1. Security Basics

Confidentiality (CIA)

  • Encryption – Turns the message into a code
  • Access Controls
    • Identification – Username
    • Authentication – Password
    • Authorization – Permissions
  • Steganography
    • Hidden messages in plain sight.
    • Hidden text in the file or a photo

Integrity (CIA)

  • Ensures data is not tampered with
  • Hashing – Creating a derivative code through an algorithm
    • If the data is changed, its hash will change too
  • Digital Signatures, Certificates, and Non-Repudiation
    • By sending a unique digital signature, you make it clear who sent the message, which allows the receiver to trust it, and the sender to be held accountable.
    • Other forms of Non-Repudiation include tracking, by user account, who did what on a system.
    • PKI – Public Key Infrastructure
      • Enables signatures and certificates to function by maintaining encryption keys and certificate management

Availability (CIA)

  • Redundancy and fault tolerance set up to ensure that data is retrievable when it’s needed
  • SPOF – Single Point of Failure
    • Any juncture where, if the SPOF fails, the whole system ceases to function
  • Disk Redundancy
    • RAID 1, 5, 6, 01, 10
  • Server Redundancy
    • Extra clusters! If one server fails, it swaps to the redundant server
    • Virtualization can help
  • Load Balancing
    • Multiple servers supporting a service so one doesn’t get overloaded
  • Site Redundancies
    • If a fire or flood takes out one location, another backs it up
  • Backups
    • Data stored in multiple places
  • Alternate Power
    • UPS and generators
  • Cooling Systems
    • HVAC
  • Patching
    • Keep systems bug free and clear of security issues

Safety

  • Safety of People – Emergency escape plans, drills, and training
    • Often, secure facilities will unsecure in case of emergency to ensure human safety
  • Safety of Assets – Physical security measures like locks, lighting, fencing, CCTV, and more

 

Layered Security/Defense

  • No single approach is enough: mix and match!
  • Every step, layer, and phase needs its own security protocols
  • CAC – Common Access Card
    • Smart card including readable ID info for secure environments
  • PIV – Personal Identity Verification
    • Smart card including readable ID info for secure environments
  • HOTP – HMAC-based One-Time Password
    • An example of a rolling key-based password like the ones used in tokens.
    • HOTP passwords are usable once only, but remain valid indefinitely until used
    • Open-source and affordable systems
    • TOTP – Time-Based HOTP
      • Duh

Authentication Services

  • Kerberos
    • Functions on Unix and Windows Active Directory domains
    • Prevents MitM attacks through use of mutual authentication
    • Uses tickets to prevent repeat incidents
    • Requirements
      • KDC – Key Distribution Center
      • TGT – Ticket Granting Ticket
        • Certificates are packaged within digital authentication “tickets” or tokens
      • Time-Stamping and Synchronization
        • Tickets are only valid for a certain amount of time, so systems must be within 5 minutes of each other.
        • Time-outs prevent replay attacks
        • Replay Attacks
          • Intercepted authentication data that a third party re-sends so it can connect
    • Uses Symmetric Key Cryptography
      • One key encrypts and decrypts
    • Asymmetric Encryption Key
      • Utilizes two keys: a public encryption key (hosted by PKI) and a private decryption key.
  • LDAP and Secure LDAP – Lightweight Directory Access Protocol
    • X.500-based; can use TLS when secured
    • Specifies formats and methods to query a directory of objects (users, computers, and other directory objects)
    • Microsoft Active Directory is based on LDAP
    • Enables a single location to interact with all resources in a directory
    • Secure LDAP
      • Utilizes a TLS (Transport Layer Security) session to encrypt data
      • Secure LDAP v2 used SSL encryption, but v3 uses TLS
  • SSO – Single Sign-On
    • Feature enabled in both Kerberos and LDAP, wherein a user signs into the network once and receives a token that can sign them into all necessary systems
    • Federations
      • Enable two non-homogeneous networks to coordinate permissions for users
      • User holds credentials on both networks, but signs into the federation, which treats them as a single account
    • SAML – Security Assertion Markup Language
      • XML based
      • Allows websites to establish federation-like trust so that users can access resources on both
      • Principal – User
      • Identity Provider – Identity management utility; holds IDs and passwords
      • Service Provider – Serves principals, redirecting to different hosts or domains
  • RAS – Remote Access Service Authentication
    • Accessed via dial-up or VPN
    • PAP – Password Authentication Protocol
      • Cleartext, insecure, single authentication
      • Utilizes PPP – Point-to-Point Protocol
        • Used cleartext because over dial-up, nobody thought wiretaps were a legitimate risk
    • CHAP – Challenge Handshake Authentication Protocol
      • Server challenges client; can happen multiple times a session
      • More difficult to crack because the client answers with a hash at the start of the session rather than sending the password
    • MS-CHAP
      • Microsoft’s CHAP
    • MS-CHAP v2
      • CHAP + mutual authentication
    • RADIUS – Remote Authentication Dial-in User Service
      • Centralized method of authentication for multiple remote servers
      • Encrypts the password, but not the whole authentication process
      • Utilizes UDP for best-effort connections
    • Diameter
      • A fucking pun
      • RADIUS but utilizes EAP for better encryption
      • Utilizes TCP for guaranteed connections
    • XTACACS – Extended Terminal Access Controller Access-Control System
      • Cisco proprietary TACACS improvement
      • Outdated
    • TACACS+
      • Cisco proprietary alternative to RADIUS.
      • Interoperable with Kerberos.
      • Works on a wide host of environments
      • Encrypts the full authentication exchange
      • Uses TCP for guaranteed connections
      • Also used by corporations to secure network devices like routers
  • AAA Protocols
    • Authentication
      • Proves your identity
    • Authorization
      • Determines what you should be able to access
    • Accounting
      • Tracks what you do
    • RADIUS and TACACS+ are AAA protocols, and Kerberos is considered one, though it does not have accounting.
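The PAP-versus-CHAP point above, as an added example (not from these notes): the RFC 1994 challenge/response with MD5, which is the hash RFC 1994 specifies, not a recommendation. The authenticator issues a fresh random challenge each time, so the shared secret never crosses the link and a captured response is useless against the next challenge. The shared secret is a constructed value; the class and function names are mine.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5 variant): Response = MD5(Identifier || secret || Challenge).
    The shared secret never crosses the link, unlike the PAP password."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge, then checks the reply.
    Because the challenge changes every time, a captured response is
    useless for replay, and the server may re-challenge mid-session."""

    def __init__(self, secret: bytes):
        self.secret = secret          # provisioned out of band on both ends
        self.ident = 0
        self.outstanding = None       # (ident, challenge) awaiting a response

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)         # unpredictable, never reused
        self.outstanding = (self.ident, chal)
        return self.ident, chal

    def verify(self, ident: int, response: bytes) -> bool:
        if self.outstanding is None or ident != self.outstanding[0]:
            return False
        expected = chap_response(ident, self.secret, self.outstanding[1])
        self.outstanding = None       # exactly one answer per challenge
        return hmac.compare_digest(expected, response)


def client_answer(authenticator: ChapAuthenticator, client_secret: bytes):
    """One round trip: the peer receives (ident, challenge) and answers with the hash."""
    ident, chal = authenticator.challenge()
    return ident, chap_response(ident, client_secret, chal)
```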

Control Implementation Methods

  • Technical Controls: Utilizes Technology
  • Management Controls: Use administrative or management methods
  • Operational Controls: Implemented by people in day-to-day operations

 

Technical Controls

Technology installed by an administrator that automatically provides protection and reduces vulnerabilities.

  • Encryption
  • Antivirus Software
  • IDSs – Intrusion Detection Systems
    • Monitor a host and report on intrusions
  • Firewalls
    • Restrict I/O traffic to a server or host
  • Least Privilege
    • Only allowing each user the minimum privileges they need to limit risk if something goes wrong
  • Motion detectors, fire suppression systems, and other such devices are also technical controls which help provide additional physical protection and safety

 

Management Controls

Also known as administrative controls, these use planning and assessment to reduce risk.

  • Risk Assessment
    • Quantitative Assessment
      • Uses cost and asset values to determine how much it’ll cost to protect x-value of assets
    • Qualitative Assessment
      • Categorizes risks based on probability and impact
    • Vulnerability Assessment
      • Used to discover current vulnerabilities and weaknesses to help prioritize the implementation of additional controls
    • Penetration Tests
      • Actual attempts to exploit vulnerabilities to determine how easy it is to do, and what the actual effects are

Operational Controls

People-implemented practices in compliance with an overall security plan.

  • Awareness and Training
    • Prevents social engineering, people writing down passwords, etc.
  • Configuration and Change Management
    • Ensures that each system starts in a baseline of security and that changes do not invalidate security features
  • Contingency Planning
    • Reduces overall impact if something goes wrong by having prepared responses
  • Media Protection
    • Don’t lose flashdrives with valuable shit
  • Physical and Environmental Protection
    • Cameras, door locks, HVAC systems

 

NIST – National Institute of Standards and Technology

  • Hosts the ITL – Information Technology Lab
  • Publish SP 800 – Special Publication 800 which are security standard documents that many IT professionals, and certifications, reference directly
  • These are invaluable security standards

 

Control Goals

  • Preventative controls
    • Hardening
      • Making a system more secure than default by deactivating unnecessary features, creating restrictions, and disabling accounts
    • Security Awareness and Training
      • Ensuring users are aware of vulnerabilities and social engineering attempts
    • Security guards
      • Often deter potential attackers; can verify identities of people
    • Change Management
      • Changes aren’t made on the fly, they’re studied first
    • Account disablement policy
      • If it ain’t necessary, nix it
  • Detective controls
    • Log Monitoring
      • For example, firewall logs track everything blocked to help reveal incidents
    • Trend Analysis
      • Taking note of an increase in firewall denials, etc.
    • Security Audit
      • Can detect whether users are using good passwords or have more rights than they need
    • Video Surveillance
      • CCTV yo
    • Motion Detector
      • See above?
  • Corrective controls
    • Active IDS
      • Detects attacks and modifies the environment to stop them
    • Backups and System Recovery
      • Fix shit when it breaks
  • Deterrent controls
    • Cable Locks
      • If it’s hard to take, it’s less likely to be taken
    • Hardware Locks
      • … IT’S A LOCK
  • Compensating controls
    • Temporary controls used while implementing other things, or when other things go bad

 

Physical Security Controls

  • Perimeter
    • Get a big ol’ fence like the military
  • Building
    • Four walls and a big ol’ locked door
    • Some of these even have LIGHTS holy crap wow such security
  • Secure Work Areas
    • Don’t let people in that aren’t supposed to be there
  • Server and Network Rooms
    • Only let the IT nerds in, use bigger locks
  • Hardware
    • MORE LOCKS

Doors

  • In general, have fewer points of entry with more locks, security guards, cameras, biometrics, and laser beams. But like, be careful of trapping your employees in there when the place catches fire.
  • Cipher Locks
    • Press buttons in the right order and the door opens
    • These aren’t really all that secure, but you can make them harder to crack
  • Proximity Cards
    • Door shoots the card with lightning and if the card goes, “YEAH!” the door opens
    • You can identify people with special cards
    • Prox cards are pretty easy to steal info from, but a few pieces of aluminum in your wallet can fuck that up
  • Biometrics
    • USE YOUR FUCKING EYEBALL AS A KEY
    • This allows identification
  • ID Badges
    • Do you look like your picture or nah
  • Tailgating
    • Stop holding doors open for other people chivalry is dead let them use their own security credentials you white-knight piece of crap
    • Man traps are cool
  • Access Lists and Logs
    • Track who goes in, and have guards only let certain people in
    • If someone exits a building, but was never logged into the building, they probably tailgated so fire them
    • Video surveillance is a good partner
      • It’s best for proof. It’s hard to deny footage, but people can tailgate or use each other’s credentials
    • Motion Detectors + Fences mean you know when someone climbs it
    • Motion detectors can also modify lighting so you can save money but still be secure
    • Alarms are annoying but secure
    • Barricades can make vehicles and people zigzag in, giving more time to prevent or identify them
      • Bollards, or short vertical posts, look better than heavy barricades but still prevent people from driving through your walls
    • No Trespassing signs supposedly work
    • Locks, laptop locks, locking cabinets, and safes.

 

Logical Access Controls

  • Least Privilege – Only give users access to what’s essential
  • Group Policy – Allows you to change a setting once and have it affect whole groups
  • Most notes weren’t taken because info is fairly obvious

 

Access Control Models

  • Subjects
    • Users or groups
  • Objects
    • Files, folders, shares, or printers
  • Role-Based Access Control (RBAC)
    • Instead of assigning permissions to users, assign permissions to specific roles, and assign roles to specific users.
    • The Microsoft Project Server operates like this with four chief roles
      • Administrators – Can access anything and adjust settings
      • Executives – Can access anything but have no control over settings
      • Project Managers – Full control over data and settings within their project
      • Team Members – Can only report on work that was specifically assigned to them by project managers
    • These systems can often be seen as hierarchical, as higher-level accounts have more access
    • Matrix planning documents set up tables explaining the permissions before the roles have been created to make sure they make sense and cover all possibilities
  • Rule-Based Access Control (RBAC)
    • Such as when firewalls and routers use Access Control Lists (ACLs).
    • Static rules, such as allowing or disallowing traffic on a specific port
    • Dynamic rules
      • When an IDS adjusts rules to block specific traffic
      • When Marge has more permissions while Homer is absent
  • Discretionary Access Control (DAC)
    • Every file/folder has an owner who sets who can and can’t access/modify/view it
    • NTFS is known for this
      • Every NTFS object has a DACL (Discretionary ACL) which notes the SIDs (Security IDs) of users
      • The DACL is filled with Access Control Entries (ACEs), each containing an SID and its associated permissions
    • Trojan risk: if you install malware with admin privileges, that malware can continue to operate with those same privileges
  • Mandatory Access Control (MAC)
    • Operates under the principle of least privilege
    • Both users and objects have sensitivity labels; a user can access a file only if their label is equal or greater AND they have a need to know
    • In high-security situations, multiple levels of checks are performed before deciding a user has a need to know in any given matter
    • This system is slow and inflexible, but very secure
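The three decision rules above (MAC label dominance with need to know, an NTFS-style DACL walk for DAC, and role-to-permission mapping for RBAC) as one added example, not from these notes. The level ordering, the ACE layout and the roles are constructed for the example; the DACL walk follows the usual "explicit deny on a still-needed right wins, empty DACL grants nothing" semantics.

```python
from dataclasses import dataclass

# Sensitivity levels, low to high (constructed ordering for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """MAC rule from the notes: level equal or greater AND need to know,
        i.e. the subject holds every compartment the object is tagged with."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

@dataclass(frozen=True)
class Ace:
    sid: str            # SID of the user or group this entry applies to
    allow: bool         # False = access-denied ACE
    perms: frozenset    # rights this entry grants or denies

def dacl_allows(dacl, subject_sids, requested) -> bool:
    """DAC check over an NTFS-style DACL: walk the ACEs in order; a deny
    matching any of the subject's SIDs on a still-needed right wins, allows
    chip away at the request, and an empty DACL grants nothing."""
    needed = set(requested)
    for ace in dacl:
        if ace.sid not in subject_sids:
            continue
        if not ace.allow and ace.perms & needed:
            return False
        if ace.allow:
            needed -= ace.perms
            if not needed:
                return True
    return not needed

# RBAC: permissions hang off roles, users are given roles (constructed roles).
ROLE_PERMS = {"administrator": {"read", "write", "change_settings"},
              "executive": {"read"}, "team_member": {"report_own_work"}}
USER_ROLES = {"alice": {"administrator"}, "bob": {"executive", "team_member"}}

def rbac_allowed(user: str, perm: str) -> bool:
    """A user may do `perm` if any of their roles carries it."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))
```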