CompTIA Network+ N10-008 – Network Security Part 3

4. Network Security Attacks (Part 3)

Network security attacks, part three Now, I know I said I was only going to give you two videos on network attacks, but we covered all of the aspects of confidentiality, integrity, and availability, and there were still a couple of more attacks that I wanted to go through. And so this is kind of our miscellaneous section on network attacks. Some other attacks that you should consider include things like insider threats, phishing, ransomware, logic bond DE authentication, and VLAN hopping. We’re going to talk about each of those in this lesson. Insider threats.

An insider threat is an employee or other trusted insider who uses their network access to harm the company. Now, this is a dangerous person, because it’s really hard to find these people. Your systems have already authenticated them because they have a valid username and password. They may have your encryption keys. They know how your systems are set up. These are dangerous people for you because they know how to get into your system, and you have a very hard time detecting them. What’s the best way to catch an insider? Well, it’s by observing.

And so another employee might see somebody doing some weird things, like downloading large quantities of data at weird times of the day. Or it may be somebody who just openly speaks out that they don’t like the company, they hate the company, and they’re going to see the company hurt. These are the types of people you want to keep an eye on, and your network security administrators really have to do a good job of figuring out who they are and monitoring those people’s access. Next, we have a logic bomb. A logic bomb is a specific type of malware that’s tied to either a logical event or a time. This is frequently the case in security.

We talk about this as the disc-running administrator going back to our insider threat, who decides that they’re going to make sure that when they leave the company, the company’s going to pay. A great example of this is found in the movie Jurassic Park. The computer guy had a script running that said if he didn’t write in a certain code every day, then the system would go down. And this guy, obviously in Jurassic Park, gets eaten by a dinosaur, and so he can’t do it, and then the system goes down. That’s a logic bomb, because if this doesn’t happen, then bad things will happen. Conversely, you can have it set up so that, “Hey, on February 29, 2020, this malware is going to launch.” Right. It’s based on a date and time either way. This is what we consider a logic bomb.

Phishing. Phishing is when an attacker sends an email to get a user to click a link. Here’s an example of one that I’ve seen: It came from PayPal. No, it didn’t. It came from an attacker, but it looks legitimate. They’ve got PayPal’s logo. They’ve got some information on there, and then they’ve got this thing that says, “Click to confirm your account information.” How many people do you think will fall for this? You’d be pleasantly surprised. In phishing attempts that we have done as part of penetration tests, we’ve seen response rates as high as 60% or 70% of users clicking those links. Even when you have bad grammar, bad spelling, and mislabeled things, people still click on them. Phishing is a bad thing, and the best thing you can do to help is train your users. Next, we have ransomware.

And this has been running rampant over the last year. Attackers gain control of your files, encrypt them, and then hold them for ransom. The most common way of doing this is by asking for bitcoin. This is a specific type of malware that is really focused on crimeware. They really just want your money, so they’re going to try to hold your files, your photos, and your personal information captive, and they’ll say they’ll give it back to you and give you the encryption key if you go ahead and give them $100 or $500. This is very dangerous, and it’s been causing a lot of problems in the news. What can you do to prevent it? Make sure that you’re not subject to phishing attacks by training your users, because that’s one of the most common infection vectors for ransomware. Also, make sure you have good antivirus and antimalware solutions on your computer, and finally, ensure you have good backups of everything in an offline environment. So the worst-case scenario is that you can rebuild your servers. deauthentication Deauthentication happens when an attacker deauthenticates your victim from the network.

This is very common in wireless hacking attacks. In my wireless hacking class, I teach you how to do a deauthentication attack that kicks the person off the network, and then when they go to reconnect, we can capture that handshake and get their username and password. Again, this is something you want to be careful of, and make sure that if you’re using a wireless network, you’re aware of these types of techniques because they are extremely common.

And finally, VLAN hopping. VLAN hopping is when an attacker physically connects to a different switch port in the office to access a different VLAN. When we talked about VLANs before, we said we might have a VLAN for accounting and one for it. Well, if I take my computer and my laptop off of my accounting network and I walk over to the area that it is in and I plug into their network, I may now be in their VLAN, which means I can start getting data off their systems by manually assigning switch ports and using Knack for authentication. We can prevent this. And you want to make sure you turn your switch ports into what we call “no negotiate” mode and “access” mode. And I have the commands here on the screen. Not that you need to memorise these commands, but just understand the concept of what VLAN hopping is: moving yourself from one VLAN to the other, usually by doing it physically.

5. Protecting the Network

protecting the network. So we spent the last couple of videos talking about all the different types of attacks. What can you do to stop them? Well, in this lesson, we’re going to focus on how we can protect our networks. To successfully defend your network, you have to use a mixture of many different controls. Things like physical controls, user training, patching, vulnerability scanning, honey pots and honey nets, remote access security, good security policies, and conducting incident response When all of this goes wrong, we’ll talk about each of those in these lessons and then focus on security policies and incident response in their own separate lessons. Physical controls are going to reduce your unauthorised access. These are things like cameras, man traps, keypads, lock facilities, barbed wire fences, and all of these types of things. If it’s something that physically keeps somebody out of a room or out of a building, it’s a physical control.

Some ways to authenticate access in the physical control domain are using RFID badges, like the ones you see here on the screen, using biometrics or a key, or a fob using passwords or PIN numbers. All sorts of different authentication methods rely on physical controls. Next, we have user training. Users are one of the greatest vulnerabilities to our network, and every single study that I have read keeps saying that the biggest bang for your buck is conducting good user training to be able to secure your networks. Training should include social engineering awareness, virus transmission dangers, password security, email security, and physical security. We want our users to know how they can help us and be part of the team to keep attackers out of our networks. Next, we have vulnerability scanning, or vulnerability scanners. This is periodically going to allow us to test our network to verify that the security components are behaving as we expect and that they’re detecting any known vulnerabilities. Vulnerability scanners are an application that we use to conduct these tests, and there are some great examples like Nessus, Zen map, and Nap. With a vulnerability scanner, I can scan my network and determine what systems are and are not patched. I can scan the network and figure out which ports are open and which ones are closed, and then that gives me a baseline from which to deviate and start protecting my network even further.

A great example of this is the Zen map. As you can see here on the screen, I can go ahead and type in some website addresses and scan, and it will tell me what ports are open and what path we took to get there. In the example here, we have Insecure.org that was scanned, and you can see that they have SSH open on port 22, they have their SMTP server closed, they have DNS open on port 53, and other things like this. This now tells me what version of these softwares they’re running and how I can begin working to attack them. If I was going to be going after them during a penetration test, Next, we have Nessus, and Nessus is another vulnerability scanner.

Instead of focusing on the network, though, Nessus really is focusing on the host. And it can scan all of my hosts and tell me which ones are patched and which ones aren’t. So, as you can see here, the one with the most red is the least secure host and the one that has the most problems. I would then want to go on that host and start patching it and fixing it with all of the Windows security updates to bring it into compliance. Next, we have Patching, which is a great segue because once we’ve identified the system in Nessus, we need to install a patch. Now, patches are designed to correct a known bug or fix a known vulnerability in a program.

And I’ll tell you, if there’s a patch for something, you can be sure that an attacker has figured out a way to attack it as well. And so you want to implement them as they become available, but you always want to test them first. So you should have them in a lab environment, verify they work, and then roll it out to your production network. Updates are going to add new features to a program, but patches fix broken things. They’re going to fix any known vulnerabilities and bring your system up to a more secure state. Next, we have honey pots and honey nets.

Now, that sounds kind of funny. What are they? Well, they’re systems that we build that serve as an attractive target for an attacker. Wait, I want to have attackers attacking me. Well, maybe sometimes we’ll put a honey pot or a honey net in our network so that if an attacker starts breaking in, they’ll go after that, thinking it’s an easy target and wasting their time. Attackers are going to use their resources to attack my honeypots and leave my real servers alone. At least, that’s the theory. A honeypot is a single machine, and a honey net is a network of multiple honeypots that looks like a bunch of servers or a bunch of clients. Now, malware researchers also put out honey nets, and the reason they do it is to collect the ways attackers are conducting attacks and learn from them. You are unlikely to have a honey pot or a honey net in your network.

Most networks don’t use them. But if you’re in a cybersecurity role, you may have these set up so you can learn more about those attacks. And finally, I have a nice summary slide here, and it’s one of the ones that I recommend putting in your notes. We are talking about remote access security. This is a way for us to control access to our network devices, like routers, switches, servers, and clients, so that we can remotely control and configure them. These are the things that we want to add to provide security so that we can do this remotely and protect them, but not allow attackers in. We can use SSH, which is secure remote access, via a terminal emulator over port 22. We have Radius, which is an open standard for UDP-based authentication.

For network authentication, we have Tackis Plus, which is a Cisco proprietary standard that runs over TCP. Again, for remote network access, we have Kerberos, which is used for authentication between clients and servers in a Windows domain. We also have IEEE 802 One X, which allows or denies wired or wireless clients access to your network.

And this is another way to do network authentication. We have two-factor authentication. We never want to rely on just a username and password, but instead we want to use something—you know, something you have or something you are—because this is going to give us additional security. We also have single sign-on, and this is where you can authenticate on one system and then have access to multiple systems. This is good because, again, users are our biggest failure point. And if they have to remember a different username or password for every single system, chances are they’re going to write them down or they’re going to use the same one anyway. By using single sign-on, it simplifies the process for your user but still gives you good authentication because you can use two-factor authentication for that single sign-on.

6. Security Policies

Security policies. Now, we’ve mentioned a lot of technical controls, but that’s not the only way for you to secure your networks. One of the biggest is having a good security policy. If you don’t have a security policy or if you don’t enforce your policy, it will be a major source of security breaches. If I tell people, “Don’t do this,” but I never stop them from doing it or check that they’ve done it, that’s going to be a big lapse.

Now, your security policies are going to serve multiple purposes. They can protect your assets. They can make employees aware of the obligations that they have. They identify specific security solutions or concerns, and they act as a baseline for ongoing security monitoring and measurements. One of the biggest policies that your organisation needs to have is what’s called an “AUP,” or an acceptable use policy. This is a common component of your corporate security policy. This could state that the employee agrees to be monitored.

It may say that they can’t use it for social media or access personal files. Whatever your acceptable use is at your company, make it known to your employees what they are and are not allowed to do on your systems. Now, when we look at these security policies, they contain a myriad of other complementary policies. Underneath the major security policy, larger organisations are going to have complex and separate policies, whereas smaller organisations may have just a single security policy. In my organization, we have a single-security policy here at Deon Training.

Now, when I’ve worked for larger organizations, we’ve had several dozen or even hundreds of different security policies, all working in tandem underneath the larger governing policy. And this diagram on the screen just shows you three different types of policies that get categorized. Underneath the larger governing policy, there’s the governing policy, the technical policies, the end-user policies, and your standards, guidelines, and procedures.

Now, if you really want to dig in deep and learn a lot about security policy, I recommend you take a look at the CompTIA Advanced Security Professional Certification, because they do a good job of really digging into these policies for the network. Plus, you just need to know the basics. You need to understand that a governing policy is focused on technicians and managers. It’s a high-level document that focuses on the organisation at large. Now, when you get into the technical policies, these are more focused policies. There may be one for passwords, another for email, and yet another for wireless devices or remote access.

You could even implement a “bring your own device” policy. Any of these technical domains will have their own policy associated with them if you’re in a large enough organization. Next, you have your end-user policies—things like the acceptable use policy, the privileging user agreement, onboarding and off boarding procedures, consent to monitoring, nondisclosure agreements, cellular device policies, and many, many others. If the end user has to understand how to do something or what things are allowed to be done, That’s really where the end-user policies are going to be focused. And finally, we have standards, guidelines, and procedures. Standards, guidelines, and procedures are really going to tell you what things are done in the organization. When dealing with standards, we’re going to use AES encryption.

That’s our standard, right? The guidelines may tell us, kind of like the governing policy, how we are going to do things. Now, these aren’t step-by-step instructions. They are just overarching guidelines for you. Now, procedures, on the other hand, are going to be done step by step. And so I might have a procedure that says, “Here’s how you create a new user account, here’s how you change a password, here’s how you get remote access,” those types of things.

Now, one of the policies I want to spend just a little bit of time on is BYOD, or bring your own device. This is becoming extremely popular in organizations, but you have to be careful with it. There are some advantages to bringing your own device, but there are also numerous disadvantages. Some of the benefits include lower costs for the organization. So if I let you bring your laptop in and do your own work on your own laptop, I don’t have to provide you with a laptop. And so that saves me money. But when I let you connect your laptop to my network, I’m now accepting all of the risk because you may not have the latest antivirus, you may not have patched your system, and you may still be running a Windows XP laptop for all I know.

But if I let you bring your own device, I’m taking on all those risks in. Now, bring your own device, which also has other vulnerabilities. If you’re dealing with tablets and smartphones, they have Bluetooth in them. You can be subject to blue jacking, which is sending unauthorised messages over Bluetooth; blue snaring, which is going to provide unauthorised access to wireless through Bluetooth; or blue bugging, which is an unauthorised backdoor that connects Bluetooth back to the attacker. All of these things, when you bring in your own device, are starting to add additional risk to your network. And so I would really caution you to think twice before allowing you to bring your own device. In our organization, we provide a laptop, a tablet, and a phone for each employee to do their work on. We do not want them using their own devices on our network. Next, we have data loss prevention.

Now, DLP is a policy that seeks to minimise accidental or malicious data loss. The policy should apply to the entire network, not just your file server or email server. How is your organisation going to guard its sensitive data? That’s the question you have to ask yourself. Are you going to do it at the client level for the data that’s being processed in an operation? Are you going to do it on the network level? The data that’s being transmitted all over the place, are you going to do it at the spring storage level? In my organization, we use data-at-rest encryption to prevent our data from being subject to confidentiality breaches. We also have a data loss prevention system. So if a large amount of data is being sent off, such as to Dropbox or Google Drive, it will flag and we will be notified. And then we can look into why those employees are sending all of this data outside of our network. In some cases, it’s a very legitimate reason; in others, it isn’t.

For example, if one of my employees is uploading all of the video content from here into one of our video servers or video distribution platforms, which can be gigabytes and gigabytes of information, you guarantee that our data loss prevention is going to flag that and ask, “Why did so and so upload 45GB of video?” Well, because she was uploading a brand new course, and that’s part of her job. That’s okay; we’ll look at that log and clear it. But again, your policy is going to say, “What is the threshold, what is acceptable, and what is not acceptable?” Next, we have the system lifecycle.

When you have a system, you are responsible for it from cradle to grave, from birth to death. It’s going to go through all of these different stages, from conceptual design to preliminary design to detailed design, to installation and production of the network, to operations and support throughout the lifecycle, to phasing out and disposal. 70% of your time is going to be spent in operations and support. It is the largest portion of the life cycle, but when we’re done with it, we have all the waste or all the data. How are we going to get rid of all these hard drives that we have? How are we going to get rid of these old CRT monitors? All of these things are something you need to think about in your policies, and you should have a disposal policy to discuss that. Next, we have licencing restrictions and export controls.

All of your software needs to have the proper licensing, including any virtual machines. So if you’re running a virtual server and you have eight Windows machines on there, you should have eight licences or authorizations from Microsoft, right? Depending on what your licencing agreement is, some items are restricted from being exported to certain regions of the world. And so, depending on what software you have, if you’re using cryptography, for instance, that can become an issue.

There are certain levels of cryptography that are allowed worldwide and certain levels that you can’t export outside the United States or some other countries. If your organisation is operating across borders, you need to check with legal and compliance to ensure you aren’t breaking any laws by sending data back and forth and using certain ports, protocols, or encryption. Lastly, we have incident response. Now, an incident response is what you’re going to do when there’s a security violation. Are you going to call the police? Are you going to handle it at home? Are you going to fire the employee? Are you going to take the machine off the network, wipe it, and then put it back on? What is your plan? Well, that all depends on your incident response plan.

If you plan to work in incident response, I recommend you look into the CompTIA Security+ or CompTIA Cyber Security Analyst certifications. It focuses a lot on incident response. In fact, one of the four domains focuses almost exclusively on incident response because it’s so important to that certification in Network Plus and you just need to know that incident response is the way you handle something that goes wrong. And, if you intend to prosecute a computer crime, you must ensure that the chain of custody is maintained. And remember that there are three things we look for: means, motive, and opportunity. By what means did the person or attacker have the technical skills to perform the attack? The motive: why did they perform the attack? Do they have the time and resources to carry out the attack? So if they had the means, motive, and opportunity, they may have been the attackers who did it. If they don’t have all three, then they may not be the right person. Again, you won’t be dealing with this much in network administration unless you’re assisting cybersecurity analysts, who are responsible for the majority of incident response.