WEBVTT 1 00:00:00.160 --> 00:00:03.720 Welcome to the deep dive. Imagine your digital network is 2 00:00:03.759 --> 00:00:07.400 like a really complex fault Okay, now, picture new cracks 3 00:00:07.440 --> 00:00:11.439 forming every single day, often places you'd least expect, and 4 00:00:11.480 --> 00:00:14.279 there are unknown eyes constantly probing for weaknesses. 5 00:00:14.359 --> 00:00:16.280 Yeah, it's a constant battleground out. 6 00:00:16.120 --> 00:00:19.440 There, exactly. So today we're taking a deep dive into 7 00:00:19.480 --> 00:00:23.519 the critical world of network performance and security. Our mission, 8 00:00:23.960 --> 00:00:25.960 we want to pull out the most crucial, the most 9 00:00:26.000 --> 00:00:31.399 actionable insights from Chris Chapman's really foundational book Network Performance 10 00:00:31.399 --> 00:00:35.640 and Security, Testing and analyzing using open source and low 11 00:00:35.679 --> 00:00:36.359 cost tools. 12 00:00:36.479 --> 00:00:38.960 It's a great source packed with practical. 13 00:00:38.560 --> 00:00:41.119 Stuff, it really is. And this isn't just about theory, right. 14 00:00:41.640 --> 00:00:44.200 Our goal is to give you a practical roadmap. Think 15 00:00:44.200 --> 00:00:47.200 of it as a shortcut to understanding how to spot vulnerabilities, 16 00:00:47.240 --> 00:00:50.320 actually harden your infrastructure and even test its resilience. 17 00:00:50.399 --> 00:00:53.679 Now without getting totally overwhelmed by all the technical details. 18 00:00:53.920 --> 00:00:59.719 Precisely, we'll uncover some surprising facts and really practical steps 19 00:00:59.719 --> 00:01:02.679 that are directly relevant to you listening right now, because, 20 00:01:02.719 --> 00:01:04.959 let's face it, in a world that depends entirely on 21 00:01:05.000 --> 00:01:09.040 digital connections, your quality of experience, your productivity, even your 22 00:01:09.120 --> 00:01:11.640 data is safety. It all hinges on a network that 23 00:01:11.799 --> 00:01:13.400 secure and performs well. 24 00:01:13.680 --> 00:01:16.840 Absolutely, whether you're prepping for a big meeting, trying to 25 00:01:16.840 --> 00:01:18.480 stay current, or just curious. 26 00:01:18.599 --> 00:01:20.640 Yeah, if you fit any of those, this deep dive 27 00:01:20.680 --> 00:01:23.879 is definitely for you. Okay, So let's unpack this core truth. 28 00:01:24.120 --> 00:01:28.879 The sources really highlight our networks. They're under continuous assault, 29 00:01:29.480 --> 00:01:32.280 and not just from outside attackers, but often from within 30 00:01:32.400 --> 00:01:34.760 what we mistakenly call a trusted zone. 31 00:01:34.959 --> 00:01:37.640 That internal threat is often underestimated totally. 32 00:01:37.680 --> 00:01:40.400 And what's really unsettling is this idea of the unknown unknown. 33 00:01:40.439 --> 00:01:43.840 So those devices, those configurations we don't even realize are 34 00:01:43.920 --> 00:01:44.280 on our. 35 00:01:44.200 --> 00:01:48.599 Network lurking there, which brings up a critical point. What 36 00:01:48.920 --> 00:01:52.799 happens when those attacks or maybe just poor performance actually 37 00:01:52.840 --> 00:01:55.560 impacts you. We're all used to what the book calls 38 00:01:55.599 --> 00:01:57.840 the web dial tone expectation. 39 00:01:57.719 --> 00:02:01.439 Right, the idea that it's just always there, always on, predictable. 40 00:02:01.040 --> 00:02:03.319 Exactly, and when you hit a four h four error 41 00:02:03.359 --> 00:02:06.799 where things are just slow, it's not just annoying, it 42 00:02:06.920 --> 00:02:11.319 directly impacts productivity. Chapman points out if authentication takes more 43 00:02:11.360 --> 00:02:15.280 than four seconds, or a web page more than seven seconds. 44 00:02:14.879 --> 00:02:17.000 To load, people just leave, They click away. 45 00:02:17.159 --> 00:02:21.120 Most users just abort. Think about that loss of efficiency. 46 00:02:21.280 --> 00:02:25.120 Even voice quality like on a VOYIP call has a benchmark, 47 00:02:25.159 --> 00:02:27.520 the MOS score. You really want that at four point 48 00:02:27.520 --> 00:02:29.960 two or higher. Anything less feels off. 49 00:02:30.120 --> 00:02:32.719 Okay, and here's where it's really interesting for me, this 50 00:02:32.840 --> 00:02:36.840 whole concept of trust in security. Ah Chatman makes this 51 00:02:36.919 --> 00:02:40.919 really powerful statement. He says trust is a non controllable, 52 00:02:41.400 --> 00:02:44.560 non measurable assumption that someone will always do the right thing. 53 00:02:44.840 --> 00:02:46.639 He basically calls it soft security. 54 00:02:46.680 --> 00:02:49.599 It's intangible, isn't it. You can't configure trust exactly. 55 00:02:49.680 --> 00:02:53.039 And then there's this alarming statistic he includes sixty percent 56 00:02:53.039 --> 00:02:55.439 of employees who are fired have been found to steal data. 57 00:02:55.479 --> 00:02:56.919 Wow, sixty percent. 58 00:02:57.319 --> 00:03:01.800 Yeah, So, relying purely on trust, it's just fundamentally incompatible 59 00:03:01.800 --> 00:03:05.319 with a robust security policy. So for you listening, you 60 00:03:05.360 --> 00:03:10.039 expect your network to work flawlessly. Sure, but understanding these vulnerabilities, 61 00:03:10.039 --> 00:03:14.919 these well unrealistic expectations about trust, that's crucial for being 62 00:03:15.000 --> 00:03:17.199 proactive about your own digital safety day to day. 63 00:03:17.360 --> 00:03:18.240 Couldn't agree more. 64 00:03:18.759 --> 00:03:23.360 So, Okay, if trust is bad for security, then visibility 65 00:03:23.439 --> 00:03:24.240 must be good. Right. 66 00:03:24.439 --> 00:03:27.159 Visibility is everything, It's the foundation So the. 67 00:03:27.080 --> 00:03:30.759 First absolutely critical step is getting organized with a thorough 68 00:03:30.800 --> 00:03:33.800 network audit. Our source really drives home this point. What 69 00:03:33.879 --> 00:03:34.680 you think is on your. 70 00:03:34.520 --> 00:03:37.599 Network can be worlds apart from what's actually there, right. 71 00:03:37.599 --> 00:03:40.960 And it only takes one undocumented, maybe unpatched device, that 72 00:03:41.000 --> 00:03:43.280 old PC in the lab everyone forgot about, or a 73 00:03:43.319 --> 00:03:44.719 private server someone stuck under a. 74 00:03:44.719 --> 00:03:46.719 Desk, uh huh, the classic shadow it. 75 00:03:47.080 --> 00:03:50.400 Exactly, that becomes the perfect beachhead for malware or bot nets. 76 00:03:50.599 --> 00:03:53.680 And then you're looking at a massive, expensive cleanup job. 77 00:03:53.840 --> 00:03:56.719 And the real insight you get from doing this exhaustive audit, 78 00:03:57.319 --> 00:03:59.800 it isn't just knowing what you have, it's realizing how 79 00:03:59.879 --> 00:04:01.360 much which you didn't know you had. 80 00:04:01.719 --> 00:04:03.960 That's a great way to put it, turning those unknown 81 00:04:04.039 --> 00:04:05.080 unknowns into. 82 00:04:04.840 --> 00:04:08.120 Nones precisely, that's your first real line of defense and 83 00:04:08.199 --> 00:04:11.039 the scope of this audit, while it's pretty comprehensive, you 84 00:04:11.120 --> 00:04:14.520 need to document basically every single device that touches your network. 85 00:04:14.719 --> 00:04:16.759 Okay, break that down. What kind of devices? 86 00:04:16.879 --> 00:04:22.399 Well, first host assets, think fixed PCs, laptops, tablets, smartphones. 87 00:04:22.639 --> 00:04:26.120 You need the basics, make model, but also IP address 88 00:04:26.199 --> 00:04:29.480 and massy address, the OS version, all the installed. 89 00:04:29.040 --> 00:04:30.480 Software approved and unapproved. 90 00:04:30.519 --> 00:04:33.600 Oh absolutely, you need to know what's actually running and 91 00:04:33.720 --> 00:04:36.600 even who owns the device. Then you've got mobile assets. 92 00:04:37.040 --> 00:04:38.759 These are trickier because they come and go. 93 00:04:38.920 --> 00:04:41.360 You have laptops phones, right, The. 94 00:04:41.279 --> 00:04:44.720 Book suggests something pretty clever placing asset tags inside the 95 00:04:44.720 --> 00:04:48.120 battery case for laptops harder to remove. Helps with tracking. 96 00:04:48.279 --> 00:04:49.639 That's smart, Okay? What else? 97 00:04:49.920 --> 00:04:53.120 Virtualized servers they add another layer You need more than 98 00:04:53.160 --> 00:04:56.920 just standard server stuff. Think VM profiles, snapshot states, the 99 00:04:57.040 --> 00:04:59.680 data stores they're attached to, and the whole network functions 100 00:04:59.680 --> 00:05:03.199 of virtu ualization chain. That's NFV where network services run 101 00:05:03.240 --> 00:05:05.600 in software right up to the physical network card. 102 00:05:05.879 --> 00:05:08.720 So really deep visibility into the virtual layer. 103 00:05:08.720 --> 00:05:12.680 Two, you have to tools like HWI, NFO or just 104 00:05:12.800 --> 00:05:16.240 built in system info commands are key here and don't 105 00:05:16.240 --> 00:05:19.360 forget hypervisor admin accounts critical to document those. 106 00:05:19.240 --> 00:05:21.399 Got it? What about the network gear itself? 107 00:05:21.560 --> 00:05:28.160 Yep, network element objects, switches, routers again, make model adamin credentials, 108 00:05:28.319 --> 00:05:30.959 port types like is it one gig or ten gig? 109 00:05:31.000 --> 00:05:34.199 And what connects? Where you're basically drawing a living network 110 00:05:34.240 --> 00:05:37.240 map and you need to version control the configurations so 111 00:05:37.319 --> 00:05:39.399 you track every single change. 112 00:05:39.120 --> 00:05:41.480 Okay, that makes sense, like source control for your network. 113 00:05:41.199 --> 00:05:44.279 Configure kind of Yeah. And finally, and this is often 114 00:05:44.360 --> 00:05:50.040 overlooked information assets your data house. So most places have 115 00:05:50.120 --> 00:05:53.680 really weak rules about where data is stored. Chatman stresses 116 00:05:53.720 --> 00:05:57.399 classifying info maybe level ABC, with strict policies for each 117 00:05:57.480 --> 00:05:59.920 like level A data your most sensitive stuff. It can 118 00:06:00.040 --> 00:06:02.079 cannot be stored on a local PC, never in a 119 00:06:02.079 --> 00:06:05.079 public cloud, not accessible from the Internet period. 120 00:06:05.240 --> 00:06:08.920 That's really strict, but necessary if you're serious about protecting it. 121 00:06:09.040 --> 00:06:11.800 Yes, okay, that is a ton of information to gather 122 00:06:11.839 --> 00:06:14.240 and manage. How do you keep track of it all? Yeah, 123 00:06:14.319 --> 00:06:17.240 you definitely need a system. The book points towards needing 124 00:06:17.240 --> 00:06:20.959 a network management system in NMS. It actually recommends spice 125 00:06:20.959 --> 00:06:22.639 works is a good open source option. 126 00:06:22.839 --> 00:06:25.920 Spie works. Okay, is setting that up complicated? 127 00:06:26.040 --> 00:06:28.639 It needs to be done strategically. You need a dedicated 128 00:06:28.720 --> 00:06:32.279 server for it, pretty high end and definitely isolated, probably 129 00:06:32.279 --> 00:06:34.680 a modern Windows server machine. 130 00:06:34.240 --> 00:06:36.399 And you put that somewhere super secure. 131 00:06:36.199 --> 00:06:39.600 Absolutely in a very secure zone. But here's the counterintuitive part. 132 00:06:40.160 --> 00:06:44.199 You don't typically install firewall software directly on the NMS 133 00:06:44.240 --> 00:06:44.959 server itself. 134 00:06:45.120 --> 00:06:45.759 Really, why not? 135 00:06:46.120 --> 00:06:49.639 You want to minimize its own attack surface. Instead, you 136 00:06:50.199 --> 00:06:55.680 carefully open specific pinholes point security policies on your internal 137 00:06:55.720 --> 00:06:58.759 firewalls to let the NMS scan the network segments it 138 00:06:58.839 --> 00:06:59.199 needs to. 139 00:07:00.160 --> 00:07:03.000 So the protection is on the surrounding firewalls, letting the 140 00:07:03.079 --> 00:07:04.800 NMS do its job exactly. 141 00:07:04.920 --> 00:07:07.519 It needs tools like windp cap and a MIP installed 142 00:07:07.560 --> 00:07:10.600 two for standing. But the big takeaway from the audit 143 00:07:10.639 --> 00:07:14.360 process is this knowing what you have is the absolute 144 00:07:14.399 --> 00:07:15.959 fundamental layer of defense. 145 00:07:16.519 --> 00:07:17.839 Without it, you're just You're. 146 00:07:17.720 --> 00:07:21.000 Fighting blind and just one forgotten device can bring the 147 00:07:21.040 --> 00:07:21.879 whole thing down. 148 00:07:22.160 --> 00:07:25.399 Okay, so audit complete, you have this incredibly detailed picture 149 00:07:25.399 --> 00:07:26.839 of your network. What's next? 150 00:07:27.079 --> 00:07:30.680 Right now? You lock it down, harden the infrastructure itself. 151 00:07:31.120 --> 00:07:35.680 And this means really moving beyond that old simplistic trusted 152 00:07:35.800 --> 00:07:38.000 versus untrusted mindset. 153 00:07:38.319 --> 00:07:41.720 You mean treating everything is potentially untrusted pretty much. 154 00:07:41.839 --> 00:07:45.759 It's about internal segmentation, breaking your network into smaller, more 155 00:07:45.759 --> 00:07:47.759 defensible zones, even internally. 156 00:07:47.959 --> 00:07:49.480 So how does that look in practice? 157 00:07:49.600 --> 00:07:52.399 Well, it applies everywhere from the edge right to the core. 158 00:07:52.720 --> 00:07:55.800 For core network hardening, the rule is simple but powerful. 159 00:07:55.920 --> 00:07:59.279 If you don't absolutely need a service or protocol running, 160 00:08:00.240 --> 00:08:00.759 turn it off. 161 00:08:00.800 --> 00:08:02.360 Get rid of the unnecessary stuff. 162 00:08:02.399 --> 00:08:06.439 Exactly. Disable things like telnet old routing protocols like RIP 163 00:08:06.560 --> 00:08:10.680 if you're not using them. Unencrypted HTTP management interfaces just 164 00:08:10.720 --> 00:08:11.920 reduce the attack surface. 165 00:08:12.360 --> 00:08:13.759 What about managing the devices? 166 00:08:13.920 --> 00:08:18.480 Always always encrypt management sessions use SSH, configure it robustly, 167 00:08:18.560 --> 00:08:22.560 set session timeouts, limit log in attempts. Basic hygiene, but 168 00:08:22.680 --> 00:08:23.759 critical and logging. 169 00:08:23.800 --> 00:08:24.680 You mentioned that earlier. 170 00:08:24.759 --> 00:08:29.319 Critical logging is huge for incident response for forensics, but 171 00:08:29.439 --> 00:08:31.360 it's not just about having logs. They need to be 172 00:08:31.439 --> 00:08:33.600 time correlated across all devices. 173 00:08:33.840 --> 00:08:36.679 Ah, so you can piece together what happened when precisely. 174 00:08:36.919 --> 00:08:40.559 That means you need a dedicated, accurate NTP time source 175 00:08:40.639 --> 00:08:44.879 like a gpscinc server and a centralized cyslog server. Both 176 00:08:44.879 --> 00:08:47.399 of those need to be in a secure core zone themselves. 177 00:08:47.440 --> 00:08:51.120 Okay, what about protecting against fake traffic spoofing? 178 00:08:51.440 --> 00:08:55.480 Good question. Anti spoofing protection is vital, especially at the edge, 179 00:08:55.519 --> 00:08:59.679 but also useful internally things like unicast reverse path forwarding 180 00:09:00.360 --> 00:09:01.279 or URFP. 181 00:09:01.559 --> 00:09:02.120 What does that do? 182 00:09:02.399 --> 00:09:05.240 It basically checks if the source IP address on an 183 00:09:05.240 --> 00:09:08.799 incoming packet is actually reachable via the interface it arrived on. 184 00:09:09.320 --> 00:09:13.519 Helps block packets with forged source ips. And IP source guard, 185 00:09:13.600 --> 00:09:17.320 which uses DHCP snooping data to build dynamic access lists, 186 00:09:17.360 --> 00:09:21.120 binding ips to mday's and ports. Even just enabling basic 187 00:09:21.159 --> 00:09:24.320 port security on switches helps catch MAC spoofing attempts. 188 00:09:24.399 --> 00:09:27.480 So multiple layers there. Now, what about performance? People always 189 00:09:27.519 --> 00:09:28.679 complain about slowness. 190 00:09:28.799 --> 00:09:32.440 Right, optimizing performance with QoS quality of service. Often just 191 00:09:32.480 --> 00:09:34.519 throwing more bandwidth at a problem isn't the fix. 192 00:09:34.840 --> 00:09:36.320 Yeah, upgrades don't always help. 193 00:09:36.440 --> 00:09:41.559 Instead, classifier traffic, put services into buckets, network abmin, business critical, 194 00:09:41.639 --> 00:09:44.960 business standard, best effort, whatever makes sense for you. Then 195 00:09:45.120 --> 00:09:49.039 use QoS like diffserve markings at layer three to tell 196 00:09:49.039 --> 00:09:52.519 the network what's important. So even if some malware or 197 00:09:52.559 --> 00:09:55.120 a botnet starts hogging bandwidth. 198 00:09:54.559 --> 00:09:57.559 The network knows to prioritize the critical stuff exactly. 199 00:09:57.879 --> 00:10:00.000 Your important applications stay responsive. 200 00:10:00.240 --> 00:10:04.120 What about wide area networks connections between sites WAN security? 201 00:10:04.320 --> 00:10:06.559 This is a big one. We tend to think of 202 00:10:06.600 --> 00:10:10.279 our WAN links as inside and trusted. 203 00:10:09.960 --> 00:10:11.480 Because they connect our offices. Right. 204 00:10:11.559 --> 00:10:13.919 Yeah, but that's a dangerous assumption. The book is clear, 205 00:10:14.200 --> 00:10:17.320 treat your WAN as its own untrusted security zone. 206 00:10:17.360 --> 00:10:19.360 Okay, so encrypt everything. 207 00:10:19.679 --> 00:10:23.200 Strong encryption is non negotiable. Think AES two five six 208 00:10:23.200 --> 00:10:26.879 with robust hashing like SA five twelve using X point 209 00:10:26.879 --> 00:10:30.399 five zero nine certificates. Often this means dedicated hardware encryption 210 00:10:30.480 --> 00:10:31.559 boxes between sites. 211 00:10:31.759 --> 00:10:32.799 Right. How about wi fi? 212 00:10:33.399 --> 00:10:36.919 Always a headache organizational Wi Fi best practice? Think DMZ 213 00:10:37.039 --> 00:10:40.639 for wireless, set up two ssas one for internal trusted, 214 00:10:40.720 --> 00:10:44.399 use strong password, mixed case number symbols, and don't broadcast 215 00:10:44.399 --> 00:10:47.639 the sad name it it YEP, and then a separate 216 00:10:47.679 --> 00:10:50.480 guest network. It's okay to broadcast that one, but all 217 00:10:50.559 --> 00:10:53.360 guest traffic must be tunneled directly out to your Internet 218 00:10:53.399 --> 00:10:57.080 security zone, no access to the internal network, and make 219 00:10:57.120 --> 00:11:00.480 them accept terms. Maybe use two step authentication if possible 220 00:11:00.519 --> 00:11:01.039 for guests. 221 00:11:01.279 --> 00:11:03.720 Okay, separating those makes a lot of sense. What about 222 00:11:03.720 --> 00:11:05.480 the main Internet connection itself? 223 00:11:05.759 --> 00:11:09.600 Your external firewall and Internet connection. This is where you 224 00:11:09.639 --> 00:11:14.039 need serious hardware. The book recommends high end firewalls, the 225 00:11:14.159 --> 00:11:16.000 kind based on A six or. 226 00:11:15.919 --> 00:11:19.159 FPGA's dedicated hardware for speed, right. 227 00:11:19.000 --> 00:11:21.639 Because they need to do deep packet inspection and handle 228 00:11:21.679 --> 00:11:24.679 lots of connections without slowing down. They let you do 229 00:11:24.759 --> 00:11:28.679 really granular control too, like maybe allow Skype chat but 230 00:11:28.960 --> 00:11:30.519 block Skype file transfers. 231 00:11:30.639 --> 00:11:32.480 Ah control within the application itself. 232 00:11:32.600 --> 00:11:36.200 Yes, and use firewalls between your internal zones too to 233 00:11:36.360 --> 00:11:40.879 sandbox risk. For remote users, IPsec VPN is generally preferred 234 00:11:40.879 --> 00:11:45.600 over SSLVPN, using per user authentication and certificates and all 235 00:11:45.639 --> 00:11:48.159 that remote traffic needs to be inspected by the firewalls, 236 00:11:48.240 --> 00:11:50.200 intrusion prevention and dedoss engines. 237 00:11:50.240 --> 00:11:52.559 One last thing you mentioned, yeah printers really? 238 00:11:52.679 --> 00:11:56.519 Oh yeah, locking down printers. People forget them, but they're 239 00:11:56.519 --> 00:12:01.639 basically network connected computers with their own vulnerabilities. Interfaces, different protocols. 240 00:12:01.679 --> 00:12:02.440 Okay, so what do you do? 241 00:12:02.519 --> 00:12:07.360 Treat them seriously? Enable HTTPS only for the web management interface, 242 00:12:07.759 --> 00:12:12.159 Use strong passwords that you actually rotate. Restrict SMMP access 243 00:12:12.200 --> 00:12:15.120 so only your NMS can talk to it. Disabled telnet 244 00:12:15.159 --> 00:12:18.919 if it's somehow still enabled. Use secure printing protocols like 245 00:12:18.960 --> 00:12:20.480 IPP over TLS. 246 00:12:20.559 --> 00:12:23.919 Oh wow. Okay. The big picture here is definitely layers. 247 00:12:24.080 --> 00:12:28.120 It absolutely is a truly secure infrastructure is defense in depth. 248 00:12:28.519 --> 00:12:32.039 Every device, every protocol, every potential path for traffic needs 249 00:12:32.039 --> 00:12:35.200 scrutiny and being aggressive about disabling services you don't need. 250 00:12:35.399 --> 00:12:38.320 That drastically shrinks the area attackers can target right. 251 00:12:38.600 --> 00:12:40.679 Less surface area means fewer potential holes. 252 00:12:40.720 --> 00:12:41.200 You got it. 253 00:12:41.320 --> 00:12:44.159 Okay, let's shift focus a bit. Let's talk about the endpoint, 254 00:12:44.320 --> 00:12:47.000 the client computer. For many of us, that's a Windows machine, 255 00:12:47.559 --> 00:12:51.120 and the sources are really clear on this. The client 256 00:12:51.200 --> 00:12:53.639 is often a major point of attack, maybe even the 257 00:12:53.639 --> 00:12:54.840 weakest link in the whole chain. 258 00:12:55.039 --> 00:12:58.360 It frequently is. Unfortunately, it's where the user interacts directly, 259 00:12:58.480 --> 00:12:59.639 clicks on things. 260 00:12:59.679 --> 00:13:02.559 So hardening that client is crucial. What are the key steps. 261 00:13:02.840 --> 00:13:06.759 It's fundamentally about minimizing that attack surface and maximizing the 262 00:13:06.759 --> 00:13:11.919 built in protections. First off, software control big one. Users 263 00:13:11.919 --> 00:13:16.039 should never have administrator or even power user rights. 264 00:13:16.039 --> 00:13:18.720 Full stop, standard user accounts only. Yes. 265 00:13:19.120 --> 00:13:22.159 Instead, you use things like software restriction policies pushed out 266 00:13:22.200 --> 00:13:25.559 via group policy, maybe with w MII filtering for targeting. 267 00:13:25.960 --> 00:13:29.320 You basically whitelist only the approved applications that are allowed 268 00:13:29.360 --> 00:13:29.720 to run. 269 00:13:29.799 --> 00:13:32.240 So users literally can install random stuff they. 270 00:13:32.159 --> 00:13:36.960 Download exactly, no accidentally installing infected executables or those annoying 271 00:13:37.120 --> 00:13:40.840 browser toolbars that come bundled with things. Next, User account 272 00:13:40.879 --> 00:13:42.320 control UAC. 273 00:13:42.200 --> 00:13:43.840 That pop up everyone loves to hate. 274 00:13:43.879 --> 00:13:46.720 That's the one. Turn it up to its highest setting. Yes, 275 00:13:46.759 --> 00:13:49.039 it can be annoying, but it adds a really crucial 276 00:13:49.159 --> 00:13:53.399 layer prompting for authorization before software installs or system changes. 277 00:13:53.759 --> 00:13:56.159 It stops a lot of automated malware in its tracks. 278 00:13:56.200 --> 00:13:59.320 Okay, makes sense. What about the networking side of Windows itself? 279 00:13:59.600 --> 00:14:04.120 Yeah, Hardening Windows networking disable unnecessary stuff. If you're not 280 00:14:04.200 --> 00:14:07.120 using IPv six internally, turn it off on the clients. 281 00:14:07.480 --> 00:14:10.720 Same for things like IGMP or Universal Plug and Play 282 00:14:10.840 --> 00:14:13.559 UPMP is notoriously problematic for security. 283 00:14:13.759 --> 00:14:14.960 How do you check what's running? 284 00:14:15.039 --> 00:14:18.639 You want to minimize listening ports, run netstat ab and 285 00:14:18.759 --> 00:14:21.919 en in the command prompt that shows you which executables 286 00:14:21.960 --> 00:14:24.799 are listening on which ports. If you see something listening 287 00:14:24.799 --> 00:14:27.600 that you don't recognize, our need, investigate and remove it. 288 00:14:27.759 --> 00:14:29.960 Good tip. What about other Windows services? 289 00:14:30.080 --> 00:14:33.799 Right? Disabling unnecessary services? Windows comes with a lot of 290 00:14:33.840 --> 00:14:36.840 services running by default. There are great resources online, like 291 00:14:36.879 --> 00:14:39.679 the black Viper blog mentioned in the source that list 292 00:14:39.720 --> 00:14:43.039 services and whether they're typically safe to disable. Think about 293 00:14:43.080 --> 00:14:47.039 things like IP helper, offline files, parental controls if it's 294 00:14:47.039 --> 00:14:51.559 corporate machine, fax service, home group listeners, Bluetooth support if 295 00:14:51.600 --> 00:14:54.279 you don't use bluetooth, proper roles. If you don't need it, 296 00:14:54.440 --> 00:14:56.960 disable it again. Reducing the attack surfaces. 297 00:14:57.000 --> 00:14:59.279 Okay, browsers are obviously huge, too. 298 00:14:59.360 --> 00:15:04.600 Huge browser heartening. Ideally standardize the organization on one browser. 299 00:15:04.639 --> 00:15:07.600 The source recommends Chrome because it removed the old insecure 300 00:15:07.840 --> 00:15:12.039 NPPI plugin system, but whatever you choose, the absolute crucial 301 00:15:12.080 --> 00:15:17.240 thing is enable automatic updates, always be patched always. Then 302 00:15:17.360 --> 00:15:20.960 configure the settings tightly, for ie, set the internet zone 303 00:15:21.000 --> 00:15:25.120 to high, enable protected mode, smart screen, ActiveX filtering, tracking protection, 304 00:15:25.600 --> 00:15:29.320 turn off third party browser extensions unless explicitly. 305 00:15:28.799 --> 00:15:31.320 Approved, and for Chrome or Firefox. 306 00:15:30.919 --> 00:15:35.440 Similar principles. Configure privacy settings, aggressively block third party cookies, 307 00:15:35.559 --> 00:15:38.759 enable fishing and malware protections, and do not track requests. 308 00:15:38.840 --> 00:15:42.039 And a big one, never allow the browser to save passwords. 309 00:15:42.200 --> 00:15:44.759 Convenience versus security. Security wins here. 310 00:15:44.919 --> 00:15:47.519 Good point. What about Java still a thing? 311 00:15:47.919 --> 00:15:53.120 Still a thing, still needs attention Java security. Keep it updated, 312 00:15:53.240 --> 00:15:56.360 but only from the official Java dot com site. Make 313 00:15:56.440 --> 00:15:59.600 sure only the latest version is installed, uninstall old ones 314 00:16:00.120 --> 00:16:02.720 in the Java control panel, set the security level too 315 00:16:02.879 --> 00:16:06.720 high or very high, and be very strict about adding 316 00:16:06.759 --> 00:16:10.919 exceptions to the security prompts. Only allow internal trusted applications 317 00:16:10.960 --> 00:16:12.360 if absolutely necessary. 318 00:16:12.600 --> 00:16:15.519 Okay, so these are all really concrete steps someone listening 319 00:16:15.559 --> 00:16:17.360 can take, maybe even check on their own machine. 320 00:16:17.480 --> 00:16:21.440 Absolutely, it's about transforming that potential weak link into a 321 00:16:21.519 --> 00:16:24.279 much more robust part of the overall network defense. 322 00:16:24.440 --> 00:16:27.240 All right, so we've audited, we've hardened the infrastructure, we've 323 00:16:27.240 --> 00:16:30.320 hardened the client. Feels like we've built a pretty solid fortress. 324 00:16:30.320 --> 00:16:32.559 It's a good start, But how do you know it's solid? 325 00:16:32.639 --> 00:16:35.759 How do you know the defenses actually work against real 326 00:16:35.799 --> 00:16:36.840 world techniques? 327 00:16:37.120 --> 00:16:40.799 Ah? Right? Testing? This is where penetration testing comes. 328 00:16:40.600 --> 00:16:46.120 In, exactly, penetration testing and deep traffic analysis. Because the attackers, 329 00:16:46.639 --> 00:16:50.480 they're sophisticated, they use multi stage attacks. They might be 330 00:16:50.519 --> 00:16:54.600 after data, trying industrial espionage, even engaging in cyber warfare. 331 00:16:54.639 --> 00:16:57.240 You have to test your defenses against those kinds of threats. 332 00:16:57.360 --> 00:16:59.440 So you need to think like an attacker to defend. 333 00:16:59.200 --> 00:17:03.519 Against themsolutely do understand our techniques. The book mentions things 334 00:17:03.559 --> 00:17:07.920 like knock down attacks, finding backdoors, multi step multi host 335 00:17:07.920 --> 00:17:11.960 attacks to spread bots, reconnaissance to gather info, scanning for 336 00:17:12.039 --> 00:17:16.880 open ports, gaining access, maybe creating hidden admin accounts, maintaining 337 00:17:16.920 --> 00:17:20.640 that access, and then covering their tracks, deleting logs. 338 00:17:20.880 --> 00:17:22.319 So how do you test against that well. 339 00:17:22.319 --> 00:17:25.119 The testing philosophy is key. Security audits aren't a one 340 00:17:25.119 --> 00:17:28.200 and done thing. They're perishable. They need to be done regularly. 341 00:17:28.599 --> 00:17:31.119 The source suggests monthly, which is pretty frequent, but definitely 342 00:17:31.119 --> 00:17:33.319 trigger one after any major network change or when a 343 00:17:33.319 --> 00:17:37.440 big new vulnerability is announced. And critically, never assume the 344 00:17:37.480 --> 00:17:41.359 internal network is safe. Test from the inside too. Threats 345 00:17:41.400 --> 00:17:43.480 can absolutely originate internally. 346 00:17:43.599 --> 00:17:46.319 Okay, what tools do you use for this? The book 347 00:17:46.400 --> 00:17:47.480 mentions Colie Linux. 348 00:17:47.759 --> 00:17:50.759 Yeah, Colilinux is sort of the Swiss army knife for this. 349 00:17:51.319 --> 00:17:55.680 It's a Linux distribution packed with security and penetration testing tools. 350 00:17:56.119 --> 00:17:58.160 One of the most powerful tools within it is. 351 00:17:58.279 --> 00:18:01.720 Metasploy metasploit heard of it? What does it do? 352 00:18:02.079 --> 00:18:05.480 It's an open source framework. It contains a huge database 353 00:18:05.480 --> 00:18:09.200 of known exports. You can search for exploits targeting specific 354 00:18:09.279 --> 00:18:13.559 software like Windows versions or applications like mysequel. You set 355 00:18:13.559 --> 00:18:16.799 your target, configure any options the exploit needs, and then 356 00:18:16.839 --> 00:18:18.200 you type exploit and. 357 00:18:18.160 --> 00:18:20.119 It tries to break in ethically of. 358 00:18:20.079 --> 00:18:23.599 Course, ethically yes, It launches the attack, and if it's successful, 359 00:18:23.720 --> 00:18:26.119 metasploit can deliver a payload. Often that's the. 360 00:18:26.039 --> 00:18:27.960 Mitipriter shell and that sounds bad. 361 00:18:28.079 --> 00:18:31.000 It is. The book calls it the keys to the Kingdom. 362 00:18:31.079 --> 00:18:33.799 It gives the tester or an attacker deep control over 363 00:18:33.839 --> 00:18:37.319 the compromise machine. They can run commands, browse files, even 364 00:18:37.440 --> 00:18:40.960 enable keyloggers to capture passwords or turn on remote desktop. 365 00:18:41.079 --> 00:18:44.160 Okay, scary stuff. So how do you protect against that 366 00:18:44.279 --> 00:18:45.519 kind of penetration attack? 367 00:18:45.640 --> 00:18:48.680 Protecting your assets requires that layered defense we talked about. 368 00:18:49.559 --> 00:18:53.960 For instance, use different vendors for your IDSPS systems, maybe 369 00:18:53.960 --> 00:18:57.000 one at the main internet edge, another vendor's product protecting 370 00:18:57.039 --> 00:19:00.559 the data center zone. Diversity helps catch things one might miss. 371 00:19:01.039 --> 00:19:05.319 Configure firewall rules with really strict pinholes. Only allow the 372 00:19:05.359 --> 00:19:09.240 specific protocols and ports needed for applications to work, drop 373 00:19:09.319 --> 00:19:13.359 and log everything else, especially unauthorized outbound traffic that can 374 00:19:13.359 --> 00:19:14.440 be a sign of compromise. 375 00:19:14.759 --> 00:19:15.880 What about on the switches? 376 00:19:16.200 --> 00:19:20.359 Use access control lists ecls on your distribution layer switches. 377 00:19:21.000 --> 00:19:24.599 Enforce your intended traffic flows. For example, make a rule 378 00:19:24.599 --> 00:19:27.279 that application servers are only allowed to talk to database 379 00:19:27.319 --> 00:19:29.720 servers on the specific ports they need and nowhere else. 380 00:19:29.960 --> 00:19:32.839 On Linux servers, use iptuples or NF tables. 381 00:19:32.440 --> 00:19:35.480 Firewalls, so controlling traffic flow internally. 382 00:19:35.000 --> 00:19:39.119 Is key, hugely important. But there's another piece understanding valid traffic. 383 00:19:39.400 --> 00:19:40.559 You need a baseline. 384 00:19:40.640 --> 00:19:41.759 What does normal look like? 385 00:19:42.039 --> 00:19:44.640 Exactly? You can't spot an attack if you don't know 386 00:19:44.680 --> 00:19:48.039 what normal traffic patterns are for your network. Document the 387 00:19:48.079 --> 00:19:52.440 expected protocols, source the destination IPS port numbers for your applications. 388 00:19:53.000 --> 00:19:56.319 So if suddenly your internal only application server tries to 389 00:19:56.359 --> 00:19:58.839 connect to a random IP address on the Internet. 390 00:19:58.640 --> 00:20:01.039 Using httcs, that's a huge red flag. 391 00:20:00.839 --> 00:20:03.960 Massive red flag. That baseline is critical context. 392 00:20:04.039 --> 00:20:05.599 Okay, how do you get that baseline? How do you 393 00:20:05.640 --> 00:20:06.319 see the traffic? 394 00:20:06.480 --> 00:20:09.920 Tools like wireshark, it's a fantastic free packet sniffer. Use 395 00:20:09.960 --> 00:20:12.559 it to capture traffic at strategic points near the core, 396 00:20:12.640 --> 00:20:14.119 at zone boundaries. 397 00:20:13.720 --> 00:20:15.039 And just look at packets flying by. 398 00:20:15.240 --> 00:20:17.599 You can, but it's more powerful than that. You can 399 00:20:17.640 --> 00:20:20.920 create capture filters to only grab specific traffic, like not 400 00:20:21.160 --> 00:20:23.720 net ten point one point zero two four to see 401 00:20:23.720 --> 00:20:27.640