This blog is all about Cyber Security and IT

Wednesday, March 27, 2019

Understanding the Basics: Confidentiality, Integrity and Availability

Confidentiality, integrity, and availability, often known as CIA, are the building blocks of information security.

Any attack on an information system compromises one, two, or all three of these components. Knowing which of these components an attack compromises most lets efficient security controls be designed accordingly.

Confidentiality

In layman’s terms, something that is confidential is secret and is not supposed to be disclosed to unintended people or entities. What’s the first thing that comes to your mind that needs to be kept confidential? Probably your passwords and ATM PINs. Many parameters and information items may need to be kept confidential during a particular communication. If confidentiality is compromised, it might result in unauthorized access to your systems or severe loss of your privacy!

Integrity

In the context of the information security (InfoSec) world, integrity means that when a sender sends data, the receiver must receive exactly the same data the sender sent. For example, if someone sends the message “Hello!”, then the receiver must receive “Hello!”. Any addition to or subtraction from the data during transit means the integrity has been compromised.

Availability

Availability implies that information is available to the authorized parties whenever required. For example, consider a server that stores the payroll data of company employees. The finance team wants to access it at fiscal year-end for reporting purposes. If the server is able to provide all the requested information to the requestors, then its availability is considered good and healthy. But if the server goes down (for any intentional or unintentional reason) and the finance team is not able to retrieve the required data in time, then we say that the information availability has been affected or compromised.

During an attack on a computer system, at least one of the three, confidentiality, integrity or availability, is affected or compromised.
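The integrity definition above (the receiver must get exactly the “Hello!” that was sent) is easiest to see in code. The following Python is an added example, not part of the original post: the sender attaches an HMAC computed with a shared key (a constructed key is used here; in practice it is provisioned out of band and never travels with the message), and the receiver recomputes it. A plain hash would not be enough, because whoever alters the message in transit could recompute the hash too; the keyed MAC is what ties the check to the two legitimate parties. Note this protects integrity, not confidentiality: the message itself is still sent in the clear.

```python
import hashlib
import hmac

# Constructed shared key for the example only; never hard-code real keys.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: compute the tag that is transmitted alongside the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(protect(message, key), tag)


def demo() -> dict:
    """Show the check passing on the original and failing on modified copies."""
    sent = b"Hello!"
    tag = protect(sent)
    return {
        "intact": verify(sent, tag),            # exactly what was sent
        "tampered": verify(b"Hello!!", tag),    # one byte added in transit
        "truncated": verify(b"Hello", tag),     # one byte removed in transit
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints a dictionary in which only the untouched message verifies; both the addition and the subtraction the post describes are detected.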

Various attacks on Confidentiality, Integrity and Availability

Attacks that affect Confidentiality are:
Packet sniffing, password cracking, dumpster diving, wiretapping, keylogging, phishing

Attacks that affect Integrity are:
Salami attacks, data diddling attacks, session hijacking, man-in-the-middle attacks

Attacks that affect Availability are:
DoS and DDoS attacks, SYN flood attacks, physical attacks on

How to Conduct Pentesting for any organisation (Complete Tutorial)

Pentesting means finding vulnerabilities by using various techniques and methods.

Organisations hire consultants who have a complete team of auditors who perform the pentesting.

Auditors are those who know how to find vulnerabilities and also perform exploits to check for security issues.

Auditors perform the task depending upon the agreement signed between the organisation and the auditors.

Based on the agreement, pentesting will be performed. Just as there are different types of hacking (black, white and grey box), auditors perform pentesting based on the rights provided to them.

Types of hacking

External pentesting
This type of hacking is done from the Internet against the client’s public network infrastructure; that is, against those computers in the organization that are exposed to the Internet because they provide a public service. Examples of public hosts: router, firewall, web server, mail server, name server, etc.

Internal pentesting
As the name suggests, this type of hacking is executed from the customer’s internal network.

Black box hacking
This mode is applicable to external testing only. It is called so because the client gives the consultant only the name of the company, so the auditor starts with no information.

Gray box hacking
This method usually refers to internal pentests. Nevertheless, some auditors also call an external test gray-box hacking when the client provides limited information on the public computers to be audited.

White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentests and is called this way because the client gives the auditor complete information about its networks and systems.

Phases of hacking

Both the auditor and the cracker follow a logical sequence of steps when conducting a hacking. These grouped steps are called phases. There is a general consensus among the entities and information security professionals that there are 5 phases, in the following order:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Erasing Clues
Usually these phases are represented as a cycle, commonly called “the circle of hacking”, to emphasize that the cracker can continue the process over and over again.

However, information security auditors who perform ethical hacking services present a slight variation in the implementation of the phases, like this:

Monday, March 18, 2019

Firewall, IDS, and IPS

The three devices commonly used to provide security are the firewall, the IDS, and the IPS.

Firewall

A firewall is a network security system that actively monitors and regulates inbound and outbound network traffic based on a predefined security ruleset. A firewall typically acts as a barrier between a trusted, secure internal network and an outside network, such as the Internet, which may not be secured enough. A firewall helps screen out malicious users, viruses, and worms that try to access your network from the Internet.

Some firewalls are simply software that runs on your computer, while others are complete hardware devices and appliances. Firewalls can operate on individual hosts but are widely implemented at the network level. Firewalls are often used to create a Demilitarized Zone (DMZ), a physical or logical subsection of a network that separates the internal private LAN from an external untrusted network like the Internet. The resources that need to be accessed externally over the Internet, such as a web server hosting a website, are kept in the DMZ. The remaining resources, like the database server and backup servers, are all kept in the internal private LAN and are not directly accessible over the Internet. Because the resources in a DMZ are directly accessible to the public, they need to be hardened. Firewalls also offer a feature known as stateful inspection, which monitors and keeps track of all network connections and ensures that all inbound packets are the result of an outbound request. This feature was primarily designed to prevent harmful packets from entering the network, and it also defends against common information-gathering techniques like port scanning.

Intrusion Detection System

Unlike a typical firewall, which functions on predefined rules, an intrusion detection system is more intelligent in the way it detects various attacks. While a firewall may just check and restrict access to a particular system (based on IP address and port), the IDS goes the extra mile to check whether the traffic contains any malicious code that might lead to an attack. Just as an anti-virus program has a signature database of known viruses, an IDS has a signature database of known and common attacks. It checks all packets traversing the network and tries to match them against its signature database. If a match is found, it raises an alert about the attack so that the network/system administrator can take appropriate steps to prevent it.

Intrusion Prevention System

An intrusion prevention system does all the jobs that an IDS does, but it also stops the attack (by dropping packets) whenever it encounters malicious traffic in network packets. This ensures an automated response to an attack and reduces manual intervention.
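To make the three roles concrete, here is an added Python simulation (not code from the original post, and not how any real firewall or IDS is implemented): a stateful filter that admits inbound packets only when they answer a connection a LAN host opened, followed by a signature check that either just alerts (IDS mode) or also drops the packet (IPS mode). The LAN range, the two signatures and the traffic sample are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed LAN range for the example; every other address is "the Internet".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed signature database: byte pattern -> rule name.
SIGNATURES = {
    b"' OR 1=1": "sql injection attempt",
    b"/../../": "directory traversal attempt",
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class StatefulFirewall:
    """Let LAN hosts open connections outward and admit inbound packets only
    when they belong to a connection recorded in the state table."""

    def __init__(self) -> None:
        self.connections = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"          # reply to something the LAN asked for
        return "drop"               # unsolicited inbound, e.g. a port-scan probe


def inspect(pkt: Packet) -> Optional[str]:
    """Signature matching as an IDS does it: look inside the payload, not just at addresses."""
    for pattern, name in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


def process(packets: List[Packet], mode: str = "ips") -> List[Tuple[str, Optional[str]]]:
    """Run packets through the firewall and then the IDS/IPS.
    Returns one (verdict, alert) pair per packet. In "ids" mode a signature
    match only raises an alert; in "ips" mode the packet is also dropped."""
    fw = StatefulFirewall()
    results = []
    for pkt in packets:
        verdict = fw.filter(pkt)
        alert = None
        if verdict == "allow":           # only packets the firewall admits are inspected
            alert = inspect(pkt)
            if alert is not None and mode == "ips":
                verdict = "drop"
        results.append((verdict, alert))
    return results


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, b"GET / HTTP/1.1"),      # LAN -> web: allowed and recorded
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK"),     # reply: found in the state table
    Packet("198.51.100.7", 40000, "10.0.0.5", 22),                         # unsolicited inbound: dropped
    Packet("10.0.0.5", 51001, "203.0.113.10", 80, b"GET /?id=' OR 1=1 HTTP/1.1"),  # passes the firewall, hits a signature
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, process(SAMPLE_PACKETS, mode))
```

The third packet shows the stateful-inspection point from the post: nothing in the rules mentions port 22, yet the probe is dropped simply because no LAN host asked for it. The fourth packet is the IDS/IPS point: the firewall has no reason to block it (a LAN host opening port 80 is allowed), so only payload inspection notices it, and the difference between IDS and IPS is whether the verdict changes.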


Do you know where the passwords are stored in Linux?

Two important files in the Linux system are responsible for storing user credentials:

/etc/passwd

This is a text file that stores all the account information (except the password) required for user login.

The following sample entry from an /etc/passwd file will help clarify its components:

1. User Name: This is the username used to log in.

2. Password: An x in this field means that the encrypted password for this user is stored in the /etc/shadow file.

3. User ID (UID): Each user on the system has a unique ID. UID 0 (zero) is reserved for the root user.

4. Group ID (GID): This is the group ID of the group to which the user belongs.

5. User ID Info: This comment field can store additional information about the user, including email, telephone number, and so on.

6. Home Directory: This is the default directory that will be available to the user after login. All the user-specific documents and settings are stored in the respective home directory.

7. Command/Shell Path: This is the path to the command prompt, or shell.

/etc/shadow

This is a text file that stores the actual passwords in hashed format. It also stores parameters related to the password policy that has been applied to the user. Following is an example entry from the /etc/shadow file:

1. Username: This is the username to which the password belongs.

2. Password: This is the password stored in hashed format.

3. Last password change: This field indicates the number of days since the last password change.

4. Minimum Age: This denotes the number of days remaining before the user can change his or her password.

5. Maximum Age: This denotes the maximum number of days after which the user must change his or her password.

6. Expiry Warning: This denotes the number of days before expiry that the user must be warned about the password expiring.

7. Inactive: This is the duration in days after password expiry that the account will be disabled.
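The sample entries the post refers to did not survive on this page, so here is an added Python example (not from the post) that parses constructed /etc/passwd and /etc/shadow lines into the fields listed above and evaluates the ageing policy. It assumes the standard shadow(5) layout: nine colon-separated fields, with the date fields counted in days since 1970-01-01 and the ninth field reserved. It also includes a small defender check that the post's UID remark suggests: any account with UID 0 is root, whatever it is called.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample entries for illustration; not copied from a real system.
PASSWD_SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1001:1001:Alice Example,,555-0100:/home/alice:/bin/bash",
    "backup:x:0:34:backup:/var/backups:/usr/sbin/nologin",   # suspicious: UID 0 but not named root
]
SHADOW_SAMPLE = "alice:$6$constructedsalt$constructedhashvalue:18000:7:90:14:30::"


@dataclass
class PasswdEntry:
    username: str
    password: str       # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str          # the "User ID Info" comment field
    home: str
    shell: str


@dataclass
class ShadowEntry:
    username: str
    password_hash: str
    last_change: Optional[int]   # days since 1970-01-01
    min_age: Optional[int]
    max_age: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]        # absolute account expiry, days since 1970-01-01


def _opt_int(field: str) -> Optional[int]:
    """Empty shadow fields mean 'not set'."""
    return int(field) if field else None


def parse_passwd(line: str) -> PasswdEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(f)}")
    return PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])


def parse_shadow(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    # f[8] is reserved and ignored.
    return ShadowEntry(f[0], f[1], *[_opt_int(x) for x in f[2:8]])


def password_status(entry: ShadowEntry, today_days: int) -> str:
    """Classify the password against the policy fields; today is given as days since epoch
    so the result is deterministic."""
    if not entry.password_hash or entry.password_hash[0] in "!*":
        return "locked"        # no usable hash: password login is impossible
    if entry.last_change is None or entry.max_age is None:
        return "ok"            # no ageing policy applied
    age = today_days - entry.last_change
    if entry.inactive is not None and age > entry.max_age + entry.inactive:
        return "disabled"      # past expiry plus the inactive grace period
    if age > entry.max_age:
        return "expired"       # must change the password at next login
    if entry.warn is not None and age >= entry.max_age - entry.warn:
        return "warning"       # inside the warning window before expiry
    return "ok"


def uid0_accounts(lines: List[str]) -> List[str]:
    """Defender check: list every account that is effectively root."""
    return [e.username for e in map(parse_passwd, lines) if e.uid == 0]


if __name__ == "__main__":
    print(parse_passwd(PASSWD_SAMPLE[1]))
    shadow = parse_shadow(SHADOW_SAMPLE)
    for day in (18050, 18080, 18100, 18125):
        print(day, password_status(shadow, day))
    print("UID 0 accounts:", uid0_accounts(PASSWD_SAMPLE))
```

With the constructed entry (last change on day 18000, maximum age 90, warning 14, inactive 30) the status moves through ok, warning, expired and disabled as the day counter advances, which is exactly the sequence the four policy fields describe; the UID check reports both root and the constructed backup account.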


Wednesday, March 13, 2019

Defensive measures for protection against exploitation in an organisational environment

Create a security policy that includes a section about password guidelines (key length, use of special characters, periodic expiration of keys, account blocking policy, etc.).

Enable auditing services at the operating system level on end-user devices, servers and communications equipment, and use log correlation software to perform event monitoring.

Restrict access to the Administrator and root accounts so that they cannot log on through the network, but only physically at the computer console.

Use port security and network admission control (NAC) on networking devices so that only authorized users can connect to the network.

Replace insecure protocols that send information in plain text, such as HTTP, SMTP, TELNET and FTP, with their secure counterparts, which use digital certificates and encryption for transmission: HTTPS, SMTP, SSL, SSH, SFTP, etc.

Set the switches to detect the sending of gratuitous and unauthorized ARP and other known attacks, and to react to port violations by taking appropriate actions and reporting the event.

Implement secure authentication protocols in wireless equipment and isolate wireless segments from other internal subnets using intelligent next-generation firewalls.

Configure intelligent next-generation firewalls and other network devices to block attacks.

Use network and security management software for threat detection, vulnerability assessment and automatic response to events.

Design and implement an Information Security Policy based on the ISO 27000 standard.

Implement awareness campaigns about good practices in information security for end-users.

Train staff from the IT and related departments in information security and specialized topics such as ethical hacking, computer forensics and defense mechanisms.

Define profiles for IT personnel and establish which international certifications in information security your staff must obtain according to their position.

Tuesday, March 12, 2019

Preventive Measures to Stop Enumeration

Multiple protocols are susceptible to enumeration, so we should ask our client which ones are really needed in the network. The obvious preventive measure is to disable those insecure protocols that are not required in the network. However, this is not always feasible, especially if there are legacy applications in the organization that depend on insecure protocols to operate and for which no migration is scheduled in the short term.

Some defensive measures that you can suggest to your client are:

Configure filter rules on the perimeter firewall(s) so that protocols susceptible to enumeration that do not perform a public function are not exposed to the Internet (e.g. NetBIOS).

Implement a migration plan to update the versions of legacy operating systems and applications periodically, based on cost/benefit. In companies where the number of workstations is large, you might consider a project to replace the desktops with thin clients using virtualization. License costs are usually lower in virtual environments.

Similarly, in environments with many servers, a consolidation process could provide savings not only in energy consumption, but also in the maintenance costs of hardware/software and administration.

If you have a predominantly Windows network, you can deploy Active Directory policies to prevent the establishment of null logon sessions and disable login through the network for the built-in Administrator account. However, care must be taken with legacy programs that could use null sessions.

Monday, March 11, 2019

Defensive measures to reduce exposure of vulnerabilities during scanning

Although the only 100% secure network is the one that is disconnected, we may take defensive measures that help us minimize security risks in our infrastructure during a scan.

Here are some precautions that we can take:

To start, you cannot scan an application that is not installed. This means that before putting a target into production we should do a “hardening” of the operating system, applications and services.

Hardening means “minimize”. Therefore, for a server that performs a specific function there is no point in enabling unnecessary services, nor should applications be installed that do not serve the intended purpose. For example, if the target is only a web server (HTTP/HTTPS), why would an IRC (chat) service need to be enabled?

By not leaving unnecessary applications active on the equipment, we prevent their potential vulnerabilities from becoming a point of future exploitation.

Enable automatic updates of the operating system patches that fix security issues, so that they are installed in a timely manner.

Keep up support contracts with the hardware/software providers so you can reach them in case of an eventuality, for example a zero-day vulnerability (for which there is no patch yet).

Redesign the network to include security measures such as segmentation, separating security zones with intelligent next-generation firewalls.

Set rules in firewalls to filter unauthorized access to ports from the Internet and from internal subnets.

Install intrusion prevention systems (IPS) that can work with firewalls and other network devices to detect threats (such as ping sweeps, mass scanning, etc.) and block them immediately.

Perform periodic analysis of vulnerabilities to detect any possible threats to the security of our network and take appropriate corrective actions.
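The IPS item above mentions detecting ping sweeps and mass scanning. The following Python is an added example (not from the post, and not the logic of any particular product) of the simplest form of that detection, run over constructed, simplified iptables-style drop log lines: one source touching many distinct ports, or sending ICMP echo requests to many distinct hosts, within a short window. The log format, the window length and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed, simplified iptables-style log lines (not real captures).
SAMPLE_LOG = """\
2019-03-11T10:00:01 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=21
2019-03-11T10:00:01 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22
2019-03-11T10:00:01 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23
2019-03-11T10:00:02 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=25
2019-03-11T10:00:02 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=80
2019-03-11T10:00:02 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=443
2019-03-11T10:03:10 DROP SRC=192.0.2.33 DST=10.0.0.1 PROTO=ICMP TYPE=8
2019-03-11T10:03:10 DROP SRC=192.0.2.33 DST=10.0.0.2 PROTO=ICMP TYPE=8
2019-03-11T10:03:11 DROP SRC=192.0.2.33 DST=10.0.0.3 PROTO=ICMP TYPE=8
2019-03-11T10:03:11 DROP SRC=192.0.2.33 DST=10.0.0.4 PROTO=ICMP TYPE=8
2019-03-11T10:05:00 DROP SRC=203.0.113.4 DST=10.0.0.5 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: DPT=(?P<dpt>\d+))?(?: TYPE=(?P<type>\d+))?"
)

# Assumed tuning values; a real deployment sets these from observed baselines.
WINDOW_SECONDS = 10
PORT_THRESHOLD = 5    # distinct destination ports from one source within the window
HOST_THRESHOLD = 4    # distinct hosts receiving ICMP echo requests from one source


def parse(log_text: str) -> List[Dict]:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "t": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "dst": d["dst"],
            "dpt": int(d["dpt"]) if d["dpt"] else None,
            "echo": d["proto"] == "ICMP" and d["type"] == "8",   # ICMP echo request
        })
    return events


def detect(log_text: str) -> Set[Tuple[str, str]]:
    """Return (source, finding) pairs for sources whose activity inside any
    WINDOW_SECONDS window crosses the port-scan or ping-sweep threshold."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev["src"]].append(ev)

    findings = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        for i, end in enumerate(evs):
            # Sliding window ending at this event.
            window = [e for e in evs[: i + 1]
                      if (end["t"] - e["t"]).total_seconds() <= WINDOW_SECONDS]
            ports = {e["dpt"] for e in window if e["dpt"] is not None}
            hosts = {e["dst"] for e in window if e["echo"]}
            if len(ports) >= PORT_THRESHOLD:
                findings.add((src, "port scan"))
            if len(hosts) >= HOST_THRESHOLD:
                findings.add((src, "ping sweep"))
    return findings


if __name__ == "__main__":
    for src, kind in sorted(detect(SAMPLE_LOG)):
        print(f"{src}: {kind}")
```

On the constructed sample the first source is reported as a port scan, the second as a ping sweep, and the single drop from the third source produces nothing, which is the behaviour you want from a threshold rule: it reacts to the pattern, not to any one blocked packet.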