Introduction to Firewalls
In this video, you will learn to: discuss what firewalls do and what types of attacks they
security policies from the public internet, where WWW stands for Wild Wild West, which has just not a shred of
TCP connection attacks and keeps things so busy that there are no resources left
for real connections. Additionally, as opposed to this frontal attack of attacks in the denial of service, an illegal modification or
of the security policy. Content can be stolen for data exfiltration, or, for example, an organization's homepage could be modified and replaced
with something else. So firewalls also allow only authorized access in conjunction with
and hosts come through. There are actually two types of firewalls, application level and packet filtering; there's
firewalls work. Packet filtering is one of the fundamental technologies for application in
we're going to look at are listed here on Slide Six. One of the fundamental ones is the source IP address and
it coming from, and where is it going to? We can make decisions based on those two parameters alone.
Also, the transport port numbers can be a filtering side of that. So TCP and UDP are the two primary transport
message types and we can also filter on synchronization and acknowledgement bits
being flipped. Let's take a look at a couple of examples of packet filtering. So in example one, right there, within
he pulls a VIP blocks like IP protocol field 17 and neither were source or
policy says that, "We trust our inside guys, more than we trust
the application data. Which is the payload right at the top level
of the OSI stack, as well as these IP transport the fields that are in there. So this allows for example,
select users to employ the Telnet application
do this mandate. We require all telnet connections to go through a gateway. There's an access
or not authorized. So it is once again an access control type mechanism that is applied to
limitations right here. One of the things that, as I said, is that these are based
the web browsers, the email tools, FTP tools, instant messaging, all of them have to be smart. So they need to have the protocol predetermined to know how to communicate with the gateways, whether that's an application
open communication with the outside world. No security policies in play. As opposed to an increasing
on protocols and applications and user access. So that is the trade space that the security engineer
conventional firewalls without inspection. So why is that [INAUDIBLE]? Well, XML uses port 80 on a firewall. And port 80 is the standard web
fundamentally wouldn't work, communicating with the outside world. So a standard firewall cannot
an external web server. There's a challenge within that. XML gateways, which are generally
this is the XML message to stack, right? One of the attack profiles is that a
that can be open for that. But whereas with the security policy we can define exactly how we expect an XML package to appear. If you're outside of that specification,
when we're expecting a document, it constitutes a surprise. There are no good surprises in security. We also, with this XML gateway, can ensure
that the target IP address makes sense. Is it one of ours? And is it an IP address that's in the correct domain for receiving XML messaging? We can also require that
In this video, you will learn to: describe the difference between a stateful and
multi-homing as well, meaning they have multiple and mixed explorer interface connectors connected to different networks; that's basically, to put it in other words, we have one new
stateful which are the most common ones in a loyalty to the latter
that we will see next, that echo reply if it's not followed by an echo request
decisions based on layer 7 information, meaning they could also filter information based on the type of website
the image on your left, ICMP echo requests and then the corresponding
that tries to send an ICMP echo reply. The stateful firewall will
the image below, it's between two nodes of course, the computer and the server. But actually it terminates
the connection with the bug. As you can see also, it has two 3-way handshakes
between two devices, meaning the computer would initiate a connection with the server, but the firewall will actually make that connection
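To make the stateless-versus-stateful distinction concrete, here is an added Python example (not from the course) that models both filters over constructed packets: the stateless filter judges each packet from its addresses, ports and SYN/ACK bits alone, while the stateful one records outbound echo requests and TCP SYNs in a state table and admits only the replies that match an entry, so an echo reply with no preceding echo request is dropped. The `Packet` fields, the 10.0.0.0/24 inside prefix and the sample addresses are all assumptions.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumed: our internal network (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP flag bits the lecture says a filter can key on
    ack: bool = False
    icmp_type: str = ""   # "echo-request" or "echo-reply"


def is_outbound(p: Packet) -> bool:
    return p.src.startswith(INSIDE_PREFIX)


class StatelessFilter:
    """Judges every packet on its own header: no memory of earlier packets."""

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            return True
        if p.proto == "tcp" and p.syn and not p.ack:
            return False          # block inbound connection attempts
        return True               # a reply and an unsolicited packet look the same


class StatefulFilter:
    """Remembers what the inside initiated and admits only matching answers."""

    def __init__(self) -> None:
        self.table = set()        # entries keyed by (inside host, outside host, ...)

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            if p.proto == "icmp" and p.icmp_type == "echo-request":
                self.table.add((p.src, p.dst, "icmp"))
            elif p.proto == "tcp" and p.syn and not p.ack:
                self.table.add((p.src, p.dst, p.sport, p.dport))
            return True
        if p.proto == "icmp" and p.icmp_type == "echo-reply":
            return (p.dst, p.src, "icmp") in self.table   # reply without a request: drop
        if p.proto == "tcp":
            return (p.dst, p.src, p.dport, p.sport) in self.table
        return False


# Constructed traffic: a ping and a TCP connection opened from inside, each
# answered by the real peer, plus an unsolicited "answer" from a third host.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", "icmp", icmp_type="echo-request"),
    Packet("203.0.113.9", "10.0.0.5", "icmp", icmp_type="echo-reply"),
    Packet("198.51.100.7", "10.0.0.5", "icmp", icmp_type="echo-reply"),
    Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, syn=True),
    Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000, syn=True, ack=True),
    Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000, syn=True, ack=True),
]


def verdicts(fw, packets=SAMPLE) -> list:
    return [fw.allow(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", verdicts(StatelessFilter()))   # admits both unsolicited packets
    print("stateful: ", verdicts(StatefulFilter()))    # drops them
```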
AntiVirus
anti-malware programs detect, block, and remove viruses and malware from infected systems. Describe the purpose of malware definitions
anti-virus and anti-malware. So an antivirus is a specialized software that can detect, prevent, and even destroy
send out these updates, or these malware definitions, to the antivirus software itself. They basically scan
recognizes a malware. So the antivirus will either delete that file, put
it in quarantine, or just flag it and alert the user that this file is infected or
Introduction to Cryptography
In this video, you will learn to: describe the purpose or use of cryptography in cybersecurity, describe how cryptography
between two parties, and only the intended recipient can understand
to understand for cryptography is that there's data at motion and data at rest, and both of them
Caesar Cipher, those are just a few examples of the ancient cryptography. Nowadays it is just more
evolved. We have encrypting data, and with the rise of computers, cryptography has
evolved over the years. To understand cryptography better and why it is important, we need to discuss
some key concepts. We'll start with confidentiality. Basically, confidentiality is the process of assuring
that only the intended parties can read and understand
someone has done something, and that someone cannot deny that action or that message
that encrypts a message. For example, the Caesar Cipher was an engineers' cryptography
algorithm that basically shifted the alphabet or shifted specific letters either to the right or to the left
in amount of kinds. Plaintext, like the word says, is just plain text
the ciphertext is something that is not humanly readable. Encryption is the process of transforming plaintext
algorithms out there that have stood the test of time are
public algorithms. Modern ciphers use modular math. On the left side of the screen, you will see some
this would be better. Column A will be the plaintext, column B will be the key that we'll use to
the resulting ciphertext. If you do it the other way around, you'll have column A XOR B, meaning you have the ciphertext, and you run that on
there's the block cipher. Stream ciphers encrypt or decrypt the information
encrypt at a time. So a block cipher will encrypt the message 64 bits at a time.
Types of Cryptography
modern encryption types. There are the symmetric, the asymmetric and
encryption algorithm or the algorithm is based on just one key and that key needs to remain secret at all
times. DES, Triple DES and AES are just some of the examples
the pioneers of the modern asymmetric encryption. On asymmetric encryption, we have two keys, as
publicly, called the public key, and the other one needs to be kept
to generate the two keys. It's based on math like factoring prime numbers and
permits that we exchange one key between two nodes or two parties and from that point forward
algorithm and no key. This means that any length or a variable-length plaintext is hashed into a
can determine this by hashing that same plain text and checking the previous hash and
the hash that we just did. In other words, if we generated a plaintext and we send
on that message using the previous hash generated and then the hash generated
older algorithms. They are prone to collisions and SHA-2 is the newer and
one of the issues. SHA-1 and MD5 are the older algorithms that are
more prone to collisions. A collision means
two different plaintexts having the same hash. Again, since we have
Cryptographic Attacks
will guess correctly. Rainbow tables are similar, but they use a limited amount of information or
entity, or files, and they actually contain pre-hashed passwords that we can check against hash
customers, that makes the attacks
understand and try to get the actual key that is used in the cipher to
we don't own plaintext, we just own ciphertext, and based on that ciphertext, we try to derive the key used
terms such as plain text, cipher text, symmetric key, public key, substitution cipher, Data Encryption Standard. So before starting,
one of the things we should do is set our lexicon or dictionary about cryptography. So there are a couple of
key points to be made here. Looking at this diagram, we see Alice communicating
and receiver respectively. Alice has a plain text message that she wishes to send to Bob. So the plain text message
is human readable. This is a clear text. It can be an email, a Microsoft Word document, a web-page link, anything that Alice may wish
right here that indicates that is Alice's key. So K_A is Alice's key. Once again, this creates
channel and sent to Bob who's the recipient. Bob decrypts the cipher-text to recover the plain
cryptography architecture. One is a symmetric key. This is where the receiver key, Bob's key and Alice's keys
uses a difference of a key. There is a secret key that Bob has so K_A does
symmetric cryptography. Let's take some time and investigate the principles behind symmetric
the substitution cipher. So this is the equivalent of a magic decoder ring, where we have a simple
substitution of one letter. It's a mono-alphabetic cipher, which means that we substitute one letter for another, and that substitution does not change
for the entire message. We'll take a look here at a plain text or are we
just simply run a through z and the cipher-text
as in the example from Alice to Bob says, "Bob, I love you Alice,"
and the cipher-text as you can see is nkn and you can certainly
break this simple cipher. Well, the answer is it's not very hard at
text will reveal what e is. In this case, e will be c. So this frequency histogram will quickly yield the
cipher-text. So in fact, this is not
a very secure method to use. Now, from a graphic of what symmetric key cryptography
the message as M, encrypts the plain text with the key especially designed
here is found by applying the decryption key to the encrypted message or the cipher-text that Bob
has received from Alice. So this element right here. This is the message. This is the decryption
the plain text message. So Bob and Alice, for this to work, we have to share
the distribution key K_A-B. Now the question is, how do Bob and Alice
agree on the key value? That is actually the weakness for symmetric key cryptography. The actual encryption
on that and we'll take a look at some other methods that are just not
public-key cryptography. But the issue is, this is about key distribution, how does Bob get
the key from Alice? So she could e-mail it, but could truly
decryption of that message, and the answer was obviously yes. So the problem, and we'll talk
about this in more detail, the foundational problem for symmetric key cryptography is actually in key
distribution. So let's take a look, there is another symmetric key method. We'll take a look at some of the technology behind
cryptography approach. So this was actually built to a standard that NIST published. It's a 56-bit
symmetric key. So that means that the key from Alice to Bob is 56 bits long. When you see a 64-bit
that the algorithm, the DES encryption algorithm, ingests digests text
plaintext message, you'd have 10, 64-bit groups that are going
to be encrypted. So one of the questions, of course, is how secure is DES, the data encryption standard?
Well, 56-bit keys, like I said, it is
broken in about four months. So how to defeat that? Well, change the key
every three months, and then they have to
simply start it over. So there's no known back door. This has been gone through peer review within the cryptography community
the slightest vulnerability in an encryption standard. So this has never been published, so we have a sense that there's
some strength right here. So we'll take a look at how to make this a
architectural element for DES. So there's actually, you can take a look, just do a little finger walk right here, that you can see that there's
against this element, and they are swapped left and right and there's
there are 16 rounds of this segmentation and encryption per encryption cycle
times and we would concatenate those ten and send that as the encrypted message. Following DES, in
November of 2001, NIST published a new standard. So what happened was that NIST moved the ingest block
by a factor of two. So it went from 64 bits to 128 bits. The key length moved from 56 bits to these larger numbers
that we've seen here, 128, 192, or 256 bits. Why are there three? Well, this is a user
using the longer bits, the 128-bit versus the 64-bit, makes for
the previous slide, we mentioned that we had a brute force approach that with the high-end
years for AES. So you've seen the attraction that brute force is essentially off the table when it comes to the advanced
considerations you might run into. Describe the difference between white hat,
black hat, and grey hat attackers. Describe the several different types of
threat actors and what characterizes each. >> Okay, for our next topic we're going
a practice that requires several contracts before it can be performed. For example, service level agreement,
the penetration testing a legal agreement between two parties. The penetration testers are the ones in
charge of doing the technical process and they are also called white hackers. There are different types of hackers and
we can divide them into three categories, basically white hat hackers,
grey hat hackers and black hat hackers. The white hat hackers, as we discussed
earlier, are basically the ethical hackers, people that do this under
testing on companies and they do it for the good of the company. Grey hat hackers, they stand like in
between the white hats and the grey hats, they usually perform penetration
testing without authorization, but they usually report back to the customer,
were not contracted to do this. So they were not authorized for previously
they report back to the customer or the victim, the possible victim. On the other hand we have
the black hat hacker, they are quote unquote the bad guys. They usually do these types of attacks for
personal recognition, money, political agenda or social change. They do not do it under contract if they
it's partially responsible for an incident or an attack. It usually affects the security
are also different skill levels associated with them. To start with during there's
they rely on automated tools to hack. They do not develop their own tools and
they pretty much use what's publicly available with very little
technical knowledge. We have also the hacktivist. These types of hackers are usually
change in their minds. There is also organized crime. These are usually external
they have very high technical knowledge. They are also heavily funded from
the company for example, and they could be motivated to perform some sort of
they deleted that information by mistake. We also have the competitors. A competitor could be a potential security
risk to other organizations because they could be motivated by maybe releasing
a product before the competition. And finally we have the nation states. Nation states are external to
the company. They are also highly sophisticated. They are very well economically funded,
nation-state threat actors. The Fancy Bear, also called APT28. Lazarus Group, ScarCruft, also called
Group 123 or the APT29. These are all examples of nation
Pentest Methodologies
one of the key parts of the methodology. It's something that will give you a clear
is dealing with the cyber security war. You're still in with the cyber security
methodologies that are in the public knowledge, or are in the environment for
you to understand and follow. So we have the OSSTMM methodology, the Open Source Security
Financial Institution Examination Council for Information Technology Examination. And then we have the ISSAF, Information
you will see a lot of things, you will see a lot of information from
on your pen test project. So, for example, when you are in the Intelligence Gathering
process, you can click here. And you will have a lot
if you work as a pen tester, as an ethical hacker, the first step and
the most important step that you could do is the information gathering process,
your client, understand all the possible exploits, all the older possible systems
that you could exploit on your target. So, normally, there is a misconception
will just go and open something called Metasploit and start working with
commands and exploits and that's all. I mean, that's not the real world,
information gathering from your target in order to proceed with the other phases. Then when you have enough information,
you could go and start your Threat Modeling process. So you have all the information for
is the Vulnerability Analysis. In some occasions, as pen testers, we use vulnerability scanners,
the Vulnerability Assessment Tools. For understanding a little bit better which vulnerabilities are more likely
port 80, and we already know that that thing on port 80 is a web page running on
Apache Server Version 2.6, for example. One of the things that we could do
for example, OpenVAS. We can use Qualys, we can use Nessus, there is a lot of
Vulnerability Assessment Tools over there. But one of the things that is also
important for you to understand, you could also explore the vulnerabilities
could do is just go to Google. And if you have the version of the system,
just go and type exploit apache 2.4, for example. And you will have a lot of information
you will need, first of all, to understand that you as a pen tester,
or as an ethical hacker. You cannot, you cannot, again, you cannot exploit any system if
you don't have the permission to do that. You need to coordinate with your client, you need to coordinate with your victim
[LAUGH] the time frame, time windows, in order to perform the exploit
that we were talking about minutes ago. In a time where your victim, your client is performing some
important actions on the Web page. For example, in a high season of sales for that client that will
take over the Internet. So, if you exploit the system and you,
not just get access into the system, but you also break the system because
you perform a denial of service attack. You probably will have problems because the normal operation of
the client is affected by you. So that's an important part for
Pen Test Standard methodology that we're seeing here, there is a lot of things
that you need to have in mind. So, for example, if you want to send a payload with
using NetGuard with encryption. Or using other tools that are not
use ports that are open on the system. And, lastly, we have
the Post Exploitation and Reporting. Again, the Post Exploitation is what
happened when you already have access to the system. How could you maintain the access,
how could you start doing some pivoting? In other words, how could you start
jumping from computer to computer? Or how could you start doing something
that we call privilege escalation? And the most important part here,
that is separate from the pen testing world and this is vulnerability
assessment test. So as I mentioned there are tools that will exploit or will try to give us vulnerabilities for each of the systems that
we are dealing with. So for example when we have a system and we know
a manual search, but we can use open badge for example to perform an automated
vulnerability assessment. So the tool will be run on the network from
your client and will give us a lot of information from possible exploits
gain access to the system. Now the important part of the vulnerability assessment
identified on the system. It will only give us the report, it will only give us
the information to exploit that vulnerability, but will not exploit the
vulnerability itself. So that's the next step if we're dealing with a pen testing
security into the systems for the vulnerabilities or the exploits not be
access on the system. Now to start or to test that we're doing the
annually for example, in some occasions one or two times per year, it's
important or is recommended, but in this case the pen testers will take
not just the vulnerabilities that you already know that you have, but probably will take some additional exploits
Digital Forensics
the practice of digital forensics and what technical skills and legal
hard drives, cell phones, servers. If we talk about forensic science, we need to talk about
the technical world or the computer world. The perpetrator of a crime will bring
something into the crime scene and leave with something from it. And both can be used
anybody commits a crime, he will take something from the crime, but he will
also leave something in the crime scene. And those two facts can be used for
we need to talk about chain of custody, just as we would in forensic science. Basically it refers to
been done with the evidence. Who has had it in the past,
who has copied the information, how it was copied, who has analyzed
the information, all sorts of things. And chain of custody will be able to
tell us that or recreate that for us. This chain of custody process has
we have a few samples of the Faraday cage, it's basically a device that
can block any electronic. It basically blocks magnetic fields. And it's used to isolate cellphones,
for example, from the cellular data, wi-fi access. So it isolates the cellphone from any
impulse or any electronic communication. We also have specific forensics tools or a forensics briefcase that have
case folders, blank forms. Basically these blank forms are what
collected during the investigation. Also we would need some empty hard drives
if we need to copy any information. And also the write blockers because we
want to make sure that we're able to copy anything from the hard drives but we're
not writing anything into the hard drives. We have several software
tools out there and this is just a very small list of
applications like Volatility, and we also have paid software like FTK and
the Linux operating systems out there. Autopsy, Bulk Extractor, and many more are some of the tools that can be used in any forensics investigation.