CYSA+ 003


Email headers (and the tracking a sender can embed) reveal key information like

"Headers - the path the message took (Received: lines with each relay server and the originating IP), the sending software (X-Mailer / User-Agent) and message IDs. Sender-side tracking pixels and rewritten links - when the message was read, whether it was forwarded, time spent reading, links visited, and the mail client and OS the recipient is using."

Main tools in the wireless assessment space

* Aircrack-ng - the suite; the aircrack-ng tool itself cracks WEP and WPA/WPA2-PSK keys from captured traffic * Airmon-ng - puts a wireless interface into monitor mode and takes it out again * Airodump-ng - captures 802.11 frames (including the WPA 4-way handshake) * Aireplay-ng - injects frames, e.g. deauthentication or ARP replay, to force a handshake or generate traffic

What actions do you need to execute during identification

* Audit log analysis - review the logs, typically in the SIEM * Start the incident report - date and time the incident started or was identified; applications and systems affected * Collect and protect system information - audit logs, network traffic captures, backups, IDS alerts * Categorize the incident severity level * Analyze other systems - look for the same IPs, domains or indicators elsewhere, especially on anything critical to the infrastructure * Assign task force members - people who can identify and respond to the incident

List of other frameworks related to security

* ISO/IEC 27001/27002 - international standard published jointly by ISO and IEC (purchased documents); organizations can be certified against 27001 * TOGAF - enterprise architecture modelling * SABSA - security architecture driven by business needs and risk analysis * COBIT - IT governance framework from ISACA with security as a core component; commercial product with training and certification (CISA, CISM); prescriptive * ITIL - originally UK government best practices; emphasis on IT service management aligned with business needs

How do you defend against SQL Injection

* Limit the permissions of the database account the web app uses (least privilege: no DDL, no access to unrelated tables, read-only where possible) * Use parameterized queries / prepared statements, including when calling stored procedures * Server-side input validation - allowlist the expected format and reject or escape special characters; client-side checks can be bypassed * A web application firewall such as ModSecurity (with the OWASP Core Rule Set) as an additional layer * Escaping or substituting special characters is a last resort where parameterization is not possible
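As an added example (not from the CySA+ material), the vulnerable and the parameterized login query side by side, using only Python's standard-library sqlite3 module. The users table, the allowlist pattern and the `admin'--` payload are constructed for the demo, and a read-only connection stands in for a least-privilege database account.

```python
import re
import sqlite3

# Allowlist for valid usernames (assumed policy for the demo).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Constructed in-memory demo database; not from the original page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "correct horse", "admin")],
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """String concatenation: attacker-controlled text becomes SQL syntax.
    username = "admin'--" closes the quote and comments out the password check."""
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Placeholders: values travel separately from the statement text, so a
    quote or comment marker in the input is just data and cannot alter the query."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def is_valid_username(username):
    """Server-side allowlist validation: a second layer, never the only one."""
    return USERNAME_RE.fullmatch(username) is not None


def restrict_to_readonly(con):
    """Stand-in for a least-privilege DB account: after this pragma, no statement
    on the connection can INSERT, UPDATE, DELETE or DROP (SQLite query_only)."""
    con.execute("PRAGMA query_only = ON")


def try_write(con):
    """Return True if a write succeeds on the connection, False if it is refused."""
    try:
        con.execute("UPDATE users SET role = 'admin' WHERE username = 'alice'")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin'--", "wrong"))      # admin
    print("parameterized:", login_parameterized(db, "admin'--", "wrong"))  # None
    restrict_to_readonly(db)
    print("write allowed:", try_write(db))                                # False
```

The read-only pragma illustrates the first bullet: even if an injection slips past the other layers, the account the application uses cannot modify data.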

Tips for using DNS tools

* nslookup has 2 modes - non-interactive: one query on the command line, returns A/AAAA records (IPv4 and IPv6 addresses) - interactive: shows which DNS server is being used and accepts commands such as server, set type=, a domain name to query, or exit * Defaults to A records; use -type= to ask for others, e.g. -type=mx for mail servers * -type=soa returns the start of authority record (primary nameserver, admin contact, serial, timers) * -type=any asks for every record type the server will return (many servers now refuse ANY queries) * Google Admin Toolbox Dig (toolbox.googleapps.com/apps/dig) runs dig lookups from a browser

What are the different ways to identify an incident

- Anti-virus, IDS or firewall alerts - Unsuccessful login attempts - Unexpected file corruption or deletion - System crashes - Audit logs

What are common techniques to hack a password

- Brute force - tries every combination in the key space; the time needed grows exponentially with password length, so long passwords make it impractical - Dictionary attack - tries words from a wordlist; good likelihood of success against common passwords - Rainbow tables - the more advanced version: precomputed lookup tables of candidate passwords and their hashes, so cracking an unsalted hash becomes a lookup; cloud compute and storage make these files easier to build and share; a per-user salt defeats them - Hybrid attack - dictionary words and names with mutations such as capitalization, digit suffixes or substituting $ for s and @ for a; effective - Pass the hash - if the attacker obtains the hash (e.g. NTLM), it is presented directly to authenticate without ever cracking it
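An added example (not from the CySA+ material) that runs the dictionary, hybrid and precomputed-lookup attacks against an unsalted SHA-256 hash, then shows why a per-user salt plus a slow hash (PBKDF2 here) forces the attacker back to guessing one user at a time. The wordlist, the leet table and the passwords are constructed for the demo.

```python
import hashlib
import os

# Constructed toy wordlist; a real one (e.g. rockyou) has millions of entries.
WORDLIST = ["password", "summer", "welcome", "dragon"]
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_candidates(word):
    """Yield the dictionary word and hybrid mutations: capitalization,
    leet substitutions ($ for s, @ for a, ...), digit suffixes, trailing '!'."""
    bases = {word, word.capitalize()}
    for base in list(bases):
        bases.add("".join(LEET.get(ch, ch) for ch in base))
    for base in sorted(bases):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"


def build_lookup_table(wordlist):
    """Precomputed hash -> plaintext table: the idea behind rainbow tables
    (minus the chain compression). Only useful against unsalted hashes."""
    return {sha256_hex(c): c for w in wordlist for c in hybrid_candidates(w)}


def crack_unsalted(target_hex, table):
    """One dictionary lookup, no hashing at crack time: why a leaked database
    of unsalted hashes falls in seconds."""
    return table.get(target_hex)


def register(password, iterations=100_000):
    """Store a salted, slow hash (PBKDF2-HMAC-SHA256) instead of a bare hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(target, salt, wordlist, iterations=100_000):
    """The per-user salt makes the precomputed table useless: every candidate
    must be re-hashed for this user, and the iteration count makes each one slow."""
    for word in wordlist:
        for cand in hybrid_candidates(word):
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations) == target:
                return cand
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(sha256_hex("Dr@g0n7"), table))  # Dr@g0n7
    salt, stored = register("Summer22", iterations=1000)
    print("salted:", crack_salted(stored, salt, WORDLIST, iterations=1000))
```

The iteration count is lowered to 1000 in the demo calls so it finishes quickly; production code keeps it high precisely because every extra iteration costs the attacker the same factor per guess.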

Some issues with certificates

- Certificates are used for sign-in, file encryption, digital signatures and encryption of messaging services such as email; client machines ship with root certificates from trusted CAs - Issuing and verifying certificates takes a lot of time and many tools are used: * OpenSSL - command-line tool to create and manage certificates and keys and to test TLS connections * certutil - the Windows equivalent

How do you identify threats to POS (Point of Sale)

- Ranges from cash registers to mobile devices - They are networked to back-end servers, so the store network is an attack path - Example: a SAP POS server that did not authenticate commands, so anyone connected to the network could upload its own files and reach admin functions - Again, they typically don't run a full, patched desktop OS

How do you identify threats to Controller Area Network CAN

- Found in drones, cars and the subsystems they control - Each subsystem is an ECU (electronic control unit) attached to the CAN bus, which is a shared broadcast bus - These tend to have little security: frames carry an arbitration ID but no sender identity or authentication, so anything with bus access can inject frames that the other ECUs will accept
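An added example (not from the CySA+ material) of why injection works and how it is usually detected: a parser for candump-style CAN traces and a timing-based check that learns each arbitration ID's normal period from a known-good capture and flags frames that arrive too early. The two traces, the IDs (0x0C4, 0x1A0) and the payloads are constructed for the demo.

```python
import re
import statistics

# Constructed candump-style trace: (timestamp) interface ID#data.
# 0x0C4 is a hypothetical periodic frame one ECU sends every 10 ms;
# 0x1A0 is a slow status frame. IDs and payloads are made up.
KNOWN_GOOD_TRACE = """\
(1.000000) can0 0C4#0000
(1.010000) can0 0C4#0001
(1.020000) can0 0C4#0002
(1.030000) can0 0C4#0003
(1.040000) can0 0C4#0004
(1.050000) can0 0C4#0005
(1.000000) can0 1A0#3C
(1.100000) can0 1A0#3C
"""

# Same bus later: the 0C4 frames at 2.015 and 2.025 carrying FFFF are injected
# by an attacker with bus access. Nothing in the frame says which ECU sent it.
ATTACK_TRACE = """\
(2.000000) can0 0C4#0010
(2.010000) can0 0C4#0011
(2.015000) can0 0C4#FFFF
(2.020000) can0 0C4#0012
(2.025000) can0 0C4#FFFF
(2.030000) can0 0C4#0013
(2.040000) can0 0C4#0014
(2.050000) can0 0C4#0015
(2.000000) can0 1A0#3C
"""

FRAME_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\w+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")


def parse_candump(text):
    """Return a list of (timestamp, interface, can_id, payload_bytes)."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            ts, iface, can_id, data = m.groups()
            frames.append((float(ts), iface, int(can_id, 16), bytes.fromhex(data)))
    return frames


def _timestamps_by_id(frames):
    per_id = {}
    for ts, _, can_id, _ in frames:
        per_id.setdefault(can_id, []).append(ts)
    return {cid: sorted(t) for cid, t in per_id.items()}


def learn_periods(frames):
    """Baseline: median inter-arrival time per arbitration ID from known-good traffic."""
    periods = {}
    for can_id, stamps in _timestamps_by_id(frames).items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps:
            periods[can_id] = statistics.median(gaps)
    return periods


def find_too_soon(frames, periods, ratio=0.6):
    """Flag frames arriving much earlier than the learned period allows. Because
    CAN has no sender field, both the spoof and the genuine frame that follows it
    look 'too soon': the IDS can say the ID is under attack, not which frame is fake."""
    flagged = []
    for can_id, stamps in _timestamps_by_id(frames).items():
        period = periods.get(can_id)
        if period is None:
            continue
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev < ratio * period:
                flagged.append((round(cur, 6), can_id))
    return sorted(flagged)


def rate_anomalies(frames, periods, factor=1.2):
    """Per-ID message count versus what the learned period predicts for the window."""
    anomalies = {}
    for can_id, stamps in _timestamps_by_id(frames).items():
        period = periods.get(can_id)
        if period is None or len(stamps) < 2:
            continue
        expected = (stamps[-1] - stamps[0]) / period + 1
        if len(stamps) > factor * expected:
            anomalies[can_id] = (round(expected), len(stamps))
    return anomalies


if __name__ == "__main__":
    periods = learn_periods(parse_candump(KNOWN_GOOD_TRACE))
    attack = parse_candump(ATTACK_TRACE)
    print("too soon:", find_too_soon(attack, periods))
    print("rate anomalies:", rate_anomalies(attack, periods))
```

The payload-level defense (message authentication codes on the bus, as in AUTOSAR SecOC) is what actually stops injection; the timing check above is the detection a monitoring ECU can do on an unauthenticated bus.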

How do you identify threats of real time OS (RTOS) & common vulns

- Embedded OS for timing-critical devices; these often lack security features such as data execution prevention or ASLR - Common vulns: * remote code execution * denial of service * buffer overflows

How do you defend against a directory traversal

- Input validation - canonicalize the requested path and confirm it still lies inside the allowed directory; reject "..", encoded variants (%2e%2e) and null bytes - Strict file system access controls - run the application with minimal file permissions so a traversal that slips through reaches nothing sensitive
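An added example (not from the CySA+ material) of the input-validation half of the defense: a path resolver that decodes once, rejects null bytes and double encoding, normalizes both separator styles and then checks that the result is still under the document root. The document root /srv/app/public and the request strings are assumed for the demo.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"  # assumed document root (hypothetical)


def resolve_user_path(user_path, base_dir=BASE_DIR):
    """Map a user-supplied relative path to an absolute path under base_dir.
    Returns None when the request would escape base_dir or is malformed."""
    # 1. Decode percent-encoding exactly once. If '%' survives, the input was
    #    double-encoded (e.g. %252e%252e) and is rejected rather than decoded again.
    decoded = unquote(user_path)
    if "%" in decoded:
        return None
    # 2. NUL bytes can truncate the path inside C-based libraries; refuse them.
    if "\x00" in decoded:
        return None
    # 3. Treat backslashes as separators too, so ..\..\ is not smuggled past
    #    a check that only understands '/'.
    decoded = decoded.replace("\\", "/")
    # 4. Join, collapse '.', '..' and '//', then require the result to remain
    #    inside base_dir. A leading '/' is stripped so it cannot reset the path.
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["images/logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/etc/passwd", "..\\..\\etc\\passwd", "a\x00.png"]:
        print(repr(req), "->", resolve_user_path(req))
```

On a real server, open the resolved file and re-check `os.path.realpath()` of the opened path against the base directory as well, so a symlink planted inside the document root cannot point back out; that, together with running the service as a user that can read nothing but the document root, is the second bullet.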

How do you identify threats to SoC System on Chip

- Integrated circuit with most of a computer's components (CPU, memory, I/O) on a single chip; often has dedicated memory and a separate modem - Raspberry Pi is a common example - Best defense is to keep firmware, OS, applications and other software updated - Do your research ahead of time; if a product can't meet your security requirements, find another solution - Example: a casino compromised through an internet-connected fish tank thermometer

Maturity Models in risk frameworks can be in what tiers

- Issues - Risk Assessments - Policies and Procedures - Oversight - Monitoring

How do you identify threats of Internet of Things (IoT) devices & common vulns

- Known for poor security - Often no management interface, so default credentials and settings can't be changed - Pay particular attention to * buffer overflows (e.g. reported in Snapdragon Automotive chipsets) * SQL injection * SYN floods * privilege escalation

For trending what areas should be analyzed

- Number of detections and responses - The network itself - Threat awareness, training and education - Compliance - Outside threat levels; key places to review threats: SANS - Dark Reading - Microsoft threat intelligence - FireEye - AlienVault - Symantec - SecureWorks

How do you identify threats of mobile systems

- The OS and its patch level determine how likely vulnerabilities are - Biggest concern is the user installing malicious apps

How do you defend against a privilege escalation attack

- Password policies - Restrict special users and groups - Close unused ports and limit file access - Secure databases and sanitize inputs - Apply patches and updates - Change default credentials

How do you identify threats to BAS Building automation system (smart buildings)

- Process and memory issues such as buffer overflows - Dedicated network protocols such as BACnet or Dynet - Poor interfaces; plaintext credentials or crypto keys, which open the door to code injection - Cross-site scripting issues in the web front ends

Define FISMA

Federal Information Security Management Act - defines the roles of federal agencies (and, since the 2014 update, the Department of Homeland Security) in administering and implementing security policies for executive branch civilian agencies; a compliance regime comparable in spirit to PCI DSS. Requirements are - Information system inventory - Risk categorization - System security plan - Security controls - Certification and accreditation (now called assessment and authorization)

NIST 800-53 is

Federal security controls baseline (Rev. 5) - there are 20 control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Assessment, Authorization and Monitoring
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Program Management
- Personnel Security
- Personally Identifiable Information (PII) Processing and Transparency
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Supply Chain Risk Management

In the containment step in the incident process what is the focus, what are common techniques

Focus on limiting the scope and reducing loss and damage by stopping the threat itself - Disable the service - Disable the account / change the password - Back up (image) the infected target before changing it, to preserve evidence - Shut it down - Restore the system - Keep it low-key so the attacker isn't tipped off - Isolation - Segmentation

Best Practices for Securing Code should check what areas

The goal of software security is to maintain CIA and enable successful business operations. Important to understand: client-side controls don't provide a security benefit (they can be bypassed), and development usually focuses on "does it do what's intended" rather than on security. Areas to check (OWASP secure coding practices): - input validation - output encoding - authentication and password management - session management - access control - cryptographic practices - error handling and logging - data protection - communication security - system configuration - database security - file management - memory management - general coding practices

Break down IEEE 802.1X: what is wired vs wireless

Port-based network access control: a group of protocols that provide an authentication mechanism for devices that want to attach to a LAN or WLAN. It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 (EAPOL) for wired (802.3 Ethernet, 802.5 token ring) and wireless (802.11) networks. ** 3 parties involved: supplicant (the client), authenticator (switch or access point), authentication server (usually RADIUS) *** Progression steps are INITIALIZATION - INITIATION - NEGOTIATION - AUTHENTICATION

5 functions of NIST Framework

Identify - Protect - Detect - Respond - Recover

How do you enable automatic security updates in Linux (RHEL/Fedora family)

In a terminal: dnf install dnf-automatic -y - then rpm -qi dnf-automatic to confirm it is installed - systemctl enable --now dnf-automatic.timer - systemctl list-timers '*dnf-*' to confirm the timer is active - edit /etc/dnf/automatic.conf and set apply_updates = yes if updates should be installed rather than only downloaded

Identify some of the common security threats to a CI/CD

Insecure third-party code (dependencies) - Insecure first-party code - Poisoned pipeline execution - Insufficient pipeline access controls - Insecure system configuration - Use of insecure third-party services - Exposure of secrets

JEA is

Just Enough Administration - PowerShell feature for creating constrained endpoints: role capability files define which cmdlets, functions, scripts and parameters a connecting user may run, and the session runs under a transient virtual account so the user never holds standing admin rights.

In forensics evidence gathering what is considered volatile? Why? And what tools can be used to collect it?

Volatile data lives in RAM and is lost at power-off: running processes, open network connections, logged-in users and memory contents. It is collected by live acquisition while the system is still running. The issues are not tipping off the attacker, not altering the evidence with the acquisition process itself, and protecting the system from tampering. Tools include Memoryze and F-Response.

Common methods of code injection

Masquerading - DLL injection - DLL sideloading - Process hollowing

Considerations for network in the cloud

May want to look at a VPC (Virtual Private Cloud) - the customer is responsible for IP addressing and all routing; hosted on public infrastructure but isolated from other customers - Use SSH, IPsec or TLS for access to the VPC *** May consider serverless deployments: no infrastructure to manage, but still exposed to function/event injection and broken authentication

In regex, which operator is the OR operator; what do [] mean, what does + mean and what does () mean

OR is | (alternation) -- () groups a sub-expression so it acts as one unit and can be captured -- [] is a character class: matches any one character from the set inside the brackets -- + means one or more repetitions of the preceding element

Define PCI-DSS & 12 requirements

Payment Card Industry Data Security Standard:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel

Key Linux phrases to remember

- Pipe the output of one command to the input of another: cmd1 | cmd2 - Ctrl+C interrupts a running command or listing - ls lists the files in a directory - Use the output of one command as an argument to another: cmd2 $(cmd1), or cmd1 | xargs cmd2 - Send output to both stdout and a file: cmd | tee file

Common HTTP methods

POST - PUT - HEAD - GET

4 phases of the incident response cycle

Preparation - Detection and analysis - Containment, eradication and recovery - Post-incident activity

QA: what is it and what are the steps

Quality assurance determines whether a system or environment is free of defects or deficiencies - Verification - it meets the security requirements - Validation - the system does what we want it to - Evaluation - proves it does what we want - Assessment - measured against the requirements: is it better than before

NIST 800-63

Digital Identity Guidelines - covers identity proofing, authentication and federation, each with assurance levels (IAL, AAL, FAL)

NIST 800-37 is

Risk Management Framework (RMF), 7 steps - Prepare - Categorize - Select - Implement - Assess - Authorize - Monitor

How can you improve email security through message security

S/MIME (Secure/Multipurpose Internet Mail Extensions) - the sender signs the message with their private key so recipients can confirm who it came from using the sender's public key (certificate); it can also encrypt the message to the recipient's public key.

Common/Popular fields with certificates

SAN (Subject Alternative Name) - lists the additional host names, sub-domains or email addresses the certificate applies to; most organizations rely on SANs rather than the common name ** Wildcards - a *.example.com entry covers all sub-domains one level below ** Certificate Transparency (CT) - public, append-only logs to which CAs submit issued certificates, so anyone can see what was issued for a domain and mis-issued certificates become visible

Best practice for where to store logs and rules around the location

SIEM - Security Information and Event Management. 2 functions - act as a central, secure log store; correlate events across sources (increasingly with AI/ML) *** Rules - write your own rules or queries that interpret the meaning behind individual events and alert (conditions built from logical expressions, full queries to extract fields, string search); a single query can take the output, return the specified fields, sort and so on.

In system component monitoring what is a sinkhole?

Similar to a black hole but retains the packets so you can analyze and forward them - DNS sinkholes answer queries for known-bad domains with a controlled address, so you can see which internal hosts try to reach them - can be combined with a honeypot/honeynet - can be configured with routing policy

Diff. between packet sniffing and promiscuous mode

Packet sniffing is capturing traffic off the wire with a tool such as tcpdump, optionally dumping it to a file for other tools. Promiscuous mode is an interface configuration that makes the adapter pass every frame up the stack regardless of destination MAC address, instead of only frames addressed to it or broadcast; sniffing other hosts' traffic on a shared segment requires it.

What are best practices with hardware assurance?

- Source authenticity and validation for the supply chain - Hardware authenticity for DoD: the Trusted Foundry program - Root of Trust (RoT) - a component trusted by design that the rest of the system's trust chain anchors to - TPM (Trusted Platform Module): stores keys, hashes and secrets, and holds the PCRs used for measured boot - HSM (hardware security module): stores and uses private keys and digital certificates - Anti-tamper devices: zero out the keys if someone tries to extract them - Trusted firmware: UEFI (Unified Extensible Firmware Interface) with Secure Boot (only signed boot components run) or Measured Boot (each component is hashed into the TPM before it runs; needs a TPM) - eFuse: one-time-programmable fuses in the chip that work with the firmware to enforce the version (anti-rollback), single-use codes, and seal keys during the firmware process - Intel Boot Guard - Self-encrypting drives - Secure processing: ensuring memory is only accessible to authorized processes (enclaves) - Network architecture
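An added example (not from the CySA+ material) of the measured-boot mechanism behind the TPM and eFuse bullets: each boot stage hashes the next one into a PCR with the extend operation (new = H(old || measurement)), the event log records what was measured, and a verifier replays the log and compares the PCR to a known-good value. The firmware, bootloader and kernel images are constructed byte strings, not real binaries, and a real TPM also signs the PCR values in a quote, which is omitted here.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank; PCRs reset to all zeros at power-on


def sha256(data):
    return hashlib.sha256(data).digest()


def extend(pcr, measurement):
    """TPM PCR extend: new = H(old || measurement). A PCR can only be extended,
    never written, so its final value commits to every measurement and its order."""
    return sha256(pcr + measurement)


def measured_boot(components):
    """Simulate a boot chain: each stage hashes the next image into the PCR before
    handing over, and appends an event-log entry a verifier can replay later."""
    pcr = bytes(PCR_SIZE)
    event_log = []
    for name, image in components:
        digest = sha256(image)
        pcr = extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log


def replay_log(event_log):
    """Recompute the PCR value a given event log should produce."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in event_log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(reported_pcr, event_log, golden_pcr):
    """Attestation check: (event log is consistent with the PCR, PCR equals the
    known-good value). Only the PCR is trusted; the log is a hint for diagnosis."""
    return replay_log(event_log) == reported_pcr, reported_pcr == golden_pcr


# Constructed stand-ins for firmware, bootloader and kernel images.
GOOD_BOOT = [
    ("firmware", b"uefi-firmware-v1"),
    ("bootloader", b"shim+grub-v2"),
    ("kernel", b"vmlinuz-6.1-signed"),
]
TAMPERED_BOOT = [
    ("firmware", b"uefi-firmware-v1"),
    ("bootloader", b"shim+grub-v2"),
    ("kernel", b"vmlinuz-6.1-signed-with-rootkit"),
]


if __name__ == "__main__":
    golden, log = measured_boot(GOOD_BOOT)
    bad, bad_log = measured_boot(TAMPERED_BOOT)
    print("clean boot:", attest(golden, log, golden))      # (True, True)
    print("tampered kernel:", attest(bad, bad_log, golden))  # (True, False)
    print("tampered PCR, clean log:", attest(bad, log, golden))  # (False, False)
```

Sealing works the same way: a key sealed to the golden PCR value is only released when the chain reproduces exactly that value, so a modified or reordered component leaves the disk or credential locked.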

The diff phases of Open Source Intelligence are

Source identification - Data harvesting - Data processing - Data analysis - Results delivery

For Linux what do you need to use to find and what criteria can you specify

sudo find - criteria: -type, -name, -atime, -amin, -newer file

disassembly - decompiling - unpacking are what?

These all relate to reverse engineering. Disassembly uses a disassembler to translate machine code (read from the binary or from memory) into assembly text. Decompiling goes a step further and tries to recover source-like code from compiled code. Unpacking identifies the packing or encryption used to obfuscate a program and reverses it to get at the real code.

How do you respond to a DoS

Try to absorb it (extra capacity, upstream filtering), degrade the service gracefully, or shut it down as a last resort

In VMWares vSphere Hypervisor which file contains a virtual machines main memory, BIOS, virtual hard drive and machines configuration

.vmem - the virtual machine's main memory as a backing/paging file, also written out on snapshot or suspend; it can be analyzed with memory forensics tools - .nvram - BIOS/UEFI settings - .vmdk - virtual hard drive - .vmx - the machine's configuration

How do you manual patch in linux

Activities > Terminal - su - and enter the root password - yum check-update - clear - yum update and answer y OR go to Activities > Software > Updates

In syslog, what do the facility codes 0, 1, 2, 3 mean in the PRI value

The PRI value at the start of a syslog message encodes facility * 8 + severity. The facility says where the message came from: 0 kernel - 1 user-level - 2 mail system - 3 system daemons (4 is auth/security, 10 authpriv). Severity 0-7 runs emergency, alert, critical, error, warning, notice, informational, debug.
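An added example (not from the CySA+ material) that puts the regex operators and the syslog PRI decoding to work together: a parser for RFC 3164-style lines that decodes facility and severity, and a second pattern that counts failed logins per source IP, the "unsuccessful login attempts" signal from the incident-identification card. The log lines, host names and addresses are constructed for the demo.

```python
import re
from collections import Counter

FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]  # facilities 16..23
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# [..] character class, + one-or-more, (..) grouping, ? optional, | alternation.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>[0-9]+)>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}) "
    r"(?P<host>[A-Za-z0-9._-]+) "
    r"(?P<app>[A-Za-z0-9_/.-]+)(?:\[(?P<pid>[0-9]+)\])?: "
    r"(?P<msg>.*)$"
)
# Alternation inside a group picks the failure phrasing; a second group
# accepts either "from <ip>" (sshd) or "rhost=<ip>" (PAM).
FAILED_LOGIN_RE = re.compile(
    r"(Failed password|Invalid user|authentication failure).*?"
    r"(?:from |rhost=)(?P<ip>[0-9]+(?:\.[0-9]+){3})"
)

# Constructed sample log (RFC 3164 style, PRI value in angle brackets).
SAMPLE_LOG = """\
<38>Oct 11 22:14:15 bastion sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 2222 ssh2
<38>Oct 11 22:14:17 bastion sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 2223 ssh2
<38>Oct 11 22:14:19 bastion sshd[1235]: Invalid user oracle from 10.0.0.5 port 2224
<86>Oct 11 22:14:20 bastion sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
<0>Oct 11 22:14:21 bastion kernel: Out of memory: Killed process 999 (java)
<38>Oct 11 22:14:25 bastion sshd[1236]: Accepted publickey for bob from 10.0.0.7 port 51000 ssh2
<38>Oct 11 22:14:30 bastion sshd[1237]: Failed password for root from 198.51.100.9 port 40000 ssh2
"""


def decode_pri(pri):
    """PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8."""
    facility, severity = divmod(int(pri), 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog(line):
    """Return the named fields of one line plus decoded facility/severity, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = decode_pri(rec["pri"])
    return rec


def failed_logins_by_ip(lines):
    """Count failed-authentication messages per source IP across the log."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failures: the signal that should open an incident."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_syslog(line)
        print(rec["facility"], rec["severity"], rec["app"], rec["msg"][:40])
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG.splitlines()))
```

The local sudo failure is parsed (facility authpriv) but not counted as a remote source, because its rhost= field is empty and the IP group therefore never matches; in a SIEM rule you would count it separately as a local failure.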

Procedures are used in security to....

compensate for or mitigate the lack or failure of other controls; examples are continuous monitoring, control test procedures, exception procedures and evidence production

what are 4 key functions of incident handling

detection - triage - analysis - incident response

Common way to secure a device ....

digital cert that creates trust

In system component monitoring what is a blackhole?

Drops traffic before it reaches its destination and doesn't notify the source - commonly done at the routing layer (null route) - lower overhead than firewall or DNS rules - can be configured with routing policy

Reverse engineering

Extracting code from a binary to work out how it is programmed. 3 aspects - Decomposing the code - Obfuscation of the code (what you are working against) - Reverse engineering labs: fully isolated, patched lab hosts

IAM is

Framework of business processes for managing identities - initiate, capture, record and manage user identities and their access to different resources - Active Directory is common - helps manage and reduce complexity - helps control untethered endpoints - Identity as a Service in the cloud, or a cloud/on-prem combination, is becoming common

The diamond model has what

Graphical representation of attacker behavior: four vertices - adversary, capability, infrastructure and victim - joined by the relationships between them for each intrusion event

to search for a specified text in a file you use what in Linux

grep

In Linux what does the ifconfig, ls, and cat commands do

ifconfig configures (or displays) a network interface - ls lists the contents of a directory - cat reads data from a file and prints it

What are advantages of doing a planned standardized incident response process

Protect the systems - protect employees - efficient use of resources - handle legal issues correctly

Key features of Cloud computing

Repeatable business workflow - composed of sub-services: SOA (service-oriented architecture) with microservices is key - the underlying environment is unknown to the user - self-contained - clear input and output interface

RBAC is..

Role-based access control - restricts what activities a user can perform based on role membership; should be audited so that permissions are appropriate and membership is valid

How do you use Nikto

To launch a scan from a terminal, type nikto -host http://192.168.0.4 and press enter. nikto -host http://192.168.0.4 -o pla.html also saves the report (format inferred from the extension)

User is...

A user account is an object in the directory structure with a unique identifier; the username is its human-readable name

How does SSO and Federations work

Establish trust between the identity provider (IdP) and the service provider (SP); the advantage is that users sign in once and don't need separate passwords for each service. Core technologies around this are SAML, OAuth and OpenID Connect

Incident investigation should use WWWWH what is that?

Who was responsible, what happened and what was the reason behind it, when did it happen, where did it happen, and how did we recover; AND examine the evidence

Lots of asset categories for vulns, what are some common ones or categorizations

○ 4 common classification levels - Public - Private - Restricted - Confidential ○ Types of asset categories (possible sub-categories) - People - HW/SW - Data - Physical environment - Processes - 3rd parties

ISO/IEC 27001

14 security control categories (Annex A, 2013 edition)

List well-known ports and their services

- 15 netstat (historical)
- 20/21 FTP (data/control)
- 23 Telnet
- 25 SMTP
- 49 TACACS+
- 53 DNS
- 67/68 BOOTP/DHCP
- 69 TFTP
- 79 Finger
- 80 HTTP
- 88 Kerberos
- 110 POP3
- 111 RPC portmapper
- 119 NNTP
- 123 NTP
- 143 IMAP
- 161 SNMP
- 389 LDAP
- 445 SMB
- 500 ISAKMP/IKE (IPsec key exchange)
- 520 RIP
- 546/547 DHCPv6
- 636 LDAPS
- 1512 WINS
- 1701 L2TP
- 1720 H.323
- 1723 PPTP
- 1812/1813 RADIUS
- 3389 RDP
- 5004/5005 RTP
- 5060/5061 SIP
Note: IPsec ESP and AH are IP protocol numbers 50 and 51, not TCP/UDP ports.

How do you identify threats to PACS Physical Access Control Systems

A lot of the same issues as BAS - also often managed by external suppliers, which tends to get them excluded from risk assessments, security requirements or scans; make sure they are in scope

What are advantages and disadvantages of a SDLC

Advantages - easy to learn and use, clear purpose, each step has a goal; major benefits are documentation, a clear picture of what should and shouldn't be delivered, and a great tool for maintenance and long-term management - Disadvantages - no clear start/stop for security activities, scales poorly, code isn't flexible, code doesn't match other teams' needs, steps are easy to skip or ignore

Ways to mitigate or mange DLP

Alert only - Block - Quarantine - Tombstone

Authorization

Based on who you are (established by authentication), do you have rights to this resource

For a CVSS Score what are the three groupings

Base metric group - Temporal metric group - Environmental metric group

Session Hijacking is and how is it performed...

Taking over an existing authenticated session without the user knowing it. ○ How - the attacker captures or guesses the session ID (token) of a user's connection to the server and makes their own connection with it -- Windows variant on a host you already control: query user lists the logged-on sessions, then with SYSTEM rights create a service with sc whose binpath runs tscon to attach another user's terminal services (RDP) session to your console without their password -- and you have the session

Threats to Bluetooth

Bluejacking - sending unsolicited messages to a device with an open (discoverable) Bluetooth connection - Bluesniping - using a directional antenna to establish a connection from long range, up to about 1.6 km - Bluesnarfing - uses the bluejacking connection method to gain access to the address book, contacts, email and texts - War nibbling / bluecasing - the attacker looks for unsecured or unpatched Bluetooth devices to steal information; similar to war driving on wireless networks

4 key pillars to intelligence gathering

CART Completeness - Accuracy - Relevance - Timeliness

Popular methods of self service password resets

Challenge questions - 2-step method (a code sent to a registered device) - alternate channel with a temporary password

What are common workflow orchestration tools/service

Chef - Puppet - Ansible - Docker - Kubernetes - GitHub (Actions)

Key Models for SDLC

Code/Fix - Waterfall - Agile - Iterative - Spiral

What are advantages of cloud vs on prem

- Security is everywhere because the cloud is everywhere - Boundaries are no longer an obstacle - Cloud providers may reduce costs for some features - Pre-configured services: can be a plus or a minus

Key things to be aware of with a multiple-component incident: how do you detect it and how do you respond/contain it?

- Malicious code spreads, or email is used to spread it, and further attacks launch once hosts are infected - Hard to identify: you need to review scenarios and have a centralized IDS/SIEM to correlate events - Change your thinking to check whether an event is related to something else; it takes additional drive and effort, and your skill set is key to identifying the other components

How do you identify threats of embedded systems

- Things like smart appliances or manufacturing controllers - Usually less complex than computers, so they don't have a full OS - Security measures are often not included or ignored

In incident recording, what information should you capture and store

- Time and date of occurrence - Time and date of detection - Who reported it - Description of the incident and what it looked like to the user - Systems involved - Any error messages or log files

Common IOCs are

- Unauthorized software/files - Suspicious emails - Suspicious registry/file system changes - Unknown port/protocol usage - Excessive bandwidth usage - Rogue hardware - Service disruption and defacement - Suspicious or unauthorized account usage

How do you identify threats of ICS and SCADA systems

- Underlying protocol is commonly Modbus, which has no authentication * Famous example - the Stuxnet worm: targeted the Siemens control software and PLCs running uranium centrifuges, changed their speed while reporting normal readings to operators - Remediation / key controls * Identify all connections to the network, keep the minimum possible links and disable everything else * Establish administrative control with properly trained staff running the systems; no default settings! * Leverage mainstream security products where they can be applied * Watch out for legacy OS requirements; if you have to use them, ISOLATE them and use endpoint security * Regular logical and physical audits

What are advantages of on prem vs cloud

- Security is handled by you: hands-on, full control - Compliance is also on you - Customization is available, where the cloud may not allow it - That also requires in-house technical knowledge - Tools are costly - Security measures and resources are limited by location

Firewall logs can provide what information

Connections - permitted, denied, patterns - Port and protocol usage - Bandwidth - Address translations: NAT (network address translation) or PAT (port address translation)

3 threat model scenarios

Corporate network - Websites and cloud - Internal custom apps

Cert Management lifecycle tasks

Deploy - Update - Remove

Steps to the Vuln management lifecycle

Discover - Prioritize assets - assess - report - remediate - verify

URLs can encode the action or data to submit; is this a common attack vector?

Yes - the query string, path segments and percent-encoded characters in a URL are a common attack vector, because encoding can disguise payloads from naive filters

Break down a CVSS v3 score: what is in the Base metric group

○ AV - Attack Vector - the access required to exploit; higher when the exploit works remotely than when physical presence is needed (N-Network, A-Adjacent, L-Local, P-Physical) ○ AC - Attack Complexity - based on conditions outside the attacker's control; a higher score means less additional work such as obtaining a shared secret or a man-in-the-middle position (L-Low, H-High) ○ PR - Privileges Required - the privileges the attacker needs before exploiting; something requiring no privileges scores higher than something requiring admin (N-None, L-Low, H-High) ○ UI - User Interaction - whether the attacker needs another user to take an action; the score is higher if the attack runs with no participation (N-None, R-Required) ○ S - Scope - can exploiting the vulnerable component propagate impact to other components (U-Unchanged, C-Changed) ○ Impact - the outcome achievable and which part of CIA is compromised: -- Confidentiality - how much data the attacker can access; higher if all data on the system is accessible (H-High, L-Low, N-None) -- Integrity - the attacker's ability to alter data or the system; higher if major modification is possible (H-High, L-Low, N-None) -- Availability - loss of availability of the exploited system; higher if the system is no longer accessible (H-High, L-Low, N-None)

Authentication is

○ Digital authentication is usually a username and password ○ The username is the identifier (on Windows mapped to a SID) the computer looks up ○ The password is a shared secret ○ The two together authenticate the user

IAMs Lifecycle

○ Provisioning - creating the account in the directory/database and adding it to the appropriate roles ○ Management of the account while it is open (changes, access reviews) ○ Deprovisioning - removing access when it is no longer needed

2-Factor / Multi-Factor Authentication

○ Something you are ○ Something you know ○ Something you have * Newer additional factors for multi-factor: -- Somewhere you are (location) -- Something you do (behavior), though NIST doesn't fully accept these yet

Key Activities that are part of the incident Initial response phase

○ Time to document - talk to whoever reported it; collect logs, the process that occurred, the network architecture and access control lists (and evidence of any other attack) ○ This determines whether the incident is real or not ○ Gather enough information to classify type and severity ○ Record the actions taken, for current and future use

