Index

A

AAA (authentication, authorization, accounting), 156-158

accounting, 157-158

authentication, 156-157

authorization, 157

RADIUS (Remote Authentication Dial-In User Service), 158-159

TACACS (Terminal Access Controller Access Control System), 159-160

acceptable encryption security policy, 46

Acceptable Use Policy, 46, 57-64

Conclusion section, 63-64

Enforcement section, 63

General Use and Ownership section, 58-59

Overview section, 57-58

Purpose section, 58

Scope section, 58

Security and Proprietary Ownership Information section, 59-60

Unacceptable Use section, 60-63

access

controlling, 128

hackers, 26-30

RBAC (role based access control), 128

access points, wireless networking

association, 319

rogue/unauthorized, 316-317

accounting, 157-158

ACLs

packet filtering, 131-136

grocery list analogy, 132-136

static, creating, 224

acquisition assessment policy, 47

Acrobat (Adobe), 34

Active Port Scan Results example, 18-19

Active reports (CORE IMPACT Pro), 384

Active X, attacks, 37

address filtering (MAC), wireless networking, 320-321

ad-hoc wireless networking, 306

administrative access, limiting, 111

Adobe software, attacks, 34

advisories (security), 86-98

Apple, 89

awareness, 88

Cisco, 89

incidents, responses, 90-91

Microsoft, 89-90

NIST security documents, 90

responding to, 87-98

roles, 91

AES (Advanced Encryption Standard), 172-173

aggressive mode (IKE), 274

Aircrack-ng, 327

alerts (security), 86-98

all-in-one firewalls, 204

analog/ISDN line security policy, 46

Analogy as a Standard Access List example, 134

anomaly detection, IDSs (intrusion detection systems), 337, 346-347

anti-establishment hacking, 3

antivirus process security policy, 47

antivirus software, attacks, 33

AnyConnect VPN Secure Mobility Solution, 295

AP deployment guidelines, wireless networking, 317-318

Apple, NSA (National Security Agency) Security Configuration Guides, 121

Apple security advisories, 89

application service providers (ASP) standards, 47

application-level protection, 144-147

applications, attacks, 27-28

ARP spoofing, 367-368

ASAs (Adaptive Security Appliances), VPNs (virtual private networks), 264

Attack Path reports (CORE IMPACT Pro), 384

attack patterns, IDSs (intrusion detection systems), 351

attack signatures, IDSs (intrusion detection systems), 351

attacks

Active X, 37

applications, 27-28

ARP spoofing, 367-368

automated, 27

back doors, 368-369

botnets, 36

brute force, 37

compressed files, 37

DDoS (Distributed Denial of Service), 36

vulnerability analysis, 365

DoS (Denial of Service), 36

preventing, 366-367

vulnerability analysis, 363

wireless networks, 315

firewalking, 369-370

fraggle, vulnerability analysis, 364

Heartland Payment Systems, 50

ICMP flood, 38

IP spoofing, 37

Java, 37

Land (C), 37

LAND (Local Area Network Denial), 369

misconfiguration, 28

MitM (man-in-the-middle), 367

operating systems, 27

origins, 32-33

packet analyzers, 363

packet sniffing, wireless networks, 313-314

phishing, 35

ping of death, 367

ping pong, 369

ping scans, 37

port scan, 36

process, 9-32

covering tracks, 31-32

enumeration, 23-26

escalating privilege, 30

footprinting, 11-17

gaining access, 26-30

reconnaissance, 9-11

scanning, 18-23

rogue access points, wireless networks, 316-317

scripted, 29-30

session hijacking, vulnerability analysis, 362-363

Smurf, 37

vulnerability analysis, 364

sniffing packets, 39

source routing, 37-38

SYN flood, 36

vulnerability analysis, 364-365

targeted, 27

teardrop, 37, 365

TJX Companies, 52

UDP flood, 36

unauthorized access points, wireless networking, 316-317

vulnerability analysis, 361-370

Xmas tree, 369

zero day, 36

attorneys, Internet, 51

audit vulnerability scanning, 47

authentication, 156-157

EAP (Extensible Authentication Protocol), 321-323

IPsec VPNs (virtual private networks), 268-269

multi-factor, 161-167

OSPF (Open Shortest Path First), 251-254

RADIUS (Remote Authentication Dial-In User Service), 158-159

two-factor, 161-167

authorization, 157

automated attacks, 27

automatically forwarded email, 47

awareness

security advisories, 88

users, 128

B

back doors, 368-369

backup software, 100

attacks, 34

bandwidth, as hacking target, 5

bandwidth availability, wireless networking, 307

best practices, 98-102

change control processes, 98

Cisco, 110-118

IOS, 110-111

passwords, 110-111

hotfixes, 101

security updates, 101-102

service packs, 101

Blade Runner, 85

Bluetooth device security, 47

botnets, 5, 36

Zeus, 31

branch design zone guides, 107

Broderick, Matthew, 307

browsers, attacks, 36

brute force attacks, 37

brute force guess passwords, 29

buffer memory overflows, 29

Business Case, Extranet Connection Policy, 75

C

campus design zone guides, 107-108

capturing passwords, 29

Carlin, George, 299

casing the joint. See footprinting

centralized sensor management, IDSs (intrusion detection systems), 336

CERT coordination center, 40

change control processes, 98

Childs, Terry, 53

choke points, edge routers, 220-224

choke routers, 221-224

CIS (Center for Internet Security), 40-41

Cisco

best practices, 110-118

IOS, 110-111

passwords, 110-111

ISE (Identity Services Engine), 166

NSA (National Security Agency) Security Configuration Guides, 119

Cisco AnyConnect VPN Secure Mobility Solution, 295

Cisco IOS Firewall IDS

FFS IDS, 230-234

intrusion detection, 229-234

Cisco SAFE 2.0, 106

Cisco Secure Consulting Services, 375

Cisco security advisories, 89

Cisco TrustSec, 164-167

Cisco Validated Design (CVD) program, 107-110

Cisco Web Reputation Filters, 155

client software, VPNs (virtual private networks), 264

client-based filtering, 149

clients (email), attacks, 34

Client-Side Penetration Test reports (CORE IMPACT Pro), 384

Client-Side User reports (CORE IMPACT Pro), 384

code listings

Active Port Scan Results (1-2), 18-19

Analogy as a Standard Access List (5-1), 134

Firewall with Self-Hosted Internal Web Server (7-2), 209-214

Query Via nbstat (1-5), 25

RADIUS Configuration (5-3), 159

Sample Cisco ASA Firewall Rules (7-1), 199

Secure IOS Template (8-1), 235-250

Standard Access List Filtering Packets (5-2), 135

TACACS Configuration (5-4), 160

Telnet to Mail Server, Doing Some Reconnaissance (1-3), 20-21

Using DNS for Passive Reconnaissance via dig Command (1-1), 13-14

Using nbtstat -c to Display NetBIOS Names (1-6), 25

Using Windows Net View (1-4), 24

commands, dig, 13-14

common security policies, 48-49

common vulnerabilities and exposures (CVE), 39-40

compressed files, attacks, 37

compromised confidential data, 196

Computer Crime and Intellectual Property website, 50

Conclusion section

Acceptable Use Policy, 63-64

Extranet Connection Policy, 76-77

Password Policy, 68-69

Virtual Private Network (VPN) Security Policy, 71

confidential data, compromised, 196

configuration

IPsec, 284-286

ISAKMP (Internet Security Association Key Management Protocol), 281-283

perimeter routers, 220

routers, as VPN peers, 281-286

VPNs (virtual private networks), 286-289

content filtering, 147-150

limitations, 150

controlling access, 128

CORE IMPACT, 30

CORE IMPACT Pro, 382-386

documentation, 386

reports, 384-385

vulnerability updates, 386

corporate policies, 53-57

coverage, wireless networking, 306-307

curiosity, hacking, 3

CVD (Cisco Validated Design) program, 107-110

CVE (common vulnerabilities and exposures), 39-40

cyberwarfare, 4

D

Data Center Design Center guides, 108-109

data integrity, IPsec VPNs (virtual private networks), 268-269

database credentials coding, 47

database software, attacks, 34

DDoS (Distributed Denial of Service) attacks, 36

vulnerability analysis, 365

deception systems, honeypots, 355

Definitions section, Wireless Communication Policy, 73

Definitions section (security policy), 56

delivering, security policies, 77-78

Delta reports (CORE IMPACT Pro), 385

Demilitarized Zone (DMZ), firewalls, 206-214

Denial of Service (DoS). See DoS (Denial of Service) attacks

deployment, VPNs (virtual private networks), 270-271

design concepts

controlling access, 128

incident response teams, 130-131

layered security, 128

monitoring, 129

RBAC (role based access control), 128

user awareness, 128

design strategies, honeypots, 356-357

detailed packet flow, SPI (Stateful Packet Inspection), 138-139

detection software, HIDS (host-based intrusion detection systems), 341

dial-in access policies, 47

Diffie-Hellman algorithm, IPsec, 279-280

dig command, DNS passive reconnaissance, 13-14

disaster recovery, 374

Distributed Denial of Service (DDoS) attacks. See DDoS (Distributed Denial of Service) attacks

DMZ (Demilitarized Zone), firewalls, 47, 206-214

DNS (Domain Name System) attacks, 35

passive reconnaissance, dig command, 13-14

documentation

CORE IMPACT Pro, 384-386

security scanners, 379

DoS (Denial of Service) attacks, 6, 36

IDSs (intrusion detection systems), 353

preventing, 366-367

vulnerability analysis, 363

wireless networking, 315

downstream liability, 195-196

downtime

backups, 100

networks, 196

dynamic NAT, 142

dynamic proxy firewalls, 145

E

EAP (Extensible Authentication Protocol), 321-323

EAP-PSK, 323

EAP-TLS, 322-323

EAP-TTLS, 323

eavesdropping, wireless networks, 313-314

echo reply (ICMP) attacks, 38

economic motivations, hacking, 4

edge routers

as a choke point, 220-224

configuring, 220

as a packet inspector, 220

Email and Communications Activities subsection, Acceptable Use Policy, 62-63

email clients, attacks, 34

E-mail Retention policy, 47

employee information, 6

encryption

AES (Advanced Encryption Standard), 172-173

Triple DES, 171-172

encryption modes, IPsec, 271-272

Enforcement section, 56

Acceptable Use Policy, 63

Password Policy, 68

Wireless Communication Policy, 73

enterprise firewalls, 204

enumeration, 23-26

escalating privilege, 30

Establishing Connectivity section, Extranet Connection Policy, 75

Ettercap, 29

event correlation, IDSs (intrusion detection systems), 336

examples

Active Port Scan Results (1-2), 18-19

Analogy as a Standard Access List (5-1), 134

Firewall with Self-Hosted Internal Web Server (7-2), 209-214

Query Via nbstat (1-5), 25

RADIUS Configuration (5-3), 159

Sample Cisco ASA Firewall Rules (7-1), 199

Secure IOS Template (8-1), 235-250

Standard Access List Filtering Packets (5-2), 135

TACACS Configuration (5-4), 160

Telnet to Mail Server, Doing Some Reconnaissance (1-3), 20-21

Using DNS for Passive Reconnaissance via dig Command (1-1), 13-14

Using nbtstat -c to Display NetBIOS Names (1-6), 25

Using Windows Net View (1-4), 24

excessive user rights, 34

Executive Summary reports (CORE IMPACT Pro), 385

Extensible Authentication Protocol (EAP), 321-323

external vulnerability analysis, 371-373

Extranet Connection Policy, 74-77

Business Case, 75

Conclusion section, 76-77

Establishing Connectivity section, 75

Modifying or Changing Connectivity and Access section, 76

Point of Contact (POC), 75

Purpose section, 74

Scope section, 74-75

Security Review, 75

Terminating Access section, 76

Third-Party Connection Agreement, 75

extranet VPNs, 262

extranets, security policies, 47

F

false negatives, IDSs (intrusion detection systems), 352

false positives, IDSs (intrusion detection systems), 336, 352

fame, hacking, 3

FFS IDS, 230-234

filtering

malware, 201

packets, 134-136

ACLs, 131-136

reactive, 154-155

traffic, 149

filtering network traffic, firewalls, 201

filters

Cisco Web Reputation, 155

content, 147-150

firewalking, 369-370

Firewall/ASAs, 115-118

Firewall with Self-Hosted Internal Web Server example, 209-214

firewalls, 193-194, 215, 219

all-in-one, 204

benefits, 195

Cisco IOS Firewall IDS, intrusion detection, 229-234

DMZ (Demilitarized Zone), 206-214

downstream liability, 195-196

enterprise, 204

filtering network traffic, 201

functions, 196-197

implementing, 203-205

inbound access policies, 205-206

limitations, 214-215

lost data, 196

operations, 200-206

outbound access policies, 206

personal, 203-204

proxies, 145

security policies, 200

security policy, 197-200

SPI (Stateful Packet Inspection), 139

VPNs (virtual private networks), 264

zone-based, routers, 224-229

FISMA Vulnerability Validation reports (CORE IMPACT Pro), 385

Flash (Adobe), attacks, 34

footprinting, 11-17

goals, 12-13

fraggle attacks, vulnerability analysis, 364

fragmentation, IDSs (intrusion detection systems), 353

freeware security scanners, 376-382

functionality, PPTP (Point-to-Point Tunneling Protocol), 177-178

G

General Network Access Requirements subsection, Wireless Communication Policy, 72-73

General Password Construction Guidelines, Password Policy, 66-67

General Policy section, Password Policy, 65-66

General Use and Ownership section, Acceptable Use Policy, 58-59

GFI LANGuard, 29

grocery list analogy, packet filtering via ACLs, 132-136

H

hackers, 1-2

hactivism, 4

script kiddies, 3, 6

stereotypes, 7

tasks, 26

hacking

attacks, process, 9-32

motivations, 3-4

targets, 2-3

choice, 7-8

opportunity, 4-7

hacking tools, wireless, 325-329

hactivism, 4

Hammersley, Ben, 308

hard drive space, as hacking target, 5

Hawking, Stephen, 331

HaXor, 359

header condition signatures, NIDS (network-based intrusion systems), 342

Health Insurance Portability and Accountability Act (HIPAA) of 1996, 50, 81

Heartland Payment Systems, attack on, 50

helpdesk, forewarning, 100

HIDS (host-based intrusion detection systems), 337-341

detection software, 341

versus NIDS, 350-351

HIPAA (Health Insurance Portability and Accountability Act) of 1996, 50, 81

History section (security policy), 56

Home Wireless Device Requirements subsection, Wireless Communication Policy, 73

honeypots, 331-333, 354-357

deception systems, 355

design strategies, 356-357

limitations, 357

multideception systems, 356

port monitoring, 355

production, 355

research, 355

Host reports (CORE IMPACT Pro), 385

host unreachable (ICMP) attacks, 38

host-based IDSs (intrusion detection systems), 337-341

hotfixes, 97

best practices, 101

uninstalling, 99

I

ICMP flood attacks, 38

identity theft, 4

IDSs (intrusion detection systems), 331-333, 335-346. See also HIDS (host-based intrusion detection systems); NIDS (network-based intrusion systems)

anomaly detection, 337, 346-347

attack patterns, 351

attack signatures, 351

centralized sensor management, 336

combining methods, 347

DoS (Denial of Service) attacks, 353

elimination of false positives, 336

event correlation, 336

fragmentation, 353

host-based, 337-341

intrusion prevention, 347-348

limitations, 350-353

NBA (network behavior analysis), 338-339

network-based, 338-339, 341-343

origins, 335

pattern detection, 346

products, 348-350

signature detection, 346

signatures, 336

matching, 337

standards-based implementation, 336

stateful protocol analysis, 347

thresholds, 336

wireless, 338-339, 343-344

IEEE 802.1x, 162-164

IKE (Internet Key Exchange), VPNs (virtual private networks), 274-275

IM (instant messaging), attacks, 34

implementation, firewalls, 203-205

implementing, VPNs (virtual private networks), 264-265

inbound access policies, firewalls, 205-206

inbound telnet, limiting access, 112-113

incident response teams, 130-131

incidents, defining, 92

industry best practices, 98-102

change control processes, 98

industry standards, security policies, 79-82

Information Asset Sensitivity, 48

Information System Audit Logging, 48

Information Technology Law (IT Law), 51

infrastructure, wireless networking, 305

Inge, William Ralph, 359

inline wiretap, NIDS (network-based intrusion systems), 341

instant messaging, attacks, 34

intercepting data, wireless networks, 313-314

Internal Lab security, 48

internal vulnerability assessment, 370-371

Internet lawyers, 51

Internet Security Association Key Management Protocol (ISAKMP), 272-273

configuring, 281-283

Internet Storm Center, 41

Internet usage policies, 48

intrusion detection, 331-345. See also IDSs (intrusion detection systems)

Cisco IOS Firewall IDS, 229-234

IDSs (intrusion detection systems), 331-333, 336-339, 345-346

methods, 345-353

signature detection, 346

NBA (network behavior analysis), 344-345

wireless, 343-344

intrusion detection systems (IDSs). See IDSs (intrusion detection systems), 347-348

IOS best practices, Cisco, 110-111

IP spoofing, 37, 362-363

IPsec, 276-280

configuring, 282-286

Diffie-Hellman algorithm, 279-280

encryption modes, 271-272

IKE Phase 1, 277-278

IKE Phase 2, 278

PFS (perfect forward secrecy), 278-279

protocols, 272-273

SAs (security associations), 275-276

transforms, 284-285

tunneling data, 269-270

VPNs (virtual private networks), 257-259, 265-267, 271-273

authentication, 268-269

configuring routers, 281-286

data integrity, 268-269

IKE (Internet Key Exchange), 274-275

security considerations, 293-295

versus SSL VPNs, 290-293

zone-based policy firewalls, 224-225

ISAKMP (Internet Security Association Key Management Protocol), 272-273

configuring, 281-283

preshared keys, 282

ISE (Identity Services Engine), 166

ISO certification, 77-79

ISO/IEC 27002 information security standard, 78-79

IT professionals, arrogance, 2-3

J-K

Java, attacks, 37

Jones, Matt, 308

keystroke loggers, 31

L

L2TP (Layer 2 Tunneling Protocol), 179-182

Lab and Isolated Wireless Device Requirements subsection, Wireless Communication Policy, 72

Land (C) attacks, 37

LAND (Local Area Network Denial) attacks, 369

LANs (local area networks), 301-304

LAND (Local Area Network Denial), 369

WLANs (wireless LANs), 301-304

benefits, 303

radio frequency, 303-304

standard characteristics, 301-302

Wi-Fi (Wireless Fidelity), 302-303

large ICMP packet attacks, 38

lawyers, Internet, 51

Layer 2 Tunneling Protocol (L2TP), 179-182

layered security, 128

VPNs (virtual private networks), 270-271

LEAP (Lightweight Extensible Authentication Protocol), 321-322

legal precedences, 50-51

Lightweight Extensible Authentication Protocol (LEAP), 322

limitations, honeypots, 357

line access controls, limiting, 111

long-term states, IDSs (intrusion detection systems), 352

loose route attacks, 38

lost data, firewalls, 196

M

MAC address filtering, 320-321

main mode (IKE), 274

malicious web pages, 147

malware, filtering, 201

man-in-the-middle attacks, 367

Massachusetts 201: Standards for the Protection of Personal Information of Residents of the Commonwealth, 81-82

matching signatures, IDSs (intrusion detection systems), 337

MD5 (Message Digest 5) algorithm, 173-175

MD5 route authentication, OSPF (Open Shortest Path First), 253-254

media players, attacks, 33

Message Digest 5 algorithm, 173-175

Metasploit Framework, 376

Metasploit Pro, 30

Microsoft, security, 121-125

Microsoft KB Articles, 98

Microsoft security bulletins, 89-90

Microsoft Security Compliance Manager, 124-125

Microsoft Windows, NSA (National Security Agency) Security Configuration Guides, 119-121

misconfiguration attacks, 28

MitM (man-in-the-middle) attacks, 367

modes of operation, wireless networking, 305-306

Modifying or Changing Connectivity and Access section, Extranet Connection Policy, 76

motivations, hacking, 3-4

multideception systems, honeypots, 356

multi-factor authentication, 161-167

N

NAC (Network Access Control), 162-164

NAT (Network Address Translation), 140-144, 205-206

dynamic, 142

limitations, 143-144

overloading, 142

static, 142

National Institute of Standards and Technology (NIST), 258

National Vulnerability Database (NVD), 41

NBA (network behavior analysis), 338-339, 344-345

nbstat command, 25

neighbor authentication, OSPF (Open Shortest Path First), 252

Nessus, 29, 377

Netcat, 31

NetStumbler, 325-326

Network Access Control (NAC), 162-164

Network Address Translation (NAT). See NAT (Network Address Translation)

network security organizations, 39-42

network security standards, 105

Cisco SAFE 2.0, 106

CVD (Cisco Validated Design) program, 107-110

network traffic, filtering, firewalls, 201

network-based IDSs (intrusion detection systems), 338-339, 341-343

networks, downtime, 196

NIDS (network-based intrusion systems), 338-339, 341-343

header condition signatures, 342

versus HIDS, 350-351

inline wiretap, 341

port mirroring, 342

port signatures, 342

string signatures, 342

NIST (National Institute of Standards and Technology), 258

NIST security documents, 90

NMAP (Network Mapper), 29, 376-377

NSA (National Security Agency) Security Configuration Guides, 118-121

Apple, 121

Cisco Systems, 119

Microsoft Windows, 119-121

NVD (National Vulnerability Database), 41

O

office firewalls, 204

office software, attacks, 34

OmniPeek, 327-329

operating systems, attacks, 27

operations, SSH (Secure Shell), 186-187

organizations, responsibilities and expectations, 50-53

origins, attacks, 32-33

OSPF (Open Shortest Path First)

authentication, 251-254

MD5 route authentication, 253-254

plaintext route authentication, 253

outbound access policies, firewalls, 206

outbound telnet, limiting access, 112-113

overloading NAT, 142

Overview section, 56

Acceptable Use Policy, 57-58

Password Policy, 64

P

P2P (peer-to-peer), attacks, 35

packet analyzers, 363

packet filtering

ACLs, 131-136

grocery list analogy, 132-136

Layer 3, 131

limitations, 136

packet filters, placement, 135

packet flow, proxies, 144

packet inspector, edge routers, 220

packet sniffers, wireless, 326-327

packet sniffing, wireless, 313-314

packets

sniffing, 39

SPI (Stateful Packet Inspection), 136-140

parameter problem on datagram (ICMP) attacks, 38

Password Policy, 64-69

Conclusion section, 68-69

Enforcement section, 68

General Password Construction Guidelines, 66-67

General Policy section, 65-66

Overview section, 64

Password Protection Standards, 67-68

Purpose section, 64

Scope section, 64-65

Password Protection Standards, Password Policy, 67-68

passwords

brute force guess, 29

capturing, 29

policies, 48

securing, 110-111

try and sniff, 29

PAT (Port Address Translation), 142

patches, uninstalling, 99

pattern detection, IDSs (intrusion detection systems), 346

pattern evasion, IDSs (intrusion detection systems), 353

Payment Card Industry Data Security Standard (PCI DSS), 80

PCI DSS (Payment Card Industry Data Security Standard), 80

PCI Vulnerability Validation reports (CORE IMPACT Pro), 385

peer-to-peer (P2P), attacks, 35

penetration assessment, 370-373

penetration testing, 370-375

perfect forward secrecy (PFS), IPsec, 278-279

perimeter routers, configuring, 220

personal communication devices, policies, 48

personal employee information, as hacking target, 6

personal firewalls, 203-204

PFS (perfect forward secrecy), IPsec, 278-279

phishing, 35

spear phishing, 35

vishing, 35

whaling, 35

physical security assessment, 373-374

ping of death, 367

ping pong attacks, 369

ping scans, 37

PKI (Public Key Infrastructure) encryption, 150-152

plaintext route authentication, OSPF (Open Shortest Path First), 253

Point of Contact (POC), Extranet Connection Policy, 75

Point-to-Point Tunneling Protocol (PPTP), 177-179

policies (security), 45-49

Acceptable Use Policy, 46, 57-64

Conclusion section, 63-64

Enforcement section, 63

General Use and Ownership section, 58-59

Overview section, 57-58

Purpose section, 58

Scope section, 58

Security and Proprietary Ownership Information section, 59-60

Unacceptable Use section, 60-63

common, 48-49

corporate, 53-57

Definitions section, 56

delivering, 77-78

Enforcement section, 56

Extranet Connection Policy, 74-77

Business Case, 75

Conclusion section, 76-77

Establishing Connectivity section, 75

Modifying or Changing Connectivity and Access section, 76

Point of Contact (POC), 75

Purpose section, 74

Scope section, 74-75

Security Review, 75

Terminating Access section, 76

Third-Party Connection Agreement, 75

firewalls, 197-200

History section, 56

industry standards, 79-82

ISO certification, 77-79

Microsoft, 121-124

Overview section, 56

Password Policy, 64-69

Conclusion section, 68-69

Enforcement section, 68

General Password Construction Guidelines, 66-67

General Policy section, 65-66

Overview section, 64

Password Protection Standards, 67-68

Purpose section, 64

Scope section, 64-65

Policy section, 56

Purpose section, 56

RBAC (role based access control), 55

relevant, 54

Revision section, 56

samples, 79

Scope section, 56

SLAs (service-level agreements), 45

Virtual Private Network (VPN) Security Policy, 31, 69-71

Conclusion section, 71

Policy section, 70-71

Purpose section, 69

Scope section, 69

Wireless Communication Policy, 71-74

Definitions section, 73

Enforcement section, 73

Policy Statement, 72-73

Revision History, 73

Scope section, 72

Policy section

Virtual Private Network (VPN) Security Policy, 70-71

Policy Statement, Wireless Communication Policy, 72-73

port forwarding, SSH (Secure Shell), 187-188

port mirroring, NIDS (network-based intrusion systems), 342

port monitoring, honeypots, 355

port scan attacks, 36

port signatures, NIDS (network-based intrusion systems), 342

PPTP (Point-to-Point Tunneling Protocol), 177-179

functionality, 177-178

limitations, 178-179

preshared keys, ISAKMP (Internet Security Association Key Management Protocol), 282

privileges, escalating, 30

procedural risk assessment, 374

procedures, 85-86

establishing, 94

processes, 85-86, 102-103

attacks, 9-32

covering tracks, 31-32

enumeration, 23-26

escalating privilege, 30

footprinting, 11-17

gaining access, 26-30

reconnaissance, 9-11

scanning, 18-23

change control, 98

production honeypots, 355

protocols

authentication, EAP (Extensible Authentication Protocol), 321-323

IPsec, 272-273

Message Digest 5 algorithm, 173-175

routing, security, 251-254

security, 169-171, 192

AES (Advanced Encryption Standard), 172-173

L2TP (Layer 2 Tunneling Protocol), 179-182

PPTP (Point-to-Point Tunneling Protocol), 177-179

SHA (Secure Hash Algorithm), 175-177

SNMP v3 (Simple Network Management Protocol Version 3), 188-191

SSH (Secure Shell), 182-188

Triple DES, 171-172

proxies, 144-147

firewalls, 145

limitations, 146-147

packet flow, 144

Public Key Infrastructure (PKI) encryption, 150-152

public libraries, content filtering, 147

Purpose section, 56

Acceptable Use Policy, 58

Extranet Connection Policy, 74

Password Policy, 64

Virtual Private Network (VPN) Security Policy, 69

Q-R

Qoncert, 375

Query Via nbstat example, 25

radio frequency, 303-304

RADIUS (Remote Authentication Dial-In User Service), 158-159

versus TACACS, 160

RADIUS Configuration example, 159

RBAC (role based access control), 28, 55, 128

reactive filtering, 154-155

Reader (Adobe), attacks, 34

Reagan, Ronald, 127

reconnaissance, 9-11

goals, 12-13

record route attacks, 37

redirect (ICMP) attacks, 38

relevant security policies, 54

remote access policies, 48

remote access VPNs, 259-261

removable media

attacks, 35

policies, 48

reporting, security scanners, 379

reports, CORE IMPACT Pro, 384-385

reputation-based security, 152-156

research honeypots, 355

resource limitations, IDSs (intrusion detection systems), 352

responding to security advisories, 87-98

awareness, 88

responsibilities and expectations, organizations, 50-53

Retina version 5.11.10, 380

Revision History, Wireless Communication Policy, 73

Revision section (security policy), 56

risk assessment, 48

risks, common, 33-36

rogue access points, wireless networks, 316-317

role based access control (RBAC), 28, 55, 128

roles, establishing, 91

routers, 217-220, 254-255

configuring, IPsec VPNs (virtual private networks), 281-286

edge

as a choke point, 220-224

as a packet inspector, 220

perimeter, configuring, 220

policies, 49

VPNs (virtual private networks), 264

zone-based firewalls, 224-229

routing protocols, security, OSPF (Open Shortest Path First), 251-252

S

SAFE (Cisco) 2.0, 106

SAINT scanner, 29, 377

Sample Cisco ASA Firewall Rules, 199

SANS (SysAdmin, Audit, Network, Security) Institute, 40

Sarbanes-Oxley Act of 2002, 80-81

SAs (security associations)

IPsec, 275-276

VPNs (virtual private networks), 273

SAS (Statement on Auditing Standards) series, 82

SATAN, 29

scanning, 18-23

scanners (security), 375-382

documentation, 379

reporting, 379

scan and detection accuracy, 378

vulnerability updates, 379-380

scheduled downtime, backups, 100

Scope section, 56

Acceptable Use Policy, 58

Extranet Connection Policy, 74-75

Password Policy, 64-65

Virtual Private Network (VPN) Security Policy, 69

Wireless Communication Policy, 72

SCORE, 41

script kiddies, 3, 6

script source route attacks, 38

scripted attacks, 29-30

Secure Consulting Services (Cisco), 375

Secure Hash Algorithm (SHA), 175-177

Secure IOS template, 234-250

Secure Shell (SSH). See SSH (Secure Shell)

security

advisories, 86-98

Apple, 89

awareness, 88

Cisco, 89

incidents, responses, 90-91

Microsoft, 89-90

NIST security documents, 90

responding to, 87-98

roles, 91

alerts, 86-98

Microsoft, 121-125

wireless networking, 329-330

Security and Proprietary Ownership Information section, Acceptable Use Policy, 59-60

security assessments, 370-375

security associations (SAs)

IPsec, 275-276

VPNs (virtual private networks), 273

Security Compliance Manager (Microsoft), 124-125

Security Configuration Guides (NSA), 118-121

Apple, 121

Cisco Systems, 119

Microsoft Windows, 119-121

security design zone guides, 109-110

security patches, uninstalling, 99

security policies, 45-49

Acceptable Use Policy, 46, 57-64

Conclusion section, 63-64

Enforcement section, 63

General Use and Ownership section, 58-59

Overview section, 57-58

Purpose section, 58

Scope section, 58

Security and Proprietary Ownership Information section, 59-60

Unacceptable Use section, 60-63

common, 48-49

corporate, 53-57

Definitions section, 56

delivering, 77-78

Enforcement section, 56

Extranet Connection Policy, 74-77

Business Case, 75

Conclusion section, 76-77

Establishing Connectivity section, 75

Modifying or Changing Connectivity and Access section, 76

Point of Contact (POC), 75

Purpose section, 74

Scope section, 74-75

Security Review, 75

Terminating Access section, 76

Third-Party Connection Agreement, 75

firewalls, 197-200

History section, 56

industry standards, 79-82

ISO certification, 77-79

Microsoft, 121-124

Overview section, 56

Password Policy, 64-69

Conclusion section, 68-69

Enforcement section, 68

General Password Construction Guidelines, 66-67

General Policy section, 65-66

Overview section, 64

Password Protection Standards, 67-68

Purpose section, 64

Scope section, 64-65

Policy section, 56

Purpose section, 56

RBAC (role based access control), 55

relevant, 54

Revision section, 56

samples, 79

Scope section, 56

SLAs (service-level agreements), 45

Virtual Private Network (VPN) Security Policy, 31, 69-71

Conclusion section, 71

Policy section, 70-71

Purpose section, 69

Scope section, 69

Wireless Communication Policy, 71-74

Definitions section, 73

Enforcement section, 73

Policy Statement, 72-73

Revision History, 73

Scope section, 72

security protocols, 169-171, 192

AES (Advanced Encryption Standard), 172-173

L2TP (Layer 2 Tunneling Protocol), 179-182

Message Digest 5 algorithm, 173-175

PPTP (Point-to-Point Tunneling Protocol), 177-179

SHA (Secure Hash Algorithm), 175-177

SNMP v3 (Simple Network Management Protocol Version 3), 188-191

SSH (Secure Shell), 182-188

Triple DES, 171-172

Security Review, Extranet Connection Policy, 75

security scanners, 375-382

documentation, 379

reporting, 379

scan and detection accuracy, 378

vulnerability updates, 379-380

security updates, 97

applying, 99

best practices, 101-102

SecurityFocus, 42

sensor blindness, IDSs (intrusion detection systems), 352

server-based filtering, 149

servers

as hacking targets, 5

policies, 49

service packs, 97

best practices, 101

keeping up with, 100

uninstalling, 99

Service Set Identifier (SSID). See SSID (Service Set Identifier)

service-level agreements (SLAs), 45

session hijacking, 362-363

session timeouts, establishing, 113

SHA (Secure Hash Algorithm), 175-177

signature detection, IDSs (intrusion detection systems), 346

signatures

IDSs (intrusion detection systems), 336

matching, 337

site-to-site VPNs, 258, 261-262

SLAs (service-level agreements), 45

small-to-medium office firewalls, 204

Smurf attacks, 37

vulnerability analysis, 364

sniffing packets, 39

wireless networks, 313-314

SNMP v3 (Simple Network Management Protocol Version 3), 188-191

Snort IDS/IPS, 348-350

social messaging, 34

source quench (ICMP) attacks, 38

source routing attacks, 37-38

spam, content filtering, 147

spamming, warspamming, 311-312

spear phishing, 35

SPI (Stateful Packet Inspection), 136-140

detailed packet flow, 138-139

firewalls, 139

limitations, 139-140

split tunneling, VPNs (virtual private networks), 265

SSH (Secure Shell), 182-188

limitations, 188

operation, 186-187

port forwarding, 187-188

versus Telnet, 184-185

tunneling, 187-188

SSID (Service Set Identifier), 310

wireless networks, 318

SSL (Secure Sockets Layer)

attacks, 35

VPNs (virtual private networks), 290-293

security considerations, 293-295

Standard Access List Filtering Packets example, 135

standard proxy firewalls, 145

Stateful Packet Inspection (SPI). See SPI (Stateful Packet Inspection)

stateful protocol analysis, IDSs (intrusion detection systems), 347

Statement on Auditing Standards (SAS) 70 series, 82

static ACLs, creating, 224

static NAT (Network Address Translation), 142

stereotypes, hackers, 7

storage limitations, IDSs (intrusion detection systems), 352

string signatures, NIDS (network-based intrusion systems), 342

switches, policies, 49

SYN flood attacks, 36

vulnerability analysis, 364-365

System and Network Activities subsection, Acceptable Use Policy, 61-62

System Message Logging (syslog), 229

T

TACACS (Terminal Access Control Access Control System), 159-160

versus RADIUS, 160

TACACS Configuration example, 160

TACACS+, 112

targets, hacking, 2-3, 27

choice, 7-8

opportunity, 4-7

TCP wrappers, 341

teardrop attacks, 37, 365

Telnet, 20-21, 184-185

versus SSH (Secure Shell), 184-185

Telnet to Mail Server, Doing Some Reconnaissance example, 20-21

telnetting, 22

templates, Secure IOS, 234-250

Terminating Access section, Extranet Connection Policy, 76

testing, 99

Third-Party Connection Agreement, Extranet Connection Policy, 75

threat agents, 86

threats. See also attacks

common, 33-36

DoS (Denial of Service), wireless networks, 315

packet sniffing, wireless networking, 313-314

rogue access points, wireless networks, 316-317

unauthorized access points, wireless networks, 316-317

vulnerability analysis, 361-370

wireless networking, 312-321

thresholds, IDSs (intrusion detection systems), 336

time exceed for a datagram (ICMP) attacks, 38

timeouts, establishing, 113

TJX Companies, attack on, 52

traffic filtering, 149

transforms, IPsec, 284-285

Transport mode (IPsec), 272

trapdoors, 368-369

Trend reports (CORE IMPACT Pro), 385

Triple DES encryption, 171-172

Trojan horses, 147

TrustSec (Cisco), 164-167

try and sniff passwords, 29

Tunnel mode (IPsec), 271

tunneling, SSH (Secure Shell), 187-188

tunneling data, IPsec VPNs (virtual private networks), 269-270

Twain, Mark, 193

two-factor authentication, 161-167

U

UDP flood attacks, 36

Unacceptable Use section, Acceptable Use Policy, 60-63

uninstalling service packs, 99

University of East Anglia, hacking scandal, 4

updates (security), 97

applying, 99

URL-filtering, 154

user awareness education, 54-55

user rights, excessive, 34

users, awareness, 128

Using DNS for Passive Reconnaissance via dig Command example, 13-14

Using nbtstat -c to Display NetBIOS Names example, 25

Using Windows Net View example, 24

V

Virtual Private Network (VPN) Security Policy, 31, 69-71

Conclusion section, 71

Policy section, 70-71

Purpose section, 69

Scope section, 69

viruses, 147

vishing, 35

VNC (Virtual Network Computing), 31

vos Savant, Marlene, 45

VPN (Virtual Private Network) Security Policy. See Virtual Private Network (VPN) Security Policy

VPN peers, routers, configuring, 281-286

VPNs (virtual private networks), 261-265, 296

ASAs (Adaptive Security Appliances), 264

benefits, 263-264

client software, 264

configuring, firewalls, 286-289

deployment, 270-271

extranet, 262

firewalls, 264

goals, 263-264

implementation strategies, 264-265

IPsec VPNs (virtual private networks), 257-259, 265-267

authentication, 268-269

data integrity, 268-269

encryption modes, 271-272

IKE (Internet Key Exchange), 274-275

tunneling data, 269-270

layered security, 270-271

remote access, 259-261

routers, 264

SAs (security associations), 273

security policies, 49

site-to-site, 258-262

split tunneling, 265

SSL (Secure Sockets Layer), 289-290

vulnerability analysis, 361-370

ARP spoofing, 367-368

back doors, 368-369

common, 33-36

CORE IMPACT Pro, 382-386

DDoS (Distributed Denial of Service) attacks, 365

disaster recovery, 374

DoS (Denial of Service) attacks, 363

external vulnerability, 371-373

firewalking, 369-370

fraggle attacks, 364

information handling security assessment, 375

internal vulnerability, 370-371

IP spoofing, 362-363

LAND (Local Area Network Denial), 369

MitM (man-in-the-middle), 367

packet analyzers, 363

penetration assessment, 370-371

penetration testing, 370-375

physical security assessment, 373-374

ping of death, 367

ping pong attacks, 369

procedural risk assessment, 374

security assessments, 370-375

security scanners, 375-382

session hijacking, 362-363

Smurf attacks, 364

SYN flood attacks, 364-365

teardrop attacks, 365

Xmas tree attacks, 369

Vulnerability reports (CORE IMPACT Pro), 385

vulnerability scanners, 375-382

scan and detection accuracy, 378

vulnerability updates, CORE IMPACT Pro, 386

W

WAN design zone guides, 107

WAP (wireless access points), 304

warchalking, wireless networking, 307-309

wardriving, wireless networking, 309-311

WarGames, 307-308

warspamming, 311-312

warspying, 312

Web Application Vulnerability reports (CORE IMPACT Pro), 385

web browsers, attacks, 36

WEP (Wired Equivalent Privacy), 319-320

whaling (phishing), 35

whois tool, 16

Wi-Fi (Wireless Fidelity), 302-303

Wiki-Leak, 4

Windows, enumerating, 24-26

Windows 7, security policies, 122-123

Windows Server 2003, security policies, 122

Windows Server 2008, security policies, 123

Windows XP Professional, security policies, 122

Wired Equivalent Privacy (WEP), wireless networks, 319-320

wireless access point (WAP), 304

Wireless Communication Policy, 71-74

Definitions section, 73

Enforcement section, 73

Policy Statement, 72-73

Revision History, 73

Scope section, 72

wireless hacking tools, 325-329

wireless IDSs (intrusion detection systems), 338-339, 343-344

wireless networking

access points, association, 319

ad-hoc, 306

AP deployment guidelines, 317-318

bandwidth availability, 307

coverage, 306-307

device associations, 319

EAP (Extensible Authentication Protocol), 321-323

infrastructure, 305

MAC address filtering, 320-321

modes of operation, 305-306

security, 304-307, 323-324, 329-330

SSID (Service Set Identifier), 318

threats, 312-321

DoS (Denial of Service) attacks, 315

packet sniffing, 313-314

rogue/unauthorized access points, 316-317

warchalking, 307-309

wardriving, 309-311

warspamming, 311-312

warspying, 312

WEP (Wired Equivalent Privacy), 319-320

wireless hacking tools, 325-329

wireless packet sniffers, 326-327

Wireless Penetration Test reports (CORE IMPACT Pro), 385

wireless security, 299-300

wireless networking, 304-307

threats, 312-321

WLANs (wireless LANs), 301-304

Wireshark, 329

WLANs (wireless LANs), 301-304

benefits, 303

radio frequency, 303-304

standard characteristics, 301-302

Wi-Fi (Wireless Fidelity), 302-303

World Trade Organization (WTO), denial of service attack, 4

X

Xmas tree attacks, 369

Z

zero day attacks, 36

Zeus botnet, 31

ZFW (zone-based firewalls), 224-229
