Gain insights into effective security techniques including patching, cryptography, and phishing prevention. Explore practices to make systems resistant and vulnerabilities more detectable, enhancing defense against attacks.

docker.tar.gz

network-commands

node

It seems like hardly a week goes by without a high-profile computer breach. Why do these happen? How can you prevent them? This course doesn’t have all the answers, but it does outline practices that make life harder for attackers and that will help tide you over until you get a full-time security team in place.

In this course, you will learn 5 simple, yet effective, techniques for preventing attackers from getting into your system. These techniques are related to: patching, software vulnerabilities, cryptography, windows security, and phishing. Within each chapter you will learn the best practices for preventing vulnerabilities and how to make them more detectable. 

This course is based on the Pragmatic Programmers’ book, Practical Security, and is aimed at developers, admins, team leads, architects, technology generalists, and all others who stand guard against the things that disrupt the network.

Practical Security: Simple Practices for Defending Your Systems

## Active Directory as a single point of access
We need to maintain Active Directory in order to run a Windows domain. Can we leverage that investment and get any other benefits from it? It turns out that we can. One of the best of these is the ability to disable access in a single place when someone leaves our organization or we learn that their account has been compromised.

### When passwords are leaked
Consider this scenario: A popular social networking site announces that it has suffered a massive security breach, and a copy of the account names and passwords for all of its users is now floating around the internet. You happen to discuss this with one of your coworkers, who mentions that they’re a little worried because they use that site and they’ve used that same password on a number of work-related websites. How do you lock down access?

It’s hard to respond to an external breach like this if you don’t have a single place to turn off access. You’d have to work on
(number of work-related websites) x (number of people in your organization) different accounts. This is probably too many accounts to track down. But if you had all access go through a single system, you could cut off all access there and work with each user affected by the external breach to reestablish access. Active Directory can be that single system.

### When employees leave the company
Similarly, how do you disable access for employees who leave the company? If you have to wade through a large number of systems each time someone leaves the company, you leave the door open for user error that could leave accounts active long past the time when the employee left. In this case also, you’re much better off having access go through Active Directory.

## Caveats

In both of these cases, we see problems that arise from having a single, highly valuable store of hashed passwords. If that store of hashed passwords is compromised, whether through direct access to the password hashes, password reuse, or the memory of a disgruntled former employee, you have a big problem on your hands. How can we decrease the value of these credentials? One approach is to introduce two-factor authorization. We talked briefly about [2FA](https://www.educative.io/courses/practical-security-defending-your-systems/minimizing-the-cost-of-credential-loss#limiting-the-power-of-a-credential-with-2fa) back in the Crypto chapter. Let’s get into a little more detail here.

## 2FA 
When you set up a system to use 2FA for access, you split access between a password that the user remembers and a second, very short-lived password that an external device such as a smartphone app can generate on-demand. Someone who only has one of these factors can’t access the system without the other. With a system like this in place, even if a user’s password is leaked due to password reuse with third-party systems, the attacker won’t be able to log in because they won’t have access to the 2FA app, which generates the other part of the login credentials.

 What’s more, 2FA makes attempts to use stolen passwords much noisier and more noticeable. If an attacker attempts to log in with a valid username and password but doesn’t have the 2FA app, this should stand out in your logs. It is rare for a user to enter their credentials but not complete the login process by using their 2FA application. If you see this happen, especially if the attempt originates from an IP address that’s not typically used by the legitimate user, you have a very strong indication that the password has been compromised and should be rotated.



 <font size="6">  &nbsp; &nbsp;  &nbsp; &nbsp;&nbsp;  &nbsp; &nbsp;   &nbsp;  &nbsp;   &nbsp;   &nbsp; &nbsp; &nbsp; &nbsp;       &nbsp;  &nbsp;  &nbsp; &nbsp;&nbsp;   &nbsp; &nbsp; &nbsp;   &nbsp; &nbsp; &nbsp;&nbsp;  **Q U I Z**  &nbsp;   </font> 


# Active Directory as a single point of access
We need to maintain Active Directory in order to run a Windows domain. Can we leverage that investment and get any other benefits from it? It turns out that we can. One of the best of these is the ability to disable access in a single place when someone leaves our organization or we learn that their account has been compromised.

## When passwords are leaked
Consider this scenario: A popular social networking site announces that it has suffered a massive security breach, and a copy of the account names and passwords for all of its users is now floating around the internet. You happen to discuss this with one of your coworkers, who mentions that they’re a little worried because they use that site and they’ve used that same password on a number of work-related websites. How do you lock down access?

It’s hard to respond to an external breach like this if you don’t have a single place to turn off access. You’d have to work on
(number of work-related websites) x (number of people in your organization) different accounts. This is probably too many accounts to track down. But if you had all access go through a single system, you could cut off all access there and work with each user affected by the external breach to reestablish access. Active Directory can be that single system.

## When employees leave the company
Similarly, how do you disable access for employees who leave the company? If you have to wade through a large number of systems each time someone leaves the company, you leave the door open for user error that could leave accounts active long past the time when the employee left. In this case also, you’re much better off having access go through Active Directory.

# Caveats

In both of these cases, we see problems that arise from having a single, highly valuable store of hashed passwords. If that store of hashed passwords is compromised, whether through direct access to the password hashes, password reuse, or the memory of a disgruntled former employee, you have a big problem on your hands. How can we decrease the value of these credentials? One approach is to introduce two-factor authorization. We talked briefly about [2FA](https://www.educative.io/courses/practical-security-defending-your-systems/minimizing-the-cost-of-credential-loss#limiting-the-power-of-a-credential-with-2fa) back in the Crypto chapter. Let’s get into a little more detail here.

# 2FA 
When you set up a system to use 2FA for access, you split access between a password that the user remembers and a second, very short-lived password that an external device such as a smartphone app can generate on-demand. Someone who only has one of these factors can’t access the system without the other. With a system like this in place, even if a user’s password is leaked due to password reuse with third-party systems, the attacker won’t be able to log in because they won’t have access to the 2FA app, which generates the other part of the login credentials.

 What’s more, 2FA makes attempts to use stolen passwords much noisier and more noticeable. If an attacker attempts to log in with a valid username and password but doesn’t have the 2FA app, this should stand out in your logs. It is rare for a user to enter their credentials but not complete the login process by using their 2FA application. If you see this happen, especially if the attempt originates from an IP address that’s not typically used by the legitimate user, you have a very strong indication that the password has been compromised and should be rotated.



 <font size="6">  &nbsp; &nbsp;  &nbsp; &nbsp;&nbsp;  &nbsp; &nbsp;   &nbsp;  &nbsp;   &nbsp;   &nbsp; &nbsp; &nbsp; &nbsp;       &nbsp;  &nbsp;  &nbsp; &nbsp;&nbsp;   &nbsp; &nbsp; &nbsp;   &nbsp; &nbsp; &nbsp;&nbsp;  **Q U I Z**  &nbsp;   </font> 


Active Directory can be leveraged to add another layer of security. In this lesson, we'll see how.

Introduction

Patching

Vulnerabilities

Cryptography

Windows

Phishing

Active Directory: What Else Is It Good For?

Active Directory as a single point of access

When passwords are leaked