secure network architecture
TRANSCRIPT
DMZ
• A demilitarized zone (DMZ) or perimeter network is a network area that sits between an organization's internal network and an external network, or a buffer zone between protected and unprotected networks.
• DMZs often have public-facing systems such as FTP, SMTP, and HTTP servers.
• A DMZ would be configured within a router or firewall.
Intranet and Extranet
• An intranet is a private computer network that uses Internet protocols to securely share part of an organization's information or operations with its employees.
• An extranet is a private network that uses Internet protocols to securely share part of an organization's information or operations with suppliers, vendors, partners, customers or other businesses. Often called B2B (Business-to-Business) websites.
Wireless Network Topology
• A wireless network makes up all devices connected wirelessly into the otherwise wired network.
• A Wireless Site Survey involves a visit to the site to test for RF interference, and to identify optimum installation locations (and the number required) for WAPs.
• After installing WAPs, create a "heat map" of the network to show signal coverage. Then you can adjust your WAP placement accordingly.
• Utilize WPA/WPA2 for encryption on your wireless network.
Guest Network
• Guest networks allow guests or anybody to connect to the network in order to gain internet access. This is useful for businesses like hotels, airports, or any business that expects non-employees to enter the building.
• A guest network is utilized for high availability and for ease of connection, but has security risks.
• Needs to be logically segmented from the rest of the network to prevent intrusion.
• For absolute security, don't have a guest network if possible.
Honeypot and Honeynet
• A honeypot is a trap set to attract, detect, observe, deflect, or in some manner counteract attempts at unauthorized use of information systems.
• Two or more honeypots on a network form a honeynet.
• Use a honeypot/net to protect your company while also researching attack methods being used against your company.
• Honeypots and honeynets would be located in the DMZ.
NAT (Network Address Translation)
• Hides private IP addresses from the Internet and will translate private IP addresses to a pool of public IP addresses.
• PAT (Port Address Translation) is a variation of NAT that allows a single public IP address to be used by many hosts on a private network.
• Static NAT is a variation that would allow outside traffic to enter your company. This is often used to allow internet traffic to reach your web servers.
[Diagram: NAT server between the private hosts 192.168.12.20, 192.168.12.30 and 192.168.12.100 and the public address 24.96.83.120]
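The three NAT behaviours above (hiding private addresses, PAT sharing one public address across many hosts, and a static NAT entry that lets outside traffic reach a web server) in a small translation-table simulation. This is an added example, not part of the original slides: the private hosts and public address are taken from the slide's NAT diagram, while the port numbers, the outside addresses (203.0.113.10, 198.51.100.7) and the `PatTranslator` class and its methods are constructed for the example.

```python
"""Toy NAT/PAT translation table (added example, not from the original slides)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatTranslator:
    public_ip: str
    next_public_port: int = 40000
    # Dynamic PAT state: (private_ip, private_port) -> public_port, and the reverse.
    out_map: Dict[Tuple[str, int], int] = field(default_factory=dict)
    in_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # Static NAT entries configured by the administrator: public_port -> (private_ip, private_port).
    static_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def add_static(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Static NAT: let outside traffic reach a chosen internal server (e.g. a web server)."""
        self.static_map[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network so its source is the public IP."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            # Allocate a fresh public port so many hosts can share one public IP (PAT).
            port = self.next_public_port
            self.next_public_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from the Internet, or drop it (None) if nothing maps it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.static_map.get(pkt.dst_port) or self.in_map.get(pkt.dst_port)
        if target is None:
            return None  # unsolicited traffic: the private addresses stay hidden
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> PatTranslator:
    """Walk through the slide's cases with constructed traffic."""
    nat = PatTranslator(public_ip="24.96.83.120")
    # Two inside hosts happen to use the same source port; PAT keeps them apart.
    nat.outbound(Packet("192.168.12.20", 51000, "203.0.113.10", 443))
    nat.outbound(Packet("192.168.12.30", 51000, "203.0.113.10", 443))
    # Static NAT exposes the internal web server on the public address.
    nat.add_static(80, "192.168.12.100", 80)
    return nat


if __name__ == "__main__":
    nat = demo()
    print(nat.out_map)
    print(nat.inbound(Packet("198.51.100.7", 40123, "24.96.83.120", 80)))    # reaches the web server
    print(nat.inbound(Packet("198.51.100.7", 40123, "24.96.83.120", 8080)))  # None: dropped
```

The point to notice is the asymmetry: outbound packets always get a mapping, but an inbound packet is only forwarded if it matches a mapping that an inside host created or an administrator configured, which is why NAT on its own hides the private hosts from unsolicited connections.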
Physical Isolation
• Physically isolating a computer from other devices is the most secure way to protect it, more so than logically separating it from the network.
• When only logically separated, somebody could potentially circumvent those controls.
• Not all devices can afford to be separated from the network.
• An example of physical isolation is air gapping.
Air Gapping
• Air gapping is the act of physically isolating one system or a few systems from the network as a whole. This provides the most security for those devices.
• If a device doesn't need to be connected to the public network, there is no reason to allow it to do so.
• Occasionally, air gapping is not purely physical, and devices can be considered air gapped when their traffic is tunneled through other networks.
VLAN
• A virtual LAN, commonly known as a VLAN, is a group of hosts that are placed on the same IP network, regardless of their physical location.
• A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch.
• A VLAN can be used to logically separate a network through a switch and can be used to prevent attacks on one network from spreading to other networks.
• A VLAN still needs a router to control communication from one VLAN to another.
• Use firewall rules (ACLs) on the router to control inter-VLAN communication.
VLAN – common uses
• BYOD = Bring Your Own Device. If allowing employees to use their own mobile devices on the corporate network, confine them to their own VLAN.
• Place printers on their own VLAN to reduce the risk of data leakage due to printing sensitive documents.
• VoIP = Voice over IP. This is the new breed of phones that connect to the data network instead of using analog phone lines. Put your VoIP traffic (and corresponding SIP and RTP traffic) on its own VLAN to protect your phone system.
Virtualization Technology
• Virtualization means to create a virtual version of a device or resource, such as a server, storage device, network, or even an operating system.
• The framework divides the resource into one or more execution environments.
• Used to isolate a host operating system from some types of security threats.
• A benefit to using virtualization technology is that if an instance is compromised, the damage can be compartmentalized.
• Virtual machines can be used to offer an environment where malware can be executed with minimal risk to equipment and software.
Virtualization Technology cont.
• VMs are a great way to test patches before deploying them to production machines.
• VMs contain a snapshot feature that lets you quickly make a clone/copy of the VM. Then if something you do/change/install causes a problem, you can just roll the VM back to a previous snapshot.
• Popular virtualization applications are VMware, VirtualBox (Oracle), Hyper-V (Microsoft), and Parallels (Mac).
Security Devices & Technology Placement
Proxies, Sensors, Filters, Firewalls, VPN Concentrators, SSL Accelerators, Load Balancers, Aggregation Switches, Port Mirrors
Proxy Server
• A proxy server is a server that acts as a go-between for requests from clients seeking resources from the Internet.
• A proxy server combines two functions: it caches web pages locally to speed up access requests, while also acting as a content filter to block users from visiting inappropriate sites.
• If you want to know what websites your users are visiting, set up a proxy server.
• The best way to secure your email infrastructure is to set up an email proxy server in the DMZ and the email server in the internal network.
Networked Sensors
• A sensor is a physical device used to measure the conditions of the area it is in, measuring attributes such as temperature, humidity, motion, and possibly much more.
• There isn't truly a limit to what a sensor can detect.
• The sensors are placed in whichever environment they are trying to measure, and send information, generally wirelessly, back to a server.
Internet Content Filter
• Use an Internet content filter to deny traffic to websites that have pornographic material that is inappropriate.
• A whitelist is a list of discrete entries that are known to be benign.
• Configure Internet content filtering to approve websites that your users are allowed to view.
Firewall
• A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.
• Modern firewalls utilize stateful packet inspection.
• Hardware firewalls are generally on the edge of the network where the internal network ends and an external network (like the internet) begins.
• A firewall can mitigate port scanning.
VPN Concentrators
• VPN concentrators incorporate the most advanced encryption and authentication techniques available.
• They are built specifically for creating a remote-access or site-to-site VPN.
• They are ideally deployed where the requirement is for a single device to handle a very large number of VPN tunnels.
• They were specifically developed to address the requirement for a purpose-built, remote-access VPN device.
SSL/TLS Accelerator
• An SSL/TLS accelerator handles large amounts of either SSL or TLS encryption, depending on the protocol in use. This takes a lot of the heavy lifting away from the machine that is utilizing the encryption.
• An SSL accelerator or TLS accelerator will speed up the process of performing a public key handshake.
• Can appear as a chip on a host machine.
Aggregation Switch
• An aggregation switch is the switch on the network where all connections off of one segment of the network ultimately terminate before reaching the router.
• This prevents the need to have a higher number of ports in the router. All of the edge switches connect to the aggregation switch, which in turn connects to the router instead.
• Greatly reduces the router ports used.
Mirrored Ports
• Mirrored ports receive a copy of all traffic that is configured to flow through another port, allowing a monitoring device such as a Network Intrusion Detection System to get a copy of all traffic so it can detect malicious attacks.
• For example, all traffic that is incoming or outgoing on port one can be copied to also be sent out of port two.
• This allows a device to detect attacks on the network without having to work inline with the traffic.
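A monitoring device hanging off a mirrored port sees every connection attempt, so a simple piece of detection logic it might run is a port-scan detector: one source touching many distinct ports on one host inside a short window. This is an added example, not from the original slides, and the connection records, addresses, threshold and window are constructed for it (the page itself only says a firewall can mitigate port scanning and that a NIDS on a mirror port can detect attacks).

```python
"""Port-scan detection over traffic copied to a mirrored port (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample: (timestamp_seconds, src_ip, dst_ip, dst_port) for each
# connection attempt the monitoring device saw on the mirrored port.
SAMPLE_EVENTS: List[Tuple[int, str, str, int]] = (
    # A normal client touching three services over a minute.
    [(100, "10.0.0.5", "10.0.0.20", 22), (130, "10.0.0.5", "10.0.0.20", 80), (160, "10.0.0.5", "10.0.0.20", 443)]
    # A fast scan: 16 different ports on one host within 16 seconds.
    + [(200 + i, "10.0.0.66", "10.0.0.20", 20 + i) for i in range(16)]
    # A slow probe: 12 ports, one per minute, which stays under the 60-second window threshold.
    + [(300 + 60 * i, "10.0.0.7", "10.0.0.20", 1000 + i) for i in range(12)]
)

Event = Tuple[int, str, str, int]


def detect_port_scans(events: Iterable[Event], distinct_port_threshold: int = 10,
                      window_seconds: int = 60) -> Dict[Tuple[str, str], int]:
    """Flag (src, dst) pairs where one source hit at least `distinct_port_threshold`
    distinct ports on one destination inside some sliding window of `window_seconds`.
    Returns the peak distinct-port count per flagged pair."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts: Dict[Tuple[str, str], int] = {}
    for pair, hits in by_pair.items():
        hits.sort()  # by timestamp, so each window can start at one hit and look forward
        for i, (start, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - start <= window_seconds}
            if len(ports) >= distinct_port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(SAMPLE_EVENTS).items():
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports within 60 s")
```

The slow probe shows the usual trade-off in this kind of detector: a scanner that spreads its probes out stays under a short window, so the window and threshold are tuned per environment, and a longer window (for example an hour) catches the slow case at the cost of more false positives from busy legitimate clients.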
Software Defined Networking
• According to the Open Networking Foundation (ONF), software defined networking (SDN) is a network architecture that decouples the control and data planes, moving the control plane (network intelligence and policy making) to an application called a controller.
• Allows a more dynamic and scalable network for more efficient computing.
FDE & SED
• FDE (Full Disk Encryption) is encrypting every bit of data on a hard drive, protecting your data if the hard drive is physically stolen. However, data isn't transferable as it is decrypted as it is read into memory.
• SED (Self-Encrypting Drive) specifically describes a hard drive that has encryption key management happen on the hard drive itself, creating a more tamper-free environment.
Trusted Platform Module
• The Trusted Platform Module (TPM) is a chip on a computer's (or tablet's) motherboard that can generate and store encryption keys for various purposes.
• TPM can also perform encryption duties instead of relying on software to do the encryption.
• For example, Microsoft's BitLocker uses TPM to encrypt the contents of the hard disk.
Hardware Security Module
• If your system does not come with a TPM, you can add an HSM (Hardware Security Module) instead. It's similar to a TPM but it is in the form of a plug-in card or external security device that can be attached to a server.
• An HSM can be added to servers that do a large amount of encryption, such as VPN servers or Certificate Authorities.
• Hardware encryption is always faster than software encryption!
• Both TPM and HSM provide storage for RSA or asymmetric keys and can assist in authentication.
UEFI/BIOS
• BIOS is the basic firmware used to boot into a computer and give it the first basic instructions it requires to load a bootloader.
• UEFI is a newer replacement for BIOS, and contains many advantages over the older BIOS such as a feature known as secure boot.
Secure Boot
• Secure boot is a feature of UEFI that protects a computer from booting into untrusted bootloaders, preventing it from being susceptible to malicious bootloaders.
• Looks for the digital signatures of the bootloaders, to test if they are trusted.
• If the bootloader is unsigned, secure boot will prevent the operating system from booting, unless secure boot is disabled first.
Supply Chain
• A secure supply chain is necessary to guarantee the integrity of the equipment being supplied to a company.
• An untrustworthy supplier can't be trusted to provide quality supplies.
• A supply chain must be secure/protected to protect from theft.
• All supplies should be screened and inspected to ensure all equipment is accounted for and untampered with.
EMI/EMP
• EMI (Electromagnetic Interference) can cause system instability when a piece of major power equipment is operating near more sensitive computing equipment.
• Even running networking cables by fluorescent lights can cause EMI.
• An EMP (Electromagnetic Pulse) is a sudden surge of electromagnetic energy that can damage computer equipment.
Operating System Types, Patch Management, Disabling Unnecessary Ports, Least Functionality, Secure Configurations, Trusted OS, Application Whitelisting/Blacklisting, Default Accounts & Passwords
Types of Operating Systems
• Network: A network operating system is designed to function with other workstations in mind, allowing some form of resource sharing over the network.
• Server: A server operating system is designed to easily work with many other clients as a server in the server-client relationship.
• Workstation: A workstation's operating system is the basic form of operating system that provides functionality for its users.
Types of Operating Systems
• Kiosk: Kiosk operating systems are designed with a focus on the user interface and protecting the operating system from the user, as many users are expected to use an individual system.
• Generally touchscreen compatible.
• Mobile: A mobile OS is specifically developed for tablets or smartphones. It is designed to be lightweight and to utilize a touchscreen for functionality.
Patches and Patch Management
• Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system.
• Tasks include:
– Maintaining current knowledge of available patches
– Deciding what patches are appropriate for particular systems
– Ensuring that patches are installed properly
– Testing systems after installation
– Documenting all associated procedures, such as specific configurations required
Unnecessary Ports and Services
• When a service is no longer or never was needed on a system, it should be disabled to prevent a user from abusing that service.
• Certain services can give users more access to the operating system than intended.
• Open ports on a firewall can also potentially compromise a network, as they can be exploited and used as an entry point to the network.
• Unused ports should be closed.
Secure Configurations
• Secure configurations are simply the locking down of computers to prevent a malicious individual from exploiting a system or having full control over a system.
• Least functionality can help keep a system secure by giving it the bare amount of functionality that is required of it to do its intended function.
• For example, if a machine doesn't need to have access to the network, don't let it connect to one!
Trusted OS
• A trusted operating system is a type of operating system that fits into certain government regulations and prevents the commingling of certain types of data.
• Utilizes the Mandatory Access Control model, which classifies data using one of a few data classifications (such as secret, confidential, and top secret).
• Commonly implemented in a government environment.
Application Whitelisting
• Application whitelisting is a process where only company-approved applications can be run on corporate computers.
• Once application whitelisting is enabled, only approved applications are allowed to run.
• Application whitelisting requires that applications be signed by the company to prove they are authorized.
• Application blacklisting is the reverse of whitelisting. While whitelisting creates a list of allowed programs, blacklisting creates a list of specific programs that are NOT allowed to run.
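The difference between the two approaches is easiest to see on a modified copy of an approved program: a whitelist (default deny) rejects it because its hash no longer matches, while a blacklist (default allow) lets it run because nobody has listed it yet. The following is an added example, not from the original slides; the "programs" are constructed byte strings standing in for executables, identified by SHA-256 hash rather than the vendor signature the slide mentions, and the function names are constructed.

```python
"""Application whitelisting versus blacklisting by file hash (added example)."""
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed approved builds: file content -> friendly name.
APPROVED_BUILDS: Dict[bytes, str] = {
    b"#!/bin/sh\necho 'payroll export v1.2'\n": "payroll-export",
    b"#!/bin/sh\necho 'inventory sync v3.0'\n": "inventory-sync",
}
# Constructed program that the company has explicitly banned.
KNOWN_BAD: bytes = b"#!/bin/sh\necho 'banned tool'\n"


def sha256_hex(contents: bytes) -> str:
    return hashlib.sha256(contents).hexdigest()


# The policy lists hold hashes, never the program contents themselves.
ALLOWLIST: Dict[str, str] = {sha256_hex(c): name for c, name in APPROVED_BUILDS.items()}
BLOCKLIST: Set[str] = {sha256_hex(KNOWN_BAD)}


def allowlist_decision(contents: bytes) -> Tuple[bool, str]:
    """Whitelisting: default deny; only hashes the company approved may run."""
    name: Optional[str] = ALLOWLIST.get(sha256_hex(contents))
    if name is None:
        return False, "denied: hash not on allowlist"
    return True, f"allowed: {name}"


def blocklist_decision(contents: bytes) -> Tuple[bool, str]:
    """Blacklisting: default allow; anything not explicitly listed as bad may run."""
    if sha256_hex(contents) in BLOCKLIST:
        return False, "denied: hash on blocklist"
    return True, "allowed: not on blocklist"


def tampered_copy(contents: bytes) -> bytes:
    """Constructed 'modified' executable: an approved build with one extra line appended."""
    return contents + b"echo 'extra command'\n"


if __name__ == "__main__":
    original = next(iter(APPROVED_BUILDS))
    for label, program in [("approved build", original), ("tampered copy", tampered_copy(original)), ("banned tool", KNOWN_BAD)]:
        print(f"{label:15} whitelist -> {allowlist_decision(program)[1]:30} blacklist -> {blocklist_decision(program)[1]}")
```

Hash-based allowlists have an operational cost the slide hints at with "applications be signed": every legitimate update changes the hash and needs a list update, which is why production allowlisting usually trusts a publisher's signing certificate instead of individual file hashes.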
Default Accounts
• A default account is using the main account that was supplied by the device vendor.
• If at all possible:
– Always change (or better yet remove) the default account.
– Create a new account and make sure that you use a complex password.
– Even try to get away from using the account name Administrator or Admin.
Weak and Default Passwords
• A weak password is a password that can be easily guessed. Passwords should be long enough and meet some sort of complexity to be hard to guess or be cracked by a password cracker.
• When creating a strong password, length is the most important factor to consider. This is closely followed by complexity, which uses upper-case, lower-case, special characters, and numbers.
• Always change default passwords in software and hardware! Until you do, the password can be easily obtained by downloading vendor documentation.
Password Policy
• A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
• A domain password policy is a password policy that is configured and applied in a networked environment. An example would be the domain password policy within Windows Active Directory.
• Use a GPO (Group Policy Object) to set your domain's password policy.
Passwords and User Accounts
• To prevent users from re-using old passwords, you must use these two policies together:
– Enforce Password History
– Minimum Password Age
• An Account Lockout Threshold can mitigate Brute Force attacks (trying every possible combination of letters, numbers, and special characters).
• In the security log, the failed logon events can help you detect Brute Force password cracking attempts.
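Why the two policies only work together, and how a lockout threshold behaves, is easiest to see in a small account model. The following is an added example, not from the original slides: the policy values (history of 5, one-day minimum age, lockout after 5 failures), the account structure and the function names are constructed, and the PBKDF2 iteration count is deliberately low so the example runs quickly (a production system uses a far higher count).

```python
"""Password history, minimum age and lockout threshold (added example)."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple

ITERATIONS = 20_000  # deliberately low for the demo; production uses far more


@dataclass
class Policy:
    history_size: int = 5          # Enforce Password History: remember this many old hashes
    min_age_seconds: int = 86_400  # Minimum Password Age: one day between changes
    lockout_threshold: int = 5     # Account Lockout Threshold: failures before lockout


@dataclass
class Account:
    # Each history entry is (change_time, salt, pbkdf2_hash); the newest is last and current.
    history: List[Tuple[int, bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_account(password: str, now: int) -> Account:
    salt = os.urandom(16)
    return Account(history=[(now, salt, _hash(password, salt))])


def change_password(acct: Account, new_password: str, now: int, policy: Policy) -> str:
    last_change, _, _ = acct.history[-1]
    if now - last_change < policy.min_age_seconds:
        return "denied: minimum password age not met"
    # Re-hash the candidate under each remembered salt and compare in constant time.
    for _, salt, old_hash in acct.history[-policy.history_size:]:
        if secrets.compare_digest(_hash(new_password, salt), old_hash):
            return "denied: password found in history"
    salt = os.urandom(16)
    acct.history.append((now, salt, _hash(new_password, salt)))
    return "ok"


def attempt_login(acct: Account, password: str, policy: Policy) -> str:
    if acct.locked:
        return "locked"
    _, salt, current = acct.history[-1]
    if secrets.compare_digest(_hash(password, salt), current):
        acct.failed_attempts = 0
        return "success"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.lockout_threshold:
        acct.locked = True  # further attempts, even with the right password, are refused
        return "locked"
    return "failure"


def can_flush_history(policy: Policy) -> bool:
    """Can a user cycle through throwaway passwords and then get the original back?
    With no minimum age the history check alone is defeated; with both, it holds."""
    acct = create_account("Winter2024!", now=0)
    t = 1
    for i in range(policy.history_size):
        if change_password(acct, f"Throwaway{i}!", t, policy) != "ok":
            return False
        t += 1
    return change_password(acct, "Winter2024!", t, policy) == "ok"


if __name__ == "__main__":
    print("history flushable without min age:", can_flush_history(Policy(min_age_seconds=0)))
    print("history flushable with min age:   ", can_flush_history(Policy()))
```

Note that the history check never stores old passwords, only their salted hashes; each candidate is re-hashed under every remembered salt, which is also why a long history has a noticeable cost at change time.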
Wireless Mice & Keyboards
• Most wireless mice and keyboards were not designed with security in mind, and can be hijacked by rogue radio signals that an attacker can create to attempt to hijack wireless peripheral devices.
• A hijacked mouse or keyboard could potentially be used to send malicious commands or run malicious scripts on the targeted system.
Printers & MFDs
• Printers and Multi-function Devices can also be the target of attacks, especially if they connect wirelessly.
• A Multi-function device, for example, would be a printer, scanner, and fax all in one.
• Large amounts of sensitive information can travel to the printer, which needs to be protected so an attacker can't intercept the traffic.
External Storage
• External storage, if necessary, should be kept physically secure to prevent theft and encrypted in order to protect the information on the storage device.
• Networked storage devices should have proper access controls to logically prevent access.
• If external storage is not necessary, access should be disabled to prevent compromise and data exfiltration.
Vendor Diversity
• Buying multiple devices from various vendors can provide a level of defense in depth, which is added security by implementing more than one type of security control.
• One vendor's device might have a glaring security flaw that another vendor's device might not have. Additionally, the failings in one vendor's equipment are generally different from the failings of another.
Control Diversity
• Implementing different types of controls also helps further protect a network/system.
• Administrative controls can set up the policies outlining the requirements the company and its employees should follow to protect a system.
• A technical control is an implemented control, determining, for example, how a firewall is set up. Usually, it has the backing of a security policy, which reinforces the technical control.
User Training
• Despite all security devices that exist on an organization's network, a company can still be compromised without ever actually breaching those controls.
• Social engineering attacks attempt to trick the people, not the systems, in order to breach a system.
• The only way around this, and a way to reinforce the current layers of defense, is to train users in best practices and security controls.
Sandboxing
• A sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control.
• Sandboxing protects "live" servers and their data, vetted source code distributions, and other collections of code, data and/or content from changes that could be damaging to a mission-critical system or which could simply be difficult to revert.
Staging Environments
• Development. In addition to being the sandbox for initial coding, it's also the place to which all broken build, bug, and problem reports get sent. One best practice is to set up an editorial domain that you don't have to register with DNS. You can restrict access based on IP address or require a VPN for login.
• Test. In this sandbox, developers test code before sending it on for integration. It's a place to test individual projects, not entire applications.
Staging Environments cont.
• Demo. The Demo sandbox holds working software for demonstration to stakeholders.
• Staging. This environment simulates your actual production environment and allows you to test your application and how it works with other applications.
• Production. Deploy the application into production only after rigorous testing and debugging.
Security Baseline
• IT baseline protection is a methodology to identify and implement computer security measures in an organization.
• The aim is the achievement of an adequate and appropriate level of security for IT systems.
• To reach this goal, it recommends well-proven technical, organizational, personnel, and infrastructural safeguards.
Security Baseline cont.
• The following steps are taken pursuant to the baseline protection process during structure analysis and protection needs analysis:
– The IT network is defined.
– IT structure analysis is carried out.
– Protection needs determination is carried out.
– A baseline security check is carried out.
– IT baseline protection measures are implemented.
Integrity Measurement
• Integrity of information refers to protecting information from being modified by unauthorized parties.
• A measure intended to allow the receiver to determine that the information provided by a system is correct.
• To check if the correct information is transferred from one application to another.
• Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding information to a communication, to form the basis of an algorithmic check, rather than encoding all of the communication.
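The "adding information to a communication to form the basis of an algorithmic check" in the last bullet is, concretely, a keyed tag appended to the message. The following added example (not from the original slides) shows a sender appending an HMAC-SHA256 tag and a receiver checking it, alongside the unkeyed variant to show why a plain hash is not an integrity control against a deliberate modifier. The key, messages and framing (message followed by a 32-byte tag) are constructed for the example.

```python
"""Integrity check by appending a keyed tag (HMAC) to a message (added example)."""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # SHA-256 output length in bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed under the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, blob: bytes) -> Optional[bytes]:
    """Receiver side: return the message if the tag checks out, else None."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return message


def protect_unkeyed(message: bytes) -> bytes:
    """A plain hash appended to the message: catches accidental corruption only,
    because anyone who changes the message can recompute the hash too."""
    return message + hashlib.sha256(message).digest()


def verify_unkeyed(blob: bytes) -> Optional[bytes]:
    if len(blob) < TAG_LEN:
        return None
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return message if hmac.compare_digest(hashlib.sha256(message).digest(), digest) else None


def modified_in_transit(blob: bytes, new_message: bytes) -> bytes:
    """Constructed modification: swap the message body, keep the original tag."""
    return new_message + blob[-TAG_LEN:]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    blob = protect(key, b"transfer 100 to account 42")
    print("genuine  :", verify(key, blob))
    print("modified :", verify(key, modified_in_transit(blob, b"transfer 900 to account 42")))
    print("wrong key:", verify(b"other-key", blob))
```

The tag is the only thing the receiver needs in addition to the message, which is what the slide means by the scheme adding information rather than encoding the whole communication; confidentiality would require encrypting the message body as well.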
HVAC
• HVAC (climate control) is particularly important in the design of computer server rooms where humidity and temperature must be closely regulated.
• Static electricity would be a major issue with low humidity, while corrosion could happen in high humidity.
• HVAC is to ensure data and systems availability.
• An FM-200 deployment should be connected to your HVAC system. In the event of a fire, when the CO2 is released, you don't want your HVAC system blowing fresh air into the room.
SCADA
• SCADA systems (Supervisory Control And Data Acquisition) gather and analyze real-time data. They are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil, and gas refining and transportation. They run our elevators, escalators, manufacturing/industrial/food processing equipment, etc. Pretty much everything around us is controlled by SCADA systems.
• Unfortunately SCADA systems are now being shown to have numerous vulnerabilities, which means that all of our critical infrastructure is at risk from cyber-attack!
SoC
• SoC (System on a Chip) is essentially an entire system on an integrated circuit. This can include some peripherals, such as a GPU or the ability to connect to the network through a wireless or wired connection.
• A SoC generally consumes low amounts of power, so it is appealing in mobile environments that are concerned with power consumption.
Video Surveillance
• Closed-circuit television (CCTV) is the use of video cameras to transmit a signal to a limited set of monitors.
• CCTV is a detective security control type.
• If you need a low-cost way to track people who enter the data center, use a CCTV system.
• Fake cameras are an inexpensive deterrent security control type.
• Fencing, lighting, locks, and CCTVs are for the safety of personnel and guests.
Smart Devices & IoT
• The Internet of Things (IoT) refers to all of the otherwise mundane objects that are gaining internet connectivity. These devices are normally referred to as smart devices.
• Smart devices can include lights, locks, thermostats, and potentially infinite other devices that could connect to an IP network. The basic idea behind the internet of things is having many devices all working for people in various areas, from business to home use.
Smart Devices & IoT cont.
• A concern with smart devices is how unmanaged and unmonitored they are, in combination with how prominent they have become in modern society. Smart devices are popping up anywhere from casual day-to-day use by employees to certain business devices.
• These devices can be hacked like any other computer, which can lead to large-scale compromise. This can allow any device, from a watch to a door access system, to be hacked over the network.
Wearable Technology
• Some smart devices can be worn on the body, with smart watches as the most common example. This can be something wearable or, in a less common example, an implant.
• A very common example could be a fitness tracker which tracks a person's physical activity.
Home Automation
• Home Automation is another increasingly popular type of smart device seeing common use. Smart home devices allow automated control of various home systems.
• Common use includes locks, lights, and home security devices such as cameras.
Printers/MFP
• Multifunction Printers (MFP) can commonly be controlled over the internet. This poses a security risk, as a misconfigured printer can have one of many possible compromises occur.
• An attacker could intercept a print job, possibly exposing confidential information.
• Too many print jobs could be sent, causing a DoS.
Smart Medical Devices
• Smart medical devices have the ability to access a vast database of medical records on other resources. This could allow for more accurate diagnostics before being analyzed by a human being.
• These devices can also improve how they analyze results, and learn to be more effective over time.
Vehicles
• Various embedded systems are also being implemented into motor vehicles for smarter ignition, security, and audio systems.
• Other improvements are rapidly being implemented, such as automated driving.
• This can also pose a security threat, such as a car being hacked to prevent it from stopping.
Aircraft/UAV cont.
• A UAV or Unmanned Aerial Vehicle is a small aircraft, usually referring to a drone. Drones generally require the drone itself, a controller, and an operator.
• Some drones can operate semi-automatically.
• Drones can present a security risk, as they can be equipped with cameras that can take discreet pictures of a location without a human physically entering an area.
Development Models
• The waterfall model is a sequential design process. Like a waterfall, the model goes through stages of development, making most of the process planned out before the project starts. This makes the waterfall model less adaptable to changes over the course of development.
Development Models cont.
• The Agile model is a combination of iterative and incremental process models with a focus on process adaptability and customer satisfaction by rapid delivery of a working software product.
• Agile methods break the product into small incremental builds.
• These builds are provided in iterations.
• Each iteration typically lasts from about one to three weeks.
• Every iteration involves cross-functional teams working simultaneously on various areas.
Provisioning vs Deprovisioning
• User provisioning is the setting up and assigning of user accounts when a new account is added or modified. Part of this process is generally automated so a simple framework can be followed for each new account.
• Deprovisioning is the act of removing access from an account after an employee is removed from a current position, by being fired for example. Deprovisioning is essential as it frees up resources and prevents an ex-employee from exploiting their old account.
Version Control
• It is important to manage all updates being pushed out to software, as well as any changes implemented to the various configurations across many systems.
• Proper version control keeps track of all changes made over time and records what version number these changes occurred in.
• This makes it easy to look back at previous versions and see which changes were made and who made them.
Change Management
• The Change Management process is the process of requesting, determining attainability, planning, implementing, and evaluating changes to a system.
• Before implementing a change in coding for an application on your production servers, Change Management should be followed.
• Change management is a way to manage updates for operating systems and firmware.
• When changing/updating a system or application, be sure to include system roll-back procedures in case the change causes the system to crash or become unstable.
Error and Exception Handling
• Applications should be designed to withstand errors without crashing. Developers use SEH (Structured Exception Handling) as a way to gracefully deal with problems that arise during processing.
• Proper error handling would detect a fault within a programming module, and re-start that module instead of just crashing the application and causing a DoS.
• Error messages should not give too much information about the inner workings of the program. Instead of displaying the faulty line of code, give the user a generic error message, for example "Error #232: Contact the Administrator".
Input Validation
• Input validation, also called data validation, is the process of ensuring that a program operates on clean, correct, and useful data.
• Always assume data heading to your back-end servers is potentially hostile and must be sanitized before processing.
• Using a WAF (Web Application Firewall) in front of your web and database servers is one way to provide input validation and sanitization.
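The error-handling and input-validation slides above describe one request-handling pattern: validate every field against an allowlist of what is acceptable before processing, and when anything fails, log the detail server-side and give the user only a generic message with a reference number. The following added example (not from the original slides) implements that pattern; the field names, the allowlist patterns, the in-memory log list and the function names are constructed, and the error text reuses the slide's "Error #232" wording.

```python
"""Allowlist input validation plus generic error messages (added example)."""
import logging
import re
import uuid
from typing import Any, Dict, List

# Allowlist patterns: say what is acceptable rather than trying to enumerate what is bad.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")
PORT_RE = re.compile(r"[0-9]{1,5}")
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

INTERNAL_LOG: List[str] = []  # stands in for the server-side log that only administrators read
logger = logging.getLogger("app")


class ValidationError(ValueError):
    """Raised when a field fails its allowlist check."""


def validate_username(value: Any) -> str:
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError(f"username failed allowlist pattern: {value!r}")
    return value


def validate_port(value: Any) -> int:
    if not isinstance(value, str) or not PORT_RE.fullmatch(value):
        raise ValidationError(f"port is not a decimal integer: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValidationError(f"port out of range: {port}")
    return port


def validate_hostname(value: Any) -> str:
    if not isinstance(value, str) or not HOSTNAME_RE.fullmatch(value.lower()):
        raise ValidationError(f"hostname failed allowlist pattern: {value!r}")
    return value.lower()  # canonical form, so later checks compare like with like


def handle_request(form: Dict[str, Any]) -> Dict[str, Any]:
    """Validate first, then process; any failure yields a generic message plus a reference id."""
    try:
        cleaned = {
            "username": validate_username(form.get("username")),
            "host": validate_hostname(form.get("host")),
            "port": validate_port(form.get("port")),
        }
        return {"ok": True, "data": cleaned}
    except Exception as exc:  # a validation failure or an unexpected fault: never crash, never leak details
        ref = uuid.uuid4().hex[:8]
        INTERNAL_LOG.append(f"{ref} {type(exc).__name__}: {exc}")
        logger.error("%s %s: %s", ref, type(exc).__name__, exc)
        return {"ok": False, "message": f"Error #232: Contact the Administrator (ref {ref})"}


if __name__ == "__main__":
    print(handle_request({"username": "alice", "host": "Files.Example.COM", "port": "8443"}))
    print(handle_request({"username": "alice;rm", "host": "files.example.com", "port": "8443"}))
    print(INTERNAL_LOG[-1])
```

The reference id is what lets an administrator correlate the user's report with the detailed internal log entry, so the generic message costs nothing in supportability while keeping the rejected input and the exception text out of the response.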
Code Signing
• Code signing is used to verify legitimate code, confirming it is not a malicious substitute. The signature included with the code is checked to make sure the code is unchanged and legitimate.
• The systems in use can confirm the digital signature much like a bank checks your signature to detect fraudulent charges.
Obfuscation
• Obfuscation is the act of obscuring something.
• Code obfuscation is the act of making code that is deliberately hard to read and reverse engineer. This mitigates the threat of a malicious attacker reverse engineering the code.
• Can also cause an issue for a company if the original writer of the code leaves the company, and was the only individual to design the code.
Server-Side vs Client-Side
• When running on the client side, code is run in a browser on the client machine. This takes the load off of the server, but exposes the process to the client, who could maliciously manipulate the code as it runs.
• When running on the server side, the code is run on the actual server. This increases the amount of work the server has to execute, but separates the process from the clients, preventing client-side manipulation.
Static Code Analysis vs Dynamic Code Analysis
• Static code analysis is performed on the code itself, by examining it line by line in order to find inefficiencies or malicious code. This process can also be semi-automated.
• Dynamic code analysis is performed as the code is running, allowing for a perspective impossible with static code analysis. This allows the code to be examined as it is interacting with other parts of the code.
Stress Testing
• Stress testing an application pushes it to its limits in an attempt to analyze what can cause it to crash. Stress testing is important to find vulnerabilities that could otherwise open the application up to DoS attacks later.
• Stress testing can be performed by essentially trying to perform a Denial of Service attack on your own application.
Security Lighting
• Security lighting is another effective form of deterrence. Intruders are less likely to enter well-lit areas for fear of being seen.
• Doors, gates, and other entrances, in particular, should be well lit to allow close observation of people entering and exiting.
• When lighting the grounds of a facility, it is generally more effective to have widely-dispersed low-intensity light rather than high-intensity spotlights, because the latter can have a tendency to create blind spots for security personnel and CCTV cameras.
Signs
• The initial layer of security for a campus, building, office, or other physical space uses crime prevention through environmental design to deter threats. Some of the most common examples are also the most basic: warning signs or window stickers.
• Signs and stickers work solely as psychological deterrents, as they have no way of physically stopping an attack.
Physical Barriers
• Physical barriers such as fences, walls, and vehicle barriers act as the outermost layer of security.
• They serve to prevent or delay attacks, and also act as a psychological deterrent by making an attempt seem more difficult and establishing a perimeter.
• Tall fencing with barbed wire, razor wire or metal spikes is often emplaced on the perimeter of a property, generally in an attempt to dissuade any intrusion attempts.
Security Guards
• Security personnel play a central role in all layers of security.
• Many of the technologies and systems that are in place are useless without personnel trained to monitor them and who know how to properly respond to breaches in security.
• Security personnel have many responsibilities, such as patrols and manning checkpoints, administering electronic access control, responding to alarms, and monitoring and evaluating footage.
Alarms
• Alarm systems can be installed to alert security personnel when unauthorized access is attempted.
• Alarm systems work together with physical barriers, mechanical systems, and security guards, serving to trigger a response when some other security measure has been breached.
• They exist in a variety of sensors including motion sensors, contact sensors, and glass break detectors.
• However, alarms are only useful if there is a prompt response when they are triggered.
Locking Cabinet
• A locking cabinet would be great to use to prevent theft of devices and unused assets. For example, locking cabinets are often used in data centers to lock up tools, software, and equipment.
• When laptops are not in use they should be locked up.
Safe
• A safe is a very good place to keep valuables, whether it be technology devices, important papers, or even tape backups.
• When getting a safe, you should look for one that has a high fire rating.
• Safes are often used in offices to lock up petty cash for office supplies.
Door Access Systems
• A door access system is a physical device that will authenticate a person and either allow entry or deny entry into a building or room.
• A door access system might consist of a biometric reader, a keypad, or a token device.
Turnstile and Mantrap
• Turnstile: a form of gate which allows one person to pass at a time.
• Mantrap: physical security devices or constructions designed to entrap a person.
– A mantrap can create a security buffer zone between two rooms.
– Mantraps are good at stopping piggybacking and tailgating.
Faraday Cage
• A Faraday cage is a metallic mesh that protects a system from electromagnetic fields. An ideal Faraday cage consists of an unbroken, perfectly conducting shell.
• Though not achievable in practice, this ideal can be approached by using fine-mesh copper screening. For best results the installation should be directly connected to an earth ground.
• A heavy-duty Faraday cage can protect against direct lightning strikes.
Biometrics
• Biometrics are the authentication techniques that rely on measurable physical characteristics that can be automatically checked.
• The main limitation with biometrics is that they are expensive and complex.
• Biometrics are considered physical access control methods, not logical.
Biometrics cont.
• A false negative is when a biometric system reports that a verified user is unauthorized.
• A false positive is when a biometric system identifies an unauthorized user and allows them access.
• A true positive is when a biometric scanner identifies users that are authorized and allows them access.
• A thumbprint scanner tests the human authentication factor of "something a user is".
Barricade/Bollard
• A barricade is any object or structure that creates a barrier or obstacle to control or block passage or force the flow of traffic in the desired direction.
• A bollard is a sturdy, short, vertical post. A bollard is designed to allow personnel to pass through an area without allowing vehicles to enter.
• Commonly seen at the entrances of buildings, to prevent cars from crashing into the entrance.
Environmental Controls
Fire Suppression, HVAC, Hot and Cold Aisles, Video Surveillance
Note: Changing environmental controls is an attack vector that can cause extensive physical damage to a data center without physical access.
Hot and Cold Aisles
• Hot and cold aisles are an accepted best practice for cabinet layout within a data center.
• The design uses air conditioners, fans, and raised floors as a cooling infrastructure and focuses on separation of the inlet cold air and the exhaust hot air.
• When placing servers in a server rack, make sure that the servers' air intakes face toward the cold aisle.
Fire Suppression
• Carbon dioxide (CO2) extinguishers are used for class B and C fires.
• Water could cause the most damage to electrical equipment.
• Halon and CO2 fire suppression systems will put out a fire without causing any harm to your computer systems. They also won't leave a harmful residue.
• A good choice for an electrical fire on a computer system or in a server room.
• An FM-200 system releases a gas, like CO2 or Halon, to put out electrical fires.
Video Surveillance
• Closed-circuit television (CCTV) is the use of video cameras to transmit a signal to a limited set of monitors.
• CCTV is a detective security control type.
• If you need a low-cost way to track people who enter the data center, use a CCTV system.
• Fake cameras are an inexpensive deterrent security control type.
• Fencing, lighting, locks, and CCTVs are for the safety of personnel and guests.
Hardware Locks
• A hardware lock uses some type of physical means to physically lock down a computer device.
• An example of a hardware lock would be a cable lock that would secure a laptop or even a server.
Screen Filters
• Monitor filters can be used to increase privacy by preventing screens from being viewed from the side; in this case, they are also called privacy screens.
• The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface.
• An older variety of anti-glare filter used a mesh filter that had the appearance of a nylon screen. Though it worked, it also decreased the quality of the screen image.
Security Log
• The security log records events such as valid and invalid logon attempts, as well as events related to resource use such as the creating, opening, or deleting of files.
• An end user should have no access to the events logged in security logs.
• An example of a brute-force attack discovery:
– While viewing the security log, you notice that a user had attempted to log on to the network 1,564 times.
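To show how the brute-force pattern above would be picked out of a security log automatically rather than by eye, here is an added example that is not part of the original slides. It parses constructed, simplified logon lines (the line format, the account names, and the threshold and window values are all assumptions) and flags any account whose failed logons exceed a threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line format used here is a constructed, simplified one (an assumption for
# this example, not a real vendor format): "<timestamp> Logon=<result> Account=<name>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Logon=(?P<result>Success|Failure) Account=(?P<account>\S+)$"
)

def build_sample_log():
    """Constructed sample: one normal user, plus an account hit 1,564 times."""
    start = datetime(2024, 3, 1, 8, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{start.strftime(fmt)} Logon=Success Account=alice",
             f"{(start + timedelta(minutes=3)).strftime(fmt)} Logon=Failure Account=alice"]
    for i in range(1564):  # one failed attempt every 2 seconds against 'bob'
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts.strftime(fmt)} Logon=Failure Account=bob")
    return lines

def failed_logons(lines):
    """Yield (timestamp, account) for each failed logon; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "Failure":
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["account"]

def failures_per_account(lines):
    """Total failed attempts per account: the raw count an analyst would notice."""
    counts = defaultdict(int)
    for _, account in failed_logons(lines):
        counts[account] += 1
    return dict(counts)

def brute_force_candidates(lines, threshold=10, window=timedelta(minutes=5)):
    """Accounts whose failures exceed `threshold` inside any `window`.
    A sliding window separates a sustained attack from scattered typos."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, account in sorted(failed_logons(lines)):
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged
```

With the constructed log, `failures_per_account` reports the 1,564 failures against one account, and `brute_force_candidates` flags that account with a peak of 151 failures in a five-minute window while leaving the user with a single mistyped password alone.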
Physical Log
• A physical log is an actual hard-copy type of log that someone might have to sign in and out of.
• The purpose of a physical access log in a data center is to maintain a list of personnel who enter the facility.
Hypervisor
• A hypervisor is a piece of hardware or software that runs multiple instances of virtual machines, either directly off of the hardware of the machine or on top of an existing operating system.
• Type-1 hypervisors run directly on the hardware and run the guest virtual machines on top. Type-1 hypervisors tend to run faster and are less prone to compromise.
Hypervisor cont.
• Type-2 hypervisors run as an application on top of an existing operating system. Type-2 hypervisors run slower and are more prone to compromise than a type-1, but they are capable of being run on any existing machine.
• Container-based virtualization runs many isolated guests on top of a host operating system. Instead of each using their own virtual machine, each guest just runs in an environment isolated from the host OS.
• This isolated environment is known as a container.
VM Sprawl Avoidance
• Virtualization sprawl is when the quantity and organization of virtual machines on a network hit a point where the admin can no longer manage them.
• VMs might be easy to create, but they have many of the same issues as their physical counterparts. They require continual support and need to stay up to date:
– Proper licensing
– Secure configurations
– Compliant with company policy
• To mitigate this issue the admin should use one central image, or a few centralized images, and remove older and lesser-used images from service.
VM Escape
• Virtual machine escape is an issue where an attacker would be able to "escape" their current virtual machine to access other VMs on the host, or the host itself.
• An exploit like this is increasingly dangerous because of the growing use of VMs in the professional environment.
• To minimize the risk of VM escape:
– Only install necessary applications, and be selective in what is installed.
– Keep VMs up to date and patched.
– Minimize user privilege to only what is needed.
Cloud Storage
• Cloud storage is data storage that is hosted over the network and typically hosts data across many different drives and servers. The cloud storage provider is responsible for maintaining these servers.
• People and organizations buy or lease storage capacity from the providers to store user, organization, or application data.
• Cloud storage generally contains multi-tenant data. This means your data and all other customers' data is kept on the same devices.
Cloud Computing
• Cloud computing refers to the on-demand provision of computational resources (data, software or hardware) via a computer network, rather than from a local computer.
• A provider cloud facilitates computing for heavily utilized systems and networks. It can store multi-tenant data with different security requirements.
• A security control that is lost with cloud computing is physical control of the data.
Cloud Computing – Software as a Service
• Software as a Service (SaaS) delivers software as a service over the Internet, eliminating the need to install and run the application on the customer's own computers and simplifying maintenance and support.
• Software as a Service (SaaS) is a good solution if budget requirements do not allow for additional servers or hiring new personnel.
• Webmail would be classified as a Software as a Service (SaaS) technology.
Cloud Computing – Platform as a Service
• Platform as a Service (PaaS) facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers.
• It provides an easy-to-configure operating system and on-demand computing for customers.
Cloud Computing – Infrastructure as a Service
• Cloud infrastructure services, also known as Infrastructure as a Service (IaaS), deliver computer infrastructure – typically a platform virtualization environment – as a service.
• For example, the cloud provider provides the entire infrastructure over the network. This can include computers, servers, and even the systems required in electrical or water infrastructures.
Cloud Computing - SECaaS
• Security as a Service (SECaaS) is when a cloud service provider is in charge of providing some type of security service over the cloud. This removes a company's need to buy their own dedicated security hardware.
• This could include anything from anti-virus services to some form of intrusion prevention system.
• It can also provide cloud-specific security, which has growing importance with today's cloud-centric computing.
• SECaaS is cheaper than hosting all of these services on the local network, since none of the hardware needs to be bought and maintained.
Types of Clouds
• In a public cloud, a third-party provider offers a range of services to the general public over the internet. Data from several corporate or individual clients may share the same server.
• A private cloud is similar in principle, but is set up behind a firewall and provides hosted services to only a limited number of approved users.
Types of Clouds cont.
• Hybrid cloud is a mix of both a private and public cloud. This allows the organization to shift the workload between the two as needs demand, allowing for increased flexibility.
• A community cloud is a cloud infrastructure that is shared among a few groups, such as partnering corporations, but is otherwise private. This is generally used and controlled by organizations that have shared or similar interests.
On-Premise vs Hosted vs Cloud
• On-Premise "Cloud" is a solution that is hosted locally. Though not truly a cloud solution, it can act as a private cloud for other business locations. The organization doesn't have to worry about who controls their data.
• A Hosted cloud is hosted by another vendor for the organization. These can be accessed remotely, but the organization loses control of the hardware. Cloud-hosted applications tend not to be hosted as multi-tenant, unlike normal cloud solutions.
On-Premise vs Hosted vs Cloud cont.
• Cloud implementation times are much shorter and require no setup of hardware for the organization. The shared, multi-tenant servers can be quickly upgraded as necessary for all tenants on the system.
• Both the Hosted and Cloud solutions allow for increased scalability and reduced cost for the organization. Though, the more the company saves in hosting the hardware and software, the less control they have.
VDI
• Virtual desktop infrastructure (VDI) is used to separate the user's physical machine and their desktop. This allows the user to pull their desktop from a server, virtually.
• With Persistent VDI, the user keeps all changes made to the desktop each time it is accessed, just like a physical desktop computer.
• With Nonpersistent VDI, the user's desktop reverts to its original state each time the user is finished with their work and logs out.