configuration for email is to install an email relay server in a demilitarized zone (DMZ).

The mail relay can be installed with software to monitor and filter email traffic, checking for spam and infected file attachments.

24
Q

Apart from message-based filtering and using blacklists (to block mail servers or domains known to send spam), there are many other methods for trying to reduce spam. As with filters, though, these can generate numerous false positives (that is, block legitimate traffic). Some examples include:

A
  • Whitelist—if an organization only deals with a limited number of correspondents, they can set up a whitelist of permitted domains or use some sort of authentication between the mail servers. Sender authentication standards (SPF, DKIM, and DMARC) are the general-purpose form of this and let a receiver reject mail that claims a domain it is not authorized to send for.
  • SMTP standards checking—rejecting email that is not strictly RFC-compliant can block some spam, but may also block legitimate traffic.
  • rDNS (reverse DNS lookup)—rejecting mail from servers where the connecting IP address has no PTR record, where the PTR name does not resolve back to that address (forward-confirmed reverse DNS), or where the address appears to be dynamically assigned.
  • Tarpitting—introducing a delayed response to the SMTP session. This makes the spammer's server less efficient; in many cases, the spamming software will simply give up.
  • Recipient filtering—blocking mail that is not addressed to a valid recipient email address.
25
Q

Apart from message filtering, a mail gateway could provide other services:

A
  • Data Loss Prevention (DLP)—the relay can act as an enforcer for any DLP policies, scanning messages to ensure that no data is being communicated in a way that is not compliant with policy.
  • Encryption—a relay can handle message encryption and decryption for all messages leaving and arriving at the company. This is an alternative to relying on individual users to set up mail security on their clients. External recipients can configure an account to authenticate with the gateway to allow them to decrypt messages sent to them and submit messages to the company securely.
26
Q

Voice over IP (VoIP), web conferencing, and Video Teleconferencing (VTC) solutions

A

become the standard method for the provision of business communication over the last decade as the network technologies that support them have become faster, more reliable, and cheaper. The main challenges that these applications have in common is that they transfer real-time data and must create point-to-point links between hosts on different networks. Real-time services are those that require real-time playback. This type of data can be one-way, as is the case with video streams, such as Internet TV (IPTV), or two-way, as is the case with VoIP and VTC.

27
Q

Implementing Internet telephony and video conferencing brings its own raft of security concerns. Each part of the communications media network infrastructure needs to be evaluated for threats and vulnerabilities. This includes protocols, servers, handsets, and software. The protocols designed to support real-time services cover one or more of the following functions:

A
  • Session control—used to establish, manage, and disestablish communications sessions. They handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.
  • Data transport—handles the delivery of the actual video or voice information.
  • Quality of Service (QoS)—provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems such as dropped packets, delay, or jitter.
28
Q

Session Initiation Protocol (SIP)

A

one of the most widely used session control protocols. SIP endpoints are the end-user devices (also known as User Agents), such as IP-enabled handsets or client and server web conference software. Each device, conference, or telephony user is assigned a unique SIP address known as a SIP Uniform Resource Identifier (URI). Examples of SIP URIs include:

  • sip:bob.dobbs@comptia.org
  • sip:2622136227@comptia.org
  • sip:bob.dobbs@2622136227
  • meet:sip:organizer@comptia.org;ms-app=conf;ms-conf-id=subg42
29
Q

intermediary servers and directory servers

A

SIP endpoints can establish communications directly in a peer-to-peer architecture, but it is more typical to use intermediary servers (proxy and registrar servers) and directory servers to locate users and route calls.

30
Q

gateways

A

A SIP network may also use gateways to provide an interface between the VoIP network and external voice networks, such as the ordinary Public Switched Telephone Network (PSTN). SIP typically runs over UDP or TCP port 5060 (TCP port 5061 for SIPS).

31
Q

Real-time Transport Protocol (RTP)

A

While SIP provides session management features, the actual delivery of real-time data uses different protocols. The principal one is Real-time Transport Protocol (RTP). RTP works in conjunction with the RTP Control Protocol (RTCP). Each RTP stream uses a corresponding RTCP session to monitor the quality of the connection and to provide reports to the endpoints. These reports can then be used by the applications to modify codec parameters or by the network stacks to tune QoS parameters. RTP and RTCP use a sequential pair of UDP ports, with RTP using an even numbered port and the corresponding RTCP session using the next higher odd numbered port. UDP ports 5004 (RTP) and 5005 (RTCP) are reserved for this purpose, although in practice RTP typically uses an even-numbered ephemeral UDP port, with RTCP again using the next higher port number.

One of the main concerns for VoIP is that of eavesdropping. Hackers could exploit unencrypted VoIP communications to try to intercept passwords, credit card details, and so on. Without strong mutual authentication, connections are also vulnerable to Man-in-the-Middle attacks (redirection, replay, and hijacking).

Connection security for VoIP works in a similar manner to HTTPS. To initiate the call, the secure version SIPS uses digital certificates to authenticate the endpoints and establish an SSL/TLS tunnel for the signaling. SIPS uses TCP port 5061 by default. Note that this protects each hop between endpoint and proxy separately, not the call end to end. The media is protected by the secure versions of the transport and control protocols (SRTP and SRTCP), which by default use AES in counter mode for confidentiality and HMAC-SHA1 for integrity. The SRTP master key is usually carried in the SDP body of the SIP exchange (SDES), which is only safe if that signaling is itself protected by SIPS; alternatively the endpoints can negotiate the key directly over the media path with DTLS-SRTP or ZRTP.

32
Q

Unified Communications (UC) solutions

A

messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include VoIP, VTC, Instant Messaging (IM), text messaging (SMS), interactive whiteboards, data sharing, email, and social media networks, such as Twitter, LinkedIn®, and Facebook. Unified communications applications allow users to establish connections with one another using any available channels, and to modify the communication method as required. For example, a conversation may start as text-based instant messaging, then change to voice or video. Users may also choose to share data as part of the communication (possibly including shared screen access) or to expand the conversation to include other users.

33
Q

media gateway

A

To facilitate these communications, it is often necessary to transfer a call between two disparate systems. For example, a user might initiate a voice call on a VoIP system with a receiver using the Public Switched Telephone Network (PSTN). A media gateway handles the job of interfacing between these different communications platforms and protocols. A media gateway can be provisioned as a dedicated appliance or as software running on a server. Like email and web servers, media gateway servers must connect to untrusted networks. Consequently, they should be positioned in a DMZ and configured with least privilege access controls.

34
Q

Virtualization

A

means that multiple operating systems can be installed and run simultaneously on a single computer.

35
Q

A virtual platform requires at least three components:

A
  • Computer(s)—the platform that will host the virtual environment. Optionally, there may be multiple computers networked together.
  • Hypervisor (or Virtual Machine Monitor [VMM])—manages the virtual machine environment and facilitates interaction with the computer hardware and network.
  • Guest operating systems (or Virtual Machines [VM])—operating systems installed under the virtual environment.

One basic distinction that can be made between virtual platforms is between host and bare metal methods of interacting with the host hardware. In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system. Examples of host-based hypervisors include VMware® Workstation, Oracle® VirtualBox, and Parallels Workstation. The hypervisor software must support the host OS.

36
Q

bare metal

A

A bare metal virtual platform means that the hypervisor (Type I hypervisor) is installed directly onto the computer and manages access to the host hardware without going through a host OS. Examples include VMware ESXi®, Microsoft’s Hyper-V®, and Citrix’s XenServer. The hardware needs only support the base system requirements for the hypervisor plus resources for the type and number of guest OSes that will be installed.

37
Q

Virtual Desktop Infrastructure (VDI)

A

refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. The user makes a connection to the VM using some sort of remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. There may be a 1:1 mapping based on machine name or IP address or the process of finding an image may be handled by a connection broker.

38
Q

Virtual Desktop Environment (VDE)

A

All application processing and data storage in the Virtual Desktop Environment (VDE) or workspace is performed by the server. The thin client computer needs only to be powerful enough to display the screen image, play audio, and send keyboard and mouse input (and, where needed, upstream audio and video) to the server over the network. All data is stored on the server, so it is easier to back up, and the desktop VMs are easier to support and troubleshoot. They are better “locked” against unsecure user practices because any changes to the VM can easily be overwritten from the template image. With VDI, it is also easier for a company to completely offload its IT infrastructure to a third-party services company.

The main disadvantage is that in the event of a failure in the server and network infrastructure, users have no local processing ability, so downtime events may be more costly in terms of lost productivity.

39
Q

Application virtualization

A

a more limited type of VDI. Rather than run the whole client desktop as a virtual platform, the client either accesses an application hosted on a server or streams the application from the server to the client for local processing. Most application virtualization solutions are based on Citrix XenApp (formerly MetaFrame/Presentation Server), though Microsoft has developed an App-V product with its Windows Server range and VMware has the ThinApp product.

40
Q

Application cell/container virtualization

A

dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level. The OS defines isolated “cells” for each user instance to run in. Each cell or container is allocated CPU and memory resources, but the processes all run through the native OS kernel. Because the kernel is shared, containers can run different distributions of the same OS family (an Ubuntu® userland in a container on a Red Hat® Linux® host, for instance) but cannot run a guest OS of a different type (you could not run Windows in a container on a Linux host). Alternatively, the containers might run separate application processes, in which case the variables and libraries required by the application process are added to the container.

One of the best-known container virtualization products is Docker (https://www.docker.com). Containerization is also being widely used to implement corporate workspaces on mobile devices.

41
Q

Hypervisor software

A

A virtual platform introduces an additional layer for the attention of security analysts; that of the hypervisor. Hypervisor software is subject to patches and security advisories like any other software. Some notable exploits have appeared, and as the use of virtual platforms grows, hypervisors will increasingly be the target of attacks. This becomes even more complex when the network infrastructure—switches and routers—is also virtualized. Where the network infrastructure is implemented in software, it may not be subject to inspection and troubleshooting by system administrators, who would have to rely entirely on the hypervisor developer for security.

As well as securing the hypervisor, you must also treat each VM as you would any other network host. This means using security policies and controls to ensure the confidentiality, integrity, and availability of all data and services relying on host virtualization. A key security vulnerability in a virtual platform is that if the host is compromised, then all of its guest servers have also been compromised. Host availability represents a single point of failure (SPoF). For example, if the CPU on the host crashes, all the installed guest OSes will suddenly go offline. A successful Denial of Service (DoS) attack on a host machine, host OS, or hypervisor will cause far more damage to the server infrastructure than a DoS on a single web server. As an example, the undo disks feature of some hypervisors (allowing the user to revert to the saved image after making changes) can be misused to perform DoS (by causing the undo file to grow to the point where it consumes all the available disk space on the host). These sorts of vulnerabilities can be mitigated by duplicating the guest OS on a redundant physical server that can be used as a fail-over. This is costly, however, and keeping the redundant server up to date and ready to be deployed can be complex.

Each VM needs to be installed with its own security software suite to protect against malware and intrusion attempts. Each guest must also have a patch management process. This might mean installing updates locally or replacing the guest instance from an updated VM template image.

42
Q

VM escaping

A

refers to malware running on a guest OS jumping to another guest or to the host. To do this, the malware must first identify that it is running in a virtual environment, which is usually simple to do. One means of doing so is a timing attack. A timing attack measures differences in how long an operation takes; the classic example is sending multiple usernames to an authentication server and measuring the response times, since an invalid username is usually rejected very quickly while a valid one takes longer (while the server checks the password), allowing the attacker to harvest valid usernames. Applied to VM detection, malware times instructions that force a trap to the hypervisor (CPUID, for instance) using the CPU’s cycle counter; in a VM these take far longer than on real hardware. There are numerous other “signatures” that an attacker could use to detect virtualized system hardware: the hypervisor-present bit and vendor string returned by CPUID, BIOS/DMI vendor and product strings, virtual device and driver names, and network adapter MAC address prefixes registered to virtualization vendors. The next step in VM escaping is for the attacker to compromise the hypervisor. Security researchers have been focusing on this type of exploit and several vulnerabilities have been found in popular hypervisors.
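
The following Python is an added example (not from the original lesson) of the signature-based part of that detection: it checks the CPUID hypervisor flag and vendor string, DMI/BIOS strings, and MAC address prefixes against the identifiers published by the major hypervisor vendors. The two sample fact sets are constructed; collect_linux_facts() gathers the same facts from a live Linux guest. The CPUID timing check is left out because it cannot be measured reliably from Python.

```python
import glob
import re

# Added example: the "signature" checks code inside a guest can use to decide
# whether it is running on a VM. Vendor identifiers are those published by the
# hypervisor vendors; the SAMPLE_* fact sets at the bottom are constructed.

# Vendor string returned by the CPUID hypervisor leaf (0x40000000)
CPUID_HYPERVISOR_IDS = {
    "KVMKVMKVM": "KVM",
    "VMwareVMware": "VMware",
    "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen",
    "VBoxVBoxVBox": "VirtualBox",
}

# Patterns seen in DMI/SMBIOS system vendor and product name fields
DMI_PATTERNS = [
    (re.compile(r"vmware", re.I), "VMware"),
    (re.compile(r"qemu|kvm|bochs", re.I), "QEMU/KVM"),
    (re.compile(r"innotek|virtualbox", re.I), "VirtualBox"),
    (re.compile(r"\bxen\b", re.I), "Xen"),
    (re.compile(r"virtual machine", re.I), "Hyper-V"),
]

# OUI prefixes assigned to virtual NICs
MAC_OUI = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}


def vm_indicators(facts):
    """Return a list of (check, vendor) hits for a dict of host facts.

    facts keys (all optional): cpu_flags (set of str), cpuid_vendor (str),
    dmi_sys_vendor (str), dmi_product (str), mac_addrs (list of str).
    An empty list means no virtualization signature was found.
    """
    hits = []
    if "hypervisor" in facts.get("cpu_flags", set()):
        # CPUID leaf 1, ECX bit 31: "running under a hypervisor"; vendor unknown
        hits.append(("cpuid_hypervisor_bit", "unknown"))
    vendor = CPUID_HYPERVISOR_IDS.get(facts.get("cpuid_vendor", "").strip())
    if vendor:
        hits.append(("cpuid_vendor_leaf", vendor))
    for field in ("dmi_sys_vendor", "dmi_product"):
        value = facts.get(field, "")
        for pattern, name in DMI_PATTERNS:
            if pattern.search(value):
                hits.append((field, name))
                break
    for mac in facts.get("mac_addrs", []):
        oui = mac.lower()[:8]
        if oui in MAC_OUI:
            hits.append(("mac_oui", MAC_OUI[oui]))
    return hits


def collect_linux_facts():
    """Gather the same facts from a live Linux guest (best effort, silent on error)."""
    facts = {"mac_addrs": []}
    try:
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("flags"):
                    facts["cpu_flags"] = set(line.split(":", 1)[1].split())
                    break
    except OSError:
        pass
    for key, path in (("dmi_sys_vendor", "/sys/class/dmi/id/sys_vendor"),
                      ("dmi_product", "/sys/class/dmi/id/product_name")):
        try:
            with open(path) as f:
                facts[key] = f.read().strip()
        except OSError:
            pass
    for path in glob.glob("/sys/class/net/*/address"):
        try:
            with open(path) as f:
                facts["mac_addrs"].append(f.read().strip())
        except OSError:
            pass
    return facts


# Constructed sample facts: what a VMware guest and a physical Dell host report.
SAMPLE_VMWARE_GUEST = {
    "cpu_flags": {"fpu", "sse2", "hypervisor"},
    "cpuid_vendor": "VMwareVMware",
    "dmi_sys_vendor": "VMware, Inc.",
    "dmi_product": "VMware Virtual Platform",
    "mac_addrs": ["00:0c:29:3a:4b:5c"],
}
SAMPLE_BARE_METAL = {
    "cpu_flags": {"fpu", "sse2", "vmx"},  # vmx means it can host VMs, not that it is one
    "cpuid_vendor": "",
    "dmi_sys_vendor": "Dell Inc.",
    "dmi_product": "PowerEdge R740",
    "mac_addrs": ["f4:02:70:aa:bb:cc"],
}

if __name__ == "__main__":
    print("sample guest:", vm_indicators(SAMPLE_VMWARE_GUEST))
    print("sample bare metal:", vm_indicators(SAMPLE_BARE_METAL) or "no VM signatures")
    print("this host:", vm_indicators(collect_linux_facts()) or "no VM signatures")
```

Defenders use the same list in reverse: a sandbox or honeypot that leaks these strings is trivially fingerprinted, so analysis environments commonly patch the DMI fields and MAC prefixes the checks above rely on.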

43
Q

serious implication of VM escaping

A

One serious implication of VM escaping is where virtualization is used for hosted applications. If you have a hosted web server, apart from trusting the hosting provider with your data, you have no idea what other applications might be running in other customers’ VMs. For example, consider a scenario where you have an e-commerce web server installed on a virtual server leased from an ISP. If a third-party installs another guest OS with malware that can subvert the virtual server’s hypervisor, they might be able to gain access to your server or to data held in the memory of the physical server. Having compromised the hypervisor, they could make a copy of your server image and download it to any location. This would allow the attacker to steal any unencrypted data held on the e-commerce server. Even worse, it could conceivably allow them to steal encrypted data, by obtaining the private encryption keys stored on the server or by sniffing unencrypted data or a data encryption key from the physical server’s memory.

It is imperative to monitor security bulletins for the hypervisor software that you operate and to install patches and updates promptly. You should also design the VM architecture carefully so that the placement of VMs running different types of applications with different security requirements does not raise unnecessary risks.

44
Q

VM escape protection

A

Preventing VM escaping is dependent on the virtualization vendor identifying security vulnerabilities in the hypervisor and on these being patched. The impact of VM escaping can be reduced by using effective service design and network placement when deploying VMs.

For example, when considering security zones such as a DMZ, VMs providing frontend and middleware/backend services should be separated to different physical hosts. This reduces the security implications of a VM escaping attack on a host in the DMZ (which will generally be more vulnerable to such attacks).

45
Q

system sprawl and deployment of undocumented assets

A

Although one of the primary benefits of virtualization is the ease of deploying new systems, that same ease leads to system sprawl and the deployment of undocumented assets, which can be the root of security issues. We may see new virtualized systems go up and down from one minute to the next across one or more virtualization farms, developer laptops, and cloud offerings from several vendors. It will often be the case that a system will be brought up for “just a minute” to test something, but languish for months or years, undocumented, unsecured, and unpatched. Each of these undocumented systems could represent an exploitable vulnerability. They increase the potential attack surface of the network. Policies and procedures for tracking, securing, and, when no longer used, destroying virtualized assets should be put in place and carefully enforced.

46
Q

Virtual machine lifecycle management (VMLM)

A

software can be deployed to enforce VM sprawl avoidance. VMLM solutions provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization. More generally, the management procedures for developing and deploying machine images need to be tightly drafted and monitored. VMs should conform to an application-specific template with the minimum configuration needed to run that application (that is, not running unnecessary services). Images should not be run in any sort of environment where they could be infected by malware or have any sort of malicious code inserted. One of the biggest concerns here is of rogue developers or contractors installing backdoors or “logic bombs” within a machine image. The problem of criminal or disgruntled staff is obviously one that affects any sort of security environment, but concealing code within VM machine images is a bit easier to accomplish and has the potential to be much more destructive.
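
As an added example (not part of the original lesson), the following Python reconciles an asset inventory against the VMs actually discovered on each platform and reports the undocumented, expired, drifted and missing systems described in the previous two cards. Inventory and discovery records, platform names and template names are all constructed for the example; a real run would pull them from the CMDB and from each platform’s management API.

```python
from datetime import datetime, timedelta, timezone

# Added example: reconcile what the inventory says should exist against the VMs
# actually running across virtualization farms, developer laptops and cloud
# accounts. All records below are constructed; nothing here talks to a real
# hypervisor or cloud API.

UNDOCUMENTED_GRACE = timedelta(days=7)  # a test box may exist briefly; beyond this it is stale


def reconcile(inventory, discovered, now):
    """Compare documented assets with what is actually running.

    inventory:  {vm_id: {"owner": str, "expires": datetime or None, "template": str}}
    discovered: list of {"id": str, "platform": str, "created": datetime, "template": str}
    Returns a sorted list of (vm_id, platform, finding) tuples. Findings:
      undocumented        running, not in inventory, younger than the grace period
      undocumented-stale  running, not in inventory, older than the grace period
      expired             documented, but past its agreed decommission date
      template-drift      running from a different image than the inventory records
      missing             documented as running but not found on any platform
    """
    findings = []
    seen = set()
    for vm in discovered:
        seen.add(vm["id"])
        record = inventory.get(vm["id"])
        if record is None:
            age = now - vm["created"]
            kind = "undocumented-stale" if age > UNDOCUMENTED_GRACE else "undocumented"
            findings.append((vm["id"], vm["platform"], kind))
            continue
        if record.get("expires") is not None and record["expires"] < now:
            findings.append((vm["id"], vm["platform"], "expired"))
        if record.get("template") and vm.get("template") != record["template"]:
            findings.append((vm["id"], vm["platform"], "template-drift"))
    for vm_id in sorted(set(inventory) - seen):
        findings.append((vm_id, "", "missing"))
    return sorted(findings)


# Constructed sample data. NOW is fixed so the example is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_INVENTORY = {
    "web-01":  {"owner": "ecommerce", "expires": None, "template": "web-2024.03"},
    "db-01":   {"owner": "ecommerce", "expires": None, "template": "db-2024.03"},
    "pilot-7": {"owner": "marketing",
                "expires": datetime(2024, 1, 31, tzinfo=timezone.utc),
                "template": "web-2023.11"},
    "batch-2": {"owner": "finance", "expires": None, "template": "batch-2024.01"},
}

SAMPLE_DISCOVERED = [
    {"id": "web-01", "platform": "esxi-farm-a", "created": NOW - timedelta(days=60),
     "template": "web-2024.03"},
    {"id": "db-01", "platform": "esxi-farm-a", "created": NOW - timedelta(days=60),
     "template": "db-2023.11"},                       # never rebuilt from the current image
    {"id": "pilot-7", "platform": "aws-eu-west-1", "created": NOW - timedelta(days=200),
     "template": "web-2023.11"},                      # should have been destroyed in January
    {"id": "test-quick", "platform": "dev-laptop-jsmith", "created": NOW - timedelta(days=120),
     "template": "ubuntu-base"},                      # "just a minute", four months ago
    {"id": "demo-new", "platform": "azure-prod", "created": NOW - timedelta(hours=3),
     "template": "web-2024.03"},                      # new, still inside the grace period
]


def run_sample():
    return reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERED, NOW)


if __name__ == "__main__":
    for vm_id, platform, finding in run_sample():
        print(f"{finding:20} {vm_id:12} {platform}")
```

Run on a schedule, the "undocumented-stale" and "expired" rows are the ones to feed into the destruction procedure, and "template-drift" is the signal that a VM has been patched by hand (or not at all) instead of being replaced from the current image.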

47
Q

cloud computing

A

a service that provides on-demand resources—server instances, data storage, databases, or applications—over a network, typically the Internet. The service is a “cloud” because the end user is not aware of or responsible for any details of the procurement, implementation, or management of the infrastructure that underpins those resources. The end user is only interested and pays for the services provided by the cloud.

48
Q

rapid elasticity

A

Among other benefits, the cloud provides rapid elasticity. This means that the cloud can scale quickly to meet peak demand. For example, a company may operate a single web server instance for most of the year but provision additional instances for the busy Christmas period and then release them again in the New Year. This example also illustrates the principles of on-demand and pay-per-use; key features of a cloud service (as opposed to a hosted service). On-demand implies that the customer can initiate service requests and that the cloud provider can respond to them immediately. Pay-per-use implies a measured service, so that the customer is paying for the CPU, memory, disk, and network bandwidth resources they are actually consuming rather than paying a monthly fee for a particular service level.

49
Q

resource pooling and virtualization

A

From the provider point-of-view, provisioning a cloud is quite similar to provisioning any other type of large-scale data center. Cloud computing almost always uses one or more methods of virtualization to ensure that resources are quickly and easily provisioned to the client who requires them. The security implications of virtualization are therefore closely tied to the security implications of the cloud. In order to respond quickly to changing customer demands, cloud providers must be able to provision resources quickly. This is achieved through resource pooling and virtualization. Resource pooling means that the hardware making up the cloud provider’s data center is not dedicated or reserved to a particular customer account. The layers of virtualization used in the cloud architecture allow the provider to provision more CPU, memory, disk, or network resource using management software, rather than (for instance) having to go to the data center floor, unplug a server, add a memory module, and reboot.

50
Q

In most cases, the “cloud” (that is, the hardware and/or software hosting the service) will be offsite relative to the organization’s users, who will require an Internet link to access the cloud services. There can be different ownership and access arrangements for clouds, which can be broadly categorized as follows:

A
  • Public (or multi-tenant)—hosted by a third party and shared with other subscribers. This is what many people understand by “cloud computing.” As a shared resource, there are risks regarding performance and security.
  • Hosted Private—hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance but is correspondingly more expensive.
  • Private—cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations.

This type of cloud could be on-premise or offsite relative to the other business units. An onsite link can obviously deliver better performance and is less likely to be subject to outages (loss of an Internet link, for instance). On the other hand, a dedicated offsite facility may provide better shared access for multiple users in different locations.

• Community—this is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

There will also be cloud computing solutions that implement some sort of hybrid public/private/community/hosted/onsite/offsite solution. For example, a travel organization may run a sales website for most of the year using a private cloud but break out the solution to a public cloud at times when much higher utilization is forecast.

Flexibility is a key advantage of cloud computing, but the implications for data risk must be well understood when moving data between private and public storage environments.

51
Q

Something as a Service (*aaS)

A

As well as the ownership model (public, private, hybrid, or community), cloud services are often differentiated on the level of complexity and pre-configuration provided. These models are referred to as Something as a Service (*aaS), where the something can refer to infrastructure, platform, or software.

52
Q

Infrastructure as a Service (IaaS)

A

a means of provisioning IT resources such as servers, load balancers, and Storage Area Network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them on an as-needed basis from the service provider’s data center. Examples include Amazon Elastic Compute Cloud (https://aws.amazon.com/ec2), Microsoft Azure® Virtual Machines (https://azure.microsoft.com/services/virtual-machines), and OpenStack® (https://www.openstack.org), which is open source software for building IaaS clouds rather than a hosted service.

53
Q

Software as a Service (SaaS)

A

a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier’s servers on a pay-as-you-go or lease arrangement (on-demand). Virtual infrastructure allows developers to provision on-demand applications much more quickly than previously. The applications can be developed and tested in the cloud without the need to test and deploy on client computers. Examples include Microsoft Office 365® (https://support.office.com), Salesforce® (https://www.salesforce.com), and Google G Suite™ (https://gsuite.google.com).

54
Q

Platform as a Service (PaaS)

A

provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle® or MS SQL or PHP and MySQL™. Examples include Oracle Database (https://cloud.oracle.com/paas), Microsoft Azure SQL Database (https://azure.microsoft.com/services/sql-database), and Google App Engine (https://cloud.google.com/appengine).

As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e‑commerce application) that runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you would be responsible for the security of the application you created on the platform.

55
Q

Cloud storage

A

a particular type of Software as a Service where the vendor provides reliable data storage and backup. Many cloud storage solutions are combined with content management tools with document permission, version history, and collaborative editing features.

56
Q

The breadth of technologies requiring specialist security knowledge and configuration makes it likely that companies will need to depend on third-party support at some point. You can classify such support in three general “tiers”:

A
  • Consultants—the experience and perspective of an outsider can be hugely useful in improving security awareness and capabilities in any type of organization (small to large). Consultants could be used for “big picture” framework analysis and alignment or for more specific or product-focused projects (pen testing, SIEM rollout, and so on). It is also fairly simple to control costs when using consultants if they are used to develop capabilities rather than implement them. Where consultants come to “own” the security function, it can be difficult to change or sever the relationship.
  • Managed Security Services Provider (MSSP)—a means of fully outsourcing responsibility for information assurance to a third party. This type of solution is expensive but can be a good fit for an SME that has experienced rapid growth and has no in-house security capability. Of course, this type of outsourcing places a huge amount of trust in the MSSP. Maintaining effective oversight of the MSSP requires a good degree of internal security awareness and expertise. There could also be significant challenges in industries exposed to high degrees of regulation in terms of information processing.
  • Security as a Service (SECaaS)—can mean lots of different things, but is typically distinguished from an MSSP as being a means of implementing a particular security control, such as virus scanning or SIEM-like functionality, in the “cloud.” Typically, there would be a connector to the cloud service installed locally. For example, an anti-virus agent would scan files locally but be managed and updated from the cloud provider; similarly, a log collector would submit events to the cloud service for aggregation and correlation. Examples include Cloudflare® (https://www.cloudflare.com/saas), FireEye® (https://www.fireeye.com/solutions/managed-defense.html), and SonicWall (https://www.sonicwall.com/solutions/service-provider/security-as-a-service).

Note: It’s not usually easy (or particularly useful) to distinguish between managed/ hosted services and genuinely cloud-based offerings.

SECaaS can also be taken to mean providing security systems for cloud-based applications, such as Software as a Service (SaaS CRM, for instance) or Platform as a Service (PaaS).

57
Q

Service Level Agreement (SLA)

A

As with any contracted service, cloud computing is a means of transferring risk. As such, it is imperative to identify precisely which risks you are transferring; to identify which responsibilities the service provider is undertaking, and which remain with you. This should be set out in a Service Level Agreement (SLA).

For example, in an SaaS solution, the provider may be responsible for the confidentiality, integrity, and availability of the software. They would be responsible for configuring a fault tolerant, clustered server service; for firewalling the servers and creating proper authentication, authorization, and accounting procedures; for scanning for intrusions and monitoring network logs, applying OS and software patches, and so on. You might or might not be responsible for some or all of the software management functions, though—ensuring that administrators and users practice good password management, configuring system privileges, making backups of data, and so on.

Where critical tasks are the responsibility of the service provider, you should try to ensure that there is a reporting mechanism to show that these tasks are being completed, that their disaster recovery plans are effective, and so on.

Another proviso is that your company is likely to still be directly liable for serious security breaches; if customer data is stolen, for instance, or if your hosted website is hacked and used to distribute malware. The legal and regulatory “buck” still stops with you; you might be able to sue the service provider for damages, but your company would still be the point of investigation. You may also need to consider the legal implications of using a cloud provider if its servers are located in a different country.

You must also consider the risk of insider threat, where the insiders are administrators working for the service provider. Without effective security mechanisms such as separation of duties and M of N control, it is highly likely that they would be able to gain privileged access to your data. Consequently, the service provider must be able to demonstrate to your satisfaction that they are prevented from doing so. There is also the risk described earlier that your data is in proximity to other, unknown virtual servers and that some sort of attack could be launched on your data from another virtual server.

As with any contracted service, with any *aaS solution, you place a large amount of trust in the service provider. The more important the service is to your business, the more risk you are investing in that trust relationship.

58
Q

cloud access security broker (CASB)

A

enterprise management software designed to mediate access to cloud services by users across all types of devices. CASB vendors include Blue Coat, now owned by Symantec (https://www.symantec.com/products/cloud-application-security-cloudsoc) and Skyhigh Networks, now owned by McAfee (https://www.skyhighnetworks.com).

59
Q

Some of the functions of a CASB are:

A
  • Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider.
  • Scan for malware and rogue or non-compliant device access.
  • Monitor and audit user and resource activity.
  • Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

60
Q

The interface between the CASB software, the cloud service, and users/devices can be created in several ways:

A
  • Proxy—each client must be configured to contact the cloud service via a CASB proxy. The problems with this approach are that not all cloud applications have proxy support and users may be able to evade the proxy and connect directly.
  • API—the CASB software uses the cloud provider’s Application Programming Interface (API). This depends on the API supporting the range of functions that the CASB and access and authorization policies demand.

61
Q

Follow these guidelines when securing virtualized and cloud-based resources:

A
  • Consider using virtualization in your organization for easier management and efficiency of resources.
  • Recognize the differences between the virtualization types and identify which are more suitable to your needs.
  • Ensure that VM software as well as host and guest operating systems are patched regularly.
  • Enforce the principle of least privilege for access to VMs.
  • Ensure VMs are logging critical events.
  • Configure virtual networking devices to support isolated communications wherever necessary.
  • Take snapshots of optimal VM states.
  • Incorporate VM lifecycle management solutions.
  • Familiarize yourself with the different cloud deployment models and service types.
  • Consider taking advantage of SECaaS to offload some security operations to a third-party provider.