Blue, Red, White, & Purple Teams explained

 Organization Security Exercise Types

An organization will use its own security people for training purposes to learn how to defend against an attack. There are a couple different scenarios that can be implemented. Pit a Red Team against a Blue Team, the other is to allow both teams to share information.

Red Team: This team acts as the aggressor, they will attempt to break into the network without sharing information with the Blue Team.

Blue Team: This team is the defensive team that attempts to detect and prevent any infiltration.

White Team: Sets the roles of engagements and monitors the exercise.

This team also will be the arbitrator and can stop the exercise at any point it becomes destructive.

Purple Team: In this type of exercise the Red and Blue teams share information and collaborate throughout the exercise. 

DNS Record Types to know for the exam

 DNS RECORD TYPES

Make sure you know the following DNA record types for this exam and how they are used:

A: host (IPv4). Maps the name to an IPv4 address.

AAAA: host (IPv6) Maps the name to an IPv6 address.

CNAME: (Canonical Name): Alias. Example: Sites that use www as the hostname of a webserver might call it something different internally such as Dallwebserver1.

MX: Mail Exchanger. This is used for an email server.

NS: Name Server. Provides a list of the authoritative DNS servers responsible for the domain that you are trying to query.

PTR: Pointer. This is a reverse record, it resolves IPv4 or IPv6 addresses to domain names.

SOA: Start of Authority. Keeps track of all of the DNS changes to help with replication.

TXT: Text. Stores descriptive information about the domain in a text format. 

SPF: Sender Policy Framework. This helps prevent spammers from sending emails from your domain, using the email addresses of your email servers. 

What is HSTS?

 HSTS

HSTS (HTTP Strict Transport Security)

This is enabled on the webserver. It is designed to prevent downgrade attacks such as SSL stripping and Man-in-the-Middle attacks. Even if the user enters HTTP into the URL the connection will either be blocked or if configured on the webserver it will automatically connect using HTTPS.

WIRELESS AUTHENTICATION METHODS

These authenticate the device only. These devices do not use TLS as this is only used with certificates. Do not use a username only a password (PSK).

 WEP (Wired Equivalent Privacy)

·       Built on RC4 – uses a 24-bit IV – PSK (Pre-Shared Key)

·       Prone to IV (Initialization Vector) attack

 

WPA (Wi-Fi Protected Access)

·       Built on RC4 – uses TKIP (Temporal Key Integrity Protocol)

·       Personal Mode (PSK) or Enterprise Mode (with RADIUS)

·       The PSK is prone to brute force attacks

 

WPA2 (Wi-Fi Protected Access 2)

·       Built on AES – uses CCMP

·       Personal Mode (PSK) or Enterprise Mode (with RADIUS)

·       The PSK is prone to brute force attacks

·       AES replaced RC4, CCMP replaced TKIP

 

WPA3 (Wi-Fi Protected Access 3)

• Built on GCMP-256 (Galois/Counter Mode Protocol)
• Replaces PSK with SAE (Simultaneous Authentication of Equals)

 

WPS (Wi-Fi Protected Setup)

• Connection normally used with a pushbutton
• If there is no push button, use the 8-digit PIN on the bottom of the AP
• Prone to a brute force attack, can be broken in less than 11,000 attempt
• Tools used for cracking WPS: Reaver, Wifite, Wash 

 

The following authenticate the user and require certificates. When using certificates you must use TLS.

 

Enterprise Mode / 802.1x Authentication

• Using this method requires a RADIUS server
• Authentication can be accomplished with a username & password, smart card, or token
• Authentication is used against an enterprise directory service / AAA server / RADIUS
• 802.1x requires a Supplicant, Authenticator, and Authentication server (AAA / RADIUS) 

 

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

• Certificates required on both the server and wireless device (Supplicant)
• Provides mutual authentication
• Authenticates the user – uses an enterprise directory service

 

EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)

• Certificate on the server only
• Authenticates the user - uses an enterprise directory service
• End-to-end protection of authentication credentials

 

PEAP (Protected Extensible Authentication Protocol)

• Certificate on the server only
• Uses TLS
• Authenticates the user – uses an enterprise directory service
• End-to-end protection of authentication credentials

 

The following authenticate the user and do not use certificates

 

LEAP (Lightweight Extensible Authentication Protocol)

• Does not require certificates
• Replaced with EAP-FAST

 

EAP-FAST (Flexible Authentication via Secure Tunneling)

• Does not use certificates
• Replaced LEAP

 

The following is RADIUS federation

 

Multiple organizations allow access to one another’s users

Uses the native 802.1x client (Supplicant)

Each organization has a RADIUS server and joins a mesh

Facebook Group for study help.

 CompTIA Exam Certification Study Group

 

I have started a Facebook group to help individuals pass the CompTIA exams; A+, Network+, Security+, and soon to come CySA+. Included will be explanations on different concepts. This will be a place for questions that they are unsure if the answers are correct and explanations. 

Below is the link to join the group. 

  https://www.facebook.com/groups/2411609635806164/?epa=SEARCH_BOX

Mission Essential Functions / Critical Systems

CRITICAL SYSTEMS AND FUNCTIONS

MTD (Maximum Tolerable Downtime): This is the longest period of time a business outage without this causing permanent business failure. Each organization will have its own MTD. 

RTO (Recovery Time Objective): This is the expected time it will take to get a system back online and functional. If the RTO exceeds the MTD, have a plan in place to move to an alternate site.

RPO (Recovery Point Objective): This the measure in a time of how much data the company is will to lose. IF the RPO is 4 hours, the backup must run every 4 hours, if the RPO is 12 hours, a backup must run every 12 hours.

KPI (Key Performance Indicators): This is a measurement of the reliability of an asset such as a server.

1. MTTF (Mean Time to Failure): This is normally an estimate of the expected lifetime of a product, estimated in thousands of hours.

2. MTBF (Mean Time Between Failures): This is the rating of a component/device that predicts the time between failures. This can be list in ten of thousands or thousands of hours. 

3. MTTR (Mean Time to Repair): This is the actual time it takes to get a system back online. People often confuse this with RTO which is the expected time, not the actual time to repair. This can also be referred to as "replace" or "recover". 

Media Sanitization Methods - Hard Drive / Paper

HARD DISKS

If the goal is for the media never to be reused, there are three methods (for mechanical drives, not solid-state)

1. One method is shredding. You would need to disassemble the drive and take the platters and run them through a shredder.

2. The other method is to use powerful magnets, this is typically done with a piece of specialized machinery that can be quite costly. If you had several dives, the degaussing method is the fastest of the two options.

3. Another method is to use pulverizing where a machine crushes the drive to destroy all components and the data is unrecoverable. 

If the plan is to repurpose the drives the best method is to employ a disk wiping/overwriting program. It is better to use a program that writes random patterns of ones and zeroes. There are specialized tools that can still recover data if all you use is the zero-filling approach. Wiping is also known as purging. 

Formatting will not help with wiping data. All it does is remove the reference to the data. 

Solid State Drives sometimes come with a built-in data sanitization tool. Degaussing will not work on SSD's. 

PAPER MEDIA

Best to use a cross-cut shredder. Some of these devices are rated down to the size of the cut it makes. 

Another method is that some high-security organizations will add water to the paper after it has been shredded. This displaces the ink. This is known as "Pulping."

You can also burn paper documents. We did this in the military. Since the information we had was considered Top Secret, we burned the paper in an incinerator that had a screen at the top to keep the ashes from floating off. Then we pulverized the ashes. 

Identity and Authentication Factors

IDENTITY

The first part of a login process is providing some form of identification, such as a username or email address. 

AUTHENTICATION FACTORS

Proves that the user is who they claim to be. Authentication credentials should be kept secret. This helps prevent unauthorized users from gaining access to confidential information. There are five authentication factors.

1. Something you know: Password, PIN, passphrase, security question answer, CAPTCHA, a PIN that was mailed to you.

2.  Something you have: CAC (Common Access Card), PIV (Personal Identity Verification), Smart Card, Digital Certificate (CAC, PIV, & Smart Card are all digital certificates), PIN or code sent to your cell phone, key fob or token (pic to the right)

3. Something you are: Fingerprint, iris scan, retina scan, facial scan, voice pattern, palm geometry.

4. Somewhere you are: IP address, MAC address, GPS location computer name.

5. Something you do: Signature analysis, signature dynamics, have the user sign their name, keyboard timing, keystroke dynamics, gait (the way you walk), finger swipe pattern.

Certificates - PKI (Public Key Infrastructure)

Types of Certificates

Self-signed: This type of certificate is owned by the server that signed it. They will be untrusted inside an organization until the certificate is imported into the machine attempting to access the server,

Root: Identifies the CA (Certificate Authority). There is no other authority higher than the root, therefore its certificate must be self-signed.

User: There are certificate templates for standard users, administrators, recovery agents, smart card logon, etc.

Email: These are used for digital signature and the encryption/decryption of emails. Emails can be referred to as messages or electronic messages.

Code-signing certificates: These are used with software/applications to validate the end-user the integrity of the product.

Domain Validation (DV): This proves the ownership for a domain. Not the most secure method as it is vulnerable to compromise.

Extended Validation (EV): A thorough check is required to validate the ownership of the domain. This is also the most trusted certificate. EV protects against phishing attacks. 

Subject Alternative Name (SAN): Some organizations own multiple domains and may choose to combine them into one certificate. 

google.com

google.ca

android.com

youtube.com

Above are just a few of the domains Google owns. These can be combined into one certificate, making this certificate a SAN. If the company adds another domain after the certificate has been issued, they will need to purchase a new certificate.

Below is another example of when you would use a SAN certificate. If the organization installed three different web servers and the certificate needed to match the hostname, it would need a SAN certificate.

sales.example.com

info.example.com

training.example.com

In this case, the hostnames for the above are as follows: "sales", "info", and "training". 

Wildcard: The Wildcard certificate will protect all first-level sub-domains as long as they belong to the same domain. This reduces the burden of an administrator have to account for a certificate for each sub-domain.

research.practice.com

marketing.practice.com

dallas.practice.com

chicago.practice.com

seattle.practice.com

The five above all belong to the same domain, so instead of five certificates, one could be purchased:

*.practice.com

X.509 Certificate: What you need to know

Hashed with SHA

Encrypted with RSA

The entity that issued the certificate

The entity that the certificate was issued to

The validity date: from and to

SSL/TLS Accelerator vs SSL Decryptor

SSL/TLS Accelerator

An SSL/TLS Accelerator is normally a plug-in card on the web server, can also be included in a load balancing appliance. The web server is busy heading out the proper web page to be displayed. In the mean-time, the accelerator handles the decryption and encryption for the TLS session. 

The accelerator does not inspect the traffic. 

SSL Decryptor

An SSL decryptor is sometimes called an inspector or interceptor. It is employed as some type of proxy to inspect encrypted traffic as it enters or leaves the network. 

This protects against someone trying to use encryption to exfiltrate data. The device is placed at the edge of the network. 

The decryptor can perform the following functions"

1. Block connections using a weak cipher suite. 

2. Prevent inspection of authorized traffic that is subject to privacy.

3. Prevent sessions that cannot be inspected.

Hashing Algorithms: MD5, SHA, RIPEMD, & HMAC

HASHING

Hashing is used to verify integrity, making sure the media has not been altered, changed, or modified by accidental or intentional means. Hashing can also be called a checksum or message digest. 

A hash is a one-way function that produces a fixed-length output. This output cannot be reversed to produce the original input. Hashing only alerts you to the fact that something has changed, in other words, it has lost its integrity.

Hashing is used for many reasons:
1. The most common and widely used methods are with passwords. When an individual login to the PC their password is hashed and matched against the hashes that are stored if it matches the user is authenticated.

2. Sometimes hashing is used to make sure financial records have not been changed. This process can be performed daily, weekly, or monthly. This is referred to as "file integrity monitoring."

3. File integrity monitoring can be used to check the hash value of image files. If the "hash value has changed" on website images, or other images being sent or stored at the organization, then the most likely explanation is someone is using "steganography" to hide stolen data.

4. Running a file integrity program to check configuration files on network devices to compare them to the previous week or months hashes to look for changes.

5. Vendors sometimes provide these for applications, patches, and updates to verify you received the entire download or that it has not been modified. You would need to run a hashing algorithm to see if the hash matches that on the website.

HASHING ALGORITHMS

MD5 - Message-Digest 5 uses a 128-bit has value. It is the fast of the hashing algorithms but has documented collisions. Despite being deprecated it is still one of the most widely used hashing programs.

SHA/SHA-1 - Secure Hash Algorithm. SHA was created to address the weaknesses of MD5. Both SHA and SHA-1 use a 160-bit digest. 

SHA-2 was created to address the problems with SHA-1. SHA-2 uses longer digests (256, 384, & 512).

RIPEMD - RACE Integrity Primitives Evaluation Message Digest. Produces performance and encryption strength similar to SHA-1.

HMAC - Hash-based Message Authentication Code is used to verify both the integrity and authenticity of a message. It combines a hash function and a secret key.