Category: Cybersecurity

Posted on

Network Vulnerability Knowledge

Term Description
Risk Analysis
  • This is a discipline in which analysts evaluate the risk posed by vulnerabilities to a specific organization.
  • A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.
Vulnerability Assessment
  • This test employs software to scan internet facing servers and internal networks for various types of vulnerabilities.
  • These vulnerabilities include unknown infections, weaknesses in web-facing database services, missing software patches, unnecessary listening ports, etc.
  • Tools for vulnerability assessment include the open source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and FireEye Mandiant services.
  • Vulnerability assessment includes, but goes beyond, port scanning.
Penetration Testing
  • This type of test uses authorized simulated attacks to test the strength of network security.
  • Internal personnel with hacker experience, or professional ethical hackers, identify assets that could be targeted by threat actors.
  • A series of exploits is used to test security of those assets.
  • Simulated exploit software tools are frequently used.
  • Penetration testing does not only verify that vulnerabilities exist, it actually exploits those vulnerabilities to determine the potential impact of a successful exploit.
  • An individual penetration test is often known as a pen test.
  • Metasploit is a tool used in penetration testing.
  • CORE Impact offers penetration testing software and services.

Common Vulnerabilities and Exposures (CVE)

cve.mitre.org

https://www.cvedetails.com/cve/CVE-2005-1943/

National Vulnerability Database (NVD)

nvd.NIST.gov

Posted on

Cybersecurity Softwares

  • Windows Defender Firewall – First included with Windows XP, Windows Firewall (now Windows Defender Firewall) uses a profile-based approach to firewall functionality. Access to public networks is assigned the restrictive Public firewall profile. The Private profile is for computers that are isolated from the internet by other security devices, such as a home router with firewall functionality. The Domain profile is the third available profile. It is chosen for connections to a trusted network, such as a business network that is assumed to have an adequate security infrastructure. Windows Firewall has logging functionality and can be centrally managed with customized group security policies from a management server such as System Center 2012 Configuration Manager.
  • iptables – This is an application that allows Linux system administrators to configure network access rules that are part of the Linux kernel Netfilter modules.
  • nftables – The successor to iptables, nftables is a Linux firewall application that uses a simple virtual machine in the Linux kernel. Code is executed within the virtual machine that inspects network packets and implements decision rules regarding packet acceptance and forwarding.
  • TCP Wrappers – This is a rule-based access control and logging system for Linux. Packet filtering is based on IP addresses and network services.

HIDS Examples are Cisco AMP, AlienVault USM, Tripwire, and Open Source HIDS SECurity (OSSEC).

The Spamhaus Project is an example of a free block list service.

Cuckoo Sandbox is a popular free malware analysis system sandbox.

Other online public sandboxes services are VirusTotal, Joe Sandbox, ANY.RUN, and CrowdStrike Falcon Sandbox.

ApateDNS analyze DNS query request from a host.

ProcMonitor, ProcExp64, RegShot catch event on a PC

Examples of popular web proxies are Squid, CCProxy, Apache Traffic Server, and WinGate.

Cisco’s line of NextGen Firewall devices (NGFW) use Firepower Services to consolidate multiple security layers into a single platform

Posted on

Asymmetric Encryption

Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality

Private Key (Encrypt) + Public Key (Decrypt) = Authentication

Hash Operation = Integrity

QuickHash software

Some examples of Certificate Authorities are IdenTrust, DigiCert, Sectigo, GlobalSign, and GoDaddy. These CAs charge for their services. Let’s Encrypt is a non-profit CA that offers certificates free of charge.

 

Posted on

Security Policy

A comprehensive security policy has a number of benefits, including the following:

  • Demonstrates an organization’s commitment to security
  • Sets the rules for expected behavior
  • Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
  • Defines the legal consequences of violations
  • Gives security staff the backing of management

Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

The table lists policies that may be included in a security policy.

Policy Description
Identification and authentication policy Specifies authorized persons that can have access to network resources and identity verification procedures.
Password policies Ensures passwords meet minimum requirements and are changed regularly.
Acceptable Use Policy (AUP) Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated.
Remote access policy Identifies how remote users can access a network and what is accessible via remote connectivity.
Network maintenance policy Specifies network device operating systems and end user application update procedures.
Incident handling procedures Describes how security incidents are handled.

One of the most common security policy components is an AUP.

A BYOD (Bring Your Own Device) security policy should be developed to accomplish the following:

  • Specify the goals of the BYOD program.
  • Identify which employees can bring their own devices.
  • Identify which devices will be supported.
  • Identify the level of access employees are granted when using personal devices.
  • Describe the rights to access and activities permitted to security personnel on the device.
  • Identify which regulations must be adhered to when using employee devices.
  • Identify safeguards to put in place if a device is compromised.

The table lists BYOD security best practices to help mitigate BYOD vulnerabilities.

Best Practice Description
Password protected access Use unique passwords for each device and account.
Manually control wireless connectivity Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
Keep updated Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits.
Back up data Enable backup of the device in case it is lost or stolen.
Enable “Find my Device” Subscribe to a device locator service with remote wipe feature.
Provide antivirus software Provide antivirus software for approved BYOD devices.
Use Mobile Device Management (MDM) software MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.

Access Control Models

The table lists various types of access control methods.

Access Control Models Description
Discretionary access control (DAC)
  • This is the least restrictive model and allows users to control access to their data as owners of that data.
  • DAC may use ACLs or other methods to specify which users or groups of users have access to the information.
Mandatory access control (MAC)
  • This applies the strictest access control and is typically used in military or mission critical applications.
  • It assigns security level labels to information and enables users with access based on their security level clearance.
Role-based access control (RBAC)
  • Access decisions are based on an individual’s roles and responsibilities within the organization.
  • Different roles are assigned security privileges, and individuals are assigned to the RBAC profile for the role.
  • Roles may include different positions, job classifications or groups of job classifications.
  • Also known as a type of non-discretionary access control.
Attribute-based access control (ABAC) ABAC allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day.
Rule-based access control (RBAC)
  • Network security staff specify sets of rules regarding or conditions that are associated with access to data or systems.
  • These rules may specify permitted or denied IP addresses, or certain protocols and other conditions.
  • Also known as Rule Based RBAC.
Time-based access control (TAC) TAC Allows access to network resources based on time and day.
AAA Component Description
Authentication
  • Users and administrators must prove that they are who they say they are.
  • Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.
  • AAA authentication provides a centralized way to control access to the network.
Authorization
  • After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
  • An example is “User ‘student’ can access host server XYZ using SSH only.”
Accounting
  • Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.
  • Accounting keeps track of how network resources are used.
  • An example is “User ‘student’ accessed host server XYZ using SSH for 15 minutes.”

The table lists the differences between the two protocols.

TACACS+ RADIUS
Functionality It separates authentication, authorization, and accounting functions according to the AAA architecture. This allows modularity of the security server implementation. It combines authentication and authorization but separates accounting, which allows less flexibility in implementation than TACACS+
Standard Mostly Cisco supported Open/RFC standard
Transport TCP port 49 UDP ports 1812 and 1813, or 1645 and 1646
Protocol CHAP Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP) Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Confidentiality Encrypts the entire body of the packet but leaves a standard TACACS+ header. Encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted, leaving the username, authorized services, and accounting unprotected.
Customization Provides authorization of router commands on a per-user or per-group basis Has no option to authorize router commands on a per-user or per-group basis
Accounting Limited Extensive
Type of Accounting Information Description
Network Accounting Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.
Connection Accounting Connection accounting captures information about all outbound connections that are made from the AAA client, such as by SSH.
EXEC Accounting EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.
System Accounting System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
Command Accounting Command accounting captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed, and the user who executed it.
Resource Accounting The Cisco implementation of AAA accounting captures “start” and “stop” record support for connections that have passed user authentication. The additional feature of generating “stop” records for connections that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.

The table lists a few important network security organizations.

Organization Description
SANS SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free upon request and include:

  • The Internet Storm Center – the popular internet early warning system
  • NewsBites, the weekly digest of news articles about computer security.
  • @RISK, the weekly digest of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
  • Flash security alerts
  • Reading Room – more than 1,200 award-winning, original research papers.
  • SANS also develops security courses.
Mitre The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.
FIRST Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention and rapid reaction.
SecurityNewsWire A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities.
(ISC)2 International Information Systems Security Certification Consortium (ISC2) provides vendor neutral education products and career services to more than 75,000+ industry professionals in more than 135 countries.
CIS The Center for Internet Security (CIS) is a focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC offers 24×7 cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.

Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report.

Search the internet to locate and download Cisco Cybersecurity Reports from the Cisco website.

You can also subscribe to receive notifications of new blogs by email. Cisco Talos also offers a series of over 80 podcasts that can be played from the internet or downloaded to your device of choice.

Talos maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network.

The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS).

The MITRE Corporation defines unique CVE Identifiers for publicly known information-security vulnerabilities to make it easier to share data.

  • Structured Threat Information Expression (STIX) – This is a set of specifications for exchanging cyber threat information between organizations. The Cyber Observable Expression (CybOX) standard has been incorporated into STIX.
  • Trusted Automated Exchange of Indicator Information (TAXII) – This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
  • CybOX – This is a set of standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations that supports many cybersecurity functions.

The Malware Information Sharing Platform (MISP) is an open source platform for sharing indicators of compromise for newly discovered threats.

Posted on

Evolution of Security Tools

Understanding network security requires you to understand the following terms: threat, vulnerability, attack surface, exploit, and risk. Risk management is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset. Four common ways to manage risk are risk acceptance, risk avoidance, risk reduction, and risk transfer. Hacker is a term used to describe a threat actor. White hat hackers are ethical hackers using their skills for good, ethical, and legal purposes. Grey hat hackers are individuals who commit crimes and do unethical things, but not for personal gain or to cause damage. Black hat hackers are criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Threat actors include script kiddies, vulnerability brokers, hacktivists, cybercriminals, and state-sponsored hackers. Many network attacks can be prevented by sharing information about indicators of compromise (IOC). Many governments are promoting cybersecurity. CISA and NCSA are examples of such organizations.

 

Categories of Tools Description
password crackers Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
wireless hacking tools Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
network scanning and hacking tools Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
packet crafting tools Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
packet sniffers Packet sniffers tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
rootkit detectors A rootkit detector is a directory and file integrity checker used by white hats to detect installed root kits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
fuzzers to search vulnerabilities Fuzzers are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
forensic tools White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Example of tools include Sleuth Kit, Helix, Maltego, and Encase.
debuggers Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
hacking operating systems Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
encryption tools These tools safeguard the contents of an organization’s data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, Open SSH, OpenSSL, OpenVPN, and Stunnel.
vulnerability exploitation tools These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Tool Kit, and Netsparker.
vulnerability scanners These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Securia PSI, Core Impact, Nessus, SAINT, and Open VAS.

Note: There are many tools available on the internet to create ARP MiTM attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others.