
Cybersecurity

Security is Confidentiality, Integrity, Availability, Authentication, Nonrepudiation.

The assets must be protected (physical support, files, software). Furthermore, the network must be secured too, because the data must also be protected during transmission itself.

Cybercrime

Economic and political gains. Compromised data and devices are usually used as weapons (blackmailing, DDoS, ...).

Data breach

  • the attacker gets access to the database, files, ...
  • the database's owner loses the data (mishandling)

Today's most common issues: vulnerabilities (CVE), phishing, key protection.

Preventing data breach and loss: DLP

  • Find and control data
  • Protect against data loss dynamically (when activity occurs / data is created)
  • Classify data (private, copyright, non-public, ...)
  • Protect locations (end-points, network, stored data)
  • Many events are flagged (most are false positives)

= Data Leak Protection server bound to the usual corporate servers (content filtering, data encryption, content authentication, logging, auditing)
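The two DLP tasks the list above names, classifying data and content filtering, come down to a decision taken on every message before it leaves. The following is an added example (not from these notes and not any DLP product's code) of such a check: it reads a classification marker, looks for payment-card numbers with a Luhn check to keep false positives down, and blocks or allows based on the label and on whether the recipient is external. The `CLASSIFICATION:` header convention and the policy in `inspect` are assumptions of this example.

```python
import re

# Classification labels from the notes; the header-marker convention below is an
# assumption of this example, not something the notes prescribe.
MARKER_RE = re.compile(
    r"^\s*CLASSIFICATION:\s*(public|non-public|private|copyright)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Candidate payment-card numbers: 13 to 16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: filters random digit runs (order numbers, ids) out of the PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the document's declared label, or 'unclassified' when no marker is present."""
    m = MARKER_RE.search(text)
    return m.group(1).lower() if m else "unclassified"


def find_pans(text: str) -> list:
    """Content filtering: card numbers found in the text, separators stripped."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            pans.append(digits)
    return pans


def inspect(text: str, external: bool) -> dict:
    """Decide whether a message may leave; `external` is True when the recipient is outside the company."""
    label = classify(text)
    pans = find_pans(text)
    reasons = []
    if pans:
        reasons.append("payment card data")
    if external and label in ("private", "copyright", "non-public"):
        reasons.append("label " + label + " may not leave the company")
    action = "block" if reasons else "allow"
    return {"label": label, "pans": pans, "action": action, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    print(inspect("CLASSIFICATION: private\nCard 4111 1111 1111 1111 expires 12/26", external=True))
    print(inspect("Order 1234567890123 shipped", external=True))
```

The Luhn step is what separates a DLP rule from a noisy one: the second sample contains a 13-digit order number that the regular expression alone would flag, which is exactly the false-positive problem the notes mention.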

Insider threat

Very significant (inside attack or negligence).

Ben-ware is software that analyses and profiles users.

Network Forensics

Investigate to find evidence (communication traces, email, messaging sessions, browser activity, packets, ... = logs). Find strings, files, checksums, ... in the logs.

  • not possible to recover all information
  • data may be corrupted, truncated, erased, encrypted, undocumented
  • large volume

Tools

  • libpcap (tshark, ...)
  • tcpdump
  • ngrep
  • hexeditors, libpcap capture readers, ...

Protocol analysis

magic numbers, default ports, body
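The three things the forensics notes say to look for in captured data (strings, files by their magic numbers, checksums) fit in one small tool. The following is an added example written for these notes, not code from any of the tools listed above: it scans a reassembled byte stream for well-known file signatures, extracts printable strings the way `strings` does, and carves a candidate object out with its SHA-256 so it can be compared against known checksums. The sample stream is constructed inline.

```python
import hashlib

# Well-known file signatures ("magic numbers") recognised by this example.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b\x08": "gzip",
    b"\x7fELF": "elf",
}


def find_magics(data: bytes) -> list:
    """Offsets of every known signature in the byte stream, as sorted (offset, type) pairs."""
    hits = []
    for sig, kind in MAGICS.items():
        start = data.find(sig)
        while start >= 0:
            hits.append((start, kind))
            start = data.find(sig, start + 1)
    return sorted(hits)


def find_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    out, run = [], bytearray()
    for b in data + b"\x00":            # the sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def carve(data: bytes, offset: int, length: int) -> tuple:
    """Cut a candidate object out of the stream and hash it for comparison with known checksums."""
    chunk = data[offset:offset + length]
    return chunk, hashlib.sha256(chunk).hexdigest()


# Constructed sample: a reassembled HTTP response carrying a PNG header, some padding,
# then the start of a PDF. Not a real capture.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
    + b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
)

if __name__ == "__main__":
    print(find_magics(SAMPLE))      # [(44, 'png'), (72, 'pdf')]
    print(find_strings(SAMPLE))
    print(carve(SAMPLE, 44, 8))
```

Signatures alone only tell where an object starts; the length passed to `carve` has to come from the protocol (Content-Length in the sample above) or from the file format's own structure, which is why protocol analysis and file carving go together.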


Data sniffing

Promiscuous mode: the computer accepts ANY packet (MAC address filtering disabled).

Remote sniffing detection

A sniffer can be detected by the presence of a NIC (Network Interface Card) in promiscuous mode (this requires looking on the device itself to see it, and it can be hidden with modified binaries like ifconfig).
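Because a trojaned ifconfig can lie, the local check is better done against the kernel's own view of the interface flags than against a tool's output. The following is an added example (not from these notes) for Linux: it reads `/sys/class/net/<iface>/flags` and tests the IFF_PROMISC bit (0x100, from `<linux/if.h>`) directly. The sysfs path and the flag value are real; the sample flag values in the test are constructed.

```python
import os

IFF_PROMISC = 0x100  # bit from <linux/if.h>; /sys/class/net/<iface>/flags reports these bits in hex


def is_promiscuous(flags_text: str) -> bool:
    """flags_text is the raw content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Names of the interfaces whose flags carry IFF_PROMISC, sorted for stable output."""
    return sorted(name for name, flags in flags_by_iface.items() if is_promiscuous(flags))


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Read the flags file of every interface straight from sysfs (Linux only)."""
    result = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # interface vanished or is not readable
    return result


if __name__ == "__main__":
    flagged = promiscuous_interfaces(read_sysfs_flags())
    print("promiscuous interfaces:", flagged or "none")
```

This defeats a replaced user-space binary but not a kernel-level rootkit, which can filter sysfs as easily as it filters ifconfig; when the host itself is in doubt, the remote techniques below are the only independent evidence.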

MAC Detection

Send a ping echo request to a valid IP address with a fake MAC address. A computer in promiscuous mode should respond (because there is no MAC filtering).

DNS Detection Background

Sniffers use reverse DNS lookups to resolve user names, etc. Send a packet with a FAKE IP address. The sniffer will try to resolve it, because it may have captured this packet.
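The detection side of this technique is a log search: after the decoy packet has been sent, only a host that captured it has any reason to ask the resolver for the PTR record of the fake address. The following is an added example (not part of these notes) that runs that search over constructed query-log lines. The BIND-style line shape in `LINE_RE`, the decoy address 10.9.8.7 and the client addresses are all assumptions of the example.

```python
import ipaddress
import re

# Query-log line shape assumed here (BIND-style "client <ip>#<port> ...: query: <name> IN <type>");
# adapt LINE_RE to the resolver actually in use.
LINE_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def ptr_name(ip: str) -> str:
    """The in-addr.arpa name a reverse lookup of `ip` asks for (10.9.8.7 -> 7.8.9.10.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def hosts_resolving_decoy(log_text: str, decoy_ip: str) -> list:
    """Clients that issued a PTR query for the decoy address; nobody should, the decoy never really talks."""
    target = ptr_name(decoy_ip).lower()
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("qtype").upper() == "PTR" and m.group("qname").rstrip(".").lower() == target:
            hits.add(m.group("client"))
    return sorted(hits)


# Constructed sample log (not a real resolver log): 10.0.0.21 does ordinary lookups,
# 10.0.0.37 asks who 10.9.8.7 is, an address that only appeared in the decoy packet.
SAMPLE_LOG = """\
12-Mar-2024 10:00:01.123 client 10.0.0.21#41523 (www.example.com): query: www.example.com IN A + (10.0.0.1)
12-Mar-2024 10:00:02.456 client 10.0.0.37#51000 (7.8.9.10.in-addr.arpa): query: 7.8.9.10.in-addr.arpa IN PTR + (10.0.0.1)
12-Mar-2024 10:00:03.789 client 10.0.0.21#41524 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
"""

if __name__ == "__main__":
    print(hosts_resolving_decoy(SAMPLE_LOG, "10.9.8.7"))   # ['10.0.0.37']
```

Two practical points: the decoy address must be one that no real host uses, or legitimate reverse lookups will pollute the result, and the search has to run on the recursive resolver the suspects actually use, since a cached answer never reaches an authoritative server's log.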

Load Detection Background

Sniffers use up a lot of machine resources. Generating lots of network traffic should have an impact on them. (Round Trip Time measuring technique = ping; ARP detection with a fake ARP destination.)

Wireless

Architecture

  • Base stations: asymmetric connections (nodes are mobile, stations are not)
  • Ad-hoc (mesh): nodes are peers

Technologies

  • Bluetooth
  • Wi-Fi
  • WiMAX
  • Cellular

WEP Security

Symmetric encryption using RC4, CRC for integrity, keeps a list of authorized MAC addresses. Very poor security.

WPA Security

  • temporal keys
  • user authentication with EAP
  • RC4

WPA2 Security

  • AES 128 bits, counter mode
  • 256 bits for the master key
  • 512 bits for the transient key, but a dictionary attack is possible with de-authentication

WPS

Easy setup (USB, PIN, push button, NFC); weak PIN implementation (checked in 2 stages of 4 and 3 digits).