CISSP21 Session4
to the CISSP Bootcamp
Your instructor: Michael J Shannon
CISSP #42221 / #524169, CCNP-Security, PCNSE7, AWS Certified Security – Specialty, GIAC GSEC, OpenFAIR, and ITIL 4 Managing Professional
• Class will begin at 10:00 A.M. Central Standard Time (CST)
• Management access should be limited to secure protocol alternatives, such as SSH instead of Telnet
• SSH2 is preferable to SSH1 whenever possible
• SSH2 uses symmetric encryption for bulk data encryption and asymmetric algorithms in its key management processes
• SSH2 uses DH (Diffie-Hellman) for key exchange
• Router(config)#hostname CISSP-R1
• CISSP-R1(config)#ip domain-name example.com
• CISSP-R1(config)#crypto key generate rsa general-keys modulus 2048
• The name for the keys will be: CISSP-R1.example.com
• % The key modulus size is 2048 bits
• % Generating 2048 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 0 seconds)
*Apr 9 19:01:50.517: %SSH-5-ENABLED: SSH 1.99 has been enabled
• CISSP-R1(config)#username admin secret S3curity3plus5
• CISSP-R1(config)#line vty 0 15
• CISSP-R1(config-line)#login local
• CISSP-R1(config-line)#transport input ssh
• SMTP is not natively secure, so it needs an extra security layer: Secure/Multipurpose Internet Mail Extensions (S/MIME)
• S/MIME v3 has become the standard for email message security
• Digital signatures are the most common S/MIME service, providing authentication, data integrity, and non-repudiation
[Figure: S/MIME signing and encryption flow – message body captured, unique sender information retrieved, signing operation performed, digital signature appended; unique recipient information retrieved, encryption operation performed, encrypted message replaces original message, message sent]
• Essentially the File Transfer Protocol over TLS
• Also called FTP over TLS and FTP Secure
• Typically used server-to-server
• Uses AES, RSA/DSA, and X509v3 certificates
• Explicit FTPS – only selected parts or components of the communication are encrypted
• Implicit FTPS – all communications are encrypted
• IETF-designed version of FTP that provides secure data access and transfer over an SSH2 channel
• It is a function of the SSH Protocol and is also called SSH File Transfer Protocol
• Both the commands and data are encrypted
• Platform-independent
• Slower than SCP
• DNSSEC (DNS Security Extensions) protects users from DNS attacks by enabling resolvers to detect forged or tampered DNS responses
• It adds a layer of trust on top of DNS by authenticating the origin of DNS data, with a chain of trust that starts at the root DNS name servers and helps verify domains
• To facilitate signature validation, DNSSEC adds a few new DNS record types:
• RRSIG – contains a cryptographic signature
• DNSKEY – contains a public signing key
• DS – contains the hash of a DNSKEY record
• NSEC and NSEC3 – for explicit denial-of-existence of a DNS record
• CDNSKEY and CDS – for a child zone requesting updates to DS record(s) in the parent zone
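The link between a DS record and the DNSKEY it covers is a plain hash computation, so it can be checked by hand. The Python below is an added example, not part of the slides: it computes the RFC 4034 key tag and the DS digest (digest type 2, SHA-256) over the owner name in wire form plus the DNSKEY RDATA, then performs the validation step a resolver does when it walks the chain of trust from the parent's DS to the child's DNSKEY. The owner name example.com, the 64-byte key bytes and the use of algorithm 13 are constructed for the example.

```python
import hashlib


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags (257 = KSK), 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 1 is SHA-1 (deprecated), type 2 is SHA-256."""
    hasher = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) that the parent zone publishes."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key):
    """Validation step: recompute the DS from the child's DNSKEY and compare it with the parent's DS."""
    return make_ds(owner, flags, protocol, algorithm, public_key, ds[2]) == ds


def ds_presentation(owner, ds):
    """Render the DS record in zone-file presentation format."""
    return f"{owner.rstrip('.')}. IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}"


# Constructed key material: a 64-byte placeholder standing in for an ECDSA P-256 (algorithm 13) public key
EXAMPLE_KEY = bytes(range(64))
EXAMPLE_DS = make_ds("example.com", 257, 3, 13, EXAMPLE_KEY)

if __name__ == "__main__":
    print(ds_presentation("example.com", EXAMPLE_DS))
    print("matches:", ds_matches_dnskey(EXAMPLE_DS, "EXAMPLE.COM.", 257, 3, 13, EXAMPLE_KEY))
```

Because the owner name is part of the hashed input, the same key published under a different name yields a different DS, and a single flipped key byte changes both the digest and, usually, the key tag; that is why a DS mismatch is enough for a validating resolver to treat the child zone as bogus.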
VoIP security
• Secure Real-Time Transport Protocol (SRTP) extends the RTP protocol by providing enhanced security techniques
• Provides encryption, integrity, and authentication verification of data and messages transported by RTP
• Released in 2004 by Cisco Systems and Ericsson
• Uses AES as its default encryption cipher in Segmented Integer Counter Mode and f8-mode to allow the AES block cipher to be used as a stream cipher for the RTP data stream
• LDAP was based on X.500 but is a lighter, cross-platform, standards-based solution
• LDAP servers are easy to install, maintain, and optimize, but on their own they do not secure the queries, updates, and valuable information in the LDAP directory
• LDAPS (TCP 636) is LDAP over SSL/TLS
• SASL (Simple Authentication and Security Layer) BIND also offers authentication services using mechanisms such as Kerberos or a client certificate sent with TLS
• SNMPv3 can be configured in three security levels (modes):
• noAuthNoPriv – no cryptographic hash or encryption; authentication relies on a password alone
• authNoPriv – a cryptographic HMAC (SHA1 or SHA2) secures the authentication credentials and provides integrity, but there is no data encryption
• authPriv – HMAC for integrity and secure authentication credentials, plus encryption (AES) of the data
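The vty hardening commands shown earlier in this session and the three SNMPv3 security levels above can both be verified from a saved running-config rather than by eye. The Python below is an added example (not from the slides or from any Cisco tool): it parses a constructed IOS-style config excerpt, flags vty lines that do not require `login local` or that accept anything other than `transport input ssh`, reports SNMPv3 groups configured below authPriv, and notes when `ip ssh version 2` is absent (a real IOS command that is not part of the slide's key-generation sequence; without it the router advertises "SSH 1.99", i.e. both versions). The sample config, the group names and the wording of the findings are assumptions made for the example.

```python
import re

# Constructed sample running-config excerpt (not from any real device). It mirrors the vty
# hardening from the slide but deliberately leaves a few weak spots for the audit to find.
SAMPLE_CONFIG = """\
hostname CISSP-R1
ip domain-name example.com
username admin secret S3curity3plus5
snmp-server group NETOPS v3 noauth
snmp-server group SECOPS v3 priv
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

# The same excerpt after remediation: authPriv everywhere, SSH-only vty lines, SSH2 pinned
HARDENED_CONFIG = (SAMPLE_CONFIG.replace("v3 noauth", "v3 priv")
                   .replace("transport input telnet ssh", "transport input ssh")
                   .replace(" login\n", " login local\n")
                   + "ip ssh version 2\n")

SNMP_LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}


def parse_config(text):
    """Split an IOS-style config into global lines and per-'line vty' blocks (indented sub-lines)."""
    global_lines, vty_blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            vty_blocks[current] = []
        elif raw.startswith(" ") and current:
            vty_blocks[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, vty_blocks


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, vty_blocks = parse_config(text)
    findings = []

    # SSH2 only: RSA key generation alone enables 'SSH 1.99' (v1 and v2 offered)
    if "ip ssh version 2" not in global_lines:
        findings.append("global: 'ip ssh version 2' missing, SSH1 may still be offered")

    # SNMPv3 groups: only authPriv gives both HMAC authentication and encryption of the data
    for line in global_lines:
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b", line)
        if m and m.group(2) != "priv":
            findings.append(f"snmp: group {m.group(1)} uses {SNMP_LEVELS[m.group(2)]}, expected authPriv")

    # Every vty block must authenticate against the local database and accept SSH only
    for name, lines in vty_blocks.items():
        if "login local" not in lines:
            findings.append(f"{name}: 'login local' missing")
        for entry in lines:
            if entry.startswith("transport input") and entry != "transport input ssh":
                findings.append(f"{name}: '{entry}' permits a non-SSH management protocol")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the sample, the audit reports four findings (missing SSH2 pin, the noAuthNoPriv group, and two problems on `line vty 5 15`); against the hardened copy it reports none. The same structure extends to other management-plane checks, such as an access-class on the vty lines.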
• QUIC is a "newish" transport protocol that was originally designed by Jim Roskind at Google
• It reduces latency compared to using TCP
• Since TCP is implemented in operating system kernels and middlebox firmware, making significant changes to TCP is next to impossible
• QUIC is built on top of UDP – it has no such limitations
[Figure: SDN architecture (control plane, SDN controller, SDN datapath, CDPI); enterprise SD-WAN with an SD-WAN controller/orchestrator and CPE devices; leaf-spine data center fabric (Leaf 1 through Leaf 96) with 10G, 25G, 40G, 50G, and 100G links to Ethernet-connected and IP-connected end systems]
• Switch port security as a base configuration on all layer 2 devices
• Hard code access and trunk ports
• Mitigate MAC flooding attacks
• Enable PortFast and auto-recovery
• Loop prevention and flood guard techniques
• Authentication proxies – interactive and transparent
• Identity services – for ABAC engines and IdM
• Integrated IDS/IPS – modular and cloud-based IPS
• Content security – with data loss prevention (DLP)
• Advanced malware protection – cloud-based solutions
• URL filtering – to enforce AUPs
• Botnet filtering – DNS-based anti-DDoS protection
[Figure: active defense phases – alert, attribution, counterattack]
• Deception is the first and most common phase of active defense used by many organizations
• Fake telemetry involves augmenting existing enterprise tools to offer critical threat intelligence for early breach detection and high-fidelity alerting
• Making tools available on honeypots and honeynets for attackers to use, in order to attribute the activity and attack back
• A DNS sinkhole (or black hole DNS) spoofs DNS answers so that the hostnames of specified URLs do not resolve to their real addresses
• This can be accomplished by configuring the DNS forwarder to return a false IP address for a specific URL
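As an added example (not from the slides), the Python below shows the core of such a sinkhole: a blocklist lookup that also matches parent domains, a minimal parser for the question section of a DNS query, and a responder that answers A queries for blocklisted names with the sinkhole address while recording each hit, since the hit itself is the early-warning signal that points at a possibly infected host. The blocklisted names, the sinkhole address 10.255.255.1 and the client addresses are constructed placeholders, and the socket handling and upstream forwarding of a real DNS forwarder are left out.

```python
import struct
import ipaddress

# Constructed blocklist of hostnames (placeholders, not real indicators) and sinkhole address
BLOCKLIST = {"bad.example", "c2.malware-example.test"}
SINKHOLE_IP = "10.255.255.1"   # assumed address of an internal sinkhole server that logs connections
HITS = []                       # (client, queried name) pairs; each one is an alert for the SOC


def is_sinkholed(qname, blocklist=BLOCKLIST):
    """True when qname or any parent domain of it is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_question(packet):
    """Parse the header and single question of a DNS message; return (txid, qname, qtype, end offset)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, ".".join(labels), qtype, offset + 4


def build_query(qname, txid=0x1234):
    """Construct a standard recursive A query, as a client would send it; used for the sample input."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def build_response(query, client="unknown", sinkhole_ip=SINKHOLE_IP):
    """Answer an A query for a blocklisted name with the sinkhole address and record the hit.
    Returns None for anything else, which a real forwarder would send on to its upstream resolver."""
    txid, qname, qtype, q_end = parse_question(query)
    if qtype != 1 or not is_sinkholed(qname):
        return None
    HITS.append((client, qname))
    # Header: same transaction ID, QR=1 RD=1 RA=1 RCODE=0 (0x8180), one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: name pointer to the question (0xC00C), type A, class IN, TTL 60, 4-byte RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(sinkhole_ip).packed
    return header + query[12:q_end] + answer


if __name__ == "__main__":
    reply = build_response(build_query("www.bad.example"), client="10.0.0.5")
    print("sinkholed:", reply is not None, "hits:", HITS)
```

The short TTL matters: once a name is removed from the blocklist, clients stop receiving the sinkhole address quickly, and while it is listed every renewed lookup produces another logged hit that can be correlated by client address.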
[Figure: attacker sends a malicious e-mail across the Internet; an organization computer receives the e-mail containing a link to a malicious site]
WPA2 – the de facto standard
• The replacement for the temporary WPA (2004)
• Devices require testing and certification from the Wi-Fi Alliance (2006)
• Supports Personal (PSK) and Enterprise modes
• Uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
[Table: WPA2 Personal compared with four WPA2 Enterprise authentication methods (method names not recovered from the slide); rows: client-side certificate required, server-side certificate required (PAC), WEP key management, authentication attributes (one-way vs. mutual). Figure: password-based authentication between a transmitter, an Internet server, and a receiver]
PAN Technology
• Zigbee components can connect and communicate using the same IoT language
• Millions of Zigbee products are already deployed in smart homes and commercial buildings
• The network topology is a self-forming and self-healing mesh
• Ranges are up to 300+ meters (line of sight) and up to 75-100 meters indoors
• Supports AES-128 at the Network Layer and the Application Layer
• Used in hotels, airports, and other commercial scenarios to gather credentials or registration profiles before users can access a public Wi-Fi network
• 5G is the next generation of global networking
• All 5G devices in a cell are linked to the Internet and telephone network by radio waves through a local antenna in the cell
• The goal is to deliver bandwidths up to 10 Gbps by using higher-frequency radio waves than current cellular networks
No piggybacking/tailgating policy
• End users will have varying degrees of participation in hardware, firmware, and software updates and upgrades
• If fully automated, the user may only be able to postpone (snooze) the process for a maximum amount of time
• OS updates, WSUS, Silverlight, KACE, etc.
Security suites
• These are all-in-one, full-scale security packages that offer a single, integrated solution
• There is only one vendor to get the upgrades and updates from
• Depending on the security vendor, the suite may also include a two-way firewall, parental control system, a local spam filter, VPN to protect your data in transit, online backup, and dedicated ransomware protection
• Best practice is to install two products from different vendors (e.g., Sophos + Malwarebytes)
1. Attacker – sends email with malware attachment to users
2. Phishing email – poorly trained and unaware users open the attachment
3. Targeted users – target system is exploited
4. Compromised system – Remote Access Trojan (RAT) is installed on the target system
IT hygiene
• Most NGIPS and anti-virus systems use heuristic and ML mechanisms to achieve better results than traditional signature-based and anomaly-based solutions
• The heuristic engine used by an anti-malware/IPS program might include proactive rules and behavioral analytics to look for
• a program that tries to copy itself into other programs (in other words, a classic computer virus), or
• a program that tries to remain resident in memory after it has finished executing
Network Admission Control (NAC) was an industry initiative sponsored by Cisco
• Cisco NAC and similar technologies are officially on the exam but have been replaced by newer solutions, such as TrustSec and Zero Trust Security
• It was part of the Cisco Self-Defending Network initiative and is the foundation for enabling NAC on Layer 2 and Layer 3 networks
• Do not trust anything inside or outside the perimeter without stringent authentication and verification
• Helps secure access from users and their devices, API calls, IoT, microservices, containers (Docker, Kubernetes), and more
[Figure: NAC/EDR deployment – WAP, guest server, campus network, NAC/EDR server, AD federation, identity services engine. Figure: vulnerability scanning – external and internal scanners on the security vendor network send client vulnerability data and findings, via the Internet, to a user interface on the client network and its servers]
• IP Security (IPsec) offers security services to traffic crossing untrusted networks, like the Internet, between two or more trusted devices or networks
• IPsec VPNs can also be used to protect management traffic as it crosses an organization's intranet and between front-end and back-end services
• IPsec is also popular when connecting to cloud service providers using managed site-to-site and peer-to-site VPN solutions
• IPsec is native to the IPv6 stack through the AH and ESP extension headers
• IPsec and SSL VPNs are both cryptography-based VPNs
• In terms of deployment, there are two basic types of VPNs: site-to-site VPNs and remote-access VPNs
• Remote access can be full-tunnel or clientless
[Figure: VPN connections to a cloud service provider]
• Originated in military and intelligence operations and pertains to data access and information flow
• Can be implemented using different access control models, although MAC is the most secure
• Lattice models are effective
• Bell-LaPadula for confidentiality
• Biba or Clark-Wilson for integrity
• Subjects are only given access to the objects they need and nothing else unless they go through/pass a strict approval process
• Can be implemented using different access control models, although MAC is the most secure
• Can use network operating system controls or ABAC for different scenarios
• Processes where more than one entity is required to complete a particular task
• Often involves dual operator principles as well, where two subjects are needed to modify a particular object
• Automation and orchestration can help enforce this principle
• Rotation of duties is also a related principle
• Example: forced (mandatory) vacations
[Figure: SQL backup and SQL restore shown as separate operations]
• This principle involves avoiding direct client-to-server access whenever feasible
• Uses various proxies for
• authentication (interactive or transparent)
• translation services (NAT)
• bastion (jump) hosts and CSP services
• web proxies for content and URL filtering, and
• using managed security service providers (MSSP) and cloud access security brokers (CASB)
[Figure: patch management cycle – service-level agreement, organizational-level agreement, inventory baselines, perform assessment of existing controls and configurations, assess and classify the risk based on analysis methods and risk treatment, develop rollback plans]
[Figure: applications, devices, and servers send syslog messages to a syslog server]
SIEM
• The term SIEM is a combination of security information management (SIM) and security event management (SEM)
• Centralize the storage and analysis of logs and other security-related documentation to perform near real-time analysis
• Can send filtered data to mining, big query, and data warehousing servers in a data center or at a cloud service provider
• Allow security and network professionals to take countermeasures, perform rapid defensive actions, and handle incidents
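As an added example (not from the slides), the Python below shows the first step a SIEM performs on device logs before any near real-time analysis is possible: it decodes the syslog PRI value into facility and severity, extracts the Cisco IOS %COMPONENT-SEVERITY-MNEMONIC header from messages like the %SSH-5-ENABLED line shown earlier in this session, filters for records that merit real-time alerting, and correlates repeated login failures by source address. The sample log lines and the addresses in them are constructed for the example.

```python
import re
from collections import Counter

# Constructed Cisco IOS-style syslog lines as a collector would receive them over UDP 514.
# PRI = facility * 8 + severity; <189> is local7 (23) * 8 + 5. Addresses are documentation ranges.
SAMPLE_LINES = [
    "<189>Apr  9 19:01:50.517: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    "<188>Apr  9 19:05:12.003: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>Apr  9 19:05:19.440: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] "
    "[Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "<190>Apr  9 19:06:00.100: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 port 514 started",
    "<187>Apr  9 19:07:30.250: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
IOS_RE = re.compile(r"%(?P<component>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
SOURCE_RE = re.compile(r"\[Source: (?P<ip>[0-9.]+)\]")


def parse_syslog(line):
    """Decode PRI into facility/severity and pull out the IOS component and mnemonic if present."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    record = {"facility": FACILITIES[pri // 8], "severity": pri % 8,
              "severity_name": SEVERITIES[pri % 8], "raw": m.group("rest")}
    ios = IOS_RE.search(m.group("rest"))
    if ios:
        record.update(component=ios.group("component"), mnemonic=ios.group("mnemonic"), text=ios.group("text"))
        # IOS repeats the severity inside the header; a mismatch with PRI suggests a mangled or forged message
        record["severity_mismatch"] = int(ios.group("sev")) != record["severity"]
    return record


def alerts(lines, max_severity=4):
    """Records at warning (4) or more urgent; lower numbers are more severe in syslog."""
    return [r for r in map(parse_syslog, lines) if r["severity"] <= max_severity]


def failed_login_sources(lines, threshold=2):
    """Correlate LOGIN_FAILED messages by source address; return sources at or above the threshold."""
    counts = Counter()
    for r in map(parse_syslog, lines):
        if r.get("mnemonic") == "LOGIN_FAILED":
            src = SOURCE_RE.search(r["text"])
            if src:
                counts[src.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for r in alerts(SAMPLE_LINES):
        print(r["severity_name"], r["component"], r["mnemonic"], r["text"])
    print("repeated login failures:", failed_login_sources(SAMPLE_LINES))
```

The severity threshold and the login-failure count are the two knobs a SOC tunes: the first decides what reaches the real-time alert queue, the second turns a handful of informational lines into a single correlated event with a source to investigate.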
• Log collection and aggregation
• Automated real-time alerting
• Trusted Automated exchange of Indicator Information (TAXII) is a free and open transport mechanism that standardizes the automated exchange of cyber threat information. Push and pull messages are supported – supporting both subscription feeds and on-demand queries. TAXII leverages existing protocols when possible – with native support for HTTP and HTTPS
• Predictive analysis and threat maps are generated by AI-driven and ML analysis tools, often working with cloud service provider managed services or MSSPs
• Any data or information concerning an individual or organization that can be collected legally from free, public sources
• Is usually information found on the Internet but can be sourced from books or reports in a public library, articles in a newspaper/magazine, statements in a press release, and FOIA reports
• Can be gathered using tools like Maltego, sharing centers, and code repositories, like GitHub, among others
[Figure: threat intelligence sources including vendor web sites and vulnerability feeds]