3 - Network Security
- 3.1 Compare and contrast risk related concepts.
- 3.2 Compare and contrast common network vulnerabilities and threats.
- 3.3 Given a scenario, implement network hardening techniques.
- 3.4 Compare and contrast physical security controls.
- 3.5 Given a scenario, install and configure a basic firewall.
- 3.6 Explain the purpose of various network access control models.
- 3.7 Summarize basic forensic concepts.
3.1 Compare and contrast risk related concepts
• Disaster recovery
• Business continuity
• Battery backups/UPS
• First responders
• Data breach
• End user awareness and training
• Single point of failure
- Critical nodes
- Critical assets
- Redundancy
• Adherence to standards and policies
• Vulnerability scanning
• Penetration testing
• Business continuity
• Battery backups/UPS
• First responders
• Data breach
• End user awareness and training
• Single point of failure
- Critical nodes
- Critical assets
- Redundancy
• Adherence to standards and policies
• Vulnerability scanning
• Penetration testing
3.2 Compare and contrast common network vulnerabilities and threats
• Attacks/threats:
- DoS: A Denial of Service (DoS) attack is a type of network attack in which an attacker attempts to disrupt or disable devices that provide network services, including:
- Botnet: is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks which can be used to send spam email or participate in DDoS attacks.
- Traffic spike: A preliminary Distributed Denial of Service (DDoS) attack will cause an unexpected traffic spike on your network. One of the hallmarks of a DDoS attack is a major spike in traffic in the network as bots that have been recruited mount the attack. For this reason, any major spike in traffic should be regarded with suspicion. A network intrusion detection system (IDS) can recognize these traffic spikes and may be able to prevent them from growing larger or in some cases prevent the traffic in the first place. Some smaller organizations that cannot afford some of the more pricy intrusion prevention systems (IPSs) or IDSs make use of features present on their load balancers. Many of these products include DDoS mitigation features such as the TCP SYN cookie option. It allows the load balancer to react when the number of SYN requests reaches a certain point. At that point, the device will start dropping requests when the SYN queue is full.
- Coordinated attack: To properly amplify the attack the bots must attack the victim at the same time. The coordination of the bots is orchestrated by the command and control server. If all the bots can be instructed to attack at precisely the same second, the attack becomes much more dangerous to the victim.
- Reflective/amplified: A Reflective DoS attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go and flood the target.
- DNS: DNS amplification attacks involve a new mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier. SNMP and NTP can also be exploited as reflector in an amplification attack.
- NTP: can be exploited as a reflector in an amplification attack. Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. Designed to synchronize the clocks of computers over a network. While NTP reflection attacks use the same process (as DNS) of recruiting bots to aid the attack, the attacks are not reflected off DNS servers; they are instead reflected off Network Time Protocol (NTP) servers. These servers are used to maintain time synchronmization between devices in a network. The attacker (and his bots) sends a small spoofed 8-byte UDP packet to vulnerable NTP servers that requests a large amount of data (megabytes worth of traffic) be sent to the DDoS's target IP address. The attackers use the monlist command, a remote command in older versions of NTP, that sends the requester a list of the last 600 hosts who have connected to that server. This attack can be prevented by using at least NTP version 4.2.7 (which was released in 2010).
- Smurfing: ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected attack, as the flooding hosts send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing hosts to send Echo Reply packets to the victim. Smurfing is a version of a DoS attack that floods its victim with spoofed broadcast ping messages. It basically involves stealing someone else's IP address. The bad guy spoofs the intended victim's IP address and then sends a large number of pings (IP echo requests) to IP broadcast addresses. The receiving router responds by delivering the broadcast to all hosts in the subnet, and all the hosts respond with an IP echo reply--all of them at the same time. On a network with hundreds of hosts, this results in major network gridlock because all the machines are kept busy responding to each echo request. The situation is even worse if the routers have not been configured to keep these types of broadcasts confined to the local subnet (which thankfully they are by default!). Fortunately, Smurf attacks aren't very common anymore because most routers are configured in a way that prevents them from forwarding broadcast packets to other networks. Plus, it's really easy to configure routers and hosts so they won't respond to ping requests directed toward broadcast addresses.
- Friendly/unintentional DoS: A Friendly DOS attack is a situation where a website ends up denied because of a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.
- Physical attack: Physical attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Router, switches, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls. Otherwise, you may be confronted with a permanent DoS.
- Permanent DoS: A Permanent DoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. A perminent DoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image.
- ARP cache poisoning: ARP cache poisoning occurs when an attacker redirects an IP address to the MAC address of a computer that is not the intended recipient. Before the attack can begin, the attacker must gain access to the target network. Once the attacker has gained access to the network, he or she can poison the ARP cache on the target computers by redirecting selected IP addresses to MAC addresses that the attacker chooses. At this point, the attacker could choose to capture and/or alter network traffic before forwarding it to the correct destination, or create a denial of service condition by pointing the selected IP address at a nonexistent MAC address. A common implementation of ARP cache poisoning is to poison the ARP cache of a switch. In this attack, the attacker sends frames with spoofed MAC addresses to the switch so that the switch will repeat traffic between a client and server out the port that the hacker is connected to.
- Packet/protocol abuse: Packet and protocol abuse takes advantage of no built in security; a major problem with TCP/IP protocols.
- Spoofing: An IP spoofing attack is a type of software attack in which an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote device. After an attacker has broken into the system, attained access, and escalated their privileges, it is important for them to maintain their authority on the system so they can access it at a later time. They could put an OS backdoor on the target, but in some cases, the firewall on the victim may not allow outgoing TCP connections. One of the ways in which a hacker can get traffic through a firewall that would typically not be allowed is by concealing one protocol with another, which is a form of tunneling. TCP can be encapsulated into either DNS or ICMP, thereby bypassing the firewall restrictions. An example of this is using a program called Iodine to encapsulate IP traffic in DNS packets.
- Wireless:
- Evil twin: is an attack in which a rogue WAP poses as a legitimate wireless service provider to intercept information users transmit.
- Rogue AP: a rogue access point describes a situation in which a wireless access point has been placed on a network without the administrator's knowledge. The result is that it is possible to remotely access the rogue access point because it likely does not adhere to company security policies. So, all security can be compromised by a cheap wireless router placed on the corporate network.
- War driving: The act of searching for instances of wireless networks using wireless tracking devices such as tablets, mobile phones, or laptops. It locates wireless access points while traveling, which can be exploited to obtain unauthorized Internet access and potentially steal data. This process can be automated using a GPS device and war driving software. Common tools that are used for war driving and war chalking include NetStumbler, Kismet, Aircrack, and Airsnort. "War" is actually an acronym. The “war” in war driving and war chalking stands for wireless access receiver.
- War chalking: The act of using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network which may be offering Internet access. "War" is actually an acronym. The “war” in war driving and war chalking stands for wireless access receiver.
- Bluejacking: Bluejacking is the sending of unsolicited messages (think spam) over the Bluetooth connection. While annoying, it is basically considered harmless. Bluetooth is often used for creating PANs or WPANs, and most Bluetooth devices come with a factor default PIN that you will want to change to more secure values. Bluejacking and bluesnarfing both have to do with exploiting flaws in Bluetooth (device-to-device) communication.
- Bluesnarfing: Bluesnarfing is the gaining of unauthorized access through a Bluetooth connection. This access can be gained through a mobile phone or any other device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access. Bluejacking and bluesnarfing both have to do with exploiting flaws in Bluetooth (device-to-device) communication.
- WPA/WEP/WPS attacks:
--> WPA attacks: After WEP cracking became an issue, the manufacturers of wireless equipment were faced with a problem. The IEEE was working on creating a new security standard (which became known as 802.11i) but were moving at their usual deliberate pace. In the meantime, companies were not deploying wireless networks because of security concerns. The Wi-Fi alliance created a temporary solution called Wi-Fi Portected Access (WPA) that was an improvement on WEP. Soon after WPA was rolled out, it was discovered that it also could be cracked. Cracking WPA required more effort than cracking WEP, and it required what is called a dictionary file (a file of words that could possibly be used as a password). It also required that the passphrase or password be a word in teh dictionary. Finally, it required capturing a large number of wireless frames, and the cracking process took a lot of time. Keep in mind that this type of attack is effective on any password-based system, including Wi-Fi Protected Access 2 (WPA2) when it uses passwords. But the point is that if the hackers had good reason to believe they were capturing valuable data, it could be done. Therefore, WPA is not considered good security unless it is employed as WPA2, which is based in the secure 802.11i architecture.
--> WEP attacks: Wired Equivalent Privacy (WEP) is a security protocol created in the early years of 802.11 development that was designed to both authenticate users and encrypt the wireless data they transmitted. It uses the RC4 algorithm in the encryption process. Soon after its adoption as a security measure, it was discovered that due to a weakness in the way the algorithm was employed, programs that became widely available on the Internet could be used to crack the WEP key. Once the key was known, it could be used to decrypt the data. Because of this, WEP is no longer considered to be a sufficient security mechanism in any situation where the data is sensitive.
--> WPS attacks: Wi-Fi Protected Setup (WPS) is a network security standard that attempts to allow users to easily secure a wireless home network. It works by enabling the user to add a device to the network without typing credentials; all the user needs to do is push the WPS button located on many home WAPs. When this function is enabled, which it is by default on many systems, it is possible for a hacker to perform a brute force attack on the password, and then later the network pre-shared key for WPA or WPA2. Users should disable this feature if the device allows this change.
- Brute force: In a brute force attack, the attacker uses password-cracking software to attempt every possible alphanumeric password combination. Such an attack might be used when it is not possible to take advantage of other weaknesses in the system. When password guessing, this method is very fast when used on short passwords, but for longer passwords it takes much longer. When key guessing, the key length used in the cipher determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. A brute force attack might be used when it is not possible to take advantage of other weaknesses in the system. When password guessing, this method is very fast when used on short passwords, but for longer passwords, it takes much longer.
- Session hijacking: is used when the item used to validate a user's session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party. To use an overly simplistic analogy, imagine that you just finished a long cell phone conversation with a family member and then accidentally left your cell phone in the room while stepping outside. If I were to pick up that phone and press redial, the family member would see the caller ID, know that they had just been talking with you, and falsely assume that you were calling back. If I could imitate your voice, I could rattle off numerous nasty comments that would jeopardize the relationship. This same premise could be true if I could fool another host into thinking it was still talking to your computer rather than mine.
- Social engineering: Social engineering is a form of cracking. It can be used by both outsiders and people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information. It might include trying to get users to send passwords or other information over email, shoulder surfing, or any other method that tricks users into divulging information. Social engineering is an attack that attempts to take advantage of human behavior. Example: An individual calls your help desk and asks you to reset their password, but the individual states that they are unclear about the account username and a particular server name. This is part of an attempt to gain unauthorized access to corporate assets, known as social engineering.
- Man-in-the-middle: A man-in-the-middle attack is a form of eavesdropping in which the attacker makes an independent connection between two victims (two clients or a client and a server) and relays information between the two victims as if they are directly talking to each other over a closed connection, when in reality the attacker is controlling the information that travels between the two victims. During the process, the attacker can view or steal information to use it fraudulently.
- VLAN hopping: is a method where an attacking host on a VLAN gains access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging:
- Effect of malware on the network: malware is a broad, general term for any software which can cause 'bad' things to happen. This software may not be in itself damaging, but may cause poor performance, or affect the workflow of the user through the presentation of ads, or even cause the PC to shut down unexpectedly. The effect of malware from a network perspective is that services offered by affected servers may run slowly, if at all, therefore not only affecting one user but all users connecting to the service.
- Insider threat/malicious employee: Damaging activity on your network can come from both inside and outside the network. Trusted users can go to the dark side with the proper motivation (i.e. perceived slight by the company, jealousy of other employees, monetary reward). The real danger presented by a trusted employee who turns malicious is that the employee is already inside your network and probably knows quite a bit about it. This is the reason for following the principle of least privilege, which prescribes that users be given access only to resources required to do their job.
- Zero-day attacks: A Zero day attack is an attack that exploits a previously unknown vulnerability in an application or operating system. In this situation developers have not had time to address the vulnerability and patch it. It is called a "zero day" because the developer has had zero days to fix the flaw.
- DoS: A Denial of Service (DoS) attack is a type of network attack in which an attacker attempts to disrupt or disable devices that provide network services, including:
- Flooding a network link with data to consume all available bandwidth ("ping flooding": involves flooding the victim with so much ping traffic that normal traffic fails to reach the system. Ping flooding is a basic DoS attack.)
- Sending data designed to exploit known flaws in an application
- Sending multiple service requests to consume a device's resources
- Flooding a user's email inbox with spam messages so genuine messages bounce back to the sender
- Botnet: is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks which can be used to send spam email or participate in DDoS attacks.
- Traffic spike: A preliminary Distributed Denial of Service (DDoS) attack will cause an unexpected traffic spike on your network. One of the hallmarks of a DDoS attack is a major spike in traffic in the network as bots that have been recruited mount the attack. For this reason, any major spike in traffic should be regarded with suspicion. A network intrusion detection system (IDS) can recognize these traffic spikes and may be able to prevent them from growing larger or in some cases prevent the traffic in the first place. Some smaller organizations that cannot afford some of the more pricy intrusion prevention systems (IPSs) or IDSs make use of features present on their load balancers. Many of these products include DDoS mitigation features such as the TCP SYN cookie option. It allows the load balancer to react when the number of SYN requests reaches a certain point. At that point, the device will start dropping requests when the SYN queue is full.
- Coordinated attack: To properly amplify the attack the bots must attack the victim at the same time. The coordination of the bots is orchestrated by the command and control server. If all the bots can be instructed to attack at precisely the same second, the attack becomes much more dangerous to the victim.
- Reflective/amplified: A Reflective DoS attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go and flood the target.
- DNS: DNS amplification attacks involve a new mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier. SNMP and NTP can also be exploited as reflector in an amplification attack.
- NTP: can be exploited as a reflector in an amplification attack. Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. Designed to synchronize the clocks of computers over a network. While NTP reflection attacks use the same process (as DNS) of recruiting bots to aid the attack, the attacks are not reflected off DNS servers; they are instead reflected off Network Time Protocol (NTP) servers. These servers are used to maintain time synchronmization between devices in a network. The attacker (and his bots) sends a small spoofed 8-byte UDP packet to vulnerable NTP servers that requests a large amount of data (megabytes worth of traffic) be sent to the DDoS's target IP address. The attackers use the monlist command, a remote command in older versions of NTP, that sends the requester a list of the last 600 hosts who have connected to that server. This attack can be prevented by using at least NTP version 4.2.7 (which was released in 2010).
- Smurfing: ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected attack, as the flooding hosts send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing hosts to send Echo Reply packets to the victim. Smurfing is a version of a DoS attack that floods its victim with spoofed broadcast ping messages. It basically involves stealing someone else's IP address. The bad guy spoofs the intended victim's IP address and then sends a large number of pings (IP echo requests) to IP broadcast addresses. The receiving router responds by delivering the broadcast to all hosts in the subnet, and all the hosts respond with an IP echo reply--all of them at the same time. On a network with hundreds of hosts, this results in major network gridlock because all the machines are kept busy responding to each echo request. The situation is even worse if the routers have not been configured to keep these types of broadcasts confined to the local subnet (which thankfully they are by default!). Fortunately, Smurf attacks aren't very common anymore because most routers are configured in a way that prevents them from forwarding broadcast packets to other networks. Plus, it's really easy to configure routers and hosts so they won't respond to ping requests directed toward broadcast addresses.
- Friendly/unintentional DoS: A Friendly DOS attack is a situation where a website ends up denied because of a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.
- Physical attack: Physical attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Router, switches, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls. Otherwise, you may be confronted with a permanent DoS.
- Permanent DoS: A Permanent DoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. A perminent DoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image.
- ARP cache poisoning: ARP cache poisoning occurs when an attacker redirects an IP address to the MAC address of a computer that is not the intended recipient. Before the attack can begin, the attacker must gain access to the target network. Once the attacker has gained access to the network, he or she can poison the ARP cache on the target computers by redirecting selected IP addresses to MAC addresses that the attacker chooses. At this point, the attacker could choose to capture and/or alter network traffic before forwarding it to the correct destination, or create a denial of service condition by pointing the selected IP address at a nonexistent MAC address. A common implementation of ARP cache poisoning is to poison the ARP cache of a switch. In this attack, the attacker sends frames with spoofed MAC addresses to the switch so that the switch will repeat traffic between a client and server out the port that the hacker is connected to.
- Packet/protocol abuse: Packet and protocol abuse takes advantage of no built in security; a major problem with TCP/IP protocols.
- Spoofing: An IP spoofing attack is a type of software attack in which an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote device. After an attacker has broken into the system, attained access, and escalated their privileges, it is important for them to maintain their authority on the system so they can access it at a later time. They could put an OS backdoor on the target, but in some cases, the firewall on the victim may not allow outgoing TCP connections. One of the ways in which a hacker can get traffic through a firewall that would typically not be allowed is by concealing one protocol with another, which is a form of tunneling. TCP can be encapsulated into either DNS or ICMP, thereby bypassing the firewall restrictions. An example of this is using a program called Iodine to encapsulate IP traffic in DNS packets.
- Wireless:
- Evil twin: is an attack in which a rogue WAP poses as a legitimate wireless service provider to intercept information users transmit.
- Rogue AP: a rogue access point describes a situation in which a wireless access point has been placed on a network without the administrator's knowledge. The result is that it is possible to remotely access the rogue access point because it likely does not adhere to company security policies. So, all security can be compromised by a cheap wireless router placed on the corporate network.
- War driving: The act of searching for instances of wireless networks using wireless tracking devices such as tablets, mobile phones, or laptops. It locates wireless access points while traveling, which can be exploited to obtain unauthorized Internet access and potentially steal data. This process can be automated using a GPS device and war driving software. Common tools that are used for war driving and war chalking include NetStumbler, Kismet, Aircrack, and Airsnort. "War" is actually an acronym. The “war” in war driving and war chalking stands for wireless access receiver.
- War chalking: The act of using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network which may be offering Internet access. "War" is actually an acronym. The “war” in war driving and war chalking stands for wireless access receiver.
- Bluejacking: Bluejacking is the sending of unsolicited messages (think spam) over the Bluetooth connection. While annoying, it is basically considered harmless. Bluetooth is often used for creating PANs or WPANs, and most Bluetooth devices come with a factor default PIN that you will want to change to more secure values. Bluejacking and bluesnarfing both have to do with exploiting flaws in Bluetooth (device-to-device) communication.
- Bluesnarfing: Bluesnarfing is the gaining of unauthorized access through a Bluetooth connection. This access can be gained through a mobile phone or any other device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access. Bluejacking and bluesnarfing both have to do with exploiting flaws in Bluetooth (device-to-device) communication.
- WPA/WEP/WPS attacks:
--> WPA attacks: After WEP cracking became an issue, the manufacturers of wireless equipment were faced with a problem. The IEEE was working on creating a new security standard (which became known as 802.11i) but were moving at their usual deliberate pace. In the meantime, companies were not deploying wireless networks because of security concerns. The Wi-Fi alliance created a temporary solution called Wi-Fi Portected Access (WPA) that was an improvement on WEP. Soon after WPA was rolled out, it was discovered that it also could be cracked. Cracking WPA required more effort than cracking WEP, and it required what is called a dictionary file (a file of words that could possibly be used as a password). It also required that the passphrase or password be a word in teh dictionary. Finally, it required capturing a large number of wireless frames, and the cracking process took a lot of time. Keep in mind that this type of attack is effective on any password-based system, including Wi-Fi Protected Access 2 (WPA2) when it uses passwords. But the point is that if the hackers had good reason to believe they were capturing valuable data, it could be done. Therefore, WPA is not considered good security unless it is employed as WPA2, which is based in the secure 802.11i architecture.
--> WEP attacks: Wired Equivalent Privacy (WEP) is a security protocol created in the early years of 802.11 development that was designed to both authenticate users and encrypt the wireless data they transmitted. It uses the RC4 algorithm in the encryption process. Soon after its adoption as a security measure, it was discovered that due to a weakness in the way the algorithm was employed, programs that became widely available on the Internet could be used to crack the WEP key. Once the key was known, it could be used to decrypt the data. Because of this, WEP is no longer considered to be a sufficient security mechanism in any situation where the data is sensitive.
--> WPS attacks: Wi-Fi Protected Setup (WPS) is a network security standard that attempts to allow users to easily secure a wireless home network. It works by enabling the user to add a device to the network without typing credentials; all the user needs to do is push the WPS button located on many home WAPs. When this function is enabled, which it is by default on many systems, it is possible for a hacker to perform a brute force attack on the password, and then later the network pre-shared key for WPA or WPA2. Users should disable this feature if the device allows this change.
- Brute force: In a brute force attack, the attacker uses password-cracking software to attempt every possible alphanumeric password combination. Such an attack might be used when it is not possible to take advantage of other weaknesses in the system. When password guessing, this method is very fast when used on short passwords, but for longer passwords it takes much longer. When key guessing, the key length used in the cipher determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. A brute force attack might be used when it is not possible to take advantage of other weaknesses in the system. When password guessing, this method is very fast when used on short passwords, but for longer passwords, it takes much longer.
- Session hijacking: is used when the item used to validate a user's session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party. To use an overly simplistic analogy, imagine that you just finished a long cell phone conversation with a family member and then accidentally left your cell phone in the room while stepping outside. If I were to pick up that phone and press redial, the family member would see the caller ID, know that they had just been talking with you, and falsely assume that you were calling back. If I could imitate your voice, I could rattle off numerous nasty comments that would jeopardize the relationship. This same premise could be true if I could fool another host into thinking it was still talking to your computer rather than mine.
- Social engineering: Social engineering is a form of cracking. It can be used by both outsiders and people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information. It might include trying to get users to send passwords or other information over email, shoulder surfing, or any other method that tricks users into divulging information. Social engineering is an attack that attempts to take advantage of human behavior. Example: An individual calls your help desk and asks you to reset their password, but the individual states that they are unclear about the account username and a particular server name. This is part of an attempt to gain unauthorized access to corporate assets, known as social engineering.
- Man-in-the-middle: A man-in-the-middle attack is a form of eavesdropping in which the attacker makes an independent connection between two victims (two clients or a client and a server) and relays information between the two victims as if they are directly talking to each other over a closed connection, when in reality the attacker is controlling the information that travels between the two victims. During the process, the attacker can view or steal information to use it fraudulently.
- VLAN hopping: is a method where an attacking host on a VLAN gains access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging:
- A switch spoofing attack is where an attacking host imitates a trunking switch by speaking the tagging and trunking protocols used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
- A double tagging attack is where an attacking host connected on a 802.1q interface prepends two VLAN tags to packets that it transmits. The packet is forwarded without the first tag, because it is the native VLAN. The second (false) tag is then visible to the second switch that the packet encounters. This false VLAN tag indicates that the packet is destined for a target host on a second switch. The packet is then sent to the target host as though it originated on the target VLAN bypassing the network mechanisms that logically isolate VLANs from one another.
- Effect of malware on the network: malware is a broad, general term for any software which can cause 'bad' things to happen. This software may not be in itself damaging, but may cause poor performance, or affect the workflow of the user through the presentation of ads, or even cause the PC to shut down unexpectedly. The effect of malware from a network perspective is that services offered by affected servers may run slowly, if at all, therefore not only affecting one user but all users connecting to the service.
- Insider threat/malicious employee: Damaging activity on your network can come from both inside and outside the network. Trusted users can go to the dark side with the proper motivation (i.e. perceived slight by the company, jealousy of other employees, monetary reward). The real danger presented by a trusted employee who turns malicious is that the employee is already inside your network and probably knows quite a bit about it. This is the reason for following the principle of least privilege, which prescribes that users be given access only to resources required to do their job.
- Zero-day attacks: A Zero day attack is an attack that exploits a previously unknown vulnerability in an application or operating system. In this situation developers have not had time to address the vulnerability and patch it. It is called a "zero day" because the developer has had zero days to fix the flaw.
• Vulnerabilities:
- Unnecessary running services:
- Open ports:
- Unpatched/legacy systems:
- Unencrypted channels:
- Clear text credentials:
- Unsecure protocols: Unsecure protocols are ones that expose data and/or credentials in cleartext. This allows the potential for the credentials or data to be viewed and captured by someone else.
- TELNET: Passes authentication and data using cleartext. Because Telnet is an unsecure protocol for terminal emulation, many administrators prefer to use Secure Shell (SSH) instead. Telecommunications Network (Telnet) is a terminal emulation protocol that enables users at one site to simulate a session on a remote host as if the terminal were directly attached. You can connect to any host that is running a Telnet daemon or service. Connection-oriented, Telnet handles its own session negotiations and assists network administrators in remote administration such as connecting to a remote server or to a service such as FTP. However, it is not considered a secure protocol, since it transmits in cleartext.
- HTTP: Is subject to eavesdropping attacks which can let attackers gain access to website accounts and sensitive information.
- SLIP: Passes authentication using cleartext. Serial Line Internet Protocol (SLIP) is a legacy remote access protocol used for sending IP data streams over serial lines such as modem or phone connections and is another unsecure protocol that passes authentication using cleartext.
- FTP: All authentication is done in cleartext and data is cleartext as well.
- TFTP: Trivial File Transfer Protocol is a simple version of FTP that uses UDP as the transport protocol, and does not require a logon to the remote host.
- SNMPv1 and SNMPv2: Authentication is done in cleartext.
- TEMPEST/RF emanation: TEMPEST is a National Security Agency specification and NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and also how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC). Radio frequency emanation is where electronic equipment can emit unintentional radio signals from which eavesdroppers may reconstruct processed data from a remote but nearby location. This allows someone with the proper equipment to use those radio signals to see what is being displayed on a monitor or other display.
- Unnecessary running services:
- Open ports:
- Unpatched/legacy systems:
- Unencrypted channels:
- Clear text credentials:
- Unsecure protocols: Unsecure protocols are ones that expose data and/or credentials in cleartext. This allows the potential for the credentials or data to be viewed and captured by someone else.
- TELNET: Passes authentication and data using cleartext. Because Telnet is an unsecure protocol for terminal emulation, many administrators prefer to use Secure Shell (SSH) instead. Telecommunications Network (Telnet) is a terminal emulation protocol that enables users at one site to simulate a session on a remote host as if the terminal were directly attached. You can connect to any host that is running a Telnet daemon or service. Connection-oriented, Telnet handles its own session negotiations and assists network administrators in remote administration such as connecting to a remote server or to a service such as FTP. However, it is not considered a secure protocol, since it transmits in cleartext.
- HTTP: Is subject to eavesdropping attacks which can let attackers gain access to website accounts and sensitive information.
- SLIP: Passes authentication using cleartext. Serial Line Internet Protocol (SLIP) is a legacy remote access protocol used for sending IP data streams over serial lines such as modem or phone connections and is another unsecure protocol that passes authentication using cleartext.
- FTP: All authentication is done in cleartext and data is cleartext as well.
- TFTP: Trivial File Transfer Protocol is a simple version of FTP that uses UDP as the transport protocol, and does not require a logon to the remote host.
- SNMPv1 and SNMPv2: Authentication is done in cleartext.
- TEMPEST/RF emanation: TEMPEST is a National Security Agency specification and NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and also how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC). Radio frequency emanation is where electronic equipment can emit unintentional radio signals from which eavesdroppers may reconstruct processed data from a remote but nearby location. This allows someone with the proper equipment to use those radio signals to see what is being displayed on a monitor or other display.
3.3 Given a scenario, implement network hardening techniques
• Anti-malware software: Anti-malware software is a category of protective software that scans computers and sometimes networks for known viruses, Trojans, worms, and other malicious programs. Some anti-malware programs attempt to scan for unknown harmful software. It is advisable to install anti-malware software on all computers, and keep it updated according to your organization's patch management policy. In addition to detection, most anti-malware software is capable of logging scan and detection information. These logs should be monitored to make sure that scans are taking place and ensure that infections are reported properly.
- Host-based: Anti-malware can be host-based where the application runs on the host system and only protects that system. That system also needs to downloads its own updates.
- Cloud/server-based: Server-based and cloud-based anti-malware can manage anti-malware applications installed on other hosts and provide the updates to them. In some cases they can also run scans on the other hosts.
- Network-based: Network-based anti-malware scans traffic entering and leaving the network for malware. Used to scan traffic entering and leaving the network for viruses, Trojans, and worms.
• Switch port security:
- DHCP snooping: Can harden the security on the network to allow only clients with specific IP or MAC addresses to have access to the network. It uses information from the DHCP server to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible. DHCP snooping uses information from the DHCP server to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
- ARP inspection: ARP inspection validates Address Resolution Protocol (ARP) packets in a network. ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection before forwarding the packet to the appropriate destination. ARP packets with invalid IP-to-MAC address bindings that fail the inspection are dropped.
- MAC address filtering: MAC address filtering provides a simple method of securing a wireless network. By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network. Typically, an administrator configures a list of client MAC addresses that are allowed to join the network. Those pre-approved clients are granted access if the MAC address is “known” by the access point. A note of caution, though: It is not difficult for someone with a little skill and know-how to change a MAC address, falsely gain authorization by using another computer, and gain access to your network. Although MAC filtering is usually implemented on wireless networks, it can also be used on wired networks.
- VLAN assignments:
- Network segmentation: network segmentation by VLAN assignment increases security because traffic from one VLAN doesn’t interfere with traffic from other VLANs. Therefore, if one VLAN is compromised due to a virus or worm, it can be contained within that VLAN.
• Security policies: A corporate security policy is a formalized statement that defines how security will be implemented and managed within a particular organization. It describes the tasks the organization will undertake to protect the confidentiality, availability, and integrity of sensitive data and resources, including the network infrastructure, physical and electronic data, applications, hardware, computing devices, and the overall physical environment of an organization. It often consists of multiple individual policies that relate to separate security issues, such as password requirements and acceptable use of hardware guidelines.
• Disable unneeded network services: disabling or uninstalling unneeded services and programs on your computer increases its security by decreasing the number of paths or means by which an attacker can carry out an attack.
• Use secure protocols: Secure protocols are ones that do not expose data and/or credentials in cleartext, so they are less likely to allow for the credentials or data to be viewed and captured by someone else.
• Access lists:
- Web/content filtering: Blocks restricted websites or content. This can be accomplished by URL filtering, or inspection of each file or packet. Some firewalls have this functionality built in; in other cases, each request is passed to a filtering server that can approve or deny the request.
- Port filtering: The blocking of individual or ranges of TCP/IP ports is known as port filtering. Often, all ports above 1024 are blocked and then allowed individually as needed for certain services to function. Port security is the process of properly securing ports on a network. The process includes:
- Implicit deny: The principle of implicit deny dictates that when using a firewall, anything that is not explicitly allowed is denied. Users and software should only be allowed to access data and perform actions when permissions are specifically granted to them. No other action is allowed. Most hardware firewalls are configured out of the box with implicit deny in both directions, inbound and outbound. It is then up to the administrator to permit traffic as desired. Most administrators will allow some level of outbound traffic, but will continue to deny inbound traffic that is not already part of an established connection. Most software firewalls on a host are configured to permit all outbound traffic originating from the host, but with an implicit deny disallowing inbound traffic from entering the host. Usually, when an application or service is configured on a host, the host firewall is also automatically configured to permit the traffic by that service.
• Wireless security:
- WEP: Wired Equivalent Privacy is a protocol that provides 64-bit, 128-bit, and 256-bit encryption using the Rivest Cipher 4 (RC4) algorithm for wireless communication that uses the 802.11a and 802.11b protocols.
- WPA/WPA2: Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) have both a Personal and an Enterprise mode for wireless communications security.
- Enterprise:
- Personal:
- TKIP/AES: Temporal Key Integrity Protocol (TKIP) is what provides the encryption for the WPA protocol, and Advanced Encryption Standard (AES) is what provides the encryption for the WPA2 protocol.
- 802.1x: IEEE 802.1x is a standard for securing networks by implementing Extensible Authentication Protocol (EAP) as the authentication protocol over either a wired or wireless Ethernet LAN, rather than the more traditional implementation of EAP over Point-to-Point Protocol (PPP). IEEE 802.1x, often referred to as port authentication, employs an authentication service, such as Remote Authentication Dial-In User Service (RADIUS), to secure clients, removing the need to implement security features in access points (APs), which typically do not have the memory or processing resources to support complex authentication functions.
- TLS/TTLS:
--> Transport Layer Security (TLS) protocol is a security protocol that protects sensitive communication from being eavesdropped and tampered with. Requires that each user be issued a certificate.
--> Tunneled Transport Layer Security (TTLS) is an Extensible Authentication Protocol (EAP) that extends TLS by providing authentication that is as strong as TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates.
- MAC filtering: MAC address filtering provides a simple method of securing a wireless network. By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network.
• User authentication
- CHAP/MSCHAP: CHAP uses a combination of MD5 hashing and a challenge-response mechanism, and authenticates without sending passwords as plaintext over the network. The security of the MD5 hash function is severely compromised. MS-CHAPv2 provides all the functionality of MS-CHAP, and in addition provides security features such as two-way authentication and stronger encryption keys.
- PAP: The Password Authentication Protocol (PAP) is a remote-access authentication method that sends client IDs and passwords as cleartext. It is generally used when a remote client is connecting to a non- Windows PPP server that does not support password encryption. When the server receives a client ID and password, it compares them to its local list of credentials. If a match is found, the server accepts the credentials and allows the remote client to access resources. If no match is found, the connection is terminated.
- EAP: Extensible Authentication Protocol (EAP) is a protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication. EAP categorizes the devices into different EAP types depending on each device's authentication scheme. The EAP method associated with each type enables the device to interact with a system's account database.
- Kerberos: authentication service that is based on a time-sensitive ticket-granting system.
- Multifactor authentication: Multifactor authentication is any authentication scheme that requires validation of at least two of the possible authentication factors. It can be any combination of who you are, what you have, and what you know. Multifactor can be more than two authentication methods.
- Two-factor authentication: Two-factor authentication is an authentication scheme that requires validation of two authentication factors. Requiring a physical ID card along with a secret password is an example of two-factor authentication. A bank ATM card is a common example of this.
- Single sign-on: SSO is a convenience mechanism used in enterprise networks where multiple, unrelated authentication systems exist. SSO is designed to make security easier for users, but this ease of use comes at a potential cost. SSO passwords must be ultra-secure.
• Hashes: The purpose of cryptographic hash functions is to encrypt passwords or other messages so that they can be transmitted securely over potentially non-secure channels. Hashing encryption is one-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted. The result of the hashing process is called a hash, hash value, or message digest. The input data can vary in length, whereas the hash length is fixed. Two types of hashes you will encounter are MD5 and SHA. Each of these hashes is used for data verification. Typically, you will see them used to verify that the data you are downloading has not been tampered with.
- MD5: Message Digest version 5 is an algorithm that creates a 128-bit message digest from the input data. The data input can be a message of any size. The resulting hash digest is unique to the data from which it was created. The MD5 standard, created by Professor Ronald Rivest at MIT, is defined by IETF RFC 1321. The security of the MD5 hash function is severely compromised.
- SHA: Secure Hash Algorithm (SHA) was created by the National Institute of Standards and Technology (NIST) and the NSA. It is used for US government documents and other documents to create a digital signature. SHA-2 and SHA-3 have four variations: SHA-224, SHA-256, SHA-384, and SHA-512.
- Host-based: Anti-malware can be host-based where the application runs on the host system and only protects that system. That system also needs to downloads its own updates.
- Cloud/server-based: Server-based and cloud-based anti-malware can manage anti-malware applications installed on other hosts and provide the updates to them. In some cases they can also run scans on the other hosts.
- Network-based: Network-based anti-malware scans traffic entering and leaving the network for malware. Used to scan traffic entering and leaving the network for viruses, Trojans, and worms.
• Switch port security:
- DHCP snooping: Can harden the security on the network to allow only clients with specific IP or MAC addresses to have access to the network. It uses information from the DHCP server to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible. DHCP snooping uses information from the DHCP server to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
- ARP inspection: ARP inspection validates Address Resolution Protocol (ARP) packets in a network. ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection before forwarding the packet to the appropriate destination. ARP packets with invalid IP-to-MAC address bindings that fail the inspection are dropped.
- MAC address filtering: MAC address filtering provides a simple method of securing a wireless network. By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network. Typically, an administrator configures a list of client MAC addresses that are allowed to join the network. Those pre-approved clients are granted access if the MAC address is “known” by the access point. A note of caution, though: It is not difficult for someone with a little skill and know-how to change a MAC address, falsely gain authorization by using another computer, and gain access to your network. Although MAC filtering is usually implemented on wireless networks, it can also be used on wired networks.
- VLAN assignments:
- Network segmentation: network segmentation by VLAN assignment increases security because traffic from one VLAN doesn’t interfere with traffic from other VLANs. Therefore, if one VLAN is compromised due to a virus or worm, it can be contained within that VLAN.
• Security policies: A corporate security policy is a formalized statement that defines how security will be implemented and managed within a particular organization. It describes the tasks the organization will undertake to protect the confidentiality, availability, and integrity of sensitive data and resources, including the network infrastructure, physical and electronic data, applications, hardware, computing devices, and the overall physical environment of an organization. It often consists of multiple individual policies that relate to separate security issues, such as password requirements and acceptable use of hardware guidelines.
• Disable unneeded network services: disabling or uninstalling unneeded services and programs on your computer increases its security by decreasing the number of paths or means by which an attacker can carry out an attack.
• Use secure protocols: Secure protocols are ones that do not expose data and/or credentials in cleartext, so they are less likely to allow for the credentials or data to be viewed and captured by someone else.
- SSH - Is used for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It was designed as a replacement for Telnet and other insecure remote shell protocols.
- HTTPS - Is used for secure communication over a computer network, with especially wide deployment on the Internet. The main purpose for HTTPS is to prevent wiretapping and man-in-the-middle attacks.
- TLS/SSL - Are used to provide communication security over the Internet. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP).
- SFTP - Is used for secure file access, file transfer, and file management functionalities.
- SNMP (v3) - Is used for managing devices on IP networks. Version 3 added cryptographic security to secure data and user credentials.
- IPSec - Is used for securing IP communications by authenticating and encrypting each IP packet of a communication session.
• Access lists:
- Web/content filtering: Blocks restricted websites or content. This can be accomplished by URL filtering, or inspection of each file or packet. Some firewalls have this functionality built in; in other cases, each request is passed to a filtering server that can approve or deny the request.
- Port filtering: The blocking of individual or ranges of TCP/IP ports is known as port filtering. Often, all ports above 1024 are blocked and then allowed individually as needed for certain services to function. Port security is the process of properly securing ports on a network. The process includes:
- Disabling unnecessary services.
- Closing ports that are by default open or have limited functionality.
- Regularly applying the appropriate security patches.
- Hiding responses from ports that indicate their status and allow access to pre-configured connections only.
- Implicit deny: The principle of implicit deny dictates that when using a firewall, anything that is not explicitly allowed is denied. Users and software should only be allowed to access data and perform actions when permissions are specifically granted to them. No other action is allowed. Most hardware firewalls are configured out of the box with implicit deny in both directions, inbound and outbound. It is then up to the administrator to permit traffic as desired. Most administrators will allow some level of outbound traffic, but will continue to deny inbound traffic that is not already part of an established connection. Most software firewalls on a host are configured to permit all outbound traffic originating from the host, but with an implicit deny disallowing inbound traffic from entering the host. Usually, when an application or service is configured on a host, the host firewall is also automatically configured to permit the traffic by that service.
• Wireless security:
- WEP: Wired Equivalent Privacy is a protocol that provides 64-bit, 128-bit, and 256-bit encryption using the Rivest Cipher 4 (RC4) algorithm for wireless communication that uses the 802.11a and 802.11b protocols.
- WPA/WPA2: Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) have both a Personal and an Enterprise mode for wireless communications security.
- Enterprise:
- Personal:
- TKIP/AES: Temporal Key Integrity Protocol (TKIP) is what provides the encryption for the WPA protocol, and Advanced Encryption Standard (AES) is what provides the encryption for the WPA2 protocol.
- 802.1x: IEEE 802.1x is a standard for securing networks by implementing Extensible Authentication Protocol (EAP) as the authentication protocol over either a wired or wireless Ethernet LAN, rather than the more traditional implementation of EAP over Point-to-Point Protocol (PPP). IEEE 802.1x, often referred to as port authentication, employs an authentication service, such as Remote Authentication Dial-In User Service (RADIUS), to secure clients, removing the need to implement security features in access points (APs), which typically do not have the memory or processing resources to support complex authentication functions.
- TLS/TTLS:
--> Transport Layer Security (TLS) protocol is a security protocol that protects sensitive communication from being eavesdropped and tampered with. Requires that each user be issued a certificate.
--> Tunneled Transport Layer Security (TTLS) is an Extensible Authentication Protocol (EAP) that extends TLS by providing authentication that is as strong as TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates.
- MAC filtering: MAC address filtering provides a simple method of securing a wireless network. By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network.
• User authentication
- CHAP/MSCHAP: CHAP uses a combination of MD5 hashing and a challenge-response mechanism, and authenticates without sending passwords as plaintext over the network. The security of the MD5 hash function is severely compromised. MS-CHAPv2 provides all the functionality of MS-CHAP, and in addition provides security features such as two-way authentication and stronger encryption keys.
- PAP: The Password Authentication Protocol (PAP) is a remote-access authentication method that sends client IDs and passwords as cleartext. It is generally used when a remote client is connecting to a non- Windows PPP server that does not support password encryption. When the server receives a client ID and password, it compares them to its local list of credentials. If a match is found, the server accepts the credentials and allows the remote client to access resources. If no match is found, the connection is terminated.
- EAP: Extensible Authentication Protocol (EAP) is a protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication. EAP categorizes the devices into different EAP types depending on each device's authentication scheme. The EAP method associated with each type enables the device to interact with a system's account database.
- Kerberos: authentication service that is based on a time-sensitive ticket-granting system.
- Multifactor authentication: Multifactor authentication is any authentication scheme that requires validation of at least two of the possible authentication factors. It can be any combination of who you are, what you have, and what you know. Multifactor can be more than two authentication methods.
- Two-factor authentication: Two-factor authentication is an authentication scheme that requires validation of two authentication factors. Requiring a physical ID card along with a secret password is an example of two-factor authentication. A bank ATM card is a common example of this.
- Single sign-on: SSO is a convenience mechanism used in enterprise networks where multiple, unrelated authentication systems exist. SSO is designed to make security easier for users, but this ease of use comes at a potential cost. SSO passwords must be ultra-secure.
• Hashes: The purpose of cryptographic hash functions is to encrypt passwords or other messages so that they can be transmitted securely over potentially non-secure channels. Hashing encryption is one-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted. The result of the hashing process is called a hash, hash value, or message digest. The input data can vary in length, whereas the hash length is fixed. Two types of hashes you will encounter are MD5 and SHA. Each of these hashes is used for data verification. Typically, you will see them used to verify that the data you are downloading has not been tampered with.
- MD5: Message Digest version 5 is an algorithm that creates a 128-bit message digest from the input data. The data input can be a message of any size. The resulting hash digest is unique to the data from which it was created. The MD5 standard, created by Professor Ronald Rivest at MIT, is defined by IETF RFC 1321. The security of the MD5 hash function is severely compromised.
- SHA: Secure Hash Algorithm (SHA) was created by the National Institute of Standards and Technology (NIST) and the NSA. It is used for US government documents and other documents to create a digital signature. SHA-2 and SHA-3 have four variations: SHA-224, SHA-256, SHA-384, and SHA-512.
3.4 Compare and contrast physical security controls
Physical security is extremely important for data centers and server rooms where data is stored and electronic transactions occur. Companies often employ multiple layers of physical security. Door access controls, security guards, proximity readers, keypads, and mantraps all are used to enhance physical security.
• Mantraps: A mantrap is a two sets of interlocking doors inside a small space, where the first set of doors must close before the second set opens. If the the mantrap is manual, a guard locks and unlocks each door in sequence. In this case, an intercom or video camera is typically used to allow the guard to control the trap from a remote location. If the mantrap is automatic, identification or a key or some kind may be required for each door, and sometimes different measures may be required for each door. Metal detectors are often built in, in order to prevent entrance of people carrying weapons. Such use is particularly frequent in banks and jewelry shops.
• Network closets: Network closets house switches, hubs, routers, cables, concentrators, and other networking equipment. Network closets and server rooms provide a place to store your network hardware and your servers. At a minimum, they allow you to organize and remove equipment from open areas where it can be exposed to accidental damage or interference. They also provide an opportunity to secure and limit access to equipment. Physical access controls can be used to limit the users who can enter these rooms. A network closet contains the hubs, switches, and other network components for that floor or building. A server room contains some or all of the servers for an organization. Both rooms should be dry and have adequate electricity available. A server room may also require air-conditioning. Depending on the layout of the building and the requirements of the organization, these two areas can be in the same room or in separate rooms.
• Video monitoring: Video monitoring allows visual confirmation and identification of personnel entering the building. Video monitoring allows you to increase the visual awareness of your organization. On your video monitoring system, you can use traditional closed circuit (CC) analog cameras with a CCTV network. You can also use internet Protocol (IP) cameras, which are digital video cameras that connect to an IP network. IP cameras can be accessed across the network or the Internet. Some IP cameras also include local storage in case the network connection is lost. When the camera is connected to the network again, the data stored locally is downloaded to the video monitoring network. Video monitoring can take two forms:
- IP cameras/CCTVs
• Door access controls: Door access controls provide an electronic and programmable device that people have to interact with in order to gain access to a door. Some of these controls can also limit access based on the time and date. This includes devices such as electronic keypads, card readers, and intercoms.
• Proximity readers/key fob
• Biometrics: A biometric lock is a lock that is activated by biometric features, such as a fingerprint, voice, retina, or signature.
• Keypad/cipher locks: Cipher locks require that a user press buttons in the correct sequence in order to open a door. The buttons may be mechanical and built into the door handle, or they may be in the form of a keypad. A cipher lock may have four or five push buttons, depending on the manufacturer, and the code may be one to five digits. The codes can be changed at any time. Some organizations use keyed locks to maintain physical security, and use cipher locks to control access, limiting unannounced intrusions or unescorted entry to particular areas of a building.
• Security guard
• Mantraps: A mantrap is a two sets of interlocking doors inside a small space, where the first set of doors must close before the second set opens. If the the mantrap is manual, a guard locks and unlocks each door in sequence. In this case, an intercom or video camera is typically used to allow the guard to control the trap from a remote location. If the mantrap is automatic, identification or a key or some kind may be required for each door, and sometimes different measures may be required for each door. Metal detectors are often built in, in order to prevent entrance of people carrying weapons. Such use is particularly frequent in banks and jewelry shops.
• Network closets: Network closets house switches, hubs, routers, cables, concentrators, and other networking equipment. Network closets and server rooms provide a place to store your network hardware and your servers. At a minimum, they allow you to organize and remove equipment from open areas where it can be exposed to accidental damage or interference. They also provide an opportunity to secure and limit access to equipment. Physical access controls can be used to limit the users who can enter these rooms. A network closet contains the hubs, switches, and other network components for that floor or building. A server room contains some or all of the servers for an organization. Both rooms should be dry and have adequate electricity available. A server room may also require air-conditioning. Depending on the layout of the building and the requirements of the organization, these two areas can be in the same room or in separate rooms.
• Video monitoring: Video monitoring allows visual confirmation and identification of personnel entering the building. Video monitoring allows you to increase the visual awareness of your organization. On your video monitoring system, you can use traditional closed circuit (CC) analog cameras with a CCTV network. You can also use internet Protocol (IP) cameras, which are digital video cameras that connect to an IP network. IP cameras can be accessed across the network or the Internet. Some IP cameras also include local storage in case the network connection is lost. When the camera is connected to the network again, the data stored locally is downloaded to the video monitoring network. Video monitoring can take two forms:
- A video intercom that has a camera and a monitor so that users can see who is requesting access. This adds an added level of security when you are visually able to identify the person requesting entry.
- Video surveillance cameras don't restrict access by themselves but they do provide security. They allow you to monitor and document who has gained access to the building or sensitive areas. They can also act as a deterrent to those who want to violate your security.
- IP cameras/CCTVs
• Door access controls: Door access controls provide an electronic and programmable device that people have to interact with in order to gain access to a door. Some of these controls can also limit access based on the time and date. This includes devices such as electronic keypads, card readers, and intercoms.
• Proximity readers/key fob
• Biometrics: A biometric lock is a lock that is activated by biometric features, such as a fingerprint, voice, retina, or signature.
• Keypad/cipher locks: Cipher locks require that a user press buttons in the correct sequence in order to open a door. The buttons may be mechanical and built into the door handle, or they may be in the form of a keypad. A cipher lock may have four or five push buttons, depending on the manufacturer, and the code may be one to five digits. The codes can be changed at any time. Some organizations use keyed locks to maintain physical security, and use cipher locks to control access, limiting unannounced intrusions or unescorted entry to particular areas of a building.
• Security guard
3.5 Given a scenario, install and configure a basic firewall
• Types of firewalls:
- Host-based: A host-based firewall (also known as a personal firewall) is a software program that is installed directly onto a host and that filters incoming and outgoing packets to and from that host.
- Network-based: A network-based firewall is a dedicated hardware/software combination that protects all the computers on a network behind the firewall. A network-based firewall is a dedicated hardware/software combination that protects all the devices on a network by blocking unsolicited traffic. The correct configuration is Internet>Router>Firewall>Switch. This configuration forces all Internet traffic through the firewall.
- Software vs. hardware: Software and hardware firewalls can be used together, where the hardware firewall provides protection for the entire network and the software firewall provides additional protection for individual systems.
--> Software firewalls can be useful for small home offices and businesses, as well as providing extra protection to clients and servers on the internal network. The firewall provides many features that can be configured to suit various computing needs. Some features include:
- Application aware/context aware:
--> Application-aware firewalls provide the same capabilities as traditional firewalls, and they can also enforce security rules on applications, regardless of port or protocol. This allows them to protect against threats that can run over any port, use encryption, or tunnel to evade security.
--> Context-aware firewalls include application-aware capabilities and include the ability to extract the user identity, origin of the access, and the type of device used for the access. It can then permit or deny the access based on these attributes, thus giving you even more ways to protect against threats.
- Small office, home office firewall:
- Stateful vs. stateless inspection:
--> Stateful inspection examines the data within a packet as well as the state of the connection between the internal and external devices.
--> Stateless inspection examines the data within a packet but ignores the state of the connection between the internal and external devices. A stateless firewall performs a stateless inspection by comparing each individual packet to a rule set to see if there is a match, and then if there is a match, acts on that packet (permits or denies) based on the rule. It does not track the lifetime of a connection. It has no memory of whether there was a starting handshake, and cannot detect if an address, port, or protocol has changed in the middle of the conversation. Stateless firewalls can be easily deceived by specially crafted packets.
- UTM: Unified Threat Management (UTM) is a network security solution that is used to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. UTMs provide multiple security functions such as network firewalling, network intrusion prevention, anti-malware, VPN, spam and content filtering, load balancing, data leak prevention and on-appliance reporting. UTMs can be network appliances or a cloud service.
• Settings/techniques:
- ACL: An access control list (ACL) is a set of data (user names, passwords, time and date, IP address, MAC address, etc.) that is used to control access to a resource, such as a device, file, or network. Firewall functionality was initially performed by ACLs, usually on routers. ACLs have good scalability and high-performance, but cannot read past packet headers like some firewalls can. For that reason ACL packet filtering alone does not have the capacity to keep threats out of the network.
- Virtual wire vs. routed:
--> In Routed mode, the firewall is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or RIP (in single context mode). Routed mode supports many interfaces where each is on a different subnet.
--> In Virtual Wire mode, the firewall logically binds two ports together and passes all traffic to the other port without any switching or routing. It is not seen as a router hop to connected devices. Full inspection and control for all traffic is enabled, and no networking protocol configuration is required.
- DMZ: A demilitarized zone (DMZ) is a small section of a private network that is located between two firewalls and made available for public access. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole. The external firewall enables public clients to access the service whereas the internal firewall prevents them from connecting to protected internal hosts. The proper method to set up a demilitarized zone (DMZ) on your network is Internet>Firewall>DMZ>Firewall->Switch. The most secure configuration is to use two firewalls; one between the Internet and the DMZ and the other between the DMZ and the rest of the network. This scenario gives maximum protection to the DMZ and to the internal network.
- Implicit deny: The principle of implicit deny dictates that when using a firewall, anything that is not explicitly allowed is denied. Users and software should only be allowed to access data and perform actions when permissions are specifically granted to them. No other action is allowed. Most hardware firewalls are configured out of the box with implicit deny in both directions, inbound and outbound. It is then up to the administrator to permit traffic as desired. Most administrators will allow some level of outbound traffic, but will continue to deny inbound traffic that is not already part of an established connection. Most software firewalls on a host are configured to permit all outbound traffic originating from the host, but with an implicit deny disallowing inbound traffic from entering the host. Usually, when an application or service is configured on a host, the host firewall is also automatically configured to permit the traffic by that service.
- Block/allow: the most secure way to configure your firewall is to block all traffic; create exceptions as required.
- Outbound traffic:
- Inbound traffic:
- Firewall placement: It is important to consider where firewalls should be placed in your network. Typically, firewalls are placed on the network perimeter where the private LAN connects to the Internet or other public WAN. This is a critical placement because the private-public network edge is still considered particularly vulnerable to intrusions from external sources. Firewalls should also be placed throughout the internal network in key locations. This will help protect against internal threats. To increase protection from internal threats, firewalls can also be placed at internal network perimeters. Examples of these perimeters, or trust boundaries, are between switches and back-end servers, between different departments, and where a wireless LAN connects the wired network. Placing firewalls in multiple network segments also helps organizations comply with the latest corporate and industry governance mandates. Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI-DSS), for example, contain requirements about information security auditing and tracking.
- Internal/external:
- Host-based: A host-based firewall (also known as a personal firewall) is a software program that is installed directly onto a host and that filters incoming and outgoing packets to and from that host.
- Network-based: A network-based firewall is a dedicated hardware/software combination that protects all the computers on a network behind the firewall. A network-based firewall is a dedicated hardware/software combination that protects all the devices on a network by blocking unsolicited traffic. The correct configuration is Internet>Router>Firewall>Switch. This configuration forces all Internet traffic through the firewall.
- Software vs. hardware: Software and hardware firewalls can be used together, where the hardware firewall provides protection for the entire network and the software firewall provides additional protection for individual systems.
--> Software firewalls can be useful for small home offices and businesses, as well as providing extra protection to clients and servers on the internal network. The firewall provides many features that can be configured to suit various computing needs. Some features include:
- Enabling or disabling port security on certain ports.
- Filtering inbound and outbound communication. A user can set up rules or exceptions in the firewall settings to limit access to the web.
- Reporting and logging activity.
- Protecting systems from malware and spyware.
- Blocking pop-up messages.
- Assigning, forwarding, and triggering ports.
- Application aware/context aware:
--> Application-aware firewalls provide the same capabilities as traditional firewalls, and they can also enforce security rules on applications, regardless of port or protocol. This allows them to protect against threats that can run over any port, use encryption, or tunnel to evade security.
--> Context-aware firewalls include application-aware capabilities and include the ability to extract the user identity, origin of the access, and the type of device used for the access. It can then permit or deny the access based on these attributes, thus giving you even more ways to protect against threats.
- Small office, home office firewall:
- Stateful vs. stateless inspection:
--> Stateful inspection examines the data within a packet as well as the state of the connection between the internal and external devices.
--> Stateless inspection examines the data within a packet but ignores the state of the connection between the internal and external devices. A stateless firewall performs a stateless inspection by comparing each individual packet to a rule set to see if there is a match, and then if there is a match, acts on that packet (permits or denies) based on the rule. It does not track the lifetime of a connection. It has no memory of whether there was a starting handshake, and cannot detect if an address, port, or protocol has changed in the middle of the conversation. Stateless firewalls can be easily deceived by specially crafted packets.
- UTM: Unified Threat Management (UTM) is a network security solution that is used to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. UTMs provide multiple security functions such as network firewalling, network intrusion prevention, anti-malware, VPN, spam and content filtering, load balancing, data leak prevention and on-appliance reporting. UTMs can be network appliances or a cloud service.
• Settings/techniques:
- ACL: An access control list (ACL) is a set of data (user names, passwords, time and date, IP address, MAC address, etc.) that is used to control access to a resource, such as a device, file, or network. Firewall functionality was initially performed by ACLs, usually on routers. ACLs have good scalability and high-performance, but cannot read past packet headers like some firewalls can. For that reason ACL packet filtering alone does not have the capacity to keep threats out of the network.
- Virtual wire vs. routed:
--> In Routed mode, the firewall is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or RIP (in single context mode). Routed mode supports many interfaces where each is on a different subnet.
--> In Virtual Wire mode, the firewall logically binds two ports together and passes all traffic to the other port without any switching or routing. It is not seen as a router hop to connected devices. Full inspection and control for all traffic is enabled, and no networking protocol configuration is required.
- DMZ: A demilitarized zone (DMZ) is a small section of a private network that is located between two firewalls and made available for public access. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole. The external firewall enables public clients to access the service whereas the internal firewall prevents them from connecting to protected internal hosts. The proper method to set up a demilitarized zone (DMZ) on your network is Internet>Firewall>DMZ>Firewall->Switch. The most secure configuration is to use two firewalls; one between the Internet and the DMZ and the other between the DMZ and the rest of the network. This scenario gives maximum protection to the DMZ and to the internal network.
- Implicit deny: The principle of implicit deny dictates that when using a firewall, anything that is not explicitly allowed is denied. Users and software should only be allowed to access data and perform actions when permissions are specifically granted to them. No other action is allowed. Most hardware firewalls are configured out of the box with implicit deny in both directions, inbound and outbound. It is then up to the administrator to permit traffic as desired. Most administrators will allow some level of outbound traffic, but will continue to deny inbound traffic that is not already part of an established connection. Most software firewalls on a host are configured to permit all outbound traffic originating from the host, but with an implicit deny disallowing inbound traffic from entering the host. Usually, when an application or service is configured on a host, the host firewall is also automatically configured to permit the traffic by that service.
- Block/allow: the most secure way to configure your firewall is to block all traffic; create exceptions as required.
- Outbound traffic:
- Inbound traffic:
- Firewall placement: It is important to consider where firewalls should be placed in your network. Typically, firewalls are placed on the network perimeter where the private LAN connects to the Internet or other public WAN. This is a critical placement because the private-public network edge is still considered particularly vulnerable to intrusions from external sources. Firewalls should also be placed throughout the internal network in key locations. This will help protect against internal threats. To increase protection from internal threats, firewalls can also be placed at internal network perimeters. Examples of these perimeters, or trust boundaries, are between switches and back-end servers, between different departments, and where a wireless LAN connects the wired network. Placing firewalls in multiple network segments also helps organizations comply with the latest corporate and industry governance mandates. Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI-DSS), for example, contain requirements about information security auditing and tracking.
- Internal/external:
3.6 Explain the purpose of various network access control models
• 802.1x: A standard for securing networks by implementing EAP as the authentication protocol over either a wired or wireless Ethernet LAN, rather than the more traditional implementation of EAP over PPP. Both WPA and WPA2 have a Personal and Enterprise mode. Personal mode uses a preshared key (PSK) that all clients use for encryption. Enterprise mode uses 802.1x authentication and a unique encryption key for every client when they log on to the network.
• Posture assessment: If you conduct a network security assessment by collecting data on security agents such as antivirus and personal firewalls and Windows Registry settings. Sometimes, authorization in Network Access Control (NAC) can be done using a compliance check. This process is called posture assessment. In this process, a network's security is assessed based on the security applications that are running on the network. These might include such things as Windows registry settings or the presence of security agents such as antivirus or a personal firewall.
• Guest network: A guest network is a subset of an organization's network that is designed for temporary use by visitors. Typically, guest networks provide full Internet connectivity while severely restricting access to the internal intranet. This helps keep an organization's internal information private, and helps avoid spreading any malware that visitors may have on their systems.
• Persistent vs. non-persistent agents:
--> A persistent agent is a piece of software that installs on the client device, and can respond continuously to queries from the NAC about the device’s health. It stays on the device until uninstalled.
--> A non-persistent agent, also known as a dissolvable agent, is one that is installed on demand and then removed after it is used. The agent installs, responds to NAC queries to check the health of the device, authenticates the device, and then disappears when the session is over.
• Quarantine network: A quarantine network is a restricted network that provides users with routed access only to certain hosts and applications. Users are denied access to the network and are assigned to a quarantine network when a Network Access Control (NAC) product determines that an end user's device is out-of-date. They are assigned to a network that is routed only to patch and update servers, and not to the rest of the network. They can then update their devices to bring them up to NAC standards and gain access to the network. Another commonly used term for quarantine network is remediation network. These are often implemented using VLAN configurations.
• Edge vs. access control:
--> An edge network is a network located on the periphery of a centralized network. It is the one where an organization's network actually connects to the Internet, or to a provider’s carrier network. It is the least secure of all the organization's networks. It is physically located on the customer’s premises, and is a a link between the provider’s dmarc and the organization's router. Providers too can have an edge network, where they connect to other providers. Most edge devices are routers or firewalls.--> Access control starts at the edge network. A virtual private network (VPN) server, or even a firewall itself, can accept client VPN connections at the edge. These clients and their users have to pass some sort of access control to authenticate, and the client may also have to prove its health before the connection is accepted. If there is no VPN connection, the firewall will still have many access control rules to filter out undesirable or uninvited traffic.
• Posture assessment: If you conduct a network security assessment by collecting data on security agents such as antivirus and personal firewalls and Windows Registry settings. Sometimes, authorization in Network Access Control (NAC) can be done using a compliance check. This process is called posture assessment. In this process, a network's security is assessed based on the security applications that are running on the network. These might include such things as Windows registry settings or the presence of security agents such as antivirus or a personal firewall.
• Guest network: A guest network is a subset of an organization's network that is designed for temporary use by visitors. Typically, guest networks provide full Internet connectivity while severely restricting access to the internal intranet. This helps keep an organization's internal information private, and helps avoid spreading any malware that visitors may have on their systems.
• Persistent vs. non-persistent agents:
--> A persistent agent is a piece of software that installs on the client device, and can respond continuously to queries from the NAC about the device’s health. It stays on the device until uninstalled.
--> A non-persistent agent, also known as a dissolvable agent, is one that is installed on demand and then removed after it is used. The agent installs, responds to NAC queries to check the health of the device, authenticates the device, and then disappears when the session is over.
• Quarantine network: A quarantine network is a restricted network that provides users with routed access only to certain hosts and applications. Users are denied access to the network and are assigned to a quarantine network when a Network Access Control (NAC) product determines that an end user's device is out-of-date. They are assigned to a network that is routed only to patch and update servers, and not to the rest of the network. They can then update their devices to bring them up to NAC standards and gain access to the network. Another commonly used term for quarantine network is remediation network. These are often implemented using VLAN configurations.
• Edge vs. access control:
--> An edge network is a network located on the periphery of a centralized network. It is the one where an organization's network actually connects to the Internet, or to a provider’s carrier network. It is the least secure of all the organization's networks. It is physically located on the customer’s premises, and is a a link between the provider’s dmarc and the organization's router. Providers too can have an edge network, where they connect to other providers. Most edge devices are routers or firewalls.--> Access control starts at the edge network. A virtual private network (VPN) server, or even a firewall itself, can accept client VPN connections at the edge. These clients and their users have to pass some sort of access control to authenticate, and the client may also have to prove its health before the connection is accepted. If there is no VPN connection, the firewall will still have many access control rules to filter out undesirable or uninvited traffic.
3.7 Summarize basic forensic concepts
Basic Forensic Process: Anytime you have an incident that needs to be investigated, you need to have forensic process established to help you perform it properly. Below is a basic forensic process, the second step of which is to secure the area to preserve the scene of the incident.
• First responder: A first responder is the first experienced person or a team of trained professionals that arrive on the scene of an incident. In a non-IT environment, this term can be used to define the first trained person, such as a police officer or firefighter, to respond to an accident, a damage site, or a natural disaster. In the IT world, first responders can include security professionals, human resource personnel, or IT support professionals.
• Secure the area: The main point here is to isolate the system from other users so that the system remains as it was found after the breach. In the event of a situation that requires investigation, try to secure the area as best you can. If it is a physical location such as a room, then close off the area using doors. You can put up signs and send out a notice that the area is off limits until further notice. If it is a digital location then you can try to take it offline if it won't have a negative impact on operations. If it is a single computer or device, then you can put that in a secure location. The main idea is that you want to preserve the area as it is so that you can investigate without other people adding, removing, or altering any evidence that may exist.
- Escalate when necessary: If you have trouble getting the area secured because other people insist they need to be there, escalate the issue to a manager or other senior employee who can help you.
• Document the scene: Once the area is secured, then documentation of the scene can begin. Documentation of the scene begins with the first responder. It is important to start taking notes from the time of arrival at the scene. Include any details on the condition of the scene, and talk to witnesses, if any, and get their statements. Stick to the facts at this stage, and do not include your opinions or thoughts and guesses. You can also take photos and videos to help document the scene.
• eDiscovery: Electronic discovery, also known as eDiscovery, is the electronic aspect of identifying, collecting and producing electronically stored information (ESI) in response to a request in a law suit or investigation. ESI includes, but is not limited to, emails, documents, presentations, databases, voicemail, audio and video files, social media, and web sites. The nature of the incident and the investigation will determine what information will be ESI.
• Evidence/data collection: As you document a scene or perform eDiscovery, you can collect evidence or data. If you are trying to retrieve data that has been erased or damaged, then you may need to consult with a data collection and recovery specialist. They are trained and possess tools that enable them to recover data that is not normally recoverable through standard tools.
• Chain of custody: Regardless of shipping method, you have to use a chain of custody document to preserve the integrity of the handoff to different parties. The proper procedure involved in sending a server’s hard drive out to a third party for further analysis is to have each person involved sign for the drive using a chain of custody document. The idea of chain of custody is borrowed from law enforcement. The premise is to track the evidence from the time it is collected until it is released back to the owner. It will track the chronological handling of the evidence and is a paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
• Data transport: In certain situations you may need to transport data from your organization to another entity. Digital evidence can be altered, damaged, or destroyed due to improper handling. If this occurs the data may be unreadable, inadmissible or lead to an inaccurate conclusion. You will need to transport the data securely by using some sort of encrypted portable drive. You can also obtain devices built specifically for this purpose.
• Forensics report: A forensic report simply and succinctly summarizes the substantive evidence. It typically contains several sections to help the reader understand not only what was found (or not found) by the investigator, but also to detail the steps performed to acquire and analyze the data.
• Legal hold: A legal hold is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. The legal hold is initiated by a notice or communication from legal counsel to an organization that suspends the normal disposition or processing of records, such as backup tape recycling, archived media and other storage and management of documents and information. A legal hold will be issued as a result of current or anticipated litigation, audit, government investigation or other such matter to avoid evidence spoliation. Legal holds can encompass business procedures affecting active data, including, but not limited to, backup tape recycling.
- The process begins with the first responder who is the first experienced person or a team of trained professionals that arrive on the scene of an incident.
- The next step is to secure the area (escalate when necessary) to preserve the scene of the incident.
- Once the area is secured, then documentation of the scene can begin.
- Electronic discovery is perform to identify and collect any electronically stored information.
- Collect any other evidence and data related to the incident.
- Preserve the chain of custody when evidence is collected and until the end of the investigation.
- If data needs to be transported to another entity then follow proper data transport procedures.
- Report your forensic findings.
- If there is litigation then follow legal hold procedures.
• First responder: A first responder is the first experienced person or a team of trained professionals that arrive on the scene of an incident. In a non-IT environment, this term can be used to define the first trained person, such as a police officer or firefighter, to respond to an accident, a damage site, or a natural disaster. In the IT world, first responders can include security professionals, human resource personnel, or IT support professionals.
• Secure the area: The main point here is to isolate the system from other users so that the system remains as it was found after the breach. In the event of a situation that requires investigation, try to secure the area as best you can. If it is a physical location such as a room, then close off the area using doors. You can put up signs and send out a notice that the area is off limits until further notice. If it is a digital location then you can try to take it offline if it won't have a negative impact on operations. If it is a single computer or device, then you can put that in a secure location. The main idea is that you want to preserve the area as it is so that you can investigate without other people adding, removing, or altering any evidence that may exist.
- Escalate when necessary: If you have trouble getting the area secured because other people insist they need to be there, escalate the issue to a manager or other senior employee who can help you.
• Document the scene: Once the area is secured, then documentation of the scene can begin. Documentation of the scene begins with the first responder. It is important to start taking notes from the time of arrival at the scene. Include any details on the condition of the scene, and talk to witnesses, if any, and get their statements. Stick to the facts at this stage, and do not include your opinions or thoughts and guesses. You can also take photos and videos to help document the scene.
• eDiscovery: Electronic discovery, also known as eDiscovery, is the electronic aspect of identifying, collecting and producing electronically stored information (ESI) in response to a request in a law suit or investigation. ESI includes, but is not limited to, emails, documents, presentations, databases, voicemail, audio and video files, social media, and web sites. The nature of the incident and the investigation will determine what information will be ESI.
• Evidence/data collection: As you document a scene or perform eDiscovery, you can collect evidence or data. If you are trying to retrieve data that has been erased or damaged, then you may need to consult with a data collection and recovery specialist. They are trained and possess tools that enable them to recover data that is not normally recoverable through standard tools.
• Chain of custody: Regardless of shipping method, you have to use a chain of custody document to preserve the integrity of the handoff to different parties. The proper procedure involved in sending a server’s hard drive out to a third party for further analysis is to have each person involved sign for the drive using a chain of custody document. The idea of chain of custody is borrowed from law enforcement. The premise is to track the evidence from the time it is collected until it is released back to the owner. It will track the chronological handling of the evidence and is a paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
• Data transport: In certain situations you may need to transport data from your organization to another entity. Digital evidence can be altered, damaged, or destroyed due to improper handling. If this occurs the data may be unreadable, inadmissible or lead to an inaccurate conclusion. You will need to transport the data securely by using some sort of encrypted portable drive. You can also obtain devices built specifically for this purpose.
• Forensics report: A forensic report simply and succinctly summarizes the substantive evidence. It typically contains several sections to help the reader understand not only what was found (or not found) by the investigator, but also to detail the steps performed to acquire and analyze the data.
• Legal hold: A legal hold is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. The legal hold is initiated by a notice or communication from legal counsel to an organization that suspends the normal disposition or processing of records, such as backup tape recycling, archived media and other storage and management of documents and information. A legal hold will be issued as a result of current or anticipated litigation, audit, government investigation or other such matter to avoid evidence spoliation. Legal holds can encompass business procedures affecting active data, including, but not limited to, backup tape recycling.