802.1X: Ensuring Authorized Access in Wired and Wireless Networks

 802.1x

802.1X is a network authentication protocol that provides a secure method for controlling access to wired and wireless networks. It's part of the IEEE 802 family of networking standards and is primarily used for port-based network access control (PNAC).

How 802.1X Works

802.1X operates using three key components:

• Supplicant (Client Device) – This is the device that wants to connect to the network, such as a laptop, phone, or IoT device.
• Authenticator (Network Access Device) – This is the network device controlling access, such as a switch for wired connections or an access point (AP) for wireless networks.
• Authentication Server (RADIUS Server) – The backend server verifies the credentials and allows or denies access.

Authentication Process

1. Initial Connection – The supplicant attempts to connect to the authenticator.

2. EAP (Extensible Authentication Protocol) Exchange – The authenticator requests authentication, and the supplicant sends its credentials.

3. Credential Validation – The authentication server verifies the credentials using a configured authentication method, such as EAP-TLS, PEAP, or EAP-MD5.

4. Access Granted or Denied—If the authenticator is successful, it allows network access. If authentication fails, the device is denied access or placed into a guest network.

Security Benefits

• Prevents Unauthorized Access – Only authenticated devices can join the network.
• Centralized Authentication – Using RADIUS servers allows for better control over user access.
• Encryption Support – When combined with WPA2-Enterprise, 802.1X offers strong encryption for Wi-Fi security.

Common Use Cases

• Enterprise Networks – Large organizations use 802.1X to secure wired and wireless networks.
• Public Wi-Fi Security – Many institutions, like universities, implement 802.1X for secure Wi-Fi access.
• IoT Device Authentication – Ensures that only trusted devices connect to sensitive networks.

Using Fake Data to Catch Real Threats: The Power of Honeytokens

 Honeytoken

A honeytoken is a cybersecurity deception technique to detect unauthorized access or malicious activity. It involves creating fake data or resources that appear valuable to attackers but serve no real purpose other than to act as a trap.

Here are some key points about honeytokens:

• Types of Honeytokens: They can take various forms, such as fake documents, database records, credentials, or API keys.
• Detection and Alerts: When an attacker interacts with a honeytoken, it triggers an alert, notifying the security team of potential unauthorized access.
• Intelligence Gathering: Honeytokens help gather information about the attacker’s methods and behavior, which can be used to strengthen security measures.
• Difference from Honeypots: Unlike honeypots, decoy systems are designed to attract attackers, and honeytokens are individual data embedded within real systems.

Using honeytokens, organizations can enhance their ability to detect and respond to security threats more effectively.

 Honeyfile

A honeyfile is a decoy file used in cybersecurity to detect unauthorized access and gather intelligence on potential attackers. These files are designed to look like valuable or sensitive information, such as passwords, financial records, or confidential documents.

 Here are some key points about honeyfiles:

•  Bait for Attackers: Honeyfiles contain enticing data that attracts cybercriminals. When an attacker tries to access a honeyfile, it triggers an alert to the security team.
• Detection and Monitoring: By monitoring access to honeyfiles, organizations can detect suspicious activity early and respond to potential threats before they cause significant harm.
• Intelligence Gathering: Interactions with honey files provide valuable insights into attackers' methods and tactics, helping to improve overall security measures.
• Types of Honeyfiles: Examples include "passwords.txt" or "financials.xlsx" files that contain sensitive information but are trapped.

Honeyfiles are a proactive security measure that helps organizations avoid cyber threats by identifying and analyzing malicious activities.

 Honeypot & Honeynet

A honeypot is a decoy system in cybersecurity that lures in cyber attackers so that security teams can learn how attackers operate:

How it works

A honeypot is a fake system that looks and acts like a legitimate target, such as a server, network, or application. It's designed to be vulnerable and enticing to attackers. When an attacker breaks into the honeypot, the IT team can observe the attacker's techniques and how the system's defenses hold up.

Benefits

• Honeypots can help organizations:
• Improve their cybersecurity strategy
• Identify potential blind spots in their architecture
• Prioritize security efforts
• Reduce the risk of false positives
• Reduce the time it takes to discover attacks

Types of honeypots

Spider honeypots are designed to attract web crawlers by creating web pages or links only accessible to automated crawlers.

Multiple honeypots are called a honeynet.

Cost and maintenance

Honeypots are typically low maintenance and run on their own with minimal monitoring.

 SIEM

Security Information and Event Management (SIEM) is a solution that helps organizations detect, analyze, and respond to security threats in real time. It combines two key functions: Security Information Management (SIM) and Security Event Management (SEM).

Here are some core features of SIEM:

Log Management: Collects and aggregates log data from servers, applications, and network devices.

Event Correlation: Analyzes log data to identify patterns and correlations that may indicate security threats.

Real-Time Monitoring: Provides continuous monitoring of security events to quickly detect and respond to threats.

Incident Response: Helps manage and respond to security incidents by providing alerts and detailed reports.

Compliance Reporting: Assists organizations meet regulatory compliance requirements by generating necessary reports.

Keys to the exam:

Aggregates, Correlates, is a Detective Control

SIEM systems are essential for maintaining a robust security posture and ensuring that potential threats are identified and mitigated before they can cause significant harm.

 PAM (Privilege Access Management)

Privileged Access Management (PAM) is a cybersecurity strategy that protects organizations from cyberthreats by managing and securing accounts with elevated access to sensitive data and systems:

What it does

PAM monitors, detects, and prevents unauthorized access to critical resources. It also provides visibility into who uses privileged accounts and what they do.

Here are some key aspects of PAM:

• Principle of Least Privilege: Ensures users only have the minimum level of access necessary to perform their jobs.
• Monitoring and Auditing: Tracks and records activities of privileged accounts to detect and respond to suspicious behavior.
• Credential Management: Automates the management of passwords and other credentials to reduce the risk of misuse.
• Just-in-Time Access: This feature provides temporary access to critical resources as needed, reducing the window of opportunity for potential attacks.

 How it works

PAM uses a combination of people, processes, and technology. It's based on the principle of least privilege, which limits access to the minimum required to perform a user's job functions.

Why it's important

PAM is considered a critical security discipline for reducing cyber risk and mitigating the damage from external attacks and insider threats. Verizon estimates that 49% of security breaches involve compromised privileged credentials.

Other names

PAM is also known as privileged identity management (PIM) or privileged access security (PAS).

Some examples of privileged users include System and account administrators, Upper management, Security personnel, HR professionals, and Finance employees.

 Mimikatz

Mimikatz is an open-source tool that allows users to extract sensitive data from Windows computers, such as passwords, Kerberos tickets, and NTLM hashes:

How it works

Mimikatz can extract unencrypted passwords from Windows memory, which allows malicious actors to access a system's security tokens and restricted information.

Here are some key capabilities of Mimikatz:

• Credential Dumping: Extracts passwords, hashes, PINs, and Kerberos tickets from memory.
• Pass-the-Hash: Uses hashed passwords to authenticate without needing the plaintext password.
• Pass-the-Ticket: Uses Kerberos tickets to authenticate to other systems.
• Golden Ticket: Creates Kerberos tickets that provide domain admin access.

How it's delivered

Mimikatz is often delivered and executed without writing to disk, which helps it avoid detection.

How it's been used

Mimikatz was a component of the NotPetya ransomware worm, which is believed to have caused over a billion dollars in damages.

How to protect against it

Companies and organizations can protect their systems against Mimikatz using security patches, up-to-date software, and multi-factor authentication.

Mimikatz was developed in 2007 by French ethical hacker Benjamin Delpy to demonstrate vulnerabilities in Windows authentication systems.