SlideShare a Scribd company logo

Securityic2

Anne Starr
Anne Starr

o

Education
1 of 20
CCSD SECURITY ESSENTIAL Network Security
Network Security Overview Copyright © 2019 Logical Operations, Inc. All rights reserved. • Network security is one of the most critical topics. • Rapid changes to technology make networking complex. • Need to secure each technology separately. • Need to handle interoperability issues. • No more clear-cut boundaries for the network.
The OSI Model 7 Application 7 Application 6 Presentation 6 Presentation 5 Session 5 Session 4 Transport 4 Transport 3 Network 3 Network 2 Data Link 2 Data Link 1 Physical 1 Physical Web Server Client Browser Information/Data Flow Copyright © 2019 Logical Operations, Inc. All rights reserved.
TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 1 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability or Threat Mitigation TCP • An attacker can predict the incrementing sequence number of a TCP session and use it to hijack a session that has already been authenticated and authorized. • TCP can carry malicious payloads to other computers. • Use encrypted versions of Layer 7 protocols. • Encrypt or digitally sign data payloads. • Block unused TCP ports on firewalls. UDP • UDP requires no acknowledgment, so it’s easy to spoof the source or destination of UDP packets. • UPD can cause amplification and other denial-of-service attacks. • Use encrypted versions of Layer 7 protocols. • Encrypt and digitally sign data payloads. • Block unused UDP ports on firewalls. IP • IP has no mechanism for verifying the actual identity of the sender or the receiver. • It’s easy to spoof IP addresses, so that packets are sent to or received from a machine other than the intended destination or source. • An attacker can craft malicious IP packet fragments that cannot be reassembled by the receiving computer, causing a denial of service attack. Configure the router and other IP devices to disallow IP features that can be abused, including fragments, ICMP redirection, and source routing.
TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 2 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability or Threat Mitigation ICMP • An attacker can send an ICMP redirect telling targets to use the attacker's machine as a default gateway. • An attacker can insert malicious data inside an ICMP packet, which will pass through routers and firewalls under the assumption that it is just a status message. • An attacker can send oversized ICMP packets and overwhelm the system. Configure firewalls and routers to disallow ICMP unless it is actually needed. IGMP Malformed IGMP packets can cause a buffer overflow in denial of service on a receiving host. Configure firewalls and routers to disable IGMP unless it is actually needed. ARP • ARP (and its twin RARP) is vulnerable because it is sent in cleartext by broadcast, with no way to verify the identity of the sending computer. • An attacker can poison a system's ARP table or cache, causing traffic to be delivered to the wrong node. This type of poisoning is the underlying mechanism for most man-in-the-middle attacks. Hard-code IP-to-MAC mappings in switches and device ARP caches.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 1 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation DHCP Broadcasts in cleartext, so attackers can: • Plug directly into a network jack and receive an IP address. • Set up rogue DHCP servers that provide incorrect addresses to clients. Don’t use DHCP; hard code IP addresses on hosts instead. DNS Sends data in cleartext with no authentication, so attackers can: • Divert, intercept, or deny end-user communications. • Perform unauthorized zone transfers with DNS servers. • Send inaccurate lookup information to clients. • Corrupt the DNS server’s database or lookup cache. Use DNS Security (DNSSEC) to accompany all DNS records with digital signatures. SNMP • Prior to v3, SNMP is sent in cleartext, allowing it to be sniffed. • SNMP uses a weak authentication method that is easy to spoof. Install SNMP v3, or use a proprietary network management solution.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 2 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation FTP • Standard FTP uses plaintext password authentication and no encryption, enabling man-in-the-middle attacks. • Some FTP implementations permit anonymous connections. • Use an encrypted replacement like FTPS or SFTP. • Disallow anonymous connections. • Apply file system permissions on the directories that contain FTP content. Telnet • Telnet is sent in cleartext with no encryption or digital signatures. • Its sessions can be sniffed, and it is vulnerable to session hijacking and man-in-the-middle attacks. Use SSH instead of Telnet. SSH • Different implementations have been vulnerable. • OpenSSH bug allowed enumeration of usernames registered on the SSH server. Make sure your SSH product is patched. HTTP • Uses plaintext and no authentication, so an attacker can intercept or manipulate sensitive information in web forms. • Lack of encryption and digital signatures allows for man-in-the-middle attacks. • Use HTTPS, with TLS v1.2 encryption. • Configure the web server to require Strict Transport Security (HSTS) so that an HTTPS session cannot be downgraded to HTTP.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 3 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation SMTP • No authentication or encryption between servers, allowing fake email servers to send spam. • Cleartext SMTP can be sniffed and spoofed. • Create TLS tunnels and authentication between email servers. • Configure clients to use encrypted versions of SMTP. POP and IMAP Messages are sent in cleartext and can be sniffed or spoofed by an unauthorized person. Configure clients to use encrypted versions of POP3 and IMAP4. LDAP • LDAP provides weak authentication based on DNS. • If DNS is compromised, LDAP is also easy for an attacker to compromise. • Standard LDAP sends messages in plaintext, which can be easily intercepted and read by attackers. Configure clients and servers to use encrypted LDAPS. Kerberos • Weak implementations can have vulnerabilities. • Microsoft implementation allows creation of fake hash checksums and forged tickets (Security Bulletin MS14-068). Patch and update affected systems.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 4 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation SMB • Unauthenticated "null session" enumeration. • Weak encryption. • Ransomware like WannaCry. • Buffer overflows like EternalBlue. • Patch and update affected systems. • Configure systems to disallow older protocol versions and null sessions. • Block SMB-related ports on the firewall: TCP 139 and 445, UDP 137, 138, and 139. RPC Crafted RPC calls can gain system level privilege from vulnerable Windows Services that use RPC (CVE-2003-0352/MS03-026 DCOM buffer overflow being the most notable). • Patch and update affected systems. • Block TCP 135 on the firewall. NFS • Older versions of NFS do not include encryption mechanisms to prevent eavesdropping or tampering of data being transferred. • Many implementations do not have access controls to prevent unauthorized connection and data theft. • Put access control on all NFS shares. • Block TCP 2049 on the firewall. RDP RDP is vulnerable to numerous flooding, overflow, and cryptographic attacks. • Patch affected systems, and configure the RDP server to allow only Network Level Authentication. • Use certificates issued by a trusted CA for authentication.
• Use firewalls/intrusion detection to monitor protocol abuse/suspicious traffic. • Harden/patch servers and workstations to mitigate risks from TCP/IP protocols. • Use TCP wrappers on Linux/UNIX devices to verify incoming connections to host. • Configure personal firewalls on all computers. • Configure routers to disallow/filter: • Source routing - can potentially be used for spoofing. • Subnet broadcasts - can potentially be used for denial of service. • ICMP - filter ICMP by message type; only allow PING to and from trusted hosts. • IP fragments - deliberately malformed fragments could be a denial of service technique. • IP options - excessive use could result in router CPU denial of service. • IP packets with low time-to-live (TTL) - could be used for denial of service. Copyright © 2019 Logical Operations, Inc. All rights reserved. Network Vulnerability Mitigation (Slide 1 of 2)
• If practical, implement DNSSEC in your environment. • If practical, implement authentication/encryption between servers, in your enterprise, and with partners. • Use authenticated/encrypted alternatives to cleartext protocols, including: • SSH (port 22) instead of telnet (port 23). • HTTPS (port 443) instead of HTTP (port 80). • SMTPS (port 465) or MSA (port 587) instead of SMTP (port 25). • IMAPS (port 993) or IMAP-SSL (port 585) instead of IMAP (port 143). • SSL-POP (port 995) instead of POP3 (port 110). • When possible, change default port of a service to an unexpected port number. • When possible, encrypt and digitally sign the payload. Copyright © 2019 Logical Operations, Inc. All rights reserved. Network Vulnerability Mitigation (Slide 2 of 2)
Wireless Security (Slide 1 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Wireless Security Protocol Description WEP • Wired Equivalent Privacy. • Relies on stream cipher with 24-bit initialization vector (IV). • Attack on IV can easily predict short value. • Can be compromised in minutes. • Obsolete – do not use. WPA • Wi-Fi Protected Access. • Provides additional encryption using Temporal Key Integrity Protocol (TKIP). • TKIP is vulnerable to transmission of arbitrary packets. • Also vulnerable to decryption of arbitrary packets. • Obsolete – do not use. WPA2 (802.11i) • Improvement on WPA. • Includes stronger encryption (CCMP protocol using AES standard). • Biggest known vulnerability is choosing a weak password. • The current best choice for Wi-Fi security. WPS • Automated mechanism for wireless devices to obtain the Wi-Fi key from the router. • Wi-Fi setup is easy and convenient. • Negotiation can be intercepted and cracked by hacking tools.
When implementing wireless security: • Select WPA2 (even WPA2 personal) over WEP or WPA. • When possible, use a RADIUS server for wireless authentication. • If you must use a pre-shared key, make the password complex and change it regularly. • Manually enter Wi-Fi passwords into your device, rather than allowing them to autoconfigure themselves by using WPS. • If necessary, enter the MAC addresses of all devices that are permitted to connect to the wireless network into the access point. Copyright © 2019 Logical Operations, Inc. All rights reserved. Wireless Security (Slide 2 of 2)
Networking Hardware • Router • Wireless router • Switch • Hub • Gateway • Modem • Multiplexer • Concentrator • Front-end processor • Repeater • Firewall • Proxy • Reverse Proxy • Appliance Switch Modem Hub Router Firewall Wireless Router Copyright © 2019 Logical Operations, Inc. All rights reserved.
• If a router is compromised, attacker can use it in a man-in-the-middle attack. • Like planting a bug in a room to listen in remotely. • Can also initiate DoS attacks. • Router must be physically protected first and foremost. • Theft or tampering with router will result in major network issues. • Routers are also subject to logical attacks. • Attacker may attempt to access router using a remote protocol like Telnet/SSH. • May also try to send excessive or malformed packets to router, causing a DoS. Router Vulnerabilities Copyright © 2019 Logical Operations, Inc. All rights reserved.
• Deploy the router in a secure, locked area. • Disable all unnecessary services on the router. • Disable any unnecessary routing protocols. • Harden the router per the manufacturer's recommendations. • Use SSH instead of Telnet. • Create access control lists. • Require strong authentication for administrator connections. • Limit number of admin connections, and disconnect inactive sessions. • Require authentication to a centralized server on higher-end routers. • Create custom administrative accounts with limited privileges for support personnel. • Ensure passwords are stored using encryption. • Forward all security events to a central syslog server. • Monitor activity on the router, watching for suspicious behavior. Copyright © 2019 Logical Operations, Inc. All rights reserved. Router Security
• Comprehensive solution to secure mobile devices as they connect to network. • Ensures that these devices are healthy and cannot compromise network. • Software installed on devices includes: • Firewall • VPN client • Antivirus • Anti-malware • Encryption • Uses client/server security model. • Central server on network pushes updates to mobile clients and controls access. • Endpoint security often includes mobile device management (MDM). Copyright © 2019 Logical Operations, Inc. All rights reserved. Endpoint Security
• Various devices enable networking capabilities. • Often found in server rooms. • Use the following methods to secure these devices: • Physically secure all devices against tampering or accidents. • Lock cabinets and rack doors. • Use cable locks on laptops and small PCs. • Mount power adapters, smart jacks, media converters, etc., where they can be easily monitored and serviced. • Consider using a "lights out" approach to server management. • Place non-rack-mountable equipment on boltable trays above the rack floor. • Route all cables both inside racks and in the ceiling in managed bundles and cable trays. Copyright © 2019 Logical Operations, Inc. All rights reserved. Physical Devices
Attackers Attacker Description White hat Someone who breaks computer security for non-malicious purpose, usually to improve security. Black hat Someone who breaks computer security for malicious reasons or personal gain. Grey hat Someone whose ethics lie somewhere between white and black. Blue hat A hacker employed to find security bugs in software so they can be patched before product launch. Elite hacker A highly skilled hacker. Almost always a programmer. Hacktivist Someone who hacks to support a cause. Script kiddie Someone who uses hacking tools written by others, with little/no understanding of underlying technology. Newbie A beginner. Also known as "noobie" or "noob." Nation state A country's cyberwarfare operatives. Organized crime A group that carries out organized criminal hacking for profit. Copyright © 2019 Logical Operations, Inc. All rights reserved.
END

Recommended

topicCybersecurity_4
topicCybersecurity_4topicCybersecurity_4
topicCybersecurity_4Anne Starr
 
gkkSecurity essentials domain 2
gkkSecurity essentials domain 2gkkSecurity essentials domain 2
gkkSecurity essentials domain 2Anne Starr
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilitiesG Prachi
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
Cyber security tutorial1
Cyber security tutorial1Cyber security tutorial1
Cyber security tutorial1sweta dargad
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeleyjoebeone
 
I ptable
I ptableI ptable
I ptableSandeep Gupta
 

Recommended

topicCybersecurity_4
topicCybersecurity_4topicCybersecurity_4
topicCybersecurity_4Anne Starr
 
gkkSecurity essentials domain 2
gkkSecurity essentials domain 2gkkSecurity essentials domain 2
gkkSecurity essentials domain 2Anne Starr
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilitiesG Prachi
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
Cyber security tutorial1
Cyber security tutorial1Cyber security tutorial1
Cyber security tutorial1sweta dargad
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeleyjoebeone
 
I ptable
I ptableI ptable
I ptableSandeep Gupta
 
Firewalls
FirewallsFirewalls
FirewallsIsrael Marcus
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationNetProtocol Xpert
 
UCL
UCLUCL
UCLJanak Chandarana
 
Test
TestTest
Testsinha.mrinal
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6jemtallon
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future fraudsRanjeet Kumar
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementationMohibullah Saail
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)Bhargu Bhargavi
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07Wiliam Ferraciolli
 
Java Abs Packet Sniffer Tool
Java Abs Packet Sniffer ToolJava Abs Packet Sniffer Tool
Java Abs Packet Sniffer Toolncct
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials domain 2gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials domain 2Anne Starr
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials domain 2gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials domain 2Anne Starr
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
093049ov5.pptx
093049ov5.pptx093049ov5.pptx
093049ov5.pptxNguyenNM
 

More Related Content

What's hot

T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationNetProtocol Xpert
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6jemtallon
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future fraudsRanjeet Kumar
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementationMohibullah Saail
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
Java Abs Packet Sniffer Tool
Java Abs Packet Sniffer ToolJava Abs Packet Sniffer Tool
Java Abs Packet Sniffer Toolncct
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 

What's hot (18)

Firewalls
FirewallsFirewalls
Firewalls
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
 
UCL
UCLUCL
UCL
 
Test
TestTest
Test
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future frauds
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementation
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Java Abs Packet Sniffer Tool
Java Abs Packet Sniffer ToolJava Abs Packet Sniffer Tool
Java Abs Packet Sniffer Tool
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 

Similar to Securityic2

gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials domain 2gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials domain 2Anne Starr
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials domain 2gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials domain 2Anne Starr
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
093049ov5.pptx
093049ov5.pptx093049ov5.pptx
093049ov5.pptxNguyenNM
 
port forwarding.pptx
port forwarding.pptxport forwarding.pptx
port forwarding.pptxVignesh kumar
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.RAVI RAJ
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptxkarthikvcyber
 
All about routers
All about routersAll about routers
All about routersagwanna
 
ITN_Module_17.pptx
ITN_Module_17.pptxITN_Module_17.pptx
ITN_Module_17.pptxssuserf7cd2b
 
Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network Dr. Ahmed Al Zaidy
 
Nachos Theoretical assigment 3
Nachos Theoretical assigment 3Nachos Theoretical assigment 3
Nachos Theoretical assigment 3colli03
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasuresdkaya
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8suddenven
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 

Similar to Securityic2 (20)

gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials domain 2gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials domain 2
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials domain 2gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials domain 2
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
093049ov5.pptx
093049ov5.pptx093049ov5.pptx
093049ov5.pptx
 
port forwarding.pptx
port forwarding.pptxport forwarding.pptx
port forwarding.pptx
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
Ports and protocols
Ports and protocolsPorts and protocols
Ports and protocols
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
 
All about routers
All about routersAll about routers
All about routers
 
Tcpip Intro
Tcpip IntroTcpip Intro
Tcpip Intro
 
ITN_Module_17.pptx
ITN_Module_17.pptxITN_Module_17.pptx
ITN_Module_17.pptx
 
Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network
 
Nachos Theoretical assigment 3
Nachos Theoretical assigment 3Nachos Theoretical assigment 3
Nachos Theoretical assigment 3
 
V P N
V P NV P N
V P N
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Application Protocol
Application Protocol Application Protocol
Application Protocol
 

More from Anne Starr

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020Anne Starr
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020Anne Starr
 
Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehAnne Starr
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)Anne Starr
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Anne Starr
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400Anne Starr
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00Anne Starr
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
CloudhnologysstecociatAnne Starr
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
CmbysantocsddshAnne Starr
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
CddmbysantcsoshAnne Starr
 
Ccbysantsddosh
Ccbysantsddosh Ccbysantsddosh
Ccbysantsddosh Anne Starr
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodmsAnne Starr
 

More from Anne Starr (20)

I01letor20so201leutor2020
I01letor20so201leutor2020I01letor20so201leutor2020
I01letor20so201leutor2020
 
Iso27001leadauditor2020
Iso27001leadauditor2020Iso27001leadauditor2020
Iso27001leadauditor2020
 
Ccsddm5days
Ccsddm5daysCcsddm5days
Ccsddm5days
 
Dayblic
DayblicDayblic
Dayblic
 
Day1cspbeblic
Day1cspbeblicDay1cspbeblic
Day1cspbeblic
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)2 slides(2ndvariadaystion)
2 slides(2ndvariadaystion)
 
Sec4
Sec4Sec4
Sec4
 
Secuntialesse
SecuntialesseSecuntialesse
Secuntialesse
 
)k
)k)k
)k
 
inte
inteinte
inte
 
Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577Awtitioneressentialsdeckscloudprac401-577
Awtitioneressentialsdeckscloudprac401-577
 
01wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-40001wslouAsentialsdeck2dpractitioneres-400
01wslouAsentialsdeck2dpractitioneres-400
 
uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00uderessAwscloentialsdeck1-2ion00
uderessAwscloentialsdeck1-2ion00
 
Cloudhnologysstecociat
CloudhnologysstecociatCloudhnologysstecociat
Cloudhnologysstecociat
 
Cmbysantocsddsh
CmbysantocsddshCmbysantocsddsh
Cmbysantocsddsh
 
Cddmbysantcsosh
CddmbysantcsoshCddmbysantcsosh
Cddmbysantcsosh
 
Ccbysantsddosh
Ccbysantsddosh Ccbysantsddosh
Ccbysantsddosh
 
Ccsdbyhday1santodms
Ccsdbyhday1santodmsCcsdbyhday1santodms
Ccsdbyhday1santodms
 

Recently uploaded

Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 

Recently uploaded (20)

Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 

Securityic2

  • 2. Network Security Overview Copyright © 2019 Logical Operations, Inc. All rights reserved. • Network security is one of the most critical topics. • Rapid changes to technology make networking complex. • Need to secure each technology separately. • Need to handle interoperability issues. • No more clear-cut boundaries for the network.
  • 3. The OSI Model 7 Application 7 Application 6 Presentation 6 Presentation 5 Session 5 Session 4 Transport 4 Transport 3 Network 3 Network 2 Data Link 2 Data Link 1 Physical 1 Physical Web Server Client Browser Information/Data Flow Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 4. TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 1 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability or Threat Mitigation TCP • An attacker can predict the incrementing sequence number of a TCP session and use it to hijack a session that has already been authenticated and authorized. • TCP can carry malicious payloads to other computers. • Use encrypted versions of Layer 7 protocols. • Encrypt or digitally sign data payloads. • Block unused TCP ports on firewalls. UDP • UDP requires no acknowledgment, so it’s easy to spoof the source or destination of UDP packets. • UPD can cause amplification and other denial-of-service attacks. • Use encrypted versions of Layer 7 protocols. • Encrypt and digitally sign data payloads. • Block unused UDP ports on firewalls. IP • IP has no mechanism for verifying the actual identity of the sender or the receiver. • It’s easy to spoof IP addresses, so that packets are sent to or received from a machine other than the intended destination or source. • An attacker can craft malicious IP packet fragments that cannot be reassembled by the receiving computer, causing a denial of service attack. Configure the router and other IP devices to disallow IP features that can be abused, including fragments, ICMP redirection, and source routing.
  • 5. TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 2 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability or Threat Mitigation ICMP • An attacker can send an ICMP redirect telling targets to use the attacker's machine as a default gateway. • An attacker can insert malicious data inside an ICMP packet, which will pass through routers and firewalls under the assumption that it is just a status message. • An attacker can send oversized ICMP packets and overwhelm the system. Configure firewalls and routers to disallow ICMP unless it is actually needed. IGMP Malformed IGMP packets can cause a buffer overflow in denial of service on a receiving host. Configure firewalls and routers to disable IGMP unless it is actually needed. ARP • ARP (and its twin RARP) is vulnerable because it is sent in cleartext by broadcast, with no way to verify the identity of the sending computer. • An attacker can poison a system's ARP table or cache, causing traffic to be delivered to the wrong node. This type of poisoning is the underlying mechanism for most man-in-the-middle attacks. Hard-code IP-to-MAC mappings in switches and device ARP caches.
  • 6. Application Layer Protocols Vulnerabilities and Mitigation (Slide 1 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation DHCP Broadcasts in cleartext, so attackers can: • Plug directly into a network jack and receive an IP address. • Set up rogue DHCP servers that provide incorrect addresses to clients. Don’t use DHCP; hard code IP addresses on hosts instead. DNS Sends data in cleartext with no authentication, so attackers can: • Divert, intercept, or deny end-user communications. • Perform unauthorized zone transfers with DNS servers. • Send inaccurate lookup information to clients. • Corrupt the DNS server’s database or lookup cache. Use DNS Security (DNSSEC) to accompany all DNS records with digital signatures. SNMP • Prior to v3, SNMP is sent in cleartext, allowing it to be sniffed. • SNMP uses a weak authentication method that is easy to spoof. Install SNMP v3, or use a proprietary network management solution.
  • 7. Application Layer Protocols Vulnerabilities and Mitigation (Slide 2 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation FTP • Standard FTP uses plaintext password authentication and no encryption, enabling man-in-the-middle attacks. • Some FTP implementations permit anonymous connections. • Use an encrypted replacement like FTPS or SFTP. • Disallow anonymous connections. • Apply file system permissions on the directories that contain FTP content. Telnet • Telnet is sent in cleartext with no encryption or digital signatures. • Its sessions can be sniffed, and it is vulnerable to session hijacking and man-in-the-middle attacks. Use SSH instead of Telnet. SSH • Different implementations have been vulnerable. • OpenSSH bug allowed enumeration of usernames registered on the SSH server. Make sure your SSH product is patched. HTTP • Uses plaintext and no authentication, so an attacker can intercept or manipulate sensitive information in web forms. • Lack of encryption and digital signatures allows for man-in-the-middle attacks. • Use HTTPS, with TLS v1.2 encryption. • Configure the web server to require Strict Transport Security (HSTS) so that an HTTPS session cannot be downgraded to HTTP.
  • 8. Application Layer Protocols Vulnerabilities and Mitigation (Slide 3 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation SMTP • No authentication or encryption between servers, allowing fake email servers to send spam. • Cleartext SMTP can be sniffed and spoofed. • Create TLS tunnels and authentication between email servers. • Configure clients to use encrypted versions of SMTP. POP and IMAP Messages are sent in cleartext and can be sniffed or spoofed by an unauthorized person. Configure clients to use encrypted versions of POP3 and IMAP4. LDAP • LDAP provides weak authentication based on DNS. • If DNS is compromised, LDAP is also easy for an attacker to compromise. • Standard LDAP sends messages in plaintext, which can be easily intercepted and read by attackers. Configure clients and servers to use encrypted LDAPS. Kerberos • Weak implementations can have vulnerabilities. • Microsoft implementation allows creation of fake hash checksums and forged tickets (Security Bulletin MS14-068). Patch and update affected systems.
  • 9. Application Layer Protocols Vulnerabilities and Mitigation (Slide 4 of 4) Copyright © 2019 Logical Operations, Inc. All rights reserved. Protocol Vulnerability Mitigation SMB • Unauthenticated "null session" enumeration. • Weak encryption. • Ransomware like WannaCry. • Buffer overflows like EternalBlue. • Patch and update affected systems. • Configure systems to disallow older protocol versions and null sessions. • Block SMB-related ports on the firewall: TCP 139 and 445, UDP 137, 138, and 139. RPC Crafted RPC calls can gain system level privilege from vulnerable Windows Services that use RPC (CVE-2003-0352/MS03-026 DCOM buffer overflow being the most notable). • Patch and update affected systems. • Block TCP 135 on the firewall. NFS • Older versions of NFS do not include encryption mechanisms to prevent eavesdropping or tampering of data being transferred. • Many implementations do not have access controls to prevent unauthorized connection and data theft. • Put access control on all NFS shares. • Block TCP 2049 on the firewall. RDP RDP is vulnerable to numerous flooding, overflow, and cryptographic attacks. • Patch affected systems, and configure the RDP server to allow only Network Level Authentication. • Use certificates issued by a trusted CA for authentication.
  • 10. • Use firewalls/intrusion detection to monitor protocol abuse/suspicious traffic. • Harden/patch servers and workstations to mitigate risks from TCP/IP protocols. • Use TCP wrappers on Linux/UNIX devices to verify incoming connections to host. • Configure personal firewalls on all computers. • Configure routers to disallow/filter: • Source routing - can potentially be used for spoofing. • Subnet broadcasts - can potentially be used for denial of service. • ICMP - filter ICMP by message type; only allow PING to and from trusted hosts. • IP fragments - deliberately malformed fragments could be a denial of service technique. • IP options - excessive use could result in router CPU denial of service. • IP packets with low time-to-live (TTL) - could be used for denial of service. Copyright © 2019 Logical Operations, Inc. All rights reserved. Network Vulnerability Mitigation (Slide 1 of 2)
  • 11. • If practical, implement DNSSEC in your environment. • If practical, implement authentication/encryption between servers, in your enterprise, and with partners. • Use authenticated/encrypted alternatives to cleartext protocols, including: • SSH (port 22) instead of telnet (port 23). • HTTPS (port 443) instead of HTTP (port 80). • SMTPS (port 465) or MSA (port 587) instead of SMTP (port 25). • IMAPS (port 993) or IMAP-SSL (port 585) instead of IMAP (port 143). • SSL-POP (port 995) instead of POP3 (port 110). • When possible, change default port of a service to an unexpected port number. • When possible, encrypt and digitally sign the payload. Copyright © 2019 Logical Operations, Inc. All rights reserved. Network Vulnerability Mitigation (Slide 2 of 2)
  • 12. Wireless Security (Slide 1 of 2) Copyright © 2019 Logical Operations, Inc. All rights reserved. Wireless Security Protocol Description WEP • Wired Equivalent Privacy. • Relies on stream cipher with 24-bit initialization vector (IV). • Attack on IV can easily predict short value. • Can be compromised in minutes. • Obsolete – do not use. WPA • Wi-Fi Protected Access. • Provides additional encryption using Temporal Key Integrity Protocol (TKIP). • TKIP is vulnerable to transmission of arbitrary packets. • Also vulnerable to decryption of arbitrary packets. • Obsolete – do not use. WPA2 (802.11i) • Improvement on WPA. • Includes stronger encryption (CCMP protocol using AES standard). • Biggest known vulnerability is choosing a weak password. • The current best choice for Wi-Fi security. WPS • Automated mechanism for wireless devices to obtain the Wi-Fi key from the router. • Wi-Fi setup is easy and convenient. • Negotiation can be intercepted and cracked by hacking tools.
  • 13. When implementing wireless security: • Select WPA2 (even WPA2 personal) over WEP or WPA. • When possible, use a RADIUS server for wireless authentication. • If you must use a pre-shared key, make the password complex and change it regularly. • Manually enter Wi-Fi passwords into your device, rather than allowing them to autoconfigure themselves by using WPS. • If necessary, enter the MAC addresses of all devices that are permitted to connect to the wireless network into the access point. Copyright © 2019 Logical Operations, Inc. All rights reserved. Wireless Security (Slide 2 of 2)
  • 14. Networking Hardware • Router • Wireless router • Switch • Hub • Gateway • Modem • Multiplexer • Concentrator • Front-end processor • Repeater • Firewall • Proxy • Reverse Proxy • Appliance Switch Modem Hub Router Firewall Wireless Router Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 15. • If a router is compromised, attacker can use it in a man-in-the-middle attack. • Like planting a bug in a room to listen in remotely. • Can also initiate DoS attacks. • Router must be physically protected first and foremost. • Theft or tampering with router will result in major network issues. • Routers are also subject to logical attacks. • Attacker may attempt to access router using a remote protocol like Telnet/SSH. • May also try to send excessive or malformed packets to router, causing a DoS. Router Vulnerabilities Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 16. • Deploy the router in a secure, locked area. • Disable all unnecessary services on the router. • Disable any unnecessary routing protocols. • Harden the router per the manufacturer's recommendations. • Use SSH instead of Telnet. • Create access control lists. • Require strong authentication for administrator connections. • Limit number of admin connections, and disconnect inactive sessions. • Require authentication to a centralized server on higher-end routers. • Create custom administrative accounts with limited privileges for support personnel. • Ensure passwords are stored using encryption. • Forward all security events to a central syslog server. • Monitor activity on the router, watching for suspicious behavior. Copyright © 2019 Logical Operations, Inc. All rights reserved. Router Security
  • 17. • Comprehensive solution to secure mobile devices as they connect to network. • Ensures that these devices are healthy and cannot compromise network. • Software installed on devices includes: • Firewall • VPN client • Antivirus • Anti-malware • Encryption • Uses client/server security model. • Central server on network pushes updates to mobile clients and controls access. • Endpoint security often includes mobile device management (MDM). Copyright © 2019 Logical Operations, Inc. All rights reserved. Endpoint Security
  • 18. • Various devices enable networking capabilities. • Often found in server rooms. • Use the following methods to secure these devices: • Physically secure all devices against tampering or accidents. • Lock cabinets and rack doors. • Use cable locks on laptops and small PCs. • Mount power adapters, smart jacks, media converters, etc., where they can be easily monitored and serviced. • Consider using a "lights out" approach to server management. • Place non-rack-mountable equipment on boltable trays above the rack floor. • Route all cables both inside racks and in the ceiling in managed bundles and cable trays. Copyright © 2019 Logical Operations, Inc. All rights reserved. Physical Devices
  • 19. Attackers Attacker Description White hat Someone who breaks computer security for non-malicious purpose, usually to improve security. Black hat Someone who breaks computer security for malicious reasons or personal gain. Grey hat Someone whose ethics lie somewhere between white and black. Blue hat A hacker employed to find security bugs in software so they can be patched before product launch. Elite hacker A highly skilled hacker. Almost always a programmer. Hacktivist Someone who hacks to support a cause. Script kiddie Someone who uses hacking tools written by others, with little/no understanding of underlying technology. Newbie A beginner. Also known as "noobie" or "noob." Nation state A country's cyberwarfare operatives. Organized crime A group that carries out organized criminal hacking for profit. Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 20. END