The content of this article can be associated or mapped to CompTIA Security+ Exam Objective 1.0 “Network Security”. The internet is a scary place. The reason it is so scary is because of everything; even casual users, broadcast when surfing the net. While many of you basic users out there in the world just want to keep in touch with friends, shop, or just watch cat videos there are many other users who seek to do harm. Just being on the internet and updating social media can put you at risk because most of what you do is unencrypted. As a comparison think about everything you do in your car on the way to and from your destination. Now imagine your car being completely see-through and not only can everyone see what you might be doing other than driving but for those who listen hard enough can hear everything as well. Makes you think twice about picking your nose at that stoplight huh? Parents with kids, this message is also for you if you let your children use the internet for school or to play video games. Someone who can see every move you make on the internet can not only deliver malware such as viruses and worms but they can more directly target you.
Enter the Virtual Private Network or VPN. These awesome tools can make us all so much safer on the internet regardless of your level of use. Essentially VPNs do for us (going back to my see-through car comparison) what the opaque features of our cars do for us just imagine your car now also has blacked out windows and is completely sound proof and nearly indestructible. The VPN encrypts everything you do on the internet and makes it nearly impossible to be targeted directly for malware and other types of cyber-attacks. It is not fool-proof but suffice it to say it’s damn close. Truth be told there is no excuse not to be using a VPN. For starters they are easy to implement. I’m not going to go into all the details here but do an internet search for videos on how to install and use VPN and you will become an expert in no time. If you shop around for different VPN solutions and have a “brand name” in mind you can search for that and get specific instructions. Once it is setup it really is as simple as making sure you turn it on BEFORE you jump on the internet. There are dozens of options some free and some not and all things considered they are all very similar in operation. I personally recommend paying for the service though as paid VPNs are usually easier to use and are supported or maintained.
I am not paid or sponsored by anyone for the content of this blog (wish I was) but I personally use Private Internet Access or PIA and it’s so easy even I can do it so that means you can too. Why did I choose that one? Because a trusted colleague was using it and recommended it so I did and have no complaints. The cost is roughly $5 a month and I pay every quarter so $15 and I can use the same account actively on 3 devices at a time. So my work laptop, my personal laptop, and my PS4 can all be logged in and protected at the same time. One of the key things I recommend is make sure the VPN service you choose does not log activity (defeats the purpose of staying anonymous and protected) and that the service provides full protection and does not leak your IP address through what is known as a WebRTC Request leak. If you want to know how to test this just go to ipleak.net after you turn your VPN on and see what the results are. Let’s say you set your VPN to give you an IP out of Romania and ipleak.net shows your real internal IP anywhere than the service is not completely protecting you. So be safe out there and get yourself a VPN.
The content of this article can be associated or mapped to CompTIA Security+ Exam Objective 3.2 “Summarize Various Types of Attack”. Regardless of your dealings with computers, be it as a network administrator for a corporate enterprise or a basic user who surfs the internet at home, chances are you have an email address. Just like regular mail cyberspace presents us with a fair amount of annoying junk or stuff posing as mail otherwise known as SPAM. While SPAM is generally annoying, it can serve as an attack vector for threat actors seeking to do harm. Generally and quite frequently SPAM contains advertisements or coupons for products you may or may not be interested in and usually contains hyperlinks and for the most part is genuinely harmless. Alternatively, threat actors or ‘bad guys’ use SPAM with the intent of conning the uneducated into disclosing viable personal information or even to deliver malicious payloads to our computer. The real downside here is it is difficult to tell the difference what is merely a benign nuisance and what is truly evil.
Let’s lay down some best practices and ground rules. Since we have already discussed that it is difficult to tell the difference, any email you didn’t expect or didn’t come from a known source should be deleted. Let’s face it, if your bank or bill collectors or doctor really need important information from you they will call you or send you paper mail. If you do get suckered into opening it do not click I highly recommend not clicking on any hyperlinks. For the sake of argument let’s say you do get an official looking email from your bank or similarly important organization call the source and verify. Don’t respond to the email and again don’t click on any embedded links. When in doubt, call the source. You may want to ask “did you mean to send this email?” or “is this form requesting my signature available for completion on the official website?”. I get document alerts from my bank and CPA all the time but not once has any official email requested my signature, confirmation of SSN, or anything of the sort outside the confines of the protected and secure website. Here’s the kicker, truly malicious SPAM may appear official in every way and may even include a hyperlink to your “bank” but DO NOT click on it. Instead, manually open a browser and navigate to the official website the old-fashioned way. Also remember that anything that is too good to be true probably is. No one wants to give you anything for free and no one has ever won the lottery by email so chances are…It’s a trap!
Now the reasoning behind the ground rules is simple. Hyperlinks can be manipulated very easily for example if I sent you an email saying Click Here to confirm your account information somewhere in the message body. Go on, click it, I can wait…Now while this is a lame demonstration it is a demonstration nonetheless. Instead of being directed to your account information page you would have been directed to the Drudge Report website. Now in a truly malicious SPAM attack that same destination could’ve redirected the unsuspecting user to a malicious payload delivery site before redirecting you to the official site. Though it may go unnoticed that brief visit to the delivery site could have dropped a virus on your system or worse directed you to a spoofed website where you would be prompted to enter your login information thus giving your credentials to a bad guy trying to gain access to your bank or steal your personal information for identity theft. Truth be told, I could go on and on about the various potential outcomes from SPAM. For many, just understanding that unexpected emails should be approached and handled cautiously should be enough to keep you better protected from the various threats SPAM presents and facilitates. Just remember the rules I provided above and you will be okay. When in doubt call the source and confirm the transmission otherwise, just delete it.
Security Information and Event Management (SIEM) is not specifically mentioned in the CompTIA Security+ Exam Objectives. However, the implementations of a network’s security infrastructure that feed SIEM are specifically mentioned in CompTIA Security+ Exam Objective 1.0 “Network Security”. Where SIEM fits into the security construct is serving as an aggregation for all SYSLOG traffic coming from any configured device(s). Intrusion Detection and Prevention, Firewalls, Domain Controllers, Core Switches, VPN concentrators and many other devices have the capability to feed the SIEM construct. With that being said, SIEM is passive and relies solely on the input of those configured devices as well as their verbosity settings. SIEM does offer near-real time alerts and provides a single touch point for monitoring analysts and contracted security service providers. The reason I use the words “near-real time” and not “real-time” is because I personally believe this to be a misnomer. Everyone is looking for that magical blinking red light and alarm to sound to signify an attack in progress. Anything that requires a threshold of the rule-set and notifications to be sent to a monitoring analyst is not real-time. In-fact, nothing could be more reactionary. So SIEM, by its design, is passive but that should not take away from the capability SIEM provides.
Where most people get SIEM wrong is because of the belief that it is an active protection system. That is what an intrusion detection or prevention system and firewall are used for. Now it is not unfair to say that SIEM is not capable of protecting a network. If configured properly to receive logs from a web filter or domain controller it could be used to identify traffic to malicious hosts or to alert when a user has downloaded a non-permitted executable file. From that point a network admin can isolate the system and prevent malware from spreading or reconfigure existing security systems to prohibit future activities that triggered the SIEM alert notification. The important take away is that the SIEM device is not going to do that for you. Also, remember the input based function of SIEM. If the device isn’t monitored, the verbosity setting not set quite right, or a threat agent circumvents a firewall or other protective measure than the SIEM will not see it and thus, not generate the notification. SIEM is also not intelligent and cannot make up for shortcomings in configuration. If the rules and thresholds are not set to see X but instead only Y and Z than anything falling under the X category will go unnoticed.
We have to remember that security should be addressed in layers. A single firewall may provide adequate protection for a network but it will not nearly be as effective as a network protected by a firewall and an intrusion detection or prevention system. Those security mechanisms are great but monitoring all of those systems is nearly impossible. SIEM provides the bridge between systems to provide a single reference point for situational awareness and intelligence for the admin team. SIEM also adds the layer of situational awareness to overall systemic behavior of the network as well. Where threats are not detected SIEM can also provide insight and generate notifications of application or system crashes. And that is something firewalls and other security devices fail. It also does really well in forensic analysis of events leading up to a suspected breech or incident. Instead of querying logs from 5 different sources, the SIEM can be the proverbial one-stop-shop for an investigation. Despite the shortcomings, SIEM is a must-have for any network but SIEM cannot and should not be implemented without due expectation management. For more information on SIEM you can research any of the SIEM products on the market; Splunk, Tripwire, NetIQ, and Arcsight are but a few. There will be some differences in capability between these and some may even have enhanced features to remedy the identified shortcomings above but those are usually much more expensive and those advanced features are not organically SIEM but instead advanced security utilities infused with SIEM capability.
The content of this article can be associated or mapped to CompTIA Security+ Exam Objective 1.0 “Network Security” or more specifically, firewalls and web filters. First off the title requires a brief explanation. No I am not a fascist but one of my professors called me a security Nazi after grading one of my assignments discussing firewall rules and policy development for a fake company. That being said, I am frequently asked by my clients what they can do to better harden their enterprise. They ask about the latest technology or the latest threat like ‘Ransomware’. To be perfectly honest many organizations are already equipped to handle such threats. All it takes is a little bit more support from management to enforce said policies. But let’s talk about the tech for a minute.
Web Filters are by far my favorite piece of IT Security Infrastructure. If we can all agree that the internet is a boiling cesspool of viruses, identity thieves, and quizzes that tell you which care bear you are and the internal network or LAN is our bastion of good – achieving the company mission statement. Then the web filter is one of the best things to protect the LAN from the evil that lurks in the World Wide Web. I feel the eyebrows rising but bear with me and remember I’m about to talk about firewalls too. If you are a Network Security Administrator then the web filter is your best friend. For those that don’t know, the web filter is a program that screens websites for permitted or blocked content and permits or blocks said content respectively. (Rouse, 2017)
So why do I favor the web filter you ask? Because it protects us from the most lethal threat to a corporate network…The USER! (DeCarlo, 2007) If we examine some of the biggest daily issues that a network faces many of the issues can be tied to user activity within the network. Whether it’s Johnny in the HR department checking the local scores of his favorite team or Suzie in accounting checking her horoscope, each site they visit poses the potential threat of delivering malware to their machine. So the best thing a network admin can do is block sites like that altogether and prevent users from visiting those sites. My professional recommendation is to block any and all URLs that are not specifically required for the network to function. It’s harsh but let’s face it Johnny and Suzie need to be working and not using company assets to do the useless stuff the internet has to offer. This is best done through a whitelist feature that is equipped in nearly all modern web filters. Whitelisting is great because it implicitly denies communication with all URLs that are not listed. Johnny and Suzie will be okay if they want to waste company time, they can do it with their personal smartphones on the public Wi-Fi so that excuse about morale is a poor one at best.
Firewalls are my next favorite security implement because they provide that barrier from the evils of the internet that the web filter doesn’t cover which originates from the internet. Where it can be argued web filters basically protect the LAN from outbound traffic, the firewall protects it from inbound traffic. You know; all those threat agents from China, Russia, and everywhere else on the planet that is fighting to get in and steal your customer or patient data. Firewalls are a necessity. It is important to discern that firewalls do perform some of the same tasks a web filter does so while a network could survive on just a firewall just remember that security is about layering and redundancy. That is why many firewalls come equipped with a web filter application to work in concert with the firewall. I know I mentioned corporate networks a lot but the good news is these features are also often contained within aftermarket wireless routers. My Asus has both a firewall and a web filter, in the form of parental controls I can leverage to protect my home network as well. Which, if you have small children or teenagers, you should appreciate and employ because let’s be honest the last thing on a kid’s mind is security while surfing the web.
DeCarlo, A. L. (2007, March 21). Biggest security threat? Your users. Retrieved February 16, 2017, from http://www.computerworld.com/article/2543940/networking/biggest-security-threat–your-users.html
Rouse, M. (n.d.). What is Web filter? – Definition from WhatIs.com. Retrieved February 16, 2017, from http://searchsecurity.techtarget.com/definition/Web-filter