CompTIA Security+ Exam Notes

Let Us Help You Pass

Wednesday, April 17, 2019

Kerberos


  • Kerberos is an authentication protocol (what a user may do on a service is decided by that service after the ticket is verified)
  • Kerberos provides SSO (Single Sign-On): the user enters a password once and is then issued a ticket for each service
  • Uses port 88, TCP or UDP
  • The KDC (Key Distribution Center) runs two services: the Authentication Service (AS) and the Ticket Granting Service (TGS)
    • The Authentication Service handles the user's login request; the client proves it knows the password by encrypting a timestamp with the password-derived key, so the password itself never crosses the network
    • The AS issues a TGT (Ticket Granting Ticket), encrypted with a key only the KDC knows (the krbtgt key)
    • To access any resource within the domain the client presents the TGT and requests a Service Ticket
    • The TGS (Ticket Granting Service) issues the Service Ticket, encrypted with the service's own key, so the client can access the resource
  • TGTs are unique to Kerberos
  • By default, the client and the Kerberos server clocks have to be within 5 minutes of each other or authentication fails (KRB_AP_ERR_SKEW); the timestamps are what make a captured ticket or authenticator useless for replay once the window closes
  • Kerberos provides mutual authentication: when requested, the server proves it holds the service key by replying with the client's timestamp encrypted under the session key
  • Kerberos resists eavesdropping and man-in-the-middle attacks on the authentication exchange, because credentials are never sent in the clear and tickets are time-limited; it does not protect tickets copied from an already compromised host (pass-the-ticket), so protecting the hosts still matters
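The three exchanges above (AS, TGS, and the final ticket presentation with the mutual-authentication reply), as an added toy model that is not part of the original notes and is not real Kerberos code. The cipher is a stand-in (an HMAC-SHA256 keystream with an HMAC tag) so it runs on the Python standard library; real Kerberos uses AES-CTS with its own key derivation. The realm, principals and passwords are made up, as is the 36000-second ticket lifetime.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (added example, not real Kerberos)."""
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300  # seconds; the 5-minute default in MIT Kerberos and Active Directory

def string_to_key(password: str, principal: str, realm: str) -> bytes:
    # Kerberos derives the long-term key from the password salted with realm + principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # a wrong password fails here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key and runs both the AS and the TGS."""
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {"krbtgt": os.urandom(32)}

    def add_principal(self, name: str, password: str):
        self.keys[name] = string_to_key(password, name, self.realm)

    def _check_skew(self, ts: float, now: float):
        if abs(now - ts) > CLOCK_SKEW:
            raise ValueError("KRB_AP_ERR_SKEW: clock skew too great")

    def as_exchange(self, client: str, pa_enc_timestamp: bytes, now: float):
        """AS-REQ/AS-REP: the encrypted timestamp proves the client knows the password
        without sending it; the reply carries a TGT sealed with the krbtgt key."""
        self._check_skew(decrypt(self.keys[client], pa_enc_timestamp)["timestamp"], now)
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": session_key, "expires": now + 36000})
        return tgt, encrypt(self.keys[client], {"key": session_key})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ/TGS-REP: the KDC trusts the TGT because only it holds the krbtgt key;
        the authenticator proves the requester holds the TGT's session key."""
        t = decrypt(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("KRB_AP_ERR_BADMATCH")
        self._check_skew(auth["timestamp"], now)
        svc_key = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": svc_key, "expires": t["expires"]})
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": svc_key})

def service_ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: float):
    """AP-REQ/AP-REP on the application server, which never talks to the KDC: the ticket is
    checkable because it is sealed with the server's own key. The AP-REP (client timestamp
    under the session key) is the mutual-authentication step: only a holder of the service
    key could have recovered that session key."""
    t = decrypt(service_key, ticket)
    auth = decrypt(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("AP-REQ rejected")
    return t["client"], encrypt(bytes.fromhex(t["key"]), {"timestamp": auth["timestamp"]})

def login(kdc: KDC, service_key: bytes, user: str, password: str, service: str, skew: float = 0) -> str:
    """Whole client-side flow; `skew` models a client clock that is off by that many seconds."""
    now = time.time()
    client_now = now + skew
    user_key = string_to_key(password, user, kdc.realm)
    try:
        tgt, enc = kdc.as_exchange(user, encrypt(user_key, {"timestamp": client_now}), now)
        session_key = bytes.fromhex(decrypt(user_key, enc)["key"])
        ticket, enc = kdc.tgs_exchange(tgt, encrypt(session_key, {"client": user, "timestamp": client_now}), service, now)
        svc_session = bytes.fromhex(decrypt(session_key, enc)["key"])
        who, ap_rep = service_ap_exchange(service_key, ticket, encrypt(svc_session, {"client": user, "timestamp": client_now}), now)
        if decrypt(svc_session, ap_rep)["timestamp"] != client_now:
            raise ValueError("server failed mutual authentication")
        return "authenticated as " + who
    except ValueError as e:
        return "rejected: " + str(e)

if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")  # made-up realm and principals
    kdc.add_principal("alice", "correct horse battery")
    kdc.add_principal("cifs/fileserver", os.urandom(16).hex())
    svc_key = kdc.keys["cifs/fileserver"]  # the file server holds this key in its keytab
    print(login(kdc, svc_key, "alice", "correct horse battery", "cifs/fileserver"))
    print(login(kdc, svc_key, "alice", "wrong password", "cifs/fileserver"))
    print(login(kdc, svc_key, "alice", "correct horse battery", "cifs/fileserver", skew=600))
```

Note that nothing in the client-to-KDC or client-to-service messages contains the password, and that a client whose clock is 10 minutes out is refused before it ever gets a TGT, which is the 5-minute rule from the notes in action.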

AAA Services (Authentication, Authorization, and Accounting)


RADIUS: Remote Authentication Dial-in User Service
  • Port 1812 UDP for authentication (RADIUS bundles authorization into the same Access-Accept reply)
  • Port 1813 UDP for accounting (older deployments used 1645/1646)
  • WPA Enterprise / WPA2 Enterprise both require a RADIUS server.
  • The RADIUS client is the network access server (switch, access point, VPN concentrator), which 802.1X calls the authenticator; the end user's device is the supplicant, not the RADIUS client.
  • RADIUS is a client/server protocol.
  • Communication between the client and the RADIUS server uses UDP (RADIUS over TCP and RadSec, RADIUS over TLS, exist but are less common)
  • RADIUS is vendor-neutral
  • Only the password is hidden: the User-Password attribute is XORed with an MD5 stream derived from the shared secret, while the rest of the packet (username, NAS address, etc.) is sent in clear text. A weak shared secret can be recovered offline from a single captured Access-Request.
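The "only encrypts the password" point, shown as an added example that is not from the original notes: the User-Password hiding scheme from RFC 2865 section 5.2, the server-side reversal, and the offline guess an eavesdropper can make against the shared secret. The password, authenticator and word list are constructed for the demo; "testing123" is the example secret from the FreeRADIUS sample configuration.

```python
"""RADIUS User-Password hiding (RFC 2865 s5.2) and why its strength is the shared secret."""
import hashlib
import string

def _pad(password: bytes) -> bytes:
    return password + b"\0" * (-len(password) % 16)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode the User-Password attribute value: 16 bytes at a time, XOR with
    MD5(secret + RequestAuthenticator) for the first block and
    MD5(secret + previous ciphertext block) for each block after that."""
    if len(password) > 128 or len(authenticator) != 16:
        raise ValueError("password is at most 128 bytes; the authenticator is 16 bytes")
    padded = _pad(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does, and what an eavesdropper with a guessed secret can do.
    Returns the padded plaintext; strip the trailing nulls to get the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out

def looks_like_password(candidate: bytes) -> bool:
    """Plausibility test for an offline guess: printable text followed only by null padding."""
    stripped = candidate.rstrip(b"\0")
    return len(stripped) > 0 and all(chr(c) in string.printable for c in stripped)

def crack_shared_secret(hidden: bytes, authenticator: bytes, wordlist):
    """Offline attack on a captured Access-Request. The Request Authenticator and the hidden
    User-Password are both in the clear on the wire, so each guess of the shared secret costs
    one MD5 per 16-byte block and no traffic to the server."""
    for guess in wordlist:
        if looks_like_password(reveal_password(hidden, guess, authenticator)):
            return guess
    return None

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator (really 16 random bytes)
    hidden = hide_password(b"hunter2", b"testing123", ra)
    print("on the wire:", hidden.hex())
    print("server sees:", reveal_password(hidden, b"testing123", ra).rstrip(b"\0"))
    print("attacker's guess:", crack_shared_secret(hidden, ra, [b"radius", b"password", b"testing123"]))
```

The shared secret is the only thing standing between a captured packet and the user's password, which is why RADIUS secrets should be long and random, and why RadSec or an IPsec tunnel is preferred whenever RADIUS crosses an untrusted network.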

Diameter
  • Uses TCP (or SCTP) for communication between client and server, so delivery is reliable, unlike RADIUS over UDP.
  • Considered to be an improvement over RADIUS: a larger attribute space, transport security (IPsec or TLS/DTLS) as part of the specification, and server-initiated messages.
  • Diameter is also used for VoIP and mobile-network (3GPP/IMS) signalling
  • Used for both local and remote access

TACACS+: Terminal Access Controller Access-Control System Plus
  • TACACS+ provides a more granular AAA than RADIUS
  • Authentication, authorization, and accounting are three separate exchanges, so a device can authenticate an administrator once and then authorize and log each command individually
  • Communicates over TCP
  • Uses port 49 TCP
  • Typically used to manage administrative access to routers and switches (network infrastructure devices)
  • Encrypts the entire packet body; only the 12-byte header is in the clear. The encryption is an MD5-based XOR stream keyed with the shared secret, so, as with RADIUS, its strength depends on that secret.
  • TACACS+ was developed by Cisco and was for a long time a proprietary protocol; it has since been published as RFC 8907


Friday, January 18, 2019

C - I - A: Confidentiality - Integrity - Availability



Confidentiality: Making certain that information (data) is viewable only by the people authorized to see it.

1. Encryption is the main method for confidentiality, whether it is file encryption, full disk encryption, or full device encryption for mobile devices. Anyone needing to read the information must first have the decryption key.

2. Access control lists (ACLs) are another method of providing confidentiality. They are weaker than encryption in one important way: they are enforced only while the operating system or application holding the list is mediating access, so a disk pulled from the machine or a backup copied elsewhere is readable by anyone. The access control models are MAC (Mandatory Access Control), DAC (Discretionary Access Control), Role-BAC (Role-Based Access Control), Rule-BAC (Rule-Based Access Control), and ABAC (Attribute-Based Access Control). These methods and examples will be discussed in a different post.

3. Steganography: With this method you hide one file, a document for example, inside another file such as a photo, video, or audio file. The carrier (the file used for hiding) has to be larger than the file you are hiding, and it looks the same afterwards; in the case of an audio or video file it still plays.

Steganography is "security through obscurity": it hides the existence of the data rather than protecting its contents, so the hidden data should itself be encrypted if its confidentiality matters.

Steganography can be used in some cases to bypass security controls such as DLP (Data Loss Prevention) systems, which inspect content and will not recognise a document buried in the low-order bits of an image. One way to detect this activity is file integrity monitoring: keep a hash of the original file, and any modification, including embedding a payload, produces a different hash. This only catches changes to files that already had a baseline; a freshly created carrier image has nothing to compare against.

For the "Use Case" of confidentiality, encryption is used.

Integrity: Making sure that the data has not been altered, changed, corrupted, or modified by intentional or accidental means.

Verifying integrity is provided through hashing. A hash is a one-way function that produces a fixed-length output (the digest) from input of any length; it cannot be reversed to recover the original input, and any change to the input produces a different digest. A plain hash only proves integrity if the reference digest is stored where an attacker who can change the file cannot also replace the digest; when that cannot be guaranteed, use an HMAC (a keyed hash) or a digital signature instead.

For the use case of integrity, hashing is used.
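The steganography and integrity points above, as one added example that is not from the original notes: least-significant-bit hiding of a payload inside an image buffer, and the hash-based file integrity check (plain SHA-256, or HMAC when the baseline itself could be tampered with) that flags the altered carrier. The "photo" is a constructed in-memory array of RGB bytes so the script runs offline without an imaging library; with Pillow you would feed Image.tobytes() through the same functions. The payload text and file names are made up.

```python
"""LSB steganography in a raw RGB buffer and the integrity check that catches it."""
import hashlib
import hmac
import random

def embed(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive carrier bytes. A 4-byte
    length prefix tells extract() where the payload ends; each byte changes by at most 1."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(carrier):
        raise ValueError("carrier too small: need %d bytes, have %d" % (len(data) * 8, len(carrier)))
    out = bytearray(carrier)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)

def extract(carrier: bytes) -> bytes:
    def read(count: int, offset: int) -> bytes:
        buf = bytearray()
        for _ in range(count):
            b = 0
            for _ in range(8):
                b = (b << 1) | (carrier[offset] & 1)
                offset += 1
            buf.append(b)
        return bytes(buf)
    length = int.from_bytes(read(4, 0), "big")
    if (length + 4) * 8 > len(carrier):
        raise ValueError("no valid payload header")
    return read(length, 32)

def max_pixel_change(a: bytes, b: bytes) -> int:
    """How far any pixel channel moved; 1 is invisible to the eye, which is the whole trick."""
    return max(abs(x - y) for x, y in zip(a, b))

def digest(data: bytes, key: bytes = None) -> str:
    """Plain SHA-256 for a baseline kept on protected storage; HMAC-SHA256 when the baseline
    lives somewhere an attacker who can modify files could also rewrite the hashes."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def fim_baseline(files: dict, key: bytes = None) -> dict:
    return {name: digest(data, key) for name, data in files.items()}

def fim_check(baseline: dict, files: dict, key: bytes = None) -> list:
    """Names of files that are new, missing, or whose digest no longer matches the baseline."""
    changed = []
    for name in set(baseline) | set(files):
        if name not in baseline or name not in files or digest(files[name], key) != baseline[name]:
            changed.append(name)
    return sorted(changed)

def demo() -> dict:
    rng = random.Random(7)
    photo = bytes(rng.randrange(256) for _ in range(64 * 64 * 3))  # constructed 64x64 RGB image
    logo = b"\x10\x20\x30" * 100                                    # constructed, left untouched
    payload = b"constructed confidential document"
    stego = embed(photo, payload)
    baseline = fim_baseline({"photo.rgb": photo, "logo.rgb": logo})
    return {
        "recovered": extract(stego),
        "max_pixel_change": max_pixel_change(photo, stego),
        "flagged": fim_check(baseline, {"photo.rgb": stego, "logo.rgb": logo}),
    }

if __name__ == "__main__":
    print(demo())
```

A 64x64 RGB carrier has 12288 bytes and therefore room for about 1.5 KB of payload, which is why the carrier must be larger than the hidden file. The pixel values move by at most one step, so nothing is visible, but the SHA-256 of the file changes completely and the integrity check flags only the carrier that was touched.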

Availability: The information/data is accessible when it is needed, whether to view or to modify it, by the people and systems authorized to use it.

Many things provide availability, such as load balancing, fault tolerance, alternate sites (hot, warm, cold, mobile), alternate power (generator, UPS), backups, patching (tested before deployment, since a bad patch is itself an availability incident), RAID, and HVAC.



Friday, October 12, 2018

Security Controls - Preventive


What you are trying to do is prevent a security breach or incident before it happens.

Change management: Making sure there are no outages that were not planned. Working as an IT administrator, it is easy to want to make changes on the fly. The first step in this process is to submit the change plan and get approval. These changes can be network configuration changes or moving to a more current operating system. Plan, test, and practice before attempting the changes to reduce the chance of downtime on a production network, and document the rollback so an unexpected result can be undone.

Security awareness and training: Make users aware of social engineering attacks and of email and social network best practices. The more users know about the tactics a social engineer uses, the less chance of them being fooled into revealing passwords. For example, Microsoft is not going to call you and ask for your password; a caller who does is a threat actor attempting to social engineer you.

Disabling accounts: An account disablement policy for when an employee leaves the organization prevents the former employee from accessing their old account and possibly causing a security breach. Disabling rather than deleting the account keeps its files and audit trail available for investigation.

In 2008 a contractor working for Fannie Mae was told during the day that he was being fired for a scripting error he had made earlier in the month. He was allowed to work through the end of the day. He then planted a logic bomb set to trigger a few months later. Luckily for the company, the logic bomb was discovered; otherwise it would have crashed 4,000 servers, crippling Fannie Mae.

Disabling his account as soon as he was notified would have prevented the contractor from installing the logic bomb.

Hardening systems: This best practice covers systems, applications, and operating systems: disable unnecessary services and protocols, apply security patches and update firmware, change default usernames and passwords, disable unnecessary accounts, and disable unused ports on switches. Record the hardened configuration as a baseline and compare running systems against it periodically so that drift back toward the defaults is caught.

Thursday, October 11, 2018

RAID (Redundant Array of Independent Disks)


RAID 0:

RAID 0 provides no fault tolerance or redundancy. It requires a minimum of 2 disks. The data is striped across the drives: block 1 goes to the first drive, block 2 to the second, block 3 back to the first, and so on.

RAID 0 is striping with no parity. If one drive fails, all the information is lost, unless you have a backup of the data. Adding drives increases capacity and speed but also the chance that one of them fails.

This form of RAID is used for performance: multiple heads read and write at the same time.

Both drives should be of the same size and speed; the array only uses the capacity of the smallest member from each drive. With two 320 GB drives you would have 640 GB of storage space in this configuration.

RAID 0 is best used for video and audio streaming or editing scratch space. It could also be used for something like a backup server, as long as the actual backups are stored on media other than the system running the backup software.

RAID 1:

RAID 1 requires 2 drives and is known as mirroring. The exact same data is written to both drives. With RAID 1 you can add a second disk controller, which removes the controller as a single point of failure; using two controllers in this configuration is known as duplexing.

If you are using two 320 GB drives, you will have 320 GB of usable storage, half the raw capacity.

If one drive fails, all the data is retained on the other drive. On a hot-swap capable chassis you do not have to shut the system down to replace the failed drive: remove the drive, take it out of the sled/carrier, replace it with a new drive, reinsert it, go to the console, and select rebuild array.

Use this RAID configuration for operating systems, authentication servers, etc., where the amount of drive space needed is small.

RAID 5:

RAID 5 requires a minimum of 3 disks and is striping with distributed parity: each stripe has one parity block, calculated as the XOR of the data blocks in that stripe, and the parity blocks rotate across the drives. The equivalent of one drive is used for the parity information. This provides fault tolerance.

RAID 5 has great read performance as multiple heads read at the same time; as you increase the number of drives, so does the read speed. Write performance is slower because a small write must read the old data block and the old parity, compute the new parity, and write both back (a write penalty of four I/Os per write).

This RAID setup can afford the loss of only one drive; if a second drive fails before the rebuild completes, the data is lost. Remove the failed drive while the system is operational, install a new drive, go to the console, and select rebuild array. The rebuild reads every block on every surviving drive, so performance degrades noticeably until it finishes, and with large drives it can take many hours, which is the window in which a second failure or an unreadable sector costs you the array.

For three 320 GB drives, you will have 640 GB of storage space as the parity data takes up the equivalent of one drive.



RAID 6:

RAID 6 requires a minimum of 4 drives. It is configured as striping with dual parity: each stripe carries two independent parity blocks (the second is a separate calculation, not a copy of the first), so the equivalent of two drives is used for parity. This setup provides fault tolerance against two failures.

It has great read speed as multiple heads are reading at the same time. Write speed is slower than RAID 5 as RAID 6 has to calculate two parity blocks for each stripe.

RAID 6 can survive the failure of two drives at the same time, which also covers a second failure during a long rebuild. Again, take out the failed drive or drives and replace them with new drives. After reinserting the drives, go to the console and select rebuild array.

Four 320 GB drives in a RAID 6 will give you 640 GB of storage space.
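The striping, parity and rebuild behaviour described for RAID 5, plus the usable-capacity arithmetic for all four levels above, as an added example that is not from the original notes. The disks are constructed in-memory lists of blocks; the 4-byte block size and the drive counts were chosen for the demo and are not taken from any real controller.

```python
"""RAID 5 striping with rotating XOR parity, simulated in memory."""
BLOCK = 4  # bytes per block for the demo; real arrays use 64 KiB or larger stripe units

def usable_capacity(level: int, drives: int, size_gb: int) -> int:
    """Usable space for identical drives: RAID 0 sums them, RAID 1 keeps one copy,
    RAID 5 gives up one drive to parity and RAID 6 gives up two."""
    minimum = {0: 2, 1: 2, 5: 3, 6: 4}
    if drives < minimum[level]:
        raise ValueError("RAID %d needs at least %d drives" % (level, minimum[level]))
    factor = {0: drives, 1: 1, 5: drives - 1, 6: drives - 2}[level]
    return factor * size_gb

def xor_blocks(blocks) -> bytes:
    """Parity of any number of equal-length blocks. XOR is its own inverse, which is why
    the XOR of all surviving blocks in a stripe equals the one that was lost."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def parity_drive_for(stripe: int, drives: int) -> int:
    # Rotation: parity starts on the last drive and moves one drive to the left per stripe.
    return (drives - 1 - stripe) % drives

def raid5_write(data: bytes, drives: int) -> list:
    """Return one list of blocks per drive. Each stripe holds drives-1 data blocks and one
    parity block; the parity position rotates so no single drive takes every parity write."""
    if drives < 3:
        raise ValueError("RAID 5 needs at least 3 drives")
    stripe_bytes = BLOCK * (drives - 1)
    data = data + b"\0" * (-len(data) % stripe_bytes)  # pad the final stripe
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    disks = [[] for _ in range(drives)]
    for stripe, start in enumerate(range(0, len(chunks), drives - 1)):
        blocks = chunks[start:start + drives - 1]
        parity_drive = parity_drive_for(stripe, drives)
        pending = iter(blocks)
        for d in range(drives):
            disks[d].append(xor_blocks(blocks) if d == parity_drive else next(pending))
    return disks

def raid5_read(disks: list, length: int, failed=()) -> bytes:
    """Reassemble the original bytes. Drives listed in `failed` are treated as unreadable and
    every block they held, data or parity, is rebuilt from the rest of its stripe. Two
    failures leave one equation with two unknowns, so RAID 5 cannot recover them."""
    drives = len(disks)
    failed = set(failed)
    if len(failed) > 1:
        raise ValueError("RAID 5 cannot rebuild %d lost drives" % len(failed))
    survivor = next(d for d in range(drives) if d not in failed)
    out = bytearray()
    for stripe in range(len(disks[survivor])):
        parity_drive = parity_drive_for(stripe, drives)
        blocks = [None if d in failed else disks[d][stripe] for d in range(drives)]
        for d in failed:
            blocks[d] = xor_blocks([b for b in blocks if b is not None])  # the rebuild step
        out += b"".join(blocks[d] for d in range(drives) if d != parity_drive)
    return bytes(out[:length])

if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"  # constructed data
    array = raid5_write(payload, 4)
    print("3 x 320 GB RAID 5 ->", usable_capacity(5, 3, 320), "GB usable")
    print("healthy read:", raid5_read(array, len(payload)))
    print("drive 1 dead:", raid5_read(array, len(payload), failed=[1]))
```

The rebuild loop is also why a RAID 5 rebuild is slow and risky: reconstructing one drive means reading every block of every other drive, and an unreadable sector anywhere during that pass is effectively the second failure.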

Wednesday, August 15, 2018

WIRELESS AUTHENTICATION PROTOCOLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) requires certificates to be installed on both the wireless clients and the server, making this one of the most secure implementations of EAP: there is no password to phish or crack, and a stolen client certificate can be revoked.

PEAP (Protected EAP): PEAP only requires the server to have a certificate. PEAP encapsulates the inner EAP exchange (most often EAP-MSCHAPv2 with a username and password) in a TLS tunnel. The client must validate the server certificate; a client that does not will happily build its tunnel to a rogue access point running its own RADIUS server, which then captures the MSCHAPv2 exchange.

LEAP (Lightweight EAP): Developed by Cisco, does not require a certificate on either the client or the server. LEAP has a known weakness (its MS-CHAP-based exchange can be attacked offline with a dictionary), so Cisco recommends using a stronger method such as EAP-FAST.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling): Developed to replace LEAP. The tunnel is established with a PAC (Protected Access Credential) provisioned to the client; the use of certificates is optional.

EAP-TTLS (EAP Tunneled Transport Layer Security): Needs a certificate on the server, but not on the client. The username and password are not sent in plain text because the transmission happens inside the encrypted TLS tunnel, so even a legacy inner method such as PAP can be used without the credentials being exposed over the air. As with PEAP, this holds only if the client verifies the server certificate.

802.1X: PEAP, EAP-TLS, and EAP-TTLS all run over 802.1X, the port-based network access control standard. 802.1X defines three roles: the supplicant (the client device), the authenticator (the switch or access point, which relays EAP and is the RADIUS client), and the authentication server, which is almost always a RADIUS server. That is why people loosely call the RADIUS server "the 802.1X server".

WPA2/WPA Enterprise: This requires a RADIUS/802.1X authentication server. Enterprise mode also requires a certificate on the server. The user will also need a username and password (or, with EAP-TLS, a client certificate) to authenticate.
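The server-certificate point made for PEAP, EAP-TTLS and Enterprise mode above, as an added example that is not from the original notes: a small audit of wpa_supplicant network blocks that flags enterprise networks configured without server certificate validation. The option names (eap, ca_cert, domain_suffix_match, subject_match, phase2, client_cert, private_key) are real wpa_supplicant settings; the configuration text, SSIDs, identities and paths are constructed for the demo.

```python
"""Flag wpa_supplicant enterprise Wi-Fi profiles that skip server certificate validation."""
import re

SAMPLE_CONFIG = """
network={
    ssid="Corp-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed-demo-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Corp-Legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed-demo-password"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Corp-Certs"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
}

network={
    ssid="Home"
    key_mgmt=WPA-PSK
    psk="constructed-home-passphrase"
}
"""

def parse_networks(text: str) -> list:
    """Return one dict of key=value settings per network={...} block (quotes stripped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                k, v = line.split("=", 1)
                settings[k.strip()] = v.strip().strip('"')
        nets.append(settings)
    return nets

def audit(networks: list) -> dict:
    """Map SSID -> list of problems, for enterprise (WPA-EAP) networks only. PSK networks
    have no authentication server to validate, so they are skipped."""
    findings = {}
    for n in networks:
        if "WPA-EAP" not in n.get("key_mgmt", ""):
            continue
        eap = n.get("eap", "").upper()
        issues = []
        if eap == "LEAP":
            issues.append("LEAP is deprecated (offline dictionary attack); use EAP-FAST, PEAP or TLS")
        if eap in ("PEAP", "TTLS", "TLS") and "ca_cert" not in n:
            issues.append("no ca_cert: server certificate is not validated, so a rogue AP can "
                          "terminate the tunnel and capture the inner credentials")
        if eap in ("PEAP", "TTLS") and not any(
                k in n for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            issues.append("no domain_suffix_match/subject_match: any certificate issued by the "
                          "trusted CA would be accepted as the corporate RADIUS server")
        if eap == "TLS" and not ("client_cert" in n and "private_key" in n):
            issues.append("EAP-TLS needs client_cert and private_key")
        if issues:
            findings[n.get("ssid", "?")] = issues
    return findings

if __name__ == "__main__":
    for ssid, problems in audit(parse_networks(SAMPLE_CONFIG)).items():
        for p in problems:
            print("%s: %s" % (ssid, p))
```

Only "Corp-Legacy" is flagged: it is a PEAP profile with no CA pinned and no name check, which is exactly the client an evil-twin access point is built to catch. The same two checks (is a CA configured, and is the server name constrained) apply to managed Windows and macOS Wi-Fi profiles, where they are just spelled differently.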




MALWARE TYPES - PART 3

Rootkits: Rootkits are programmed to provide continuous privileged access to a system while staying hidden from the user and from antivirus software, typically by hooking or patching the operating system's own functions so that the rootkit's files, processes, and network connections are not reported. The rootkit gives a remote attacker control over items such as system processes; its operator can change the system configuration and spy on users' actions.

Detecting such an infection from inside the running system is extremely difficult, because the rootkit controls what that system reports; detection is more reliable from outside, for example by booting from clean media and comparing what the disk actually contains with what the running operating system showed. The best way to remove a rootkit once detected is to wipe the system and reinstall the operating system and applications from known-good media.

Ransomware: There are two different types of ransomware. The first starts out as scareware. The user clicks on something, and a pop-up or web page appears mimicking an antivirus scan. The scan immediately finds infections (even though they don't exist); the number reported can be anywhere from the teens to the thousands. You click the button to clean the infections and get a notice that this is the free version and you will need to purchase the paid version. You pay for the new "fake antivirus" and it miraculously removes all the infections that were never there.

The second type goes by the name crypto-malware: this version encrypts all your documents and photos. You are given anywhere from an hour to 7 days to pay a fee for the decryption key; otherwise your information stays encrypted or is deleted. Most of these double the fee as soon as the deadline passes, and most require payment through MoneyPak or Bitcoin. Offline backups that the infected machine cannot reach are the control that makes the ransom demand irrelevant.

Remote Access Trojan (RAT): This gives an attacker total control over the system: access to any information on it, the ability to spy on the victim, and the ability to control the machine.

RATs are very difficult to detect because they operate like legitimate remote management tools and use common ports (80 and 443, for example) so their traffic blends in. They are typically delivered as a Trojan via a phishing attack. Having email displayed in plain text rather than HTML removes one delivery path (rendered or scripted content), but it does nothing about malicious attachments, so combine it with attachment filtering, user awareness, and monitoring for unexpected outbound connections from workstations.