Documento 1 Ciber


Security Fundamentals
Based on Security+
Hello!
I am Abdulrahman AlDaej
Info Security Analyst
CEH, CHFI

You can find me at:
Twitter: @a9_4

2
1.
Security 101

The Basics of Information Security

3

Nothing is ever completely or truly
secure. There is always a way
around or through any security
precaution that we construct.

4
Great!
Now that it’s
understood that there is
no perfect scenario, we
can move on to some
security basics

5
The Basics of Information Security
◎ Information security:
is the act of protecting data and information systems from
unauthorized access, unlawful modification and disruption,
disclosure, corruption, and destruction

◎ Unauthorized access:
Access to computer resources and data without the consent of
the owner. It might include approaching the system,
communicating with it, or storing and retrieving data.

◎ Malicious software:
Known as malware, this includes computer viruses, worms,
Trojan horses, spyware, rootkits, adware, ransomware.

◎ Anti-malware software:
Anti-malware protects a computer from the various forms
of malware and, if necessary, detects and removes them.
6
The CIA of Computer Security

Confidentiality: This concept centers on preventing the
disclosure of information to unauthorized persons.

Integrity: This means that data has not been tampered with.

Availability: Ensuring that authorized parties are able to
access the information when needed.

7
The AAA of computer security:

Authentication: The process of identifying an individual,
usually based on a username and password.

Authorization: The process of granting or denying a user
access to network resources once the user has been
authenticated.

Accounting: The process of keeping track of a user's activity
while accessing the network resources.

8
Time for Testing ourselves and answering
some questions!

9
Part 1. Threats, Attacks
Malware types

10
MALWARE:
Malware refers to software that has been designed for
some nefarious purpose

◎ Malware could do many things:

• Gather information
• Participate in a group (a botnet)
• Show you advertising
• Encrypt your data

11
Malware types

◎ Viruses
◎ Ransomware
◎ Worms
◎ Trojan Horse
◎ Rootkit
◎ Keylogger
◎ Adware/Spyware
◎ Botnet

12
Viruses

A virus is a program or piece of code that runs on your
computer without your knowledge.

◎ Designed to attach themselves to other code and replicate
◎ Replicates when an infected file executes or launches

13
Types of Viruses

• Polymorphic:
• Changes its code using an encryption key
• Each copy looks different after each use
• The changes are designed not to affect the functionality

• Armored:
• Tricks the antivirus into thinking that it is located in a different
place from where it actually resides.

• Boot sector:
• Loads into the first sector of the hard drive; when the computer
boots, the virus then loads into memory

14
Ransomware:
Malware that restricts access to a computer
and demands that a ransom be paid.

• Probably a fake ransom
• Locks your computer “by the police”
• The ransom may be avoided
• A security professional may be able to remove it

• Crypto-malware:
Encrypts files on a system and then leaves them unusable, either
permanently (acting as a denial of service) or temporarily until a ransom
is paid, making it ransomware.

15
16
Protecting against ransomware

• Always have a backup - an offline backup
• Keep your operating system up to date
• Keep your applications up to date
• Keep your anti-virus up to date

ExamAlert
Ransomware is unique, in that the attacker directly demands payment, often through
cryptocurrencies. The amount requested often is relatively low, to ensure a higher
likelihood of payment.

17
Worm

Worms are pieces of code that attempt to penetrate networks
and computer systems and create a new copy of themselves
on the penetrated system.

• Doesn’t need you to do anything
• Self-propagates and spreads quickly
• Stuxnet is a good example

ExamAlert
Viruses are executed by some type of action, such as running a program.
Worms act like a virus but also have the ability to travel without human action.
18
Trojan Horse

A piece of software that appears to do one thing but hides
some other functionality.

• Must be copied and installed by the user
• Doesn’t really care much about replicating
• May open the gates for other programs
• Remote Access Trojans (RATs) are Trojans that help an attacker
gain unauthorized access to a target system

ExamAlert
Trojans trick users by disguising their true intent to deliver a malicious payload. When
executed, a remote access Trojan provides a remotely accessible backdoor for an attacker
to covertly monitor the system or easily gain entry.
19
Rootkit

A piece of software that can be installed and hidden on a
computer, mainly to compromise the system and gain
escalated privileges.

• Modifies core system files
• Won’t see it in Task Manager
• Also invisible to traditional anti-virus

20
Finding and Removing rootkits

• Look for the unusual
• Anti-malware scans
• Use a remover specific to the rootkit

ExamAlert
Rootkits can be included as part of software packages, can be installed through an
unpatched vulnerability, or can be downloaded and installed by users.

21
Keylogger

A keylogger is a piece of software that logs all of the
keystrokes that a user enters.

• Web site login URLs, passwords, messages, search engine queries
• Sends them to the attacker

22
Adware

Programs that are designed to display advertisements on your
computer, redirect your search requests to advertising
websites, and collect marketing-type data about you.

• Pop-ups with pop-ups
• May be included with other software
• May cause performance issues

23
Spyware

Software that “spies” on users, recording and reporting on
their activities. It can record keystrokes.

• Advertising, identity theft, affiliate fraud
• Browser monitoring - Capture surfing habits

Trojan Horse vs Spyware ?

24
Bots and Botnet

A piece of software that performs some task, under the
control of another program.

• Once your machine is infected, it becomes a bot
• Sit around. Wait for instructions.
• Botnet is a group of bots working together
• Distributed Denial of Service (DDoS)
• Botnets are for sale

25
Logic Bomb

A piece of code that sits dormant for a period of time until
some event or date invokes its malicious payload.

• Often left by someone with a grudge
• Difficult to identify
• Difficult to recover if it goes off

26
Backdoor

Backdoors were originally nothing more than methods used by
software developers to ensure that they could gain access to
an application even if something were to happen in the
future to prevent normal access methods.

• Backdoor using trojan or spyware
• Some malware can take advantage of backdoors created by
other malware

27
Time for Testing ourselves and answering
some questions!

28
Part 1. Threats, Attacks
Attack Types

29
Social Engineering

Social engineering is the process by which an attacker seeks
to extract useful information from users, often by just
tricking them into helping the attacker.

• Social engineering is extremely successful because it
relies on human emotions.

ExamAlert
The best defense against social engineering is ongoing user
awareness and education.
30
Social Engineering Examples

• An attacker calls a valid user and impersonates a guest, temp agent, or
new user, asking for assistance in accessing the network or requesting
details on the business processes of the organization.
• An attacker contacts a legitimate user and poses as a technical aide
attempting to update some type of information. The attacker asks for
identifying user details that can then be used to gain access.
• An attacker provides the user with a “helpful” program or agent through
email, a website, or other means of distribution. This program might
require the user to enter login details or personal information useful to the
attacker, or it might install other programs that compromise the system’s
security.

31
Principles of Social Engineering
(Reasons for Effectiveness)

• Authority:
I’m calling from the help desk/office of the CEO/police.
• Intimidation:
There will be bad things if you don’t help.
• Consensus / social proof:
Your co-worker Jill did this for me last week.
• Scarcity / urgency:
Act quickly, don’t think.
• Familiarity / liking:
Someone you know; we have common friends.
• Trust:
I’m from IT, and I’m here to help.

32
Phishing and Related Attacks

Phishing is an attempt to acquire sensitive information by
masquerading as a trustworthy entity via electronic
communication, usually email.

ExamAlert
Phishing combines technical deceit with the elements of
traditional social engineering. Be sure to know the variants
of phishing attacks.

33
Phishing types

• Spear phishing:
This is a targeted version of phishing. Whereas phishing often
involves mass emailing, spear phishing might go after a specific individual.
• Whaling:
Whaling is identical to spear phishing, except for the size of the
fish. Whaling employs spear phishing tactics but goes after high-profile
targets such as an executive within a company.
• Vishing:
This attack is also known as voice phishing. The attacker uses a fake
caller ID to appear as a trusted organization and attempts to get the
individual to enter account details via the phone.
• Smishing:
Also known as SMS phishing, this attack uses phishing methods
through text messaging.

34
The big phish

• March 19, 2016
• Former chairman of the 2016 Hillary Clinton
• Gmail personal account with messages from 2007
through 2016
• Podesta used the bit.ly link in the email to “reset” his
password
• Wasn’t actually a Google reset link
• Every email was made available on WikiLeaks
• Don’t underestimate the effects of phishing

35
Tailgating (Piggybacking)

Following closely behind someone who has authorized
physical access within an environment.

Watch for tailgating:
• Policy for visitors
• You should be able to identify anyone
• Mantrap
• Who are you and why are you here?

36
Impersonation

Impersonation is simply a method in which someone assumes
the character or appearance of someone else.

Protect against impersonation:
• Always verify before revealing info
• Call back, verify through 3rd parties

37
Dumpster Diving

Digging through a company’s trash bins or dumpsters to gain
information.

• Gather details that can be used for a different attack
• Just after end of month / end of quarter
• Always shred your documents

38
Shoulder Surfing

Looking over someone’s shoulder to obtain information.

• Many people want to look, out of curiosity, for industrial
espionage, or for competitive advantage
• Be careful with your password and ATM PIN
• Use privacy filters

39
Hoaxes

A message warning the recipients of a non-existent computer
virus threat. The message is usually a chain e-mail that
tells the recipients to forward it to everyone they know.

• Consume lots of resources and time
• If it sounds too good to be true

40
Watering Hole Attacks

The attacker compromises a site that the target frequently
visits. The goal is often to compromise the larger
environment.

• Suppose your network is really secure
• You didn’t even plug in that USB key from the parking lot
• You are not opening any email attachments
• Then the attacker may use a watering hole instead

41
APPLICATION/SERVICE ATTACKS

• Denial-of-service (DoS):
In a DoS attack, the attacker attempts to deny authorized
users access to the computer system or network itself. This
can be accomplished by crashing the system—taking it
offline—or by sending so many requests that the machine is
overwhelmed.

42
DoS Attacks:

• SYN flood:
This attack takes advantage of the TCP three-way handshake.
The source system sends a flood of SYN requests but never
sends the final ACK, thus creating half-open TCP sessions.

43
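The half-open sessions the slide describes are visible on the victim as sockets stuck in SYN-RECV. The following added example (not part of the original slides) counts them per listening port from text in the format printed by `ss -tan`; the sample lines are constructed, and the alert threshold is an assumption to tune per host.

```python
"""Spot a SYN flood from the kernel's TCP connection table.

Added example, not part of the original slides. SAMPLE_SS_OUTPUT imitates
the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local Address:Port,
Peer Address:Port) and is constructed sample data, not a real capture.
"""
from collections import Counter

# Constructed sample: a web server (192.0.2.10) with two completed sessions
# and a burst of half-open connections to port 443 from scattered sources.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:443       198.51.100.23:51002
ESTAB      0      0      192.0.2.10:22        198.51.100.7:40122
SYN-RECV   0      0      192.0.2.10:443       203.0.113.4:1025
SYN-RECV   0      0      192.0.2.10:443       203.0.113.77:3001
SYN-RECV   0      0      192.0.2.10:443       198.18.5.9:6000
SYN-RECV   0      0      192.0.2.10:443       198.18.200.1:6001
SYN-RECV   0      0      192.0.2.10:443       203.0.113.120:1026
SYN-RECV   0      0      192.0.2.10:22        198.51.100.7:40200
"""


def _half_open_rows(ss_output: str):
    """Yield (local_port, peer_ip) for every SYN-RECV socket, skipping the
    header line and any completed (ESTAB etc.) sessions."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]
        peer_ip = fields[4].rsplit(":", 1)[0]
        yield local_port, peer_ip


def half_open_by_port(ss_output: str) -> Counter:
    """Number of half-open sessions per local listening port."""
    return Counter(port for port, _ in _half_open_rows(ss_output))


def distinct_peers(ss_output: str, local_port: str) -> int:
    """How many different peers hold a half-open session to one port.
    A flood typically shows many unrelated (often spoofed) sources, which
    separates it from a single slow or misbehaving client."""
    return len({peer for port, peer in _half_open_rows(ss_output)
                if port == local_port})


def syn_flood_alerts(ss_output: str, threshold: int = 4) -> list:
    """(port, half_open_count, distinct_sources) for every port whose
    half-open count reaches `threshold` (assumed value; tune per host)."""
    return [(port, n, distinct_peers(ss_output, port))
            for port, n in half_open_by_port(ss_output).items()
            if n >= threshold]


if __name__ == "__main__":
    for port, n, sources in syn_flood_alerts(SAMPLE_SS_OUTPUT):
        print(f"port {port}: {n} half-open sessions from {sources} sources")
```

On Linux the usual kernel-side mitigation once the backlog fills is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server stop holding state for unanswered SYNs.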
DoS Attacks:
• Smurf/smurfing:
The attacker sends ICMP ping packets to the broadcast
address of the network, replacing the original source
address in the ping packets with the source address of the
victim.

• Fraggle attack:
The same as Smurf but uses the User Datagram Protocol (UDP).

44
DoS Attacks:

• Ping flood:
A ping flood attempts to block service or reduce activity on
a host by sending ping requests directly to the victim. A
variation of this type of attack is the ping of death, in which
the packet size is too large (more than 32 bytes) and the
system does not know how to handle the packets.

45
DoS Attacks:
• Teardrop:
Packet fragments are sent in a jumbled and confused order.
When the receiving device attempts to reassemble them, it
does not know how to handle the request. Older versions of
operating systems will simply crash when this occurs.

• Land attack:
A packet is sent to the victim system with the same source
and destination IP address.

46
Distributed Denial-of-Service
(DDoS)

DoS attacks are conducted using a single attacking system. A
DoS attack employing multiple attacking systems is known as
a distributed denial-of-service (DDoS) attack.

• Launch an army of computers to bring down a service
• This is why the bad guys have botnets
• Thousands or millions of computers at your command

47
◎That’s it for today

48
OSI Model

49
Man-in-the-Middle

An attacker intercepts traffic and then tricks the parties at
both ends into believing that they are communicating with
each other.

• Redirects your traffic then passes it on to the destination
• You never know your traffic was redirected.
• Will be limited if the communication is encrypted

ExamAlert
A man-in-the-middle attack takes place when a computer
intercepts traffic and either eavesdrops on the traffic or
alters it.
50
Man-in-the-Browser

A Trojan Horse or similar malware used to gain important
information from users of websites, especially banking and
credit card information.

• Different input fields are added to the website
• Transfers money without you knowing

51
ARP Poisoning
Every piece of network hardware has a MAC address that must be
associated with an IP address. The Address Resolution
Protocol (ARP), which operates at Layer 2 (data link
layer) of the OSI model, associates MAC addresses with
IP addresses. ARP is a simple lower-layer protocol
that consists of requests and replies without
validation.

• ARP request: “Who has this IP address?”
• ARP reply: “I have that IP address; my MAC address is…”
• Reverse ARP request (RARP): “Who has this MAC address?”
• RARP reply: “I have that MAC address; my IP address is…”
52
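Because ARP replies carry no validation, a defender has to infer poisoning from patterns in the replies themselves. The following added example (not part of the original slides) does that over a constructed list of observed replies; the IP and MAC values are documentation addresses chosen for the demonstration, and in practice the records would come from a sniffer or the switch's dynamic ARP inspection logs.

```python
"""Detect ARP poisoning from a stream of observed ARP replies.

Added example, not part of the original slides. The replies below are
constructed sample records, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str      # "I have that IP address ..."
    sender_mac: str     # "... my MAC address is ..."
    solicited: bool     # True if a matching "Who has ...?" request preceded it


def detect_poisoning(replies, trusted=None, max_ips_per_mac=1):
    """Return a list of (ip, mac, reasons) for suspicious replies.

    Signals, from weakest to strongest evidence:
      * unsolicited: a reply nobody asked for. Gratuitous ARP is also used
        legitimately (e.g. after a failover), so alone it is only a hint.
      * mac-claims-multiple-ips: one MAC answers for more IPs than
        `max_ips_per_mac` allows, which is what a host impersonating
        several peers looks like (raise the limit for proxy-ARP routers).
      * ip-to-mac-changed: an IP already learned from traffic is suddenly
        claimed by a different MAC, the classic poisoning symptom.
      * contradicts-static-entry: the reply disagrees with a binding the
        operator pinned in `trusted` (e.g. the default gateway).
    """
    trusted = dict(trusted or {})
    learned = {}                        # IP -> MAC learned from traffic
    claimed = defaultdict(set)          # MAC -> IPs it has claimed
    findings = []
    for r in replies:
        reasons = []
        expected = trusted.get(r.sender_ip)
        if expected is not None and expected != r.sender_mac:
            reasons.append("contradicts-static-entry")
        previous = learned.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            reasons.append("ip-to-mac-changed")
        if not r.solicited:
            reasons.append("unsolicited")
        claimed[r.sender_mac].add(r.sender_ip)
        if len(claimed[r.sender_mac]) > max_ips_per_mac:
            reasons.append("mac-claims-multiple-ips")
        learned[r.sender_ip] = r.sender_mac
        if reasons:
            findings.append((r.sender_ip, r.sender_mac, tuple(reasons)))
    return findings


# Constructed sample: the gateway and a workstation answer normally, then a
# third MAC starts answering for both of them without being asked.
TRUSTED = {"192.0.2.1": "00:00:5e:00:53:01"}          # pinned gateway binding
BENIGN = [
    ArpReply("192.0.2.1", "00:00:5e:00:53:01", True),
    ArpReply("192.0.2.10", "00:00:5e:00:53:0a", True),
]
POISONING = BENIGN + [
    ArpReply("192.0.2.1", "00:00:5e:00:53:66", False),
    ArpReply("192.0.2.10", "00:00:5e:00:53:66", False),
]

if __name__ == "__main__":
    for ip, mac, reasons in detect_poisoning(POISONING, TRUSTED):
        print(f"ALERT {ip} claimed by {mac}: {', '.join(reasons)}")
```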
Buffer Overflow

In a buffer overflow, the input buffer that is used to hold
program input is overwritten with data that is larger than
the buffer can hold.

• What if a field meant for a 7- to 10-character phone number
instead receives a string of 150 characters?
• It will fill memory, overwriting other portions of the program
• The program can execute a command supplied by the attacker.
• The attacker inherits the level of privilege enjoyed by the
program being exploited.
• Caused by poor programming and programming language weaknesses
53
Injection

When user input is used without input validation, injection
flaws allow attackers to relay malicious code through an
application to another system.

• Enabled because of bad programming
• The application should properly handle input and output
• So many different data types
• HTML, SQL, XML, LDAP, etc.

54
Cross-Site Scripting (XSS)
The cause of XSS is weak user input validation. If input is
not validated properly, an attacker can include a script in
their input that causes unwanted actions in the user’s
browser.

• You log in to Haraj
• Haraj saves a cookie (your session ID)
• An attacker submits an ad on Haraj containing JavaScript
(no validation)
• You visit his ad, and he steals your cookie after the script
is executed by your browser.

• Takes advantage of the trust a user has for a site
55
Cross-site request forgery (CSRF )

This attack causes end users to execute an unwanted action
on a site they are already logged into.

• Cross-site request forgery happens in authenticated sessions
when the server trusts the user/browser

• Cross-site scripting doesn't need an authenticated session
and can be exploited when the vulnerable website doesn't do
the basics of validating or escaping input.

56
Privilege Escalation

Privilege escalation is the result of actions that allow an
adversary to obtain a higher level of permissions on a system
or network.

• Exploit a vulnerability
• Gain higher-level access to a system
(from normal user to admin)
• Higher-level access means more capabilities

57
DNS Poisoning (Spoofing)
An attack that exploits vulnerabilities in the domain
name system (DNS) to divert Internet traffic away
from legitimate servers and towards fake ones.

• Your ISP runs its own DNS servers
• Your router functions as a DNS server
• An attacker pointing google.com to his site

58
Zero Day
An attack that exploits computer application vulnerabilities
that are unknown to others, or even to the software
developer, and are not patched yet.

• Someone is working to find the next big vulnerability
• The good guys share these with the developer

ExamAlert
Effective security policies, training, and mitigating controls are
more effective, even compared to the most aggressive
patch-management strategies, when it comes to zero-day exploits.
59
Hijacking and Related Attacks
Hijacking is a form of attack where the
attacker hijacks a user’s experience,
typically after the exchange of credentials.

• Session Hijacking :
An attacker uses source-routed IP packets to insert
commands into an active communication

Preventing Session Hijacking:
• Encrypt end-to-end
• They can’t capture your session ID if they can’t see it
• Firefox extension: HTTPS Everywhere, Force-TLS
• Personal VPN (OpenVPN, VyprVPN, etc.)

60
Hijacking and Related Attacks

• Clickjacking:
You’re clicking on a button but you’re actually
clicking on something else.

• URL Hijacking (Typosquatting):
URL hijacking is a generic name for a wide range of attacks
that target the URL. If the correct URL is used, you get the
desired content. If the URL is tampered with or altered

● Take advantage of poor spelling
● Sell the badly spelled domain to the actual owner
● Looks like the real site, please login

61
Driver Manipulation

Drivers are code that is not part of the OS and is developed
by firms other than the OS developer.

- Not protected like other parts of the core system.

• Shimming:
Shimming is the process of putting a layer of code between
the device driver and the operating system.

• Windows has its own shim for backwards compatibility

62
WIRELESS ATTACKS

Wireless connects users to networks via a radio signal,
freeing machines from wires.

Wired vs. wireless attacks

• Similar to wired attacks
• Wireless doesn’t change those attacks
• Wireless adds some additional capabilities
• This is a big concern for the security professional
• Much easier to capture the data

63
Replay Attack

Attacks where the attacker simply sends a data element (e.g.
a data packet) which was previously sent by some other user,
in the hope of reproducing the effect.

EXAM TIP
The best method for defending against replay attacks is
through the use of encryption

64
Rogue access points
Access point that has been added to one's network
without one's knowledge.

Evil Twins
Access point that looks and acts just like a legitimate
AP and entices the end-user to connect to our access
point.

• Configured exactly the same way as an existing network
• Same SSID and security settings
• Overpowers the existing access points
• Sends a disassociation frame with the spoofed MAC of the
victim to the access point

65
Jamming
Jamming is a form of denial of service that
specifically targets the radio spectrum aspect of
wireless.

WPS
Wi-Fi Protected Setup (WPS) is a network security
standard that was created to provide users with an
easy method of configuring wireless networks

• Allows “easy” setup of a mobile device
• A passphrase can be complicated for a novice
• A PIN is configured on the access point and must be entered
on the mobile device, or push a button on the access point

66
Bluejacking
Sending of unauthorized messages to another
Bluetooth device

• Typical functional distance is about 10 meters, and
Bluetooth should be enabled

Bluesnarfing
Instead of sending an unsolicited message to the victim’s
phone, the attacker copies off the victim’s information.

• If you know the file, you can download it without authentication
• This weakness was patched

67
RFID
Radio frequency identification (RFID) tags are used in a wide
range of use cases, from tracking devices to keys.

• Active tags have a power source
• Passive tags utilize the RF energy transmitted to them for power
• Access badges
• Pet/Animal identification
• Anything that needs to be tracked

RFID Attacks:
• Data capture
• View communication
• Spoof the reader
• Write your own data to the tag
68
Cryptographic Attacks
The basic intention of an attacker is to break a
cryptosystem and to find the plaintext from the
ciphertext.

• You’ve encrypted data and sent it to another person
• Is it really secure?
• How do you know?

Brute Force
The password-cracking program attempts all
possible password combinations.

69
Dictionary
A password-cracking program that uses a list
of dictionary words to try to guess the
password
• People use common words as passwords
• You can find them in the dictionary
• password, ninja, football, admin
• Many common wordlists available on the ‘net
• Some are customized by language or line of work

Hybrid Attack
Combines the dictionary attack method with a brute force
attack.

70
Rainbow Tables

Cracking passwords that have been hashed. Rainbow tables can
most easily be thought of as a very large set of precomputed
hash values for every possible combination of characters.
• An optimized, pre-built set of hashes
• Doesn’t need to contain every hash
• The calculations have already been done
• Remarkable speed increase

71
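The slide's two points, that the table "doesn't need to contain every hash" and that "the calculations have already been done", follow from how hash chains are stored and walked. The following added example (not part of the original slides) builds a deliberately tiny table over 3-lowercase-letter passwords with SHA-256 standing in for an unsalted password hash, recovers a covered password, and shows that the same table is useless against a salted hash, which is the defender's lesson; the chain parameters and the salt are arbitrary choices for the demonstration.

```python
"""Toy rainbow table: chains, reduction, lookup, and why salting defeats it.

Added example, not part of the original slides. Password space, hash and
chain parameters are constructed for the demonstration.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH          # 17,576 possible passwords
CHAIN_LEN = 50       # hashes covered per stored chain
N_CHAINS = 1200      # 1200 stored endpoints stand in for up to 60,000 hashes


def h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def reduce_to_password(digest: str, step: int) -> str:
    """Map a digest back into the password space. Mixing in `step` is the
    'rainbow' refinement: chains that collide at different positions
    diverge again instead of merging for good."""
    n = (int(digest[:12], 16) + step) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain(start: str, length: int) -> list:
    """Passwords p0..p_{length-1} whose hashes this chain covers:
    p_{k+1} = reduce(h(p_k), k)."""
    passwords = [start]
    for step in range(length - 1):
        passwords.append(reduce_to_password(h(passwords[-1]), step))
    return passwords


def build_table(n_chains: int = N_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Store only end -> [start, ...]; everything in between is recomputed
    on demand. That is the space/time trade-off the slide refers to."""
    table = {}
    for i in range(n_chains):
        start = reduce_to_password(h(f"seed{i}"), 0)   # deterministic starts
        pws = chain(start, chain_len)
        end = reduce_to_password(h(pws[-1]), chain_len - 1)
        table.setdefault(end, []).append(start)
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Return a password whose hash is `target` if some chain covers it."""
    for pos in range(chain_len - 1, -1, -1):        # guess target's position
        pw = reduce_to_password(target, pos)
        for step in range(pos + 1, chain_len):      # run the chain to its end
            pw = reduce_to_password(h(pw), step)
        for start in table.get(pw, ()):             # any chain with that end?
            for cand in chain(start, chain_len):    # walk it to the match
                if h(cand) == target:
                    return cand
            # no match: a false alarm from a merged chain, keep searching
    return None


TABLE = build_table()

if __name__ == "__main__":
    victim = chain(reduce_to_password(h("seed0"), 0), CHAIN_LEN)[7]
    print("unsalted hash:", lookup(TABLE, h(victim)))          # recovered
    print("salted hash:  ", lookup(TABLE, h("x7f9" + victim)))  # None
```

A per-user salt moves each password out of the precomputed space, so the attacker would have to rebuild the whole table per salt, which removes the "calculations have already been done" advantage entirely.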
Known Plaintext/Ciphertext

If an attacker knows any of the plaintext that has been
encrypted and has the resulting encrypted file, with a
flawed encryption algorithm they can use that to break the
rest of the encryption.

72
Downgrade

The attacker takes advantage of a commonly employed
principle to support backward compatibility, to downgrade
the security to a lower or nonexistent state.

• Example :
intercepting web traffic and redirecting
the user from the secure, HTTPS version
of a website to an unencrypted HTTP
version.

73
Time for Testing ourselves and answering
some questions!

74
Part 1. Threats, Attacks
Threat Actor Types

75
THREAT ACTOR TYPES

Script Kiddies
Script kiddies use tools without any real knowledge; they
cannot write sophisticated code and might not even know how
to program.

Often unaware themselves of the potential consequences of
their actions

• Not very sophisticated
• No formal funding
• Looking for low-hanging fruit
• Working the ego, and want to make a name

76
Hacktivists

When hackers work together for a collectivist effort,
typically on behalf of some cause, they are referred to as
hacktivists. Ex: Anonymous

• Hackers with a purpose
• Social change or a political agenda
• Very specific hacks
• DoS, web site defacing, release of private
documents, etc.
• Funding is limited

77
Organized Crime

Groups of professionals who carry out criminal activity in
the internet world, such as fraud, extortion, theft, and
embezzlement.

• Very sophisticated
• Motivated by money
• One person hacks, another sells the data,
another handles customer support
• Funding is not an issue

78
Nation States/APT

Nation state threat actors are government sponsored, although
those ties might not always be acknowledged.
Advanced persistent threats (APT) are often associated with
nation state threat actors (low and slow).

• Highest sophistication
• United States and Israel destroyed 1,000
nuclear centrifuges with the Stuxnet worm.
• Massive resources available

79
Competitors
• Many different motivations
• DoS, espionage, harm reputation
• High level of sophistication
• Shut down your competitor during an
event
• Steal customer lists
• Corrupt manufacturing databases
• Take financial information

80
Threat Actor Attributes

Internal/External:
Internal threat actors have access to the system.
External threat actors have an additional step, the
establishment of access to the system

External: script kiddies, hacktivists, organized crime, and
nation state actors.
Internal threat actors: system administrators or end users.

• Level of Sophistication
• Resources/Funding
• Intent/Motivation

81
Open Source Intelligence (OSINT)

Information available for collection from publicly available
information sources. Attackers use OSINT to discover data
that helps them more easily attack a target.

Organizations use OSINT to defend against such attacks and
also to identify and prioritize potential threat actors.

• Television
• Newspapers and magazines
• Social-networking sites
• Company websites
• Conferences

82
Time for Testing ourselves and answering
some questions!

83
Part 1. Threats, Attacks
Penetration Testing

84
Penetration Testing

A pen test is testing a computer system, network or web
application to find vulnerabilities that an attacker could
exploit. Pen tests are often the most aggressive form of
security testing.

• Similar to vulnerability scanning
• Except we actually try to exploit the vulnerabilities
• Often a compliance mandate.

• Exam Alert:
Pen tests are focused efforts to determine the effectiveness of
the security controls used to protect a system.

85
Passive Reconnaissance

Reconnaissance is considered either passive or active.
Passive techniques are less risky because they do not
require actively engaging with the targeted systems.

• Learn about the target from open sources
• Difficult to protect against or identify
• Corporate web site, online forums, Reddit, social
engineering, dumpster diving

• Tool used for Passive Recon: Tripwire

86
Active Reconnaissance

Active testing involves tools that actually interact with
the network and systems in a manner that their use can be
observed. Active reconnaissance can provide a lot of
information, but may alert defenders to the impending attack.

• Ping scans, port scans
• OS scans, OS fingerprinting
• Service scans, version scans
• Tools used for active recon: nmap, zenmap, nessus

87
Initial Exploitation

A key element of a penetration test is the actual
exploitation of a vulnerability.

Exploiting the vulnerabilities serves two purposes:

1. First, it demonstrates the level of risk that is actually present
2. Second, it demonstrates the viability of the mechanism of
the attack vector

88
The pivot

Pivoting is a key method used by a pen tester or attacker to
move across a network. The first step is the attacker
obtaining a presence on a machine, call it Machine A. The
attacker then, remotely through this machine, examines the
network again, using Machine A’s IP address. This enables
an attacker to see sections of networks that were not
observable from their previous position.

• The foothold point
• Must move his tools to Machine A, and control those tools
remotely from another machine.
• Easy to detect

89
Persistence
Maintaining access over time enables the tester to gain
additional compromising information. Achieving persistence
also involves planting back doors to allow continued remote
access into the systems.

• Set up a backdoor
• Build user accounts, change or verify
default passwords

Escalation of Privilege
The movement from a lower-level account to
an account that enables root-level activity.
Can help to delete logs that could lead to
detection of the attack.

90
Black Box Test
• The pen tester knows nothing about the systems under attack
• “Blind” test
• Doesn't actually test how secure your systems are. It
really only tests how well hidden they are

White Box Test
• The pen tester has knowledge of the inner systems.
• More efficient and cost-effective

Grey Box Test
• A mix of black and white
• Focus on certain systems or applications

91
Time for Testing ourselves and answering
some questions!

92
Part 1. Threats, Attacks
Vulnerability Scanning

93
Vulnerability scanning

The process of examining your systems and network devices
for holes, weaknesses, and issues, and finding them before a
potential attacker does.

• Tools called vulnerability scanners
• Usually not aggressive, unlike a penetration test
• Port scan to see what’s open
• Identify systems and security devices
• Test from the outside and inside
• Vulnerability scanners use signatures

94
Vulnerability Scanning Scan Types

Non-intrusive scans:
• Gather information, don’t try to exploit a
vulnerability

Intrusive Scans:
• You’ll try out the vulnerability to see if it works

Non-credentialed scans
• The scanner can’t log in to the remote device

Credentialed scans
• You’re a normal user; emulates an insider attack.

95
Vulnerability scan results
• Lack of security controls
• No firewall, no anti-virus
• Misconfigurations - Open shares, guest access
• Real vulnerabilities

False positive
• “False alarm”, a result that indicates a given danger
exists when it does not.

False Negative
• “No alarm”, a result which wrongly indicates that a danger
is absent.

96
Vulnerability Types

Race condition
When a device or system attempts to perform two
or more operations at the same time.
• The operations must be done in the proper
sequence

End-of-life vulnerabilities
• Without vendor support, no security patches.
• WannaCrypt ransomware infected hundreds of thousands of computers
• End-of-life systems were wide open

97
Vulnerability Types

Improper input handling
All input should be considered malicious. Check everything.
Trust nobody. SQL injections, buffer overflows, denial of service.

Improper error handling
• Error messages should be just informational enough
• Avoid too much detail

98
Vulnerability Types

Memory Leak
• The application fails to release memory when
no longer needed
• Begins to slowly grow in size
• Eventually uses all available memory and
system crashes

NULL Pointer dereference
• Programming technique that references a portion of memory
• What happens if that reference points to nothing?
• Application crash, debug information displayed, denial of
service, etc.
99
Vulnerability Types

System sprawl/undocumented assets
• Keeping track of every system is a challenge
• Test platforms, active operating systems, production VMs
• Not part of regular security patches
• These become pivot points

Architecture/design weaknesses
• The best security system fails if you don’t have
locks on the doors
• What if firewall is not in the right place?

100
Time for Testing ourselves and answering
some questions!

101
Part 2. Technology and Tools
PERIMETER SECURITY

Small Tip:
Keep in mind that each organization
has different needs and might use
additional tools for perimeter defense

102
Firewall
• A device or application that analyzes packet headers
and enforces policy based on protocol type, source
address, destination address, source port, and/or
destination port. Packets that do not match policy are
rejected

Firewall Rules
• Access control lists (ACLs) Allow or disallow traffic
based on Source IP, Destination IP, port number, time
of day, application.

Implicit deny:
• Most firewalls include a deny at the end of the list, even
if you didn’t put one there.
• Unless you explicitly permit it, traffic cannot pass.

103
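The rule model on this slide (an ordered ACL matched on header fields, with an implicit deny when nothing matches) is small enough to write out. The following added example (not part of the original slides) evaluates constructed packets against a constructed policy and also shows why rule order matters: the same rules in the wrong order shadow the admin's SSH permit.

```python
"""Stateless firewall ACL: ordered rules, first match wins, implicit deny.

Added example, not part of the original slides. Rule syntax, addresses and
packets are constructed for the demonstration; real products differ in
syntax but evaluate rules the same way.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR; "0.0.0.0/0" means any source
    dst: str                 # CIDR
    dport: Optional[int]     # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dport: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A stateless filter looks only at this packet's own header fields."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl, pkt: Packet):
    """Return (action, index of the matching rule). Index None means no
    rule matched and the implicit deny at the end of the list decided."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed policy for a web server at 192.0.2.10: HTTPS from anywhere,
# SSH only from the admin subnet, then an explicit deny for other SSH so
# those attempts hit a rule that can be logged rather than the silent default.
WEB_SERVER = "192.0.2.10/32"
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", WEB_SERVER, 443),
    Rule("permit", "tcp", "198.51.100.0/24", WEB_SERVER, 22),
    Rule("deny", "tcp", "0.0.0.0/0", WEB_SERVER, 22),
]

# Same three rules, wrong order: the broad deny now shadows the admin permit.
SHADOWED_ACL = [ACL[0], ACL[2], ACL[1]]

HTTPS_FROM_INTERNET = Packet("tcp", "203.0.113.9", "192.0.2.10", 443)
SSH_FROM_ADMIN = Packet("tcp", "198.51.100.5", "192.0.2.10", 22)
SSH_FROM_INTERNET = Packet("tcp", "203.0.113.9", "192.0.2.10", 22)
DNS_TO_SERVER = Packet("udp", "203.0.113.9", "192.0.2.10", 53)   # no rule at all

if __name__ == "__main__":
    for pkt in (HTTPS_FROM_INTERNET, SSH_FROM_ADMIN, SSH_FROM_INTERNET, DNS_TO_SERVER):
        print(pkt.proto, pkt.src_ip, "->", pkt.dport, evaluate(ACL, pkt))
    print("shadowed admin SSH:", evaluate(SHADOWED_ACL, SSH_FROM_ADMIN))
```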
104
Stateless firewall
• Access Control List (ACL) firewall
• Does not keep track of traffic flows
• Each packet is individually examined,
regardless of past history
• Faster, and performs better under heavier traffic
loads

Stateful Firewall
• Remembers the “state” of the session
• Watches traffic streams from end to end
• Everything within a valid flow is allowed
• Better at identifying unauthorized and forged
communications

• Question: On which layer does a firewall work?
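The stateless and stateful behaviour described above, as an added Python example that is not part of the slides: an ordered ACL with an implicit deny is evaluated first per packet, then behind a flow table that lets the return traffic of a permitted session through and rejects mid-session packets it has never seen. The addresses and the policy are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a new TCP session

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src_ip: Optional[str] = None  # None means "any"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        fields = ((self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
                  (self.dst_port, pkt.dst_port))
        return all(want is None or want == have for want, have in fields)

def stateless_filter(acl: List[Rule], pkt: Packet) -> str:
    """Judge each packet on its own: top-down, first matching rule wins."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny: nothing explicitly permitted it, so it does not pass

class StatefulFirewall:
    """Same ACL, but sessions it has permitted are remembered in a flow table."""
    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.flows:
            return "permit"  # return traffic of a session the ACL already allowed
        if not pkt.syn:
            return "deny"    # mid-session packet with no known session: forged or stray
        verdict = stateless_filter(self.acl, pkt)
        if verdict == "permit":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict

# Constructed policy: one inside host may reach one web server on 443; nothing else is listed.
ACL = [Rule("permit", src_ip="10.0.0.5", dst_ip="203.0.113.10", dst_port=443)]
```

Note that the stateless filter also denies the server's reply, because no rule lists it; a stateless ACL needs an explicit return-traffic rule, which the stateful flow table makes unnecessary.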

105
VPN Concentrators
• A VPN concentrator is a type of networking
device that is used to allow multiple external
users to access internal network resources
using secure features that are built into the
device (VPN)
• Often integrated into a firewall

Remote access VPN
• On-demand access from a remote device
• Software connects to a VPN concentrator
• Software can be configured as always-on

Site-to-Site VPN
• Always-on, or almost always
• Firewalls often act as VPN concentrators
• Organizations probably already have firewalls in place

106
IPsec (Internet Protocol Security)
• A set of protocols that provides security
for Internet Protocol (layer 3)
• Authentication and encryption for every
packet
• Confidentiality (encryption) and integrity/anti-replay
• Common to use multi-vendor
implementations

IPsec protocols
Authentication Header (AH):
• Hash of the packet and a shared key
using MD5, SHA-1, or SHA-2 (integrity)

Encapsulating Security Payload (ESP):
• Encrypts the packet using 3DES or AES
107
Intrusion Detection System (IDS) and
Intrusion Prevention System (IPS)
A device or application that analyzes whole
packets, both header and payload, looking for
known events.
When a known event is detected, a log message is
generated detailing the event.

• Stop exploits against operating systems,
applications, etc.
• Buffer overflows, cross-site scripting, other
vulnerabilities
• Detection (IDS) - Alarm or alert
• Prevention (IPS) - Stop it before it gets into
the network

108
IDS/IPS Detection technologies

• Signature-based - Look for a perfect match
• Anomaly-based - Build a baseline of what’s
“normal”
• Behavior-based - Observe and report
• Heuristics - Use artificial intelligence to identify
and detect zero-day attacks
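Signature-based and anomaly-based detection side by side, as an added example that is not from the slides, run over a constructed access-log sample: the signatures catch the two requests that match a known pattern but are blind to the login flood, and the baseline catches the flood but not the single probes. The log lines, signatures and baseline counts are all constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed access-log sample, "client_ip method path status" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /about.html 200
10.0.0.5 GET /images/logo.png 200
10.0.0.9 GET /../../etc/passwd 404
10.0.0.7 GET /search?q=<script>test</script> 200
10.0.0.11 GET /index.html 200
""" + "".join(f"10.0.0.66 GET /login?try={i} 401\n" for i in range(40))

# Signature-based: a known pattern must match exactly; anything unknown is invisible to it.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "xss-probe": re.compile(r"<script", re.IGNORECASE),
}

def signature_alerts(log: str) -> List[Tuple[str, str]]:
    """Return (signature name, client ip) for every line that matches a signature."""
    alerts = []
    for line in log.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line.split()[0]))
    return alerts

def anomaly_alerts(log: str, baseline: Dict[str, int],
                   sigmas: float = 3.0) -> List[Tuple[str, int]]:
    """Flag clients whose request count is far above the learned 'normal' baseline."""
    counts = Counter(line.split()[0] for line in log.splitlines())
    values = list(baseline.values())
    # floor the spread at 1 so a perfectly flat baseline does not flag everything
    limit = mean(values) + sigmas * max(pstdev(values), 1.0)
    return [(ip, n) for ip, n in counts.items() if n > limit]

# Constructed baseline, as if learned earlier from normal traffic: requests per client.
BASELINE = {"10.0.0.5": 3, "10.0.0.7": 2, "10.0.0.9": 4, "10.0.0.11": 3}
```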

109
Passive Monitoring
• Examine a copy of the traffic
• Port mirror (The switch sends a copy of all
network packets seen on one port)
• No way to block (prevent) traffic

Out-of-band response
• When malicious traffic is identified, IDS/IPS
sends TCP RST (reset) frames
• After-the-fact

Inline monitoring
• IDS/IPS sits physically inline
• All traffic passes through the IDS/IPS

In-band response
• Malicious traffic is immediately identified
• Dropped at the IPS
• Does not proceed through the network

110
Routers

A router is a networking device that connects
networks together and forwards data packets
between computer networks.
• Layer 3 device
• Routers inside of switches are sometimes called
“layer 3 switches”

SWITCH
A switch is a device in a computer network
that connects other devices together using ports.

• Layer 2 device
• Forwards traffic based on MAC address

111
Port Security
Enables individual switch ports to be configured
to allow only a specified number of source MAC
addresses to come in through the port.
• MAC addresses can be spoofed
• Port security can provide useful network
security functionality.
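A simulation of the port-security behaviour described above, added here and not part of the slides: a port learns up to a configured number of source MAC addresses and drops frames from any other. The port name and MAC addresses are constructed, and shutting the port on a violation until an operator clears it is an assumption about how the switch reacts.

```python
from typing import List, Set

class SecurePort:
    """A switch port that accepts frames from at most `max_macs` source addresses."""
    def __init__(self, name: str, max_macs: int = 1) -> None:
        self.name = name
        self.max_macs = max_macs
        self.allowed: Set[str] = set()   # statically configured or sticky-learned MACs
        self.violations: List[str] = []  # source MACs of frames dropped over the limit
        self.err_disabled = False        # assumed reaction: port shut until cleared

    def allow_static(self, mac: str) -> None:
        """Pre-configure an address instead of learning it from traffic."""
        self.allowed.add(mac.lower())

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False
        if mac in self.allowed:
            return True               # the switch judges by address only, not by the sender
        if len(self.allowed) < self.max_macs:
            self.allowed.add(mac)     # sticky learning of the first address(es) seen
            return True
        self.violations.append(mac)
        self.err_disabled = True      # assumed: shut the port and record the violation
        return False

    def clear(self) -> None:
        """Operator re-enables the port after investigating the violation."""
        self.err_disabled = False
```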

Loop Prevention
• Connect two switches to each other
• They’ll send traffic back and forth forever
• There’s no “counting” mechanism at the MAC
layer
• This is an easy way to bring down a network
• Easy to resolve using Spanning Tree Protocol

112
Proxy
A server or application that sits between the users
and the external network.
• Receives the user requests and sends the
requests on their behalf (the proxy)
• Useful for caching information, access
control, URL filtering, content scanning
• Can be transparent: users will not notice it

Forward Proxy
The destination server thinks the requests are coming from
the proxy (to protect the internal users)
Reverse Proxy
Users think the response is coming directly from the
server (to protect the internal servers)

113
LOAD BALANCER
A load balancer is a device that acts as a reverse
proxy and distributes network or application
traffic across a number of servers

• Distributes the load between multiple servers
• Invisible to the end-user

Round-Robin scheduling
• Sends each new request to the next server
• Requests are sent to the servers in equal shares.

Affinity scheduling
• Designed to keep a host connected to the same
server across a session.
• Web applications can benefit from affinity-based
scheduling.
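Round-robin and affinity scheduling as an added Python example that is not from the slides, including what happens to a pinned session when its server fails (a constructed case: the session is re-pinned to a healthy server via round-robin). Server names are constructed.

```python
from collections import Counter
from typing import Dict, List, Set

class LoadBalancer:
    """Front end for a pool of servers; clients only ever see the balancer's address."""
    def __init__(self, servers: List[str]) -> None:
        self.servers = servers
        self.healthy: Set[str] = set(servers)
        self._next = 0                       # round-robin cursor
        self.sessions: Dict[str, str] = {}   # session id -> pinned server (affinity table)

    def mark_down(self, server: str) -> None:
        """Health check failed: stop sending new work there and forget its pinned sessions."""
        self.healthy.discard(server)
        self.sessions = {sid: s for sid, s in self.sessions.items() if s != server}

    def round_robin(self) -> str:
        """Every new request goes to the next healthy server in turn, so load is shared equally."""
        pool = [s for s in self.servers if s in self.healthy]
        if not pool:
            raise RuntimeError("no healthy servers")
        server = pool[self._next % len(pool)]
        self._next += 1
        return server

    def affinity(self, session_id: str) -> str:
        """Keep a session on the server that already holds its state; re-pin only on failure."""
        server = self.sessions.get(session_id)
        if server is None:
            server = self.round_robin()
            self.sessions[session_id] = server
        return server

def distribution(lb: LoadBalancer, requests: int) -> Counter:
    """How many of `requests` stateless requests each server receives under round-robin."""
    return Counter(lb.round_robin() for _ in range(requests))
```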

114
Active-Passive Load Balancing
First load balancer is actively doing the
balancing while the secondary load balancer
passively observes and is ready to step in at any
time the primary system fails.

Active-Active Load Balancing
All the load balancers are active, sharing the load
balancing duties. Active-active load balancing can
be more efficient.

115
Wireless Access Point (WAP)
Networking hardware device that allows a Wi-Fi
device to connect to a wired network
• A WAP is an OSI layer 2 device

Service Set Identifier (SSID)
• Change the SSID to something not-so-obvious
• Disable SSID broadcasting?

Media Access Control (MAC) filtering
• Limit access through the physical address
• MAC addresses can be spoofed

Signal Strength
• Set it as low as you can. How low is low?
• Requires some additional study
• Location, location, location

116
Wi-Fi Band Selection
• 2.4-GHz band used for older standards
such as 802.11a/b/g is crowded and
subject to interference
• Newer standards such as 802.11n and
802.11ac use the 5-GHz band

Antenna types:
Omnidirectional antennas:
• Included on most access points
• Signal is evenly distributed on all sides
• No ability to focus the signal

Directional antennas:
• Focus the signal
• Increased distances
• Send and receive in a single direction

117