Professional Documents
Culture Documents
APNIC Slides - Cybersecurity Fundeimental
APNIC Slides - Cybersecurity Fundeimental
2 v1.0
Speakers
3 v1.0
Overview
4 v1.0
Information Security Landscape
5 v1.0
Security Breaches
Ref:
http://www.informationisbeautiful.net/
visualizations/worlds-biggest-data-
breaches-hacks/
Shortened: https://goo.gl/P1279w
6
6 v1.0
Security Breaches
• haveibeenpwned.com tracks
accounts that have been
compromised and released
into the public
❑ 346 pwned websites
❑ 6,931,949,148 pwned accounts
❑ 90,470 pastes
❑ 111,609,979 paste accounts
7
7 v1.0
Security Breaches
8
8 v1.0
Security Breaches
9
9 v1.0
Definition in Information Security
10 v1.0
InfoSec Definitions
11
11 v1.0
InfoSec Definitions
12
12 v1.0
InfoSec Definitions
13
13 v1.0
InfoSec Definitions
14
14 v1.0
InfoSec Definitions
On the night of Wednesday, August 27, two men dressed as computer technicians and
carrying tool bags entered the cargo processing and intelligence centre at Sydney
International Airport.
They presented themselves to the security desk as technicians sent by Electronic Data
Systems, the outsourced customs computer services provider which regularly sends people
to work on computers after normal office hours.
After supplying false names and signatures, they were given access to the top-security
mainframe room. They knew the room's location and no directions were needed.
Inside, they spent two hours disconnecting two computers, which they put on trolleys and
wheeled out of the room, past the security desk, into the lift and out of the building.
15
15 v1.0
InfoSec Definitions
16
16 v1.0
InfoSec Definitions
17
17 v1.0
InfoSec Definitions
CONSEQUENCE
❑ Commonly used in real-world risk Medium Low Medium High
18
18 v1.0
InfoSec Definitions
19
19 v1.0
InfoSec Definitions
20
20 v1.0
InfoSec Definitions
• Defence In Depth
• Discuss: Imagine you had a bar of gold to protect
❑ What container would you put it in?
❑ What room would the container be in?
❑ What locks are on the doors?
❑ Where is the room located in the building?
❑ What cameras are watching the room and building?
❑ What humans are watching the cameras?
❑ Who will respond with force to a theft attempt?
❑ Bonus question: How much did all of this cost?
22
22 v1.0
InfoSec Definitions
23
23 v1.0
CSIRT/CERT Introduction
24 v1.0
CSIRT / CERT
25 v1.0
Constituency
26 v1.0
Different Types of CSIRTs
• Enterprise CSIRTs • Analysis Centers
❑ provide incident handling services to • focus on synthesizing data from various
their parent organization. This could sources to determine trends and
be a CSIRT for a bank, a patterns in incident activity. This
manufacturing company, an ISP, a information can be used to help predict
university, or a federal agency. future activity or to provide early
warning when the activity matches a set
• National CSIRTs of previously determined characteristics.
❑ provide incident handling services to • Vendor Teams
a country. • handle reports of vulnerabilities in their
• Coordination Centers software or hardware products. They
may work within the organization to
❑ coordinate and facilitate the determine if their products are
handling of incidents across various vulnerable and to develop remediation
CSIRTs. Examples include the CERT and mitigation strategies. A vendor
Coordination Center or the United team may also be the internal CSIRT for
States Computer Emergency a vendor organization.
Readiness Team (US-CERT). • Incident Response Providers
• offer incident handling services as a for-
fee service to other organizations.
27 v1.0
Why a CSIRT?
• Security Incidents Happen! • Security Improvements
❑ Execute incident response plans
• Analyze Incidents and Provide
Assurance to customers and
Lessons Learned
❑
stakeholders
❑ Best Practice • Resource Allocation
• Mitigate Loss or Damage • Dedicated Service(s)
❑ Point of Contact • Human Resources, Skills
❑ Governance
• Specific Polices and SOPs
• Compliance to Standards
❑ Cyber Security Framework • Point of Contact
❑ ISO 27001, ITIL
❑ Compliance with Law or
Regulations
28 v1.0
Whois Database: Incident Response Team Object
inetnum: 1.1.1.0 - 1.1.1.255
netname: APNIC-LABS
descr: Research prefix for APNIC Labs
descr: APNIC
country: AU
admin-c: AR302-AP
tech-c: AR302-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-AU-APNIC-GM85-AP
mnt-irt: IRT-APNICRANDNET-AU
status: ASSIGNED PORTABLE
changed: hm-changed@apnic.net 20140507
changed: hm-changed@apnic.net 20140512
source: APNIC
irt: IRT-APNICRANDNET-AU
address: PO Box 3646
address: South Brisbane, QLD 4101
address: Australia
e-mail: abuse@apnic.net
abuse-mailbox: abuse@apnic.net
admin-c: AR302-AP
tech-c: AR302-AP
auth: # Filtered
mnt-by: MAINT-AU-APNIC-GM85-AP
changed: hm-changed@apnic.net 20110922
source: APNIC
29 v1.0 29
Infrastructure Security Fundamentals
30 v1.0
Device Access Control (Physical)
• Lock up the server room. Equipment kept in highly restrictive
environments
• Set up surveillance
• Make sure the most vulnerable devices are in that locked room
• Keep intruders from opening the case
• Protect the portables
• Pack up the backups
• Disable the drives
• Social engineering training and awareness
• Console access
❑ password protected
❑ access via OOB (Out-of-band) management
❑ configure timeouts
31 v1.0
Fundamental Device Protection (Logical)
• Secure logical access to routers with passwords and timeouts
• Never leave passwords in clear-text
• Authenticate individual users
• Restrict logical access to specified trusted hosts
• Allow remote vty access only through SSH
• Protect SNMP if used
• Shut down unused interfaces & unneeded services
• Ensure accurate timestamps for all logging
• Create appropriate banners
32 v1.0
Management Plane Filters
• Authenticate Access
• Define Explicit Access To/From Management Stations
❑ SNMP
❑ Syslog
❑ TFTP
❑ NTP
❑ AAA Protocols
❑ SSH
33 v1.0
Secure Access with Passwords and Logout Timers
34 v1.0
Radius Authentication (AAA)
aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
radius-server host 192.168.1.250 auth-port 1812 acct-port 1813
radius-server key 7 0130310759262E000B69560F
35 v1.0
Never Leave Passwords in Clear-Text
• operations
Shut down unused interfaces & unneeded services
❑ Cisco proprietary encryption method
• Ensure accurate timestamps for all logging
• secret command
• Create appropriate banners ❑ Uses MD5 to produce a one-way hash
❑ Cannot be decrypted
❑ Use “command secret 5 <password>”
to cut/paste another “enable secret” password
36 v1.0
Authenticate Individual Users
37 v1.0
Restrict Access to Trusted Hosts
38 v1.0
Securing SSH
39 v1.0
Securing SNMP
40 v1.0
Turn Off Unused Services
Feature Description Default Recommendation Cisco IOS Command
CDP Proprietary layer 2 protocol Enabled no cdp run
between Cisco devices
TCP small servers Standard TCP network services: IOS V11.3: disabled This is a legacy feature, disable no service tcp-small-
echo, chargen, etc IOS V11.2: enabled it explicitly servers
UDP small servers Standard UDP network services: IOS V11.3: disabled This is a legacy feature, disable no service udp-small-
echo, discard, etc IOS V11.2: enabled it explicitly servers
Finger Unix user lookup service, allows Enabled Unauthorized persons don’t no service finger
remote listing of logged in users. need to know this, disable it.
HTTP server Some Cisco IOS devices offer web- Varies by device If not in use, explicitly disable, no ip http server
based configuration otherwise restrict access
Bootp server Service to allow other routers to Enabled This is rarely needed and may no ip bootp server
boot from this one open a security hole, disable it
41 v1.0
Turn Off Unused Services
Feature Description Default Recommendation Cisco IOS Command
PAD Service Router will support X.25 packet Enabled Disable if not explicitly needed no service pad
assembler service
IP source routing Feature that allows a packet to Enabled Can be helpful in attacks, no ip source-route
specify its own route disable it
Proxy ARP Router will act as a proxy for layer Enabled Disable this service unless the no ip proxy-arp
2 address resolution router is serving as a LAN bridge
IP directed Packets can identify a target LAN Enabled (IOS V11.3 & Directed broadcast can be used no ip directed-broadcast
broadcast for broadcasts earlier) for attacks, disable it
42 v1.0
Configuration Example
43
43 v1.0
Ensure Accurate Timestamps for all Logging
44 v1.0
Configuration change logging
Router# configure terminal
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging enable
Router(config-archive-log-config)# logging size 200
Router(config-archive-log-config)# hidekeys
Router(config-archive-log-config)# notify syslog
45 v1.0
Create Appropriate Banner
46 v1.0
Data Plane (Packet) Filters
47 v1.0
Filtering Deployment Considerations
48 v1.0
Filtering Recommendations
• Log filter port messages properly
• Allow only internal addresses to enter the router from the internal interface
• Block packets from outside (untrusted) that are obviously fake or commonly
used for attacks
• Block packets that claim to have a source address of any internal (trusted)
network.
49 v1.0
Filtering Recommendations
50 v1.0
RFC2827 (BCP38) – Ingress Filtering
51 v1.0
BCP38
ISP A
Enterprise B
Whole IP address block: 10.0.0.0/8
52 v1.0
Techniques for BCP38
53 v1.0
Infrastructure Filters Summary
54 v1.0
General Filtering Best Practices
• Explicitly deny all traffic and only allow what you need
• The default policy should be that if the firewall doesn't know
what to do with the packet, deny/drop it
• Don't rely only on your firewall for all protection of your
network
• Implement multiple layers of network protection
• Make sure all of the network traffic passes through the
firewall
• Log all firewall exceptions (if possible)
55 v1.0
Cryptography
56 v1.0
Cryptography
• Terminology
❑ Cryptography
▪ From Greek, “crypto” meaning hidden or secret, “graphy” meaning writing
❑ Cryptanalysis 57
57 v1.0
2
Cryptography
ENCRYPTION DECRYPTION
ALGORITHM ALGORITHM
Plaintext Ciphertext Plaintext
Symmetric Key
Cryptography Shared Key Shared Key
Asymmetric Key
Cryptography Public Key Private Key
58 v1.0 58
Symmetric Key Algorithm
• Examples:
❑ DES, 3DES, AES, RC4, RC6, Blowfish
59 v1.0 59
Symmetric Key Algorithm
ENCRYPTION DECRYPTION
ALGORITHM ALGORITHM
Symmetric Key
Shared Key Shared Key Cryptography
60 v1.0 60
Asymmetric Key Algorithm
61 v1.0 61
How Public Key Cryptography works
Alice and Bob, they are using Public Key pairs to communicate.
What are the keys do they have?
62 v1.0
How to Use Public Key Cryptography
Alice and Bob, they are using Public Key pairs to communicate.
63 v1.0
Communication between Alice and Bob for Encryption
Alice Bob
Alice Bob
64 v1.0
Use Case
• email
❑ encrypting: to send confidential information
❑ signing: to prove the message actually comes from you and is not
modified during delivery
• File distribution
❑ signing: to prove the contents is distributed by you and not modified
since signed
❑ you can generate separate signature file if needed
▪ you have the original file and signature file for it
65 v1.0
Cryptography
❑ Common implementations
▪ SSL 66
▪ PGP / GPG
66 v1.0
VPN and IPsec
67 v1.0
Virtual Private Network
69 v1.0 69
IPsec
• Confidentiality
❑ By encrypting data
71 v1.0 71
Benefits of IPsec
• Anti-replay protection
❑ Optional; the sender must provide it but the recipient may ignore
• Authentication
❑ Signatures and certificates
❑ All these while still maintaining the ability to route through existing
IP networks
• Key management
❑ IKE – session negotiation and establishment
❑ Sessions are rekeyed or deleted automatically
❑ Secret keys are securely established and authenticated
❑ Remote peer is authenticated through varying options
72 v1.0 72
Authentication Header (AH)
73 v1.0 73
Encapsulating Security Payload (ESP)
• Uses IP protocol 50
• Provides all that is offered by AH, plus data confidentiality
❑ uses symmetric key encryption
• Must encrypt and/or authenticate in each packet
❑ Encryption occurs before authentication
• Authentication is applied to data in the IPsec header as well
as the data contained as payload
74 v1.0 74
IPsec Architecture
AH Security
Authentication Header Protocols
Encapsulating Security
Payload
IKE
75 v1.0 75
Working Process of IPsec
IKE Phase 2
3
IPsec Tunnel
76 v1.0 76
IPsec Modes
• Tunnel Mode
❑ Entire IP packet is encrypted and becomes the data component of a
new (and larger) IP packet.
❑ Frequently used in an IPsec site-to-site VPN
• Transport Mode
❑ IPsec header is inserted into the IP packet
❑ No new packet is created
❑ Works well in networks where increasing a packet’s size could cause
an issue
❑ Frequently used for remote-access VPNs
77 v1.0 77
Tunnel vs. Transport Mode IPsec
IP IP
IPsec TCP Transport Mode
Header Header Header Payload
IPsec
78 v1.0 78
Capture: Telnet
79
79 v1.0
Capture: Telnet + IPsec
80
80 v1.0
IPsec Best Practices
81 v1.0 81
DoS and DDos
82 v1.0
What is DoS and DDoS?
83 v1.0
Impacts of a DDoS
84
84 v1.0
DoS by Layers
Protocols and
OSI Model TCP/IP Model Services Attacks
85 v1.0
Anatomy of a Plain DoS Attack
Attacker
(1) Attacker send any valid or
invalid traffic to the target
Target server
IP = 10.10.1.1 86
86 v1.0
Anatomy of a Plain DDoS Attack
Target server
IP = 10.10.1.1 87
87 v1.0
Anatomy of a
Reflected Amplification Attack
... 88
Target server
(4) evil.com responds
IP = 10.10.1.1 with 4000 byte TXT record evil.com
Open recursive authoritative
DNS servers name server
88 v1.0
Reflection and Amplification
https://www.us-cert.gov/ncas/alerts/TA14-017A
89 v1.0
Amplification Factors
Bandwidth Bandwidth
Amplification Amplification
Protocol Factor Protocol Factor
Multicast DNS (mDNS) 2-10 LDAP 46 to 55
BitTorrent 3.8 TFTP 60
NetBIOS 3.8 Quake Network Protocol 63.9
Steam Protocol 5.5 RIPv1 131.24
SNMPv2 6.3 QOTD 140.3
Portmap (RPCbind) 7 to 28 CHARGEN 358.8 90
90 v1.0
DNS Amplification Example
92 v1.0
Any questions?
93 v1.0
Acknowledgements
94 v1.0
APNIC Helpdesk Chat
95 v1.0
96 v1.0
97