Saturday, February 11, 2012

Chapter 14

This last chapter of the book covered how to mitigate risks of attack and damage to a computer system. The first part of the chapter dealt with terminology of risks. Privilege management was covered next, and it dealt with auditing the rights users were assigned on a network. Change management was discussed, which is keeping track of how and what changes are made to a system. Incident management was next, and it deals with identifying, analyzing and contain an event or issue that could r has compromised a system so as to return to normal operations as quickly and seamlessly as possible. Risks can be reduced through security policies, or a document that details how IT plans to secure a company's data networks and assets. Security policies can cover several different areas from digital policies (acceptable use and password complexity policies) to human resource policies, data classification policies, etc. Threat awareness was covered next, and went into detail about issues surrounding peer-to-peer networks and social networks. Lastly, the book went through how to train users in the organization to about these policies, including how to do so to a wide variety of learning styles.

Friday, February 10, 2012

Chapter 13

This chapter dealt with business continuity. Business continuity is where a business has a plan to contniue operations past a point where they are struck with a disaster, or more specifically, when their computer system is damaged or destroyed in some way.The first part of the chapter gave a definition of business continuity and disaster recovery plans. One way to help shorten downtime in a disaster is to build in redundancy and fault tolerance. Redundancy is where there are multiple servers and other hard/software in a system that can take over in the case of a single device or service being taken out. Fault tolerance is similar, making it possible for a system to sustain several problems before expirencing serious degradation of operations. The book went through several different deviced to do this, from redundant servers (clusters) and storage (RAID arrays) to networks, power data backups and even sites (hot/cold and warm).In order to control potential problems, environmental controls, fire prevention and suppression EMI shielding (faraday cages) and HVAC controls in server rooms (dissipation of ESD). Forensics was covered last, and deals with preservation of evidence after an attack takes place. Essentially, it went over how taking a mirror backup copy of a computer was essential for preserving evidence and how keeping a chain of custody was essential to show there was no tampering with evidence after the fact.

Chapter 12

This chapter expanded on chapter 11's discussion of cryptography. The first part of the chapter dealt with defining a digital certificate. A DC is a file that ties a user's identity to a public key (in PKI) that's been signed by a third party. This allows the use of public keys that are from a trusted but indirect participant in the key exchange process. Certificate authorities issue digital certificates. Registration authorities verify the identity of an individual using a CA. Certificates have an expiration date, and the certs that have expired will be kept on a certificate revocation list for future reference. Certificate repositories are lists of digital certs that can be accessed by the public.There are several kinds of digital certs. Class 1 are personal DC's. Class 2 are server DC's and allow those on the web to see who owns a server. Class 3 certs are software DC's and allow these companies to ensure their software has not been hacked or altered. The next portion of the chapter dealt with PKI.and the way it functions, specifically the role trust plays in its use.Third-party trust is where two people trust a third party, and thus the word of that party is sufficient for the certificate or key in PKI. Hierarchical trust is defined as the trust relationships built up from relationships of third-party trusts of CA's. The next part of the chapter dealt with PKI management through certificate policy, or a system of rules governing certificate use and issuance. This is summed up in the cert practice statement. Similarly, key management is the way keys are handled in a PKI system. Transport encryption algorithms were covered next. Secure socket layer (SSL) transport layer security (TLS) use an algorithm to encrypt data sent over the internet and provide server & client authentication. Secure shell (SSL) allows access to rmote computers as an alternative to telnet. HTTPS secures communications between a browser and a web server. IPSec secures the exchange of packets.

Chapter 11

This chapter dealt with the basics of cryptography. The first part of the chapter defined what cryptography was; essentially it is obscuring data in such a way as to make it unreadable and incomprehensible to those who are not authorized or meant to read it. Stenography is the practice of hiding a message or data amongst something in order to obscure it. The book described how cryptography was deciphered through a key that unlocks an algorithm that decrypts the data into plaintext. Cryptography protects the identity of the sender, the integrity of the data and the authenticity of the message. Hashing algorithms are fingerprints of the encrypted data. A message digest is another algorithm used and has 3 versions. MD2 takes plaintext and and creates a 128 bit hash from it. MD4 does the same thing as MD2, but adds enough padding to the message to go to 512 bits in length. MD5 is a revision of MD4 but uses 4 variables to create the hash. Secure Hash Algorithm (SHA) is another hashing algorithm and has a few versions, including SHA-0 and SHA-1. These versions create a hash 160 bits long. RIPEMD is a hash algorithm developed from MD4 and it uses 2 different and independent chains of computation which are combined at the end of the process to create the hash. Passwords are used to store passwords. Symmetric algorithms use the same key to both encrypt and decrypt a file. DES, 3DES, AES, Rivest, RC4 and Blowfish all use the symetric method in their function. Asymmetric cryptography, also known as PKI (public key encryption) uses a different key to encrypt than it does to decrypt a file. In PKI, there are 2 keys, a public key and a private key. The use of this system verifies the user in addition to decrypting the information contained in the message. PGP uses asymmetric cryptography, as does EFS (the system used on Microsoft software). BitLocker uses it as well, and is used to encrypt an entire hard disk. USB devices can be used to provide encryption as well. Lastly, a trusted platform module (TPM) can be used, and is a hardware chip on a motherboard that is a dedicated cryptographic device. Some computers use a hardware security module, which is a dedicated cryptographic processor to handle encryption on a computer.

Chapter 10

This chapter covered account management and authentication. The first part of te chapter dealt with credentials as they apply to passwords. Passwords can be compromised by several methods including social engineering, dictionary attacks, guessing, and attempts to crack them offline. Rainbow tables make password cracking easier by creating an archive of passwords to help crack passwords the hacker is trying to break. Passwords can be hard to crack if the user creates one that is complex. This means using complex characters and through the use of password management systems in order to keep track of them. Tokens and cards can be used to authenticate a user as well. Tokens randomly generate passwords that only last a few minutes and are tied to an authentication system. Smart cards have a chip inside them that physically authenticate a user when interfaced into a system. Biometrics are used as well, and these are tied to something, like a fingerprint or retina scan, that are literally unique to the user. Voice recognition can be used in this manner, as can behavioral biometrics (people do things like access a system at fairly regular time periods). Single-sign on systems were covered next. The first was Windows Live is a central sign-on scheme invented by Windows to interface with its products and services, but only works with Windows products. Open ID was another and it is not specific to a single product or company, though it has security weaknesses due to its URL-specific setup. Open authorization is another and relies on a token security authentication system. Account management was covered next, and deals with setting password policies so that a certain number of times a user fails to enter a valid password, it disables the login until the admin resets it. This interrupts password guessing. Trusted operating systems were covered last, and these are OS's that segregate their applications and have heavy security-access protection on their kernels and system files.

Chapter 9

This chapter dealt with access control. The first section of the chapter went over the ideas and terminology behind access control, then launched into a discussion about the various models and methods of controlling access to a computer system. The first, mandatory access control (MAC) is considered the most restrictive, and is used by the US military on their networks. It operates in the same way as the security clearance regimen that government agencies use, allowing only those who have access to a certain level of information to gain access to that information on the network. Discretionary access control (DAC) was next, and is considered to be the least restrictive model. Administrators of an object in the system can give access to those they choose and create and administer objects at will. Role-based access control was next, and assigns access based on the job function of those who are on the network. Last was rule-based access control (RBAC) which assigns access levels based on a set of per-determined rules set by the administrator. Unlike role-based, rule based access can't be changed by users. The third part of the chapter dealt with some ground rules for access control, including separation of duties (keeping custodial and owner duties separate) job rotation (changing the duties of an administrator periodically), least privilege (only granting necessary levels of access for a job), implicit denial (only granting access if necessary conditions are met) and mandatory vacations (rotating administration duties to prevent buildups of power and access). Next, the implementation of access control was discussed. Access control lists are permissions attached to an object. Group policy is a feature in windows that allows administration of access levels using active directory. Account restrictions are used to allow employees to only be able to use the network at certain times of the day, week, etc so as to cut down on potential attacks. Account expiration is used to keep former employees from hacking or accessing a system after termination. Lastly, authentication services are often used to make certain only authorized users can get into a system. RADIUS is a dial-in service that is used for remote clients. Radius clients are often devices attached to a network that allow for remote users to connect, such as access points, etc. Kerberos authenticates network users using tickets that identify and authenticate a user as having access to a network. Terminal access control/access control is similar to radius used on many unix-based systems. LDAP is a service that authenticates users by keeping a copy of their access credentials, and keeps track of the resources on a network and the user's level of access to them.

Monday, February 6, 2012

Chapter 8

This chapter dealt with security on wireless networks. First, the chapter went through bluetooth hacking. Bluejacking is like spam email that you send other bluetooth users unwanted messages. Bluesnarfing is where an attacker gets access to a wireless device through a bluetooth-enabled device. Wireless LANs (WLANs) are often a point of attack for hackers. Access points have antennas which makes them vulnerable to war drivers and unauthorized attackers nearby who use them to link to a wired network.This can be done with the aid of wireless protocol analyzers to attempt man-in-the-middle attacks and by using interference, such as a 'loud' EM device like a microwave to disrupt access points' signals. Some hackers use rogue access points, or an access point that is setup inside the perimeter of the original WLAN in order to gain access to the network. An evil twin AP is similar, but is setup by an outside user that hijacks traffic from an access point. Countermeasures to WLAN attacks are many. MAC address filtering is used to only allow authorized devices to connect with the network. This can be hacked by someone using a protocol analyzer to substitute their own MAC address for someone else's computer on the network. SSID broadcasts are often used as an attack vector as an attacker simply copies the SSID from a device and, like the MAC address attack, substitutes their own in for an authorized machine at a later time. WEP or wired equivalent privacy is an older method of encrypting data across a WLAN, and thus is vulnerable to attackby hacking the keys the policy uses in its frame encryption algorithm. Temporal key integrity protocol (TKIP) is a method used to help defeat attacks using a 128 bit key instead of a 40 bit key like WEP. it also uses CRC to check for any alteration of individual packets. WPA2 is the second generation of WPA, and it uses AES-CCMP encryption via the advanced encryption standard. It also uses 128 bit encryption, though the key lengths can vary. The last part of the chapter covered some methods to enhance security on a network. First is placing an antenna so as to limit its range to inside the building to keep from attracting wardriving attacks. Another is to use rogue access point detection methods like desktop and access point probes to detect where and when access point hacks have occurred. Third is through the use of VLANs to segment traffic and keep more sensitive data in more secure access levels.

Saturday, February 4, 2012

Chapter 7

This chapter went through how to administer a secured network. It began by examining the OSI model as they relate to the various protocols used in a network such as ICMP (communicates errors up the chain), SNMP (allows remote configuration across a network), DNS (maps IP's to net addresses) and FTP (transfers files across a network), etc. Secondly, it talked about managing networks using a rule-based approach, which is something like managing through predetermined technical policies rather than creating rules and procedures on the fly, as the book mentions. The book mentions doing this for devices (configuring routers logically and installing appropriate protection software such a a flood guard, which protects against SYN storms), analyzing logs to detect patterns of traffic that are unusual, segmenting networks so as to create layers of security, disabling unused ports on devices, etc.Lastly, securing applications was covered. Virtualization simulates an operating system environment protects the host from some attacks. Server virtualization is similar, and allows an administrator to run several 'servers' from a single machine, saving operating costs and segmenting resources to prevent against attacks. Using IP telephony was discussed next. Its a convergence technology that helps enterprises administer many kinds of communication at once. Lastly, cloud computing was gone over, and how it can help to reduce costs of networking to those who use it. I personally think cloud computing is fine for some applications, but for those who wish to personally secure their data and own (for lack of a better word) their applications, it poses significant issues that make it a little less rosy than the book seems to advocate.

Chapter 6

This chapter covered network security. The beginning of the chapter covered the OSI model again, then went through the differences between various network devices (routers, switches, etc.), all of which was covered in depth in CIS-155. Network security devices were next; things like firewalls, proxies and (software) spam and content filters. IDS's were covered, along with the various monitoring methods they use to detect potential attacks (anomaly, behavior, heuristic, etc.) Network technologies were next, such as network address translation (NAT), which masks the IP address of the sender and network access control (NAC) which blocks devices from joining a network that lacks a defined level of security. Increasing network security through DMZ'a and through subnetting schemes were discussed next. VLANs and remote access were covered last, each one of them are used to group devices, thus segmenting away some devices from more secure data.

Chapter 5

This chapter dealt with physically securing a facility where a computer network was set up, securing an operating system and its network and applications. The first part covered various types of locks, RFID key passes, surveillance and other countermeasures used to defeat physical access to hardware on a site. The second part dealt with how to harden an operating system, including developing a security policy, closing up holes, like guest accounts, in the OS itself and running normal security applications such as anti-malware and using spam filters, firewalls and the like. It also talked about monitoring various logs of system performance to spot abnormalities which could indicate an attack. Application security was next, and covered not only injection attacks (again) but also examined fuzzing, or putting in intentionally wrong information to check for exploitable flaws in programs.

Personally, I found this chapter odd. It almost seemed like the authors had a hodgepodge of information they wanted to cover, but did not want to write another chapter to do it. Much of the information here looks to belong in other areas of the book, and other parts of the chapter were nothing but a re-hash of information from former chapters.

Friday, February 3, 2012

Chapter 4

This chapter went through the process of assessing a computer network for potential threats, how to perform this assessment (both through the philosophical and application means) and how to turn aside the threats this assessment has identified, using various tools available in the marketplace. First, the book went through the terminology of an assessment, such as what a threat is, a risk, and a vulnerability. The book then went through what taking a baseline was (the normal look and function of the network when not under attack), then went through how how software is developed, taking into consideration how security conscious programmers are trained to be in the modern day. The chapter then went through some of the tools available for detecting vulnerabilities, such as port scanner, protocol analyzers, vulnerability scanners (these perform a variety of functions to detect network changes that might indicate an ongoing attack) and honeypots and nets, which fool attackers into thinking they have found a vulnerable network and thus hide the real network from their attention. Penetration testing is covered next, each of the box methods being described in detail from the least foreknowldge of a network (black box) to a map of the network (white box) being given to the team. Methods of attack mitigation were covered next, which outlined a few basic means through which attacks could be discouraged when encountered by attackers.

Chapter 3

This chapter covered some of the different attacks hackers can use over and through networks. Many of them were covered in CIS-185 including SQL injection (using a server's weak, unfiltered password reset function to set up a logon ID) and XML injection (using tags to facilitate injection attacks). It went through how an attacker can use directory traversal to get access to areas to which they would not normally be able to enter. Client-side attacks are gaining prevalence, and include Iframe attacks, manipulating headers in HTTP, cookies, hijacking a web session by impersonating a user's session token and buffer overflow attacks which cause a computer to crash due to over-filling a computer's RAM. Lastly, network attacks are often used, and like the injection attacks, these were covered in depth in CIS-185. DOS attacks via ping or syn floods, man-in-the-middle attacks by an attacker inserting their own machine into the middle of a computer conversation, ARP and DNS poisoning (used by the chineese to suppress their own population's access to information) which redirects a user away from information they want censored and transitive access, or using a third user to gain access to a network are all common methods of network hacking attacks.