SEC602 – Scanning and Remediating Vulnerabilities with OpenVAS

For this task I will invistage the Check for weak SSL cyhpher. Some older chyspers have a limit to the length of the key making them possible to crack this is likely to be the corse of the error this can be fix by changing the SSL key for a longer one. Some older way of forming cyphers are insecure and can be avoided. The strength of these cythers is mainly judged based on how long it would take to crack any given encription. Any thing which is insecrue will considered weak, anything that will take 10 year to crack is considered median and anything longer is considered strong. It is possible take we could change any SSL we used to be of at least a mediaum level by it is better to keep all sercuirty and the greates level possible so we should aim for strong cyphers.

The CVSS Score is a system for scoring how much of a risk any given vanrability is so people can decide in what order they go about fixing the vanrability. The CVSS database store vanrabilities basied on their score and also explains what percentage of vanrability each score makes up. The database sort infomration such as the complexability of useing an explore, if a explort can be access remotely and what products the vanrability effect. Some of the infomration stored here effects the score that a product gets, for example most 10 scores are low to medium complexity and can be use remotely making them more serious threats. While most 2 to 3 score recquire local access to the device to access and have complexity scores from low to high.

To use a vanrability scanner to find explores a user would need to scan the system a device for vanrability. Once vanrability are found the user need to priorities what order the explorts will be dealt with, in most cases the scaner should be able to help by providing scores for this. Once the order is decided the user would need to research the issue, although some scanner might provide information it is best to do some research if conditions allow. Once the high prioity epoloits are fix it is best to rescan the system to check that the issues were actual resolve, multiple scan are also useful as the scanner can often miss vanrabilities and rescanning allows the users to find any issues which were missed. Once this is completed the user can then repeat this processes until as many of the vanbility as fessible are fixed. It is best to resolve as many issues as possible but due to time constrants it can be not possible to clear all isssue which is why we complete high piroity issues first.

SEC602-Network Vulnerabilities Part 2

A DOS attack is when a person or group send thousands of messages to a server in an attempt to slow or bring down the server. By sending thousands of messages to a server the server gets overwhelmed trying to process the information this courses the server to slowdown or in some cases completely stop working. Because of this normal users can’t access the server normally as the server is too busy trying to deal with all of the bot spam. One important part of a DOS attack is the portraiture needs to have significantly good equipment as they need good internet and hardware to be able to send enough information to overwhelm the server.

Hping3 is a more advance form of the normal ping function and is able to properly produce many form of basic network communications. It’s many purpose is to send different forms of packets to test things such as firewall rules. In this lab we used Hping to affect the funtionally of a web server. Normally Hping would send a small packet of a certain procol type the server would recieve it and send back a responce. Under normal cercamstance this wouldn’t effect the funtionality of the server however because we send a large string of this small packets the server go overwelmed trying to reply to them all, this corsed a slow down in the sever due to the DOS attack.

Phishing is a term to describe when one person masquerades as another to trick someone into giving them information or preforming a certain task such as downloading malware. Phishing is one of the most common forms of hacking nowadays. An anti-phishing tool bar like the one used in this lab add functionality to the browser to allow the browser to identify whether or not a given site is the one which the user thinks it is. This is useful as in a lot of cases a user can have trouble spotting the difference between a fake site and a real one especially if the users isn’t looking for clues that a site is fake. How a anti-phishing tool bar like the one we used work is it checks a sites URL agains an online database similarly to how an anti-virus works.

SEC602 – Backup and Recovery

Windows server has the ability to create backups. A system can be restored to the point in which it was backed up. This allows for easy recovery if something goes wrong with the system. As part of this lab we set up an automatic backup, this backup was set to happen daily this means that at a certain point in the day the entire the backup will happen. As every business will have a different needs when it comes to acceptable data lose and heavy traffic hour it is important to plan backups at time and intervals which suit the company. We can also choice where the back up is stored in the case of this lab we stored it on a partition on the computer however it would be wise to store backups away from the central system because if anything happen to the computer the backup will also be damaged. When we were setting up the backup we got to choice what part of the system which we backup in this case we choose to back up the system state but businesses will once again have different needs. Some businesses may only need files backup while others will need the entire system backup. When restore a backup will take the system back to the point it was at when it was backed up, if the backup is only partial it will only restore that part of the system.

A backup system allows a company to be assured that if something goes wrong they will not lose all of their data and/or wont have to completely rebuild there system. By having regular backups occur during low traffic times for the system the users are able to be able to at any point restore the system to how it was when it was backed up. This is significantly faster than rebuilding the system from scratch and restarting all of the lost work. Because of this a backup can save companies time and money if anything goes wrong. Although backups are a good for of insurance they have a few costs. A back up requires a lot of space as such can be vary resource intensive. Backups also take time to preform and have to be segued around times when their is a low amount of traffic in the network.

Backups are an important part of security as most businesses wont be able to handle losing even a small amount of work such as a days work, therefore it is important to be able to use backups efficiently. I think that this lab would have been better if it went into more detail on different types of backups such as incremental as it is likely most businesses wont have the ability to fully backup the system fully everyday. The lab should have also gone into detail into how to archive and delete backups. This is an important part of backups as it is important to save older backups for sometime after a new backup is created just encase their are any issues with the new backup such as malware but a company can’t afford to store backups indefinitely.

SEC602 – Data Encryption

Bitlocker is a program which allows for volumes of data to be encrypted and protected by a password. Bitlocker also allows for recover keys to be generated to gain access if the user forgets their password. The purpose of this encryption is to prevent access to information by unauthorized users. The prescription on the dive means that even if a user uses a tool like karli linix to gain access to the drive the information will be encryption and is therefore useless. To gain access to the drive a user must enter their password in the drive. Once the password has been enter the user won’t need to enter the password again until the computer is restarted. If the user forgets there password they can instead use a recovery key which is generated when the device is first encrypted to unencrypted the device.

Bitlocker allow a user to protect a drive from interference through a password or smart card. Bitlocker provides more protection that a standard password like a computer has as it encrypts the data on the drive preventing someone from access the drive through no standard means such as with karli linux. If someone gain access to the the device through means such as forge-ting to lock the system or someone using an exploit to get past the login screen the that person still wouldn’t be able to gain access to the encrypted files.

Data recovery keys should be stored away from the device they are for too prevent the key from being found by someone trying to access the encrypted device. It would be preferable for the device to not be one which is in use such as a desktop as this runs the risk of someone finding the password by accident. I believe that the recovery key should be stored on a device such as a USB as a USB can easierly be stored somewhere safe. I would also recommend that device the key is stored on be stored in a safe place such a safe.

Encryption is an important way to protect information which needs to be protected. Since bit locker is an a tool which comes with many modern windows systems it is likely to be commonly used in bussnesses. I therefore believe that it would be a useful tool to know how to use. It is also important to think about how to store recovery tools as with out them data can be lost which can be debilitating for a company depending on how important that information is. If the recovery key is too easy to find it will likely be easy for someone to bypasses the encryption making it worthless. It would be useful for the lab to cover other types of encryption as it is possible that not all businesses will use bitlocker.

SEC602 – Implementing DNSSEC

The purpose of DNS is to translate human readable names of sites into IP addresses. DNS is insecure as when a device requests a response from a DNS server that device has no way of knowing if the response it receives is from the DNS server it wished to contact. DNSSEC is an extension on normal DNS functionality, adding the ability for the DNS server to authenticate it’s self using a Pre-shared key. During this lab we configure DNS servers to function with DNSSEC.

For this lab we created our own primary look up zone to configure as to not interfere with the labs system this zone is what were configured to work with DNSSEC. The zone was configured with a default key. Once the zone was configured it was possible to share the dns information like another file in the network. This allowed as to create a second server which didn’t sort any of it’s own DNS records but instead gain them from the original server.

On top of the read only server and the master server we also created a second DNS server for redundence. By creating multiple server which all share the same authentication information it is possible to create trust within the server.

Once DNSSEC was set up we were able to replicate the information about the DNS servers to the devices in the network. This can be done manually but is more efficient to do with policies.

Once set up computers on the network were able to gain DNS records from the appropriate server. However as part of this activity we explored ways to prevent the server from working such as clearing caches from the a server or removing/changing the PSK. Were also briefly touch uppon creating customer keys in which we created a key which was as large as the system allowed us to create.

Further thoughts:

DNS is a common service which is needed for most internet functionality, it is therefore important for it to be secure. Without authentication it would be easy for a bad actor device on the network to redirect traffic to malisices sites by creating false DNS records. Therefore I believe it is important to be able to properly configure DNSSEC. I think that this lab did a good job of demonstrating the chains of trust which are used when setting up DNSSEC.

SEC602 – Implementing a Network Policy Server

In this lab we implemented RADIUS which is feature which allows users to connect to a centralized server. RADIUS allows authenticated, authorized users to connect to a single centralized server which can provide functionally such as being able to mange use from a single databases and being able to record a users usage of a system. RADIUS allows the use to decide which users can connect to a system this can either be based on factors such as IP address or based on users/groups. RADIUS can also take logs of what activities users preform. These log store information such as user credentials, IP address and duration of connection.

In this lab we set up a VPN which would only let devices with IP addresses ranging from 10.10.0.100 to 10.10.0.120 and who were part of the user group generalit. From these sercurity setting we can assume only devices on this network could connect to the VPN we set up. We can also see that if a user is not part of the generalit group they are unable to connect as scene by john.summers who couldn’t connect to the vpn. Another security function we set up was the logging of connections. For this activity were set the server to create a daily log called In{date} this allows us to monitor what events have occurred on the server.

The log we create were in plain text form meaning that they can easily be read by anyone with access to them. However we did also use third part pieces of software to between sort and view the logs. In the log were contained information such as IP, addresses names of users, time of connection and if the connection was successful. As we set the server to create daily log we can easily find information for a spicific date as each day has it’s own file.

SEC602 -Wi-Fi Access Point Security

An open network doesn’t provide any of the requirements for what is needed so we can ignore this. Like wise only implementing a captive portal doesn’t provide encryption which is one of the requirement for this network.

Schools may not expand in size but we can expect there to be a large fluctuation in the number of students attending the school at any given year, also as technology advances it is likely that move devices will be added on to the network because of this we want to choose a scalable security solution. A virtual private network will not provide the flexibility needed for a school network to cope with fluctuations in traffic. It sis likely that if a large school choose this solution they would need to either purchase hardware for a VPN which is significantly larger than what the school currently needs, which will likely increase the costs for the school or the school would need to limit the number of devices a student can have which could be difficult as VPNs only provide user end validation.

WPA2-PSK + AES is not suitable in my option because even though it provides a lot of what we need for the schools security it has limitations. The scalibility may not be enought for a large school which is likely using BYOD, it’s Authorisation is vendor dependent which could lead to issues if the vendor lies or there is an oversight in what the admonistration chooses to purchase. Because of this I think it would be best to avoid this possible solution.

Out of the remain three options WPA2-EAP with 802.1x, WPA2 with Captive Portal and WPA2+AES+ 802.1x + Per User PSK, WPA2 with Captive Portal is more complicated to connect to. As the demographic for this project is high school students it is likely we want to have the connection process to be as easy as possible because teenagers are likely not going to want to deal with a hard to use complicated system.

In my opion the two remaining options of WPA2-EAP with 802.1x and WPA2+AES+ 802.1x + Per User PSK are comparable to each other. WPA2-EAP with 802.1x is slightly easier to administrate that WPA2+AES+ 802.1x + Per User PSK but is slightly less secure. WPA2+AES+ 802.1x + Per User PSK provides device and user authentication and Authorization. Personal I would use WPA2+AES+ 802.1x + Per User PSK as it is more security and we want to have the network be as secure as feasibly possible. Also from my personal experience teenagers have a habit of tinkering with any part of a network which they have access to. By providing device authentication we can prevent outlier security risks such as students connecting insecure devices to the network.

Some common security issues include that which could come from users in this case students. These include issues such as out of date devices which can be mitigate by only allowing devices with WPA2, bad user log in which can be mitigate by setting stricter password rules and the extension of the networks wireless network outside of the set area or this can be the result of a user adding an additional access point using one of there own devices as a hot spot, though proper group policy and rules these issue can be prevented.

Outside entities might try and gain access to the network as they can see it. Problems such as this can be mitigate by restringing the area the network covers, restricting the times the network is available and having strong sercurity in place to keep unauterised users out.

Other things which need to be considered include BYOD devices needing there own network as they are less controlable that school devices. Special guests needing a larger range of priverlages than a normal guest would need. Students need protecting from certain forms of content so some restrictions need to be put in place.

SEC602 – Firewall Rule Based Management

HTTP uses port 80 and HTTPS uses port 443 for a web server to be able to work with these protocols the firewall would need to allow communications through on these ports.

FTP over TLS/SSL  need to have a rule added to the firewall which allows TCP to pass through insection. The rule can be added with a command like ‘netsh advfirewall firewall add rule name=”FTP for IIS7″ service=ftpsvc action=allow protocol=TCP dir=in’. The user also must disable stateful insection of FTP communications. Port 21 must be open.

SMTP uses port 25 so the firewall must allow commuications on that port through. If an application is being used to manage email on the server the firewall might need the email application added to it’s white list as well.

Remote administration can be implement by selecting the Windows Management Instrumentation exception option on the windows firewall screen. The port 443 must be open.

MariaDB requires both inbound and outbound rules which open port 3306. Although if installed properly these rules should automatically be created. These rules must function on Domain, private, and public networks as such need to work with the 103.28.250.99/192.168.0.2 ip addresses.

MSSQL uses port 1433 with tcp so the fire wall must allow this. For the sever verson of MSSQL an additional port must be opened for UDP this port is 1434.

Rules:

HTTP; Inbound/ Detestation 103.28.251.162 port 80 Source any port 80. Outbound / Detestation Any port 80 Source 192.168.0.1

Firewall rules are important as they allow users to decide what ports and programs are allowed to interact with their system. With out strong rules it becomes easy for outside entities to interact with a system. However, strong rules can prevent programs and services to function properly. This is why is is important to be able to create and manage firewall rules. With additional knowledge of the programs which need to run on a network it could be possible to create firewall rules which only allow desired programs and services to function on the network. I feel that the example used in this lab were not sufficient to learn about configuring firewall rules. Through this lab we only did the most most basic of changes to a preexisting firewall rule. I think that this task would have be a lot more help full if instead on focusing on ‘testing’ the rules of the firewall were working, even though we were turning the same rule off and on, we could have work with different rules or created our own.

SEC602 – Implementing NAT and OpenSSH

This is a limit on how many IPv4 addresses exist to save on the amount of IPs used certain addresses only can exist inside local networks allowing for then to be reused in different networks. That way this is utilised when the private networks are connected to the internet is by utilising NAT. NAT acts as a middle man in communications between local networks and the interenet remembering where each request is going or has come from. NAT firewalls only allow commications which have been requested from devices in a network to pass through. This prevents unwanted files from penetrating the network. By only letting commuications which were requested from with in the network pass we can ensure that any bad actors who are trying to gain access to the network can just access the network, while not interferring with ligitimate request from devices in the network. NAT firewall would normally be pair with other firewall funtionality as many common attacks are not stopped by NAT firewalls such as trojin or phishing attacks.

OpenSSH is a tool which helps to remotely connect to devices. OpenSSH prevents the connect from being observed or interferedwith by encripting the communication between the two devices. As the name surjects the program uses the SSH protocal to complete its commuciations. As part for the program the program provides tools for managing sercurity cetficates. Two uses of OpenSSH are providing sercure commucation with other devices such as in the lab when we connected to a server using SSH. This is important as it allows use to remotely connect to a devices and access it which is an important part of managing networks, OpenSSH also allows us to have this connection being sercure so we don’t have to worry about out side interference. Another use of OpenSSH is to sercure unsecure commucation protocols such as Telnet. As protocals like telnet don’t provide encription on their own and send all of their passwords as plain text we could use SSH to and encryption to these communications. This would be useful if for some reson we needed to use one of these protocols and we wanted to be safe.

Critical thinking

I think it would be useful if this lab when over move uses of the OpenSSH programs as in this lab we only set up a remote connection with the program. We didn’t go over important parts of this connection such as how this connection is encrypted.

I think NAT firewalls are useful tools as we don’t want outside efences to be able to enter our network without permission. I forsee NATfirewalls still be relenvent into the distant future. NAT firewalls use NAT which is a protocal which has come about because of the need to reuse IP addresses. IPv6 doesn’t need to use NAT so there for in the future is is possible that NAT firewalls won’t be as relevent as it is now. Although the need of a stateful filewall is still an important one I believe that spicifically NAT firewall may not be the best solution as they can prevent the implementaion of more robust sercurity techniques which will last the implemetaion of IPv6 and internet of things techonlogies. It is also possible that the implementaion of IPv6 will take such a long time that none of this concerns with ever matter.

SEC602 – Managing Certificates

As discussed in a previous blog the AD certificate services is a windows server role which allows a users to create and manage private keys/cetifications. Thought the certifcation sevices a use can allow users to request certification and them manage the requests. This allows for the server to verifie a users account. Some examples of how Certification can be used includes encripting files and managing emails.

CA Web Enrollment allow from a certficate to be validated or request though a web browser. Through this funtion it is possible for a user to be able to preform basic CA tasks such as requesting a cetification on downloading the centification list.( Archiveddocs. (n.d.). )

Key archival is when a private key is saved so if it is ever lost due to an event such as the destrution of a computer which stored the key or the thieft of a smart card. By saving the key in such a way it can easierly be restore. When a user regains a key they are able to have the same access they had before for example if a user was to encript a file the they would not be able to unencript it until they gain their primary key.

( Key Archival and Key Recovery. (n.d.). )

They Key recovery agent is a service which allows for the recovery of keys on windows server. Windows server does not natively have access to recover keys so without it if a key is lost it is lost perminately.

( Enabling Key Recovery in Active Directory Certificate Services )

One use of User Certification is the ability to encript files. Once a user is validated their certificate can then be used as a key to encripted files. This means to gain access to the files the user would then need to have access to their private key so they could prove who they are. Another use for User Certification is the ability to use it in tandom with windows networking sharing features and group policies this would allow a user to set shares which only users with cetain validations have access too.

Archiveddocs. (n.d.). Certification Authority Web Enrollment Guidance. Retrieved September 2, 2019, from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v%3dws.11)

Enabling Key Recovery in Active Directory Certificate Services. (2009, March 20). Retrieved September 2, 2019, from IT Pro website: https://www.itprotoday.com/active-directory/enabling-key-recovery-active-directory-certificate-services

Key Archival and Key Recovery. (n.d.). Retrieved September 2, 2019, from Versasec website: http://versasec.zendesk.com/hc/en-us/articles/115000828553-Key-Archival-and-Key-Recovery