Table of Contents
- The Security Threat Landscape
- Common Attacks
- Common Social Engineering Attacks
- Firewalls and IDS/IPS
- Firewalls vs Packet Filters
- Cryptography
- The numbers before the passwd in the config file?
- Controlling and Monitoring User Access (AAA)
- Final thoughts
The Security Threat Landscape
These are my general security notes as I have been preparing for the CCNA exam. Notes on Port Security, DHCP Snooping, and Dynamic ARP Inspection are coming in the next couple of days. 🙂 As always, hit me up on LinkedIn if you want to connect and chat, always love meeting new people. Feel free to comment if I missed something.
- Threat: has the potential to cause harm to an IT asset.
- Vulnerability: a weakness that compromises the security or functionality of a system or the integrity of data.
- Exploit: uses a weakness to compromise the security or functionality of a system.
- Threat: the likelihood of an attacker successfully using an exploit.
- Mitigation: techniques to eliminate or reduce the potential and seriousness of an attack.
- Malware: malicious software, including:
  - Viruses: software which inserts itself into other software and can spread from computer to computer. Requires human action to spread.
  - Worms: a self-propagating virus that can replicate itself.
  - Trojan horses: malicious software which looks legitimate in order to trick humans into triggering it. Often installs back doors.
  - Ransomware: encrypts data with the attacker's key and asks the victim to pay a ransom to obtain the key.
Common Attacks
- TCP SYN flood attack.
- DDoS: distributed denial of service.
- Reflection and amplification attacks.
- Man-in-the-middle attacks such as ARP spoofing.
- Password attacks.
- Malware.
Attack | Counter Measures |
---|---|
VLAN Hopping | Static access ports, disabling of DTP, avoidance of trunk native VLAN on access ports. |
STP Spoofing | BPDU Guard/Root Guard |
CAM/MAC Spoofing | Port Security (MAC LIMIT) |
ARP Spoofing | ARP inspection |
DHCP Starvation | Port Security |
DHCP Server Spoofing | DHCP snooping |
Common Social Engineering Attacks
Attack Type | Goal |
---|---|
Social Engineering | Exploits human trust and social behavior. |
Phishing | Disguises a malicious invitation as something legitimate. |
Spear phishing | Targets group of similar users. |
Whaling | Targets high-profile individuals. |
Vishing | Uses voice calls. |
Smishing | Uses SMS text messages. |
Pharming | Uses legitimate services to send users to a compromised site. |
Watering hole | Targets specific victims who visit a compromised site. |
Firewalls and IDS/IPS
- IDS: Intrusion detection system.
- IPS: Intrusion prevention system.
- IDS and IPS use signatures to inspect packets up to layer 7 of the OSI stack, looking for traffic patterns which match known attacks.
- They can also use anomaly-based inspection to look for unusual behaviour, such as a host sending more traffic than usual.
- They require skilled staff to tune the IPS to their own particular environment and minimize false positives and negatives.
- IDS sits alongside the traffic flow and informs security administrators of any potential concerns.
- IPS sits inline with the traffic flow and can also block attacks.
- An IDS may also have the capability to tell a firewall to block attacks.
Firewalls vs Packet Filters
- Firewalls secure traffic passing through them by either permitting or denying it.
- Stateful firewalls maintain a connection table which tracks the two-way 'state' of traffic passing through the firewall.
  - Return traffic is permitted by default.
- Firewall rules example:
  - Deny all traffic from outside to inside.
  - Permit outbound web traffic from 10.10.10.0/24.
- Next Generation Firewalls move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and user-based security.
- Deep packet inspection analyses packets up to layer 7 of the OSI stack.
- Different permissions can be applied to different users.
- The Cisco ASA with FirePower is a Next Generation Firewall.
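To make the difference between a packet filter and a stateful firewall concrete, here is a small simulation I added (it is not code from the original notes). It applies the two rules above, "deny all traffic from outside to inside" and "permit outbound web traffic from 10.10.10.0/24", first as a memoryless packet filter and then through a connection table. The packets and the outside addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Toy comparison of a stateless packet filter and a stateful firewall.

Added example, not from the original notes. The rule set is the one from the
notes: deny all traffic from outside to inside, permit outbound web traffic
from 10.10.10.0/24. All addresses are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.10.10.0/24")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = inside -> outside, "in" = outside -> inside


def outbound_rule_permits(pkt: Packet) -> bool:
    """Rule 2: permit outbound web traffic sourced from the inside network."""
    return (pkt.direction == "out"
            and ip_address(pkt.src) in INSIDE_NET
            and pkt.dport in WEB_PORTS)


def stateless_filter(pkt: Packet) -> bool:
    """A packet filter judges every packet on its own. It has no memory of
    earlier packets, so rule 1 (deny all inbound) also drops the web server's reply."""
    if pkt.direction == "in":
        return False
    return outbound_rule_permits(pkt)


class StatefulFirewall:
    """Keeps a connection table so the return half of a permitted flow is allowed."""

    def __init__(self) -> None:
        # Entries: (inside ip, inside port, outside ip, outside port) of permitted flows.
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            permitted = outbound_rule_permits(pkt)
            if permitted:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return permitted
        # Inbound: permitted only as the reverse direction of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def simulate() -> dict:
    """Three constructed packets: a client request, the server's reply, and an
    unsolicited inbound SSH attempt from an unrelated outside host."""
    request = Packet("10.10.10.5", 51000, "203.0.113.10", 443, "out")
    reply = Packet("203.0.113.10", 443, "10.10.10.5", 51000, "in")
    unsolicited = Packet("198.51.100.7", 4444, "10.10.10.5", 22, "in")
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in (request, reply, unsolicited)],
        "stateful": [fw.allow(p) for p in (request, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(simulate())
```

The stateless filter returns `[True, False, False]`: the request goes out, but the reply is dropped by the blanket inbound deny, so the connection never works without an extra inbound permit. The stateful firewall returns `[True, True, False]`: the reply is matched against the connection table and allowed, while the unsolicited inbound packet is still denied.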
Cryptography
- Cryptography provides these services to data:
  - Authenticity (proof of source).
  - Confidentiality (privacy and secrecy).
  - Integrity (has not changed in transit).
  - Non-repudiation (non-deniability).
Symmetric Encryption
- With symmetric encryption, the same shared key both encrypts and decrypts the data.
- The shared key is known by both the sender and receiver and must be kept secret.
- Fast.
- Used for large transmissions (e.g., email, secure web traffic, IPsec).
- Algorithms include DES, 3DES, AES, SEAL.
Asymmetric Encryption
- Asymmetric encryption uses private and public key pairs.
- Data encrypted with the public key can only be decrypted with the private key, and vice versa.
- Data encrypted with the public key cannot be decrypted with the public key.
- Only the private key must be kept secret.
- The public key can be available in the public domain.
- Slow.
- Used for small transmissions (symmetric key exchange, digital signatures).
- Algorithms include RSA, ECDSA.
Transport Layer Security (TLS)
- SSL: Secure Sockets Layer (deprecated).
- TLS: Transport Layer Security (successor to SSL).
- Can be used to provide secure web browsing with HTTP (can also be used with other applications such as email).
- Uses symmetric cryptography to encrypt transmitted data.
- Symmetric keys are generated uniquely for each connection.
- Authentication is provided by public key cryptography.
- A message authentication code (MAC) provides integrity.
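Two of the points above, per-connection symmetric keys and MAC-based integrity, can be shown with nothing but the Python standard library. The following is an added example of mine, not code from the original notes and not a real TLS implementation: the key derivation is a single HMAC "expand" step standing in for a TLS key schedule, and there is no encryption step because the standard library has no AES. The master secret, nonces and record in `demo()` are constructed values.

```python
"""Per-connection symmetric keys and MAC-based integrity, stdlib only.

Added example, not from the original notes and not a real TLS implementation:
the key derivation is a single HMAC "expand" step standing in for a TLS key
schedule, and there is no encryption because the standard library has no AES.
The master secret and nonces in demo() are constructed values.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def derive_connection_key(master_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Mix a longer-lived secret with both sides' fresh nonces, so every
    connection ends up with a key that no other connection shares."""
    return hmac.new(master_secret, b"mac key" + client_nonce + server_nonce, hashlib.sha256).digest()


def new_nonce() -> bytes:
    """What each side contributes at connection setup (16 bytes assumed here)."""
    return secrets.token_bytes(16)


def protect(key: bytes, record: bytes) -> bytes:
    """Append a MAC tag so the receiver can detect any change to the record."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def verify(key: bytes, protected: bytes):
    """Return the record if the tag checks out, otherwise None.
    compare_digest avoids leaking how many tag bytes matched through timing."""
    if len(protected) < TAG_LEN:
        return None
    record, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return record


def demo() -> dict:
    master = bytes(range(32))  # constructed, not a real secret
    key_a = derive_connection_key(master, b"\x01" * 16, b"\x02" * 16)
    key_b = derive_connection_key(master, b"\x03" * 16, b"\x04" * 16)  # a second connection
    record = b"GET /account HTTP/1.1"
    protected = protect(key_a, record)
    # Flip one bit inside the record part of the protected message.
    tampered = protected[:5] + bytes([protected[5] ^ 0x01]) + protected[6:]
    return {
        "keys_differ": key_a != key_b,
        "intact_accepted": verify(key_a, protected) == record,
        "tampered_rejected": verify(key_a, tampered) is None,
        "wrong_key_rejected": verify(key_b, protected) is None,
        "truncated_rejected": verify(key_a, protected[:10]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Every value in `demo()` comes out `True`: the two connections get different keys from the same master secret, a one-bit change to the record is rejected, and a tag computed under one connection's key is worthless on another. The `compare_digest` call is the detail practitioners most often get wrong when rolling their own check; a plain `==` on the tag leaks timing information.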
The numbers before the passwd in the config file?
- Type 0: the password is clear text.
- Type 7: it was originally a type 0 password, created by enable password, but it has been encrypted using the service password-encryption command.
- Type 5: hashed using MD5.
- Types 4 and 8: PBKDF2.
- Type 9: uses the scrypt algorithm.
Here are a few commands and encoding types for the enable secret command.
Command | Type | Algorithm |
---|---|---|
enable [algorithm-type md5] secret password | 5 | MD5 |
enable algorithm-type sha256 secret password | 8 | SHA-256 |
enable algorithm-type scrypt secret password | 9 | scrypt |
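To show what the type 8 and type 9 schemes actually do to a password, here is an added example of mine (not IOS code and not from the original notes). The KDF parameters it uses, PBKDF2-HMAC-SHA256 with 20000 iterations and a 32-byte output for type 8, and scrypt with N=16384, r=1, p=1 and a 32-byte output for type 9, are the published values as I know them rather than anything stated on this page, and the output is plain hex rather than the exact `$8$salt$hash` string a router writes. Passwords and salts are constructed. Type 5 (the MD5-based scheme) and the reversible type 7 are deliberately not implemented here.

```python
"""Salted, slow password hashing of the kind behind IOS type 8 and type 9 secrets.

Added example, not from the original notes and not IOS code. KDF parameters are
the published values as I know them (type 8: PBKDF2-HMAC-SHA256, 20000 rounds;
type 9: scrypt N=16384, r=1, p=1), not something taken from the page. Output is
hex, not the exact $8$salt$hash encoding a router writes. Passwords and salts
are constructed.
"""
import hashlib
import secrets

SALT_LEN = 14  # assumed salt length for the example


def hash_type8(password: str, salt: bytes) -> bytes:
    """Type 8: many HMAC-SHA256 rounds, so each guess costs attacker CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000, dklen=32)


def hash_type9(password: str, salt: bytes) -> bytes:
    """Type 9: scrypt also costs memory (128 * n * r bytes per guess, 2 MiB here)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=16384, r=1, p=1, dklen=32)


KDFS = {8: hash_type8, 9: hash_type9}


def store(password: str, hash_type: int, salt: bytes = None) -> dict:
    """What a config line needs to keep: type, salt and digest. Never the password."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    return {
        "type": hash_type,
        "salt": salt.hex(),
        "hash": KDFS[hash_type](password, salt).hex(),
    }


def check(stored: dict, candidate: str) -> bool:
    """Verification is recomputation; there is no way back from the digest."""
    recomputed = KDFS[stored["type"]](candidate, bytes.fromhex(stored["salt"]))
    return secrets.compare_digest(recomputed.hex(), stored["hash"])


def demo() -> dict:
    salt_a = bytes(range(SALT_LEN))          # constructed salts
    salt_b = bytes(range(1, SALT_LEN + 1))
    t8 = store("correct horse", 8, salt_a)
    t9 = store("correct horse", 9, salt_a)
    return {
        "type8_ok": check(t8, "correct horse"),
        "type8_wrong_rejected": not check(t8, "correct horsE"),
        "type9_ok": check(t9, "correct horse"),
        "type9_wrong_rejected": not check(t9, "correct horsE"),
        # Same password, different salt: different digest, so rainbow tables do not apply.
        "salt_changes_hash": store("correct horse", 8, salt_b)["hash"] != t8["hash"],
        "deterministic": store("correct horse", 8, salt_a)["hash"] == t8["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

The practical point for the table above: a type 0 or type 7 entry in a leaked config hands over the password directly, while type 8 and 9 entries only let someone verify guesses, and each guess is made expensive by the iteration count (type 8) or the memory cost (type 9). This is why `enable secret` with `algorithm-type sha256` or `scrypt` is preferred over `enable password`.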
Controlling and Monitoring User Access (AAA)
- An AAA server is, for example, Cisco's ISE platform or Microsoft's Active Directory. AAA servers usually support the following two protocols to communicate with enterprise resources.
- TACACS+: A Cisco proprietary protocol that separates each of the AAA functions. Communication is encrypted and uses TCP port 49.
- RADIUS: A standards-based protocol that combines authentication and authorization into a single resource. Communication uses UDP ports 1812 and 1813 (accounting) but is not completely encrypted.
- Authentication: Who is the user?
- Authorization: What is the user allowed to do?
- Accounting: What did the user do?
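The remark that RADIUS is "not completely encrypted" is easiest to see on the wire. The following is an added example of mine, not code from the original notes: it builds a minimal Access-Request and parses it back the way a capture tool would. Only the User-Password attribute is hidden, using the RFC 2865 section 5.2 method (MD5 of the shared secret and the request authenticator, XORed into the password block by block); User-Name and every other attribute travel in clear text. The shared secret, username, password and authenticator are constructed values.

```python
"""Why RADIUS is "not completely encrypted": a minimal Access-Request on the wire.

Added example, not from the original notes. Only the User-Password attribute is
hidden (RFC 2865 section 5.2); User-Name and everything else is clear text.
Secret, username, password and authenticator are constructed values.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then per block: c_i = p_i XOR MD5(secret + c_(i-1)),
    where c_0 is the 16-byte request authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server side of the same operation (trailing NUL padding stripped)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header, as a packet capture tool would."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def demo() -> dict:
    secret, user, pw = b"constructed-shared-secret", b"alice", b"S3cret!pw"
    authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    pkt = build_access_request(7, user, pw, secret, authenticator)
    attrs = parse_attributes(pkt)
    return {
        "username_in_clear": attrs[ATTR_USER_NAME] == user,
        "password_in_clear": attrs[ATTR_USER_PASSWORD] == pw,
        "server_recovers_password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator) == pw,
        "wrong_secret_recovers": reveal_password(attrs[ATTR_USER_PASSWORD], b"other", authenticator) == pw,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `username_in_clear` True and `password_in_clear` False: the username is readable by anyone on the path, and the password's protection rests entirely on MD5 and the strength of the shared secret. That is the defender's takeaway behind the note above, and the reason RADIUS traffic is normally kept on a management network or carried inside IPsec, whereas TACACS+ encrypts the whole packet body.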
Final thoughts
This information is gathered from Cisco Press and other places. I hope it served as a general introduction or a refresher on the topic. The security threat landscape is always shifting and that can either be draining or exciting, it all depends on our perspective. I like to look at it as exciting and an ongoing opportunity for development instead of settling, or feeling content with what I know today. Cybersecurity is a growing industry that needs more skilled people. If you are interested in IT but haven't decided which path to pursue, I suggest you take a look at it. If you missed my blog about access control lists, check it out here.