Planning & Conceptual Understanding
LAN Threat Scenario Rotation (First thing done)
1. Which of your original hypotheses you feel most confident about and why
This was the first thing in the unit, so guessing that some device was sending out packets to misdirect other devices was kinda spot on to what a rogue DHCP server is.
2. Which scenario was hardest to interpret
The device receiving a gateway that didn't match the router seemed confusing, since the context around it was hard to understand.
3. How talking with another pair strengthened or changed your thinking
They helped guide me through the ones I struggled with.
4. Patterns you started to notice across multiple scenarios
A device connects and starts doing some form of evil on the network, and the best way to prevent that is to prevent the device from connecting.
LAN Attack Path Diagram
• Why this attack succeeds when no internal security controls are present
This attack succeeds because every host on the network accepts whatever ARP reply it receives, whether or not it asked for one: ARP has no authentication, so a host has no way to tell a forged reply from a genuine one.
• Which security control introduced in today’s reading would stop this attack
Dynamic ARP Inspection (DAI) would block this. The switch checks every ARP packet that arrives on an untrusted port against the IP-to-MAC bindings recorded by DHCP snooping, and drops any packet whose sender IP and MAC do not match a binding for that port.
• How that control prevents the attack from progressing
It stops the attack right at step 1: the forged reply is dropped at the switch port it arrives on, so it never reaches the victim and the victim's ARP cache is never poisoned.
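To make the DAI rule concrete, here is a small simulation written for this page (it is not the switch's code or part of the original lab). A real switch fills its binding table from DHCP snooping or static ARP ACLs; here the bindings are entered by hand, and every port name, MAC and IP is a constructed example. The check is exactly the one described above: an ARP packet from an untrusted port is forwarded only if its sender IP, sender MAC and ingress port all match a binding.

```python
"""Toy Dynamic ARP Inspection (DAI) check.

Added example, not from the original write-up or any vendor. Bindings,
ports, MACs and IPs below are constructed; a real switch learns the
bindings from DHCP snooping (or static ARP ACLs for fixed hosts).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    port: str        # switch port the frame arrived on
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


class DaiSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplink / DHCP-server ports are never inspected
        self.bindings = {}                 # ip -> (mac, port), as DHCP snooping would fill it

    def learn_dhcp_ack(self, ip, mac, port):
        """What DHCP snooping records when a lease is granted on an untrusted port."""
        self.bindings[ip] = (mac, port)

    def inspect(self, pkt):
        """Return 'forward' if the sender fields match a binding, else a drop reason."""
        if pkt.port in self.trusted:
            return "forward"
        binding = self.bindings.get(pkt.sender_ip)
        if binding is None:
            return "drop: no DHCP binding for sender IP"
        mac, port = binding
        if mac != pkt.sender_mac:
            return "drop: sender MAC does not match binding"
        if port != pkt.port:
            return "drop: binding belongs to a different port"
        return "forward"


def demo():
    """Legitimate replies are forwarded; forged ones from the attacker's port are dropped."""
    sw = DaiSwitch(trusted_ports={"Gi0/24"})  # Gi0/24: uplink towards router and DHCP server
    sw.learn_dhcp_ack("192.168.1.10", "08:00:27:00:00:01", "Gi0/1")  # VM1 (constructed)
    sw.learn_dhcp_ack("192.168.1.20", "08:00:27:00:00:02", "Gi0/2")  # VM2 (constructed)
    attacker_mac = "02:11:22:33:44:55"
    cases = {
        # VM2 answering for its own address from its own port
        "vm2_real": ArpPacket("Gi0/2", "08:00:27:00:00:02", "192.168.1.20"),
        # attacker claims the gateway IP: nothing on an access port holds that binding
        "fake_gateway": ArpPacket("Gi0/5", attacker_mac, "192.168.1.1"),
        # attacker claims VM2's IP with its own MAC
        "fake_vm2": ArpPacket("Gi0/5", attacker_mac, "192.168.1.20"),
        # attacker clones VM2's MAC and IP, but from the wrong port
        "cloned_vm2": ArpPacket("Gi0/5", "08:00:27:00:00:02", "192.168.1.20"),
        # the real router speaks on the trusted uplink and is not inspected
        "gateway_on_uplink": ArpPacket("Gi0/24", "00:11:22:33:44:01", "192.168.1.1"),
    }
    return {name: sw.inspect(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The port check matters as much as the MAC check: an attacker who clones a victim's MAC and IP still arrives on the wrong port, and the binding table ties each lease to the port where the DHCP exchange happened.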
Technical & Security Development
Task A - LAN Observation
This screenshot contains a lot of valuable information from VM1, which emulates an ordinary user's computer. Listing its neighbors could expose new devices to attack.
This screenshot contains a lot of valuable information from VM2, which is modelled on a server. Exposing its MAC and IP address makes it vulnerable to impersonation.
If an attacker had this information, they could:
Impersonate an IP address and steal the traffic going to it.
Impersonate a MAC address.
Impersonate a neighboring device.
Impersonate a hop on the route.
Impersonate this device itself and steal any traffic going to it.
Task B - Evidence-to-Threat Analysis
Task C - Threat Mini-Simulation
Unauthorized plug in device
An unauthorized plug-in device is any device connected as a peripheral to a LAN, or to a device on the LAN, without authorization. These can include small packet sniffers that connect to the network and impersonate or spoof their way into receiving valuable packets. Such a device can act like any host on the network and receive packets meant for the real one. A good example is impersonating a printer: anything sent to it for printing is simply forwarded as PDF files to a foreign server.
For this, there is very little an attacker would need to know. Because it is connected via Ethernet, it is given a level of trust that wireless devices don't get, and therefore gets access to the network straight away. It could then list its neighbors (ip neigh shows the local ARP cache, which fills up as the device probes the subnet), and with intelligent code or a command-and-control server it could be made to do whatever the attacker wants.
Its target could be anything from a specific host to the gateway itself, which it could attempt to impersonate.
It would be fairly easy to notice if not hidden well: it shows up on the network as an unknown new device, and it is also a physical object plugged into a port, which may not be that well concealed.
The device could impersonate any host, but would probably get the most value from impersonating a server that many computers connect to.
Five Common Internal LAN Threats
• ARP Spoofing
Sends forged ARP replies so that victims' ARP caches map an IP address (usually the gateway's) to the attacker's MAC
Traffic for that IP then flows through the attacker, who can read, alter or drop it before forwarding it on
• MAC Flooding
Floods a switch with frames from thousands of fake source MACs until its MAC address table is full
The switch then fails open and floods unicast frames out every port, so the attacker can sniff traffic the switch would normally deliver only to its destination
• Rogue DHCP Server
Similar in effect to ARP spoofing, but works by answering DHCP requests before the real server does
Hands out leases naming the attacker as the gateway (the scenario where a device received a gateway that didn't match the router) or as the DNS server, so traffic is routed to the wrong, malicious place
• Unauthorized Plug-In Device
Connects to the network physically, through an unused or unprotected port
Can serve as the platform for any of the three attacks above
• Lateral Movement
Moving from one compromised host to others at the same level of access, rather than gaining higher tiers of access (that is privilege escalation), and finding data within the current tier
Looks for a "weak link" or exposed endpoint to hop to next
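The MAC flooding entry above says the switch "fails open"; the simulation below, added for this page (not from the lab or from any switch vendor), shows what that means and how port security changes it. The switch model, port names, MAC addresses and the table capacity of 100 are all constructed; real tables hold thousands of entries and age them out, but the behaviour is the same: once the table is full, frames to an address the switch cannot learn are flooded to every port, including the attacker's.

```python
"""Toy switch MAC address table under a MAC flooding attack.

Added example, not part of the original write-up. Ports, MACs and the
tiny table size are constructed so the effect is visible in a few frames.
"""

VM1, VM2 = "08:00:27:00:00:01", "08:00:27:00:00:02"   # constructed hosts


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = cam_capacity            # size of the MAC address (CAM) table
        self.limit = max_macs_per_port          # port-security maximum, None = disabled
        self.cam = {}                           # mac -> port
        self.per_port = {p: 0 for p in ports}   # MACs learned on each port
        self.err_disabled = set()               # ports shut down by a violation

    def ingress(self, port, src_mac, dst_mac):
        """Switch one frame; return the set of egress ports (empty if dropped)."""
        if port in self.err_disabled:
            return frozenset()
        if src_mac not in self.cam:
            if self.limit is not None and self.per_port[port] >= self.limit:
                self.err_disabled.add(port)     # port-security violation, shutdown mode
                return frozenset()
            if len(self.cam) < self.capacity:
                self.cam[src_mac] = port
                self.per_port[port] += 1
            # Table full: the source cannot be learned, but the frame is still forwarded.
        out = self.cam.get(dst_mac)
        if out is None:                         # unknown destination: flood
            return frozenset(p for p in self.ports
                             if p != port and p not in self.err_disabled)
        return frozenset({out})


def run(max_macs_per_port=None, flood_count=200):
    """Attacker on Gi0/5 floods fake source MACs, then VM1 (Gi0/1) talks to VM2 (Gi0/2).

    Returns how many VM1->VM2 frames were copied to the attacker's port."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/5"], cam_capacity=100,
                max_macs_per_port=max_macs_per_port)
    for i in range(flood_count):
        fake_src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # locally administered, fake
        sw.ingress("Gi0/5", fake_src, "ff:ff:ff:ff:ff:ff")
    leaked = 0
    for _ in range(3):                          # a short VM1 <-> VM2 conversation
        if "Gi0/5" in sw.ingress("Gi0/1", VM1, VM2):
            leaked += 1
        sw.ingress("Gi0/2", VM2, VM1)           # VM2 answers; may fail to be learned
    return {"leaked": leaked,
            "attacker_port_disabled": "Gi0/5" in sw.err_disabled,
            "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    print("no flood         ", run(flood_count=0))
    print("flood, no control", run())
    print("flood, port-sec 2", run(max_macs_per_port=2))
```

Without the attack only the very first frame to VM2 is flooded (the switch has not learned VM2 yet); with the table full every frame is flooded for as long as the attacker keeps the table full. With a per-port MAC limit the attacker's third fake address err-disables the port before the table fills.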
Final Reflection
The most threatening attack is probably the Unauthorized Plug-In Device. Especially when it comes to being detected, it literally becomes a game of hide and seek with the administrators to find where it's connected and shut it off or unplug it. Looking at the ip neigh command, if the device were configured to act like a standard computer, it would be impossible to tell that it was malicious. It also serves as the base for other attacks, and could be used repeatedly, shut down between strikes to either conserve power or increase concealment. Focusing on normalcy, it could hide both physically, by being a really small device tucked into a hard-to-reach corner of a lab, and on the network side, by pretending to be a device that only turns on for a very short time during an attack and stays idle awaiting commands otherwise.
The ip addr and ip route output of VM2 reveals the interface and IP address of the device.
arping and tcpdump side by side; tcpdump on the left shows it is receiving the who-has requests.
Testing, Observation & Risk Evaluation
What information does ARP reveal about devices on a LAN?
ARP reveals which MAC address (physical interface) is bound to which IP address on the LAN. Hosts address each other by IP, but frames on the wire are delivered by MAC, so this mapping is what turns a known IP into a reachable device, and it lets anyone on the segment enumerate every live host. As seen in the tcpdump screenshot, I'm just getting random devices informing the ARP table of their current IP, on top of the actual arpings from the other VM.
Why does ARP assume devices are trustworthy?
ARP assumes devices are trustworthy because it was designed for a LAN where being connected at all was the only check: the network is usually password- or physically protected, so the protocol itself has no authentication. Any host can answer any request, and hosts accept replies they never asked for.
How does this make ARP vulnerable to spoofing?
If a device manages to get onto the network, it can simply send ARP requests for every address in the subnet until it holds the IP-to-MAC mapping of the entire segment. That enables targeted attacks, and because hosts accept unsolicited replies, the attacker can also "poison" their ARP caches so that traffic for the gateway or another host is redirected to the attacker.
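The same tcpdump output used in the lab is enough to spot poisoning in progress. The script below is an added example for this page (not part of the original lab or of tcpdump) that reads `tcpdump -n arp` style lines and raises three kinds of alert: a reply nobody asked for, an IP whose MAC suddenly changes, and one MAC answering for several IPs. The capture embedded in it is constructed: VM1 (.10) resolves VM2 (.20) and the gateway (.1) normally, then an attacker MAC claims both addresses.

```python
"""Passive ARP-poisoning detector over `tcpdump -n arp` style output.

Added example, not from the original lab. SAMPLE is a constructed capture;
run with --stdin to read a live `tcpdump -n -l arp` pipe instead.
"""
import re
import sys

REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REPLY = re.compile(r"ARP, Reply (\S+) is-at (\S+),")

SAMPLE = """\
12:00:00.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
12:00:00.000250 ARP, Reply 192.168.1.20 is-at 08:00:27:00:00:02, length 28
12:00:01.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.000300 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:05.000001 ARP, Reply 192.168.1.1 is-at 02:11:22:33:44:55, length 28
12:00:05.000002 ARP, Reply 192.168.1.20 is-at 02:11:22:33:44:55, length 28
"""


def analyze(lines):
    """Return a list of (kind, ip, mac) alerts in the order they were raised."""
    seen = {}        # ip -> MAC first observed answering for it
    claims = {}      # mac -> set of IPs it has answered for
    pending = set()  # IPs somebody asked about and nobody has answered yet
    alerts = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            # Nobody asked. Gratuitous ARP is normal when a host joins, but it is
            # also how poisoning is pushed into a victim's cache, so record it.
            alerts.append(("unsolicited_reply", ip, mac))
        if ip in seen and seen[ip] != mac:
            alerts.append(("ip_mac_conflict", ip, mac))   # IP now maps to a second MAC
        seen.setdefault(ip, mac)
        claims.setdefault(mac, set()).add(ip)
        if len(claims[mac]) > 1:
            # One MAC answering for several IPs is what a man-in-the-middle looks
            # like (caveat: a router with several addresses or proxy ARP does it too).
            alerts.append(("mac_claims_multiple_ips", ip, mac))
    return alerts


if __name__ == "__main__":
    source = sys.stdin if "--stdin" in sys.argv else SAMPLE.splitlines()
    for kind, ip, mac in analyze(source):
        print(f"{kind:24} {ip:16} {mac}")
```

The first four lines of the sample produce no alerts; the two unsolicited replies from 02:11:22:33:44:55 produce an unsolicited-reply and an IP/MAC conflict each, and the second one also trips the multiple-IPs rule because the same MAC now answers for both the gateway and VM2.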
Why was Bridged mode required for this lab to work?
Without bridged mode (i.e. in NAT mode), both VMs would sit behind the host's NAT rather than on the physical LAN: to the router they would appear as the host itself and share its IP address, and their ARP traffic would stay inside the virtual network instead of reaching real neighbors. The lab needs each VM to have its own MAC and IP on the actual LAN so that arping from one VM shows up in tcpdump on the other and both can see real devices; bridged mode provides that.
Pharmaceutical Research Security Plan
4 Enterprise Physical Security Threat Analysis
Some of the physical security vulnerabilities relevant to a pharmaceutical research environment include:
Physical side:
1. Accidents
While rare, genuine physical damage to the building can happen, and it is most often accidental, typically a car or truck hitting the building. Ideally, a barrier of some kind would surround the whole facility to prevent anything from getting too close.
2. Unknown Persons
Having unknown people around the building presents the risk that they will attempt something. This would mostly be outside, but if someone managed to get inside (by having the door held for them, i.e. tailgating, etc.), that presents a grave security risk. If they aren't closely monitored, they could make their way into the heart of the facility.
3. Relying on Keycards
Keycards can be stolen, lost or cloned. If the door to a really important filing cabinet is secured only by a keycard, anyone holding that card can get in, including bad actors. This is a risk for every door secured only by a keycard.
4. Surveillance Blindspots
If cameras have blind spots, they lose most of their effectiveness. If a threat figures out where those blind spots are and how to abuse them, the cameras are useless along that path. By avoiding surveillance, an attacker gains more time to get deeper into the facility unnoticed.
5. Insiders
If physical security is tight, the easiest way for an attacker to get inside is to be hired to work there. This could affect any part of the facility, but it is riskier for higher-access positions.
6. Environmental Weaknesses
Not directly a person planning something nefarious, but for a company (especially a pharmaceutical one) environmental control has to be top tier. Drugs could behave differently or even spoil, and computers could fail if temperatures are kept too high.
4 Physical Security Plan - Pharmaceutical Research Facility
Environmental Controls
In order to mitigate or prevent the effects of fire, natural disaster, power outage, acts of God, heatwaves, etc., environmental controls must be put in place. At the most basic level these regulate temperature and humidity, with more extreme controls for extreme cases. If there is a fire, water cannot be used because it risks damaging equipment; instead a non-flammable suppression gas floods the room and displaces the oxygen, which snuffs out the fire without damaging any equipment. Filters must also be fitted at every air intake to stop dust from gumming up fans and other equipment.
Access Control
Without clear controls on who can go where, risks present themselves. Using biometric identification to pass between different security zones (and within them) averts them. Keycards should only be used for low-security areas, since they can be stolen, whereas a biometric is tied to one specific person (one caveat: a biometric cannot be reissued if it is ever copied, so the highest-security doors should combine it with a card or PIN). Zones should be set up between different areas, e.g. there is no path from the server room to the labs without an ID that has both server and lab access. Mantraps can also be used to catch bad actors: a vestibule with two interlocked doors where only one opens at a time, so someone who tailgated through the first door is held there until their credentials are checked, and nobody but a newcomer looking for something they shouldn't ends up stuck in one. Iris scanners and fingerprint sensors on locks are becoming common.
Surveillance and Detection
On top of automatically controlling access to regions, those regions also need to be monitored to make sure the access controls haven't failed. The easiest way to do this is a robust monitoring system that logs whenever someone enters a room, tracks them while they are within it, and logs their leaving. This should be combined with a central security room that closely monitors both everyone on site and the network traffic.
Hardware Security
On top of the manned security measures, automatic measures should also be in place. "Automatic" is being used loosely here, since locking the cages that actually contain the servers inside the server room is another "automatic" technique. On top of multi-layered locks, the cabling between servers must also be secured, by routing it through secure channels rather than leaving it lying on the floor. Network equipment should also be configured to disallow unknown devices on open ports, for example by disabling unused switch ports and enabling port security or 802.1X on the rest.
Personnel and Procedures
For managing personnel on the premises, every person requires specific privileges. Visitors aren't to be trusted at all until their identity is verified, and the same applies to workers until they prove who they are. Visitors who can be somewhat trusted (e.g. inspectors) should be closely escorted and never left alone with anything sensitive. Employees should also do their best never to be alone, always working in at least pairs but preferably more. When entering a locked room, each employee must use their own card, even if that means one enters, the door closes and relocks, and then the next unlocks and enters (no tailgating). They must also be trained to prevent leaks of information, including anti-phishing training.
4 Physical Security Diagram
4 Risk Justification and Priority Controls
Any implementation of these suggestions will take time, so it is important to explain which ones are most necessary and which mitigate the most. The easiest is keycard/biometric locks to section off the facility: with a combined keycard/biometric lock, replacing only the locks on the important doors wouldn't take long, and issuing temporary keycards until everyone is in the system wouldn't disrupt work. This heavily mitigates almost every physical attack, because an attacker who can't reach the asset can't damage it. It is the physical analogue of network segmentation on the software side, and the two work in tandem: to work with official data you have to be physically in the right place and connected to the right VLAN. Additionally, aiming first for camera coverage of common walkways helps security officers work out which part of the building someone is in, with more cameras added over time until the building is fully covered without blind spots. This lets an intruder be found before they can act. Finally, putting a proper environmental control system in place doesn't disrupt work, but does ensure regulatory compliance and the safety of both the network and the building.
Security Controls to Mitigate Vulnerabilities in a Switched LAN
This was the culmination of the unit: an official write-up containing the recommended security controls for a LAN. It combines actual evidence collected from the school's LAN with technical writing that is easy to read and understand, yet detailed enough for IT to implement exactly.