# 12-A.1: Best Cybersecurity Practices

EXAM OBJECTIVES COVERED
3.3 Summarize security best practices in a Linux environment.

## Objectives of this Module

In this lesson, you will:

• Learn what the best practices are for cybersecurity in Linux, and how to implement them
• Carry out identity and access management (IAM) methods in Linux
• Learn to configure firewalls to filter network traffic
• Configure and run event and system logging services
• Learn how to back up, restore, and verify data

## Cybersecurity

Cybersecurity is the set of procedures and strategies used to protect sensitive information, computer systems, networks, and software applications from cyber attacks. "Cyber attack" is a general term that covers a large number of topics; some of the most common are:

• Tampering with systems and the data stored in them
• Exploitation of resources
• Unauthorized access to the target system and to the sensitive data it holds
• Disrupting the normal operation of the business and its processes
• Using ransomware attacks to encrypt data and extort money from victims

The attacks capable of breaching security and compromising systems are becoming increasingly inventive and complex, so it is a constant challenge for every business and security professional to keep up with and defend against them.

Since a Linux machine is no different from any other computer connected to the Internet, it is open to those same attacks. Linux does have some built-in security concepts - permissions, user IDs, groups, etc. - but those alone do not make it a "secure" system.

## The CIA Triad

The CIA triad of confidentiality, integrity, and availability is at the heart of information security. However, debate continues about whether or not this CIA triad is sufficient to address rapidly changing technology and business requirements. There are recommendations to consider expanding on the intersections between availability and confidentiality, as well as the relationship between security and privacy. Other principles such as "accountability" have sometimes been proposed; it has been pointed out that issues such as non-repudiation do not fit well within the three core concepts.

### Confidentiality
In information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." While similar to "privacy," the two words aren't interchangeable. Rather, confidentiality is a component of privacy that is implemented to protect our data from unauthorized viewers. Examples of confidentiality of electronic data being compromised include laptop theft, password theft, or sensitive emails being sent to the incorrect individuals.

### Integrity
In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Information security systems typically provide message integrity alongside confidentiality.

### Availability
For any information system to serve its purpose, the information must be available when it is needed. This means the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system, essentially forcing it to shut down.

In the realm of information security, availability can often be viewed as one of the most important parts of a successful information security program. Ultimately end-users need to be able to perform job functions; by ensuring availability an organization is able to perform to the standards that an organization's stakeholders expect. This can involve topics such as proxy configurations, outside web access, the ability to access shared drives and the ability to send emails. Executives oftentimes do not understand the technical side of information security and look at availability as an easy fix, but this often requires collaboration from many different organizational teams, such as network operations, development operations, incident response and policy/change management. A successful information security team involves many different key roles to mesh and align for the CIA triad to be provided effectively.

## Types of Authentication

Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe, a claim of identity. The bank teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be. Similarly, by entering the correct password, the user is providing evidence that he/she is the person the username belongs to.

There are three different types of information that can be used for authentication:

• Something you know: things such as a PIN, a password, or your mother's maiden name
• Something you have: a driver's license or a magnetic swipe card
• Something you are: biometrics, including palm prints, fingerprints, voice prints and retina (eye) scans

Strong authentication requires providing more than one type of authentication information (two-factor authentication). The username is the most common form of identification on computer systems today and the password is the most common form of authentication. Usernames and passwords have served their purpose, but they are increasingly inadequate. Usernames and passwords are slowly being replaced or supplemented with more sophisticated authentication mechanisms such as time-based One-Time Password algorithms.

There are several methods to provide authentication. We cover some of them below:

### Password

A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm the identity of a user. Using the terminology of the NIST Digital Identity Guidelines, the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

### Passphrase

A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase.

### PINs

A personal identification number (PIN), or sometimes redundantly a PIN number, is a numeric or alpha-numeric passcode used in the process of authenticating a user accessing a system.

The personal identification number has been the key to flourishing the exchange of private data between different data-processing centers in computer networks for financial institutions, governments, and enterprises. PINs may be used to authenticate banking systems with cardholders, governments with citizens, enterprises with employees, and computers with users, among other uses.

### One Time Password (OTP)

A one-time password (OTP), also known as one-time PIN or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).

The most important advantage that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. A second major advantage is that a user who uses the same (or similar) password for multiple systems is not made vulnerable on all of them, if the password for one of these is gained by an attacker.

### Hardware Token

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.

Some tokens may store cryptographic keys that may be used to generate a digital signature, or biometric data, such as fingerprint details. Some may also store passwords. Some designs incorporate tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Connected tokens utilize a variety of interfaces including USB, near-field communication (NFC), radio-frequency identification (RFID), or Bluetooth.

### Biometric devices

A biometric device is a security identification and authentication device. Such devices use automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic. These characteristics include fingerprints, facial images, iris and voice recognition.

### RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards.

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication as well.
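The client/server exchange described above, as an added example rather than code from the original lesson: a minimal RADIUS Access-Request and Access-Accept built in Python along the lines of RFC 2865, showing how the network access server hides the User-Password attribute with the shared secret and a random Request Authenticator, how the server recovers it, and how the client checks the server's Response Authenticator before trusting the reply. The shared secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1, header included) Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(payload: bytes) -> list:
    """Walk the attribute list, refusing lengths that would loop or overrun the packet."""
    attrs = []
    while len(payload) >= 2:
        attr_type, length = payload[0], payload[1]
        if length < 2 or length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[2:length]))
        payload = payload[length:]
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous output block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    padded, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        padded += bytes(h ^ b for h, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client (NAS) side: fresh random Request Authenticator plus User-Name and hidden User-Password."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    """Server side: reuse the request's Identifier and sign over its Request Authenticator."""
    identifier, request_auth = request[1], request[4:HEADER_LEN]
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(response, request, secret) -> bool:
    """Client side: recompute the Response Authenticator in constant time. A mismatch means the
    reply was forged or altered in transit, or the two ends do not share the same secret."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, response[HEADER_LEN:], request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo_exchange(secret: bytes = b"constructed-shared-secret") -> tuple:
    """One round trip: server recovers the password, answers Access-Accept, client checks it,
    and a reply whose code was flipped to Access-Reject without re-signing is rejected."""
    request = build_access_request(7, b"alice", b"correct horse battery", secret)
    fields = dict(parse_attrs(request[HEADER_LEN:]))
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request[4:HEADER_LEN])
    accept = build_response(ACCESS_ACCEPT, request, secret)
    forged = bytes([ACCESS_REJECT]) + accept[1:]
    return password, verify_response(accept, request, secret), verify_response(forged, request, secret)
```

Note that this hiding covers only the User-Password attribute and rests on MD5 and the strength of the shared secret; the rest of the packet travels in clear, which is why RADIUS between sites is normally carried over IPsec or RADIUS/TLS (RadSec, RFC 6614) and why the shared secret is treated as a credential in its own right.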

### TACACS

Terminal Access Controller Access-Control System (TACACS, /ˈtækæks/) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server.

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ has largely replaced its predecessors.

### LDAP

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

### Kerberos

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

### Kerberos in Linux

Most Linux distributions ship a Kerberos implementation, but on some distributions you may have to install the package before the client tools are available.

Here are a few of the more important commands for Linux Kerberos:

• kinit - obtain and cache a Kerberos ticket-granting ticket
• kpasswd - change a user's Kerberos password
• klist - list cached Kerberos tickets
• kdestroy - destroy Kerberos tickets

To obtain a ticket-granting ticket and start using Kerberos, the kinit command is used:

```
pbmac@pbmac-server $kinit pbmac@thisdomain.com
Password for pbmac@thisdomain.com:
pbmac@pbmac-server$
```

Use the klist tool to verify that a ticket was indeed obtained:

```
pbmac@pbmac-server $klist -v
Credentials cache: API:501:9
        Principal: pbmac@thisdomain.com
    Cache version: 0

Server: pbmac-server/thisdomain.com@thisdomain.com
Client: pbmac@thisdomain.com
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 256
Auth time:  Mon Nov  2 17:04:42 2020
End time:   Sat Oct 31 7:34:54 2020
Renew till: Mon Nov  9 17:04:42 2020
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
pbmac@pbmac-server$
```
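The kinit/klist procedure above is what a service account or login script has to automate: check whether a usable ticket exists before running a Kerberized job, and run kinit (or kinit -R to renew) when it does not. As an added example that is not part of the original lesson, the Python below parses verbose klist output into its fields and classifies the ticket as valid, expired but renewable, or expired. The input is the session shown above, embedded as constructed sample text; with those timestamps as printed, the ticket is already past its End time at its own Auth time, so the checker reports it as renewable rather than valid.

```python
import re
from datetime import datetime

# Verbose klist output, embedded here as constructed input (copied from the session above).
SAMPLE_KLIST = """\
Credentials cache: API:501:9
        Principal: pbmac@thisdomain.com
    Cache version: 0

Server: pbmac-server/thisdomain.com@thisdomain.com
Client: pbmac@thisdomain.com
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 256
Auth time:  Mon Nov  2 17:04:42 2020
End time:   Sat Oct 31 7:34:54 2020
Renew till: Mon Nov  9 17:04:42 2020
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # klist prints ctime-style timestamps
TIME_KEYS = ("Auth time", "End time", "Renew till")


def parse_klist(text: str) -> dict:
    """Turn 'Key: value' lines into a dict, converting timestamps and splitting the flag list."""
    info = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$", line)
        if match:
            info[match.group(1)] = match.group(2)
    for key in TIME_KEYS:
        if key in info:
            info[key] = datetime.strptime(info[key], TIME_FORMAT)
    flags = info.get("Ticket flags", "")
    info["Ticket flags"] = [f.strip() for f in flags.split(",") if f.strip()]
    return info


def ticket_state(info: dict, now: datetime) -> str:
    """'valid' before End time; 'renewable' if expired but the renewable flag is set and Renew till
    has not passed (kinit -R suffices); otherwise 'expired', meaning a fresh kinit is required."""
    if now < info["End time"]:
        return "valid"
    if "renewable" in info["Ticket flags"] and "Renew till" in info and now < info["Renew till"]:
        return "renewable"
    return "expired"


def ticket_state_at(text: str, iso_now: str) -> str:
    """Convenience wrapper: classify klist output against an ISO 8601 timestamp."""
    return ticket_state(parse_klist(text), datetime.fromisoformat(iso_now))


if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    print(info["Principal"], "->", ticket_state(info, datetime.now()))
```

In a cron job the text would come from running klist itself, and "expired" is the branch that should alert: a service whose credentials silently lapse is an availability failure, and one that is restored by an unexpected interactive kinit is a sign someone has the account's password.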