This next Security+ chapter is on security tools and technologies. A lot of it rehashes the components discussed in the previous chapter. I’ll be honest with y’all, this part of the book isn’t terribly exciting, but I’m looking forward to having my first infosec cert under my belt.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Protocol Analyzer
A protocol analyzer is a tool that can capture and analyze wired or wireless traffic passing over a given communications channel. This might also be called a packet sniffer, network analyzer, or packet analyzer. For this to work, you have to place a network interface into promiscuous mode. This means it listens for all packets, not just the ones addressed to it.
A switched port analyzer (SPAN), also called port mirroring or port monitoring, copies network traffic and sends the copy to a port designated for traffic capture and analysis. The copied traffic might also be fed into an IDS or IPS.
An example of a protocol analyzer is Wireshark.
Network Scanner
A network scanner is a tool for probing a network for ports. The tool reports back to the user which ports are open (“listening”), which are closed and which are filtered. An example of a network scanner is Nmap.
- “Live” hosts are found by sending ICMP, TCP or UDP packets. If a response is given, the port is open. No response or a timeout means it’s closed. If an access denied message comes back, it’s filtered.
- Network scanners can help identify which services are running on which hosts, and on which ports. After you’ve scanned, determine if those services should be running at all.
- Scanners can be used for rogue system detection. You can actively scan for unauthorized devices. Alternatively, you can passively inspect traffic logs for communication with unauthorized devices.
- Network scanners can also be used to create network diagrams of how machines are connected to one another.
- You can also use wireless scanners such as Kismet, NetStumbler, or MiniStumbler. Add cracking ability via tools like AirSnort, Aircrack, and so on.
Password Cracker
These are tools used by attackers to find weak passwords. Admins could also use them to test the password health of their own users and detect problems early.
Vulnerability Scanner
These are programs designed to scan a system for issues. These issues might include misconfiguration, old software versions, and so on. They can operate at the network level, host level or application level.
- Network scanners are very broad and will scan for live hosts and services on those hosts.
- Host vulnerability scanners run on a specific host. That allows them to be more specialized than network scanners. They can search for issues related to a specific OS, weak password policies, etc.
- Application vulnerability scanners look for issues in a given application. One big category is testing for weaknesses in web-based applications. These tools can automate testing for things like SQL injection.
There are several pages with security tool concepts that do not logically flow together. So, they’re going here in the concept grab-bag.
Configuration Compliance Scanner
All of this is a lot of work, and automation goes a long way. SCAP is the Security Content Automation Protocol. It’s a protocol for managing information related to security configurations and validating them in an automated way. There are tools to help with this, some of which are SCAP-compliant.
Exploitation Framework
These are toolsets designed to help attackers exploit systems. Some of these tools include automation. Groupings of these tools represent (sorta) standardized ways of attacking, and a framework for moving through an attack. The most famous example is Metasploit.
Data Sanitization Tools
If you need to get rid of data, there are special data sanitization tools to help. These allow you to “destroy, purge or otherwise identify for destruction” data on systems. Probably pretty useful for government and other highly regulated industries.
Steganography
Steganography, or “stego” for short, is frequently found in CTFs. Stego is the science of hiding messages in other content. The book has nothing else to say about that so just… be aware, I guess?
Honeypot
A honeypot is a “fake” server designed to appear like the real thing. It’s meant to be a trap for attackers. Because it’s bait, any traffic to it can be assumed to be malicious.
Likewise, a honeynet is the network equivalent of a honeypot. It’s an entire network designed to look like an attackable corporate network.
Backup Utilities
Pretty self-explanatory, but at scale, backups become an issue. If you have an entire enterprise to worry about, there are hundreds or thousands of servers and workstations. Each of those needs to be backed up on an automated schedule. And the data needs to be segregated, managed, etc. at scale.
Banner Grabbing
This is a technique where you gather information on a service via its banners. These banners show service types, versions, etc. HTTP, FTP, SMTP, and Telnet are all banner-issuing services. This information is useful to attackers, so maybe hide some of that, or provide less specific information.
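To see what your own servers give away, here is an added example (not from the book or the blog) that reads a service’s greeting and flags the product/version fragments an outsider would learn from it. The pattern list and the `audit_own_host` helper are my own constructions; the banner strings in the comments are typical examples, not captures from any real host.

```python
import re
import socket

# Banner shapes that reveal product and version to anyone who connects (constructed pattern list).
VERSION_PATTERNS = [
    re.compile(r"(?i)^server:\s*(\S+/[\d.]+.*)"),     # HTTP header: Server: Apache/2.4.41 (Ubuntu)
    re.compile(r"^SSH-2\.0-(\S+[_-][\d.]+\S*)"),      # SSH greeting: SSH-2.0-OpenSSH_8.9p1
    re.compile(r"^220[ -].*?(\S+ \d[\d.]*\S*)"),      # FTP/SMTP greeting: 220 (vsFTPd 3.0.3)
]

def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect to one of your own services and return the first thing it sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:                         # HTTP only answers a request; SSH/FTP/SMTP speak first
            s.sendall(probe)
        return s.recv(1024).decode("latin-1", "replace")

def version_leaks(banner):
    """Version-bearing fragments found in a banner; an empty list means nothing specific leaked."""
    leaks = []
    for line in banner.splitlines():
        for pattern in VERSION_PATTERNS:
            match = pattern.search(line.strip())
            if match:
                leaks.append(match.group(1).strip())
    return leaks

def audit_own_host(host, ports=(21, 22, 25, 80)):
    """Map port -> leaked fragments for services on a host you administer (needs network access)."""
    report = {}
    for port in ports:
        probe = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode() if port == 80 else b""
        try:
            report[port] = version_leaks(grab_banner(host, port, probe))
        except OSError:
            report[port] = None           # closed or filtered: nothing to audit on this port
    return report
```

A report entry of `[]` means the service answered without a version string, which is the state you want after trimming banners.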
Passive vs Active
This is far from the first time that this concept has shown up, but here we go again. Passive tools do not interact with the system in a way that allows detection. Active tools interact in a way that can be detected. One passive example is using Wireshark to examine traffic after the fact. An active example is port scanning using Nmap.
Command-Line Tools
Here, we go through a bunch of command-line tools very quickly.
- ping: sends an echo request to a machine to determine if communication is possible.
- netstat: shows network connections to/from a system.
- tracert (Windows) or traceroute (Linux/macOS): traces the route a packet takes over the network.
- nslookup and dig: perform a DNS query for a specific name or address.
- arp: query or manipulate a device’s ARP table.
- ipconfig/ifconfig: view or manipulate network interfaces on a system (internet protocol configuration).
- tcpdump: a command line protocol analyzer that lets you look at packets from a network connection or a recorded file. (Create pcap files, yay!)
- nmap: created by Gordon Lyon in 1999 for network scanning and mapping. Check out their website, which is also clearly from the late 90s.
- netcat or nc: used for reading from or writing to network connections using TCP or UDP.
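Since tcpdump and Wireshark both read pcap files, here is an added example (mine, not from the book) that walks the pcap record format by hand and then applies the passive-vs-active point from this chapter: an Nmap-style port scan is detectable, so the parser finishes by listing sources that sent bare SYNs to many ports. The sample capture is constructed in the code (zeroed checksums, made-up addresses), not a real trace.

```python
import socket
import struct
SYN, ACK = 0x02, 0x10

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, frame in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out

def build_tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload; checksums left zero (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, 0x0800) + ip + tcp

def summarize(frame):
    """Decode one frame down to the TCP header; None for anything that is not IPv4/TCP."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None
    toff = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + IPv4 header length (IHL)
    sport, dport = struct.unpack_from("!HH", frame, toff)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": frame[toff + 13]}

def parse_pcap(data):
    """Walk the record headers the way tcpdump -r does and summarize each captured frame."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec, summarize(data[off:off + incl_len])))
        off += incl_len
    return records

def syn_scan_sources(records, min_ports=5):
    """Sources that sent bare SYNs (SYN set, ACK clear) to at least min_ports distinct ports."""
    seen = {}
    for _, r in records:
        if r and r["flags"] & (SYN | ACK) == SYN:
            seen.setdefault(r["src"], set()).add(r["dport"])
    return sorted(s for s, ports in seen.items() if len(ports) >= min_ports)

# Constructed sample capture: one host probing six ports, one host opening a single connection.
PROBES = [(100 + i, build_tcp_frame("10.0.0.5", "10.0.0.9", 40000 + i, p, SYN))
          for i, p in enumerate([22, 25, 80, 443, 3306, 8080])]
SAMPLE_PCAP = build_pcap(PROBES + [(200, build_tcp_frame("10.0.0.7", "10.0.0.9", 51000, 443, SYN))])
```

Write `SAMPLE_PCAP` to disk and `tcpdump -r` or Wireshark will open it, which is a handy way to check the parser against the real tools.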
Security Technology Grab-Bag
It’s time for another grab bag, this time with security technologies. These are used to analyze security situations.
HIDS/HIPS
This is the host equivalent of the network IDS and IPS discussed in the previous chapter. Host-based intrusion detection systems (HIDS) generate alerts based on specified patterns. Host-based intrusion prevention systems (HIPS) are like HIDS, but can also execute automated responses.
Antivirus
Antivirus (AV) is pretty well-known. It checks files for matches to known malware signatures and alerts the user.
File Integrity Check
When you download a file from the internet, you can run a file integrity check. This ensures that the file has not been tampered with and that you received the file you intended to download.
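An added example (not the book’s) of the check described above: hash the downloaded file with SHA-256, compare it against a vendor-published `sha256sum`-style line, and use a constant-time comparison. The file, its name and the “published” digest line are constructed inside `demo()`.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_line(line):
    """Parse one sha256sum-style line: '<64 hex digits>  <filename>' ('*' marks binary mode)."""
    parts = line.split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - set("0123456789abcdef"):
        raise ValueError("malformed SHA-256 checksum line")
    return parts[0].lower(), parts[1].strip().lstrip("*")

def verify_download(path, checksum_line):
    """True only when the filename matches and the digest matches (compared in constant time)."""
    expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != name:
        return False                      # the published digest is for a different file
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed sample: a fake 'download' checked before and after a one-byte modification."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"pretend this is the tarball you meant to download\n")
        published = f"{sha256_file(path)}  tool-1.0.tar.gz"   # what a vendor's SHA256SUMS would say
        intact = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"#")                 # tamper with the file after the digest was published
        return intact, verify_download(path, published)

if __name__ == "__main__":
    print(demo())
```

The check only proves you got the file the publisher hashed; fetch the checksum over a different, authenticated channel (or verify a signature on it), or an attacker who swapped the file can swap the digest too.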
Host-Based Firewall
Firewalls were also discussed in the last chapter. A host-based firewall is just what it sounds like: a firewall on a single host system. This allows it to be very specific. This might come in handy if you have a high-value server that you’re trying to protect.
Application Whitelisting
This is an enterprise-type practice where you specify which applications can be run on a system. This allows you to combat malware. But it’s also really annoying for engineers or other folks who need to install new programs.
Removable Media Control
Removable media presents a risk for data exfiltration out of a system. Likewise, it provides a risk for malware getting into a system. Removable media controls prevent transfer of data from a system to a removable media location like a thumb drive.
Advanced Malware Tools
These are tools that allow a user to match known malware patterns and find indicators of compromise on a system. The book gives YARA as an example.
Patch Management Tools
Another thing that’s easy on its own, but difficult at scale. Patch management tools let admins keep records of the software in an organization and whether it’s been updated. They can also generate alerts for users.
UTM
UTM is unified threat management. This is a marketing term for “all in one” devices. These devices package together lots of services like firewalls, IDS/IPS, anti-malware, content filtering and so on.
DLP
We’re back again with another mention of data loss prevention. This can also refer to technology that is used in an enterprise to prevent data loss. This might include scanning, blocking possible exfiltration methods and so on.
Data Execution Prevention
Data execution prevention (DEP) marks specific areas of memory as non-executable. This helps defend against attacks where code is placed in a data region of memory and then executed.
Web Application Firewall
A web application firewall (WAF) is a type of content filter. It restricts HTTP/HTTPS traffic based on given rules. Like other application-specific things discussed in this chapter and last chapter, it can be highly specialized to a given application.