©2007 – Body Temple 2/20/2017

COMPTIA NETWORK PLUS - Source Brokers · 2017. 2. 20. · Network Devices Servers Redundant Systems RAID UPS Clusters (High Availability) Redundant NIC / Switches. 2/20/2017 4 ©2007


Security Principles

CIA

Confidentiality

Integrity

Availability

AAA

Authentication

Authorization

Accounting


THREATS

System Crash/Hardware failures

Admin access control weakness

Malware

Social Engineering

Man in the Middle Attacks

Denial of Service Attacks

Physical Intrusion

Wireless Attacks


System Failures

Hard Drives

Power Failures

Network Devices

Servers

Redundant Systems

RAID

UPS

Clusters (High Availability)

Redundant NIC / Switches


Admin Access Control

Access Control Lists (ACL)

Least amount of privilege

Need to Know principle

Accounts security


Malicious Software (Malware)

Virus

Worm

Trojan Horse

Rootkit

Adware/Spyware

Prevention:

Antimalware / Antivirus

System well patched and maintained


Social Engineering

Using or manipulating users for nefarious gain.

Phishing.

Vishing.

Hoax.

Prevention

User training and awareness.


Man in the Middle Attack (MITM)

Interception

Gain access to sensitive data

Manipulate data

Prevention

Encryption

Data Integrity


Denial of Service (DOS)

Flooding techniques

Smurf Attack (ICMP)

Fraggle Attack

TCP/SYN Flood

• DDoS – Distributed Denial of Service (many computers attempting to access a web service in order to break it).

Zombies / Botnets – A group of computers controlled to perform malicious attacks.

Prevention

• Firewalls

• Intrusion Detection Systems

• Intrusion Prevention Systems


Physical Intrusion

Server Room Security

Building Security

Disposal Policy

Dumpster Diving

Piggy Backing

Shoulder Surfing – Ensure passwords are not easily visible by others.

Tailgating – Following an employee past security

Physical Security barriers

CCTV

Mantrap - Turnstile

Partitions


Wireless Security

Wardriving – Looking for unsecured wireless networks

Warchalking – Marking unsecured wireless networks on the street.

Rogue Access Point – Malicious Access Point on your network.

Evil Twin – Clone Server or equipment added to a network.

Encryption Cracking – When your encryption method is broken.

Tips to prevent attack:

Shielding – Using shielded cables that are not easily accessible.

Disable SSID – Not allowing the WiFi name to be broadcast.

WPA2 (rather than WEP) – More secure WiFi password encryption.

MAC Filters – Only allowing certain devices with a unique MAC address to access your network.


Securing User Accounts

Authentication

Something that you know – Username, Password, PIN

Something that you have – Token, Smartcard, Common Access Card

Something that you are – Retinal scan, fingerprint (Biometric)

Multi-factoring – 2 or more authentication methods


Authentication Protocols

Password Authentication Protocol PAP

Challenge Handshake Authentication Protocol CHAP

Microsoft CHAP MS-CHAP (MS-CHAPv2)

Extensible Authentication Protocol EAP

802.1x – Network Access Control


AAA

Centralized Authentication, Authorization and Accounting:

Remote Authentication Dial-in User Service RADIUS

Terminal Access Controller Access-Control System TACACS+ (Cisco)


KERBEROS

Authentication protocol for TCP/IP networks allowing centralization of authentication on a single server (Domain Controller)

Uses UDP / TCP port 88

Key Distribution Center

TGT

TGS


Authorization

Permissions

Rights

Access Controls

Share / Security Permissions

Security Groups


FIREWALLS

NAT

Port Filtering

Packet Filtering

MAC Filtering (Wireless Networks)

Personal Firewall (Windows)

Host Based

Network Firewall


Network Zones

Demilitarized Zone (DMZ) – network between 2 firewalls

Transitional Network

Honey Pot / Honey Nets

IDS / IPS


Vulnerability Scanner

Detects network vulnerabilities

Open Ports

Unnecessary Services / Applications

Operating System vulnerabilities


PROTOCOL ANALYZERS

Network ‘Sniffers’

Wireshark

Microsoft Network Monitor (Nmcap)


Controlling Data Throughput

QoS (Quality of Service)

Traffic Shaping (Bandwidth Shaping)

Load Balancing

High Availability – Clusters (Failover, NLB)

Fault Tolerance – Redundant devices


Network Monitoring

Baselines

Performance Monitor

System Logs (syslog)

Traffic Analyser (Wireshark)

SNMP – Simple Network Management Protocol


Windows Performance Monitoring