4.7 Given a scenario, troubleshoot and resolve common security issues - Paiet/Tech-Journal-for-Everything GitHub Wiki

4.7 Given a scenario, troubleshoot and resolve common security issues

  • Misconfigured firewall
    • Admin error in configuration
      • Allowing traffic that should be blocked
      • Blocking traffic that should be allowed
      • Blocking ALL traffic
        • Verify your protocols. Know your port numbers!
        • Check your rule order
          • Is there an implicit deny?
  • Open/closed ports
    • Make sure that there aren't any unused running services
      • Perform a port scan to see what ports are open
      • Disable all unused services and close any unused ports
        • Ports can be blocked using a firewall
  • Misconfigured ACLs/applications
    • ACL issues are similar to firewall problems
    • Untested/unhardened web applications
      • Accepting unvalidated input lets an attacker execute malicious code on the server
        • Cross-Site Scripting
        • SQL Injection
  • Malware
    • Infection usually occurs from email attachments and file sharing programs like BitTorrent
    • Install anti-virus software on all systems
      • Run scheduled scans and updates regularly
    • Implement a Network Access Control (NAC) system
  • Denial of service
    • Traffic spikes
    • Friendly/Unintentional DoS
    • DDoS
      • Amplified Attacks
      • Reflective Attacks
    • DDoS Mitigation Appliances
  • ICMP related issues
    • Ping of death
      • Attempts to overwhelm a system by sending it oversized packets at a rate it can't keep up with
        • Causes reboots or system hangs in some systems
        • sudo hping3 -c 1000000 -d 65550 -S -p 80 --flood
      • Most systems are patched against this attack
    • Unreachable default gateway
      • Attacker tricks a user's system into switching its default gateway to one under the attacker's control
      • Use SSL/TLS encryption throughout the session so that any captured data is unusable
  • Unpatched firmware/OSs
    • Leaves device open to attack as KNOWN exploits are not being corrected through patching
    • Have a regular update schedule in place
      • Patch critical and security issues ASAP!
  • Malicious users
    • Trusted
      • Cause accidental damage
      • Can be coerced into performing malicious acts by money, jealousy, or revenge against the company
      • To mitigate the fallout, make sure that users only have the privileges they need and no more
    • Untrusted users
      • Cause intentional damage
      • Usually very highly skilled
      • Multi-layered access approach can help
      • IDS/IPS alerts and careful auditing will also help
    • Packet sniffing
      • Attacker captures traffic from the network with specialized software and searches it for useful data
      • Cleartext is easily gathered (usernames/passwords)
      • Use encryption
  • Authentication issues
    • TACACS/RADIUS misconfigurations
      • Verify port numbers are properly configured
        • This applies to both client and server
      • Check for pre-shared key mismatch
      • Verify that the supplicant is in the proper RADIUS or TACACS+ server group
      • Verify the user is actually configured in the server (and configured properly)
    • Default passwords/settings
      • Default credentials are easily found through an internet search
      • Change default usernames/passwords immediately
      • Disable default accounts that aren't being used
  • Improper access/backdoor access
    • Allows access to a system without needing to use normal means of authentication
    • Backdoor programs/software
      • BO2K
      • Sub7
      • The Beast
    • Run up-to-date AV/AntiMalware
  • ARP issues
    • ARP Cache Poisoning
      • Man-in-the-Middle Attacks
    • ARP poisoning/spoofing detection
    • Static ARP entries in router
  • Banner grabbing/OUI
    • Used to gather information about a target computer for the purposes of finding weaknesses to exploit
    • Turn off any unused services and block unused ports
  • Domain/local group configurations
    • Make sure to disable or rename Local administrator accounts
      • Can be used to gain access to a system and then elevate privileges or use system as an attack base
  • Jamming
    • Wireless attack
    • Overwhelms the radio frequency that an AP is on by sending a much stronger signal effectively DoS'ing it
      • Can also be used during an Evil Twin attack
        • The attacker's AP has the same SSID as the legitimate AP, so victim clients connect to it
    • Might be possible to detect the jammer signal with a wireless analyzer and contact authorities
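The firewall rule-order checks from the "Misconfigured firewall" section above (first match wins, implicit deny at the end, a broad early rule shadowing a later specific one) as an added Python example; this is not code from the wiki, and the rule format and the constructed rulesets are assumptions made for the illustration.

```python
# Added example (not from the wiki): first-match firewall evaluation with an
# implicit deny, plus a check for rules that an earlier rule makes unreachable.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR, "0.0.0.0/0" = any source
    dport: Optional[int]   # destination port, None = any port

def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and rule.dport in (None, dport))

def evaluate(rules, proto, src, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    for idx, rule in enumerate(rules):
        if matches(rule, proto, src, dport):
            return rule.action, idx
    return "deny", None          # implicit deny: no rule matched

def shadowed_rules(rules):
    """Return (later_index, earlier_index) pairs where the earlier rule already
    covers everything the later rule could match, so the later rule never fires.
    A broad 'allow any' at the top (traffic allowed that should be blocked) and a
    'deny any' at the top (ALL traffic blocked) both show up here."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and earlier.dport in (None, later.dport)):
                found.append((j, i))
                break
    return found

# Constructed rulesets: the first has the rule-order bug (allow-any shadows the
# Telnet deny); the second puts the specific deny first.
MISORDERED = [Rule("allow", "any", "0.0.0.0/0", None),
              Rule("deny", "tcp", "0.0.0.0/0", 23),
              Rule("allow", "tcp", "0.0.0.0/0", 443)]
CORRECTED = [Rule("deny", "tcp", "0.0.0.0/0", 23),
             Rule("allow", "tcp", "0.0.0.0/0", 443),
             Rule("allow", "udp", "10.0.0.0/8", 53)]
```

Running `shadowed_rules(MISORDERED)` flags both later rules as unreachable, while `evaluate(CORRECTED, "udp", "203.0.113.5", 53)` shows the implicit deny catching DNS from outside the 10.0.0.0/8 range.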