Study notes for CCNP Security CORE study: 350-701 SCOR (v1.1)
Security principles
- Confidentiality: hide data (encrypt) from unauthorized individuals
- Integrity: make sure data was not modified (permissions / hashing / immutable backups / modification logs)
- Availability: ensure the data remains available (HA / systems work and are usable)
- Least privilege: a user has the rights they need to do their job and no more
- The switch port for a printer is on the printer VLAN.
- Firewalls allow access with ACLs
- User privileges allow access to files
- Defense in depth: multiple layers of security
- If something fails we have another chance to stop or limit the attack
- We have firewalls / DMZs / ACLs
- Windows user rights
- Segregated VLANs
- MFA
- SIEM/SOC monitoring
- Backups
- Make sure to have 2 staff for everything
- 2 helpdesk
- 2 firewall guys
- 2 security guys
- 2 windows guys
- Logging of activity: network / file / DNS / web
- Asset (anything valuable)
- Threat (what we protect against)
- Vulnerability (exploitable weakness)
- Risk (the chance of an asset being compromised)
- Countermeasure (a method of reducing risk)
- Risk management (identify, assess, prioritize and monitor risks)
- The goal of risk management is to eliminate or minimize risk
- Asset classification is needed to distinguish between more and less important assets
- Our customer database is more valuable than a printer but both have value
- Classification helps to better secure them
- Value
- Replacement cost
- Age
- Usefulness
- Unclassified
- Sensitive but unclassified (SBU)
- Confidential
- Secret
- Top secret
- Public
- Sensitive
- Private
- Confidential
- Classifying vulnerabilities helps to find better countermeasures
- Physical
- Human
- Hardware and software
- Incorrect designs
- Misconfiguration
- Weakness in protocols
- Physical (door locks, swipe cards / guards / CCTV)
- Technical/logical (software/hardware)
- Administrative (processes and procedures, guidelines and standards)
Security threats
- Anything that can harm our systems
- A hacker can run a DDoS to take down our systems
- A storm could knock out power to take down our systems
- Hackers
- Criminals
- Terrorists
- Disgruntled employees
- Competitors
- Nation state actors
- Reconnaissance (network scanning / discovery)
- Social engineering (fooling/tricking people)
- Privilege escalation (getting more access, going from user to admin)
- Code execution (activating malicious code)
- Backdoors (remote access software for attackers)
- Covert channels (hidden comms channel)
- Trust exploitation (e.g. a web server in the DMZ is allowed to talk to the DB server on the LAN)
- Man in the middle (proxy to read and/or change data in flight)
- Denial of service attacks (stopping a service from working by overloading it)
- Password guessing and cracking
- Dictionary attack uses a password list of known passwords
- Brute force tries every combination of a password (takes too long if passwords are strong and rotation policies are in place)
IPS fundamentals
- Promiscuous/passive mode
- Fed by SPAN, RSPAN or a network tap
- No added delay, and it can't become a bottleneck
- L2
- L3 (Firepower can do this)
- Throughput and latency
- Fail open or fail closed (if the sensor fails, do we stop all traffic or let it flow?)
- NIPS (network based)
- HIPS (host based, agent installed)
- Signatures (Rules/conditions describing an attack)
- Anomaly detection (Learns normal activity and alerts on strange activity)
- Policy based (Standard rules configured by admin)
- Reputation based (external database has info on attackers like their public IPs/hashes)
- Alert/alarm
- Drop the packet
- Block this connection
- Reset: close the TCP connection (similar to drop/block)
- Shun: block all further traffic from this host
- Block list - attackers
- Allow list - our known good devices that we trust
- True positive - The sensor detected malicious traffic and took the right action, e.g. dropped it
- True negative - Normal traffic did not trigger the system. IPS did the right thing.
- False positive - A signature triggered for normal traffic. Blocked good traffic.
- False negative - The sensor did not detect malicious traffic and it was allowed.
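The detection methods and outcomes above, as an added example that is not part of the notes: a toy sensor that applies an allow list, a block list (shun) and regex signatures, plus a scorer that labels each verdict true/false positive/negative against constructed ground truth. All signatures, IP lists and traffic here are constructed sample data, and the function names are my own.

```python
"""Added example (not from the study notes): a toy signature/reputation IPS
and a scorer that labels each verdict TP / TN / FP / FN against ground truth.
Signatures, IP lists and traffic below are all constructed sample data."""
import re
from collections import Counter

# Constructed signatures: (name, pattern over the payload, action to take when it matches).
SIGNATURES = [
    ("sql-injection-union", re.compile(r"union\s+select", re.I), "drop"),
    ("path-traversal", re.compile(r"\.\./\.\./"), "drop"),
    ("telnet-login-probe", re.compile(r"^login:", re.I), "alert"),
]
BLOCK_LIST = {"203.0.113.9"}   # constructed attacker IP (documentation range)
ALLOW_LIST = {"192.0.2.10"}    # constructed trusted internal vulnerability scanner

# Constructed traffic; "malicious" is the ground truth used only for scoring.
SAMPLE_TRAFFIC = [
    {"src": "198.51.100.7", "payload": "GET /index.html", "malicious": False},
    {"src": "198.51.100.7", "payload": "GET /?id=1 UNION SELECT name FROM users", "malicious": True},
    {"src": "203.0.113.9", "payload": "GET /index.html", "malicious": True},
    {"src": "192.0.2.10", "payload": "GET /../../etc/passwd", "malicious": False},
    {"src": "198.51.100.8", "payload": "GET /docs/union select.pdf", "malicious": False},
    {"src": "198.51.100.9", "payload": "GET /?cmd=whoami", "malicious": True},
]


def inspect(packet):
    """Return (action, reason) for one packet. Precedence mirrors the notes:
    allow list first, then block list (shun the host), then signatures, else allow."""
    if packet["src"] in ALLOW_LIST:
        return ("allow", "allow-list")
    if packet["src"] in BLOCK_LIST:
        return ("shun", "block-list")
    for name, pattern, action in SIGNATURES:
        if pattern.search(packet["payload"]):
            return (action, name)
    return ("allow", "no-match")


def classify(action, malicious):
    """Map a verdict plus ground truth onto the four outcomes from the notes.
    Any non-allow action counts as 'the sensor detected it' (an IDS-mode alert included)."""
    detected = action != "allow"
    if detected and malicious:
        return "TP"
    if not detected and not malicious:
        return "TN"
    if detected and not malicious:
        return "FP"
    return "FN"


def evaluate(traffic):
    """Run the sensor over a traffic list and return outcome counts."""
    counts = Counter()
    for pkt in traffic:
        action, _reason = inspect(pkt)
        counts[classify(action, pkt["malicious"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        action, reason = inspect(pkt)
        print(f"{pkt['src']:<14} {action:<6} {reason:<20} {classify(action, pkt['malicious'])}")
    print(evaluate(SAMPLE_TRAFFIC))
```

Two of the constructed packets show why tuning matters: a harmless PDF filename containing "union select" is blocked (false positive), and a request the signature set has no rule for is allowed (false negative). The allow list sits above the block list and the signatures, which is what lets a trusted scanner run noisy checks without being shunned.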
- FMC is the management VM (can be hosted on site or in cloud)
- FTD is the hardware firewall
- Can deploy as IPS or IDS
- Cisco provides signatures and block lists
Email security
- Spam: unsolicited messages, usually selling something, often scams
- There are different types of malicious email
- The email attachment contains malware and the email asks the user to open the attached PDF
- The email asks the user to click a link, which could deliver malware or ask them to enter credentials
- Often the link is designed to trick the user into thinking it is legitimate, like real-microsoft.com
- The code of the email itself can contain something malicious (block pictures from loading)
- Direct phishing: acting as a trusted party to get confidential data
- Acting as a trusted supplier and asking them to update payment details; often they will try to create fake pressure
- Whaling - targeting the CEO, head of IT, head of accounting, head of sales etc. They will usually have access to important data
- Vishing - phishing but over the phone/voice call
- Smishing - SMS phishing
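The lookalike-domain trick (real-microsoft.com) above, as an added detection example that is not part of the notes: it parses the sender domain out of a From: header and flags domains that embed a trusted brand name as a label or sit within two edits of a trusted domain. The trusted list, the sample headers and the function names are all my own constructions.

```python
"""Added example (not from the study notes): flag From: addresses whose domain
impersonates a trusted brand, the 'real-microsoft.com' trick. The trusted list
and the sample headers are constructed."""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = ("microsoft.com", "site.com", "gmail.com")   # constructed

# Constructed From: headers for the demo.
SAMPLE_FROM = [
    "Joe <joe@site.com>",
    "IT <helpdesk@mail.site.com>",
    "Accounts <pay@real-microsoft.com>",
    "Support <noreply@micr0soft.com>",
    "Bob <bob@gmail.com>",
    "Newsletter <news@example.org>",
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude registrable-domain guess: last two labels (fine for .com-style names)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def lookalike_reason(domain):
    """Return why the domain looks like an impersonation, or None if trusted / unrelated."""
    domain = domain.lower()
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return None                      # the real thing, or a subdomain of it
    labels = set(re.split(r"[.-]", domain))   # real-microsoft.com -> {real, microsoft, com}
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels:
            return f"contains brand '{brand}' but is not {trusted}"
        if edit_distance(reg, trusted) <= 2:
            return f"within 2 edits of {trusted}"
    return None


def sender_domain(from_header):
    """Pull the domain out of a From: header such as 'Accounts <pay@real-microsoft.com>'."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(from_headers):
    """Return [(domain, reason)] for the headers that look like impersonation."""
    flagged = []
    for hdr in from_headers:
        dom = sender_domain(hdr)
        reason = lookalike_reason(dom) if dom else None
        if reason:
            flagged.append((dom, reason))
    return flagged


if __name__ == "__main__":
    for dom, reason in triage(SAMPLE_FROM):
        print(f"{dom:<22} {reason}")
```

Checking the brand against whole labels (split on "." and "-") rather than as a substring avoids flagging names like website.com for a "site" brand. The edit-distance threshold still produces false positives for very short trusted domains, so in practice it is tuned per brand and combined with the ESA's reputation verdict rather than used alone.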
- Email security and enforcement
- Email security
- Reputation filtering based on sender
- Outbreak filtering
- AMP with Talos intel and more
- Policy enforcement
- Inbound/outbound rate limiting
- Encryption
- DLP (drop emails that contain personal info)
- Internet > FW > DMZ > ESA
- In the other setup the ESA has two interfaces so it can talk to the inside server
- Internet > FW > DMZ > ESA > Inside > LAN email server
- Virtual ESAV
- Hybrid - cloud for inbound, on-prem for outbound
- Emails are forwarded based on the destination domain name, e.g. joe@site.com
- DNS lookup on site.com, specifically a mail exchange (MX) lookup on the domain
- site.com has an MX record created which points to the IP(s) of its mail server
- There may be MX > hostname, then an A lookup for that hostname to get the IP
- In the end we look up the IP of where to send the email
- Domain is site.com
- Public DNS / Internet > router > ASA > DMZ > ESA > SW > Email server
- Sending to joe@site.com
- We send to our local SMTP server, let's say Gmail
- That mail server looks up the MX record of site.com
- email.site.com
- This will resolve to the IP of the ESA
- The ESA receives the email and inspects it
- If it's all good it's forwarded to the inside email server
- PC > SW > Email server > ASA > ESA
- Joe wants to send an email out to bob@gmail.com
- If it was a local address like it@site.com then the email server could just send direct because it's trusted
- Since it's an external email domain (gmail.com) the email will be sent to the ESA
- The ESA now inspects it
- It then does an MX lookup on gmail.com
- Then sends the email to the IP of the Gmail email server
- The key takeaway here is that inside/LAN mail may be configured to go direct
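The inbound and outbound flows above, as an added example that is not part of the notes: a simulated MX-then-A lookup over a constructed in-memory zone, the inside server's local-versus-external decision, and the resulting hop list through the ESA. The ESA and server IPs, the gmail.com MX hostnames and the function names are all constructed for the example; a real MTA would query DNS instead of the ZONE dictionary.

```python
"""Added example (not from the study notes): simulates the MX-based routing the
notes walk through for site.com, using a constructed in-memory DNS zone rather
than real DNS lookups. All IPs and the gmail.com MX hostnames are constructed."""
LOCAL_DOMAIN = "site.com"
ESA_IP = "198.51.100.25"            # constructed: public IP of the ESA in the DMZ
INSIDE_MAIL_SERVER = "10.0.0.5"     # constructed: LAN email server

# Constructed zone data. MX records are (preference, hostname); lower preference wins.
ZONE = {
    "MX": {
        "site.com": [(10, "email.site.com")],
        "gmail.com": [(20, "mx2.gmail.com"), (5, "mx1.gmail.com")],
    },
    "A": {
        "email.site.com": ESA_IP,
        "mx1.gmail.com": "192.0.2.27",
        "mx2.gmail.com": "192.0.2.28",
    },
}


def resolve_mx(domain):
    """MX lookup: hostnames ordered lowest preference first, as a sending MTA tries them."""
    records = ZONE["MX"].get(domain.lower())
    if not records:
        raise LookupError(f"no MX record for {domain}")
    return [host for _pref, host in sorted(records)]


def resolve_a(hostname):
    """A lookup: MX targets are hostnames, so a second lookup turns them into an IP."""
    return ZONE["A"][hostname.lower()]


def mail_server_ip(domain):
    """MX then A: 'in the end we look up the IP of where to send the email'."""
    return resolve_a(resolve_mx(domain)[0])


def recipient_domain(address):
    return address.rsplit("@", 1)[1].lower()


def route_from_inside(recipient):
    """Decision the inside email server makes for mail from a LAN user.
    Local mail goes direct; anything external is handed to the ESA, which inspects it,
    does the MX lookup and delivers to the remote server."""
    domain = recipient_domain(recipient)
    if domain == LOCAL_DOMAIN:
        return [("inside-email-server", INSIDE_MAIL_SERVER)]
    return [("esa", ESA_IP), ("remote-mx", mail_server_ip(domain))]


def route_from_internet(recipient):
    """Path an outside MTA takes to deliver to joe@site.com: MX -> ESA in the DMZ -> inside server."""
    domain = recipient_domain(recipient)
    if domain != LOCAL_DOMAIN:
        raise ValueError(f"{domain} is not hosted here")
    return [("esa", mail_server_ip(domain)), ("inside-email-server", INSIDE_MAIL_SERVER)]


if __name__ == "__main__":
    print("gmail.com MX order:", resolve_mx("gmail.com"))
    print("joe@site.com -> it@site.com:", route_from_inside("it@site.com"))
    print("joe@site.com -> bob@gmail.com:", route_from_inside("bob@gmail.com"))
    print("bob@gmail.com -> joe@site.com:", route_from_internet("joe@site.com"))
```

The gmail.com zone entry is deliberately listed out of order so that resolve_mx shows the preference sort; the point for the design is that site.com's MX only ever advertises the ESA, so every inbound message is inspected before the inside server sees it, while local-to-local mail never leaves the LAN.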
- Cisco's web proxy, but really replaced by Cisco Umbrella now
- Fast web proxy with advanced content filtering
- Designed for HTTPS and FTP
- Strong caching, inspection, policy enforcement and anti-malware
- Relies on multiple technologies and engines
- URL filtering
- AVC - Application visibility and control
- L4 traffic monitor (like an IDS)
- HTTPS decryption (also available in FTD and Cisco Umbrella)
- L4 traffic monitor
- Explicit forward mode (client needs config, e.g. from a PAC file)
- Transparent mode - clients don't need any config; WCCPv2 needs to be set up.
- Traffic is redirected to the WSA by a router/ASA/L4 switch using WCCPv2
- LAN > WSA > ASA > Internet
- L4TM uses a SPAN port/hub/network tap.
- AV: Windows Defender, 3rd-party tools like Sophos, Cisco AMP
- Software firewall
- Encryption
- Host based IPS (HIPS)
- Malware: any software that is bad (worms / viruses / droppers / adware / spyware etc.)
- Adware - shows ads to the user and generates money for the owner
- Spyware - gathers info from the PC and sells the data to data brokers. Some may steal bank details etc.
- Ransomware - locks the PC / encrypts file shares and demands a ransom to unlock
- Virus - it may just copy itself, but could destroy your system etc. It depends on the payload
- Worm - self-replicating, doesn't need to be executed by the user.
- Trojan - usually provides remote access to an attacker and makes the machine part of a botnet
- Signatures - can't detect zero-days, and often miss variants
- Heuristics - sandbox and execute the file and see if it behaves like malware; can find variants.
- Behavioural - watches for command tools / tactics used by attackers. Can catch zero-days but not always.
- Most modern AVs will use a combination of these
- Signatures must always be kept up to date, so cloud-connected AV is best
- This is a firewall running on the endpoint
- A network firewall like ASA / FTD / Palo Alto protects multiple endpoints
- On Windows it's Windows Firewall (and 3rd parties)
- On Linux it's iptables
- Uses but doesn't rely on signatures
- It's connected to the network firewall too
- It's also logging what actions were taken on a PC
- Suspect files can be uploaded to Cisco for analysis and sandboxing
- If a file is discovered to be malicious later, AMP has a record and can go back and remove it everywhere (retrospective security)
- It offers before / during / after protection
- The private key and passphrase should be kept safe
- Many modern OSes build it in
- Windows has BitLocker
- OS X has it too.
- Many Linux distros offer it too
- We can encrypt single files/folders or whole disks
- Whole-disk encryption is common in the corporate world in case a laptop is lost or stolen