19. Firewalls
We’ve talked about VoIP; let’s talk a little bit more about intrusion detection. We know that intrusion detection is basically surveillance cameras on your network, but it can be more than that. There are many, many intrusion detection tools. Some are free, some are paid, and some are highly sophisticated. The whole idea of intrusion detection is that you can’t monitor the network all the time. So I need devices that are out there, monitoring and logging all the traffic that goes by.
Remember, I had said before that for intrusion detection, I’d put my surveillance cameras, which are basically my sensors, in key locations around the network. I’ll put them right by the firewall, right by the VPN server, right by the servers, and right by the VoIP PBX. I’ll put it in all key locations—key entry and exit points—and put it right by wireless access points, basically, so I can monitor the important traffic. It’s just kind of like in a metropolitan area, where you’ll see that they’ll have cameras around key intersections on the city streets. You don’t put it in a neighborhood; you probably don’t put an ID where the less important but centrally important traffic is, such as some workstations. You probably don’t put an ID there unless you can afford to put it everywhere, but you put it in the key locations. Now we know that the sensors have been placed. These are basically little cameras that capture and log, and they’re controlled by a central console unless they’re individually configured.
But usually, it’s a central console that tells them what to look for, and you as an admin will configure what you want the IDs to look for. So these things are watching all the traffic as it goes by for signs of attack, and they’re logging it. And if it’s intrusion prevention, they are then reporting it. And possibly the console is telling the firewall to reconfigure itself to stop the traffic. But IDs don’t have to be just network-based. They can also be “host-based,” meaning that you can have network-based IDs where you place sensors around the network in key locations and they report to a central console. However, on individual servers, host-based IDs can be used to monitor what’s going on within the server. See, a network-based ID does not care what goes on inside a server. It doesn’t care if people are altering files, deleting things, or changing passwords. It doesn’t care or know about that. It cares about traffic out on the street, so to speak. A host-based ID doesn’t care that someone is scanning a server’s port. It matters that somebody just deleted a file, somebody just changed the operating system, somebody just changed a security policy in the operating system, and somebody just changed an administrator’s password.
That’s what a host-based ID does. So if you’re going to have a comprehensive intrusion detection system, you’ll have both network-based and, on key machines, host-based detection. And there are a whole bunch of products. Some are free, some are paid, and some are better than others. Some of them, when you install them, are pretty much impossible to take off. and that’s by design. So then you can look at the logs and see, okay, what’s been going on. Some host-based IDs forward their logs to another location, essentially putting them in a secure location. Even if the hacker compromises that one box, the log has already been moved to an unknown location. And even if you can figure it out, you can’t get to that server. That server won’t allow the connection. So you can have two approaches to intrusion detection, and as an assistant, you want to look and see, okay, what is intrusion detection? Intrusion prevention. Is it network-based or host-based? Both: what did you install the host based on?
Where did you put the sensors that are network-based, and where’s the console? And let me see your logs. So we’re monitoring what’s going on in traffic, and we’re monitoring what’s going on on key servers with intrusion detection. The next thing we’re going to talk about is different kinds of firewalls and firewall implementations.
20. Firewall Implementation
Okay, we’ve talked about what firewalls do in general. Let’s see the implementations. We have something called a “demilitarised zone,” which is taken from the idea that, like North and South Korea right now, there is sort of an area between their two borders called the “DMZ.” So the demilitarised zone, which is a semipublic network that is not fully trusted, is not totally internal, if not totally external. We also have a variant on that called a perimeter network. And we have a concept called “multi-homed” device servers. Sometimes you have a server in your own organisation that you make accessible to the public on the Internet. Like maybe you’re hosting a web server—you’re not hosting it on some third-party service, but you’re maintaining your own web server, your own VPN server, your own email server, your own DNS server, or whatever.
Sometimes you have servers that are exposed to the public network. They are usually hidden behind a firewall, but they are still exposed to the public network. And we allow people in the general public on the Internet to actually come through and make a connection because, hey, it’s the web server, and they need to see your website. There are some broad terms that are occasionally used to refer to these publicly accessible servers. One is a “screened host,” which is basically some server or computer that’s hiding behind a firewall. Another is a “bastion host,” and that’s basically anything that is connected to the public network. So if you see these terms, you’ll know that they basically refer to servers or computers that are exposed to the public on purpose. So here’s a diagram of a typical demilitarised zone (DMZ).
And I have the internal company land over here with various computers. And I have two firewalls. I’ll have an external firewall connected to the Internet and an internal firewall connected to the LAN. Now, this is a small little network right here that probably has one or two bastion hosts in it, like a web server and maybe a public DNS server and maybe a VPN server, maybe.Despite the fact that some VPN servers are completely outside and out on the Internet, their IP addresses are completely public. In the internal network, they are almost certainly private. And then in the DMZ, they could be public or private. And that totally depends on how you implement your DMZ. I believe they are frequently private these days, but they could still be public. I’ve seen implementations of both. So here’s a DMZ: two firewalls, external and internal. And people on the Internet, if they want to hack into the land, have to get past both.
And from an IS auditor’s perspective, we prefer to make the two firewalls be two different products. Because if you can break past one, you don’t just automatically break past the other. You have to have two different types of approaches. Here is a variant called a perimeter network, sometimes called a screen subnet. It’s basically one firewall. But, unlike the previous example, where one firewall only has two connections in the screen subnet or the perimeter network, one firewall has three or four connections, one to the Internet, one to the land, and one to the DMZ, the perimeter network, and the screen subnet. When we use the term “DMZ,” we tend to think of a two-firewall implementation. And when we talk about perimeter networks, we tend to think of a third interface coming off of that same firewall.
Obviously, in a perimeter network screen subnet kind of situation, you have a single firewall, which can be a single point of failure or a single security risk. But this is also a very common implementation as well. And the perimeter network can have either public or private addresses, with private addresses being the most common. And the web server or whatever bastion host is on there—whatever screened host is on there—is something that the public wants to get to. It’s the company website. So we have two implementations of our firewall: the DMZ and the perimeter. For maintaining your firewall, you need to generally review the logs. You need to start out by using the vendors’ best practises for configuring and locking down firewalls. Firewalls are locked down by default, but they still have default passwords, which you need to change, and they still have to be set up. So make sure that you review the logs and patch them if there is a need to do so. Vendors will occasionally put out patches for their products, and you should review the rule sets to make sure that the firewall rules have not been changed inappropriately. which means, of course, that you have to document what is appropriate. So here is a typical network all put together. This is actually a rather simple diagram in terms of a larger network.
Notice that I have the internal local area network (LAN) here, and I’ve got maybe a VoIP phone here, probably on their own switch or their own VLAN. I might have a PBX and a regular phone system as well. I’m in the middle of moving everything from the PBX down to VoIP. I’ll perhaps have a VPN server with its own little protection. Most VPN servers have sort of their own little firewall on their interface, but it bypasses the firewalls and sends people out on the internet tunnel to the VPN server, and they get into the land that way. I’ll set up a DMZ or a screen subnet or something with potentially publicly accessible servers, and people from the internet will connect to it. But the people on the Internet are never going past this point. They’re never going past the internal firewall. At the very least, we hope not. So, taking the things we’ve been discussing, a sort of typical network scenario, the next thing we’re going to talk about is taking network protection a step further with something called Nap or Network Access Protection.
21. Network Access Protection
We looked at firewalls; let’s look at another way of protecting the network. So many people are road warriors. They’re working on the road. They’re working from home; they’re telecommuters. How do we protect the network when those folks try to connect? There’s a framework called Network Access Protection. It’s not a single product. And most vendors—most of the big operating system vendors—have some way of implementing this.
But there’s a framework of many services that come together to protect the network. Usually, when remote connections try to come in, they have a lot of moving parts, but here are some of the parts that are involved. It starts with a central network access protection server, usually a server running a service on it. And so, like, for Microsoft Windows Server 2012, it’s the Network Protection and Access services. NPAs. But anyway, you’ve got this central server, this central NAP server. And the NAP server will have policies that govern when and how client computers can connect to it. Nap is now commonly used to force connecting client computers to prove their health. And the health is, for example, do you have the most recent antivirus update? Do you have at least this particular service pack and patch level?
Do you have your firewall set a certain way? Do you have at least these updates? Do you have the latest anti-spyware update? And the client tries to make a connection, like a wireless connection, which means now we’ve got somebody sitting in a lobby or even at their desk trying to make a wireless connection. But even though it’s a very short range, it’s still not directly connected to the land. It’s trying to connect with the land. Or we have someone who comes and plugs into a switch. I walked in with my laptop; I’m going to plug it into a switch or I’m VPNing across the Internet. I’m connecting to a VPN server. Or I’m dialling up using a dial-up modem because maybe there’s no Internet where I am. So I’m going to make a dial-up connection, and I can even do that across a cellular network.
So I dial up all of these enforcement points. These points of access basically put me on hold, and they go and ask the Central Network Access Protection Server. And typically, that server is also something called a “radius server.” Radius Server simply requires users or computers, usually users, to authenticate before allowing them to connect to the network. And these wireless access points, VPN servers, dial-up servers, even DHCP servers There are a variety of different implementations. Basically, ask, “Okay, what’s the policy?” And then the Nap server will say, “Okay, the policy is that the client that’s connecting has to have this, this, and this to prove its health. It’s got to have this patch, that antivirus, this firewall configuration, whatever it is.” And the request is sent to this client that’s trying to connect. Now the client will have a small service running on it with a small agent who takes the policy and says, “Oh, I’ve got to prove this.” And it will essentially generate something—a type of proof—which is then forwarded back to the Nap server. And the Nap server says, “Okay, yeah, let them on.” It usually uses the Radius protocol, but it can use other kinds of protocols.
So anyway, the Nap server and the Radius server have said to the WAP, the switch, the VPN server, and the dialup server, “Yeah, they’re okay; let them on.” Only then is that connection allowed to go past that point. You’ve seen something similar before, but not with your health. Whenever you’ve gone to a hotspot or a hotel and you make a connection, you can’t go anywhere until you open a browser and actually log on. That’s like a very simple implementation of radius. Nap takes Radius one step farther. Not only do you have to log on to either the computer or the user account, or both, but your computer also has to be certified. It has to prove that it has a certain level of health before it’s allowed to connect to the network. And the Nap server here can sometimes go and query a directory service server to authenticate the user. It’s similar to a Microsoft domain controller, an attack on X server, or another server that has the usernames, passwords, or authentications in this case.
It can also keep all of its logs on another server, which can be the same server or separate servers. And it can save all of its accounting logs so that we can see exactly who got on, what they did, what protocol they used, how long they were on, et cetera, et cetera. Very often, the authentication part and the accounting part are moved to other servers. They don’t have to be. They can all be on the same server as the Radius server. So this is the network access protection infrastructure. It takes a fair amount of work to actually implement, but larger organisations will implement it to protect them from all of the hundreds, thousands, or even millions of employees coming and going with hundreds or thousands of laptops and mobile devices attempting to connect either directly wirelessly, across the Internet, or via a dial-up connection. The next thing we’re going to talk about is something fun called a honeypot.
22. Honey Pot
Let’s move on to something called a “honey pot,” also known as a “honey net” in some circles. A honey pot is nothing more than a ruse. Have you ever been to a store that has its doors wide open? It’s open air, and it puts junky little things and tables out front.
So if someone’s going to steal something, they’re going to steal junk that nobody cares about. Honey Pot is basically a fake server, a decoy that will hopefully keep hackers busy enough that they’re busy hacking away at the decoy and not getting to the real network. Now the Honeypot can be a whole fake network, and there is an organisation called Honeynet.org. There’s a Honeynet Project where you can simply download a bootable DVD and it’ll act as if it’s the real thing. And hackers don’t know, so they’re happily busy hacking away at something that ultimately won’t mean anything. When we use honeypots and honeynets, we’re trying to distract hackers from the real deal. You may have heard of an organisation called Akamai. Akamai basically has mirrors all over the Internet. And when you download something from Microsoft or Amazon or whatever, you’re probably downloading it from Microsoft as well as a number of other organizations. When you download stuff, you’re probably downloading from Akamai mirrors. Akamai is aware of the physical location of all of its servers.
Akamai is a great example of having lots of Honey Pots.Also, if you do a port scan against an Akamai server, it’ll show all kinds of things open, and you go, “Ha.” You go in and try to hack them. You’ve just walked into a honey net or a honey pot, and you don’t even realise it. Many organisations will put up honey nets and honey pots just to try to protect their network and have a decoy out there. You have to be careful from an auditor’s perspective because you can log who’s connecting. But generally, you cannot use that information to harass anyone because it would be considered entrapment. But you can log it to see what’s going on, keep them busy, and just keep an eye on certain IP addresses or sources so that if they actually do make it to the real firewall, now you know to watch out for that one. So that’s the idea of the Honey Pot or Honeynet: attackers are lured to the Honeypot, which can log the attacks and detect them. It’s insecure, but it doesn’t really have or mean anything. Of course, you’ve got to be careful.
If you have a poorly implemented honeypot or honeynet that gets taken over, it could be used as a jumping-off point to stage an attack on the internal network. So we use “Honey Pots,” like I say, as yet another security mechanism on our network. We can have software-based honey pots.There are very simple, free ones on the Internet. We can have hardware-based ones. We can have more complex ones. We can have ones where you just boot a DVD, and it’s a Linux system that’s this fake thing. So we can have them, or you can have combinations of software and hardware, whatever works for your particular organization. As an IS auditor, if it’s a larger organization, I’m interested in knowing what honeypots you have. And usually the honeypots sit outside the firewall, where they seem to be completely vulnerable, or they might sit in the DMZ. So I’m interested in what kind of decoys the organisation is using to protect its network. The following topic will be a little more about portable and wireless devices, the protocols we’ll use, and the vulnerabilities of those devices.
23. Risks to Portable And Wireless Devices
We’ve talked a little bit about honey pots. Let’s talk now about the risks to portable and wireless devices. And we all know that there are laptops, tablets, smartphones, little cell phones, mobile phones, whatever, and PDAs; we don’t tend to use the term “PDA” much anymore, the personal digital assistant. But there are all kinds of their little, tiny laptops called netbooks and little tablets and notepads and whatever. All of these, because they are wireless, have their risks. So if we’re going to have wireless devices, we’ve got to have some controls in place.
And I’d like to know what your security policy is for wireless connectivity and security. Do you have one? What is your security policy regarding approving wireless devices, approving wireless networks, and approving people using this particular operating system on a smartphone as opposed to that particular operating system? And what have you done to lock down a Windows phone or an Android phone? And so with these devices, you need to make sure that they’re just approved and people aren’t just using whatever because now it’s just free for all the devices.
Also, because they’re small, they can easily be stolen. They need to be stored properly, and they need to be secured when not in use. Like laptops, they can have a physical lock that’s connected to the chassis and bolted down to a table, but otherwise you can easily have these little things stolen or lost. I mean, I was in a crowd one time, and someone picked my pocket and stole my phone right out of my pocket, and I had a very deep pocket, and I didn’t even notice. Or when I went into a courtroom, I saw a judge walk in with his laptop handcuffed to his hand until he sat down. So, I mean, you want to have a lot of security for these devices.
You’ll frequently have contract cleaning crews or other people who don’t directly work for you. You have to be careful because we’ve heard plenty of stories in the news about night shift janitors stealing a laptop, not realizing they just wanted the laptop so they could have it or sell it for a few hundred dollars or whatever. not realizing that it had maybe millions of dollars’ worth of information on it. not caring about that either. I mean, there have been a few high-profile cases of personally identifiable information being found on a stolen laptop. There are government agencies that I won’t name that will have to admit that in the course of a year they’ll have thousands of laptops stolen across the big agencies. So we really have to control the security of these things. We have to realise that there’s always a high risk of these things being stolen or broken. What do you do about the data that’s on them? And this is why we’re using things like BitLocker, where the whole drive is encrypted and you have to access it through a chip on the motherboard. What are you doing? in case it’s stolen, damaged, or whatever. I remember a high-profile story a few years ago about a vice president of a large organisation who sold his own old phone on eBay and forgot to wipe out secret merger information where they were about to acquire another company. Man, I wish I had bought that phone. That information would have been worth a whole lot.
Anyway, you have to have mechanisms to remotely wipe, like email systems. If people are picking up email on their phones through an email system like, say, Microsoft Exchange, there will be policies to be able to remotely wipe stolen devices or have the drives always encrypted because of the risk of theft or damage. So make sure that you have a wireless standards policy and that you have proper network security protocols that have been implemented for your wireless. So let’s talk about wireless. Wireless is just a radio wave, albeit one in the microwave band, and what we call “wireless” or “WiFi” actually uses an unlicensed spectrum. A part of the band is called the Industrial, Scientific, and Medical (ISM) band. It’s unlicensed, which means as long as you’re not transmitting with too much power, any baby monitor, garage door opener, cordless phone, and your wireless device are all sharing a common band, which means huge amounts of interference. Now, there are tonnes of free and paid tools out there that you can install on a laptop or a phone. Walk around and look for wireless access points, signals, or just noise if you’re just trying to set up a wireless access point. In the United States, we are allowed to use eleven channels.
They overlap each other’s channels, one through eleven. Some countries have 12, 13, and 14. So sometimes you’re looking for less noisy channels. Usually the ones on the far ends in the middle, like 1, 6, and 11, are the noisy ones. The ones sort of in the middle of those tend to be less noisy, so we can have performance issues. But this is a radio wave. Who knows who’s listening in? If you’re not using some form of encryption, we can just listen in and capture your whole transmission, reconstruct phone calls, reconstruct files that you send, and capture passwords and usernames. So you’ve got to realize that there are loads of security risks. Most users don’t realise that wireless can go quite a ways. It can go for miles with the right kind of antenna, and it’s not just confined to four walls. Wireless is typically intended for short-range connectivity, but it can be extended under the right conditions.
So we have the laptops and the mobile phones, but you can also, of course, have wireless routers and wireless switches. And wireless switches are routers that act as repeaters to get the wireless signal out into the patio, or out into the courtyard, or out onto the terrace, or out to another part of the building. So when we talk about wireless security, there are some security mechanisms, and that’s what you want to define in your wireless security policy. One of the simplest is to hide the service set identifier, or SSID. Now that’s like putting a two-foot fence around your perimeter. But basically, an SSID is the workgroup name of the wireless access point. So if you ever just look for hot spots you can connect to, you’ll see Linksys Bongo. at TWiFi, some airport name, some hotel name, the name of your department, whatever, and you make a connection.
That’s the SSID. And the presumption is that if we don’t transmit the name, because basically a wireless access point will send out what’s called a “beacon,” it will periodically transmit the name, saying “hi,” “I’m here,” and “my name is Slinksys,” come and connect to me. If we don’t allow it to send out the beacons, then you figure we can’t connect to it. Like I said, it’s a two-foot-high fence. Backtrack is one of many tools that can simply capture all wireless traffic off the air, and every wireless frame transmitted will have the SSID embedded in it anyway. So that’s not much of a security mechanism, and certainly don’t depend on it. The only thing we really can do is use good encryption. There are many types of encryption. There’s the old wired equivalent, privacy WebWEP, which was cracked a long time ago. There are plenty of tutorials that will take you by the hand, step by step, on how to crack a web key. You can crack a 128-bit web key in ten minutes in security classes. I demo it sometimes.
So that’s been replaced by something called the WPA, which basically addressed some of the weaknesses. WEP had no way of stamping each individual frame. It was a weak implementation of the RC4 algorithm. So it was easy. If you captured enough, it was easy to start guessing the key. So WPA started to address some of those weaknesses. Then WPA went on to be something called WPA Two. We have an enterprise version where, when you connect to the wireless, you actually have to authenticate to a Radius server before the wireless lets you on the network. That’s something we see all the time in high-traffic areas and places like airports and hotels. And there’s also WPA-2 personal. We don’t have a Radius server that does the authentication. Instead, we just use a little password-appreciation key. But we have all the strength otherwise of WPA Two. The problem with using the stronger ones is that not all wireless clients can support them.
These days, most wireless devices support WPA 2, but every once in a while, you’ll have to go down to something a little bit weaker, like Web. All of these, one way or another, ultimately because you’re transmitting radio, have their weaknesses. Like WPA. I can’t crack the encryption very effectively, but I can go through passwords in a dictionary attack or WPA too. If we are not careful about how we store the keys or how we store control over the radio server, they all have weaknesses. So we want to see the policy and how it was implemented, as well as how well it was implemented. Here’s a typical wireless network, which is actually very small, like a small office or home office network. You’ve got a wireless router or switch—probably a router. You can get only wireless switches; they may be linked to another switch. And you’ve got desktops.
Some desktops plug straight into the wireless router because most wireless routers have like a couple of switch ports in the back as well. Some of them will have an external switch, and you’ll have a whole bunch of desktops, printers, and whatever else plugged into it. Then, of course, this thing has antennas, one or two antennas, and you’ll have phones, laptops, tablets, and wireless devices connecting to it. This wireless router then connects to your cable modem, DSL modem, or whatever, and then that connects you to the internet. So a very classic sort of wireless network All of these have inherent risks and vulnerabilities. Default passwords, default usernames, not protected, not configured very carefully, unpatched applications, an operating system that has not been hardened and locked down, wireless connections that are not using stronger protocols or passwords So we have risks with all of those. The next thing we’re going to talk about is Bluetooth.
24. Bluetooth
Let’s talk about something that may seem a little bit abstract, but as an IS auditor, you need to know that it exists and you need to be familiar with the lingo. Networking is such a huge, vast, broad topic that it’s very easy to overlook certain things. There is a standardized model of the networking process that was created some time ago by the International Standard and its organization, the ISO, and it is called the OSI, or Open System Interconnect Model. The reason why you, as an IS auditor, need to know it is that, when you’re trying to be thorough, you’ll want to look at every stage in the networking process. And this model will help you focus on that.
And in fact, you’ll hear network engineers talk about it; I think it’s a layer-three problem. I think it’s a layer-two problem. Well, we’re now going to know what those layers are. The OSI model came about because the ISO was looking at networking products and back. Once upon a time, all networking products were proprietary. You had to buy a specific vendor’s hardware and software, and nothing worked together. And the ISO said, “Well, we’re a standards body.” Why don’t we figure out what they all have in common? Let’s come up with a common model so that if you’re a hardware vendor, you just focus kind of on one stage in networking and make sure that your part works with the other layers.
So they decided that networking really boils down to seven steps, and they laid them out, starting with step seven, or layer seven, at the top and going down to layer one at the bottom. You may need to know this in general for the CISA exam. At the very, very top is the application layer, layer seven. Now, what this is is that a user opens a browser or an email client, or they want to send a print job, or they want to connect to a file share. They want to do something on the network, and there’s an application that wants to get on the network. The application layer is kind of like a customer service counter, where that application can ask the operating system for network services, and the application will speak some kind of language in order to talk to the network. And so here’s where these seven layers of protocols come into play. HTTP, https, FTP, SMB, telnet, DNS, DHCP, SSH, FTPS, NFS, and CIFS are all network protocols. Cisco often refers to the application layer as the user interface because the user is so often allowed to interact at this level as well. The next layer down, layer six, is the presentation layer. And the presentation layer’s job is basically to let the two sides, like my client and your server, negotiate a common format for the data.
Have you ever been to a website and wanted to watch something, like a movie trailer, but you got a pop-up saying you needed the latest Adobe Flash plugin? Well, that’s the presentation layer, basically. One side was unable to get the other side to recognise that particular format. And so whoever wrote the application wrote something to warn the user, and they even hopefully provided a link. So you can just go get the plugin very easily at the presentation layer. That’s where we’re going to see levels of encryption, like 40 bit and 128 bit. That’s where we’re going to see SSL, and that’s where we’re going to see TLS. That’s where we’re going to see the compression and the codecs—all the media types. So is it a WMV? Is it an MP4? Is it an MP3? Is it a RM? Is it an MLV? Is it a TIFF? A GIF? A JPEG? A bitmap? These are negotiated to make sure both sides can understand them. What is the character set? ASCII ebbsdic Unicode So this is the sixth presentation layer, the fifth job layer, and the fifth session layer.
This is where we have the very, very first inkling of connecting to somebody with whom we haven’t connected yet. But we’re starting to have the first inkling because when I open a browser, my browser wants to go to a web server. Now, on my one box, I can have one IP address, but lots of different things are going on, and I can have like five browsers open. How do I distinguish five browsers on one IP address? Each browser gets a different port. All in all, the browsers go to a particular IP address on a web server that’s listening on port 80. However, my browser first listens for or uses port 1000 to identify itself. The next browser uses 1001, and the next one uses 1002. How many ports are there on any one box? Although we do not use all of them, there are 65 536 of them. And so, this is a 16-bit number that the operating system assigns to the application, whichever instance of the application is a port number, and it’s used to identify itself when it makes a connection. So I have an IP address and a port number.
And that’s how that web server works. I can have five browsers. That’s how that web server separates and distinguishes all five of my browsers. And this is how I, as a user, can have my browsers open. And I’m watching something on here, and this never starts showing up here because each browser has its own little port, and when I close the browser, the port’s given back to the OS. So we keep the separate conversations separate. It is true that there are other mechanisms, but in today’s day and age, ports are the most common mechanism that we use. Now, down to layer four. This is sort of a pivotal layer. The transport layer hides or abstracts the mechanical details of the network from the upper layers and from the application itself. The transport layer’s job is to actually establish the session between me and you.
And here is where we have TCP and UDP. And there are other protocols, but these are the two main ones. TCP actually has a handshake. How are you? I want to start a session. This is my starting number. What’s your starting number? Thank you very much. Thank you very much. Now let’s go. And then, when we’re done, we handshake. Goodbye. UDP just doesn’t bother the handshake. It just sends data. But this is where we actually have a session. In most cases, if we’re using TCP, we not only establish it, we have a handshake, and we have starting numbers. TCP, on the other hand, will take a large document, such as an entire movie, an email, a file, or whatever, and download an entire web page with graphics. It’ll take this big thing and chop it up into little pieces, manageable segments, and it’ll put a little sequence number on each of them.
Part of the handshake is to say, “My sequence number is this.” What’s your sequence number? And that’s how we start. And so, in this way, all the little pieces are numbered. And then it sends them and waits for an acknowledgement. And if we don’t get an acknowledgement, it’ll retransmit. So TCP establishes the connection. It manages the connection; it makes sure that all the little pieces get there; it resequences them and puts them back in order. And there are also fields in the TCP header that can basically say, “Hey, I can take more in one gulp or less.” So speed up, slow down, because this is my receive buffer and window size. So the transport layer’s job is to take data, break it up into manageable chunks, sequence it, start a session, manage that session, and finish that session.
But we might have all these little pieces, right? We have all these little pieces, but these little pieces don’t yet have any sort of address on them. They have TCP sequence numbers but no addresses. So the third layer, the “three network layer,” is where we really start to get down to the mechanics of networking. Each of these could have a different TCP sequence number, allowing the entire thing to be reassembled. However, layer three IP will assign an IP address to the source and destination. and all the little pieces will go. So layer three’s job is to add a logical address, an IP address, and choose the best route. We’re going to go this way or that way. And on the Internet, your route can change from time to time, depending on whether we get congested here. Okay, rerouting IP is the main protocol that we use these days at that layer. But it also has a friend called ICMP. And ICMP is basically the Internet control message protocol. It’s how routers talk to each other—oh, it expired in transit. I had to throw it away. It’s unreachable. Or even just a diagnostic echo request and echo reply, which we use in ping.
So we do all this sorting of addressing and routing at layer three. And naturally, on a hardware level, a router’s primary function is at layer three. also because routers are mostly focused on IP addresses and getting from one network to another. This now brings us down to layer two, the data link layer. And it actually is broken up into sublayers, but it’s beyond the scope of this class to get too deep into that. However, the data link layer’s job is to assign a physical address to a network. So, layer three: assign a logical address, such as an IP address. Layer two is now going to put on a physical address for that particular network segment—mac address, frame, relay, Delsi number, ATM circuit number, telephone number for PPP x 25, identifier—whatever the physical address for that network segment is. And it’s going to shape up the data, getting it ready for transmission on that particular type of media.
Then finally, down at the very bottom, layer one, the physical layer, is where we actually transmit ones and zeros. So it’s the speed, the duplex, the clockrate, the voltages, the waveforms—is it baseband, broadband connectors, cabling, wired, wireless, infrared, fibre optic? We’re basically sending ones and zeroes. And this is the whole networking process, as described by the OSI model. It’s useful to be aware of the existence of these layers so that when auditing, you can ensure that everyone has looked at every single layer, because every single layer here has the potential for vulnerability. Now you might ask, “Where does a firewall work?” Well, potentially on all layers, but generally, when we think of firewalls, we tend to think of layers three and up. Where does a proxy work? Well, it tends to work around the application layer because it’s mostly grabbing content. Where does a switch work? tends to work down at the data link layer because that’s where the Mac addresses are. How do we distinguish between a local-area network and a wide-area network?
Land and Wan are layer-two protocols. Where does a repeater or a network card work? Generally, we have a network interface card for one specific layer two protocol, such as an Ethernet nick or a wireless access point, that is, 800 and 211 that has the wireless access protocol. So anyway, this is the OSI model. TCP/IP, the Department of Defense’s model, now maps directly to the OSI model. In the TCP/IP DoD model, they basically lumped five, six, and seven together and simply called it “application.” Transport is transportation, although some folks call it “host to host.” Internet is the name for layer three, the network layer. Then they combined the two bottom ones and called it Network Interface, also known as Network Access. So we have these models, and they’re very, very useful when you’re trying to determine not only why something isn’t working but also make sure we have coverage for all aspects of networking. The last thing we’re going to talk about is data handling and classification.
25. OSI Networking
Bluetooth is a type of wireless that is similar to WiFi. And now they actually have two different IEEE standards. Wireless is something like 8211, a B GN.Bluetooth’s identifier is 8215. But the concept is extremely similar and operates in sort of the same band. Bluetooth, rather than having a little short-range image network that might go across a floor or across a building or across a parking lot or around a conference area or something like that, is meant to have a little, tiny network called a personal area network. And you’ve probably seen this symbol, the Bluetooth symbol, and you’ve probably seen a lot of these Bluetooth headsets. So someone will have a Bluetooth-enabled phone and a Bluetooth earpiece here, and they will walk around, and it can have a little microphone, the mic is here, or whatever. And the Bluetooth headset makes a constant Bluetooth connection to the phone. But Bluetooth is not limited to just headsets and phones.
You have Bluetooth keyboards, so the keyboard is completely wireless. You can have Bluetooth printers, Bluetooth car keys, and other remote control devices. It’s meant for a very short-range link, usually only within a room, and usually only like 1 meter, 3 meters, or possibly 10 meters. There are ways to extend it, but it’s a little beyond the scope of this class. So Bluetooth is meant to be very narrow. Just like wireless, it has all the same vulnerabilities due to its default configurations. Now, the whole premise behind Bluetooth is that when two Bluetooth-capable devices come into proximity with each other, they try to form an association automatically. Obviously, if you’ve ever used Bluetooth on a phone with your laptop, you have to say, “Yes, it’s okay to form an association,” but people try to do it. And if you don’t configure Bluetooth carefully, devices can automatically form associations. You don’t even realise it. And now I’m stealing stuff off of the device. I’m stealing data or I’m hacking into that device. I have noticed that there are some trends toward using Bluetooth in automobiles, and that’s fantastic. I’m concerned about all of the security risks that go with using Bluetooth or any other wireless in an automobile, getting into a car, getting into a home, or getting into a security system.
As a result, security is always a tug of war between convenience, functionality, and performance and security. And you have to find something in the middle—a balance in the middle. So the risks associated with portable and wireless devices are related to data emanation. And this isn’t just wireless or portable. My very monitor is giving off electromagnetic signals. It is possible under certain conditions to pick up those signals and recreate a screen. So in highly secure environments, they’ll put something called a “Faraday cage,” which is basically a cage of wires in the walls, in the ceiling, and on the floor so that emanations can’t get past that. That’s an extremely high-security environment, but also my wireless devices.
They’re transmitting on radio or microwave frequency, they’re retransmitting, and it’s possible to pickup the data that way. If it is a Bluetooth device, we could possibly hijack the session. So I have a connection between this device and that device, but some other device comes in and takes over my connection. Blue jacking is kind of like carjacking, but it’s called “blue jacking” or “blue snarfing.” I make an association in the background and start stealing contact lists and data off of it. There are many tools and tutorials available on the Internet that will allow you to do this automatically. And so there is a very common security risk. Or we’re breaking the encryption, the Web, or the Debian PA encryption. These are being cracked for wireless connections. Or maybe we’re connecting with data in plain text. or it’s stored on the device in plain text.
Then the device gets stolen. And now you can access the data there. The wireless devices and the phones themselves can get viruses, or we can have more classic hacking attacks. Buffer overflows occur when I write a piece of code for some part of an application and fail to put security boundaries around the input that comes in, allowing malicious input to enter. There’s a whole mechanism behind it, but basically it finds a way to put in more and more input until the service begins printing out its own code and now brings in malicious code, which now runs at that service’s privilege level. So I mean, even the mobile devices—certainly laptops—are going to be vulnerable to that. Of course, one thing we can do is provide wireless access. We can actually have SSL sessions over wireless just as easily as we can have SSL sessions and other kinds of encryption over a wired connection. But then, of course, we have to worry about that. We never required authentication, and the pin to associate one Bluetooth device with another was still left at the default 1234 or something like that.
Then there are rogue wireless access points, which are not necessarily malicious but are plugged in for convenience, and we’ll have to go around with something looking for wireless signal and try to find these unauthorised rogue access points. So these are all the risks associated with portable and wireless technology. And when you, as a CISA, are looking for this stuff, you want to see what the wireless, portable, and mobile security policy is and all the procedures you have in place, and then go and prove to yourself whether or not they’re effective. And we’ll prove it by scanning the network, scanning for wireless signals, scanning for Bluetooth, doing vulnerability scanning on all these devices, and trying to penetration test these devices, even the secured ones that are secured.Can we still break in? There are loads of tools that you can use for free or pay to do this, and you can hire services and people to do it.
And in your own Sisa team, you’ll probably have people who specialise in that, including yourself. And when we do penetration testing, we can either test something that we know very specifically or we can just blindly do what we call “black box” testing. Let me just see what I can discover. So you’re going to want to do all of these things when you’re trying to deal with network security. The last thing I want to share with you in this little section is something called the OSI model and the DoD model. It is a little bit arcane, but it is important to know it exists because it describes how networking is thought of both on a theoretical and practical level. And an IS auditor needs to know that information.
26. Managing Data
We spent a very long, very well spent, and worthwhile amount of time on networking concepts and networking vulnerabilities. We talked about OSI, wireless, Bluetooth, network devices, network security, and protocol. Of course, networking is all about data. So let’s talk about managing data, whether it’s on a network or not. First and foremost, consider data classification. Not all data is meant for all eyes, right? Alternatively, all ears. There are several different classification levels, and you may even have more. If you’re in the military, you’ll, of course, see others. You’ll see classified, secret, and top secret. But in the private sector, we tend to call things public, confidential, private, or sensitive.
The main thing is that it doesn’t really matter if we’re going to call this confidential or sensitive; the main thing is that there is some procedure in place for identifying what does constitute confidential or sensitive. Confidential information would generally be personally identifiable employee information, such as social security numbers, health information, salaries, and other information that not everyone should know. Sensitive is not so much personally identifiable as things that we really shouldn’t let the general public see, like sales figures or just internal operational stuff that’s really not meant for just everybody. And then you can have flat-out private, which can really refer to an individual. So while confidential, well, we might say that your salary will be confidential and your health information will be confidential. We can also have it just downright private, which is just for this individual. For example, when I was working around health clinics, only certain people, including the immediate health provider for that patient, were allowed to see that really private information, that health history.
There could be other confidential information that was not “exactly what dosages and what’s your diagnosis,” but that a health official could see. But if it’s really private and just specific to an individual, then it should only be viewable by the individual’s immediate healthcare provider and not some government official or a hospital administrator. So you have to determine now what the categorization and classification of your data are. If you’re in the military, you’ll also have things classified as “secret” and “top secret.” So, as an IS auditor, check to see if there is a policy that describes how to classify data and if it is being classified, and different types of data should be handled and stored differently. Some of it, for example, if it’s truly private, should be encrypted. If it’s confidential, it certainly should have access controls on it sensitive.
Maybe you don’t have so many access controls, but you make sure that nobody accidentally attaches a spreadsheet to an email and sends it outside of your organization. Whereas with “public,” that is meant to be viewed by the general public. Even so, you don’t want people tampering with it; you want it to still maintain its integrity, but you also want it to be completely viewable. So when we talk about these different classification levels, we see that there’s personal confidential, corporate confidential, sensitive, public, and client confidential. Like, maybe it’s information about a client or a customer, or it’s private, or it’s a trade secret. Just see what sorts of classifications are being used, how they’re being defined, and how they’re being protected. If it’s confidential, we’ll want to store it. We’ll want to store it carefully. We’ll make sure that the hard drives are protected if we take them out. antistatic bags, magnetic media. You want to stack it up; don’t lay it flat. Keep it away from anything that could inadvertently wipe it out, like fans or motors, and keep it in acid-free containers so that if it’s stored for a long period of time, nothing happens to it.
Floppy disks, which you may still have, but also any magnetic media that cannot be written on with, say, a pen. I mean, some people have taken really big sensitive floppies and written hard on them, and now you’ve damaged them. Use felt-tip pens, and that’s really true. It’s also too easy to damage CDs and DVDs; however, don’t gob them or expose them to anything for an extended period of time. And even long exposure to water—even though they’re kind of plastic-encased—can get in and destroy them. Of course, keep all of this stuff out of direct sunlight, excessive moisture, and dusty areas when transporting and storing confidential data. Try not to get liquid on them. Avoid magnetic fields and electronic devices such as monitors, speakers, fans, and motors that could generate a field. If it’s optical media, you don’t worry about that so much. But if it’s magnetic media, that’s a whole different thing. Try not to transport during a strong magnetic storm. Well, I mean, you need to protect it because it’s possible that you’ll have static and you’ll have lightning strikes or whatever. We just want to protect our media, especially if it’s magnetic, from any electromagnetic interference or force.
And then, of course, if the manufacturer has any recommendations for humidity, temperature, and ways of storing, you want to follow all those things. You must have a procedure in place for disposing of this waste. Typically, it’s shredding. I remember working in a financial firm, where they had special trash bins that were locked and meant specifically for shredding. And so anything, even if it wasn’t particularly confidential, if it was even the least bit sensitive, if it was just internal operational stuff, we threw it right in that bin, and it went straight to the shredder. So make sure that there are proper disposal procedures for printed stuff, magnetic media, hard drives, and other stuff too. There are organisations that will give away their computers to charity. But what do you do with all the data on the hard drive? Some of them simply won’t include hard drives. They’ll replace them. It’s good enough to degauss the hard drive for some of them. Some of them are so sensitive that the only thing they’ll do is destroy the hard drive to absolutely make sure that no one is getting that last little bit of magnetic imprint off that drive.
So how do we evaluate the confidential information process and procedure? The big thing is we want to see their documentation. How do you intend to treat this stuff, and does it comply with any legal, regulatory, or contractual requirement? We want to verify that they’re in compliance, and we want to make sure that they have a method for classifying data and that they are classifying the data, and that they’re handling classified data in different ways accordingly, storing it, transporting it, and protecting it. We want to make sure that media, of course, is labelled such that we know its classification, its creation date, and any other labeling. And we want to make sure that everybody knows how to handle this, that they have awareness, and that they’re not just carelessly leaving things around, because I really have seen people carelessly leave stuff around that was sensitive or confidential. They leave it waiting to be destroyed, and it’s sitting there by a stairwell out the back on the warehouse dock, or whatever. And that’s because somebody wasn’t trained well enough or just wasn’t following procedure. And with that, that is lesson six.
