CompTIA Security+ Exam Notes

Let Us Help You Pass

Friday, January 18, 2019

C - I - A: Confidentiality - Integrity - Availability


CIA 

Confidentiality: Making certain information (data) is only viewable by certain people.

1. Encryption is the main method for confidentiality, whether it is file encryption, full disk encryption, or full device encryption on mobile devices. A user who needs to read the information must first have the decryption key to decipher it.

2. ACLs (Access Control Lists) are another method of providing confidentiality. This is not as secure as using encryption. There are different access control methods such as MAC (Mandatory Access Control), DAC (Discretionary Access Control), Role-BAC (Role-Based Access Control), Rule-BAC (Rule-Based Access Control), and ABAC (Attribute-Based Access Control). These methods and examples will be discussed in a different post.

3. Steganography: With this method, you could hide a document inside another document, a photo, a video file, or an audio file. The carrier (the file used to hide the data, which must be larger than the file being hidden) looks the same as before; in the case of an audio or video file, it still plays.

Steganography is "Security through Obscurity"

Steganography can be used in some cases to bypass security controls such as DLP (Data Loss Prevention) systems. One way to detect this activity is to employ file integrity monitoring. That way you have the original hash of the file, and any modification to the file produces a different hash.

For the "Use Case" of confidentiality, encryption is used.

Integrity: Making sure that the data has not been altered, changed, corrupted, or modified by intentional or accidental means. 

Integrity is verified through hashing. Hashing is a one-way function that produces a fixed-length output which cannot be reversed to produce the original input.

For the use case of integrity, hashing is used
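As an added example (not part of the original notes), the file integrity monitoring idea from the steganography paragraph and the hashing paragraph above, carried out in Python: a baseline of SHA-256 hashes is recorded, and any later change to a file, including a payload appended to an image carrier, shows up as a different hash. The file names and contents are constructed stand-ins for a monitored directory.

```python
import hashlib

# Constructed sample "files" (name -> contents) standing in for a monitored directory.
ORIGINAL_FILES = {
    "report.docx": b"Quarterly report: revenue up 4%.",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,   # fake image header plus padding
}

def sha256_hex(data: bytes) -> str:
    """One-way, fixed-length digest: 64 hex characters regardless of input size."""
    return hashlib.sha256(data).hexdigest()

def baseline(files: dict) -> dict:
    """Record the known-good hash of every file (the FIM baseline)."""
    return {name: sha256_hex(content) for name, content in files.items()}

def check_integrity(known: dict, current: dict) -> dict:
    """Compare the current state of the files against the baseline.

    Returns name -> 'ok', 'modified', 'missing' or 'new'."""
    result = {}
    for name, digest in known.items():
        if name not in current:
            result[name] = "missing"
        elif sha256_hex(current[name]) != digest:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in current:
        if name not in known:
            result[name] = "new"
    return result

if __name__ == "__main__":
    known = baseline(ORIGINAL_FILES)
    # Constructed changes: a hidden payload appended to the image (a crude
    # steganographic carrier) and one figure altered in the report.
    tampered = dict(ORIGINAL_FILES)
    tampered["logo.png"] += b"SECRET"
    tampered["report.docx"] = tampered["report.docx"].replace(b"4%", b"9%")
    for name, status in check_integrity(known, tampered).items():
        print(f"{name}: {status}")
```

The image still renders and the document still opens after these changes, which is exactly why the hash comparison, not a visual check, is the detection.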

Availability: This means that the information/data is accessible when it is needed, whether to view it or to modify it.

Many things provide availability such as Load Balancing, Fault Tolerance, Alternate Sites (Hot, Warm, Cold, Mobile), Alternate Power (Generator, UPS), Backups, Patching, RAID, and HVAC.



Friday, October 12, 2018

Security Controls - Preventive

Preventive

What you are trying to do is prevent some form of security breach/incident.

Change management: Making sure that there are no unplanned outages. Being as I work as an IT administrator, it's easy to want to make changes on the fly. The first step in this process is to submit the change plan and get approval. These changes can be network configuration changes or a move to a more current operating system. We need to plan, test, and practice before attempting the changes to reduce the chance of downtime on a production network.

Security awareness and training: Make users aware of social engineering attacks and of email and social network best practices. Once users are aware of the tactics a social engineer might use, there is less chance of them being fooled into revealing their passwords. For example, Microsoft is not going to call you and ask for your password; a caller doing so is a threat actor attempting to social engineer you.


Disabling Accounts: Having an account disablement policy for when an employee leaves the organization can help prevent the former employee from accessing their old account and possibly causing a security breach.

In 2008 a contractor working for Fannie Mae was told during the day that he was being fired for a scripting error he had made earlier in the month. He was allowed to work through the end of the day. He then loaded a logic bomb set to launch a few months later. Luckily for the company, the logic bomb was discovered; otherwise, it would have crashed 4000 servers, crippling Fannie Mae.

Disabling his account as soon as he was notified would have prevented the contractor from installing the logic bomb.


Hardening systems: This best practice covers systems, applications, and operating systems. Disabling unnecessary services and protocols. Applying security patches and updating firmware. Changing default usernames and passwords. Disabling unnecessary accounts. Disabling unused ports on switches.

Thursday, October 11, 2018

RAID (Redundant Array of Independent Disks)

RAID

(Redundant Array of Independent Disks)

RAID 0:
RAID 0 provides no fault tolerance or redundancy. It requires a minimum of 2 disks. The information is spread across the drives in blocks: one block is written to the first drive, the next block to the next drive, and so on.

RAID 0 is striping with no parity. If one drive fails, all the information is lost, unless you have a backup of the data.

This form of RAID is used for performance, multiple heads reading/writing at the same time.

Both drives should be of the same size and speed. If you have two 320 GB drives, theoretically you would have 640 GB of storage space using this configuration. 

RAID 0 is best used for video and audio streaming. It could also be used for something like a backup server. The actual backups are stored on other media than the system running the backup software. 

RAID 1:

RAID 1 requires 2 drives and is known as mirroring. The exact same data is written to both drives. With RAID 1 you can add another disk controller, this eliminates a single point of failure. Using two disk controllers in this configuration is known as duplexing.

If you are using two 320 GB drives, theoretically you will have 320 GB for storage. 

If one drive fails, all the data is retained on the other drive. You do not have to shut this system down to replace the failed drive. Simply remove the drive, take it out of the sled/carrier, and replace it with a new drive. Reinsert the drive, go to the console, and select rebuild array. 

Use this RAID configuration for operating systems, authentication servers, etc. You have minimal drive space to work with.

RAID 5:


RAID 5 requires a minimum of 3 disks and is striping with parity. The equivalent of one drive's capacity is used for the parity information. This is what provides the fault tolerance.

RAID 5 has great read performance as multiple heads read at the same time. As you increase the number of drives, so does the read speed. The write performance is slow due to the parity calculation on the full stripe. 

This RAID setup can tolerate the loss of only one drive; if more than one drive fails, the data is lost. Remove the failed drive while the system is operational, install a new drive, go to the console, and select rebuild array. Performance will degrade slightly while the array rebuilds.

For three 320 GB drives, you will have 640 GB of storage space as the parity data will take up the equivalent of one drive.



RAID 6:

RAID 6 requires a minimum of 4 drives. It is configured as striping with dual parity. The equivalent of two drives is used for the parity information. This setup provides fault tolerance.

It has great read speed as multiple heads are reading at the same time. Write speed is even slower than RAID 5 as RAID 6 has to calculate dual parity for each stripe. 

RAID 6 can survive the simultaneous failure of two drives. Again, take out the failed drive or drives and replace them with new drives. After reinserting the drives, go to the console and select rebuild array.

Four 320 GB drives in a RAID 6 will give you 640 GB of storage space.
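To tie the capacity figures and the "one drive's worth of parity" idea together, here is an added Python example (not from the original notes). It computes usable capacity and survivable failures for the RAID levels above from the rules stated in the text, and shows with a constructed three-drive stripe how XOR parity lets RAID 5 rebuild the block from a failed drive.

```python
# Capacity/fault-tolerance rules for the RAID levels covered above, and a small
# XOR parity demonstration of how a RAID 5 stripe rebuilds a lost block.

RAID_RULES = {
    # level: (minimum drives, drives' worth of capacity lost to redundancy, failures survivable)
    0: (2, 0, 0),
    1: (2, 1, 1),   # mirror: every drive holds the same data
    5: (3, 1, 1),
    6: (4, 2, 2),
}

def usable_capacity(level: int, drives: int, drive_gb: int) -> int:
    """Usable space in GB for `drives` identical drives of `drive_gb` GB each."""
    minimum, overhead, _ = RAID_RULES[level]
    if drives < minimum:
        raise ValueError(f"RAID {level} needs at least {minimum} drives")
    if level == 1:
        return drive_gb          # a mirror never exceeds one drive's capacity
    return (drives - overhead) * drive_gb

def failures_survivable(level: int) -> int:
    """How many drives can fail at once without losing data."""
    return RAID_RULES[level][2]

def xor_parity(blocks: list) -> bytes:
    """Parity block for one stripe: the XOR of every data block in the stripe."""
    parity = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            parity[i] ^= byte
    return bytes(parity)

def rebuild_block(surviving: list, parity: bytes) -> bytes:
    """Recover the single missing data block: XOR of the survivors and the parity."""
    return xor_parity(surviving + [parity])

if __name__ == "__main__":
    for level, n in ((0, 2), (1, 2), (5, 3), (6, 4)):
        print(f"RAID {level}, {n} x 320 GB -> {usable_capacity(level, n, 320)} GB usable, "
              f"survives {failures_survivable(level)} failure(s)")
    # Constructed 4-byte stripe across three data drives; the middle drive then "fails".
    stripe = [b"DATA", b"RAID", b"FIVE"]
    parity = xor_parity(stripe)
    print(rebuild_block([stripe[0], stripe[2]], parity))   # b'RAID'
```

Rebuilding is the same XOR computation the controller performs during the slow parity write, which is why rebuild time grows with the number and size of the drives.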

Wednesday, August 15, 2018

WIRELESS AUTHENTICATION PROTOCOLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) requires certificates to be installed on both the wireless clients and the server, making it one of the most secure implementations of EAP.

PEAP (Protected EAP): PEAP only requires the server to have the certificate. PEAP encapsulates the EAP communication in a TLS tunnel.

LEAP (Lightweight EAP): Developed by Cisco, does not require a certificate on either the client or server. Cisco recommends using a stronger version such as EAP-FAST, as LEAP has a known weakness.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling): Developed to replace LEAP. The use of certificates is optional.

EAP-TTLS (EAP Tunneled Transport Layer Security): Needs a certificate on the server, but not on the client. The username and password are not sent in plain text, as the transmission takes place inside an encrypted tunnel. Because the credentials travel inside the TLS tunnel, even PAP can be used for the inner authentication without the credentials being compromised.

802.1X: PEAP, EAP-TLS, and EAP-TTLS all require an 802.1X authentication server. Some refer to the 802.1X server as a RADIUS server.

WPA2/WPA Enterprise: This requires a RADIUS/802.1x server. Enterprise mode also requires the use of a certificate on the server. The user will also need a username and password to authenticate.

MALWARE TYPES - PART 3

Rootkits: Rootkits are programmed to provide continuous privileged access to a system. This malware remains hidden to avoid detection by an antivirus program. The rootkit gives a remote attacker control over items such as system processes. The controller of the rootkit has the ability to change the system configuration and spy on users' actions.

The detection of such an infection is extremely difficult. The best way to remove a rootkit when detected is to wipe the system and reinstall the operating system and applications.

Ransomware: There are two different types of ransomware. The first starts out as scareware. The user clicks on something, and a pop-up or web page appears mimicking an antivirus scan. The scan immediately finds infections (even though they don't exist); the number it finds can be anywhere from the teens to the thousands. You click the button to clean the infections and get a notice that this is the Free version and you will need to purchase the Paid version. You pay for the new "Fake Antivirus" and it miraculously removes all the infections that were never there to start with.

The second type takes on the name Crypto-malware: This version encrypts all your documents and photos. They give you anywhere from an hour to 7 days to pay them a fee to retrieve a decryption key, otherwise, your information remains encrypted or will be deleted. Most of these end up doubling the fee right after the deadline passes. Most of them require payment through Money Pak or Bitcoin.

Remote Access Trojan (RAT): This gives an attacker total control over the system. This gives the attacker access to any information on the system, the ability to spy on the victim or control the system.

RATs are very difficult to detect as they operate like remote management tools, and use common ports. They are typically delivered through a Trojan, via a phishing attack. The best way to protect against this is to have email opened in plain text rather than HTML.



Sunday, August 12, 2018

MALWARE TYPES - Part 2

Logic Bombs: A piece of code that sits dormant on a target PC/server until it is triggered by an event. That event can be a specific date or time, or a certain condition being met. The triggering event is whatever the programmer coded the malware to wait for.

  • It could be a script that runs every payday; if the programmer's name is missing from the payroll report (meaning they have been laid off or fired), the malware is triggered to run a predetermined time afterward.
  • Another event could be the company hiring its 250th employee (a number picked at random for the example).
  • A date is another possibility: the malware launches on a specific date.
Worms: Worms are a type of malware that self-replicates. The worm moves through the network consuming bandwidth. Worms take advantage of weaknesses in certain networking protocols. 

Worms are known to take advantage of the weakness found in SMBv1, spreading through the network over port 445, Microsoft's file-sharing port.

USB flash drives tend to be one of the easiest ways to introduce a worm into the network. Users will find a USB drive on a table or floor, pick it up, and plug it in to see what is on the device and to determine the owner. There are vendors that will hand out free USB drives that are infected at conferences like Def Con.
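As an added defender-side example (not part of the original notes), the worm behaviour described above, one host rapidly contacting many internal hosts on the SMB port 445, can be spotted in firewall logs by counting distinct destinations per source. The log format and addresses below are constructed, and the example ignores time windows for simplicity.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real traffic): timestamp, action, source, destination:port.
SAMPLE_LOG = """\
2018-08-12T10:00:01 ALLOW 10.0.1.20 -> 10.0.1.5:445
2018-08-12T10:00:02 ALLOW 10.0.1.20 -> 10.0.1.6:445
2018-08-12T10:00:02 ALLOW 10.0.1.20 -> 10.0.1.7:445
2018-08-12T10:00:03 ALLOW 10.0.1.20 -> 10.0.1.8:445
2018-08-12T10:00:03 ALLOW 10.0.1.20 -> 10.0.1.9:445
2018-08-12T10:00:04 ALLOW 10.0.1.20 -> 10.0.1.10:445
2018-08-12T10:00:05 ALLOW 10.0.1.31 -> 10.0.1.5:445
2018-08-12T10:00:06 ALLOW 10.0.1.31 -> 10.0.1.5:445
2018-08-12T10:00:07 ALLOW 10.0.1.40 -> 10.0.1.50:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

def parse_log(text: str) -> list:
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "port": int(m.group("port"))})
    return events

def smb_fanout(events: list, port: int = 445) -> dict:
    """Number of distinct destination hosts each source contacted on the SMB port."""
    targets = defaultdict(set)
    for e in events:
        if e["port"] == port:
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}

def suspicious_sources(events: list, threshold: int = 5) -> list:
    """Sources that fanned out to at least `threshold` SMB hosts: a workstation
    normally talks to a few file servers, not to every machine on the subnet."""
    return sorted(src for src, n in smb_fanout(events).items() if n >= threshold)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("SMB fan-out per source:", smb_fanout(events))
    print("suspicious:", suspicious_sources(events))   # ['10.0.1.20']
```

A host repeatedly reaching one file server (10.0.1.31) is normal and stays below the threshold; the one sweeping the subnet is the candidate to isolate and investigate.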

Botnets:  A botnet is a collection of Internet-connected devices, PCs, webcams, etc. These devices are normally on 24 hours per day and have decent bandwidth. The owners of these devices are unaware that their device is participating in the botnet. The devices are known as zombies and perform whatever the handler has programmed them to do:
  • DDoS; Distributed Denial of Service attack on a single target
  • Send SPAM from these devices
  • Download other malware like keyloggers
Botnets typically use anywhere from 5,000 to 20,000 devices

One of the largest DDoS attacks happened in November of 2016 and was an attack against DNS servers. This time the botnet was made up mostly of DVR players and digital cameras.


MALWARE TYPES - Part 1

Virus: This is malicious code that attaches to a host program/application. It runs after a user initiates an action such as launching the application. Some viruses deliver the payload immediately; others wait until the virus has replicated.

Symptoms vary, the virus may open a backdoor for an attacker, delete files, install a zombie and join the system to a botnet, or cause the system to reboot intermittently.

Polymorphic Virus: This type of virus has the ability to change its binary pattern as it replicates or when it is executed. The code is encrypted and uses different encryption after each infection. The ability to change code makes it difficult for an antivirus program to detect this malware.

Armored Virus: This type of malware is able to fool antivirus programs as to its true location, making the antivirus believe it is located in one area while being located in a completely different area. Armored viruses use obfuscated code making it difficult to reverse engineer.

Trojans: Trojans are disguised as something useful, such as a screensaver or legitimate software. Trojans are also bundled into the keygens that users run to activate pirated software. Here are some of the things that occur as a result of a trojan:

  • Backdoor: gives an attacker remote control
  • Email: can be used to harvest email addresses from the system
  • Usernames & Passwords: Steal this info for bank accounts
  • Download: Can be used to update itself or download other malware
One of the common ways Trojans are delivered is through email attachments. The best way to protect against this is to prevent executables from running and to open email in plain text, not HTML.



CompTIA SYO-501 Security+ covers all of these in the objectives