Tuesday, January 31, 2017

Security+ Topic - Account Policy Enforcement

Oh, the dreaded ‘your password is about to expire’!  How many of you absolutely hate it when the time comes for a forced password update, and you wait until the very last second, when it is forced upon you?  Well, this change is one that is for the better no matter how you slice it.  For the two big operating systems, Linux and Unix (ok, Windows too), there are password enforcement options for your environment.  While I won’t go into how those get implemented in this article, since it is a generalized overview, it is simple enough to do an internet search on the implementation process.

Let's start with the credential management itself.  The most commonly used is Active Directory, and the server that runs it is one of the most important to protect.  This server is mostly seen in the user realm of things, getting everyone logged in after their morning coffee.  Sure, this server may seem like its only function is making sure passwords get changed every 90 days, but securing it is a big deal in the scope of your security best practices.  In the event that this server were to be compromised, it may be possible for someone to inject their own administrative account into the domain.  Guess what happens after that?  The entire network is then at the mercy of the attacker.  They no longer need anything special, as they gave themselves administrative credentials to every server and every application that uses the centralized credential system.  Now, is this to say that we should not use a centralized credential system?  Oh no no no.  Without these important pieces of the puzzle, IT admins would be going crazy with lost passwords and logins that may never have existed in the first place.  It just boils down to ensuring that your server is protected.

Now let's move on to the password complexity portion.  I’m sure that you have encountered a password complexity requirement that adds one more special character than your usual password has.  How do you deal with it?  Most people just add a ! at the end and call it a day.  My suggestion on this one is to start off with an extremely secure password to begin with.  Utilizing a password generator and manager is a little more than I want to go into at the moment, but if you can generate some crazy passwords and still have secure, easy access to them, I say go for it.

Well, what about lockout and disabling of accounts in your environment?  This is one item of concern that must be part of your password security policy.  Some departments cycle through employees quickly and some have rather long tenure.  No matter the situation, you absolutely need account lockout and password expiration.  If and when an employee leaves the company, that user can slip through the cracks of user removal.  Or it could be that, due to the employee's status at the time of leaving (a legal issue), the user account is required to remain active so that information can be gathered as part of the legal process.  With automatic lockout and password expiration, you prevent a former employee from removing items after they leave the company.
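The three controls discussed above (complexity on change, expiry after a maximum password age, and lockout after repeated failures) can be written down as one small policy engine. The following is an added example, not code from the original post; the thresholds (12 characters, 90 days, 5 attempts, 30-minute lockout) and the account names are constructed values for illustration, not any vendor's defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import string

# Constructed policy values for this example; real environments set their own.
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=90)   # the "every 90 days" expiry from the post
LOCKOUT_THRESHOLD = 5                   # failed attempts before the account locks
LOCKOUT_DURATION = timedelta(minutes=30)


def complexity_ok(password: str) -> bool:
    """Length plus at least three of four character classes. A password whose
    only special character is a single trailing one (the 'just add a !' habit)
    is rejected as well."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if len(password) < MIN_LENGTH or sum(classes) < 3:
        return False
    specials = [c for c in password if c in string.punctuation]
    if len(specials) == 1 and password[-1] in string.punctuation:
        return False
    return True


@dataclass
class Account:
    name: str
    password_set: datetime          # when the current password was chosen
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False          # set when the employee leaves


def check_login(acct: Account, password_correct: bool, now: datetime) -> str:
    """Apply the policy to one login attempt and return the outcome:
    'disabled', 'locked', 'denied', 'expired' (must change password) or 'ok'."""
    if acct.disabled:
        return "disabled"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not password_correct:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if now - acct.password_set > MAX_PASSWORD_AGE:
        return "expired"
    return "ok"


def change_password(acct: Account, new_password: str, now: datetime) -> bool:
    """Only accept a new password that passes the complexity check."""
    if not complexity_ok(new_password):
        return False
    acct.password_set = now
    return True


def offboard(acct: Account) -> None:
    """Leaver process: the account is disabled even if nobody remembers to delete it."""
    acct.disabled = True


if __name__ == "__main__":
    now = datetime(2017, 1, 31, 9, 0)
    jdoe = Account("jdoe", password_set=now - timedelta(days=95))
    print(check_login(jdoe, True, now))                           # expired
    print(change_password(jdoe, "Passwordpassword1!", now))       # False: lone trailing '!'
    print(change_password(jdoe, "Correct-Horse-Battery9", now))   # True
    print(check_login(jdoe, True, now))                           # ok
```

The lockout counter resets on a successful login and the lock is time-limited, so a user who mistypes a few times is inconvenienced, not locked out for good; a disabled account is refused before anything else is checked, which is the leaver case from the paragraph above.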

What it boils down to is putting up with the crap side of security: inconvenience.  Make sure that you have a password and account policy in place per best practices; it goes a long way toward giving attackers one more hurdle to jump through if they compromise the network.  It's all about the layers in security.

Security+ Topic - Data Backups with Security Policy and Procedures

At present I work for a backup company, making sure that when your server goes down, you will be able to recover the data.  The big question that comes up is the security of that data off-site.  Traditional backup software would simply make a copy of your file and place it onto a drive someplace else.  Then, when changes were made, it would write a new file to another folder.  Later software placed all those backed-up files into a container file and did a differential or incremental backup into a new file.  The main issue with these backups is that once the file is at a remote location, there are extra security issues that need to be accounted for.

Your data is only as safe as what is protecting it.  Let's take for example an extremely locked-down database server that you spent many hours protecting.  Your backup admin has the needed permissions to perform that backup and sends the data over to their backup server on another subnet.  It is very possible that the backup data could be easily reached by an outsider by compromising the backup server instead of the production server.  A lot of hard work goes down the drain when the same safety precautions are not applied to the backup server as to the production server.  It can be entirely sensible for a company to have multiple backup servers in separate subnets, so that production servers can have their backup servers locked down to high standards, while a user's backup server would be somewhere locked down but not needing to meet high standards such as PCI compliance.

This all boils down to your company's policy for its backups.  A lot of the IT admins I speak to do not have this policy in place, but it is best practice for their sake and their company's.  Items to include are over-the-wire encryption, encryption at rest, password authentication to retrieve data, and general requirements for making sure the server is secure.  While this does venture into another topic I will cover later, it presents an initial headache that acts as insurance for later.  In the event of a data breach, ensuring the backup server has met the requirements of IT policy, as defined by management, protects the IT admin.

The procedures for making sure your backups are secure can be quite different from one company to another.  This goes back to how they are securing their data.  One procedure or process could simply be an encrypted backup on an encrypted USB drive.  This may be enough for a small company that walks the backup to a bank safe once a week.  Another process or procedure may be to ensure that a backup server meets strict industry standards such as PCI compliance.  For larger companies it is not feasible to secure all their data at a bank vault weekly, so they must make sure the server is protected from outside threats.

Before deciding on backup software to use, it is very important to cover where and how the backed-up data will be stored.  Each piece of software you find will have many options for your needs, and by generating a list or going off company policy you can ensure that everything meets the security industry standards your company has agreed to abide by.

Monday, January 30, 2017

Security+ Topic - FTP & Telnet Security (or lack thereof)

Usually the secure protocols that we enjoy today have a rough and shaky past.  This is extremely true for protocols that I can assure you will be used during your time in IT.  Even major companies are still using these insecure protocols because they are easy to use and reduce customer stress when moving files through the internet.  I am first referring to the FTP protocol, which almost every company happily uses.  Second, I would like to address the use of Telnet, which is much less common as a connection method across the internet but widely used on internal networks.

So why not use FTP?  What if I encrypt my files and then transfer them via FTP?  What about SFTP?  Well, let's talk about each one of these.  At the very basics of the situation: FTP sends everything in clear text on the wire.  You may have heard this before, but you need to understand what it means.  When you open a network packet, there are of course ones and zeros.  More importantly, the header of the packet contains everything it needs, such as MAC addresses and IP information.  This stuff is required for network travel and cannot be encrypted for the network to work.  The same process used to view the header information is then used to analyze the payload of the packet.  While the actual data (such as your passwords.xls document) may be encrypted, the FTP protocol itself, with the authentication information, is sent in the clear.

After someone is able to compromise the username and password of your FTP connection, they can then log into the FTP server and grab anything that may have been uploaded.  Even if the files you transferred to the FTP server are encrypted themselves, you are still at risk.  Once those files are downloaded to the attacker's computer, they can brute force or password crack a file as fast as their machine or server cluster will allow.  So why are big companies still using it?  Risk vs. cost.  Generally speaking, it is cheaper to just implement an FTP server and go from there, and if something happens, it was the user who decided to transmit their data via the insecure FTP protocol.
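What "authentication information is sent in the clear" looks like from the defender's side is a detection rule: anything watching the wire (an IDS, or an analyst replaying a capture) can pick the USER and PASS commands straight out of the FTP control channel. The following is an added example, not code from the original post. The two sessions, the host name ftp.example.test, the user alice and the password are all constructed; the detector masks the password in its alert and stops flagging once a client has upgraded the channel with AUTH TLS and the server accepted (reply 234), because from that point a capture only shows ciphertext.

```python
# Constructed capture of an FTP control channel: ('C' = client, 'S' = server, line).
SAMPLE_SESSION = [
    ("S", "220 ftp.example.test FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),
    ("S", "230 User alice logged in"),
    ("C", "RETR passwords.xls"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
]

# Same conversation, but the client upgraded to TLS (FTPS) first. After the
# server's 234 reply the control channel is encrypted, so a real capture shows
# only ciphertext; the plaintext lines after it stand in for what a capture
# would NOT reveal and are included only so the stop condition can be tested.
TLS_SESSION = [
    ("S", "220 ftp.example.test FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("C", "USER alice"),        # encrypted on the wire
    ("C", "PASS hunter2"),      # encrypted on the wire
]

CREDENTIAL_COMMANDS = {"USER", "PASS", "ACCT"}


def mask(secret):
    """Keep the first character for correlation, hide the rest in the alert."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_cleartext_credentials(session):
    """Walk the control channel in order and record every credential command
    sent before encryption was negotiated. Plain FTP never negotiates it,
    so USER and PASS are always exposed."""
    alerts = []
    encrypted = False
    pending_tls = False
    for direction, line in session:
        if encrypted:
            break
        parts = line.split(" ", 1)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if direction == "C" and cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            pending_tls = True
        elif direction == "S" and pending_tls and line.startswith("234"):
            encrypted = True
        elif direction == "C" and cmd in CREDENTIAL_COMMANDS:
            value = arg if cmd == "USER" else mask(arg)
            alerts.append({"command": cmd, "value": value})
    return alerts


def login_succeeded(session):
    """True when the server accepted the login (230) after a cleartext PASS."""
    cleartext_pass = any(a["command"] == "PASS"
                         for a in find_cleartext_credentials(session))
    accepted = any(d == "S" and l.startswith("230") for d, l in session)
    return cleartext_pass and accepted


def files_retrieved(session):
    """File names requested with RETR: what an eavesdropper can now go fetch
    with the stolen login, even if the files themselves are encrypted."""
    return [l.split(" ", 1)[1] for d, l in session
            if d == "C" and l.upper().startswith("RETR ")]


if __name__ == "__main__":
    for alert in find_cleartext_credentials(SAMPLE_SESSION):
        print("cleartext credential on wire:", alert)
    print("login accepted:", login_succeeded(SAMPLE_SESSION))
    print("files exposed:", files_retrieved(SAMPLE_SESSION))
    print("FTPS session alerts:", find_cleartext_credentials(TLS_SESSION))
```

The same walk over the capture shows the second half of the paragraph: the RETR commands list exactly which uploaded files the stolen credentials now give access to.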

This brings up the SFTP and SCP protocols that can be used to transfer files.  Why this hasn’t become the gold standard for transferring files is beyond me.  It is entirely possible to set up the SSH server (SSH is what SFTP/SCP use to move data) so that it is locked down to nothing but transferring those files.

On a final note on this whole transmitting-in-clear-text issue is Telnet.  Telnet has historically been used for the management of network routing and switching.  It is possible to have a server set up with Telnet, but most IT admins are very aware that if they allow a Telnet connection, they are basically opening the server to the world.  Telnet transmits everything, and I mean everything, in clear text on the wire.  This means that if you type “my password is abc123”, whoever is looking at the packets will see it word for word.  Since everything can be viewed, unless you are on an extremely secure network and one hundred percent sure that no one is sniffing the wire, you could log into a device to reset the password, log out, and the attacker would know exactly what the new password is.

What's the moral of the story?  STOP USING FTP and TELNET!  If for some reason your device doesn’t support SFTP/SCP/SSH, then there are alternate methods of connecting to that device.  One item I will specifically mention here is a Linux server with a console connection to an older Cisco router.  The older routers only supported Telnet, but if you can SSH into a server and then console into the router, you completely eliminate the insecure protocol from the equation.

Security+ Topic - SSID Disable and MAC Filter

When it comes to wireless, it seems that everyone and their dog (literally their dog) has a wireless network connection.  This particular post comes into play at the basic levels of wireless security, for keeping out the next-door neighbor's kid.  It's a good starting point for consumer-grade gear, but do not be fooled.  Anyone with even a little bit of skill can blow your SSID disabling and MAC filtering totally out of the water.

Let's start out with what it is.  SSID disabling is exactly what it sounds like: the access point is not broadcasting the SSID used to make a connection.  This doesn’t mean that it doesn’t exist, just that it is not being advertised.  This can be a great deterrent for anyone driving by your access point and checking if anything is available.  Anyone who drives by and is able to pick up on your wireless network but notices that it's hidden will probably move on to an easier target.  But wait, didn’t I just say that it is disabled and not broadcasting?  Yes I did.  Even though you are not broadcasting your SSID, the SSID is still in use for your network devices to talk to the access point.  Anyone with a little bit of time is able to sniff some wireless packets and determine the access point's SSID even though it is not broadcasting.

The process of gathering SSID information is with a simple wireless network sniffer.  There are a lot of tools available for the Linux savvy and the Windows savvy.  These are not your simple network protocol analyzers such as Wireshark or tcpdump.  One of those tools will analyze packets on the wire (or wireless) after a network connection is made.  Yes, yes, they could be used before that, but for the sake of this post, let's not get too deep.  What happens is that your computer sends out network packets that get tagged for the specific SSID you are communicating with.  Many access points are able to utilize the same network frequency, so the SSID is used by the access point to determine if the packet is destined for it or not.  Just because you are connected to an access point doesn’t mean that everyone else isn’t receiving those same packets.

OK, so now let's take it a step further by saying that only specific computers are allowed onto your network.  This is where MAC address filtering comes into play.  Pretty much every access point you can buy comes with this feature, which is great for keeping the kids from connecting to your access point when they discover your password on the sticky note under your keyboard.  Basically the access point checks an authorized (or unauthorized) list to decide whether it will allow a node to authenticate with the access point.  Simple enough, right?  Sure, for some basic SOHO security.  If your password is discovered but you are allowing only specific MAC addresses, the attacker simply has to change the MAC address on their network adapter.  If you were paying attention in your CompTIA A+ class, then you may be scratching your head at this point, as a MAC address should not be changeable.  Well, programmers can be some tricky people, which makes it so that software can fool the hardware side of things and send out a fake MAC address.

The network side of things gets a little tricky at this point if there are two computers with the same MAC address.  An attacker trying to utilize an authenticated MAC address as their own will usually wait until that machine goes offline, which then clears up the network connection (think shutting the lid on your laptop or leaving the house with your phone).  Any way you dice the situation, these are great security measures on the cheap to help with security in layers.  Layer the security deep and make your wireless network a harder target so the attacker will move on to something easier.

Security+ Topic - VLAN Management

Those of us that have been around for a while remember the days when one hub or switch was the physical connection that determined a user's network.  Sure, you and your neighbor at work could be on different subnets, but setting that up was much more hands-on.  The wiring to the patch panel was all the same, and the big difference came from the patch panel to the switch.  Ever seen one of those messy cable management photos?  Most likely it came from an older setup with VLANs in place.  Any time a user switched desks, the cable needed to be pulled from one part of the patch panel to another.

Now with the implementation of VLANs we are able to cleanly make network connections, sometimes without the need for a patch panel, and virtually move a user's network connection on the back end.  This becomes a big deal for ease of management, as someone simply plugs their computer into the new spot and off they go doing their daily activities.  The common phrase that ease of access leads to lack of security is extremely true in this case.  If your co-worker is able to move their computer to a new desk and immediately get network access, doesn’t that mean anyone could?  Even someone from outside the company?  Yes.  Yes it does.

There are many ways to implement your VLANs to focus on security, and the easiest one to enforce is the default vlan0 on most switches.  By putting your vlan0 on a network with no outside resources, users can plug into the network easily but not have any access they should not have.  An implementation of DHCP paired with a DNS redirect to an internal HTTP server gives you a simple company splash page informing the user to contact the IT department to gain access.  Even doing nothing with vlan0 and letting all connected machines get an APIPA address can do the trick from a basic security perspective.  First, any connected and authorized user will immediately go to the IT department with their issue of not being able to access company resources.  This is good.  Second, an unauthorized machine is stuck in that vlan0 with an APIPA address that they cannot do anything with... kind of.  If for some reason people on your network are using hostnames to talk to each other across that APIPA link, then there could be cause for concern.

The next part of managing your VLANs securely is making sure that no user access port is enabled for trunking.  Even with the most secure VLAN setup, if a port is set to allow trunking, then you have lost your awesome secure VLAN implementation.  A user or attacker could use that port to negotiate a trunk and then gain access to any VLAN on that switch they see fit to start scanning or attacking.  Most vendors have the option to set a port to access, trunk, or automatic.  Generally these are set to automatic and can be set to access with a simple command.  Set your trunks manually and you do not have to worry about it.

Wednesday, January 18, 2017

Security+ Topic - URL Squatting Hosts File Fake

Have you ever entered the wrong URL and gotten that lovely browser message saying that it cannot find what you are looking for?  Lucky for you, that was all you got.  Let's say that you accidentally typed in the name of your bank incorrectly, but this time a page loaded that looks just like your bank.  Would you have noticed that the URL is incorrect?  Might you have thought that the bank just bought the mistyped URL so that they can redirect you and make it easier on you?  What if that incorrect URL was actually not your bank at all?

The case of a URL being squatted on with a fake website is a real security threat.  It is also a very hard threat to protect against.  While it may be easy to say bankone.com is allowed and bnakone.com is not, it can be a bit harder to say whether bank1.com is or is not allowed.  A lot of this can be taken care of by making sure that users are educated and that the HTTPS portion of the URL is looked for when loading a page.  Really, the best answer is to have the end user educated.  If something doesn’t look right, then STOP.  Make a phone call to the financial institution, or send an email to the company, to verify that the URL you loaded is right for the company.

A big question at this point is whether the invalid site, the copy, is easily recognized as a fake.  Sometimes yes and sometimes no, depending on the level of complexity the bad guy put into it.  The site may be set up with a simple splash page mimicking the original and that is all.  It could also be set up with all links working correctly, taking you to more fake pages.  The simplest way to verify real or fake is the URL at the top, and every financial institution would have the ‘lock’ for secured with SSL.  The reality is that this impacts most people who are not security savvy.  They simply want to load their supposedly secure website and then move on.

One more item of concern here is the hosts file on your computer.  A little story here about some fun I had with a co-worker.  Playing a trick on him, we changed his hosts file to point google.com, yahoo.com, etc. to another server on our network, which made it look like his system was hijacked.  Based on the way the system was reacting, with only specific websites doing this, it was obvious that the hosts file had been modified.  He was one hundred percent convinced that his system had a major virus, and he had wiped the system within the hour.  Long story short, I got called away for a bit and was not there to let him in on the prank, and thus was not able to prevent him from wiping his system.  Let's break this down though.  I could have used the exact same method to re-route his URL requests to a server of my own.  The major difference here is that the URL WOULD BE CORRECT.  It wouldn’t have the lock for being secured with SSL, but everything else would LOOK ok.  This method is not quite as ideal for a remote bad guy though, as it can be easily identified.  They lose access to your system, then their fake website goes offline, you immediately see the page no longer loads and start investigating.  Plus you have a record of the fake server's IP address to block moving forward.
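Both halves of this post come down to two checks a defender can automate: is the domain in the address bar a near-miss of one the user actually trusts (the bankone.com vs. bnakone.com case), and has the local hosts file been pointed at a trusted name (the prank above)? The following is an added example, not code from the original post. The allow-list of trusted domains, the sample hosts file and the 10.0.0.50 address in it are constructed; the "registrable domain" helper assumes plain two-label domains like bankone.com and does not handle public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the user actually banks or works with.
TRUSTED_DOMAINS = {"bankone.com", "google.com", "yahoo.com"}

# Constructed hosts file with the kind of entries the prank above used.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1     localhost
10.0.0.50     google.com www.google.com   # points a trusted name at a LAN box
10.0.0.50     yahoo.com
192.168.1.20  printer.local
"""


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(name):
    """Last two labels of a host name. Assumption for this example: no
    two-label public suffixes such as co.uk are involved."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, uses_https). verdict is 'trusted', 'lookalike:<which>'
    or 'unknown'. A near-miss of a trusted name is the typosquat case."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    domain = registrable_domain(parts.hostname or "")
    if domain in trusted:
        verdict = "trusted"
    else:
        near = sorted(trusted, key=lambda t: edit_distance(domain, t))
        if near and edit_distance(domain, near[0]) <= max_distance:
            verdict = "lookalike:" + near[0]
        else:
            verdict = "unknown"
    return verdict, parts.scheme == "https"


def suspicious_hosts_entries(hosts_text, trusted=TRUSTED_DOMAINS):
    """Flag (address, name) pairs where a hosts file overrides a trusted domain
    or one of its subdomains: the URL looks right, but DNS never gets asked."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            if registrable_domain(n) in trusted:
                flagged.append((addr, n))
    return flagged


if __name__ == "__main__":
    for u in ("https://bankone.com/login", "http://bnakone.com/login", "https://bank1.com"):
        print(u, "->", classify_url(u))
    print("hosts overrides:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

Note that bank1.com comes back as "unknown" rather than "lookalike": it is three edits away from bankone.com, which is exactly the hard case the post describes, so no distance threshold replaces an educated user checking the URL and the lock.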

Monday, January 9, 2017

Security+ Topic - Vulnerability vs Penetration Testing

I had a college classmate who was in the computer security penetration testing business.  I always wondered what that must be like, and finally got a small taste of it when I started using scanning tools on my own network.  I say that I only got a sample of it because I wasn't really doing any penetration testing at all.  What I was doing was simply looking for any potential vulnerabilities.  There is a big difference between the two, which I am going to go over here.

Starting with vulnerability scanning, this is the easiest thing that you can do.  It starts with a basic scan of a network looking for any ports that may be open or any servers that you may be able to get access to.  By scanning the network for open ports, you could identify a rogue FTP server, or a personal file server someone has set up that is not allowed by company policy.  This plays into vulnerability scanning because of any old software those systems may be running.  It doesn't even have to be a rogue device either, as you can scan your own equipment to see if there is anything showing on the network that shouldn't be.

A scan of the network can be much more than just a scan.  A vulnerability scan is where you get into the meat of what a simple port scan turns up.  For basic network processing it is required that the listening software report back certain version or function information, so that the software wanting to talk to the listening port knows what or how to communicate.  The vulnerability scan compares that information against an internal database of vulnerabilities it is aware of.  As an example, the version information it gets back could indicate an outdated FTP server that, when certain attacks are performed, allows login without a password.  The information gained could also give away the operating system, so that an attacker may know where to start on some specific attacks.  At this point in the game, vulnerability scanning is all about information gathering.  Gathering for the bad guys to find a hole, or gathering for the good guys to prevent a hole from being exploited.
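The matching step described above, banner in, "vulnerable or not" out, is small enough to write down in full. The following is an added example, not code from the original post or from any scanner. The scan results, the product names ExampleFTPd and ExampleSSH, their versions, the hosts and the advisory table are all constructed placeholders, not real software or real CVE identifiers; the point is the comparison of a parsed version against a "fixed in" version, and the reporting of open ports that gave no banner at all.

```python
import re
from typing import Optional, Tuple

# Constructed scan output: (host, port, banner). Products and versions are made up.
SCAN_RESULTS = [
    ("10.0.0.5", 21, "220 ExampleFTPd 2.3.4 ready"),
    ("10.0.0.5", 22, "SSH-2.0-ExampleSSH_7.4"),
    ("10.0.0.9", 21, "220 ExampleFTPd 3.0.1 ready"),
    ("10.0.0.9", 3389, ""),                          # port open, service said nothing
]

# Constructed advisory table: placeholder ids, not real CVEs. 'fixed_in' is the
# first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "ExampleFTPd", "fixed_in": (2, 3, 5),
     "note": "older releases allow login without a password (placeholder)"},
    {"id": "ADV-PLACEHOLDER-2", "product": "ExampleSSH", "fixed_in": (7, 5),
     "note": "placeholder"},
]

# product name, a separator, optional 'v', then a dotted version number
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)[ _/-]v?(\d+(?:\.\d+)+)")


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Pull (product, version tuple) out of a greeting line. SSH banners carry
    a protocol prefix ('SSH-2.0-') before the software name, so strip it."""
    if banner.startswith("SSH-"):
        banner = banner.split("-", 2)[-1]
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def find_findings(scan, advisories):
    """Match each identified service against the advisory table. Unidentified
    open ports are reported too, since they still need a human to look."""
    findings = []
    for host, port, banner in scan:
        parsed = parse_banner(banner) if banner else None
        if parsed is None:
            findings.append({"host": host, "port": port, "status": "open, unidentified"})
            continue
        product, version = parsed
        for adv in advisories:
            # tuple comparison gives numeric ordering: (2, 3, 4) < (2, 3, 5)
            if adv["product"] == product and version < adv["fixed_in"]:
                findings.append({"host": host, "port": port, "status": "vulnerable",
                                 "product": product, "version": version,
                                 "advisory": adv["id"], "note": adv["note"]})
    return findings


if __name__ == "__main__":
    for f in find_findings(SCAN_RESULTS, ADVISORIES):
        print(f)
```

Everything this does is information gathering, as the paragraph says: the output is a patch list for the good guys, and the same comparison is what tells the bad guys where to start.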

Now comes the next part: penetration testing.  Taking all of the previous information, we can then push forward with actually breaking into or getting into a remote system.  Penetration testing is simply the act of using exploit code or brute forcing your way through a barrier.  Sometimes an attacker can do a scan of the system and find that remote desktop is open.  Then they brute force their way into the system via the remote desktop protocol.  Another scenario is that the previous scan finds an exploit where, if they pass certain code to the remote desktop protocol, it overloads the service and then allows passwordless login.  Penetration testing can get quite in-depth, so the actual work could be performed by you or by a penetration testing company.  Usually these companies do a great job, as they don't care what you have in place.  What I mean by that is you may have some insecure way to initially connect and then use a secure method to go through the WAN.  Well, that penetration testing company will try anything, and if they find the hole you left open even though you thought it was secure, then you can bet on it eventually being exploited by the bad guys.  Better for an unbiased company to find it and report it to you than to deal with a security breach.

Friday, January 6, 2017

Security+ Topic - NAT

Network address translation was developed to provide one public network address to many internal private network nodes.  In the realm of network security this becomes a big part of layered security.  Any nodes behind the network translation device are then easily hidden from everything else on the public side of the network.  For full disclosure, NAT in generic terms is a thrown-around acronym for network address translation in combination with port address translation.  A Google search can give you some good information about the two in combination, as that overview is outside the scope of this blog article.

Take for example a small business network with limited finances to put toward network security.  A network address translation solution is perfect for them, as it requires minimal effort.  Another assumption here is that the small business has a DSL or cable modem as their primary mode of internet connection.  It doesn’t have to be limited to that, but it makes the example easy to understand.  Using only one consumer-grade router (used loosely) that comes standard with network address translation, the business can place their publicly facing server directly connected to the ISP router.  Any ports being forwarded to provide services can be done on the ISP router, which makes for easy management.  Then the second router in the environment has its uplink/ISP port plugged into another LAN port on the same ISP router.  Company desktops or laptops are then plugged into this second router and are invisible to the public-facing server.  As far as the server is concerned, all requests from the company users come from the uplink address on the second router.

As a company grows, they are then able to expand on this idea while still keeping things cheap.  Let's say the company has grown enough to have a sales department in addition to their developers.  You wouldn’t want them on the same network, as it's best practice to keep everyone on their own subnet.  Purchasing just one more router and plugging it into another LAN port on the ISP router instantly provides another security boundary with its own network.  Each network will be able to reach the servers plugged into the ISP router without easy access to the other network.  Port forwarding could be put in place for any special needs, but you need to practice good security setup and only allow through what is absolutely needed.  There is a server on the shared network that can be used as the central hub for any cross-network functions.

Obviously, if the company has hit the point of needing to expand even further, then a different solution would be needed, such as a dedicated Cisco router and firewall.  One thing to also note is that by default each network may have the same addressing; 192.168.0.x would be the most common.  As part of setup, and for easier troubleshooting, each add-on router should have its internal DHCP set up with a different scope.  For example, router 1 having internal addressing of 172.16.1.x and router 2 internal addressing of 172.16.2.x would work well.

The security aspect of the network visibility works in reverse as well.  If for some reason the servers directly connected to the ISP router become compromised, they will have no easy way to see any of the user computers behind the router.  Of course, if the router you are putting users behind has a flaw that allows GUI/TUI access, then the attacker could create a hop into the network or forward ports as needed.  Either way, the added layer of security provided on the cheap makes for a great addition for small businesses.
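The two behaviours this post relies on, users behind the second router all appearing as its uplink address, and a compromised server on the outside having no route back to them, both come from the translation table the router keeps. The following is an added example, not code from the original post or any router vendor: a toy NAT/PAT router in Python. The private 172.16.1.x addressing follows the post; the public-side addresses 203.0.113.10 and 198.51.100.x and all port numbers are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port address translation: many private hosts share one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.table = {}
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.reverse = {}
        # public_port -> (private_ip, private_port): explicit port forwards
        self.forwards = {}

    def add_port_forward(self, public_port, private_ip, private_port):
        """The only way unsolicited outside traffic reaches an inside host."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite an inside -> outside packet to the router's public address.
        The remote side only ever sees the uplink address and a mapped port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.reverse[key])

    def inbound(self, pkt):
        """Translate an outside -> inside packet, or return None to drop it.
        Only replies to existing flows and explicit forwards get through, which
        is why a compromised outside server cannot 'see' the inside hosts."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            entry = self.forwards.get(pkt.dst_port)
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    r = NatRouter("203.0.113.10")
    out = r.outbound(Packet("172.16.1.20", 51000, "198.51.100.5", 443))
    print("server sees:", out)
    print("reply delivered to:", r.inbound(Packet("198.51.100.5", 443, "203.0.113.10", 40000)))
    print("unsolicited probe:", r.inbound(Packet("198.51.100.5", 443, "203.0.113.10", 3389)))
```

The port forward is the deliberate hole in that invisibility, which is why the post says to only forward what is absolutely needed.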

Tuesday, January 3, 2017

Security+ Topic - Access Control Lists

When we talk about network and system security, there is an increasing focus on complicated attack scenarios with complex routines written to defend against them.  Sure, there may be some complex attacks out there that we should prevent, but let's get back to basics for a moment.  What is the single most simple thing that you can do to keep your network resources safe?  Access Control Lists.


Some environments may have an awesome firewall in place that takes care of all their security requirements, and some environments may simply have a DSL router.  In either case, they can benefit from access control lists set up to block any number of kinds of network traffic.  In the simplest of terms, let's take a scenario with two network segments: one for servers and one for users.  Normally your users only need specific access to the servers, so you would allow one or two ports into your server network from your user network.  Sounds like a firewall, right?  Yes, an ACL is similar to your firewall in this scenario.  An ACL takes it a bit further, though, at the router level, so that traffic gets dropped before it even hits a network or host.


When the environment gets a bit larger is when a dedicated firewall becomes the ideal solution for sorting what traffic is allowed to which networks.  Still, an access control list is very important.  Security is all about layers, right?  So why not layer ACLs in with your firewall, restricting access as traffic travels through the network?  The ACL doesn't need to be as granular, so your router can focus on routing instead of firewall rules.  One example here is that you could put an ACL in place to block everything but outbound stateful connections on port 80 for a specific department.  Then set your fancy firewall to filter the URLs or destinations that are trying to be reached.  This drops network traffic before it even attempts to escape its network, as well as reducing firewall load so that it can focus on the HTTP traffic.


This brings up ACLs as part of a network-wide security breach.  An access control list can be put in place to block ICMP traffic between networks but allow it to the router.  If one machine gets compromised and the malicious user simply tries to ping hosts to find where to make their next attack, then you have slowed their host discovery and possibly eliminated the threat if they rely on that ping response for their next attack.  One common scenario you may encounter is a SQL server physically or logically behind an internet-facing server.  The server would only have one network connection, to a second NIC on the internet-facing server, making it look as if it were much more secure on an isolated network.  Again, back to layers of security: a network ACL could be put into place here allowing only specific items through, so if something does get compromised the attacker would have one more layer to break before being able to move compromised data out of your network.


Are access control lists perfect?  No.  That is why there are network firewalls, IDS, IPS, and a slew of other technologies available.  Are they still relevant?  YES!  Adding this layer of security is very important, as every layer counts.  Most of the time it is already built into your network routing products, so you may as well use it!