2.0 Technologies and Tools

2.1 Install and configure network components, both hardware and software-based, to support organizational security. (Mike Meyers 1, Mike Meyers 2)

  • Firewall (James Messer)
    • Keeps bad traffic from coming in; sometimes from leaving too
    • Controls traffic flow
    • Content control as well
      • Inappropriate content
      • Malware
    • Application-based vs. network-based
      • "Application-based firewalls (aka application-layer firewalls) can analyze traffic at an even deeper level, examining the application characteristics of traffic and blocking specific actions while allowing others, even inside web-connected applications. This gives application-based firewalls much greater specificity than network-based firewalls that only look at IP addresses and ports." (Conklin)
    • Stateful vs. stateless
      • Stateless
        • Doesn't keep track of sessions
        • Packet filter
      • Stateful
        • Keep track of what traffic flows are active
        • "A stateful packet inspection firewall can act upon the state condition of a conversation—is this a new conversation or a continuation of a conversation, and did it originate inside or outside the firewall?" (Conklin)
    • ACL
      • Rules for allow/disallow
      • "Access control lists (ACLs) are lists of users and their permitted actions." (Conklin)
    • Implicit deny
      • Prevents "any traffic from passing that is not specifically recognized as allowed." (Conklin)
  • VPN concentrator (James Messer)
    • Remote access vs. site-to-site
      • "When the VPN is set up to connect specific machines between two networks on an ongoing basis, with no setup per communication required, it is referred to as a site-to-site VPN configuration. If the VPN connection is designed to allow remote hosts to connect to a network, they are called remote access VPNs." (Conklin)
    • IPSec (Mike Meyers)
      • Authentication and encryption for every packet.
      • Integrity check: Anti-replay
      • Transport mode
        • Data is encrypted
        • IPSec headers and trailers
        • Original IP header used
      • Tunnel mode
        • Both IP header and data are encrypted
        • Completely different IPSec header put on front of packet
      • AH: Authentication header
        • "The AH, when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data’s origin." (Conklin)
      • ESP: Encapsulating Security Payload
        • "Provides security services for the higher-level protocol portion of the packet only, not the IP header." (Conklin)
    • Split tunnel vs. full tunnel
      • "Split tunnel is a form of VPN where not all traffic is routed via the VPN." (Conklin)
      • "A full tunnel solution routes all traffic over the VPN, providing protection to all networking traffic." (Conklin)
    • TLS (Mike Meyers)
      • "TLS-based VPNs have some advantages over IPSec-based VPNs when networks are heavily NAT encoded, because IPSec-based VPNs can have issues crossing multiple NAT domains." (Conklin)
    • Always-on VPN
      • They use "pre-established connection parameters and automation. Always-on VPNs can self-configure and connect once an Internet connection is sensed and provide VPN functionality without user intervention." (Conklin)
  • NIPS/NIDS (James Messer, Jason Dion 1, Jason Dion 2, Mike Meyers)
    • Inline vs. passive
      • Passive
        • No way to block traffic
        • Receives copy of traffic
        • Isn't sitting in middle of traffic
      • Inline
        • Traffic passes through
        • May be dropped
    • In-band vs. out-of-band
      • Out-of-band
        • After-the-fact
        • Sends TCP RST (reset), closes connection
        • UDP doesn't allow reset
    • Identification technologies
      • Signature-based
        • Look for a perfect match
      • Anomaly
        • Build a baseline of what's normal
    • Heuristic/behavioral
      • Use artificial intelligence to identify
    • Rules
      • Block, allow, send alert, etc.
    • Analytics
      • False positive
        • False alarm
        • e.g. quarantining sites, files which are legitimate
      • False negative
        • Should have been caught, but passed
        • Malicious traffic not identified
  • Router (James Messer, Jason Dion)
    • A router forwards traffic between IP subnets
    • Layer 3 devices
      • They make decisions on the network level on the OSI model
      • Typically "layer 2" is referring to a switch
      • Routers inside of switches sometimes called "layer 3 switches"
    • ACLs: Access Control Lists
      • Used to allow or deny traffic
      • Evaluate traffic on certain criteria
        • Source IP, destination IP, TCP port numbers, UDP port numbers, ICMP
      • "The ACLs should be deployed on the routers. The ACLs will improve network security by confining sensitive data traffic to computers on a specific subnet. By implementing ACLs and rules, you can ensure that a secure router configuration is implemented, which will protect the routers and the subnets they manage." (uCertify)
    • Antispoofing
      • Prevent others from using someone else's address
      • Man-in-the-middle, DDoS
      • Filter reserved IP addresses
      • RPF: Reverse Path Forwarding
        • The response to an inbound packet should return the same way
        • If it doesn't, then drop the packet right now
  • Switch (James Messer, Jason Dion)
    • OSI layer 2 device
      • Uses MAC address
    • ASIC: Application-specific integrated circuit
    • Port security
      • Inside of network less secure
      • NAC: Network Access Control
      • IEEE 802.1X - Port-based Network Access Control
        • You don't get access until you authenticate
        • Makes extensive use of EAP and RADIUS
    • "A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes." (uCertify)
    • Disable unused ports
    • Duplicate MAC address checking
      • Stop the spoofers
    • Loop prevention
      • Two switches connected together will send traffic back and forth forever
      • Easy way to take down a network
      • STP: Spanning Tree Protocol
        • 802.1D
        • Prevents loops
    • Flood guard
      • Configure a maximum number of MAC addresses on an interface
      • Configure specific MAC addresses
    • Layer 2 vs. Layer 3
      • Layer 3 switches
        • Switching operates at OSI layer 2
        • Routing still operates at OSI layer 3
  • Proxy (James Messer, Mike Meyers)
    • Sits between users and the external network
    • Receives the user's request and sends it on their behalf (hence "proxy")
    • Useful for caching information, access control, URL filtering, content scanning
    • Modes of operation
      • Explicit proxy
        • OS or browser must be configured to explicitly use proxy
      • Transparent
        • Invisible; end users have no idea there is a proxy in the middle
    • Application/multipurpose
      • NAT
        • Network-level proxy
      • May only know one application (e.g. HTTP)
      • Many proxies are multipurpose proxies
        • HTTP, HTTPS, FTP
    • Forward and reverse proxy
      • Forward proxy
        • An "internal proxy"
          • Commonly used to protect and control user access to the internet
      • Reverse proxy
        • Inbound traffic from the internet to your internal service
    • Open proxy
      • A third-party, uncontrolled proxy
        • Can be a significant security concern
        • Often used to circumvent existing security controls
  • Load balancer (James Messer)
    • Distributes the load
      • Multiple servers
      • Invisible to the end-user
    • Large scale implementations
      • Web server farms, database farms
    • Fault tolerance
      • Server outages have no effect
      • Very fast convergence
    • SSL offload
      • Encryption/decryption
    • Prioritization
      • QoS
    • Scheduling
      • Round-robin
        • Each server is selected in turn
        • Dynamic round-robin
          • Distribute load to server with lowest use
      • Weighted
      • Affinity
        • Uses the same server for a particular user
        • Tracked through IP address or session IDs
    • Active-active
      • All servers are active
    • Active-passive
      • Some servers available
      • Others on standby
      • Passive servers take place of failed servers
    • Virtual IPs
      • "Allow for multiple systems to be reflected back as a single IP address." (Conklin)
  • WAP: Wireless Access point (James Messer)
    • Not a wireless router
      • A wireless router is a router and a WAP in a single device
      • WAP is a bridge
        • Extends the wired network onto the wireless network
        • An OSI layer 2 device
    • SSID: Service Set Identifier
      • Name of the wireless network
      • Change the SSID to something not-so obvious
    • Disabled SSID broadcasting?
      • This was never designed to be a wireless security feature
      • SSID easily determined through wireless network analysis
      • Security through obscurity
    • MAC filtering
      • Limit access to only certain physical devices
      • Keep neighbors out of AP
      • But MAC addresses can be spoofed
        • Use packet-capturing device to discern MAC address
    • Signal strength
      • Power level controls
        • Limit power of signal
        • Set it as low as possible
      • "The power levels will dictate how far an access point can transmit its signal. For more coverage, increase the power levels, but be careful not to go beyond your organization's work area, or other neighboring entities might try to compromise your network." (uCertify)
    • Band selection/width
      • Throughput
        • Maximum theoretical throughputs
        • Actual throughput can vary
      • Frequency
        • 2.4 GHz and 5 GHz
        • Sometimes both
    • Antenna types and placement
      • Omnidirectional antennas
        • Most common
        • Signal can't be focused
      • Directional antennas
        • Focus the signal
        • Increased distances
        • Double power every 3dB of gain (logarithmic scale)
        • Yagi antenna
          • Very directional
          • High gain
        • Parabolic antenna
          • Focus on a single point
    • Controller-based vs. standalone
      • Wireless LAN controllers
        • Centralized management of WAPs
          • Deploy
          • Monitor
          • Configure
        • LWAPP - Lightweight Access Point Protocol
          • Cisco proprietary - CAPWAP is an RFC standard, based on LWAPP
          • Manage multiple points simultaneously
        • Fat vs. thin
          • Thick
            • The access point handles most wireless tasks
            • The switch is not wireless-aware
          • Thin
            • Just enough to be 802.11 wireless
            • The intelligence is in the switch
            • Less expensive
  • SIEM: Security Information and Event Management (James Messer, Mike Meyers)
    • Logging of security events and information
    • Aggregation
      • "The collecting of information in a central place, in a common format, to facilitate analysis and decision making." (Conklin)
    • Correlation
      • "The connection of events based on some common basis. Events can correlate based on time, based on common events, based on behaviors, and so on. Although correlation is not necessarily causation, it is still useful to look for patterns, and then use these patterns to find future issues." (Conklin)
    • Time synchronization
      • Challenge: each device has its own clock setting
      • Synchronization becomes critical
      • Automatic update with NTP (Network Time Protocol)
        • Very accurate: within 1 millisecond
    • Syslog
      • Standard method for transferring logs between devices
      • Diverse systems, consolidated log
    • Logs/WORM
      • Write once, read many
    • Event deduplication
      • Event storms
    • Automated alerting and triggers
      • Track important statistics
      • Email, text, call
  • DLP: Data Loss Prevention (James Messer)
    • Endpoint DLP tools
    • Data in motion
      • Insecure data sent over network
    • Data at rest
      • "Data-at-rest is the data that is currently inactive but stored in digital form in places such as nonvolatile memory." (Dion)
      • On your server
    • USB blocking
      • e.g. ban removable flash media
    • Cloud-based
      • Located between users and internet
    • Email
      • Track, monitor, and filter email, inbound and outbound
      • Block forgeries
  • NAC: Network Access Control (James Messer)
    • Dissolvable vs. permanent
      • Persistent agents
        • Permanently installed
        • Periodic updates
      • Dissolvable agents
        • No installation required
        • Runs during the posture assessment
        • Terminates when no longer required
      • Agentless NAC
        • Integrated with Active Directory
        • Checks are made during login and logoff
        • Can't be scheduled
    • Failing assessment
      • Put on quarantine network
      • Just enough access to fix issue
    • Host health checks
      • "Some common host health checks include verifying an antivirus solution is present, has the latest patches, and has been run recently, and verifying that the OS and applications are patched." (Conklin)
    • Agent vs. agentless
      • "In agent-based solutions, code is stored on the host machine for activation and use at time of connection. In agentless solutions, the code resides on the network and is deployed to memory for use in a machine requesting connections, but since it never persists on the host machine, it is referred to as agentless." (Conklin)
    • "Computers must have the authentication agent installed; otherwise, the NAC system will not ask for the credentials." (uCertify)
  • Mail gateway (James Messer)
    • Filtering
      • Examine inbound or outbound email
      • Antivirus
      • DLP
    • Spam filter
      • Only receive email from trusted senders
      • SMTP standards checking
      • rDNS - Reverse DNS
        • Block email where the sender's domain doesn't match the IP address
      • Tarpitting
        • Intentionally slow down the conversation
      • Recipient filtering
        • Block all email not addressed to a valid recipient address
    • Encryption
      • Based on policy
      • Force encryption, send a password to the sender
    • DLP
      • "Most enterprise-level DLP solutions have built-in gateway methods for integration with mail servers to facilitate outgoing mail scanning." (Conklin)
  • Bridge
    • "Operates by connecting two separate network segments and allows communication between the two segments based on the layer 2 address on a packet." (Conklin)
  • SSL/TLS accelerators (James Messer)
    • Asymmetric encryption is hard
      • Much more computationally intense than symmetric encryption
      • Accelerator offloads the process
    • "Includes hardware-based SSL/TLS operations to handle the throughput, and it acts as a transparent device between the web server and the Internet. When an enterprise experiences web server bottlenecks due to SSL/TLS demands, an accelerator can be an economical solution." (Conklin)
  • SSL decryptors
    • SSL proxy
    • Uses internal CA certificate
    • Decrypts and inspects traffic before re-encrypting and sending it to destination
  • Hardware security module
    • High-end cryptographic hardware
    • Key backup
      • Secured storage
    • SSL endpoint
  • Media gateway
    • Converts between PSTN (public switched telephone network) and VoIP
    • Hacker could disable all voice communications
      • Make outbound calls
      • Listen to communications
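
The firewall items above (ACL, implicit deny, stateless vs. stateful) as a small packet-filter model. This is an added example, not code from the notes or the cited authors; the addresses, ports, rules and packet flags are constructed, and the flow table is a simplification of what a real stateful firewall tracks.

```python
# Added example (not from the original notes): an ACL evaluated with implicit
# deny, and why a stateful filter can admit reply traffic that a stateless packet
# filter would need an explicit (and overly broad) rule for.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: start of a new connection
    ack: bool = False   # TCP ACK flag: continuation of a conversation

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # protocol name or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport

def stateless_filter(rules: list[Rule], p: Packet) -> str:
    """Packet filter: first matching rule wins; no match means implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # implicit deny: traffic not specifically allowed does not pass

class StatefulFilter:
    """The same ACL plus a table of flows that were allowed outbound."""
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.flows: set[tuple] = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def check(self, p: Packet, direction: str) -> str:
        if direction == "inbound":
            # A reply to a conversation that started inside is a continuation, not new traffic.
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return "allow"
            if p.proto == "tcp" and p.ack and not p.syn:
                return "deny"   # mid-stream segment for a conversation we never saw
        action = stateless_filter(self.rules, p)
        if action == "allow" and direction == "outbound":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

# Constructed policy: inside hosts may reach HTTPS anywhere; only the admin subnet
# may SSH to inside hosts.  Nothing else is listed, so everything else is denied.
INSIDE = "10.0.0.0/24"
ACL = [
    Rule("allow", "tcp", INSIDE, "any", 443),
    Rule("allow", "tcp", "10.0.9.0/24", INSIDE, 22),
]

def demo() -> dict:
    fw = StatefulFilter(ACL)
    out = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, ack=True)
    stray = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51001, ack=True)
    ssh = Packet("10.0.9.7", "10.0.0.5", "tcp", 40000, 22, syn=True)
    return {
        "outbound_https": fw.check(out, "outbound"),      # allow: rule 1
        "reply_stateful": fw.check(reply, "inbound"),     # allow: known flow
        "reply_stateless": stateless_filter(ACL, reply),  # deny: no rule covers the reply
        "stray_ack": fw.check(stray, "inbound"),          # deny: unknown conversation
        "admin_ssh": fw.check(ssh, "inbound"),            # allow: rule 2
    }
```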
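
The load balancer scheduling items above (round-robin, dynamic round-robin, weighted, affinity, fault tolerance) as one small model. This is an added example, not code from the notes; server names, weights and load figures are constructed.

```python
# Added example (not from the original notes): the scheduling strategies a load
# balancer chooses between, plus what happens to sticky clients when a server fails.
from itertools import cycle
from typing import Dict, List, Optional

class LoadBalancer:
    """Picks a back-end server for each request; clients only ever see the virtual IP."""
    def __init__(self, servers: List[str], weights: Optional[Dict[str, int]] = None):
        self.servers = servers
        self.weights = weights or {s: 1 for s in servers}
        self.healthy = set(servers)
        self.load: Dict[str, int] = {s: 0 for s in servers}   # active connections per server
        self._rr = cycle(servers)
        self._wrr = cycle([s for s in servers for _ in range(self.weights[s])])
        self._affinity: Dict[str, str] = {}                   # client key -> server

    def mark_down(self, server: str) -> None:
        """Fault tolerance: a failed server is skipped and its sticky clients re-homed."""
        self.healthy.discard(server)
        self._affinity = {c: s for c, s in self._affinity.items() if s != server}

    def _next_healthy(self, ring, limit: int) -> str:
        for _ in range(limit):
            s = next(ring)
            if s in self.healthy:
                return s
        raise RuntimeError("no healthy servers")

    def round_robin(self) -> str:
        # Each server is selected in turn.
        return self._next_healthy(self._rr, len(self.servers))

    def weighted(self) -> str:
        # A server with weight 3 receives three requests per turn of the ring.
        return self._next_healthy(self._wrr, sum(self.weights.values()))

    def dynamic_round_robin(self) -> str:
        # Send the request to the healthy server with the lowest current load.
        return min(self.healthy, key=lambda s: (self.load[s], self.servers.index(s)))

    def affinity(self, client_key: str) -> str:
        # Sticky sessions: a client (keyed by source IP or session ID) stays on one
        # server, which matters when session state is not shared between servers.
        s = self._affinity.get(client_key)
        if s is None or s not in self.healthy:
            s = self.round_robin()
            self._affinity[client_key] = s
        return s

def demo() -> dict:
    lb = LoadBalancer(["web1", "web2", "web3"], weights={"web1": 3, "web2": 1, "web3": 1})
    rr = [lb.round_robin() for _ in range(4)]
    wrr = [lb.weighted() for _ in range(5)]
    lb.load.update({"web1": 5, "web2": 2, "web3": 9})   # constructed connection counts
    least = lb.dynamic_round_robin()
    first = lb.affinity("sess-abc")
    same = lb.affinity("sess-abc")
    lb.mark_down(first)                                   # simulate an outage
    moved = lb.affinity("sess-abc")
    return {"rr": rr, "wrr": wrr, "least": least, "sticky": first == same,
            "rehomed": moved != first and moved in lb.healthy}
```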
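
The SIEM items above (aggregation, time synchronization, event deduplication, correlation) as a toy pipeline over constructed syslog lines. This is an added example, not code from the notes; the host names, clock offsets, log lines and the "three failures on more than one host within 60 seconds" rule are all constructed, and the skew table stands in for what NTP would otherwise keep at zero.

```python
# Added example (not from the original notes): a minimal SIEM pass showing why
# clock synchronisation matters before correlation can work across devices.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed syslog-style lines from three devices.  fw1's clock runs 2 minutes
# slow and vpn1's 30 seconds fast; srv1 is correctly synchronised.
RAW_LOGS = """\
2024-03-01T10:00:05 fw1 sshd: Failed password for root from 198.51.100.7
2024-03-01T10:00:05 fw1 sshd: Failed password for root from 198.51.100.7
2024-03-01T10:00:05 fw1 sshd: Failed password for root from 198.51.100.7
2024-03-01T10:02:40 srv1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T10:02:55 srv1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T10:03:10 srv1 sshd: Accepted password for alice from 192.0.2.44
2024-03-01T10:03:50 vpn1 sshd: Failed password for admin from 198.51.100.7
"""
# Known per-device clock error (constructed); with NTP in place this would be all zeros.
CLOCK_SKEW = {"fw1": timedelta(minutes=2), "vpn1": timedelta(seconds=-30)}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (Failed|Accepted) password for (\S+) from (\S+)$")

def aggregate(raw: str) -> List[dict]:
    """Parse lines from diverse devices into one common record format."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, _proc, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
                           "host": host, "outcome": outcome, "user": user, "src": src})
    return events

def synchronise(events: List[dict], apply_skew: bool = True) -> List[dict]:
    """Put every record on one timeline by correcting each device's known skew."""
    for e in events:
        if apply_skew:
            e["ts"] += CLOCK_SKEW.get(e["host"], timedelta(0))
    return sorted(events, key=lambda e: e["ts"])

def deduplicate(events: List[dict], window: timedelta = timedelta(seconds=5)) -> List[dict]:
    """Collapse identical events repeated within `window` (an event storm) into one with a count."""
    kept: List[dict] = []
    last_seen: Dict[tuple, dict] = {}
    for e in events:
        key = (e["host"], e["outcome"], e["user"], e["src"])
        prev = last_seen.get(key)
        if prev is not None and e["ts"] - prev["ts"] <= window:
            prev["count"] += 1
            continue
        e["count"] = 1
        last_seen[key] = e
        kept.append(e)
    return kept

def correlate(events: List[dict], threshold: int = 3,
              window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Alert when one source fails logins on more than one host within `window`."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        for i, e in enumerate(fails):
            recent = [f for f in fails[: i + 1] if e["ts"] - f["ts"] <= window]
            hosts = {f["host"] for f in recent}
            if len(recent) >= threshold and len(hosts) > 1:
                alerts.append({"src": src, "hosts": sorted(hosts), "at": e["ts"].isoformat()})
                break   # one alert per source is enough
    return alerts

def run(raw: str = RAW_LOGS, apply_skew: bool = True) -> dict:
    events = deduplicate(synchronise(aggregate(raw), apply_skew))
    return {"events": len(events), "alerts": correlate(events)}
```

With the skew corrected, fw1's burst lines up with srv1's failures and the rule fires; on the raw timestamps the same activity looks spread over minutes and nothing correlates.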

2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization. (James Messer)

  • Passive vs. active
    • Passive
      • Watches traffic
    • Active
      • Sends traffic to a device, watches the results
      • Query a login page
      • Try a known vulnerability
      • Check account access
  • Protocol analyzer (Jason Dion, Mike Meyers)
    • Gather packets on the network
    • View traffic patterns
    • Identify unknown traffic
  • Network scanners (Mike Meyers)
    • Scan for IP addresses and open ports
      • Also for operating systems, services, etc.
    • Scan IP range
    • Rogue system detection
    • e.g. nmap, zenmap, Angry IP scanner
    • Visually graph devices
    • Network mapping
  • Wireless scanners/cracker
    • Wireless monitoring
      • Packet capture
    • Open source projects
      • Aircrack-ng Suite, Fern
  • Password cracker
    • Unsalted hashes are easier to crack
    • But getting the hashes is not trivial
    • John the Ripper, Ophcrack
  • Vulnerability scanner (Mike Meyers)
    • Active test, but minimally invasive
    • e.g. Microsoft Baseline Security Analyzer, Tenable Nessus, Nikto
      • Scan one or many devices
      • Automate the process, report on findings
  • Configuration compliance scanner
    • Operating system version, installed applications, network settings, anti-virus/anti-malware settings and versions, server configuration, etc.
    • Auditing may be ongoing
      • Report on current status
      • Integrated with login process and/or VPN connection
  • Exploitation frameworks
    • Instead of writing exploit from scratch
    • e.g.
      • BeEF
      • RouterSploit
      • Metasploit
  • Data sanitization tools
    • Overwrite the data once, and it's gone
    • e.g.
      • Darik's Boot and Nuke (DBAN)
      • Microsoft's SDelete
  • Steganography tools
    • Embed data inside image
    • Network based
      • Embed messages in TCP packets
    • Invisible watermarks on print
  • Honeypot (Mike Meyers)
    • Attract the bad guys
    • Bad guys are probably a bot
    • Create virtual world to explore
    • projecthoneypot.org, honeyd
  • Backup utilities
    • Real-time file sync
      • rsync
    • Regular partial backups
      • Hourly incremental backups
    • Full backups
    • Complete coverage, fast recovery
  • Banner grabbing
    • "Banner grabbing is a process where someone connects to a web server and gathers information by 'grabbing their banner' which can be done through netcat fairly easily." (Dion)
    • Applications can be chatty
      • They can say too much
    • Capture with telnet, nc, nmap
  • Command line tools (James Messer, Mike Meyers 1, Mike Meyers 2)
    • ping
      • Test if device is available
      • Determine round-trip time
      • Uses ICMP
    • netstat
      • Show all active connections: netstat -a
      • Show binaries (Windows): netstat -b
      • Do not resolve names: netstat -n
    • tracert
      • traceroute
      • Determine the route a packet takes to a destination
      • Map the entire path
      • tracert (Windows) or traceroute (POSIX)
      • Uses ICMP
    • nslookup/dig
      • Lookup information from DNS servers
      • Canonical names, IP addresses, cache timers, etc.
      • nslookup
        • Both Windows and POSIX-based
        • Lookup names and IP addresses
        • Deprecated (use dig instead)
      • dig (domain information groper)
        • More advanced domain information
    • arp
      • Determine MAC address based on IP address
      • View ARP table: arp -a
    • ipconfig/ip/ifconfig
    • tcpdump
      • "Tcpdump is a packet sniffer made for Linux but has been/can be ported to Windows." (Dion)
      • Capture packets from the command line
      • Writes the standard pcap format
    • nmap
      • Network mapper
      • Port scan to see what devices are available
      • nmap [ip]
      • sudo nmap -O: determine OS
    • netcat
      • "Read" or "write" to the network
      • Open a port and send or receive some traffic
        • Listen on a port number
        • Transfer data
        • Scan ports and send data to a port
      • Become a backdoor
      • Also: Ncat
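
The password cracker note above says unsalted hashes are easier to crack; this added example (not code from the notes) shows the reason: a lookup table precomputed once answers for every unsalted user, while per-user salts and a slow KDF force fresh work per user. The word list, user names, passwords and the low PBKDF2 iteration count are constructed for the demonstration.

```python
# Added example (not from the original notes): measuring what salting buys a
# defender.  The same short word list is tried against an unsalted SHA-256 store
# and a salted PBKDF2 store; count how much hashing each one costs the guesser.
import hashlib
import os
from typing import Dict, Optional

# Constructed word list and user passwords; two users chose common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2024"]
USERS = {"alice": "Summer2024", "bob": "letmein", "carol": "rb7!Kq#2pLx9"}
ITERATIONS = 10_000   # kept low so the demo runs quickly; production uses far more

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored next to the hash; it is unique per user, not secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def build_lookup_table(words) -> Dict[str, str]:
    """Precomputed hash -> password: built once, reusable against any unsalted store."""
    return {unsalted_hash(w): w for w in words}

def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted store: the table alone answers for every user with no further hashing.
    unsalted_store = {u: unsalted_hash(p) for u, p in USERS.items()}
    found_unsalted = {u: table.get(h) for u, h in unsalted_store.items()}
    # Salted store: the same table never matches, so the precomputation is wasted.
    salts = {u: os.urandom(16) for u in USERS}
    salted_store = {u: (salts[u], salted_hash(p, salts[u])) for u, p in USERS.items()}
    table_hits = sum(h in table for _, h in salted_store.values())
    # Work factor: with salts the word list must be hashed once per user, and each
    # hash is an expensive PBKDF2 call rather than a single SHA-256.
    work = 0
    found_salted: Dict[str, Optional[str]] = {}
    for user, (salt, h) in salted_store.items():
        found_salted[user] = None
        for word in COMMON_PASSWORDS:
            work += 1
            if salted_hash(word, salt) == h:
                found_salted[user] = word
                break
    return {"found_unsalted": found_unsalted, "table_hits_on_salted": table_hits,
            "found_salted": found_salted,
            "unsalted_work": len(COMMON_PASSWORDS), "salted_work": work}
```

The weak passwords still fall to the per-user dictionary run, which is the point of the second line in the notes: salting removes the shortcut, it does not rescue a password that is on the list.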

2.3 Given a scenario, troubleshoot common security issues. (James Messer)

  • Unencrypted credentials/clear text
    • Some protocols send authentication information in the clear
  • Logs and events anomalies (Mike Meyers)
    • Gather as much information as possible
    • Consolidated to SIEM
  • Permission issues
    • Door left open; no lockpicking required
    • Files left open on S3 buckets
  • Access violations
    • Segmentation fault
    • Prevent access to a restricted area
  • Certificate issues
    • A certificate should be signed by someone you trust
    • Should be relatively new
    • Proper TLS checks; prevent man-in-the-middle
  • Data exfiltration
    • "Data exfiltration is where an attacker attempts to steal a copy of your data and export it from your system." (Conklin)
  • Misconfigured devices
    • Leaving defaults in place can make it easy to guess user/pass
    • Outdated software
    • Maintenance code
    • Firewall
      • Rules that provide too much access
      • Can be difficult to audit
    • Content filter
    • Access points
      • Ensure management console not accessible via wireless side
  • Weak security configurations
    • Expired, weak, cracked encryption standards
      • e.g. DES, WEP, SHA-1
  • Personnel issues
    • Policy violation
      • See AUP document
    • Insider threat
      • Authenticated users have more free rein than non-authenticated
      • Important to assign correct permissions
    • Social engineering
      • We're always willing to help someone in need
      • They'll steal everything over the phone
    • Social media
      • Internal information made available to anybody on the outside
      • Most organizations have policy and marketing team
    • Personal email
      • Emails sent from work imply endorsement by the organization
      • Uses company resources
  • Unauthorized software
    • Malware, spyware, ransomware
    • May conflict with organization's mission-critical software
    • Licensing
  • Baseline deviation (Jason Dion)
    • Everything should be well documented
    • Changes to the norm should be identified
    • Common with VPNs
      • Security posture analysis
  • License compliance violation (availability/integrity)
    • Valid licenses required
    • Availability
      • Meeting expiration date may cause problems
    • Integrity
      • Invalid license: app may only work part of the time
  • Asset management
    • Identify and track computing assets
    • Respond faster to security problems
    • Track licenses
  • Authentication issues
    • Determining if someone is really who they say they are
    • Use more factors
    • Lapse in any part of authentication can open the entire network

2.4 Given a scenario, analyze and interpret output from security technologies. (James Messer, Mike Meyers)

  • HIDS/HIPS: Intrusion (detection|prevention) system (Mike Meyers)
    • Now integrated into many endpoint products
    • Protects based on signatures
    • Because it's on the host, it can read decrypted data
    • Protect based on activity
      • Why are you modifying that file?
  • Antivirus
    • Stop download, prevent execution
    • Quarantine
  • File integrity check
    • Integrity check of OS
      • sfc /scannow
  • Host-based firewall (Jason Dion)
    • Restrict access to your personal computer
    • Log connection attempts
  • Application whitelisting
    • Only allow specific applications on OS
    • Application hash
      • Identifier of app
    • Certificate
      • Digitally signed apps
    • Path
      • Only run applications in these folders
    • Network zone
  • Removable media control
    • USB drives, portable hard drives
    • Drives brought from home
    • Exfiltration
    • Windows Event Log
      • Security auditing
  • Advanced malware tools
    • Specialized removal and recovery tools
    • Malware is pervasive
    • Usually best to delete and restore from good backup
  • Patch management tools
    • List of patches installed
  • UTM: Unified Threat Management
    • All-in-one security appliance
    • URL inspection
    • Malware inspection
    • Spam filter
    • CSU/DSU
    • Router/Switch
    • IDS/IPS
    • Bandwidth shaper
    • VPN endpoint
  • DLP (Jason Dion)
    • Watch traffic and identify certain kinds of traffic
      • e.g. SSNs, CC numbers
    • Stop information from getting out
  • Data execution prevention
    • No-eXecute bit
      • Intel calls it the XD bit (eXecute disable)
      • AMD calls it Enhanced Virus Protection
  • WAF: Web application firewall
    • "Performs restrictions based on rules associated with HTTP/HTTPS traffic. By definition, web application firewalls are a form of content filter." (Conklin)
    • Can be used to protect a web server from XSS attacks
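
The application whitelisting items above (hash, path, and the default of running only what is listed) as an added example; it is not code from the notes. Certificate rules are left out because checking a signature needs a verifier the standard library does not provide. The binaries, folders and hashes are constructed in a temporary directory.

```python
# Added example (not from the original notes): an allow-list evaluator with hash
# rules and path rules, default deny, and a check that a link inside a trusted
# folder cannot launder an untrusted file.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AllowList:
    def __init__(self, hashes: set, paths: list):
        self.hashes = set(hashes)                        # identifiers of approved apps
        self.paths = [Path(p).resolve() for p in paths]  # folders apps may run from

    def decide(self, exe: Path) -> tuple:
        exe = exe.resolve()   # path rules are judged on the real location, not the link
        if sha256_file(exe) in self.hashes:
            return ("allow", "hash")
        for root in self.paths:
            if root in exe.parents:
                return ("allow", f"path:{root.name}")
        return ("deny", "default")   # anything not specifically allowed does not run

def demo() -> dict:
    tmp = Path(tempfile.mkdtemp())
    progs, downloads = tmp / "Program Files", tmp / "Downloads"
    progs.mkdir()
    downloads.mkdir()
    (progs / "app.exe").write_bytes(b"MZ constructed vendor binary")
    (downloads / "tool.exe").write_bytes(b"MZ constructed approved tool")
    (downloads / "unknown.exe").write_bytes(b"MZ constructed unknown binary")
    # Policy: anything installed under Program Files, plus one approved tool by hash.
    policy = AllowList(hashes={sha256_file(downloads / "tool.exe")}, paths=[progs])
    results = {
        "vendor_app": policy.decide(progs / "app.exe")[0],
        "approved_tool": policy.decide(downloads / "tool.exe")[0],
        "unknown": policy.decide(downloads / "unknown.exe")[0],
    }
    try:   # a link in the trusted folder still resolves to the untrusted file
        (progs / "link.exe").symlink_to(downloads / "unknown.exe")
        results["symlink"] = policy.decide(progs / "link.exe")[0]
    except OSError:
        results["symlink"] = "skipped"   # symlinks need privileges on some platforms
    return results
```

Path rules are only as strong as the folder's permissions: a user who can write to an allowed folder can place anything there, which is why hash or signature rules are preferred.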

2.5 Given a scenario, deploy mobile devices securely. (Jason Dion)

  • Connection methods (James Messer, Mike Meyers)
    • Cellular
      • Cell phones
      • Traffic monitoring
      • Worldwide access
    • WiFi
      • Local network access
      • Data capture
        • Encrypt data
    • SATCOM: Satellite communications
      • Remote locations, natural disasters
      • Handheld devices can be a security risk
    • NFC: Near field communication
      • Payment systems
      • Bootstrap for wireless
      • Identity system
      • Security concerns
        • Remote capture
        • Frequency jamming
        • Relay / replay attack
        • Loss of device
    • ANT: Wireless sensor network protocol
      • 2.4 GHz ISM band
      • Fitness devices, heart rate monitors
      • IoT, low power
      • Encryption optional
    • Infrared
      • Included on many smartphones
      • Control entertainment system
    • USB: Universal Serial Bus
      • Physical access is always a concern
      • Exfiltration
    • Bluetooth (Jason Dion)
      • "Bluetooth is a short-range, low-power wireless protocol that transmits in the 2.4-GHz band, the same band used for 802.11." (Conklin)
  • Mobile device management (MDM) concepts (James Messer, Mike Meyers)
    • Application management
      • Some organizations whitelist
      • "Your company may have to restrict the types of applications that can be downloaded and used on mobile devices. If you need very strong protection, your company can be very proactive and provide an enterprise application store where only company-approved applications are available." (Conklin)
    • MCM: Mobile Content Management
      • Secure access to data
      • Protect data from outsiders
      • DLP: Data Loss Prevention
      • Managed from the Mobile Device Manager (MDM)
    • Remote wipe
      • Security administrator can remotely delete all information on the device
      • Always have a backup
    • Geolocation
      • Track location of device within a few feet
    • Geofencing
      • Restrict or allow features when device is in particular area
    • Screen locks
      • Numbers vs. alphanumeric
      • Simple or strong
      • Keep people out of your data
      • Define a lockout policy
    • Push notification services
      • Message appears on screen with no intervention required
    • Passwords and pins
      • Password, patterns, pins
      • Trigger recovery process from MDM
    • Biometrics
      • Fingerprint, face
      • Managed from MDM
    • Context-aware authentication
      • Where you normally log in
      • Where you frequent
      • Other devices paired
    • Containerization (Mike Meyers)
      • Separate personal and company data
      • Wipe only company data if employee leaves
    • Storage segmentation
      • "Storage segmentation is similar to containerization in that it represents a logical separation of the storage in the unit. Some companies have developed capabilities to create separate virtual containers to keep personal data separate from corporate data and applications." (Conklin)
    • Full device encryption
      • Scramble all the data on the mobile device
      • Isn't trivial
        • Uses lots of CPU cycles
  • Enforcement and monitoring (James Messer, Mike Meyers)
    • Third-party app stores
      • MDM can allow or deny app store usage
    • Rooting/jailbreaking
      • Replace operating system to have complete access to device
      • Sideloading
        • Downloading from somewhere other than the app store
      • Custom firmware
    • Carrier unlocking
      • If carrier allows
      • Carrier lock may be illegal in your country
      • Moving to another carrier can circumvent the MDM
    • Firmware OTA updates
      • Operating system updates
      • No cable required
      • Security patches
      • MDM can manage what OTA updates are allowed
    • Camera use
      • Corporate espionage, inappropriate use
      • Camera use controlled by MDM
      • Geo-fencing
    • SMS/MMS
      • Text messages, video, audio
      • MDM can enable/disable
    • External media
      • Removable drives
      • SD card flash memory
      • MDM can prevent use
    • USB OTG: On-the-go
      • Device acts as both host and storage device
      • Makes data transfer easy
    • Recording microphone
      • Microphone on every mobile device
      • Every state has different laws
    • GPS tagging
      • Location services
      • Geotagged pictures
    • WiFi direct/ad hoc
      • SSID configurations
      • WiFi Direct simplifies the process
        • Easily connect many devices together
        • Common to see in home devices
      • "In Wi-Fi direct, two Wi-Fi devices connect to each other via a single-hop connection. In essence, one of the two devices acts as an access point for the other device." (Conklin)
    • Tethering
      • Turn phone into hotspot
      • Could turn phone into rogue access point
    • Payment methods
      • NFC
      • Disabling this may limit the organization's liability
  • Deployment models (James Messer, Mike Meyers)
    • BYOD: Bring Your Own Device (Jason Dion)
      • Needs to meet the company's requirements
      • Difficult to manage
      • Contains both personal and corporate data
    • COPE
      • Corporate owned, personally enabled
      • Company buys
      • Organization manages device
    • CYOD
      • Choose your own device
    • Corporate-owned
      • Where security is extremely important
      • No personal use
    • VDI: Virtual Desktop Infrastructure / Virtual Mobile Infrastructure
      • Applications are completely separate from the mobile device
      • Mobile device is window into application
      • Apps built for one VMI platform

2.6 Given a scenario, implement secure protocols. (James Messer, Jason Dion, Mike Meyers 1, Mike Meyers 2)

  • Voice and video
    • SRTP: Secure Real-Time Transport Protocol / Secure RTP
      • Secure version of the RTP
      • Keep VoIP conversations confidential
      • Uses AES encryption to encrypt voice/video flow
      • Integrity, replay protection
        • HMAC-SHA1 - Hash based message authentication code using SHA1
  • Time synchronization
    • NTPsec: Secure network time protocol
  • Email and web
    • S/MIME (Jason Dion)
      • Digitally sign and encrypt mail content in mail client
      • Requires PKI
    • Secure POP/IMAP
      • Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL
    • SSL/TLS (Jason Dion)
      • If the email is browser based, always encrypt with SSL
    • HTTPS
      • HTTP over SSL
      • Uses combination of asymmetric and symmetric encryption
      • Public key on server
  • File transfer
    • FTPS
      • FTP over SSL (FTP_SSL)
      • This is not SFTP
    • SFTP: SSH File Transfer Protocol
      • Resume interrupted transfers, directory listings, remote file removal
  • Directory services
    • LDAPS: Lightweight Directory Access Protocol Secure
      • Non-standard implementation of LDAP over SSL
    • SASL: Simple Authentication and Security Layer
      • Provides authentication using many different methods
      • Kerberos or client certificate
  • Remote access
    • SSH: Secure Shell (Jason Dion)
      • Don't use Telnet
      • Encrypted terminal communication
  • Domain name resolution
    • DNSSEC: Domain Name System Security Extensions
      • DNS had no security in the original design
      • Validate DNS responses
        • Origin authentication
        • Data integrity
      • Public key cryptography
      • Signed DNS records are published in DNS
  • Routing and switching
    • SNMPv3: Simple Network Management Protocol version 3 (Jason Dion, Mike Meyers)
      • "SNMP (Simple Network Management Protocol) is used when a person installs agents on client computers to monitor those systems from a single remote location." (uCertify)
      • "SNMP (Simple Network Management Protocol) can pass passwords over the network." (uCertify)
      • Confidentiality - Encrypted data
      • Integrity - No tampering of data
      • Authentication - Verifies the source
  • Network address allocation
    • Securing DHCP
      • No built-in security
      • No secure version of the protocol
    • Rogue DHCP servers
      • In Active Directory, DHCP servers must be authorized
      • Cisco calls this DHCP Snooping
    • DHCP client DoS - Starvation attack
      • Use spoofed MAC addresses to exhaust the DHCP pool
  • Subscription services
    • Automated subscriptions
      • Anti-virus / anti-malware
      • IPS updates
      • Malicious IP address databases / firewall method
    • Check for encryption and integrity checks
      • May require an additional public key configuration
      • Set up a trust relationship
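
The SRTP items above (HMAC-SHA1 integrity, replay protection) as an added example; this is not code from the notes and is a simplification of RFC 3711: the tag is HMAC-SHA1 over the packet truncated to 80 bits, the receiver keeps a 64-packet replay window, the rollover counter is ignored so the packet index is just the 16-bit sequence number, and the key, header layout and payloads are constructed.

```python
# Added example (not from the original notes): the receiver-side checks that give
# SRTP its integrity and anti-replay properties, on a constructed RTP-like packet.
import hashlib
import hmac
import struct

TAG_LEN = 10    # SRTP default: 80-bit truncated HMAC-SHA1 authentication tag
WINDOW = 64     # RFC 3711 requires a replay window of at least 64 packets

def make_packet(auth_key: bytes, seq: int, payload: bytes) -> bytes:
    # Minimal RTP-style header: version byte, payload type, 16-bit sequence number,
    # then 8 zero bytes standing in for timestamp and SSRC (constructed layout).
    header = struct.pack("!BBH", 0x80, 0, seq) + b"\x00" * 8
    body = header + payload   # in real SRTP the payload is already AES-encrypted here
    tag = hmac.new(auth_key, body, hashlib.sha1).digest()[:TAG_LEN]
    return body + tag

class SrtpReceiver:
    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.highest = -1     # highest packet index accepted so far
        self.seen = set()     # indices accepted inside the current window

    def accept(self, packet: bytes) -> str:
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"   # integrity failure: modified in transit or wrong key
        seq = struct.unpack("!H", body[2:4])[0]   # simplified index (no rollover counter)
        if seq <= self.highest - WINDOW:
            return "replay-too-old"   # behind the window: cannot be checked, so dropped
        if seq in self.seen:
            return "replay"           # already accepted once
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - WINDOW}
        return "ok"

def demo() -> list:
    key = b"constructed-srtp-session-auth-key"   # constructed; SRTP derives it from the master key
    rx = SrtpReceiver(key)
    p1 = make_packet(key, 100, b"frame-1")
    p2 = make_packet(key, 101, b"frame-2")
    tampered = bytearray(p2)
    tampered[12] ^= 0x01                          # flip one payload bit, keep the old tag
    return [
        rx.accept(p1),                            # ok
        rx.accept(p2),                            # ok
        rx.accept(p1),                            # replay: same index delivered again
        rx.accept(bytes(tampered)),               # bad-tag
        rx.accept(make_packet(key, 300, b"x")),   # ok: window now covers 237..300
        rx.accept(make_packet(key, 200, b"y")),   # replay-too-old
        rx.accept(make_packet(key, 250, b"z")),   # ok: late but inside the window
    ]
```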