2/20/2017
1 ©2007 – Body Temple 2/20/2017
1
Security Principles
CIA
Confidentiality
Integrity
Availability
AAA
Authentication
Authorization
Accounting
THREATS
System Crash/Hardware failures
Admin access control weakness
Malware
Social Engineering
Man in the Middle Attacks
Denial of Service Attacks
Physical Intrusion
Wireless Attacks
System Failures
Hard Drives
Power Failures
Network Devices
Servers
Redundant Systems
RAID
UPS
Clusters (High Availability)
Redundant NIC / Switches
Admin Access Control
Access Control Lists (ACL)
Least amount of privilege
Need to Know principle
Accounts security
Malicious Software (Malware)
Virus
Worm
Trojan Horse
Rootkit
Adware/Spyware
Prevention:
Antimalware / Antivirus
System well patched and maintained
Social Engineering
Using or manipulating users for nefarious gain.
Phishing.
Vishing.
Hoax.
Prevention
User training and awareness.
Man in the Middle Attack (MITM)
Interception
Gain access to sensitive data
Manipulate data
Prevention
Encryption
Data Integrity
Denial of Service (DOS)
Flooding techniques
Smurf Attack (ICMP)
Fraggle Attack
TCP/SYN Flood
• DDoS – Distributed Denial of Service (many computers attempting to access a web service, in order to break it.)
• Zombies / Botnets – A group of computers controlled to perform malicious attacks.
Prevention
• Firewalls
• Intrusion Detection Systems
• Intrusion Prevention Systems
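The flooding techniques listed above each leave a recognisable pattern in traffic, which is what an Intrusion Detection System keys on. The following added example (not part of the original slides) classifies a constructed sample of packet summaries into SYN flood, Smurf and Fraggle alerts; it assumes /24 subnets (so a host part of 255 is the directed broadcast address) and a hypothetical threshold of 50 half-open connections per source.

```python
from collections import Counter

# Constructed sample of packet summaries as an IDS sensor might record them:
# (src_ip, dst_ip, proto, detail) where detail is a TCP flag ('S' = SYN,
# 'A' = ACK), an ICMP type name, or a UDP destination port number.
SAMPLE_PACKETS = (
    [("203.0.113.9", "192.0.2.10", "tcp", "S")] * 60        # SYNs that never complete
    + [("198.51.100.4", "192.0.2.10", "tcp", "S"),
       ("198.51.100.4", "192.0.2.10", "tcp", "A")] * 5      # normal client handshakes
    + [("192.0.2.10", "192.0.2.255", "icmp", "echo-req")] * 3  # Smurf: ping to broadcast
    + [("192.0.2.10", "192.0.2.255", "udp", 7)] * 2         # Fraggle: UDP echo to broadcast
    + [("198.51.100.4", "192.0.2.10", "udp", 53)]           # ordinary DNS query
)


def is_directed_broadcast(ip):
    """Assumption: /24 subnets, so a host part of 255 is the broadcast address."""
    return ip.endswith(".255")


def half_open_syns(packets):
    """SYNs per source minus ACKs from the same source: a crude half-open count."""
    syn, ack = Counter(), Counter()
    for src, _, proto, detail in packets:
        if proto == "tcp" and detail == "S":
            syn[src] += 1
        elif proto == "tcp" and detail == "A":
            ack[src] += 1
    return {s: syn[s] - ack[s] for s in syn if syn[s] > ack[s]}


def classify(packets, syn_threshold=50):
    """Return flood type -> sorted list of offenders for the three techniques."""
    alerts = {"syn_flood": [], "smurf": set(), "fraggle": set()}
    for src, n in half_open_syns(packets).items():
        if n >= syn_threshold:
            alerts["syn_flood"].append((src, n))
    for src, dst, proto, detail in packets:
        if not is_directed_broadcast(dst):
            continue
        if proto == "icmp" and detail == "echo-req":
            alerts["smurf"].add(src)      # src is the (spoofed) victim that gets the replies
        elif proto == "udp" and detail in (7, 19):  # echo / chargen amplifiers
            alerts["fraggle"].add(src)
    return {kind: sorted(found) for kind, found in alerts.items()}


if __name__ == "__main__":
    print(classify(SAMPLE_PACKETS))
```

In Smurf and Fraggle the source address is the spoofed victim, so the alert identifies who will be flooded by the replies rather than who sent the packets.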
Physical Intrusion
Server Room Security
Building Security
Disposal Policy
Dumpster Diving
Piggy Backing
Shoulder Surfing – Ensure passwords are not easily visible by others.
Tailgating – Following an employee past security
Physical Security barriers
CCTV
Mantrap – Turnstile
Partitions
Wireless Security
Wardriving – Looking for unsecured wireless networks
Warchalking – Marking on the street unsecured wireless networks.
Rogue Access Point – Malicious Access Point on your network.
Evil Twin – Clone Server or equipment added to a network.
Encryption Cracking – When your encryption method is broken.
Tips to prevent attack:
Shielding – Using shielded cables that are not easily accessible.
Disable SSID – Not allowing WiFi name being broadcast.
WPA2 (rather than WEP) – More secure WiFi password encryption
MAC Filters – Only allowing certain devices with a unique MAC Address to access your network.
Securing User Accounts
Authentication
Something that you know – Username, Password, PIN
Something that you have – Token, Smartcard, Common Access Card
Something that you are – Retinal scan, fingerprint (Biometric)
Multi-factor authentication – 2 or more authentication methods
Authentication Protocols
Password Authentication Protocol PAP
Challenge Handshake Protocol CHAP
Microsoft CHAP MS-CHAP (MS-CHAPv2)
Extensible Authentication Protocol EAP
802.1x – Network Access Control
AAA
Centralized Authentication, Authorization and Accounting:
Remote Authentication Dial-in User Service RADIUS
Terminal Access Controller Access-Control System TACACS+ (Cisco)
KERBEROS
Authentication protocol for TCP/IP networks allowing centralization of authentication on a single server (Domain Controller)
Uses UDP / TCP port 88
Key Distribution Center
TGT
TGS
Authorization
Permissions
Rights
Access Controls
Share / Security
Permissions
Security Groups
FIREWALLS
NAT
Port Filtering
Packet Filtering
MAC Filtering (Wireless Networks)
Personal Firewall (Windows)
Host Based
Network Firewall
Network Zones
Demilitarized Zone (DMZ) – network between 2 firewalls
Transitional Network
Honey Pot / Honey Nets
IDS / IPS
Vulnerability Scanner
Detects network vulnerabilities
Open Ports
Unnecessary Services / Applications
Operating System vulnerabilities
PROTOCOL ANALYZERS
Network ‘Sniffers’
Wireshark
Microsoft Network Monitor (Nmcap)
Controlling Data Throughput
QoS (Quality of Service)
Traffic Shaping (Bandwidth Shaping)
Load Balancing
High Availability – Clusters (Failover, NLB)
Fault Tolerance – Redundant devices
Network Monitoring
Baselines
Performance Monitor
System Logs (syslog)
Traffic Analyser (Wireshark)
SNMP – Simple Network Management Protocol
Windows Performance Monitoring