WIFI WPA Comparison
Wi-Fi Protected Setup (WPS)
Lets users connect devices to a secure Wi-Fi network without having to manually enter the Wi-Fi password.
* Uses methods like push-button or PIN.
* Security experts and vendors often recommend disabling WPS.
Wi-Fi Protected Access (WPA)
Security protocol that protects Wi-Fi networks.
* RC4 stream cipher
* TKIP (Temporal Key Integrity Protocol)
* Uses 802.1X / EAP for enterprise networks.
* Supports pre-shared keys (PSK) for home networks.
* Now insecure
GCM vs CCMP vs TKIP (Wi-Fi Context)
| Protocol | Encryption | Used In | Notes |
| --- | --- | --- | --- |
| TKIP | RC4-based | WPA1 | Weak, deprecated, pre-shared key |
| CCMP | AES-CCM | WPA2 | Very secure |
| GCMP | AES-GCM | WPA3 | Even faster & secure |
Enhanced Open—encrypts traffic between devices and the access point, even without a password, which increases privacy and security on open networks.
Wi-Fi Easy Connect—allows connecting devices by scanning a QR code, reducing the need for complicated configurations while maintaining secure connections.
Network Security
Firewall - first line of defense. Monitors and controls incoming and outgoing network traffic based on predetermined rules. Acts as a barrier between a trusted internal network and untrusted external networks.
Intrusion detection systems (IDS) monitor network traffic for signs of possible incidents and alert system administrators when such activities are detected.
Intrusion prevention systems (IPS) not only detect but also prevent identified threats by automatically taking action, such as blocking network traffic or terminating connections.
Web filters complement these measures by controlling access to Internet content. They prevent users from accessing potentially malicious websites, block the download of malicious files, and can even monitor and control access to restricted sites.
Access Control Lists (ACL) - list of permissions associated with a network device (router or a switch), controls traffic at a network interface level.
- typically use packet information like source and destination IP addresses, port numbers, and the protocol to decide whether to permit or deny the traffic.
- traffic control across the network
IDS/IPS
Host-based IDS/IPS (HIDS/HIPS)
* Installed on individual systems or servers; they monitor and analyze system behavior and configurations for suspicious activities.
* Use signature-based detection, anomaly detection, and behavior analysis to identify suspicious activities.
* Very effective at identifying insider threats, detecting changes in system files, and monitoring non-network events like local logins and system processes.
* Ex. OSSEC, open-source, cross-platform HIDS solution that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response.
* Do not effectively detect network-wide anomalies (confined to the activities on the host on which they are installed).
* HIDS performs file integrity monitoring (FIM) and OS package signature verification. Used to detect changes to important files or the OS configuration.
Network-based IDS/IPS (NIDS/NIPS)
* Monitor network traffic, looking for patterns or signatures of known threats and unusual network packet behavior.
* Effective at identifying and responding to threats across multiple systems, like distributed denial-of-service (DDoS) attacks or network scanning activities.
* Can't provide detailed visibility into host-specific activities or detect threats that don't involve network traffic.
Intrusion detection systems (IDS)
Intrusion detection systems (IDS), such as Snort, are designed to detect potential threats and generate alerts. IDS systems are passive, inspecting network traffic, identifying potential threats based on predefined rules or unusual behavior, and sending alerts to administrators. They do not actively block or prevent threats but notify administrators of the potential issue.
Intrusion prevention systems (IPS), like Suricata, are proactive security tools that detect potential threats and take action to prevent or mitigate them. An IPS identifies a threat using methods similar to an IDS and can block traffic from the offending source, drop malicious packets, or reset connections to disrupt an attack.
Endpoint Security
endpoint detection and response (EDR)
Provides real-time and historical visibility into the compromise, contains the malware within a single host, and facilitates remediation of the host to its original state.
- Next-generation endpoint agents are more likely to be managed from a cloud portal and use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis.
- Works against APTs.
- Extended detection and response (XDR) broadens the scope to incorporate data from the network, cloud platforms, email gateway, firewall, and other essential infrastructure components.
Mobile Deployment Models
Bring your own device (BYOD)
Mobile device is owned by the employee.
Popular with employees but poses significant risk for security operations.
Corporate owned, business only (COBO)
Property of the organization and may only be used for company business.
Corporate owned, personally enabled (COPE)
Chosen and supplied by the organization and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to the requirements of established acceptable use policies).
Choose your own device (CYOD)
Same as COPE, except the employee is given a choice of devices to select from.
Ports - File Transfer & Email
Secure File Transfer Protocol (SFTP) - Secure Shell (SSH) over TCP port 22
FTPS (implicit TLS) - port 990
SMTP (email) communications can be secured using TLS.
Typical SMTP setups:
Port 25 used for message relay
Port 587 used by mail clients to submit messages for delivery
Port 465 implicit TLS (but deprecated)
Secure POP (POP3S) used to download messages
Secured with TLS over TCP port 995
Secure IMAP (IMAPS) used to download messages
Connects multiple clients to the same mailbox simultaneously
Secured with a TLS tunnel over TCP port 993
Bluetooth
Bluetooth is a radio-based wireless technology designed to implement short-range personal area networking.
Example exploit: BlueBorne
Even a device in non-discoverable mode can still be detected.
Vulnerabilities:
Bluejacking - a sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan malware.
Bluesnarfing - using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (four-digit) PIN code is vulnerable to brute-force password guessing.
Attacks
Application Attack
Targets a weakness within the OS or an installed application.
ARP Poisoning
Respond to DNS queries with spoofed replies
Canonicalization Attack
- Attempt to circumvent web server command filters by using canonicalization of plaintext (might allow code injection or directory traversal)
Computer Worm
- Increased memory usage on computers
- Repeatedly sending requests out to random IP ranges
Denial of Service
Resource consumption and resource instability
Directory Traversal attack
Attacker attempts to reach the parent directory
- uptick in requests for files not listed on the site
- Sometimes uses canonicalization
Forgery Attack
Attempts to hijack an ongoing authenticated session to perform an action without the user's consent
- Look in URL analysis and web server logs to detect
Injection Attack
Exploits the insecure way in which the application processes requests and queries
- Common example: attack attempts to cause the server to run OS shell commands and return the output to the browser
- Look in URL analysis and web server logs to detect
On path Attack (man in the middle)
- Data changed after transmission. Ex. client says the numbers changed after a verbal agreement.
PUPs
Potentially unwanted programs
Remote Access Trojan (RAT)
- Frequent communication with an unknown external IP address
- Unauthorized software on the workstation
- Actively transmitting sensitive system data to external address (exfiltrate data)
- Possibly receiving commands or files in return
Replay Attack
A replay attack works by capturing or guessing the token value, and then submitting it to reestablish the session illegitimately.
- A session ending and then immediately being reestablished would most likely be this type
- Attackers can capture cookies by sniffing network traffic via an on-path attack or when they are sent over an unsecured network, like a public Wi-Fi hotspot.
- Session cookies can also be compromised via cross-site scripting (XSS). Cross-site scripting (XSS) is an attack technique that runs malicious code in a browser in the context of a trusted site or application.
- Look in URL analysis and web server logs to detect
Rootkit
Attacker gained SYSTEM-level access, cleans logs, and uses variations on known file names to remain undetected.
KeyLogger
After clean-up, more logins at varying times
Installed keylogger compromised user accounts
Backdoor Virus
- Used to regain access to the network once the company thinks the foothold is gone
- Does not capture login credentials
Botnet
- Collection of compromised computers used or sold to another hacker
- Attackers use botnets for distributed denial of service attacks
Logic Bomb
???
Domain name system client cache poisoning
- Attacker edits the local client HOSTS file, causing traffic to be redirected to a malicious website instead
Domain name system (DNS) poisoning attack
Traffic appears to be coming from another location that does not exist (to confuse the company looking for an infection)
Script Virus
Email with a file attachment with an odd double extension ending in .ps1
PowerShell script implies executable
Web Server Under Attack
Large increase in logins and failed intrusion attempts
Goal: gain control of the host, steal data, gain further access
Regulations
Email security
Sender Policy Framework (SPF) is an email authentication method that helps detect and prevent sender address forgery commonly used in phishing and spam emails. SPF works by verifying the sender’s IP address against a list of authorized sending IP addresses published in the DNS TXT records of the email sender’s domain. When an email is received, the receiving mail server checks the SPF record of the sender’s domain to verify the email originated from one of the pre-authorized systems.
DomainKeys Identified Mail (DKIM) leverages encryption features to enable email verification by allowing the sender to sign emails using a digital signature. The receiving email server uses a DKIM record in the sender’s DNS record to verify the signature and the email’s integrity.
Domain-based Message Authentication, Reporting & Conformance (DMARC) uses the results of SPF and DKIM checks to define rules for handling messages, such as moving messages to quarantine or spam, rejecting them outright, or tagging the message. DMARC also provides reporting capabilities,