Kindle Notes & Highlights
Read between July 9 - July 27, 2019
Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
Loop protection such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected together.
Implicit deny is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn’t explicitly allowed is implicitly denied.
Routers and stateless firewalls (or packet-filtering firewalls) perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list. Antispoofing methods block traffic using ACL rules.
Host-based firewalls provide protection for individual hosts, such as servers or workstations. A host-based firewall provides intrusion protection for the host. Linux systems support xtables for firewall capabilities. Network-based firewalls are often dedicated servers or appliances and provide protection for the network.
Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
A stateless firewall blocks traffic using an ACL. A stateful firewall blocks traffic based on the state of the packet within a session. Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks and can include load-balancing features.
The demilitarized zone (DMZ) is a buffered zone between a private network and the Internet.
A DMZ is a buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the intranet (internal network).
NAT translates public IP addresses to private IP addresses, and private IP addresses back to public. A common form of NAT is Port Address Translation. Dynamic NAT uses multiple public IP addresses while static NAT uses a single public IP address.
Virtual local area networks (VLANs) separate or segment traffic on physical networks, and you can create multiple VLANs with a single Layer 3 switch. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location. VLANs are also used to separate traffic types, such as voice traffic on one VLAN and data traffic on a separate VLAN.
A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Transparent proxy servers accept and forward requests without modifying them. Nontransparent proxy servers use URL filters to restrict access to certain sites. Both types can log user activity.
UTM security appliances combine the features of multiple security solutions into a single appliance. For example, a UTM security appliance might include a firewall, antivirus protection, anti-spam protection, URL filtering, and content filtering.
A unified threat management (UTM) appliance combines multiple security controls into a single appliance. They can inspect data streams and often include URL filtering, malware inspection, and content inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.
The following bullets identify some use cases that you can implement with switches:
• Prevent switching loops. You do this by implementing STP or RSTP on switches.
• Block flood attacks. Flood guards block MAC flood attacks.
• Prevent unauthorized users from connecting to unused ports. Port security methods, such as disabling unused ports, prevent these unauthorized connections.
• Provide increased segmentation of user computers. VLANs provide increased segmentation. They are implemented on Layer 3 switches.
The following bullets identify some use cases that you can implement with routers:
• Prevent IP address spoofing. Antispoofing methods prevent IP address spoofing. These are implemented with rules in ACLs.
• Provide secure management of routers. SNMPv3 is used to securely manage network devices such as routers.
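The ACL behaviour described in the highlights above (first-match rules, an antispoofing deny rule, and implicit deny as the final rule) as an added worked example; this is illustrative code, not from the book, and the network addresses and rule names are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None matches any port
    name: str = ""


# Constructed inbound ACL for an Internet-facing router interface.
# Rule order matters: the antispoofing rule comes first so that a packet
# arriving from the Internet with an internal source address is dropped
# before any permit rule can match it.
INTERNAL_NET = "10.0.0.0/8"
ACL = [
    Rule("deny", "any", INTERNAL_NET, "0.0.0.0/0", None, "antispoof-internal-src"),
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443, "https-to-dmz-web"),
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.1.10/32", 80, "http-to-dmz-web"),
    Rule("permit", "icmp", "0.0.0.0/0", "10.0.1.10/32", None, "ping-dmz-web"),
]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return (action, rule_name) for the first rule that matches the packet.

    If no rule matches, the implicit deny at the end of the list applies:
    anything not explicitly permitted is blocked."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"
```

Removing the antispoofing rule, or moving it below the permit rules, lets a spoofed packet with an internal source reach the DMZ web server on port 443, which is why the deny rule must sit first.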
Administrators use SNMPv3 to manage and monitor network devices and SNMP uses UDP ports 161 and 162. It includes strong authentication mechanisms and is more secure than earlier versions.
Intrusion detection systems (IDSs) monitor a network and send alerts when they detect suspicious events on a system or network. Intrusion prevention systems (IPSs) react to attacks in progress and prevent them from reaching systems and networks.
A HIDS can monitor all traffic on a single host system such as a server or a workstation. In some cases, it can detect malicious activity missed by antivirus software. A NIDS is installed on network devices, such as routers or firewalls, to monitor network traffic and detect network-based attacks. It can also use taps or port mirrors to capture traffic. A NIDS cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.
Signature-based detection identifies issues based on known attacks or vulnerabilities. Signature-based detection systems can detect known anomalies. Heuristic or behavior-based IDSs (also called anomaly-based) can detect unknown anomalies. They start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs significantly from the baseline, the IDS sends an alert.
A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrator’s workload. A false negative is when an attack is occurring, but the system doesn’t detect and report it. Administrators often set the IDS threshold high enough that it minimizes false positives but low enough that it does not allow false negatives.
An IPS can detect, react, and prevent attacks. It is placed inline with the traffic (also known as in-band). An IDS monitors and responds to an attack. It is not inline but instead collects data passively (also known as out-of-band).
An intrusion prevention system (IPS) is a preventive control. It is placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can also be used internally to protect private networks.
Sun Tzu famously wrote in The Art of War, “All warfare is based on deception,” and “Know your enemies.” Cyberwarfare is occurring daily and security professionals on the front lines of network and system attacks recognize that these attacks mimic warfare in many ways. Honeypots and honeynets provide these professionals with some additional tools to use in this war.
Honeypots and honeynets attempt to divert attackers from live networks. They give security personnel an opportunity to observe current methodologies used in attacks and gather intelligence on these attacks.
An 802.1x server provides port-based authentication, ensuring that only authorized clients can connect to a network. It prevents rogue devices from connecting.
The service set identifier (SSID) identifies the name of the wireless network. You should change the SSID from the default name. Disabling SSID broadcast can hide the network from casual users, but an attacker can easily discover it with a wireless sniffer.
RADIUS, TACACS+, and Diameter all provide centralized authentication. TACACS+ is proprietary to Cisco, but can be used with Kerberos. Diameter is an improvement over RADIUS, and it supports many additional capabilities, including securing transmissions with EAP.
A trusted operating system meets a set of predetermined requirements, such as those identified in the Common Criteria. It uses the mandatory access control (MAC) model.
A master image provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create a secure baseline. They then use integrity measurements to discover when a system deviates from the baseline.
Change management defines the process for any type of system modifications or upgrades, including changes to applications. It provides two key goals:
• To ensure changes to IT systems do not result in unintended outages
• To provide an accounting structure or method to document all changes
Patch management procedures ensure that operating systems and applications are up to date with current patches. This protects systems against known vulnerabilities. Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.
Jailbreaking removes all software restrictions from an Apple device. Rooting modifies an Android device, giving users root-level access to the device. Overwriting the firmware on an Android device with custom firmware is another way to root an Android device. Sideloading is the process of installing software on an Android device from a source other than an authorized store.
Data exfiltration is the unauthorized transfer of data outside an organization and is a significant concern. In some cases, attackers take control of systems and transfer data outside an organization using malware. It’s also possible for malicious insiders to transfer data.
A hoax is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.
Dumpster divers search through trash looking for information. Shredding or burning papers instead of throwing them away mitigates this threat.
Replay attacks capture data in a session with the intent of later impersonating one of the parties in the session. Timestamps and sequence numbers are effective countermeasures against replay attacks.
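The two countermeasures named above, carried through as an added example (not from the book): each message carries a timestamp and a sequence number, both bound to the payload by an HMAC so a captured copy cannot be re-stamped, and the receiver rejects anything outside the freshness window or at or below the last accepted sequence number. The shared key, window size and message contents are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real deployment would provision a key.
SHARED_KEY = b"example-shared-secret-not-for-real-use"
MAX_SKEW_SECONDS = 30  # how far a message timestamp may differ from the receiver clock


def build_message(seq, payload, now, key=SHARED_KEY):
    """Sender side: bind sequence number, timestamp and payload together under an HMAC."""
    body = {"seq": seq, "ts": now, "payload": payload}
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verifies the MAC, the timestamp window and the monotonic sequence."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg, now):
        """Return (accepted, reason) for a message at receiver time `now`.

        A captured message replayed later fails either the timestamp check
        (if replayed outside the window) or the sequence check (if replayed
        inside it), and an edited copy fails the MAC check."""
        encoded = json.dumps(msg["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad-mac"
        if abs(now - msg["body"]["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale-timestamp"
        if msg["body"]["seq"] <= self.last_seq:
            return False, "replayed-sequence"
        self.last_seq = msg["body"]["seq"]
        return True, "ok"
```

The sequence check is what catches a replay delivered within the timestamp window, so the two controls complement each other rather than duplicate it.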
The lack of input validation is one of the most common security issues on web-based applications. Input validation verifies the validity of inputted data before using it, and server-side validation is more secure than client-side validation. Input validation protects against many attacks, such as buffer overflow, SQL injection, command injection, and cross-site scripting attacks.
Cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Input validation techniques at the server help prevent XSS attacks.
A framework is a structure used to provide a foundation. Cybersecurity frameworks typically use a structure of basic concepts and they provide guidance to professionals on how to implement security in various systems.
Risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a weakness, and a threat is a potential danger. The result is a negative impact on the organization. Impact refers to the magnitude of harm that can be caused if a threat exercises a vulnerability.
A threat is a potential danger. Within the context of risk management, a threat is any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system.
A threat assessment helps an organization identify and categorize threats. It attempts to predict the threats against an organization’s assets, along with the likelihood the threat will occur. Threat assessments also attempt to identify the potential impact from these threats. Once the organization identifies and prioritizes threats, it identifies security controls to protect against the most serious threats.
A vulnerability is a flaw or weakness in software or hardware, or a weakness in a process that a threat could exploit, resulting in a security breach.
Penetration testing actively assesses deployed security controls within a system or network. It starts with passive reconnaissance, such as a vulnerability scan, but takes it a step further and tries to exploit vulnerabilities by simulating or performing an attack.
An exploitation framework is a tool used to store information about security vulnerabilities. It is often used by penetration testers (and attackers) to detect and exploit software. Exploitation frameworks typically include tools used to check for vulnerabilities and execute exploits on any discovered vulnerabilities.
Redundancy adds duplication to critical system components and networks and provides fault tolerance.
A single point of failure is a component within a system that can cause the entire system to fail if the component fails.
You can validate business continuity plans through testing. Tabletop exercises are discussion-based only and are typically performed in a classroom or conference setting. Functional exercises are hands-on exercises.
Hashing verifies integrity for data such as email, downloaded files, and files stored on a disk. A hash is a number created with a hashing algorithm and is sometimes listed as a checksum.