Hardware and Software
CompTIA Security+

Firewalls
Software vs Hardware
Stateful vs Stateless

Access Control Lists (ACL)
• An Access Control List, or ACL, is a set of data that informs a computer's operating system which permissions, or access rights, each user or group has to a specific system object (such as a directory or file).
• An example of an Access Control List would be Windows NTFS permissions.
• Firewalls also use ACLs to restrict network access to certain TCP and UDP ports or via source & destination IP addresses.

Firewall
• A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.
• Modern firewalls utilize stateful packet inspection.
• Stateful packet inspection will block incoming traffic that does not match an internal request.
• A firewall can mitigate port scanning.

Software Firewall
• A device, whether it is software or hardware, that inspects traffic and only allows authorized traffic in or out of the network or computer is called a firewall.
• A personal firewall or host-based firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy.
• By default, your inbound firewall rule should be set to “Deny-All”. This means that traffic originating from outside of the workstation will be denied access into the workstation. This is known as an Implicit Deny.

Hardware firewall
• A hardware firewall, or network-based firewall, is a physical device that controls the flow of traffic throughout the network.
• Commonly used at the entrance to a network to separate a DMZ from an internal network.
• Alternatively, could just be preventing traffic from one internal network to another.

Stateless Firewall
• A stateless firewall is configured with an ACL that permits or denies traffic based on static rules defined by an admin.
• The vulnerability here is that if the IP addressing of a packet is spoofed, the network can be compromised, as a stateless firewall doesn’t support contextual analysis.
• The advantage of stateless firewalls is that processing is faster when compared to stateful firewalls.

Stateful Firewalls
• A stateful firewall inspects the traffic leaving a network and permits the return traffic dynamically by modifying an ACL on the edge of the network pointing into the internal network.
  • Creates a “state table” to allow external replies to re-enter the network.
• Those packets matching state table entries will be permitted into the network. The advantages include more flexibility and less susceptibility to spoofing attacks when compared to stateless firewalls.

Implicit Deny
• Implicit deny is a term to describe the default action to deny everything when there are not any matches in entries that you specify. This could be denying a hacker from penetrating your firewall or it could be denying a sales rep. from accessing company payroll information.
• Implicit denies can be set in router ACLs, firewall rules, NTFS permissions, etc.
• An implicit deny means you will not have access to that resource unless explicitly allowed.

VPN Concentrator
Types of VPNs
IPsec
Split-tunneling
Always-on VPN

VPN Concentrators
• VPN concentrators incorporate the most advanced encryption and authentication techniques available.
• They are ideally deployed where the requirement is for a single device to handle a very large number of VPN tunnels.
• They were specifically developed to address the requirement for a purpose-built, remote-access VPN device.

Virtual Private Network (VPN)
• VPN technology provides a secure means of remote access from a computer to a remote computer, or from one network to another network, over the Internet. There are two primary types of VPNs.
[Figure labels: Remote Access VPN, Remote Access Server; Site to site VPN, Remote Access Server]

IPsec
• IP Security is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
• IPsec has been deployed widely to implement Virtual Private Networks (VPNs).
• IPsec supports two encryption and authentication header modes:
  • Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched.
  • Tunnel mode encrypts both the header and the payload.

IPsec Transmission Modes
[Figure labels: Transport Mode; Public Network; IPsec; End-to-end IPsec between all or some of the computers; Tunnel Mode]

AH vs ESP
• Authentication Header (AH) provides a framework for IPsec.
  • This framework will allow for authentication, anti-replay, and integrity (NOT encryption).
  • AH provides better performance than ESP.
• Encapsulating Security Payload (ESP) provides a framework for IPsec.
  • This framework will allow for authentication, encryption, anti-replay, and integrity.
  • More commonly implemented than AH.
  • ESP provides better security than AH.

Split Tunneling
• When split tunneling is enabled, traffic intended for the corporate office is forwarded through the protective tunnel, while other traffic such as web traffic may be forwarded through the same local connection in the clear. This may be done to cut down on overhead both for the end user and the corporate office.
• When split tunneling is disabled, all traffic will be forwarded to the corporate office through the protective tunnel. This may be done to ensure all traffic from the user is protected via the corporate policy.

TLS
• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.
• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.
• TLS has many uses, for example:
  • TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.
  • TLS can encrypt the protocols LDAP, HTTP, and SMTP.
  • Can be used to create a secure VPN connection through a browser, allowing a VPN connection without requiring the client to download software other than a web browser.

Always-on VPN
• Always-On prevents access to the internet when the computer is not on a trusted network, unless a VPN session is active.
  • This enforces that the computer be in a secure environment, protecting a computer on an untrusted network.
• Always-On should establish a VPN connection as soon as a user logs in and the computer detects it is on an untrusted network. Then, the VPN session should remain open until the user logs out.

NIDS/NIPS
Signature based
Heuristic/Behavioral/Anomaly
False Positives & Negatives

IDS
• An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.
• IDS are used to detect suspicious behavior but not react to it.
• A major consideration when implementing an IDS solution is having the personnel to interpret results.

NIDS (Network Intrusion Detection System)
• A NIDS (Network Intrusion Detection System) is an intrusion detection system that watches network traffic in order to see if network communications are using unauthorized protocols.
• For a NIDS to view all available segment traffic on a switch, make sure that you configure a mirrored port.
• When using a NIDS, the NIC should be placed in promiscuous mode to monitor all traffic.

NIPS (Network Intrusion Prevention System)
• An IPS is a proactive security application that is used to prevent activity from entering your network.
• An NIPS (Network Intrusion Prevention System) is a network security device that monitors network and/or system activities for malicious or unwanted behavior.
• Reacts in real-time to block or prevent those activities.
• Usually placed in-line with data flow and can potentially disrupt network traffic.

NIDS and NIPS misc.
• Keep in mind that encrypting all network traffic will reduce the effectiveness when deploying and managing a NIDS or NIPS because they cannot read the encrypted traffic.
• An IDS/IPS that identifies legitimate traffic as malicious activity is called a false positive.
• An IDS/IPS that identifies malicious activity as being legitimate activity is called a false negative. Example: An IDS that does not identify a buffer overflow.

Inline vs passive IPS
• An inline IPS is a proactive defense measure and works with the active data that is traversing your network.
  • This gives the IPS much more control in order to prevent attacks.
• A passive IPS is a reactive defense measure and receives a copy of the data, and never works with the inline information.
  • This gives the IPS less control, but reduces the chance of false positives and negatives.
  • Essentially becomes an IDS.

Signature-based
• Signature-based IDS, the most basic form of IDS, employs a database with signatures/patterns to identify possible attacks and malicious activity.
• These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns.
• A signature-based monitoring tool depends on receiving regular updates.
• With signature-based monitoring, the vendor decides what traffic gets blocked by including specific traffic patterns in the signature files.

Anomaly/Heuristic/Behavior-based
• Anomaly-based IDS uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior.
• An anomaly-based IDS follows a learning process.
• The first step when implementing an anomaly-based IDS/IPS is documenting the existing network.
• Anomaly-based IDS uses statistical analysis to detect intrusions.
• With Anomaly/Heuristic-based systems, it is up to you to decide what traffic gets blocked by defining what is “normal”.
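
An added example, not part of the original deck, that runs the two detection styles from the slides above over the same labelled events and sorts each verdict into true/false positives and negatives. The signature strings, baseline rates and events are all constructed; the z-score threshold of 3 is an assumption standing in for "statistical analysis".

```python
"""Signature vs. anomaly detection on one constructed event set (added example)."""
import statistics
from dataclasses import dataclass

# Constructed stand-ins for patterns a vendor would ship in signature files.
SIGNATURES = ["../", "cmd.exe"]

# Requests per minute seen during the learning period (constructed baseline).
BASELINE_RATES = [10, 12, 11, 9, 13, 10, 12, 11]


@dataclass(frozen=True)
class Event:
    name: str
    payload: str
    rate: int          # requests per minute from this source
    malicious: bool    # ground truth, known only because the data is constructed


EVENTS = [
    Event("normal_browse", "GET /index.html", 12, False),
    Event("path_traversal", "GET /../../etc/passwd", 11, True),
    Event("kb_article", "GET /kb/how-to-use-cmd.exe.html", 10, False),
    Event("password_guessing", "POST /login", 400, True),
    Event("month_end_report", "GET /report.pdf", 90, False),
]


def signature_alert(event: Event) -> bool:
    """Alert when the payload contains any known pattern."""
    return any(sig in event.payload for sig in SIGNATURES)


def make_anomaly_detector(baseline, z_limit: float = 3.0):
    """Learn 'normal' from the baseline, then alert on large deviations."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline)

    def anomaly_alert(event: Event) -> bool:
        return abs(event.rate - mean) / spread > z_limit

    return anomaly_alert


def evaluate(detector) -> dict:
    """Sort every event into TP / FP / TN / FN for the given detector."""
    outcome = {"TP": [], "FP": [], "TN": [], "FN": []}
    for event in EVENTS:
        alerted = detector(event)
        correct = "T" if alerted == event.malicious else "F"
        outcome[correct + ("P" if alerted else "N")].append(event.name)
    return outcome


def compare() -> dict:
    return {
        "signature": evaluate(signature_alert),
        "anomaly": evaluate(make_anomaly_detector(BASELINE_RATES)),
    }


if __name__ == "__main__":
    for detector, outcome in compare().items():
        print(detector, outcome)
```

The signature detector misses the attack it has no pattern for and flags a harmless page that happens to contain one; the anomaly detector misses the attack that stays within normal volume and flags a legitimate burst that nobody documented as normal.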

Networking Hardware
Routers
Switches

Router
• A router is a computer networking device that forwards data packets from one network to another, towards their ultimate destinations.
  • Routing occurs at layer 3 (the Network layer).
  • Connects two or more networks together.
  • Each interface connects to a different network.
  • The router interface then becomes the Default Gateway.
  • Does not pass broadcast packets.
• A router’s Access Control Lists can be used to confine sensitive data and computers to particular sub-networks.
• Password protect the console port on a router if the router itself is placed in an unsecure location.

Switch
• A network switch is a hardware device that joins multiple computers together within one local area network.
  • Switches operate at layer 2 (Data Link Layer) of the OSI model.
  • Forwards packets by MAC address.
  • Devices on each connection cannot usually see each other’s traffic (except for broadcasts).
• It is best practice to disable any unused ports to secure the switch from physical access.

Multilayer Switch
• Multilayer switching is simply the combination of traditional Layer 2 switching with Layer 3 routing in a single product.
  • Uses ARP to learn the IP addresses of devices that are connected.
  • Can be used to permit different broadcast domains to communicate with each other.

Spanning Tree
• Switching loops must be avoided because they result in flooding the network.
• The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN.
  • Allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links.
• Can be enabled to avoid broadcast storms.
  • 802.1w and 802.1d are IEEE designations for spanning tree.
  • The MAC address with the lowest number will become the root bridge for 802.1d.

Proxy Servers
Forward Proxies
Reverse Proxies
Transparent Proxies

Proxy Server
• A proxy server is a server that acts as a go-between for requests from clients seeking resources from the Internet.
• A proxy server combines two functions: It caches web pages locally to speed up access requests, while also acting as a content filter to block users from visiting inappropriate sites.
• If you want to know what websites your users are visiting, set up a proxy server.
• The best way to secure your email infrastructure is to set up an email proxy server in the DMZ and the email server in the internal network.

Forward Proxy vs Reverse Proxy
• A forward proxy acts as a proxy for outgoing traffic, protecting your network from the users in it.
  • Can prevent users from going to malicious sites and inspect their traffic as it leaves.
• A reverse proxy acts as a proxy for incoming traffic, and can protect your network from external intruders.
  • Can filter out requests from external attackers who are trying to infiltrate your network.
  • Can stand in for a large number of servers, including but not limited to web servers, email servers, and file servers.

Transparent Proxy
• A transparent proxy does its normal functions as a proxy, but doesn’t appear in the path of traffic. It does not modify the request or response for the traffic passing through it.
• Is seamless for the user connecting to the network, and may redirect a new user to a user agreement screen, but then routes all other traffic as normal.
  • Can still handle caching for speeding up web access.

Load Balancer
Types of load balancers
Session affinity vs Round Robin
Virtual IPs

Load Balancer
• Load balancing is a computer networking methodology to distribute workload across multiple computers, network links, central processing units, disk drives, or other resources to achieve optimal resource utilization.
• Basically any devices can be load balanced to provide redundancy and load sharing.

Session Affinity vs Round Robin
• Session affinity remembers each user’s session and continues to connect that user to the same server each time.
  • So if user 1 connects to server 1, user 1 will continue to connect to server 1.
• Round Robin load balancing just assigns each session to the first available server, and continues in sequence.
  • So if there were three servers, user 1 would connect to server 1, user 2 to server 2, user 3 to server 3, user 4 to server 1, etc.

Active or Passive Servers
• While load balancing, servers are in one of two states, active or passive. With those states, you end up with two configurations:
  • Active-active, where all servers are active and participating in load balancing.
  • Active-passive, where only some of the servers are actively being load balanced, and others are waiting as backups, or “failovers”.

Virtual IPs
• When many servers are being load balanced, it is possible that a client is not pointing to the physical IP address but a virtual IP address associated with one “server”.
• Though this virtual server does not actually exist, it represents all servers being load balanced on the back end.
  • This allows clients to see one IP address, while the load balancer handles which physical IP they connect to.

Wireless Access Points
SSID
MAC Filtering
Signal strength
Antenna Types & Placement
Fat vs Thin
Controller-based vs standalone

Access Point
• A wireless access point (WAP or AP) is a device that allows wireless devices to connect to a wired network.
• Although several WAPs can share the same SSID, individual WAPs can be identified by their BSSID (Basic Service Set Identifier), which is basically the MAC address of the WAP.
• The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point.
• Decrease the power levels on your WAP to limit the wireless signal range.

SSID
• SSIDs (Service Set Identifiers) are names used to identify the particular 802.11 wireless LAN(s) to which a user wants to connect.
• The security risk of broadcasting your wireless network SSID is that anyone can see it, and if you are not using a strong enough encryption type, an attacker can find the encryption key and connect to your network.
• You should disable the SSID broadcasting, or the beacon, if you do not want your wireless network to automatically be discoverable.

MAC Filtering
• MAC Filtering is the wireless version of port security and controls access to the network based on the wireless NIC’s MAC address.
• To allow only certain wireless clients on your network you should enable and configure MAC filtering.
• Enable MAC filtering to mitigate an issue where multiple unknown devices are connected to your WLAN.

Antenna – Omni-directional
• An omni-directional antenna, or vertical, is an antenna system which radiates power uniformly in one plane with a directive pattern shape in a perpendicular plane. This pattern is often described as “donut shaped”.
• Two situations where an omni-directional antenna would be best used:
  • To connect hosts to a WAP.
  • To enable roaming access for laptop users.

Omni-directional antenna placement
• Keep in mind the placement of your antennae when considering the security of your wireless network.
  • An antenna placed too close to the edge of the area you desire to provide wireless access to could allow an attacker to reach your network from outside the intended area.
• For example, if an antenna was placed on the edge of my building, an attacker would be able to pick up the signal in the parking lot.

Antenna - Yagi
• A Yagi antenna is a directional antenna system consisting of an array of a dipole and additional closely coupled parasitic elements.
  • Can be used to create a wireless bridge.

Fat vs Thin WAPs
• A fat wireless access point is an intelligent WAP that has all of the features and software needed to manage your wireless clients. For example, it can enable and set up MAC filtering and enable or disable SSID broadcasting.
• A thin wireless access point is basically just the hardware. It can push on the configuration that was put in place elsewhere, but nothing is changed on the device itself.
  • Easier to implement, so can save money and time.

Security Information and Event Management (SIEM)
Aggregation
Correlation
Automated alerting
Time sync
Event Deduplication

Aggregation & Correlation
• SIEM systems can aggregate data from many different systems, allowing all information to be consolidated and providing easier monitoring.
• SIEM systems can also provide correlation, detecting common attributes and bundling like data together, further increasing the ease of monitoring that data.

Automated Alerts and Triggering
• SIEM systems can be set up to provide alerts automatically to identify critical and immediate issues.
• Certain triggers can be set up to catch certain events, which will then send an alert to an admin, which allows faster reaction to certain events.
  • Could optionally set up something along the lines of email alerts for certain triggers.

Time-sync and event deduplication
• SIEM systems can also synchronize the time of events across many servers, allowing an easily readable.
• Without synchronization, it would be difficult to pinpoint when different events happened on different systems in relation to each other.
• A SIEM system can also remove redundant events for easy readability. Instead of having possibly hundreds of logs, only one is kept while noting the number of occurrences.
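
An added example, not part of the original deck, showing the time-sync and deduplication steps on constructed log records from three hypothetical sources (`fw01`, `web01`, `dc01`) that each stamp events differently. Timestamps are normalized to UTC, identical events are collapsed into one entry with a count, and the result is one ordered timeline.

```python
"""SIEM-style time normalization and event deduplication (added example).
Sources, messages and timestamps below are constructed sample data."""
from datetime import datetime, timezone

# (source, timestamp as logged, message). Three sources, three clock formats:
# local time with offset, UTC text, and epoch seconds.
RAW_EVENTS = [
    ("fw01", "2024-03-01T09:15:02-05:00", "DENY tcp 198.51.100.7 -> 10.0.0.8:3389"),
    ("fw01", "2024-03-01T09:15:04-05:00", "DENY tcp 198.51.100.7 -> 10.0.0.8:3389"),
    ("fw01", "2024-03-01T09:15:05-05:00", "DENY tcp 198.51.100.7 -> 10.0.0.8:3389"),
    ("web01", "2024-03-01 14:15:01 UTC", "login failed user=alice src=198.51.100.7"),
    ("dc01", "1709302503", "account locked user=alice"),
]


def to_utc(stamp: str) -> datetime:
    """Convert any of the three sample formats to a timezone-aware UTC time."""
    if stamp.isdigit():                                  # epoch seconds
        return datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    if stamp.endswith(" UTC"):                           # "YYYY-MM-DD HH:MM:SS UTC"
        naive = datetime.strptime(stamp[:-4], "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)  # ISO 8601 + offset


def build_timeline(raw_events) -> list:
    """Deduplicate identical (source, message) events and order them by UTC time.

    Simplification: every repeat is merged regardless of how far apart it is;
    bounding the merge by a time window would be a natural refinement.
    """
    merged = {}
    for source, stamp, message in raw_events:
        when = to_utc(stamp)
        entry = merged.setdefault((source, message), {
            "source": source, "message": message,
            "first_seen": when, "last_seen": when, "count": 0,
        })
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        entry["count"] += 1
    return sorted(merged.values(), key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for e in build_timeline(RAW_EVENTS):
        print(e["first_seen"].isoformat(), e["source"], f'x{e["count"]}', e["message"])
```

Sorted by the raw strings, the firewall entries stamped 09:15 would appear hours before the web server's 14:15 entry; on the normalized timeline the failed login comes first, then the denied connections, then the lockout.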

DLP
USB Blocking
Cloud-based

Data Loss Prevention (DLP)
• Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect:
  • Data in use (e.g. endpoint actions)
  • Data in motion (e.g. network actions)
  • Data at rest (e.g. data storage)
• These systems use deep content inspection, contextual security analysis of transactions, and a centralized management framework.
• A network-based DLP is a software or hardware solution that is installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies.

USB Blocking
• Preventing the use of removable media can be a simple way to prevent the loss of data for an organization.
• USB ports are commonly found on most modern computers, and USB drives are easily acquirable, so preventing their use will block somebody from taking data from a company laptop.

Email-based DLP
• Email-based DLP is essential for any company concerned with their employees sending out confidential or sensitive information outside of their network.
  • Most if not all companies utilize email in their day-to-day business practices.
• Email-based DLP should scan an outgoing email for sensitive information, like PII, and block it from leaving the work network.
  • Can at least enforce digital signing to provide non-repudiation for the compromising email.
• An email gateway can provide email-based DLP.

Email Gateway
• An email gateway monitors emails being sent into a network and being sent outbound from that network.
  • Inbound can prevent spam, which will help weed out malware before it enters the network.
  • Outbound can provide DLP, preventing the loss of sensitive data like PII.
• Email gateways can also provide encryption for email services.
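
An added example, not part of the original deck, of the outbound check the Email-based DLP and Email Gateway slides describe: scan a message for PII and block it only when it is leaving the organization. The internal domain `example.com`, the two PII patterns (payment card numbers confirmed with a Luhn checksum, and US SSN-shaped strings) and the sample messages are assumptions constructed for illustration.

```python
"""Outbound email DLP check at a gateway (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organization's own domain

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # shape of a US SSN


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment cards; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    findings = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.add("card")
    if SSN_RE.search(text):
        findings.add("ssn")
    return sorted(findings)


def scan_outbound(raw_email: str):
    """Return (verdict, findings); block only PII addressed outside the org."""
    msg = message_from_string(raw_email)
    recipients = [addr for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in recipients
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    findings = find_pii(f"{msg.get('Subject', '')}\n{msg.get_payload()}")
    verdict = "block" if external and findings else "deliver"
    return verdict, findings


def make_mail(to: str, subject: str, body: str) -> str:
    return f"From: alice@example.com\nTo: {to}\nSubject: {subject}\n\n{body}\n"


# Constructed sample messages (4111 1111 1111 1111 is a widely used test number).
SAMPLES = {
    "card_external": make_mail("billing@example.net", "Payment details",
                               "Please charge card 4111 1111 1111 1111 today."),
    "order_external": make_mail("billing@example.net", "Order status",
                                "Order number 1234 5678 9012 3456 has shipped."),
    "ssn_internal": make_mail("hr@example.com", "New hire", "SSN on file: 123-45-6789"),
    "ssn_external": make_mail("recruiter@example.org", "New hire",
                              "SSN on file: 123-45-6789"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_outbound(raw))
```

The 16-digit order number fails the checksum and is delivered, which is the kind of false positive a pattern-only rule would produce on ordinary business mail.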

Cloud-based DLP
• With more and more information moving onto the cloud, it is becoming increasingly important to protect data stored on the cloud.
• Cloud-based DLP is a DLP solution that prevents sensitive data from leaving the cloud-based storage of an organization.
  • Personally Identifiable Information (PII) is a focus here.

NAC
Dissolvable vs permanent
Host Health Checks
Agent vs Agentless

NAC (Network Access Control)
• NAC refers to whatever system you have in place for controlling access to the network.
• Can be as simple as clicking a box to “agree to the terms and conditions” of network usage.
• Can be as complex as having your machine scanned for viruses, patches, updates, firewalls, etc. before it’s allowed to connect.
• Port security and 802.1x are examples of NAC.

Host Health Checks
• One simple form of NAC can be a simple scan of a computer connecting to a network. The scan can be checking for a number of important things:
  • Up-to-date Operating System.
  • Updated and recently scanned anti-virus software.
  • Certain software being present or absent from a machine, based on a company’s application policy.
  • That certain system configurations match the network’s expectations.

Agent vs. Agentless
• NAC that requires a software agent on the system allows your NAC solution to keep tabs on the system using that software.
• Agentless NAC does not require software on the end system and is reliant on a remote scan of the system.

Dissolvable vs. Permanent NAC
• Permanent NAC requires an agent software installed on the device.
• Dissolvable NAC only provides one-time authentication to the network, and is then deleted.
  • Can provide greater flexibility.

Hardware Encryption
HSM
TPM

Trusted Platform Module
• The Trusted Platform Module (TPM) is a chip on a computer’s (or tablet’s) motherboard that can generate and store encryption keys for various purposes.
• TPM can also perform encryption duties instead of relying on software to do the encryption.
• For example, Microsoft’s BitLocker uses TPM to encrypt the contents of the hard disk.

Hardware Security Module
• If your system does not come with a TPM, you can add a HSM (Hardware Security Module) instead. It’s similar to a TPM but it is in the form of a plug-in card or external security device that can be attached to a server.
• A HSM can be added to servers that do a large amount of encryption, such as VPN servers or Certificate Authorities.
• Hardware encryption is always faster than software encryption!
• Both TPM and HSM provide storage for RSA or asymmetric keys and can assist in authentication.

Security Assessment
CompTIA Security+

Protocol Analyzer
• A protocol analyzer is used for monitoring and analyzing data traffic on the network.
  • Can be used for logging, sniffing and interception, analyzing and network monitoring, and troubleshooting.
  • Can pick up any type of traffic: ICMP, DNS, DHCP, POP3, and SMTP to name a few.
• It can be used to determine what flags are set in a TCP/IP handshake.
• An example of a protocol analyzer is Wireshark.

Port Scanners
• Port scanning is used to remotely find open ports, listening services, and even the fingerprint/footprint of an operating system.
• Banner grabbing is when you use a port scanner (for example), and based on the banner information (the reply) that is returned, you can often tell which OS the reply is coming from.
• Nmap is a program that can be used to perform a port scan.
• A firewall can mitigate a port scan.

Port Scanners
• A port scanner can be used to determine what services are running on a server without logging into the server.
• Port scanners usually work by sending different TCP flag combinations to a target and then analyzing the response.
• If you need to discover unnecessary services on your corporate LAN, start the discovery with a port scanner.

Network Scanner
• A network scanner can be utilized to scan your network for vulnerabilities.
  • Rogue system detection: a scanner can detect an unauthorized device on the network, allowing an admin to address the situation.
  • Network mapping: a scanner can be used to detect all devices connected to a network, allowing a logical network map to be built, outlining the connections on the network.

Wireless Scanner/Cracker
• Wireless networks have a unique vulnerability in the fact that they cannot be physically constrained to a certain location or medium.
• A wireless scanner is a device that can simply scan for a wireless network and record details of that network. Some scanners go a step further and automatically attempt to crack the encryption on weaker wireless networks.
  • Frequently used in wardriving.
![Page 73: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/73.jpg)
Password Cracker
• A password cracker is a piece of software designed to perform a brute force attack on a system's password. It hopes to take advantage of one of a few weaknesses:
• Captured password hashes which can be attacked.
• Weak passwords that are simple, and thus can be cracked quickly.
• Having a secure password policy will protect an organization from a password cracker.
![Page 74: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/74.jpg)
Vulnerability Scanners
• A vulnerability scanner is a computer program designed to search for and map systems for weaknesses in an application, computer, or network.
• These utilities are the least intrusive and check the environment for known software flaws.
• Scheduling vulnerability scans is a management control type.
![Page 75: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/75.jpg)
Data Sanitization
• Sanitization is the process of removing sensitive information from a document or other medium so that it may be distributed to a broader audience.
• Degaussing is the act of magnetically erasing all data on a disk so it may be reused.
• Before sending drives away to be destroyed, first encrypt the entire disk, then wipe/sanitize it.
![Page 76: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/76.jpg)
Steganography Tools
• A steganography tool is used to hide data inside of another file, such as a graphic file or video file.
• It makes subtle modifications to the file that is carrying the hidden information, attempting to make the new file indistinguishable from the original.
• Might be used by a photographer to hide a watermark in a photo.
![Page 77: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/77.jpg)
Honeypot and Honeynet
• A honeypot is a trap set to attract, detect, observe, deflect, or in some manner counteract attempts at unauthorized use of information systems.
• Two or more honeypots on a network form a honeynet.
• Use a honeypot/net to protect your company while also researching attack methods being used against your company.
• Honeypots and honeynets would be located in the DMZ.
![Page 78: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/78.jpg)
Command Line Tools
• Ping
• Tracert
• Nslookup/dig
• Arp
• Ipconfig/ifconfig
• nmap
![Page 79: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/79.jpg)
PING
• The PING command is a great utility that can let you know if you are able to communicate with another network device.
• However, just because you are unable to PING a device does not always mean you cannot communicate with said device. The device might have a firewall enabled that is configured not to respond to ICMP requests, which is what PING uses.
• Example: ping www.yahoo.com or ping 67.195.160.76
![Page 80: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/80.jpg)
PING Switches
• Switches:
• -t – PING the specified host until stopped.
• -a – Resolve addresses to hostname.
• -n count – Number of echo requests to send.
• -l size – Send buffer size.
• -f – Set Don't Fragment flag in packet (IPv4-only).
• -i TTL – Time To Live.
• -v TOS – Type of Service (IPv4-only).
• -r count – Record route for count hops (IPv4-only).
• -s count – Timestamp for count hops (IPv4-only).
• -j host-list – Loose source route along host-list (IPv4-only).
• -k host-list – Strict source route along host-list (IPv4-only).
• -w timeout – Timeout in milliseconds to wait for each reply.
• -R – Use routing header to test reverse route also (IPv6-only).
• -S srcaddr – Source address to use.
• -4 – Force using IPv4.
• -6 – Force using IPv6.
![Page 81: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/81.jpg)
TRACERT
• TRACERT shows the route that an IP packet takes to get from the source to the destination.
• Example: tracert www.yahoo.com or tracert 67.195.160.76
![Page 82: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/82.jpg)
IPCONFIG/IFCONFIG
• IPCONFIG gives you information about your current network connections, such as:
• IP Address
• Subnet Mask
• Default Gateway
• DNS
• MAC Address
• IFCONFIG is used on Unix/Linux machines, but does the same as IPCONFIG.
• Example: ipconfig /all
![Page 83: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/83.jpg)
IPCONFIG Switches
• Some IPCONFIG switches:
• /all – Produces a detailed configuration report for all interfaces.
• /flushdns – Removes all entries from the DNS name cache.
• /displaydns – Displays the contents of the DNS resolver cache.
• /release <adapter> – Releases the IP address for a specified interface.
• /renew <adapter> – Renews the IP address for a specified interface.
• /? – Displays this list.
![Page 84: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/84.jpg)
ARP
• ARP (Address Resolution Protocol) is used to find a device's MAC address when only its IP address is known.
• A host wishing to obtain another's MAC address broadcasts an ARP request onto the network. The host on the network that has the IP address in the request then replies with its MAC address.
• ARP is an insecure protocol as an attacker could "poison" your ARP table and give you bad information, convincing you that he is the Default Gateway. He would then be set up as a Man-In-The-Middle and could "sniff" your traffic.
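A defender-side check for the poisoning described above, as an added example that is not part of the original slides: it parses `arp -a` output (Windows or Linux layout) and flags a gateway entry that no longer matches a pinned MAC, or one MAC answering for several IP addresses. The sample table, all addresses and the pinned gateway MAC are constructed for illustration.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-bb-cc     dynamic
  192.168.1.23          00-50-56-aa-bb-cc     dynamic
  192.168.1.40          00-1c-42-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Assumption: the gateway's real MAC was recorded earlier from a trusted source.
KNOWN_GATEWAY_MAC = "00-1A-2B-3C-4D-5E"


def normalize_mac(mac):
    """Lower-case, colon-separated form so both OS layouts compare equal."""
    return mac.lower().replace("-", ":")


def is_group_mac(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries; header lines carry no MAC and are skipped."""
    entries = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue
        mac = normalize_mac(mac.group(1))
        if not is_group_mac(mac):
            entries[ip.group(1)] = mac
    return entries


def check_arp_table(entries, gateway_ip, known_gateway_mac=None):
    """Report signs of ARP poisoning in a parsed table."""
    findings = []
    gw_mac = entries.get(gateway_ip)
    # 1. The gateway's IP now resolves to a MAC other than the pinned one.
    if known_gateway_mac and gw_mac and gw_mac != normalize_mac(known_gateway_mac):
        findings.append(("gateway-mac-changed", gateway_ip, gw_mac))
    # 2. One MAC claims several IPs. Routers doing proxy ARP can cause this
    #    legitimately, so treat it as a lead to investigate, not proof.
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for finding in check_arp_table(table, "192.168.1.1", KNOWN_GATEWAY_MAC):
        print(finding)
```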
![Page 85: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/85.jpg)
Troubleshooting Issues
CompTIA Security+
![Page 86: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/86.jpg)
Unencrypted credentials/clear text
• Cleartext refers to plainly readable information, which allows anybody who can access that information to read it.
• No sensitive data should be left unencrypted, or it will be at risk of being stolen.
• PII is especially at risk here.
• Penetration testing and vulnerability scans can be utilized in order to test if something lacks or has weak encryption.
![Page 87: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/87.jpg)
Permission Issues
• A user without the proper permissions will be unable to do their job, and will require their permissions to be re-reviewed in order to gain proper permissions.
• A user with more permissions than intended can gain access to systems or software they should not have access to, potentially compromising a system.
• Privilege escalation is when a user exploits a known bug or vulnerability to increase their own access.
• Continual privilege review can prevent this.
![Page 88: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/88.jpg)
Access Violations
• A user might access networked resources if improper permissions are set or if no NAC is implemented.
• Physical access can be an issue if an employee can freely access restricted areas with ease.
• Network access can be determined by performing account reviews and with penetration testing.
• Physical access can be detected with some form of detective control like CCTV.
![Page 89: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/89.jpg)
Data Exfiltration
• A user able to exfiltrate data from a system is dangerous due to the myriad of sensitive data that can be stored on a system.
• USB drives can easily pull data from a computer.
• Bluetooth can pull data wirelessly.
• Data can be sent out of the network using email.
• Confirming proper group policies are set, and making sure USB/Bluetooth access is restricted, can prevent exfiltration. DLP can prevent many forms of exfiltration, including information sent over email.
![Page 90: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/90.jpg)
Misconfigured devices
• A misconfigured device can cause a wide range of problems, from unwanted access to causing a denial of service.
• Configurations should be reviewed by an admin in order to prevent misconfigurations from going unnoticed.
• A vulnerability scanner can detect common misconfigurations of many types of devices on a network.
![Page 91: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/91.jpg)
Weak Security Configurations
• Utilizing technologies like WPA2 instead of WEP can provide a more secure network.
• Preventing password reuse or short passwords is also critical in securing a system.
• Running a vulnerability scanner can detect certain weak configurations, while a tool such as a password cracker can be used on your master password file to see if anything is easily broken.
![Page 92: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/92.jpg)
Personnel Issues
• Policy violations can be reported by other employees or detected by security guards.
• CCTV can detect policy violations occurring.
• User education can prevent accidental policy violation.
• Insider threats are always a concern today, as an employee already has access to the systems they are trying to compromise.
• Separation of duties, job rotation, and mandatory vacations can help deter and detect insider threats.
![Page 93: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/93.jpg)
Personnel Issues: Social Engineering
• Social engineering is the act of obtaining or attempting to obtain otherwise secure data by using deception and trickery.
• Social engineering is an attack that cannot be prevented or deterred solely through using technical measures.
• The only way to prevent social engineering attacks is to train your users.
• Actively attempting to social engineer your users can tell you how many fall for the attacks.
![Page 94: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/94.jpg)
Personnel Issues: Social Media
• Social media is dangerous in regards to confidential information. Information can leave the corporate network and be broadcast to hundreds or thousands of people.
• Disabling access to social networking sites while on the company network can help mitigate this issue.
• Keeping track of employees' social media accounts is the only way to truly monitor what information is being spread.
• Can be an invasion of privacy.
![Page 95: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/95.jpg)
Personnel Issues: Personal Email
• An employee's personal email can be easily compromised as it is controlled by a third party organization.
• Not necessarily encrypted.
• No DLP built into the system.
• Can email anybody freely.
• Preventing access is recommended, as employees could easily use a 3rd party email to bypass some security controls.
![Page 96: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/96.jpg)
Unauthorized Software
• Unauthorized software can compromise a system in many ways, including:
• An unknown potential entry point into a system.
• A potential source of malware.
• Just an unknown and untested possible instability.
• Application white/blacklisting can prevent unauthorized programs from being run and installed. Permission reviews can detect if a user has the rights to install software.
• A vulnerability scan could pick up this unauthorized software.
![Page 97: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/97.jpg)
Baseline deviation
• A baseline is a set of known good or accepted configurations.
• Deviating from this known good can cause instabilities or create vulnerabilities in a system.
• An IDS or IPS can detect deviations from the baseline, potentially notifying an admin of any issues.
• A behavior based IDS/IPS is designed this way.
![Page 98: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/98.jpg)
Proper Licensing
• Make sure you and your employees are using legitimate software and have proper licensing for that software. Consider which license you want when, for example, buying:
• Microsoft Office
• Operating Systems
• Personal License: A software license for an individual. Used on one or a few devices. For one user.
• Enterprise License: A software license for a corporation. Used on a large number of networked devices. May require access to the company network to authenticate.
![Page 99: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/99.jpg)
Asset Management
• Physical assets are important for an organization to keep track of, to prevent something from being lost or stolen.
• Implementing RFID tags can detect when equipment leaves the building or a certain area of a building.
• Company cell phones can be actively tracked with GPS.
• Having an organized inventory management system is important to properly keep track of company assets.
![Page 100: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/100.jpg)
Authentication Issues
• Prevent users' accounts from being compromised by continually monitoring logs and checking for brute force attacks.
• A large number of failed log-ins is an indicator of a brute force attack.
• Another issue could be a user failing to remember their password, locking themselves out of their own account.
• Having more lenient lockout policies could prevent this, as well as proper password policies.
• Forcing the user to contact an admin for account recovery can prevent this from being abused.
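Log monitoring for the failed log-in indicator above, as an added example that is not part of the original slides: it counts failed log-ins per source address in a sliding window, so a user who mistypes a password twice is ignored, and it reports a later success from a flagged source. The sshd-style line layout with ISO timestamps, the threshold of 5 failures in 5 minutes and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO timestamp> <host> sshd[pid]: Failed|Accepted password for ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: one user who mistypes twice, one brute force run.
SAMPLE_LOG = (
    [
        "2024-01-12T08:59:10 web01 sshd[811]: Failed password for alice from 10.0.0.15 port 50122 ssh2",
        "2024-01-12T08:59:31 web01 sshd[811]: Failed password for alice from 10.0.0.15 port 50122 ssh2",
        "2024-01-12T09:00:02 web01 sshd[811]: Accepted password for alice from 10.0.0.15 port 50122 ssh2",
    ]
    + [
        f"2024-01-12T09:10:{sec:02d} web01 sshd[902]: Failed password for root from 203.0.113.9 port 40000 ssh2"
        for sec in range(0, 60, 10)
    ]
    + ["2024-01-12T09:11:05 web01 sshd[902]: Accepted password for root from 203.0.113.9 port 40000 ssh2"]
)


def parse_events(lines):
    """Yield (timestamp, succeeded, user, source) for each log-in line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
                   m["user"], m["src"])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold failures inside the window."""
    recent = defaultdict(deque)  # source -> failures still inside the window
    flagged = set()              # sources that already raised an alert
    alerts = []
    for ts, succeeded, user, src in parse_events(lines):
        failures = recent[src]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        if succeeded:
            # A success from a flagged source suggests the guessing worked.
            if src in flagged:
                alerts.append(("success-after-bruteforce", src, user))
            continue
        failures.append((ts, user))
        if len(failures) >= threshold and src not in flagged:
            flagged.add(src)
            targets = sorted({u for _, u in failures})
            alerts.append(("brute-force", src, targets))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```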
![Page 101: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/101.jpg)
Securing Mobile Devices
CompTIA Security+
![Page 102: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/102.jpg)
Connection Methods
• Cellular
• Wi-Fi
• SATCOM
• Bluetooth
• NFC
![Page 103: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/103.jpg)
Cellular
• The cellular network can be utilized by smartphones in order to connect while mobile from a huge range of locations.
• Limited to areas with cellular towers.
• Other devices, not just phones, can access it:
• USB dongles for PCs
• Some tablets
• Wi-Fi hotspots
• Usually associated with a data plan/data limit.
![Page 104: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/104.jpg)
Wi-Fi
• Mobile devices are also able to connect to the wireless network, lessening their dependence on the cellular network.
• Helps by saving data!
• Constantly searching for nearby Wi-Fi access points can drain a phone's battery faster.
• Unsecure wireless access points can pose a problem with mobile devices, much as they can for laptops and other computers.
![Page 105: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/105.jpg)
SATCOM
• A service that provides data through the use of low Earth orbit satellites to users world-wide.
• Satellite requires line-of-sight.
• The delay involved in a digital satellite connection is called latency.
• Can provide connectivity to just about anywhere on earth; it just needs line of sight to the satellite.
• Generally a more expensive option for phone connectivity.
![Page 106: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/106.jpg)
Bluetooth
• Bluetooth is an open wireless protocol for exchanging data over short distances (using short length radio waves) from fixed and mobile devices, creating personal area networks (PANs). Note that PANs are centered around a specific person.
• Used to connect two devices by the use of pairing.
• Can connect several devices, overcoming problems of synchronization.
• Bluetooth 1.0 and 2.0 have a wireless range of around 30 – 33 feet (or 10 meters).
![Page 107: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/107.jpg)
NFC
• Mobile devices can be used for Near Field Communication, which can be used for communication with another device over a short distance.
• Is commonly used today for electronic purchasing: instead of using a credit card, your smartphone is used to pay.
• Can also be used for data transfers.
• Older smartphones may not have an NFC chip, and will not be able to utilize any NFC purchasing apps.
![Page 108: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/108.jpg)
Mobile Device Management (MDM)
• App/Content Management
• Remote Wipe
• Geolocation/Geofencing
• Screen locks
• Push Notifications
• Passwords & Pins
• Biometrics
• Containerization
• Full device encryption
![Page 109: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/109.jpg)
App & Content Management
• It is important to select an operating system that supports the applications desired for business functionality.
• Some applications are simply incompatible with certain types of mobile operating systems.
• It can also be important to have proper access controls set on mobile devices to restrict access to certain content, and possibly prevent the installation of certain applications.
• 3rd party applications could compromise the security of a mobile device.
![Page 110: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/110.jpg)
Remote Wipes
• The remote wipe feature on a smartphone is an excellent way to remove the data stored on the phone if said phone has been stolen or lost.
• Allows a company to protect their data on a potentially stolen phone.
![Page 111: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/111.jpg)
GPS Tracking
• GPS tracking is the ability to track a cell phone by using the phone's built-in GPS radio.
• Geo-tagging is a feature where you can encode pictures with the GPS coordinates of the picture's location. Be careful with this feature as it can be a security risk both for the company and for home users!
• Location-based services is the feature in your smartphone that enables the GPS functionality for all of your apps. If you turn this off, then none of your apps can do geo-tagging, GPS tracking, etc.
![Page 112: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/112.jpg)
Geofencing
• Geofencing can be utilized to either prevent the use of a mobile device outside of a certain area or only allow the use of a mobile device outside a certain area.
• Preventing the use of mobile devices outside of a certain area can prevent an employee from leaving and transmitting data outside of a network the company has control over.
• Preventing use inside a certain area can keep a secure area secured, possibly preventing data from being exfiltrated.
![Page 113: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/113.jpg)
Screen Lock
• Enforcing a screen lock on employee mobile devices can prevent the leakage of sensitive company information.
• A screen lock is a simple security feature on all modern smartphones that prevents access to the device without proper authentication.
• Passcode/Pin lock
• Pattern lock
• Biometric lock
![Page 114: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/114.jpg)
Passcode Locks
• A passcode lock can be set so that when the phone has been turned on or woken up, you must enter the passcode to unlock the phone. This is a great way to prevent someone other than the owner from getting to the data that is on the phone and using the phone.
• You must remember that when setting a passcode you need to use a mix of numbers. Don't use a passcode such as 1111, 2580, or 1337.
![Page 115: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/115.jpg)
Pattern Locks
• A pattern lock can be used to secure a phone by requiring the user to enter a known pattern to gain access to the phone.
• Though a pattern lock can be a more convenient access method, it is less secure than a sufficiently long passcode lock.
![Page 116: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/116.jpg)
Biometrics
• Biometrics are the authentication techniques that rely on measurable physical characteristics that can be automatically checked.
• This could include something along the lines of facial recognition or a fingerprint scanner.
![Page 117: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/117.jpg)
Push Notifications
• Push notifications can be used for convenience for the company or user, giving faster access to some amount of information.
• A push notification can simply pop up on the locked screen of a phone, giving access instantly to certain information.
• Certain push notifications can give a small amount of information from a text or email, potentially revealing sensitive information.
![Page 118: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/118.jpg)
Context-aware Authentication
• Context-aware authentication does not check only for a simple password, but also for the situation in which the password is being entered.
• For example, the password might work perfectly fine when on the company network, but be completely disabled when trying to connect to public Wi-Fi.
• Could also require a stricter password in some locations, as in now needing a password and hardware token to access a device on public Wi-Fi.
![Page 119: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/119.jpg)
Device Containerization
• Whenever an employee is using a smartphone, the issue of data ownership needs to be addressed.
• Creating a "container" on the device can separate corporate information from personal information on a device.
• The secure container can be remotely wiped should the phone be compromised.
![Page 120: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/120.jpg)
Full Device Encryption
• Device encryption is used to encrypt every bit of data that goes on a device. The data is then decrypted as it is read into memory.
• The term "full device encryption" is often used to signify that everything on a device is encrypted.
• Full device encryption would be best used on portable devices, as they can be easily stolen.
![Page 121: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/121.jpg)
Enforcement & monitoring
• Third Party Apps
• Rooting/Jailbreaking
• Carrier Unlocking
• Camera Use
• External Media
• GPS Tagging
• Sideloading
• Custom Firmware
• Firmware OTA Updates
• SMS/MMS
• Tethering
• Wi-Fi direct/Ad hoc
![Page 122: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/122.jpg)
Third Party App stores
• Preventing access to third party application stores can prevent users from having access to applications on their phones that could compromise the device.
• Preventing unnecessary third party applications can also further prevent compromise from unknown factors caused by those applications.
![Page 123: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/123.jpg)
Rooting/Jailbreaking
• Rooting/Jailbreaking a phone is gaining root access to the operating system on the device.
• Root access is admin access.
• Scanning any networked devices to check if they have root access is important, because a user with complete control could change any number of configurations.
![Page 124: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/124.jpg)
Sideloading
• Sideloading is the process of installing software while bypassing the use of any app store or official means of acquiring an application.
• Sideloading can be mitigated by preventing removable media and controlling which networks a mobile device is permitted to connect to.
![Page 125: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/125.jpg)
Custom Firmware
• Custom firmware is a modified version of market firmware developed by a third party.
• Custom firmware is essentially a modified operating system that can be used to bypass certain security controls.
• Like sideloaded applications, preventing the use of removable media can mitigate the risk of a user loading custom firmware.
![Page 126: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/126.jpg)
Carrier Unlocking
• A company smartphone being unlocked from a particular carrier can present a number of issues.
• Can breach some security controls on a smartphone.
• Can violate an agreement a company has with a carrier.
• Carrier unlocking can be prevented by restricting access to 3rd party applications and removable media.
![Page 127: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/127.jpg)
OTA updates
• Over the Air updates are updates that your phone receives over a wireless network, allowing attackers to potentially intercept and manipulate that data.
• Enforcing wireless encryption with a suitably strong algorithm can prevent exploiting this technology.
• For example, using AES instead of DES.
![Page 128: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/128.jpg)
Camera use
• Preventing camera use on an employee smartphone can prevent them from taking pictures of sensitive information.
• Pictures of confidential documents.
• Pictures of secure locations.
• Geotagged pictures.
• Disabling the camera can further lock down the company phone.
![Page 129: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/129.jpg)
SMS/MMS
• SMS would be a simple message, much like a text.
• MMS would be a multimedia message such as a picture or short video.
• Monitoring employee communications on a company smartphone can be paramount when trying to detect the leakage of sensitive data.
![Page 130: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/130.jpg)
External Media
• Allowing external media on a company smartphone can present numerous issues for the security of a mobile device.
• Allows for the exfiltration of data.
• Allows sideloading of 3rd party applications.
• Gives an access point for potentially malicious software.
• Disabling removable media is a good idea for mobile devices.
![Page 131: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/131.jpg)
USB OTG
• USB On The Go (OTG) allows other USB devices to connect to a smartphone, and pass information between the two devices.
• Has the same security issue as removable media.
• Allows for the connecting of peripheral devices, which can compromise the security of a smartphone.
• Like most removable media, it is best practice to disable it.
![Page 132: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/132.jpg)
GPS tagging
• GPS tagging (also known as Geotagging) includes geographical information such as GPS coordinates into items like pictures and video.
• Can cause privacy issues for users.
• Geotagging can also reveal the GPS coordinates of secure locations.
• Ensure location-based services are disabled to prevent Geotagging.
![Page 133: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/133.jpg)
Wi-Fi direct/ad-hoc/Tethering
• Wi-Fi direct or ad-hoc mode allows wireless devices to connect directly together without requiring a wireless network to work off of.
• This can cause the same issue as removable media, but wirelessly.
• Tethering is a physical connection between a smart device and a personal computer, for example. This would allow data exfiltration to occur.
![Page 134: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/134.jpg)
Deployment Models
• BYOD
• COPE
• CYOD
• Corporate-owned
![Page 135: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/135.jpg)
BYOD
• BYOD = Bring Your Own Device. If allowing employees to use their own mobile devices on the corporate network, confine them to their own VLAN for security.
• BYOD allows an employee to bring their own personal phone and connect it to the business network to be used for business purposes.
• Employee maintains a large amount of control over the device.
![Page 136: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/136.jpg)
COPE
• COPE = Company Owned, Personally-enabled. A company provides its employees with mobile devices to use as though they were the employee's own device.
• Similar to BYOD, but at the end of the day, the company owns the device.
• Gives slightly more control than BYOD.
![Page 137: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/137.jpg)
CYOD
• CYOD = Choose Your Own Device. With CYOD, employees get a choice from a limited number of devices that are ultimately selected by the company.
• Can limit users to particular operating systems.
• Company has more control over the device, and can limit it to strictly work activities.
![Page 138: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/138.jpg)
Corporate Owned Mobile Devices
• A corporate owned mobile device is a mobile device that is owned, administered, and controlled by the company, but is then handed out to the employees of that company.
• Employees have little say on which device they acquire, if any at all.
• A company can regain complete control of the mobile device if needed.
![Page 139: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/139.jpg)
Secure Protocols
CompTIA Security+
![Page 140: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/140.jpg)
Email Security Protocols
• Email communications can be encrypted and signed in order to guarantee secure communications.
• Emails can be encrypted to ensure confidentiality of the emails.
• Emails can be signed and hashed to ensure integrity.
• Secure email protocols:
• S/MIME
• Secure POP
• Secure IMAP
![Page 141: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/141.jpg)
S/MIME
• The primary benefit of using S/MIME is that it allows users to send both encrypted and digitally signed emails.
• S/MIME allows a user to selectively encrypt email messages at rest.
![Page 142: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/142.jpg)
Secure POP/IMAP
• POP or IMAP can be utilized to download email from an email server.
• POP downloads and deletes.
• IMAP keeps a copy on the server.
• Both POP and IMAP can be secured by SSL or TLS, to allow this communication to be encrypted.
• Causes POP to run over port 995 instead of 110.
• Causes IMAP to run over port 993 instead of 143.
![Page 143: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/143.jpg)
Secure Web Protocols
• Browsing the internet can also be secured by encrypting traffic between the web client and server.
• Useful when purchasing online.
• Useful when accessing online bank accounts.
• Useful for any other sensitive internet traffic.
• Primary protocol to use to secure web traffic is HTTPS.
• Secured with SSL/TLS.
![Page 144: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/144.jpg)
HTTPS
• HTTPS stands for Hypertext Transfer Protocol Secure and is used to transmit data to and from a web browser and a web server securely.
• HTTPS uses SSL or TLS for its encryption.
• HTTPS uses TCP port 443.
![Page 145: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/145.jpg)
SSL
• Secure Socket Layer (SSL) uses port 443 and is an asymmetric protocol.
• SSL uses both public keys and private keys to secure websites.
• The session key in an SSL connection is symmetric.
• SSL session keys are encrypted using an asymmetric algorithm.
• If you are using SSL to secure a web or VPN server, make sure that port 443 inbound on your firewall is open.
![Page 146: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/146.jpg)
TLS
• Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet.
• TLS is a competitor to SSL and is currently the preferred protocol for securing communications.
  • TLS protects against man-in-the-middle attacks by requiring the client to compare the actual DNS name of the server to the DNS name on the certificate.
  • TLS is used for encryption between email servers.
  • TLS can encrypt the protocols LDAP, HTTP, and SMTP.
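The name comparison described on this slide, as an added example that is not part of the original deck: it matches the hostname a client dialled against the DNS names in a certificate, and reports whether Python's default client context enforces that check. The certificate dictionary and the `example.test` names are constructed, and the function names are illustrative.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (
        ("DNS", "mail.example.test"),
        ("DNS", "*.apps.example.test"),
    ),
}


def dns_names(cert):
    """Return the lower-cased DNS names listed in the certificate's subjectAltName."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Match one certificate name against the hostname the client dialled.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, so *.apps.example.test matches neither
    a.b.apps.example.test nor apps.example.test.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*" and len(p_labels) >= 3:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_ok(cert, hostname):
    """True when any DNS name in the certificate matches the requested hostname."""
    return any(name_matches(n, hostname) for n in dns_names(cert))


def default_client_settings():
    """Report whether the default client context checks hostname and certificate."""
    ctx = ssl.create_default_context()
    return ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("mail.example.test", "shop.apps.example.test", "apps.example.test"):
        print(host, hostname_ok(SAMPLE_CERT, host))
    print(default_client_settings())
```

Client code that sets `check_hostname = False` or `verify_mode = ssl.CERT_NONE` on its context removes this protection, so those two settings are worth searching for in a code review.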
![Page 147: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/147.jpg)
File Transfer
• Transferring files between systems can and should be encrypted from end to end to prevent snooping of the data in transit.
  • Unencrypted file transfers can be captured and possibly modified by a malicious attacker.
• Examples of secure file transfer protocols include:
  • FTPS
  • SFTP
![Page 148: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/148.jpg)
SFTP
• SSH can be used to secure FTP communications. This is called SFTP or Secure File Transfer Protocol.
• SFTP uses TCP port 22 because it utilizes SSH to encrypt the traffic.
• Is not compatible with the original FTP.
• SFTP only requires one channel to use.
![Page 149: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/149.jpg)
FTPS
• SSL or TLS can be used to secure FTP communications as well; this is called FTPS.
• Is built on the same framework as most internet communications.
• Is split into two connections like FTP, making it hard to use with firewalls.
  • Control Channel
  • Data Channel
![Page 150: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/150.jpg)
Directory Services
• A directory is a collection of usernames, passwords, emails, or possibly many other things.
  • Think of how a phone book is a list of names and phone numbers.
• An example of a directory service could be Active Directory, Microsoft’s directory service.
  • LDAP is used to add, delete, search, and modify directory entries.
![Page 151: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/151.jpg)
LDAPS
• Before any LDAP messages can be transferred, LDAPS requires the client to establish a secure TLS session, providing encryption.
• If the TLS connection is closed, the LDAPS session closes as well, preventing connection without encryption.
• Runs over port 636
![Page 152: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/152.jpg)
Remote Access
• After initial configuration, devices can be remotely configured and administrated over the network, allowing the admin to change and test configurations remotely.
  • Otherwise physical access would be the only option.
• Two protocols that could allow this remote access:
  • Telnet (unsecure)
  • SSH (secure)
![Page 153: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/153.jpg)
SSH
• Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices such as an administrator computer and a router.
• SSH was designed as a replacement for Telnet and other insecure remote shells which send information (notably passwords) in plaintext, leaving them open for interception.
• SSH is most commonly used to remotely administer a Unix/Linux system and uses TCP port 22.
![Page 154: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/154.jpg)
SNMP
• SNMP (Simple Network Management Protocol) is used in network management systems to monitor devices for conditions that warrant administrative attention.
  • Runs on port 161.
  • Allows an administrator to set device traps.
  • Used to find equipment status and modify configuration and settings on network devices.
• SNMP can be used to gather reconnaissance information from a printer.
• SNMPv3 is the most secure.
![Page 155: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/155.jpg)
Domain Name Solution
• A DNS (Domain Name System) server converts an FQDN (Fully Qualified Domain Name) (ex: www.yahoo.com) into the IP address your computer needs to access the remote device. BIND is the de facto standard DNS software.
• A DNS zone transfer is when two DNS servers synchronize their databases. This uses TCP port 53.
• DNS information could potentially be forged, or a malicious DNS server could try to perform a zone transfer with a legitimate one, poisoning it.
![Page 156: Hardware and Software](https://reader030.fdocuments.us/reader030/viewer/2022012719/61b2386ca966da480a0ca77c/html5/thumbnails/156.jpg)
DNSSEC
• DNSSEC is a suite of specifications for securing info provided by DNS (especially authentication to the data therein, stopping zone transfer).
  • Prevents the use of forged DNS information.
  • Has all DNS responses be digitally signed.