SANS SEC401


Anti-spoofing

A method used on some routers to protect against spoofing attacks. A common implementation defines specific rules that block certain traffic.

Backups - best practices (common pitfalls)

1. Keep backups on separate networks
2. Use different technologies
3. Frequently verify backup systems and data
4. Cloud storage also requires backups

CIS Controls - Organizational (4)

17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

MAC Address Size

6 bytes (48 bits). The first 24 bits are the OUI (Organizationally Unique Identifier); the second 24 bits are the unique identifier of the network interface.

IPv4 Header

6 rows of 32 bits (4 bytes each)

CIS Controls - Foundational (10)

7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control

BitLocker

A Windows feature that encrypts an entire drive. AES 128 or 256. Boot-up integrity. Supports USB and Thunderbolt drives. Emergency recovery PIN. Self-encrypting hard drive.

Domain Controller (DC)

A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.

snap-in

A Windows utility that can be installed in a console window by Microsoft Management Console.

LDAP (Lightweight Directory Access Protocol)

A communications protocol that defines how a client can access information, perform operations, and share directory data on a server. Used to communicate with AD.

Registry

A database that Windows uses to store hardware and software configuration information, user preferences, and setup information.

ZigBee

A form of wireless communications frequently used in security systems and heating and cooling control systems.

C2 frameworks and implants

A piece of software, often with C2 and lateral movement capabilities, that performs actions desired by the author.

Variable trust

An implementation of the zero trust model in which the system scores a trust level based on a number of factors. If the score is high enough, the user is granted access. Factors include type of user access, correct username/password, geolocation, device compliance, and type of application.

Windows as a Service (WaaS)

An update process for Windows 10 in which new features are continuously published and installed to existing Windows 10 installations.

OSI Layers compared to TCP/IP layers

Application = application, presentation, session
Transport (TCP) = transport
Internet (IP) = network
Network = data link, physical

ASIC

Application Specific Integrated Circuit

Symmetric encryption techniques

Basic: substitution, XOR, rotation; arbitrary substitution: permutations; hybrid.

VM escape

Being able to run code from inside the VM that ends up executing on the host.

Fully automated malware analysis

Can analyze a lot in little time, but produces false positives. Low cost. Cuckoo Sandbox is the best free tool.

Discretionary Access Control (DAC)

Control that the user can manage, such as username, password and some file permissions

Benefits of cloud computing (5)

Cost, speed, scale, productivity, security

GPU acceleration (for password cracking )

Cracking tools can split the work of hashing over several CPUs and can also use GPUs to speed it up more

Nano Server

Even smaller than Server Core: no GUI, no command shell, runs as a container, headless (managed over the network, not at the console).

NTFS Owner

Every folder and file has an owner that can change permissions

IAL 2

Evidence-based, verified by a credential service provider

Privileges

General capabilities a user has on a computer. Not related to particular objects. Managed per computer through Group Policy or PowerShell.

TCP -- Closing a TCP Session

Graceful closure:
1. FIN/ACK
2. ACK, FIN/ACK
3. ACK
Abrupt closure (aka "aborting a connection"):
1. RST/ACK

AGULP

How privileges and permissions should be applied: Accounts -> Global groups -> Universal groups -> Local groups -> Permissions & rights

Physical Topology

How devices are physically connected together, and how communications are sent over the physical connection (electrical signaling, pulses of light, radio, etc.).

IaC

Infrastructure as Code (virtual infrastructure)

IPSec

Internet Protocol Security. A collection of protocols to provide network security services. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH (authentication header) and ESP (encapsulating security payload). AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.

IGW

Internet gateway Connects resources within VPCs with the internet

IDS

Intrusion Detection System

IPS

Intrusion Prevention System

Diffie-Hellman key exchange

Invented in the 1970s, it was the first practical method for establishing a shared secret key over an unprotected communications channel.

Data Recovery

A procedure in which corrupted or unreadable data is recovered from a faulty storage medium. May include the following:
1. Repairing the storage medium
2. Imaging data to another medium
3. Logical data recovery (damaged file systems must be fixed first)
4. Repairing damaged data

OWE

Opportunistic Wireless Encryption: wireless encryption between devices and access points, even on open, insecure networks.

Other uses for PKI

Partial or whole disk encryption; code and driver signing; user authentication; IPSec and VPN authentication; network access control/protection

Establishing a TCP Connection

SYN, SYN/ACK, ACK (TCP three-way handshake)

Types of cloud services (3)

SaaS, software as a service; PaaS, platform as a service; IaaS, infrastructure as a service

How to fight pre-computation attacks

Salt and pepper, so that identical passwords do not produce identical hashes

Salt and pepper values

Salt is a string of random characters added to a password before hashing it. Pepper is a salt that is kept secret and stored securely.

HIPS advantages

Same as HIDS but more timely prevention. Anomaly analysis stops unknown attacks. Buys more time for patch management. Better defense for systems with an expanding network perimeter. Protects traveling laptops. Application behavior monitoring.

SELinux

Security-Enhanced Linux. A trusted operating system platform that prevents malicious or suspicious code from executing on both Linux and UNIX systems. It is one of the few operating systems that use the MAC model.

SSL/TLS

Secure Sockets Layer / Transport Layer Security: an encryption layer for HTTP that uses public key cryptography to establish a secure connection. Port 443. Does not guarantee security.

Steps to prevent data leaks

Secure data storage, intrusion detection, exfiltration detection, UAM

SCA Snap-in

Security Configuration and Analysis can apply a security template and compare a computer's configuration against a security template. Security policy verification.

SIEM

Security Information and Event Management. A security system that attempts to look at security events throughout the organization.

SAE

Simultaneous Authentication of Equals - generates unique, per client keys

Benefits of network architecture understanding

Situational awareness, prioritization of effort, reduced cost of effort, timely detection of attacks. Timely detection = timely response = reduction of damage.

Frequency Analysis (encryption)

A technique based on how frequently certain letters appear in English versus others. This is the way to crack one-to-one substitution ciphers.

Approaches to Defense-in-Depth (4)

Uniform Protection, Protected Enclaves, Information Centric, Vector-Oriented

UAM

User activity monitoring: a tool that tracks what internal end users are doing on the network.

Linux user accounts and groups

Usernames and passwords are case sensitive. Every username and group name has a corresponding numeric ID.

Port scanning

Using a program to remotely determine which ports on a system are open and listening (i.e., whether the system accepts connections on those ports).

Goals of Cryptography

Confidentiality, integrity, authentication, and non-repudiation

Journaling File System

A file system that keeps track of the information written to the hard drive in a journal for redundancy.

Linux file system security options (3)

ro: read only. nosuid: SUID/SGID bits are ignored on all programs. nodev: special device files will not work.

umask (Linux)

Sets the default file permissions for new files; run without an argument it reads the existing umask setting. chmod changes permissions on existing files.

Cold boot attack

A side-channel attack that involves removing RAM from a computer while it still contains the encryption key, then reading it on a different computer.

DNS port

TCP/UDP 53

Azure Sentinel

(SIEM + SOAR) in the cloud: Security Information and Event Management + Security Orchestration and Automated Response

WSUS

(Windows Server Update Services) is a computer program that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment

IPSec Modes

- Transport mode (only data encrypted)
- Tunnel mode (entire packet encrypted)

Risk treatment actions

- Avoid (eliminate activities causing risk)
- Mitigate (reduce likelihood of negative risk)
- Share (insurance or outsourcing an activity)
- Retain (take no action, with management approval; may leave residual risk)

BOOTP/DHCP

- Bootstrap Protocol / Dynamic Host Configuration Protocol
- Automatically configures network interfaces and loads operating systems via the network when they start up
- UDP ports 67 and 68
- Consider disabling on public-facing routers

Examples of c2 frameworks and implants

- Empire
- Cobalt Strike
- Covenant
- Sliver, by Bishop Fox

Types of Penetration Testing (7)

- External (test from outside the network; relies on OSINT and scanning)
- Internal (test from within the network to see what an attacker could do once inside)
- Web application (tests applications and databases that are exposed to the internet)
- Social engineering (tests the people that have access to the network)
- Mobile device testing
- Product security testing (IoT, VoIP, network devices, printers, etc.; involves reverse engineering, fuzzing, and debugging)
- Physical penetration testing (badge readers, elevators, security gates, biometric devices, etc.)

Hypervisor risks

- The hypervisor could have vulnerabilities
- A DoS against a hypervisor would affect all virtual machines
- Remote code execution would occur under the privilege of the hypervisor, often high privilege

Types of cloud deployments (3)

- Public: operated by a 3rd party
- Private: built or operated by a single company or organization
- Hybrid: combination of public and private

Physical Segmentation and physical Inspection (virtualization risks)

- Some systems need physical segmentation because the software implementation of segmentation is insufficient
- When using VMs, one may not be able to see communications occurring between VMs; one loses the ability to physically inspect communications

OS Command Injection defenses

- Strip OS commands and characters from input
- Avoid making system calls from within the app, especially based on user input
- Define valid characters for input

Goals of rootkits

- Subvert userland and kernel security controls to avoid detection
- Provide ongoing access
- Use default system resources

Commonalities among successful attacks

- System visible from the internet
- Unchecked scanning and enumeration
- Unpatched vulnerabilities
- Weak authentication

Virtualization security benefits

- The VM is isolated from the actual hardware
- A VM is nothing more than a collection of files interacting through a hypervisor
- Recovery of a VM is as simple as copying the VM files again
- Helps with analyzing malware and forensic analysis

Buffer overflow attack defenses

- Validate and sanitize user input
- Run a vulnerability scanner against your application
- Use endpoint protection suites offering exploit mitigation
- Update and patch everything your software touches

SQL injection attack defenses

- Validate user input
- Length limit on input
- Add an application layer between web servers and databases
- Use stored procedures instead of SQL queries
- Web account should not have rights to add/drop/modify
- Do not display SQL errors to web users
- Monitor SQL error messages

UDP Header

8 bytes (64 bits) long, divided into four fields:
1) source port
2) destination port
3) message length
4) checksum

Types of Firewalls

- Packet filtering firewall
- Stateful firewall
- Application gateway firewall (proxy firewall)
- Network address translation (NAT) firewall

3 rules of tiered network architecture

1. Any system visible from the internet must reside in the DMZ and may not contain sensitive data.
2. Sensitive data must reside on the internal, private network and not be accessible from the public internet.
3. DMZ systems can only communicate with private systems through middleware proxies.

TCP/IP Model Layers

1. Application
2. Transport (TCP)
3. Internet (IP)
4. Network

CIS guiding principles (4)

1. Automate defenses and measure periodically or continuously using automated measurement techniques
2. Undertake a variety of specific technical activities to produce a more consistent defense against current attacks
3. Fix root cause problems to prevent or detect attacks
4. Establish guidelines for a common ground for measuring effectiveness of security implementation and a common language to communicate about risk

Password Cracking - 4 general methods

1. Brute force attack
2. Dictionary attack
3. Hybrid attack
4. Pre-computation attack

Access control techniques (4)

1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role-based Access Control (RBAC)
4. Lattice-based Access Control (LBAC)

Vulnerability assessment framework (VAF)

1. Engagement planning
2. Threat modeling
3. Discovery
4. Scanning
5. Validation
6. Remediation
7. Reporting

dictionary attack (password) - 3 characteristics

1. Enumerates all entries from a dictionary or word list
2. Fastest attack
3. Only effective against weak passwords

brute force attack (password)- 3 characteristics

1. Enumerates all possible combinations
2. Slowest attack
3. 100% success, given enough time

Hybrid attack (password) - 2 characteristics

1. Extends the dictionary attack with numerals and symbols
2. Combines the effectiveness of brute force with the speed of a dictionary attack

CIS Controls - Basic (6)

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring, and Analysis of Audit Logs

Characteristics of KDF (4)

1. Irreversible hashing function
2. Input transformation, key stretching, so that keys can be in a specific format
3. Salt and pepper values, so that no two passwords are the same before hashing
4. Difficulty factor: a value to intentionally make the hash more difficult to break; a value of 10,000 means to repeat the hash 10,000 times before getting to the final hashed value

4 steps for hardening routers and switches

1. Keep the OS updated
2. Disable unnecessary services
3. Disable source routing support (so the source cannot dictate the route)
4. Use secure channels for remote administration (such as SSH with two-factor authentication, not Telnet)

What determines the strength of a password hash (4)

1. Key derivation function (KDF) quality
2. Password and derived key length
3. Character set support
4. Difficulty factor (CPU and GPU cycles needed to compute the password hash)

Controlling access (4 steps)

1. Least privilege
2. Need to know
3. Separation of duties
4. Rotation of duties

Pentesting process

1. OSINT
2. Scanning and enumeration
3. Vulnerability identification
4. Exploitation
5. Post-exploitation

Password Cracking - general approach (5 steps)

1. Obtain a list of hashed passwords
2. Determine the KDF used
3. Create a list of possible password guesses
4. Calculate hashes for each guess
5. Try to match the hashes

5 critical tenets of effective cyber defense according to CIS controls

1. Offense informs defense
2. Prioritization
3. Measurements and metrics
4. Continuous diagnostics
5. Automation

Incident Handling Process

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

PAM tools can do these 7 things

1. Provide transparency to the user
2. Policy enforcement point
3. Generate strong shared secrets
4. Securely store credentials
5. Rotate credentials
6. Monitor and log privileged access
7. Generate reports

Policy contents

1. Purpose
2. Related documents
3. Cancellation (which policy is in effect in case one policy supersedes another)
4. Background
5. Scope
6. Policy statement
7. Responsibilities
8. Action

PKI certificate lifecycle

1. Registration
2. Creation
3. Distribution
4. Revocation
5. Expiration

Three purposes for communication protocols

1. Standardize the format of a communication
2. Specify the order or timing of communication
3. Allow all parties to determine the meaning of the communication

Pre-computation attack (password) - 3 characteristics

1. Trades processing cycles for memory
2. Hashes for the attack are pre-computed and stored in rainbow tables
3. Significantly increases cracking speed

3 security features to apply on networks

1. VLAN
2. NAC
3. 802.1X

IP (Internet Protocol) basics

1. Works on the Internet layer of the TCP/IP model, layer 3 of the OSI model
2. The core routing protocol of the internet; finds the best path
3. Deals with transmission of packets between endpoints, but does not guarantee successful transmission
4. Defines the formation of IP addresses, based on network characteristics

Ephemeral ports

1024 and above (up to 65535). Clients must use ports in this range.

IPv6 Characteristics (list 4)

128-bit address space, 340 undecillion addresses. Provides authentication of endpoints. Support for encryption within the protocol. Quality of Service provided within the protocol.

NetBIOS Port

137-139, 1512, 42
NetBIOS Name Service: TCP/UDP 137
NetBIOS Datagram Service: TCP/UDP 138
NetBIOS Session Service: TCP/UDP 139
WINS: TCP/UDP 1512
WINS replication: TCP 42

Enable password aging in Linux/Unix

2 config files: /etc/login.defs and /etc/default/useradd

TCP Header Size

20 bytes

Common TCP Ports

20, FTP data
21, FTP
22, SSH
23, Telnet
25, SMTP
53, DNS
80, HTTP
443, HTTPS

IPv4 Characteristics (list 4)

32-bit address space, 4.2 billion addresses. No authentication. Encryption provided by applications. Best-effort transport.

Common UDP ports

53, DNS
67 and 68, BOOTP/DHCP
69, TFTP
123, NTP
161 and 162, SNMP
2049, NFS

Server Core

A Windows Server installation option that doesn't have a traditional GUI.

ATM Malware , ATM jackpotting

95% of ATMs run on Microsoft XP. Attackers gain physical access to the ATM and connect a peripheral to download malware. Mules with 'tokens' are used to dispense money; some use cell phones to dispense it.

systemd

A daemon that manages all other system daemons. It is the first daemon to start (it replaced init) during the boot process and the last daemon to stop during shutdown. Allows processes, daemons, and services to start in parallel with each other, creating a faster boot process.

chroot

A Linux command used to change the root directory. It is often used for sandboxing.

auditd

A Linux subsystem for access monitoring and accounting

Snort

A NIDS application based on rules for detecting anomalies and intrusions

Point-to-Point Tunneling Protocol (PPTP)

A VPN tunneling protocol with encryption. PPTP connects two nodes in a VPN by using one TCP port for negotiation and authentication and one IP protocol for data transfer. TCP 1723

Advanced Encryption Standard (AES)

A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size. Practically uncrackable. Replaces DES. The only attack method is brute forcing the keys.

TPM (Trusted Platform Module)

A chip on the motherboard used with software applications for security. It can be used with Windows BitLocker Drive Encryption to provide full-disk encryption and to monitor for system tampering.

Microsoft Intune

A cloud-based management solution that allows you to manage your computers when they are not inside your corporate network.

Persistent cookies

A cookie that is recorded on the hard drive of the computer and does not expire when the browser closes. Survives reboots. Most cookies are persistent.

Meterpreter

A custom metasploit shell - Metasploit's most popular payload which enables a user to upload and download files from the system, take screenshots and collect password hashes.

Zero-Trust

A different approach to defense-in-depth in which every request, regardless of whether it is internal or external, must be authenticated and authorized. This approach is based on two key factors, authentication and encryption. Log inspection is essential.

AppLocker

A feature that allows you to specify which groups or users can run, or not run, a particular application in your organization

Credential guard

A feature that stores credentials, such as NTLM hashes and Kerberos tickets, and provides them to the necessary applications. To keep them secure, the credentials are stored in a secured isolated container, which uses Hyper‐V and virtualization‐based security (VBS). Protects credentials from kernel-level malware and mimikatz.

stateless packet filtering

A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base. Does not retain memory of packets that have passed through the firewall, which makes it vulnerable to IP spoofing attacks. Minimal security, easily bypassed, fast. Relies on TCP flags.

proxy firewall or application gateway

A firewall that stands between a connection from the outside and the inside and makes the connection on behalf of the endpoints. With a proxy firewall, there is no direct connection. Slower.

IPv6 Header

A fixed size of 40 Bytes.

hidden share

A folder whose folder name ends with a $ symbol. When you share the folder, it does not appear in the Network window or My Network Places window.

WINREG

A key in the registry that controls share permissions for the registry.

CRL (Certificate Revocation List)

A list of certificates that are no longer valid. A client must download the entire CRL after each update. CRL downloads can be network intensive, so a cached CRL may exist. Cached CRLs may create a time gap in which a client unknowingly relies upon a revoked cert.

Password dumps

A list of hashed passwords that attackers reference

Group Policy Object (GPO)

A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory.

Computational complexity

A measure of how economical an algorithm is with time and space.

Middleware (network section, tier)

A network segmentation to separate the DMZ from the private, internal network. An example may include a proxy, which inspects traffic coming in from the DMZ intended for a database on the private network. The middleware inspects traffic for threats. Traffic from the private network intended for the DMZ is also inspected in the proxy (reverse proxy).

Nmap

A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.

Advanced Package Tools (APT)

A package management tool that's most often used atop Debian packages, although a version for RPM also exists. APT enables package installation and updates from Internet repositories, including automatic dependency resolution.

Metasploit

A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.

Responder

A popular tool among pentesters that is used to capture credentials. It is a poisoning tool that responds to Link-Local Multicast Name Resolution (LLMNR), multicast DNS (mDNS), and NetBIOS Name Service (NBT-NS) requests from systems where DNS is unavailable or fails to resolve a name.

802.1x

A port-based authentication network access control (NAC) mechanism for networks. The X stands for extensible, meaning that one can apply various forms of authentication to decide whether to grant access to a network.

Tractable problem

A problem that can be solved in polynomial time. (Quickly)

Authentication

A process in which a subject proves they possess one or more valid authenticators associated with an identity. Includes three steps:
1. Claimant presents authenticator to verifier
2. Verifier checks validity of authenticators
3. Verifier asserts the identity of the claimant

X.25 packet assembler / disassembler (PAD)

A service for older X.25 protocol communications. Consider disabling on public-facing routers.

Digital Identity

A set of data that uniquely describes a person or a thing.

What is a protocol stack

A set of network protocol layers that work together to implement communications.

What is a network protocol

A set of rules dictating how computer networks communicate through network hardware and software. The protocols define the format and order of messages and actions to be taken.

Web Application Firewall

A special type of application-aware firewall that looks at the applications using HTTP.

Nftables

A subsystem of the Linux kernel, built on iptables. Another firewall option.

Vulnerability assessment

A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is a potential harm. Like pentesting without actually breaking in.

ASLR (Address Space Layout Randomization)

A sysctl hardening technique that randomizes the address space layout of processes, so attackers do not know where in memory to target a vulnerability.

site-to-site VPN

A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.

client-to-site VPN

A type of VPN in which clients, servers, and other hosts establish tunnels with a private network using a VPN gateway at the edge of the private network. Each remote client on a client-to-site VPN must run VPN software to connect to the VPN gateway, and a tunnel is created between them to encrypt and encapsulate data. This is the type of VPN typically associated with remote access.

SSL VPN

A type of VPN that uses SSL encryption. Clients connect to the VPN server using a standard Web browser, with the traffic secured using SSL. The two most common types of SSL VPNs are SSL portal VPNs and SSL tunnel VPNs.

Mandatory Access Control (MAC)

A type of control that applies to all resources via system enforced credentials that are non transferable. MAC requires that all users have clearance and all data have classification levels.

NFC

A wireless technology (near field communication) that lets your mobile device communicate over very short distances (1-2 inches), such as when paying for goods on wireless payment devices, or Bluetooth.

Authenticator Assurance Levels (3)

AAL1: single factor at least
AAL2: any 2 factors plus strong crypto
AAL3: selected 2 factors plus strong crypto

Domain GPOs are stored in...

AD

Active Directory (AD)

AD is like a registry for the entire network. It is a Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.

ACE

Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS.

ACL

Access control list. Routers and packet-filtering firewalls perform basic filtering using an ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols.

ARP

Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates. VLAN segregation helps prevent the scope of ARP poisoning attacks within a network.

Internet Layer (TCP/IP Model)

Adds another header and includes IP information on how to route the packet to the destination

Network Layer (TCP/IP Model)

Adds another header, includes information for routers to get to the destination, puts the packet onto the wire for transmission

Error correction code (ECC) memory

Adds extra bits to each data unit to detect if data has been corrupted

AES

Advanced Encryption Standard

iptables

Allows a system administrator to alter the Linux kernel firewall. They can create rules determining whether a packet is dropped or accepted. Filters incoming, outgoing, and forwarded traffic.

Quality update

Also called patches or hot fixes. Smaller updates that occur monthly to fix security vulnerabilities and other things that the user may not notice.

Protected Enclaves

An approach to defence-in-depth that involves segmenting your network using multiple VPNs, VLAN segmentation, switches, or firewalls to separate out networks. Reducing the exposure of a system can greatly reduce risk. Restricting access to critical segments.

Authentication Header (AH)

An IPSec component that provides connectionless integrity and the authentication of data. It also provides protection against replay attacks.

Encapsulating Security Payload (ESP)

An IPSec component that provides the same services as AH but also provides confidentiality when sending data.

.msi file

An app packaged for installation by the Windows Installer service.

Uniform Protection

An approach to defence-in-depth that treats all systems as equally important. The most common approach taken, but it could also be the weakest: malicious insiders are the big threat. Firewall, VPN, antivirus, patching, etc.

Information-centric

An approach to defence-in-depth in which you identify critical assets and provide layered protection: Network -> Host -> Application -> Information. Thoroughly checks the data leaving your network.

Vector-Oriented

An approach to defense-in-depth in which the focus is on preventing a threat from using a vector, such as malicious USB drives (disable USB), email attachments (block or scan attachments), or spoofed email (verify addresses).

Downgrade Attack

An attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode.

SQL injection attack

An attacker issues a SQL command to a web server as part of the URL or as input to a form on a company's website; web server might pass the command onto the database which then allows potentially anything to be done to the database

Block Cipher

An encryption algorithm in which data is encrypted in "chunks" of a certain length at a time. Popular in wired networks.

Symmetric Encryption

An encryption method in which the same key is used to encrypt and decrypt a message. Also known as private-key encryption or secret key.

UEFI (Unified Extensible Firmware Interface)

An interface between firmware on the motherboard and the operating system that improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads. UEFI also manages motherboard settings and secures the boot to ensure that no rogue operating system hijacks the system.

Wi-Fi Alliance

An international, nonprofit organization dedicated to ensuring the interoperability of 802.11-capable devices.

Data Encryption Standard (DES)

An older block cipher selected by the United States federal government in the 1970s as its encryption standard; because of its short 56-bit key it is now deprecated. 56 bit key size, 64 bit block size. 4 modes: 1. Electronic code book (ECB) 2. Cipher block chaining (CBC) 3. Output feedback (OFB) 4. Cipher feedback (CFB)

rogue access point

An unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks.

Data Loss Prevention Strategies

Backups & redundancy Access control (users cannot delete what they don't have access to)

Serverless and application security

Application security is more important with serverless, since there's less infrastructure to attack the focus shifts to the application functions Every function crosses a trust boundary, so functions need to be secured independently

ASICs

Application-specific integrated circuits: used in layer 2 switches to make forwarding decisions at line rate. The ASIC looks up the destination MAC address of a received frame in the switch's filter (CAM) table and forwards the frame only out the port where that address was learned, so the frame traverses only that one segment. If the destination address is unknown, the frame is flooded out all ports except the one it arrived on.

Layer 7 (OSI Protocol Stack)

Application... This layer interacts with the application to determine which network services are required.

Input Attacks (4 examples)

Applications accept input from users at an entry point , or 'trust boundary' - OS command injection - buffer overflows - SQL injection - cross-site scripting

Linux services

Applications running in the background waiting to be used or carrying out an essential task. Also called daemons; their names conventionally end in the letter 'd' (sshd, syslogd).

Symmetric vs. Asymmetric cryptosystem key length

Asymmetric more resource intensive and less secure at the same key length Thus asymmetric keys are typically longer Symmetric keys usually range from 40-256 bits Asymmetric keys typically over 1000 bits

Elliptic Curve Cryptography (ECC)

Asymmetric. Usage in wireless and mobile communications, where high speed, low power consumption, high security, and small keys needed. Cracking ECC means compromising poor implementations. So far the algorithm itself has not been compromised

Serverless security concerns (3)

Attack surface is 'bigger' , anyone can deploy a function making it difficult to track who is doing what Tracking who is authorized to deploy functions is difficult Compliance - how is sensitive data stored, is implementation compliant.

Side Channel Attack or timing attack

Attack that uses information (timing, power consumption) that has been gathered to uncover sensitive data or processing functions, with the goal of discovering the encryption key

Data Normalization

An IDS normalizes traffic for the protocols it understands (reassembling fragments, decoding alternate encodings) so that its signatures match what the end host will actually process. Attackers try to evade detection by sending traffic in non-normalized forms (overlapping fragments, unusual encodings) that the IDS and the target interpret differently.

Password spraying

Attempting a couple common passwords on many accounts

Physical design (network architecture)

Builds upon the logical design by providing detailed aspects of the network components. Details include OS versions, patch levels, hardening configurations, risk categorization, etc. Physical design also considers physical risks such as network cable location and the risk of communication interception: physical security can betray logical security controls.

Windows Defender firewall

Built in firewall, Stateful dynamic filtering Per application and per service rules Ingress and egress filtering

Windows filesystems

CDFS (for CD-ROMs) FAT32 FAT exFAT ReFS NTFS

Attacks against switches (5 examples)

CDP Information Disclosure MAC Flooding DHCP Manipulation STP Manipulation VLAN Hopping

file integrity checking

Calculates hashes on system files as a baseline (Periodically recalculates the hashes on the files and compares them with the hashes in the baseline)

advantages of HIDS

Can see what NIDS can't, such as - pre/post encryption data - more insight into internal network, not just perimeter - identifies attacks on systems - more details about host can reduce false positives Last line of defense, all other security devices have failed to detect activities

CIS

Center for Internet Security

chgrp (Linux)

Change group ownership

chown command (Linux)

Changes file ownership and group ownership

CDP Information Disclosure

Cisco Discovery Protocol is used by switches and other Cisco devices to advertise themselves to neighbours. Sniffing or querying this protocol gives an attacker the types and versions of switches, their OS, and other details useful for targeting administrative access to the switches.

Asset Classification

Classification levels with its own properties and security measures (unclassified, confidential, secret,etc)

CIDR

Classless Inter-Domain Routing. Notation for IP address blocks as prefix/length (e.g. 10.0.0.0/8, 192.0.2.0/24). Cloud networks (VPCs, VNets and their subnets) are defined as CIDR blocks.

Storing passwords

Clear text password + random salt -> key derivation function -> hashed password (store the salt, the work factor and the hash, never the password). To authenticate, run the supplied password through the same function with the stored salt and compare the result with the stored hash in constant time.

Cloud-native security services

Cloud providers such as AWS, Azure, GCP can provide... Cloud management plane logging Log monitoring & dashboard Threat detection Traffic mirroring Etc...

CSA

Cloud security alliance An organization dedicated to providing best practices for the cloud

Computer management tool (windows)

CompMgmt.msc , for managing local accounts

CI/CD

Continuous integration/ continuous delivery Software changes to running applications delivered using automation, including the delivery of IaC.

CIA

Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

UDP (User Datagram Protocol)

Connectionless protocol used instead of TCP in applications where delivery speed matters more than reliability: no handshake, no retransmission, no ordering guarantees.

Router

Connects networks together and determines the path a packet will take over the network

Cryptosystem

Consists of the algorithm (cipher) and cryptovariable (key), as well as all the possible plaintexts and ciphertexts produced by the cipher and key.

Linux lxc

Linux Containers: creates OS-level containers in Linux using kernel namespaces and cgroups

VM Sprawl

Creating virtual machines and not shutting them off or deleting them after they are no longer needed. Adversaries could break into these VMs looking for sensitive data.

Cryptography vs Steganography

Crypto provides confidentiality of the content but not secrecy of the communication: it is easy to detect that a message was sent, just not to read it. Stego hides the fact that a message was sent at all.

DMZ (network section, tier)

Demilitarized zone - a network tier intended to be public facing, systems include web servers, email servers, DNS, etc. This tier is at greater risk of compromise because it faces the public internet at all times. Assume it will be compromised.

Traditional UDP uses

DNS requests and responses VOIP

DLP

Data Loss Prevention

Attacks Against Routers (5 examples)

Denial of Service Distributed Denial of Service Packet Sniffing Packet Misrouting Routing Table Poisoning

Layer 2 (OSI Protocol Stack)

Data link....connects the physical part of the network (cables and electrical signals) with the abstract parts (packets and data streams)

Kerberos

Default authentication protocol for AD. Kerberos tickets convey the user's SID and group SIDs to the target server. Tickets are encrypted with keys derived from account passwords: the TGT with the krbtgt key held only by DCs, service tickets with the service account's key, and the initial exchange with the user's own key.

NIPS characteristics

Deployed inline at network aggregation points Uses ASICs for throughput Uses data normalization and reassembly techniques Hierarchical rules and classification schemes identify traffic Because it blocks traffic inline it cannot tolerate false positives, so it is tuned conservatively and identifies fewer attacks than a NIDS

DFIR

Digital Forensics and Incident Response

sysctl hardening

Disable source routing Tune IPv4/IPv6 settings (ignore redirects, enable reverse-path filtering) Log suspicious (martian) packets ASLR Exec Shield Disable dynamic kernel module loading after boot

Bluetooth Protections

Disable unnecessary Bluetooth profiles Do not have it always on Install patches Upgrade when available

DACL

Discretionary Access Control List. List of Access Control Entries (ACEs) in Microsoft's NTFS. Each ACE includes a security identifier (SID) and a permission.

LINUX df

Disk free, shows currently mounted disk partitions and size

DHCP Manipulation

Dynamic Host Configuration Protocol is used to communicate the network configuration to other devices on the network. An attacker could monitor this protocol and respond to DHCP requests sooner than the intended recipient, placing the attacker's device in the middle of legitimate network traffic - a type of Machine in the Middle position.

Enforce stronger passwords and locking accounts after too many login attempts in linux

Edit the PAM configuration files, e.g. /etc/pam.d/system-auth

Security implications of VPNs

Encrypted tunnels may bypass security devices Encryption prevents you from reading your own network traffic

2DES

Encrypting using DES 2 times. Vulnerable to meet in the middle attack Does not significantly improve encryption

HTTPS (SSL/TLS)

Encryption for the transport layer Confidentiality with symmetric encryption Session key establishment Integrity via hashing Authentication

Asymmetric Key Cryptography

Encryption that uses two separate keys—a key pair—for secure communication. Data encrypted with one key requires the other key in the key pair for decryption.

DFIR sub disciplines

Endpoint - specialist in endpoint computer system artifacts Endpoint memory Network Threat intelligence Reverse engineering

feature update

Enhancements to the software to provide new or expanded functionality, but do not address security vulnerability. For Microsoft, this happens twice a year, these are big updates, previously called service packs

Static properties malware analysis

Examines the properties of malware without executing the code - looks for ascii strings, Unicode, encryption. Can run a hash to compare with other malware samples

Serverless computing

FaaS functions as a service -no dedicated containers - event triggered computing requests -ephemeral environment -servers managed by 3rd party

HIPS challenges

False positives still a challenge Implementation and maintenance challenges Supports limited suite of applications (little support for custom apps) Not a replacement for patching or antivirus defense Uses more system resources for in depth anomaly analysis

symmetric key cryptosystem characteristics

Fast Requires secure key distribution channel No technical non-repudiation

Foundation of defense in depth

Filtering. Network based filtering - firewalls, anti-DDoS, proxy servers, mail relays. Host based filtering - anti-malware software, application controls

MAC Flooding

Flooding the switch with frames from thousands of fake source Media Access Control (MAC) addresses fills its CAM (MAC-to-port) table. Once the table is full the switch can no longer learn legitimate addresses and floods frames for unknown destinations out every port, effectively behaving like a hub and letting the attacker sniff other hosts' traffic. Port security (limiting the MACs learned per port) mitigates it.
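The CAM-table mechanics from the ASICs card and the flooding attack above, as an added Python simulation (not SEC401 code). The switch model, port numbers, MAC addresses, table size and the port-security limit are all invented for the demo; it runs the attack once against an unprotected switch and once with a per-port MAC limit:

```python
class ToySwitch:
    """Learning switch with a bounded CAM table and optional port security."""

    def __init__(self, ports, cam_capacity, port_limit=None):
        self.ports = set(ports)
        self.capacity = cam_capacity
        self.port_limit = port_limit        # max learned MACs per port (None = off)
        self.cam = {}                       # mac -> port
        self.disabled = set()               # err-disabled ports
        self.flooded = 0

    def age_out(self):
        """Simulate the aging timer expiring for every entry."""
        self.cam.clear()

    def forward(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, return the set of egress ports for dst_mac."""
        if in_port in self.disabled:
            return set()
        if src_mac not in self.cam:
            learned_here = sum(1 for p in self.cam.values() if p == in_port)
            if self.port_limit is not None and learned_here >= self.port_limit:
                self.disabled.add(in_port)  # port-security violation: shut the port
                return set()
            if len(self.cam) < self.capacity:
                self.cam[src_mac] = in_port
            # table full: nothing learned, frames to this host will be flooded
        out = self.cam.get(dst_mac)
        if out is None:
            self.flooded += 1               # unknown unicast: flood everywhere else
            return self.ports - {in_port} - self.disabled
        return {out}


def mac_flood_demo(capacity=256, attack_frames=1000):
    """Victims A (port 1) and B (port 2); attacker on port 3. Run the attack
    against an unprotected switch and one with port security (2 MACs/port)."""
    results = {}
    for label, limit in (("unprotected", None), ("port_security", 2)):
        sw = ToySwitch(ports=[1, 2, 3], cam_capacity=capacity, port_limit=limit)
        a, b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
        sw.forward(1, a, b)
        sw.forward(2, b, a)
        before = sw.forward(1, a, b)        # both learned: delivered to port 2 only
        sw.age_out()                        # entries expire; attacker races to refill
        for i in range(attack_frames):
            fake = "de:ad:be:ef:%02x:%02x" % (i >> 8, i & 0xFF)
            sw.forward(3, fake, "de:ad:be:ef:ff:ff")
        sw.forward(2, b, a)
        after = sw.forward(1, a, b)
        results[label] = {"before": before, "after": after,
                          "cam_entries": len(sw.cam), "disabled": set(sw.disabled)}
    return results


if __name__ == "__main__":
    for label, r in mac_flood_demo().items():
        print(label, r)
```

Without port security the A-to-B frame goes to ports {2, 3} after the attack, so the attacker on port 3 sees it; with port security port 3 is err-disabled after its third new MAC and A-to-B stays on port 2 alone.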

Cryptanalytic Attacks

Focus on the mathematics of crypto algorithms, separated into the following types of attacks: - analytic: uses algorithms and math to determine the key or reduce the key space to search - statistical: uses statistics to find weaknesses in keys - differential: analyzes how differences between plaintexts propagate under a key; best suited to symmetric block and stream ciphers - linear: examines pairs of plaintext and ciphertext and weaknesses in keys; suited to symmetric block and stream ciphers - differential-linear: a combination of the two

Data classification labels (DLP policy)

For a DLP tool to work, each piece of data must have a classification. The owner of the data should assign the classification. A DLP tool could make a suggestion depending on the contents.

Switched Port Analyzer (SPAN)

For sniffing on a switch — The Cisco switch feature that allows the network engineer to configure the switch to monitor a subset of frames that the switch forwards, to copy those frames, and to send the copies out a specified destination port.

Malware analysis levels

From a high level, two stages - behavioral and code. These can be broken down further as - fully automated analysis - static properties analysis - interactive behavior analysis - manual code reversing

backup methods

Full System Imaging - everything; Differential backup - backs up files that have been modified since the last full backup; Incremental backup - backs up all files that have changed since last full or incremental; Continuous backup- backup occurs after each change

5G

Future of mobile communications Low latency, high bandwidth, multi-client support Self driving cars, IoT, home internet

GPG

GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.

GPMC

Group Policy Management console, server tool for managing GPOs.

Session Tracking

Helps to maintain state, since HTTP is stateless. To track sessions you need a token, numeric ID,session ID or other info to be passed between client and server.

Web application authentication (2 types)

HTTP authentication - credentials sent in the HTTP Authorization header: basic mode sends username:password Base64 encoded (effectively clear text unless carried over TLS); digest mode sends an MD5 hash computed over the credentials, realm and a server nonce, so the password itself is not transmitted. Form based authentication - credentials entered in an HTML form and sent as form data in the request body (protect with TLS).

Logical Topology

How communication is logically formed prior to transmission

HIPS

Host Based Intrusion Prevention System

IPv4 key fields (6 of 13 fields)

IP version, 4 bits Protocol, 8 bits Time to live (TTL), 8 bits Fragmentation, 16 bits (3 bits of flags, 13 bits of fragment offset; used to break packets into smaller packets) Source address, 32 bits Destination address, 32 bits Options - the minimum header length is 20 bytes; options are added in 4-byte units (the IHL field counts 32-bit words, so the header is at most 60 bytes); options are rarely used in legitimate traffic today
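A parser for the fields listed above, as an added Python example (not SEC401 code). The builder exists only so the demo can construct sample headers offline; the checksum routine follows RFC 1071, and the anomaly list reflects the card's point that options and contradictory fragment flags are rare in legitimate traffic:

```python
import socket
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto=6, ttl=64, df=False, mf=False,
                      frag_offset=0, options=b"", payload_len=0):
    """Construct a header (demo input only); options are padded to 4-byte units."""
    options = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4                      # IHL counts 32-bit words
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0x1234,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data):
    """Decode the key fields from raw bytes; raises ValueError on a malformed header."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": header_len,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,   # 13 bits, units of 8 bytes
        "ttl": ttl,
        "protocol": proto,                    # 1 ICMP, 6 TCP, 17 UDP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": data[20:header_len],
        "checksum_ok": ipv4_checksum(data[:header_len]) == 0,
    }


def header_anomalies(h):
    """Things an analyst would flag in a parsed header."""
    findings = []
    if h["options"]:
        findings.append("IP options present (rare in legitimate traffic)")
    if h["df"] and (h["mf"] or h["frag_offset"]):
        findings.append("DF set on a fragment (contradictory flags)")
    if h["mf"] and h["frag_offset"] == 0 and h["total_len"] - h["header_len"] < 8:
        findings.append("tiny first fragment (possible IDS evasion)")
    if not h["checksum_ok"]:
        findings.append("bad header checksum")
    if h["src"] == h["dst"]:
        findings.append("source equals destination (LAND-style packet)")
    return findings


if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", payload_len=20)
    print(parse_ipv4_header(pkt))
    odd = build_ipv4_header("10.0.0.1", "10.0.0.2", df=True, mf=True,
                            options=b"\x83\x07\x04\x0a\x00\x00\x09")
    print(header_anomalies(parse_ipv4_header(odd)))
```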

ISO OSI Protocol Stack

ISO = international Standardization Organization OSI = open Systems Interconnection 7. Application 6. Presentation 5. Session 4. Transport 3. Network 2. Data Link 1. Physical

IAM

Identity and access management

IAL

Identity assurance level .... level of confidence regarding an identity Outlined in NIST 800-63

Process of enrollment

Identity proofing Identity assurance level Issuance of credentials

policy enforcement

If policy not enforced, then it's a guideline. compels others to comply with the laws, rules, regulations, ordinances, and policies created in conjunction with policy development.

Azure IAM

If/then rules allow the administrators to manage the system

CFA (controlled folder access)

In windows 10, it blocks apps from making changes to specified folders

Conceptual Design (network architecture)

Includes the core components of a network architecture Will consider OS platforms, server services, critical core operational functions, etc. Helps to understand the overall purpose the network ('WHY' we have it and the "WHAT' it helps us to achieve) May utilize the concept of "closed-box" diagramming

Log Monitoring

Inclusive analysis - log monitor raises alert if key words are found in logs, such as login failed or unauthorized access Exclusive analysis - list events that can be ignored, alert events not on list
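Both approaches run over the same sample, as an added Python example (not SEC401 code). The log lines, keyword lists and benign-event lists are constructed for the demo; the point it shows is that the exclusive list surfaces an event the inclusive keywords never anticipated:

```python
import re

# Constructed syslog-style sample; hosts, users and addresses are invented.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 host1 sshd[1201]: Accepted publickey for alice from 10.1.1.5 port 51022",
    "Jan 10 10:01:09 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 40110",
    "Jan 10 10:01:10 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 40110",
    "Jan 10 10:02:00 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 10 10:02:31 host1 sudo: bob : user NOT in sudoers ; COMMAND=/bin/bash",
    "Jan 10 10:03:00 host1 systemd[1]: Started Daily apt download activities.",
    "Jan 10 10:03:15 host1 kernel: usb 1-1: new high-speed USB device number 4",
    "Jan 10 10:04:00 host1 sshd[1210]: Accepted password for root from 198.51.100.9 port 4444",
]

# Inclusive: the things we already know are bad.
INCLUDE_PATTERNS = [r"Failed password", r"NOT in sudoers", r"unauthorized",
                    r"new .* USB device"]

# Exclusive: the things we know are routine; everything else gets a look.
EXCLUDE_PATTERNS = [r"CRON\[\d+\]: \(root\) CMD", r"systemd\[1\]: Started",
                    r"Accepted publickey for \w+ from 10\."]


def inclusive_alerts(lines, patterns=INCLUDE_PATTERNS):
    """Alert only on lines that match a known-bad keyword."""
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [line for line in lines if any(r.search(line) for r in regs)]


def exclusive_alerts(lines, patterns=EXCLUDE_PATTERNS):
    """Alert on every line that is NOT on the known-benign list."""
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [line for line in lines if not any(r.search(line) for r in regs)]


def failed_login_sources(lines, threshold=2):
    """Aggregate a keyword hit by source address so repeats become one alert."""
    counts = {}
    for line in lines:
        m = re.search(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    inc, exc = inclusive_alerts(SAMPLE_LOGS), exclusive_alerts(SAMPLE_LOGS)
    print("inclusive:", len(inc), "exclusive:", len(exc))
    for line in set(exc) - set(inc):
        print("only the exclusive list caught:", line)
    print(failed_login_sources(SAMPLE_LOGS))
```

The root password login from an outside address matches no failure keyword, so the inclusive list is silent on it; the exclusive list flags it because it is not on the benign list. The cost is tuning: every new routine event has to be added to the exclusion list or it becomes noise.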

Encrypting DES multiple times will...

Increase security (3DES), because DES is not a group. If an algorithm were a group, encrypting twice with two keys would be equivalent to encrypting once with some third key, so multiple encryption would not improve security.

Basics of Secure Coding

Initialize all variables before use Validate all user input before use Don't make your application require admin permissions on the server or database Handle errors and don't display errors to end users Employ least privilege/limit access Don't store secrets in your code Use tested, reliable libraries or modules for common functions (authentication, encryption, session tracking) Watch for vulnerability notifications in any utilized open-source libraries

OWASP Top Ten

(2017 edition) 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging and Monitoring

Log filtering (3 methods)

Input driven - log and keep everything Output driven- log only what you know you need Recommended- drop high volume logs you do not need

Application Security (4 practices)

Input validation (use allow lists and deny lists to prevent unwanted data processed by the function) Data sanitization (data sent to outside sources sanitized to prevent attack payload) Code review (developers should spend extra time debugging code) Dependency checking (check shared libraries for vulnerabilities)

Buffer overflow attack

Inputting so much data that the input buffer overflows. The overflow contains code that takes control of the computer.

stateful firewall

Inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic. The process of inspecting traffic to identify unique sessions is called stateful inspection.

Privileged Access

Is access to a computer system with elevated access rights, such as root or administrator, or access to service accounts

JEA

Just Enough Administration, a PowerShell feature that delegates a limited, defined set of admin tasks to users without giving them full administrator rights

KDF

Key derivation function

Rainbow Tables

Large pregenerated data sets of password hashes (stored as hash chains) used to reverse captured hashes in password attacks. Defeated by per-user salting, which makes each hash unique.

MAC address (Media Access Control)

Layer 2 - A unique identifier assigned to network interfaces for communications on the physical network segment.

L2TP

Layer 2 Tunneling Protocol. UDP 1701. Normally carried inside IPsec (L2TP/IPsec), so you should never see unencrypted L2TP traffic on 1701

Strong password policy (4 do's)

Length greater than 8 Check for recognizable words or number sequences Block after x failed attempts Force change in case of suspected breach

Core components of endpoint security

Limit attack surface - patch, update services, turn off services, control access Effective security - asset inventory, configuration management, change control

Sysctl

Linux command used to modify kernel parameters at runtime

/etc/shadow

Linux file that contains the hashed (not encrypted) password, with its salt and hashing scheme, as well as password and account expiry parameters for each user account. Readable only by root.

AppArmor

Linux kernel module to restrict app capabilities

PAM (Pluggable Authentication Modules)

Linux system libraries, configured under /etc/pam.d, used for authentication-related services. Four module types: Authentication, Passwords, Sessions, Accounts

LUKS

Linux unified key setup, the standard for Linux hard disk encryption

Global versus local

Local users and groups are accounts in the database of non-domain controllers . Domain users, computers, and groups have AD accounts

DLP policies

Locations - Tell DLP tools where to look for files Conditions - tell the DLP tool what to look for Actions - tell the DLP tool what to do

Syslog

Main logging system in Linux, syslogd is the daemon. Almost everything can make log entries

bridge

Maintains track of network addresses, segments traffic, breaks up collision domains, connects segments of internal networks

Protection from session attacks

Make session IDs random Store and pass session IDs between browser and server, store other session information in a database, keyed by session ID Encrypt session cookies Provide new session ID upon authentication Session IDs should timeout
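The session-tracking card and the protections listed above, put together as an added Python example (not SEC401 code). The store keeps all state server-side keyed by a random ID, so the cookie carries nothing an attacker can decode or forge; the idle timeout value, the cookie name and the injectable clock are assumptions made for the demo:

```python
import secrets
import time

SESSION_TTL = 900   # assumed idle timeout in seconds


def cookie_header(sid, name="session"):
    """Set-Cookie line for an opaque session ID: HttpOnly keeps scripts away
    from it, Secure keeps it off plaintext HTTP, SameSite limits cross-site
    sending. Over TLS the cookie itself needs no extra encryption because it
    holds only a random ID."""
    return "Set-Cookie: %s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (name, sid)


class SessionStore:
    """Server-side session table keyed by a random ID; the browser only ever
    holds the ID, all other session state stays on the server."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self.ttl = ttl
        self.clock = clock   # injectable so timeouts can be tested

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter
        self._sessions[sid] = {"data": dict(data or {}), "last": self.clock()}
        return sid

    def get(self, sid):
        """Return session data, or None if unknown or idle past the TTL."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() - rec["last"] > self.ttl:
            del self._sessions[sid]
            return None
        rec["last"] = self.clock()
        return rec["data"]

    def login(self, sid, user):
        """On successful authentication move the state to a brand-new ID, so an
        ID an attacker planted or observed before login is worthless (session
        fixation defense). Returns the new ID to set in the cookie."""
        data = self.get(sid)
        if data is None:
            return None
        del self._sessions[sid]
        data["user"] = user
        return self.create(data)

    def logout(self, sid):
        """Invalidate server-side; expiring the cookie alone is not enough."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(ttl=60)
    anon = store.create({"cart": ["book"]})
    authed = store.login(anon, "alice")
    print(cookie_header(authed))
    print(store.get(anon), store.get(authed))   # None {'cart': ['book'], 'user': 'alice'}
```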

GCP IAM

Managed by group permission roles, members

AWS IAM

Manages authorizations by policies, granular permissions. Can link accounts with other platforms- google or Microsoft

HIDS challenges

Managing updates Each sensor has tunnel vision A central console is needed to identify trends and wide-scale events Can be more costly than NIDS Uses resources on the host, can impact performance

Lattice based access control ( LBAC)

Mandatory access control that defines restrictions on the interactions between subjects and objects. A subject can access an object if the subject's security level is equal to or higher than the object.

MMC (Microsoft Management Console)

Means of managing a system, introduced by Microsoft with Windows 2000. The MMC enables an administrator to customize management tools by picking and choosing from a list of snap-ins. Available snap-ins include Device Manager, Users and Groups, and Computer Management.

MAN

Metropolitan Area Network

switch

Micro-segmentation with each port receiving traffic for the appropriate host using the MAC address

Servicing channels

Microsoft options for delaying the installing of new updates -semi annual (quality updates-30 day delay or 35 for home users, 18 months for feature updates) - windows insider (access to feature updates still in development) - long term channel (never get feature updates, only monthly quality updates available)

GPO Administrative templates

Effectively a custom registry view: a user-friendly way to manage registry-backed settings through Group Policy. Template files come in ADM, ADMX and ADML formats

Ethernet

Most common communication mechanism on networks worldwide. Uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection): a station listens to make sure nobody else is transmitting before it sends, and monitors the medium while transmitting to detect collisions.

Encapsulation (protocol stack)

Moving down the protocol stack with each layer doing work and adding headers.

Decapsulation (protocol stack)

Moving up the protocol stack with each layer doing work and removing headers.

NIPS

Network Based Intrusion Prevention System

Two types of IDS

Network IDS Host IDS

NIC

Network Interface Card

NAC

Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC. NACs help keep potentially malicious devices from connecting to the network

OSI Model Vs. TCP/IP Model

OSI is most commonly referenced and detailed in practical application TCP/IP is most commonly used in real application Both models must do the same work , TCP/IP does more work within each layer

NIDS

Network-based intrusion detection system. IDS used to monitor a network. It can detect network-based attacks, such as smurf attacks. A NIDS cannot monitor encrypted traffic, and cannot monitor traffic on individual hosts.

Layer 3 (OSI Protocol Stack)

Network....handles the network addressing scheme and connectivity of multiple network segments. It describes how systems on different network segments find and communicate with each other

Software Defined Networking (SDN)

Networking from a virtualized concept Can visualize the network as a whole and segment accordingly Can be achieved programmatically

NTFS

New Technology File System. A file system used in Microsoft operating systems that provides security, permissions, encryption, compression,journaling, transactions oriented processing, theoretical volume size is 8PB (8,000 terabytes).

NTLM

NT LAN Manager. Predecessor to Kerberos as the Windows domain authentication protocol, designed to improve on LANMAN (LM). The LM hash is built by padding the password to 14 characters, converting it to uppercase and splitting it into two 7-character halves that are each used as a DES key to encrypt a constant; the halves can be cracked independently, which makes LM easy to crack. For backward compatibility Windows may also store the LM hash alongside the NT hash, unless the password is 15 characters or longer (LM cannot represent it) or LM storage is disabled by policy. NTLMv1 is older and has known vulnerabilities. NTLMv2 is stronger, but unlike Kerberos it still exposes password-derived material to relay and offline guessing attacks.

OS identification (nmap)

Nmap can send a number of packets to remote hosts and listens to the responses. OS's respond in slightly different ways, creating a signature, thus giving away the type of OS you are interacting with

Steganography Detection

No universal method Histograms may detect encrypted files Stego inside images may be detected by analyzing the least significant bits.

AADDS (Azure Active Directory Domain Service)

Not the same as Azure AD (MAAD) itself. AADDS provides traditional domain controller services (Kerberos, NTLM, Group Policy, LDAP), which Azure AD does not provide.

Threat Agents

Opportunistic Organized cyber crime Advanced Persistent Threats (nation states)

NIST SP 800-145 and ISO/IEC 17788 define the essential characteristics of cloud computing as

On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service Multitenancy (added by ISO/IEC 17788)

Where to deploy NIPS

On perimeter in front and/or behind a firewall. Deploying between firewall and ISP routers protects firewalls and DMZ Deployment behind the firewall protects internal network from remote access VPN and helps detect infected internal hosts

Meet-in-the-middle attack

One cryptanalysis method that is used to defeat a multi-step encryption process uses both the original clear text to work forward toward an intermediate value, and the ending cipher text to work backward toward an intermediate value so that the key space that is to be defeated is smaller and more computationally manageable
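The attack above, applied to the 2DES-style double encryption from the 2DES card, as an added Python example (not SEC401 code). The cipher is a toy 4-round Feistel with a 16-bit block and a 14-bit key, invented here so that the whole key space fits in memory; the known plaintext/ciphertext pairs are constructed. It shows why doubling the cipher buys almost nothing: the search costs about 2 x 2^14 cipher operations instead of the 2^28 a naive attacker would need:

```python
KEY_BITS = 14
MASK8 = 0xFF


def _f(half, subkey):
    """Toy non-invertible round function on an 8-bit half block."""
    x = (half ^ subkey) & MASK8
    return ((x * 0x9B) ^ (x >> 3) ^ (x << 1)) & MASK8


def _subkeys(key):
    """Four 8-bit round keys taken as overlapping windows of the key."""
    return [(key >> (4 * i)) & MASK8 for i in range(4)]


def toy_encrypt(block, key):
    """4-round Feistel cipher: 16-bit block, KEY_BITS-bit key. Toy only."""
    l, r = block >> 8, block & MASK8
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 8) | r


def toy_decrypt(block, key):
    l, r = block >> 8, block & MASK8
    for k in reversed(_subkeys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 8) | r


def double_encrypt(block, k1, k2):
    """2DES-style construction: C = E_k2(E_k1(P))."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Work forward from P over every k1 and store the intermediate values, then
    work backward from C over every k2 and look for a collision. The first
    pair generates candidates; the remaining pairs weed out false matches,
    which are common because a 16-bit block collides easily.
    """
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(c0, k2)
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                return k1, k2
    return None


if __name__ == "__main__":
    k1, k2 = 0x1A2B, 0x3C4D
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x0123, 0x4567, 0x89AB)]
    print("recovered:", meet_in_the_middle(pairs), "actual:", (k1, k2))
```

Memory is the trade-off: the forward table holds one entry per key, which is why 3DES (three keys, or two with the middle stage reversed) pushes the attack back to 2^112 work rather than letting it collapse to a single key's worth.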

AD Forest

One or more domains Inter-domain replication 2-way transitive trusts Global catalog, global catalog servers Trusts permit resource sharing and SSO across domains

OCSP

Online Certificate Status Protocol. A replacement to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

application control

Only approved apps can run Apps and files are hashed Apps only run if passes hash check

OWASP

Open Web Application Security Project - Improved security of web apps and services. They have a popular "Top Ten" list of web flaws and how to fix them. Injection flaws are the #1 web-app problem. Community driven. Software based. Discuss WebGoat!

identity management

Organizational process for identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems, or networks by associating user rights and restrictions with established identities

Program policy

Overall tone of organization's security approach

Global admin role

The all powerful role in azure over all azure assets.

PBKDF2

Password-Based Key Derivation Function 2. A key stretching function: it combines the password with a random salt and runs a pseudorandom function (HMAC) for a configurable number of iterations, so that every guess costs the attacker the same work. The salt defeats rainbow tables (each user's hash has to be attacked separately) and the iteration count slows brute force. bcrypt is a similar key stretching technique.
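The storage and verification flow from the "Storing passwords" card, using PBKDF2 as described above, as an added Python example (not SEC401 code). The record format, the iteration count and the `needs_rehash` policy hook are assumptions for the demo; only the standard library is used:

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000     # assumed work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per password means two users with the same
    password get different records and a rainbow table is useless."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, stored):
    """Recompute with the stored salt and work factor, compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash format: %s" % algo)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record was made with a weaker work factor than current policy.
    Check this after a successful login and re-hash with the now-known password."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong", rec))                          # False
```

Storing the iteration count in the record is what lets you raise the work factor later without a forced password reset: old records keep verifying, and `needs_rehash` tells you when to upgrade them.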

Five layers of defense in depth

Perimeter Network Host Application Data

PAN

Personal Area Network , such as Bluetooth and zigbee

IAL 3

Physical presence required for identity proofing

Layer 1 (OSI Protocol Stack)

Physical....handles transmission across physical media, includes electrical pulses on wires, radio waves, light pulses, connection specifications between the interface hardware and the network cable, and voltage regulation

MAAD (Microsoft Azure Active Directory)

Planetary scale user and device account database for authentication and access control to office 365, outlook, one drive, Xbox, etc. Microsoft wants every user and every device to be managed through MAAD

RPC (Remote Procedure Call)

Port 135 TCP Used extensively on windows networks (trust relationships, NetLogon secure, Outlook, etc) Typically begins with a client connection to server port 135, server then redirects to a high numbered ephemeral port RPC can go over HTTP (ports 80/443/593) and over SMB (139/445)

PSK

Pre-Shared Key

Layer 6 (OSI Protocol Stack)

Presentation...This layer makes sure that data sent from one end of the connection is received in a format that is useful to the other side. Example: if the sending end compressed the data, then the receiving end decompresses it.

System specific policy

Presents the management's decisions that are specific to the actual computers, networks, and applications

PAM

Privileged Access management

Risk level

Probability x impact x asset value

Accountability

Process of identifying who did what on the system and when

Policy types

Program , issue-specific, system-specific.

regedit.exe

Program used to edit the Windows Registry.

SUID/SGID programs

Programs in Linux whose set-user-ID / set-group-ID bit makes them run with the privileges of the file's owner or group rather than of the user who ran them. Some come with the distribution by default. Watch out for new ones: a malicious SUID/SGID program lets an attacker take over the system. To find them, run: SUID - # find / -perm -4000 -type f SGID - # find / -perm -2000 -type f (the older '+4000' syntax is deprecated in GNU find)

Rootkits

Programs that allow hackers to gain access to your computer and take almost complete control of it without your knowledge. These programs are designed to subvert normal login procedures to a computer and to hide their operations from normal detection methods.

Network design objectives

Protect internal network from external attacks Provide defense in depth through a tiered architecture Control flow of information between systems

PMF

Protected Management Frames (802.11w). Management frames (association, deauthentication, channel switching, etc.) are unauthenticated in legacy 802.11, so an attacker can spoof deauthentication or disassociation frames and cause a wireless DoS. PMF adds integrity protection to management frames so that forged ones are rejected.

NetBIOS (Network Basic Input/Output System)

Protocol that operates at the Session layer of the OSI seven-layer model. This protocol creates and manages connections based on the names of the computers involved. Can be disabled now, it's there for backward compatibility

Identd

Provides for identification of tcp sessions - consider disabling on public facing routers

Network sections

Public Semi public (DMZ) Middleware Private

PKI

Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

RSA Encryption

RSA (Rivest-Shamir-Adleman) is the most widely deployed public-key encryption and authentication system. Asymmetric, with widespread support in SSL/TLS. Its keys are generated from two large prime numbers whose product is hard to factor: the public key encrypts data and verifies signatures, the private key decrypts data and creates signatures.

Wireless DoS Attacks

Radio frequency jamming SNR signal to noise ratio

RaaS

Ransomware as a service. Cyber criminals create customized versions of ransomware for paying customers, who run the campaigns

RWX-

Read Write Execute - no permission

Strategy for fixing an infected system

Rebuild from scratch, never trust a compromised system- start with a clean slate

3 types of pentesting teams

Red team - use the TTPs of adversaries to test systems Adversary emulation- a type of red team exercise, acting like real adversaries Purple team - red and blue work together to test and improved systems

RAID

Redundant Array of Independent Disks or Redundant Array of Inexpensive Disks - a system for replicating data on disks for redundancy

Remote Registry Service

The RemoteRegistry service (historically regsvc.exe) allows the registry to be edited remotely over the network; disable it where it is not needed

WPA1

Released in 2003 Uses RC4 encryption (same as WEP) for backward compatibility Introduced TKIP (Temporal Key Integrity Protocol) to generate "better" per-packet keys Introduced MIC (message integrity check) to prevent message forgery and replay attacks WPA1 and TKIP were found to have large vulnerabilities Deprecated in 2009, do not use!!

WPA2

Released with 802.11i in 2004 Needed additional hardware to use AES Vulnerabilities discovered in 2017 found in the 4-way handshake process led some devices to reuse keys or resort to a key of all 0s

mstsc.exe

Remote Desktop - Microsoft's built in thin client app

hub

Replicates traffic onto all ports, minimal security

ICMP (Internet Control Message Protocol)

Reports errors and supports troubleshooting (destination host unreachable, TTL exceeded in transit)
Provides network information (ping: is the host alive and what is the latency; traceroute)
Resides at the network layer alongside IP

Logical design (network architecture)

Represents the logical functions in the system: putting the conceptual design on paper
Maps the components of the conceptual design onto a network diagram
Later architecture steps leverage and build upon this design step
Uses icons to depict workstations, servers, printers, routers, switches and other devices connected to the network

2 root kit detectors for linux

rkhunter, chkrootkit

Interactive behavior analysis (malware)

Run the malware in a controlled environment. See how it behaves with the system

Bastille (Linux)

Runs scripts on Linux to harden the configurations to industry standards

How to write policies

SMART: Specific, Measurable, Achievable, Realistic, Time-based
5 W's: Who, What, When, Where, Why

HIDS characteristics

Same functionality as a NIDS but runs on the host
Can be more granular than a NIDS
Uses signature and anomaly analysis
Can alert locally, but alerts are generally sent to a central location for parsing and alerting
Monitors inbound and outbound network activity from the host: good for identifying pivoting, reconnaissance, lateral movement and C2

Cron

Scheduling daemon

Basic steps for exfiltration

1. Search for interesting files
2. Collect and prepare (stage) the files
3. Exfiltrate the files

Segmentation (network design)

Segmentation = separation
Assets should not be able to communicate with each other unchecked
An application of the principle of least privilege to the network

IAL 1

Self-asserted identity, not verified or validated

SMB

Server Message Block - protocol used by Windows to share files and printers on a network.

Privileged ports

Ports 0-1023. On Unix-like systems only root (or a process with the matching capability) may bind to them, which is why well-known server services (SSH 22, HTTP 80, HTTPS 443) live there.

RFID

System of tags that contain data which can be read from a distance using radio waves (access badges, inventory tags). Zigbee, sometimes listed alongside it, is a separate low-power wireless networking protocol, not a form of RFID.

Layer 5 (OSI Protocol Stack)

Session: handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and keeps both ends in sync.

SGID (setgid)

Set group ID. On an executable, the process runs with the group of the file's group owner instead of the caller's group; on a directory, new files inherit the directory's group.

SUID linux

Set user ID. An executable with SUID set runs with the file owner's privileges (often root) no matter who runs it. For security, keep SUID programs to a minimum, audit them regularly, and mount untrusted filesystems with nosuid.

Packet inspection - deep vs shallow

Shallow: fast but low fidelity; focuses on header information and limited payload data
Deep: slow; requires stateful tracking; inspects all fields, including the payload

Asymmetric key cryptosystem characteristics

Slow
Public and private key pair
Public keys widely distributed within digital certificates
Used as a secure channel to exchange symmetric keys
Technical non-repudiation via digital signatures

Cookies

Small text files that are sent to your computer from certain websites. They track your behaviour and transactions. Useful because HTTP is a stateless protocol and cookies help track state

Serverless security benefits (4)

Smaller attack surface
No servers to patch
No long-running servers that can be scanned or have malware installed
Fewer compromised servers; easy to reinstall clean servers

SDN

Software defined networking Virtual network

Hypervisor

Software that runs on a physical computer and manages one or more virtual machine operating systems.

Authentication types (3)

Something you know (memorized password)
Something you have (token)
Something you are (fingerprint)

firewalld

Firewall management daemon (a front end to netfilter/nftables) that is the default on several Linux distributions, for example RHEL, CentOS and Fedora.

TCP Header

Source Port, Destination Port, Sequence Number, Acknowledgment Number, Header Length (data offset), Reserved, Code Bits (flags: URG, ACK, PSH, RST, SYN, FIN), Window, Checksum, Urgent Pointer, Options, Data

STP Manipulation

Spanning Tree Protocol is used to ensure that switches do not get stuck in a switching loop. The protocol is similar to CDP and the attack is similar: an attacker injects STP messages to force a network reconfiguration, which can cause a DoS or a MitM.

full disk encryption

System that encrypts all data written to a disk automatically and transparently. Protects data at rest (a lost or stolen powered-off device). Data is decrypted in RAM while the system runs, so an attacker with access to the running system or its memory can still see private data.

HIPS Characteristics

Stops common attack techniques, even unknown ones
Traps system calls marked as dangerous
Combines file integrity monitoring, network monitoring, and application behavior monitoring
Monitors and correlates activity; when it hits a threshold, it blocks the attack

Non-persistent cookies

Stored in memory. Only used during browser session. Deleted when session ends.

Two ways to represent permissions in linux

Symbolic (rwx-)
Absolute/octal (4, 2, 1, 0): Read = 4, Write = 2, Execute = 1, no permission = 0; add the values per class (user, group, other), e.g. rwxr-x--- = 750
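
The SGID, SUID and permission-notation cards above are easiest to see in code. The following is an added example, not part of the SANS material: it converts between the symbolic and octal forms, including the setuid/setgid/sticky bits that appear in the execute slot, and walks a directory for files carrying SUID or SGID, the same check the find(1) one-liner in the comment performs on a live host. The temporary directory and demo file are constructed for the run.

```python
import os
import stat
import tempfile

# Octal weight of each symbolic permission character ('-' carries no bit).
_BITS = {"r": 4, "w": 2, "x": 1, "-": 0}


def symbolic_to_octal(sym: str) -> str:
    """Convert an ls-style string ('rwxr-x---' or '-rwxr-x---') to 4-digit octal.

    The execute slot may also carry a special bit: 's'/'S' in the user slot is
    setuid, 's'/'S' in the group slot is setgid, 't'/'T' in the other slot is
    sticky. Lowercase means execute is set too; uppercase means the special bit
    is set but execute is not.
    """
    if len(sym) == 10:          # drop the file-type character ls prints first
        sym = sym[1:]
    if len(sym) != 9:
        raise ValueError("expected nine permission characters")
    special = 0
    digits = []
    for i in range(3):          # user, group, other
        r, w, x = sym[3 * i:3 * i + 3]
        if r not in "r-" or w not in "w-":
            raise ValueError(f"bad permission character in {sym!r}")
        value = _BITS[r] + _BITS[w]
        if x in "sS" and i < 2:
            special |= 4 if i == 0 else 2       # setuid / setgid
        elif x in "tT" and i == 2:
            special |= 1                        # sticky
        elif x not in "x-":
            raise ValueError(f"bad execute slot {x!r} in {sym!r}")
        if x in "xst":                          # lowercase => execute bit present
            value += 1
        digits.append(value)
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"


def octal_to_symbolic(mode: int) -> str:
    """Inverse of symbolic_to_octal for the low 12 mode bits (e.g. 0o4755 -> 'rwsr-xr-x')."""
    out = []
    for r, w, x, special, ch in (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    ):
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(ch if mode & x else ch.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def scan_special_bits(root: str) -> list:
    """Return (path, octal mode) for every regular file under root with SUID or SGID set.
    Shell equivalent on a live host:
        find / -xdev -type f \\( -perm -4000 -o -perm -2000 \\) -ls
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, f"{stat.S_IMODE(st.st_mode):04o}"))
    return hits


if __name__ == "__main__":
    for s in ("rw-r--r--", "-rwsr-xr-x", "rwxr-s---", "rwxrwxrwt"):
        print(s, "->", symbolic_to_octal(s))
    # Constructed demo directory with one setuid file.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "demo")
        open(p, "w").close()
        os.chmod(p, 0o4755)
        print(scan_special_bits(d))
```

The scan reports the mode as four octal digits so the high digit (4 = setuid, 2 = setgid, 1 = sticky) is visible at a glance; anything in that list that is not a known system binary such as passwd or sudo deserves a look.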

3 types of cryptosystems

Symmetric, Asymmetric, Hash (one-way)

RDP port

TCP/UDP 3389

SSL/TLS port

TCP 443

SMB Ports

TCP port 139 when using NetBIOS
TCP port 445 without NetBIOS (direct-hosted SMB), sometimes called Common Internet File System (CIFS)
Used for file and printer sharing
All SMB/CIFS traffic should be blocked at the perimeter unless tunneled through IPsec or a VPN

LDAP (Lightweight Directory Access Protocol)

TCP port 389: clear text
TCP port 636: SSL/TLS encrypted (LDAPS)
TCP port 3268: AD global catalog, clear text
TCP port 3269: AD global catalog, SSL/TLS encrypted
LDAP is used for searching and editing the AD database

SSH hardening

TCP wrappers (/etc/hosts.allow) or AllowUsers/AllowGroups: only allow specific hosts and users
Disable root login
Set an idle timeout interval
Disable empty passwords
Set a custom SSH warning banner
Block SSH brute-force attacks (rate limiting, lockout tools such as fail2ban)
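
Most of the items in the list above map directly onto sshd_config keywords, so they can be audited rather than eyeballed. The following is an added example and not SANS or OpenSSH code: it parses the global section of an sshd_config (sshd honours the first occurrence of a keyword and everything after a Match line is conditional) and reports each hardening item that is missing. Both config fragments are constructed for the demo; the thresholds (ClientAliveInterval at most 900 s, MaxAuthTries at most 3) are this example's choices. The TCP-wrappers item is not checked here because OpenSSH dropped libwrap support in 6.7; AllowUsers/AllowGroups and a host firewall do that job on current builds.

```python
# Constructed sshd_config fragments for the demo; not taken from any real host.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
#ClientAliveInterval 300   commented out, so the default (0 = no idle timeout) applies
MaxAuthTries 6
Match User backup
    PermitRootLogin no     only applies inside the Match block
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
Banner /etc/issue.net
AllowUsers ops backup
"""


def parse_sshd_config(text: str) -> dict:
    """Return the global settings as {keyword_lowercase: value}.

    First occurrence of a keyword wins, and parsing stops at the first Match
    line, which is how sshd itself resolves the global configuration.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text: str) -> list:
    """Compare the global settings against the hardening items; return a list of findings."""
    s = parse_sshd_config(text)
    findings = []

    def want(key, expected, why):
        actual = s.get(key.lower())
        if actual is None or actual.lower() != expected:
            findings.append(f"{key} is {actual!r}, want {expected!r}: {why}")

    want("PermitRootLogin", "no", "disable root login")
    want("PermitEmptyPasswords", "no", "disable empty passwords")
    want("PasswordAuthentication", "no", "keys only; removes the brute-force target")

    interval = int(s.get("clientaliveinterval", "0") or 0)
    if not 0 < interval <= 900:
        findings.append(f"ClientAliveInterval is {interval}: set an idle timeout (e.g. 300)")

    tries = int(s.get("maxauthtries", "6") or 6)
    if tries > 3:
        findings.append(f"MaxAuthTries is {tries}: lower it to slow brute force")

    if s.get("banner", "none").lower() == "none":
        findings.append("Banner not set: point it at a warning banner file")

    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: restrict who may log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            print("  -", f)
```

On a real host, run it over the output of `sshd -T`, which prints the effective configuration with defaults filled in, rather than over the raw file; that catches values that are merely inherited from compiled-in defaults.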

SQL Server port

TCP 1433 (default instance); UDP 1434 (SQL Server Browser service, used to locate named instances); TCP 1434 (dedicated administrator connection)

TTP

Tactics Techniques Procedures

Transport layer (TCP/IP model)

Takes the packet from the application layer, adds a header and instructions for the transport layer on the receiving end on how to handle the data

Sniffers

tcpdump: initial triage
Wireshark: detailed packet and protocol analysis
Snort: intrusion detection system
Kismet: wireless network sniffer
bettercap: uses MitM techniques to sniff

Creator Owner Group

A placeholder identity in Windows ACLs that resolves to whichever account created, or currently owns, the object (usually a user account).

NIC / MAC

The NIC address on Ethernet is the MAC address

Secedit.exe

The command-line version of the Security Configuration and Analysis (SCA) tool; applies and analyzes security templates.

Manual code reversing (malware)

The definitive way to see what the malware actually does. Requires special tools (disassemblers and decompilers) and a lot of time.

Configuration Management

The discipline of establishing a known baseline condition and then managing that condition

/etc/passwd

The file that lists Linux user accounts: username, UID, GID, home directory and login shell. Historically it also held the password hash; modern systems keep the hash in the root-only /etc/shadow and leave an "x" in the password field of /etc/passwd.

802.11ax

Wi-Fi 6; proposed at the time, since published as IEEE 802.11ax-2021
Supports aggregate bandwidth of about 11 Gbps, around 2 Gbps per device
Frequency range below 6 GHz
Support for IoT: always on, always connected, always communicating

WPA3

The current generation of wireless security; all devices that want Wi-Fi 6 certification must support WPA3
128-bit security (WPA3-Personal) or 192-bit security (WPA3-Enterprise)
Better implementation of pre-shared keys (PSK): Simultaneous Authentication of Equals (SAE) generates unique session keys
SAE "Dragonfly" is the new handshake
Offline password guessing is not feasible: each guess requires an interaction with the access point, so the network can detect a password attack and take action
Opportunistic Wireless Encryption (OWE) for open networks

Private (network section, tier)

The internal network of the organization, an area of higher trust and less risk, it is not connected directly to the public internet, security, such as firewalls are still present.

X.509 standard

The most widely accepted format for digital certificates, defined by the International Telecommunication Union (ITU). Defines what is found in a certificate:
X.509 version
Unique serial number
Identity information = distinguished name (DN)
Owner's public key and the algorithm used to make it
Validity period
Issuing CA
The CA's signature over all of the above

Authorization

The process of determining what a subject is allowed to do or access after authentication

Identity proofing

The process of proving that an applicant is who they claim to be. Includes the following three steps:
1. Resolution (traveler gives passport to border agent, answers questions about identity and purpose of travel)
2. Validation (border agent inspects the passport to ensure it is not counterfeit)
3. Verification (border agent compares the passport picture and data with the traveler)

Adaptive authentication

The requester will need to provide one or more authenticators depending on context and sensitivity of the resource they are attempting to access

ISN (Initial Sequence Number)

The sequence number in the first SYN of a three-way handshake. The ISN looks random, but historically it was calculated by a clock-based algorithm that varies by operating system; a predictable ISN lets an attacker spoof or hijack a TCP session, so modern stacks add a secret per-connection hash (RFC 6528).

Application layer (TCP/IP model)

This layer takes information from an application (like a web browser) , creates a packet with the information in it (like a request for a website) and passes the packet to the transport layer.

Risk =

Threats X Vulnerabilities

3 tiered Privileged Access Management

Tier 0: Active Directory, critical and secret servers (crown jewels)
Tier 1: Exchange servers, intranet servers
Tier 2: user workstations, printers, mobile devices

Digital forensic artifacts

Timestamps
File downloads
File and folder opening
Program execution
Etc.

Linux Package Management

Tools to manage and maintain application packages, which include all the binaries, dependencies and other things needed to run an application. Also validates downloads (package signatures and checksums) before installing.

TCP

Transmission Control Protocol, works at OSI layer 4
Establishes a session (three-way handshake) before data exchange
Session leads to connection-oriented communication
Provides "guaranteed" (more reliable) delivery through acknowledgments (receipts) of successful delivery and retransmission of what is lost
Other protocols ride on TCP: HTTP, SSH, SMTP

Layer 4 (OSI Protocol Stack)

Transport....prepares data for transmission, ensures reliable connectivity from end to end, handles the sequencing of packets.

3DES

Triple Data Encryption Standard. A symmetric block cipher used to encrypt data and provide confidentiality, originally designed as a stop-gap replacement for DES. It runs DES three times (encrypt-decrypt-encrypt) with two or three 56-bit keys, giving at most 112 bits of effective security, and is far less efficient than AES. Still found in legacy applications or where hardware does not support AES. There is no practical key-recovery attack on the full cipher, but its 64-bit block size makes it vulnerable to birthday-bound attacks on large volumes of data (Sweet32), and NIST has deprecated it.

3 file integrity checking tools for linux

Tripwire, Samhain, OSSEC
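
All three tools above, and the configuration-management card earlier on this page, rest on the same idea: record a known baseline, then compare the live system against it. The following is an added example, not code from Tripwire, Samhain or OSSEC: it snapshots the content hash, permission bits, owner and size of every regular file under a directory, then classifies a second snapshot into added, removed and modified files. A permission change alone (say a new setuid bit) counts as a modification even when the content hash is unchanged. The directory tree in demo() is constructed for the run.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, permission bits, owner and size for every regular file under root.
    Keys are paths relative to root so a baseline can be compared across hosts or builds."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and devices are out of scope here
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots; any attribute change is a modification."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        write("etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write("usr/bin/tool", b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)

        write("etc/ssh/sshd_config", b"PermitRootLogin yes\n")   # content changed
        os.chmod(os.path.join(root, "usr/bin/tool"), 0o4755)     # setuid added, content same
        os.remove(os.path.join(root, "etc/passwd"))               # file removed
        write("tmp/.x", b"dropper")                               # file added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself must live somewhere the monitored host cannot rewrite (read-only media or a separate log host), otherwise an intruder simply re-baselines after making changes; that is the same reason the HIDS card says alerts are generally shipped to a central location.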

Strong password policy (4 don't)

Don't truncate passwords
Don't use password hints
Don't force specific composition rules
Don't force periodic password changes (only change on evidence of compromise)

cross-forest trust

Trust type that allows resources to be shared between Active Directory forests. Can be 1-way or 2-way trust No AD replication across forests

Support for IPv6 over IPv4 is called what?

Tunneling

ICMP Header Fields

Type, Code, Checksum (followed by type-specific data)

Communication Flow

Understanding who accesses data, when (at what times) it is accessed, and how much is accessed leads to the development of a baseline: knowing normal lets abnormal stand out. Never a "one and done"; continual updating is necessary.

IPSec Port

UDP 500 (ISAKMP/IKE) to negotiate sessions
UDP 4500 for IPsec NAT-Traversal (NAT-T)

Kerberos port

UDP 88 by default, falling back to TCP 88 when tickets are too large for a datagram
TCP/UDP 464: domain controller password change (kpasswd)
Kerberos admin port (TCP 749) and Kerberos demultiplexer (TCP 2053) are not used by Active Directory

Linux logs of interest

utmp (current logins)
wtmp (login history)
btmp (failed logins)
dmesg (kernel ring buffer)
messages
maillog
secure (authentication events)

Stream Cipher

Uses a keystream generator and encrypts a message one bit (or byte) at a time by combining it with the keystream, usually with XOR; often implemented in hardware.

digital signature characteristics

Use public-key cryptography to sign a document
Signatures provide non-repudiation: only the holder of the private key could have produced them
The signer hashes the document and applies the private key to the hash (for RSA this is often described as "encrypting the hash"); a verifier applies the public key and compares the result with a fresh hash of the document
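
The RSA card and the asymmetric-cryptosystem card on this page describe the same two operations this card uses: private key creates a signature, public key verifies it; public key wraps a symmetric key, private key unwraps it. The following is an added example written for this page, not SANS code and not a production library: textbook RSA with two small known primes so the numbers stay readable, no padding scheme (real signatures use PKCS#1 v1.5 or PSS, real key wrapping uses OAEP), and SHA-256 from the standard library. The primes, message and toy session key are this example's choices.

```python
import hashlib
import secrets
from math import gcd

# Two known primes, chosen for readability; real RSA keys use primes of 1024+ bits.
# Textbook RSA without padding: fine for illustrating the math, never for real use.
P, Q = 1_000_000_007, 998_244_353


def keygen(p: int = P, q: int = Q, e: int = 65537):
    """n = p*q is the public modulus; d is the private exponent, the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)          # public key, private key


def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash first: the signature covers a fixed-size digest, not the whole message.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv) -> int:
    """Apply the private exponent to the hash ('encrypt the hash with the private key').
    Only the key holder can do this, which is what gives technical non-repudiation."""
    n, d = priv
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Anyone with the public key recovers the hash and compares it with a fresh one."""
    n, e = pub
    return pow(signature, e, n) == _digest_mod_n(message, n)


def wrap_key(sym_key: int, pub) -> int:
    """Encrypt a symmetric key to the recipient's public key: the 'secure channel to
    exchange symmetric keys' from the asymmetric-cryptosystem card."""
    n, e = pub
    if not 0 < sym_key < n:
        raise ValueError("key must be smaller than the modulus")
    return pow(sym_key, e, n)


def unwrap_key(wrapped: int, priv) -> int:
    n, d = priv
    return pow(wrapped, d, n)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"transfer 100 to alice"
    sig = sign(msg, priv)
    print("valid signature:", verify(msg, sig, pub))
    print("tampered message:", verify(b"transfer 1000 to alice", sig, pub))
    k = secrets.randbelow(2**32)   # toy session key; a real one is 128-256 bits under a 2048+ bit n
    print("key round-trip:", unwrap_key(wrap_key(k, pub), priv) == k)
```

Note what the tampered-message check shows: the signature is bound to the hash, so changing one character of the document makes verification fail even though the signature bytes are untouched. The intractable problem behind all of this is factoring n; with the toy 60-bit modulus here that takes milliseconds, which is why key sizes matter.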

Storing Sensitive Data

Use strong encryption Delete it when no longer needed

IPv6 fields (8)

Version
Traffic class
Flow label
Payload length
Next header
Hop limit
Source address
Destination address
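
The eight IPv6 fields above and the TCP header fields listed earlier on this page are fixed-layout structures, and the point where parsers go wrong is trusting the length fields inside them. The following is an added example, not SANS material: it unpacks the 40-byte IPv6 header and the TCP header that follows it, rejecting a payload length larger than the captured bytes and a TCP data offset smaller than five words (which would put the options "before" the header), and builds a constructed IPv6 SYN to run against. Addresses, ports and the flow label are this example's choices; the TCP checksum is left at zero because computing it needs the pseudo-header.

```python
import ipaddress
import struct

# Fixed IPv6 header (40 bytes): version/traffic class/flow label packed in the first
# 32 bits, then payload length, next header, hop limit, source and destination.
IPV6_HDR = struct.Struct("!IHBB16s16s")
# TCP header without options (20 bytes): ports, seq, ack, data offset/reserved/flags,
# window, checksum, urgent pointer.
TCP_HDR = struct.Struct("!HHIIHHHH")
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 first
PROTO_TCP = 6


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < IPV6_HDR.size:
        raise ValueError("truncated IPv6 header")
    first, plen, nh, hlim, src, dst = IPV6_HDR.unpack_from(pkt)
    version = first >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    payload = pkt[IPV6_HDR.size:]
    if len(payload) < plen:       # header claims more than was captured: never trust it
        raise ValueError("payload length exceeds captured bytes")
    return {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": plen,
        "next_header": nh,
        "hop_limit": hlim,
        "src": ipaddress.IPv6Address(src).compressed,
        "dst": ipaddress.IPv6Address(dst).compressed,
        "payload": payload[:plen],
    }


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = TCP_HDR.unpack_from(seg)
    data_offset = off_flags >> 12           # header length in 32-bit words, 5..15
    hdr_len = data_offset * 4
    if data_offset < 5 or hdr_len > len(seg):
        raise ValueError(f"bad data offset {data_offset}")
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_len": hdr_len,
        "reserved": (off_flags >> 8) & 0xF,
        "flags": [n for bit, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)],
        "window": window,
        "checksum": csum,
        "urgent": urg,
        "options": seg[TCP_HDR.size:hdr_len],
        "data": seg[hdr_len:],
    }


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed IPv6 + TCP SYN for the demo (checksum left at 0, not validated by the parser)."""
    tcp = TCP_HDR.pack(sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    first = (6 << 28) | (0 << 20) | 0xABCDE      # version 6, traffic class 0, flow label
    ip6 = IPV6_HDR.pack(first, len(tcp), PROTO_TCP, 64,
                        ipaddress.IPv6Address(src).packed,
                        ipaddress.IPv6Address(dst).packed)
    return ip6 + tcp


if __name__ == "__main__":
    pkt = build_syn("2001:db8::1", "2001:db8::2", 40000, 443, 0x12345678)
    ip = parse_ipv6(pkt)
    print({k: v for k, v in ip.items() if k != "payload"})
    if ip["next_header"] == PROTO_TCP:
        print(parse_tcp(ip["payload"]))
    try:
        parse_tcp(b"\x00" * 20)      # data offset 0: a naive parser would index out of bounds
    except ValueError as e:
        print("rejected:", e)
```

Compare the decoded dictionary with the header diagrams: the flow label is 20 bits, the data offset tells you where options end and data begins, and the flag names come straight from the "code bits" field. A real capture would also need the IPv6 extension-header chain walked before the next header is TCP.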

VLAN Hopping

Virtual Local Area Network is a way for switches to segment a network into different areas for security purposes. A VLAN hopping attack fools the VLAN into allowing packets into a prohibited VLAN segment.

VLAN

Virtual local area networks (VLANs) are created by switches that tag frames with a VLAN ID (802.1Q), dividing one physical network into separate logical LAN segments. A useful security measure for separating parts of the network and for easier management.

VPC

Virtual private cloud: a logically isolated virtual network inside a public cloud, with its own address space, subnets and routing.

VDI

Virtual Desktop Infrastructure. Virtualization software that hosts desktop operating systems centrally and delivers them to users' devices.

WPA3 Attacks

WPA3 already has known vulnerabilities (the 2019 "Dragonblood" findings against SAE):
Downgrade attacks
Password cracking via side channels
DoS

WAF

Web Application Firewall

multi-master replication

When a domain has multiple domain controllers, all domain controllers are capable of making changes to the security domain database they share. The changes are replicated from one domain controller to another. Latter changes override earlier ones.

Isolation Violation

When code run inside a virtual machine ends up executing on the host, the VM's isolation has been violated (a VM escape).

WINS

Windows Internet Naming Service. Matches the NetBIOS name of a particular computer to an IP address on the network; this process is also called resolving or translating a NetBIOS name to an IP address. TCP/UDP 1512 WINS replication TCP 42

UAC (User Account Control)

Windows feature that enables standard accounts to do common tasks and provides a permissions dialog box when standard and administrator accounts do certain things that could potentially harm the computer (such as attempt to install a program).

WSL

Windows subsystem for Linux, run Linux executables and scripts on windows without a virtual machine

WEP

Wired Equivalent Privacy. RC4 cipher with short (24-bit) IVs and a weak key schedule; easily cracked. Officially deprecated in 2004, do not use!!

IEEE 802.11

Wireless Ethernet standard Created in 1997, ratified in 1999 Over a dozen amendments since then Amendments eventually incorporated into full standard

WLAN

Wireless Local Area Network

WPA

Wi-Fi Protected Access. Created by the Wi-Fi Alliance. Replaced WEP.

802.11n

Wireless networking standard that can operate in both the 2.4-GHz and 5-GHz bands and uses multiple in/multiple out (MIMO) to achieve a theoretical maximum throughput of 100+ Mbps (up to 600 Mbps with four spatial streams). Wi-Fi 4

802.11b

Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 11 Mbps.

802.11g

Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 54 Mbps and is backward compatible with 802.11b.

802.11ac

Wireless networking standard that operates in the 5-GHz band and uses multiple in/multiple out (MIMO) and multi-user MIMO (MU-MIMO) to achieve a theoretical maximum throughput of 1 Gbps. Wi-Fi 5

802.11a

Wireless networking standard that operates in the 5-GHz band with a theoretical maximum throughput of 54 Mbps.

security template

A collection of security configuration settings stored as a text file with an .inf extension.

Birthday Attack

A probability method of finding a collision in a hash function, based on the birthday paradox: in a group of 23 people there is about a 50% chance that two or more share a birthday. Finding a collision in an n-bit hash therefore takes roughly 2^(n/2) attempts, not 2^n.
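
The 23-people figure and the 2^(n/2) rule are both things you can compute rather than memorize. The following is an added example, not SANS material: it evaluates the exact birthday probability, the square-root estimate of how many samples give a 50% collision chance, and then actually finds a collision on SHA-256 truncated to 32 bits by storing every digest seen, which is the birthday attack in its simplest form. The choice of 32-bit truncation and 8-byte random inputs is this example's.

```python
import hashlib
import math
import os


def p_collision(n: int, space: int = 365) -> float:
    """Exact probability that n values drawn uniformly from `space` possibilities
    include at least one repeat (the classic birthday problem when space=365)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def samples_for_half(space: int) -> float:
    """Samples needed for a 50% collision chance: sqrt(2 ln2 * space), about
    1.18 * sqrt(space). This is why an n-bit hash gives only ~n/2 bits of
    collision resistance."""
    return math.sqrt(2 * math.log(2) * space)


def truncated_digest(message: bytes, bits: int) -> bytes:
    """SHA-256 cut down to `bits` bits (a multiple of 8) to stand in for a weak hash."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8 for this example")
    return hashlib.sha256(message).digest()[:bits // 8]


def find_collision(bits: int):
    """Birthday search: hash random inputs, remember every digest, stop at the first
    repeat. Expected cost is about 2^(bits/2) hashes; returns (m1, m2, tries)."""
    seen = {}
    tries = 0
    while True:
        m = os.urandom(8)                     # random 64-bit input, constructed on the fly
        tag = truncated_digest(m, bits)
        tries += 1
        if tag in seen and seen[tag] != m:
            return seen[tag], m, tries
        seen[tag] = m


if __name__ == "__main__":
    print(f"23 people, 365 days: {p_collision(23):.4f}")
    print(f"samples for 50% at 2^32: {samples_for_half(2**32):,.0f}")
    m1, m2, tries = find_collision(32)
    print(f"32-bit collision after {tries} hashes: {m1.hex()} and {m2.hex()}")
```

Running it shows a 32-bit collision in tens of thousands of hashes rather than billions; scale the same arithmetic to 128 bits and the 2^64 work factor is why MD5's collision attacks, and not its 128-bit output, are what retired it.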

IIS (Internet Information Services)

a set of Internet-based services for servers created by Microsoft for use with Microsoft Windows. It is the world's second most popular web server in terms of overall websites behind the industry leader Apache HTTP Server. The servers currently include FTP, SMTP, NNTP, and HTTP/HTTPS.

Security strategy

A set of guidelines and policies that allow an organisation to ensure its data is not open to unauthorised use:
Policy (directive from management toward a specified objective)
Standards (specific mandatory controls)
Guidelines (best practices)
Procedures (step-by-step instructions)

Role based access control (RBAC)

A (non-discretionary) access control model that assigns users to roles or groups based on organizational functions; each role is authorized to access certain resources.

Cross-Site Scripting (XSS)

a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website

Issue specific policy

address specific issues of concern to the organization- passwords, internet usage, etc...

PKI certificate

an electronic document that officially links together a user's identity with his public key Equivalent to drivers license or passport

chmod

change permission modifiers on Linux

OS Command Injection

Executes system-level commands through a vulnerable application that passes user input to a shell. Example: an app that creates a mailbox by running 'mkdir <user input>'. The input 'x; rm -rf /' makes the shell run a second command that would delete the entire file system.
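
The mailbox example above in code, as an added example for this page (not SANS code): the vulnerable function builds the exact command string the card describes, so a name containing a shell separator becomes two commands once it reaches `shell=True`; the hardened version allowlists the username against a useradd-style pattern and hands an argv list to subprocess with no shell in the path, so separators are just bytes in a filename. The base directory and usernames are this example's choices. The vulnerable string is only built, never executed.

```python
import os
import re
import subprocess
import tempfile

# Characters the shell treats as separators, substitutions or quoting.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\\"' ]")
# Allowlist with the shape useradd accepts; the leading letter rule also keeps a
# name like '-rf' from ever being parsed as an option.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def mailbox_command_vulnerable(username: str) -> str:
    """VULNERABLE: the card's app. The name is pasted into a command string that
    would be run with shell=True, so 'x; rm -rf /' becomes two commands."""
    return f"mkdir /var/mail/{username}"


def has_shell_metachars(value: str) -> bool:
    """Detection helper for logs or WAF rules: does the input carry shell syntax?"""
    return SHELL_META.search(value) is not None


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.match(username) is not None


def mailbox_argv(username: str, base: str = "/var/mail") -> list:
    """HARDENED: validate against the allowlist, then build an argv list. With a
    list and shell=False (the default) no shell parses the string at all."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username {username!r}")
    return ["mkdir", "-p", os.path.join(base, username)]


def create_mailbox(username: str, base: str) -> str:
    """Run the hardened command and return the created path."""
    argv = mailbox_argv(username, base)
    subprocess.run(argv, check=True)     # argv list, no shell involved
    return argv[-1]


if __name__ == "__main__":
    evil = "x; rm -rf /"
    print("vulnerable command line:", mailbox_command_vulnerable(evil))
    print("input carries shell syntax:", has_shell_metachars(evil))
    with tempfile.TemporaryDirectory() as base:       # constructed stand-in for /var/mail
        print("created:", create_mailbox("alice", base))
        try:
            create_mailbox(evil, base)
        except ValueError as e:
            print("blocked:", e)
```

The allowlist is the primary control and the argv list is the second layer; in real code the third step is to not shell out at all (os.makedirs does this job), because every external command is another parser the input has to survive.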

Defense in Depth

employing multiple layers of controls to avoid a single point-of-failure

Vulnerability criticality , NVD calculator

The NVD (National Vulnerability Database) provides CVSS (Common Vulnerability Scoring System) calculators with metrics for exploitability and impact (base score), how mature exploit code is and whether a fix is available (temporal score), and the deploying environment (environmental score), giving a numeric severity for each vulnerability.

IEEE 802

is an influential set of networking standards and/or specifications. It encompasses most types of networking (MAN, LAN, WLAN) and is open-ended which allows the addition of new types of networks. A project undertaken by the IEEE in 1980 that covers Physical and Data Link layers for networking technologies in general (802.1 and 802.2), plus specific networking technologies, such as Ethernet (802.3) and wireless (802.11)

docker

is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud. The software is in containers, to be isolated.

Business Continuity Planning (BCP) and disaster recovery (DR) planning (BCP/DR)

outlines procedures for keeping an organization operational in the event of a natural disaster or network attack, or cloud outages, may include establishing a redundant data center and testing the continuity plan.

intractable problems

Problems that are practically impossible to solve: known algorithmic solutions exist, but they are too inefficient once the input grows large. Factoring large numbers, the problem behind RSA, is the classic example.

Bluetooth profiles

profiles that govern how devices share information and specify control messages for various uses

modprobe

program to add and remove modules from the Linux Kernel

Security Governance

The collection of practices related to supporting, defining, and directing the security efforts of an organization:
Executive committee (defines roadmap, budget, ambitions, deliverables)
Security steering committee (steers the program, manages budget, validates tactical deliverables)
Chief Information Security Officer (CISO) (leads, coordinates, monitors the security roadmap)
Local security officers (coordinate local security projects and operations)

Support for IPv4 over IPv6 is called what?

translation

Cryptology

the science of interpreting secret writings, codes, ciphers, and the like - includes sub components of cryptography and cryptanalysis

Bluetooth attacks

wireless attack using available Bluetooth connections on bluetooth enabled devices (bluejacking, bluesnarfing, bluebugging)

