
Security Fundamentals
Based on Security+
Hello!
I am Abdulrahman AlDaej
Info Security Analyst
CEH, CHFI

You can find me at:
Twitter: @a9_4
Part 2. Technology and Tools

PERIMETER SECURITY

Small tip:
Keep in mind that each organization has different needs and might use additional tools for perimeter defense.
Firewall
• A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.

Firewall rules
• Access control lists (ACLs) allow or disallow traffic based on source IP, destination IP, port number, time of day, or application.

Implicit deny:
• Most firewalls include a deny at the end of the list, even if you didn't put one there.
• Unless you explicitly permit it, traffic cannot pass.
Stateless firewall
• Access control list (ACL) firewall
• Does not keep track of traffic flows
• Each packet is individually examined, regardless of past history
• Faster, and performs better under heavier traffic loads

Stateful firewall
• Remembers the "state" of the session
• Watches traffic streams from end to end
• Everything within a valid flow is allowed
• Better at identifying unauthorized and forged communications

• Question: On which OSI layer does a firewall work?
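Added example (not from the original slides, and not any vendor's firewall code): a small Python model of the two firewall types above. The rule list, addresses and packets are constructed for the demonstration. The same ACL is evaluated two ways: the stateless path judges each packet on its own and falls through to the implicit deny, while the stateful path remembers permitted 5-tuples so a server's reply passes and a mid-connection packet with no known flow is rejected. Rule order matters: the deny for 203.0.113.7 never fires on port 443 because the earlier allow matches first.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IP
    sport: int          # source port
    dst: str            # destination IP
    dport: int          # destination port
    syn: bool = False   # TCP SYN flag: set only on the first packet of a new connection


# Constructed rule list. Fields may be "*" (match anything); addresses may be CIDR.
# First matching rule wins; anything that reaches the end of the list is denied.
RULES = [
    {"proto": "tcp", "src": "*",           "dst": "10.0.0.5",  "dport": 443, "action": "allow"},
    {"proto": "udp", "src": "10.0.0.0/8",  "dst": "10.0.0.53", "dport": 53,  "action": "allow"},
    {"proto": "tcp", "src": "203.0.113.7", "dst": "*",         "dport": "*", "action": "deny"},
]


def _match_addr(pattern, addr):
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _match_field(pattern, value):
    return pattern == "*" or pattern == value


def stateless_decision(pkt, rules=RULES):
    """ACL evaluation of one packet in isolation: first match wins, implicit deny at the end."""
    for rule in rules:
        if (_match_field(rule["proto"], pkt.proto)
                and _match_addr(rule["src"], pkt.src)
                and _match_addr(rule["dst"], pkt.dst)
                and _match_field(rule["dport"], pkt.dport)):
            return rule["action"]
    return "deny"   # implicit deny: nothing explicitly permitted this packet


class StatefulFirewall:
    """Same ACL, but remembers permitted flows so that replies and later packets
    of an established session pass, while out-of-state packets are rejected."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()   # 5-tuples of sessions the ACL permitted

    def decision(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "allow"            # part of a valid, already-permitted flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"             # mid-connection packet with no known flow: forged or stray
        action = stateless_decision(pkt, self.rules)
        if action == "allow":
            self.flows.add(forward)   # new session: remember its state
        return action


def compare(packets):
    """Return (stateless, stateful) verdicts for a packet sequence, side by side."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]
```

Run `compare([...])` over a client SYN, the server's reply and a stray ACK from a third host: the stateless firewall denies the legitimate reply (no rule for traffic toward the client) but allows the stray ACK, and the stateful firewall does the opposite.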
VPN concentrators
• A VPN concentrator is a type of networking device that is used to allow multiple external users to access internal network resources using secure features that are built into the device (VPN)
• Often integrated into a firewall

Remote access VPN
• On-demand access from a remote device
• Software connects to a VPN concentrator
• Software can be configured as always-on

Site-to-site VPN
• Always-on, or almost always
• Firewalls often act as VPN concentrators; the sites probably already have firewalls in place
IPsec (Internet Protocol Security)
• A set of protocols that provides security for the Internet Protocol (layer 3)
• Authentication and encryption for every packet
• Confidentiality (encryption) and integrity/anti-replay
• Common to use multi-vendor implementations

IPsec protocols
Authentication Header (AH):
• Hash of the packet and a shared key using MD5, SHA-1, or SHA-2 (integrity)

Encapsulating Security Payload (ESP):
• Encrypts the packet using 3DES or AES
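Added example (not from the original slides, and not a real IPsec implementation): the integrity and anti-replay mechanics that AH provides, reduced to a keyed hash over a sequence number plus payload and a receive window of the kind RFC 4302 describes. The shared key is a constructed constant (real IPsec keys come from IKE), the tag is HMAC-SHA256 rather than the MD5/SHA-1 the slide lists, and the packet layout (4-byte sequence number, 32-byte tag, payload) is this example's own. A replayed packet, a tampered packet and a packet that fell behind the window are each rejected with a distinct reason.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key-for-this-example"   # constructed; real IPsec keys are negotiated by IKE
TAG_LEN = 32                                        # HMAC-SHA256 integrity check value
WINDOW = 64                                         # anti-replay window size, as in RFC 4302


def build_ah_packet(seq, payload, key=KEY):
    """Sender side: prefix a 32-bit sequence number and an HMAC tag covering seq + payload."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class AhReceiver:
    """Receiver side: verifies integrity and rejects replayed or stale sequence numbers."""

    def __init__(self, key=KEY, window=WINDOW):
        self.key = key
        self.window = window
        self.highest = 0     # highest sequence number accepted so far
        self.seen = set()    # accepted sequence numbers still inside the window

    def receive(self, packet):
        """Return (accepted, reason, payload)."""
        if len(packet) < 4 + TAG_LEN:
            return False, "truncated", None
        seq = struct.unpack("!I", packet[:4])[0]
        tag, payload = packet[4:4 + TAG_LEN], packet[4 + TAG_LEN:]

        # 1. Cheap sequence-number check first (the order RFC 4302 uses)
        if seq == 0 or seq <= self.highest - self.window:
            return False, "too-old", None
        if seq in self.seen:
            return False, "replay", None

        # 2. Integrity check with a constant-time comparison
        expected = hmac.new(self.key, packet[:4] + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-integrity", None

        # 3. Only a packet that passed both checks advances the window
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, "ok", payload
```

Note that a tampered packet does not consume its sequence number: the genuine packet with that number is still accepted afterwards, which is why the window is updated only after the tag verifies.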
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event.

• Stop exploits against operating systems, applications, etc.
• Buffer overflows, cross-site scripting, other vulnerabilities
• Detection (IDS) - Alarm or alert
• Prevention (IPS) - Stop it before it gets into the network
IDS/IPS detection technologies
• Signature-based - Look for a perfect match
• Anomaly-based - Build a baseline of what's "normal"
• Behavior-based - Observe and report; can detect zero-day attacks
• Heuristics - Use artificial intelligence to identify
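Added example (not from the original slides, and not any IDS product's code) contrasting the first two detection approaches over constructed web-server log lines. The signature detector looks for an exact pattern, so it must URL-decode the request first or the encoded `UNION SELECT` never matches; the anomaly detector has no pattern at all and flags any client whose request count exceeds mean + 3 standard deviations of a constructed baseline, which catches the flood from 198.51.100.20 but would also flag a legitimately busy client. The log format, signatures and baseline values are this example's assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
LOG_LINES = [
    '10.0.0.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.4 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200',
    '10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /login?user=a%27%20UNION%20SELECT%201 HTTP/1.1" 200',
    '10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /../../etc/passwd HTTP/1.1" 404',
] + [
    f'198.51.100.20 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET /search?q={i} HTTP/1.1" 200'
    for i in range(12)
]

# Constructed baseline: requests per client observed in a "normal" window of the same length.
BASELINE = [3, 4, 2, 5, 3, 4]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Signature-based: known-bad patterns that must match exactly (after decoding).
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "xss-script-tag": re.compile(r"<script", re.I),
}


def parse(line):
    """Return the fields of one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Return (ip, signature) for every request containing a known-bad pattern.
    The request is URL-decoded first; without that, '%20UNION%20SELECT' never matches."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        req = unquote(rec["req"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                alerts.append((rec["ip"], name))
    return alerts


def anomaly_alerts(lines, baseline, k=3.0):
    """Anomaly-based: flag clients whose request count exceeds mean + k*stddev of the
    baseline. Returns {ip: count} for the outliers. Catches floods that have no signature,
    but a noisy or badly chosen baseline produces false positives."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter(rec["ip"] for rec in map(parse, lines) if rec)
    return {ip: n for ip, n in counts.items() if n > threshold}
```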
Passive monitoring
• Examine a copy of the traffic
• Port mirror (the switch sends a copy of all network packets seen on one port)
• No way to block (prevent) traffic

Out-of-band response
• When malicious traffic is identified, the IDS/IPS sends TCP RST (reset) frames
• After-the-fact

Inline monitoring
• The IDS/IPS sits physically inline
• All traffic passes through the IDS/IPS

In-band response
• Malicious traffic is immediately identified
• Dropped at the IPS
• Does not proceed through the network
Routers
A router is a networking device that connects networks together and forwards data packets between computer networks.
• Layer 3 device
• Routers inside of switches are sometimes called "layer 3 switches"

Switch
A switch is a device in a computer network that connects other devices together using ports.
• Layer 2 device
• Forwards traffic based on MAC address
Port security
Enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through the port.
• MAC addresses can be spoofed
• Port security can still provide useful network security functionality

Loop prevention
• Connect two switches to each other
• They'll send traffic back and forth forever
• There's no "counting" mechanism at the MAC layer
• This is an easy way to bring down a network
• Easy to resolve using Spanning Tree Protocol
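Added example (not from the original slides, and not any switch vendor's code): a constructed model of the port security behaviour described above. Each port learns up to `max_macs` source addresses and treats any further address as a violation; the three violation modes (`protect`, `restrict`, `shutdown`) follow the vocabulary commonly used for this feature, and the port names and MAC addresses are made up. Because the check keys on the source MAC alone, a spoofed address that matches a learned one is forwarded, which is the limitation the slide points out.

```python
from collections import defaultdict


class PortSecuritySwitch:
    """Constructed model of switch port security: each port learns up to max_macs source
    MAC addresses; a frame from any further MAC is a violation. Violation modes:
    'protect' (silently drop), 'restrict' (drop and log),
    'shutdown' (drop, log, and err-disable the port)."""

    def __init__(self, max_macs=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode")
        self.max_macs = max_macs
        self.violation = violation
        self.allowed = defaultdict(set)   # port -> learned ("sticky") source MACs
        self.disabled = set()             # err-disabled ports
        self.log = []                     # (port, mac) violation records

    def ingress(self, port, src_mac):
        """Return 'forward' or 'drop' for a frame arriving on `port` with source `src_mac`."""
        mac = src_mac.lower()
        if port in self.disabled:
            return "drop"
        learned = self.allowed[port]
        if mac in learned:
            return "forward"              # known address; a spoofed copy passes too
        if len(learned) < self.max_macs:
            learned.add(mac)              # the first max_macs addresses seen are learned
            return "forward"
        if self.violation in ("restrict", "shutdown"):
            self.log.append((port, mac))
        if self.violation == "shutdown":
            self.disabled.add(port)
        return "drop"

    def clear_port(self, port):
        """Operator action: re-enable an err-disabled port and forget its learned MACs."""
        self.disabled.discard(port)
        self.allowed.pop(port, None)
```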
Proxy
A server or an application that sits between the users and the external network.
• Receives the user requests and sends the requests on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Transparent: users will not notice it

Forward proxy
The destination server thinks the requests come from the proxy (to protect the internal users)
Reverse proxy
Users think the response comes directly from the server (to protect the internal servers)
LOAD BALANCER
A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers.
• Distribute the load between multiple servers
• Invisible to the end-user

Round-robin scheduling
• Sending each new request to the next server
• Requests are spread equally across the servers

Affinity scheduling
• Designed to keep a host connected to the same server across a session
• Web applications can benefit from affinity-based scheduling
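Added example (not from the original slides, and not any load balancer's code) implementing the two scheduling policies just described. The backend names and client addresses are constructed. Round-robin ignores who is asking and simply cycles; source-IP affinity hashes the client address with SHA-256 (a stable hash, unlike Python's per-process `hash()`) so the same client always lands on the same backend, and `mark_down` shows the cost of affinity: when a backend fails, its clients lose their session and are re-mapped.

```python
import hashlib
from itertools import cycle

SERVERS = ["web1", "web2", "web3"]   # constructed backend pool


class RoundRobin:
    """Each new request goes to the next server in turn, regardless of who sent it."""

    def __init__(self, servers):
        self._next = cycle(list(servers))

    def pick(self, client_ip):
        return next(self._next)


class SourceAffinity:
    """A client keeps hitting the server it was first mapped to, so server-side session
    state survives across requests. The mapping uses a stable hash (SHA-256) so it is the
    same on every load balancer node and after a restart."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}   # client_ip -> server

    def pick(self, client_ip):
        if client_ip not in self.table:
            digest = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            self.table[client_ip] = self.servers[digest % len(self.servers)]
        return self.table[client_ip]

    def mark_down(self, server):
        """Remove a failed server; its clients lose their session and are re-mapped next time."""
        self.servers.remove(server)
        self.table = {c: s for c, s in self.table.items() if s != server}


def schedule(balancer, client_ips):
    """Run a sequence of requests through a balancer and return the chosen servers."""
    return [balancer.pick(ip) for ip in client_ips]
```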
Active-passive load balancing
The first load balancer is actively doing the balancing while the secondary load balancer passively observes and is ready to step in at any time the primary system fails.

Active-active load balancing
All the load balancers are active, sharing the load balancing duties. Active-active load balancing can have performance efficiencies.
Wireless Access Point (WAP)
Networking hardware device that allows a Wi-Fi device to connect to a wired network
• A WAP is an OSI layer 2 device

Service Set Identifier (SSID)
• Change the SSID to something not-so-obvious
• Disable SSID broadcasting?

Media Access Control (MAC) filtering
• Limit access through the physical address
• MAC addresses can be spoofed

Signal strength
• Set it as low as you can. How low is low?
• Requires some additional study
• Location, location, location
Wi-Fi band selection
• The 2.4-GHz band used for older standards such as 802.11a/b/g is crowded and subject to interference
• Newer standards such as 802.11n and 802.11ac use the 5-GHz band

Antenna types:
Omnidirectional antennas:
• Included on most access points
• Signal is evenly distributed on all sides
• No ability to focus the signal

Directional antennas:
• Focus the signal
• Increased distances
• Send and receive in a single direction
SIEM
• Security Information and Event Management
• Tools collect, correlate, and display data feeds that support response activities
• The purpose of SIEM is to turn a large amount of data into knowledge that can be acted upon
• One of the challenges is in determining what to log and what not to log

Aggregation
• Collecting information in a central place in a common format, to facilitate analysis and decision making.

Correlation
• Linking of events based on some common basis. Events can be correlated based on time, based on common events, based on behaviors
Automated alerting and triggers
• SIEMs have the ability, through a set of rules and the use of analytical engines, to identify specific predetermined patterns and either issue an alert or react to them

Time synchronization
• Switches, routers, firewalls, servers
• Synchronizing the clocks becomes critical
• Log files, authentication information, outage details
• Automatic update with NTP (Network Time Protocol)

Event de-duplication
• Filter out the noise
• Focus on the real problems
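Added example (not from the original slides, and not any SIEM product's code) that walks through aggregation, de-duplication and a correlation rule on constructed events: a handful of sshd syslog lines (one of them forwarded twice) and two JSON web-login records. `aggregate` normalises both feeds into one schema with a real timestamp, which is the step that depends on synchronised clocks; `deduplicate` drops the exact repeat; `correlate` raises an alert when a success follows three or more failures from the same source within 60 seconds. The log lines, the assumed syslog year and the rule thresholds are this example's own.

```python
import json
import re
from datetime import datetime

# Constructed sample events in two source formats (not real logs). Syslog lines carry no
# year, so a collector has to assume one; here it is fixed to 2023.
SSHD_LINES = [
    "Oct 10 13:55:01 host1 sshd[123]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "Oct 10 13:55:02 host1 sshd[123]: Failed password for root from 203.0.113.5 port 5002 ssh2",
    "Oct 10 13:55:02 host1 sshd[123]: Failed password for root from 203.0.113.5 port 5002 ssh2",  # forwarded twice
    "Oct 10 13:55:03 host1 sshd[124]: Failed password for root from 203.0.113.5 port 5003 ssh2",
    "Oct 10 13:55:09 host1 sshd[125]: Accepted password for root from 203.0.113.5 port 5004 ssh2",
]
WEB_JSON_LINES = [
    '{"ts": "2023-10-10T13:57:00", "user": "alice", "src": "10.0.0.8", "result": "fail"}',
    '{"ts": "2023-10-10T13:57:30", "user": "alice", "src": "10.0.0.8", "result": "success"}',
]
SYSLOG_YEAR = 2023
SSHD_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def aggregate(sshd_lines, web_lines):
    """Aggregation: normalise both feeds into one common schema with a real datetime,
    which is what makes cross-source correlation possible."""
    events = []
    for line in sshd_lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome = "fail" if m.group(2) == "Failed" else "success"
        events.append({"ts": ts, "source": "sshd", "user": m.group(3), "src": m.group(4), "outcome": outcome})
    for line in web_lines:
        rec = json.loads(line)
        events.append({"ts": datetime.fromisoformat(rec["ts"]), "source": "web",
                       "user": rec["user"], "src": rec["src"], "outcome": rec["result"]})
    return sorted(events, key=lambda e: e["ts"])


def deduplicate(events):
    """Event de-duplication: drop exact repeats (same time, source, user, src, outcome)."""
    seen, unique = set(), []
    for e in events:
        key = (e["ts"], e["source"], e["user"], e["src"], e["outcome"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def correlate(events, threshold=3, window_s=60):
    """Correlation rule: a successful login preceded by >= threshold failures from the same
    source within window_s seconds. Returns one alert per matching success event."""
    alerts = []
    for s in events:
        if s["outcome"] != "success":
            continue
        failures = [e for e in events
                    if e["outcome"] == "fail" and e["src"] == s["src"]
                    and 0 <= (s["ts"] - e["ts"]).total_seconds() <= window_s]
        if len(failures) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src": s["src"],
                           "user": s["user"], "failures": len(failures), "ts": s["ts"]})
    return alerts
```

Running `correlate` on the raw events counts four failures because the duplicate is still there; after `deduplicate` it counts three. The order matters when thresholds are tuned close to the real count.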
Data Loss Prevention (DLP)
DLP technology can scan packets for specific data patterns: secrets, specific markers, or files. When specific data elements are detected, the system can block the transfer (data exfiltration).

DLP USB blocking
• A local DLP agent handles USB blocking, limiting or encrypting data

Cloud-based DLP
• Located between users and the Internet
• Watches every byte of network traffic
• Blocks custom-defined data strings
• Unique data for your organization
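Added example (not from the original slides, and not any DLP product's code) of the pattern scanning described above, for a payment card number and for organisation-specific markers. The marker strings and the test inputs are constructed. The point a plain regex misses is shown by the Luhn check: a 16-digit order number has the shape of a card number but fails the checksum, so it is not blocked, while a genuine-looking number is blocked and logged in masked form so the DLP log does not become a second copy of the secret.

```python
import re

# A bare PAN is 13-16 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Constructed organisation-specific markers a cloud DLP would be configured with.
MARKERS = ["PROJECT-FALCON", "INTERNAL-ONLY"]


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits, as card-handling logs conventionally do."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(payload, markers=MARKERS):
    """Return findings as (kind, evidence). Card numbers are masked in the evidence."""
    findings = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    upper = payload.upper()
    for marker in markers:
        if marker.upper() in upper:
            findings.append(("marker", marker))
    return findings


def decide(payload, markers=MARKERS):
    """Policy: block the transfer if anything sensitive was found, otherwise allow."""
    return "block" if scan(payload, markers) else "allow"
```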
Network Access Control (NAC)
NAC can protect the network from malicious machines by policy enforcement that helps ensure that computers are connected only after they are properly configured.

MAIL GATEWAY
A mail server that receives email but passes it on
• Spam filter - unsolicited email ads and phishing
• DLP - block confidential information in emails
• Emails can be encrypted using PGP
SSL accelerators
A device that plugs into the server and contains a co-processor that performs part of the SSL/TLS processing, relieving the load on the web server's main processor

SSL decryptor
A device that has the ability to view inside secure HTTP traffic (SSL)
• Stop outbound malware botnet connections
• Stop a rogue insider from sending out sensitive information
Hardware Security Modules (HSMs)
A device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or digital signatures.
• HSMs have tamper protection mechanisms to prevent physical access

Time for testing ourselves and answering some questions!
Protocol analyzers
Hardware or software used to capture and analyze signals and data traffic over a communication channel. Ex: Wireshark, tcpdump
• Gathers packets on the network or in the air
• Identify unknown traffic
• Verify packet filtering and security controls
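Added example (not from the original slides, and not Wireshark's or tcpdump's code): the core of what a protocol analyzer's dissector does, written in Python for a constructed frame. `parse_frame` walks Ethernet II, then IPv4, then TCP or UDP, validating each length before trusting the next header, and recomputes the IPv4 header checksum so a corrupted header is reported rather than silently decoded. `build_sample_frame` constructs a TCP SYN from 10.0.0.4:40000 to 10.0.0.5:443 with made-up MAC addresses. Requires Python 3.8+ for `bytes.hex(":")`.

```python
import ipaddress
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words. Over a header that already carries a
    correct checksum field the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame):
    """Dissect Ethernet II -> IPv4 -> TCP/UDP headers from raw bytes, checking lengths as it goes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                      # not IPv4: stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    out.update({
        "ip_src": str(ipaddress.IPv4Address(s)), "ip_dst": str(ipaddress.IPv4Address(d)),
        "ttl": ttl, "proto": proto, "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    })
    l4 = ip[ihl:total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "tcp_flags": [name for bit, name in TCP_FLAGS if off_flags & bit]})
    elif proto == 17 and len(l4) >= 8:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        out.update({"sport": sport, "dport": dport, "udp_len": length})
    return out


def build_sample_frame(ttl=64):
    """Constructed TCP SYN from 10.0.0.4:40000 to 10.0.0.5:443, with a valid IPv4 checksum."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    src, dst = ipaddress.IPv4Address("10.0.0.4").packed, ipaddress.IPv4Address("10.0.0.5").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp
```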

Network scanning or mapping
• Active - scan for IP addresses and open ports (OS and services = banner grabbing); pick a range of IP addresses
• Can create network diagrams of how machines are connected
• Ex: Nmap, Zenmap
WIRELESS SCANNERS/CRACKERS
• Wireless monitoring - packet capturing
• Wireless attacks: rogue access point, deauthentication attacks, etc.
• Cracking using dictionary brute force, rainbow tables
• Examples of wireless scanners: Kismet, NetStumbler, Airodump
• Password cracking tools: John the Ripper, Aircrack
EXPLOITATION FRAMEWORKS
• Tool sets designed to assist hackers/pen testers in the tasks associated with exploiting vulnerabilities in a system.
• The most commonly used framework is Metasploit

DATA SANITIZATION TOOLS
Removing the contents from the device or media as fully as possible
• Tool for wiping entire drives: DBAN
• Tool for individual files or folders: SDelete

Q: What happens after you delete a file?
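Added example (not from the original slides, and not SDelete's or DBAN's code) showing what a file-level sanitization tool adds on top of an ordinary delete: an ordinary delete only unlinks the name and leaves the data blocks on the media, so the tool first overwrites the contents in place, forces the writes to the device, truncates, and only then unlinks. The temp-file scenario in `demo` is constructed. The comments carry the practical caveat that on SSDs and copy-on-write or journaling file systems the old blocks can survive anyway, which is why whole-device sanitization or encryption at rest is the dependable answer there.

```python
import os
import secrets
import tempfile


def secure_delete(path, passes=3, chunk=1 << 16):
    """Overwrite a file's contents in place before unlinking it, the way file-level
    sanitization tools work. Returns the number of bytes overwritten.
    Caveat: on SSDs, copy-on-write or journaling file systems the old blocks may survive
    anyway; whole-device sanitization or encryption at rest is the reliable answer there."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())     # push the overwrite to the device, not just the page cache
        f.seek(0)
        f.truncate(0)                # final step: drop the length too
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)                  # only now remove the name, which is all a plain delete does
    return size


def demo():
    """Constructed scenario: write a secret into a temp file, sanitize it, confirm it is gone."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed secret " * 5000)
    overwritten = secure_delete(path)
    return overwritten, os.path.exists(path)
```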
STEGANOGRAPHY TOOLS
• The science of hidden writing, or more specifically the hiding of messages in other content.

HONEYPOT
A honeypot is a server that is designed to act like the real server on a corporate network, but rather than having the real data, the data it possesses is fake.
• Attract the bad guys - and trap them there
• The bad guys are probably a machine
• Many honeypots = honeynet
Command Line Security Tools

ping
• Test reachability
• Internet Control Message Protocol (ICMP)

netstat -a
• All active connections and listening ports

traceroute/tracert
• Determine the route a packet takes to a destination
• tracert (Windows) or traceroute (Linux)

nslookup/dig
• Look up names and IP addresses
• nslookup (Windows) or dig (Linux)

ipconfig/ifconfig
• Troubleshooting starts with your IP address
• Ping your local router/gateway
• Network adapter information
• ipconfig (Windows) or ifconfig (Linux)

netcat
• A tool that can do port scanning, monitoring, and file copying.
• Netcat is Linux based, but available for Windows machines.

Time for testing ourselves and answering some questions!
Common Security Issues
Unencrypted credentials
• Authentication is a critical process
• All data must be protected
• But some protocols aren't encrypted, like: Telnet, FTP, SMTP, IMAP, HTTP

Permission issues
Ensuring that the list of users and associated rights is complete and up to date is a challenging task.

Access violation
• The user is unauthorized and is either making a mistake or attempting to get past security.
• The other option is that permissions are set inappropriately (requires SIEM)
Personnel issues
• The weakest link - people make mistakes
• Always so willing to help someone
• Users should agree to an Acceptable Use Policy (AUP) before access to a corporate network

Unauthorized software
• Removing users' ability to add software
• The use of whitelisting

Baseline deviation
• Everything should be well documented: hardware, software, data storage
• Any changes to the norm should be identified; if something deviates from the baseline, you must fix it
• Anti-virus and signature version, OS patches
License compliance violation
• Operating systems, applications, hardware appliances: they are all licensed with different methodologies
• Availability gets affected when a license is not valid
• A missing/bad license may cause problems with data integrity

Asset management
• Identify and track computing assets
• Usually an automated process
• Respond faster to security problems
• You know who, what, and where
• Keep an eye on the most valuable assets
• Both hardware and data
Antivirus
Software that detects, prevents, and removes malware from a computer.
• Signatures (database)
• Heuristics look for instructions or commands that are not normal (many false positives)

Facts from Kaspersky, Q1 2017:
• 479,528,279 malicious attacks blocked
• 79,209,775 malicious URLs identified
• 240,799 blocked ransomware attacks
File integrity checker
• A tool computes a hash value (SHA-1 or MD5) for all selected files and creates a database of the hashes.
• The hashes are periodically recalculated and compared to the hashes in the database, to check for modification.
• Should be run when the system is first installed, to create a clean database
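Added example (not from the original slides, and not any integrity-checking product's code) of the three steps just listed: build a hash database on a clean tree, recompute later, and report what was modified, added or removed. It uses SHA-256 rather than the SHA-1/MD5 the slide names, since collisions have been demonstrated for both of those. The `demo` scenario creates a constructed `etc/` tree in a temporary directory, then tampers with one file, deletes another and adds a third.

```python
import hashlib
import os
import pathlib
import tempfile


def hash_file(path, algo="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Walk `root` and record one hash per regular file. Run once on a clean install."""
    baseline = {}
    root = pathlib.Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = pathlib.Path(dirpath, name)
            if p.is_symlink():
                continue            # do not follow links; the target is hashed under its own path
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def check(root, baseline, algo="sha256"):
    """Recompute hashes and report what changed since the baseline."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario in a temporary directory: baseline, then tamper, add and delete."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = pathlib.Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(tmp)
        clean = check(tmp, baseline)
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "rc.local").write_text("#!/bin/sh\n")
        return clean, check(tmp, baseline)
```

In practice the baseline database itself has to live somewhere the attacker cannot rewrite (read-only media, a separate host, or signed), otherwise modifying a file and re-baselining hides the change.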
UTM
Unified threat management (UTM) describes network solutions that integrate the capabilities of several security products into one all-inclusive security console.
• Antivirus
• Antimalware
• Firewall
• Intrusion prevention
• Virtual private networking (VPN)
• Web filtering
• Data loss prevention
• Popular among small businesses because it provides an affordable alternative to purchasing each security solution separately
Web application firewall (WAF)
• Hardware firewall for HTTP that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

WAF vs IPS
• IPSs deal with packets, while WAFs work within HTTP/HTTPS sessions.
• HTTP GET, POST, HEAD, JavaScript, SQL, HTML, XML and cookies are fundamental to the operation of a WAF but not required for an IPS.
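Added example (not from the original slides, and not any WAF product's rule set) showing why a WAF has to understand HTTP rather than packets: the rules are applied to each part of the request a WAF can name, the path, each query parameter, the body and each cookie, after URL-decoding the value until it stops changing so that a double-encoded payload is seen in its final form. The rule patterns and the sample requests are constructed and deliberately small; a production rule set is far larger and tuned against false positives.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed rule set: (rule id, pattern). Patterns are applied to decoded values.
RULES = [
    ("sqli-union", re.compile(r"union\s+select", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
    ("traversal", re.compile(r"\.\./")),
]


def normalize(value, max_rounds=3):
    """URL-decode repeatedly until the value stops changing (defeats double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(request, rules=RULES):
    """Apply the rules to every part of the HTTP request a WAF can see: path, each query
    parameter, the body and the cookies. Return the first (rule_id, location) hit or None."""
    locations = [("path", request.get("path", ""))]
    locations += [(f"query:{k}", v)
                  for k, v in parse_qsl(request.get("query", ""), keep_blank_values=True)]
    locations.append(("body", request.get("body", "")))
    cookie = request.get("headers", {}).get("Cookie", "")
    locations += [("cookie", c.strip()) for c in cookie.split(";") if c.strip()]
    for where, raw in locations:
        value = normalize(raw)
        for rule_id, pattern in rules:
            if pattern.search(value):
                return rule_id, where
    return None


def decide(request):
    """Policy wrapper: allow, or block with the rule and location that fired."""
    hit = inspect(request)
    if hit is None:
        return {"action": "allow"}
    return {"action": "block", "rule": hit[0], "location": hit[1]}
```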
Mobile Device Connection Methods

Cellular networks
4G or LTE in nature, although some 3G services still exist

Wi-Fi
These systems exist on the 2.4- and 5-GHz frequencies

SATCOM (satellite communications)
The use of transmitters and receivers and satellites in orbit to transfer the signals
Remote locations, natural disasters

Bluetooth
A short-range, low-power wireless protocol that transmits in the 2.4-GHz band
• Bluetooth 4 supports three modes: Classic, High Speed, and Low Energy
Near-field communication (NFC)
A set of wireless technologies that enables smartphones and other devices to establish radio communication when they are close to each other
• Two-way wireless communication
• Used by payment systems: Google Wallet and Apple Pay

ANT
A wireless sensor technology (2.4 GHz) that enables you to view fitness and health monitoring data in real time on your mobile device

IR (Infrared)
• Included on many smartphones and smartwatches
• It cannot penetrate solid objects

Time for testing ourselves and answering some questions!
Mobile device management (MDM)
A type of security software used by an IT department to control, secure and enforce policies on smartphones, tablets and other endpoints.
• BYOD - Bring Your Own Device
• Helps to set policies on apps, data, camera, etc.
• Control the entire remote device or a "partition"
• Force screen locks and PINs on single-user devices
Mobile Content Management (MCM)
• Protect data from outsiders
• Data sent from the mobile device
• DLP (Data Loss Prevention) prevents copy/paste of sensitive data
• Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (MDM)
Geolocation
• Precise tracking details (uses GPS)
• Tracks within feet
• Find your phone, or find you
• May be managed by the MDM

Remote wipe
• Remove all data from your mobile device
• Even if you have no idea where it is
• Often managed from the MDM
• Connect and wipe from the web

Geofencing
• Some MDMs allow for geofencing (uses GPS)
• Restrict or allow features when the device is in a particular area
• The camera might only work when outside the office
• Only allow logins when the device is located in a particular area
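Added example (not from the original slides, and not any MDM's code) of the ge ofencing rules the slide lists, the camera allowed only outside the office and logins only inside. The fence is a constructed centre point and radius; the distance is computed with the haversine formula on the device's reported latitude and longitude. The one refinement a practitioner wants is shown in `inside`: the reported GPS accuracy shrinks the effective radius, so a fix that might merely be inside the fence is treated as outside and does not unlock the login.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed site definition: office geofence as a centre point and radius in metres.
OFFICE_FENCE = {"name": "hq", "lat": 24.7136, "lon": 46.6753, "radius_m": 200.0}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside(fence, lat, lon, accuracy_m=0.0):
    """True when the reported position is within the fence. The reported GPS accuracy
    shrinks the effective radius, so a fix that merely *might* be inside does not count."""
    return haversine_m(fence["lat"], fence["lon"], lat, lon) + accuracy_m <= fence["radius_m"]


def policy(fence, lat, lon, accuracy_m=0.0):
    """The two rules from the slide: camera only outside the office, logins only inside."""
    at_office = inside(fence, lat, lon, accuracy_m)
    return {"camera": not at_office, "login": at_office}
```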
Time for testing ourselves and answering some questions!