Wednesday, June 30, 2021

Cyber Security | Active Directory Security Assessment

Active Directory Security Assessment

Active Directory is the backbone of the Windows servers in an organization. It stores all the data related to accounts, and it stores that data as objects. An object is a single element, such as a user, group, application, or device; the directory categorizes objects by name and attributes.

Organizations often face the challenge of properly maintaining configurations and keeping up to date with security improvements in Active Directory. A poorly configured AD policy can expose the environment to potential threats, and a single misconfiguration can also be critical to security. Many Windows security subsystems are integrated with it, and many of them can be used to secure it.

There is a series of repetitive tasks that can be considered to continually improve the basic security posture and respond to variations in threats, knowledge, infrastructure and requirements.

A security assessment has three basic phases:

  1. Gather data, on site or remotely.
  2. Analyze the results.
  3. Complete the assessment and provide recommendations.

The Active Directory assessment focuses on several parameters, such as:

  • Site Topology and Subnets
  • Operational processes
  • Active Directory Replication
  • Domain Controller Health
  • Active Directory Database
  • Account Information
  • OS Information and Networking
  • Infrastructure design and defense, Security boundary
  • SYSVOL and Group Policy Health
  • Name Resolution (DNS)
  • File and registry permissions
  • Administrative roles and structure

The following checklist may help organizations assess and maintain the security of their Active Directory deployments:

  • Ensure that the logical (forest, domain and trust-relationship) structure of your Active Directory is conceptually secure.
  • Ensure that all Active Directory configuration data (e.g. Schema, Replication, FSMOs, Backups) is sound and secure.
  • Ensure that adequate Active Directory management, security and disaster-recovery plans are in place and implemented.
  • Ensure that adequate physical, system and network security is provided for all Domain Controllers.
  • Ensure that the number of IT personnel who possess unrestricted administrative access in Active Directory is minimal.
  • Ensure that all non-critical administrative tasks (e.g. password resets) are delegated based on the principle of least privilege.
  • Ensure that IT personnel can audit all administrative delegations (i.e. assess and verify effective access) in Active Directory.
  • Ensure that auditing mechanisms are in place to capture the enactment of all admin and delegated tasks in Active Directory.
  • Ensure that all applications and tools used by IT personnel are trustworthy (i.e. verifiably safe, reputable and secure).
  • Ensure that security and effective-access audits are performed on a regular basis to consistently ensure security.

- DR




Communication Instruments, Equipment and Testers

Instruments, Equipment and Testers

In this post I am going to describe a few instruments and pieces of equipment used for testing the network and connectivity during the implementation phase. As we know, Ethernet and fibre optic are the primary cable media for communication, and sometimes we need to check the connectivity to ensure our network is OK to function.

Below is a brief note on a few of them.

Ethernet Tester

The Ethernet tester is often known as an RJ45 cable tester, UTP wire tester, CAT6/CAT7 tester, LAN tester, wire continuity tester etc. It automatically runs all tests and checks for continuity and for open, shorted and crossed wire pairs.

It verifies that the wiring is correct and the connector is fitted well.

 

Ethernet Cable Tester

Network PoE Tester

Similar to the Ethernet tester, the network PoE tester is used for testing LAN cable, but additionally it tests the PoE of the Ethernet cable. It performs a continuity test of the Ethernet cables, identifies the PoE type and measures the PoE performance. The PoE tester consists of a transmitter/main unit and a remote unit.

Basic features include:

  • Continuity test
  • Cable test
  • Voltage measurement
  • Detection of the PoE standard
  • PoE power measurement
  • LCD with graphics menu

 
Network PoE Tester

OTDR: Optical Time-Domain Reflectometer

It is an opto-electronic device used to detect problems on fibre links and to check the health of signal communication through the fibre. The latest OTDRs are used for FTTx testing with PON networks, fibre troubleshooting etc. The test distance range starts from 100 m and 500 m and goes through 2, 5, 10, 20, 40, 80 and 120 km, up to 160 km.

OTDR

3C Splicing Machine

An optical fiber splicing machine, or fusion splicer, is deployed for the fusion and protection of optical fiber cables. Fusion splicing is the best way to join two fibers together using heat. Whether the fiber is broken or simply not long enough, a fusion splicer makes the job easier. Splicing fiber optic cable is considered a fairly simple procedure: the prepared fiber ends are placed in the splicer, aligned automatically and then fused together. This method ensures greater reliability, with less light being scattered or reflected back by the splice. If done correctly, the splice itself should be as strong as the original optical fiber.

Splicing Machine

Optical spectrum analyzer

An Optical Spectrum Analyzer (OSA) is an instrument designed to measure and display the distribution of power of an optical source over a specified wavelength range. The OSA trace displays power on the vertical scale and wavelength on the horizontal scale. It operates in bands such as the C band and the L band.

Applications: transceiver testing and verification, wavelength and power testing.

Optical Spectrum Analyzer


Optical Power Meter

An optical power meter (OPM) is used to measure the power in an optical signal or optical cable. It consists of a sensor, an amplifier and a display. It is a type of handheld equipment used for testing together with an optical light source (OLS) or a Visual Fault Locator (VFL). Some instruments have self-calibration, real-time display of power, high sensitivity and high accuracy. It is used to check power loss in optical fibre. Similarly, a GPON power meter is a device used to check speed on FTTx and other parameters.

Optical Power Meter


PON Power Meter

Optical Light Source

In fiber optics technology, a light source (laser, LED, etc.) is used to emit electromagnetic radiation in order to check for faults, breaks and microbends, characterize link loss or certify LANs/WANs. As recommended by ITU-T G.983.3, light sources are also used to test PON networks at three different wavelengths (1310/1490/1550 nm). It is a handheld device that offers continuous measurement of fibre optic light, loss and quality in the field.

Optical Light Source

Optical Variable Attenuator

An optical variable attenuator is a compact and portable instrument widely used in fiber link certification and routine maintenance as well as in lab environments.

OVA



** All images sourced from Google.com

-DR

Tuesday, June 29, 2021

Utility Tools for Work, Practice and Learn. | Part-1

Utility Tools | Part -1

Earlier, engineers and technical people depended on command line activity only. Nowadays, tools and software have evolved enormously, and GUI interfaces have made them more user friendly than ever. We all work in IT systems, networking systems, the server domain or the cloud domain, and we all know some basic tools used for our day to day job activity, whether it is to log in to a device, communicate with it, monitor the network, generate a report, practice what we have learned or do lab training. There are many tools available, paid as well as open source. Some tools come by default from the OEM for device health monitoring. The source code of many open-source tools is now available on GitHub, so a developer who wants to add a new feature or release a patch for a particular software package can do so. In the early 19's there were technical magazines on the market with bundles of tools on CD/DVD for free; after the rise of the Internet and eBooks, hardcopy magazines gradually became rare. So let's discuss a few of the tools for day to day use.

Note:

You should always download software from an authorized site only. Do not trust images, links or advertisements from unknown sources. Software should not be pirated.

Let's discuss the basic tools and working techniques.

CMD:

CMD, or the Command Line, is the first default Windows tool to start with. Through the command line one can check the IP address, host name and OS version, ping other devices on the network, format a disk, create a directory, check a disk, trace a route, shut down the system etc.

By default, typing CMD in the search bar in Windows 10 takes you to the command console; alternatively, you can type CMD in the Run program to reach the console. In my earlier post I provided some Windows CMD commands.

PuTTY:

PuTTY is an SSH and Telnet client, also known as a terminal emulator and serial console application, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source code and is developed and supported by a group of volunteers. It supports many connection types, such as SSH, Telnet, TCP/IP etc.

Through PuTTY you can log in to your switch or router console. You can read your device configuration, edit it, check your interfaces, perform loopback tests etc.

In the initial configuration it has many options for logging in, such as host name, port number, connection type etc.

Ping Master

Ping Master is a Windows-based, GUI ping utility. It offers customizable packet sizes, timeout length and number of ping attempts. You can ping as many TCP/IP addresses as you want.

Ping Sweep 

The SolarWinds Ping Sweep tool performs a ping on a list or range of IP addresses. The information returned by this utility gives you insight into the devices on your network and the performance of DHCP and DNS servers, as well as reporting on the transfer speeds to all network nodes. Its key features include network auto-discovery, live status reports, performance alerts etc.

Site 24X7 (Paid tool)

Site24x7 is a cloud-based service that monitors IT infrastructure, cloud applications and website performance, covering user behavior, application performance, server monitoring, real-time monitoring, network mapping, health dashboards, VoIP monitoring, sensor monitoring etc.

Nmap

Nmap is an open source tool that provides system information and is used by most network administrators. It uses raw IP packets to determine the following parameters of a network:

  • Hosts available on the network (open or closed)
  • Services, application name and version
  • Operating System and version
  • Information on IP protocols
  • Information on reverse DNS, device type and MAC address.

The output of an Nmap scan is the port table: it lists the port number and protocol, the service name and the state (such as open, closed, filtered, open|filtered or closed|filtered).
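As an added example (not code from the original post), the following parses the port table described above from Nmap's normal output and flags open ports that are not on an assumed baseline of expected services; the scan text is constructed, not a real scan.

```python
"""Parse an Nmap port table and flag open ports outside an allow-list.
The sample scan output and the allow-list are constructed for this example."""
import re

# One port-table row: "<port>/<proto>  <state>  <service>  [<version>]".
# The state column may carry Nmap's combined states such as open|filtered.
PORT_ROW = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)

def parse_port_table(text):
    """Return one dict per port row; lines that are not port rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "state": m["state"],
            "service": m["service"],
            "version": m["version"] or "",
        })
    return rows

def unexpected_open_ports(rows, allowed):
    """Rows in state 'open' whose (port, proto) is not in the allowed set."""
    return [r for r in rows
            if r["state"] == "open" and (r["port"], r["proto"]) not in allowed]

def count_by_state(rows):
    """Number of rows per state, e.g. {'open': 3, 'filtered': 1}."""
    counts = {}
    for r in rows:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts

# Constructed sample output in Nmap's normal format (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for fileserver.example.local (10.0.0.20)
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE      VERSION
22/tcp   open          ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp   open          http         Apache httpd 2.4.41
139/tcp  filtered      netbios-ssn
445/tcp  open          microsoft-ds
161/udp  open|filtered snmp
MAC Address: 00:11:22:33:44:55 (Constructed)
"""

# Assumed baseline of services that are expected to be exposed on this host.
ALLOWED = {(22, "tcp"), (80, "tcp")}

if __name__ == "__main__":
    rows = parse_port_table(SAMPLE_SCAN)
    print(count_by_state(rows))
    for r in unexpected_open_ports(rows, ALLOWED):
        print(f"unexpected open port: {r['port']}/{r['proto']} ({r['service']})")
```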

HTTP Tunnel

A tunneling protocol is a communications protocol that allows for the movement of data from one network to another.

HTTPTunnel is tunneling software that can tunnel network connections through restrictive HTTP proxies using pure HTTP GET and POST requests.

Sometimes client machines are shielded by a firewall that does not allow you to connect to the server directly on the specified port. If the firewall allows HTTP connections, you can use dotConnect for MySQL together with HTTP tunneling software to connect to the MySQL server.

There are many tunnels available. The main idea of such software is that it creates a bidirectional virtual data connection tunneled in HTTP requests. It accepts requests on some port, say 8080, decodes the data and forwards it to some other host and port. Thus you can communicate with any server via HTTP traffic, which is usually allowed.

IP Messenger

IP Messenger is an application for chatting inside your local area network. It allows users to stay in contact with different clients on your network. The app is based on TCP/IP (UDP). You can even send data from one host to another through this app. It is free to use and does not require a server. It is easy to use, has a pop-up style and detects all the systems on a network automatically.

Packet Tracer

Everyone must be aware of Packet Tracer. It is Cisco's proprietary network simulation tool, useful for CCNA, CCNP and CCNA Security practitioners. It is free to use and provides a realistic simulation and visualization learning environment. It enables multi-user, real-time collaboration and competition for dynamic learning. Presently version 8.0 is available, in which you can test a network controller similar to a real-world SDN controller.

Networx

NetWorx is a simple and powerful tool that helps measure your network bandwidth consumption. With it, you can collect bandwidth usage data and measure the speed of your Internet or any other network connection. It can help you identify possible sources of network problems and ensure that you do not exceed the bandwidth limits specified by your ISP.

  • Clear graphic and/or numeric display.
  • Usage reports, exportable to a variety of file formats.
  • Close supervision of uploads and downloads.
  • Support of cable modems, ADSL, WiFi cards, and more.
  • Network information and testing tools with advanced netstat that displays applications using your Internet connection.
  • Options to notify the user or automatically disconnect from the Internet when the network activity exceeds a certain level.
  • Speed meter for testing Internet connection speed.
  • Connection Monitor for regular connection status checks.

OpenVPN

OpenVPN is a virtual private network tool that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. Nowadays OpenVPN also supports IoT communications. It is an open source tool that can be implemented in both client and server applications. It uses the OpenSSL library to provide encryption of both the data and control channels; OpenSSL does all the encryption and authentication work.

It provides secure access for remote employees to corporate resources and public cloud networks, enforces zero trust access and helps with cyber threat protection and content filtering.

SNMP Scan

SNMP scanning is the process of using the Simple Network Management Protocol (SNMP) to collect critical data about the status of devices on a network. SNMP polling helps users gather information about the managed devices on their network, and they can use this information to modify and regulate network settings and activity.

It is very helpful for discovering and mapping devices. It helps detect the network topology and create maps that visually display network performance metrics. This allows users to view and update the physical and logical relationships between network devices such as routers, switches and servers.

Netflow traffic analyzer

A NetFlow traffic analyzer is another tool used for bandwidth monitoring. It can help with application traffic alerting and network traffic analysis. It provides clear visibility: you can monitor your network, discover traffic patterns and avoid bandwidth hogs with NetFlow Traffic Analyzer (NTA) and User Device Tracker NetFlow solutions.

Other features include faster troubleshooting, increased efficiency and greater visibility into malicious traffic flows in the network.

VirtualBox

Oracle VM VirtualBox is a free and open-source hosted hypervisor for x86 and AMD64/Intel64 virtualization, developed by Oracle Corporation. VirtualBox can be installed on Windows, macOS, Linux, Solaris and OpenSolaris. Anyone can use it at home for learning purposes too: you can install another OS alongside your existing OS to learn the new environment and have some fun.

There are other ranges of products for the technologies mentioned below. You can use any tool as per your requirement.

  • IP Address Manager
  • VoIP Manager
  • Log Analyser
  • Patch Manager
  • Server Application Monitor
  • Access Rights Manager
  • Web Performance Monitor
  • Virtualization Manager
  • Database performance manager
  • Database mapper
  • Servicedesk Management
  • EMS
  • Helpdesk Management

-DR

Thursday, June 24, 2021

Cyber Security | Infrastructure Security Management

Infrastructure Security Management 

Security breaches nowadays are becoming more sophisticated and multifaceted, and keeping the cyber security defense strategy up to date is the challenge now. Certain areas need focus, along with adopting the best solutions in the market. An infrastructure audit is another way to check the gaps and update the network. All the controls need to be checked and implemented to keep the infrastructure secure.

Below is the security checklist with respect to infrastructure security:

  • Set offline access protection or endpoint protection on desktops, laptops and servers (BitLocker etc.).
  • Implement process execution prevention (AppLocker, BeyondTrust, Avecto, Viewfinity etc.).
  • Log centralization and log reviews, searching for anomalies and certain log error codes; perform regular audits of the code running on the servers (SIEM, Sysmon, Splunk etc.).
  • Maintenance: backup implementation and regular updating. Take your backups on time and regularly, using an automatic backup solution (vendor-specific solutions, WSUS, etc.).
  • Review the settings and services running on servers and workstations (examples: using accounts that are not built in or that are too privileged, reviewing service file locations, changing permissions where necessary using the Security Descriptor Definition Language, changing accounts to gMSAs where possible).
  • Limit the number of services running on the servers (SCW and manual activities).
  • Implement anti-exploit solutions (EMET etc.) and anti-virus solutions (McAfee, Symantec, NOD32 etc.).
  • Review the configuration of the client-side firewall and enable only the programs that need to communicate through the network.
  • Manage the local administrator's password.
  • Implement scoping (role management) for permissions and employee roles (SQL Admins, Server Admins etc.); put another way, this is user access management. An access control policy also needs to be established.
  • Implement network segmentation (VLANs, VPN, IPsec isolation, 802.1X etc.). Network segregation is very important: all domains should be separated, such as the desktop domain, server domain, public access domain, cloud domain, network domain etc.
  • Implement data protection techniques or DLP throughout the network.
  • Implement identity management and password management.
  • Periodically review configurations and carry out Vulnerability Assessment and Penetration Testing (internal/external) by an internal team or third-party vendors.
  • Finally, a security awareness program for employees and technical training for administrators and new joiners are also important.
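As an added example (not code from the original posts), the following log review covers two items from the checklists above and from the Active Directory checklist earlier on this page: bursts of failed logons (Windows Event ID 4625) from one source address, and members being added to highly privileged Active Directory groups (Event IDs 4728/4732/4756). The line format, hosts, users, addresses and the set of privileged groups are all constructed assumptions.

```python
"""Review constructed Windows Security event lines for failed-logon bursts
and for member additions to privileged AD groups."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
# Member added to a security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Groups treated as highly privileged; the set is an assumption for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed line layout: "<ISO timestamp> <host> EventID=<id> key="value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event_id": int(m["eid"])}
    rec.update(KV_RE.findall(m["rest"]))
    return rec

def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]

def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Sliding window over 4625 events per source IP. Returns {ip: peak count}
    for every source whose peak count inside `window` reaches `threshold`."""
    times_by_ip = defaultdict(list)
    for r in records:
        if r["event_id"] == FAILED_LOGON and "src" in r:
            times_by_ip[r["src"]].append(r["ts"])
    findings = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = peak
    return findings

def privileged_group_changes(records):
    """Every member-added event whose target group is in PRIVILEGED_GROUPS."""
    return [
        {"ts": r["ts"], "actor": r.get("actor", "?"), "member": r.get("member", "?"), "group": r["group"]}
        for r in records
        if r["event_id"] in GROUP_ADD_EVENTS and r.get("group") in PRIVILEGED_GROUPS
    ]

# Constructed sample log (not real data): six failures from one address in 32
# seconds, two unrelated failures, one privileged and one ordinary group change.
SAMPLE_LOG = """\
2021-06-24T09:00:05 DC01 EventID=4625 user="jdoe" src="10.0.0.5"
2021-06-24T09:00:09 DC01 EventID=4625 user="jdoe" src="10.0.0.5"
2021-06-24T09:00:14 DC01 EventID=4625 user="admin" src="10.0.0.5"
2021-06-24T09:00:21 DC01 EventID=4625 user="admin" src="10.0.0.5"
2021-06-24T09:00:30 DC01 EventID=4625 user="backup" src="10.0.0.5"
2021-06-24T09:00:37 DC01 EventID=4625 user="svc_sql" src="10.0.0.5"
2021-06-24T09:02:00 DC01 EventID=4625 user="asmith" src="10.0.0.9"
2021-06-24T09:30:00 DC01 EventID=4625 user="asmith" src="10.0.0.9"
2021-06-24T09:31:12 DC01 EventID=4728 actor="helpdesk1" member="tempuser" group="Domain Admins"
2021-06-24T09:32:40 DC01 EventID=4732 actor="helpdesk1" member="printsvc" group="Print Operators"
2021-06-24T09:33:00 DC01 EventID=4624 user="asmith" src="10.0.0.9"
"""

def review(text=SAMPLE_LOG):
    records = parse_log(text)
    return {"bursts": failed_logon_bursts(records),
            "privileged_changes": privileged_group_changes(records)}

if __name__ == "__main__":
    result = review()
    for ip, n in result["bursts"].items():
        print(f"{n} failed logons from {ip} within 5 minutes")
    for c in result["privileged_changes"]:
        print(f"{c['ts']} {c['actor']} added {c['member']} to {c['group']}")
```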

The above points may be considered for strengthening your infrastructure, whether it is large, medium or small.

Do you have any comments or suggestions? Feel free to post below.


-DR


Risk and Risk Management

Defining Risk and Risk Management

Risk 

Risk is the intersection of asset, vulnerability and threat. Risk is the probability of realization of a threat.

The combination of the probability of an event and its consequences is known as risk.

There are many types of risk, such as enterprise risk, regulatory risk, financial, reputational, conduct, environmental, management, technology, operational and legal risk.

Strategic Risk:

Risks that result directly from a specific industry or organization in a specific time frame.

An example of strategic risk is failure to upgrade a system after it becomes obsolete. Using old or obsolete devices leads to attacks.

Compliance Risk:

Compliance risks are legislative, regulatory and statutory risks based on standards and practices.

Standards such as ISO/IEC 27001, NIST, HIPAA, SOX, GDPR etc.

Operational Risk:

The Risk resulting from inadequate or failed internal processes, people and systems or from external events is known as operational risk.

Example:-

Human error, fraud, IT system failure, management problems, commercial disputes, accidents.

Technology Risk:

Risk resulting from failures in technology, data or applications that negatively impact the business.

Example:-

Website crashing, security incidents due to data theft, virus attacks, etc.

Business Risk:

This is the real-time identification of risks or red flags in the controls of a business.

Example:-

Inaccurate finance data, Financial data leakage, Fraudulent transactions etc. 

Information Security Risk:

Information security risk is a subset of technology risk: the risk to an organization's operations, assets and individuals due to unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems by outsiders.

There are two types of risk analysis methods, known as qualitative risk analysis and quantitative risk analysis.

Quantitative Risk analysis

Quantitative risk analysis focuses on the numerical evaluation of risks. It is performed to understand the probability and impact of risks. The main benefit is that it produces measurable data and is very helpful during Business Impact Analysis (BIA).

Qualitative analysis uses data such as historic records, past experiments, industry practices and test data. 

Qualitative Risk analysis

Qualitative risk analysis is the process of evaluating risks considering their probability of occurrence and impact. Qualitative analysis is simple and used frequently where the risk level is low.

The risk rating comes with values such as Very High, High, Moderate, Low and Very low. 

Risk Assessment

Risk assessment is the evaluation of the possibility of a threat or vulnerability existing. The steps below are carried out during a risk assessment.

  1. Identify critical assets or resources.
  2. Identify relevant risks in terms of vulnerabilities and threats.
  3. Perform impact analysis on the basis of quantitative and qualitative approaches.
  4. Prioritize risks and document them.
  5. Risk treatment.

Risk Management

Risk management is about taking decisions and actions to address uncertain outcomes or risks. Information security risk management is the process of identifying, evaluating and treating risks across the organization.

Risk Management is the identification, evaluation, and prioritization of Risks. 

As per the NIST 800-37 Risk Management Framework, the step-by-step process for risk management is:

  1. Categorize Information System
  2. Select Security Controls
  3. Implement Security Controls
  4. Assess Security Controls
  5. Authorize Information System
  6. Monitor Security Controls

Risk management is important in an organization because without it, an organization cannot define its objectives for the future.

Steps to manage risks are as mentioned below:

  • Identification of assets: in this first step, count all the information systems, software, hardware, services, people, records and procedures.
  • Evaluation: assets can be evaluated based on their criticality and importance to business operations, and noted as Low, Medium or High. The CIA triad (Confidentiality, Integrity and Availability) may be followed.
  • Risk Assessment: Carry out risk assessment and perform impact analysis based on quantitative and qualitative approach. Document the outcomes of assessment such as name of risk owner, implemented controls, asset value, level of threat, level of vulnerability and impact to the organization. A risk matrix table can be prepared.
  • Risk Treatment: The final step is to mitigate the risks or reduce the risks based on selection of appropriate security controls and risk treatment plan (RTP).

Below is a sample risk assessment formula:

SLE X ARO = ALE

Similarly:

Cyber Risk = Threat X Vulnerability X Information Value

ALE: Annual loss expectancy. This is a measure of how much loss an organization could expect in a year (financial value).

SLE: Single loss expectancy. It denotes how much the organization can expect to lose at any one time.

ARO: Annualized rate of occurrence. It is derived from historical data of an event occurring within a year.

What is meant by risk acceptance?

Risk acceptance is a strategy for dealing with risk in which accepting the risk and its consequences is decided to be the best approach. It means you understand the risk and decide not to do anything about it.

Risk Register:

A risk register is a tool for risk analysis used during IT, enterprise or financial risk management. It holds all the identified risks within an organization.

It contains:

  • All identified risks
  • Risk Category
  • Likelihood of occurrence
  • Impact
  • Risk ownership details
  • Response Plan
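As an added example (not code from the original post), the following builds a small risk register with the fields listed above, applies the post's formulas (ALE = SLE x ARO and Cyber Risk = Threat x Vulnerability x Information Value) and its qualitative scale (Very Low to Very High), and prioritizes the entries for treatment. The 1..5 scoring, the bucket edges and the sample risks are constructed assumptions.

```python
"""Risk register with quantitative (ALE) and qualitative ratings, prioritized.
All sample values and scoring thresholds are constructed for this example."""
from dataclasses import dataclass, field

QUAL_LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]  # scale from the post

def qualitative_rating(likelihood, impact):
    """Bucket likelihood x impact (each scored 1..5) into the five levels.
    Bucket edges 4/8/12/19 are an assumption, not taken from the post."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be integers 1..5")
    score = likelihood * impact
    if score <= 4:
        return "Very Low"
    if score <= 8:
        return "Low"
    if score <= 12:
        return "Moderate"
    if score <= 19:
        return "High"
    return "Very High"

def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO (SLE in currency units, ARO in occurrences per year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro

def cyber_risk(threat, vulnerability, information_value):
    """Cyber Risk = Threat x Vulnerability x Information Value (each scored 1..5 here)."""
    return threat * vulnerability * information_value

@dataclass
class RiskEntry:
    """One register row carrying the fields the post lists."""
    name: str
    category: str
    owner: str
    likelihood: int        # 1..5
    impact: int            # 1..5
    sle: float             # single loss expectancy
    aro: float             # annualized rate of occurrence
    response_plan: str
    rating: str = field(init=False)
    ale: float = field(init=False)

    def __post_init__(self):
        self.rating = qualitative_rating(self.likelihood, self.impact)
        self.ale = annual_loss_expectancy(self.sle, self.aro)

def prioritize(register):
    """Highest qualitative level first, then highest ALE within a level."""
    return sorted(register, key=lambda r: (QUAL_LEVELS.index(r.rating), r.ale), reverse=True)

def total_ale(register):
    """Sum of ALE over the register: the organization's expected annual loss."""
    return sum(r.ale for r in register)

# Constructed sample register (illustrative figures, not real data).
SAMPLE_REGISTER = [
    RiskEntry("Unpatched file server", "Technology", "Server Admins",
              4, 4, 50_000, 0.5, "Monthly patch cycle via WSUS"),
    RiskEntry("Phishing leading to credential theft", "Information Security", "SOC",
              5, 3, 20_000, 2.0, "Awareness training plus MFA"),
    RiskEntry("Backup media lost in transit", "Operational", "IT Operations",
              2, 2, 80_000, 0.1, "Encrypt backup media"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating:9} ALE={r.ale:>9,.0f}  {r.name} (owner: {r.owner})")
    print(f"Total annual exposure: {total_ale(SAMPLE_REGISTER):,.0f}")
```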

Risk Treatment:

After identification of risks, the actions and steps taken are known as risk treatment. Several risk treatment options exist, such as:

  • Avoid
  • Transfer
  • Response
  • Reduce
  • Accept
  • Mitigate
  • Prevent
  • Control
  • Share

Steps for Risk Treatment:

Below are the basic steps for carrying out a risk treatment plan.

  • Identify risks and treatment options.
  • Develop a plan
  • Document the details & approach
  • Accountability/ Ownership
  • Timelines for resolution

Industry frameworks for risk management:

There are a large number of publicly available frameworks for security risk management.

NIST 800-30 (CSF): Cyber Security Framework

This is published by the National Institute of Standards and Technology (NIST) and is largely used by government organizations, defense sectors, etc. It is available freely on the web.

ISO/IEC 31000: 

Published by the International Organization for Standardization and available on a license basis, this is the parent standard that provides overall guidelines and principles to manage many different types of risk in a systematic, transparent and reliable manner.

Threat:

Any condition that could cause harm, loss, damage or compromise to an asset is known as a threat.

Example:-

Phishing attack, stolen password, virus attack

Vulnerability:

Any weakness in system design, implementation or software code is known as a vulnerability. A security vulnerability is a weakness, flaw or error found in a security system.

For example:-

Broken authentication, misconfiguration, poor encryption, unpatched systems, weak passwords


-DR

Monday, June 14, 2021

SAN Protocols


SAN is the most common storage networking technology. Nowadays all business-critical applications run by enterprises prefer SAN to achieve high throughput and low latency. Flash storage deployments are growing rapidly due to their high performance. In the previous post we gained a little understanding of SAN and NAS. Here we cover another little basic: the SAN protocols. The common SAN protocols are FCP, iSCSI, FCoE and FC-NVMe. Let's have an overview of them.

FCP Overview

FCP, or Fibre Channel Protocol, is used as a SAN or block protocol. It uses the Fibre Channel transport protocols and is the most used protocol in the largest deployments. It uses dedicated adapters, cables and switches, and it is different from Ethernet at all layers of the OSI model down to the physical layer. It uses cards called HBAs (host bus adapters), which look very like normal Ethernet network cards but are different. It also uses switches across the network, but they are Fibre Channel switches: they look like Ethernet switches, but they are different. Fibre Channel is different from Ethernet at every level. It supports bandwidths from 1 to 128 GB per second and sends SCSI commands over Fibre Channel.

iSCSI overview

It stands for Internet Small Computer System Interface. iSCSI encapsulates SCSI commands inside an Ethernet frame and then uses an IP Ethernet network for transport. It runs over Ethernet networks and was created as a less expensive alternative to Fibre Channel. Fibre Channel SAN was expensive due to its own dedicated infrastructure and the limited hardware types it accepted, so iSCSI was developed as a cheaper alternative running over standard Ethernet networks. It is a popular SAN technology; because it runs over Ethernet rather than Fibre Channel, it can share the data network or have its own dedicated network infrastructure. For normal storage performance, faster network cards are now being used, which makes it more feasible to run iSCSI over a shared network.

iSCSI shares a lot of the same characteristics as Fibre Channel. It uses IQNs (iSCSI Qualified Names) for addressing. Alternatively, the EUI (Extended Unique Identifier) can be used. Those are the two alternative ways of doing addressing in iSCSI, and IQN is used more commonly. The IQN can be up to 255 characters long. iSCSI runs over standard Ethernet, so individual ports in the host are addressed by IP addresses, just like on a normal Ethernet network.

FCoE

Known as Fibre Channel over Ethernet, it is similar to the iSCSI protocol and encapsulates an FC frame inside an Ethernet datagram. Like iSCSI, it uses an IP Ethernet network for transport.

FC-NVMe

Known as Non-Volatile Memory Express over Fibre Channel, it is a block-level access protocol. It is a newer technology that uses the faster PCI Express bus and allows the best performance of SSDs to be unlocked. NVMe, SAS and SATA are not all compatible with each other, so they cannot all be fitted in the same drive bay: you can fit SAS and SATA drives in the same drive bay, but NVMe drives have a completely different connector, so you cannot fit an NVMe drive into a SAS bay, and you cannot fit a SAS or SATA drive into an NVMe bay.

So that's all. We may cover more later.

-DR


Network Scanning Tools

Network Scanning through Nmap and Nessus Network scanning is a process used to troubleshoot active devices on a network for vulnerabilities....