Computer Networks Security from Scratch | Mohammad Adly | Skillshare

Computer Networks Security from Scratch

Mohammad Adly, Ph. D. Computer Networks

30 Lessons (4h 26m)
  • 1. Security Goals and Concepts (8:53)
  • 2. Securing the Network Design (10:07)
  • 3. TCP/IP Security and Tools (11:50)
  • 4. Port Scanning and Tools (11:15)
  • 5. Sniffing and Tools (10:18)
  • 6. Why Using Firewalls? (12:49)
  • 7. Firewalls Rules (10:31)
  • 8. Firewalls Filtering (8:33)
  • 9. Honeypots (6:42)
  • 10. Bypassing Firewalls and Tools (8:00)
  • 11. What is IDS? (11:16)
  • 12. Network IDS (NIDS) (6:08)
  • 13. Network IDS Challenges (8:55)
  • 14. Snort as IDS (8:20)
  • 15. IPS (7:21)
  • 16. WEP (10:40)
  • 17. WPA and AES (8:31)
  • 18. Wireless Security Misconceptions (8:39)
  • 19. Wireless Attacks and Mitigation (9:08)
  • 20. Secure Wireless Network Design (8:41)
  • 21. Physical Security Objectives (10:45)
  • 22. Physical Security Threats and Mitigation (10:50)
  • 23. Defense in Depth (DiD) (7:18)
  • 24. What is an Incident? (5:40)
  • 25. Incident Handling (13:50)
  • 26. CIA (6:10)
  • 27. Assets, Threats, and Vulnerabilities (4:10)
  • 28. Risk and Network Intrusion (5:36)
  • 29. Common Attacks (8:46)
  • 30. Security Recommendations (6:18)

About This Class

This course enables cyber security beginners and professionals to learn all about the security of computer networks. By the end of the course the student will be able to deal with firewalls, IDS, IPS, and honeypot devices. The course also covers the essential terminology used by security officers, such as risk, vulnerabilities, threats, and others.

Transcripts

1. Security Goals and Concepts: Welcome to the security goals and concepts lectures in the first security section. Let's discuss this balance between access and security. Let's imagine that someone has $10 to save. Let's imagine that this person has bought a safe that costs $1000 to keep these $10 safe, of course. He would look insane if he does so. This is the balance between access and security. This is the balance between what are the efforts you are exerting to keep your assets secure, and how much does it cost if you lose these assets. Balance between access and security should be kept in mind for every security specialist, because sometimes the security specialist makes the security very complicated so that the legitimate users themselves suffer to reach the resources they need to do their work. Sometimes the security is so much costly for the legitimate access to be done, so you must keep balance between security and access to be a good security specialist. What are the goals of the security? The goals of the security is to keep three important things: confidentiality, availability and integrity of the resources you are securing. Confidentiality, integrity, availability, CIA. It is not the American intelligence. It is the security goals. Confidentiality is keeping information and resources away from being read or being, uh, known by illegitimate users. Integrity is keeping it away from change and modification. Availability is keeping it alive, keeping it valid, keeping it there for the legitimate users to access. So when these three circles meet, the point of intersection is the point of security. The point of intersection is where security exists. The confidentiality is ensuring that information is not revealed to unauthorized persons. Data, while being transmitted or while being stored, should only be revealed to the intended audience.
This is keeping confidentiality. Integrity is ensuring consistency of data, ensuring that data has not been changed or modified either while stored or transmitted. Integrity is making it possible to detect any modification of data. Availability is ensuring that legitimate users are not denied of access to information resources, to protect from the DoS attacks, the denial of service attacks. Availability is ensuring that the service is there and the service is existing for legitimate users to access. The assets. The assets is a very important concept that we should know about as security specialists. Everything that has value for an organization or that has impact on the business continuity is an asset. People, data, hardware, software, physical devices and documents, all of these are assets for the organization, and assets differ from an organization to another. For example, a bank: the most precious assets for it is the current accounts. A hospital: the most precious assets for it is the medical records of the patients. A software house: the most precious assets are the patents and source codes. For a university, for example, teaching materials and grades of the students are the most important assets to protect and to keep safe. Assets should be identified to create an information security system. You should know what you are protecting. As a security specialist, you should know what is the most precious thing for this organization to protect. A security specialist, a good one, must be fully aware of the assets he or she is protecting inside the organization. What is a threat? A threat can be a person or a thing, or an event or an idea which poses danger to an asset. The threat is a possible breach to the following: to confidentiality, to integrity, to availability of resources, or even to the legitimate use of these resources. It's a possible means of breaching a security policy, and we will talk much more about policy in the coming sections.
It's exploiting a vulnerability, intentionally or accidentally. It's obtaining or damaging or destroying an asset. This is a threat, or possibly doing so. A threat is what we are trying to protect against. What is a vulnerability? A vulnerability is the back door, is the weakness, is the workaround, is the absence of safeguards. Holes or gaps in a security system or security program is a vulnerability. It can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a back door in our protection efforts. Exploit. An exploit is a program or script or code that is targeting a vulnerability. It aims to perform unauthorized operation. An example of an exploit is a backdoor Trojan used to grant unauthorized access to a machine. An exploit is the way or a tool by which an attacker uses a vulnerability to damage the target system. What is the risk? The risk is a measure of the cost of a realized vulnerability. It is the potential for loss or damaging or destroying an asset inside the organization. The risk is a result of a threat exploiting the vulnerability. Risks exist when our systems have a vulnerability that a given threat can attack. Security mainly deals with managing risk to your critical assets. Security, basically, is an exercise in loss reduction and risk reduction. It's impossible to eliminate risk totally. I cannot say whatever happens inside this organization, risk is zero percent. This is not existing. This is impossible, but risk is the probability of a threat crossing or touching a vulnerability. Your target is to minimize risk, to make it as minimum as possible, to diminish its effect, to minimize its existence. But you can never eliminate the risk totally. The impact. The impact is a result of an exploited vulnerability. It is the effect. The impact can be deleted files, loss of information, loss of the company image, loss of privacy of the clients, loss of any of the CIA. It is the impact. It is the effect.
It is the possible damage for the assets that are being protected. The risk assessment depends on a very well known formula. The risk is the result of the multiplication of threat times vulnerability times impact. Sometimes it is threat times vulnerability only, without multiplying impact, but we here introduced the more complete formula. The vulnerability could be the password that is vulnerable for dictionary or exhaustive key attacks, or the weak password is a vulnerability. The threat is the intruder or the attacker who is trying to guess this password, to brute force this password, to try to know what this password is. If it is weak and the threat exists, then the risk is very high. The risk: resources within the system are prone for illegal access, modification or damage by the intruder. This is the risk. If the threat is high, the vulnerability is high, the impact is high, so you have a very high risk. Sometimes you have a very high vulnerability but a low threat, so you have a low risk. Sometimes you have a very high threat, very high vulnerability, but a very low impact. Nothing will happen if this password has been guessed. So the risk here is low. Risk is high when the three parameters are high: threat, vulnerability and impact. By this, we hope that we have introduced some of the security goals and concepts. Thank you.

2. Securing the Network Design: Now let's explore together how to secure the network from the point of design, how to design a secure network from the beginning, as we can see in this design. And when we say the design, it is a point of choice. It's something that is optional. I mean that this design we are viewing right now and we are demonstrating right now is not an obligatory design. It's an example design of a secure network. Let's explore it and let's demonstrate the things that make it secure, point by point. Let's see here that we are dividing the network here into some sections.
A section that is called the Internet, a section on the left that is composed of the servers of the company or the organization that need to be protected the most, a section on the right that is called DMZ, demilitarized zone, servers. This section is a problem for every security specialist because it needs two things that seem to be contradictory. It needs to be published to the Internet, and it needs to be protected at the same time from the Internet. So this is the headache of every security specialist. This section, the DMZ section, is usually composed of the web, the mail and the DNS servers and other servers that need to be published to the Internet. Of course we can see here the router that is connecting the whole network to the Internet, and switches that are composing the local area network of the organization, and the firewall. The firewall is the only security device we have here. We do not yet understand the composition of the firewall, and we do not need this at this point. But we will view here the firewall as a security device, securing the communication between these sections. That's all, and that's enough for right now. And let's see how this firewall is protecting each of the sections from each other and protecting the whole organization from the Internet. The goals of the network design is to publish separate mail, web and DNS servers to the Internet, to allow these servers to be published and to be viewed by the Internet. These servers, to work, need to be viewed by the Internet, otherwise it will be useless, so you cannot claim that you have a mail or a web or a DNS server that is completely isolated from the Internet. Through the firewall, it should be published. And another goal is to provide appropriate access for the internal network, for your employees, for your internal servers, through the Internet, and the word appropriate here is the key word.
What is the meaning of appropriate? Appropriate means that you can access the resources of the Internet and you are not vulnerable to attacks. You are not susceptible to attacks from the wicked people over the Internet. You should protect the internal network from external attacks. External attacks can be from the Internet, and the attacks also can be internal, from other people inside your network that are accidentally, intentionally, or that are wicked enough to attack your resources over the network. Let's see here that we have divided our network into three sections. The public section, which is the Internet, which does not lie under my control as a security specialist. The Internet is the vector of all the wicked people in the world, and it is the source of all the attacks. I have the semi-public zone, the demilitarized zone, the DMZ, which contains the web server, the mail server, the DNS server and any other server that needs to be published to the Internet and at the same time to be protected from the Internet attacks. And we have the third section, which is the private internal system, which is composed of the HR servers, the R&D servers, the employees, the people working in the organization, the data, the assets of the company, the workstations, the machines that need to be connected to the Internet to surf the Internet, to send and receive email, to search the Internet on Google or something. And at the same time, it is the assets that need to be preserved and kept and protected from the Internet attacks. They need to be exposed to the Internet, but not with the same level as the DMZ servers. Your HR and R&D servers need to be connecting to the Internet as surfing or as searching the Internet, but not as servers available for the Internet, such as the web and DNS and the mail servers existing in the demilitarized zone. Let's have a look here at the placement of the firewall.
The firewall here is placed to protect the sections of the network from each other. It is placed between the internal and the other networks. Let's remember that the internal is the section at the left. The other networks are the section up, like the Internet, and the section at the right, the DMZ servers. So it is placed between the semi-public, which is the DMZ zone, and the private network, which is the HR and R&D servers. It protects from the Internet the private systems. It protects the semi-public servers from the private systems. It protects from the semi-public servers to the Internet. It protects the Internet from the semi-public servers. It protects the communication between each of these sections from the other sections. It protects the traffic from private systems to the Internet, the traffic from private systems to the semi-public servers, the traffic from semi-public servers to the Internet and the traffic from the Internet to semi-public servers. It protects each of these paths and each of these ways by inspecting the traffic going from here to there and going from here to there, from being malicious or from being traffic from an attacker. We should here know a concept that is called defense in depth. Defense in depth means that you do not put all your eggs in one basket. You do not diminish or you do not reduce all your protecting devices to one device that is called a firewall, for example. No, you should protect the firewall itself by placing a border router with an access control list. This access control list protects the firewall from the traffic coming from the Internet to the internal network. You should limit the visibility of traffic between systems if one of our systems is compromised, and this is more probable for the systems in the DMZ zone, so you should minimize the consequences as much as possible. You should not allow the compromised machine to enter your internal network.
It should be blocked by the firewall protecting the traffic coming from the DMZ to the internal network. You should minimize the consequences. You should stop the propagation effect of this attack from being propagated from one of the sections to another, and this is done mainly through the firewall. Let's have a look here at a concept, that is, the VLAN. The VLAN is dividing one physical switch into two or more virtual switches through dividing it into virtual LANs. The VLAN is composed of one or more ports inside the switch that are composing VLAN 1, and for VLAN 1 to communicate with VLAN 2, this needs a router to be inside, or really a layer 3 switch to be between them. So VLANs need some form of routing to tie them together for connectivity. This routing can be done via a router or via a layer 3 switch. VLANs can span multiple switches. One VLAN can exist on switch 1 and switch 2 and switch 3, and by the same concept switch 1 can be composed of VLAN 1, VLAN 2 and VLAN 3. Sometimes this is limited by vendor-specific switches, so all the switches need to be Cisco switches or Huawei switches to be composed or to span multiple VLANs across, and sometimes this is not a restriction. Let's have a look at this design. We have here three switches, three physical switches at the left. Each of these switches is composed of three VLANs. One is the marketing VLAN, the other is the sales VLAN, the third is the support VLAN, and at the same time, each of these VLANs exists on the three switches. So if one of the switches is compromised, the VLAN still exists on the other switches, and at the same time, each switch is composed of three VLANs. So we here divided the VLANs according to the functionality of the employees. Marketing employees need to communicate with each other much more than other employees.
So they are placed inside one VLAN, and sales employees the same way, and support is placed the same way. Each VLAN is a broadcast domain, so people that need to communicate much with each other are placed on the same VLAN, and people that need to communicate less with each other are on separate VLANs that must pass through the router to be transferred from a VLAN to another. By this, we have introduced the secure design of a network. Thank you.

3. TCP/IP Security and Tools: Now let's know about the TCP/IP security and the tools used for TCP/IP security. Let's have a look again at the header of the IP protocol. This is simply the header of the IP protocol. Let's focus on the field that is called protocol inside this header. This field can take the values either 1 or 6 or 17. If the protocol field is 1, then the protocol forming this packet is the ICMP protocol. If it is 6, then the protocol forming this packet at the upper layer is the TCP protocol. If it is 17, then the protocol forming this packet at the upper layer is the UDP protocol. So you can either have in your network 1, 6 or 17 for ICMP, TCP or UDP respectively. So you have some fields to inspect inside this header. The version field: why would you have on your network a packet that has in the version field of the IP header a number that is not equal to four, any number that is not equal to four? This means that this header is not IP version 4. Why would you have it on your network? You may think of IP version 6, but IP version 6 is a completely different version, a completely different header. So it would be a 128-bit IP address, for example. So if it is not equal to four, discard this packet. If the length field is more than five and there are no options in this header, so this length field is not representing the actual size of this packet header, so it should be discarded.
The TTL, the time to live: if it is something like ten or less, so this packet has been passing so long a time over the Internet. Why would you have such a packet on your network? It may be a lost packet. It has been alive for a long time over the Internet without reaching the destination. Maybe it is malicious. Maybe it is an attack. Again, why would you have a packet that is not TCP or UDP or ICMP according to the protocol field in the IP header? Why would you have it on your network? If it is not 1 or 6 or 17, then discard this packet from the protocol field of it. Now think stateful. Think about fragmentation. Why do we need fragmentation? Because sometimes the MTU, the maximum transmission unit, of the sending network is greater than the MTU of the receiving network. So we need to fragment the packet, to divide it into fragments so that the MTU of the receiving network is fixed and is suited to this packet. To do this fragmentation, you have two fields, the ID and the offset. Different fragments should have the same ID field. Different fragments should have a sequence of offset fields that tells the sequence of these fragments. So what if the last fragment of this packet is never sent? The router of the network receiving these packets will keep storing fragments and more fragments till it is overflowed. That's maybe what the attacker is trying to do. What if overlapping offset numbers are sent: one, then two, then four, then one again, which means that the offset numbers or the fragmentation offset numbers are not telling a sequence of fragments? This means that it wants the router to discard all the fragments it is receiving, because it will never be able to assemble once more the fragments of the original packet. About subnetting: consider who are on the same subnet with each other. One subnet is like the VLAN, and one subnet is one broadcast domain.
One subnet should convey the people talking to each other much more than people on other subnets. So consider who are on the same subnet. Do not put the attacker and the victim on the same subnet. You are making it easier for the attacker by this way. Consider doing network address translation and using private addressing. Remember that each IP address starting with the number 10, for example, is a private IP address. It cannot be published to the Internet with its value. It needs some form of network address translation that uses one real IP to communicate a group of private IP addresses to the Internet. This form of communication using the network address translation is more secure than exposing all of the IP addresses of your network to the Internet. One subnet is a broadcast domain. It is the same as a VLAN. Consider this, and consider that the attacker and the victim should not be on the same broadcast domain by any means. Now let us move to the UDP header. The UDP header is simple. It is just the source port, destination port, message length and checksum. Why would you use the UDP traffic? If you don't have either audio or video traffic in your network, why would you allow UDP to be there? Is it for the sake of the DNS? DNS can be used and can work over TCP. So is it for the sake of NTP, network time protocol, or for the BOOTP protocol? Consider this. Consider having UDP headers from the very beginning on your network. UDP traffic can cause flooding. UDP traffic can overflow your network. The UDP port is the same concept of port as the TCP. It is either a trusted port, which is less than 1024 in number, or it is an ephemeral port, which is more than 1024. Port numbers less than 1024 are for servers. Port numbers that are ephemeral, that are used more than or greater than the number 1024, are for the ordinary machines that are not servers. Look at the TCP header.
We have so many fields in the TCP header. Let's focus here on the flags of the TCP header. Let's recall here that we have FTP working on port number 21, Telnet on port number 23, SMTP port number 25, DNS port number 53, HTTP port number 80. Why would you allow traffic to talk to the HTTP server on a port that is not the port number 80, or to the DNS server on a port that is not the port number 53? Why would you allow this? Why would you allow a destination port number in a packet which is greater than 1024 to enter your DMZ zone? Remember that the DMZ zone is composed of servers. So all the port numbers there should be less than 1024. Why would you allow anyone to talk to your server with a port number that is greater than 1024? Let's remember the flags once again: the acknowledgement, the SYN, the reset, the push, the FIN, and the flags that are used in the TCP header. And let's recall that we have a three-way handshake between the client and the server at the beginning of the communication. It is started by a SYN packet, with the SYN flag put to one and the sequence number, for example, 100. The server replies with a SYN packet and ACK packet using the number 101. Remember that this acknowledgement 101 is because the SYN was used with 100. So it is the SYN plus one. And remember also that the client should acknowledge the server once more with an acknowledgment number 501. Why 501? Because the SYN synchronization number that was sent was 500. These three, I mean the three packets, are the three-way handshake at the beginning of any session between two TCP machines, and the four arrows at the bottom are the four-way handshake used for finalizing and ending, the termination of the TCP communication between two TCP machines.
It starts with FIN with a sequence number, and then acknowledgement with an acknowledgement number, then FIN from the same server with a sequence number, then acknowledgement with an acknowledgement number that equals the sequence number plus one. This is the ordinary and the normal three-way handshake and four-way handshake at the beginning and the ending of communication between two TCP machines. Why would you have SYN plus FIN? Why would you have ACK plus FIN? Why would you have SYN plus ACK without a SYN that is preceding it? Why would you have acknowledgement without SYN plus ACK? Why would you have reset with anything else? Why would you have a weird combination of flags inside your network? Why would you have a weird combination of flags that do not follow the normal combination of the three-way handshake and four-way handshake? If any of these combinations exist on your network, so this says that you have malicious traffic inside your network. Now, before ending this lecture, we would like to explore a tool that is very useful for the TCP/IP traffic, which is called the Engage Packet Builder. Let's here start with the installation of Engage Packet Builder. This Engage Packet Builder is a tool to craft some packets with the values that you like, with whatever values that you like to craft, with whatever headers that you like to set. This Engage Packet Builder is free and can be downloaded from the Internet easily, and here is how it looks like. You can see here that you can set any of the TCP flags with whatever value you like to set. You can set the source IP address, the destination IP address of the packet, the type of service field, the fragmentation fields, the protocol field, with whatever values that you like, and you can at the end send the packet with these values that you have set. It can use the TCP, the UDP, the ICMP packets.
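The header sanity checks that this lesson walks through (IP version, header length versus options, low TTL, unknown protocol number, fragment offsets that overlap or never terminate, and TCP flag combinations no handshake produces) are written out below as an added example in Python. It is not the lecturer's code and has nothing to do with the Engage Packet Builder tool; the TTL threshold, the dataclass names and the sample packets are assumptions constructed for the example. It narrows the lecture's flag list to the combinations that are genuinely invalid: FIN with ACK and RST with ACK occur in normal connections, so they are left alone, while SYN with FIN, SYN with RST, FIN with RST, an empty flags byte and FIN/PSH/URG without ACK are reported.

```python
"""Header sanity checks for IPv4, IP fragments and TCP flags (added example, not course code)."""
from dataclasses import dataclass

# Protocol numbers the lecture accepts in the IPv4 "protocol" field.
ALLOWED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# TTL at or below which a packet is flagged; the exact threshold is an assumption.
MIN_TTL = 10

# TCP flag bits, low to high, as they sit in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class IPv4Header:
    version: int
    ihl: int            # header length in 32-bit words; 5 means no options
    ttl: int
    protocol: int
    has_options: bool   # whether option bytes really follow the fixed 20-byte header


@dataclass
class Fragment:
    offset: int           # fragment offset field, in 8-byte units
    length: int           # payload bytes carried by this fragment
    more_fragments: bool  # the MF bit


def check_ip_header(h: IPv4Header) -> list[str]:
    """Reasons to discard the packet; an empty list means the header passes."""
    reasons = []
    if h.version != 4:
        reasons.append(f"version {h.version} is not IPv4")
    if h.ihl < 5:
        reasons.append(f"IHL {h.ihl} is shorter than the fixed 20-byte header")
    elif h.ihl > 5 and not h.has_options:
        reasons.append(f"IHL {h.ihl} claims options but none are present")
    if h.ttl <= MIN_TTL:
        reasons.append(f"TTL {h.ttl} is suspiciously low")
    if h.protocol not in ALLOWED_PROTOCOLS:
        reasons.append(f"protocol {h.protocol} is not ICMP, TCP or UDP")
    return reasons


def check_tcp_flags(flags: int) -> list[str]:
    """Flag combinations that no normal three-way or four-way handshake produces."""
    reasons = []
    if flags & SYN and flags & FIN:
        reasons.append("SYN and FIN together")
    if flags & SYN and flags & RST:
        reasons.append("SYN and RST together")
    if flags & FIN and flags & RST:
        reasons.append("FIN and RST together")
    if flags == 0:
        reasons.append("no flags set (NULL packet)")
    elif not flags & (SYN | ACK | RST):
        # FIN, PSH or URG only make sense on an established connection, i.e. with ACK.
        reasons.append("FIN/PSH/URG without ACK")
    return reasons


def check_fragments(frags: list[Fragment]) -> list[str]:
    """Check that fragments sharing one IP ID form a contiguous, terminated sequence."""
    if not frags:
        return ["no fragments"]
    reasons = []
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0  # byte offset where the next fragment should start
    for f in ordered:
        start = f.offset * 8
        if start < expected:
            reasons.append(f"fragment at offset {f.offset} overlaps earlier data")
        elif start > expected:
            reasons.append(f"gap before fragment at offset {f.offset}")
        expected = max(expected, start + f.length)
    if ordered[-1].more_fragments:
        reasons.append("final fragment never arrived (MF still set)")
    return reasons


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    print(check_ip_header(IPv4Header(version=4, ihl=5, ttl=64, protocol=6, has_options=False)))
    print(check_ip_header(IPv4Header(version=5, ihl=6, ttl=3, protocol=99, has_options=False)))
    print(check_tcp_flags(SYN | FIN))
    # The lecture's "one, then two, then four, then one again" offset sequence.
    print(check_fragments([Fragment(1, 8, True), Fragment(2, 8, True),
                           Fragment(4, 8, True), Fragment(1, 8, True)]))
```

Each checker returns the list of reasons rather than a boolean so that a filter or IDS rule can log why a packet was dropped; the fragment check sorts by offset first, so the lecture's out-of-order sequence is reported as an overlap and a gap regardless of arrival order.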
You can use whatever protocol to craft a packet and choose even the number of packets you want to set, or you want to send with this configuration, and send them to whatever destination IP address you would like to set. This is very helpful in understanding the TCP/IP protocol headers. Thank you.

4. Port Scanning and Tools: In this lecture, we will talk about the port scanning and the tools used in this port scanning. The port scanning is a passive way of attacking the network. When you scan for the ports, and as we know the ports and the port number is a parameter that is defined in the transport layer, in layer four, when you scan for open ports in a certain machine, so you are scanning for a back door on this machine. An open port with no reason, an open port with no service installed on it that is intended to be there, is a back door, is a vulnerability in this machine. Port scanning is an introduction to active attacks. Port scanning itself is a breach for the confidentiality. It can be used to identify the network and draw a map of this network that is not allowed for you to know about. So you can draw a map of the servers and the machines, and you can know the operating systems working on this network, the switches and routers, and can know many, many things on this network through only port scanning. You can scan the ports of each machine starting from number 1 to 65,535, and you can scan each port twice, once for TCP connections and once for UDP connections. On the market, there are several and various tools that are used for port scanning. We will here try to use the nmap, the nmap and its GUI version that is called Zenmap that works over Windows, because it is easier and more friendly in usage. We will try these both tools to scan and practice the port scanning over the network. This is an output of nmap for port scanning. Let's see what this output tells us. It says that it has scanned the machine
as having the IP address [inaudible]. It scanned the ports that are less than 1024 and scanned them for their state, either closed or open. We can see this machine is very vulnerable. It has many open ports that can be susceptible for attacks, that can be used by attackers to compromise this machine, to remotely administrate this machine, to know many, many things about this machine and copy and paste files from these machines. Whatever the attacking tool can do to this machine, it can be done through these open ports that are open for no reason: 21, 23, 25, 79, 98, 111, 113, 513, 514, 515. And for each port of them is mentioned what the service should be there. It seems that this machine is an ordinary machine that no service is supposed to be there. And despite this, we can see a number of open ports for no reason existing on this machine, which means that this machine is vulnerable, very vulnerable to many types of attacks. The attacker can use several software tools to intrude and log in and check in inside these machines through one of its open ports. The port scanning types. There are several types of port scanning. Either you can ping the machine to know the open ports. This is called the ping scan. Or you can simulate a normal connection with this machine through sending a SYN packet and receiving a SYN-ACK packet and then sending back an ACK packet. This is called the full open scan, which means that this port is fully open and vulnerable to any type of connection. It has achieved the three-way handshaking completely. Or you can use the half open scan that sends SYN packets and only receives the response. In this type of scanning, you do not need to achieve the three-way handshaking completely. You can achieve it partially, you can achieve part of it by sending SYN or ACK or FIN and receive one response. No need to receive the full response of the full open scan. So that's why it is called the half open scan type.
We need here, before completing the port scanning, to set our rule that applies on port scanning and on any tool that can be taught here in our course. The difference between a security administrator, that we aim to graduate from this course, and a hacker, that is not intended to be the aim of our course at all, is permission. You can make port scanning with permission as a security administrator, but you cannot make port scanning without permission, because at this point you are a hacker. You can sniff the network with permission, then you are a security administrator, but if you sniff the network without permission, then you are a hacker. The difference between a security administrator in action and a hacker is getting the permission. Getting the permission from the owner of the network, from the CEO of the organization, from the administrator, from the higher level, getting it published and known that you are achieving port scanning for security reasons, and you're not a hacker that is achieving or performing port scanning for attacking reasons. Port scanning can be used for the identification of an operating system. If you scan the open ports and send some packets to a certain machine and then receive the response, you can analyze the response and compare this response against the fingerprint of the responses of Windows, or the fingerprint of the responses of Linux, or the fingerprint of the responses of Mac. Then you can say, because I have sent this machine such a packet and received such a response, this machine should be Windows, this machine should be Linux, this machine should be Mac. And moreover, you can identify the version of the operating system, the servers up and running on this operating system, whether this operating system is up to date or not, patched or not.
You can develop many fingerprints for an operating system and determine a great deal of information about it just by port scanning, by sending some packets, receiving the responses and analyzing them. Nmap is a port scanning tool. It can be used on Windows and Linux. Zenmap is the GUI (graphical user interface) version of Nmap. It is easy and its interface is friendly, so it can show the output of the port scanning operation. Here we will try to install Nmap on this machine and see how it is installed. Very simple. After installation, you will find that you can give Nmap the target IP address that you want to scan, or the range of IP addresses that you want to scan, and it will show you each IP address with the open ports existing on it, each port with its state, either closed or open. Then you can form an image or an idea of how this network works and how it is operating, the types of machines, which are the server machines, which are the client machines, which are the switches on this network, and so on. Nmap stands for Network Mapper. Here it is now installing, and it is helpful that we install it together online to see the steps of the installation, the steps of the setup and the steps of running such a tool. Very easy, very simple and very friendly. It needs no experience, and it is somewhat educational in that it shows a lot of helpful output. Now the installation has ended, and we can start using Nmap. Nmap is now installed on the desktop. Here we can specify the target IP address that needs to be scanned, and here we can define the type of scan. There is more than one type of scan: it can be a ping scan, a quick scan, a quick scan plus, or any other type of scan. Here we will have the output machines, and here we will have the list of the open ports on each machine.
So this is how the output of Nmap looks. It is very easy: you just enter the IP address of the machine that you would like to scan and press Scan. Then the output starts showing here, listing the open ports on this machine. I am scanning the local machine here, and it has shown some open ports on my machine that are used for sharing and things like that.

5. Sniffing and Tools: Let's now talk about sniffing and the tools used for sniffing. Sniffing means that you are able to capture data as it is transmitted over the network. Sniffing can be used by network professionals and security officers to diagnose network issues, to identify malicious traffic, and to identify abnormal conditions that the network may be passing through. It is also used by malicious users to capture unencrypted data such as user names or any other data transmitted over the network. Once again, sniffing is like port scanning: the difference between sniffing by a legitimate user and sniffing by an attacker is the permission. The permission is the way that you identify yourself, either as a security officer or as an attacker. Sniffing is a form of passive attack. It breaches the confidentiality of the data. It does not cause direct damage to the integrity or the availability of the data, but it breaches the confidentiality. Any passive attack is always a way in, an introduction to the active attack that follows. So an attacker starts by sniffing, by port scanning, by reconnaissance of the network, and then moves to active attack by damaging, by denial of service, by destroying data or by other forms of active attacking. tcpdump is software that is free to download from the Internet. It is a very famous and well-known sniffer. It is used with the libpcap packet capture library. tcpdump has also been ported to Windows as WinDump. It is a simple protocol analyzer.
It captures the packets and says that this is a TCP packet, this is a UDP packet, this is DNS, this is SMTP. It can analyze the protocol used to send the packet. It tells you whether a DNS packet is a query from a client to resolve the name of a website into an IP address, or a name server response that sends the IP address to the client that requested the domain name. tcpdump has a command line interface. This is its drawback, and sometimes the reason some people do not use it much. You can request more packet information, more information about the sniffed packet, with the switches -v, -vv or -vvv. If you use -v, you are requesting a certain amount of information; -vv gives more types of information and more quantity of information about the packet; and -vvv says that you are requesting more and more information about the packet: information in terms of protocol, data, source IP, destination IP, source port number, destination port number and such.

Let's have a look at an output of tcpdump. In the first line we can see a packet identified by a timestamp ending in the number six, then the source host name, which is ping.net, then a greater-than sign, then the destination host name, which is myhost.com, followed by a colon, then the protocol used for this packet, which is ICMP, and its type, an echo request. This is an echo request packet sent from ping.net to myhost.com using the ICMP protocol and with the don't fragment flag set. The next packet is the reply: it says that myhost.com is sending ping.net an ICMP echo reply with the don't fragment flag. The next is log.net sending to syslog.com, log.net using port 3155 and syslog.com using port 514, and for this packet the source is log.net.
The destination is syslog.com, the protocol is UDP, and the size is 101 bytes. The last one is sent from san.net, from port 32938, to the mail host on port 25, with the SYN flag, with an initial sequence number of 248631 (sequence number 248631), with a data size of zero, and with a window value of 8760. These are the details that tcpdump can show for a certain packet: the header details of both the IP and the TCP protocols for that packet. By default tcpdump reads only the first 68 bytes. This is the default, but it can be increased: you specify the switch -s followed by the number of bytes you want tcpdump to read, which can be more than 68 bytes. You can say, for example, tcpdump -s 1500 if you want to capture the entire packet, because most TCP packets are around 1500 bytes in size. This is another example of tcpdump output. It is a complete TCP communication that starts with connection establishment (SYN, SYN-ACK, ACK), then data transfer in the box in the middle, and then connection termination (FIN, ACK, FIN, ACK). This is a sequence of communication between two machines, starting with the three-way handshake in the first box, then data transfer in the middle box, and finally connection termination by the four-way handshake in the box at the bottom.

Now we can have a look at Wireshark. Wireshark is a very well-known packet sniffer. Here is a sample of the output of Wireshark; let's analyze it together. It starts at the left with the packet number (packet number 1, 2, 3, 4 and so on), then the timestamp of the packet, the time at which the packet was captured, then the source IP address of the packet, 10.1.50.134 for example for the first packet, and the destination IP, which is 64.12.26.36, then the protocol used by this packet, and then some information about the packet.
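To make the tcpdump summary lines walked through above concrete, here is an added parser (not code from the course or from the tcpdump project) that pulls the timestamp, hosts, ports, protocol, flags, sequence number, window and DF flag out of lines shaped like those in the lecture; the sample lines are constructed to mirror the three packets discussed, and `mailhost` stands in for the garbled destination name.

```python
"""Parse tcpdump-style summary lines of the shape discussed in the lecture:
    <timestamp> <src-host>[.<port>] > <dst-host>[.<port>]: <protocol details>
Added example, not from the course or the tcpdump project. Sample lines are
constructed to mirror the lecture's ICMP, UDP (syslog) and TCP SYN packets."""
import re

SAMPLE_LINES = [
    "10:20:30.000006 ping.net > myhost.com: icmp: echo request (DF)",
    "10:20:30.000412 myhost.com > ping.net: icmp: echo reply (DF)",
    "10:20:31.100200 log.net.3155 > syslog.com.514: udp 101",
    "10:20:32.250000 san.net.32938 > mailhost.25: S 248631:248631(0) win 8760",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
TCP_RE = re.compile(r"(?P<flags>[SFRP.]+)\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s+win\s+(?P<win>\d+)")

DEFAULT_SNAPLEN = 68  # bytes tcpdump reads per packet unless -s raises it (per the lecture)


def split_host_port(endpoint):
    """'log.net.3155' -> ('log.net', 3155); 'ping.net' -> ('ping.net', None).
    The trailing dotted component is a port only when it is all digits."""
    host, sep, last = endpoint.rpartition(".")
    if sep and last.isdigit():
        return host, int(last)
    return endpoint, None


def parse_line(line):
    """Return a dict of the fields the lecture reads off each tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump summary line: %r" % line)
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    rest = m.group("rest")
    rec = {"timestamp": m.group("ts"), "src": src, "sport": sport,
           "dst": dst, "dport": dport, "df": "(DF)" in rest}
    if rest.startswith("icmp:"):
        rec["proto"] = "icmp"
        rec["icmp_type"] = rest[len("icmp:"):].replace("(DF)", "").strip()
    elif rest.startswith("udp"):
        rec["proto"] = "udp"
        rec["length"] = int(rest.split()[1])          # UDP payload length
    else:
        tcp = TCP_RE.match(rest)
        if not tcp:
            raise ValueError("unrecognised TCP details: %r" % rest)
        rec["proto"] = "tcp"
        rec["flags"] = tcp.group("flags")              # 'S' = SYN
        rec["seq"] = int(tcp.group("seq"))             # initial sequence number
        rec["length"] = int(tcp.group("len"))          # data bytes carried
        rec["win"] = int(tcp.group("win"))             # advertised window
    return rec


def exceeds_snaplen(rec, snaplen=DEFAULT_SNAPLEN):
    """True when the packet's data length alone is beyond the snapshot length,
    i.e. the capture would need 'tcpdump -s <bigger>' to hold the whole packet."""
    return rec.get("length", 0) > snaplen


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```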
Some data from inside this packet. We can see here a series of captured packets displayed by sequence number, timestamp, source, destination, protocol and some information. In the middle box you can see some of the data from the packet that can be displayed, and in the last box you can see more data. In the middle box the data are related to the layer headers: the frame, the Ethernet header and such headers. And then, at the end, in the bottom box, you can see some of the binary data of the message included inside this packet. Now we can have a look at how Wireshark is installed and how it works. We can try here to install the Wireshark software on this machine and run it together to see how simple it is and how easily it can sniff some packets from the network. The installation is very easy and very straightforward. It does not need any sort of experience, and then we can move on to the usage of Wireshark. Wireshark is free to download. Wireshark is educational, very friendly, and has a very simple GUI (graphical user interface) that can be used by anyone to sniff packets from any network. Wireshark can sniff packets among different machines and show their information: source IP, destination IP, source port, destination port number, size, and some information from the message included inside the packet. Let's keep recording the installation of this software and see how it runs on any machine that can download it. This is how the installation ends, and we can now run Wireshark. Here Wireshark is recognizing the network cards and the wireless cards inside the laptop. It may ask to download some updates; this may take time depending on the speed of the network you have. After Wireshark runs, we find here an image like this, which says that it has captured some packets, listed by time,
their source IP or domain name, destination IP or domain name, protocol and information. This is the output of Wireshark. We can use Wireshark with a filter. For example, you can apply a filter that only captures TCP packets, or that only displays DNS packets, and so on. Wireshark has so many capabilities that can be used by professionals. Thank you.

6. Why Using Firewalls?: Welcome to this section about firewalls and honeypots. Let's start by asking a question: why use a firewall? What is a firewall? The firewall is one of the most effective and most common security tools. It protects the internal network from users on the external network. The internal network could be the network of your enterprise, the network of your company, the network of your bank, and the external network is the Internet, the network of all the wicked people in the world. So you must protect your internal network from external threats, from the attacks that might arrive at your network from all over the world, from people who may intentionally or accidentally want to hack or attack or break the confidentiality, integrity or availability of your data. The firewall resides between these two networks, between the internal and the external. The firewall placement is between two or more networks to offer protection for one of them against the other. It offers protection for your internal network from the external by residing between both, by acting as a gateway that inspects all the traffic arriving at your internal network from the external network. It controls the traffic between these networks: controls by inspection, controls by allowing and denying such traffic, controls by saying that this traffic is good and can arrive at my network, and that this traffic is not good, so it is forbidden to enter my network. This type of control is an art, because it needs the firewall to be placed in a place that is a bottleneck,
that is a gate for your network, to be able to inspect and control all the traffic, not just some of it: all the traffic arriving at your internal network from the external network. The firewall is a very effective tool to prevent unauthorized access, to prevent breaking confidentiality, integrity or availability, to prevent any unauthenticated reading, writing, modification or deletion of your important data inside the network. Once again, why do you use firewalls? Let's have a look at this diagram. The firewall is at the center, and we have so many P letters in this diagram. Every P is a probability. You can see that there is a probability of indication and warning at the right side, that is, a probability of indication and warning of an attack before it arrives at the firewall. Let this indication and warning come from the border router that has, for example, an access control list and resides between the firewall and the Internet. It can indicate, it can send a warning, it can even detect the attack and negate it, and act as a wall, as something that forbids this traffic from arriving inside the network. So you have a probability of early detection, and you have another probability of early negation, for example by the border router residing between the firewall and the Internet that can detect and negate any malicious traffic from arriving at the network. When this malicious traffic bypasses the border router and arrives at the firewall, you have another probability of detection and indication. This time it is not an early detection or negation; this time it is common detection and indication by the firewall itself. If this traffic, for one reason or another, bypasses the firewall and enters your network, you have another layer of defense inside your network that resides behind the firewall. Maybe this is the personal firewall on each device,
maybe this is the antivirus residing on each device or each machine inside your network. So you have another probability of late detection and late negation. Why do we call this late? Because the traffic has already bypassed the firewall, has entered your network, and maybe has caused some damage to your machines. So this detection and this negation are late, of course. A good security officer, a good security specialist, acts as an engineer to maximize the probability of early detection and early negation, of detection and negation in general, and to minimize the probability of late detection and late negation as much as possible. It is not a very big problem that you detect or negate late, of course. The big problem is that you do not detect at all, or do not negate at all. But try to work on the side of early detection and early negation, of detection and negation in general, and try to minimize the cases where you detect and negate late, where you depend on the host defense, the host firewall and the host antivirus, to detect and negate the attacks arriving at your network. The benefits of the firewall are many, because the firewall protects internal and external systems from attack. The internal systems are the internal servers you have; the external systems are the servers you have that need to be published over the Internet. Remember, we have the web server, the mail server and the DNS server, which need to be protected and at the same time need to be exposed to the Internet to perform their function, because a DNS server needs to receive queries and send responses, so it should be exposed to the Internet. The firewall filters communication based on content. It says that this packet is okay and can pass, and that this packet is not okay so it cannot pass. This type of filtering is based on the content, and here by content we mean the header and the body of the packet itself.
Based on the header you can filter some communications; based on the body of the packets you can filter some other communications. In all cases, the firewall should be able to detect and read the packet down to the required level to filter the communication based on the content residing in it, either the header or the body. The firewall can perform NAT, network address translation, by itself. It can act as the intermediate device between the internal network and the external Internet: the device between the private IP addresses, starting with 10. for example, inside your internal network, and the external Internet, on which you must be represented through one real IP address. Some firewalls can perform this network address translation. Network address translation by itself is a means of protection, a means of security. It can prevent direct communication between external machines on the Internet and internal machines on your network. This is a form of protection that by itself saves a lot of effort, by not letting the attacker communicate directly with your machine. The firewall has another very good feature: logging. Logging means recording, writing every packet that it has denied into its log file, which aids in intrusion detection, which helps to learn who the attacker is through the source IP address of the denied packet, and how he is attacking my network through, for example, the port number of the denied packet. This logging is very helpful in forensics, in going to court and saying that this man, this attacker or this network is trying to breach the confidentiality, integrity or availability of my network. So it is very helpful in finding evidence, in recording evidence, in detecting the attackers, and in asking the authorities for help in defending against them.
There are some shortcomings of firewalls, and we insist on mentioning them because some security specialists think that the firewall is everything: once you have placed the firewall, you are protected. This is not true. The firewall is never everything, and there is not a single technique in security that is everything. Everything means everything: it means that you use all the possible techniques, encryption, passwords, antiviruses, firewalls, IDSs, IPSs, every possible technique for protection, to protect your network and to protect your machines. So there are some shortcomings of firewalls. Attacks at the application layer, at layer 7, or at layers 5 and 6, may sneak through, because the firewall cannot detect the attacks inside the content body of the packet. If I apply a rule on the firewall so that it inspects every bit and byte in the packet, it would lead to very slow network performance, because every packet that arrives needs to be fully inspected before passing inside the network. This would lead to a very slow network, and that is something I do not want. So the alternative is to let the firewall inspect only the header; that would be fine and leads to a fast network and, at the same time, a protected network. Some connections may bypass the firewall, like the connection from the telephone line, the virtual private network (VPN) connections, or the connections from my extranet. These connections bypass the firewall, and the firewall rules are not applied to them. Some organizations may let down their guard in other security areas, such as using passwords, patches and encryption. They let down their guard because they think the firewall is enough. The firewall is there, it is expensive, it is working, it says that everything is good, so it is enough: so we can use weak passwords, we do not need to patch our systems, we do not need to
apply encryption algorithms. This is not true. If you apply such techniques, like strong passwords, patching and updating the operating systems of the machines, and using encryption whenever possible, you will have better security and much better traffic inside your network than what the firewall alone would give you. Where to place the firewall? We have seen in a previous lecture a placement of a single firewall between the internal network, the demilitarized zone and the external network, which is the Internet. Here we can see another example of firewall placement: you can place two firewalls, one between the Internet and the demilitarized zone, where your web server resides, and another between the demilitarized zone and your internal network, where your data and your precious servers reside. So you can have two firewalls acting as two layers of protection, two layers of filtering for the communications between the Internet, where all the evil eyes are, and your internal network, where all the precious things, all the data, all your employees and all the things that you care for reside. You now have two layers of protection, two layers of inspection for the traffic arriving from the Internet at your internal network. One of them filters the communications arriving at your demilitarized zone according to some rules; the other filters the communications arriving from the Internet and from the demilitarized zone into your internal network according to other rules. This leads to some form of security for your internal network from external attacks. Thank you.

7. Firewalls Rules: Hello, and let's talk here about the rules of firewalls and how they work. What do we mean by a rule in a firewall? A rule is a line that specifies for the firewall what to do with a packet,
what decision the firewall should take for an inspected packet or an inspected series of packets in the traffic. The firewall, once established and placed inside a network, needs to know what to allow and what to prevent, what type of traffic is good and what type is not good, what is wanted and what is unwanted. Not every kind of traffic is good for good. Not every kind of traffic is good here and good there. What might be good for a certain network might be bad for another; what might be bad for a certain network might be allowed on another. There is no good traffic for good, and there is no bad traffic for good. Every organization and every security specialist responsible for the firewall should determine what is good and what is bad for his network, according to the assets, according to the threats, according to the vulnerabilities, and according to the function of the organization, whether it is education, training, a financial organization, the military, or something belonging to a security authority. Let's say that the firewall rule controls the decision of the firewall on inspected traffic: either to accept this traffic or to reject it, to allow it inside my network or to ban it from my network. The rules also control what happens when a packet does not match an existing rule. This is exactly the default rule. By default the firewall is either accepting traffic or rejecting traffic. If by default it accepts all traffic, then you should specify, through the rules configuring this firewall, what traffic to reject, and vice versa: if it rejects all traffic, then you should specify through the rules of your firewall what traffic to accept. If you choose your default rule to be deny, then your firewall will be more restrictive, more cautious and more sensitive to any traffic. It will prevent all traffic from entering your network and allow only the traffic that matches the rules below,
that is, the rules configuring this firewall. If you choose allow as the default rule, then you will be more permissive, more flexible: your firewall will accept all traffic except what matches the rules that say which packets and which traffic to reject. The default rule and its choice are very important. Why? Because the effect of the default rule is very strong and very obvious on your security posture. If you choose default deny, this helps protect against previously unknown attacks or vulnerabilities. What does this mean? There are some types of attacks that are called zero-day attacks or zero-day vulnerabilities: attacks that appeared today, that were invented today, that are striking the world today. So as security officers we do not know exactly the nature and the type of this attack, or what criteria we should put inside the configuration of the firewall to protect from it. So if you choose your firewall to deny any traffic by default, this would be very helpful against zero-day attacks and zero-day vulnerabilities; you would be safe from this point of view. But it is not a golden rule to be default allow, and it is not a golden rule to be default deny. Why? I can advise you to make your default rule allow if your organization is an educational or training organization, because it needs to be flexible. Students inside the organization need to be exposed to the traffic to all the websites, to all the world on the Internet, and need to be restricted only from some things that are 100% evil, 100% unwanted. If your organization is a security authority or a bank, then every attack would be of great damage, of great danger, so you would prefer your default rule to be
default deny, to be protected from any unknown attack, from zero-day attacks and vulnerabilities, and to allow only what is good by 100%, to allow only what you are sure would not cause any damage, because any strike or any damage may be of great harm and of great impact on your network. Let's have an example of firewall rules. Here is a simple example written in C code, or in code like the programming language called C; you do not need to know C or Java or any programming language to understand it. It is very simple. It says that if the source IP equals 163.1.2.125 and the destination IP equals 163.1.1.112 (these are inspected inside the header of the packet, in addition to the source port and destination port), and if the source port equals 2050 and the destination port equals 80, then accept this packet. So the firewall would now have a rule saying that if the source IP equals so and so, the destination IP equals so and so, the source port equals so and so and the destination port equals so and so, then you can accept this packet and allow it to enter from your external network to your internal network. Another rule might contradict this: it might say that if the source IP equals so and so, the destination IP equals so and so, the source port equals so and so and the destination port equals so and so, then reject this packet and do not allow it to enter from your external network to your internal network. These are two examples; of course, they are not on the same firewall: either this one or that one would exist on the firewall. These are two examples of firewall rules to demonstrate what a rule means. It is a condition and an action, a criterion and a decision: if so and so, then take such a decision; if so and so, then take the other decision. Let's say here that the action of the firewall is responsible for two types of traffic:
the ingress traffic, which is the traffic that is entering your network, called the incoming traffic, the traffic entering your network from the Internet. This traffic may contain malicious, evil and unwanted packets. So you are responsible for allowing in onto the protected network only addresses that do not belong to the protected network or to a reserved range. This means that it is illogical to allow a packet coming from the Internet that has a source IP belonging to your protected network. How come? Is it coming from outside or from inside? If it is coming from outside, why does it have a source IP address belonging to the range of my protected network? It must be malicious; it must be something fake, something unreal and something suspicious that should be banned from the network, that should be kept out of our network, and the firewall should be configured to reject it. The egress traffic is the outgoing traffic, and some security officers fall into a very big mistake. A security officer says to himself that he is responsible only for the ingress traffic, which is more important. No: the egress traffic is as important as the ingress. They are equally important. You are responsible as a security officer for protecting others from the intentional or accidental attacks that are happening inside your network and may affect the outside of your network. You should also protect your machines from the traffic generated by them going to the outside of the network. It could be claimed that your machines are in fact generating unwanted traffic, flooding the network with unwanted traffic, and it could be said that you are infected by a virus or a worm. So for the egress or outgoing traffic, you can say that only addresses that belong to the protected network are allowed out onto the Internet.
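The condition-plus-action rules, the default rule, and the ingress and egress address checks described in this lesson fit together as in the following added example, which is not the course's own code and not any real firewall's syntax; the protected range, the port list for the DMZ servers (25/tcp mail, 80/tcp web, 53 tcp and udp DNS) and the sample packets are constructed, and the lecture's own example rule is included as the first entry.

```python
"""Firewall rule evaluation with a default policy and the ingress/egress
address checks from the lecture. Added example, not the course's code and not
the syntax of any real firewall. Protected range and sample packets are constructed."""
import ipaddress

PROTECTED_NET = ipaddress.ip_network("172.16.0.0/16")   # constructed internal range

# A rule is a condition (fields that must match) plus an action. None means "any".
RULES = [
    # the lecture's example rule: specific hosts and ports, then accept
    {"src": "163.1.2.125", "dst": "163.1.1.112", "proto": "tcp",
     "sport": 2050, "dport": 80, "action": "accept"},
    # managed access into the demilitarized zone
    {"proto": "tcp", "dport": 25, "action": "accept"},   # mail servers
    {"proto": "tcp", "dport": 80, "action": "accept"},   # web server
    {"proto": "tcp", "dport": 53, "action": "accept"},   # DNS over TCP
    {"proto": "udp", "dport": 53, "action": "accept"},   # DNS over UDP
]


def packet(src, sport, dst, dport, proto):
    """Header fields the rules inspect (constructed packet, not a real capture)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def matches(rule, pkt):
    """Condition check: every field set in the rule must equal the packet's field."""
    for field in ("src", "dst", "proto", "sport", "dport"):
        if rule.get(field) is not None and rule[field] != pkt[field]:
            return False
    return True


def anti_spoof(direction, pkt):
    """Ingress: the source must NOT be inside the protected net.
    Egress: the source MUST be inside it. Returns a rejection reason or None."""
    inside = ipaddress.ip_address(pkt["src"]) in PROTECTED_NET
    if direction == "ingress" and inside:
        return "reject: internal source address arriving from outside"
    if direction == "egress" and not inside:
        return "reject: foreign source address leaving the network"
    return None


def decide(pkt, direction, rules=RULES, default="deny"):
    """Address sanity check first, then first matching rule, else the default rule."""
    reason = anti_spoof(direction, pkt)
    if reason:
        return reason
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default


if __name__ == "__main__":
    samples = [
        ("ingress", packet("198.51.100.7", 40000, "172.16.5.10", 25, "tcp")),
        ("ingress", packet("198.51.100.7", 40001, "172.16.5.10", 22, "tcp")),
        ("ingress", packet("172.16.1.1", 40002, "172.16.5.10", 80, "tcp")),
        ("egress", packet("172.16.1.20", 50000, "203.0.113.5", 53, "udp")),
        ("egress", packet("10.0.0.5", 50001, "203.0.113.5", 80, "tcp")),
    ]
    for direction, pkt in samples:
        print(direction, pkt["src"], "->", pkt["dst"], pkt["dport"], ":",
              "default deny =", decide(pkt, direction),
              "| default allow =", decide(pkt, direction, default="allow"))
```

With default deny, unknown services such as 22/tcp are stopped even when no rule names them; with default allow they pass, which is the trade-off the lecture draws between a bank and a training organization.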
It makes no sense to say: I will allow this packet to go out from my network to the Internet while its source IP does not belong to my range. Why would you allow this? You may cause some damage, some problem, to the outside of the network. Or you may think that your inside machines are infected and are generating fake packets, fake traffic and unwanted traffic, so you need to clean them, or you need to think again about the security posture of your network. This is how the firewall is in action and how the firewall acts inside your network to protect the inside network from outside attackers and the outside network from inside attacks. Let's have a look at the managed access. If we have a network composed of my protected network and the Internet, you should think of allowing only connections on port 25 of type TCP to your mail servers; allowing only connections of type TCP with port number 80 as the destination port to your web server; and allowing connections, either TCP or UDP, on port number 53 to your DNS server. These are the only connections allowed into your demilitarized zone. Other connections can be banned, denied and rejected by the firewall if inspected arriving from the Internet at your protected network. Thank you.

8. Firewalls Filtering: Now let's talk about the filtering of firewalls, and classifying firewalls according to their filtering types. The packet filter firewall is the first type of firewall we are going to explain. This type of firewall is a low-end firewall. It is not very secure; it does not offer the maximum security, but it offers the maximum speed. It is very fast. It can enhance the security, it can make it better, because it relies on the destination port in taking the decision about the traffic and filtering it.
As you can see in the diagram, the firewall investigates the UDP destination port field, which is the field that contains the destination port number of this UDP packet, and according to the value of this field the firewall decides whether to accept this packet or reject it, whether to allow it into your network or to ban it from your network. So this type of firewall checks only the header, only some fields: the source IP, destination IP, source port number and destination port number, and it takes the decision whether to accept or reject the packet according to these fields only. So the data content inside this packet passes unchecked. The data content may contain malicious code; it may be dangerous, it may be unwanted traffic. So this type of firewall is susceptible to the types of attacks that depend on the content, because the content passes unchecked. Let's also have a look at the NAT firewall, the network address translation firewall. This diagram describes how NAT, network address translation, happens. In the middle we have the NAT device. This device faces the Internet with an interface card that has the real IP address 128.38.1.1, and it has another NIC, or network interface card, with a virtual IP address, which is 172.16.1.1. Now this device has two faces: one with a real IP facing the Internet, and another with a virtual IP facing the intranet. This intranet is your internal network, and it is filled with virtual IP addresses, with IP addresses that are not real. The machines having the IP addresses 172.16.1.10, 20, 30 or 40 are your machines inside your network. All of these machines are seen by the Internet as machines having the IP address 128.38.1.1. What is the advantage of this? Any machine on the Internet would not be able to
Have direct access to any off the internal machines with 1 70 to about 16.1 dot 10. Because this netting hides the internal network to be access directly from any machine on the Internet, this not device acts as if our world it provides a single address outside are protected network, so it protects your internal letter from any direct communication that could be malicious. Then a device can contain a far wall with certain rules to allow some types of communication and toe Ben and toe reject other types of communications to be done or to be communicated with your internal machines. This is the other type off fire wards, so we have packet filtering far rules that firewalls, and we have the third type that its proxy firewalls proxy far olds maintained complete TCP Connection State and sequencing through two connections. The proxy Far Wall makes the connection itself so the destination server and makes another separate connection to the user inside your internal network. So it makes two separate communications. And in between these two separate communications, it investigates the traffic. Arriving from the outside network, toe the inside better through a process table that manages to keep the connections the street that gives the U other the feelings that that he is connecting to the Internet directly through this process table, we have the opportunity to inspect every single bit and byte in the arriving traffic to this firewalled and to take decision either to accept this packet, either toe allow this traffic or to reject this traffic. This proxy firewall is the most secure form off the far ruled, but it has the disadvantage off slower performance because it inspects every single packet and every single field inside this packet to take the decision either toe allow or toe reject. We had the two extremes that packet filtering far rules, which is very fast but low performance. The proxy firewall, which is very slow but high performance. 
We can have something intermediate, which is called stateful inspection. It inspects traffic by group of packets, not by each single packet. It inspects packets maybe five by five or ten by ten. It has dedicated proxies actually running the protocol, so the user machine inside your internal network is not in direct communication with the server on the Internet. So this stateful inspection cannot be fooled by using an unexpected destination port. It cannot be fooled by one malicious packet or a series of malicious packets. So stateful inspection in the firewall allows it to detect an attack that is composed of a series of packets. An attack that is composed of a series of packets can pass through the packet filtering firewall, because each packet in the series is good in itself, but by stateful inspection you can discover that this packet, in addition to the following one, in addition to the following one, are forming an attack. Stateful inspection cannot be fooled by such a type of attack. Stateful inspection provides a balance between packet filtering and proxies. It is not so slow and it is not so fast; it is not so poor in protection and it is not the best in protection, but it gives acceptable performance and is a good choice in most cases. We also have here the personal firewalls, the firewalls that are not separating two networks but are set up on your machine, a Windows or UNIX machine, to protect your machine from the network it is connected to, from the traffic arriving at it from the network. The personal firewall can be just packet filtering, like the iptables commands on Linux, and can be a stateful firewall on UNIX, like Linux Netfilter, IPF, and OpenBSD PF. The personal firewall can be the Windows Firewall built into any Windows machine right now, and can also be an application control firewall designed by a third-party program, such as ZoneAlarm or any other program.
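The difference between judging each packet alone and judging it against connection state, shown with a constructed series of packets. This is an added example, not code from the course. The stateless side uses a common header-only rule (a packet carrying the ACK flag is treated as part of an established connection); the stateful side keeps a connection table, accepts inbound packets only for connections it saw the inside host open or that arrive as a fresh SYN to the one published service, and counts unsolicited packets per source so that a series of individually harmless-looking packets is noticed. The addresses, the DMZ web address, the threshold and the time window are assumptions for the demo.

```python
"""Stateful inspection versus a stateless filter (added example, not the course's code).

The stateless filter judges every packet by its own header. The stateful inspector
keeps a table of connections it has seen open and judges each packet in context, so a
packet to an unexpected port, and a series of such packets, are caught. Addresses,
ports, threshold and window are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

INSIDE_NET_PREFIX = "172.16."    # constructed protected range
DMZ_WEB = ("172.16.1.80", 80)    # the one service published to the Internet (assumption)
SCAN_THRESHOLD = 4               # unsolicited packets to distinct ports (assumption)
WINDOW_SECONDS = 10.0


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN"}


def is_inside(ip):
    return ip.startswith(INSIDE_NET_PREFIX)


def stateless_filter(pkt):
    """Header-only rule set: allow anything from inside, allow a SYN to the DMZ web
    port, allow anything that looks like a reply (ACK set), deny the rest."""
    if is_inside(pkt.src):
        return "allow"
    if (pkt.dst, pkt.dport) == DMZ_WEB and "SYN" in pkt.flags:
        return "allow"
    if "ACK" in pkt.flags:
        return "allow"      # the weak assumption: ACK alone proves nothing
    return "deny"


class StatefulInspector:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) of known connections
        self.table = set()
        # src -> [(ts, dport)] of unsolicited packets, for series detection
        self.unsolicited = defaultdict(list)

    def inspect(self, pkt):
        """Return "allow", "deny" or "deny+scan-alert"."""
        if is_inside(pkt.src):
            if "SYN" in pkt.flags:      # inside host opens a connection: remember it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport) == DMZ_WEB and pkt.flags == frozenset({"SYN"}):
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"              # genuinely part of a connection we know
        # Unsolicited packet: deny it, then look at the series from this source.
        hist = self.unsolicited[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        recent_ports = {port for ts, port in hist if pkt.ts - ts <= WINDOW_SECONDS}
        if len(recent_ports) >= SCAN_THRESHOLD:
            return "deny+scan-alert"
        return "deny"


def demo():
    """Run one constructed series through both filters; return both verdict lists."""
    outside, inside = "203.0.113.7", "172.16.1.10"
    series = [
        Packet(0.0, inside, outside, 40000, 443, frozenset({"SYN"})),       # inside opens
        Packet(0.1, outside, inside, 443, 40000, frozenset({"SYN", "ACK"})),  # real reply
    ]
    # Five bare-ACK packets to five different inside ports: each alone looks like a reply.
    series += [Packet(1.0 + i, outside, inside, 55555, port, frozenset({"ACK"}))
               for i, port in enumerate((22, 23, 25, 110, 143))]
    stateless = [stateless_filter(p) for p in series]
    inspector = StatefulInspector()
    stateful = [inspector.inspect(p) for p in series]
    return stateless, stateful
```

The stateless list is all "allow": every packet in the series is acceptable by itself. The stateful list allows the real reply because it matches a connection opened from inside, denies each unsolicited packet, and from the fourth distinct port onwards raises the series alert.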
Or any other third-party company that has built or designed a firewall to be installed and set up on the user machine to protect it from any malicious network connection. To summarize the firewalls: a firewall can be a primary intrusion detection sensor. It can be your primary and first wall of defense. Firewalls provide a mix of capabilities to meet requirements. You can use packet filters sometimes, stateful inspection at other times, application gateways at other times, proxy firewalls at maybe your border network and packet filters inside your internal network, or, on the contrary, use packet filters on the border and proxy inspection at the inside network. You can use a mixture of the capabilities of the firewalls, and detect and design the security required by each of the firewalls installed on your network. Thank you.

9. Honeypots: The honeypots. The honeypot is an advanced concept in the world of security that we need to know about. What is a honeypot? A honeypot is a trap; it is a decoy machine; it is something unreal that is made inside your network to attract attackers. The goal of the presence of a honeypot is to know more about the attacker: his identity, his way of attacking, to get some more evidence from him, to get some more forensics about him, and to be able to know him and consequently to be able to protect yourself in a better way from him. The honeypot can be host-type or network-type. For example, you can set a host inside your network to be a honeypot by running real services on a sacrificial computer, or simulated, instrumented services. For example, you can run a web server on a computer that does not really contain web pages or HTML content, which means that it is a fake web server with empty content. Why do you do so? To attract attackers targeting your real web server to this server, and then to know more about them: how they are attacking, their IP addresses, the malicious software they are using, their techniques of attack, and to get evidence and forensics against them, to be able to face them in court, for example, and to be able to know more and configure your defense devices to be more defensive against them. The honeypot can be a network-type trap, a full network of fake machines that the intruder thinks is a vulnerable organization, not only a machine: a vulnerable organization containing a fake web server, DNS server, mail server and other machines. Some of the honeypot software or systems can do so; they can convince the attacker that he has found a vulnerable organization and keep him attacking and keep collecting information about him. Then he would fall into this trap, to be faced with his cyber crimes and the attacks he is trying to do. Once more, the honeypot is a decoy. If a real machine becomes hot, or becomes a very hot target for attackers, becomes attacked so many times per day or per week, you can think of changing the IP address and the domain name of this real machine and putting in a honeypot instead: putting in a fake machine offering the same service but with no content, for example a web server or something like this. So you have protected your real machine by changing its IP address and name, and you have attracted the attacker to know more about this malicious software or this person trying to attack your network through this decoy machine, through this honeypot you have set up. DNS, mail servers and web servers make great honeypots on their unused ports. How can you do so? You can monitor the unused ports of the web server. The port numbers other than port number 80 can be monitored for persons who are trying to contact this web server on port number 20 or 21, for example.
You can know more about these attackers, and why they are attacking this machine specifically on a port number that has no service instrumented on it, that has no real service on this port, and you can know their IP and their way of attacking, and then you can build a defensive system that is more efficient in facing them. Why use the honeypot? The firewall, properly configured, stops any type of attack trying to attack a machine on a port number that is not supposed to be active, but you cannot learn anything about the attacker this way. So you can use the honeypot to attract the attacker, to know more information about him, which might be fruitful and beneficial to build a better defensive system against his attacks. Why use honeypots? If you have mail servers or web servers or DNS servers that attract most of the fire on the Internet, you can have their unused ports instrumented, as we have said. The end result could be to slow down the pace of the attacker and increase the arrests of the attacker. The honeypot is an advanced technique, and this is a very important sentence, a very important thing to keep in mind: the honeypot is an advanced technique. Either you set up a honeypot and you are 100% sure that it is fruitful and beneficial, or you give up the idea and do not set up this honeypot at all. Do everything else before setting up the honeypot: establish a correctly configured firewall, use encryption, use passwords, patch your systems, upgrade your operating systems, and do everything else. The best way to capture new worms for analysis is using a honeypot. You have the risk of having attackers use the honeypot if they break the controls. The honeypot is supposed to be a weak machine to attract attackers, so think of the risk you are taking when setting up a honeypot.
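The "instrument an unused port" idea above, as a minimal sensor. This is an added example, not code from the course or from any of the honeypot products it names. The listener serves nothing: it accepts a connection on a port that has no real service, records the peer address, the time, the port and the first bytes sent, and closes. The demo connects to it locally with a constructed probe; port 0 (let the OS pick a free port) and the loopback address are choices for the offline run, not something the lecture prescribes.

```python
"""Unused-port honeypot sensor (added example, not the course's code).

A decoy port answers nothing; it only records who connected, when, to which port, and
what they sent first. The demo client and its probe string are constructed.
"""
import socket
import time


def open_sensor(port=0, host="127.0.0.1"):
    """Listen on an otherwise unused port. port=0 lets the OS choose a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    return srv


def record_one(srv, timeout=2.0, max_bytes=64):
    """Accept a single connection and return an evidence record (a dict).
    Nothing is sent back: there is no real service behind a decoy port."""
    srv.settimeout(timeout)
    conn, (peer_ip, peer_port) = srv.accept()
    conn.settimeout(0.5)
    try:
        probe = conn.recv(max_bytes)      # only the first bytes, enough to see intent
    except socket.timeout:
        probe = b""
    finally:
        conn.close()
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": srv.getsockname()[1],
        "first_bytes": probe,
    }


def demo():
    """A constructed client contacts the sensor; the captured record is returned."""
    srv = open_sensor()
    port = srv.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(b"USER anonymous\r\n")   # constructed probe, an FTP-style greeting
    rec = record_one(srv)
    client.close()
    srv.close()
    return rec
```

In a real deployment the records would go to the same log pipeline as the firewall alerts; the sensor itself must stay this dumb, since anything it executes on behalf of the visitor becomes the control the lecture warns about.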
If it is not 100% safe, give up the idea and think of something else as a defensive technique other than the honeypot. Some of the well-known honeypots, or honeypot products over history, have been the Deception Toolkit, the Symantec Decoy Server (previously named ManTrap), the Honeynet, and Honeyd. These were some software packages intended to be honeypots, installed on systems and sometimes installed on a full network, to convince the attacker that there is a vulnerable machine or a vulnerable network: here, come and try your attacking techniques; and then you can collect evidence and know more about his attacking techniques. Thank you.

10. Bypassing Firewalls and Tools: Now let's know something about bypassing the firewalls, and explore the Windows Firewall existing on each Windows machine, how it can be configured and how it works. The peer-to-peer file sharing programs, the programs that are called torrents and programs like these, may introduce security weaknesses inside your machine. They are a hole in the firewall, because they are sometimes dynamic in using their port number, so the firewall cannot catch every traffic coming out from them or coming to them. They can change the port number they are communicating on, and at the same time they can transfer data from a machine inside the network to the Internet, to another machine on the Internet. These programs can transfer any type of file: PDF files, MP3 files, MP4 files, audio files, video files, any type of file that exists on your hard disk inside the network, to the Internet. So you are giving away network information; you are giving away data from your machine to other machines. Sometimes you say to yourself, I am giving away the data I want to give away. This is not always correct.
Sometimes such programs give away information accidentally that you did not mean to give away. These programs are most of the time a security drawback or a security hole inside your network; they are sometimes not good for the security posture of your defense systems, and they are a problem your firewall is facing all the time. So you are establishing a firewall, configuring the firewall, and at the same time undermining it with such programs for file sharing, to share songs and movies and maybe PDF files or something like this. Anyhow, there is nothing that is good for all, and there is nothing that is evil for all. If you need these programs, if you are aware of the type of ports and the mechanisms they are using, and you trust them for the way they work, then welcome, you can use them. If it is not required that you transfer files in such a way, then take care that these programs may bypass your firewall and may be a security hole inside your organization. The modems: take care of something. As a security officer, the more restrictive the site firewall policy, the more likely employees will use modems. They will feel the firewall is fighting them; they will feel the firewall is standing between them and the Internet, forbidding or preventing them from accessing so many websites that they need to do their work. So the more restrictive you are, the slower your network is, the more likely your employees will use the USB modem, the USB modem to contact their Internet service providers, to be connected to the Internet through their ISPs without passing through your firewall, to get more speed, maybe to access more programs, maybe. So let's remember once again the balance between access and security. If you are restrictive, very restrictive, then it is more likely that your employees use these modems.
If you achieve the balance, then it is less likely that your employees think of using these USB modems. Let's have now a look at the Windows Firewall. This is how the Windows Firewall looks. Let's see the configuration of the Windows Firewall and see here that you have some inbound rules for the incoming traffic and some outbound rules for the outgoing traffic. Let's see here what types of programs can send data from your machine, and here what types of programs your machine can receive data from. You can, at any point of time, configure a new rule for a program, or a port number, or a predefined rule, or a custom rule, and then think of the type of rule that you are trying to configure. For example, if it is a port, is it a TCP port or a UDP port? What is the type of port you want to configure the rule for? Then you configure it: what is the action that you want to be taken, what is the profile that you will give to this rule, and what is the name that you will give to this rule to be added to the rules of the Windows Firewall. These are the rules that the Windows Firewall is using on my machine here. These are the rules that the Windows Firewall is applying to control the traffic coming out from my machine and arriving at my machine. If you double-click on any of these rules, you will get more information about the type of rule, the name, a brief description of how the rule works, what type of connection it allows, the port numbers, and the type of control it is applying on your machine at a certain point of time. You can turn on or turn off your Windows Firewall. If you turn off your Windows Firewall, you should be aware that your machine is now fully exposed to the Internet.
Any type of communication can take place between machines on the Internet and your machine, and then you are exposed to so many attackers on the Internet that can attack your machine. It is always advised that you turn on your Windows Firewall. It is always advised that you keep these radio buttons on. Never turn off your Windows Firewall, and it is mentioned here that it is not recommended, unless you are completely aware of what you are trying to do. You can also use some third-party programs to install more firewalls on your machine, just like ZoneAlarm or any third-party software that can act as a personal firewall on your machine. You can explore the monitoring that your firewall is executing right now. You can explore the connection security rules. You can filter your rules, inbound and outbound, either by profile or by state or by group. You will have a lot of rules, as you can see on your Windows Firewall. You do not need to understand every rule, but generally I think by now you have a brief idea, a broad idea, about these rules, and you can take your time to explore them line by line and ask yourself: why is this rule here? What is it doing? What do I gain from it? Is it necessary? Do I have to enable it, or do I need to disable it for some time? Thank you.

11. What is IDS?: Welcome to the Intrusion Detection and Intrusion Prevention section. Let's start by defining what an IDS, an intrusion detection system, is. What is intrusion detection? Intrusion detection can be host-based or network-based. Host-based is named HIDS, host-based intrusion detection system, which means intrusion detection on the host level, detecting the intrusion that may happen at the machine level, at the operating system level. Network-based is detecting the intrusion on the network level, on the traffic level, and that is what we are concerned about.
The intrusion detection system reports attacks against monitored systems or networks. And here let us focus on the word reports: it does not defend, it does not take action; it just reports the attacks by generating alerts about the monitored systems, which can be hosts, machines, servers, and networks composed of several machines and of connecting devices, switches, routers and such things. The intrusion detection system is an alarm system. It reports, produces and generates alerts. It is a mature technology that has significant utilization. It is an advanced technology that has recently been invading and spreading all over the world of cyber security. The IDS is not a replacement for the following. It is not a replacement for the firewall. It is not a replacement for strong security policies inside an organization. It is not a replacement for system hardening through upgrading the operating system and patching it with the updates produced on the websites and servers dedicated for such a purpose. It is not a replacement for other defense-in-depth techniques; it is part of the defense in depth, but not a replacement for the defense-in-depth techniques. It is not a low-maintenance tool. It requires trained analysts; it requires technicians and security engineers who take care of the alerts being generated and act accordingly. It is not an inexpensive tool. It is expensive: expensive in terms of maintenance, in terms of taking care of it, and sometimes in terms of price if it is an appliance. It is an expensive and advanced technology that you should think about before placing it in your system security. It is not a sort of silver bullet. It is not a replacement for all other techniques, and nothing in security is a replacement for another thing. You should apply the IDS, apply the firewall, apply strong policies, apply system hardening, timely patch your systems, and all in all, focus on building a defense-in-depth technique to be safe and to feel secure in the cyber world. Let's move to the IDS in action. Let's suppose that an attacker used Nmap or a similar scanner to scan a host for open ports. And let's recall here that an open port for no reason is a vulnerability inside the system. If the attacker manages to scan and find the open ports, the victim may use Wireshark, the sniffer we have talked about before, to log the attacker's activity and the attacker's IP address. This is something that we need to know about the attacker. The IDS tool used, which is here Wireshark, presents data to another to take action. It is just a data presenter; it is just an alarm system, just something that says that so-and-so happened at seven or eight o'clock or something like this. It says that the attacker whose IP address is so-and-so has hit your system at time so-and-so, which means that you should act according to this alert; you should harden your system according to this alert. Alerts can be helpful to stop further advance of the attackers and to log some forensics against the attacker, to know more about the attacker and to act accordingly. The types of alerts: alerts are generated from events of interest. Let's imagine here that the life of a security specialist is filled with reading events: events that are good, and events that say something has gone wrong; events that say it is okay, and events that say something is not okay. So among the events that are generated from the antivirus, from the IDS, from the firewall, from these several security devices, we are looking for some events of interest, some events that say we should take action, we should take care of this event. This event is interesting and needs an intervention from our side; not an intrusion, not the bad intrusion of attackers, but it needs to be addressed by our side.
Rules specify which events generate alerts, of course. The smart rules that you apply to the IDS say what alerts should be generated according to what events, and we have several types of alerts. We have several types of alerts that can be generated and can be classified according to the importance and the priority of such an event. So you specify rules; you set rules that say: if this event happens, send me an alert, show me an alert; and if this event happens, it does not need you, as an IDS, to show an alert. This event is ordinary, and this event is suspicious. What are the types of events? We have four types of events, and this is a very important definition that we should know. We have the true positive events, which means that the IDS has generated an alert and this alert is a true positive; this alert signifies an attack. We are always looking for true things, not false things, because we also have the true negative: true negative means that there is no alert and, really, at the same time there is no attack. So both true positives and true negatives need to be maximized. We hope and dream that all alerts are true positives and true negatives. But unfortunately we have the false ones. False positive means that there is an alert generated and at the same time it does not signify a real attack. It says that the door is just open, or the window is just open, and there is no attack. False positive means that the IDS has screamed, has produced an alert, for nothing, for no important reason. False negative means that the IDS is sleeping while we are hacked. It is not generating any alerts, but at the same time the attacker is here and he is on our system. These are the two types that represent false positives and false negatives; we need to minimize them. We are dreaming of having all true positive and all true negative alerts.
You should consider which one is the worst to have on your network, because you may think that true negatives are good and also that false negatives are not so harmful for my system: I can afford having some false negatives, but I cannot afford having a lot of false positive alerts; I do not have enough technicians and analysts to read all the false positive alerts I have. On the other hand, you may think the other way. You may say, I cannot afford to have false negatives; I cannot afford having an attack on my system while the IDS is not generating any alert. It is a matter of your choice, but your decision should depend on how serious your attacks are and how serious and how important your information and your assets are to your system. The alerts can be just a line on the screen, showing up on the screen that the IP address so-and-so has attacked your system, or a beep from the IDS server, or an email sent by the IDS server to the email address of the security specialist, or an SMS from the IDS through the SIM card in the IDS to the mobile phone of the security specialist, or a phone call, a real phone call at midnight, that you receive from the IDS with a certain ring that says there is an attack: wake up, we are under attack. An important type of IDS is the IDS used by HR, the human resources. It is a content monitoring system. The human resources inside the organization may use an IDS to monitor the content, to ethically spy on the employees, to know what they are exchanging: what type of information are they exchanging between each other, what type of chat, what type of emails, what type of information is passing between them. The HR IDS may monitor the web pages they are visiting, the instant messages they are exchanging, the emails they are exchanging, and can monitor any confidential information leakage from the organization to the outside of the network.
It helps to address any inside attacker who is trying to spread the confidential information of the organization to the Internet, or sending inappropriate emails, or visiting unwanted websites, or sending chat messages that are unethical, or things like this. This needs investigation by the human resources department of the organization to take a decision accordingly against this employee. This IDS identifies violations against the company's acceptable use policy. When you are given resources inside your company, these resources have an acceptable use policy. You are given an email address to use only for business. If you use this email address to send friendly emails, or use the bandwidth of the company or the organization to visit websites for your own amusement and download songs and movies and so on, you are violating the company's acceptable use policy, and this may need an HR investigation. Thank you.

12. Network IDS (NIDS): Let's focus now on the network intrusion detection system, the NIDS. The network intrusion detection system is deployed as a passive sensor at the network aggregation points, at the points where all the traffic passes. For example, it can be set on or directly behind the border router, or directly behind the firewall. It can capture traffic like a sniffer and then compare this traffic to certain signatures: does this traffic contain so-and-so as a signature? If yes, then generate an alert. This is how the network intrusion detection system works. It detects events of interest on the network. And remember, we have a lot of events shown by a sniffer, shown by an antivirus, shown by a firewall, but we are interested in the events of interest on the network that show something suspicious, something that could lead to an incident.
So it uses the analysis of the signature of the normal traffic of an application or protocol to say that this traffic is an event of interest and to generate an alert, signifying that something wrong is going on, something that needs to be taken care of by the security administrator. The signature analysis depends on rules that indicate criteria in a packet that represent the event of interest. Rules are applied to packets as they are received by the IDS. Alerts are created when matches are found on the following: the protocol, for example we have caught traffic that is the UDP protocol and this UDP protocol is unwanted on our network, so let's generate an alert; the IP address, we have caught traffic that is from an unwanted IP address; or traffic targeting an unwanted port number; or traffic containing payload content that is unwanted or not allowed inside the network; string matching, where even the content itself of the web page can contain some words that are not allowed to enter our network; the traffic flow analysis, for example it is not common or natural in some organizations to find that the utilization of the bandwidth is 99% at two o'clock in the morning. This is not normal. This shows that something abnormal is happening, because at two o'clock in the morning there is no one inside the organization, so why is the traffic usage reaching 90% of our bandwidth at this time? Is the server running a job? Maybe, maybe not. So we should analyze such a situation to reach a conclusion and to define what is normal and what is not. Some flags in a protocol header, such as SYN plus FIN in the TCP header, some flags that cannot be combined with each other in normal traffic or in healthy traffic, signify that something wrong is going on inside this traffic that is flowing through the IDS. What will the IDS do? Generate an alert.
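The signature criteria just listed (protocol, source IP, destination port, payload string, an impossible TCP flag combination such as SYN plus FIN), implemented as a small rule engine and run over constructed traffic. Because each sample packet carries a ground-truth label, the same run also sorts every decision into the four outcomes from the alert-types lesson: true positive, false positive, true negative and false negative. This is an added example, not code from the course; the rules, addresses, payloads and labels are constructed, and the "UDP not allowed" rule is deliberately broad so that a legitimate DNS query produces a false positive.

```python
"""Signature-matching NIDS with alert-outcome bookkeeping (added example, not the course's code).

Each Rule matches on the criteria the lecture lists. SAMPLE is constructed traffic with
ground-truth labels so every decision can be classified as TP, FP, TN or FN.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: frozenset = frozenset()
    payload: bytes = b""
    is_attack: bool = False      # ground truth, known only because the sample is constructed


@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    flags_all: frozenset = frozenset()    # every flag listed here must be set
    content: Optional[bytes] = None       # substring searched in the payload

    def matches(self, pkt):
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or pkt.src == self.src)
                and (self.dport is None or pkt.dport == self.dport)
                and self.flags_all <= pkt.flags
                and (self.content is None or self.content in pkt.payload))


RULES = [   # constructed rule set
    Rule("udp not allowed", proto="udp"),
    Rule("known bad source", src="198.51.100.66"),
    Rule("telnet port", dport=23),
    Rule("impossible flags SYN+FIN", flags_all=frozenset({"SYN", "FIN"})),
    Rule("forbidden word in web content", dport=80, content=b"FORBIDDEN-WORD"),
]


def match(pkt, rules=RULES):
    """Names of the rules that fire for this packet (empty list when none do)."""
    return [r.name for r in rules if r.matches(pkt)]


def classify(pkt, rules=RULES):
    """Place one decision into the four outcomes of the alert-types lesson."""
    alerted = bool(match(pkt, rules))
    if alerted and pkt.is_attack:
        return "TP"      # alert, and there really was an attack
    if alerted and not pkt.is_attack:
        return "FP"      # the IDS screamed for nothing
    if not alerted and pkt.is_attack:
        return "FN"      # the IDS slept while we were hit
    return "TN"          # quiet, and rightly so


def evaluate(packets, rules=RULES):
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for p in packets:
        counts[classify(p, rules)] += 1
    return counts


SAMPLE = [   # constructed traffic; the last field is the ground truth
    Packet("tcp", "203.0.113.5", "172.16.1.80", 80, frozenset({"SYN"}), b"GET / HTTP/1.1", False),
    Packet("tcp", "198.51.100.66", "172.16.1.80", 80, frozenset({"SYN"}), b"GET / HTTP/1.1", True),
    Packet("tcp", "203.0.113.5", "172.16.1.10", 23, frozenset({"SYN"}), b"", True),
    Packet("tcp", "203.0.113.8", "172.16.1.80", 80, frozenset({"SYN", "FIN"}), b"", True),
    Packet("udp", "203.0.113.9", "172.16.1.53", 53, frozenset(), b"dns query", False),   # legit, but UDP rule fires
    Packet("tcp", "203.0.113.5", "172.16.1.80", 80, frozenset({"ACK"}), b"page with FORBIDDEN-WORD", True),
    Packet("tcp", "203.0.113.11", "172.16.1.80", 443, frozenset({"ACK"}), b"encrypted blob", True),  # no rule matches
]
```

Running `evaluate(SAMPLE)` gives four true positives, one false positive (the DNS query caught by the broad UDP rule), one true negative and one false negative (the encrypted flow nothing matches). Tightening the UDP rule removes the false positive; nothing in a signature engine removes the false negative, which is the point the lecture makes about signatures not being a silver bullet.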
Anomaly analysis flags an anomalous condition in traffic on the network; for example, the traffic is fluctuating from 80% to 70% to 10% to 20%. This is not normal. Unexpected conditions are identified as suspicious. We need to know what normal is. We should know the normal conditions to say that we have some abnormal conditions on our network, and what is normal here can be abnormal there. What is normal for a hospital can be abnormal for a bank. The network here differs from the network there. The network here may be working 24 by 7; the network there is working only during the working hours inside the bank. So we need to know what is normal and acceptable for each network, and we need to know what can be flagged as suspicious. It is usually based on good traffic as a baseline for future analysis. This anomaly analysis depends on targeting the network and observing it for some time, when we are sure that this traffic is good traffic and running at good times of the network during a certain period of time; then we set this as the baseline. It is usually an inclusive detection method. This is a very important condition that happens when you find that the traffic of the network itself has a problem, that the behavior of the traffic has a problem. So this is an inclusive detection method, using the network intrusion detection system to alert you against this type of abnormal condition. You can use application protocol analysis: the IDS has an understanding of the logic of a specific application or protocol; it understands how it works, what protocol it uses, what headers it uses, and what signals it sends, so it can use the application protocol analysis. Any protocol activity that is not known as normal is flagged. This type of analysis is difficult to implement, because few protocol implementations are standard, and many protocols used over the network are non-standard.
So you cannot define what is normal and what is abnormal according to the standard, because there is no standard to compare with. So you need to train your IDS to know what is normal and what is abnormal for such a protocol. It is usually an exclusive detection method. The IDS is an exclusive detection method for application and protocol analysis. By this, we hope that we have introduced some overview of the NIDS, the network intrusion detection system. Thank you.

13. Network IDS Challenges: Now it's time to know about some of the challenges that will face the NIDS, that will face the security administrator who thinks of deploying the network intrusion detection system. One of the challenges is how to include the deployment and access limitations of this network intrusion detection system. How would you face the shortage that you may face in the storage and the processing of the machine running the network intrusion detection system, because it is not coping with the size of the traffic it is receiving? Maybe the storage is not enough; the processing is not enough. So this would be a problem, and this would be something that would limit the performance of this network intrusion detection system. How would you analyze the encrypted traffic? How would you cope with some traffic that needs to be decrypted before being analyzed and before generating alerts related to it? Encrypted traffic that is of unknown or hard-to-decrypt protocols leads to poor and slow performance for the network intrusion detection system. How would you deal with the quantity versus the quality of signatures? Would you generate an alert for a certain quantity of signatures, or for some quality of signatures that signifies an attack? Would you generate an alert for 10 signatures for a certain type of traffic, or generate an alert for a certain one that signifies a problem, a serious problem, for such a type of attack?
You can do so, and you can do so. You can follow this way or follow that way. It's a point of design. It's a point of your choice. So that's why we are presenting here some concepts that you can use in your design in deploying and using this technology that is called the network intrusion detection system. It is very costly for proper management. It needs someone who dedicates his time to analyze the traffic, analyze the alerts, take care of what it is generating, and know how to react and how to move and how to face the problems that are reported through the NIDS alerts. So we have deployment challenges, including also the access limitations: sometimes over a switch it is hard to generate access or to grant access for the NIDS to all of the traffic, because the switch separates collision domains, so you cannot sniff over the switch, and the NIDS that is deployed over the switch cannot have access to all of the traffic. So where to put this NIDS to be accessible for all the traffic and to reach all the traffic, to be easy for it to analyze? The deployment of this NIDS needs trained people, trained security specialists, to be able to deploy this NIDS, to set up this NIDS, to configure the rules, to specify what the type of alert is for each rule, to categorize the alerts, to detect the events of interest, to know when we need this NIDS device to scream and say there is a big problem, and when we need this NIDS to just show a line on the screen saying that we have a problem or we have something that is wrong. So the deployment and access limitations are something that composes a challenge facing this NIDS. So there are a lot of challenges, a lot of things that need to be thought of and need to be determined if you are going to use the NIDS technology in your network. You should think either to use deep inspection or shallow inspection.
Shallow inspection is fast but provides little fidelity, because it examines only the header information of each packet and examines some limited payload data, maybe the first 65 bytes or something like this. So it is fast because the examination is for a small portion of the packet, only the header. But the security is somehow of little fidelity, because the attack may reside in the data, the payload data I mean, not the header. The attack may be sneaky, may be outside this shallow pattern, and may reach your network after such inspection. So if you are interested in speed, then you should think of shallow inspection. But if you are interested in fidelity, you should think of deep inspection. Deep inspection is slow. It requires state for tracking of data. It stores and monitors the data by group, one or two or three packets per group, and then inspects them as a group, all fields, including variable-length fields, which is hard to do, and then takes the decision either to generate an alert for all of them or to let them pass without an alert, to detect them as malicious traffic or to detect them as normal traffic. So this deep inspection takes time and consumes resources, but it leads to higher fidelity in the security. It leads to a better security posture. And of course, if you are going to use deep inspection, be prepared with the resources regarding the processing, the storage and the network connection, and of course the security specialists that will be responsible for observing the alerts, taking action and reading the log files related to this NIDS, to benefit from all the features of this NIDS that you have used or decided to deploy as a deep inspection NIDS. Let's have a look at this diagram and see where I can place the NIDS in this diagram. We can say the intrusion detection probe is set at two points: in the traffic coming from the Internet reaching the firewall,
the input of the firewall from the Internet is monitored through the intrusion detection probe, and the output of the firewall to the demilitarized zone is monitored through the intrusion detection probe. It is as if this intrusion detection probe is measuring the performance of the firewall. Is it acting well? Is there a difference between the input to the firewall and the output of the firewall? Or does this firewall need more configuration and more enhancement? So we are analyzing the performance of this firewall through the intrusion detection probes that are placed at its input and placed at its output, and simultaneously comparing both of them. In the same diagram, we may have an intrusion detection system in the internal network that is sampling, taking samples and generating alerts for the internal network traffic, which may be more important for us. So this intrusion detection system at the bottom, which is trying to detect any attacks on the internal network and generate alerts over this internal network, may be more important to us than the intrusion detection system that is above, because the alerts on the one at the bottom signify that your internal network, your precious network, your valuable network, your servers are under attack. So you may prioritize your intrusion detection systems one over another. You may prioritize alerts one over another. You may set priorities to the events of interest generated from this one and generated from the other one. So these are all points of design that need some experience and some artistic touches from the security specialists handling these NIDS devices. Thank you. 14. Snort as IDS: Let's have an example of an intrusion detection system that is well known, that is very commonly used in cyber security, which is Snort. Snort is a low-cost, lightweight intrusion detection system. It is suitable for monitoring multiple sites and multiple sensors for the IDS. That's why it is common.
It is very popular. It is very educational as well and used for training purposes. It has a low false alarm rate. Most of the alarms are true, either positive or negative, and that is always the dream of the security specialist: to have a low false alarm rate. It needs little effort for reporting. It can easily report and generate alerts, and can generate different formats of alerts that can be reported to the security specialist responsible for the IDS in many ways, easily and in a friendly way, in the way he wants and at the time he wants. Let's have a look at this Snort capture. It looks, to a great extent, like the capture of a sniffer. But we have here "RPC info query" written between two asterisks, which means that this is a text written by the administrator to identify for himself what this capture is telling. We have here the timestamp at the left, then the source IP address 211.72.115.100, then the source port number, which is 623, then an arrow, then the destination IP address, or the destination host name, and then the destination port number is 111. We have the TCP protocol that sends this packet. We have the TTL value that is 46, the type of service value, the ID value that is used for fragmentation, and the flag "don't fragment" is set. We have the TCP flags that are set and the window value, and we have the sequence number written in hexadecimal. We have some of the TCP options, the TCP option fields, that are written here, and their values are stated in hexadecimal. So we have some good information about this packet that can be investigated and examined, either to generate an alert or to let this traffic pass as something that is an event of no interest. So this is an example of what Snort can capture. Let's configure some Snort rule and some basic Snort rules. Let's say that the rule says: alert me,
send me an alert if traffic is sent by the TCP protocol from any source IP and any source port number, but to the destination IP address 192.168.1.0/24, which means the whole subnetwork of this network ID, and the destination port number is 80, and show on the screen a message that says "Inbound HTTP Traffic". This is a rule that tells you, as the IDS, to generate an alert if you find traffic matching this condition. What could happen? The output is at the bottom, so we can see the message here: "Inbound HTTP Traffic" is displayed, and we can see here the timestamp. The date is 9 February, for example, and the timestamp is generated, and the source IP is matching the source IP in the rule, which says any, so anything is matching. The destination IP is matching the destination IP in the rule. The destination port number is exactly 80, and the protocol is TCP. So this is matching our rule. The TTL value, the type of service value, the identification and other values are in this packet. So here we have a successful alert that matches the rule configured by the security administrator. So the output tells some information about the packet that has been captured by the Snort rule and shows that you have an alert here: you, as the security administrator, told me as an IDS to capture such a packet with such rules, and here you have this alert on the screen. Let's have another example with an advanced Snort rule: alert tcp any any, which means alert me if a packet is captured from the TCP protocol with any source IP and any source port, but the destination IP, or the destination network, is 192.168.1.0/24 and the destination port number is 80. But here we are examining the content. The content must contain the string cgi-bin/test.cgi. The message to be displayed is "Attempted cgi-bin access".
This is the message that will be displayed on the screen when such a packet is captured. Let's see the output at the bottom. The output displays the message "Attempted cgi-bin access" and two exclamation marks. And then let's see that the source IP, source port number, destination IP and destination port number are all matching the rule configured on Snort. So this is also a successful rule, a successful alert that has been generated according to the rule. And here we can see the message displayed on the screen that should catch the eye of the security specialist, to know that this is an attempted cgi-bin access to your system. Maybe the one configuring the rule is not the same one reading the output, so he can read the text that says "Attempted cgi-bin access" and not follow or complete reading the rest of the output, which may look complicated for him. So he can know the type of attack from just the message that has been displayed, and act accordingly if required. Let's say some of the pros and cons of the NIDS, the network intrusion detection system. One of the pros is that it is fairly easy to set up. It does not need much effort to set up. It does not affect the speed of the network or add load to the systems it monitors. This is very important, because some networks are very sensitive to security appliances and security procedures that lead the network to poor performance; the NIDS, most of the time, does not. The cons: sensors have limited speed. Sometimes the sensors have little speed, so they miss some packets and leave some traffic uninvestigated. It is almost impossible to detect attacks that are not in the rules: if there is no rule to detect an attack, then the IDS will miss this attack, will pass this attack and will not generate an alert for it.
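The two rules above, and the shallow-versus-deep inspection point from the previous lecture, as one added example that is not Snort's own code: a small interpreter that parses a Snort-style rule header (action, protocol, source, destination) plus the `msg` and `content` options, and runs it over constructed packets. The first rule matches on header fields only, which is the shallow inspection; the second also searches the payload, which is the deep inspection. The packet addresses and payloads are constructed for the demo, the alert line format is an assumption, and only literal `content` strings are supported (real Snort content matching has many more modifiers).

```python
"""Minimal Snort-style rule matcher (added example, not Snort's code)."""
import ipaddress
import re

# The two rules discussed in the lecture.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"Inbound HTTP Traffic";)',
    'alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/test.cgi"; msg:"Attempted cgi-bin access";)',
]

_HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
_OPTION = re.compile(r'(\w+):"([^"]*)";')


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (options)' into a dict."""
    m = _HEADER.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    action, proto, sip, sport, dip, dport, opts = m.groups()
    options = dict(_OPTION.findall(opts))
    return {"action": action, "proto": proto.lower(), "src_ip": sip, "src_port": sport,
            "dst_ip": dip, "dst_port": dport, "msg": options.get("msg", ""),
            "content": options.get("content")}


def _ip_matches(spec, ip):
    # 'any' or a CIDR block such as 192.168.1.0/24
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt: dict with proto, src_ip, src_port, dst_ip, dst_port and payload (bytes).
    Header checks come first (shallow); the payload search (deep) runs only
    when the rule carries a content option."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_ip_matches(rule["src_ip"], pkt["src_ip"]) and _port_matches(rule["src_port"], pkt["src_port"])):
        return False
    if not (_ip_matches(rule["dst_ip"], pkt["dst_ip"]) and _port_matches(rule["dst_port"], pkt["dst_port"])):
        return False
    if rule["content"] is not None and rule["content"].encode() not in pkt["payload"]:
        return False
    return True


def run_rules(rules, packets):
    """Return one alert line per (packet, rule) match, in the order seen."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append(f'[**] {rule["msg"]} [**] {pkt["src_ip"]}:{pkt["src_port"]}'
                              f' -> {pkt["dst_ip"]}:{pkt["dst_port"]}')
    return alerts


def _pkt(proto, src_ip, src_port, dst_ip, dst_port, payload):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "payload": payload}


# Constructed traffic: a plain page fetch, a cgi-bin request, the same request
# to a subnet outside the rule, and a UDP datagram that fails the protocol check.
PACKETS = [
    _pkt("tcp", "10.0.0.5", 40001, "192.168.1.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    _pkt("tcp", "10.0.0.9", 40002, "192.168.1.20", 80, b"GET /cgi-bin/test.cgi HTTP/1.1\r\n"),
    _pkt("tcp", "10.0.0.5", 40003, "192.168.2.20", 80, b"GET /cgi-bin/test.cgi HTTP/1.1\r\n"),
    _pkt("udp", "10.0.0.5", 53, "192.168.1.20", 80, b"GET /cgi-bin/test.cgi HTTP/1.1\r\n"),
]


def demo():
    return run_rules([parse_rule(r) for r in RULES], PACKETS)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The second packet fires both rules: the header-only rule sees inbound HTTP just like it sees the first packet, and only the content rule separates the ordinary page fetch from the cgi-bin request, which is exactly the fidelity that shallow inspection gives up for speed.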
I think it is very susceptible to low and slow attacks: whenever the attacker is slow, whenever the attacker is patient, the attack is more likely to succeed in bypassing the firewall, the IDS, the antivirus and the other security and defense appliances. In conclusion, the NIDS is an important part of a robust perimeter defense. It should be applied whenever needed, and it should be applied with its cost, which is the high maintenance: taking care of the alerts being generated, knowing exactly what it does and how it works, and knowing exactly how to configure its rule set. Thank you. 15. IPS: Let's know something about the intrusion prevention system, the IPS, which is the evolution of the IDS, the intrusion detection system. What is IPS? IPS stops attacks on systems and networks from being effective, and here we can say that the IPS is not just a passive monitor like the IDS; it is an active element that can stop an attack, that can face an attack, that can reduce the number of attacks and take actions according to alerts, and prevents the attacks from being effective and from damaging and from spreading across the network. It has two types of intrusion prevention. One of them is the network intrusion prevention system, and the other is the host-based intrusion prevention system. One of them is for the network traffic, and the other is for the host, for the machine and its operating system. One of them is concerned with the anomalous traffic, bad packets and such things, and the other is concerned with the attacks that are taking place inside the machine itself, which is the host-based intrusion prevention system. The IPS is a technology that is more recent than the IDS; it is the development and the evolution of the IDS. The IPS is very rapidly maturing, and day by day it is replacing the IDS.
And day by day we can find more products and more appliances from the giant companies and the hardware vendors acting as IPS, or intrusion prevention systems. The NIPS challenges, the network intrusion prevention system challenges, are mainly these points, starting with the false positives. How many false positives can you afford? Can you afford the false positives or not? And here it is repeated two times, the false positives, and another question that says: Can you afford the false positives? Can you let the IPS record every single event on your network and generate an alert on it, and you, as an analyst, keep reading it and define what is of interest and what is not? This is the cost of affording false positives. The NIPS may support a limited suite of network applications. That's why the NIPS may miss some other applications, because it doesn't know about their behavior. So it cannot know what is normal, what is abnormal, what is good and what is not good, so it can act only according to what is known to it, which can be a limited suite of network applications that have set signatures and known types of packets transferred between them. It requires more system resources than the IDS, because here it takes actions, so it requires more processing and storage and network bandwidth. And you should ask yourself, can you afford false positives or not? Accordingly, assign the human resources that would be assigned for the network intrusion prevention system. If you cannot afford false positives, then you should assign many human resources, trained security specialists I mean, over this IPS, for this IPS, to monitor and to take action according to the alerts being generated. Keeping up with the traffic demands: we all hope that the NIPS does not act as a bottleneck, or as a slowing point for the traffic, and does not miss any single packet on the network. This is our dream. But can the IPS do so with its limited resources? We hope so.
Can it keep up with the traffic demands? Can it keep up with the gigabytes over the network, keep running and exploring every packet being transmitted over the network, taking the decision and generating an alert if necessary? This is what we hope for the network intrusion prevention system. We tend to have a less expensive rule base. We tend to have a rule base that acts in the critical situations only, to take actions and to stop this traffic or this packet from being transmitted. So the rule base should be more accurate but less expensive than the rule base of the IDS. Some of the recommendations regarding the network intrusion prevention system are, first, to put it on the network in a learning mode, to know some things about the normal traffic before starting to face the abnormal traffic and taking actions accordingly. So what should it know about the normal traffic? It should know about the size of this traffic, the topology of the network, the architecture of the network, and the things that look normal and the things that are in good condition about the network, to be able to find that there has been a change in the traffic, that there has been a change in the topology or the architecture, and generate an alert accordingly, so that the analyst also reacts accordingly. That should be the learning mode of the IPS: to know about traffic, topology and architecture, to know about the environment it is controlling and monitoring, and to know what is normal in this traffic, this topology and this architecture, to be able to detect the changes in any of them and generate alerts regarding any of them. The NIPS requires trained analysts, trained security specialists, to be investigating and analyzing the alerts being generated by the network intrusion prevention system and determining the actions to be taken accordingly. It is not a replacement for a firewall. Nothing is a replacement for anything.
So the IDS, the IPS, the firewall, the antivirus, the patching, the passwords, the security policy, everything should be there in a defense-in-depth technique, to be able to have a security posture. Nothing is a replacement for anything, even if it is a mature technology, a modern technology, more recent than the IDS; it does not replace firewalls. What are the IPS products based on? It can be an IDS plus something that takes a decision according to the alerts generated by the IDS, or a firewall plus something that takes a decision according to the captures of the firewall, or an antivirus plus something (this is the host-based IPS: an antivirus plus something that removes the virus detected by the antivirus), or it can just be an extra widget acting over the network to detect malicious traffic, or malicious traffic conditions, or malicious packets, or malicious headers, or anything that is unwanted over the network, and stops it from being effective and from damaging the network we are controlling. Thank you. 16. WEP: Now let's explore Wired Equivalent Privacy, the WEP protocol. Sometimes it is misinterpreted as the wireless encryption protocol, but the exact interpretation is Wired Equivalent Privacy. Let's review some of the concepts about wireless network security. Wireless networks are more problematic regarding security issues than wired networks because of the open transmission medium. The transmission medium is the air, and the air is open for everyone to sniff, is open for everyone to capture the traffic and start attacking, is open for everyone in the area covered to send and receive messages through the air to the transmitting and connecting devices in a wireless network. So it is more problematic and more difficult. And let us say that most of the time of the security officer will be spent on two issues: securing the servers and securing the wireless network.
Your headache as a security specialist will come from two sources: your servers, your demilitarized zone, especially the web, mail and DNS servers, which will be the hot spots of your attacks; and the wireless network, which will convey and include most of the guests, most of the people that you are not controlling, most of the people that are visitors to your premises or to your organization, and you don't know much about them and about their security setup, so they will be a source of attack, and they will be something that you should take care of and isolate from your wired network. So this open transmission medium is susceptible to sniffing. The wide area of coverage is not always an advantage for wireless networks. Sometimes a wide area of coverage leads to more problems in the wireless network. Sometimes people tend to buy a stronger antenna and try to let the coverage area be as great as possible and maximize the coverage area of the wireless network. This is not always to the advantage of security, because sometimes this area exceeds the limits of the premises itself, exceeds the limits of the organization, of the building itself, and tends to be around the building itself, to the cars and people passing in the street around the building. So you are not controlling who is accessing your access point, who is in reach of your wireless network. So this can be a point that you must take care of, and you must know how far your wireless network is reaching. The higher bit error rate: this is something in the nature of wireless communications. It has a higher bit error rate than the wired network. This is something that is unwanted, but it is accepted in regard to the flexibility and mobility and the so many advantages of the wireless network. Sometimes you need to isolate your wireless network from your sensitive data, isolate your wireless network from your servers, your precious servers,
your sensitive data and information. This isolation is done through placing a firewall, for example, or placing some VLAN separation, or placing them on separate physical switches. And this isolation is needed because you need to separate a vector of attackers that may exist on the wireless network from your sensitive and precious information that is on your wired infrastructure. So you may need, as a security officer, to think of the way of separation that you will follow. Sometimes you require encryption in transit, in transmission of the data. The data is in the air, so how would you protect it? Sometimes you may think of encrypting the data. What is meant by encryption we will see in the next slide. But encryption keeps the confidentiality of the data; it makes the data hard to be read and to be captured and to be interpreted. It can be captured in encrypted form, so it is useless: it looks like ciphertext, not plaintext. And at the same time it keeps the advantage of flexibility and mobility of the wireless network, and at the same time it keeps its confidentiality. Let's have a look at the word encryption. What is meant by encryption? Encryption is the process of encoding a message or information. What is encoding? Encoding is letting the message transfer from the form of plaintext to the form of ciphertext, so only authorized parties can access this information. Why? Because only authorized parties can decrypt the data and return the data to its original form, from ciphertext to plaintext. Once again, there is a science, a very big science, that's called cryptography, where much, much mathematics is involved. Cryptography is the way of how to encrypt and how to decrypt, and how to use the keys of encryption and decryption and the ways.
And this is a very big science that uses binary mathematics and specifies the ways of encryption and decryption for the data. Decryption is the reverse process of encryption. Decryption is transferring the data once more from ciphertext that cannot be read back into data. Let's have a look at this diagram. You can see the word Hello. Hello, after being encrypted, is transferred into something in the middle that has no meaning, that, if read by any person, does not mean anything to him. But after passing again through the decryption key, it returns to the word Hello. So the left is encryption, and the right is decryption, and in between we have just ciphertext that cannot be read by anyone. So only the authorized parties here, according to this diagram, have access to the right information and can read the word Hello. We have encryption that transfers data into cipher, we have decryption that transfers cipher into data, and we have the key of encryption. The key of encryption can be a sequence of ones and zeros. The longer the key, the harder it is to be broken. The longer the key, the harder this encryption algorithm gets, and the stronger this encryption algorithm is against breaking and against decryption as well. So the key can be a sequence of ones and zeros that can be, for example, 8 bits long or 16 bits long, that can be hard to guess, and that can be used for encryption. And the same key sometimes is used for decryption, if the encryption is symmetric, or something like this; and some other times the key of encryption is different from the key of decryption, in asymmetric encryption algorithms. This is a very brief introduction about the word encryption. Let's see here Wired Equivalent Privacy, WEP, as an encryption protocol for wireless networks. It was built to suit the IEEE 802.11 standard, which is the WiFi standard.
It was targeting preserving the confidentiality of data, not breaking the confidentiality of data. It used a key that is 10 to 26 hexadecimal digits, which means that it is 40 to 104 bits in length, so it is long enough to be good for some time. It included methods for encrypting data using a shared secret and the RC4 encryption algorithm. This is a very well known encryption algorithm, a strong one that has been well known for a long time and that has been resisting breaking, resisting being broken by any attacker, for a long time. But now it is not advisable to use WEP. At one time, WEP was widely used; at some time WEP was the main encryption protocol for all of the wireless networks, until it was broken and it was announced as superseded. We have some drawbacks of WEP. The shared secrets that are used, the shared keys that are used, the shared secrets that are used to encrypt and decrypt, do not remain secret. It is shared among some people, so it may be shared among attackers as well. WEP has an inability to rotate the WEP keys. Rotating the keys makes the encryption algorithm stronger, and this inability makes WEP stagnant, so the stagnant shared secret implementations have led WEP to be easily broken and to be easily intruded by attackers. Accelerated WEP cracking is becoming common, so you can search the Internet about cracking WEP. You would reach many software packages and many videos on many websites that explain step by step how you can break and read and access any wireless network using the WEP encryption algorithm to encrypt its data. So in 2003 the WiFi Alliance announced that WEP had been superseded, and we here in this course advise and recommend you do not use WEP as your encryption algorithm. Even if it is existing among your options, eliminate it from your choices, eliminate it from your options,
and do not use WEP as the encryption algorithm for wireless networks. We have other promising encryption algorithms, worldwide standards, that we are going to introduce in the coming slides. Thank you. 17. WPA and AES: Let's explore now the WPA and the AES algorithms for the encryption of wireless traffic traversing the air medium. WPA stands for WiFi Protected Access. It was announced by the WiFi Alliance in 2003 as a successor for WEP, which had been proven to be weak and proven to be susceptible to breaking. It is a security standard for wireless Internet connections, or for WiFi; that is WPA. It has improved upon and replaced Wired Equivalent Privacy, WEP. It provides more sophisticated data encryption than WEP: stronger, more advanced encryption, encryption that can face any attacking attempts. It offers a feature that was not there in WEP, which is user authentication. It authenticates the user sending the data, so that you can check that the data has not been changed, and moreover, that the data is being sent by the authenticated user and not anyone else. WPA has two versions: WPA1 in 2003, once WEP had disappeared and been superseded in 2003, WPA1 was produced, and a year later WPA2 in 2004, which is the current version of WPA, or the WiFi Protected Access protocol. WPA1 is the most common WPA configuration, using WPA-PSK, the pre-shared key. So the most common configuration for this encryption protocol is using the pre-shared key. The key used by WPA is 256 bits. Remember, the longer the key, the stronger the encryption algorithm. So there is a significant increase over the 64-bit and 128-bit keys used in the WEP system. So there is an advancement. This is an evolution. This is an innovation. This is much harder to break than WEP.
It has a new feature also that checks the message integrity, to determine if an attacker captured or altered packets between the access point and the client. This was not there in WEP, and this is a feature that was introduced by WPA1. The encryption algorithm used by WPA1 was called Temporal Key Integrity Protocol, or TKIP. It was known as TKIP. This was the encryption algorithm. TKIP employs a per-packet key system. Remember, WEP had many problems in its key that was stagnant, that was not a rotating key. And here we are trying to treat these problems through using a per-packet key system, which makes it harder to figure out the key, which makes it harder to break this encryption algorithm. It is radically more secure than the fixed key used in the WEP system. So WPA had many advantages and many innovations and many advancements over WEP. In spite of this, WPA1 had so many drawbacks, because, like its predecessor, it has been shown to be vulnerable to intrusion via proof of concept. Theoretically, using research and papers, it has been vulnerable to intrusion, and applied public demonstrations also show that WPA1 is vulnerable to intrusion. The process by which WPA is breached is not a direct attack on the algorithm, although such attacks have been successfully demonstrated. So it has been successfully demonstrated that WPA is susceptible to attack, but the most common process for breaching WPA was not through attacking its algorithm. It was attacking a supplementary system that was rolled out with WPA. This was the most common way, or technique, used to attack WPA: WiFi Protected Setup, WPS, designed to make it easy to link devices to modern access points. This was one of the steps to try to let WPA live longer and stay longer in the market.
WPA2, as of 2006, has officially superseded WPA1. So WPA2 appeared in the world in 2004, but in 2006 WPA1 was officially superseded by WPA2. The significant changes between WPA2 and WPA1 were the following. The mandatory use of the Advanced Encryption Standard, AES, algorithm, which is a very strong encryption algorithm that has not been proven to be attackable, not been proven to be broken easily. The introduction of CCMP, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, a very long name, but it is just the replacement for TKIP, the encryption algorithm that was used by WPA1. Anyhow, TKIP is still preserved in WPA2 for the fallback system and for interoperability with WPA1, to be interoperable with devices using such encryption, so the devices using WPA2 provide interoperability between both encryption algorithms, WPA1 and WPA2. The security implications of the known WPA2 vulnerabilities are limited, so it is still a good recommendation to use WPA2 with the AES algorithm encryption, and specifically the configuration using AES is very strong and it is less susceptible to breaking. Let's record here that there is no encryption algorithm that is perfect. There is no encryption algorithm that is 100% against breaking. There is no such thing. It is a matter of time. It is a matter of advancement in research and in technologies that makes an encryption algorithm stronger than its predecessor and makes an algorithm supersede another algorithm. It's a matter of time until the current algorithm is broken; then it is replaced by another one. So WPA2 is recommended to be used on wireless networks right now. And right now it is available from all wireless device vendors; you can easily find in the market
Access points, wireless cards, so many wireless devices apply the WPA2 encryption algorithm among their options, so you can use this choice, use this option, to encrypt the traffic between your wireless card and access point, and between two wireless cards if it is an ad hoc network being established. So you can apply this algorithm safely and feel more safe, feel more confident that your data will not be broken, and the confidentiality, integrity and availability of your data will not be broken through this encryption algorithm. Encryption in principle focuses on the integrity and the confidentiality; it is not really related to the availability of the data. Anyhow, WPA2 is a good recommendation for security officers to use on the wireless networks right now. Thank you. 18. Wireless Security Misconceptions: Let's discuss here some of the well known misconceptions about wireless security. Some of the general misconceptions are as follows. Some organizations think that they are not using wireless for sensitive data, so the wireless network is not in direct connection to the sensitive data, so we are safe, we do not need to worry about security. This is not true, because if your wireless network is part of your infrastructure, it is connected to your sensitive data in some way, either direct or indirect. So consider isolation. Consider separating both kinds of traffic, either through separate VLANs, through placement of a firewall, by encrypting the traffic, or by controlling the traffic passing from the wireless network to the wired infrastructure. It is not enough to say that my wireless infrastructure does not contain any sensitive data, because it is connected to the wired one, so think how it is connected. Think how the attacker may use your wireless network to access the wired infrastructure and to access the servers and reach your precious data and damage them.
You should think of the traversing traffic between the wireless and the wired, and how it is to be controlled and how it is to be filtered. Some organizations say that we don't have any wireless, and often they discover that they have a wireless network through some rogue access points. What is the meaning of a rogue access point? It is an unauthorized access point, deployed with little security or with no security at all, deployed by an employee who thought that he needs to access the network from the corridor or from another room. So he, with good intentions, implemented an access point inside his RJ45 connection or slot. And instead of placing his machine, he placed a rogue access point with no security at all. He managed to access the network through this rogue access point. But the problem is, he allowed others to access your network, even from outside the building or from outside his room. He allowed them and gave them access to your network through this rogue access point that contains no security at all. So he injected a security hole inside your network. He created a back door that you are not aware of, and there are some ways that you can use to identify and to discover the access points existing in your building or in your premises, and start to think where they were created and how to eliminate them and how to remove them from your network. One more thing is, what about your ad hoc networks? What about the meeting rooms? What about the two employees who sit in the meeting room and establish an ad hoc network between their laptops to transfer their data? This is a wireless network that is established temporarily inside your building, that is transferring data that belongs to the laptops or the mobile phones of your employees. It may be sensitive data; it may be data that you do not want to exchange between laptops.
So what about the ad hoc networks? Think about the ad hoc networks that may be established inside your premises and you are not aware of. How would you face this? And how would you control this? These are wireless networks that you don't know about and that are not under your control, and accessing your sensitive information needs to be under your control and needs to be applied with security measures of your choice. Another misconception is that some organizations say we cloak our SSID, the service set identifier. Cloak means that we hide it, so people cannot join our wireless network. This is a good defense, that you cloak your SSID, but do not depend on this defense and say that it is impossible for anyone to know about this hidden SSID. No, it is possible, because by passively listening to the network an attacker can capture the network name by using any sniffer, by using a wireless sniffer to capture the wireless traffic, and by analyzing this traffic you can know the network name. You can know the hidden service set identifier. There are some software tools that can show you the broadcasted SSIDs and the hidden SSIDs, and they are free, like inSSIDer (with a double S). This is a software that is free and used; it may be set up on your laptop and can show you the broadcasted SSIDs and the hidden SSIDs as well, with no effort from your side at all. You can say to yourself that I'm using MAC-based access control that restricts access to authorized users. Yes, this is good. This is a good defense, but it is not 100% protecting your network, because an attacker can monitor the network to identify valid MAC addresses and spoof his MAC address with another valid MAC address and fool your MAC address control. You can say that WEP is safe, and we have demonstrated through the lectures before that WEP is unsafe and it is superseded by WPA,
which has been superseded also by WPA version 2. You can tell yourself that the DoS attack, the denial of service attack, requires expensive hardware that is not easily accessible. And this is a misconception. This is not true. An attacker can launch a DoS attack with a $10 wireless card only, $10 or maybe a cheaper wireless card, and can jam your signal and can intrude on your signal and can cause the denial of service for your access point. And you can find that your machines are not reaching the access point, and the access point is not communicating with your machines. So your machines are not connected to the wireless network, and this is a case of denial of service with only a 10 dollar wireless card used by an attacker with some readily available software on this wireless card that can jam signals and can produce signals that interfere with the wireless networks you have, and prevent your signals from reaching the access point and the signals from the access point from reaching your machines. And by this you can cause a denial of service on your wireless network. This is possible and this is one of the attacks that can be used on your wireless network, and, of course, it has a mitigation. So we should be aware of these misconceptions. And in general, we do not depend totally on one defensive technique and say that it is 100% protecting our network. There is no such technique. You should build your defense in depth, the DiD. Remember this term, defense in depth, and you should let the attacker suffer from one defensive technique to another to another until reaching your network, if he will reach it. You need to slow his pace. You need to make him suffer and take a longer time until you can catch him and block him and know about him and enhance your security techniques before he can reach your precious network. Be aware of the zero day attacks and of the vulnerabilities that appear on the same day
you are working, because the zero day attacks need you to be alert and to be aware of the defensive techniques for this attack on the same day, before it gets you down and attacks you and damages you totally. Thank you. 19. Wireless Attacks and Mitigation: It's time to talk about some of the very well known wireless attacks and their mitigation, attacks that are specialized and dedicated to wireless networks, and the way of their mitigation. One of these attacks is eavesdropping. It is something like sniffing, like knowing or capturing some of the traffic on the wireless network without being authenticated or without being permitted to do so. This type of attack is very well known because some of the coverage area of the wireless network may lie outside of the building, outside of the premises. So you can sit in your car beside the building or the premises of this organization using the wireless network and can capture some of their traffic. This is called eavesdropping. Its mitigation is simple. Just use strong encryption in the lowest layer protocol possible. You should use encryption to keep your confidentiality. Whatever the attacker can read, he cannot interpret or understand the nature or the information or the plain text of your data. He's just capturing cipher text and cannot interpret it into plain text. Design your wireless network with caution and take care: what is your coverage area? Minimize your coverage area. Design the wireless network so that it is not covering more area than you control. It is not covering areas that are not under your sight, areas that you are not aware of. Do not cover with your wireless network areas that are designed for guests. Audit your wireless network with a packet sniffer and determine what an attacker can see, what is the type of the traffic that the attacker can see.
Try to be the first to see this traffic before the attacker himself, because when you audit your network, you will be able to see the vulnerabilities, the drawbacks, the back doors that the attacker can sneak through into your network, so you can be the first one to close these back doors and mitigate these vulnerabilities. Masquerading and its mitigation. Masquerading happens when an attacker spoofs his identity as a legitimate node or access point. He tricks unsuspecting users into giving up sensitive information. It's something like you are putting a mask on your face and pretending to be someone else, someone trusted for that victim, so that he gives up some sensitive information to your side. You can trick a node or an access point so that it thinks that you are an authenticated user, but in fact you are a malicious user, and you need to know some of the traffic that is passing through this network, that is traversing through this network, and you are trying to access it without permission. The mitigation is the use of mutual authentication wireless protocols like PEAP or EAP-TLS, or any other protocols that are more recent than PEAP or EAP-TLS, that use mutual authentication, that authenticate both the sender and the receiver sides, to be sure that the sender is the rightful sender sending the data and the rightful receiver is receiving the data, and no one else has been intruding or capturing the data in between. You can use SSL/TLS for passing sensitive information to Web applications, so you can be sure that sensitive information for Web applications is also safe and also being protected by such protection techniques. The DoS, the DoS is the denial of service. DoS is making your wireless network appear that it is not there, rendering your wireless network as if it is closed or as if it is not working in the right way. So there are many, many ways that you can cause a DoS attack on your wireless network.
You can jam the signals of the wireless network. You can stop the access points from working. You can do many, many things to render the network stopped, or to appear as if it is out of service. What can you do as a mitigation for this DoS attack? You can upgrade the firmware of faulty WiFi cards. Just keep all your firmware, of your access points, of your WiFi cards, of any wireless device, upgraded and up to date, because every patch that appears, every patch developed by the vendor of this wireless card, gets security as the first target and targets the security in the first place, and every patch is more secure than the preceding one. The patch of today is more secure than the patch of yesterday, so patching and upgrading the firmware is a very, very good, helpful method for keeping the security up to date. You should also understand the impact of a DoS attack against your environment. What if a DoS attack is successful? What would it prevent? What would it hide? What would it prevent from access? What would it make impossible to access, and what is affordable for me and what is not affordable for me if this happens? As a security specialist, I should know and understand the impact of a DoS attack, and I should not be 100% sure that a DoS attack is impossible. No, it is possible, and you should consider and imagine, if it happens, what would be its impact on my network. Think of using a wireless intrusion detection system. Remember that the intrusion detection system is an alarm system producing alerts, so you need to deploy maybe a sniffer to sniff the wireless traffic and set some criteria on it. If you find a packet with so and so address and so and so port number, just show me an alert through a line on the screen or a beep, or send me an email or send me an SMS. This would be a good defensive technique for your wireless network. Prepare a response strategy.
Just be prepared if there is an attack. Imagine that this attack or that attack has happened. What would you do? Do this beforehand, before the attack takes place, because the worst time to think is the time you are under attack. You should think while you are relaxing; you should take your decision and prepare your plans while you are relaxing, not while you are under attack. While you are under attack, your mind is not clear and your thinking is not the right thinking at all. A rogue access point is a very well known attack on the wireless network. It is an unauthorized access point connected to a private network, often installed with the default settings and without security at all, without password, without encryption, even without upgraded firmware, without anything at all. So it permits full access to the network for an unauthorized user. So you can perform rogue access point detection. Very simple. Just carry your wireless card and move through the place and try to detect and see what wireless signals it is catching and receiving. You can find rogue access points inside some rooms and corridors that were not meant to be there, that were not planned, and that you did not put there by your hand. So these are rogue access points and need to be removed by yourself. Use mutual authentication wireless protocols such as PEAP or EAP-TLS to avoid rogue access points, deploy wireless intrusion detection as well, and deploy a strong wireless LAN. This would look strange, but if your wireless LAN is strong, no one will think of implementing a rogue access point in any place; they will depend on your strong wireless LAN. They are covered everywhere; they are covered in all the places they are supposed to be covered in. Then no one will think of deploying a rogue access point and you will save yourself some effort. Thank you. 20.
Secure Wireless Network Design: Now we can move to the secure wireless network design. We need to apply security from the point of design of the network, so that the design itself, how can it be secure while applying the wireless networks and while merging the wireless network with the wired ones? Let's have a look at this diagram. This diagram is just a modification of the preceding diagram that contained no wireless networks. We have just added and amended here the wireless network section. So let's have a look at the Internet that is connected to the network of the organization through a border router and then through a multi-homed firewall. The section at the right is the same section we have seen before: switches that are connected to servers. Some of them may be the demilitarized zone, some of them may be the internal network of the organization, and some of them can contain the workstations inside the internal network of the organization, the workstations where the employees can work. So the section at the right is pretty well known to us. The section at the left, at the left of the firewall, is the new section. We can see that we have several wireless access points, the APs, that are connected to a segregated switch, a separate switch from all the other networks, that is connecting all the wireless access points together. So we can see some features of security in this design that can be demonstrated through, first, installing all the wireless access points on a segregated switch. Then this segregated switch is connected to the internal network through the firewall, through the firewall and not directly connected to the wired network. So by these two security features, you can have some guarantee and some safe precautions that your wireless traffic will not sneak through to the wired network and wired infrastructure uninvestigated. It will be investigated.
First, it will be checked by the firewall, and the firewall will decide either to accept or reject this traffic. And one more thing: if it happens that an attacker tries to access your network through this wireless section, he will be accessing the segregated switch. If it happens that this switch gets compromised, only this switch will be compromised by itself, and the attack will not move to other switches, because it is separated and segregated from other switches, and the traffic passing from it to other switches is checked and investigated by the firewall. Let's observe here also that the wireless devices have a separate switch that contains no wired devices at the same time. So it looks like a separate network that is connected to another network without any merging between them. All the traffic passing from the wireless network to the wired network is investigated and checked by the firewall, as you can see. So this is a point of design. This is a point that you can take into consideration while you are designing your network with both its wired sections and wireless sections. Let's summarize here some points about wireless security. You should consider design at all layers of the OSI model: at the physical layer, at the data link layer. At the physical layer, you should minimize the coverage area. You should know about the coverage area of your wireless network. At the data link layer, you should secure your access point, because it is a device working at layer two. At layer three, you should have a look at the routers and the access control lists they are applying at this layer between the wireless and the wired. So at every layer of the OSI model's seven layers, you have some measure, some action and some procedure of security that you can apply. And you need to identify specific areas of coverage that are under control and that are not extending outside your premises.
You should audit your wireless LANs for rogue and unauthorized clients and rogue, unauthorized access points that have been installed without your permission as the security specialist inside the place. You should consider deploying a wireless intrusion detection system. You should consider setting up a wireless IDS, such as a sniffer or something that has some rules to generate alerts upon. You should migrate to WPA version 2, because it is the current and so far unbroken encryption algorithm used by wireless networks, and keep in mind AES, the Advanced Encryption Standard, which is a component inside WPA2. Now let's have a look at a tool, a software tool that is used to locate access points and determine their SSIDs, and show on its screen their SSIDs even if it is a hidden SSID; so it shows the SSIDs, both broadcasted and hidden. It shows also the MAC address of the access point itself, which is the hardware address of the device's network adapter. It shows the SSID, a 32 character ID that is like a password on a wireless LAN if it is hidden; the name of the access point if it is available, I mean if it is set; the channel that the access point is using. Remember the channels: the bandwidth used is divided into several channels, and there is a guard band between each of them, and some access points use channel 1, some access points use channels 7, 5, 11 and so on, to keep the interference between the access points as low as possible. It shows the vendor of the access point; it shows that this access point is of brand so and so. It shows the encryption, the encryption algorithm used inside this access point, whether it is WEP or another algorithm. So it shows some useful information about this access point. And remember, this tool can be used by a security officer to know about his own
wireless network with permission, and can be used also by an attacker to know about the wireless network of someone else without permission. The difference between using this software by a security officer or by an attacker is the permission. The word permission should be a key word inside our heads. This is a sample of the output of the inSSIDer software. Now you can see the MAC address of the access point, the SSID, the service set identifier of the network it is running, the name of the access point, the channel used (here it is 6 for all), the vendor of the access point, the company that has produced this access point, the type (AP is access point), and the encryption, whether it is WEP or another encryption algorithm. We are here focusing on the weakness of WEP, that it is easily broken and can be easily spotted through this output. You can find at the left side of this diagram some of the access points displayed with channels, SSIDs and filters and things like this. You can use the inSSIDer software, and there are so many software tools that can work the same way. You can use inSSIDer to draw a map of the wireless network inside your organization and know much more information about the wireless networks inside your organization, while setting up this software on your laptop and moving freely inside the organization. It is lightweight, and it can draw a map of your network easily, and it needs not much experience to set up and run inside your network. Thank you. 21. Physical Security Objectives: Now it's time to talk about physical security, physical security objectives and how it is related to the objective of our course and the subject of our course, which is network security. Is there a relation? Yes, there is a relation.
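Before moving on to physical security, here is an added example, not the course author's code and not inSSIDer itself, that ties together the wireless-side lectures above: the scan fields the tool displays (MAC address, SSID, channel, vendor, encryption), the rogue access point and masquerading checks, the hidden SSID and WEP misconceptions, and a wireless IDS alert rule of the "if you see so and so, alert me" kind. Every BSSID, SSID, vendor name, frame record and threshold below is constructed for illustration, and the deauthentication-flood rule is an assumed criterion, not one the lecture specifies.

```python
"""Added example: audit a wireless scan listing and apply one wireless-IDS alert rule.
All inventory rows, scan rows and frame records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Encryption settings this (hypothetical) policy treats as weak: open, WEP, WPA-TKIP.
WEAK_ENCRYPTION = {"Open", "WEP", "WPA-TKIP"}


@dataclass(frozen=True)
class AccessPoint:
    """One row of a scan listing: the fields a scanner such as inSSIDer displays."""
    bssid: str        # MAC (hardware) address of the access point radio
    ssid: str         # network name; "" means the SSID is cloaked (not broadcast)
    channel: int
    vendor: str
    encryption: str


# Constructed inventory of the organisation's own access points.
AUTHORIZED = {
    "00:11:22:33:44:01": AccessPoint("00:11:22:33:44:01", "CorpWiFi", 1, "VendorA", "WPA2-AES"),
    "00:11:22:33:44:06": AccessPoint("00:11:22:33:44:06", "CorpWiFi", 6, "VendorA", "WPA2-AES"),
    "00:11:22:33:44:0b": AccessPoint("00:11:22:33:44:0b", "CorpWiFi", 11, "VendorA", "WPA2-AES"),
}

# Constructed result of one walk-around scan of the premises.
SCAN = [
    AccessPoint("00:11:22:33:44:01", "CorpWiFi", 1, "VendorA", "WPA2-AES"),
    AccessPoint("00:11:22:33:44:06", "CorpWiFi", 6, "VendorA", "WPA2-AES"),
    AccessPoint("aa:bb:cc:dd:ee:01", "CorpWiFi", 6, "VendorB", "Open"),        # masquerading twin
    AccessPoint("aa:bb:cc:dd:ee:02", "", 11, "VendorC", "WEP"),                # hidden rogue AP
    AccessPoint("aa:bb:cc:dd:ee:03", "MeetingRoom", 3, "VendorD", "WPA-TKIP"), # ad hoc / rogue
]


def audit_scan(scan, authorized=AUTHORIZED):
    """Return (severity, bssid, message) findings for every row of a scan listing."""
    findings = []
    own_ssids = {ap.ssid for ap in authorized.values()}
    for ap in scan:
        known = authorized.get(ap.bssid)
        if known is None and ap.ssid in own_ssids:
            findings.append(("high", ap.bssid,
                             f"unknown AP advertising our SSID {ap.ssid!r}: possible masquerading"))
        elif known is None:
            findings.append(("high", ap.bssid,
                             f"rogue AP {ap.ssid or '<hidden>'} on channel {ap.channel} ({ap.vendor})"))
        elif (known.ssid, known.encryption) != (ap.ssid, ap.encryption):
            findings.append(("high", ap.bssid,
                             "authorized AP seen with changed SSID or encryption: check its configuration"))
        if ap.ssid == "":
            # A cloaked SSID is not a defence: passive capture still recovers the name.
            findings.append(("info", ap.bssid, "hidden SSID; name is still recoverable by sniffing"))
        if ap.encryption in WEAK_ENCRYPTION:
            findings.append(("medium", ap.bssid,
                             f"weak or no encryption ({ap.encryption}); migrate to WPA2-AES"))
    return findings


# Constructed 802.11 management-frame records: (timestamp_s, frame_type, source, bssid).
# 25 deauthentication frames hit ...44:01 within 2.5 s; ...44:06 sees two a minute apart.
FRAMES = (
    [(round(100.0 + 0.1 * i, 1), "deauth", "aa:bb:cc:dd:ee:01", "00:11:22:33:44:01")
     for i in range(25)]
    + [(10.0, "deauth", "00:11:22:33:44:06", "00:11:22:33:44:06"),
       (70.0, "deauth", "00:11:22:33:44:06", "00:11:22:33:44:06"),
       (12.0, "beacon", "00:11:22:33:44:06", "00:11:22:33:44:06")]
)


def deauth_flood_alerts(frames, threshold=20, window_s=5.0):
    """Wireless-IDS rule (assumed): alert when more than `threshold` deauthentication
    frames target one BSSID inside any `window_s` second window, the cheap-card DoS
    pattern described in the lecture. Returns (bssid, first_ts, trigger_ts) tuples."""
    per_bssid = defaultdict(list)
    for ts, ftype, _src, bssid in frames:
        if ftype == "deauth":
            per_bssid[bssid].append(ts)
    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append((bssid, times[start], ts))
                break                               # one alert per BSSID is enough
    return alerts


if __name__ == "__main__":
    for severity, bssid, msg in audit_scan(SCAN):
        print(f"[{severity:6}] {bssid}  {msg}")
    for bssid, first, last in deauth_flood_alerts(FRAMES):
        print(f"[ALERT ] deauth flood against {bssid} between t={first}s and t={last}s")
```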
Physical security describes security measures that are designed to deny unauthorized access to the following: to facilities, to equipment, to resources. So the building, the equipment inside the building, the software and the hardware resources inside any equipment are all a target for the physical security measures to deny unauthorized access to any of them. Physical security is of great importance, and sometimes you design a very sophisticated firewall, a very strong firewall and a very costly one with a very good rule set, and you forget to hide its power supply. So the attacker will easily detach its power supply and cause a denial of service for the firewall and leave your network exposed, totally exposed to attacks. This is a very simple and very easy attack to be done, but very dangerous and very effective and of high impact on your network. Suppose that your firewall is exposed in a corridor with no access control. Suppose that your firewall is beside a window that is exposed to very high temperature. Your firewall can easily suffer a denial of service by some physical attacks that you did not take into consideration, that you have forgotten to put your security measures against. So the importance of physical security lies mainly in that it is very easy to be attacked through, and very dangerous and of high impact. Another proof of the importance of physical security is that it protects personnel. And let's focus on this word. First of all, you should protect your personnel and property from damage or harm. Secondly, you can protect your property from damage or harm, but first comes the personnel. Physical security should be implicit in every logical security control. If you apply a firewall, then keep it safe. If you put an access control list on the router, then keep the router in a safe place, away from being detached, away from high temperature, away from any physical security attack that may cause
a denial of service of it. You may have a very expensive router, very speedy, very good, very well configured through the access control list, and once it is damaged through some water during the cleaning, for example, you can see that your router, your very dear router and very sophisticated router, is attacked by the denial of service attack. The importance of physical security is that it is usually based on assumptions. What if cleaning is not done in the proper way? What if the temperature rises? What if the air conditioning falls or fails to adjust the temperature in your room? What if something catches fire? Okay, so it is usually based on assumptions, and accordingly you design your security measures in the physical security plan and physical security assessment. The importance of physical security is that it is sometimes overlooked, and sometimes it is forgotten. You, as a security specialist, sometimes concentrate and focus highly on the logic and the firewall and the configuration and the IDS and the IPS and the router access control list and so many things, and you overlook who is entering your facility. Where does he go inside your facility? Is there some access card? Are there some surveillance cameras to record and to have any documentation of his movement inside your building? How does he enter a room? And is he escorted inside the building, or does he have the freedom to roam inside the building without any escorting? So many, many things could happen, could affect your security plan or policy, and could cause you high damage because of very simple acts that you have forgotten, because you have overlooked physical security. The objectives: once more, safety.
And remember, remember that personnel, human beings, the souls of human beings, is number one. Personnel is more important than servers, than information, than data, than anything inside the building, than any equipment, than anything inside the building however expensive it is. The personnel, the human being, is more valuable, is more expensive and should be protected first if the building catches fire. So we should keep the personnel safe as the first priority and then move to the information and data and the patents inside the building and the equipment and other things. But keep in your mind that personnel is number one to be kept safe if any physical security attack happens. The objectives of physical security: safeguarding information; secondly, equipment, infrastructure, facilities, other company assets, after personnel. Okay, information, equipment, infrastructure, facilities and other company assets may be a target for physical security attacks and may be exposed to physical security attacks, and safeguarding them by so many physical security measures is your target when you design your physical security plan or you design your physical security tools and technologies that you are going to use to protect your information and equipment and infrastructure. You are targeting providing authorized access, and only authorized access. Keeping confidentiality, keeping integrity, keeping availability, keeping the CIA, is the meaning of authorized access, only authorized access. Only authorized access to the data: this is confidentiality. Only authorized access by modification: this is keeping integrity. Only authorized access that should be kept available: this is keeping the availability of the data. Remember the CIA. Remember that authorized access is the target of any security measure that you are taking and should be implied in any security measure that you are taking, including physical security. What if physical security is overlooked?
Suppose that you are using very strong passwords with a very good encryption algorithm, but it can be easily overlooked if the attacker can physically sit in front of the server or of the laptop and use a boot CD. Any password, however strong, will be bypassed, will have no value at this time. Encryption is another security measure that you can apply on your data. But suppose that physically there is a key logger, a piece of hardware that can be attached between your keyboard and your case, or between your keyboard internally and the motherboard of your laptop. This key logger can log and can record every keystroke you are doing or you are executing. The key logger can be a software, a hidden software on your laptop, as well. So what would be the key logs you will type after typing your user name for your email account, for example? It should be the password. Then the key logger will know, and can transmit the password through a wireless transmission on the spot to the attacker, overlooking all your encryption algorithms or all your measures that you have taken in choosing your password, through a simple key logger that is $1 in price and can be installed in a hidden place between the keyboard and the main case, or a software that runs hidden to transmit every keystroke you are striking. The viruses: if you are setting up the best antivirus in the world, but you are allowing flash memories, CDs and DVDs to be inserted physically in your machines, what could your antivirus do? Sometimes it will fail with zero day attacks and zero day viruses. It would save you much effort and much cost and many licenses for the antivirus software and much updating and upgrading of the antivirus. It should be done, I know, but it could be a much easier task for the antivirus, which is good and updated and upgraded, to
keep your data away from viruses if you ban and restrict using the flash memories and CDs and DVDs on your machines, and even entering your facility or your premises with such equipment like flash memories and CDs and DVDs. Consider redundancy as a physical security measure. Consider using multiple servers. Consider using mirrors, which are real-time copies that are running for the servers. Consider using RAID 5, for example, or any RAID version, for the redundancy of hard disks to avoid the loss of data whenever a hard disk is not working, malfunctioning, out of power, or suffering any physical attack that may affect it. So redundancy is a good physical security measure that could be applied and that can save much data whenever there is a physical security malfunction in the place. Thank you. 22. Physical Security Threats and Mitigation: Let's detail here in this lecture the physical security threats and their mitigation one by one. Let's recall here that safety is number one, and the safety of humans is number one inside this number one; the safety of humans is the top priority of the physical security policy that should exist in any enterprise or in any organization. The safety threats can be something that has been set on fire, some smoke due to fire or due to other causes that is affecting or spreading over the whole premises, toxins, water flooding that could be due to rains, or some water flooding due to malfunctioning of some of the water devices inside the premises, or water flooding due to cleaning in a wrong way inside the premises that has raised the level of the water inside the room containing servers, so that the water has entered or has affected the server hardware. Remember always that electronics do not like water, electronics do not love water and do not like to cooperate with water. Water could be killing sometimes, so take care of how you clean your facility.
How to use water in cleaning. And how do people using water in cleaning use it in cleaning your facility? The temperature extremes is another threat for the safety. Very high temperature and very low temperature. The high temperature off course is more dangerous, and the problem of high temperature is sometimes that your room is glass room and the temperature is very high inside and you see it from outside as order. You do not know what is the temperature inside the room until you enter this room. The power loss is another threat. And ah, repeated power loss is a very big threat, and it can cause very high damage to your devices. And it can cause data loss, and it can pose total failure off. Some devices can cause a lot of problems to your devices, so take care off our loss and off the repeated power loss in specific. So how do you mitigate such threats? First of all, you should use sensors if you want to be a good specialists in the field of security, be the 1st 1 to know about any attack, especially the physical security attacks. You sick, you sensors for the level of water for the temperature for that smoke for any for fire for any off such threats. In the previous slides, you sensors toe set alarms you sensors toe tell you to be the 1st 1 to know that there is fire. There is water flooding. There is high temperature or very low temperature in some places. You should use sensors to tell you so, and you should use devices to respond. Firefighting system. Uninterrupted power supply or UPS, air conditioning or edge HVAC system. Heating, ventilation, air conditioning systems. These are the devices that can respond fire, fighting for fire, uninterrupted for supply for the power loss or the repeated power loss it can hold. The device is working for upto several days. If it is something that is a brand and eggs and expensive their conditioning and the edge HVAC systems can cause the temperature to be adjusted on a certain temperature. 
But keep in mind that high temperature in a glass room cannot be detected unless there is a good sensor inside, or unless you enter the room yourself. Sometimes you look from outside at the glass room of the servers and the data center and feel that everything is OK, while the temperature inside has reached 40 °C, which is dangerous for your devices.

Use signs. This is a very easy and very important threat mitigation. For example, a sign can say that this room is for staff only. Then, if you find someone who does not belong to the staff inside this room, you escort him out. Remember: escort him, do not just tell him to go out. Be with him while he is going out, because he can go out and return after a while to the same room. Use signs such as "staff only", "server room", "employees only". Such written signs save you much time and effort with people making mistakes unintentionally; the signs help them know what is correct and what is not. If they make a mistake accidentally it will be once or twice, and you keep your time, effort and attention for the people doing wicked things, harming your devices or trying to take them intentionally, who know exactly what they are doing.

Of course, you should also set procedures to respond. You should have a written security policy, given to employees on their first day of work, that says: your access card allows you to enter this room and not that room; your job allows you to use these servers and not those; your job requires so and so and is restricted to so and so; such actions are not allowed as part of your job. He should read it as a written document and sign it from the very first day, because after that you can remind him that on page five of the security policy it is written so and so, and he has violated that rule. He can be forgiven the first time, but the second time he must face the consequences; he must be aware that he is violating the security policy. This saves much time and effort for you as the security officer: it removes many unintentional attacks, so that you can focus on the intentional ones.

Unauthorized physical access can be controlled through devices like locks, physical locks, and mantraps. A mantrap is a pair of doors that holds a person between them: after entering the first door, he either enters the second door correctly or stays locked inside the mantrap until someone from the security team comes to free him. This catches people who are trying access codes and guessing ways of gaining unauthorized access: either you use the right way to access the room, or you get trapped. That makes an unauthorized person think twice before heading for a resource he is not authorized to access. Use fences to limit and control who enters your building and to be able to record that movement (note that a fence does not contain your wireless coverage; limiting the coverage area is a matter of antenna placement and transmit power, as discussed in the wireless lectures). Use contraband checks, X-ray scanners and metal detectors to control the devices entering and leaving your premises: flash memory, CDs, DVDs, portable hard disks and other portable devices, and to be able, for example, to ban them from entering or leaving your premises if your security policy requires so. You can use bag inspection, personal bag inspection, also to prevent such devices from entering and leaving your place. Portable devices, flash memory, CDs, DVDs and external hard disks can be the real threat to your organization after you have set up the firewall, the IDS, the access controls and everything else. Use surveillance cameras, place them in the right spots to detect every movement, and put trained people in front of them, people who know exactly what to do if so and so happens. Use video cameras whenever possible, keep trained people in front of the screens, and use video servers to record the output of the cameras daily, so that it can serve as a reference if an incident takes place on your premises. The mitigation of any unauthorized physical access to a place is escorting the person out of the restricted area. Let me say it again: escorting. Do not just tell him to get out; he will get out and he will return. Escorting him is the real prevention of physical access to the place. Thank you.

23. Defense in Depth (DiD): One of the well known terms in the world of network security, and cyber security in general, is defense in depth. You will meet this term in many references, textbooks and presentations about cyber security and network security, telling you that you should apply the defense in depth technique, and sometimes it appears as the abbreviation DiD. What do we mean by defense in depth? Look at this diagram. You will find that the main target of any attack is the information. The information is at the center, at the core
of this diagram. The information is accessed and manipulated through an application by the users. The application resides on a host, which is a machine with an operating system; it can be a laptop, a server, even a mobile phone. The host is connected to other machines through a network. So it is a shell inside another shell inside another, and each of these circles has its own security measures that apply to it alone. The information has its own ways of protection; so do the application, the host, and the network. You need to make the attacker suffer by passing through the network with its defense techniques, then the host with its defense techniques, then the application with its defense techniques, then the information with its defense techniques. You let him pass through so many layers of defense that he gets bored, gets caught, or gets blocked by some means of prevention in one of these layers. Do not put all your security technologies in one basket; do not put all your eggs in one basket, because once it is attacked or compromised your castle is down. Put your security in layers. Apply every security technology you know about, whether encryption, firewall, intrusion detection, passwords, access control or physical security, wherever it is needed and possible. By the way, physical security lies here as well: it is a shell around all of this, the network, the host, the application and the information. Keep in mind the balance between security and access. Do not buy a safe that costs you $1000 to keep $10 inside it; you would be insane if you did. Do not spend much effort protecting information that causes no problem if compromised or lost. So apply the security techniques here and make the attacker suffer.

After all that, be aware that you are still vulnerable to zero-day attacks, to new viruses and worms. So if I am still vulnerable, why apply all these techniques? This is a good question. The answer is that you will be vulnerable to a certain extent, but the zero-day attacks and the new attacks will not cause you 100% losses or damages; they will cause limited damage and harm if you are applying defense in depth and applying the security technologies one by one in each layer of your system. So how is the information protected? Through encryption, for example: using an encryption algorithm for the information residing on hard disks can protect it from being stolen, read, carried away on portable devices, modified or deleted. Then the applications: licensed, updated, trusted applications, applications concerned mainly with security, for example ones that allow access to the information only through a username and password, check identity, and keep confidentiality, integrity and availability. Using such applications is one part of the defense in depth technique, so that you are not exposing your information to being read, modified or deleted through the application that uses it. Try to use licensed software, because licensed software is kept up to date from the security point of view. So keep upgrading your software applications, and updating them with all the patches available, to apply security at the application layer. On the host, use upgraded and updated operating systems, use a secure version of your operating system, apply a personal or host-based firewall, and close unused ports, so that you apply the defense in depth technique at the host level. At the network level you have a lot of technologies, and our whole course is about network security: you know about the firewall, the IDS, the access control lists on the router. You can now name a lot of things you can use to apply security on your network. These are the technologies that come first to mind when applying defense in depth: use each of them in its corresponding layer, so that your attacker is suffering, facing one technique, then another, then another; he gets bored or gets caught, or at least reaches the least amount of information possible for him to read, delete or modify. This is a very good concept, commonly applied in security nowadays, called defense in depth, and that is why we were very keen to introduce it in our course. Thank you.

24. What is an Incident?: Now let's get introduced to some of the terminology related to incident handling. Let's define what an incident is, and start by defining what an event is. Let's agree first that if you pursue your career as a security specialist, most of your time on the job will be spent reading events.
Events are the output lines from the security devices in your organization or company, such as the lines produced by the antivirus, the IDS, and the firewall. All of these log events in their log files, and your job is to read these events, analyze them, correlate them, and act accordingly. What is an event? An event is any observable occurrence in a system or a network. Rebooting of a system is an event, if it is repeated. Crashing of a system is an event, if it is repeated or has no observable reason. Packet flooding within a network, generating unwanted packets, is an event; it may be due to a normal increase in traffic, or it may be due to an attack, a virus or a worm on your network. So the event itself can be due to an incident or to normal reasons. All incidents are composed of events, but we should not be fooled: not all events are incidents. System reboots, system crashes and packet flooding are observable to us, but they may have normal, acceptable reasons, and then they are not incidents. Inside our organization we should focus on a certain type of event, the events of interest (EOI): those that are remarkable, that seem abnormal, that seem to have malicious software contributing to them, that seem to be a sign of an attack. An experienced security specialist detects at first sight which event is normal and which is an event of interest. To say that an event is an incident, you should determine the cause and the effect, the attacker and the victim, the malware and the system attacked. Let's look at the signs of an incident.

An incident has many signs. The IDS has generated an alert. There are unexplained entries in a log file. There are repeated failed events, repeated bad logon events, for Windows, for an email account, for any web account. There are unexplained new accounts: who created them, and for whom? These are signs that something is wrong, something incorrect going on in the system. A system reboots, and it is not due to power failure, or it is repeated: we should take care of this sign and determine the cause and the effect to define the complete incident. Poor performance: the network is slow, the web server is heavy, email accounts do not log in easily. All of these are signs of an incident that could have normal reasons, in which case it is a normal event and not an incident, or could be due to an attack or malicious software, a virus, worm or malware, in which case it is an incident. Let's take examples. Which of the following is an incident? An attacker running Nmap scans against a Unix system; an attacker exploiting sendmail on a Unix system; a backup tape containing sensitive information is missing. In the first two we explicitly say "an attacker", and we determine the type of the scan or the attack: Nmap scans in the first, exploiting sendmail in the second. We determine the victim in both: a Unix system being attacked by an attacker through some known attack technique. So the first two are clearly incidents, should be addressed, and you as a security specialist should take your defensive measures against them. But the third, a backup tape containing sensitive information is missing, is less clear.
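The repeated bad-logon, unexplained-new-account and IDS-alert signs listed above, turned into a small triage script over a log. This is an added example, not code from the course: the log format, hostnames, addresses and thresholds are constructed for illustration, and the "success right after a burst of failures" check goes one step beyond the lecture's list, because that pattern is what a guessed password looks like in the log.

```python
"""Event-of-interest (EOI) triage over a constructed auth log.

Added example, not code from the course. It assumes a syslog-like line
format "<ISO timestamp> <host> <program>: <message>" and picks two
thresholds for illustration: three failed logons for one user from one
source within five minutes, and account creation outside an assumed
09:00-12:00 change window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not from any real system.
SAMPLE_LOG = """\
2024-03-01T08:00:01 srv1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 srv1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 srv1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:15 srv1 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:10:00 srv1 useradd: new user: name=svc_backup, UID=1007
2024-03-01T13:20:00 srv1 useradd: new user: name=tmp, UID=1008
2024-03-01T13:21:00 srv1 snort: alert: possible port scan from 10.0.0.9
2024-03-01T17:00:00 srv1 sshd: Failed password for bob from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,\s]+)")

FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)
CHANGE_WINDOW_HOURS = (9, 12)   # assumed: account changes are expected 09:00-11:59


def parse_line(line):
    """Split one log line into its fields; return None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def events_of_interest(log_text):
    """Return (kind, timestamp, detail) tuples for events worth a handler's attention."""
    eoi = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    flagged = set()                # (user, src) pairs already reported
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, msg = ev["ts"], ev["msg"]

        m = FAILED_RE.search(msg)
        if m:
            key = (m["user"], m["src"])
            # keep only failures inside the sliding window, then add this one
            failures[key] = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[key]) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                eoi.append(("repeated-failed-logon", ts,
                            f"{len(failures[key])} failures for {key[0]} from {key[1]}"))
            continue

        m = ACCEPTED_RE.search(msg)
        if m:
            key = (m["user"], m["src"])
            # a success right after a burst of failures suggests a guessed password
            if key in flagged:
                eoi.append(("success-after-failures", ts, f"{key[0]} from {key[1]}"))
            continue

        m = NEWUSER_RE.search(msg)
        if m:
            lo, hi = CHANGE_WINDOW_HOURS
            if not (lo <= ts.hour < hi):
                eoi.append(("unexplained-new-account", ts, m["user"]))
            continue

        if ev["prog"] == "snort":
            eoi.append(("ids-alert", ts, msg))
    return eoi


if __name__ == "__main__":
    for kind, ts, detail in events_of_interest(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S}  {kind:<25} {detail}")
```

On the sample log this reports four events of interest: the three failures for alice, the successful logon that immediately follows them, the account created at 13:20 outside the change window, and the IDS alert. The single failure for bob and the account created inside the window are left as ordinary events, which is the distinction the lecture draws between events and events of interest.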
Here there is a possibility that the backup tape is being legitimately used by the system administrator to restore the information on it. So it can be an incident, or it cannot; it cannot yet be defined clearly and explicitly as an incident. You should determine the cause of the tape going missing: is it now under the control of legitimate users, or of illegitimate users? If illegitimate, it is an incident. If it is under the control of a legitimate user, it is a normal action of restoring information from this backup. With this, I hope we are ready to learn about the incident handling steps in the next lecture. Thank you.

25. Incident Handling: It's time for incident handling. Incident handling is a very big subject; it could be a separate course, and one of the specializations inside cyber security is incident handling specialist. We are here briefing the steps of incident handling in a condensed form. The steps are, briefly: preparation for incident handling, identification of the incident, containment of the incident, eradication of the effect of the incident, recovery from the incident, and then a lessons-learned meeting, to understand how this incident affected us and to enhance our security posture beyond what it was before.

Preparation is the first step. If you fail to prepare, prepare to fail. Planning is everything. You should set your policy: determine, announce, publish, document, and have signed what the allowed operations inside your company or premises are, and what the forbidden ones are. Your employees should know this and sign a written policy on the first day of their work, and sign again if the policy is updated. This is very important to avoid the accidental, unintentional attacks, to focus on the intentional ones, to set your defenses to be ready for those attacks only, and to save the time and effort spent on mistakes that some employees make because they do not know the policy or its update and were not aware that what they were doing is not correct. Obtain your management support. You should tell your manager, tell your CEO, that once we are under attack I should gain such and such privileges: I should have access to the servers and the server room; I should be able to call the administrators even if they are on vacation; maybe I should be the manager of the whole place until this attack passes. So let the management be aware that we are susceptible to incidents, that we may be under attack at any time, by a zero-day attack for example, and that as an incident handler I will be in charge and able to direct people who are not in my team or department, ask them for passwords, for example, or ask them to do certain tasks to recover from this incident. Select your team members. They may include the developers, the server administrators, the physical security personnel; the team may differ according to the nature of the incident. Identify contacts in other organizations. You should be aware of the legal and law enforcement procedures in your country and region regarding cyber crimes and incidents: whom to go to when complaining that you have been attacked by so and so, whom to show your forensic evidence of the attack, and what actions that legal or law enforcement organization can take against your attacker. You should create a disaster recovery plan in the first place, and keep it updated, to be ready when there is an incident and able to recover from it. You should provide checklists and procedures: checklists for the servers, the passwords, the accounts, and procedures to execute them, meaning that you assign a checklist to certain staff who execute it and report the output to you. You should have an emergency communications plan: phone numbers, email addresses, even the room numbers and extensions of the emergency people you may need at any time you are under attack or have an incident. This should be prepared and known beforehand, not at the time of the incident. You should have trained staff, staff that is aware of cyber security and network security principles, that has been taught the concepts, or that has graduated from our course, for example.

Identification: how to identify an incident. Complete identification should include the cause and the effect. Be willing to alert early, but do not jump to a conclusion. You may say that we are under attack, we are having a problem, but do not jump to the conclusion that there is an attacker and the attacker is so and so, or that we have been infected by the malware or virus named so and so. You may alert early that there is something wrong on the server or on the network. Be very cautious when notifying, because you should notify the correct people, and the correct people should not include, by any means, any potential attacker. The attacker may be an insider,
and he may be on the list you are notifying, so your notification may make him change his method of attacking. Notify the correct, relevant, responsible people who are completely willing to help, and keep any potential attacker off your notification list. Utilize the help desk. The help desk may tell you that the system you are reporting has been rebooting for a week, and that there have been trouble tickets about this problem. This is very helpful: utilize the help desk to learn the history of the incident, and you may reach conclusions faster. Assign a primary handler, who is the principal incident handler for this incident; it should be assigned, known, and given the relevant and appropriate privileges. Determine whether an event is an incident: define here that the cause is so and so and the effect is so and so, so this is not a normal event but an incident; something wrong has happened, not merely abnormal traffic or abnormal conditions, but something that has the effect, or the cause, of an attack by software or by a human attacker. Identify possible witnesses and evidence. Try to know who witnessed the system rebooting, and what the evidence is that the system is rebooting. Identify your eyewitnesses; eyewitnesses are more reliable than the logs on the machine, the antivirus, the firewall and so on, because an attacker who has compromised a system can alter its logs but cannot alter what a person saw. The evidence can be taken afterwards from the logs of the antivirus or the firewall, but eyewitnesses come first. Make a clean backup of the system. A clean backup: do not fall into the trap of making a compromised backup. Make a clean backup, to be restored in the recovery process later.

Containment. Containment is stopping the bleeding. If you have a bleeding person in front of you, you do not start by treating him; you stop the bleeding first. So secure the area, make a clean backup, and possibly pull the system off the network to prevent infection and the transfer of the worm through the network to other systems; possibly this is the solution, and possibly not. Change passwords, to prevent the attacker from re-accessing your system. Maybe the attacker gained access by brute-forcing the password; change it so that he cannot get in again while you are containing the incident, or he may still be accessing the system and doing unwanted things on it.

Eradication. Eradication is fixing the problem, and it should be done before putting the system back online. Do not rush putting the system back online. Determine the cause and the symptoms during eradication, improve your defenses, and then perform vulnerability analysis using some software to be sure that the malware, the virus or the attacker is not there any more. Before putting the system back online, be sure you have the right cause and symptoms, and improve the defenses to be better than they were while you were being attacked.

Recovery. Recovery means restoring, returning to the state you were in before being attacked. Recovery is bringing back the clean system, so make sure you do not restore compromised code. Validate your system using software that confirms there is no backdoor still present and no viruses or malware. Validate the system before rushing to put it back online. Decide when to restore operations, and do not rush; restore operations at the point when you are sure the system is clean, the system is back, the system can run fully without problems, and it cannot be reinfected. Then monitor the system for some time. Is it acting in a normal way, in the way you expect, the way it acted before? Or is there something abnormal, something unwanted? Monitor the system for a while to confirm that it is acting normally.

Lessons learned. Lessons learned is a very important step. Issue a developed report, and do not point accusation at a person; point it at a reason, not at persons, which is better. Try to get consensus on the report. We say "try", because in some cases you may not get full consensus among the team members on your report, so you get the most consensus you can. Conduct a lessons-learned meeting, in which you can say that our security systems missed so and so, that we should add such systems to our security policy, add such technology, upgrade such devices, and so on. Send your recommendations to the management. The management should be aware of what happened and what needs to be done; they should be in the picture, they should be with you. Sometimes a layer of defense is missing, you need a firewall for example; if that is the recommendation and there is no firewall, you are still susceptible to attack, and the management should be aware of this and accept the risk. Make follow-up meetings. What have we done since our last meeting? Did we enhance? Did we execute the recommendations? Is it possible or impossible to have such recommendations in hand? We need the output of the follow-up meeting to know where we are now, because some recommendations may be sent to the management and then sent nowhere, without you being notified.
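The recovery step above says to validate the restored system and make sure no compromised code comes back with it. One concrete way to do that, as an added example that is not part of the course, is to hash every file of the clean backup taken during identification and compare the restored tree against that baseline before going back online. The file contents and paths below are constructed in a temporary directory, and the baseline format (a mapping of relative path to SHA-256) is this example's own assumption.

```python
"""Validate a restored system against a known-good file baseline.

Added example, not the course's code. It assumes a SHA-256 baseline was
recorded from the clean backup taken during identification, and that the
restored tree is compared against it before going back online. The sample
files are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Report files added, removed, or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in baseline.keys() & current.keys()
                           if baseline[name] != current[name]),
    }


def is_clean(diff):
    """True only when nothing was added, removed or modified."""
    return not any(diff.values())


def _populate(root):
    """Constructed stand-in for a small system tree."""
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"\x7fELF original-ls")


def demo_untouched():
    """A restore that matches the baseline exactly."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _populate(root)
        baseline = build_baseline(root)
        return compare_to_baseline(root, baseline)


def demo_tampered():
    """A restore where a binary was replaced and a cron job was left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _populate(root)
        baseline = build_baseline(root)
        # same file size, different content: a size or timestamp check would miss this
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned-ls")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print("untouched restore clean:", is_clean(demo_untouched()))
    diff = demo_tampered()
    print("tampered restore clean:", is_clean(diff))
    for kind, names in diff.items():
        for name in names:
            print(f"  {kind:<9} {name}")
```

The baseline must be stored off the system being validated (on the handler's own workstation or a write-once medium); a baseline that lives on the compromised host can be rewritten by the same attacker who planted the backdoor. The check also only covers what was hashed, so the baseline should be built from the whole tree of the clean backup, not a hand-picked list.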
Even some of the key mistakes in incident handling is failure to report or ask for help. You turned always to say that everything is okay. Everything is good. So you failed to report or ask for help. No, do not do this. If there is a problem report that there is a problem, ask for her that there is a problem. This would save much effort in time and cost sometimes, then failing to report. You may mishandle or destroy the evidence. The evidence may be off good use after the recovery, and after the lessons learned toe, go to court toe goto the law enforcement organizations and ask for your rights. You may fail to create working backups. The backup is there, but it is not working. The back of is there, but it is compromised, so you may fail to create. So this such type of backup you may fail to contain or educate, you may fail to know which are the appropriate virus removal tools or which are the appropriate anti virus toe. Remove this malware. This could be your failure. You may fail to prevent the reinfection. You may fail to enhance your security posture to be ableto avoid reinfection off the virus . So this would be your failure. All humor failed or forget or ignore applying the lessons learned meeting. This is very dangerous if you do so, because if you fail toe, apply this lesson learned. Meeting. You are still susceptible for the reinfection and the virus or the more well or the attacker may visit your premises once again. Thank you 26. CIA: once again we know you two more to know more about the C I A. The confidentiality, integrity and availability in the world off cyber and network security Here is the very well known triangle confidentiality. Confidentiality is protecting data from being dread from being I mean from reading it by someone who is not authorized to read it. Integrity is protecting it from modification from changing from alerting from, I mean, altering from being change it by someone who is not authorized to do so. 
Availability is protecting information from being deleted from being destroyed and keeping it available for the legitimate and authorized access all the time. The ways toe xs control to protect this C I A. Are generally three ways. Is it toe authenticate someone based on something he knows, like the password or based on something he has like an excess core toe xs a physical room, for example, all the token that changes password every 60 seconds. This changing password is on a screen on this token and you are standing holding this tokcan in front of the server and typing that password that are appearing on the token on the screen off the server, which is which means that the attacker to attack this server needs toe, have the token itself and stand in front of the server the same second, he's typing the password, appearing on the screen off the token, So you are making it hard for him. If this token is stolen by itself, there's no problem. He has to be in front of the server at the same second. Sometimes you gain or you give access control. According to something, he is the one you are tryingto Santic. Eight is having, for example, such fingerprint such voiceprint or I signature or retina signature. It is based on this that you are authenticating him and telling that he is the person allowed to access this system passwords. And there is a lot to be said about passwords. Passwords should be mandatory for all accounts. No accounts should be allowed to be with no passwords. Passwords need to change every 60 days. 60 days is a point of design. Sometimes maybe you can be more restrictive and change it every 30 days. Sometimes you can be more flexible and change it every 90 days. Accounts must be locked after three failed attempts and three years, a point of design also can look logs out after one or five. All passwords must contains Alfa numeric and special characters. Toby, a good password and strong passwords. And it should be off minimum length. 
Let's say six characters. Sometimes people say the minimum length should be eight characters; this is also a point of design. You should not allow reuse of the previous three or five passwords; you should keep a password history to force whoever is changing the password to really change it, and not to fool the system by typing the old password as the new one. Passwords should not contain birthdays, names, sports teams or any information related to the password owner: his wife's name, his children's names, his country, or any name that is included in a dictionary, the English dictionary or the dictionary of his language. It should be a word that has no meaning in any dictionary. An example of a strong password is WLSmtls!@#$%5t. This is an example of a strong password mixing alphanumeric and special characters, capital and small letters, and it could serve as an example of a good password that is hard to crack: not impossible to crack, but just hard. Let's now look at the biometrics that can be used for access control: hand geometry, the retina, the iris, the voiceprint and mannerisms. How each works is written right here. Hand geometry measures the hand in three dimensions. The retina scan reads the blood vessels of the retina, but be aware that the retina is affected by diabetes or pregnancy: in women it is affected by pregnancy, and in old people by diabetes. The iris scan reads the iris patterns; it is safer and has no known drawbacks so far. The voiceprint can sometimes be fooled by a recording, and your voiceprint changes with illness or your psychological circumstances; it samples a user repeating a phrase and compares it to an earlier recording. This is how the voiceprint works. Mannerisms are something like handwriting or keystrokes.
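Here is the password policy stated above (minimum length, alphanumeric and special characters, capital and small letters, no reuse of the previous three or five passwords, no names, birthdays, teams or dictionary words) as an added worked example. It is not code from the course; the small dictionary, the personal-information list and the sample passwords other than the lecture's own are constructed for the demonstration.

```python
"""Added example (not part of the course): a checker for the password
policy stated in the lecture. The dictionary, the personal-information
list and the sample passwords other than the lecture's own are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8       # lecture: 6 or 8 characters, a point of design
    history_size: int = 5     # lecture: no reuse of the previous 3 or 5 passwords
    dictionary: set = field(default_factory=set)  # words with a dictionary meaning

    def check(self, password, history=(), personal_info=()):
        """Return the list of rule violations; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not re.search(r"[A-Z]", password):
            problems.append("no capital letter")
        if not re.search(r"[a-z]", password):
            problems.append("no small letter")
        if not re.search(r"[0-9]", password):
            problems.append("no digit")
        if not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
        # Password history: typing the old password again as the "new" one is refused.
        if password in list(history)[-self.history_size:]:
            problems.append(f"reuses one of the previous {self.history_size} passwords")
        lowered = password.lower()
        # Birthdays, names, teams and similar data about the owner, in any case.
        for item in personal_info:
            if item.lower() in lowered:
                problems.append(f"contains personal information '{item}'")
        # Any word with a meaning in the dictionary, anywhere in the password.
        for word in sorted(self.dictionary):
            if len(word) >= 4 and word.lower() in lowered:
                problems.append(f"contains dictionary word '{word}'")
        return problems


# Constructed stand-ins for a real word list and a user's personal details.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "secret"}
SAMPLE_PERSONAL_INFO = ["Ahmed", "1984", "Liverpool"]


def main():
    policy = PasswordPolicy(dictionary=SAMPLE_DICTIONARY)
    candidates = [
        "WLSmtls!@#$%5t",    # the lecture's example of a strong password
        "Liverpool1984!",    # team name plus birth year
        "Password1!",        # dictionary word
        "short1!",           # below the minimum length
    ]
    history = ["Password1!"]   # pretend this one was used last month
    for pw in candidates:
        problems = policy.check(pw, history, SAMPLE_PERSONAL_INFO)
        verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{pw!r}: {verdict}")


if __name__ == "__main__":
    main()
```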
It compares your handwriting, your stride, etc., to samples on file. It can change due to stress, injury, a limp or a tendon problem, and these scans can also produce false rejects. So there is no solution that is 100% safe, 100% working, 100% accurate; there is no such method. Biometrics, even biometric scanners, can have problems and can act the wrong way. Thank you.

27. Assets, Threats, and Vulnerabilities: Let's recall again some important definitions in cybersecurity or network security: assets, threats and vulnerabilities. What is the meaning of each of these important terms in the world of cybersecurity? An asset means everything that has value for an organization or an impact on its business continuity. Assets may include the personnel, the hardware, the software and the physical devices owned by this organization; documents owned by this organization are also assets. Assets should be identified in order to create an information security system. A security specialist should ask and should know precisely what he is trying to protect: what is the most precious thing in this organization that you are trying to protect, and that you fear to lose or to have its CIA, confidentiality, integrity or availability, breached? It should be clear what your assets are. Assets differ from one place to another: the assets of a hospital are the medical records of the patients; the assets of a telecommunication operator are the accounts of its users; the assets of a bank are the bank accounts of its clients; and so on. Every organization has its own assets and its own priorities in protecting them. Assets are what we are trying to protect, and that is why we, as security specialists, should know exactly what the assets are. Threats: a threat may be a person, thing, event or idea which poses danger to an asset.
The threat, in the sense of breaking the asset's confidentiality, integrity or availability, or causing some malfunction in the legitimate use of such an asset, may cause a denial of service in the use of that asset. So a threat is something trying to harm or damage one of your assets: a possible means by which a security policy may be breached, a loss of integrity or confidentiality. A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset. A threat may be only potential: it may be possible that this threat breaks the CIA, confidentiality, integrity or availability, of an asset. So it must be considered a threat, and it must be thought through how to face it, how to eliminate it and how to get rid of it. A threat is what we are trying to protect against. Vulnerability: this is the weakness, the back door, the hole in our system, a weakness or absence of safeguards. This is the gap in the security program. It can be exploited by threats to gain unauthorized access to an asset; this is the danger of the vulnerability. When the vulnerability meets the threat, then risk exists. High vulnerability and high threat mean high risk. If the vulnerability is low and the threat is high, or if the vulnerability is high and the threat is low, the risk may be low. But it is very dangerous to let the vulnerability go high and the threat go high, because then your risk will be very high and it needs addressing at once. A vulnerability is a weakness or gap in our protection efforts. There is always a vulnerability in your system. Your duty is to explore your systems for vulnerabilities, strengthen and patch your systems, and try not to let your vulnerabilities and threats meet at the same time, so as to minimize or eliminate risk as much as possible. Thank you.

28. Risk and Network Intrusion: Now let's define risk and know more about network intrusion techniques.
Risk is what security deals with; minimizing risk is the goal of security. Security deals with managing risk to your critical assets. Security is basically an exercise in loss reduction and risk elimination. It is impossible to totally eliminate risk, but you practice and apply your security technologies to make the risk as small as possible. Risk assessment is a branch and a very well-known section of cybersecurity that you can specialize in, and your job would be to determine the sources of risk and to minimize or eliminate them as much as you can. Risk is the probability of a threat crossing or touching a vulnerability; risk is when the threat meets the vulnerability, and if both are of high probability, then the risk is of high probability. Let's have a look at this formula: risk equals threat multiplied by vulnerabilities multiplied by impact. Sometimes it is threat multiplied by vulnerabilities only, but here we are introducing the complete formula. If the threat is high and the vulnerabilities are high, then the risk would be very high; you have a very high risk, and you should address it and know how to eliminate it. For example, the threat may be an attacker who is good at password guessing, and the vulnerability may be some users who are not good at choosing their passwords. If both meet, then the probability of the passwords being cracked would be very high. If one of them exists and the other does not, I mean, if the attacker is there but the users are using strong passwords, then the risk is less; the risk is smaller and can be handled in an easier way. But if both are high, it is something that we should take care of, and we should try to minimize either the threat or the vulnerability. What about the impact? The impact is the third element that affects the risk. We can imagine it in our example:
if there is an attacker who is trying to guess the password for an account that has no value, that is useless, and at the same time the vulnerability is there because the user who created this account used a weak password, you can imagine that the attacker can guess the password easily. But the impact of this password guessing, the impact of the loss of this account, is small, so it is not of big importance; it is not a big deal. The impact of losing this account is small, so this leads to a very small risk. What are the intrusion techniques, and what are the risks of intrusion? Information theft: breaking into a computer to obtain confidential information means breaking the confidentiality of the information; the information can be used or sold for various purposes. Data loss and manipulation: breaking into a computer to destroy or alter data records, where destroying means breaking the availability and altering means breaking the integrity of the data records. Identity theft: you may think first of stealing someone's username and password before accessing his account and destroying his information. For example, personal information is stolen for the purpose of taking over someone's identity. Using this information, anyone can obtain legal documents, apply for credit and carry out unauthorized online activities. So identity theft is the first step towards information theft; identity theft is not a goal by itself, but it can be a step towards more dangerous attacks.
Disruption of service, or denial of service, is preventing legitimate users from accessing services to which they should be entitled, which means breaking the availability of the service. This is very dangerous and of very high impact, and it can sometimes be caused very easily, by cutting off the power supply of a router or of a server to make a website go down for some time. So disruption of service is one risk of network intrusion: if you cut off the power of the access point, the router or the switch, the whole network will be down. These are examples of network intrusions. And here is a diagram that shows a hacker trying to hack, from an external network through the Internet, the internal network that contains his victim. So now we have introduced the meaning of risk and the possibilities and risks of network intrusion. Thank you.

29. Common Attacks: Now, let's know some of the common attacks in the cybersecurity and network security world. Social engineering is the ability of something or someone to influence the behavior of a group of people. Here it is related to fooling someone into giving away some information that he is not supposed to give, like a username or a password or a network map, or some information that he is not supposed to tell you about, as an attacker. In this diagram, for example, the attacker calls an employee in technical support, telling him about a problem that does not exist, and out of his courtesy he tries to help, so he may tell the caller the user ID of someone, or the password, or something like this. Social engineering is a step towards more dangerous attacks, and it is very commonly used as a component of attacks. Phishing: phishing is a form of social engineering. The phisher pretends to represent a legitimate party from outside the organization.
The phisher tells the unsuspecting customer that he is, maybe, his bank, and that he needs to know his bank account and password to check his accounts. This is a sort of phishing. It can be over the phone, over email, or by any means of communication used to send someone something that fools him, makes him a victim, and gets him to tell you or give you some of his assets. Let's know the difference between viruses, worms and Trojan horses. Viruses are programs that run and spread by modifying other programs or files. A virus is always contained in one PC. A virus cannot start by itself; it needs to be activated. Once activated, a virus may do nothing more than replicate itself and spread, fill the hard disk, damage some files, delete some files, or do something else that is harmful to your data. Worms are just like viruses, harmful programs, but they have an advantage over viruses in that they can spread and copy themselves to any connected host on the network, can run independently and spread quickly. They do not need to attach themselves to an existing program, do not necessarily require activation or human intervention, and can activate and run themselves. What about Trojan horses? A Trojan horse is a non-self-replicating program. It is just a backdoor, or a rootkit, that is installed on a certain system to give the attacker information on or access to this system. It is a non-self-replicating program that is written to appear like a legitimate program, when in fact it is an attack tool. It relies upon its legitimate appearance to deceive the victim into starting the program. Once started, it is a backdoor; once started, it gives the attacker access to this system. It may be relatively harmless as software in itself, or it can contain code that can damage the contents of the computer's hard drive. But Trojans can also create a back door into a system, allowing hackers to gain access.
The Trojan horse itself, as software, may be harmless, but its harm is that it opens the back door. It allows an attacker from outside the host to access the host, to read the files, to delete the files, to copy the files, or to do anything to the data inside this host. DoS and DDoS, denial of service and distributed denial of service: these are aggressive attacks on an individual computer or on groups of computers with the intent to deny services to the intended users. A DoS attack can be launched, like the diagram on the right, on a web server to bring the server down, to make the server inaccessible to its legitimate users. These attacks can target end-user systems, servers, routers and network links to bring them down, to make them useless and inaccessible to the legitimate users, as if the server were not there, the router were not there, or the network were not connected. The denial of service can be a plain denial of service or a distributed denial of service. The distributed denial of service is more sophisticated and potentially more damaging than the plain form of the DoS attack. It is designed to saturate and overwhelm network links with useless data. The DDoS is a DoS attack that is distributed among so many attackers that it may overwhelm or flood the network with useless data, so that the network is down, so that all the servers and all the users on the network feel that there is no network and are denied their services. DoS and DDoS are very common attacks nowadays, sometimes very sophisticated, and they may be launched to make a ransom demand against organizations. Brute force, spyware and cookies: brute force, first, is done by a computer that is used to try to guess passwords. The attacker tries a large number of possibilities in rapid succession.
Possibilities of passwords, of course, in rapid succession, to gain access, to crack the code of the password, to guess the right password of an email account, an Active Directory account, a Windows account or any type of account. Brute force attacks can cause a denial of service due to excessive traffic, because the attempt is repeated so many times to get the right password, and they can lock out the user account: the attacker can cause this account to be locked out and become inaccessible to the legitimate account owner. Spyware is a program that gathers personal information from your computer without your permission or knowledge. This information is sent to advertisers or others on the Internet and can include passwords and account numbers. It can cause some damage and some harm to your accounts, I mean accounts on the systems, on Windows and so on, or banking accounts. It is something that may lead to illegitimate access to such accounts, and it is something that we must take care of. Tracking cookies are a form of spyware, but they are not always bad, because they are used to record information about an Internet user when they visit websites. When you visit a website, the tracking cookie in the code of the website tracks some of your information, your age, your gender, your country, your place of residence, in order to help advertise to you the right products that may interest you according to age, gender and place of residence. Spam: spam is a serious network threat that can overload ISPs (Internet service providers), email servers and individual end-user systems. A person or organization responsible for sending spam is called the spammer. Spamming means sending so many emails or so many communication messages to so many recipients that are not related to each other, telling them something.
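The brute-force attack described above, seen from the defender's side: an added example (not from the course) that scans constructed authentication log lines for rapid failed logons against one account, applies the lecture's three-failed-attempts lockout rule, and shows which accounts would be locked out and so denied to their legitimate owners as well. The log format, the sample lines, the documentation-range addresses and the five-minute window are my assumptions.

```python
"""Added example (not from the course): detect brute-force password guessing
in authentication logs and show the account-lockout side effect.

Assumptions (mine): the log line format and the sample lines are constructed;
the lockout threshold of three failed attempts is the lecture's point of
design; the five-minute window is my choice.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

LOCKOUT_THRESHOLD = 3          # lecture: lock the account after three failed attempts
WINDOW = timedelta(minutes=5)  # assumption: failures are counted within 5 minutes

# Constructed sample log: alice is guessed at rapidly from one source, bob mistypes
# once and then logs in, carol is hit from several sources, dave fails slowly.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth=FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 auth=FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 auth=FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04 auth=FAIL user=alice src=203.0.113.7
2024-05-01T10:00:30 auth=FAIL user=bob src=198.51.100.20
2024-05-01T10:00:45 auth=OK user=bob src=198.51.100.20
2024-05-01T10:01:00 auth=FAIL user=carol src=203.0.113.8
2024-05-01T10:01:05 auth=FAIL user=carol src=203.0.113.9
2024-05-01T10:01:09 auth=FAIL user=carol src=203.0.113.10
2024-05-01T10:20:00 auth=FAIL user=dave src=198.51.100.21
2024-05-01T10:30:00 auth=FAIL user=dave src=198.51.100.21
2024-05-01T10:40:00 auth=FAIL user=dave src=198.51.100.21
"""


def parse_line(line):
    """Return (timestamp, result, user, src) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def analyze(log_text, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {user: {"failures": n, "sources": set}} for every account whose
    failed logons inside `window` reached `threshold` (it would now be locked).
    A successful login ends the account's current run of failures.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still in the window
    sources = defaultdict(set)    # user -> addresses the failures came from
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "OK":
            recent[user].clear()
            sources[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        sources[user].add(src)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            alerts[user] = {"failures": len(q), "sources": set(sources[user])}
    return alerts


def main():
    for user, info in analyze(SAMPLE_LOG).items():
        kind = "one source" if len(info["sources"]) == 1 else "several sources"
        print(f"{user}: {info['failures']} failures from {kind} {sorted(info['sources'])}"
              " -> account locked; the legitimate owner is now denied as well")


if __name__ == "__main__":
    main()
```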
Spammers often make use of unsecured email servers to forward email. Spammers can use hacking techniques, such as viruses, worms and Trojan horses, to take control of home computers: spammers send an email with an attachment containing a virus, a worm or a Trojan horse to one million users, for example, and ten of them may open this attachment and download and install this program. So in this way the spammer has gained access to the computers that were fooled by his attachment, and they are now under his control. Thank you.

30. Security Recommendations: The journey has come to an end. Let's have some security recommendations and summarize some of the main recommendations that we, as security specialists, can advise be applied on the network. First, let's have an idea about the malware propagation techniques. Malware sometimes propagates through removable media, like flash memories or flash drives, CDs and DVDs; through email attachments; web browsing can be a propagation technique for malware; social networks can also be a propagation technique; network vulnerabilities can cause malware to spread over the network; instant messaging applications can spread malware either through the chat itself or through the attachments and files being transferred; and so can peer-to-peer networks. All of these are malware propagation techniques and should be taken care of; we should be aware of all of them and keep in mind how to defend against malware propagation through any of these techniques or any of these networks. It is recommended that you define a security policy. Always, wherever you are responsible for security, ask for the policy; if there is none, then take it as your duty to define the security policy for the place. Use an upgraded operating system.
Use the most recent version of Windows or Linux and update it with the patches for Windows or Linux that are published every now and then; these are always related to security, and they always lead to a more secure operating system. Enforce strong passwords: complex passwords that change every now and then, that cause the account to lock out after three or four bad logon attempts, that are not repeated and that are kept in the history. Enforcing strong passwords is very helpful. Implement a firewall: you should implement a firewall to protect your network traffic from malicious traffic, and to protect your devices in the internal network and the demilitarized zone from malicious and wicked connections and attacks that may come through the Internet, or even from inside attackers. Isolate both the DMZ and the wireless networks, through separate switches, through the firewall or through any defensive technique that isolates your internal network, with its precious assets, from both the demilitarized zone, which is exposed to the Internet, and the wireless network, which is exposed to guests. Deploy antivirus on every single machine on the network, to protect your machines and your systems from viruses and malware. Utilize IDS and IPS. IDS is a very good technology in security. IPS is also very good, but it is very advanced; whenever they are necessary, go ahead and utilize them. But take care when utilizing IPS, because it may cause some problems: it takes decisions by itself, so you should be trained and be a good security specialist who understands what IPS does before using it. Consider a honeypot, if necessary. Consider deploying a honeypot inside your network if necessary; it may give you more and more information about your attackers and their attacking techniques, and give you evidence and forensics about them.
Upgrade and update the firmware of the switches, the routers, the firewall devices, of any device that runs on firmware. Upgrade and update the firmware always and whenever possible, because this upgrading and updating leads to better security for sure. Physically secure servers and network equipment, and consider the physical security of the servers, the network equipment, the machines, even the people themselves. Physical security is a very effective component of the security posture of the organization, and it has the advantage of being simple to undertake and very effective in its impact on your network. Set logon and file access permissions. It is always good to give permissions of exactly the size that is needed, the size that the employees or the legitimate users need, and not more permissions. Do not give the write permission to someone who only needs to read the files, or the delete permission to someone who only needs to read and write files. Change the default settings: the default passwords for switches, routers, access points, Windows devices or Linux devices. Think of the default settings as a weak point, as a vulnerability, as a back door in your security, and consider changing them if they are permissive. Never leave any default setting unchanged unless it is a necessity. Install antivirus and anti-spyware on the machines, and update the antivirus software files. These are two recommendations related once more to antivirus: antivirus and anti-spyware are good, will protect the machines and may protect the network. Update the antivirus; keep the antivirus updated, and of course use licensed versions of the software to be able to update it. Activate the browser tools like pop-up stoppers, anti-phishing and plug-in monitors.
And so on. All these browser tools may protect your host machine from having its confidentiality, integrity or availability broken, and from giving away confidential information without your permission or even without your knowledge. Thank you.