Security/Network Basics (Ch. 1,2) Flashcards
CIA triad
_ confidentiality
_ integrity
_ availability
User identification
_ Claiming an identity prior to authentication
Integrity
_ Ensures data has not changed.
_ Can use hashes to verify integrity (a keyed MAC if an attacker could recompute the hash)
Redundancy
_ Provides fault tolerance
SPOF
_ Single point of failure
_ If it fails, the entire system “can” fail
Scalability vs. elasticity
Scalability:
_ long-term strategy for being able to scale
_ done manually
Elasticity:
_ ability to dynamically scale up or out as needed
_ scales back down when not needed
TCO
_ total cost of ownership
resiliency
_ ability to self-heal or recover from faults with minimal downtime
_ e.g. performing and testing backups
_ e.g. UPS or generators
_ e.g. NIC teaming
_ e.g. redundant disk subsystems
_ e.g. retrying failed processes
Space needed for encryption
_ typically about a 40% increase
risk
_ the possibility or likelihood of a threat exploiting a vulnerability and resulting in a loss
threat
_ a circumstance or event that has the potential to compromise confidentiality, integrity, or availability
_ can be natural or man-made
_ can be intentional or accidental
Risk mitigation
_ reducing the chances that a threat will exploit a vulnerability
Categories of security controls
_ managerial controls
_ operational controls
_ technical controls
_ (classification alternative to “control types”)
Managerial controls
_ administrative controls
_ document policy
_ regular reviews, such as risk assessments and vulnerability assessments
Operational controls
_ ensure day-to-day ops comply with security plan
_ primarily implemented by people rather than systems
_ e.g. awareness and training
_ e.g. configuration management (such as secure baselines and change management)
_ e.g. media protection
_ e.g. physical and environmental protection
Technical controls
_ technological controls, whether software or hardware
Control types
_ preventative
_ detective
_ corrective
_ deterrent
_ compensating
_ physical
_ (classification alternative to “control categories”)
Preventative controls
_ hardening (making more secure than default config, using defense-in-depth)
_ training
_ security guards
_ change management (a change process helps catch configuration problems before they occur)
_ account disablement policy
_ intrusion prevention system (IPS)
_ and others (not listed)
SEM
_ security event management
_ real-time monitoring and analysis of security events
SIM
_ security information management
_ long-term storage of security data
_ used for analyzing trends and creating reports
SIEM
_ security information and event management system
_ collects, analyzes, manages data from multiple sources
_ detects trends
_ raises alerts
_ combines SEM and SIM functions
IDS
_ intrusion detection system
_ monitors network and sends alerts
_ usually out-of-band with traffic (tap or mirror port), so it cannot block packets inline
_ an active IDS may still respond by modifying ACLs, terminating processes, or redirecting traffic; inline blocking is the job of an IPS
Detective controls
_ detect an event or attack after it has occurred (or while it is in progress)
_ log monitoring
_ SIEM systems
_ security audit of organization
_ video surveillance
_ motion detection
_ intrusion detection system (IDS)
_ and others (not listed)
Corrective and recovery controls
_ backups and system recovery
_ incident handling process
Deterrent controls
_ discourage hackers from attacking or employees from violating security policies
_ often also preventative
_ e.g. cable locks (for laptops)
_ e.g. physical locks
TOTP
_ time-based one-time password
_ example of a compensating control
Compensating controls
_ controls that are alternatives to the primary control
_ usually for handling special situations
_ e.g. TOTP access until user receives a security card
Response controls
_ aka incident response controls
_ prepare for security incidents
_ respond to security incidents
Network discovery
_ devices on a network discovering other devices on the same network
Network reconnaissance
_ acquiring details about a network and its devices
ICMP
_ Internet Control Message Protocol
_ often used in DoS attacks
_ used by ping
ping (e.g. count)
_ sends an ICMP echo request packet
_ can limit counts on Linux with “-c count”
_ can loop pings on Windows with “-t”
_ firewall may block
hping
_ packet-crafting tool (hping3), mainly for Linux/Unix
_ sends custom TCP, UDP, ICMP, and raw IP packets, so it can probe hosts whose firewall drops ICMP echo
NIC
_ network interface card
_ wired or wireless
ifconfig
Often first step in troubleshooting network problems. Shows per-NIC config:
_ IP address
_ subnet mask
_ MAC address
_ (default gateway comes from "route -n" or "ip route"; DNS servers from /etc/resolv.conf)
_ deprecated in favor of "ip", but still useful
_ ipconfig on Windows ("ipconfig /all" also shows default gateway, DNS servers, and MAC address)
Use ifconfig to get basic network info
_ ifconfig
Use ifconfig to show TCP/IP config for each NIC, including interfaces that are down
_ ifconfig -a
Show local DNS cache (Windows)
_ ipconfig /displaydns
Flush the local DNS cache (Windows; "resolvectl flush-caches" on Linux with systemd-resolved)
_ ipconfig /flushdns
Ip command
_ replaces the deprecated ifconfig and is more functional (links, addresses, routes, neighbors)
_ show details on interfaces: ip link show
_ enable a network interface: ip link set eth0 up
_ show stats on network interface: ip -s link
_ show IP addresses: ip addr show
_ show routing table and default gateway: ip route
netstat
_ shows TCP/IP stats
_ shows active TCP/IP connections
_ switches can be combined (e.g. netstat -an)
_ ss is the modern Linux replacement (e.g. ss -tulpn for listening ports with owning processes)
Display list of all open connections
_ netstat
Display list of all TCP and UDP ports being listened to, plus display all open connections
_ netstat -a
Display network statistics details, including bytes sent/received
_ netstat -e (Windows); on Linux use netstat -s (per protocol) or netstat -i (per interface)
traceroute
_ lists all routers between two systems (each is a hop)
_ provides IP, hostname, and round-trip times (RTTs)
_ useful for identifying faulty routers (e.g. where traffic stops)
_ often used after ping fails to reach an IP
_ can find an unauthorized router monitoring packets
_ on windows: tracert
ARP
_ Address Resolution Protocol
_ resolves IPv4 addresses to MAC addresses
_ caches resolved mappings
_ used on every link: to learn the next-hop router's MAC, and the destination host's MAC once the packet reaches the destination subnet
arp
_ command to show/manipulate the ARP cache
_ can be used to find MAC addresses of other systems on local network (after getting their IPs)
Show the entire ARP cache
_ arp
Show the ARP cache for a single IP address
_ arp -a 192.168.1.1
logger command
_ adds an entry to the system log via syslog (e.g. /var/log/syslog on Debian/Ubuntu, /var/log/messages on Red Hat); "-p facility.level" sets the priority, e.g. logger -p auth.warning "message"
Linux permission groups
_ 1st: owner
_ 2nd: owner’s group
_ 3rd: everyone else
Give owner’s group only write permission to a file
_ chmod g=w filename
Remove owner’s execute permission from file
_ chmod u-x filename
Add read permission to file for others (everyone who is neither owner nor in the owner's group)
_ chmod o+r filename
Add read permission to file for all three classes
_ chmod a+r filename
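The chmod cards above show one symbolic change each. The following added example (not from the flashcards) applies a full symbolic spec such as "g=w", "u-x", "o+r", "a+r" or "ug+rw,o-rwx" to a numeric mode and renders the result in ls -l style, which makes the difference between "o" (others) and "a" (all) and between "=" (set exactly) and "+" (add) visible. It handles only the rwx bits of the three classes; setuid/setgid/sticky and the umask-aware default of a bare "+r" are deliberately left out (assumption: "a" is used when no class is given).

```python
import stat

# Permission bit per class (u/g/o) and permission letter (r/w/x), from the stat module.
WHO_BITS = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod-style symbolic spec ('g=w', 'u-x', 'o+r', 'a+r', 'ug+rw,o-rwx')
    to a permission mode and return the new mode. Only r/w/x for u/g/o/a are handled;
    a clause with no class letters is treated as 'a' (simplification: real chmod
    also honours the umask in that case)."""
    for clause in spec.split(","):
        i = 0
        who = ""
        while i < len(clause) and clause[i] in "ugoa":
            who += clause[i]
            i += 1
        if not who:
            who = "a"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op = clause[i]
        perms = clause[i + 1:]
        if any(p not in "rwx" for p in perms):
            raise ValueError(f"unsupported permission letters in {clause!r}")
        classes = "ugo" if "a" in who else who
        for cls in classes:
            table = WHO_BITS[cls]
            class_mask = table["r"] | table["w"] | table["x"]
            bits = 0
            for p in perms:
                bits |= table[p]
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:  # '=': clear this class's rwx bits, then set exactly the requested ones
                mode = (mode & ~class_mask) | bits
    return mode


def render(mode: int) -> str:
    """Render the nine permission bits the way ls -l does, e.g. 0o644 -> 'rw-r--r--'."""
    out = ""
    for cls in "ugo":
        for p in "rwx":
            out += p if mode & WHO_BITS[cls][p] else "-"
    return out


if __name__ == "__main__":
    for start, spec in [(0o644, "g=w"), (0o755, "u-x"), (0o640, "o+r"), (0o600, "a+r")]:
        new = apply_symbolic(start, spec)
        print(f"{render(start)}  chmod {spec:<6}  ->  {render(new)}  ({oct(new)})")
```

Note that "g=w" removes the group's read bit as well as adding write, which is what "only write permission" means on the card; "g+w" would have kept it.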
Windows logs
_ security log (audit and access)
_ system log
_ app log
Network logs
_ found on a variety of devices
UBA
_ user behavior analysis
NTP
_ network time protocol
_ for syncing time across a network
SIEM capabilities
_ log collection - keeps logs in a searchable DB
_ log aggregation - storing varying log data in same format
_ correlation - looks for patterns, raises alerts
_ reporting
_ packet capture
_ user behavior analysis (UBA)
_ sentiment analysis - detects unwanted behavior
_ security monitoring - predefined alerts
_ automated triggers - actions to perform after detecting a predetermined number of repeated events
_ time sync across servers providing source data using NTP (or converting time to a common format)
_ event deduplication - same data only stored once
_ WORM logs - write-once read-many log archiving
Elements of a SIEM dashboard
_ sensor logs
_ alerts
_ sensitivity levels
_ correlation
_ trends
Syslog protocol
_ specifies a general entry format
_ specifies a protocol for transporting log entries
_ can collect log entries from many devices (like SIEM)
_ syslogd collects syslog messages on Linux
_ routing of entries (which facility.severity goes to which file or remote host) is configured in /etc/syslog.conf (rsyslog: /etc/rsyslog.conf)
_ logs under /var/log/ (e.g. /var/log/syslog)
_ traditionally UDP port 514; TCP (port 514, or 6514 with TLS) is now used for reliable and encrypted transport
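Every syslog message starts with a PRI value, PRI = facility * 8 + severity, which is what syslog.conf rules and the "logger -p facility.level" flag on the logger card operate on. The following added example (not part of the flashcards) decodes that header and filters messages by minimum severity the way a collector or SIEM rule would. The two sample lines are constructed in the RFC 3164 and RFC 5424 styles; the names for facilities 12 to 15 vary between implementations and are an assumption here.

```python
import re

# Facility codes 0..23 (RFC 5424 table); names for 12..15 differ between implementations.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0..7: lower number = more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility: str, severity: str) -> int:
    """Compute the PRI value that 'logger -p facility.severity' would emit."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_pri(line: str) -> dict:
    """Split '<PRI>rest' into facility/severity names plus the remaining text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    value = int(m.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {value}")
    facility, severity = divmod(value, 8)
    return {
        "pri": value,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "msg": m.group(2),
    }


def at_least(line: str, severity: str) -> bool:
    """True when the message is at least as severe as `severity` (e.g. 'warning' includes err/crit/...)."""
    return SEVERITIES.index(parse_pri(line)["severity"]) <= SEVERITIES.index(severity)


# Constructed samples: RFC 3164 (BSD) style and RFC 5424 style. Not captured traffic.
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - application event",
]


def filter_severity(lines, min_severity: str):
    """Keep only messages at or above min_severity, as a collector rule would."""
    return [parse_pri(l) for l in lines if at_least(l, min_severity)]


if __name__ == "__main__":
    for line in SAMPLES:
        p = parse_pri(line)
        print(f"PRI={p['pri']:>3}  {p['facility']}.{p['severity']:<8} {p['msg'][:40]}")
    print("auth.crit ->", pri("auth", "crit"))
```

A rule such as "*.warning /var/log/warn" in syslog.conf is exactly filter_severity(lines, "warning"): the 34 in the first sample is auth (4 * 8) plus crit (2), so it matches, while the 165 in the second is local4 (20 * 8) plus notice (5), so it does not.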
Linux logs
_ in /var/log/
_ /var/log/auth.log - user login attempts (debian/ubuntu)
_ /var/log/secure - user login attempts (red hat/centos)
_ /var/log/syslog - general system messages (debian/ubuntu)
_ /var/log/messages - general system messages (red hat/centos)
U.S. DHS password recommendations
_ hash all passwords
_ require MFA
_ don’t require mandatory password resets
_ require passwords to be 8+ chars
_ prevent use of common passwords
_ tell users not to share passwords across sites
_ allow all special chars but don’t require any
Password history
_ prevents users from reusing old passwords
Four authentication factors
_ Something you know (password, PIN)
_ Something you have (smart card, hard or soft token, phone)
_ Something you are (biometrics)
_ Somewhere you are (location, e.g. from IP address or GPS)
KBA
_ knowledge-based authentication
_ static KBA
_ dynamic KBA
Static KBA
_ static knowledge-based authentication
_ authentication information that doesn’t change
_ e.g. personal security questions
Dynamic KBA
_ authenticates individuals not already having an account
_ retrieves from other sources information that only the individual should know, verifies that
_ time limit answering questions to reduce risk of someone looking them up on the Internet
Smart card
_ card with a microchip and an embedded certificate
_ the certificate holds the user's public key; the matching private key is stored on the chip and never leaves it
_ requires PKI (public key infrastructure)
Hard token
_ aka hardware token
_ device with a one-time password (OTP)
_ password (usually a number) changes over time
Soft token
_ aka software token
_ app running on smartphone generating the OTP
_ e.g. Google Authenticator
HOTP
_ HMAC-based One-Time-Password
_ token and server apply an algorithm to a shared secret key
_ each time the token is used, both sides increment the counter and derive the next code
_ device usually has a button for displaying the token
TOTP
_ Time-based One-Time Password
_ select token as a function of the time
Retina vs iris scanners
_ Retinal scanners identify the pattern of blood vessels at the back of the eye; the eye must be placed against the scanner's eyepiece
_ Iris scanners use infrared to capture the unique pattern of the iris around the pupil; no physical contact required
Strongest authentication factor
_ biometrics (“something you are”)
_ aka “third factor”
_ retina and iris scans are strongest
Four biometric acceptance possibilities
_ false acceptance (incorrectly identifies unknown user as known)
_ false rejection (incorrectly rejects a known user)
_ true acceptance
_ true rejection
FAR and FRR
_ false acceptance rate
_ false rejection rate
CER
_ crossover error rate
_ point at which FAR equals FRR as the system's sensitivity (matching threshold) is adjusted; on a graph it is where the two curves cross
_ low CER indicates greater accuracy
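The FAR/FRR/CER cards give the definitions; what they do not show is how the two rates move in opposite directions as the threshold changes, and how the crossover is found. The following added example (not from the flashcards) computes FAR and FRR from a constructed set of match scores, sweeps the threshold, and locates the CER. The genuine and impostor scores are made up for illustration, not measurements from any real sensor.

```python
# Constructed similarity scores (0..1, higher = better match). Genuine = a known user
# compared with their own template; impostor = an unknown person compared with it.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.71, 0.66, 0.60]
IMPOSTOR = [0.62, 0.58, 0.55, 0.52, 0.50, 0.47, 0.45, 0.40, 0.35, 0.30]


def error_rates(genuine, impostor, threshold):
    """Accept a sample iff its score >= threshold.
    FAR = fraction of impostors accepted (false acceptance, the security failure).
    FRR = fraction of genuine users rejected (false rejection, the usability failure)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """FAR and FRR at every threshold that can change a decision (each observed score)."""
    rows = []
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        rows.append((t, far, frr))
    return rows


def crossover(genuine, impostor):
    """Return (threshold, CER): the threshold where FAR and FRR are closest, and their mean there.
    With real data the curves are interpolated; here the sample thresholds are enough."""
    best = None
    for t, far, frr in sweep(genuine, impostor):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"{t:9.2f}  {far:4.2f}  {frr:4.2f}")
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: CER = {cer}")
```

Raising the threshold (more sensitive) drives FAR toward zero and FRR up; lowering it does the reverse. A vendor's CER figure is therefore only comparable between systems, and an operator who cares more about security than convenience will normally run above the crossover point.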
2FA combos
_ something you have and something you know
_ something you know and something you are
_ (something you have and something you are is also valid; any two different classes count)
_ (two factors from the same class, e.g. a password plus a PIN, are not 2FA)
_ (“something you have” often verified by push notification to smartphone)
Account types and their credential policies
_ personnel or end-user accounts
_ admin and root accounts
_ service accounts (account under which a service runs; credentials are often set not to expire, so they need stronger protection and monitoring)
_ device accounts
_ third-party accounts (used by external entities)
_ guest accounts
_ shared and generic account/credentials (when user varies)
PAM
_ privileged access management
_ can be just-in-time permissions (given as needed, usually auto-revoked after a period of time)
_ can be temporal accounts (temporary grants)
_ often used for admin or root accounts
_ prevents exposure of a root password
PAM capabilities
_ allow users access to privileged account without giving them the password
_ automatically change privileged account passwords periodically
_ limit time users can use the privileged account
_ allow users to check out credentials
_ log all access of credentials
deprovisioning
_ process of disabling a user account
attestation
_ formal process of reviewing user permissions
SSO
_ single-sign on
_ login once to access multiple systems
_ increases security because user need only remember one password, reducing likelihood they write it down
_ may generate a unique secure token per sign-in
_ often backed by a central directory such as LDAP or Active Directory
Federated system
_ aka federated identity management system
_ provides central authentication in a non-homogeneous environment
_ associates varied credentials with a single identity
_ single sign-on across disparate servers
SAML
_ security assertion markup language
_ provides federated identity management across different websites
_ e.g. a frontend provides auth before redirecting user to a backend system without requiring re-auth
_ does not provide authorization, but may support transfer of authorization info between systems
SAML roles
_ principal - typical user
_ identity provider (IdP) - maintains the auth system
_ service provider - provides services to the user
OAuth
_ open standard for authorization (not authentication)
Authorization models
_ role-based access control
_ rule-based access control
_ discretionary access control (DAC)
_ mandatory access control (MAC)
_ attribute-based access control (ABAC)
Role-BAC
_ role-based access control
_ aka group-based access control
_ can be hierarchy-based, mimicking the hierarchy of the org
_ can be job/task/function-based
_ assigns permissions to groups (windows calls roles “security groups”)
Rule-BAC
_ rule-based access control
_ usually in routers and firewalls in ACLs, defining what traffic is allowed into the network
_ intrusion detection/prevention systems can use dynamic rules to detect (and, for an IPS, block) attacks
_ some rules trigger in response to an event
DAC
_ discretionary access control
_ owners of objects have full control over the permissions on their objects and decide who else may access them
_ Windows (e.g. NTFS) and most Unix-based systems use DAC (Windows via discretionary access control lists, DACLs)
ACE
_ access control entry in an ACL
NTFS
_ Microsoft’s New Technology File System
_ permissions: write, read, read/execute, modify, full-control
SID
_ security identifier on Windows
_ used in DACLs
MAC (authorization)
_ mandatory access control
_ assigns labels to both subjects and objects
_ objects are organized into compartments
_ labels define security levels and designate compartments
_ a subject can access an object when the subject's level is >= the object's level and the subject holds every compartment label the object carries
_ also enforces need-to-know
_ government classification access
SELinux
_ security-enhanced Linux
_ uses MAC
MAC (networks)
_ media access control
_ assigns physical/hardware addresses to NICs
MAC (authentication)
_ message authentication code
_ provides integrity akin to a hash
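The Integrity card near the top says hashes verify integrity, and the card above says a MAC provides integrity "akin to a hash". The difference matters in practice: a plain hash stored next to the data detects accidental change, but an attacker who can alter the data can just recompute the hash; a keyed MAC cannot be forged without the key. The following added example (not from the flashcards) shows both checks side by side, with a constructed message and a random key as the only assumptions.

```python
import hashlib
import hmac
import os


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can compute it for any data."""
    return hashlib.sha256(data).hexdigest()


def hash_intact(data: bytes, stored_digest: str) -> bool:
    """Integrity check with a plain hash (constant-time compare to avoid timing leaks)."""
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag for `data`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_intact(key: bytes, data: bytes, stored_tag: str) -> bool:
    """Integrity + origin check with a keyed MAC."""
    return hmac.compare_digest(mac_tag(key, data), stored_tag)


def demo() -> dict:
    """Walk through tampering with and without a key; every value returned should be True."""
    key = os.urandom(32)                      # assumption: shared secret held by sender and verifier
    original = b"amount=100&to=alice"         # constructed message
    tampered = b"amount=9000&to=mallory"

    digest = sha256_digest(original)          # what an unkeyed integrity scheme would store
    tag = mac_tag(key, original)              # what a keyed scheme would store

    # The attacker changes the data and, having no key to worry about, recomputes the hash.
    forged_digest = sha256_digest(tampered)
    # Without the key the best they can do for the MAC is guess.
    forged_tag = mac_tag(b"attacker's guess", tampered)

    return {
        "hash_detects_change": not hash_intact(tampered, digest),
        "hash_forgeable": hash_intact(tampered, forged_digest),
        "mac_detects_change": not mac_intact(key, tampered, tag),
        "mac_not_forgeable_without_key": not mac_intact(key, tampered, forged_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32} {ok}")
```

The "hash_forgeable" line is the point of the card: a hash only protects integrity when the attacker cannot also replace the stored hash (e.g. a checksum published over a separate trusted channel); otherwise use a MAC or a digital signature.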
SDN
_ software defined network
_ network in which a software controller (control plane) programs the switches and routers (data plane), rather than each device deciding forwarding on its own
ABAC
_ attribute-based access control
_ bases access on attributes of the user, the resource, or the environment
_ rules for access control are called “policies”
_ policies state subject, object, action (what user wants to do), and environment (context of request)
_ commonly used in SDNs
_ can enforce DAC or MAC schemes
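The MAC (authorization) card gives the label-dominance rule and the ABAC card says policies are stated over subject, object, action and environment and can express DAC or MAC. The following added example (not from the flashcards) is a small ABAC policy engine in which one policy is exactly the MAC rule (level and compartments), one is a DAC-style owner rule, and one is an environmental rule; a deny-overrides combiner then makes MAC win over ownership, which is the behaviour the card describes. The level names, the compartment set, the business-hours rule and the sample subjects and objects are all constructed for illustration.

```python
from dataclasses import dataclass

# Ordered classification levels (assumed names); higher number = more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a level plus the set of compartments (need-to-know categories)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Subject label >= object label AND subject holds every compartment of the object."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


# Each policy returns True (permit), False (deny) or None (not applicable to this request).
def mac_read_policy(subject, obj, action, env):
    """Mandatory access control for reads, expressed as an attribute rule."""
    if action != "read":
        return None
    return subject["label"].dominates(obj["label"])


def owner_policy(subject, obj, action, env):
    """DAC-style rule: the owner of an object may do anything with it."""
    return True if subject["id"] == obj.get("owner") else None


def business_hours_policy(subject, obj, action, env):
    """Environmental rule (assumed): restricted objects only from the corporate network, 08-18h."""
    if obj.get("sensitivity") != "restricted":
        return None
    return 8 <= env["hour"] < 18 and env["network"] == "corp"


POLICIES = [mac_read_policy, owner_policy, business_hours_policy]


def authorize(policies, subject, obj, action, env) -> bool:
    """Deny-overrides combining: any applicable policy that denies wins, otherwise
    every applicable policy must permit. With no applicable policy the default is deny."""
    decisions = [p(subject, obj, action, env) for p in policies]
    applicable = [d for d in decisions if d is not None]
    return bool(applicable) and all(applicable)


if __name__ == "__main__":
    alice = {"id": "alice", "label": Label("secret", frozenset({"crypto"}))}
    carol = {"id": "carol", "label": Label("unclassified")}
    doc = {"id": "doc1", "owner": "carol", "sensitivity": "restricted",
           "label": Label("secret", frozenset({"crypto"}))}
    day = {"hour": 10, "network": "corp"}
    print("alice reads doc1 by day:", authorize(POLICIES, alice, doc, "read", day))
    print("owner carol (unclassified) reads doc1:", authorize(POLICIES, carol, doc, "read", day))
```

The second printed line is the interesting one: carol owns the document, so the DAC rule permits, but her clearance does not dominate the document's label, so the MAC rule denies and deny overrides. That is the difference between the two models in one request.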
What to look for when reviewing authentication logs
_ account lockouts
_ concurrent session usage
_ impossible travel time
_ blocked content (due to validation)
_ resource consumption (indicating attack)
_ resource inaccessibility
_ log anomalies (e.g. unusual numbers of logs, logs at unusual times, or missing log entries)
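The list above says what to look for; the SIEM cards earlier say a SIEM correlates events and fires automated triggers after a set number of repeats. The following added example (not from the flashcards) runs two of those checks over constructed sshd lines in Debian/Ubuntu /var/log/auth.log format: a brute-force burst rule (N failures from one source inside a time window, the kind of thing that ends in an account lockout) and an impossible-travel rule for successful logins. The log lines, the year (syslog timestamps carry none), the GeoIP lookup table, the 900 km/h limit and the burst thresholds are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in /var/log/auth.log format; not captured traffic (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 09:12:02 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  3 09:12:04 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 51126 ssh2
Mar  3 09:12:05 web01 sshd[2207]: Failed password for deploy from 203.0.113.9 port 51128 ssh2
Mar  3 09:12:07 web01 sshd[2209]: Failed password for deploy from 203.0.113.9 port 51129 ssh2
Mar  3 09:12:09 web01 sshd[2211]: Accepted password for deploy from 203.0.113.9 port 51130 ssh2
Mar  3 09:15:30 web01 sshd[2240]: Failed password for alice from 192.0.2.77 port 40100 ssh2
Mar  3 09:40:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:12 web01 sshd[2350]: Accepted publickey for alice from 192.0.2.77 port 40102 ssh2
"""

# Constructed IP -> (lat, lon) table standing in for a GeoIP database (assumption).
GEO = {
    "203.0.113.9": (52.52, 13.405),    # Berlin
    "198.51.100.4": (-33.87, 151.21),  # Sydney
    "192.0.2.77": (52.52, 13.405),     # Berlin
}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log: str, year: int = 2024):
    """Turn sshd auth lines into events; lines that are not logins are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_bursts(events, threshold: int = 5, window_s: int = 60):
    """Flag a source IP with >= threshold failures inside any window_s-second span
    (sliding window per source). Returns (ip, count, first_ts, last_ts) per flagged source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ip, end - start + 1, times[start], times[end]))
                break  # one alert per source is enough
    return alerts


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, geo, max_kmh: float = 900.0):
    """For consecutive successful logins of the same user from different IPs, flag any pair
    whose implied speed exceeds max_kmh. IPs missing from the geo table are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "Accepted" and e["ip"] in geo:
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for a, b in zip(logins, logins[1:]):
            if a["ip"] == b["ip"]:
                continue
            km = haversine_km(geo[a["ip"]], geo[b["ip"]])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            speed = math.inf if hours == 0 else km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": a["ip"], "to": b["ip"],
                               "km": round(km), "kmh": round(speed)})
    return alerts


def review(log: str) -> dict:
    events = parse(log)
    return {"bursts": brute_force_bursts(events), "travel": impossible_travel(events, GEO)}


if __name__ == "__main__":
    for ip, n, first, last in review(SAMPLE_LOG)["bursts"]:
        print(f"BRUTE FORCE  {ip}: {n} failures between {first.time()} and {last.time()}")
    for t in review(SAMPLE_LOG)["travel"]:
        print(f"IMPOSSIBLE TRAVEL  {t['user']}: {t['from']} -> {t['to']}, {t['km']} km at {t['kmh']} km/h")
```

The burst rule is the "automated trigger after a predetermined number of repeated events" from the SIEM card; note that the single failure from 192.0.2.77 is not flagged, and that the Accepted line that follows the five failures from 203.0.113.9 is exactly the sequence worth a human look. Impossible travel needs the source-time sync the NTP card mentions: with servers' clocks off by an hour, every such alert is noise.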