
Information Security

Overview

 What is security?

 What is information security?

 What to secure?

 Why do we need information security?


 Who is vulnerable?

 Key element of information security?

 What is cyber security?

 Elements of Cyber security?


 AAA Model

What is “Security”?

 Dictionary.com says:
1. Freedom from risk or danger; safety.

2. Freedom from doubt, anxiety, or fear; confidence.

3. Something that gives or assures safety, as:

I. A group or department of private guards: Call building security if a visitor acts suspicious.

II. Measures adopted by a government to prevent spying, sabotage, or attack.

What is information security?


The state of being protected against the unauthorized use of information, especially electronic data, or
the measures taken to achieve this.

What to secure?

 Data

◦ Information we keep on computers (product design, financial records, personnel data)

◦ Database record

 Resources

◦ Unauthorized use of computer Hardware or server

Why do we need security?


 Protect vital information while still allowing access to those who need it
o Trade secrets, bank records, etc.

 Provide authentication and access control for resources

o Ex: ATM

 Guarantee availability of resources

o Ex: 5 9’s (99.999% reliability)

Who is vulnerable?
 Financial institutions and banks

 Internet service providers

 Pharmaceutical companies

 Government and defense agencies

 Contractors to various government agencies

 Multinational corporations

 ANYONE ON THE NETWORK

Key elements of Information Security


As a security professional, you work to achieve the fundamental goals of information security.
Those fundamental goals are confidentiality, integrity (data integrity), and availability, also
referred to as the CIA Security Triad.
CIA is a well-known acronym to most people: it means Central Intelligence Agency. But, as the
list below shows, for security people CIA means the following:

Confidentiality: Provides data secrecy.

Integrity: Only authorized people can change data.

Availability: Data must always be accessible and ready


Confidentiality
Confidentiality is the ability to ensure secrecy: No one can view the information except the
intended recipients.

Armies and generals have relied on confidentiality for centuries. In fact, in 50 B.C., even Julius
Caesar used a technique called Caesar Code to ensure the confidentiality of his messages.

Integrity
Integrity is defined as the ability of the data (or asset) to not be altered without detection.

An example of integrity applied to networking is a switch configuration: No one can modify the
configuration except with the proper credentials (operators’ usernames and passwords);
moreover, even a modification by the authorized personnel leaves a trail through a syslog
message.

Availability
The final security principle is the availability of service or data. Without data availability, secret and
unaltered data is useless! This principle is well known in the networking arena where redundancy and
high-availability designs are common.
Attacks against availability are called disruption or, in the networking world, denial of service (DoS)
attacks.

The following are popular solutions you can implement to help maintain availability:
Permissions: Implementing permissions on a resource is a way to help ensure availability, because if you
limit who can delete the data, then chances are high it will still be available when needed.
Backups: Ensure you perform regular backups of critical information so that if the data becomes corrupt
or unavailable, you can restore it from backup.
Fault tolerance: You can implement data redundancy solutions to ensure the data is available, so that if
one of the hard drives fails, the other drives have a copy of the information.
Clustering: To ensure availability of services such as e-mail or database servers, you can use a
high-availability solution such as clustering. Clustering allows you to have multiple servers acting as one
unit, so if one server fails, the other server takes over the workload.
Accountability
Earlier, the last goal of information security was availability, but in recent years an additional A in CIA
(sometimes referred to as CIAA) has come to stand for accountability.
Accountability is ensuring that employees are accountable for their actions. The following are some
popular methods to implement accountability within the organization:
Log files: Most network services either implement logging by default or can be configured to log
activity to log files.
Note: Be sure to enable logging for all core services on the network so that if an incident arises, you can
review the logged data.
Audit files: Most operating systems have a security auditing feature that allows you to review the
security-related events that occur on a system. In Windows, this is the Security log in Event Viewer.
Note: Be sure to review the security audit logs on a regular basis.

Understanding Authentication, Authorization and Accounting

Identification and Authentication


Identification happens before authentication and is the process of having users identify
themselves to the system. The most popular method companies use to identify individual users
is to give each a unique username.
Users can identify themselves and authenticate to the system in a number of ways. The
following lists a few popular methods used for identification and authentication purposes:

Username: The most popular method of identifying users on the network is to give them
each a unique username.

Smartcard: A smartcard is a card the size of a credit card that has a microchip which can contain
data used by a system or application.
Token: A security token is a small device that is typically used to identify an individual and is
used in the authentication process. Of the different types of tokens, the most popular is a
device that displays a random number on it for 30 to 60 seconds.
Biometrics: Biometrics is the concept of using part of your physical self to authenticate
to the system. For example, you can scan a fingerprint or a retina to authenticate to a
system. You typically use biometrics in highly secure environments because it is difficult
for anyone else to obtain your physical characteristics.

Authorization
Once the user has been authenticated, they are given access to different resources; this is
known as authorization.
Permissions: You may authorize individuals to access a file by giving them permission to the file, or by
giving a group that the individual is a member of permission to the file.
Router ACLs: Another example of implementing authorization is configuring access control lists (ACLs)
on a router.
Proxy servers: Another popular example of authorization is allowing or denying access to different web
content at the proxy server.
Facility: A final example of authorization is to control access to different areas of the building.
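As an added example that is not part of the original notes, here is a small first-match access control list evaluator in the style of the router ACLs mentioned above. The addresses, ports and rule set are constructed for the example. It shows two properties every ACL author has to keep in mind: rule order decides the outcome, and a packet that matches no rule is denied (the implicit deny at the end of the list).

```python
# Added example (not from the original notes): a first-match ACL evaluator in the
# style of a router ACL. Rules are checked top to bottom; the first rule whose
# source network and destination port match decides, and if nothing matches the
# packet is denied (the "implicit deny" at the end of every router ACL).
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    source: str              # CIDR network the packet's source address must fall in
    dst_port: Optional[int]  # destination port, or None for any port


# Constructed sample policy with hypothetical (documentation-range) addresses:
# block one known-bad host from everything, let the admin subnet reach SSH,
# and let everyone reach the web server. The deny is placed FIRST on purpose.
SAMPLE_ACL = [
    Rule("deny",   "203.0.113.7/32", None),
    Rule("permit", "10.0.5.0/24",    22),
    Rule("permit", "0.0.0.0/0",      443),
]


def evaluate(acl, src_ip, dst_port):
    """Return "permit" or "deny" for the first matching rule; "deny" if none match."""
    src = ipaddress.ip_address(src_ip)
    for rule in acl:
        in_network = src in ipaddress.ip_network(rule.source)
        port_matches = rule.dst_port in (None, dst_port)
        if in_network and port_matches:
            return rule.action
    return "deny"  # implicit deny: no rule matched


if __name__ == "__main__":
    for ip, port in [("10.0.5.10", 22), ("203.0.113.7", 443), ("198.51.100.9", 22)]:
        print(ip, port, "->", evaluate(SAMPLE_ACL, ip, port))
    # Moving the deny rule to the end lets the bad host through on 443:
    reordered = SAMPLE_ACL[1:] + SAMPLE_ACL[:1]
    print("deny rule last:", evaluate(reordered, "203.0.113.7", 443))
```

The reordering at the end is the point to take away: the same three rules permit the blocked host as soon as the deny line is moved below a broader permit, because evaluation stops at the first match.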

Cyber security
In a computing context, cyber security is the body of technologies, processes and practices designed to
protect networks, computers, programs and data from attack, damage or unauthorized access.

Elements of cyber security include:

 Application Security

 Information security

 Disaster recovery /business continuity planning

 Operational security

 End-user education

One of the most problematic elements of cyber security is the quickly and constantly
evolving nature of security risks.

Understanding Security Principles and Terminology
Types of Security
1. Physical Security
2. Communication Security
3. Computer Security
4. Network Security
1. Physical Security
Physical security is the concept of being able to control who has physical access to the
assets within the organization.
2. Communication Security
Communication security deals with protecting the information that is traveling between
the source and destination by encrypting the communication.
3. Computer Security
Computer security is one of the most popular types of security. It deals with securing the
computer systems by implementing a number of best practices such as authentication, access
control, data redundancy, malware protection, and system-hardening techniques.
4. Network Security
Network security is another popular type of security and deals with securing the
network, not a particular system. Network security deals with such things as controlling who
gains access to the network (switch security) and what type of traffic can enter the network
(firewalls). This is complemented by monitoring network traffic for suspicious activity (an
intrusion detection system).

Human beings have always had two inherent needs:

(a) To communicate and share information, and

(b) To communicate selectively.

These two needs gave rise to the art of coding messages in such a way that only the intended people
could have access to the information.

Unauthorized people could not extract any information, even if the messages fell into their hands.
The art and science of concealing messages to introduce secrecy in information security is
recognized as cryptography.

The word ‘cryptography’ was coined by combining two Greek words, ‘krypto’ meaning hidden
and ‘graphene’ meaning writing.

Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches:

Cryptography

Cryptanalysis

What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of providing information
security.

Cryptography deals with the actual securing of digital data. It refers to the design of mechanisms based
on mathematical algorithms that provide fundamental information security services. You can think of
cryptography as the establishment of a large toolkit containing different techniques for security
applications.

What is Cryptanalysis?
The art and science of breaking cipher text is known as cryptanalysis.

It involves the study of cryptographic mechanisms with the intention to break them.

Cryptanalysis is also used during the design of new cryptographic techniques
to test their security strength.

Cryptography Primitives
Cryptography primitives are nothing but the tools and techniques in cryptography
that can be selectively used to provide a set of desired security services:

1. Encryption
2. Hash functions
3. Message Authentication Codes (MAC)
4. Digital Signatures

CRYPTO SYSTEMS

A cryptosystem is an implementation of cryptographic techniques and their accompanying
infrastructure to provide information security services.

A cryptosystem is also referred to as a cipher system.

Components of a Cryptosystem

The various components of a basic cryptosystem are as follows:

Plaintext. It is the data to be protected during transmission.

Encryption Algorithm. It is a mathematical process that produces a cipher text for any given plaintext
and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input
and produces a cipher text.

Cipher text. It is the scrambled version of the plaintext produced by the encryption algorithm
using a specific encryption key. The cipher text is not guarded. It flows on a public channel. It can be
intercepted or compromised by anyone who has access to the communication channel.

Decryption Algorithm. It is a mathematical process that produces a unique plaintext for any given
cipher text and decryption key. It is a cryptographic algorithm that takes a cipher text and a decryption
key as input, and outputs a plaintext.

The decryption algorithm essentially reverses the encryption algorithm and is thus closely related to it.

Encryption Key. It is a value that is known to the sender. The sender inputs the encryption key
into the encryption algorithm along with the plaintext in order to compute the cipher text.

Decryption Key. It is a value that is known to the receiver. The decryption key is related to the
encryption key, but is not always identical to it. The receiver inputs the decryption key into the
decryption algorithm along with the cipher text in order to compute the plaintext.

For a given cryptosystem, the collection of all possible decryption keys is called the key space.

Interceptor. An interceptor (an attacker) is an unauthorized entity who attempts to determine the
plaintext. He can see the cipher text and may know the decryption algorithm.

He, however, must never know the decryption key.

Cryptosystems

  Classic Ciphers
    Substitution: Caesar, Atbash
    Transposition: Rail Fence, Route

  Modern Ciphers
    Private Key: DES, 3DES, IDEA
    Public Key: RSA, Diffie-Hellman

CRYPTOGRAPHY – Substitution or Traditional Cipher

Earlier Cryptographic Systems

Before proceeding further, you need to know some facts about historical cryptosystems:
 All of these systems are based on a symmetric key encryption scheme.
 The only security service these systems provide is confidentiality of information.
 Unlike modern systems, which are digital and treat data as binary numbers, the earlier systems
worked on alphabets as the basic element.

These earlier cryptographic systems are also referred to as ciphers. In general, a cipher is
simply a set of steps (an algorithm) for performing both an encryption and the
corresponding decryption.

Caesar Cipher
It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted
by another letter to form the cipher text. It is the simplest form of substitution cipher scheme.

This cryptosystem is generally referred to as the Shift Cipher. The concept is to
replace each letter by another letter which is ‘shifted’ by some fixed number
between 0 and 25.

For this type of scheme, both sender and receiver agree on a ‘secret shift number’ for shifting
the alphabet. This number, which is between 0 and 25, becomes the key of encryption.

Process of Shift Cipher

In order to encrypt a plaintext letter, the sender positions the sliding ruler underneath the first
set of plaintext letters and slides it to the LEFT by the number of positions of the secret shift.

The plaintext letter is then encrypted to the cipher text letter on the sliding ruler underneath.
The result of this process is depicted in the following figure.

Decryption reverses the process: the receiver slides the ruler back by the same secret shift and then
replaces each cipher text letter by the plaintext letter on the sliding ruler underneath. Hence the
cipher text ‘WXWRULDO’ is decrypted to ‘Tutorial’. To decrypt a message encoded with a shift of 3,
generate the plaintext alphabet using a shift of ‘-3’.


Security Value

Caesar Cipher is not a secure cryptosystem because there are only 26 possible keys to try out.
An attacker can carry out an exhaustive key search with available limited computing resources.

Summary Caesar Cipher

• earliest known substitution cipher

• by Julius Caesar

• first attested use in military affairs

• replaces each letter by the letter three positions further on in the alphabet

• example:

meet me after the toga party

PHHW PH DIWHU WKH WRJD SDUWB


Polyalphabetic Ciphers

 another approach to improving security is to use multiple cipher alphabets, called
polyalphabetic substitution ciphers
 makes cryptanalysis harder with more alphabets to guess and a flatter frequency
distribution
 use a key to select which alphabet is used for each letter of the message
 use each alphabet in turn; repeat from the start after the end of the key is reached
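The following block is an added example and not code from the original notes. It implements the shift (Caesar) cipher from the summary above, the exhaustive key search that the Security Value paragraph says breaks it (26 keys only), and the polyalphabetic generalisation described in the bullets just above, in the form of the Vigenère cipher, where a keyword selects which shifted alphabet is used for each letter in turn. The Caesar sample texts are the ones in the notes; the Vigenère message and keyword are constructed for the example.

```python
# Added example (not from the original notes): shift cipher, Vigenère cipher and
# a 26-key brute force. Letters are shifted modulo 26 and keep their case;
# anything that is not a letter (spaces, punctuation) passes through unchanged.
import string

ALPHABET = string.ascii_uppercase


def shift_letter(ch, shift):
    """Shift one letter by `shift` positions (negative shifts go backwards)."""
    if ch.isupper():
        return ALPHABET[(ALPHABET.index(ch) + shift) % 26]
    if ch.islower():
        return ALPHABET[(ALPHABET.index(ch.upper()) + shift) % 26].lower()
    return ch


def caesar_encrypt(plaintext, key):
    """Mono-alphabetic shift cipher; Caesar's own key is 3, any key 0..25 works."""
    return "".join(shift_letter(c, key) for c in plaintext)


def caesar_decrypt(ciphertext, key):
    """Decryption is the same shift applied in the opposite direction (-key)."""
    return caesar_encrypt(ciphertext, -key)


def vigenere(text, keyword, decrypt=False):
    """Polyalphabetic cipher: letter i uses the alphabet chosen by keyword[i mod len(keyword)]."""
    shifts = [ALPHABET.index(k) for k in keyword.upper()]
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            s = shifts[i % len(shifts)]
            out.append(shift_letter(ch, -s if decrypt else s))
            i += 1  # only letters consume a key position, so the key wraps correctly
        else:
            out.append(ch)
    return "".join(out)


def brute_force_caesar(ciphertext, crib):
    """Exhaustive key search: try all 26 shifts, return (key, plaintext) containing the crib."""
    for key in range(26):
        candidate = caesar_decrypt(ciphertext, key)
        if crib.lower() in candidate.lower():
            return key, candidate
    return None


if __name__ == "__main__":
    c = caesar_encrypt("MEET ME AFTER THE TOGA PARTY", 3)
    print(c)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    print(brute_force_caesar(c, "toga"))       # (3, 'MEET ME AFTER THE TOGA PARTY')
    v = vigenere("ATTACKATDAWN", "LEMON")      # constructed message and keyword
    print(v, vigenere(v, "LEMON", decrypt=True))
```

The brute-force function is the whole security argument of the notes in code: with a 26-element key space, every key can be tried and the right one recognised by a crib word. The Vigenère cipher defeats this particular search only because its key space grows with the keyword length; its weakness (repeating key period) is a separate topic.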

Transposition Cipher

 Plaintext units shift their order


 Units remain unaltered

Common Transposition ciphers


 Rail fence cipher
 Route Cipher
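An added example, not the notes' own code: the rail fence cipher, the first of the two transposition ciphers listed above, implemented in Python. It demonstrates the defining property stated above, that the plaintext units are unchanged and only their order moves, and that the key is just the number of rails. The sample plaintext is constructed for the example.

```python
# Added example (not from the original notes): rail fence transposition cipher.
# Encryption writes the plaintext in a zig-zag across `rails` rows and reads it
# off row by row; decryption rebuilds the zig-zag positions and puts the cipher
# text characters back into them. No character is ever substituted.


def rail_pattern(length, rails):
    """Row visited by each text position: 0,1,2,1,0,1,2,1,... for three rails."""
    if rails < 2:
        return [0] * length
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]


def rail_fence_encrypt(plaintext, rails):
    rows = [[] for _ in range(rails)]
    for ch, r in zip(plaintext, rail_pattern(len(plaintext), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext, rails):
    pattern = rail_pattern(len(ciphertext), rails)
    # Plaintext positions listed rail by rail: exactly the order in which the
    # cipher text was written out, so the k-th cipher character goes to order[k].
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plaintext = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, order):
        plaintext[pos] = ch
    return "".join(plaintext)


if __name__ == "__main__":
    msg = "WEAREDISCOVEREDFLEEATONCE"  # constructed sample plaintext
    c = rail_fence_encrypt(msg, 3)
    print(c)                            # WECRLTEERDSOEEFEAOCAIVDEN
    print(rail_fence_decrypt(c, 3))     # WEAREDISCOVEREDFLEEATONCE
```

Because the letter multiset is preserved, a frequency count of the cipher text looks exactly like the plaintext's, which is how an analyst recognises a transposition rather than a substitution cipher.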

MODERN SYMMETRIC KEY ENCRYPTION


Digital data is represented in strings of binary digits (bits) rather than alphabets. Modern
cryptosystems need to process these binary strings to convert them into another binary string.

Based on how these binary strings are processed, symmetric encryption schemes
can be classified into:

Stream Ciphers
In this scheme, the plaintext is processed one bit at a time i.e. one bit of plaintext is taken, and
a series of operations is performed on it to generate one bit of cipher text. Technically,
stream ciphers are block ciphers with a block size of one bit.
Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a block
of plaintext bits is selected, a series of operations is performed on this block to generate a block
of cipher text bits. The number of bits in a block is fixed. For example, the schemes DES and AES
have block sizes of 64 and 128, respectively.

Block Cipher Schemes


There is a vast number of block cipher schemes that are in use. Many of them are publicly
known. The most popular and prominent block ciphers are listed below.

1. Symmetric Algorithms
2. Asymmetric Algorithms

1. Symmetric Algorithms

 Usually use the same key for encryption and decryption
 Encryption key can be calculated from the decryption key and vice versa
 Require sender and receiver to agree on a key before they communicate securely
 Security lies with the key
 Also called secret key algorithms, single-key algorithms, or one-key algorithms
 Shared or pre-shared key: This name stems from the fact that you need to share the key
with the person who is going to decrypt the information.
 Secret key: This name comes from the fact that you must keep the key secret from
others who should not decrypt the information.
 Session key: This name comes from the fact that many implementations of symmetric
encryption use a random key, known as a session key, to do the encryption/decryption.
 Private key: This name comes from the fact that you need to keep the key private to
only the parties who are to decrypt the information; otherwise, you lose confidentiality.

 Data Encryption Standard (DES): The popular block cipher of the 1990s. It is now
considered a ‘broken’ block cipher, due primarily to its small key size.
 Triple DES: It is a variant scheme based on repeated DES applications. It is still a
respected block cipher but inefficient compared to the newer, faster block ciphers
available.
 Advanced Encryption Standard (AES): It is a relatively new block cipher based on the
encryption algorithm Rijndael, which won the AES design competition.
 IDEA: It is a sufficiently strong block cipher with a block size of 64 bits and a key size of 128
bits. A number of applications use IDEA encryption, including early versions of the Pretty
Good Privacy (PGP) protocol. The IDEA scheme has restricted adoption due to
patent issues.

Asymmetric Algorithms
 Use different keys for encryption and decryption
 Decryption key cannot be calculated from the encryption key
 Anyone can use the key to encrypt data and send it to the host; only the host can
decrypt the data
 Also known as public key algorithms
 Ex: Diffie-Hellman, RSA

Asymmetric Encryption Algorithms


There are not as many asymmetric encryption algorithms as there are symmetric encryption
algorithms.
The following are some common asymmetric algorithms:
Rivest Shamir Adleman (RSA): This is the first asymmetric algorithm that implemented
signing and encryption. RSA gets its name from its three creators.
Diffie-Hellman: This algorithm is named after its creators as well. Diffie-Hellman is a key-exchange
protocol that deals with exchanging keys in a secure fashion.
Difference between Symmetric and Asymmetric Encryption

Symmetric Encryption                                   | Asymmetric Encryption
-------------------------------------------------------|-------------------------------------------------------
Symmetric encryption uses one key for both encryption  | Asymmetric encryption uses two cryptographic keys,
and decryption.                                        | known as the public key and the private key.
Symmetric encryption is a lot quicker compared to the  | As asymmetric encryption incorporates two separate
asymmetric method.                                     | keys, the process is slowed down considerably.
Examples: RC4, AES, DES, 3DES, QUAD                    | Examples: RSA, Diffie-Hellman, ECC, El Gamal, DSA

Hashing

 Method used for verifying data integrity
 Uses variable-length input that is converted to a fixed-length output string (hash
value)
 It is collision resistant (two different inputs should not produce the same hash value)
 Difficult (nearly impossible) to reverse; it is a one-way function

The following are some common hashing algorithms that have been used in recent years:
 Message Digest (MD): The MD algorithm was created by Ron Rivest and has different
versions, such as MD2, MD4, and MD5. The MD5 algorithm is one of the most common
hashing algorithms today. It generates a 128-bit hash value.
 Secure Hash Algorithm (SHA): Created by the National Security Agency, the SHA
algorithm has different versions, such as SHA-0, SHA-1, and SHA-2.
The most common hashing protocol of the three in use today, SHA-1, creates a 160-bit hash
value.
 SHA-256 and SHA-512: These are two newer versions of the SHA algorithm that
generate 256-bit and 512-bit hash values. They are considered to not be
susceptible to collision attacks.
 LANMAN: Also known as LM hash, this hashing algorithm is used by older Microsoft
operating systems to hash and store the passwords. LM hash is created by
encrypting the password with DES. It is considered an unsecure method of
storing the password hashes.
 NT LAN Manager (NTLM): Starting with Windows NT operating systems, a new
and improved method of storing the passwords in the registry was used.

Example of inputs and Digest of Hashing
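As an added example (not part of the original notes), the block below uses Python's standard hashlib module to show the properties listed above on real digests: the fixed output length of each algorithm named (128, 160, 256 and 512 bits), and the integrity check a receiver performs, where a single changed byte in the input yields a completely different digest so the published value no longer matches. The messages are constructed for the example.

```python
# Added example (not from the original notes): digests with hashlib, digest
# sizes of the algorithms named in the notes, and an integrity check that fails
# when one byte of the input is changed.
import hashlib


def digest_hex(algorithm, data):
    """Hex digest of `data` (bytes) under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm):
    """Fixed output size in bits, whatever the input length."""
    return hashlib.new(algorithm).digest_size * 8


def verify_integrity(algorithm, data, published_hex):
    """Recompute the digest and compare it with the value the sender published."""
    return digest_hex(algorithm, data) == published_hex


def demo():
    # Constructed sample message; the tampered copy differs in exactly one byte.
    original = b"Transfer 100 EUR to account 12345"
    tampered = b"Transfer 900 EUR to account 12345"
    published = digest_hex("sha256", original)  # what the sender would publish
    return {
        "sizes": {a: digest_bits(a) for a in ("md5", "sha1", "sha256", "sha512")},
        "original_ok": verify_integrity("sha256", original, published),
        "tampered_ok": verify_integrity("sha256", tampered, published),
        "original_digest": published,
        "tampered_digest": digest_hex("sha256", tampered),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the check only proves integrity against accidental or unsophisticated modification: an attacker who can alter the message can also recompute the digest, which is why the digest itself has to be protected, for example by a MAC or by a digital signature as described later in these notes.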


Quantum Cryptography
A newer method of encryption that has come to light in recent years is known as quantum
cryptography. Quantum cryptography is currently used with fiber-optic networks. It is based on
sending the encrypted information as photons (particles of light), which are then converted to
binary data.
Encrypting Data
Full disk: Most operating systems today support full-disk encryption.
For example, Windows 7 and 8 have BitLocker, which allows you to encrypt the contents of the
entire drive, including the operating system, or encrypt specific partitions.
Database: When storing information in a database, it is critical that you encrypt sensitive
information.
For example, if your company has an application that stores customer credit card numbers, or
even customer passwords, to the site, you should encrypt that data in the database because a
hacker could gain access to the database and discover this information.
Individual files: If you are not encrypting the contents of the entire drive, then you can
encrypt the contents of selected sensitive documents. For example, you can use the
Encrypting File System (EFS) in Windows to encrypt individual files and folders.
Removable media: If you are storing data on a removable drive, such as a flash drive, be
sure to encrypt all company data on this drive. It is too easy to lose or forget the flash drive
somewhere, and if the data is not encrypted, it can be read by anyone!
Mobile devices: Most mobile devices will allow you to encrypt the contents of the mobile
device so that if the device is lost or stolen, no one is able to retrieve the data on the device.

Secure Communications Protocols/Transport Encryption


HTTP Secure (HTTPS): Instead of using HTTP, which is the protocol for unsecured web traffic,
you should be using HTTPS, also known as Secure HTTP (SHTTP).
HTTPS uses SSL to encrypt the communication between the client and the web server.

A security certificate is allotted to a website or web application by a third-party certification
authority (CA).
Typically, the CA evaluates the security framework of the website requesting the security
certificate. Once the security, legitimacy and authenticity of the website are confirmed, a
security certificate is provided.

Secure Socket Layer (SSL)/Transport Layer Security (TLS): SSL has become the
popular protocol over the last number of years for encrypting traffic, such as web and email
traffic. TLS is a more secure protocol that is designed to replace SSL.
Secure MIME (S/MIME): S/MIME is the protocol used to encrypt e-mail messages on
the network.
Internet Protocol Security (IPsec): IPsec is a popular security protocol that is designed
to encrypt all IP traffic, no matter what the application is.
IPsec has two modes:
1. Transport mode
2. Tunnel mode
1. Transport mode
With transport mode, only the payload of the packet (data portion) is encrypted.
2. Tunnel mode
With tunnel mode, the header of the packet and the data are encrypted.
Secure Shell (SSH): SSH is designed to be a secure replacement for Telnet, and provides
authentication and encryption services. SSH can be used to create an encrypted channel so
that communication through the channel is encrypted.
Secure FTP (SFTP): SFTP, also known as FTP Secure (FTPS), is an extension of SSH that allows
secure transfer and management of files through an SSH channel.
Secure Copy Protocol (SCP): Like SFTP, SCP runs on top of an SSH channel in order to encrypt
the communication used to transfer a file.
Wireless: You should encrypt wireless communication with WEP, WPA, or the more secure
WPA2.

Understanding Steganography
Steganography is a cryptography concept that involves a person hiding text information inside
graphic files.
A number of steganography applications can be used to modify a graphic file and
hide text documents in the graphic file.

Digital Signatures

A digital signature is a technique based on public key cryptography, with a difference. In
public key cryptography a pair of keys is used, one public key and one private key. The
public key is often used for message encryption and the private key is often used for
decrypting the message. However, in the case of a digital signature, the message is encrypted with the
private key and decrypted with the public key.

- Only the specific person with the corresponding private key can encrypt the message, or in other
words sign the message; however, any party who has the signatory’s public key can decrypt
the message, in other words can verify the message.

How the digital signature is verified by the receiver

Signature verification may be performed by any party: the signatory (sender), the intended
receiver or any other party, using the signatory’s public key.
A signatory may wish to verify that the computed signature is correct before sending the
signed message to the intended receiver.

The intended receiver (or any other party) verifies the signature to determine its authenticity
upon receiving the message.

Attributes of Digital Signature

Authentication: Authentication means the act of proving who you say you are. It means that you know
who created and sent the message. A digital signature is used to authenticate the source of messages;
it assures the user of the identity of the sender.

Integrity: Integrity ensures that when a message is sent over a network, the data that arrives is
the same as the data that was originally sent. Integrity is the assurance that the information is
trustworthy and accurate. A digital signature ensures the integrity of the message.

Non-Repudiation: This is an important criterion of digital signatures. As a digital signature ensures
the authentication of the message, the sender can’t repudiate it later.

At the same time it also ensures the identity of the receiver, so the receiver can’t repudiate it
later.
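The following is an added example and not code from the original notes. It carries the description above through in textbook RSA: the signer transforms a SHA-256 hash of the message with the private key, and anyone holding the public key inverts that transformation and compares the result with their own hash of the message, which is what gives authentication, integrity and non-repudiation at once. To keep the block self-contained it uses two fixed Mersenne primes (2^127-1 and 2^521-1) instead of a random key generator; that choice, and the absence of a padding scheme such as RSASSA-PSS, is what makes this a teaching example rather than a usable signature scheme.

```python
# Added example (not from the original notes): textbook RSA signature with a
# SHA-256 message hash. sign() uses the PRIVATE exponent, verify() the PUBLIC
# one, matching the notes' phrasing "encrypted with the private key and
# decrypted with the public key". Keys are fixed, well-known primes so the
# example runs without a prime generator; real keys are randomly generated and
# a padding scheme is applied to the hash before exponentiation.
import hashlib

P = (1 << 127) - 1   # Mersenne prime M127 (demo value, not a real key)
Q = (1 << 521) - 1   # Mersenne prime M521 (demo value, not a real key)
N = P * Q            # ~648-bit modulus, so a 256-bit hash value is always < N
E = 65537            # public exponent; coprime with (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)   # may be given to anyone
PRIVATE_KEY = (N, D)  # known only to the signatory


def message_hash(message):
    """SHA-256 of the message interpreted as an integer (0 <= h < N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Signatory: raise the hash to the private exponent mod N."""
    n, d = private_key
    return pow(message_hash(message), d, n)


def verify(message, signature, public_key):
    """Any party: undo the private-key operation with the public key and compare hashes."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message)


def demo():
    # Constructed sample message and a tampered copy of it.
    original = b"Pay 100 EUR to Alice"
    tampered = b"Pay 900 EUR to Alice"
    sig = sign(original, PRIVATE_KEY)
    return verify(original, sig, PUBLIC_KEY), verify(tampered, sig, PUBLIC_KEY)


if __name__ == "__main__":
    print(demo())  # (True, False): genuine message verifies, tampered one does not
```

Because verification needs only the public key, the sender can check the signature before transmitting, and the receiver or any third party can check it afterwards, exactly the three verification cases the notes list.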

Add a Digital Signature Using a Signature Line

1. To add a digital signature, open your Microsoft Word document and click where
you’d like to add your signature line.
2. From the Word ribbon, select the Insert tab and then click Signature Line in
the Text group.

3. A Signature Setup pop-up box appears. Enter your information in the text fields
and click OK.

4. Double-click the signature line.

5. A Sign pop-up box appears. At the X, type your name. Next, look at the Signing
as: field. Select the signing certificate. To ensure that this is the correct certificate,
click the Change button.

 Malware is used primarily to steal sensitive personal, financial, or business information
for the benefit of others.
 Malware is sometimes used broadly against government or corporate websites to
gather guarded information, or to disrupt their operation in general. However, malware
is often used against individuals to gain personal information such as social security
numbers, bank or credit card numbers, and so on. Left un-guarded,

Rootkits

 Originally a UNIX technique

- The root in rootkit

 Modifies core system files that are part of the kernel

 Can be invisible to the operating system

- Won’t see it in Task Manager

 It often comes combined with additional software

Rootkits for good causes


Although there are implications that must be carefully considered, there are potential benefits
of using rootkits, which can be legitimately applied to the following areas:

 Monitoring employees.

 Protection of intellectual property.

 Protecting programs from malware activity or user errors (accidental deletion, for
example).

Trojan horses

Can make copies of themselves, steal information, or harm their host computer systems

Characteristics of Trojan horses

What is a computer virus?

 Computer viruses are small software programs that are designed to spread from one computer
to another and to interfere with computer operation.
 A virus might corrupt or delete data on your computer, use your email program to spread itself
to other computers, or even erase everything on your hard disk.
Various types of virus :
1. File Virus: This type of virus infects a program by appending itself to the end of the file and
changing the start of the program so that control jumps to the virus code first. After the virus code
has run, control returns to the original program, so the infection is rarely noticed. It is also
called a parasitic virus because it attaches itself to a host file yet leaves the host functional.
2. Boot sector Virus: It infects the boot sector of a disk, so it executes every time the system is
booted, before the operating system is loaded. It spreads to other bootable media such as floppy
disks. Because it loads into memory at boot rather than infecting individual files, it is also
described as a memory-resident virus.
3. Macro Virus: Unlike most viruses, which are written in lower-level languages (such as C or
assembly), macro viruses are written in a high-level macro language such as Visual Basic for
Applications. They are triggered when a program capable of executing macros opens the infected
document; for example, a macro virus can be contained in a spreadsheet file.
4. Source code Virus: It looks for source code on the system and modifies it to include the virus,
so that the compiled program spreads it further.
5. Polymorphic Virus: A virus signature is a pattern that identifies a virus (a series of bytes that
make up the virus code). To avoid signature-based antivirus detection, a polymorphic virus changes
its code each time it replicates: the functionality stays the same, but the byte pattern (the
signature) differs from copy to copy.
6. Encrypted Virus: To avoid detection, this type of virus is stored in encrypted form and carries
a small decryption routine with it. The virus first decrypts itself and then executes. The encrypted
body has no fixed signature, but the decryption routine does, and that is what scanners look for.
7. Stealth Virus: It is a very tricky virus because it tampers with the system functions that could be
used to detect it, which makes detection very difficult. For example, it can hook the read system
call so that whenever a user or a scanner reads a file modified by the virus, the original (clean)
contents are shown rather than the infected code.
8. Tunneling Virus: This virus attempts to bypass detection by installing itself in the interrupt
handler chain, underneath the antivirus software. Interception programs that remain in the
background of the operating system to catch viruses are effectively disabled while a tunneling
virus is active. Similar viruses install themselves in device drivers.
9. Multipartite Virus: This type of virus is able to infect multiple parts of a system, including the
boot sector, memory and files. This makes it difficult to detect and contain.
10. Armored Virus: An armored virus is coded to make it difficult for antivirus software to unravel
and understand. It uses a variety of techniques to do so, such as fooling the antivirus into believing
that the virus lies somewhere other than its real location, or using compression or obfuscation to
complicate analysis of its code.
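The signature, encryption and polymorphism ideas in items 5 and 6 can be seen in a small Python model. This is an added example, not code from the original notes: the "virus body", the decryptor stub and the host program are constructed placeholder byte strings (nothing here executes), and static_scan and xray_scan are simplified stand-ins for what an antivirus engine does.

```python
import random

# Constructed, harmless stand-in for a virus body (plain bytes, not executable code).
BODY = b"<<constructed viral body: replicate, infect, return to host>>"
# The byte pattern a signature scanner is taught: 16 bytes taken from the body.
BODY_SIGNATURE = BODY[13:29]
# The constant decryption routine carried by the "encrypted virus" variant.
STUB = b"DECRYPTOR-STUB:"
# Constructed bytes standing in for the host program.
HOST = b"HOST-PROGRAM-BYTES"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the toy cipher used by the encrypted variant."""
    return bytes(b ^ key for b in data)


def plain_infected_file(host: bytes = HOST) -> bytes:
    """File (parasitic) virus: the body is appended to the host program."""
    return host + BODY


def encrypted_infected_file(key: int, host: bytes = HOST) -> bytes:
    """Encrypted virus: constant stub + key byte + body XOR-ed with the key.
    The body bytes change with the key, but STUB is still a fixed pattern."""
    return host + STUB + bytes([key]) + xor_bytes(BODY, key)


def polymorphic_infected_file(key: int, seed: int = 1, host: bytes = HOST) -> bytes:
    """Polymorphic virus: the decryptor itself is rewritten for every copy
    (modelled here as junk bytes interleaved with the stub), so neither the
    stub nor the body is a stable byte pattern between copies."""
    rng = random.Random(seed)
    mutated = b"".join(bytes([b, rng.randrange(256)]) for b in STUB)
    return host + mutated + bytes([key]) + xor_bytes(BODY, key)


def static_scan(sample: bytes, signature: bytes) -> bool:
    """Plain signature scan: is the byte pattern anywhere in the file?"""
    return signature in sample


def xray_scan(sample: bytes, signature: bytes) -> bool:
    """'X-raying': assume a single-byte XOR layer, try every key, and scan
    the decrypted bytes. It recovers the body signature however the stub
    was mutated, as long as the cipher is this weak."""
    return any(signature in xor_bytes(sample, k) for k in range(256))


def demo() -> dict:
    """Run the scanners over each variant; keys name the scanner/variant pair."""
    plain = plain_infected_file()
    enc = encrypted_infected_file(0x5A)
    poly = polymorphic_infected_file(0x5A)
    return {
        "static_body_plain": static_scan(plain, BODY_SIGNATURE),    # True
        "static_body_encrypted": static_scan(enc, BODY_SIGNATURE),  # False
        "static_stub_encrypted": static_scan(enc, STUB),            # True
        "static_stub_polymorphic": static_scan(poly, STUB),         # False
        "xray_body_polymorphic": xray_scan(poly, BODY_SIGNATURE),   # True
        "xray_clean_host": xray_scan(HOST, BODY_SIGNATURE),         # False
    }
```

The result of demo() is the whole story of this list in six booleans: a plain file virus is caught by its body signature, an encrypted virus hides the body but exposes its constant decryptor, a polymorphic virus hides both, and only a scanner that undoes the encryption (here by brute-forcing the 256 possible XOR keys, which is why real engines emulate the decryptor instead of pattern-matching it) sees the body again.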
How to know if your computer is infected by a virus

After you open and run an infected program or attachment on your computer, you might not
realize that you have introduced a virus until you notice something isn't quite right.

Here are a few indicators that your computer might be infected:

 Your computer runs more slowly than normal

 Your computer stops responding or freezes often

 Your computer crashes and restarts every few minutes

 Your computer restarts on its own and then fails to run normally

 Applications on your computer don't work correctly

 Disks or disk drives are inaccessible

 You can't print correctly

 You see unusual error messages

 You see distorted menus and dialog boxes

None of these symptoms proves an infection on its own (failing hardware or a bad update can
cause the same effects), and well-written malware produces none of them, so treat them as a
reason to scan, not as a diagnosis.

Steps for protecting against viruses

Step 1: Install reputable antivirus software and keep it current.

Step 2: Run the antivirus "live update" daily so that its signatures stay up to date (or enable
automatic signature updates).

Step 3: Turn on "automatic updates" for the operating system so that security patches are applied
promptly.

Step 4: Enable the firewall on your Internet connection.

A computer worm
Spyware

Spyware is a type of malware (malicious software) installed on a computer that collects
information about its users without their knowledge.

 The presence of spyware is typically hidden from the user and can be difficult to detect.

 Some spyware may be installed intentionally by the owner of a shared, corporate, or public
computer in order to monitor its users.

Anti-spyware software

 Running anti-spyware software has become a widely recognized element of computer
security practice.

Key logger

 Keystroke logging (more often called keylogging, performed by "key loggers") is the action of
tracking (or logging) the keys struck on a keyboard,

 typically in a covert manner so that the person using the keyboard is unaware that their actions
are being monitored. There are numerous keylogging methods, ranging from hardware devices
placed between the keyboard and the computer to software that hooks keyboard input inside the
operating system.

How to read keylogger


Email Malware
There are numerous e-mail security risks that lead to information theft or lost passwords; among
those risks are

1. phishing

2. spam

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card
details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic
communication.

• The purpose of a phishing message is to acquire sensitive information about a user. To do so the
message needs to deceive the intended recipient, so it typically imitates a bank, an employer or a
service the recipient uses and creates a sense of urgency.

Example of phishing messages

How to avoid being a phishing victim

1. Never respond to requests for personal information via e-mail. When in doubt, call the
institution that claims to have sent you the e-mail, using a phone number you already have rather
than one given in the message. A generic salutation such as "Dear Sir or Madam" instead of your
name is a warning sign, since a real institution knows who you are.

2. If you suspect the message, don't use the links within the e-mail to get to a web page; type the
institution's address into the browser yourself.

3. Never fill out forms in e-mail messages that ask for confidential information.
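A heuristic check for the warning signs listed above, as an added example that is not part of the original notes. Both messages are constructed samples: the domains and addresses are reserved example values, the IP address is from a documentation range, and the indicator wording is this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real e-mails). The first imitates a bank with
# a look-alike sender domain and a link whose visible text and target disagree.
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Dear Sir or Madam,</p>
<p>Your account will be suspended. Please <a href="http://198.51.100.7/verify">
log in at https://www.example-bank.com</a> and confirm your password.</p>
"""

CLEAN = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Dear Alice,</p>
<p>Your statement is available at
<a href="https://www.example-bank.com/statements">our website</a>.</p>
"""

GENERIC_SALUTATIONS = ("dear sir or madam", "dear customer", "dear user")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
CREDENTIAL_RE = re.compile(r"\b(password|pin|card number|social security)\b")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"""https?://[^\s<"']+""", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def same_org(host: str, domain: str) -> bool:
    """True if host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw: str) -> list:
    """Return human-readable warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html).lower()      # crude tag stripping
    subject = (msg["Subject"] or "").lower()
    sender_domain = parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()
    found = []

    if any(s in text for s in GENERIC_SALUTATIONS):
        found.append("generic salutation instead of your name")
    if any(w in subject or w in text for w in URGENCY_WORDS):
        found.append("urgency or threat language")
    if CREDENTIAL_RE.search(text):
        found.append("asks for credentials")

    for href, anchor in LINK_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        if IPV4_RE.fullmatch(target):
            found.append(f"link points at a raw IP address ({target})")
        for shown in URL_RE.findall(anchor):           # URL written in the link text
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != target:
                found.append(f"link text shows {shown_host} but goes to {target}")
        if target and not same_org(target, sender_domain):
            found.append(f"link host {target} is not under sender domain {sender_domain}")
    return found
```

phishing_indicators(PHISH) returns six findings and phishing_indicators(CLEAN) returns none. The strongest single sign is the last one: the link goes somewhere other than the sender's domain, which is what rule 2 above protects against. Heuristics like these produce false positives on legitimate mail that uses third-party link trackers, so they belong in a scoring system, not a hard block.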

Securing E-mail

 Secure e-mail uses cryptography (for example S/MIME or PGP) to protect messages transmitted
across insecure networks

 Advantages of e-mail encryption

 E-mail can be transmitted over unsecured links without exposing its contents

 E-mail can be stored in encrypted form, so a compromised mailbox does not expose old messages

A cyber-attack is any type of offensive action that targets computer information systems,
infrastructures, computer networks or personal computer devices, using various methods to
steal, alter or destroy data or information systems.

1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks


2. Man-in-the-middle (MitM) attack
3. Password attack
4. SQL injection attack
Denial-of-Service Attacks
 Any malicious act that causes a system to be unusable by its real user(s), for example by
exhausting its bandwidth, memory, CPU or connection table

Distributed Denial-of-Service Attacks

 Use hundreds or thousands of compromised hosts (a botnet) spread across the Internet to attack
the victim by flooding its link to the Internet or depriving it of resources; because the traffic comes
from many sources, it cannot simply be blocked at one address

 Used by attackers to target government and business Internet sites

2. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone positioned between you and
the party with whom you are communicating is actively monitoring, capturing, and controlling
your communication transparently. For example, the attacker can re-route a data exchange through
a host under their control. When computers are communicating at the lower layers of the network
stack, they might not be able to determine with whom they are really exchanging data, which is
why mutual authentication and encryption (as in TLS) are the usual defence.

Spoofing

 Act of falsely identifying a packet's IP address, MAC address, etc.

 Four primary types

 IP address spoofing

 ARP poisoning

 Web spoofing

 DNS spoofing

IP Address Spoofing

 Used to exploit trust relationships between two hosts

 Involves sending IP packets with a forged source address so that they appear to come from a
trusted host

 Example: a rogue DHCP server attack, in which the attacker answers clients' DHCP requests as if
it were the legitimate server

ARP poisoning

The attacker sends forged ARP replies on the local network so that other hosts record the
attacker's MAC address for the IP address of the gateway (or of another host). Traffic for that
address is then delivered to the attacker, who can read or modify it and forward it on: a
man-in-the-middle attack on the LAN. (Forcing the switch itself to flood data out of all ports is a
different attack, CAM table overflow, covered under switch attacks below.)
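Detecting the symptom of ARP poisoning on an end host, as an added example that is not part of the original notes: it parses two snapshots of the ARP cache in the Linux arp -a output format (the snapshots below are constructed, not captured from a real host) and reports MAC addresses that answer for more than one IP address as well as mappings that changed between snapshots.

```python
import re
from collections import defaultdict

# Constructed output in the style of Linux `arp -a` (not captured from a real host).
# Before: every IP has its own MAC; the gateway 192.168.1.1 is ...:01.
ARP_BEFORE = """\
gateway (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
printer (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.77) at 00:11:22:33:44:77 [ether] on eth0
"""
# After: the host at .77 has answered ARP requests for the gateway's IP, so the
# victim now sends its "to the gateway" frames to the attacker's MAC address.
ARP_AFTER = """\
gateway (192.168.1.1) at 00:11:22:33:44:77 [ether] on eth0
printer (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.77) at 00:11:22:33:44:77 [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp(text: str) -> dict:
    """Map IP -> MAC (lower-case) from `arp -a` style lines."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}


def duplicate_macs(table: dict) -> dict:
    """MACs that appear for more than one IP: a classic poisoning symptom
    (the attacker's MAC now answers for its own IP and for the gateway's)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_mappings(before: dict, after: dict) -> dict:
    """IPs whose MAC changed between two snapshots: ip -> (old_mac, new_mac)."""
    return {ip: (before[ip], after[ip]) for ip in before
            if ip in after and before[ip] != after[ip]}


def check(before_text: str, after_text: str, gateway_ip: str) -> list:
    """Produce alert strings; an empty list means nothing suspicious was seen."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    alerts = []
    for mac, ips in duplicate_macs(after).items():
        alerts.append(f"MAC {mac} claims several IPs: {', '.join(ips)}")
    for ip, (old, new) in changed_mappings(before, after).items():
        level = "GATEWAY" if ip == gateway_ip else "host"
        alerts.append(f"{level} {ip} moved from {old} to {new}")
    return alerts
```

Run check(ARP_BEFORE, ARP_AFTER, "192.168.1.1") and both symptoms are reported; the same snapshot twice reports nothing. Treat the output as an alert rather than proof: first-hop redundancy protocols (HSRP/VRRP) legitimately move a virtual MAC between routers, and a host with several IP aliases shows the same MAC for each of them. The regex matches the Linux format only; Windows arp -a prints a table that would need a different pattern.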

Web Spoofing
 Convinces the victim that he or she is visiting a real and legitimate site, when in fact the pages
are served (or relayed) by the attacker
 Considered both a man-in-the-middle attack and a denial-of-service attack

DNS Spoofing

 The attacker acts as the victim's legitimate DNS server (or poisons its cache) and returns forged
answers

 Can direct users to a compromised server

 Can redirect corporate e-mail or on-line banking sessions through the attacker's server, where
traffic can be copied, modified or stolen before being sent on to the real destination
Password attack

Because passwords are the most commonly used mechanism to authenticate users to an
information system, obtaining passwords is a common and effective attack approach. Access to
a person's password can be obtained by looking around the person's desk, "sniffing" the
connection to the network to acquire unencrypted passwords, using social engineering, gaining
access to a password database, or outright guessing. The last approach can be done in either a
random or a systematic manner:

 Brute-force password guessing means trying many different passwords and hoping that one
works. Some logic can be applied by first trying passwords related to the person's name, job
title, hobbies or similar items.

 In a dictionary attack, a list of common passwords is used to attempt to gain access to a
user's computer and network. One approach is to copy the file that contains the (hashed)
passwords, apply the same hash function to each word in the dictionary, and compare the results;
any match reveals the password. Because this happens offline, on the attacker's own machine, the
target system never sees a failed login.

To protect against online dictionary or brute-force attacks, implement an account lockout policy
that locks the account after a few invalid password attempts (or slows down repeated attempts).
Lockout does nothing against the offline variant, where the attacker already has the hash file; the
defences there are a slow, salted password hash (bcrypt, scrypt, PBKDF2 or Argon2) and passwords
that are not in any wordlist. Lockout also carries a denial-of-service risk: an attacker who can
trigger it can lock legitimate users out.
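The offline dictionary attack described above, as an added example that is not code from the original notes. The password file, salts and wordlist are constructed for the example; sha256_salted and pbkdf2_salted are this example's own hashing functions, not any real system's password format.

```python
import hashlib
import hmac


def sha256_salted(salt: str, password: str) -> str:
    """Fast hash: one SHA-256 per guess. The salt defeats precomputed tables
    but does nothing to slow down guessing (a weak choice for passwords)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def pbkdf2_salted(salt: str, password: str, iterations: int = 200_000) -> str:
    """Slow hash: the same inputs, but every guess now costs 200k iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def make_password_file(entries, hash_fn=sha256_salted) -> str:
    """Build a constructed password file: one 'user:salt:digest' line per entry."""
    return "\n".join(f"{user}:{salt}:{hash_fn(salt, pw)}" for user, salt, pw in entries)


# Constructed test accounts; the digests are generated from these known passwords.
TEST_ENTRIES = [
    ("alice", "x7f2", "Password1"),                        # dictionary word + digit
    ("bob", "q9a1", "letmein"),                            # dictionary word
    ("carol", "m4z8", "correct horse battery staple 42"),  # long passphrase
]
PASSWORD_FILE = make_password_file(TEST_ENTRIES)

# A tiny wordlist; real ones hold tens of millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer"]


def candidates(wordlist):
    """Apply simple mangling rules to every word, the way cracking tools do:
    as-is, capitalised, and with one digit appended or prepended."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for digit in "0123456789":
            yield word + digit
            yield word.capitalize() + digit
            yield digit + word


def dictionary_attack(password_file: str, wordlist, hash_fn=sha256_salted):
    """Offline attack: hash every candidate with each user's salt and compare.
    Returns ({user: recovered_password}, number_of_hashes_computed)."""
    cracked, hashes = {}, 0
    for line in password_file.splitlines():
        user, salt, digest = line.split(":")
        for guess in candidates(wordlist):
            hashes += 1
            # compare_digest is not needed offline, but it is the right habit
            # anywhere an attacker could time the comparison.
            if hmac.compare_digest(hash_fn(salt, guess), digest):
                cracked[user] = guess
                break
    return cracked, hashes
```

dictionary_attack(PASSWORD_FILE, WORDLIST) recovers alice's and bob's passwords and never touches the target system, which is why lockout is irrelevant here. Because each user has a different salt, every guess must be hashed once per user (the hash count grows with the number of accounts); without salts one hash per guess would serve all of them. Passing hash_fn=pbkdf2_salted to both make_password_file and dictionary_attack keeps the hash count identical but makes each hash roughly 200,000 times more expensive, which is the defence a slow password hash provides.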

SQL injection attack

SQL injection has become a common issue with database-driven websites. It occurs when an
attacker gets the application to send a SQL query of the attacker's choosing to the database, by
supplying input from the client that the application concatenates into its SQL statement. SQL
fragments are inserted into data-plane input (for example, into the login or password field) in
order to run SQL commands the developer never intended. A successful SQL injection exploit can
read sensitive data from the database, modify (insert, update or delete) database data, execute
administration operations (such as shutdown) on the database, recover the content of a given
file, and, in some cases, issue commands to the operating system. The defence is to never build
SQL by string concatenation of user input: use parameterized queries (prepared statements), in
which the query text is fixed and the input is passed to the database as data.
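The vulnerable pattern beside its fix, as an added example not drawn from the original notes, using Python's built-in sqlite3 with a constructed in-memory users table (passwords are stored in plain text only to keep the example short; a real application stores hashes).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret!", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """VULNERABLE: user input is concatenated into the SQL text, so quote
    characters in the input become part of the query's syntax."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}' "
           f"ORDER BY username")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """FIXED: the SQL text is constant; the values travel as bound parameters
    and are never parsed as SQL, whatever characters they contain."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = ? AND password = ? ORDER BY username")
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Same inputs through both functions; the dict shows what each returns."""
    conn = make_db()
    return {
        # honest use behaves the same either way
        "honest_vuln": login_vulnerable(conn, "alice", "s3cret!"),
        "honest_safe": login_safe(conn, "alice", "s3cret!"),
        # comment out the password check:  ... WHERE username = 'alice' --' AND ...
        "comment_vuln": login_vulnerable(conn, "alice' --", "wrong"),
        "comment_safe": login_safe(conn, "alice' --", "wrong"),
        # tautology in the password field:  ... AND password = '' OR '1'='1'
        "tautology_vuln": login_vulnerable(conn, "nobody", "' OR '1'='1"),
        "tautology_safe": login_safe(conn, "nobody", "' OR '1'='1"),
    }
```

In demo(), the comment payload logs in as alice without a password and the tautology returns every row; the parameterized version returns nothing for both. One caveat about this particular driver: sqlite3's execute() refuses to run more than one statement, so a stacked payload such as '; DROP TABLE users; -- raises an error here even in the vulnerable function, whereas many other drivers and databases would execute it.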
Physical Security

Physical security refers to limiting access to key network resources by keeping the resources
behind a locked door and protected from natural and human-made disasters. Physical security
can protect a network from inadvertent misuse of network equipment by untrained
employees and contractors. It can also protect the network from hackers, competitors, and
anyone walking in off the street and changing equipment configurations.

Security Controls

Computer security is often divided into three distinct master categories, commonly referred to
as controls:
 Physical
 Technical
 Administrative
These three broad categories define the main objectives of proper security implementation.
Within these controls are sub-categories that further detail the controls and how to implement
them.

Physical Controls

 When managing a network environment, it is critical to secure:

 Equipment

 Data

 Power supplies

 Wiring
 Personnel with access to the location

Location and Environment Considerations

 Visibility

 Accessibility

 Propensity for environmental problems

Physical Controls Construction

 Composition of construction materials

 Evaluation of fire rating

 Security of doors

 Load and weight bearing ratings of the ceilings

 Location of water and gas line shut-off valves

 Location of fire detection and suppression devices

Physical Barriers

 Types of physical barriers

 Locks

 Fencing

 Lighting
Preset Lock

 Typical locks that utilize a physical lock and key

 Least secure

Cipher locks

 Programmable locks that utilize a keypad for entering a PIN or password

 More expensive than preset locks

 Offer more security and flexibility

Cipher Locks
Options offered by cipher locks

 Door Delay – An alarm is triggered if the door is held or propped open for too long

 Key override – A combination can be set into the lock to be used during an emergency or for
supervisory needs

 Master Keyring – Allows supervisors to change access codes and other features

 Hostage Alarm – An employee under duress can enter a specific code that opens the door but
silently notifies security personnel

Biometric Locks

Fingerprints and palm prints

 The finger or palm is scanned by an optical scanner and the image is compared to an archived
template of the enrolled print

Hand Geometry

 The length and width of the hand and fingers are scanned by the optical scanner and compared
to archived data

Eye scans

 Retinal scans (the pattern of blood vessels at the back of the eye)

 Iris scans (the pattern of the coloured ring around the pupil)

Signature Dynamics

 The motions performed when signing (speed, pressure, stroke order) are observed, not just the
resulting image

Voiceprints

 Inflection, pitch and intonation of one's voice are used

Fooling biometric techniques

 All biometric systems exhibit false positives (accepting an impostor) and false negatives
(rejecting the legitimate user); tuning the match threshold trades one for the other

 Use of "gummy" (gelatin) fingers cast from a lifted fingerprint against fingerprint scanners

 Signature forgery

DNA analysis

Multi-criteria Locks

 Combine the strengths of other lock types (e.g. a PIN plus a card or a biometric)

 As complexity increases, so do cost and security

Device Locks

Used to secure computer hardware and network devices

Examples: cable locks, switch controls, slot locks, port controls, cable traps, etc.

Cable lock: consists of a coated steel cable that attaches PCs, laptops, printers, etc. to stationary
objects

CompuLock is a system which not only prevents unauthorized access to the interior of the
computer case, but also the common theft of the mouse and keyboard

This type of lock helps prevent your PC's or server's processor chip, memory chips and
other internal components from being stolen
Technical Controls

Technical controls use technology as a basis for controlling the access to and usage of sensitive
data throughout a physical structure and over a network. Technical controls are far-reaching in
scope and encompass technologies such as the following.

Physical Surveillance

Various intrusion detection systems and physical protection measures require human action;
that is called physical surveillance. There are two types of it:

 Security guards

 Guard dogs

Technical Surveillance

 Camera monitoring systems are the more prevalent form

 Cameras record activity within critical areas

 They allow security personnel to assess whether an area has been compromised or not, and
provide evidence afterwards


Ventilation and Power Supply

Positive-pressure ventilation forces air outward from a facility to help guard against
dust and other pollutants being drawn in

Protection against Power Failure

 Uninterruptible power supply (UPS)

 Standby systems

 Backup sources such as a generator

Shielding & Natural Disasters

 Surrounding the devices/wires with metallic shielding can suppress stray electronic
signals (emanations), both leaving and entering the equipment

 Common, cost effective

If the facility and surrounding area are prone to natural disasters, locate elsewhere; otherwise
ensure safeguards such as flood drainage, lightning rods, reinforced buildings, etc.

Administrative Controls

Administrative controls define the human factors of security. They involve all levels of personnel
within an organization and determine which users have access to what resources and
information, by such means as:
 Training and awareness
 Disaster preparedness and recovery plans
 Personnel recruitment and separation strategies
 Personnel registration and accounting

Cisco Switch device hardening

General Management Plane Hardening

1. Password Management
2. Enhanced Password Security
3. Login Password Retry Lockout
4. No Service Password-Recovery
5. Disable Unused Services
6. EXEC Timeout
7. Keepalives for TCP Sessions
8. Management Interface Use
Switch Attacks

• Overview

• Types of Attacks

• CAM Table Overflow Attack

• Mitigating the CAM Table Overflow Attack

• MAC Spoofing—Man-in-the-Middle Attacks

• Mitigating MAC Spoofing Attacks

• Using DHCP Snooping

• DHCP Starvation Attacks

• Mitigating DHCP Starvation Attacks

Overview

Attacks succeed because of weaknesses such as the following:

 Lack of a security policy, or no written policy
 No patch management
 OS or application weaknesses
 Protocol weaknesses
 Network configuration weaknesses
 Unencrypted passwords
 Exposed services
 Human weaknesses, e.g. social engineering

Switch Attacks
What are the common types of attacks?
 Layer 2 attacks
 Layer 3 attacks
CAM table
We know how the content addressable memory (CAM) table is built, but we also need to know that
this table is not infinite in size. CAM table capacity varies between different Cisco models, but
regardless of the capacity it is finite, and network attackers can take advantage of that fact.

CAM Table Overflow Attack (MAC flooding attack)
In this attack the attacker floods the switch with frames carrying fake (random) source MAC
addresses. The switch learns each one, and because the CAM table can hold only a limited number
of entries, it soon fills up. Once the table is full the switch can no longer learn the MAC addresses
of legitimate hosts, so frames to those hosts are treated as unknown unicast and flooded out of all
ports, exactly as a hub would do. The attacker then opens a sniffer (e.g. Wireshark) and captures
the traffic.

Solution
The CAM table attack can be prevented by limiting the number of MAC addresses that are
allowed on a switch port; this is achieved with port security.

Port Security
Port security limits access to a port based on MAC address. The feature restricts the input
interface to the switch by identifying and controlling the source MAC addresses allowed on it, so
that the port does not forward frames from outside the group of defined addresses. When a frame
arrives on the port, port security compares its source MAC address with the defined (secure)
addresses. The configuration specifies which particular MAC addresses are allowed and how many
MAC addresses are allowed on the interface.

Summary
 A switch's content addressable memory (CAM table) associates a destination MAC address with
an outgoing interface.
 If the CAM table is full, frames to unknown destinations are treated like broadcast traffic.
 The attacker floods frames with random source MAC addresses until the CAM table fills up; the
switch then behaves like a hub.

Types of port security (secure MAC addresses)

1. Static secure MAC addresses
Configured manually on the interface (switchport port-security mac-address <mac>) and stored in
the running configuration.
2. Dynamic secure MAC addresses
The MAC addresses are learned dynamically and stored only in the address table; they are lost
when the switch restarts.
3. Sticky secure MAC addresses
Dynamically learned addresses are added to the running configuration as if they had been typed
in, so they survive the port going down and can be saved with the configuration (copy
running-config startup-config). Most Catalyst switches running a recent IOS release support this.

Security violation (violation mode)
If the maximum number of allowed addresses is exceeded, or a frame arrives from a MAC address
that is already secured on another port, a security violation occurs. There are three violation modes:
1. protect
2. restrict
3. shutdown

1. protect
When the number of secure MAC addresses reaches the limit, frames from any additional MAC
addresses are silently dropped; nothing is logged and the violation counter is not incremented.
2. restrict
Frames from addresses beyond the limit are dropped as in protect mode, but the violation counter
is incremented and a syslog message / SNMP trap informs the administrator that a MAC address
beyond the defined set was seen.
3. shutdown (error disable)
The interface is put into the error-disabled state (the port LED goes off) as soon as a violation
occurs; this is the default violation mode. The difference between error-disabled and a normal
shutdown is that error-disabled can be recovered from automatically with errdisable recovery, or
manually with shutdown followed by no shutdown on the interface.

Note: The most common and recommended port-security setting is dynamic mode with one MAC
address for ports where a single device is supposed to connect, with a drop-and-log action on
violation (restrict mode). Remember that port security limits the number and identity of MAC
addresses only; it does not stop an attacker who spoofs the one allowed address.
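The CAM overflow and the three violation modes, modelled in Python as an added example that is not part of the original notes and is not how IOS implements them: Switch, mac_flood and scenario are this example's own constructions with a 64-entry CAM table and three ports (victim on port 1, attacker on port 2, server on port 3).

```python
import random


class Switch:
    """Tiny model of a Layer 2 switch: a finite CAM table plus port security.
    Constructed for illustration; it is not a real switch implementation."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}       # source MAC -> port it was learned on
        self.secure = {}    # port -> port-security state
        self.events = []    # what syslog would show

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        """switchport port-security maximum <n> / violation <mode>."""
        assert violation in ("protect", "restrict", "shutdown")
        self.secure[port] = {"max": maximum, "mode": violation, "macs": set(),
                             "violations": 0, "err_disabled": False}

    def _active_ports(self):
        return [p for p in self.ports
                if not self.secure.get(p, {}).get("err_disabled")]

    def _port_security_allows(self, port, src):
        cfg = self.secure.get(port)
        if cfg is None:
            return True                       # feature not enabled on this port
        if cfg["err_disabled"]:
            return False                      # port is down, nothing passes
        if src in cfg["macs"]:
            return True
        if len(cfg["macs"]) < cfg["max"]:
            cfg["macs"].add(src)              # dynamic learning of a secure MAC
            return True
        if cfg["mode"] == "restrict":         # drop, count, notify
            cfg["violations"] += 1
            self.events.append(f"restrict: dropped {src} on port {port} (syslog/SNMP)")
        elif cfg["mode"] == "shutdown":       # drop, count, err-disable the port
            cfg["violations"] += 1
            cfg["err_disabled"] = True
            self.events.append(f"shutdown: port {port} err-disabled")
        return False                          # protect: silent drop, no record

    def receive(self, port, src, dst):
        """Process one frame and return the list of egress ports."""
        if not self._port_security_allows(port, src):
            return []
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port              # learn (or refresh) the source
        if dst in self.cam:                   # known destination: one port
            return [] if self.cam[dst] == port else [self.cam[dst]]
        return [p for p in self._active_ports() if p != port]  # unknown: flood


def mac_flood(switch, attacker_port, count, seed=1):
    """CAM overflow: frames with random source MACs, as a flooding tool sends."""
    rng = random.Random(seed)
    for _ in range(count):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        switch.receive(attacker_port, fake, "ff:ff:ff:ff:ff:ff")


def scenario(violation=None):
    """Victim on port 1, attacker on port 2, server on port 3; CAM holds 64.
    Returns the egress ports of the victim's frame to the server, and the switch."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=64)
    if violation:
        sw.enable_port_security(2, maximum=1, violation=violation)
    victim, server = "00:00:00:00:00:01", "00:00:00:00:00:03"
    mac_flood(sw, attacker_port=2, count=200)
    sw.receive(3, server, victim)             # server speaks; can it be learned?
    egress = sw.receive(1, victim, server)    # where does the victim's reply go?
    return egress, sw
```

Without port security, scenario() shows the victim's frame leaving on ports 2 and 3, i.e. the attacker's sniffer sees it, because the 64-entry table is full of fake addresses and the server could not be learned. With any of the three violation modes on port 2 the second fake address is refused, the table never fills, and the frame goes only to port 3; what differs is the evidence left behind: protect records nothing, restrict counts 199 violations and logs each one, shutdown records one violation and takes the port down.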

Configuration

Switch(config)#interface fa0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Switch(config-if)#switchport port-security maximum 1

Switch(config-if)#switchport port-security violation shutdown

Switch(config-if)#end

Switch#show mac address-table

Port security must be switched on with switchport port-security before the maximum and violation
settings take effect, and the port has to be a static access port (a DTP-negotiated dynamic port is
rejected).

Lab 2

CISCO(config)#interface fa0/1

CISCO(config-if)#switchport mode access

CISCO(config-if)#switchport port-security

CISCO(config-if)#switchport port-security mac-address sticky

CISCO(config-if)#switchport port-security maximum 1

CISCO(config-if)#switchport port-security violation shutdown

CISCO(config-if)#exit

CISCO(config)#interface fa0/2

CISCO(config-if)#switchport mode access


CISCO(config-if)#switchport port-security

CISCO(config-if)#switchport port-security mac-address sticky

CISCO(config-if)#switchport port-security maximum 1

CISCO(config-if)#switchport port-security violation shutdown

Summary
Port security is a great feature, but you cannot run it on all ports;

there are a few port types that you can't configure with port security:

1. trunk ports

2. ports placed in an EtherChannel

3. SPAN destination ports

4. 802.1X ports

VLAN hopping attack

This is a Layer 2 attack, because we are dealing with the Layer 2 Ethernet header.

The attacker configures a system to spoof itself as a switch.

The attacker can do so if the system can speak ISL or 802.1Q and the switch port is willing to
negotiate a trunk via DTP; the attacker's port then comes up as a trunk and the attacker becomes a
member of all VLANs.

This is prevented by configuring all user-facing ports as access ports (and disabling trunk
negotiation, DTP, on them), for example:

Switch(config)#interface fa1/2

Switch(config-if)#switchport mode access

STP vulnerabilities
In this attack the attacker forces a spanning tree recalculation by sending BPDUs that advertise a
lower bridge priority than the current root; the attacker's system then becomes the root bridge.

Once the attacker is the root bridge, inter-switch traffic is re-routed through the attacker's
system, where a sniffer can capture and analyze it (a Layer 2 man-in-the-middle).

To avoid spanning tree attacks we use root guard and BPDU guard.
The idea behind root guard is that once the root bridge is elected, we prevent any other bridge
from becoming the root through the guarded ports: a superior BPDU received on such a port puts
the port into the root-inconsistent (blocked) state instead of triggering a re-election.

This configuration is applied on the ports that face switches which must never become root.

STP Root guard configuration

Switch(config)#interface fa0/24

Switch(config-if)#spanning-tree guard root

The other protection is BPDU guard, which error-disables a PortFast (end-host) port the moment
any BPDU is received on it, so an attacker on an access port cannot take part in STP at all:

Switch(config)#spanning-tree portfast bpduguard default

DHCP Starvation and DHCP Spoofing Attacks

A DHCP server has a finite IP address scope.

The attacker sends an unlimited flood of DHCP requests with spoofed source MAC addresses.

The DHCP server leases one IP address per MAC address until the pool is depleted and no more
addresses are available.

This kind of attack is a denial of service (legitimate clients can no longer obtain an address), and
the DHCP starvation attack facilitates a man-in-the-middle attack:

the attacker then sets up a rogue DHCP server on their system and responds to new DHCP
requests from clients on the network, handing out the attacker's own address as default gateway
(or DNS server), so that the victims' traffic flows through the attacker.

Solution

Since the attack generates a huge number of DHCP requests from different MAC addresses, one way
to mitigate it is port security: limit the number of source MAC addresses accepted through the
interface.

Port Security

 Limits the number of source MAC addresses on a port

 Limits the specific MAC addresses allowed on a port

 The attacker then can't generate DHCP requests with lots of source MAC addresses.

However, some DHCP implementations don't use the client's Ethernet source MAC address but the
client hardware address (chaddr) field inside the DHCP request payload.

The attacker can keep the source MAC address in the Ethernet frame the same but vary the
client hardware address inside the DHCP packet.

Port security sees only one source MAC address, so the starvation attack has the same result.

Solution

DHCP Snooping

DHCP snooping tracks all the DHCP communication going between clients and the server.

When a client sends a request, the switch watches for the reply coming back.

When the reply comes back, the switch looks at the client identifier and the IP address that was
assigned, so it records the mapping between MAC address and IP address.

Additional DHCP requests are dropped on interfaces that already have an IP-to-MAC binding in the
snooping table, and server messages (OFFER/ACK/NAK) arriving on untrusted ports are dropped,
which blocks the rogue DHCP server. On untrusted ports the switch also verifies that the chaddr
field matches the frame's source MAC address, which closes the loophole described above, and a
per-port rate limit for DHCP packets stops starvation floods.

With DHCP snooping we have created what we call the binding table; the binding table is used
for filtering ongoing traffic (and is the basis for IP Source Guard and Dynamic ARP Inspection).

The binding table contains the following fields:

1. MAC address
2. IP address
3. lease time
4. binding type
5. VLAN number
6. port (interface)

Configuration

switch1#configure terminal

switch1(config)#ip dhcp snooping

switch1(config)#ip dhcp snooping vlan 50

switch1(config)#ip dhcp snooping database flash:dhcp-snooping.db

switch1(config)#interface fa0/2

switch1(config-if)#description directly connected DHCP Server

switch1(config-if)#ip dhcp snooping trust

The above port is trusted: server replies are accepted on it. The global ip dhcp snooping command
is required in addition to the per-VLAN one, and the database file name after flash: is arbitrary;
it lets the bindings survive a reload.

switch1(config-if)#interface range fa0/3 - 4

switch1(config-if-range)#description directly connected to untrusted hosts

switch1(config-if-range)#ip dhcp snooping limit rate 3

The above command limits each port to 3 DHCP packets per second; if more than that arrive, the
port is put into the error-disabled state.

switch1(config-if-range)#do show ip dhcp snooping

If clients stop getting addresses after snooping is enabled, the usual cause is the option 82
(relay information) data the switch now inserts, which some servers reject; either configure the
server to accept it or turn the insertion off with no ip dhcp snooping information option.
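The checks DHCP snooping performs, modelled in Python as an added example that is not part of the original notes and is not a real switch implementation: DhcpSnooping.handle takes one DHCP message at a time, described by a constructed port/VLAN/MAC tuple, and decides whether to forward it, while building the binding table from server ACKs.

```python
from collections import defaultdict


class DhcpSnooping:
    """Toy model of a switch's DHCP snooping on one VLAN: trusted vs untrusted
    ports, a per-port packet rate limit, chaddr/source-MAC verification, and a
    binding table built from server ACKs. Constructed for illustration only."""

    SERVER_MESSAGES = ("OFFER", "ACK", "NAK")

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit          # DHCP packets per second per untrusted port
        self.seen = defaultdict(int)          # (port, second) -> packets counted
        self.err_disabled = set()
        self.pending = {}                     # client MAC -> (port, vlan) of its request
        self.bindings = {}                    # client MAC -> {"ip", "vlan", "port"}
        self.log = []

    def handle(self, port, vlan, src_mac, msg_type, chaddr, yiaddr=None, t=0):
        """Return True if the DHCP packet is forwarded, False if dropped."""
        if port in self.err_disabled:
            return False
        if port not in self.trusted:
            self.seen[(port, t)] += 1
            if self.seen[(port, t)] > self.rate_limit:
                self.err_disabled.add(port)   # starvation flood: err-disable the port
                self.log.append(f"port {port}: rate limit exceeded, err-disabled")
                return False
            if msg_type in self.SERVER_MESSAGES:
                self.log.append(f"port {port}: {msg_type} from untrusted port dropped (rogue server)")
                return False
            if chaddr != src_mac:             # the 'verify mac-address' check
                self.log.append(f"port {port}: chaddr {chaddr} != source MAC {src_mac}, dropped")
                return False
            self.pending[chaddr] = (port, vlan)
            return True
        # trusted port: server replies pass; an ACK creates the client's binding
        if msg_type == "ACK" and chaddr in self.pending and yiaddr:
            client_port, client_vlan = self.pending.pop(chaddr)
            self.bindings[chaddr] = {"ip": yiaddr, "vlan": client_vlan, "port": client_port}
        return True


def scenario():
    """Legit client on port 3, DHCP server on trusted port 2, attacker on port 4."""
    sn = DhcpSnooping(trusted_ports={2}, rate_limit=3)
    client, server, attacker = "00:aa:00:00:00:01", "00:11:22:33:44:02", "00:ba:d0:00:00:01"
    r = {}
    # normal discover / offer / request / ack exchange
    r["discover"] = sn.handle(3, 50, client, "DISCOVER", chaddr=client, t=0)
    r["offer"] = sn.handle(2, 50, server, "OFFER", chaddr=client, yiaddr="10.0.50.10")
    r["request"] = sn.handle(3, 50, client, "REQUEST", chaddr=client, t=0)
    r["ack"] = sn.handle(2, 50, server, "ACK", chaddr=client, yiaddr="10.0.50.10")
    # rogue server on an untrusted port tries to hand out its own address
    r["rogue_offer"] = sn.handle(4, 50, attacker, "OFFER", chaddr=client,
                                 yiaddr="10.0.50.200", t=0)
    # starvation with a constant source MAC but a varying chaddr (beats port security)
    r["chaddr_spoof"] = sn.handle(4, 50, attacker, "DISCOVER",
                                  chaddr="00:ba:d0:00:00:99", t=0)
    # starvation by sheer volume: six DISCOVERs in one second against a limit of 3
    r["flood"] = [sn.handle(4, 50, attacker, "DISCOVER", chaddr=attacker, t=1)
                  for _ in range(6)]
    return r, sn
```

In scenario() the legitimate exchange is forwarded and leaves one binding (client MAC, 10.0.50.10, VLAN 50, port 3); the rogue OFFER is dropped because it arrives on an untrusted port, the chaddr-spoofed DISCOVER is dropped because the payload address disagrees with the frame's source, and the flood gets three packets through before the port is error-disabled. The binding table is what makes the later features possible: IP Source Guard drops frames whose source IP does not match a binding on that port, and Dynamic ARP Inspection drops ARP replies whose IP/MAC pair is not in the table.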

Chapter 5 Mitigating Security Threats
Understanding Operating System Hardening
Operating system hardening is the process of removing unnecessary features of the operating
system, disabling unnecessary services, and removing unnecessary accounts.
The purpose of removing unnecessary features from the system is to reduce the attack surface,
which is the set of components of a system that an attacker can reach and try to exploit.
Understanding Hardening

The term hardening is usually applied to operating systems. The idea is to "lock down" the
operating system as much as is practical. For example, ensure that all unneeded services are
turned off, all unneeded software is uninstalled, patches are up to date, user accounts are
checked for security, and so forth.

Working with Services

Services are programs that run when the operating system boots, and they often run in the
background without users interacting directly with them. Many services are quite
important, even critical. However, a service can provide an attack vector that someone could
exploit against your system, so be sure to enable only those services that are absolutely
required. Part of operating system hardening is disabling unnecessary services. To display all
the services on your Windows computer (any version from XP to Windows 8 or Windows
Server 2012), first open the Control Panel and then select Administrative Tools.

For example, the Remote Registry service allows technical support personnel to access that
system's Registry remotely. The service can be quite useful in some situations, but it can also
function as a means for an attacker to get into your system. If you don't need it, turn it off.

1. Control Panel ➢ All Control Panel Items ➢ Administrative Tools

2. Then select Services

As a security administrator, you should regularly check all servers and make certain that
only necessary services are running on them. Here are some tips:

File and Print Servers: These are primarily vulnerable to denial-of-service (DoS) and access
attacks.

Networks with PC-Based Systems: In a network that has PC-based systems, make sure that
NetBIOS services are disabled on servers or that an effective firewall is in place between the
server and the Internet. Many popular attacks on Windows systems take place through the
NetBIOS/SMB services on ports 135, 137, 138 and 139 (and 445, which modern SMB uses
directly). On Unix systems, make sure that port 111, the Remote Procedure Call (RPC) portmapper,
is closed to untrusted networks.

Directory Sharing: Directory sharing should be limited to what is essential to performing
system functions.

Linux Service
Uninstall Unnecessary Software
The first step to hardening a system is to uninstall any unnecessary software from the system.
First focus on uninstalling unnecessary third-party software that may be installed on the system.
For example, when you purchase a new computer from a store, the system often comes with a bunch
of preinstalled software that you never use. From a company security viewpoint, the system should
be reformatted and a fresh install of the operating system applied from a known-good image.

How to turn off unnecessary Windows features

In the Start menu search box, type "Turn Windows features on or off" and clear the features you
do not need.

Patches

A patch is an update to a system. Sometimes a patch adds new functionality; in other cases,
it corrects a bug in the software. In Windows, you can select Control Panel ➢ System and
Security ➢ Windows Update and view updates. Doing so allows you to see the updates that are
currently installed, the update settings, and any issues.

If you are running a standalone system (a home system or perhaps a laptop used for travel),
you should elect to have updates installed automatically.

User Account Control

User account control is a very important part of operating system hardening. It is important
that only active accounts be operational and that they be properly managed. This means
disabling unnecessary accounts. Most network administrators focus on domain accounts.
Nevertheless, operating system hardening requires that you pay attention to local accounts
as well. A number of hacking techniques begin by compromising local accounts.

You should disable all accounts that are not needed immediately—on servers and
workstations alike. Here are some types of accounts that you should disable:

Employees Who Have Left the Company: Be sure to disable immediately accounts for any
employee who has left the company. This should be done the minute employment is
terminated. It does not matter why the employee left the company—whether they left on
good terms after giving 2 weeks’ notice, they were fired, or they retired after 30 years of
loyal service—their accounts still get disabled immediately.

Temporary Employees: It is not uncommon to create short-term accounts for brief periods

of time for access by temporary employees. These also need to be disabled the moment
they are no longer needed.

Default Guest Accounts: In many operating systems, a guest account is created during
installation and intended for use by those needing only limited access and lacking their own
account on the system. This account presents a door into the system that should not be
there, and everyone who has worked with the operating system knows of its existence, thus
making it a likely target for attackers. Disable it.

Protect Management Interfaces and Applications

When securing a system, make sure that you limit access to the management software
(interfaces). The principle here is that if a management tool is unavailable to certain employees,
they will be unable to change the configuration of the system or applications.
You can restrict access to the management interfaces of the system and applications in a
number of ways; one of the best is to use the policies provided by the system (on Windows, group
policy and user rights assignments). Windows additionally asks for administrative approval before
configuration changes through User Account Control (UAC), so everyday work can be done
without administrative rights.
Disable Unnecessary Accounts
An often overlooked aspect to hardening a system is to disable any accounts that are not being
used.
Patch System
One of the key next steps you take to harden the system is to ensure that you patch the system.
When you patch the system, you are applying software fixes to known bugs in the software
running on the system. These bugs in the software are what the hackers are exploiting to gain
access to the system.
Security hot-fix: a security hot-fix is a critical security update that should be applied to your
system as quickly as possible because the vulnerability opens the system to serious security
risks.
Patch: A patch is a fix to a particular problem in software or operating system code that is not
required to be applied immediately because the security risk is not as severe as that addressed
by a hot-fix.
Service pack a service pack is all updates for a product, including patches and security hot-fixes,
from the time the product was released up to the time of the service pack. If you install a
service pack, you will not need to install each patch individually because the
Service pack includes all updates up to that point
Password Protection
A final practice you should incorporate into your system hardening procedure is placing
password protection features on your assets.
From a system point of view, this means that you will ensure that you have password-protected
the BIOS/UEFI (CMOS) setup program, so that unauthorized changes to the firmware settings,
such as the boot order, cannot occur.
Consider password protecting other resources such as routers, switches, and maybe even
printers.
Password policy Best Practice
Keep your passwords strong

 Use a minimum of 10 characters, including numbers, both uppercase and lowercase letters, and
special symbols.

 Even better, use passphrases consisting of a minimum of 15 characters using letters and numbers.

Avoid common password weaknesses

 Easy-to-guess passwords, especially "password"

 Your name, the name of your spouse or partner, or other names

 A string of numbers or letters like "1234" or "abcd", or simple patterns of letters on the
keyboard, like "asdfg"

 Your phone number or your license plate number, anybody's birth date, or other information
easily obtained about you (e.g., your address, town or alma mater)

 Passwords of all the same letter

 Words that can be found in the dictionary

 Default passwords, even if they seem strong

 Any of the above followed or preceded by a single digit
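A checker for the rules above, as an added example that is not from the original notes: check_password and its helpers are this example's own, and the common-password set and keyboard rows are deliberately tiny (a real deployment checks against a breached-password list of many millions of entries).

```python
import re

# Deliberately small stand-in for a breached/common password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "admin", "qwerty", "123456"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def has_sequence(s: str, n: int = 4) -> bool:
    """True if s contains n consecutive characters that form an ascending run
    (abcd, 1234) or a run along a keyboard row (asdf, qwer)."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(n - 1)):
            return True
        if any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False


def strip_edge_digit(s: str) -> str:
    """Remove a single leading or trailing digit: 'password1' -> 'password'."""
    if s[:1].isdigit():
        s = s[1:]
    if s[-1:].isdigit():
        s = s[:-1]
    return s


def check_password(pw: str, personal=(), min_len=10, passphrase_len=15) -> list:
    """Return the list of policy problems; an empty list means the password passes.
    personal: strings about the user (name, birth year, phone) that must not appear."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) < passphrase_len:          # passphrases are exempt from the class rule
        classes = sum(bool(re.search(p, pw)) for p in CLASSES)
        if classes < 3:
            problems.append("fewer than 3 of the 4 character classes")
    if len(set(low)) == 1:
        problems.append("all the same character")
    if low in COMMON_PASSWORDS or strip_edge_digit(low) in COMMON_PASSWORDS:
        problems.append("common password, possibly with one digit added")
    if has_sequence(low):
        problems.append("contains a keyboard or alphabetic sequence")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    return problems
```

check_password("password1") fails three rules at once (length, character classes, and "a common password with one digit added"), "correct horse battery staple" passes because the passphrase length exempts it from the class rule, and "Alice1985!" passes every generic rule but fails when the user's name and birth year are supplied as personal information. The common-password check is the one that matters most in practice; length and class rules alone still accept "Summer2024!" style passwords that every wordlist contains.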

Protect your password

 It is vital to remember your password without writing it down somewhere, so choose a strong

password or passphrase that you will easily remember.

 If you have a lot of passwords, you can use password management tools, but you must choose

a strong master key and remember it.

 If you suspect that someone else may know your current password, change it immediately.

 Change your password periodically (every 90 days for a strong password, every 180 days for a
passphrase), even if it hasn't been compromised. Note that current guidance (NIST SP 800-63B)
instead recommends changing passwords only when compromise is suspected, because forced
rotation pushes people towards predictable variations of the old password.

 Don't type your password while anyone is watching.

 Avoid using the same password for multiple websites containing sensitive information.

Follow password policy best practices for system administrators

 Configure a minimum password length of at least 10 characters for passwords or 15 for

passphrases.
 Enforce password history, with at least 10 previous passwords remembered.

 Set a minimum password age of 3 days.

 Set a maximum password age of 90 days for passwords and 180 days for passphrases.

 Enable the setting that requires passwords to meet complexity requirements. This setting can

be disabled for passphrases but it is not recommended.

 Reset local admin passwords every 180 days.

 Reset service accounts passwords once a year during maintenance.

 For domain admin accounts, use strong passphrases with a minimum of 15 characters.

Network Security Hardening


The first aspect of network hardening that you need to consider is updating the firmware on all
networking devices. Network devices, although hardware, are like computers in the sense that
they are run by software. The software that runs the network devices is known as firmware and
is stored in flash memory known as EEPROM (Electrically Erasable Programmable Read-Only
Memory).
You can normally go to the manufacturer’s web site for the device and download a revised,
updated version of the firmware.
Disable Unused Interfaces (Ports)
Not only should you limit which systems can connect to which ports on the switch, but you
should also look at disabling any unused ports on the switch.
802.1x
A popular approach for hardening the network is to ensure that anyone who connects to the
network supplies valid credentials before the network connection is allowed. This is different
from a normal operating system logon in the sense that when you log on to a system, the system
typically already has network access. The 802.1x standard is an IEEE standard for controlling
access to the network (both wired and wireless) and is typically referred to as port-based
access control.
Tools for System Hardening
Now that you are familiar with some popular techniques for controlling who has access to the network,
Group Policies
The first important tool for hardening a Windows system is known as group policy. Group policy
is a core feature of Windows that allows the network administrator to enable and disable
different features in Windows.
The following is a quick description of some of the common policies found in the Computer
Configuration settings section of group policies:
Windows Settings | Scripts (Startup/Shutdown) In this policy, you can configure a startup
script for when the computer first boots up or a shutdown script for when the computer is shut
down.
Security Settings | Account Policies This policy section allows you to configure policies related
to user accounts such as account lockout and password policies.
Security Settings | Local Policies A very important policy section that relates to system
hardening. In this section, you can configure user rights on the system, auditing, and other
security settings such as creating a logon banner.
Security Settings | Windows Firewall and Advanced Security
Security Settings | Software Restriction Policies This policy allows you to configure what
software is allowed to run on the system.
Security Settings | Advanced Audit Policy Configuration This policy allows you more
control over the auditing of the system and the types of events you want to audit.
The following outlines some of the popular settings found in the User Configuration of group
policies:
Windows Settings | Scripts (Logon/Logoff) This policy is used to configure scripts that
execute when a user logs on or off.
Windows Settings | Internet Explorer Maintenance This policy is used to configure settings in
IE such as a favorites list or default home page.
The benefit of a security template is that once you configure the template, it can then be
imported into the group policies of a local system or into Active Directory.
Creating a Security Template
In this exercise, you will create a security template and then apply that template to the local
security policy of a Windows XP system.
1. Ensure that you have the 2012ServerA and Windows 8 VMs running.
2. Go to the Windows 8 VM.
3. Create a custom MMC and load the Security Templates snap-in:
a. On the Start screen type MMC. Right-click mmc.exe in the search results and choose
“Run as administrator.” Choose Yes to allow the program to make changes to your system.
b. Choose File | Add/Remove Snap-in.
c. Choose Add.
d. Locate the Security Templates snap-in and add it to the list.
e. Choose Close and then OK.
4. Expand the Security Templates node on the left and notice the folder that you will place
security templates in.
5. Expand the folder (most likely starts with c:\users) on the left and then select the folder.
6. Right-click the templates folder and choose New Template. Create a template called
Company Policy.
7. Set the following policy options in the security template:

Importing the Template into the Local System

9. To import the template into your local system, start up the Local Security Policy console
from the Administrative Tools.
10. Right-click Security Settings in the top-left corner and choose Import Policy. This will allow
you to choose a security template to import the settings from. Browse to your security
template, and choose it as the template to import.
11. Once the template is imported, verify the settings within the local security policy to make
sure that the template settings have been applied.
12. To refresh the policy, type gpupdate /force at a command prompt.
13. Log off and log back on as user adminguy. Do you get the new banner? _______
14. Why or why not?
Patch Management
Applying patches to systems is a very important aspect of system hardening.
As the vendors of the software you use find out about the vulnerabilities in their software
Configuration Baseline
A security baseline is a standard configuration that has been approved by the company for a
specific type of system or device as being secure. This standard configuration is required for all
systems in order to meet the desired security requirements of the company.
The security baseline documentation may contain the following items:
 Physical security requirements for the type of system
 Network connection requirements
 Configuration settings to help secure the system
 Patch requirements
The configuration requirements of a baseline may contain any number of operating system or
application configuration steps that are required to meet company standards on what is
considered a secure system. The following are examples of some of the configuration
requirements that should be considered:
 File system
 Permissions
 Services running
 Network connection
 Protocols running
 Firewall rules Be sure that any firewall rules that may be needed on the system are
implemented to help protect the system from unwanted traffic.
 Storage encryption
 Encryption of communication Investigate whether you should be encrypting data that
travels along the network.
 Patching Ensure that systems are being properly patched and that the patching level is
being maintained. This is important for public servers in the DMZ because they are
sometimes forgotten about after deployment.
Security Posture and Reporting
Security Posture
Once the security baseline requirements have been established and documented, it is then
time to put the security baseline into practice. This section outlines key stages of managing
security baselines.
 Initial Baseline Configuration You will need to work with the security baseline
documentation to configure the initial security baseline on a system.
 Continuous Security Monitoring Once you have configured a system with the initial
security baseline, you must then monitor the system to ensure it continues to run in a
secure state. One of the popular methods to monitor the security state of the system is
to perform a vulnerability scan on the system at regular intervals. A vulnerability scan
will let you know about any misconfiguration to the security of the system and also let
you know if it is missing any patches. Popular types of software that perform
vulnerability scans are Nessus (common for Linux) and Microsoft Baseline Security
Analyzer (MBSA).
 Remediation After running a vulnerability scanner to pick up on any configuration
mistakes or missing patches, you then need to make sure that you correct the problem.
Remediation is the process of correcting a fault in the system. For example, if you find a
security configuration setting that was not applied to the system, then you may need to
go back to the initial security baseline and make sure that the configuration step is
applied.
Reporting
Most systems, devices, and applications will want to send out notification when specific events
occur, but they will use different methods to report different levels of severity associated with
the event.
The following are popular methods of reporting:
Alarms The first type of reporting method that applications may use is an alarm. An alarm is
used to report critical events that typically require some form of action from the system or
network administrator. For example, an alarm may be used to notify an administrator of
suspicious traffic on the network. In this case, the alarm is used to attract the attention of the
network administrator so that they can investigate the issue.
Alerts An alert is a less critical type of notification used to notify the system or network
administrator that a specific event has occurred, but no action may be required by the
administrator.
Trends A trend is a type of reporting method used to identify security issues such as someone
performing a port scan on the network. Trend analysis typically involves looking at log files or
packet captures and analyzing the information to identify a trend that may help the
administrator understand what is happening on the network.
Establishing Application Security
It is important that companies test any software that they create by purposely inputting invalid
information into any of the data entry screens of the application.
Secure Coding Concepts
Two important parts of developing secure code are writing good exception-handling routines
and validating all data passed to the application.
Error and Exception Handling
Runtime error Trapping an error means that instead of the error actually happening, the
programmer intercepts the error and displays a friendly warning message instead of the
application crashing (runtime errors cause the application to crash).
Exception handling is a more advanced method of error handling. Exception
Application Hardening
Application Security Issues
To help create a more secure environment, you should be familiar with a number of common
application security issues.
 Java
 Scripting
 Browser
 Cross-site scripting (XSS) As discussed earlier in the book, in cross-site scripting, the
hacker inserts script code into a form on a site so that when the page is displayed by another
user, the browser reads the script and executes it.
 Cookies Cookies are preferences or logon information from the web site you visit, stored
in memory on your client computer or in a text file on your client computer. The security
issue surrounding storing information in cookies is this: if the information is stored in a text
file and someone gets access to the text file, the information is known to the person viewing
the text file. The other security issue surrounding cookies is that they are sent with the HTTP
traffic, so if you are not encrypting the web traffic, it is possible that someone could intercept
these preferences or logon information.
 Instant messaging Instant messaging applications have grown to become a huge security
issue because worm viruses such as the W32.Seesix worm replicate through the instant
messaging software.
 P2P Peer-to-peer file-sharing applications pose a security risk in the sense that users are
downloading files from untrusted sources.
 Buffer overflow As mentioned earlier, a buffer overflow attack is when the hacker
sends too much data to an application and is able to run arbitrary code that results in
administrative access to the system.
Prevention Techniques
Application configuration baseline Ensure that you configure each of the applications
with security in mind.
Application hardening You need to disable features in applications that you do not want
users to use.
Application patch management It cannot be stressed enough that you need to patch your
applications along with the operating system.
Cross-site scripting prevention An important method of preventing cross-site scripting
is to validate the input into a web site for illegal characters in a particular field.
Cross-site request forgery prevention Cross-site request forgery is an application
vulnerability where a web page may have code that references another site and that
automatically uses the user’s cookie data for authentication if the cookie is present and has
not expired.
NoSQL databases vs. SQL databases NoSQL is the concept of developing a database
system to store and retrieve large amounts of data, or Big Data.
Server-side vs. client-side validation Application developers need to validate any input
that the application accepts. The validation code can be implemented either at the client
(client-side validation) or at the server (server-side validation).
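The Python code below is an added example (not code from the original notes) that combines the two secure-coding points made in this chapter: server-side validation that rejects illegal characters field by field, regardless of what the client's own validation did, and error trapping that turns a runtime failure into a friendly message rather than a crash. The field rules, inventory and request data are constructed for the example.

```python
"""Server-side validation plus error trapping (added example, not code from the notes)."""
import html
import logging
import re

log = logging.getLogger("orders")


class ValidationError(ValueError):
    """Raised when a field fails the server-side checks."""


# Allow-list per field: only these characters and lengths are accepted, so
# anything else (script tags, quotes, SQL fragments) is rejected up front.
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_.-]{3,32}$"),
    "sku": re.compile(r"^[A-Z]{3}-[0-9]{4}$"),
    "quantity": re.compile(r"^[1-9][0-9]{0,2}$"),      # 1..999
}
REQUIRED = ("username", "sku", "quantity")
# Free text cannot be allow-listed, so cap its length and reject the
# characters that carry meaning to a browser or a query parser.
COMMENT_MAX = 200
ILLEGAL_IN_COMMENT = re.compile(r"[<>\"'`;]")

# Constructed inventory: sku -> unit price in cents.
INVENTORY = {"ABC-1234": 1250, "XYZ-0001": 499}


def validate_field(name, value):
    if not isinstance(value, str):
        raise ValidationError(f"{name}: value must be text")
    if name in FIELD_RULES:
        if not FIELD_RULES[name].match(value):
            raise ValidationError(f"{name}: illegal characters or wrong length")
        return value
    if name == "comment":
        if len(value) > COMMENT_MAX:
            raise ValidationError("comment: too long")
        if ILLEGAL_IN_COMMENT.search(value):
            raise ValidationError("comment: contains illegal characters")
        return value
    raise ValidationError(f"{name}: unexpected field")


def validate_form(form):
    """Validate every submitted field; the client may have skipped its own checks."""
    for name in REQUIRED:
        if name not in form:
            raise ValidationError(f"{name}: missing")
    return {name: validate_field(name, value) for name, value in form.items()}


def process_order(form):
    """Business logic; INVENTORY[...] raises KeyError for an unstocked SKU,
    which stands in for any unexpected runtime error."""
    clean = validate_form(form)
    unit_price = INVENTORY[clean["sku"]]
    return unit_price * int(clean["quantity"])


def handle_request(form):
    """Return (HTTP status, message shown to the user)."""
    try:
        total = process_order(form)
        return 200, f"Order accepted: total {total} cents"
    except ValidationError as exc:
        # Bad input is rejected with a message naming the field, HTML-escaped.
        return 400, f"Invalid input ({html.escape(str(exc))})"
    except Exception:
        # Trap the runtime error: log the details for the administrator and
        # show a friendly message; never echo the exception or a stack trace.
        log.exception("unhandled error while processing order")
        return 500, "Sorry, something went wrong. Please try again later."
```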
Server Hardening Best Practices
Limiting DNS Zone Transfers
In this exercise, you ensure that DNS zone transfers on your Windows Server are limited to
send zone transfers only to your secondary DNS servers.
1. Ensure that you have the 2012ServerA and Windows 8 VMs running. Log out of each
system.
2. Log on to the 2012ServerA VM. From the Start screen choose DNS to launch the DNS
Management console.
3. Expand 2012ServerA on the left and then expand Forward Lookup Zones. Right-click your
DNS zone and choose Properties. For example, right-click certworld.loc and choose
Properties.
4. In the zone properties, choose the Zone Transfers page tab.
5. Enable the Allow Zone Transfers option and then select “Only to the following systems.”
6. Type 10.0.0.5 and then choose the Add button to add the Windows 8 system as a system
that can receive zone transfers from this DNS server. For this exercise, we will pretend that
the Windows 8 system is our secondary DNS server.
7. Choose OK.
8. Go to the Windows 8 VM and start a command prompt.
9. Type the following commands into the command prompt (pressing ENTER after each
line). Your domain name, for example, might be certworld.loc:
10. You should see the DNS data on the screen. If you try the same commands from a
different system, you should get a “query refused” error.
• OSI layer 4 (TCP/UDP), some firewalls filter through OSI layer 7

• Filters traffic by port number

• Can encrypt traffic into/out of the network and between sites

• Can proxy traffic - A common security technique

• Most firewalls can be layer 3 devices (routers)

Types of Firewall

You probably know that you need firewall security; in fact, you may even already have a
firewall management program in place. But what exactly is firewall security, and what does
firewall management entail?

The word firewall originally referred literally to a wall, which was constructed to halt the
spread of a fire. In the world of computer firewall protection, a firewall refers to a network
device which blocks certain kinds of network traffic, forming a barrier between a trusted and
an untrusted network. It is analogous to a physical firewall in the sense that firewall security
attempts to block the spread of computer attacks.

Packet filtering firewall

This type of firewall has a list of firewall security rules which can block traffic based on IP
protocol, IP address and/or port number. Under this firewall management program, all web
traffic will be allowed, including web-based attacks. In this situation, you need to have
intrusion prevention, in addition to firewall security, in order to differentiate between good
web traffic (simple web requests from people browsing your website) and bad web traffic
(people attacking your website).

A packet filtering firewall has no way to tell the difference. An additional problem with packet
filtering firewalls which are not stateful is that the firewall can't tell the difference between a
legitimate return packet and a packet which pretends to be from an established connection,
which means your firewall management system configuration will have to allow both kinds of
packets into the network.

Stateful firewall

This is similar to a packet filtering firewall, but it is more intelligent about keeping track of
active connections, so you can define firewall management rules such as "only allow packets
into the network that are part of an already established outbound connection." You have
solved the established connection issue described above, but you still can't tell the difference
between "good" and "bad" web traffic. You need intrusion prevention to detect and block
web attacks.

Deep packet inspection firewall

An application firewall actually examines the data in the packet, and can therefore look at
application layer attacks. This kind of firewall security is similar to intrusion prevention
technology, and, therefore, may be able to provide some of the same functionality.

There are three caveats, however: first, for some vendors, the definition of "deep" extends to
some particular depth in the packet and does not necessarily examine the entire packet. This
can result in missing some kinds of attacks. Second, depending on the hardware, a firewall
may not have adequate processing power to handle the deep packet inspection for your
network. Be sure to ask questions about how much bandwidth it can handle while performing
such inspection. And finally, embedded firewall management technology may not have the
flexibility to handle all attacks.

Application-aware firewall

Similar to deep packet inspection, except that the firewall understands certain protocols and
can parse them, so that signatures or rules can specifically address certain fields in the
protocol. The flexibility of this approach to computer firewall protection is great and permits
the signatures or rules to be both specific and comprehensive. There are no specific
drawbacks to this approach to firewall security as generally it will yield improvements over a
standard "deep packet inspection" approach. However, some actual attacks may be
overlooked (false negatives) because the firewall security parsing routines are not robust
enough to handle variations in real-world traffic.

Application proxy firewall

An application proxy acts as an intermediary for certain application traffic (such as HTTP, or
web, traffic), intercepting all requests and validating them before passing them along. Again,
an application proxy firewall is similar to certain kinds of intrusion prevention. The
implementation of a full application proxy is, however, quite difficult, and each proxy can only
handle one protocol (e.g. web or incoming email).

For an application proxy firewall to be effective as computer firewall protection, it has to be
able to understand the protocol completely and to enforce blocking on violations of the
protocol. Because implementations of the protocol being examined often do not follow a
protocol correctly, or because implementers add their own extensions to a protocol, this can
result in the proxy blocking valid traffic (false positives). Because of these kinds of problems,
end users will often not enable these technologies.

As you can see, there are areas of overlap between intrusion prevention and certain types of
firewall security. The terminology in this field is still being worked out, so it can be confusing
at times.

Configuring firewall rules

 Allow or disallow traffic based on security tuples
 Source IP, Destination IP, port number, time of day, application, etc.
 Evaluated top-to-bottom
 There’s an implicit deny at the bottom
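As an added example (not from the original notes), the Python model below shows the rule evaluation just described together with the stateless-versus-stateful distinction from the firewall types above: rules are walked top to bottom, the first match decides, falling off the bottom is the implicit deny, and a stateful variant admits replies from a connection table, so a forged "return" packet that a stateless rule base has to let in is denied. The rule base, internal range and traffic are constructed (documentation address ranges).

```python
"""Firewall rule evaluation: first match top-to-bottom, implicit deny, and
stateful tracking of established connections (added example, not from the notes)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags, used only for connection tracking
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One line of the rule base (a security tuple); "any"/None fields match anything."""
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Walk the rule base top to bottom; the first matching rule decides.
    Falling off the bottom is the implicit deny (rule index None)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


class StatefulFirewall:
    """Same rule base, but replies to connections the rules already allowed
    are admitted from a connection table instead of needing their own rule."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.connections: set[tuple] = set()

    def process(self, pkt: Packet) -> tuple[str, object]:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.connections:
            return "allow", "established"
        action, index = evaluate(self.rules, pkt)
        # Only a permitted connection opener (TCP SYN without ACK) creates state.
        if action == "allow" and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            self.connections.add(flow)
        return action, index


# Constructed rule base for an internal network 10.0.0.0/24 (example values).
INTERNAL = "10.0.0.0/24"
RULES = [
    Rule("deny", src=INTERNAL, dst="198.51.100.99/32"),        # blocked site; listed first so it wins
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),        # outbound HTTPS
    Rule("allow", src=INTERNAL, proto="udp", dport=53),         # outbound DNS
]
# A stateless firewall needs this extra rule so replies can get back in, and
# the same rule admits any packet that merely claims to come from port 443.
STATELESS_RULES = RULES + [Rule("allow", dst=INTERNAL, proto="tcp", sport=443)]

# Constructed traffic samples.
OUTBOUND_SYN = Packet("10.0.0.7", "198.51.100.20", "tcp", 50000, 443, syn=True)
REPLY = Packet("198.51.100.20", "10.0.0.7", "tcp", 443, 50000, syn=True, ack=True)
FORGED = Packet("203.0.113.5", "10.0.0.7", "tcp", 443, 50000, ack=True)
BLOCKED_SITE = Packet("10.0.0.7", "198.51.100.99", "tcp", 50001, 443, syn=True)
RDP_IN = Packet("203.0.113.5", "10.0.0.7", "tcp", 40000, 3389, syn=True)
SAMPLES = [("outbound", OUTBOUND_SYN), ("reply", REPLY), ("forged", FORGED),
           ("blocked_site", BLOCKED_SITE), ("rdp_in", RDP_IN)]


def stateless_demo() -> dict[str, str]:
    """Verdict per sample packet under the stateless rule base."""
    return {name: evaluate(STATELESS_RULES, pkt)[0] for name, pkt in SAMPLES}


def stateful_demo() -> dict[str, str]:
    """Verdict per sample packet, processed in order, under the stateful firewall."""
    fw = StatefulFirewall(RULES)
    return {name: fw.process(pkt)[0] for name, pkt in SAMPLES}
```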

All-in-one security appliance

 Unified Threat Management (UTM) / Web security gateway


 URL filter / Content inspection, malware inspection, spam filter, CSU/DSU, router,
switch, firewall, IDS/IPS, bandwidth shaper, VPN endpoint

Intrusion detection/prevention system


 Protects against OS and application exploits
 Detection
 Alerts but does not stop the attack
 Prevention
 Blocks the attack

Flood Guards

 Commonly seen on intrusion prevention systems


 DoS / DDoS
 Denial of Service
 SYN floods
 Overload a server
 Ping floods / ping scans
 Overwhelm the network
 Identify what’s out there
 Port floods / port scans
 Identify open ports on a device
Spam Filters
 Stop unsolicited email at the gateway
 Whitelist
 Only receive email from trusted senders
 SMTP standards checking
 Block anything that doesn’t follow RFC standards
 rDNS - Reverse DNS
 Block email where the sender’s domain doesn’t match the IP address
 Tar pitting
 Intentionally slow down the server conversation
 Recipient filtering
 Block all email not addressed to a valid recipient email address

Application-aware Security Devices

 Network-based Firewalls
 Control traffic flows based on the application
 Microsoft SQL Server, Twitter, YouTube
 Intrusion Prevention Systems
 Identify the application
 Apply application-specific vulnerability signatures to the traffic
 Host-based firewalls
 Work with the OS to determine the application

DMZ (Demilitarized Zone)

• A layer of security between your internal network and the Internet

• Protects external-facing services

• Usually less trusted than the Internal network connection

VPN concentrator

 The connection point for remote users


 Traffic is encrypted across the Internet and decrypted on the internal private network

Load balancer

• Distributes the load over many physical servers

• Very common in large environments

Proxy

• Sits between the users and the external network

• Receives the user requests and sends the request on their behalf (the proxy)

• Applications may need to know how to use the proxy (explicit)

• Some proxies are invisible (transparent)


Chapter 7
Wireless Networking and Security
A wireless access point, also known as a wireless router
The wireless network uses radio frequencies to transmit data through the air.
You can create two types of wireless networks: an ad hoc mode wireless network or an
infrastructure mode wireless network. Each of these is known as a wireless mode, and each has
its advantages.
With ad hoc mode, the wireless device, such as a laptop, is connected to other wireless devices
in a peer-to-peer environment without the need for a wireless access point.
With infrastructure mode, the wireless clients are connected to a central device known as a
wireless access point. The wireless client sends data to the access point, which then sends the
data on to the destination.
Standards
The Institute of Electrical and Electronics Engineers (IEEE) committee has developed wireless
standards in the 802 project models for wireless networking. Wireless is defined by the 802.11
project model and has several standards defined.
802.11a
The 802.11a wireless standard is an older one that runs at the 5-GHz (gigahertz) frequency.
802.11a devices can transmit data at 54 Mbps and are incompatible with 802.11b and 802.11g
devices.
802.11b
The 802.11b wireless standard has a transfer rate of 11 Mbps while using a frequency of 2.4
GHz. These devices are compatible with 802.11g/n devices because they run at the same
frequency and follow the Wi-Fi (wireless fidelity) standard.
802.11g
The 802.11g wireless standard is a newer one that was designed to be compatible with 802.11b
but also increases the transfer rate. The transfer rate of 802.11g devices is 54 Mbps in the
2.4-GHz frequency range. All 802.11g devices are compatible with 802.11b/n devices because
they all follow the Wi-Fi standard and run at the same frequency of 2.4 GHz.
802.11n
The 802.11n wireless standard was finalized in late 2009. The goal of 802.11n is to increase the
transfer rate beyond what current standards such as 802.11g support. The 802.11n standard
was rumored to support transfer rates up to 600 Mbps in theory, but most 802.11n networking
components are running at 150 Mbps today. To help accomplish higher transfer rates, 802.11n
uses two new features: multiple input multiple output (MIMO) and channel bonding.

Antenna Types
Wireless networking technologies use two major antenna types, omnidirectional and directional.
Omnidirectional antennas can send and receive signals in any direction, covering a 360-degree
radius from the antenna. The advantage of omnidirectional is that it can communicate with
devices in any direction, but the downfall is that it is using all the power to cover multiple
directions, so the distance it can reach is lower than with directional. Directional antennas can
only send and receive signals in a single direction. Although the directional antenna is only
communicating in a single direction, it can cover a longer range in that direction.
Authentication and Encryption
A number of wireless authentication and encryption protocols have been developed over the
years. The purpose of these protocols is to help secure your wireless network, and you should
consider them for implementation on your wireless network.
WEP
Wired Equivalent Privacy (WEP) was designed to give the wireless world a level of security
equivalent to that of the wired networking world. WEP was designed to add security to wireless
networks by requiring anyone who wishes to connect to the wireless network to input a wireless
key (a value configured on the wireless access point that needs to be entered by anyone wishing
to connect). To configure your wireless network with WEP, simply specify a shared key, or
passphrase, on the wireless access point.

WPA
Wi-Fi Protected Access (WPA) was designed to improve upon security and to fix some of the
flaws found in WEP. WPA uses a 128-bit key and the Temporal Key Integrity Protocol (TKIP),
which is a protocol used to change the encryption keys for every packet that is sent. This will
make it much harder for hackers to crack the key. WPA also supports authentication using the
Extensible Authentication Protocol (EAP), a very secure authentication protocol that supports
a number of authentication methods such as Kerberos, token cards, certificates, and smartcards.
EAP messages are encapsulated inside 802.1x packets for network access authentication with
wired or wireless networks.
There are variations of the EAP protocol; two common ones are LEAP and PEAP:
LEAP The Lightweight Extensible Authentication Protocol (LEAP) is Cisco’s proprietary
EAP solution that Cisco created before the IEEE created 802.1x.
PEAP Protected Extensible Authentication Protocol (PEAP) is used to encapsulate EAP
messages over a secure tunnel that uses Transport Layer Security (TLS). The purpose of this
protocol is that EAP assumes the packets are sent over a secure network; with PEAP, TLS is used
to create a secure tunnel between two points.

When configuring WPA on the wireless network, note that WPA operates in two different
modes, WPA Personal and WPA Enterprise:
WPA Personal WPA Personal is also known as WPA-PSK, which means WPA preshared key.
With WPA Personal, you will configure the access point with a starting key value, known as
the preshared key, which is then used to encrypt the traffic. This mode is used most by home
users and small businesses.
WPA Enterprise WPA Enterprise, also known as WPA-802.1x, is a WPA implementation that
uses a central authentication server such as a RADIUS server for authentication and auditing
features.

WPA2
WPA2 improves upon the security of WPA and should be used instead of WPA if you have the
choice. WPA2 uses Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol (CCMP or CCM mode Protocol) for data privacy, integrity, and authentication on a
WPA2 wireless network. WPA2 uses CCMP with the Advanced Encryption Standard (AES)
protocol for encryption of wireless traffic instead of TKIP and also supports additional features
such as added protection for ad hoc networks and key caching.
Securing a Wireless Network
Security Best Practices
1. Change Admin Password
All routers have a default admin password, so be sure to change the password from the default.
Service Set Identifier (SSID)
The Service Set Identifier (SSID) is a name that you give the wireless network, and in order for
someone to connect to your wireless network, that person needs to know the SSID. Any client
who wishes to connect to your wireless network will need to specify the SSID name in their
wireless network card settings. Therefore, it is important that you change the SSID from the
default. Remember that the SSID should be changed from the default and the SSID broadcasting
disabled. Also note that you can use a tool such as NetStumbler or Kismet to do a wireless
survey to get a list of wireless networks that are nearby.

To summarize the SSID issue, be sure to change the SSID to something hard to guess (don’t
use your company name if you are setting up the wireless network for the company), and be
sure to disable SSID broadcasting on the router.

MAC Address Filtering


Most wireless networks allow you to limit which wireless network cards can connect to the
wireless access point. You can limit systems that can connect to your wireless network by
finding out the MAC addresses of the systems you want to allow to connect and then
configuring the router to deny traffic from all systems except the MAC addresses you input.
This is known as MAC address filtering.
By default, wireless access points are not configured for MAC address
Antenna Placement and Power Levels
Another important security best practice is placement of the wireless access point. You should
place the wireless access point in an area of the building that allows all of your wireless clients
to connect, but minimizes the exposure of the wireless network outside the premises. For
example, you should not place the wireless access point close to the outer walls of the building
because it may allow someone outside the facility to connect to the wireless network. The
wireless router should be placed in the center of the building so that signals from clients
outside the building have trouble reaching the access point.
Captive Portal
A common technique used by wireless hotspots is known as captive portal, which forces a
person to authenticate to the network via a web page before Internet access is allowed.
Organizations can use a captive portal to intercept all traffic destined for the Internet. Before
allowing the traffic to pass through the router,
Encrypt Wireless Traffic
Ensure that you are encrypting any traffic from the wireless clients to the access point. You can
use WEP, WPA, or WPA2 to encrypt traffic. Remember to use the more secure WPA or WPA2 if
you can.
Monitoring System Logs

In addition to network monitoring, you must monitor the event logs. Event logs are system logs
that record various events that occur.

Event logs comprise a broad category that includes some logs that are not relevant to security
issues.

Windows has several logs.

The two most important logs for security purposes are the following:

Application Log: This log contains various events logged by applications or programs. Many
applications will record their errors in this log. It can be particularly useful if the log is on a
server that has database server software like SQL Server installed.

Security Log: The most important things that you will find in the security log are successful
and unsuccessful logon attempts. This log also records events related to resource use, such as
creating, opening, or deleting files or other objects. Administrators can specify what events are
recorded in the security log. Logon auditing can be turned off, but it never should be.

In Windows the security log is the access log. Linux provides separate logs for successful and
failed login attempts. By default, Windows does not log both successes and failures, but for
security reasons this should be changed.

Lab 1: Viewing the Event Logs

1. Click Start ➢ Control Panel ➢ Administrative Tools ➢ Event Viewer to open Event Viewer.

Lab 2: Resource Monitoring

1. Click Start ➢ Control Panel ➢ Administrative Tools ➢ Resource Monitor.

Lab 3: Task Scheduler

1. Click Start ➢ Control Panel ➢ Administrative Tools ➢ Task Scheduler.

Log Files in Linux

Log files are files that contain messages about the system, including the kernel, the services and the applications running on it.

Locating log files

Most log files are located in the /var/log directory.

To check the log files

1. Click Applications ➢ System Tools ➢ System Logs

Log Files in Linux

You should check a number of logs for entries that might indicate an intrusion. The primary ones you should examine are listed here:

/var/log/faillog Open a shell prompt, and use the faillog utility to view a list of users' failed authentication attempts.

/var/log/lastlog Open a shell prompt, and use the lastlog utility to view a list of all users and when they last logged in.

/var/log/messages Use grep, or a derivative thereof, to find login-related entries in this file.

/var/log/wtmp Open a shell prompt, and use the last command to view a list of users who have authenticated to the system.
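As an added example (not part of the course material), the grep step on /var/log/messages carried out in Python: it picks out the sshd login lines from a constructed sample, counts failed logons per source address and lists the sources worth reviewing. The sample lines, the threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/messages (syslog) style; not from a real host.
SAMPLE_LOG = """\
Mar  3 08:12:01 srv1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 08:12:44 srv1 sshd[2215]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar  3 08:12:46 srv1 sshd[2215]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar  3 08:12:49 srv1 sshd[2217]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Mar  3 08:13:02 srv1 cron[2220]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 08:14:10 srv1 sshd[2230]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Mar  3 08:14:20 srv1 sshd[2230]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
"""

# Matches the sshd logon lines that "grep 'sshd.*password'" would return.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def login_events(log_text):
    """Return (result, user, source) for every login-related line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m.group("result"), m.group("user"), m.group("src")))
    return events

def failures_by_source(log_text):
    """Count failed logons per source address, a per-source view like faillog gives per user."""
    return Counter(src for result, _, src in login_events(log_text) if result == "Failed")

def suspicious_sources(log_text, threshold=3):
    """Sources at or above the failed-logon threshold (an assumed value) deserve a closer look."""
    return sorted(src for src, n in failures_by_source(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for result, user, src in login_events(SAMPLE_LOG):
        print(f"{result:8} {user:10} {src}")
    print("review:", suspicious_sources(SAMPLE_LOG))
```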

Securing the Network

Obviously, network security is a broad topic, and it will be addressed throughout this book. However, there are some essential concepts identified on the CompTIA Security+ exam that are discussed in this section:

MAC Limiting and Filtering: Limit access to the network to MAC addresses that are known, and filter out those that are not. Adding port authentication to MAC filtering takes security for the network down to the switch port level and increases your security exponentially.

Disable Unused Ports: Remember, a port is a connection, like a channel. For example, SMTP uses port 25. For that reason these are sometimes called application ports. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.

Security Audits

Monitoring should take place on several levels. There should be basic, ongoing monitoring that is not labor intensive. Software solutions are available that will accomplish this for you. However, you should also implement scheduled, in-depth checks of security. These are usually called security audits.

A security audit is an integral part of continuous security monitoring. Security audits can be a check of any aspect of your security, including the following:

■ Review of security logs
■ Review of policies and compliance with policies
■ A check of security device configuration
■ Review of incident response reports

The scope of the audit and its frequency are determined by the organization.

Reporting Security Issues

Security incidents will occur no matter how well you design your security system. Some of these incidents will be minor, whereas others will be quite serious. Regardless of the severity of the incident, it must be reported. We will look at the ways you will be able to report these risks.

Alarms

Alarms are indications of a problem that is occurring right now. Think of a siren sounding when someone kicks in the door to a home. These are conditions to which you must respond immediately. Alarm rates can indicate trends that are occurring.

Alerts

Slightly below alarms in terms of security issues are alerts. Alerts are issues to which you need to pay attention but which are not about to bring the system down at any moment. (Think of them as storm watches instead of storm warnings.) In Event Viewer, for example, system events are identified either as errors, information, or warnings.
What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.

You could think of a network packet analyzer as a measuring device used to examine what’s going on inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on inside an electric cable (but at a higher level, of course).

In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.

Wireshark is perhaps one of the best open source packet analyzers available today.

1.1.1. Some intended purposes

Here are some examples of what people use Wireshark for:

• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals

Besides these examples, Wireshark can be helpful in many other situations too.

1.1.2. Features

The following are some of the many features Wireshark provides:

• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
• …and a lot more!

However, to really appreciate its power you have to start using it.

Figure 1.1, “Wireshark captures packets and lets you examine their contents.” shows Wireshark having captured some packets and waiting for you to examine them.

Figure 1.1. Wireshark captures packets and lets you examine their contents.
1.4. A brief history of Wireshark

In late 1997 Gerald Combs needed a tool for tracking down network problems
and wanted to learn more about networking so he started writing Ethereal (the
original name of the Wireshark project) as a way to solve both problems.

Ethereal was initially released after several pauses in development in July 1998 as
version 0.2.0. Within days patches, bug reports,o
The “Filter” toolbar

The filter toolbar lets you quickly edit and apply display filters. More information
on display filters is available in Section 6.3, “Filtering packets while viewing”.

Figure 3.15. The “Filter” toolbar

3.18. The “Packet List” pane

The packet list pane displays all the packets in the current capture file.

Figure 3.16. The “Packet List” pane


Each line in the packet list corresponds to one packet in the capture file. If you
select a line in this pane, more details will be displayed in the “Packet Details” and
“Packet Bytes” panes.

While dissecting a packet, Wireshark will place information from the protocol
dissectors into the columns. As higher level protocols might overwrite information
from lower levels, you will typically see the information from the highest possible
level only.

For example, let’s look at a packet containing TCP inside IP inside an Ethernet
packet. The Ethernet dissector will write its data (such as the Ethernet addresses),
the IP dissector will overwrite this by its own (such as the IP addresses), the TCP
dissector will overwrite the IP information, and so on.

There are a lot of different columns available. Which columns are displayed can
be selected by preference settings, see Section 10.5, “Preferences”.

The default columns will show:

• No. The number of the packet in the capture file. This number won’t change, even if a display filter is used.
• Time The timestamp of the packet. The presentation format of this timestamp can be changed, see Section 6.12, “Time display formats and time references”.
• Source The address where this packet is coming from.
• Destination The address where this packet is going to.
• Protocol The protocol name in a short (perhaps abbreviated) version.
• Length The length of each packet.
• Info Additional information about the packet content.

The first column shows how each packet is related to the selected packet. For
example, in the image above the first packet is selected, which is a DNS request.
Wireshark shows a rightward arrow for the request itself, followed by a leftward
arrow for the response in packet 2. Why is there a dashed line? There are more
DNS packets further down that use the same port numbers. Wireshark treats
them as belonging to the same conversation and draws a line connecting them.

Table 3.15. Related packet symbols (the symbols themselves are not reproduced here; their meanings are:)

• First packet in a conversation.
• Part of the selected conversation.
• Not part of the selected conversation.
• Last packet in a conversation.
• Request.
• Response.
• The selected packet acknowledges this packet.
• The selected packet is a duplicate acknowledgement of this packet.
• The selected packet is related to this packet in some other way, e.g. as part of reassembly.

The “Packet Bytes” pane

The packet bytes pane shows the data of the current packet (selected in the
“Packet List” pane) in a hexdump style.

Figure 3.18. The “Packet Bytes” pane


The “Packet Bytes” pane shows a canonical hex dump of the packet data. Each line contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a period (‘.’).
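An added example, not from the Wireshark user guide: a Python function that renders bytes in the same canonical layout the Packet Bytes pane uses (offset, sixteen hex bytes, sixteen ASCII characters, with non-printable bytes shown as a period). The sample bytes are constructed, and the exact column spacing is an assumption.

```python
import string

# Printable ASCII for the right-hand column: letters, digits, punctuation and the
# space character; control characters such as \r and \n are rendered as '.'.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

def hexdump_lines(data, width=16):
    """Render bytes like the Packet Bytes pane: offset, 16 hex bytes, 16 ASCII chars."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        # Pad the hex column so the ASCII column still lines up on a short last row.
        hex_part = hex_part.ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:04x}  {hex_part}  {ascii_part}")
    return lines

# Constructed sample: a minimal Ethernet header (broadcast dst MAC, a made-up src MAC,
# EtherType 0x0800 for IPv4) followed by an ASCII payload; not from a real capture.
SAMPLE = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print("\n".join(hexdump_lines(SAMPLE)))
```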

Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data (see Section 7.7, “Packet Reassembly” for details). In this case you can see each data source by clicking its corresponding tab at the bottom of the pane.

Figure 3.19. The “Packet Bytes” pane with tabs

Additional pages typically contain data reassembled from multiple packets or decrypted data.

The context menu (right mouse click) of the tab labels will show a list of all
available pages. This can be helpful if the size in the pane is too small for all the
tab labels.

4.2. Prerequisites
Setting up Wireshark to capture packets for the first time can be tricky. A comprehensive guide, “How To setup a Capture”, is available at https://wiki.wireshark.org/CaptureSetup.

Here are some common pitfalls:

• You may need special privileges to start a live capture.
• You need to choose the right network interface to capture packet data from.
• You need to capture at the right place in the network to see the traffic you want to see.

If you have any problems setting up your capture environment you should have a
look at the guide mentioned above.

How to Use Wireshark to Capture, Filter and Inspect Packets

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.

This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Getting Wireshark

You can download Wireshark for Windows or Mac OS X from its official website. If
you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in
its package repositories. For example, if you’re using Ubuntu, you’ll find
Wireshark in the Ubuntu Software Center.

Just a quick warning: Many organizations don’t allow Wireshark and similar tools
on their networks. Don’t use this tool at work unless you have permission.

Capturing Packets

After downloading and installing Wireshark, you can launch it and click the name
of an interface under Interface List to start capturing packets on that interface.
For example, if you want to capture traffic on the wireless network, click your
wireless interface. You can configure advanced features by clicking Capture
Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.
Click the stop capture button near the top left corner of the window when you
want to stop capturing traffic.
Color Coding

You’ll probably see packets highlighted in green, blue, and black. Wireshark uses
colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP
packets with problems — for example, they could have been delivered out-of-
order.
Sample Captures

If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect.

Opening a capture file is easy; just click Open on the main screen and browse for a
file. You can also save your own captures in Wireshark and open them later.
Filtering Packets

If you’re trying to inspect something specific, such as the traffic a program sends
when phoning home, it helps to close down all other applications using the
network so you can narrow down the traffic. Still, you’ll likely have a large amount
of packets to sift through. That’s where Wireshark’s filters come in.

The most basic way to apply a filter is by typing it into the filter box at the top of
the window and clicking Apply (or pressing Enter). For example, type “dns” and
you’ll see only DNS packets. When you start typing, Wireshark will help you
autocomplete your filter.

You can also click the Analyze menu and select Display Filters to create a new
filter.
Another interesting thing you can do is right-click a packet and select Follow TCP
Stream.
You’ll see the full conversation between the client and the server.
Close the window and you’ll find a filter has been applied automatically —
Wireshark is showing you the packets that make up the conversation.
Inspecting Packets

Click a packet to select it, and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.

To check ports other than HTTP, HTTPS and NetBIOS name service:
not (tcp.port==80) and not (tcp.port==443) and not (udp.srcport==137 and udp.dstport==137)
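An added example, not from the tutorial: the display filter above rendered as a Python predicate over constructed packet summaries, to show that tcp.port matches either the source or the destination port, while the NetBIOS clause only excludes a packet when both udp.srcport and udp.dstport are 137. The Packet class, the sample packets and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed packet summary holding just the fields the display filter refers to."""
    proto: str      # "tcp" or "udp"
    srcport: int
    dstport: int

def port_matches(pkt, proto, port):
    """tcp.port / udp.port in Wireshark match either the source or the destination port."""
    return pkt.proto == proto and port in (pkt.srcport, pkt.dstport)

def other_ports_filter(pkt):
    """Python rendering of:
    not (tcp.port==80) and not (tcp.port==443) and not (udp.srcport==137 and udp.dstport==137)
    A field of a protocol the packet does not carry never matches, so tcp.port==80 is
    false for a UDP packet and the surrounding 'not' keeps that packet."""
    web = port_matches(pkt, "tcp", 80) or port_matches(pkt, "tcp", 443)
    netbios_ns = pkt.proto == "udp" and pkt.srcport == 137 and pkt.dstport == 137
    return not web and not netbios_ns

# Constructed sample packets, not from a real capture.
SAMPLE = [
    Packet("tcp", 51022, 80),    # HTTP request: excluded
    Packet("tcp", 443, 51023),   # HTTPS reply: excluded (tcp.port matches the source port too)
    Packet("udp", 137, 137),     # NetBIOS name service: excluded
    Packet("udp", 137, 138),     # only srcport is 137: kept
    Packet("tcp", 51024, 22),    # SSH: kept
    Packet("udp", 53000, 53),    # DNS: kept
]

def remaining(packets):
    """The packets the filter would leave visible in the Packet List pane."""
    return [p for p in packets if other_ports_filter(p)]

if __name__ == "__main__":
    for p in remaining(SAMPLE):
        print(p)
```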

To find out TCP port or ICMP

To filter the source IP address and destination IP address

To filter only HTTPS URL requests

To filter DNS

To filter ARP

To filter with multiple protocols

To filter TCP which contains the sequence of 00:0:01
