Vicky's Page

Section 2.4 Attack Surfaces

As you study this section, answer the following questions:

  • How can organizations effectively manage their attack surfaces to minimize the risk of unauthorized access?
  • What is the difference between passive and edge discovery?
  • What are the differences between penetration testing and adversary emulation?
  • What are some methods used to reduce the attack surface?

In this section, you will learn to:

  • Set up security appliance access
  • Set up a captive portal
  • Discover vulnerable Bluetooth devices
  • Secure mobile devices
  • Configure a captive portal
  • Discover Bluetooth devices
  • Secure a mobile device
  • Configure a security appliance
  • Configure security appliance access

The key terms for this section include:

  • Attack surface: An attack surface describes all potential pathways a threat actor could use to gain unauthorized access or control. Each piece of software, service, and every enabled protocol on an endpoint offers a unique opportunity for attack.
  • Attack surface management: Attack surface management describes the methods used to continuously monitor an environment to identify changes to its attack surface quickly.
  • Passive discovery: Passive discovery can be a practical approach to managing the attack surface. Passive discovery describes the indirect methods used to identify systems, services, and protocols.
  • Edge discovery: Edge discovery seeks to define the "edge" of the network entirely. It is easy to assume that the edge comprises only internet-facing servers. The edge is instead composed of every device with internet connectivity.
  • Penetration testing: A penetration test involves hiring a trusted offensive security expert to fill the role of an attacker, tasking them to exploit the environment and evaluate the effectiveness of existing protections.
  • Adversary emulation: Adversary emulation seeks to mimic the actions of known threat actor groups. The MITRE ATT&CK® framework typically forms the basis of this type of assessment.
  • Bug bounty: Bug bounties allow organizations to define areas of their environment they would like help to protect. The bug bounty identifies elements of the environment that are in scope for testing and the rewards available for reporting issues.

This section helps you prepare for the following certification exam objectives:

Exam Objective
CompTIA CySA+ CS0-003

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

  • Threat hunting
    • Active defense

2.5 Explain concepts related to vulnerability response, handling, and management

  • Attack surface management
    • Edge discovery
    • Passive discovery
    • Security controls testing
    • Penetration testing and adversary emulation
    • Bug bounty
    • Attack surface reduction
TestOut CyberDefense Pro

3.1 Implement security controls to mitigate risk

  • Implement and configure a security appliance

3.2 Implement system hardening

  • Disable unnecessary services

3.4 Implement defensive deception methods

  • Configure a captive portal

4.2 Manage devices

  • Secure smartphones, tablets, and laptops

2.4.1 Managing Attack Surfaces

As previously described, threat models are valuable tools that allow a system to be deconstructed into its functional parts to understand better how a threat actor might exploit it. Furthermore, threat models seek to identify which threat actors will likely attempt to exploit the system. The goal of the threat model is to help determine how to improve a system's security posture, and part of this exercise often includes attack surface management and hardening.

This lesson covers the following topics:

  • Attack surface
  • Managing attack surfaces
  • Evaluating the attack surface
  • Penetration testing and adversary emulation
  • Reducing the attack surface

Attack Surface

An attack surface describes all potential pathways a threat actor could use to gain unauthorized access or control. Each piece of software, service, and every enabled protocol on an endpoint offers a unique opportunity for attack. Removing or disabling as many of these as possible can significantly reduce the number of (potentially) exploitable pathways into a system. Additionally, default configurations typically favor functionality and compatibility over security, so it is essential to understand how to customize a system to allow for the most secure type of operation, not necessarily the most convenient. Several hardening guides are available that outline secure configurations in precise detail. Two popular sources of best practice configuration include the Center for Internet Security (CIS) Benchmarks™ and the Department of Defense's Security Technical Implementation Guides (STIGs). As of this writing, the CIS Benchmark for Windows 10 had over 1,000 pages of recommended configuration changes.

More information about DoD STIGs is available at https://public.cyber.mil/stigs/ , and CIS Benchmarks™ are available at https://www.cisecurity.org/cis-benchmarks/ .

An organization's attack surface is broad, and every asset is interconnected. The overall attack surface is composed of every asset's attack surface. To keep this in perspective, every on-premises device, cloud resource, external service (e.g., software as a service (SaaS), online storage, or a software repository), or external network configured to access the organization is part of the attack surface. Attack surface management describes the methods used to continuously monitor an environment to identify changes to its attack surface quickly. This type of monitoring seeks to constantly locate shadow IT and other unknown devices, weak or default passwords, misconfigurations, missing patches, and many other items of concern.

Managing Attack Surfaces

Managing the attack surface means maintaining awareness of exposed services and ensuring they operate securely per organizational policy. Maintaining awareness necessitates continuous discovery and routine evaluation of configurations to ensure they are secure and working as intended. The most attack-prone area of an organization's infrastructure is the edge, which includes any services exposed to the internet. In 2007, a University of Maryland study identified that internet-connected services experience an attack every 39 seconds, and these numbers are likely worse today ( https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds/ ). With these numbers in mind, it is critically important to quantify services exposed to the internet and quickly identify any changes to this footprint.

Two methods to maintain awareness of exposed services include:

  • Passive discovery: Passive discovery can be a practical approach to managing the attack surface. Passive discovery describes the indirect methods used to identify systems, services, and protocols. Passive discovery, such as network packet capture, can reveal information about network-connected hosts, communications channels, protocols in use, and activity patterns. Passive discovery is beneficial as it leverages careful observation to show characteristics of network-connected software and devices.
  • Edge discovery: Edge discovery seeks to define the "edge" of the network entirely. It is easy to assume that the edge comprises only internet-facing servers. The edge is instead composed of every device with internet connectivity. Assuming attacks will occur from the internet, anything accessible must be considered part of the edge. The US Cybersecurity & Infrastructure Security Agency (CISA) identified that 90% of successful cyberattacks start with a phishing email ( https://www.cisa.gov/shields-up/ ). This fact underscores that an organization's edge is much broader than is often assumed.
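
The following added example (not code from the course page or from TestOut) shows what passive discovery, edge discovery, and continuous change detection look like when written down. The flow records, host addresses, and the KNOWN_ASSETS inventory are constructed for the demonstration; in practice they would come from a packet capture or a flow collector. Internal address space is defined explicitly as the RFC 1918 ranges.

```python
"""Passive discovery, edge discovery and change detection over flow records.

Added example; not code from the course page or from TestOut. All flows,
addresses and the asset inventory below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed observation window: the kind of records a passive packet capture
# or NetFlow export yields. Nothing here is probed or scanned.
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "192.168.1.10", 443, "tcp"),    # internet client -> web server
    Flow("198.51.100.7", "192.168.1.10", 443, "tcp"),
    Flow("192.168.1.55", "192.168.1.10", 443, "tcp"),   # internal client -> web server
    Flow("192.168.1.55", "192.168.1.20", 445, "tcp"),   # internal client -> file share
    Flow("203.0.113.44", "192.168.1.31", 3389, "tcp"),  # RDP reached from the internet
    Flow("192.168.1.31", "8.8.8.8", 53, "udp"),         # outbound DNS
    Flow("192.168.1.77", "192.168.1.20", 445, "tcp"),   # host missing from the inventory
    Flow("192.168.1.77", "203.0.113.80", 443, "tcp"),   # ...and it talks to the internet
]

# Constructed earlier window, used to show change detection.
PREVIOUS_FLOWS = SAMPLE_FLOWS[:4] + [SAMPLE_FLOWS[5]]

# Constructed asset inventory: address -> approved listening services.
KNOWN_ASSETS = {
    "192.168.1.10": {"name": "web01", "approved_services": {(443, "tcp")}},
    "192.168.1.20": {"name": "files01", "approved_services": {(445, "tcp")}},
    "192.168.1.31": {"name": "jump01", "approved_services": set()},
    "192.168.1.55": {"name": "ws-accounting-04", "approved_services": set()},
}

# RFC 1918 space, listed explicitly: ipaddress.is_private would also count the
# documentation ranges used as "internet" addresses above as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def observed_services(flows):
    """Passive discovery: {host: {(port, proto): set(of peers)}} for every
    internal host that received traffic."""
    services = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if is_internal(f.dst):
            services[f.dst][(f.dport, f.proto)].add(f.src)
    return services


def edge_hosts(flows):
    """Edge discovery: any internal host that exchanged traffic with a
    non-RFC 1918 address, in either direction, is part of the edge."""
    edge = set()
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            edge.add(f.src)
        if is_internal(f.dst) and not is_internal(f.src):
            edge.add(f.dst)
    return edge


def findings(flows, known_assets):
    """Compare what was observed with what the inventory says should exist."""
    services = observed_services(flows)
    seen_hosts = {f.src for f in flows if is_internal(f.src)} | set(services)
    unapproved, exposed = [], []
    for host, svc_map in services.items():
        approved = known_assets.get(host, {}).get("approved_services", set())
        for (port, proto), peers in svc_map.items():
            if (port, proto) not in approved:
                unapproved.append((host, port, proto))
            if any(not is_internal(p) for p in peers):
                exposed.append((host, port, proto))
    return {
        "unknown_hosts": sorted(seen_hosts - set(known_assets)),  # shadow IT candidates
        "unapproved_services": sorted(unapproved),                 # reduction candidates
        "internet_exposed_services": sorted(exposed),
        "edge_hosts": sorted(edge_hosts(flows)),
    }


def service_snapshot(flows):
    """The service footprint of one window as a set of (host, port, proto)."""
    return {(host, port, proto)
            for host, svc_map in observed_services(flows).items()
            for (port, proto) in svc_map}


def snapshot_diff(previous, current):
    """Continuous monitoring: what appeared or disappeared between two windows."""
    return {"new": sorted(current - previous), "gone": sorted(previous - current)}


if __name__ == "__main__":
    for key, value in findings(SAMPLE_FLOWS, KNOWN_ASSETS).items():
        print(f"{key}: {value}")
    print(snapshot_diff(service_snapshot(PREVIOUS_FLOWS), service_snapshot(SAMPLE_FLOWS)))
```

On the sample data, the jump host 192.168.1.31 shows up three times: it serves RDP that the inventory does not approve, that service is reachable from the internet, and it appeared since the previous window. The host 192.168.1.77 is on the edge even though it serves nothing to the internet, which is the point the edge discovery entry makes.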
Evaluating the Attack Surface

Sometimes, security controls do not operate as expected; therefore, it is crucial to perform testing to ensure that they are working correctly. Also, security controls are often modified or disabled by support staff while working to resolve trouble tickets. For these reasons, a testing plan must be designed to validate that controls function as intended. For example, validating that firewalls only allow the right traffic to pass, that endpoint protection is operating properly on employee workstations, and that web application firewalls correctly identify and block injection attacks.

Not all control weaknesses or misconfigurations are easy to identify. In the same regard, having confidence that sufficient controls are in place is challenging. Leveraging the analytical skills of an expert practitioner is irreplaceable. Adversary emulation, penetration testing, and bug bounty programs are all designed to assess an organization's security posture as thoroughly as possible. A penetration test involves hiring a trusted offensive security expert to fill the role of an attacker, tasking them to exploit the environment and evaluate the effectiveness of existing protections. The penetration test includes a findings report detailing identified weaknesses and recommended remediations. Another type of penetration test, adversary emulation, seeks to mimic the actions of known threat actor groups. The MITRE ATT&CK® framework typically forms the basis of this type of assessment. After a threat assessment identifies threat actor groups, the ATT&CK framework details their tactics, techniques, and procedures (TTPs). Emulating these TTPs helps assess whether existing protections are sufficient to stop attacks characteristic of the threat actor.

One last assessment method involves offering rewards for responsible disclosure of vulnerabilities. Bug bounties allow organizations to define areas of their environment they would like help protecting. The bug bounty identifies elements of the environment that are in scope for testing and the rewards available for reporting issues. This approach incentivizes offensive security professionals (ethical hackers) to assess controls continuously and can also help identify unknown and undocumented vulnerabilities. Bugcrowd ( https://www.bugcrowd.com/ ) and HackerOne ( https://www.hackerone.com/ ) are popular bug bounty platforms.

Penetration Testing and Adversary Emulation

Penetration testing and adversary emulation are techniques to assess an organization's attack surface and identify vulnerabilities. Both methods supplement attack surface management and help improve an organization's security posture.

Penetration testing involves simulating an attack on an organization's network to identify vulnerabilities and weaknesses. The goal is to identify the most vulnerable components within an organization's environment and determine how an attacker could exploit them. The penetration test results are then used to prioritize risk mitigation efforts and reduce the attack surface.

Adversary emulation, on the other hand, involves simulating a real-world cyber attack by an actual adversary to assess an organization's defenses. This technique involves a more comprehensive and realistic simulation of a targeted attack. The goal is to identify gaps and weaknesses in an organization's security infrastructure that a known threat actor typically targets. Doing so helps the organization improve its ability to detect and respond to specific attacks associated with the threat actor instead of generalized attacks used in penetration testing.

Organizations can reduce their risk of a successful cyber attack by identifying and mitigating vulnerabilities before attackers exploit them. Attack surface management provides a framework for organizations to assess and manage their attack surface, and penetration testing and adversary emulation are techniques used to evaluate the effectiveness of the organization's security measures.

Reducing the Attack Surface

Some methods commonly incorporated to reduce the attack surface include the following:

  • Asset inventory: Conducting an inventory of all hardware and software assets and user accounts in the environment. Once identified, the team must determine which assets are essential for business operations and which can be removed.
  • Access control: Implementing strict access control measures, such as multifactor authentication, can reduce the attack surface significantly. Limiting access to sensitive data and systems reduces the risk of unauthorized access.
  • Patching and updating: Regularly patching and updating software and firmware can prevent attackers from exploiting known vulnerabilities. Patching should be performed via automated patch management systems.
  • Network segmentation: Segmenting a large network into smaller subnets can limit the damage an attacker can cause. By segmenting the network, breaches and infections can be more effectively contained, thereby reducing the attack surface.
  • Removing unnecessary components: Removing hardware or software components reduces the attack surface. By removing software, the organization eliminates a pathway that attackers can exploit.
  • Employee training: Employee training can help reduce the attack surface by raising awareness of the potential risks and the importance of security measures. Regular training can help employees recognize and report potential security threats, reducing the likelihood of successful attacks.
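
The asset inventory and "removing unnecessary components" entries above (and the "Disable unnecessary services" exam objective) come down to one question per host: which listening services does its business role actually need? The following added example (not code from the course page or from TestOut) answers that for a single Linux host. SS_OUTPUT is a constructed sample in the format of `ss -tlnp`, and ESSENTIAL_SERVICES is an assumed policy for a host whose only role is serving a web site and being managed over SSH.

```python
"""Turn a listening-socket listing into an attack surface reduction plan.

Added example; not code from the course page or from TestOut. SS_OUTPUT is a
constructed sample in `ss -tlnp` format and ESSENTIAL_SERVICES is an assumed
per-role policy.
"""
import re
from dataclasses import dataclass

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1033,fd=21))
LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=601,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1400,fd=3))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2202,fd=5))
"""

# Assumed policy: program -> ports it is allowed to listen on for this role.
ESSENTIAL_SERVICES = {"sshd": {22}, "nginx": {80, 443}}

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\((.*)\)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]", "*"}


@dataclass(frozen=True)
class Listener:
    program: str
    port: int
    address: str

    @property
    def exposure(self) -> str:
        """How far the socket is reachable: the host itself, or the network."""
        if self.address in LOOPBACK:
            return "loopback"
        if self.address in WILDCARD:
            return "all-interfaces"
        return "specific-address"


def parse_ss(output: str):
    """Parse LISTEN rows of `ss -tlnp` into Listener records (one per program)."""
    listeners = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        local, procs = m.groups()
        address, _, port = local.rpartition(":")
        for program in sorted({name for name, _pid in PROC_RE.findall(procs)}):
            listeners.append(Listener(program, int(port), address))
    return listeners


def classify(listener: Listener, essential) -> str:
    """keep: approved for the role. review: not approved but only reachable
    from the host itself. disable: not approved and reachable from the network."""
    if listener.port in essential.get(listener.program, set()):
        return "keep"
    if listener.exposure == "loopback":
        return "review"
    return "disable"


def reduction_plan(output: str, essential):
    """Group every listener by the action the policy implies."""
    plan = {"keep": set(), "review": set(), "disable": set()}
    for lst in parse_ss(output):
        plan[classify(lst, essential)].add((lst.program, lst.port, lst.address))
    return {action: sorted(entries) for action, entries in plan.items()}


if __name__ == "__main__":
    for action, entries in reduction_plan(SS_OUTPUT, ESSENTIAL_SERVICES).items():
        print(action, entries)
```

The "review" bucket matters: a database bound to 127.0.0.1 is not reachable from the network, so it is a smaller exposure than rpcbind, FTP or VNC bound to every interface, but it still only belongs on the host if the role needs it. Running the real `ss -tlnp` output through the same parser on each host, and diffing the plan over time, gives the continuous inventory the table describes.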

2.4.2 Set Up Security Appliance Access


Configuring Network Security Appliance Access 00:00-00:23 In this demonstration, we're going to secure access to our LAN and WAN interfaces and configure IP addresses to them. We're also going to work with user accounts on a network security appliance. We're using a pfSense security appliance, which has a graphical interface for configuration that's accessible through a web browser.

Sign In 00:23-00:35 I'm here at the login screen, and I'll sign in with the default username of admin. For this pfSense device, the default password is pfsense. I'll click Sign In to log on.

Configure LAN Interface 00:35-02:13 The first thing I want to do is configure the IP address on my WAN and my LAN. We'll start with the LAN settings. Go up to Interfaces > LAN, and that takes us to the LAN configuration page. If I look here, the IPv4 Configuration Type is set to Static IPv4. DHCP is the other option there. I need to change it to a different IP address. I want to change it to 10.10.10.1, so I'll do that now. Now I want to confirm that my subnet is set to the /24 subnet mask. That's all I need to do on this page. I'll scroll down and click Save.

The page refreshes and says that the LAN configuration has changed, and I need to click Apply Changes for it to take effect. It reminds me to change my DHCP server configuration if needed. Since my IP address is in the same subnet range as it was before, my DHCP configuration is still okay. Just make sure the IP you assigned is not in the scope of IPs you've configured to be leased. Click Apply Changes.

Now, if you look up at my address, you'll see that it says 10.10.10.254. When I log back in, I need to go to the new address that I configured. I've found that you sometimes get a token error if you just try to log back in, so I'm going to close my web browser and open it back up.

Now let's type in 10.10.10.1 to get back to our Sign In page. I'll put my credentials back in here and click Sign In. I'll go back to my LAN interface, and you can see that my changes are there.

Configure WAN Interface 02:13-03:12 Now let's configure our WAN settings. Once again, I'll go to Interfaces. But this time, I'll select WAN from the list. Right now, I'm getting an IP for my WAN interface via DHCP. I want to configure this with a static IP, so I'll change that to Static IPv4 from our IPv4 configuration type.

Now, for an IP address, I'll give it 192.168.25.254. Right away, you might be saying, "Hey, that's a Class C Private IP address." If so, you're absolutely correct. I'm on a test network that's connected to my regular network, which is using the 192.168 scheme. I need to set my subnet mask to /24 here. For this demo, I'm not going to configure DHCP version 6. I'm going to leave everything else set to the defaults and click Save to continue.

I get a few reminders, just like we did with the LAN configuration. I'll click Apply Changes.

Configure WAN DNS 03:12-04:43 Now I want to configure the DNS that my WAN will use. A lot of devices will have those settings right here, with the WAN settings. But with this device, we need to go up to System > General Setup.

I'm going to add a few DNS servers here. But first, let's take a look at the current status of our WAN interface. To do that, I'll go to Status > Interfaces. Here, we see that my DNS server is using the home address of 127.0.0.1. IPv4 network standards reserve the entire address block 127.0.0.0/8 for loopback purposes, so this is normal. I want to change those to a different DNS, so let's go back to System > General Setup. Beneath DNS Server Settings, I'll put in the Google DNS IP of 8.8.8.8. Now I'll click the Add DNS Server button, and this time, I'll put in the other Google DNS IP of 8.8.4.4.

I'm going to check this box, Disable DNS Forwarder. For this demo, I don't want my local host, 127.0.0.1, to be used as my first DNS server. Checking the box will remove the local host DNS. I'm only doing this to demonstrate what happens when you check the box. I'll scroll down to save these settings.

Now let's look at the status of our interfaces. We can see our DNS settings are now set to the Google DNS servers.

That wraps up configuring IP interfaces.

Add User 04:43-06:04 Now let's add an additional user to our pfSense appliance. To add a user, we need to go up to System > User Manager. You can see here that we have just one user, the admin user. It's good practice not to use the admin account for normal maintenance. You usually want to create a separate account for each person that might manage the device, collect logs, and so on. We can also track the logon and logoff events of the users in case something happens.

I'll add the user by going over and clicking the Add User button. I'll enter in a username of Rachel McGaffey. I'll give Rachel a password, and I'll put the password in a second time to confirm it. Now, under Full Name, I'll enter in Rachel McGaffey. That's really all that's required. But if I wanted to, I could check this box to customize the GUI for Rachel's account. Let's take a look at some of those options.

After I check the box, I get some more options. I can change the theme for her account from this dropdown list. We can change the top navigation of the page here. We can change how the hostname appears in the menu and change the amount of dashboard columns. If we want things like WAN and LAN to be sorted alphabetically, we can change that too. If we have groups set up, we can change the memberships here. But we won't make any changes to these right now. Let's come down and click Save.

Session Timeout 06:04-06:40 One thing we don't want to happen with our security appliance is to have someone logged in to it making configuration changes. If a user gets called away from his or her desk and doesn't sign out, anyone can sit down at their computer and start messing around. To mitigate this risk, we want to configure Session Timeout. I'll click on the Settings tab. Under Session Timeout, I'm going to change this to 10 minutes. That is actually a long time, and you might want to set this to a lower amount of time. Having no timeout is a huge security risk. You'll have to judge your circumstances and decide what session timeout settings are best.

Change Default Admin Password 06:40-07:24 The last thing I want to do in this demo is change the default admin password. Default passwords for devices are easy to find with a simple web search. It's such a problem that some US states and other governments have forced many tech manufacturers to make the devices they produce have random passwords. Even if your device comes with a random password already configured, those passwords are often printed on the device somewhere, so it's always recommended that you change it; that should be the very first thing you do.

To change this password for the admin account, I'll click on the edit icon here. I'll type in my new password. Now I'll type it a second time to confirm it. Come down and click Save, and that's all there is to it.

Summary 07:24-07:48 That's it for this demonstration. In this demo, we configured a network security appliance. We configured the LAN and WAN IP addresses. We changed the WAN DNS. We created a second account on the device. We configured a session timeout. We ended the demo by changing the default admin password to something more secure.

2.4.3 Set Up a Captive Portal


Configuring a Captive Portal 00:04-01:03 In this demonstration, we're going to configure a captive portal. Captive portals force a user to view and interact with them before they can access a network or the internet.

After you connect your device to the wireless or guest network, but before you can access the internet, you are redirected to a captive portal page.

You might be prompted to agree to the terms and conditions of using the network, and you might be asked to pay a fee to gain access. Some even allow users to log in to use the network. They are used a great deal, and you've most likely used one before, especially at hotels or airports.

Today, we'll be using a captive portal that's part of pfSense. pfSense sits between the internal network and the internet, as you can see in this diagram.

We want to configure the captive portal so that any device that connects to our guest Wi-Fi will have to go through the captive portal in order to get internet access.

Add Captive Portal Zone 01:03-01:46 I have a network adaptor installed in pfSense that I'm going to use for my guest Wi-Fi. If I scroll down, you can see it listed right here. So, let's get started. I'll go to Services > Captive portal and click on the Add button. Under Add Captive Portal Zone, I want to enter in our zone name, 'Guest_WiFi'. For Zone description, I'll put in Guest Wi-Fi. By the way, for the zone name, you can only use letters, digits, and underscores, but you can use any character for the description name. Click the Save & Continue button.

Captive Portal Configuration 01:46-05:39 Now, under Captive Portal Configuration, let's check the Enable Captive Portal check box. When we do, we get a bunch of options. Under Interfaces, you'll see my Guest Wi-Fi interface that we looked at in the beginning of the demo. Depending on your network, you could have a VLAN configured for your guest Wi-Fi. My demo environment isn't set up with VLAN, but that would work really well for this. This is the one we want to pick.

Under Maximum concurrent connections, we can put in a number of concurrent connections. I'll put five in here. This is not the number of users, but rather how many connections a single IP can establish to the portal. For Idle timeout, we'll put in 60 minutes. If a client is inactive for that amount of time, they'll be disconnected. Hard timeout limits a connection no matter what. We might not want users on our guest network forever, so you can limit the time they spend. Let's put in 120 minutes. We can also give guest users a traffic quota. We might not want them streaming video for two hours, so we can put something in here to restrict that if we like. I'll just leave it blank for now.

I'm going to leave the next several set to the defaults and scroll down a bit until I see Per-user bandwidth restriction. Let's go ahead and check the box to enable it. This limits users' download and upload speeds. For Default download, I'll put in 10,000 kilobits per second, which is about 10 megabits per second. For the Default upload, I'll put in 3,000 kilobits per second, which is about 3 megabits per second.

We could use a custom captive portal page. Let's check the box. When I do, you can see that I would need a custom page to upload. I would also need an error page and logout page. I'm just going to use the default page that comes with pfSense for my captive portal page. But if I were setting this up for real use, I'd certainly want a custom page. I'll uncheck that box.

I could also upload a custom logo or a custom background for my page. For the Terms and Conditions, I can put in something like, 'Don't be bad on the internet.'

For Authentication Method, we're not going to use any authentication. We could use RADIUS if we had that set up, or we could use some other type of authentication. But for this demo, I'll select None, don't authenticate users from the dropdown.

We could Enable HTTPS login, but if I did, I'd have to configure the server to have a certificate, and I haven't done that, so I'll leave that unchecked.

Here, at the bottom, it reminds us to set up DHCP on our captive portal interface. I've already done that, so we're good to go. That is all we're going to set up here, so click on Save to continue. And here, you can see that our captive portal has been created.

Now, before we continue, let's briefly look at a few options that we skipped and aren't going to configure.

Under the MACs tab, we can get a little more granular with bandwidth control as far as limiting the upload and download. Under Allowed IP Addresses, we can do the exact same thing, but by IP instead of MAC addresses. Allowed Hostnames is the same, but by hostname.

Here, we have Vouchers. Vouchers are single-use codes used to gain internet access through a captive portal. Vouchers are commonly implemented in places where authentication is required, but where there is also a time limit on internet access.

And lastly, the File Manager tab is used to upload files that are used inside a captive portal page, such as style sheets and image files.

Now let's test out our captive portal over on our Guest Wi-Fi network.

Test the Captive Portal in a Guest Wi-Fi Network 05:39-06:05 I've switched over to our Guest Wi-Fi network. What should happen when we go to surf the web is that we should get redirected to our captive portal page. I'll open up our web browser, and we're directed to our pfSense captive portal page. Remember, I didn't configure authentication, so all I have to do is check the box to agree with the terms and conditions to proceed. I'll click Login, and after a second, I'm forwarded to my homepage.

Summary 06:05-06:21 That's it for this demo. In this demo, we configured a captive portal on pfSense to force users to agree to terms and conditions before being allowed access to the internet.
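
The demo sets four limits on the Guest_WiFi zone and explains each in a sentence: maximum concurrent connections (per IP, to the portal page itself), idle timeout, hard timeout, and a traffic quota. The following added example (not pfSense code and not from the course page) models those four limits so the differences are visible. The session bookkeeping, the minute-based clock, and the client addresses are the example's own assumptions; pfSense's actual implementation is not shown here.

```python
"""Model of the captive portal limits configured in the demo.

Added example; not pfSense code and not from the course page. The clock is in
whole minutes and the client addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    started: int        # minute the client passed the portal page
    last_activity: int  # minute of the client's most recent traffic
    mb_used: float = 0.0


class CaptivePortalZone:
    def __init__(self, max_connections_per_ip: int = 5,
                 idle_timeout_min: Optional[int] = 60,
                 hard_timeout_min: Optional[int] = 120,
                 traffic_quota_mb: Optional[float] = None):
        self.max_connections_per_ip = max_connections_per_ip
        self.idle_timeout_min = idle_timeout_min      # None = no idle limit
        self.hard_timeout_min = hard_timeout_min      # None = no hard limit
        self.traffic_quota_mb = traffic_quota_mb      # None = no quota
        self.portal_connections = {}  # ip -> open connections to the portal page
        self.sessions = {}            # ip -> Session for clients already let through

    def connect(self, ip: str) -> bool:
        """A client opening the portal page. "Maximum concurrent connections"
        caps how many such connections one IP may hold, not the user count."""
        open_now = self.portal_connections.get(ip, 0)
        if open_now >= self.max_connections_per_ip:
            return False
        self.portal_connections[ip] = open_now + 1
        return True

    def disconnect(self, ip: str) -> None:
        if self.portal_connections.get(ip, 0) > 0:
            self.portal_connections[ip] -= 1

    def login(self, ip: str, now: int) -> None:
        """Client accepted the terms: start its authorized session."""
        self.sessions[ip] = Session(started=now, last_activity=now)

    def touch(self, ip: str, now: int, mb: float = 0.0) -> None:
        """Traffic seen from an authorized client."""
        s = self.sessions[ip]
        s.last_activity = now
        s.mb_used += mb

    def expiry_reason(self, s: Session, now: int) -> Optional[str]:
        # Hard timeout applies no matter what the client is doing.
        if self.hard_timeout_min is not None and now - s.started >= self.hard_timeout_min:
            return "hard_timeout"
        if self.traffic_quota_mb is not None and s.mb_used >= self.traffic_quota_mb:
            return "traffic_quota"
        # Idle timeout only fires when the client has been quiet.
        if self.idle_timeout_min is not None and now - s.last_activity >= self.idle_timeout_min:
            return "idle_timeout"
        return None

    def sweep(self, now: int):
        """Periodic check: drop every session that hit a limit, with the reason."""
        expired = []
        for ip, s in list(self.sessions.items()):
            reason = self.expiry_reason(s, now)
            if reason is not None:
                expired.append((ip, reason))
                del self.sessions[ip]
        return sorted(expired)


if __name__ == "__main__":
    zone = CaptivePortalZone(5, 60, 120, 500)  # the demo's values plus a 500 MB quota
    zone.login("10.0.0.6", 0)
    for minute in (30, 60, 90, 115):
        zone.touch("10.0.0.6", minute, 20)
    print(zone.sweep(95), zone.sweep(120))  # [] then [('10.0.0.6', 'hard_timeout')]
```

The ordering in expiry_reason is the design point: a client that keeps generating traffic never trips the idle timeout, so without a hard timeout it stays on the guest network indefinitely, and without a quota it can stream for the full two hours the demo mentions. The demo leaves the quota blank; the model accepts None for the same effect.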

2.4.4 Discover Vulnerable Bluetooth Devices


Discover Vulnerable Bluetooth Devices 00:00-00:24 Many Internet of Things devices use Bluetooth as their wireless protocol. Thanks to smartphones, tablets, and computers, many attacks target Bluetooth devices. Of course, before you can hack a Bluetooth device, you need to find it. In this demo, we're going to look at a few tools that discover Bluetooth devices.

Bluetooth Hacking and Discovery Tools 00:24-01:16 Kali Linux comes with several tools that can discover and attack Bluetooth devices.

I'm going to click on Show Application and then type 'blue' in the search field. Three tools come up that are related to Bluetooth.

The first tool is bluelog, which is a Bluetooth site survey tool. This tool scans the area to find discoverable devices and logs them to a file.

Next, we have blueranger. This is a Python script that uses a type of ping to locate Bluetooth devices and determine their approximate distances.

The last one is bluesnarfer. This tool allows you to capture data from a Bluetooth-enabled device, including text messages, calendar data, images, and address books.

Now let's jump over to a Windows 10 system to look at a different tool and discover some Bluetooth devices.

BluetoothView Interface and Use 01:16-02:45 I'm on a Windows 10 system. I've already downloaded and unzipped the utility called BluetoothView. The utility runs in the background and monitors the activity of nearby Bluetooth devices. You don't have to install this utility; just copy the executable file to any folder you'd like and run it.

A few seconds after you run it, the utility displays all the detected Bluetooth devices near you. It organizes their information in several columns.

In the first column, there's the Device Name. It determines the name based on the device's address.

The next column is for descriptions. I can actually right-click, choose Properties, and enter in something to make this unique so it's easier to identify in the future. I'll type in 'My Phone'. You can see that's also just another view of the information it's gathered about this device. I'll click OK.

The next few columns are the Bluetooth Address, Major Device Type (in this case, it's a phone), Minor Device Type (a smartphone), First Detection Time, Last Detection Time, and other details.

Up on top, you have some menu items that you can adjust and preferences you can set.

For example, under Edit, we have the Find option.

Under View, we can show or hide grid lines.

Under Options, you have many things you can set. In a minute, I'll discuss Display Balloon on New Device. And the last menu item is Help.

Information Gathering Uses 02:45-03:21 The detection time features do some interesting things that can come in handy during the information gathering phase. For example, if you're monitoring a target, you can use the First Detected On and Last Detected On fields to figure out a person's routine or how much time it might take to hack their device.

BluetoothView can also automatically display an alert on your taskbar so you know when someone with a device comes near you. So, if you want to play video games at work without getting caught, you could use this to let you know when someone with a device is coming near you so you can shut down the game before they arrive.

Bluetooth Modifications 03:21-03:46 I want to point out that normally, the minimum specification for Bluetooth range is 10 meters, but manufacturers aren't limited to this minimum, and some devices are discoverable up to 100 meters. Adding special antennas can increase this distance even farther. Once hackers use this utility to discover Bluetooth devices, they may be able to carry out an attack on devices coming and going as people walk by.

Summary 03:46-04:10 That's it for this demo. In this demo, we looked at some Bluetooth tools that come with Kali Linux. Then we used a utility on our Windows system to discover Bluetooth devices. We looked at some of the features with the utility and then discussed how we can use some of these features as part of our information gathering process.

2.4.5 Securing Mobile Devices


Secure Mobile Devices 00:00-00:12 In this demonstration, we'll secure a mobile device. We've already logged into the device and we're in Settings.

Access Apps 00:12-00:57 On this iPad, there's the option to use a fingerprint scanner to log into the device. We'll look at those settings, the lock screen, and Touch ID settings.

Let's scroll down here to the Touch ID and password. First, it will want my passcode. We'll quickly put in the passcode.

You can see the Touch ID settings and the type of things we can use the Touch ID for.

If you don't use iTunes or Apple Pay very often, then you probably don't want Touch ID enabled for these. You might want to turn them off.

You can use a fingerprint to open these applications.

As you can see, we have several fingerprints saved. This allows you to use the fingers on both hands to authenticate.

Require Passcode 00:57-01:42 You also have options here to Turn Off Passcode and Change Passcode. We'll leave the passcode how it is because we have a secure passcode. We have the option to require a passcode, and we selected Immediately.

We'll leave it at Immediately because that's the most secure setting.

If you don't leave your device set to Immediately and it stays unlocked for a while, you might set it down somewhere, or somebody steals your device, and it could be unlocked at the time. They can get into your device and possibly steal data and information.

That's not what we want to happen. So, we're going to leave that at Immediately for better security.

You can also see that this device allows us to access certain information while it's locked. In this case, we'll leave these settings how they are.

Erase Data Feature 01:42-02:23 Another feature about the passcodes and failed logins on the device is the Erase Data feature.

This is powerful and can be problematic for a system administrator. If a user typed in the wrong password too many times, it will wipe the device and erase all the data off the device so it's unusable.

That can be good if the device falls into the wrong hands. However, if a user is not paying attention or say, maybe a child gets a hold of the device, then the device may be wiped when there wasn't a real threat.

If this feature is activated in your company or your organization, let users know and help them be aware of this setting's potential impact.

Use Location Settings 02:23-03:26 Let's look at a few other settings. We'll start with the privacy settings. Tap on Privacy. The reason we want to look at these is that the privacy settings have a location setting which allows apps to use the GPS, Bluetooth, Wi-Fi, Hotspot, and other things, to determine your location.

The GPS, or Location Services, is already doing this right now, as you can see. It's turned on. You can see that we are using or sharing the location. Let's tap Location Services. You can see some of these apps we've set to Never; some are set to While Using.

Location services can be helpful in certain applications. However, some of them might not be as useful. You might decide you don't want this application to share or know where you are.

To change the settings, you go in and toggle to the setting you want. If we come in here, you see we have it set to Never but we can choose While Using the App if we want.

The important thing is to be aware that your device is constantly sharing your location and how to change that.

Use Bluetooth Settings 03:26-04:16 Now we'll look at Bluetooth settings. We have the Bluetooth right here. You can see it's on.

This shows any devices that we connect to frequently. The Bluetooth settings are important.

If you have Bluetooth toggled on, it means it's always on. It's always looking; it's always searching. Another way to get to this setting is to drag down. You can see the Bluetooth icon right here.

You can turn it off manually from here by clicking that button. The reason this is important is that Bluetooth has been used in past years to steal people's data.

There are several attacks that malicious users have used when in proximity to people, especially important people, or celebrities.

Attackers have used Bluetooth to get into devices and steal pictures and other information from those users. If you're not using Bluetooth, it's best to have it toggled to the off position.

Use Wi-Fi Settings 04:16-05:38 Now, we want to mention Wi-Fi settings. Let's tap on Wi-Fi. Wi-Fi settings might not seem like a big deal, but we have one specific setting toggled off.

We all use Wi-Fi on our devices; we all jump on the internet.

But, a lot of the time, we jump on networks that we maybe should not. So, this button, Ask to Join Networks, toggles the device to ask us if we want to join networks.

When you toggle that, it will turn on and you'll get prompted whenever you need Wi-Fi and you're not connected to it. So, in that case, that might sound like a good thing.

However, it's not, because sometimes users jump on networks that are unsecured or networks that aren't real networks at all. That has been a huge issue with data theft and other things from users.

If you jump on a network that you know, it might not be an actual network that's meant for surfing the internet. It may be something somebody's using maliciously to get into your system.

By jumping onto that network, you're giving access. So, you don't want to be asked to join any networks. You should join only networks that you trust and that you know are legitimate networks.

We also have Auto-Join Hotspot. We have this set to Ask to Join. Once again, we don't want to automatically join hotspots just like we need to be careful of joining networks.

Set iCloud Settings 05:38-05:58 Now we'll go to our iCloud settings. You can see iCloud is here.

You can see a few different things. You can see the information for the account, such as the email associated with it.

You can also see the password and security settings. This is what we want to look at now. We'll tap Password & Security.

Use Two-Factor Authentication 05:58-06:43 The reason we want to show you this is because this version of iOS has an option to Turn On Two-Factor Authentication.

You can change your password here and put in security questions for the account. Two-factor authentication adds an extra layer of security.

It'll prompt you from another device when logging into this account and ask you if it's okay that it logs in.

That way, if somebody tries to use your Apple account to log into something, it'll always prompt you before it allows them to log in. That's a good thing to have enabled on your mobile device.

That way, if the device falls into somebody else's hands, or somebody tries to log into your account, you can see and verify whether that's a legitimate user or if you need to change your password or it's something you need to turn off.

Summary 06:43-07:23 That's it for this demo. In this demonstration, we went over how to secure a mobile device. We looked at how to configure the lock screen and Touch ID settings. We looked at how to have your screen lock immediately.

We talked about how iCloud and multi-factor authentication can help secure your device. We talked about Wi-Fi settings and making sure you use only Wi-Fis that you're familiar with.

We also talked about Bluetooth settings, and keeping them toggled to off if not in use. We talked about location settings under the privacy settings of the device.

2.4.6 Configure a Captive Portal

You are the security analyst for a small corporate network. You want to make sure that guests visiting your company have limited access to the internet. You have chosen to use pfSense's captive portal feature. Guests must pass through this portal to access the internet.

In this lab, your task is to:

  • Access the pfSense management console:
    • Username: admin
    • Password: P@ssw0rd (zero)
  • Add a captive portal zone named WiFi-Guest.
    • Use the description Guest wireless access zone
  • Using the GuestWi-Fi interface, configure your portal as follows:
    • Allow a maximum of 50 concurrent connections.
    • Disconnect users from the internet if their connection is inactive for 15 minutes.
    • Disconnect users from the internet after 45 minutes regardless of their activity.
    • Limit users' downloads and uploads to 7000 and 2400 Kbit/s, respectively.
    • Force users to pass through your portal prior to authentication.
  • Allow the following MAC and IP address to pass through the portal:
    • MAC: 00:00:1C:11:22:33
    • IP: 198.28.1.100/16
      • Give the IP address the description of Security analyst's laptop

2.4.7 Discover Bluetooth Devices

You are the security analyst for a small corporate network. To protect your Bluetooth devices from attacks, you want to discover which Bluetooth devices are running in your company and gather information about each of them.

In this lab, your task is to use the Terminal to:

  • Use hciconfig to discover and enable the onboard Bluetooth adapter.
  • Use hcitool to find all of the Bluetooth devices.
  • Answer Question 1.
  • Use l2ping to determine if the Bluetooth device is alive and within range.
  • Answer Question 2.
  • Use sdptool to query Francisco's laptop to determine the Bluetooth services available on the device.
  • Answer Question 3.
  • Use hcitool to determine the clock offset and class for Brian's Braven Speaker device.
  • Answer Question 4.
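The hcitool steps above produce a class value for each device, which is a 24-bit Class of Device field: bits 8-12 carry the major device type, bits 2-7 the minor type, and bits 13-23 the advertised service classes. The following is an added example (not part of the TestOut lab or the BlueZ tools) that parses constructed `hcitool inq` output, decodes those fields so the scan can be turned into an inventory, and flags any address that is not on an approved list; the addresses, names and the `approved` list are made up for the example.

```python
import re

# Constructed sample of `hcitool inq` output; the addresses and class values
# are made up for this example, not captured from a real scan.
SAMPLE_INQ = """Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x1ab3\tclass: 0x5a020c
\t00:1A:7D:DA:71:13\tclock offset: 0x2f00\tclass: 0x240414
\t00:25:56:AB:CD:EF\tclock offset: 0x0421\tclass: 0x3e010c
"""

# Major device classes (CoD bits 8-12) from the Bluetooth assigned numbers.
MAJOR = {0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
         0x03: "LAN/Network access point", 0x04: "Audio/Video",
         0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
         0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized"}
# Minor classes (bits 2-7) for the majors the lab is likely to meet.
MINOR = {
    0x01: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC",
           5: "Palm-size PC", 6: "Wearable computer", 7: "Tablet"},
    0x02: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
           4: "Wired modem/voice gateway", 5: "ISDN access"},
    0x04: {1: "Headset", 2: "Hands-free", 4: "Microphone", 5: "Loudspeaker",
           6: "Headphones", 7: "Portable audio", 8: "Car audio"},
}
# Service class bits (13-23); Limited Discoverable is a mode flag, not a service.
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}

def decode_cod(cod):
    """Split a 24-bit Class of Device value into major, minor and services."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return {"major": MAJOR.get(major, f"Reserved(0x{major:02x})"),
            "minor": MINOR.get(major, {}).get(minor, f"Uncategorized({minor})"),
            "services": services}

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f:]{17})\s+clock offset:\s*(0x[0-9A-Fa-f]+)"
                     r"\s+class:\s*(0x[0-9A-Fa-f]+)")

def parse_inq(output):
    """Turn `hcitool inq` text into inventory records; banner lines are skipped."""
    devices = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, offset, cod = m.group(1).upper(), int(m.group(2), 16), int(m.group(3), 16)
        devices.append({"addr": addr, "clock_offset": offset, "cod": cod, **decode_cod(cod)})
    return devices

def unexpected(devices, approved):
    """Return scanned devices whose address is not on the approved inventory."""
    approved = {a.upper() for a in approved}
    return [d for d in devices if d["addr"] not in approved]
```

Pipe a live scan in with `hcitool inq | python3 -c 'import sys; ...'` or pass the captured text to `parse_inq`; a device that shows the Limited Discoverable flag or a major type you do not expect on the floor is worth a closer look.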

2.4.8 Secure a Mobile Device

You are the security analyst for a small corporate network. The receptionist, Maggie Brown, uses an iPad to manage employee schedules and messages. You need to help her make the iPad more secure. The current simple passcode for her iPad is 3141.

In this lab, your task is to:

  • Set a secure passcode on the iPad as follows:
    • Require a passcode: After 5 minutes
    • New passcode: youwontguessthisone
  • Turn simple passcodes off.
  • Configure the iPad to erase data after 10 failed passcode attempts.