Copy of SEC 401 Index.xlsx
Term SEC 401.1 Metropolitan Area Network Wide Area Network Personal Area Network Neighborhood Area Network Physical and Logical Topologies Physical Topologies Logical Topologies Comparison of physical and logical Topologies Ethernet Collisions Types of Ethernet Wan Technologies Dedicated Lines Frame Relay MPLS ISDN, DSL, Cable Modems DSL Cable Modems WAN Aggregation Network Devices Hub Bridge Switch Router Embedded Switches Layer 3-7 Switches Layer 4-7 Switches VLAN NAC Network Design Objectives Network Segments Firewall Placement Network Traffic Flow Providing Defense in Depth Border Router Network Final Design Network Protocol Defined Network Protocol Network Protocol Purpose Protocol Stack Physical Layer Data Link Layer Network Layer
Transport Layer Session Layer Presentation Layer Application Layer OSI vs TCP TCP/IP Model TCP/OSI Comparison How Protocol Stacks communicate How TCP/IP Packets are generated Application Layer Transport Layer Internet Layer Receiving System Internet Protocol IP Packets IPV4 Header IPV4 Key Fields IP Version 4 bits Protocol 8 bits TTL 8 bits Fragmentation 16 bits Source address and Destination Address Fragmentation Attacks Addressing Basics Two Parts of an Address IPV4 Addresses and Subnets Subnet Masks Netmasks and CIDR Historical Description of IP addresses- Classes Class A,B,C CIDR CIDR/VLSM Network Addresses and Broadcast Address Private Network Addressing Private Network Allocations Broadcast Addresses Types of Broadcast Packets Smurf Attack The two addresses (Hardware and Software) MAC Software address MAC and IP addresses ARP DNS Two Ways to resolve IP addresses
Domain Hierarchy DNS Hierarchy Types of DNS queries Recursive Queries Making a DNS Query- nslookup DNS Security DNS Cache Poisoning DNS footprinting DNS registration Spoofing DNS layers-fit together IPV6 IPV6 Defined IPv4 vs IPV6 IPV6 features IPV6 addressing IPV6 Header TCP, UDP, ICMP Layer 4/Layer 3 TCP UDP ICMP IP Protocol and the OSI stack TCP TCP uses- guaranteed delivery, common ports Establishing a TCP connection TCP Header TCP source port- 2 bytes Sequence Number- 4 bytes ACK number- 4 bytes Offset (header length) – 4 bits Reserved- 6 bits Flags- 6 bits Window- 2 bytes Checksum- 2 bytes Urgent pointer Options (optional) Variable Length TCP Header- Key Fields TCP Code bits/ flags TCP checksum TCP session closing UDP UDP uses UDP header UDP source port-destination port UDP datagram length Checksum UDP summary TCP and UDP comparison in summary
ICMP ICMP header ICMP Type ICMP Code ICMP Checksum ICMP Payload ICMP Common Types and Codes ICMP Type 0 Echo Reply ICMP Type 3 Destination Unreachable ICMP Type 5 Redirect ICMP Type 8 Echo Request ICMP Type 11 Time Exceeded PING TRACEROUTE TCP UDP ICMP TRACEROUTE SUMMARY Protocol Analysis Protocol Analysis Objectives Sniffer Broadcast vs switched Ethernet Broadcast or Shared Networking Switched Networking Packet Sniffer usages Sniffer examples Sniffing on a switch Mailsnarf, Webspy,Ettercap tcpdump windump Analysis with tcpdump TCPDUMP command line options tcpdump ICMP Output tcpdump udp output tcpdump TCP output Manually Inspecting Packet Fields for Analysis Numbering systems Binary, Decimal, Hex Hexadecimal Hexadecimal Representation Five tips for decoding packets Field offsets Hexadecimal Values Field Length Relationship Between Headers Decoding an IP Header Decoding a TCP Header Calculating Variable Field Lengths Decoding a TCP Header
Reading Packets summary Wireless Network Security Defined Objectives Popular Wireless Devices Wireless Advantages Wiring takes time and money Users can access the network from anywhere Mobility and connectivity usable in environments where wiring is difficult Vertical Markets Bluetooth FHSS 79 channels Range 1m, 10m, 100m Max bandwidth 2.1mbps edr Freq 2.4ghz (interference immunity) Planned usage to replace all cables with peripheral computing Originally 5 dollar per radio goal Class 3: 1m Class 2: 10m Class 1: 100m Bluetooth Security End user utilizes a PIN Bluetooth uses pin and mac to gen keys Some devices use fixed pins Sniffing risk when devices first pair Bluetooth Security Issues Eavesdropping SAFER+ encryption is weak PINS are hackable RedFang and Bluesniff can locate PAN APs can expose wired networks BNEP Bluetooth Network Encapsulation Network network extender non discoverable mode Blue Snarf Attacks many vulnerabilities in the application layer several phones allow retrieval of calendar and contacts can also be used to hijack the phone and make calls Protecting Bluetooth config for non discoverable audit the environment use strong pin when possible at least 12 digits pair in a trusted environment encourage vendors to adopt SIG 2.0 ZigBee based on 802.15.4
similar to bluetooth, low cost product tracking, medical, industrial sensor/control Honeywell >> HVAC Over 100 million nodes in production ZigBee Specification Range: 10-75 meters 868 MHZ, 915mhz, 2.4ghz DSSS Rate: 250 kbs @ 2.4 ghz, 40 kbs @ 915, 20 kbs @ 868 mhz IEEE 802.11 Wireless supports ad-hoc and infrastructure Supports roaming, fragmentation, reliable data delivery (positive ack) Branched into 802.11b 11mbps @ 2.4ghz 802.11a 54 mbps @ 5ghz 802.11g 22/54 Mbps @ 2.4 ghz 802.11n supports 100+ mbps @ 5ghz IEEE 802.11i, 802.1x, EAP 802.11i strong encryption, replay protection, integrity protection 802.1x provides network authentication EAP types specify how authentication is protected Different EAP types suitable for different environments consider clients directory types and hardware WEP security Issues WEP has proven to be an insecure encryption type Shared secrets weak can’t rotate keys recovery of shared keys possible due to flaws WEP cracking defeats dynamic WEP WIFI protected access Wi-Fi Alliance performs interoperability testing for 802.11 hardware vendors and consumers enables early adoption for improved security WPA is an improvement over WEP (TKIP) WPA2 is a huge improvement over WEP (AES-CCMP) Set organizational policy to purchase only WPA2 General Misconceptions Wireless Security I don't need to use wireless security, we aren't using it for sensitive data SEC 401.1 Technical Misconceptions we cloak our ssid, so people can not join we filter weak IVs, so WEP is safe MAC based access restricts authorized users tech xyz by itself protects us by itself Risk Misconceptions DoS attacks require expensive hardware Segregating our wireless LAN eliminates our risk for exposure
This whole wireless thing is secure by default right? TOP 4 security Risks for WLAN Eavesdropping Masquerading DoS Rogue APs Eavesdropping Wireless extends beyond the property line Any suitable receiver can do it hundreds of feet away is not uncommon antennas increase range anyone can gain access to confidential information Eavesdropping mitigation Use strong encryption in lowest layer possible design networks with caution/ reduce coverage area Audit network with a packet sniffer Masquerading An attacker spoofs the identity of a legitimate node or AP Tricks unsuspecting users to giving up sensitive information tricks AP into authenticating malicious users evil twin attack gaining popularity Masquerading Mitigation Use mutual Authentication Wireless protocols such as PEAP or TTLS Use SSL/TLS for passing sensitive information to web applications Educate users on the dangers of clicking yes to digital certificate warnings DoS RF Jamming easy to get Weakness in 802.11 spec permit DoS Bluetooth net less susceptible, based on FHSS instead of DSSS/OFDM DoS Mitigation Understand the impact of a DoS against your environment Deploy Wireless Intrusion Detection Prepare a response strategy Rogue APs Unauthorized APs connected to a private network Often installed with default settings and no security permits full access to a network for an unauthorized user contributes to unauthorized information disclosure Rogue AP Mitigation perform detection Use mutual authentication wireless protocols such as PEAP or TTLS Deploy 802.1x on the wired network Deploy Wireless IDS Deploy strong wireless LAN Steps to Planning a secure WLAN
Consider design at all layers of the OSI model Identify specific areas for coverage Maintain consistency in deployment Audit the WLAN for rogues and unauthorized clients Consider wireless IDS Protecting Wireless Networks Migrate from WEP > WPA > WPA2 Use Strong authentication mechanism such as PEAP or TTLS Audit network installations for consistency in deployment and configuration Identify Rogue 802.11 and Bluetooth threats Free and Commercial tools are available Summary Wireless is popular because it unties users from the wired world It might be found in multiple business units Popular wireless protocols include 802.11, Bluetooth, ZigBee and WPA Be aware of common misconceptions in wireless security Follow recommended steps for planning a secure WLAN
SEC 401.2 DEFENSE IN DEPTH
Objectives Defense in Depth risk=threats X vulnerabilities CIA triad Strategies Malicious Code viruses worms What is Defense in Depth There is no magic solution when it comes to network security Any layer of protection might fail Multiple layers of protection must be employed Measures must be across a wide range of controls integrate defense-in-depth Focus of Security is Risk Security deals with managing risk to your critical assets Risk is the probability of a threat crossing or touching a vulnerability Key Focus of Risk Confidentiality/Disclosure Integrity/Alteration Availability/Destruction Prioritizing CIA Although all three areas of CIA are important to an organization, there is always one area that i Confidentiality Pharmaceuticals, government Integrity Financial institutions
Availability Ecommerce-based organizations What is a threat Possible danger Protect against the ones that are most likely or most worrisome based on: Intellectual Property Business Goals Validated Data Past History Primary Threats Malware Insider Threat APTs Natural Disasters Terrorism Vulnerabilities: Vulnerabilities are a weakness in a system Vulnerabilities are inherent in complex systems, they will always be present Many vulnerabilities are the result of poor coding practices Lack of error checking Vulnerabilities are a gateway by which threats are manifested Vulnerabilities fall into various categories known unknown: zero-day Approaches to DiD Deploy measures to reduce, accept or transfer risk Four basic approaches Uniform protection Protected enclaves Information Centric Threat vector analysis Uniform Protection Defense in Depth Most common approach to DiD Firewall, VAN, Intrusion Detection, Antivirus, Patching, etc. All parts of the organization receive equal protection Treats all of the systems the same. Protected enclaves Defense in Depth Work groups that require additional protection are segmented from the rest of the internal orga restrict access to critical segments internal firewalls VLANs and ACLs Information-Centric Defense in Depth Identify critical assets and provide layered protection Data is accessed by applications applications reside on hosts
hosts operate on networks Vector oriented Defense in Depth The threat requires a vector to cross the vulnerability Stop the capability of the threat to use the vector USB thumb drives: Disable USB Auto-answer modems: Digital phone PBX Malicious Software Viruses Worms Malware Defense Viruses Parasitic malware that relies on executable code insertion and user interaction to spread often targets client systems Macro Spread as MS Office attachment with executable code programmed using macro facility Targets are data files *.doc etc Visual Basic editor and other macro languages Worms Attack systems through known vulnerabilities Automatically scan for more systems to attack normally targets servers lower system defenses, install a rootkit or root shell, and/or inform the attacker the system has Linux worms
Ramen worm attacked redhat through holes in file and printer sharing services, Caused minor d Lion worm broke in via bind vulnerability. Opened up root shells and a trojaned version of ssh Integrity problem: With Ramen, we could not distribute a cleaner, with Lion, we could not in goo SQL Slammer Worm UDP-based infection rate the second fastest in worm history (Witty is first) Infected Windows vulnerability in SQL caused DoS on saturated networks Most people didn't even know they were infected Sasser/Netsky Worms W32.Sasser worm network infected machines via the internet and instructed vulnerable system Infected systems ran very slowly and intermittently shut down UK Coast Guard Sydney train system was shut down Conficker Worm Infected millions of system by various means Can spread three ways Vulnerability in the MS Server service Brute Force passwords (administrator) through network shares Infects removable devices with malicious autorun script Fixing the problem A number of files including backdoors are added to the system The system typically sits exposed for days before being patched With more advanced malicious code, the only solution is to reload the system What worms teach us about configuration management
Configuration Management is the discipline of establishing a known condition, and then manag An accurate baseline document Change Control is critical: A way to detect when a change occurs to that baseline If your internal network is not partitioned, nothing prevents the worm from spreading You cannot protect what you do not know Malware Capabilities Destruction of Data Leaking of confidential information Providing backdoor access countless other opportunities Propagation Techniques Social Networking email Web Browsing Removable media Network Vulnerabilities Malware Defense Techniques Activity monitoring programs malware scanners file and resource integrity checking stripping email attachments remember defense in depth patch all systems Summary The most prevalent threats are self replication hybrid threats are becoming more common malware is a significant threat for any organization defense in depth is a key strategy for keeping systems secure Security Policy SANS Security Essentials II Defense in Depth Objectives Policy Framework Issue Specific policy examples Contingency Planning POLICY FRAMEWORK Why an Organization needs a security Policy Protects an organization, the people, and the information Establishes what must be done to protect information stored on computers Protects people who are trying to do the right thing Convincing the organization Selling security policy to executives and users involves understanding their concerns To sell to executives, speak their language, money To get users on board, talk about how to make their job easier. Mission Statement What is the reason your organization exists?
The TOP of the security policy pyramid Helps to identify the critical assets across the organization When you encounter difficulties and crisis, a mission statement can help you refocus Example: "To serve the most vulnerable": International Red Cross Overall Security Posture Is the overall security posture more conservative or liberal? Some issues to consider incl Allowing home use of Laptop Installing software Sending personal information via email Policy must be realistic, accurate, and enforceable. Corporate position is the 'why' and should be congruent with security posture. Establish a documentation baseline An organization survey for everything that is written down Key Documents: All applicable policies at all levels, checklists, procedures, and managem Acceptable use policy (AUP) and system specific (hardening docs) Policies and Procedures Policies: Address the who, what and why Procedures: Address the how, where and when Policy A policy is a directive that indicates a conscious decision to follow a path toward a specific Policies direct the accomplishment of objectives An effective and realistic security policy is the key to effective and achievable security Procedure Detailed steps to be followed by users, system operations personnel, or others to accom (ie preparing new user accounts and assigning privileges) Mandatory Standard Organizational Specific uniform use of specific technologies or parameters Usually refers to specific hardware and software Baseline A baseline is a more specific implementation of a standard a baseline definition gets into specific technical details of how a system should be config Hardening guidelines Guideline Suggestions Assists users, systems personnel, and others in effectively securing a system Helps ensure that specific security measures are not overlooked Applies to security measures that might be implemented in more than one way Not compulsory Policy Table of Contents The following needs to be included in a policy: Purpose 
Related documents or references
Cancellation or expiration Background Scope Policy Statement Responsibility Action Policy Statement Must: Be Clear, concise, and meet SMART objectives S:Specific M:Measurable A:Achievable R:Realistic T:Time Based Is the Policy… Consistent with Law and regulations? Consistent with other levels of policy? Mission Statement Program policy, Issue-specific policy, System-specific Policy Uniformly enforced? Given to all users Followed by awareness sessions Current: Has it been reviewed during the year? Readily available? Is there policy version control in place? Creating the policy Steps to follow: State the issue Identify the players (maintainer, HR, legal, management) Find all relevant documentation that might exist Define the policy-including all necessary sections Identify penalties for non-compliance Make sure it is enforceable! Submit for review and approval Building the Policy: State the Issue What problem are you trying to solve? Employee abuse of resources: Hacking, installation of rogue programs/software, hog bandwidth with P Respect rights of others Intellectual property defamation You must identify the problem before you can define the solution. Non-Compliance/Penalties What happens if you don't follow the policy? Penalties for violation of policy reprimand termination
Collective bargaining terms may apply If legal violations Criminal Civil Regulatory Issue Specific Policy Examples Non Disclosure agreement Policy covers use, control, and enforcement of NDA An NDA protects both parties; it must not be one-sided An NDA protects sensitive information. The individual receiving information a legal document has certain specific requirements: Write clear, readable te Intellectual Property-Copyright (Sample Policy) Copyright applies to written and recorded information and images everything you create has an implied copyright a formal copyright is filed with the Library of Congress The owner should display copyright notice to avoid 'innocent infringement' Web pages and all information released to the public can and should be com of protection should they be duplicated copied reposted or used within anothe Sample Online Copyright Infringement Issue-Specific Policy Contingency Planning Within your policy Business Continuity plan (BCP) Disaster recovery plan (DRP) What is a business Continuity Plan? Business Continuity Plan (BCP) is a strategic plan focusing on the availability of critica It includes disaster recovery and business resumption planning It considers long term impact to the business.
Book / Pages columns of the index (the "Book" column held only the book number for every row, so it is folded into the labels below; entries are listed in the same order as the index terms above, one entry per term; Book 1 entries are separated by semicolons because some rows reference two pages):
Book 1 pages: 29; 29; 29; 29; 30; 30, 49; 30, 49; 30; 32; 32; 32; 33; 33; 33; 34; 34; 34; 34; 34; 36; 36; 36; 36; 37; 39; 39; 40; 41; 41; 44; 45; 46; 46; 47; 48; 48; 54; 54; 54; 54; 56; 56; 56; 56; 57; 57; 57; 58; 58; 58; 59; 60; 60; 60; 60; 61; 62; 63; 64; 64; 65; 65; 65; 65; 65; 65; 68; 69; 70; 70; 71; 71; 72; 72; 72; 73; 74; 74; 76; 76; 77; 78; 78; 78; 80; 81; 83, 84; 85; 86; 87; 88; 89; 89; 90; 90; 91; 91; 92; 93; 94; 95; 96; 97; 99; 101; 103; 104; 105, 106; 107; 108; 109; 109; 109; 109; 109; 109; 110; 110; 110; 110; 110; 110; 112; 113; 114; 116, 117; 118; 120; 120; 120; 121; 121; 122; 123, 124; 125; 125; 125; 125; 125; 126; 126; 126; 126; 127; 127; 128; 129, 130; 131; 132, 133; 134; 136; 136; 136; 136; 136; 138; 139; 139; 139, 140; 142; 143; 144; 145; 146; 148; 149; 149; 150; 151; 152; 152; 152; 152; 153; 154-161; 162-167; 168; 170-171; 172; 174; 175; 176; 178; 179; 179; 179; 179; 179; 181; 184; 185; 185; 185; 185; 185; 185; 185; 185; 186; 186; 186; 186; 186; 187; 187; 187; 187; 187; 187; 187; 188; 189; 189; 189; 189; 190; 190; 190; 190; 190; 190; 191; 191; 191; 191; 191; 191; 192; 192; 192; 192; 196; 196; 196; 196; 196; 196; 196; 196; 198; 198; 198; 198; 198; 198; 199; 199; 199; 199; 199; 199; 201; 201; 201; 201; 201; 201; 203; 203; 203; 205; 205; 205; 205; 207; 207; 207; 207; 207; 209; 209; 209; 209; 209; 210; 210; 210; 210; 210; 210; 211; 211; 211; 211; 212; 212; 212; 212; 212; 213; 213; 213; 213; 214; 214; 214; 214; 216; 216; 216; 216; 217; 217; 217; 217; 218; 218; 218; 218; 218; 218; 220; 220; 220; 220; 220; 220; 220; 221; 221; 221; 221; 221; 221; 222; 222; 222; 222; 222; 222
Book 2 pages: 6, 6, 6, 6, 6, 6, 6, 6, 8, 8, 8, 8, 8, 8, 9, 9, 9, 10, 10, 10, 10, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 20, 20, 20, 20, 20, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 25, 25, 25, 25, 25, 27, 27, 27, 27, 29, 29, 29, 29, 29, 30, 30, 30, 30, 31, 31, 31, 31, 31, 31, 32, 32, 32, 32, 33, 33, 33, 33, 33, 33, 33, 35, 35, 35, 35, 35, 37, 37, 37, 37, 37, 37, 39, 39, 39, 39, 39, 39, 39, 42, 42, 42, 42, 42, 43, 45, 45, 45, 46, 47, 47, 47, 47, 49, 49, 49, 49, 50, 50, 50, 50, 50, 50, 50, 51, 51, 51, 51, 51, 51, 51, 52, 52, 52, 52, 53, 53, 53, 54, 54, 54, 54, 55, 55, 55, 55, 56, 56, 56, 56, 57, 57, 57, 57, 58, 58, 58, 58, 58, 59, 59, 59, 59, 59, 59, 59, 59, 59, 59, 59, 61, 61, 61, 61, 61, 61, 61, 62, 62, 62, 62, 62, 62, 62, 62, 62, 62, 62, 64, 64, 64, 64, 64, 64, 64, 64, 64, 65, 65, 65, 65, 65, 65, 65, 66, 66, 66, 66, 66, 66, 66, 66, 66, 67, 68, 68, 68, 68, 68, 69, 69, 69, 69, 69, 69, 69, 70, 72, 72, 72, 73, 73, 73, 73
Wireless Overview, Bluetooth, Zigbee, 802.11, Wireless Security Mobile Phones, Laptops, Tablets, HVAC control Units, Medical Devices
Health care, Financial, Academia, Factories, Retail, Wireless ISP, Mobile hotspots
reveals phonebook, cal, IMEI, call forwarding, initiate calls
Bluescanner or bluesniff
10 years on battery, 4-6 dollars per radio
802.11i replaces WEP
EAP: LDAP, Radius, AD, etc
RC4 circa 1997