network security threats and mitigation unit objectives explain common threats and vulnerabilities...
TRANSCRIPT
Network security threats and mitigation
Unit objectives Explain common threats and
vulnerabilities Explain common mitigation techniques Categorize different types of network
security appliances and methods Install and configure a firewall
Topic A
Topic A: Network security threats Topic B: Threat mitigation Topic C: Network security appliances
and methods Topic D: Installing and configuring a
firewall
Wireless security threats
Theft, rogue devices Default configuration of access points RF traffic Lack of encryption One-way authentication Client connection requests War chalking, war driving
Vulnerabilities of access points
Physical access Firmware vulnerabilities Default accounts
Wi-Fi scanners
Physical devices Laptop software
– Airsnort – NetStumbler
War driving War chalking Interference attacks Evil-twin attacks
War chalking symbols
Activity A-1
Scanning for insecure access points
Denial-of-service attacks
Consume or disable resources by flooding systems with TCP/IP packets
Hit client computers and servers
Distributed DoS attacks
Attacker uses multiple hosts Handlers Zombies
DDoS countermeasures
Packet filtering Turn off directed broadcasts Block ports
Man-in-the-middle attacks
Web spoofing Information theft TCP hijacking ARP poisoning ICMP redirect DNS poisoning
Buffer overflow
Attackers insert malicious code Remote execution capability
FTP bounce attacks
Use FTP port command Bypass security measures
Smurf attacks
Flood a host with ICMP packets Use third-party network Configure routers to drop specific
ICMP packets
Malware
Viruses Worms
Activity A-2
Discussing attacks on wired networks
Social engineering
Hacking people, not computers Goals include fraud, network intrusion,
espionage, identify theft, disruption Shoulder surfing
Attack types
Dumpster diving Hoax Impersonation Phishing Pharming Shoulder surfing Skimming
Spam Spear phishing Spim Tailgating Vishing Whaling
Social engineering countermeasures
Awareness Communicate security needs Policies
Activity A-3
Discussing social engineering
Topic B
Topic A: Network security threats Topic B: Threat mitigation Topic C: Network security appliances
and methods Topic D: Installing and configuring a
firewall
Antivirus software
Combat viruses Real-time scanners Checksum Definition files Antivirus products
Securing the operating system
Hardening Hotfixes Patches Updates Service packs
Windows Update
Updates
Important Recommended Optional
Activity B-1
Updating the operating system
Patch management
View list of installed updates View update information Uninstall updates when necessary
Activity B-2
Managing software patches
Security policies
Acceptable use Due care Privacy Separation of duties Need-to-know information Password management Account expiration Service-level agreements Ways to destroy or dispose of equipment,
electronic media, and printed documents
Acceptable use
Defines how computer and network resources can be used
Protects information and limits liabilities and legal actions
Addresses productivity issues Employees should read and sign
document
Due care
Judgment or care exercised in a given circumstance
Identifies risks to organization Assesses risks and measures to be
taken to ensure information security
Privacy
Privacy of customer and supplier information– Contracts– Sales documents– Financial data– Personally identifiable information
Compromised information causes entities to lose trust
Separation of duties
Avoids one person having all knowledge of a process– Potential for abuse– Knowledge leaves with person
Distribute tasks Document all procedures Security divided into multiple elements
– Each element assigned to different people
Need to know
Sensitive information accessed only by those who must
Give IT team just enough permissions to perform duties
Give explicit access to those who need it
Password management
Minimum password length Required characters Reset interval Reuse How users handle Check for weak passwords
Account expiration
Unneeded counts disabled or deleted Disable accounts for extended leaves
Service-level agreement
Contract between service provider and end-user
Defines levels of support Documents penalties Covers disaster recovery plans Contingency plans
Disposal and destruction
Degauss magnetic media Zeroize drives Physically destroy media Lock recycle bins Shred or burn documents
Activity B-3
Creating a security policy
Human resources policies
Document manual procedures for automated duties
Access policies– ID badges– Keys– Restricted-access areas
Personnel management– Hiring process– Employee review and maintenance– Employee termination
Incident response policy
1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Follow-up
Preparation
Have steps in place Balance easy access with effective
controls Identify steps to be taken Acceptable risks Due diligence
Detection
Ask questions and document responses
Containment
Shut down or take equipment offline Increase monitoring
Eradication
Clean or delete files Restore data
Recovery
Equipment Storage devices Passwords
Follow-up
Document entire process Use documents for training or for legal
proceedings
Activity B-4
Creating an incident response and reporting policy
Education
Educate staff about security– Network administrators– End-users
Enables all employees to be part of security team
Enables regular user to see potential security problems or security violations
Customize as needed– Big picture for end-users– Detailed knowledge for administrative users– Exhaustive knowledge for security
administrators
Communication
Identify what information can be shared and with whom
Identify what information can never be shared
Prove identity Social engineering threats
User awareness
Reason for training Security contacts Whom to contact about security incidents Actions to take Policies about system account use Policies about system media use Techniques for sanitizing media and hard
copies Maintaining security of accounts Application and data policies Internet, Web, and e-mail policies
Activity B-5
Identifying the need for user education and training
Topic C
Topic A: Network security threats Topic B: Threat mitigation Topic C: Network security appliances
and methods Topic D: Installing and configuring a
firewall
Assessment types
Threat Vulnerability Risk
Vulnerability assessments
1. Establish a baseline
2. Review the code
3. Determine the attack surface
4. Review the architecture
5. Review the design
Vulnerability testing tools
Port scanners Network mappers Password crackers Nessus and other dedicated scanning
applications
Intrusion detection
Types– Anomaly-based, heuristic– Behavior-based – Signature-based
IDS monitors for attacks IPS takes action NIDS: network IDS HIDS: host-based IDS
Events
True negative True positive False positive False negative
Activity C-1
Discussing IDS characteristics
NIDS
Monitors network for signs of attack Network location Indicators of malicious activity Active reaction options Passive reaction options
IDScenter for Snort
Example Snort rule
alert icmp any any -> any any (msg: “ICMP alert”;sid:2;)
Type (alert, log, etc.)
Protocol to watch
Source IP address
Source port
ID number (required)
Target IP
Message for log or alert
Target port
HIDS
Monitors a single host HIDS operation Logs File modifications Application and resource monitoring Network traffic monitoring
Advantages of HIDS over NIDS
Verify success or failure of attack Monitor individual users Monitor local attacks Not dependent on network (topology,
location, and so forth)
Activity C-2
Comparing host-based and network intrusion detection systems
Honeypots and honeynets
Honeypot: single host Honeynet: network Traps for attackers Purposes Ethical and legal considerations
Honeypot examples
HoneyPoint Symantec Decoy Server Specter PacketDecoy HoneyBot Honeyd Project Honey Pot
Honeypot deployment
Activity C-3
Examining the role and use ofhoneypots and honeynets
Topic D
Topic A: Network security threats Topic B: Threat mitigation Topic C: Network security appliances
and methods Topic D: Installing and configuring a
firewall
Firewalls and proxies
Traffic control devices Techniques
– NAT and PAT– Packet filtering– Stateful packet inspection– Access control lists
Firewall categories
Network-layer firewalls Application-layer firewalls
Activity D-1
Examining firewalls and proxy servers
Security zones
Network regions with various levels of security – Trusted zone– Semi-trusted zone – Untrusted zone
Intranet zone
Organization’s own network Highly trusted Private address space Separated from public network
Perimeter network
DMZ Network between intranet and Internet Not used in every network
DMZ options
Screened host Bastion host Three-homed firewall Back-to-back firewalls Dead zone
Screened host
Bastion host
Three-homed firewall
Back-to-back firewalls
Dead zone
Traffic filtering
Outgoing traffic Incoming traffic
NAT and PAT
Correlate internal and external addresses
Address availability Security
Port address translation
Ports differentiate internal servers Common ports PAT enables
– Sharing of single external IP address– Added security for internal but publicly
accessible servers
Activity D-2
Examining NAT and PAT devices
Firewall administration
Host-based; network-based Software-based firewall vs. dedicated
appliance Rules-based Network layer vs. Application layer
Rule planning
What traffic must always be allowed? What traffic must always be blocked?
Which systems must accept unsolicited inbound connections?
Can you use IPSec, Kerberos, etc.? Do you need to permit remote access? Do default rules meet your needs?
Activity D-3
Configuring firewall rules
Port security
Blocks rogue applications Configure at host level Use GPO or provisioning tool
Activity D-4
Blocking ports with a firewall
Unit summary
Explained common threats to and vulnerabilities in network security
Explained common mitigation techniques
Categorized different types of network security appliances and methods
Installed and configured a firewall