Tag: Transport Layer Security (TLS)

All major browsers drop TLS 1.0 and 1.1 in 2020

All major web browser makers announced on October 15, 2018, that the browsers that they produce will stop supporting the standards TLS 1.0 and TLS 1.1 in 2020.

The change was announced by Google, Apple, Microsoft, and Mozilla on company websites.

Transport Layer Security (TLS) is a security protocol that protects traffic on the Internet. It uses encryption to shield the data from eavesdropping.

TLS 1.0 and TLS 1.1 are old standards. TLS 1.0 turned 19 this year, a very long time on the Internet. The main issue with TLS 1.0 is not that the protocol has known security issues but that it doesn’t support modern cryptographic algorithms.

History & Development of SSL/TLS:

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

SSL and TLS are often referred to together, e.g. as SSL/TLS.

SSL was initially invented by Netscape in 1994.

SSL 1.0 was never released to the public because of its serious security flaws. SSL 2.0 was released in February 1995 and was later replaced by SSL 3.0, a complete redesign of the protocol carried out in 1996 by the American cryptographer Paul Kocher in collaboration with Netscape’s engineers.

Dr. Taher Elgamal, who was the chief scientist at Netscape Communications from 1995 to 1998, is considered the “Father of SSL”.

In 2014, researchers at Google disclosed the ‘POODLE’ vulnerability, which could allow attackers to decrypt encrypted connections to websites that use the SSL 3.0 protocol using a Man-in-the-Middle (MitM) attack, a popular way to intercept data.

This is where the hacker inserts a process between the client and server through which their communication passes, allowing the hacker to listen in on a private communication. The hacker may also be able to redirect the client to a website controlled by the hacker, where the hacker will infect the client with malware and/or commit financial fraud.

SSL 2.0 was prohibited in 2011, and SSL 3.0 was later prohibited in June 2015.

TLS (Transport Layer Security) was developed by the Internet Engineering Task Force (IETF) as a successor protocol to SSL.

In 1999, TLS 1.0 was designed as the successor protocol to SSL 3.0. Although the differences were not essential, experts stated that SSL 3.0 was less secure than TLS 1.0.

In 2006, TLS 1.1 was released. The next version, TLS 1.2, was released in August 2008. TLS 1.3 was released in August 2018.

TLS – a future enhancement of SSL

SSL uses a Message Authentication Code (MAC) algorithm; Transport Layer Security (TLS) goes a step further and uses keyed-Hash Message Authentication Code (HMAC). What does HMAC do? Well, it generates an integrity check just like a MAC, but with HMAC it becomes much tougher to break. TLS is a project of the Internet Engineering Task Force (IETF).

The TLS protocol consists of two layers of sub-protocols:

  • TLS Handshake Protocol: Enables the client and server to authenticate each other and select an encryption algorithm prior to sending the data
  • TLS Record Protocol: It works on top of the standard TCP protocol to ensure that the created connection is secure and reliable. It also provides data encapsulation and data encryption services.

Even though TLS 1.3 was first announced in 2014, it was released this April via OpenSSL. Adoption is still not global: there are millions of websites that need to upgrade to the latest version.

TLS 1.3 is currently supported in both Chrome (starting with release 66) and Firefox (starting with release 60), and is in development for the Safari and Edge browsers.

Benefits of using TLS 1.3:

  •  Faster connections

In the previous versions, two round-trips were needed to establish a secure connection. This process takes place before any actual data is transferred and lasts for hundreds of milliseconds.

With TLS 1.3 there is only one round-trip necessary to create a secure connection. This cuts the encryption latency by half!

TLS 1.3 speeds up previously established connections even more with the so-called “zero round-trip time” (0-RTT) mode. TLS 1.3 “remembers” previously shared keys and allows early data to be sent when resuming previous sessions.

Unfortunately, 0-RTT could be a potential threat. Attackers could capture your 0-RTT communication and duplicate the flight of 0-RTT data. If your pre-shared keys have not expired, the server will accept the attacker’s 0-RTT data and respond to it. This is especially dangerous for HTTP POST requests, e.g. “/buy-something”.

In order to prevent any harm, servers that allow 0-RTT should implement an anti-replay mechanism and limit 0-RTT to only some requests. Currently, TLS 1.3 does not provide, and in fact cannot provide, inherent replay protection for 0-RTT.
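As an added example (not code from the article or from any TLS library), here is a model of the server-side 0-RTT policy the paragraph calls for: early data is served only for safe HTTP methods, only within a short ticket window, and only once per resumption ticket. The Request shape, the ticket window and the use of HTTP status 425 "Too Early" (RFC 8470) to make the client retry are assumptions of the example.

```python
# Added example, not from the article or any TLS library: a model of the
# server-side 0-RTT policy described above. The Request shape, the ticket
# window and the use of HTTP 425 "Too Early" (RFC 8470) are assumptions.
import time
from dataclasses import dataclass, field

# HTTP methods that do not change server state and are tolerable to replay.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TICKET_LIFETIME = 60.0  # seconds a resumption ticket may carry early data (assumed)


@dataclass
class Request:
    method: str
    path: str
    early_data: bool      # True if the request arrived in the 0-RTT flight
    ticket_id: str        # identifier of the PSK ticket used for resumption
    ticket_issued: float  # time the ticket was issued (seconds since epoch)


@dataclass
class ZeroRttGuard:
    """Single-use ticket store: each ticket may carry early data at most once."""
    seen: dict = field(default_factory=dict)  # ticket_id -> issue time

    def _expire(self, now: float) -> None:
        """Drop tickets outside the window so the store stays bounded."""
        for tid, issued in list(self.seen.items()):
            if now - issued > TICKET_LIFETIME:
                del self.seen[tid]

    def decide(self, req: Request, now: float = None):
        """Return (status, reason): 200 to serve the request, 425 to make the
        client retry it after the full handshake."""
        now = time.time() if now is None else now
        if not req.early_data:
            return 200, "1-RTT data: the completed handshake rules out replay"
        # Rule 1: never act on state-changing requests (POST /buy-something) from early data.
        if req.method not in SAFE_METHODS:
            return 425, "non-idempotent request in 0-RTT; retry after handshake"
        # Rule 2: early data bound to a ticket older than the window is refused.
        if now - req.ticket_issued > TICKET_LIFETIME:
            return 425, "ticket too old for 0-RTT"
        # Rule 3: a duplicated 0-RTT flight reuses the same ticket, so tickets are single-use.
        self._expire(now)
        if req.ticket_id in self.seen:
            return 425, "0-RTT replay detected: ticket already used"
        self.seen[req.ticket_id] = req.ticket_issued
        return 200, "early data accepted"
```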

  • Improved Security

With a “less is more” approach, TLS 1.3 removed broken and vulnerable pieces of the previous protocols. Having done this, TLS 1.3 enhances security and its implementation is much simpler for developers.

Moreover, TLS 1.3 improves the safety of previous connections by securing session resumption with a PFS (Perfect Forward Secrecy) mechanism. Therefore, an attacker won’t be able to decrypt previous traffic even if he gains access to the session encryption key. In other words, all sessions and even session resumptions are individually protected.

Source: Ghacks, Wikipedia, ssl2buy, cdn77

AIR-GAPPED Computers

How do you remotely hack a computer that is not connected to the internet? Most of the time you can’t, which is why so-called air-gapped computers are considered more secure than others.

Air-gap refers to computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet.

The name arises from the technique of creating a network that is physically separated (with a conceptual air gap) from all other networks.

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

A true air gap means the machine or network is physically isolated from the internet, and data can only pass to it via a USB flash drive, other removable media, or a FireWire cable connecting two computers directly. But many companies insist that a network or system is sufficiently air-gapped even if it is only separated from other computers or networks by a software firewall. Such firewalls, however, can be breached if the code has security holes or if the firewalls are configured insecurely.

Although air-gapped systems were believed to be more secure in the past, since they required an attacker to have physical access to breach them, recent attacks involving malware that spread via infected USB flash drives have given the lie to this belief. One of the most famous cases involving the infection of an air-gapped system is Stuxnet, the virus/worm designed to sabotage centrifuges used at a uranium enrichment plant in Iran. Computer systems controlling the centrifuges were air-gapped, so the attackers designed Stuxnet to spread surreptitiously via USB flash drives. Outside contractors responsible for programming the systems in Iran were infected first and then became unwitting carriers for the malware when they brought their laptops into the plant and transferred data to the air-gapped systems with a flash drive.

The techniques for hacking air-gapped computers include:

  • AirHopper, which turns a computer’s video card into an FM transmitter to capture keystrokes;
  • BitWhisper, which relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
  • Stealing the secret cryptographic key from an air-gapped computer placed in another room using a side-channel attack. This is the first time such an attack has successfully targeted a computer running Elliptic Curve Cryptography (ECC).

Researchers in Israel showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. The proof-of-concept hack involves radio signals generated and transmitted by an infected machine’s video card, which are used to send passwords and other data over the air to the FM radio receiver in a mobile phone.

The method is more than just a concept, however, to the NSA. The spy agency has reportedly been using a more sophisticated version of this technique for years to siphon data from air-gapped machines in Iran and elsewhere. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the spy agency can extract data from targeted systems via RF signals and transmit it to a briefcase-sized NSA relay station up to eight miles away.

Elliptic Curve Cryptography is a robust key exchange algorithm that is widely used in everything from securing websites to protecting messages with Transport Layer Security (TLS).

Source: thehackernews, spectrum.ieee, wired.com

McAfee ePO Admin Interview Questions & Answers

Q.1  What is McAfee ePO?

McAfee ePolicy Orchestrator (McAfee ePO) is the most advanced, extensible, and scalable centralized security management software in the industry.

A single console for all your security management.

  • Get a unified view of your security posture with drag-and-drop dashboards that provide security intelligence across endpoints, data, mobile and networks.
  • Simplify security operations with streamlined workflows for proven efficiencies.
  • Flexible security management options allow you to select either a traditional premises-based or a cloud-based management version of McAfee ePO.
  • Leverage your existing third-party IT infrastructure from a single security management console with extensible architecture.

Q.2  Which is the latest version of ePO?

The latest versions of the McAfee products are:

  • ePolicy Orchestrator Ver 5.3.1
  • Virus Scan Enterprise VSE 8.8 Patch 6
  • McAfee Agent 5.0.1

To determine the ePO version number when you are logged on to ePO:

ePO 5.x: The version number is shown on the left pane of the Menu screen.

You can also determine the version by checking the version information contained within the server.ini file on the ePO server. You can open this file using Notepad.
The default location for the server.ini file is as follows:

…\Program Files\McAfee\ePolicy Orchestrator\DB

Q.3  What are the benefits of ePolicy Orchestrator Software?

ePolicy Orchestrator software is an extensible management platform that enables centralized policy management and enforcement of your security policies.

Using ePolicy Orchestrator software, you can perform these network security tasks:

  • Manage and enforce network security using policy assignments and client tasks.
  • Update the detection definition (DAT) files, anti-virus engines, and other security content required by your security software to ensure that your managed systems are secure.
  • Create reports, using the built-in query system wizard, that display informative user-configured charts and tables containing your network security data.

Q.4  Explain the important components of ePolicy Orchestrator software and what they do.

These components make up ePolicy Orchestrator software.

  • McAfee ePO server — The center of your managed environment. The server delivers security policies and tasks, controls updates, and processes events for all managed systems.
  • Database — The central storage component for all data created and used by ePolicy Orchestrator. You can choose whether to house the database on your McAfee ePO server or on a separate system, depending on the specific needs of your organization.
  • McAfee Agent — A vehicle of information and enforcement between the McAfee ePO server and each managed system. The agent retrieves updates, ensures task implementation, enforces policies, and forwards events for each managed system. It uses a separate secure data channel to transfer data to the server. A McAfee Agent can also be configured as a SuperAgent.
  • Master repository — The central location for all McAfee updates and signatures, residing on the McAfee ePO server. The master repository retrieves user-specified updates and signatures from McAfee or from user-defined source sites.
  • Distributed repositories — Local access points strategically placed throughout your environment for agents to receive signatures, product updates, and product installations with minimal bandwidth impact. Depending on how your network is configured, you can set up SuperAgent, HTTP, FTP, or UNC share distributed repositories.
  • Remote Agent Handlers — A server that you can install in various network locations to help manage agent communication, load balancing, and product updates. Remote Agent Handlers consist of an Apache server and an event parser. They can help you manage the needs of large or complex network infrastructures by allowing you more control over agent-server communication.
  • Registered servers — Used to register other servers with your McAfee ePO server. Registered server types include:

LDAP server — Used for Policy Assignment Rules and to enable automatic user account creation.

SNMP server — Used to receive an SNMP trap. Add the SNMP server’s information so that ePolicy Orchestrator knows where to send the trap.

Database server — Used to extend the advanced reporting tools provided with ePolicy Orchestrator software.

Q.5  How does the ePO software work?

ePolicy Orchestrator software is designed to be extremely flexible. It can be set up in many different ways, to meet your unique needs.

The software follows the classic client-server model, in which a client system (system) calls into your server for instructions. To facilitate this call to the server, a McAfee Agent is deployed to each system in your network. Once an agent is deployed to a system, the system can be managed by your McAfee ePO server. Secure communication between the server and managed system is the bond that connects all the components of your ePolicy Orchestrator software. The figure below shows an example of how your McAfee ePO server and components inter-relate in your secure network environment.

ePO server components

1 Your McAfee ePO server connects to the McAfee update server to pull down the latest security content.

2 The ePolicy Orchestrator database stores all the data about the managed systems on your network, including:

  • System properties
  • Policy information
  • Directory structure
  • All other relevant data the server needs to keep your systems up-to-date.

3 McAfee Agents are deployed to your systems to facilitate:

  • Policy enforcement
  • Product deployments and updates
  • Reporting on your managed systems

4 Agent-server secure communication (ASSC) occurs at regular intervals between your systems and server. If remote Agent Handlers are installed in your network, agents communicate with the server through their assigned Agent Handlers.

5 Users log onto the ePolicy Orchestrator console to perform security management tasks, such as running queries to report on security status or working with your managed software security policies.

6 The McAfee update server hosts the latest security content, so your ePolicy Orchestrator can pull the content at scheduled intervals.

7 Distributed repositories placed throughout your network host your security content locally, so agents can receive updates more quickly.

8 Remote Agent Handlers help to scale your network to handle more agents with a single McAfee ePO server.

9 Automatic Response notifications are sent to security administrators to notify them that an event has occurred.

Q.6  What is the default console port of ePO?

Console-to-application server communication port: 8443 (the TCP port that the ePO Application Server service uses to allow web browser UI access).

Q.7  What is the default Group policy of ePO?

Until you create additional policies, all computers are assigned the McAfee Default policy.

The McAfee Default policy is configured with settings recommended by McAfee to protect many environments and ensure that all computers can access important websites and applications until you have a chance to create a customized policy.

You cannot rename or modify the McAfee Default policy. When you add computers to your account, the McAfee Default policy is assigned to them. When you delete a policy that is assigned to one or more groups, the McAfee Default policy is assigned to those groups automatically.

The first time you create a new policy, the McAfee Default policy settings appear as a guideline. This enables you to configure only the settings you want to change without having to configure them all.

After you create one or more new policies, you can select a different default policy for your account. In the future, new policies will be prepopulated with these default settings, and the new default policy is assigned to new computers (if no other policy is selected) and groups whose policy is deleted.

Q.8  On which port does ePO communicate with the client agent?

Agent wake-up communication port / SuperAgent repository port: 8081

(This is the TCP port that agents use to receive agent wake-up requests from the ePO server or Agent Handler. It is also the TCP port that SuperAgents configured as repositories use to receive content from the ePO server during repository replication, and to serve content to client machines.)

Q.9  What is the purpose of a SuperAgent?

The SuperAgent is an agent with the ability to contact all agents in the same subnet as the SuperAgent, using the SuperAgent wakeup call. Its use is triggered by Global Updating being enabled on the ePolicy Orchestrator (ePO) server, and it provides a bandwidth efficient method of sending agent wakeup calls.

If you operate in a Windows environment and plan to use agent wake-up calls to initiate Agent-server communication, consider converting an agent on each network broadcast segment into a SuperAgent.

SuperAgents distribute the bandwidth load of concurrent wake-up calls. Instead of sending agent wake-up calls from the server to every agent, the server sends the SuperAgent wake-up call to SuperAgents in the selected System Tree segment. When SuperAgents receive this Wake-up call, they send broadcast wake-up calls to all agents in their network broadcast segments.

The process is:

  1. Server sends a wake-up call to all SuperAgents.
  2. SuperAgents broadcast a wake-up call to all agents in the same broadcast segment.
  3. All agents (regular agents and SuperAgents) exchange data with the server.
  4. An agent without an operating SuperAgent on its broadcast segment is not prompted to communicate with the server.

To deploy enough SuperAgents to the appropriate locations, first determine the broadcast segments in your environment and select a system (preferably a server) in each segment to host a SuperAgent. Be aware that agents in broadcast segments without SuperAgents do not receive the broadcast wake-up call, so they do not call in to the server in response to a wake-up call.

Agent and SuperAgent wake-up calls use the same secure channels. Ensure that:

  • The agent wake-up communication port (8081 by default) is not blocked.
  • The agent broadcast communication port (8082 by default) is not blocked.
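An added planning check, not McAfee’s own tooling: given an inventory of managed systems, their subnets and which of them host a SuperAgent, it groups the systems by broadcast segment and reports the segments whose agents would never receive a broadcast wake-up call (the gap step 4 above describes). The inventory, hostnames and address ranges are constructed for the example.

```python
# Added example, not McAfee tooling: SuperAgent placement check. It groups
# managed systems by broadcast segment, simulates a SuperAgent wake-up call
# and lists segments with no SuperAgent to relay it. Inventory is constructed.
import ipaddress
from collections import defaultdict

# Constructed inventory: hostname -> (interface address with prefix, hosts a SuperAgent?)
INVENTORY = {
    "fs01":   ("10.1.0.10/24", True),        # file server hosting a SuperAgent
    "ws-101": ("10.1.0.101/24", False),
    "ws-102": ("10.1.0.102/24", False),
    "db01":   ("10.2.0.5/24", False),        # this segment has no SuperAgent
    "ws-201": ("10.2.0.51/24", False),
    "lab-sa": ("192.168.50.2/25", True),
    "lab-01": ("192.168.50.77/25", False),
    "lab-02": ("192.168.50.130/25", False),  # upper /25 of the lab range: its own segment
}


def broadcast_segments(inventory):
    """Group hosts by the broadcast domain (network) their address belongs to."""
    segments = defaultdict(list)
    for host, (addr, _) in inventory.items():
        net = ipaddress.ip_interface(addr).network
        segments[net].append(host)
    return segments


def wakeup_coverage(inventory):
    """Simulate a SuperAgent wake-up call.

    Returns (woken hosts, uncovered segments). A segment is covered when at
    least one of its hosts is a SuperAgent, which then rebroadcasts the call
    to every agent in that segment; agents elsewhere are never prompted.
    """
    segments = broadcast_segments(inventory)
    woken, uncovered = set(), []
    for net, hosts in segments.items():
        if any(inventory[h][1] for h in hosts):
            woken.update(hosts)      # the SuperAgent relays the call to its whole segment
        else:
            uncovered.append(net)    # nobody relays the call here
    return woken, sorted(uncovered)


def suggest_superagent_hosts(inventory):
    """One candidate per uncovered segment. The text advises choosing a server;
    this model just takes the first host by name, so review the picks."""
    segments = broadcast_segments(inventory)
    _, uncovered = wakeup_coverage(inventory)
    return {str(net): sorted(segments[net])[0] for net in uncovered}


if __name__ == "__main__":
    woken, uncovered = wakeup_coverage(INVENTORY)
    print("woken:", sorted(woken))
    print("segments without a SuperAgent:", [str(n) for n in uncovered])
    print("suggested SuperAgent hosts:", suggest_superagent_hosts(INVENTORY))
```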

Q.10  What is McAfee Agent Handler?

Agent handlers are the component of ePolicy Orchestrator that handles communications between agent and server.

Multiple remote handlers can help you address scalability and topology issues in your network, and in some cases using multiple agent handlers can limit or reduce the number of ePO servers in your environment. They can provide fault-tolerant and load-balanced communication with a large number of agents, including geographically distributed agents.

Q.11  How do agent handlers work?

Agent handlers distribute network traffic generated by agent-to-server communication by assigning managed systems or groups of systems to report to a specific agent handler. Once assigned, a managed system performs regular ASCIs to its agent handler instead of the main ePO server. The handler provides updated site lists, policies, and policy assignment rules just as the ePO server does. The handler also caches the contents of the master repository, so that agents can pull product update packages, DATs, and other necessary information.

NOTE: When an agent checks in with its handler, if the handler does not have the updates needed, the handler retrieves them from the assigned repository and caches them, while passing the update through to the agent.

Q.12  What are the considerations for scalability?

How you manage your scalability depends on whether you use multiple McAfee ePO servers, multiple remote Agent Handlers, or both. With ePolicy Orchestrator software, you can scale your network vertically or horizontally.

  • Vertical scalability — Adding and upgrading to bigger, faster hardware to manage larger and larger deployments. Scaling your McAfee ePO server infrastructure vertically is accomplished by upgrading your server hardware, and using multiple McAfee ePO servers throughout your network, each with its own database.
  • Horizontal scalability — Accomplished by increasing the deployment size that a single McAfee ePO server can manage. Scaling your server horizontally is accomplished by installing multiple remote Agent Handlers, each reporting to a single database.

Q.13  When to use multiple McAfee ePO servers?

Depending on the size and make-up of your organization, using multiple McAfee ePO servers might be required.

Some scenarios in which you might want to use multiple servers include:

  • You want to maintain separate databases for distinct units within your organization.
  • You require separate IT infrastructures, administrative groups, or test environments.
  • Your organization is distributed over a large geographic area, and uses a network connection with relatively low bandwidth such as a WAN, VPN, or other slower connections typically found between remote sites.

Using multiple servers in your network requires that you maintain a separate database for each server.

You can roll up information from each server to your main McAfee ePO server and database.

Q.14  When to use multiple remote Agent Handlers?

Multiple remote Agent Handlers help you manage large deployments without adding additional McAfee ePO servers to your environment.

The Agent Handler is the component of your server responsible for managing agent requests. Each McAfee ePO server installation includes an Agent Handler by default. Some scenarios in which you might want to use multiple remote Agent Handlers include:

  • You want to allow agents to choose between multiple physical devices, so they can continue to call in and receive policy, task, and product updates even if the application server is unavailable, and you don’t want to cluster your McAfee ePO server.
  • Your existing ePolicy Orchestrator infrastructure needs to be expanded to handle more agents, more products, or a higher load due to more frequent agent-server communication intervals (ASCI).
  • You want to use your McAfee ePO server to manage disconnected network segments, such as systems that use Network Address Translation (NAT) or in an external network.

Multiple Agent Handlers can provide added scalability and lowered complexity in managing large deployments. However, because Agent Handlers require a very fast network connection, there are some scenarios in which you should not use them, including:

  • To replace distributed repositories. Distributed repositories are local file shares intended to keep agent communication traffic local. While Agent Handlers do have repository functionality built in, they require constant communication with your ePolicy Orchestrator database, and therefore consume a significantly larger amount of bandwidth.
  • To improve repository replication across a WAN connection. The constant communication back to your database required by repository replication can saturate the WAN connection.
  • To connect a disconnected network segment where there is limited or irregular connectivity to the ePolicy Orchestrator database.

Q.15  What is DLP?

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

Q.16  What is Endpoint Encryption for PC?

Endpoint Encryption for PC (EEPC) is a computer security system that prevents data stored on a hard drive from being read or used by an unauthorized person. With EEPC, users are forced to identify themselves to the security system when the computer is started. This is done by requiring up to three authentication methods:

  • Password
  • User ID
  • Token (Loaded on a floppy disk or any ISO 7816 smart card)

If the person accessing the computer fails to enter the correct information, EEPC prevents access to the computer as well as the encrypted data stored within. To gain access to an EEPC protected PC when using a smart card, users must insert their card into the reader when the EEPC authentication screen is displayed, then type their password and optional user ID. After the smart card verifies the password and EEPC has established that the correct token is used, the user is then granted access to the computer.

 Q.17  Is the Event Parser service running?

On the server side, ePO consists of three separate services:

  • The ePO Server service, responsible for the direct handling of Agent-to-Server communication;
  • The Event Parser service, responsible for the insertion of new client-generated events into the ePO database;
  • The ePO Server Application Server service, where all logic takes place and which also allows you to manage ePO.

Under certain circumstances, particularly when there is a problem with the database, it is possible the Event Parser service stops working. This prevents new events from being added to the database, essentially leaving you blind. Check whether the Event Parser service is running and correct any problems if this is not the case.

Q.18  Explain tags and tag functionality in McAfee ePO.

Tags allow users to create labels that can be applied to systems manually or automatically, based on the criteria assigned to the tag.

Similar to IP sorting criteria, you can use tags for automated sorting into groups. Tags are used to identify systems with similar characteristics. If you organize some of your groups by such characteristics, you can create and assign tags based on such criteria and use these tags as group sorting criteria to ensure these systems are automatically placed within the appropriate groups.

Tag functionality:
You can do the following with tags:

  • Apply one or more tags to one or more systems.
  • Apply tags manually.
  • Apply tags automatically, based on user-defined criteria, when the agent calls in.
  • Exclude systems from tag application.
  • Run queries to group systems with certain tags, then take direct actions on the resulting list of systems.
  • Base System Tree sorting criteria on tags to place systems into the appropriate System Tree groups automatically.

Types of tags

There are two types of tags:

  • Tags without criteria – These tags can be applied only to selected systems in the System Tree (manually) and systems listed in the results of a query (manually or on a scheduled basis).
  • Criteria-based tags – These tags are applied to all non-excluded systems at each agent-server communication. Such tags use criteria based on any properties sent by the agent. They can also be applied to all non-excluded systems on demand.
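An added example, not ePO’s own code: a small model of the two tag types. Criteria-based tags are evaluated from the properties the agent sends at each agent-server communication, systems excluded from a tag are skipped, tags without criteria are applied only manually, and tag-based sorting criteria then place systems into groups. The property names, tags and sorting rules are constructed for illustration.

```python
# Added example, not ePO's own code: a model of criteria-based and manual tags,
# exclusions, and tag-based System Tree sorting. All names are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional, Set


@dataclass
class Tag:
    name: str
    # None means "tag without criteria": it can only be applied manually.
    criteria: Optional[Callable[[dict], bool]] = None


@dataclass
class ManagedSystem:
    name: str
    properties: dict = field(default_factory=dict)
    tags: Set[str] = field(default_factory=set)
    excluded_tags: Set[str] = field(default_factory=set)  # tags this system is excluded from


def apply_tag_manually(system: ManagedSystem, tag: Tag) -> Set[str]:
    """Manual application works for both tag types."""
    system.tags.add(tag.name)
    return system.tags


def on_agent_server_communication(system: ManagedSystem, tags, new_properties: dict) -> Set[str]:
    """Each agent-server communication: store the properties the agent sent and
    apply every criteria-based tag whose criteria they satisfy, unless the
    system is excluded from that tag. This model only applies tags; clearing
    them is treated as a separate action."""
    system.properties = dict(new_properties)
    for tag in tags:
        if tag.criteria is None or tag.name in system.excluded_tags:
            continue
        if tag.criteria(system.properties):
            system.tags.add(tag.name)
    return system.tags


def sort_into_group(system: ManagedSystem, sorting_rules, default="Lost&Found") -> str:
    """Tag-based sorting: the first rule whose required tags are all present wins;
    otherwise the system lands in the catch-all group."""
    for group, required in sorting_rules:
        if required <= system.tags:
            return group
    return default


# Constructed tags: two criteria-based, one without criteria.
TAGS = [
    Tag("Server", lambda p: "Server" in p.get("os", "")),
    Tag("Laptop", lambda p: p.get("chassis") == "laptop"),
    Tag("Quarantine"),
]
# Constructed sorting criteria, evaluated in order.
SORTING_RULES = [
    ("Quarantined", {"Quarantine"}),
    ("Servers", {"Server"}),
    ("Laptops", {"Laptop"}),
]


def demo():
    web = ManagedSystem("web01")
    on_agent_server_communication(web, TAGS, {"os": "Windows Server 2016", "chassis": "rack"})
    laptop = ManagedSystem("lt-07", excluded_tags={"Laptop"})  # excluded from the Laptop tag
    on_agent_server_communication(laptop, TAGS, {"os": "Windows 10", "chassis": "laptop"})
    apply_tag_manually(laptop, TAGS[2])                        # manual tag without criteria
    return {s.name: sort_into_group(s, SORTING_RULES) for s in (web, laptop)}


if __name__ == "__main__":
    print(demo())
```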

Q.19  How does agent-server communication work?

McAfee Agent communicates with the McAfee ePO server periodically to send events and ensure all settings are up to date.

These communications are referred to as agent-server communication. During each agent-server communication, McAfee Agent collects its current system properties, as well as events that have not yet been sent, and sends them to the server. The server sends new or changed policies and tasks to McAfee Agent, and the repository list if it has changed since the last agent-server communication. McAfee Agent enforces the new policies locally on the managed system and applies any task or repository changes.

The McAfee ePO server uses an industry-standard Transport Layer Security (TLS) network protocol for secure network transmissions.

When the McAfee Agent is first installed, it calls in to the server within a few seconds. Thereafter, the McAfee Agent calls in whenever one of the following occurs:

  • The agent-server communication interval (ASCI) elapses.
  • McAfee Agent wake-up calls are sent from the McAfee ePO server or Agent Handlers.
  • A scheduled wake-up task runs on the client systems.
  • Communication is initiated manually from the managed system (using Agent Status monitor or command line).

Q.20  How often does the McAfee Agent call into the McAfee ePO server?

The Agent-to-Server Communication Interval (ASCI) default setting of 60 minutes means that the McAfee Agent contacts the McAfee ePO server once every hour.

Source: McAfee, dearbytes