Comptia Sec Plus Objectives
Phishing
Fraudulent attempt to obtain sensitive information or data, by disguising oneself as a trustworthy entity in an electronic communication.
Smishing
When someone tries to trick you into giving them your private information via a text or SMS message.
Vishing
Using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward
Spam
Irrelevant or unsolicited messages sent to a large number of Internet users, for illegitimate advertising, and other activities such as phishing, and spreading malware
SPIM
Spam delivered through instant messaging (IM) instead of through e-mail messaging
Spear Phishing
The act of sending emails to specific and well-researched targets while pretending to be a trusted sender
Dumpster Diving
Exploration of a system's trash bin for the purpose of finding details in order for a hacker to have a successful online assault.
Shoulder Surfing
When someone watches over your shoulder to nab valuable information as you key it into an electronic device.
Pharming
Cyberattack intended to redirect a website's traffic to another, fake site.
Tailgating
Social engineering attempt by cyber threat actors in which they trick employees into helping them gain unauthorized access into the company premises.
Eliciting Information
Procedures or techniques involving interacting and communicating with others that are designed to gather knowledge or information
Whaling
Spear phishing that focuses on one specific high level executive or influencer
Prepending
Prepend is a word that means to attach content as a prefix. For example, a prepend command could be used in a scripting language that a programmer would enter into a certain function or code module. It would add certain characters of text to the beginning of some variable or object.
Identity Fraud
Identity fraud is the use of stolen information such as making fake ID's and fake bank accounts
Invoice Scams
Using fraudulent invoices to steal from a company
Credential Harvesting
The use of MITM attacks, DNS poisoning, phishing, etc. to amass large numbers of credentials (username / password combinations) for reuse.
Reconnaissance
Information gathering about a target network
Hoax
Cyber hoax scams are attacks that exploit unsuspecting users to provide valuable information, such as login credentials or money.
Impersonation
Typically involves an email that seems to come from a trusted source.
Watering hole attack
Security exploit in which the attacker seeks to compromise a specific group of end-users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment.
Typo squatting
Type of cybersquatting used by imposters that involves registering domains with intentionally misspelled names of popular web addresses in order to install malware on the user's system, e.g. facebook.com vs. faceboook.com
Pretexting
The practice of presenting oneself as someone else in order to obtain private information.
Influence campaigns
Sway public opinion on political and social issues. Example, using fake accounts to sway legitimate accounts
Hybrid warfare
Wage war non-traditionally - with cyberwarfare/influencing foreign elections
Social Media Campaign
Planned, coordinated marketing efforts using one or more social media platforms.
Principles:
- Authority: an attacker may try to appear to have a certain level of authority.
- Intimidation: an attacker may try to make the victim think that something terrible is going to happen if they don't comply with the attacker's wishes.
- Consensus: an attacker may try to sway the mind of a victim using names they are familiar with, saying that those people provided the information (they are fishing for) in the past and you should be able to do the same.
- Scarcity: an attacker may try to set a time limit on a victim so that they comply with the attacker's wishes by a certain deadline.
- Familiarity: they make you familiar with them on the phone and make you want to do things for them.
- Trust: the attacker in this case can claim to be a friend or close associate of someone you may know very well and who is trusted.
- Urgency: when attackers want you to act and not think, they want you to do what they want as quickly as possible so that there's no time to spot all the red flags.
Malware
A program or file designed to be disruptive, invasive, and harmful to your computer.
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Worms
Independent computer programs that copy themselves from one computer to other computers over a network.
Potentially Unwanted Program (PUP)
Program that installs itself on a computer, typically without the user's informed consent
Fileless virus
Software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.
Command and Control
A computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network
Bots
self-propagating malware that infects its host and connects back to a central server(s).
Cryptomalware
Malware designed to remain in place for as long as possible, quietly mining in the background.
Logic Bomb
A computer program or part of a program that lies dormant until it is triggered by a specific logical event.
Spyware
Type of malware that infects your PC or mobile device and gathers information about you, including the sites you visit, the things you download, your usernames and passwords, payment information, and the emails you send and receive.
Keyloggers
software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that you don't know that your actions are being monitored.
Remote Access Trojan
Type of malware that allows covert surveillance, a backdoor for administrative control and unfettered and unauthorized remote access to a victim's machine.
Rootkit
software program, typically malicious, that provides privileged, root-level (i.e., administrative) access to a computer while concealing its presence on that machine
Backdoor
refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application.
Password Attack
Any type of attack in which the attacker attempts to obtain and make use of passwords illegitimately.
Spraying password attack
Try a few passwords and move on before account lockout
Dictionary password attack
An attack method that takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password.
Brute Force Password Attack (offline and online)
An attempt to guess a password by attempting every possible combination of characters and numbers in it. Offline is faster because you don't have to wait for server response.
Rainbow Tables
An attack on a password that uses a large prebuilt data set of hashes. Compares the password to the hash table.
Plaintext/unencrypted password
No encryption of stored passwords
Malicious universal serial bus (USB) cable
Identifies as a Human Interface Device (HID) and so bypasses the need for rights/permissions.
Malicious flash drive
Contains a malicious file or operates as an HID. The USB Rubber Ducky is an example.
Card cloning
Get card details from a skimmer and create a duplicate card. The magnetic stripe can be cloned but the chip cannot.
Skimming
Stealing credit card information
Adversarial artificial intelligence (AI)
1. Tainted training for machine learning (ML) 2. Security of machine learning algorithms
Supply-chain attacks
Attack on a trusted source that works closely with the target that will bypass security measures
Cloud-based vs. on-premises attacks
Cloud: offsite, usually managed by a third party, lower cost, no data centers, limited downtime. On-premises: on-site, full control of data, system checks can occur at any time, high cost and time consumption.
Cryptographic attacks
1. Birthday attack: hash collision - the same hash value for two different plaintexts 2. Collision: different inputs should never create the same hash 3. Downgrade: instead of using good encryption, it is downgraded to something not secure
Privilege escalation
Exploiting a vulnerability in software to gain access to resources that the user would normally be restricted from obtaining.
Cross-site scripting
Code injected by malicious web users into web pages viewed by other users.
Injections
Adding your own information into a data stream.
Structured query language (SQL) Injection
Calling SQL commands that return outside the intended information
Extensible markup language (XML) Injection
A set of rules for data transfer and storage. Modifying XML requests
Lightweight directory access protocol (LDAP) Injection
Used by almost everyone. Modify LDAP requests to manipulate application results
Dynamic link library (DLL) Injection
A Windows library containing code and data that another application will use. When an application calls the DLL, it will create a new thread under itself running malicious code
Buffer overflows
Spill information into other areas of memory
Replay attack (session replays)
Useful information that is transmitted over the network is intercepted and replayed to appear as someone else. Not an on-path attack because it doesn't require the original workstation.
Request forgeries
1. Server-side 2. Cross-site
Pointer/object dereference
A pointer that references a null part of memory, which can cause a DoS or show a debug error to the attacker
Directory traversal
Read files from a web server that are outside the website's file directory
Race conditions (Time of check/time of use)
An undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time
Error handling
Giving too much information during an error
Improper input handling
Validation doesn't occur on input, so a hacker can inject malicious data into the application
Integer overflow
Vulnerabilities in the application's commination path. Example - sensitive data, DoS, privileged access
Application programming interface (API) attacks
Specialized DoS that may only require one device Example - ZIP bomb
Resource exhaustion
Unused memory not properly releassed
Memory leak
Combination of on-path attack with a downgrade attack Example - HTTP downgrade
Secure sockets layer (SSL) stripping
Interaction between hardware and OS which is often trusted
Driver manipulation
Filling in the space between two objects Example - Window's backwards compatibility mode
Shimming
Metamorphic malware - different program each time it is downloaded to avoid the same signatures for anti-virus that check for it
Refactoring
capture of a password's hash, instead of plain text password
Pass the hash
Wifi that looks legitimate but actually malicious
Wireless Evil Twin
Unauthorized wireless access point that could become a potential backdoor Prevented by using 802.1X (Network Access Control) so that you must authenticate regardless of connection type
Rogue access point
Attacker access valuable data via bluetooth device - High security issue
Bluesnarfing
Sending of unsolicited messages to another device via Bluetooth - Low security issue
Bluejacking
Constantly connect/disconnect of wireless connection Requires old versions of 802.11 to DOS you
Wireless Disassociation Attack
DOS by spamming junk data
Jamming
Wireless data via radio frequencies that can be exposed to any wifi attacks
Radio frequency identifier (RFID)
A set of standards primarily for smartphones and smart cards that can be used to establish communication between devices in close proximity.
Near Field Communication (NFC)
A 24-bit value used in WEP that changes each time a packet is encrypted.
Initialization Vector (IV)
Redirects your traffic and takes information along the way
On-path attack(Man-in-the-middle)
Attacker is on local network that send a message to override the ARP cache so that messages are sent to the attacker and forwarded to the dest
Layer 2 attacks
Attacker starts sending traffic with different source MAC addresses - forcing out the legitimates MAC addresses There is a limit on a MAC address table so now the switch will start sending traffic to all interfaces
Address resolution protocol (ARP) poisoning
Bypass MAC filters or DOS
Media access control (MAC) flooding
A hierarchical system for naming resources on the Internet.
MAC Cloning
Get access to the domain registration account
Domain Name System (DNS)
Technique used by criminals to alter DNS records and drive users to fake sites, to committing phishing. How - modify the host file on client's device - man in the middle - alter the DNS record on the server to resolve to another IP address
Domain hijacking
Similar named websites
DNS poisoning
The Internet is tracking your security posture. So that the more people click spam of an email, the more your company mail is considered spam. Same with URLs
Uniform Resource Locator (URL) redirection
An attack that uses many computers to perform a DoS attack.
Domain reputation
Normal definition of DDOS
Distributed Denial of Service (DDoS)
Break or make application work harder
DDOS network
The hardware and software for industrial equipment
DDOS application
Windows command line .ps1 file extension
DDOS operational technology
General purpose scripting language
Malicious code or script execution
Linux/Unix shell and command language
Powershell
Automate functions within an APPLICATON
Python
programming language you can use to create macros
Bash
Attacker in the network and undetected over a period of time
Macros
Current or former employee, contractor or other partner that has or had authorized access and intentionally misused that access
Visual Basic for Applications (VBA)
Government
Advanced Persistent Threat (APT)
A protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
Insider threats
Runs pre-made scripts without any knowledge of what's really happening
State actors
Professional criminals motivated by money
Hacktivists
Ethical hacker
Script kiddies
Malicious hacker
Criminal syndicates
Finds a vulnerability but doesn't use it
Authorized Hackers
Going rogue, working around the internal IT team
Unauthorized hackers
Competitor
Semi-authorized hackers
APTs, and nation states have a penchant for long-term attacks, which requires this which only major organizations or government can manage over time.
Shadow IT
This can be simple or multifold in nature. A script kiddie is just trying to make a technique work. A more skilled threat actor is usually pursuing a specific objective, such as trying to make a point as a hacktivist. At the top of the intent pyramid is the APT threat actor, whose intent or motivation is at least threefold.
Competitors
Physical access - Attach keylogger - Transfer files - Destroy data center - Change admin password
Internal/external actors
- Default login credentials - Rogue access point - Evil twin - Protocol vulnerabilities
Level of sophistication/capability in actors
- Phishing attacks - Deliver malware - Social engineering attacks
Resources/funding (attributes of actors)
Tamper with the underlying infrastructure/manufacturing process - Gain access to a network using a vendor - Malware can modify the manufacturing process - Counterfeit networking equipment
Intent/motivation (attributes of actors)
Information from your social media accounts
Vectors direct access
Get around firewall via removable medias (USB) - Malicious software on USB flash drives - USB device acts as keyboard - Data exfiltration - take data and walk out
Wireless Vectors
Public-facing applications and services
Vector Email
Research the threats
Vector Supply Chain
Open-source information Information from internet, media (newspapers, television), public government reports, professional and academic publications, and other openly available.
Vector Social Media
Someone else has already compiled the threat information and sell it
Vector Removable Media
Researchers find vulnerabilities - Common Vulnerabilities and Exposures (CVE) - U.S. National Vulnerability Database (NVD)
Vector Cloud
Public threat intelligence - government Private threat intelligence - private companies
Threat intelligence sources
- unusual outbound traffic - anomalies in privileged account - geographic irregularities - login failures - swells in database read volume - large html responses - many requests for one file - mismatched port-applications - suspicious registry changes - spikes in dns requests from one host - weird login times
Open-Source Intelligence (OSINT)
System that enables the sharing of attack indicators between the US government and the private sector as soon as the treat is verified
Closed/proprietary threat intelligence source
- describes cyber threat information - includes motivations, abilities, capabilities and response information
Vulnerability databases
- Securely shares STIX data between organizations
Public/private information-sharing centers
Analyze large amounts of data very quickly - identify behaviors from data - create a forecast for potential attacks - less emphasis on signature by using machine learning
Dark Web
Identify attacks and trends
Indicators of compromise
See what hackers are building
Automated Indicator Sharing (AIS)
Vendors wrote the software
Structured Threat Information eXpression (STIX)
Automated vulnerability notifications
Trusted Automated eXchange of Indicator Information (TAXII)
Watch and learn from researchers/people who done things
Predictive analysis
Research from academic professionals, extreme writeups
Threat maps
A document published by the Internet Society and written by Internet Engineering Task Force (IETF) that details information about standardized Internet protocols and those in various development stages.
File/code repositories
Gathering of local peers
Vendor websites
Hacking group conversations
Vulnerability feeds
Monitor threat announcements - US Department of Homeland Security
Conferences
Understand the methods attackers are using - Different types of TTPs apply to different entities
Academic journals
Vulnerabilities that has not been detected or published.
Request for Comments (RFC)
- Open permissions - Unsecure root accounts - Errors - Weak encryption - Unsecure protocols - Default settings - Open ports and services
Local industry groups
Information that has been exposed without security
Social media research source
Message can provide information to attacker
Threat feed research source
Non-encrypted protocols
Adversary tactics, techniques, and procedures (TTP)
Every application and network device has a default login
Cloud-based vs. on-premises vulnerabilities
Services will open ports, managed by a firewall
Zero-day
Expect the worst
Weak configurations
1. System integration - TP can do things on the inside 2. Lack of vendor support - they need to care
Open permissions - Weak configurations
can't control security from third parties. Their software might be infected
Unsecure root accounts - Weak configurations
Must secure the environment for code development - Use VPN - Isolate the system away from the rest of the network - Check for backdoors
Errors - Weak configurations
- Store in encrypted form - Transfer via encryption
Weak encryption - Weak configurations
Firmware: Operating system: Applications:
Unsecure protocols - Weak configurations
Old old old things
Default setting - Weak configurations
- Unsecured database could be deleted
Open ports and services - Weak configurations
Use for self gaining purposes
Third-party risks
rip money
Vendor management
rip public relations
Third-party risks in supply chain
lost of time and availability
Third-party risks in outsourced code development
Find the attacker before they find you. Intelligence data is reactive.
Third-party risks in data storage
An overwhelming amount of security data or Separate teams. Too much to detect, analyze, and react.
Improper or weak patch management
Move the troops. Set a firewall rule, block IP address, delete malicious software.
Legacy platforms
Not penetration test, trying to determine if there is a potential to gain access. - Port scan - Identify systems (servers, workstations, laptops) - Test from outside/inside
Impacts of data loss
Vulnerability doesn't exist - Different from low severity vulnerability, because a FP doesn't exist
Impacts of data breaches
Vulnerability exist, but you didn't detect it
Impacts of data exfiltration
Lack of security controls - No firewall - No anti-virus - No anti-spyware Misconfigurations - Open shares - Guest access Real vulnerabilities - Show new ones - Sometimes old ones
Impacts of identity theft
Credentialed - inside attack (normal user) Non-credentialed - the scanner can't login to the remote device (from random from internet)
Impacts of financial
Intrusive - try out the vulnerability and see if it works Non-intrusive - gather information, don't try to exploit a vulnerability
Impacts of reputation
Desktop/mobile apps
Impacts of availability loss
Software on webserver
Threat hunting
The application of vulnerability scanning to network devices to search for vulnerabilities at the network level. - Misconfigured firewalls - Open ports
Intelligence fusion
0 to 10
Threat feeds
Validate the security of device configurations - account configurations, local device settings - firewall rules, authentication options
Advisories and bulletins
Logging of security events and information Syslog - standard for message logging. Requires terabytes of storage for this data
Maneuver
- Network packets
Vulnerability scans
- Server authentication attempts - VPN connections - Firewall session logs - Denied outbound traffic flows - Network utilizations
False positives
- Detect insider threats - Identify targeted attacks - Catches what the SIEM and DLP systems might miss
False negatives
How the public views the organization - if they hate you, they hack you
Log reviews
Important metrics in the incoming logs - Tracks, informs, reacts to logs
credentialed vs. non-credentialed (vulnerability scanning)
Usually includes advanced reporting features
Intrusive vs. non-intrusive (scans)
Real-time information
Application - vulnerability scanner
- Automate routine, tedious, and time-intensive activities - Connect many different tools together (Firewalls, account management, email filters)
Web application -vulnerability scan
Given information
Network - vulnerability scanner
No information
Common Vulnerabilities and Exposures (CVE)
Mix information
Common Vulnerability Scoring System (CVSS)
An important documents - Defines purpose and scope - IP address ranges - Emergency contacts - How to handle sensitive information
Configuration review - vulnerability scan
Move from system to system (inside)
Syslog/security information and event management (SIEM)
Once you're there, you need to make sure there's a way back in - Setup backdoor
Review reports
Leave the network in its original state
Packet capture
Reward
Data inputs
Gain access to systems that would normally not be accessible
User behavior analysis
Passive - Learn as much as you can from open sources Active - Trying the doors, actively send information into the network looking for holes.
Sentiment analysis
Combine WiFi monitoring and a GPS (Search from your plane or drone)
Security monitoring
Combine WiFi monitoring and a GPS (Search from your car)
Log aggregation
Open Source Intelligence, is the practice of collecting information from published or otherwise publicly available sources.
Log Collectors
Red-Team: Hired attackers Blue-Team: Protecting Data White-Team: Manages the red and blue team (referees/managers) Purple-Team: Working together share information with each other
Security orchestration, automation, and response (SOAR)
The only constant is change
Known environment
Layout of network
Unknown Environment
The security of an application environment should be well defined - (Firewall settings, patch levels, OS file versions)
Partially known environment
Create a standard to be understood by everyone
Rules of engagement
An IP address plan or model
Lateral movement
Data that resides in a country is subject to the laws of that country - EU citizen data must be stored in EU
Persistence (Penetration testing)
A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.
Cleanup (Penetration testing)
Hide some of the original data
Bug bounty (Penetration testing)
Encode information into unreadable data - Confusion - encrypted data is drastically diff than plain. - Able to convert back and front if you have a key
Pivoting (Penetration Testing)
Data on a storage device
Passive and active reconnaissance
Data in transit over the network - TLS - IPsec
Drones (reconnaissance)
Data is actively processing in memory - Data is almost always decrypted - Take data out of the RAM
War flying
Replace sensitive data with a non-sensitive placeholder - Credit card number one time use - Not encryption
War driving
Control how data is used Restrict data access to unauthorized persons
Footprinting
Legal implications
OSINT
Identify the attack, limit the impact of the attacker - Limit data exfiltration - Limit access to sensitive data
Exercise types
Encryption of data for transport layer - SSL/TLS relies on trust via certificates, sign by a third party
Configuration management
transforming plaintext of any length into a short code called a hash
Diagrams - Configuration management
Application Programming Interface - On-path attack - intercept and modify API messages - API injection - inject data into an API message - DDoS - one bad API call can bring down a system
Baseline configuration
Recovery site is prepped - data is synchronized
Standard naming conventions
An exact replica of the main site
Internet protocol (IP) schema
No hardware/data/people - empty building
Data sovereignty
Between hot and cold - big room and hardware is ready and waiting
Data protection
Attract the bad guys, trap them here
Data loss prevention (DLP)
Bait for the honeynet - (password.txt) - Alert is sent if the file is accessed
Data Masking
Multiple honeypots
Encryption in data protection
Machine learning - interpret big data to identify the invisible - Learn how malware looks and act - Stop malware based on actions instead of signatures
Data protection: at rest
A DNA that hands out incorrect IP address - Can be bad - redirect users to a malicious site - Can be good - redirect known malicious domains to a benign IP address
Data protection: In transit/motion
Fog - A cloud that's close to your data. Cloud -> Fog -> IoT - A distributed cloud architecture.
Data protection: In processing
The location of relatively small servers close to the end users to save resources in terms of network bandwidth and provide improved responsiveness. No server needed, bc user's machine will compute everything. So many positives for the user.
Data protection: Tokenization
Instead of full computer, it is a smaller application with enough computing power to connect to the cloud. - See what's happening in the cloud via computer
Data protection: Rights management
Contains everything you need to run an application. You can multiple containers under an OS and each container is isolated from other containers. Virtualized vs. Containerized - Multiple OS vs Single OS
Geographical considerations
Monolithic applications - one big application that does everything Microservices - specialized section of the monolithic application Client <- API Gateway <- microservices <- databases
Response and recovery controls
Using a central control program separate from network devices to manage the flow of data on a network. - Connect a bunch of webservers and database via an internal firewall
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
You must see the traffic to secure the data.
Hashing
FaaS - Function as a Service -application are separated into individual autonomous functions. Remove the OS from the equation Developer runs a stateless compute container. Handles API request. Create containers if needed.
API considerations
Service integration and Management (SIAM) - single place for all services
Site resiliency
Assigning permissions to cloud resources. - Specific region, deny others - IP ranges, deny others - Allow users, deny others
Hot site
Virtual Private Cloud (VPC) - private information stored created in public cloud Transit Gateway - connects VPC with TG - allows access to all the VPC
Cold Site
Run many different operating systems on the same hardware
Warm site
Click a button - you've just built a server or multiple servers. You can easily confuse what each virtual object is used for so keep documentation.
Deception and disruption
Escape VM and take over host.
Honeypots
Commission/Decommission of assets from the time it is installed, until the time it is decommissioned and disposed. Create things when they are needed
Honeyfiles
Techniques used while coding to provide as much security as possible.
Honeynets
Instead client calling a SQL command, the client will request the command from the database itself. - Old days, client requests SELECT * FROM table but they could modify it for bad doings. - Now, client requests CALL items and that's it no modifications possible. Only a list of commands to chose from
Fake telemetry
Making code hard to read by normal people.
DNS Sinkhole
Copy and pasta. - If that old code has security issue then rip. - Some code can be Dead Code which is computed but not used.
Cloud models
Validation - never trust user input Server-side validation - all checks occur on the server, safer but slower Client-side validation - all checks on the client side Use both
Infrastructure as a Service (IaaS)
Be mindful of how memory is used
Platform as a Service (PaaS)
Speed up development Potential security risk
Software as a Service (SaaS)
Disclosing sensitive data to attackers.
Anything as a Service (XaaS)
An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
Public cloud model
Alternative compiler paths, changes the final binary file.
Community Cloud Model
Repeatable tasks are completed the same way each time no matter who is executing the task, reduces errors. Increase scalability - as volume and rate increases, automation enables continuous processing of information. Enable "more with less" - Existing resources can do more volume or provide opportunities for existing resources to work on higher-level tasks.
Private cloud model
Using technology to automate IT processes.
Hybrid Cloud model
Check for a particular event and react
Cloud service providers
Perform ongoing automated checks Cloud-based technologies allow for constant change Automatically validate a configuration before going live
Managed service provider (MSP)
Code is constantly written and merged - Many chances for security problems - So many checks are created
Managed security service provider (MSSP)
A methodology that focuses on making sure software is always in a releasable state throughout its lifecycle. - Automate the testing process - Automate the release process
On-premises vs. off-premises
- Even more automation Entire testing and deploying process is automated
Fog Computing
Increase or decrease resources
Edge Computing
Adapt to increase load
Thin Client
Multiple different login via trusted sources (FB, Google, Twitter)
Containers
A system you can trust
Microservices/API
A one-time password that changes after a set period of time.
Infrastructure as code
A one-time password
Software Defined Networking (SDN)
Text code for pw
Software-defined visibility (SDV)
Primitive password
Serverless architecture
Physical hardware token
Services integration
an alert or email message sent to your phone
Resource policies
call for authentication
Transit gateway
insert into computer for authentication
Virtualization
The identification of a user based on fingerprint, iris, face, voice, or handwriting
Virtual machine (VM) sprawl avoidance
finger
VM Escape Protection
Back of eye
Environment development
front of eye (color, texture)
Environment Test
face
Environment Staging
voice
Environment production
vein on arm
Environment Quality assurance (QA)
how you walk
Provisioning and Deprovisioning
Letting bad people in
Integrity measurement
Letting good people in
Secure Coding Techniques
Between good and bad - just right
Normalization
- Comparing to what you know - password - Have - smart card - Are - biometric
Stored procedures
Where - where you are Do - signature / similar to biometric but not exactly because it is something you are doing Know - social factor
Obfuscation/camouflage
- Prove you are who you say you are - Based on your id, what is your access - Accounting, record yourself
Code reuse/dead code
Cloud - 3rd party, centralized platform, automation options with API integration On-premises - internal monitoring and management
Server-Side vs. Client-Side Execution and Validation
Balance server
Memory management
Aggregate bandwidth, redundant paths
Use of third-party libraries and software development kits (SDKS)
- Short-term backup power Has batteries on the inside
Data Exposure
Internal and external power supply
Open Web Application Security Project (OWASP)
Power outlets that can be controlled
Software diversity
Specialized high performance network of storage devices
Compiler
Copy VM to another VM
Binary
Speed, Money, Security
Automation/Scripting
Everything Backup Time - High Restore Time - Low
Automated Courses of Action
All files that have changed since the last incremental Backup Time - Low Restore Time - High
Continuous monitoring
All files that have changed since the last full backup Backup Time - Moderate Restore Time - Moderate
Continuous validation
Connect to a shared storage device across the network
Continuous integration (CI)
Look and feel like a separate storage device
Continuous delivery
To the cloud
Continuous deployment
Capture an exact replica of everything on a storage drive.
Elasticity
Speed difference Security
Scalability
The cloud is always in motion
Version Control
Fall back to a previous snapshot
Authentication methods
Redundancy Doesn't always mean availability due to a special case of turning on the redundant device Higher cost
Federation
Which core systems are needed first before other components are restored - Restore the database first before anything else is restored.
Attestation
Different technologies can help bypass a single point of failure. - Using multiple different OS - Many vendors
Time-based one-time password (TOTP)
All cryptography is temporary
HMAC-based one-time password (HOTP)
Admin control Physical Technical Combine them together
Short message service (SMS)
Hardware/software designed for a specific function Cons - Limited features - Limited upgradability - Limits in communication options - Power may come from batteries because there is no access to mains power - Computational power low - Network may not be accessible - Limited hardware/crypto options - Inability to patch - Authentication - Range - Low cost can affect quality - Implied trust Pros - Low cost - Single function, however may be running on batteries
Token key
An integrated circuit that can be configured after being manufactured. The FPGA can be reprogrammed.
Static codes
PC manages industrial equipment (Distributed control systems) No access from the outside (no internet access)
Authentication applications
Sensors that can be connected to the internet Smart devices Wearable technology Facility automation Note - weak security
Push notifications
Temperature, air quality, lighting
Phone call
IoT manufacturers are not security professionals
smart card authentication
Ex: Heart monitors - use an old OS
Biometrics
Tesla
Fingerprints Biometrics
DoS could damage the aircraft
Retina Biometrics
Measure power and water usage
Iris Biometrics
Uses IP technology to transmit telephone calls
Facial Biometrics
Systems that provide and regulate heating and cooling.
Voice Biometrics
No pilot
Vein Biometrics
An all-in-one output device that usually combines a scanner, a laser or inkjet printer, and a fax modem.
Gait analysis Biometrics
An operating system with a deterministic processing schedule - No time to wait for other processes - Industrial/Military equipment
Efficacy rates Biometrics
Embedded systems with camera
False acceptance Biometrics
Embedded systems run on this. Ex: Raspberry Pi
False rejection Biometrics
Uses higher frequencies - Significant IoT impacts - Bandwidth becomes less of a constraint - Larger data transfer - Faster monitoring and notification - Additional cloud processing
Crossover error rate Biometrics
Communicate analog signals over a narrow range of frequencies - Over longer distance - Conserve the frequency use - SCADA - Sensors in oil field
multifactor authentication (MFA) factors and attributes
Uses a SINGLE cable with a digital signal Ethernet connection
Factors: - Something you know - Something you have - Something you are
Used to provide information to a cellular network provider
Attributes: - Somewhere you are - Something you can do - Someone you know
IoT networking - Open standard - IEEE 802.15.4 PAN Alternative to WiFi and Bluetooth - Longer distance/Less power than Bluetooth/WiFi Mesh network of all Zigbee devices in your home Uses the ISM band - Industrial, Scientific, and Medical
- Authentication, authorization, and accounting (AAA)
All doors normally unlocked - Opening one door causes the others to lock All doors normally locked - Unlocking one door prevents the others from being unlocked When one is open the other cannot be unlocked
Cloud vs. on-premises requirements
Circuit base, motion based, panic button based
Redundancy
Signs of information (dangers)
Geographic dispersal
Video cameras and receivers used for surveillance in areas that require security monitoring.
Disk - Redundant array of inexpensive disks (RAID) levels
Blend into the environment by not advertising information and protecting it
Multipath
Guards: Robot sentries: Reception: Two-person integrity/control: No single person will have complete access to an area
Network: Load balancers
Biometrics: Electronic: Physical: Cable Locks: Lock your hardware to the physical location
Network interface card teaming
Blocks data transfer when connecting to USB port
Power: Uninterruptible power supply (UPS)
Attackers avoid light Fence: Tall, hard to cut, see-through or not
Power: Generator
Detects your access card
Power: Dual supply
Identify water leaks
Managed power distribution units (PDUS)
Blocks electromagnetic fields Not a comprehensive solution because not all signal types can be blocked
Replication
Separate subnet from the internal network
Storage area network
Physically secure the data
VM Replication
Physical separation between networks
On-premises vs. cloud Replication
Secured ROOM to store backup media or other important things
Backup types
Smaller object to protect things
Backup types: Full
Hot air is taken out
Backup types: Incremental
Cool air is blown here
Backup types: Snapshot
Burning: No going back Shredding: Pulping: Removes the ink and recycles paper Pulverizing: Degaussing: Strong electromagnetic field to destroy Third-party solutions:
Backup types: Differential
Proves the message was not changed and is not fake: sign with a private key and verify with a public key
Backup types: Tape
Add some random data
Backup types: Disk
Refers to the process used to exchange keys between users who send a message and those who receive it.
Backup types: Copy
An algorithm that uses elliptic curves instead of prime numbers to compute keys. Good for low CPU devices
Backup types: Network-attached storage (NAS)
Public key systems that generate random public keys that are different for each session.
Backup types: Storage area network
Protect against eavesdropping using quantum cryptography - Send unbreakable encryption because if it's identical on both sides then the key was not viewed during transmission
Backup types: Cloud
1 and 0 can both be in the same bit at the same time, compared to traditional computing
Backup types: Image
Breaks our existing encryption mechanism
Backup types: Online vs. offline
Temporary
Backup types: Offsite storage- Distance considerations
Authenticated: Unauthenticated: Counter:
Non-persistence
Keep track of transaction Everyone on the blockchain network maintains the ledger Cryptocurrency
Revert to known state
Stream: Encrypt one bit or byte at a time, used with symmetric encryption. High speed, low hardware complexity Block: Encrypt fixed-length group (64 bit/128 bit)
Last known-good configuration
Symmetric - A single, shared key for all encryption Doesn't scale very well Asymmetric - Two (or more) mathematically related keys - Public Key - anyone can see it - Private Key - used to decrypt what was encrypted with the public key - Two-way encryption and decryption Basically - I need the public key from another user to send them encrypted information, they need their private key to decrypt that information Con - requires CPU power to decrypt information
Live boot media
Low CPU and power requirement
High availability (Scalability)
Audio: Hide information in Audio Video: Hide information in Video Image: Hide information in Image
Restoration order
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
Diversity: Technologies
Confidentiality Integrity Obfuscation - hides malware code from the computer
Diversity: Vendors
Mobile devices, portable systems Requires ECC for asymmetric encryption
Diversity: Crypto
Fast computation time
Diversity: Controls
Most powerful encryption possible - longer keys
Embedded systems
Modern malware tries to hide itself. Encrypted data hides the active malware code. Decryption occurs during execution.
Raspberry Pi
Password hashing. Protect the original password. Add salts to randomize the stored password hash.
Field Programmable Gate Array (FPGA)
A digital signature provides both integrity and the origin of the data. Confirm the authenticity of data. The only person that could have sent the data is the sender. Example - Message Authentication Code (MAC)
Arduino
Needs speed and CPU power
Supervisory control and date acquisition (SCADA)/ Industrial Control System (ICS)
Make sure the size doesn't increase past your limit Blocks must be a fixed length, so if the data is short, additional padding data is added in
Facilities
Larger keys are better
Industrial
Asymmetric is slower than symmetric
Manufacturing
A specific cryptographic technology can become less secure over time
Energy
Random numbers are critical Nothing can be predictable
Logistics
Single key is a Single point of failure Multiple keys require more overhead
Internet of Things (IoT)
IoT devices have limited CPU, memory, power
Sensors
Encrypted terminal communication and file transfer
Smart devices
For encrypted telephone calls
Wearables
Protocol for reading and writing directories over an IP network
Facility automation
Using SSL to encrypt data NOT SFTP
Weak defaults
Using SSH to transfer files Allows - File system functions - Resuming after an interruption
Specialized Medical systems
Internet Protocol Security - communication between two locations - data is encrypted Very standardized - common in use Setup - Authentication Header - Encapsulation Security Payload
Specialized Vehicles
AH - Hash of the packet and a shared key This doesn't provide encryption - Provides integrity - Guarantees data origin - Prevents replay attacks ------------------------------------- Encapsulation Security Payload - Encrypts and authenticates the tunneled data - Combines with AH for integrity and authentication of the outer header
Specialized Aircraft
Two ways to send encrypted data Transport - IP Header / IPsec Header / Data / IPsec Trailer Tunnel - New IP Header / IPsec Header / IP Header / Data / IPsec Trailer Difference - In transport mode the original headers are not encrypted - In tunnel mode they are - Tunnel mode is also better and more common
Specialized smart meters
NTP
Voice over IP (VoIP)
S/MIME - Secure/Multipurpose Internet Mail Extensions - public key encryption and digital signing of mail content Secure POP and Secure IMAP - Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL SSL/TLS - If the mail is browser based always encrypt with SSL
Heating, ventilation, air conditioning (HVAC)
The process of converting a domain name into a public IP address. DNSSEC - Domain Name System Security Extension
Drones
Automated subscriptions/updates - Anti-virus / Anti-malware signature updates - IPS updates - Malicious IP address databases / Firewall updates Constant updates use a different method of updating (different protocols and communicating with different IP addresses) Check for encryption and integrity checks - so that we know we are getting information from trusted sources
Multifunction printer (MFP)
Protect all user end points
Real-time operating system (RTOS)
Protection from specifically malware (Trojans, worms, macro viruses) Both terms are usually used interchangeably nowadays
Surveillance systems
Malware refers to broader category (spyware, ransomware, fileless malware) Both terms are usually used interchangeably nowadays
System on chip (SoC)
A method of threat protection - Scales to meet the increasing number of threats Detection of malicious code without using just signatures. Includes - Behavioral analysis, machine learning, process monitoring - Looking for actions instead of signatures Respond to the threat - Isolate the system - Quarantine the threat - Rollback
Communication considerations: 5G
Data Loss Prevention Stop the data before the attacker gets it If the system detects that sensitive data is being sent outside the system, it can block it
Communication considerations: Narrow-band
Firewall of the network Identify applications on the network and filter their data Broad Security controls - Sets policies for application's features (allow viewing of Twitter but no posting to it) - Identify attacks and malware - Examine encrypted data - Prevent access to URLs or URL categories
Communication considerations: Baseband radio
Firewall of the endpoint Software-based firewall (Personal firewall) - Allow/disallow incoming/outgoing traffic - ID and block unknown processes
Subscriber identity module (SIM) cards
Uses log files to ID intrusions
Zigbee
Recognize and block known attacks Uses log files to ID intrusions HIPS Identification - Signatures, heuristics, behavioral - Buffer overflows, registry updates, writing files to the Windows folder - Access to non-encrypted data IPS can be either detective or preventive
Constraints: Power
Perfect infection point - Control of the kernel mode - means the control of everything Chain of trust - Secure boot, trusted boot, and measured boot
Constraints: Compute
Security of software The BIOS contains the manufacturer's public key so no one can push a fake update to your computer Secure boot verifies the bootloader so that no software can change the boot order
Constraints: Network
Checks nothing on this computer has changed UEFI stores the hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process - Stored in the TPM of the system
Constraints: Crypto
Device provides an operational report to a verification server - If anything on the computer is different compared to what is stored on the server, the system can be shut down
Constraints: Inability to patch
Don't store the actual data in the database but store a token. Replace sensitive data with a non-sensitive placeholder - Common with credit card processing Nothing is hashed or encrypted. The original data and token aren't mathematically related.
Constraints: Authentication
Random data added to a password when hashing. Salts should all be random. Rainbow tables won't work with salted hashes because the random values prevent matching against unsalted hashes.
Constraints: Range
Hashes represent data as a fixed length string of text. Must have - No collisions - One-way trip
Constraints: Cost
What is the expected input. - Document all inputs. - Check and correct all input (normalization)
Constraints: Implied trust
Secure cookies have a secure attribute set - The browser will only send them over HTTPS Sensitive information should not be saved in cookies.
Bollards/barricades
Allows or disallows certain tasks in communication. Enforces HTTPS communication Prevents XSS attacks - Only allow scripts, stylesheets, or images from the local site - Prevent data from loading in an inline frame (iframe)
Access control vestibules
The application code can be digitally signed by the developer. - A trusted CA signs the developer's public key. - Developer signs the code with their private key. - For internal apps, use your own CA
Badges
Analysis of source code carried out without execution of that software.
Alarms
Send random input to an application to find an opportunity for an exploit.
Signage
A technique of penetration testing that can include providing unexpected values as input to an application to make it crash. Takes a lot of time and processing power.
Cameras
Minimize the attack surface - Remove all possible entry points.
Motion recognition and object detection
Every open port is a possible entry point. Close everything except required ports. Controlled by the firewall - IP - Ports NGFW (Next-Gen Firewall) - Controls applications
closed circuit television (CCTV)
Primary configuration database for Windows. Almost everything can be configured from the registry. Some registry changes are important security settings - Configure registry permissions. - Disable SMBv1 (leaving it enabled is a vulnerability)
Industrial camouflage
Best protection against data compromise in the event of physical theft of the device.
Personnel
Keep OS up to date. User Accounts - Minimum password lengths and complexity. - Account limitations
Locks
Monthly updates Third-party updates Auto-update: not always the best option because updates need to be checked to be good first - However, if it is an important update, then it will be pushed in.
USB data blocker
Opal:
Lighting and fencing
The hardware starting point in a chain of trust. The trust has to start somewhere - Trusted Platform Module (TPM) - Hardware Security Module (HSM) - Designed to be the hardware root of the trust
Fire suppression
Hardware Security A specification for cryptographic functions - Hardware to help with encryption Cryptographic processor - Random number generator Persistent memory - Comes with a unique key Versatile memory - Storage of keys, hardware configuration information Password protected - No dictionary attacks
Sensors: Motion detection
Applications cannot access unrelated resources.
Sensors: Noise detection
Split tunnel - Admin can config data to be sent into the tunnel while other data can be sent to outside the tunnel Full tunnel - VPN Concentrator decrypts VPN's data - User can't send data to another device not part of the tunnel
Sensors: Proximity Reader
Site-to-site (Corporate Network to remote site) - VPN Concentrator to VPN concentrator
Sensors: Moisture detection
Internet Protocol Security - Security for OSI Layer 3 - Encryption and packet signing - Very standardized Two core IPSec protocols - Authentication Header - Encapsulation Security Payload
Sensors: Cards
No firewall issue - No requirement for digital certificates or shared passwords like IPSec - Can be run from browser
Sensors: Temperature
- API support - Web cryptography API - No application needed, all in browser Needs - A browser that supports HTML5
Visitor logs
Control at the edge - hard to change - Your internet link - Managed primarily through firewall rules - Firewall rules rarely change Access Control - rules can change at anytime - Control from wherever you are - Access can be based on many rules - Access can be easily revoked or changed
Faraday cages
Physical ports Control and Protect - Limit overall traffic - Control specific traffic types - Watch for unusual or unwanted traffic
Air gap
The switch can control broadcasts - Limit the number of broadcasts per second Can often be used to control multicast and unknown unicast traffic Manage by specific values or percentages - Control amount of broadcasts
Screened subnet
Spanning tree takes time to determine if a switch port should forward frames - Bypass the listening and learning states of Spanning Tree Protocol because we expect an end user device to be connected - Problem - this trust can be abused by connecting another switch, and then there would be another loop Solution - BPDU guard - The switch constantly watches for a BPDU frame, which indicates a possible switch on this connection, and disables the interface before a loop can happen.
Protected cable distribution
Connect two switches to each other - They'll send traffic back and forth forever - Bringing down a network Spanning tree protocol prevents loops - Block ports to disconnect loops - If a path crashes then the protocol will create a new path to communicate to the destination
Secure areas
IP tracking on a layer 2 device (switch) - The switch is a DHCP firewall - Trusted: Routers, switches, DHCP servers - Untrusted: Other computers, unofficial DHCP servers Switch watches for DHCP conversations - Adds a list of untrusted devices to a table Filters invalid IP and DHCP information - Static IP addresses - Devices acting as DHCP servers - Other invalid traffic patterns
Secure areas: Air Gap
Media Access Control - Hardware address Limit access through the physical hardware address
Secure areas: Vault
Access secure network zones - Provide an access mechanism to a protected network
Secure areas: Safe
Sits between the user and the external network - Receives the user requests and sends the requests on their behalf (the proxy) - Useful for caching information, access control, URL content scanning Forward: Controls users' access to the internet Reverse: Users of the internet hit your proxy to gain access to your network (reverse of forward) Open: Third-party, uncontrolled proxy - big security concern because the data can be changed
Secure areas: Hot aisle
Intrusion Detection System/Prevention System - Watch network traffic Intrusions - Exploits against OS, apps, etc. - Buffer overflow, cross-site scripting Detection vs Prevention Detection - Alarm you but may not prevent Prevention - Stop it before it gets into the network
Secure areas: Cold aisle
Looks for a perfect match of malicious code
Secure data destruction
Heuristics - Use AI to identify attacks Behavior - Observe and report attacks
Digital signatures:
Build a baseline of what's normal on your network. - Any anomaly will report the attack
Key length
Passive - Examine a copy of the traffic - No way to block in realtime Inline - Malicious traffic is immediately identified
Key stretching
Collect information to give to the collector - Intrusion prevention systems - Firewall logs - Authentication logs - Web server access logs - Database transaction logs - Email logs
Salting
Collects data from sensors and represent it to the admin in a report format. - syslog servers - SIEM consoles
Key exchange
Not like a normal firewall - Applies rules to HTTP/HTTPS conversations Allow or deny based on expected input - Upon seeing SQL injection, deny the input
Elliptic Curve Cryptography (ECC)
Next-Generation Firewall Control applications along with the default of the old firewall - Intrusion Prevention Systems - Network-based firewall OSI Application Layer Requires some advanced decodes - Every packet must be analyzed and categorized before a security decision is determined Content filtering
Perfect forward secrecy
Stateful firewall remembers the state of the session - Only one rule needed for each connection ACLs Table -> Session Table
Quantum communication
Older Does not keep track of traffic flow - Both directions need their own set of rules (in/out)
Quantum computing
Old - replaced with NGFW Unified Threat Management - URL filter/ Content inspection - Malware inspection - Spam filter - CSU/DSU - Router, Switch - Firewall - IDS/IPS - Bandwidth shaper - VPN endpoint
Post-quantum
Open source - Provide traditional firewall functionality Proprietary - features include application control and high-speed hardware
Ephemeral
Hardware - Purpose built hardware provides efficient and flexible connectivity options Software - firewalls can be installed almost anywhere
Modes of operation
Appliance - Provide the fastest throughput Host-based - Are application-aware and can view non-encrypted data Virtual - provide valuable East/West network security
Blockchain and public ledgers
Port taps:
Cipher Suites
WPA2 encryption - CCMP block cipher mode - Encryption of wifi - Message Integrity Check Problems - PSK Brute-force attack - if the attacker has one part of the key by listening to the four-way handshake - When the attacker has the hash they can brute-force PSK - Pre-shared key
Symmetric vs. asymmetric
WPA3 encryption - GCMP block cipher mode - Encryption of wifi - Stronger than WPA2 - Message Integrity Check Upgrade from WPA2 - Include mutual authentication - Create a shared session key without sending that key across the network - No more four-way handshakes, hashes - New key per session
Lightweight cryptography
Used with WPA2 for encryption and integrity check
Steganography
- Key exchange with an authentication component - Everyone uses a different session key, even with the same PSK - An IEEE standard - the dragonfly handshake
Homomorphic Encryption
An authentication framework that provides general guidance for authentication methods.
Common use cases
Uses a TLS tunnel, but instead of a shared secret (PAC) it uses a digital certificate. The server needs the certificate but the users do not.
Low power devices
EAP-Flexible Authentication via Secure Tunneling Supplicant receives PAC Supplicant and AS mutually authenticate and negotiate a TLS tunnel User authentication occurs over the TLS tunnel
Low latency
EAP-Transport Layer Security - Uses PKI, requiring both server-side and client-side certificates. Very strong security
High resiliency
Extensible Authentication Protocol-Tunneled Transport Layer Security Requires a digital certificate on the Authentication Server - Does not require digital certificates on every device - Builds a TLS tunnel using this digital certificate Once the tunnel is created, other authentication methods can be used inside the TLS tunnel - Other EAPs - MSCHAPv2 - Anything else
Supporting confidentiality
A standard that authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails.
Supporting integrity
Link a user's identity across multiple authentication servers
Supporting Obfuscation
PSK - Everyone uses the same key to log in Enterprise - Authenticates users individually with the authentication server Open - No password is required
Supporting Authentication
An automated setup for mobile devices. Different ways to connect - PIN configured on the access point - Push a button on the access point - Near field communication - bring the mobile device close to the access point Problems - WPS sucks because it is easy to brute force
Supporting Non-Repudiation
Authentication to the network - When you try to connect to a Starbucks WiFi and they send you to some page to accept something - Removes access after the session expires
Limitations: Speed
Sample the existing wireless spectrum Identify existing access points Work around existing frequencies - layout and plan for interference Plan for ongoing site surveys - things will certainly change
Limitations: Size
Identify wireless signal strengths
Limitations: Weak keys
Analyze the wifi of the area - Signal coverage - Potential interference
Limitations: Time
Overlapping channels - Frequency conflicts - use non-overlapping channels - Automatic or manual configurations
Limitations: Longevity
Minimal overlap - Maximize coverage, minimize the number of access points Avoid interference - Electronic devices (microwaves) - Building materials - Third-party wireless networks Signal control - Place APs where the users are - Avoid excessive signal distance
Limitations: Predictability
Wireless controllers - Centralized management of wireless access points - Manage system configuration and performance Securing wireless controllers - Control access to the management console - Use strong encryption with HTTPS - Automatic logout after no activity Securing access points - Use strong passwords - Update to the latest firmware
Limitations: Reuse
Mobile devices Separate land into cells Security concerns - Traffic monitoring - Location tracking - Worldwide access to a mobile device
Limitations: Entropy
Local network access Same security concerns as cellular - Data capture - On-path attack - modify/monitor data - DoS
Limitations: Computational overheads
High speed communication over short distance Connects to our mobile devices - Car - Headset
Limitations: Resource vs. security constraints
Near field communication - Payment systems Security Concerns - Information can be captured but you have to be close - Jamming is possible - Relay/Replay attack - Loss of the NFC device will make you unable to use its NFC functions
Protocols
Connecting two devices
Domain Name System security extension (DNSSEC)
Example - router to all devices in the house - Does not imply full connectivity between nodes
SSH
Created by the US DoD - Over 30 satellites currently in orbit - Need 4 satellites to be precise
Secure/multipurpose Internet Mail Extensions (S/MIME)
It's everywhere - Access badges - Inventory/Assembly line tracking - Pet/Animal identification - Anything that needs to be tracked Radar technology - Bidirectional communication - RF powers the tag, ID is transmitted back
Secure Real-time Protocol (SRTP)
Hardware Security Module that has shrunk to a microSD card form factor Provides: - Encryption - Key generation - Digital signatures - Authentication Secure storage: - Protect private keys - Cryptocurrency storage
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
UEM - Allows end users to use different devices all together with the same security policy - All devices can be used anywhere and not one place
File Transfer Protocol Secure (FTPS)
Provision, update, and remove apps - Keep everyone running at the correct version Create an enterprise app catalog - Users can choose and install the apps they need Monitor application use Wipe application from use
SSH File Transfer Protocol (SFTP)
Security enhancements for Android - Supports access control security policies Goal - Provide security for the entire Android policy system Protect privileged Android system daemons Centralized Policy Configuration - Manages Android deployments
Simple Network Management Protocol, version 3 (SNMPv3)
Centralized app store - Apple App Store - Google Play Not all applications are secure - Vulnerabilities, data leakage Not all applications are appropriate for business use - Games, IM, etc. MDM can allow or deny app store use
Hypertext transfer protocol over SSL/TLS (HTTPS)
Mobile devices are purpose-built systems with no need to access the OS Android - Rooting Apple - Jailbreaking To do: - Install custom firmware and replace the existing OS Uncontrolled access - MDM becomes useless
IPSec
Go outside the scope of the App Store and download and install apps directly
Authentication header (AH)/Encapsulating Security Payloads (ESP)
Replaces the OS and makes the MDM useless
Tunnel/transport
Most phones are locked to a carrier because the carrier is subsidizing the cost of the phone You can unlock the phone: - If your carrier allows it from paying it off or having it for a while - A carrier lock may be illegal in your country Moving carriers can put your MDM at risk
Secure Post Office Protocol (POP)/ Internet Message Protocol (IMAP)
The OS of mobile devices is constantly changing Updates are over the air Not every update is a good update
Use cases
Cameras are controversial - Corporate espionage, inappropriate use Almost impossible to control on the device Camera use can be controlled by the MDM - Always disabled - Enabled except for certain locations
Voice and video
Short Message Service/Multimedia Messaging Service - Text messages, video, audio Control of data can be a concern: - Data leak, financial disclosures - Inbound notifications, phishing attempts MDM can enable or disable SMS/MMS
Time synchronization
Store data onto external or removable drives MDM can set security policies on these devices
Email and web
Cable that connects a mobile device directly to another device
File transfer
Capturing audio has a lot of legal concerns depending on your state MDM can disable or geo-fence the feature
Directory services
Phone knows your location - Adds your location to document metadata - Every document may contain a geotag
Remote access
We're so used to access points Ad hoc: Connect wireless devices directly with one another Wi-Fi Direct: Simplifies the process - Easily connect many devices together - Common to see in home devices Simplification can add vulnerabilities
Domain Name resolution
Use your personal wireless router for other devices Concern - Could accidentally allow outsiders into the network
Routing and switching
Apple Pay, Android Pay, Samsung Pay NFC
Network address allocation
Personal use and corporate use of a personal device
Subscription services
Corporate owned, with personal use allowed
Endpoint protection
You can choose what device to get and the company buys it for company/personal use
Antivirus
No personal use at all
Anti-malware
All the data is stored somewhere else (not on your mobile device) and you connect to it Applications can be managed centrally - No need to update all mobile devices
Endpoint detection and response (EDR)
One permission mistake can cause a data breach Public access should not be default Options: - Identity and Access Management (IAM) - Bucket policies - Globally blocking public access - Don't put data in the cloud unless it really needs to be there
DLP
Cloud data is more accessible than non-cloud data Server-side encryption - Encrypt the data in the cloud - Data is encrypted when stored on the disk Client-side encryption - Data is already encrypted when sent to the cloud - Performed by the application Key management is critical
Next-generation firewall (NGFW)
Copy data from one place to another Disaster recovery, high availability - Plan for problems - Maintain uptime if an outage occurs - Hot site for disaster recovery Data analysis - Analytics, big data analysis Backups - Constant duplication of data
Host-based firewall
Always available in case of emergency
Host-based intrusion detection system (HIDS)
A cloud contains virtual devices - Servers, databases, storage devices Virtual switches, virtual routers - Build the network from the cloud console - The same configurations as a physical device Difference - Changes can be made at any time - Fast
Host-based intrusion prevention system (HIPS)
Private cloud - All internal IP addresses - The only way to connect is to use some kind of private network - No access from the internet Public cloud - External IP address - Anyone can connect Hybrid cloud - Best of both worlds
Boot integrity
The cloud contains separate VPCs, containers, and microservices Separation is a security opportunity - Data is separate from the application - Add security systems between application components Virtualized security technologies - Web Application Firewall (WAF) - Next-Generation Firewall (NGFW) -- Many NGFWs include an Intrusion Prevention System (IPS) to check for known malicious code that may be on the network
Boot security/ Unified Extensible Firmware Interface(UEFI)
Microservice architecture: API calls can include risk - Attempts to access critical data - Geographic origin - Unusual API calls API monitoring - View specific API queries - Monitor incoming and outgoing data
Measured boot
A firewall for compute instances - Control inbound and outbound traffic flows Layer 4 port number - TCP or UDP port Layer 3 address - Individual addresses - CIDR block notation - IPv4 or IPv6
Boot attestation
Provision resources when they are needed - Based on demand - Provisioned automatically Scale up and down - Allocate compute resources where and when they are needed - Rapid elasticity - Pay for only what's used Ongoing monitoring
Database Tokenization
Granular security controls - Identify and manage very specific data flows - Each instance of a data flow is different Define and set policies - Allow uploads to the corporate box.com file share - Deny certain uploads to a personal box.com file share
Database salting
VPC gateway endpoint - Allow private cloud subnets to communicate to other cloud services Keep private resources private - Internet connectivity not required
Database hashing
Containers have similar security concerns as any other application deployment method - Bugs, insufficient security controls, misconfigurations Use a container-specific OS - A minimalist OS designed for containers Group container types on the same host - The same purpose, sensitivity, and threat posture - Limit the scope of any intrusion
Application security
Cloud access security broker - Enforce security policy on users Four characteristics - Visibility: Determine what apps are in use and whether they are authorized - Compliance: Are users complying with HIPAA, PCI? - Threat prevention: Allow access by authorized users, prevent attacks - Data security: Ensure that all data transfers are encrypted, protect the transfer of PII, DLP
Input validations
Secure cloud-based applications - Application misconfigurations - Authorization and access - API security
Secure cookies
Protect users and devices Go beyond URLs and GET requests - Examine the application API - Dropbox for personal use or corporate use Examine JSON strings and API requests - Allow or disallow certain activities Instance-aware security - A development instance is different than a production instance
Hypertext transfer Protocol (HTTP) headers
Cost: Need for segmentation: Between microservices, VMs, or VPCs Open Systems Interconnection (OSI) layers: Layer 4 TCP/UDP, Layer 7 applications
Code signing
Cloud native controls - Integrated and supported by cloud provider - Many configuration options - No additional cost - Security is part of the infrastructure Third-party solutions - Support across multiple cloud providers - Single pane of glass - Extend policies outside the scope of the cloud provider - More extensive reporting
Allow list
A service that can vouch for who a person is. Third party application providing identity. Standards - SAML, OAuth, OpenID Connect, Etc.
Block list / deny list
An identifier or property of an entity Personal attributes - Name, email, phone number, employer ID - Department name, job title, mail stop One or more attributes can be used for identification.
Secure coding practices
Digital certificate - Assigned to a person or device Bind the identity of the certificate owner to a public and private key - Encrypt data - Create a digital signature Requires an existing public-key infrastructure (PKI) - The Certificate Authority (CA) is the trusted entity - The CA digitally signs the certificates
Static code analysis
USB Token - Certificate is on the USB device
Dynamic code analysis
Secure Shell (SSH) - Secure terminal communication Use a key instead of username and password - Public/private keys - Critical for automation
Fuzzing
- Integrates with devices - May require a PIN
Hardening
An account on a computer associated with a specific person - Associates the user with an ID number - Storage and files can be private to that user even if another person uses the same computer - No privileged access to the OS - Most people will have this type of account
Open ports and services
Shared account issues - No way to know exactly who was working - Difficult to determine the proper privileges - Everyone needs to be notified of a password change Don't do this
Registry
Access to a computer for guests - No access to change settings, modify applications, or view other users' files - Usually no password - Can cause security problems - Must be controlled
Disk encryption
Used exclusively by services running on a computer - No interactive/user access - Web server, database server, etc. Access can be defined for a specific service - Web server rights and permissions will be different than database server Commonly use usernames and passwords - You'll need to determine the best policy for password updates
OS
Make your password strong to prevent brute-force attacks At least 8 characters
Patch management
System remembers passwords used in the past
Self-encrypting drive (SED)/ full disk encryption (FDE)
Network location - Based on IP subnet
Hardware root of trust
Automatically allow or restrict access when the user is in a specific location
Trusted Platform Module (TPM)
Metadata of a document or file - GPS coordinates
Sandboxing
Determines a user's location based on geolocation - GPS - 802.11 - IP address
Load balancing:
Access only during normal work hours
Load balancing: Active/active
Control access to an account
Load balancing: Active/passive
Is everything following the policy? - Audits are used to make sure people are following the policies Things to look for when auditing - Permissions (everyone getting an admin account) - Usage (how resources are being used)
Load balancing: Scheduling
Account is locked out after too many incorrect passwords - Prevents brute-force attacks
Load balancing: Virtual IP
Disable account - Part of the normal change process (when someone leaves the company) - You don't want to delete accounts because they may contain important decryption keys
Load balancing: Persistence
Hardware-based authentication
Network segmentation
Password managers
Virtual local area network (VLAN)
Trusted Platform Module A specification for cryptographic functions - Hardware to help with all of this encryption stuff Cryptographic processor - Random number generator Persistent memory - Comes with a unique key during production Password protected - No dictionary attacks
East-west traffic
Use personal knowledge as an authentication factor Static KBA - Pre-configured shared secrets - Often used with account recovery - What was the make and model of your first car? Dynamic KBA - Questions are based on an identity verification service - What was your street number when you were living in Texas
Extranet
Challenge-Handshake Authentication Protocol - Encrypted challenge sent over the network Three-way handshake - After the link is established, the server sends a challenge message - Client responds with a password hash calculated from the challenge and the password - Server compares the received hash with the stored hash Challenge-response continues - Occurs periodically during the connection - User never knows it happens Overall: - We are only sending challenges - Or responses to challenges Variations: MS-CHAP - still sucks and old
Intranet
A basic authentication method - Used in legacy OS - Rare to see used on its own Problem: PAP is in the clear - Weak authentication scheme - Non-encrypted password exchange - We didn't require encryption on analog dial-up lines - The APPLICATION would need to provide any encryption
Zero Trust
The IEEE standard that defines port-based security for wireless network access control Used in conjunction with an access database - RADIUS, LDAP, TACACS+
VPN: Always-on
Remote Authentication Dial-in User Service One of the more common AAA protocols - Supported on many platforms/devices, not just dial-in Centralize authentication for users - Routers, switches, firewalls Available - On almost any server OS Usage - VPN concentrator
VPN: Spilt tunnel vs.full tunnel
Using one authentication credential to access multiple accounts or applications.
VPN: Remote access vs. site-to-site
Open standard for authentication and authorization - You can authenticate through a third party to gain access - One standard does it all, sort of Not originally designed for mobile apps - This has been SAML's largest roadblock Flow: Client -> Resource Server -> Client -> Authorization Server -> Client -> Resource Server
VPN: IPSec
TACACS (old) - Remote authentication protocol - Created to control access to dial-up lines to ARPANET TACACS+ - The latest version of TACACS, not backward compatible - More authentication requests and response codes - Released as an open standard in 1993 Usage - Cisco devices
VPN: SSL/TLS
Authorization framework - Determines what resources a user will be able to access Created by Twitter, Google, and many others Not an authentication protocol - OpenID Connect handles the single sign-on authentication - OAuth provides authorization between applications Example - Zapier wants to access your Google Account: This will allow Zapier to see, edit, create, and delete all of your Google Drive files
VPN: HTML5
Network authentication protocol - Authenticate once, trusted by the system - No need to reauthenticate to everything - Mutual authentication - the client and the server: Protects against on-path or replay attacks Integrated into Microsoft Usage - Microsoft networks
VPN: Layer 2 tunneling protocol (L2TP)
DNS
Users can have complex relationships to applications and data - Access may be based on many different criteria ABAC can consider many parameters Combine and evaluate multiple parameters - Resource information, IP address, time of day, desired action, relationship to the data, etc.
Network access control (NAC)
You have a role in your organization - Manager, director, team lead, project manager Administrators provide access based on the role of the user - Rights are gained implicitly instead of explicitly In Windows, use Groups to provide role-based access control - You are in shipping and receiving so you can use the shipping software - You are the manager, so you can review shipping logs
NAC: Agent and agentless
Generic term for following rules - Condition other than who you are Access is determined through system-enforced rules - System administrators, not users The rule is associated with the object Rule examples
Out-of-band management
Mandatory Access Control The OS limits the operation on an object - Based on security clearance levels Every object gets a security label - Confidential, secret, top secret, etc. Labeling of objects uses predefined rules - The administrator decides who gets access to what security level - Users cannot change settings
Port security
You create a spreadsheet - As the owner, you control who has access - You can modify access at any time Very flexible access control - And very weak security
Broadcast storm prevention
Difficult to apply old methods of authentication to new methods of working - Mobile workforce, many different devices, constantly changing cloud Conditions - Employee or partner, location, type of application accessed, device Controls - Allow or block, require MFA, provide limited access, require password reset Administrators can build complex access rules - Complete control over data access
Bridge Protocol Data Unit (BPDU) guard
Managing superuser access - Administrator and Root - You don't want this in the wrong hands Store privileged accounts in a digital vault - Access is only granted from the vault by request - These privileges are temporary PAM advantages - Centralized password management - Enables automation - Manage access for each user - Extensive tracking and auditing
Loop prevention
Store files and access them Accessing information - Access control list - Group/user rights and permission Encryption can be built in
Dynamic Host configuration Protocol (DHCP) snooping
Media access control (MAC) filtering
- Certificates are based on the name of the server - A wildcard domain will apply to all server names in a domain - *.google.com -> something.google.com
Network appliances
SAN - Extension to an X.509 certificate - Lists additional identification information - Allows a certificate to support many different domains A single certificate can support many websites
Network appliances: Jump servers
Developers can provide a level of trust - Applications can be signed by the developers The user's OS will examine the signature - Checks the developer's signature - Validates that the software has not been modified Is this trusted software?
Network appliances: Proxy servers
Internal certificates don't need to be signed by a public CA - Your company is the only one going to use it - No need to purchase trust for devices that already trust you Build your own CA - Issue your own certificates signed by your own CA Install the CA certificate/trusted chain on all devices - They'll now trust any certificate signed by your company
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
You have to manage many devices How can you truly authenticate a device? - Put a certificate on the device that you signed Other business processes rely on the certificate - Access to the remote access VPN from authorized devices - Management software can validate the end device
Signature-based
Use cryptography in an email platform - You'll need public key cryptography Encrypting emails - Use a recipient's public key to encrypt Receiving encrypted emails - Use your private key to decrypt Digital signatures - Use your private key to digitally sign an email - Non-repudiation, integrity
Heuristic/behavior
Associate a certificate with a user - A powerful electronic ID card Use as an additional authentication factor - Limit access without the certificate Integrate onto smart cards - Use as both a physical and digital access card
Anomaly
The public key certificate that identifies the root CA (Certificate Authority) - Everything starts with this certificate The root certificate issues other certificates THIS IS A VERY IMPORTANT CERTIFICATE - Take all security precautions - Access to the root certificate allows for the creation of any trusted certificate - Access would allow attackers to create any type of certificate under your domain
Inline vs. passive
Owner of the certificate has some control over a DNS domain
HSM
- Additional checks have verified the certificate owner's identity - Browsers used to show a green name in the address bar (BANK OF AMERICA CORPORATION US) - Promoted the use of SSL, which is now outdated
Collectors
Privacy enhanced mail (PEM) - Format designed to transfer syntax for data structures - Binary format
Aggregators
A very common format - BASE64 encoded DER certificate - Generally the format provided by CAs - Supported on many different platforms ASCII format - Letters and numbers - Easy to email - Readable
Firewalls
Primarily a Windows X.509 file extension - Can be encoded as binary DER format or as the ASCII PEM format Usually contains a public key - Private keys would be transferred in the .pfx file format Common format for Windows certificates - Look for the .cer extension
Web application firewall (WAF)
PKCS #12 - Public Key Cryptography Standards #12 .p12/.pfx file Transfer multiple certificates at one time This is a container format for many certificates - Often used to transfer a private and public key pair - The container can be password protected
NGFW
Public Key Cryptography Standards #7 .p7b file Stored in ASCII format Contains certificates and chain certificates - Private keys are not included in a .p7b file
Stateful
Stateless
Distribute the load - Then take the root CA offline and protect it Root CA -> Intermediate CA -> Issued certificates
Unified threat management (UTM)
Online Certificate Status Protocol - Provides scalability for OCSP checks The CA is responsible for responding to all client OCSP requests - This may not scale well Instead, have the certificate holder verify their own status - Status information is stored on the certificate holder's server OCSP status is "stapled" into the SSL/TLS handshake - Digitally signed by the CA
Network address translation (NAT) gateway
You're communicating over TLS/SSL to a server - How do you really know it's the legitimate server? "Pin" the expected certificate or public key to an application - Compiled into the app or added at first run If the expected certificate or public key doesn't match, the application can decide what to do - Shut down, show a message
Firewalls: Content/URL filter
Single CA - Everyone receives their certificates from one authority Hierarchical - Single CA issues certs to intermediate CAs Mesh - Cross-certifying CAs - Doesn't scale well Web-of-trust - Alternative to traditional PKI Mutual Authentication - Server authenticates to the client and the client authenticates to the server
Firewalls: Open-source vs. proprietary
Someone else holds your decryption keys - Your private keys are in the hands of a third party This can be a legitimate business arrangement - A business might need access to employee information - Government agencies may need to decrypt partner data
Firewalls: Hardware vs. software
Chain of trust - List all of the certs between the server and the root CA The chain starts with the SSL certificate - And ends with the Root CA certificate Any certificate between the SSL certificate and the root certificate is a chain certificate - Or intermediate certificate The web server needs to be configured with the proper chain - Or the end-user may receive an error