Security fundamentals
Security Layers
Core Security Principles
graph LR; A[Confidenciality]; B[Integrity]; C[Availability]; A --- B; B --- C; C --- A;
- CIA triad (iron triangle):
- Confidenciality: avoid unauthorized users access to information.
- Encryption keys: the unauthorized gets “cypher text” (scrambled data).
- Data and states encryption:
- At Rest (stored).
- In transit (protocol in communication).
- User (application, hence the authorized software list).
- Access control to computer (log in). Principle of least prviledge.
- Integrity: data has not been modified.
- Access control: write permissions.
- Version control: recover different versions.
- Hash functions: no information is modified on transit.
- Availability: servers “are alive”.
- Redundancy.
- Fault tolerance: back-up.
- Confidenciality: avoid unauthorized users access to information.
Threats vulnerabilities and and exploits
- Threats: event with potential for adverse effect (virus, phishing, DDoS).
- Threat actors: individuals who pose a threat.
- Script kiddies: no skills.
- Malicious insiders: employees or contractors.
- Hacktivist: perceived idiologist.
- State sponsored: funded by governments (APT: Advance Persistent threats).
- Cyberterrorist: Proliferate fear and discord.
- Threat actors: individuals who pose a threat.
- Vulnerabilities: weakness which allows threat to materialize.
- Passwords: weak passwords are prone to attacks.
- Legacy systems: lack of support and patching.
- Default or weak configurations: easily discoverable.
- Unpatched systems: missing security updates.
- Unsecure protocols: unauthorized data access.
- Exploits: technique or tool used againts weaknesses.
- Social engineering: soliciting information from authorized user.
- Malware: gain access through unathorized software.
- “Man in the middle” or “on path attack”: eavesdropping or unathorized access.
- Password attacks: gain access to password protected systems.
- Zero-day: recently discovered vulnerability, “and nobody knows about it”, plus lifecycle path takes time.
Risks and impact
- Concepts:
- Risk: probability of a loss, damage, compromise or exposure of system (not always malicious, it can be accidental).
- Breach: unauthorized access (violating security policy).
- Impact: Extent of a risk if it materializes.
- Risk: probability of a loss, damage, compromise or exposure of system (not always malicious, it can be accidental).
- Risk management: risk matrix to meassure impact (likelihood vs severity). Priority on mitigation.
- NIST: guidance with risk management framework.
- Prepare (define essential activities).
- Categorize (what we have?).
- Select (select set of controls).
- Implement (implementation and documentation of controls).
- Assess (do these controls work for us?).
- Authorize (someone in charge).
- Monitor (monitor the controls, in order to evolve.
- NIST: guidance with risk management framework.
Security by design, not by an afterthought.
Physical security
- Outside the building:
- Fencing: guards (someone who can react), CCTV (Close Caption TV + cameras), lights, locks, barrciades, ballards.
- Architecture reinforcements.
- Startegic positioning of trees.
- Inside:
- Access Control recepcionist
- Cameras (and motion sensors).
- Architecture: doors swinging inside (takes longer to get out), furniture positioning, secure access (“demarcation point”: work through 2 doors, man trap).
- Key readers or biometrics.
- Physical safe (keep abalog info, hard drive with ROOT_CA).
- Fire, water, carbon monoxide detectors: protect the human assets.
- Datacenters:
- Fire supression system.
- Heating, ventilaction, AC.
- Cage lock on racks.
- Physical intrusion detection lock on computer workstations and servers.
- Kensington locks on laptops (password-managed locks).
- Privacy screen filters: keep people from shoulder-surfing.
Browser security
- Change settings on chromium: Privacy, Search, Services
- Tracking protection (best intention… keep it balanced, or websites may stop to work).
- Reputation data.
- Exception to the rules (e.g. old government websites).
- Clear browser data (clean the cookies!).
- Privacy: “do not tracking” (expect best intention from website).
- Security:
- Manage certificates.
- Website typo protection (protects againts “typo squatting”).
- Secure DNS: usually default by OS.
- Site premissions restrictions!
- Tracking protection (best intention… keep it balanced, or websites may stop to work).
Wireless security
- Access Point:
- Change default configurations:
- Change and hide SSID (identifier).
- Protocols:
- WEP: weakest, avoid.
- WPA: weak, avoid.
- WPA2: strong.
- WPA3: strongest.
- WPS: it had best intentions, bad outcome, avoid.
- Update firmware.
- Consider using allowlists for critical systems.
- Consider activating HTTPS.
- Avoid remote management access (your Internet provider may not allow you to do it).
- Change default configurations:
- Authentication server (RADIUS, enterprise level).
- MAC filterting (enterprise level).
Social engineering
Get personal identifying information using deception tactics.
- Low hanging fruit: people without proper training.
- Phishing: threat actors:
- spam: unsolicited emails.
- phishing: fraudulent emails (not targeted).
- spear phishing: fraudulent emails (targeted).
- whaling: fraudulent emails (high-profile employees).
- Baiting: playing on your necessity (e.g. “usually” too good to be true”,”found a thumbdrive”).
- Tailgating: someone enters right behind you (not intended).
- Piggibacking: someone enters right behind you, and you are letting them in (there is an accomplince).
- Pre-texting: use emotional strings with a story made ahead of time.
- Shoulder-surfing: looking the screen standing behind the people typing.
OS
AAA: Authentication, Authorization, Accounting.
User Authentication
Proving you are who you say you are.
- Identity and Access management: credentials + challenge (authentication factors, multifactor authentication).
- Decentralized (example:
C:\Windows\system32\configcontains the database registry onSAMfile, small workgroups). - Centralized (Single Sign-On, Domain environments like Windows Active Directory, on an authority known as Authentication server).
- Decentralized (example:
- Authentication protocols:
- NTLM: Windows authentication protocol.
- Kerberos: a centralized time sensitive authentication protocol (Open, MIT, on Windows Active Directory).
- RADIUS: industry standard for authenticating and authorizing remote users (Open).
- EAP: authentication framework used commonly on wireless network.
Password Policies
Strings of characters stored in database.
- Password attacks:
- Dictionary attack: using a word list.
- Brute-force: trying every possible combination (more characters = stronger passwords).
- Rainbow tables: using database of password hashes (most usual passwords, like “123456”).
- Phishing: email attack using deception.
- Password policy: fine line between security and usability.
- Complexity: use all character sets.
- Length: minimum ammount of characters.
- Maximum age: maximum duration of a password.
- History: unique passwords required before password reuse.
- Account lockout: with time limit, or with administrator contact (
secpol.mscin Windows).
Authorization
Once you are authenticated: whar your priviledges over certain resources?
- Permissions: ACL (Access Control List). They are inherited directory-wise, and can be splitted between local and network permissions (shared permissions).
- Security principle: review the effective permissions.
- System: full control.
- Administrator: full control.
- Users: read and write.
- User01: read only.
- Unix permissions:
- Read (
r). - Write (
w). - Execute (
x).
- Read (
Accounting
What did you do.
Audit Policies
Track events:
- User activities:
- Login activities.
- Accessed resources.
- Priviledged access.
- Policy changes.
- System activities:
- File access.
- Priviledged access.
- Policy changes.
- Service and dependency changes.
Encryption
graph LR; A[fa:fa-file Clear text]; B[fa:fa-lock Cypher text]; C[fa:fa-file Clear text]; A -- encryption --> B B -- decryption --> C
Encryption: cryptographic operation which applies transformation based on keys:
- Types:
- Symmetrical key.
- 🔑 Single key: same key encrypts and decrypts.
- Faster.
- Key exchange concerns.
- Asymmetrical key:
- 🔑 Public key encrypts.
- 🔑 Private key decrypts.
- Slowers.
- Symmetrical key.
- Places where it happens:
- Software (OS bitlocker).
- Hardware: dedicated devices.
Certificates
Certificates: file for validating public keys (handled in HTTPS).
- Utility:
- Validation (integrity).
- Public keys (communication).
- Identification (validate source: users, computers, network devices, software which validates via hash).
- Types:
- DER: base 64 encoded (human readable, export only public).
- PKCS: PKCS#7 (export only public), PKCS#12 (export public+private, like a spare key).
Certificate authorities: issues the certificates, handle validation (not expired, not revoked).
- Multi-tier structure:
- ROOTCA: top of trust.
- Subordinate CAs: endorsed by the root (secondary).
- Types:
- Public:
- Trusted on Internet.
- Available to buy.
- Provide PKI.
- Private:
- Not publicly trusted.
- Internal use.
- Requires infrastructure.
- Public:
Malware
Umbrella term for malicious software.
- Types:
- Virus:
- Rogue process which corrupts information.
- Replicates itself.
- Requires user interaction.
- Worm:
- Replicates itself big time.
- Crawls through network.
- Hinder performance.
- Does not require user interaction.
- Ransomware:
- Requires user interaction.
- Encrypts your information, threat actor asks ransom for providing you the private key for recovery.
- Botnet:
- Set of remote controlled computers: zombie computers.
- C2: Command and control
- Coordinated attack.
- Rootkit:
- Infects boot level (Root user UNIX, or Boot-kit on Windows, most priviledge on hardware level, before OS is loaded).
- Buffer overflow:
- Memory location gets loaded until it makes information spill out to portions not checked.
- Hinder performance.
- Run random code.
- Torjan horse:
- Masquearades as benign file.
- Carrier for other malicious attacks.
- Backdoor:
- May be for administrative purposes (e.g. technician handles process).
- May be used to exploit the system.
- Spyware:
- Collect information and sends it to 3rd party.
- Adware:
- Pop-ups on Internet.
- Adblockers help with this.
- Scareware: subtype of adware: “You are infected” mesage.
- Zero-day: vulnerability exploitable, that no one knows about it 😭.
- Virus:
Network
Firewalls
Security piece of software, or hardware device (dedicated resources), which acts as barrier between public and private networks. They screen thre traffic “making decisions” (stateless, or more complex with states).
graph LR; A[fa:fa-laptop Laptop]; C[fa:fa-laptop Laptop]; subgraph Firewall B[fa:fa-fire Firewall device] D[fa:fa-file File] E[fa:fa-certificate Certificate] end; A -- inboud traffic --> B; B -- inboud traffic --> C; B -- inspection --> D; D -- checks ACL --> E; E -- apply action --> B; E -- default implicit deny --> B;
❗ Check inbound and outbound traffic!
Network Isolation
graph TD; A((fa:fa-route router)); subgraph BroadcastDomain_A B[fa:fa-toggle-on switch] D[fa:fa-network-wired VLAN] E[fa:fa-network-wired VLAN] end; subgraph BroadcastDomain_B C[fa:fa-toggle-on switch] F[fa:fa-network-wired VLAN] G[fa:fa-network-wired VLAN] end; A --> B; A --> C; B --> D; B --> E; C --> F; C --> G;
Communication types:
- Unit cast: one to one.
- Broadcast: one to all.
- Multicast: one to a group (pay-per-view).
Routers do not pass broadcast communications between networks: it generates subnets (different solutions may be applied on each one).
- Broadcast domain: group of computers “within earshot” of broadcast domain.
- Switch: device that acts as barrier.
- VLAN: logical separation of computers within switch.
- Switch: device that acts as barrier.
- NAT (Network Address Translation):
- Internet: internal IP addresses can not be routed on the Internet by themselves.
- Broadcast domain: group of computers “within earshot” of broadcast domain.
graph TD; A((fa:fa-route router)); G[fa:fa-cloud Internet] subgraph BroadcastDomain B[fa:fa-toggle-on switch] C[fa:fa-network-wired VLAN] D[fa:fa-network-wired VLAN] end; subgraph Perimeter network E[fa:fa-server server published] F[fa:fa-server honeypot] end; A --> B; B --> C; B --> D; E -- firewalled --> A; G -- firewalled --> F; G -- firewalled --> E;
- Perimeter network (edge network, screened subnet (for remediations, until it complies with policy), DMZ).
- Honeypots (decoys).
- Isolation (domain, server).
- VPN (goes through internel with tunneled encryption, so it gets some internal network priviledges).
graph TD; A[fa:fa-cloud Internet] B(fa:fa-phone ISP carrier) E[fa:fa-phone ISP carrier]; subgraph Company_A C((fa:fa-route router)) D[fa:fa-computerComputer] end; subgraph Company_B F((fa:fa-route router)) G[fa:fa-computer Computer] end; A --> B; B --> C; C --> D; A --> E; E --> F; F --> G; C -. VPN tunneled encryption .- F;
Secure Protocols
Network protocol components:
- Rules (e.g. best effort).
- Syntax.
- Synchronization.
- Error recovery.
Web protocols:
- HTTP (port 80, insecure).
- HTTPS (port 443, secure).
Remote access control:
- Telnet (port 23, insecure).
- SSH (port 22, secure).
- RDP (port 3389, secure, windows devices).
File transfer:
- FTP (port 21, insecure, usually handled through tunnels).
- SFTP (port 22, secure).
IPSec
Authenticate data origin: protocols can be combined, they are implemented with IPSec policies.
- Authentication Header (AH): autheticate computers between each other, no encryption.
- Encapsulating Security Payload (ASP): encrypt communications (confidentiality).
Modes:
- Transport (IP packet encrypted).
- Tunnel (entire packet encrypted, included payload, used in VPNs).
Security associations: 2 for each computer:
- Define parameters, encryption types.
- Set up encrypted security communication, that’s where we transfer communications over.
Package going through tunnel has several fields (track communications):
- ID: identifier security association.
- Sequence: number, when the information is sent through the tunnel, it can be reconstructed on destination.
- Encrypted data.
- Checksum: hash, to verify integrity.
Software
Client side
- Implement authentication.
- Authorization: principle of least priviledge.
- User account control: elevated access only when it is required.
- Use authorized software, with proper certificates.
- Have network security (antivirus, firewall with implict deny).
- OS should be updated, with proper encryption.
Email protection
Threat:
- Spam (unsolicited emails).
- Phishing (malicious emails).
- Pharming (fraudulent redirect, to grab credentials).
- Spoofing (malicious emails appearing legitimate).
Email server verification:
- SPF (specify IP addresses of email server for domain).
- DKIM (email authentication mecanism: the email itself came from the authorized source).
- DMARC (indicates if SPF and DKIM are implemented).
Protect devices mitigation techniques:
- Email server:
- Anti-malware software.
- Basic hardening.
- Firewall.
- Spam filters (deny list, having SPF-DKIM-DMARC, content).
- Email client:
- Anti-malware software.
- Antispam.
- Firewall.
- Disable macros.
- Attachments (scan).
- Email server:
Server-side protection
Techniques:
- Access Control (authorized users only).
- Steer way from defaults (weak or easily discoverable).
- Principle of least priviledge (limit root or administrative access).
- Patch management (security updates).
- Malware protection (real-time protection).
- Use trusted boot loaders.
Security protocols
Weak Strong HTTP HTTPS SLL_1, TL_S1.1 TLS_1.2, TLS_1.3 SMBv1 SMBv3 SNMPv1 SNMPv3 Telnet SSH FTP SFTP DNS (improved?) DNSSEC (certified)