SANS GSEC Sarah deck

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Initialization Vector (IV) Filtering

Attempt to mitigate weak IV attacks by system administrators. Really doesn't address the issue of WEP/RC4 being weak.

auditd

Auditd subsystem is maintained by RedHat and used as a logger for SELinux. Operates at the kernel level. Does not use syslog.

Template

.INF extension. Stored by default in %SystemRoot%\Security\Templates and %SystemRoot%\Inf\

Crontab file

/etc/crontab

Passd File

/etc/passd file whch lists encrypted password and GECOS info, default shell, home directory

Syslog severity levels

0 emergency and debug 7 are fairly standard. Others alert 1, critical 2, error 3, warning 4, notice 5, informational 6 are not standard across vendors.

HIPS Functions

1- Ensures files haven't been modified or had their permissions changed. 2- Monitors network activity relating to the specicific host it is installed on. 3- Checks application calls and interactions with the system and other applications.

PKI/SSL Establish Connection

1-Client web request; 2-server responds; 3-client validates cert and crypto; 4-client encrypts session key and sends session key to server; 5-optional client certificate exchcange; 6-server decrypts session key; 7-client ends key exchange; 8-server ends key exchange; 9-encrypted messages are exchanged.

Risk Management Process

1-Conduct rapid assessment of risks; 2-fully analyze risks or identify industry practice for due care; 3-setup security infrastructure; 4-design controls; 5- decide which resources are available and implement countermeasures; 6-conduct periodic reviews; 7-implement instrusion prevention and incident response.

Log Monitoring Setup

1-Firewalls, network gear; 2-other network security gear; 3-Servers (Unix, then Windows); 4-Other Server Apps (web, mail), 5-Database; 6-Applications; 7-Desktops

Password Assessment Methods

Dictionary Attack, Hybrid Attack, Brute-Force Attack, Precomputation Brute-Force Attack (Rainbow Tables). Method: find a valid user id, find the encryption algorithm used, obtain encrypted password, create a word list of possible passwords, encrypt each password in the list, determine whether there is a match.

Attack Process

Different than a pen test but similar steps

DMA

Direct Memory Access

DSSS

Direct Sequence Spread Spectrum

DRP

Disaster Recovery Plan

Configuration Management

Discipline of establishing a known baseline and managing that condition. "Risk assumed by one is shared by all." Discipline of establishing a known baseline condition and then managing that condition. Change control is critical. Partition your internal network to prevent spread of an exploit. To manage your configuration, you need 2 things: accurate baseline document; way to detect when a change occurs to that baseline (change control). For CM to be successful, we need instrumentation to detect unauthorized change, eg system scanners, network mapping, vulnerability scanners, p22. Web CM, p 172.

DACLs

Discretionary ACLs control permissions on a folder: read, write, execute, modify, full control.

DAC

Discretionary Access Control

DN

Distinguished Name

Active Defense Harbinger Distribution (ADHD)

Distro based on Ubuntu that has pre-loaded active defense tools.

DoS Attack

DoS attacks are possible against VMs and their host. A DoS attack against a host can cripple services across multiple different companies.

Router Attacks

DoS, DDoS, Packet Sniffing, Packet Misrouting, XSS, CRSF, SYN Flood, Route Table Poisoning, Malicious Insider

Policy Creation

Does this policy set the correct tone for my organization? State the issue; Identify the players; find all relevant documentation that exists; define the policy; identify penalties for noncompliance; make sure the policy is enforceable; submit the policy for review and approval.

Network Profile

Domain (only when AD is available), Public, Private. Maintain different firewall rules for each profile.

Domain GPO

Domain GPO overrides local GPO

Local GPO

Domain GPO overrides local GPO

System-level Objectives

Attackers goals and what tools they'll use to meet them. Execute unintended commands or access data without authorization? SQL or LDAP injection. Execute scripts in browser, hijack a user session, alter a website or redirect user to another site? XSS or CSRF.

Wireless Phishing

Attackers listen and steal personal info over wifi. They can infect user's browser cache.

Defense Science Board

Attacks, Defenses, Targets, Adversaries Diagram

KEYW Cyber Threat Taxonomy

Attacks, Defenses, Targets, Adversaries Diagram

Attack

Attempt to gain unauthorized access to an IS services, resources, or information, or the attempt to compromise an IS's integrity, availability or confidentiality

SSL/TLS

Encrypts, server identity verification and data integrity. Secret keys are negotiated during TLS/SSL setup, using algorithms such as RSA and DH key exchange. During initialization, server presents public key certificate to client to verify server identity. Server requests crypto key exchange. SSL/TLS is not a guarantee of security.

M$ EoL

End of Sales, End of Mainstream Support, End of Extended Support, End of Custom Support

Virtual Firewall

Ensure there's a virtual firewall between two guests running on the same host. The virtual firewall will analyze traffic between them.

IPv6 Features

Fixed header length of 40 bytes. Extended address space, autoconfiguration support, IPv6 over IPv4 tunneling, IPv4 over IPv6 translation, Flexible embedded protocol support. endpoint authentication, encryption support.

Certificate Revocation List

Flat file. Not updated in real-time

Spectre

Flaws in the computer's processor. Successful exploitation will yield kernel-level permissions and root-level file access.

VPNs

Flexible, cost-effective, fast to setup. Delay can be an issue. No dedicated bandwidth.

MAC Flooding

Flood the switch with MAC addresses. Switch starts acting like a hub which allows attacker to sniff traffic.

Active Defense

Focus on vulnerabilities in which there is a threat with a high likelihood and high impact to causing damage to critical assets. Stage 1- Identify internal critical assets; 2- Add environmental context (baselines); 3- Identify and profile most likely threat actors; 4- Conduct active defense missions. The goal is to find out as much about the adversary and slow them down.

Business Continuity Plan (BCP)

Focuses on availability of critical business processes. Long-term, strategic. Created by business.

SSH MFA

For critical services like SSH, MFA must be used. List of options: SSH keys, Google Authenticator, FreeOTP, Authy, Duo.

JEA

Just enough Admin is an optional PS remoting feature available in PS 5.0. It whitelists commands and block all others by default.

Preventive Control

Keeps a threat from coming in contact with a vulnerability

Permutation

Keeps same letters, but changes their position within text. Very easy to break. Substitution and permutation can be combined. Also known as transposition. Used in combination with substitution in modern crypto algorithms, p50.

KDC

Kerberos Distribution Center is AD Controller

Threat Assessment and Analysis

Identify existing countermeasures, threats and vulnerabilties. Support the expenditure of resources and determine the most cost-effective safeguards to offset the risks. Aid in the selection of cost-effective countermeasures that reduce existing risks to an acceptable level.

Kerberos

Kerberos explained on p33-35. Default authentication protocol for AD. Primarily uses UDP88, For large tickets, it switches to TCP88. Servers listen for password changes on UDP464, p212.

DMCrypt

Kernel module that allows hdd encryption on whole partitions. Linux distros allow at root level now (wiki)

Key Escrow

Key backup stored with third party.

Hypervisor

Key component of virtualization that allows software to emulate hardware. The hypervisor is the emulation software. Attacker owns everything if they can compromise the hypervisor.

Biometrics

Key factors in selecting: reliability, user friendliness, implementation cost, maintenance. Difficult to change credentials after compromise.

cgroups

Key feature of LXC. Made by Google. Focuses on CPU and Memory control.

namespaces

Key feature of LXC. Made by IBM. Focuses on obtaining resources that an app needs. Good for security and stability.

3DES

Key length is 168 bits. Based on key length, 3DES is not considered secure, even through there are no public reports claiming to have cracked it. 3DES is executed 48 times (rounds) whereas DES is executed 16 rounds.

LSA Secrets

Local Security Authority in Windows is designed to manage a systems security policy, auditing, logging users on to the system, and storing private data such as service account passwords. LSA secrets are stored in HKLM:\Security\Policy\Secrets key

LSA Secrets

Local Security Authority in Windows is designed to manage a systems security policy, auditing, logging users on to the system, and storing private data such as service account passwords. LSA secrets are stored in HKLM\Security\Policy\Secrets key

Account Lockout

Lockout duration 120 min; Lockout threshold 5 attempts; Reset lockout counter after 45 min

Logsurfer

Log alerting program

Logwatch

Log alerting program

Swatch

Log alerting program

OSSIM

Log analysis tool. Analyzes and correlates logs. Correlate and alert

OSSEC

Log analysis tool. Leading open-source tool for real-time log analysis. Correlate and alert.

SEC

Log analysis tool. Rule correlation and analysis of logs in near real-time. Flexible. Hard to use. Correlate and alert.

Logsentry

Log analysis tool. Use their scripts or create your own to look for specific strings in logs and then sends an email or other alert.

Swatch

Log analysis tool. Use their scripts or create your own to look for specific strings in logs and then sends an email or other alert.

Logwatch

Log analysis tool. Use their scripts or create your own to look for specific strings in logs and then sends an email or other alert. Correlate and alert.

SLCT

Log analysis tool. Uses a simple clustering technique to make sense of stored logs. Use it when you need to review large amounts of file logs.

Splunk

Log correlator, use third-party plugins to make it act like a SIEM. Difficult to deploy if you deviate from anything other than typical log aggregation.

Baseline

Log output of several commands and compare them with log changes. What's normal: type of network traffic, amount of network traffic, types of logs generated, number of logs generated, resource utilization, access times and length of access, current state and configuration.

Blue Pill

Logical attack that involves a rootkit manipulating low-lever kernel mode to provide root-level permissions to the attacker, giving attacker unlimited access to other guests. It does this by executing a false hypervisor.

Physical File System

Logical file system is made up of multiple physical disk partitions.

Type 2 Hypervisor

Logical hypervisors run internally within an OS as an application. VMWare Workstation, VMWare Player, VirtualBox

Virtual Defense

Logical separation through virtual switching and virtual firewall to provide filtering and inspection. Timely patching is key. Physical separation of VMs by security classification may be a regulatory requirement. Private VLANs are another good defense.

Information Management

Logical vs Physical Locations of data. Due to contractual, regulatory and jusidictional issues, its imperative to understand both logical and physical locations of data. Volume Storage. Volumes often use data dispersion to support resiliency and security. This includes IaaS instances typically as a virutal hdd. Object Storage is sometimes referred to as file storage. Its more like a file share accessed via APIs or web interface. Eg DropBox.

ls -l

Long listing of contents, includes attributes. Output on p172

Threat Hunting, Host

Look at startup fiels, registry changes, hidden processes.

Single Loss Expectancy (SLE)

Loss from a single event. SLE = Asset Value x Expsosure Factor

Alien Vault

Lots of prebuilt automation. Open Threat Exchange provides threat feed, identifying signatures it has created. File integrity monitoring, HIDS, NIDS and Vulnerability Scanning.

RDP Encryption levels

Low cleartext; client compatible where client determines the encryption; High server determines encryption level; FIPS compliant requires 3DES, AES, RSA and/or SHA. TLS is permitted if requested.

System Accounts

Low number UIDs. Better to disable account than to delete them. Set accounts so that no can login with them and they are audited.

M$ vs Organizational Accounts

M$ Account is for personal use like Outlook.com or OneDrive. Organizational Account is Exchange Online or O365.

Windows Defender ATP

M$ Advanced Threat Protection includes a suite of products for threat hunting and incident response.

MAAD

M$ Azure Active Directory

AADDS

M$ Azure Active Directory Domain Services

Azure ATD

M$ Azure Advanced Threat Detection

MBSA

M$ Baseline Security Analyzer

mstsc.exe

M$ Built-in Thin Client App

dir /w

M$ CLI to list contents of a directory.

dir

M$ Long listing of contents, including attributes

Office Online

M$ Office app. Free but limited. You have to save docs in OneDrive.

M$ OMS

M$ Operations Management Suite

SCCM

M$ System Center Configuration Manager used for CM of BYOD devices. Integrates with InTune

MOM

M$ System Center Operations Manager

MOM Server

M$ System Center Operations Manager watches over your servers by continuously extracting their Event Logs and other auditing data.

attrib

M$ change file attributes

copy

M$ copy files

del

M$ deletes a file

Smart Screen Filter

M$ filters known-evil URLs in M$ Edge and IE by default.

Outlook.com

M$ free email, calendar, contacts, etc. Competes with Gmail.

InTune

M$ inventory and management of BYOD. Enforces MDM security policies.

dir /a

M$ list hidden and regular files

md

M$ make directory

rd

M$ removes directory

rename

M$ rename files

dir env:\

M$ same as "set" command to see path variables in Windows

diruse.exe

M$ tool to alert you if any monitored folder exceeds a certain size

at.exe

M$ utility for scheduling tasks. Deprecated and shouldn't be used.

MAAD vs AADDS

MAAD does not support Kerberos, NTLM, Group Policy, or LDAP. It supports web-based authentication. AADDS provides traditional domain controller services. You don't have to upload your VMs for AADDS.

mbsacli.exe

MBSA cli version

M$ Authenticator

MFA on mobile devices.

M2M

Machine to Machine applications

aureport

Makese ausearch results easier to read

Internet Explorer

Manage IE using GPO Administrative Templates and Internet Explorer Maintenance.

auditpol.exe

Manage audit policies from cli

ntrights.exe

Manage privileges with scripts or free CLI tools like ntrights.exe

Data Migration Detection

Manage unapproved data moving to cloud services in two ways: Database Activity Monitorigin and File Activity Monitoring; URL filters and DLP tools

DR Planning Process

Management Awareness, Planning Committee (has at least one business stakeholder involved), Risk Assessment, Process Priority Establishment, Recovery Strategies, Testing Criteria.

Human Resources and Management Sensitive (Business Classification)

Management Proprietary Information. Personal Information (PII).

MAC

Mandatory Access Control

Incident Handlineg

Planning is key! Pre-established procedures that specify how to act during common attack situations. Six Step Process: 1-Preparation; 2-Identification; 3-Containment; 4-Eradication; 5-Recovery; 6-Lessons Learned.

PAM

Pluggable Authentication Modules

PAM

Pluggable Authentication Modules employs four management groups: Authentication, Passwords, Sessions, Accounts. Config files are stored in /etc/pam.d.

PPTP

Point-to-Point Tunneling Protocol is a VPN protcol uses IP 47, which is GRE, and TCP1723

Policy vs Procedure

Policy addresses what to do and Procedure addresses how to do it. Policy is read cover to cover and Procedure is referenced when having trouble following the policy. Policy is concisese and focused. Procedure is detailed and step-by-step. Policy is strategic and high level while Procedure is tactical.

SMART

Policy statement must be specific, measurable, achievable, realistic, time-based

NDA

Policy that covers use, control and enforcement. Protects both parties, shouldn't be one-sided. Protects sensitive information; individual receiving information agress to keep it confidential. Legal document that has certain specific requirements. Clearly written and easy to read. Should follow who NDA applies to, what NDA is, when NDA should be used, where NDA is applicable, and why NDA is important.

802.1x

Port Security feature. Provides network authentication. Its a framework that supports different authentication protocols known as Extensible Authentication Protocol (EAP) types. Standard by IEEE to authenticate to LAN and wireless LAN network devices.

Scanport

Port scan tool

Nmap

Port scan, vulnerability scanning, OS detection. Filtered means nmap can't tell if port is listening. -randomize_hosts options tells nmap to scan range of hosts in random order.

POSIX

Portable OS Interface

Shell

Portion of OS that allows users and proceses to interact. It also can act as the vehicle through which apps obtain permissions and interact with the kernel.

Ephemeral Ports

Ports that change each time the client runs. They are numbered above well-known ports ( > 1023 )

Firewalls

Preventative. Best way to protect a system is to air gap it from the network, but that's 0% functionality. 3 types of firewall: packet, stateful and proxy/NGFW. Helps with IDS if egress filtering is enabled and firewall logs traffic in both directions. Ingress is from Internet to protected network. Egress is protected network to Internet.

NIPS

Preventative. Layer 7.

NIDS Developments

Reduction in false positives with target OS identification, integrated vulnerability assessment for threat profiling/alert prioritization, NIDS integration with networking devices (eg IDS blade in switch), IDS in wifi.

OWASP

Reference to OWASP Top 10 Most Common Applicaton Attacks on Input Attacks page.

SELinux

Security Enhanced Linux is a loadable kernel module that provides mandatory access control policies. Security model is based on least privilege and starts with users having no rights at all. It doesn't replace existing Linux security, it enhances it. Good for systems that have default "allow."

SID

Security ID Numbers

SID

Security ID Numbers Everyone S-1-1-0; Authenticated Users Group S-1-5-11; Local Administrators Group S-1-5-32-544

SIEM

Security Incident & Event Monitoring

.inf

Security Template

Host: Header

The client sends the web server a Host: header that specifies which domain.

PUT

The client uses PUT to upload files to a web server, eg publishing new web pages or uploading email attachments.

Non-Persistent Cookie

They are destroyed every time the browser closes. Even though they are stored in memory, they can still be edited by user or MitM using Proxy like Paros.

Dwell Time

Threat Hunting Key Indicator. How long is the adversary in your organization?

Reinfection

Threat Hunting Key Indicator. How many times has an organization been compromised by the same adversary or the same threat?

Lateral Movement

Threat Hunting Key Indicator. How much damage is the adversary causing, in terms of number of systems compromised?

Risk

Threats x Vulnerabilities. Its impossible to completely eliminate all risk. Security deals with managing risk to your critical assets. Security professional must constantly track, manage, and mitigate risk to an organization's critical assets. Risk = Probability x Impact.

Data Protection

Three valid options: content discovery, volume storage encryption, object storage encryption

sysctl -w

To change (write) a variable until next reboot. Non-persistent file change. Great for testing before commiting to changes.

ROI

To obtain the required resources, it is ciritical to show an appropriate ROI for security. Financial benefit or return received from a given amount of money or capital invested into a product, service or line of business. aka Return on Capital Employed, Return on Network Worth, Return on Equity. ROI (%) = (gain - expenditure) / (expenditure) x 100

fsutil.exe

To see which file system is used and get its list of support features, open PowerShell and run this utility.

LogPP

Tool help conver multi-line logs to a single line format

strings -n 14 textfile.txt

Tool parses through any input file, searching for ASCII characters. -n 14 tells it to look for strings 14 characters or longer.

Artillery

Tool that can provide an early warning system. Honeypot, file system monitoring, threat intelligence feeds with optional trace-back capability.

WEPWedgie

Tool to accelerate process of collecting packets from wireless networks.

wnet/reinj

Tool to accelerate process of collecting packets from wireless networks.

hping3

Tool to craft packets. TCP version of ping. Port Scanner. Spoof IP address. See output, p20-21

StegSecret

Tool to detect stego in images.

Stegexpose

Tool to detect stego in images.

Ettercap

Tool to facilitate sniffing in a switched environment. Can sniff even in a switched environment. Relies on ARP cache poisoning.

Dsniff

Tool to facilitate sniffing in a switched environment. Sniffer that uses ARP redirection and IP forwarding

unshadow passwd shadow > unshadow.txt

Tool to merge passd and shadow files together. Preliminary step for John the Ripper.

md5deep

Tool to take forensic hash of file.

sha1deep

Tool to take forensic hash of file.

Bloover

Tool used for Bluejacking

BlueSniff

Tool used to circumvent Bluetooth security that allows attacker to locate and attack Bluetooth networks.

RedFang

Tool used to circumvent Bluetooth security that allows attacker to locate and attack Bluetooth networks.

AirSnort

Tool used to crack WEP keys.

WEPCrack

Tool used to crack WEP keys.

dwepcrack

Tool used to crack WEP keys.

Blackhole Exploit Toolkit (BET)

Toolkit installed on web servers and preconfigured to attack out-of-date code running on visitors' machines.

Content Discovery

Tools to identify sensitve info in storate. Once identified, info can be classified. Classified dat can be scanned with advanced content analysis techniques to audit.

TTPs

Tools, techniques and procedures

Classification Levels, Government

Top Secret (critical to protect), Secret (could harm national security), Confidential (could be detrimental to national security), Unclassified (data owners prefer to keep this info from being released, but it would not harm the nation if it were).

Log Deployment Challenges

Top challenge is political boundaries.

Deep Packet Inspection

Traditionally deployed with application-level firewall gateway that has deep understanding of protocol and has the logic to follow the fields inside the packet. Slow and expensive. In practice, it's used with shallow packet inspection.

NIDS Key Point

Trained staff, passive sniffer in security management console, incident response preparation, ROI calculation--better to outsource?

HTTP Protocol

Transaction-oriented. Stateless.

Station Controller

Transmits and receives frames through transceiver on Ethernet.

TLS

Transport Layer Security. Encrypts traffic between client and IIS Server

OSI Model

Transport Layer ensures reliable connectivity from end-to-end and handles sequencing of packets in a transmission. Session handles establishment and maintenance of connections between systems. Negotiates the connection, sets it up, makes sure the info exchanged across the connection is in syn on both sides. Presentation Layer makes sure data sent from one side is received in a format that is useful to the other side eg compression/decompression. Application Layer interacts with the application to determine which network services are required.

Decloak

Tries to discover attacker's true IP address. Uses flash and Java applets. Can be used as part of incident response or threat hunting activities. Could be considered hacking back.

DoublePulsar

Trojan backdoor tool that runs kernel mode, allowing for privileged access on compromised systems. Used in WannaCry attack.

IDS Alerts

True postive generates alerts; false positive generates alerts; true negative does not generate alerts; false negative does not generate alerts.

TPM

Trusted Platfom Module

IPsec Headers

Tunnel Mode encrypts IP Header and Data. Transport Mode only encrypts Data.

TTLS

Tunneled Transport Layer Security

Recovery

Two main options: install OS and apps from scratch, fix vulnerability, restore data; restore system from a trusted backup and patch the system.

Threat Hunting

Two major components of threat hunting: detection and intelligence, p176. Act of aggressively tracking and eliminating cyber adversaries from your network as early as possible, p178. Benefits: provide early and accurate detection, control and reduce impact and damage with faster response, improve defenses to make successful attacks increasingly difficult, gain better visibility into org's weaknesses, p179. Fits between active defense and intelligence, p183.

Web Authentication Methods

Two most commond are HTTP authentication and HTML form-based authentication.

syslog.conf

Two parts to entry in syslog.conf: filter and action. This is where you tell where you want syslog to store files, including if they are sent to remote server.

ICMP

Two purposes: to report errors or troubleshooting and to provide network information. It's a datagram like IP and UDP. Reports on state of a network.

Linux Security Permissions

Two ways to represent permissions: symbolic rwx and absolute 777

Linux-VServer

Type-1 Hypervisor VServer mitigates risk of escaping out of a guest by using segmented routing, chroot, extended quotas, etc.

Decoy Ports

Typically implemented at the firewall, which will always respond to a SYN with a SYN-ACK. Careful: opening decoy ports by enabling a real sevice on a server could increase attack surface and make you more vulnerable.

Data Diode

Typically references military technology that moves data into classified networks without the risk of leaking classified information. Usually a hardware appliance($$$) to control flow of traffic, only allowing unidirectional traffic flow. Input side is anode and output side is cathode.

RDP

UDP3389 media streaming. See HTTPS Tunneling RDP.

Superuser

UID0. Root. There can be multiple UID0 accounts but you can't audit them separately. Audits show UID0, that's it.

CNCI

US Comprehensive National Cybersecurity Intiative

USGCB

US DoD US Govt Configuration Baseline

Unix OS Types

Ubuntu and Kali are Debian. Fedora is RedHat. MacOS is BSD.

Ubuntu vs Fedora

Ubuntu is Debian. Fedora is Red Hat. Ubuntu uses APT and is less secure, eg firewall not enabled by default. Fedora uses RPM and Yum package manager

umask u=x

Umask with = will only allow specified permissions to be enabled.

Bluesnarfing

Unauthorized access of information via Bluetooth. Bluesnarfer is probably the most widely used tool

Resource Protection

Understanding your assets.

UEFI

Unified Extensible Firmware Interface

Ciphertext

Unintelligible message.

Cryptogram

Unintelligible message.

Distinguished Name (DN)

Unique identification used by CA to authenticate user/organization requesting a certificate.

john -format:MD5 -w:password.lst test

Use John the Ripper in wordlist mode to crack test file using password.lst wordlist.

ise .\ProcList.csv

Use PowerShell ISE to open ProcList comma delimited file.

WEP

Uses RC4.

File Integrity Checking

Uses a mathematical function called a one-way hash to create a hash-value of monitored file. Considered a HIDS feature.

Dictionary Attack

Uses a wordlist to crack passwords.

NTLMv2

Uses domain name, server challenge and other variables to randomize final hash to protect against precomputation. NTLMv2 adds username, domain name, client challenge, server challenge, and NTLM hash of the password to the hash function thereby injecting randomness or salt. This helps protect against pre-computational hash lookup attacks like Rainbow Tables. The NTLMv2 salt is not designed to protect against pass the hash attacks; other controls are needed to prevent that attack. Enforcing complex password requirements and length requirements are set in group policy/security tempaltes not by the NTLMv2 protocol.

Public Key Infrastructure

Uses for PKI, p125. Problems, p126-127.

Log Monitoring

Uses inclusive or exclusive analysis. Is considered a mechanism of host-based IDS. Powerful mechanism that offers the administrator a lot of flexibility.

Machine Learning

Uses modern computing techniques to streamline pattern recognition and aggregation, computational learning, and human-derived instruction sets to do predictive threat analysis.

Secure Simple Pairing (SSP)

Uses public key cryptography to make Bluetooth pairing more secure. Added in Bluetooth 2.1.

setarch

Utility that should be removed or not allowed to be used by any user. It tells the OS which architecture to use to run the program.

Cryptsetup

Utility to setup hdd encryption based on DMCrypt kernel module.

cut

Utility to trim output to exactly what you need, using bytes, characters, a special delimiter, etc to determine where to cut.

DaaS

VDI in the cloud. Great for BYOD. Eg O365

Cloud Infrastructure Attacks

VM Traffic sniffing eg vSwitch, insecure cryptography, API attacks, Lack of air-gapped systems, Hardware Flaws eg Spectre and Meltdown, DoS, Supply Chain Attacks, Insider Threat, Account Hijacking.

Guest OS

VM. Most common VM is an OS running on a virtual machine. Accesses virtual hardware through an emulator.

Direct Memory Access (DMA)

VMs have direct access to memory and controllers like video and NICs, which can provide a place for attackers to store and move code.

Isolation Errors

VMs need to be configured correctly so they only interact with authorized systems. If an attacker compromises one virtual system, she could also have access to all systems bridged to the compromised one.

Return on Security Investment (ROSI)

Value or perceived benefit obtained by investing resources in security--typically tied to the cost-effective method of reducing a critical risk.

Keys

Values used to intialize a particular algorithm. They permit the existence of unrestricted algorithms Strength of cryptosystem rests with the strength of its keys. The larger the keyspace the stronger the cryptosystem. Key must be protected.

Dash7

Very low frequency, well-suited to tracking moving objects or acting a wireless sensor network. No formal network structure required. Useful for peer-to-peer texts, smart advertising on posters and billboards, mobile in-store advertising.

more

View a page a time

tail

View real-time info, displaying last few lines of a file. Useful for viewing and analyzing log files.

VPS

Virtual Private Storage

/proc

Virtual file system.

Virtualization Benefits

Virtualization reduces downtime by improving failover capabilties.

Volume Storage Encryption

Volume protection from snapshot cloning, cloud service provider exposure, loss of physical drives, etc.

GFI LANguard

Vulnerability Scanner

Qualys QualysGuard

Vulnerability Scanner

Rapid7 Nexpose

Vulnerability Scanner

Tennable Nessus

Vulnerability Scanner

nCircle IP360

Vulnerability Scanner

Vulnerabiltity Analysis

Vulnerabilties are the primary focus for reducing an overall risk. Vulnerability analysis identifies weakness in the system that an attacker could exploit. Vulnerabilities are the primary focus for reducing an overall risk. Gives big picture of weaknesses in systems and apps.

802.11i

WPA2 is a security mechanism that provides encryption to wireless networks.

WannaCry

WannaCry ransomware worm was a confidentiality, integrity and availability attack that leveraged NSA Eternal Blue tool that exploited vulnerability in Windows SMBv1 protocol.

Facebook Breach

Watering Hole attack.

Captive Web Portal

Way to authenticate users. Intercepts requests for web page and substitute the page with a form that requests authentication.

Vulnerability

Weakness in a system that can be exploited.

Vulnerabilities

Weakness in a system that can be exploited. Only thing we can control

WPAD

Web Proxy Auto Discovery Protocol

WPAD

Web Proxy Auto-Discovery Protocol

Paros

Web Proxy Tool allows you to edit cookies.

Burp

Web proxy took that allows for cookie editing.

Cross-Site Request Forgery

Web-based attack for gaining control of web applications. Can be effective on routers too. Attack often comes in the form of an email with a link. Rebooting the router will nullify the attack.

Cross-Site Scripting

Web-based attack to reveal user's physical location. Attacker gets user's MAC address through the router and then uses location service to find them.

Kibana

Web-based dashboard for Logstash and elastic searches. Kibana data search engine can handle enormous amounts of data. Flexible, real--time reporting, data slicing, elastic search.

python -c 'print "A" * 100' > bof

Write 100 letter As to file named bof

Minimize Packages

XFCE is better than gnome because it uses far less space and fewer resources.

Yum

Yum package manager used by Fedora

ZPHA

Zero Power HA

802.15.14

ZigBee Wireless

su

switch user

utmp

complete picture of user logins, logouts, system events, current status of system, and system boot time. One of main log files.

messages

contains global system messages, including messages logged at startup. Mail, cron, daemon, kern and auth logged in /var/log/messages. General system activity log. Stores valuable, nondebug and noncritical messages. Great for anomaly hunting.

/var

contains logs, queues, etc. Files that change frequently

wtmp

historical data of utmp. One of mail log files.

honeyd

honey pot engine. Used by NOVA VMs.

history

last 100 commands I ran

Wmic.exe

legacy command for Windows Management Instrumentation programming

ls

list contents of directory

lsof

list of open files and the processes that opened them

ls -al

lists hidden and regular files

File Attributes

ls -ld example showing File Type, permissions, link count, etc

mkdir

make directory

inetd

manages services

xinetd

manages services. Replaced need for inetd and add-on serices. It also has embedded security features. Maintains /etc/xinetd.d directory where services reside as files. Disable the service by modifying the individual file. Modify /etc/inetd.conf.

Rc.d

manages services. if the system does not use an Internet super server or the server process is activated at system startup, then the services are managed by rc so they can operate independently. Modify /etc/rc.conf

mailog

messages from mail server eg sendmail

Unlock accounts

passwd -l <user>; usermod -L <user>, passwd -u <user>; usermod -U <user>

rmdir

removes directory

mv

rename files

Syslog message format

rfc lacks definition for syslog format standard which causes issues normalizing the data.

/

root file system

get-help invoke-command -full

rtfm!

Linux/Unix File Permissions

rwx set on File Owner, Group Owner and Everyone Else

Multi-Category Security (MCS)

s0:c0 to S0:c3.

Ctrl-R

search past typed commands

secedit

security template management. Secedit /configure /db A:\dbase.sdb as PowerShell scripte to update security template, p145.

secure

security-related messages like authentication failures, possible break-in attempts, ssh logins, failed passwords, sshd logouts, and invalid user accounts.

Hardware Abstraction Layer

see API.

get-process

see list of running processes in PS

kill -l <pid>

send the process an HUP signal

rootkit

set of binaries installed by attacker to provide a backdoor. Often disguised as OS programs in /usr/bin and /usr/sbin.

Syslog

system logging daemon, aka syslogd, normally starts at run level 1.

Tab

tab will show list of everything that matches everything typed

Brute-Force Attack

Most powerful and also the slowest.

Enterprise Admins

Most powerful group because it has full control over every domain in a forest.

MCS

Multi-Category Security

MU-MIMO

Multi-User Multiple-Input and Multiple-Output. Great for real-time communications over wifi.

MLS

Multilevel Security

Policy Statement

Must be clear, concise and SMART. Should contain the guiding principles of who, what, where, when, why. Should be consistent with law, regulations. Consistent with other levels of policy. Should be uniformly enforced, current, readily available, good version control.

Sensitive Information

Must reside on private network. Not visible from Internet.

Sefl-encrypting HDD

Must support TCG Opal 2.0 and IEEE-1667 and motherboard must support UEFI Secure Boot to use BitLocker for access control.

Network File Sharing (NFS)

NFS supports file sharing for Unix-based networks.

snort

NIDS to determine scope of compromise has built-in sniffer

NIPS Developments

NIPS can clean up garbage in network traffic. Example of server waiting to close a TCP connection with workstation. Some NIPS also support QoS.

FDCC

NIST Federal Desktop Core Configuration

john | grep mode

See list of mode in John the Ripper

Schema

Defines all possible types of objects and their attributes in the directory.

Configuration Naming Context

Defines all sites, subnets, and inter-site replication links.

Property-Level ACLs

Delegation of Authority can be controlled based on properties. Each property has its own DACL

Performance Testing

Demonstrates the architecture and resources provided are sufficient for web app's needs. Can also help determine what thresholds exist and what risks might be present of DoS attacks.

IDS Challenges

Deployment including topology and access limitations; analyzing encrypted traffic; quantity vs quality of signatures; peformance limitations with extensive analysis techniques; very costly for proper management.

Servermanagercmd.exe

Deprecated in favor of PowerShell command get-windowsfeature.

scw.exe

Deprecated. Moved into Server Manager tool in Server 2016. Not available in client OSes.

Procedure

Detailed steps to be followed. Mandatory. Explains how to carry out policy. Very detailed.

NIDS

Detective. Layer 7.

Eradication

Determinate root cause, not symptoms

Pen Test

Determine the scope

Pen Test Approach

Determine the scope, information gathering (similar to recon in attack process), scanning, enumeration, exploitation.

XFCE

Lightweight Desktop Environment. Requires fewer packages than Gnome.

LDAP

Lightweight Directory Access Protocol. Cleartext uses TCP3268. SSL-encrypted used TCP3269. LDAP uses Kerberos for authentication. LDAP is the default protocol for searching and editing the AD database.

Wireless Network Mapping Mitigation

Limit RF leakage and use strong authentication adn encryption.

Command Injection

Linux

GPG

Linux

Hashing

Linux

John the Ripper

Linux

Malicious Software

Linux

Nmap

Linux

Snort

Linux

aircrack.ng

Linux

hping3

Linux

tcpdump

Linux

Kismet

Linux and BSD Unix tool. Passive wireless sniffer, wardriving tool, vulnerability assessment tool, and IDS. Completely passive. As IDS, Kismet can identify malicious activity, including DoS, MitM and attacks against protocols. Can be deployed in client/server infrastructure, using the kismet_drone tool. Can also be integrated into Snort using Snort rules.

cd

Linux and Windows change directory

LUKS

Linux hdd encryption. Provides secure management of user passwords. LUKS volumes.

AppArmor

Linux kernel module that uses static analysis and machine learning to learn behaviors of apps, enforce security policies and detect 0-day threats. Can limit the capabilities of programs and has the features of an IPS.

Init

Linux original boot time starter service that only runs in linear. Init process starts as Process ID 1. It checks and mounts file systems and starts necessary services. Its the parent process to all other processes and adopts all orphaned processes in the user space. Using Init requires a reboot of the whole system when system changes are made. Init deals with services only during startup and shutdown.

OS Market Share

Linux runs most security appliances. Over 90% of all computers run Windows.

&

Linux. Run command background.

Security Log

List of Key Event ID Numbers

SIEM/Log Management

List of Terms, p161. Security Incident and Event Monitoring, p181 used for aggregation and correlation of logs, p181.

Windows vs Linux Cmds

List of commands

Token-Based Access Control

List of objects and their privileges (called capabilties) with each user, the opposite of list-based access control.

Active Directory

List of things stored in AD

Logical File System

Lists common conventions of directories

tcpdump --help

See most commonly used tcpdump switches on p44 of Workbook.

ps

See services running on a system and identify rogue processes. Not continuous like top. Use to establish a baseline. Good for threat hunting too.

802.11

See specs on p195

swapon -s

See swap partition current use.

whoami.exe /priv

See what privileges you have.

Protected Enclave

Segment of internal network defined by a common set of security policies. Anything you do to segment your network with switches, firewalls, routers, VPNs is part of this concept. Its a way to reduce the exposure or visibility into your network.

Cost Benefit Analysis

Select cost-effective and business appropriate countermeasures.

SDCs

Self Driving Cars

Package

Self-contained set of precompiled binaries that include all dependencies that are needed to run the software.

EnOcean

Self-powered wireless monitoring and control systems. Energy savings, flexibility.

Servicing Channels

Semi-Annual (Targeted) receives feature updates immediately. Home edition is locked into this one and cannot defer updates. Others are Semi-Annual, Windows Insider, Long-Term Channel. Semi-Annual (regular and Targeted) can defer feature udpates for up to 365 days or can apply them immediately. Semi-Annual Channel have to wait 4 montsh before automatic installation of feature updates.

hping3 -S 10.10.10.10 -p 21 -c 1

Send one SYN TCP packet to 10.10.10.10 port 21.

Bluejacking

Sending unsolicited message via Bluetooth to mobile devices.

Data Owner

Senior Management is ultimately responsible for appropriate data classification. Data Owner is in charge of data classification.

/bin/false

Setting a target module to /bin/false is a good convention for disabling it.

SMB

Sever Message Block protocol

nestat -l

Show all listening ports. Output on 176 and 184.

nestat -a

Show all ports.

nbtstat.exe -A

Shows NetBIOS connections.

ps -ef

Shows all running processes. Output on 181-182, 184, 199.

nmap --help | more

Shows some of the switches on p115. See scan techniques listed on p117. Timing options p118. Output options p119.

id

Shows your UID.

Android Oreo

Significant security changes in Oreo.

Object Storage Encryption

Similar to volume volume storage encryption. Employs Virtual Private Storage. Types of object storage encryption are: file/folder encryption, client/application encryption, proxy encryption.

Virtual Machine Software

Simple emulator for a computer created in software.

Workgroups

Since each computer is standalone, infected computer is less likely to infect others.

Snare

Singl machine Windows to syslog conversion

WSUS

Single WSUS server can handle 10,000+ computers. Can be load-balanced. Use TLS for WSUS over HTTPS, but HTTP is supported.

Tunnel VPN

Site-to-Site VPN

Clustering

Situation where plaintext message generates identical ciphertext message using same transformation algorithm, but with different crypto variables or keys.

Tcpdump

Sniffer

tcpdump

Sniffer tool for Unix-based systems, also ported to Windows as windump. Universally used and portable.

Virtualization, benefits and uses

Speeds up failover. Key components can be isolated and contained to reduce exposure. Ease of use and portability. Cheaper to scale. In 1960s, IBM created first fully virtualized systems.

Network Segmentation

Split computer network from the rest of the network with a switch, bridge, router, hub to boost performance and security.

VLAN Hopping Attack

Spoof 802.1Q tags to hop over to a different VLAN.

STP Attacks

Spoof BPDUs

IUSR

Special built-in account used by IIS Server for anonymous authentication.

SMART

Specific, Measurable, Achievable, Realistic, Time-Based.

SMART

Specificic, Measurable, Achievable, Realistic, Time-based

File Generation

Stego. Hide message by generating a new file. No host file is needed.

ESI

electronically stored information

Endscript directive

end of file in Logrotate.conf file.

find

find specific files

Shadow File

Lists username, encrypted password, password/login rules that control aging and expiration.

LKMs

Loadable kernel modules

LKMs

Loadable kernel modules. Gaining access and using LKMs is a good way to add rootkits.

Discretionary Access Control

Users manage the data they own. eg Windows workgroups and Linux file permissions.

scwcmd.exe

cli version of SCW. Used on Server OSes. Great for auditing and creating a GPO from an XML policy file.

scwcmd.exe

cli version of Security Configuration Wizard (scw.exe).

TCP Reset Attack

Attacker spoofs source IP, port, destination and sequence number in the packet and includes RST bit to terminate the session.

nodev

Device files are ignored in the file system. Files found in /dev and /devices are not allowed to communicate with the system drivers

RC4

Encryption protocol that was used in 802.11 WEP, SSL and TLS.

EFS

Encryption utility used by NTFS.

Object Auditing

First, enable Audit Object Access in computer's audit policy, Then, you configure the individual object SACL.

Gradm

Grsecurity utility to manage RBAC.

Zero Power HA (ZPHA)

HA device will reroute traffic if the IPS loses power.

HUP signal

kill -l <pid>

Permission Bits

"

Database Monitoring

"A more complete and rigorous test would involve a recurring process that logs in as a valid user, performs a transaction or query within the application, and checks to see whether the expected result is returned."

Package Manager

"APT, RPM, Yum. A Package Manager is a collection of software tools that automates the process of

Injection

Stego. Hide message within file's unused space. Increases file size. No theoretical limit on how much data can be hidden.

IDS Evasion

Attackers attempt to obfuscate traffic to get past IDS by changing characteristics of the traffic sent to exploit a particular vulnerability.

HIDS

"Uses signature and anomaly analysis with unauthorized change monitoring, log monitorign, and network monitoring. Organizations can reap significant benefit by correlating the data across multiple sensors with centralized alerting. Network monitoring uses signature analysis to identify EOI. Can monitor outbound and inbound traffic to detect pivoting, internal recon, lateral movement and C2. Can provide info NIDS can't see, eg analysis of unencrypted traffic streams, p140. Can be deployment nightmare and $$$, p141. HIDS technology now used to monitor configuration and status of network appliances, p 143.

Reverse Engineering

Technique used to reverse encrypted passwords. More commonly used for generating software license keys.

logrotate.conf

Tell log server to retain all received and local logs for at least 120 days.

Automatic Demotion

"Automatic Demotion to Guest occurs when Simple File Sharing is enabled.

IP

"Doesn't guarantee delivery or delivery in sequence. Includes fault tolerance features: TTL, checksum, ToS, fragmentation

Wireshark

"Examples of sniffers page.

Hash

"Goal is integrity. MD5, SHA, RIPEMD, HMAC. One-way transformation (no way to decrypt), irrversible. Key length is hash length. Fixed length output is often referred to as key length. Hashing proves document didn't change.

Password Cracking

"Offline process of attemping to guess passwords given password file information. Can be used to find non-compliant passwords without cracking compliant passwords.

HIPS

"One of major benefits is ability to identify and stop known and unknown attacks, p145. Uses a combination of signature analysis and anomaly analysis to identify attacks, p145. False positives are a problem, but less so on a distributed scale, limited support for protecting custom apps, additional burden, 10%-20% CPU and memory usage on hosts, p147.

Vulnerabilities

"While threats drive the risk calculation, vulnerabilities drive the risk reduction." Weaknesses in the system. They are inherent in complex systems. Always will be present. Poor coding practices and lack of error checking. Gateway by which threats are manifested. 2 categories: known and 0-day. 5 vulnerability axioms: 1 vulnerabilities are the gateways through which threats are manifested; 2 vulnerability scans without remediation have little value; 3 a little scanning and remediation is better than a lot fo scanning and less remediation; 4 prioritizing systems and vulnerabilities is critical; 5 stay on track. CNSS 4099 "weakness in an IS, system security procedures, internal controls, or implementation that could be exploited." eg Misconfigured server leaving a port service open without requiring authentication.

Boot volume

%SystemRoot% usually \Windows contains OS files. BitLocker can encrypt this volume.

NIPS Challenges

Organizations can't afford false positivees; NIPS have to keep up with traffic demands; NIPS tend to have less-extensive rule bases than IDS.

Promiscuous Mode

Tells computer NIC to accept every frame regardless of whether MAC address matches or not

Audit Privilege Use

(Failure)

Audit Account Logon Events

(Success, Failure)

Audit Account Management

(Success, Failure)

Audit Directory Service Access

(Success, Failure) On DCs, this required to log access to AD objects as defined by those individual audit settings.

Mandatory Access Control

Controls all access. Controls set by system and cannot be overwritten by sysadmin. Takes a lot of work to maintain b/c all data has classification and all users have a clearance.

missingok

Tells logrotate to continue to the next file if file doesn't exist.

Substitution

Stego. Message is hidden by substituting the least significant bits in a document. Limits to how much data can be hidden Can result in file degradation.

RoboCopy

CLI tool for copying and moving files. It does not use Volume Shaddow Copy Service, so it cannot copy files that are continually locked.

Micro-Segmentation

Concept implemented by SDN to analyze and filter traffic between endpoints.

schtasks.exe

Task Scheduler. CLI, PowerShell or MMC.

IPSec, Windows Implementation

Encrypts traffic but more importantly, it requires mutual authentication, which SSL does not. Can be managed through Group Policy or PowerShell, p227.

windump

Tcpdump ported to Windows. See tcpdump

Preparation, Incident Handling

Planning is everything. Preparation plays a vital role. Its very important to have a policy in place that covers and organization's approach to dealing with an incident.

Reconnaissance

Provides visibility into your orgnaization and insight into how the adversary will target you.

RPM

RedHat Package Manager, used by Fedora

TKIP

Temporary Key Integrity Protocol built into 802.11i WPA2. Works with CCMP . See WPA2.

Log Parsing

grep, cut, sed, awk, auditd

WPA2

Uses AES-CCMP encryption mechanisms to improve security of 802.11 networks. Requires a hardware replacement to upgrade to it.

Traceroute

Uses ICMP time exceeded to count hops as it follows a path to destination host.

Tracert

Uses ICMP time exceeded to count hops as it follows a path to destination host.

Server Nano

110MB. Server 2016 or later. No shell or desktop. Only a console to configure basic networking and firewall changes. Primary method for remote contol of Nano is PS.

Partitions

16 different partitions /hda0 through /hda7. 3 reasons to use partitions: makes it difficult for one subsystem to affect another by locking down partition to fixed size; backing up partitions is easier; you can set different security options on different partitions.

Log Size, Wrapping, and Consolidation

1MB holds 7,500 events. Recommended size is at least 50MB to start.

SSH/TLS Key Management

2 options listed: KeyBox and Puppet.

Syslog facility codes

24 facility codes. Local0-Local7 used most often. Common facilty codes are kern 0, user 1, daemon 3, auth 4, syslog 5, auth priv 10.

Bluetooth

2Mbps, up to 7 simultaneous connections, no LoS requirement. Class 1 supports 100 meters, Class 2 supports 10 meters, Class 3 supports 1 meter. Bluetooth v5 doubles the speed and quadruples the range. 2Mbps

OS Classes

3 Classes of Windows OS are Client, Server and Embedded

Network Design

3 goals: 1- any system visible from the Internet must reside in the DMZ and cannot contain sensitive information; 2- any system with sensitive information must reside on the private network and not be visible to the Internet; 3- only way a DMZ system can communicate with a private network system is through a proxy on the middleware tier, p36

Uneeded ports

3 ways to control and close unneeded ports: Comment out (#) uneeded services in /etc/inetd.conf; disable option (yes) in /etc/xinetd.d; comment out or set to NO in /etc/rc.conf.

Privilege Elevation

3 ways to elevate privileges: anonymous login with root account, which is not recommended; su command to gain superuser access, allowing normal user to switch to root; sudo command which allows normal user to run command with root privileges, which is the best for auditing and nomal user doesn't need to know root password.

dumpusers.exe

3rd party audit tool that uses null session

Authentication

4 ways to authenticate: something you know; something you have; something you are; some place you are.

Server Core

5GB size. Server 2008 or later.

Access Control Techniques

6 Common Types: Discretionary Access Control, Mandatory Access Control, Role-Based Access Control, List-Based Access Control, Token-Based Access Control.

MAC Address

6 byte value. 48-bit address. 12 hexadecimal digits. First half vendor code Cisco 00:00:0c. Hardware address.

Bitlocker TPM Operations

6 ways to implement BitLocker. Backup your Bitlocker Recovery Password!

802.11ac

6.9Gbps. MU-MIMO. Major performance boost over 802.11n.

Log Reports for SIEM

7 Top Log Reports: Authentication, Changes, Network Activity, Resource Access, Malware Activity, Failures, Analytics Reports

Super Bluetooth

802.11ad short-range < 10 meters uses ISM band 60GHz and provides 7Gbps throughput, no latency.

Sytem Call Interception

A technique used by HIPS software. It inserts its own processes between applcations accessing resources on the host and the actual OS resources.

Exclusive Analysis

A measure of log monitoring that uses a list of keywords or phrases as a white list of events. Log entries that don't match the exclusive keyword list are raised as alerts.

Inclusive Analysis

A measure of log monitoring that uses a list of keywords or phrases that define the events of interest. The keyword list is a blacklist.

Log Analysis

A measure that can be implemented by any organization at little cost. Used with HIDS reporting. See exclusive analysis and inclusive analysis.

File and Print Sharing

A network binding that should be disabled on computers directly connected to the Internet.

Decoy IPs

A network device, eg router, can be configured to respond to ping sweeps, making it appear that all IPs are active. VMs can be used to reply back on certain IPs.

Multiresolution Filtering

A technique that uses rule classification to quickly sort through traffic in order to rapidly identify malicious events. IPS will start with simple tests first. If it passes, the traffic is given more complex tests.

SQL Injection

A vulnerability that is exploited by insufficient input validation, which allows attacker to execute arbritrary SQL commands usually through an authorized web server application database account. It can also lead to OS compromise eg SQL server commadn xp_cmdshell stored procedure. Some web scripting languages like PHP with magic_quotes turned on automatically escape user-supplied data, but don't rely on that alone. Validate user input and filter special chaactures and SQL commands, eg ' and ; and : and ". Set max lengths on input. Use stored procedures instead of SQL queries. More defenses listed p149.

Multi-Master Replication

AD uses multi-master replication to share information among all controllers in the domain.

Advanced Packaging Tool

APT is a Debian packag management tool based on dpkg

Log Monitoring Strategy

Decision Tree.

VM Escape

Ability to compromise a system once and be able to access all other VMs. VM escape removes isolation between VMs and host. Guest escapes from sandbox and his able to access supervising hypervisor and its resources

Virtualization

Ability to emulate hardware using software. Allows hardware and software to decouple from each other. Key component is the ability for abstracting and emulating specific hardware components, which is done by the hypervisor.

AUP

Acceptable Use Policy

ACE

Access Control Entries

Access Control Entries (ACEs)

Access Control Entries are individual permissions stored in DACL. Manage with ICACLS.exe or in Security Tab Special Permissions. Gray-checked ACEs are inherited and solid-checked are explicitly assigned.

ACL

Access Control Lists on border router help firewall.

AGULP Model

Accounts, Global Groups, Universal Groups, Local Groups, Permissions & Rights. Unique Account is assigned to Global Group. Global Group is assigned to Universal Group. Global/Universal Groups are assigned to Local Groups. Local Groups are assigned Permissions & Rights.

Cryptanalysis

Act of obtaining plaintext or key from ciphertext. Used to pass on altered or fake messages to deceive intended recipient.

Detective Control

Action of tracking down the threat

ADHD

Active Defense Harbinger Distribution

Sprawl Management

Actively manage virtual environment. Know what's used. what's needed and what's not.

ARP

Address Resolution Protocol RFC826

ASLR

Address Space Layout Randomization prevents buffer overflows. Part of MacOS RunTime protection (p20). Use sysctl to enable ASLR for individual programs (p103). Use PaX to improve ASLR.

Known Vulnerabilities

Address with aggressive patch management.

Procedure

Addresses how to protect information in a detailed step-by-step way. Tactical.

Administrative Templates

Administrative Template settings are found under both Computer and User Configuration in the GPO. If there's a conflict, Computer Configuration setting usually wins.

Hidden Share

Administrators have full control. Registry entry listed. eg, C$

Misc ADM Settings (Adobe)

Adobe provides ADM/ADMX templates to import into GPOs

APT

Advanced Packaging Tool used in Debian (eg Ubuntu, Kali)

APT

Advanced Persistent Threat. See Advanced Persistent Threat. See Threat Agents.

QRadar

Advanced Sense Analytics Engine to detect advanced threats through network anomalies.

NMAP

Advanced host discovery, port and protocol mapping, vulnerability analysis framework.

Scanning

Advanced probing of the target for vulnerabilities that can be easily exploited. Network mapping, port mapping, vulnerability scanning, OS fingerprinting, war dialing, wireless scanning.

Incident

Adverse event in information system and/or network. Refers to harm or the significant threat of harm. Incident is composed of one or multiple events.

Tarpits

Aggressive technique that will send information to adversary's computer, causing it to use all of its resources or behave in a slow manner. Most common tarpit is manipulating TCP window size to really small or periodically setting to zero.

Security

All about understanding, managing and mitigating risk. What is the risk? Is this the highest priority risk? Is this the most cost-effective way of reducing the risk?

Forest, AD

All domains in a forest share a single Schema and Configuration Naming Context.

Trusts, Two-Way Transitive

All domains in a forest share two-way transitive trusts between them. Every domain in the forest trusts every other domain in the forest.

DAD

All for Windows to syslog logging

Source Routing

Allows IP packets to specify routing. Can be used to bypass firewall and other protections. Should be disabled by default.

Virtual Machine Introspection

Allows administrator to monitor all events within a virtual environment so any unusual behavior can be caught early. Specifically designed to have minimal effect. Eg hypervisor can check memory, system events, malware detection, especially when malware is designed to avoid antimalware detection. Can detect malware actions designed to avoid antimalware detection, since behavior is observered from outside.

Virtualization

Allows for better utilization of resources, but it could also create security concerns. Ability to emulate hardware using software.

Resource Sharing

Allows for simplified exchanges between VMs as well as their host OSes. This flexibility introduces risk. eg clipboard

Virtual Private Storage (VPS)

Allows users to access data over a shared infrastructure while protecting data, similar to a VPN. Uses encryption keys. File/folder protection, client/application encryption, proxy encryption.

Honeypots

Also known as sensors or canaries. Goal to slowdown basic host discovery. Honeypot is a single system. Research honeypots' goal to research systems with deliberate or known weaknesses. Production Honeypots: hardened systems to replicate a production system.

Hybrid Attack

Also uses wordlist and has configurable settings to account for password complexity policies.

NTFS DACLs

Always enforced, even with local users, IIS HTTP and FTP, RDP, SMB shared folders, PowerShell Remoting.

Virtual sprawl

Condition in an operating environment where number of VMs in existence reaches a point where they are no longer effectively managed or secured. Can happen through mismanagement and understaffing. Mitigated with right policies and automation.

System on a Chip (SOC)

Architecture for small Windows Server appliances

Cryptography

Art and science of inventing and refining ciphers to hide the meaning of communications. Big Picture diagram on p14. Thre core components of cryptography: 1-info is protected at rest; 2-info is protected in transit; 3-keys are properly protected and managed, p15. Goals of cryptography are confidentiality, authentication, integrity and non-repudiation.

War Dialing

Attack to find internal systems still attached to modems.

TCP Connection Spoofing

Attacker has to predict ISN the destination host will choose.

Supply Chain Attack

Attacker intercepts hardware or software and installs malicious components or publishes malicious APIs.

CDP Manipulation

Analyze packets and gain info. Leverage known vulnerabilities.

Android vs iOS

Android is open and iOS is closed. Android has more functionality and more security issues historically. Android has 2/3 market share (69%)

Annualized Loss Expectancy (ALE)

Annual expected loss based on a threat. ALE = SLE x ARO

Offensive Countermeasures

Another name for Active Defense.

Slice

Another name for partitions

Threat

Any event that can cause an undesirable outcome.

Client/Application Encryption

App is embedded with engine encryption to protect data. Eg mobile apps.

PaaS

Appeals to Devs

IaaS

Appeals to SysAdmins

SaaS

Appeals to users. Eg O365 and OneDrive.

Hardware Security Module (HSM)

Appliance to manage your encryption keys. Allows RMS and other Azure servicess to access your data in a plaintext form as necessary. In theory, M$ can't access your keys.

TCP/IP

Application OSI 5-7, Transport (TCP) OSI 4, Internet (IP) OSI 3, Network OSI 1-2. p143 shows Partial TCP/IP suite and how it maps to OSI model. IP maps to Layer 3 and is responsible for determining route to be taken between two network devices, handles flow control, segmentation/desegmentation, error control functions. See IP for more details.

API

Application Programming Interface. Hardware Abstraction Layer. Cloud APIs allow virtual plaforms to locally leverage resources of powerful remote apps. Using server-side apps, APIs can access libraries and repositories from a variety of programming languages. APIs server as building blocks of many sophisticated applications.

chroot()

Application isolation feature enabled on app-by-app basis. Containers and Virtualization. Some apps now provide preconfigured chroot() areas. Problem is that chrooted app may has to have access to dependencies placed in its chroot directory.

Service

Application that either waits in the background or carries out special tasks in the background (Linux.com). Its a process that starts on boot and provides critical functions (stackexchange)

Containers vs VMs

Applications run on the same OS with the same kernel. More scalable. Apps will run the same in all environments. They are isolated to achieve a level of security. Lightweight, fast-to-launch server that shares OS files of hosting server in a sandboxed way. It can have its own IP, MAC address and private view of the file system.

Standard

Applied to the organization as a whole. Specifies a certain way something is done or certail brand or type of equipment to use.

gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy

Apply output file as policy.

Honeytoken

Approach of creating fake protected data with labels that are set to trigger an alert from IDS if attacker attempts to exfiltrate. Easiest and most cost-effective honey deceptive technique, p215.

Defense-In-Depth (DiD), Network Design

Approach that advocates use of multiple layers of protection to guard against failure of a single security compromise. Separating systems into several network sections is one example. Configuring firewall to restrict how traffic crosses section boundaries is another. A border router is a third. Fundamental principle is that you're not relying on any single security mechanism to cause single point of failure, p38.

BCP Key Components

Assess (BIA), Evaluate, Prepare, Mitigate, Respond, Recover.

Role-Based Access Control

Assigns users to roles or groups based on their functions. Groups are assigned authorization to perform functions on certain data

NIDS Advantages

Assists in auditing.

List-Based Access Control

Associates a list of users and their privileges with each object. Each object has a default set of privileges that applies to unlisted users.

Binding, IIS

Associates each site with its certificate

Circuit Level Gateway

At Layer 5 Session. They filter TCP handshake, but not individual packets. Good for screening private network.

Permissions

Attached to a particular object, eg Read access to a file.

Honey Badger

Attack Back tool. Determines physical location of a system. Uses geolocation, wifi and IP. Pretends to be an administrator interface. Runs java applet on the local machine.

Hardening Guides

Automation of hardening can make security of systems more scalable and auditable. But, they can be dangerous if applied blindly.

Input Attacks

Avoid making system calls within web applications, especially when the system call is based on user input. Used built-in app functions or library within your programming language instead. Strip OS commands and characters from input. Define valid characters for input. Delete all others from input.

OS Command Injection

Avoid making system calls within web applications. Used built-in app functions instead. Strip OS commands and characters from input. Define valid characters for input. Delete all others from input.

Azure AD PIM

Azure AD Privileged Identity Management

Rights Management Service (RMS)

Azure Rights Management Services for O365 is a DLP feature to encrypt data files in case of file leak

Azure ASC

Azure Security Center

Maintaining Access

Backdoors, persistent processes, creating accounts, covert channels.

BITS

Background Intelligent Transfer Service

Type 1 Hypervisor

Baremetal hypervisor. Reduces attack surface b/c its a stripped down OS. Original hypervisors developed by IBM were Type 1. Common ones today are XenServer by Citrix, VMWare ESX, M$ Hyper-V.

Security as a Service

Barriers are compliance, multi-tenancy and vendor lock-in. Multi-tenancy presents concerns of data leakage between virtual instances. Providers should take extra precautions to ensure data is compartmentalized and any data shared is anonymous to protect the identity of the source.

Authorization

Based on least privilege, where entity is only given minimal access to do the job.

CIA Triad

Confidentiality (vs Disclosure); Integrity (vs Alteration); Availability (vs Destruction). Security and Functionality are inversely related.

Policy

Baseline Framework Pyramid, top down: Policy, Standards, Guidelines, Procedures. Policy is general management statement. Defines the "what" to do in order to protect information. Safeguards information while reducing personal liability for staff. You must have executive and user buy-in. Security policy statement should strongly reflect the management's beliefs that if information is not secure, the business will suffer. Policy is a mandatory directive, that indicatates a conscious decision to follow a path toward a specified objective, p71

Indicators of Compromise (IoC)

Baseline a system using ls, ps and netstat to identify and mitigate adversaries trying to install programs, run daemons/services, make outbound connections.

Anomalies Detected

Baselines help sift through noise. Visualizations help identify outliers easier.

Shell examples

Bash, sh, csh, sh, ksh, tcsh, Windows cmd.exe and powershell.exe, DOS command.com.

HTTP Authentication

Basic mode: credentials sent in cleartext Base-64 encoded, see process p177. Digest Mode: Sent in MD5 hash of password.

Threat Hunting Types

Basic, Statistical Analysis, Visualization Techniques, Simple Aggregration, Machine learning, Bayesian Probability.

Bayesian Probability

Bayesian statistics is a theoretical computation where facts about a given state are expressed by degrees of belief. It takes complex data patterns and tells you the important information about them.

Risk Management

Before you begin managing risk, you need to understand business operations and what types of risk they might be exposed to, p202. Goal of risk management is identify, measure, control, and minimize or eliminate the likelihood of an attack, p202. An understanding of how security is implemented in your organization and how security threats affect your business operations. Main focus is to reduce the risk to an acceptable level, p203.

Isolation

Being able to separate OSes and applications is one of the key benefits of virtualization.

Virtualization Security

Benefits are isolation to handle application instability, resilience and high availability, automation, data governance, forensic analysis b/c you can make an exact copy of a physical computer. Lack of air gap can be an issue p55.

Social Engineering

Best-known techniques are urgency, impersonation and third-party authorization.

Overall Security

Better visibility, reducing the attack surface, controlling the damaage, early detection. What is the risk? Is this the highest priority risk? Is this the most cost-effective way of reducing the risk?

Journald

Binary logger used by Systemd instead of syslog.

BET

Blackhole Exploit Toolkit

Hybrid Cloud

Blend of Public and Private models

Controlled Folder Access

Blocks changes to protected folders from untrusted apps. Requires Windows Defender A/V to be enabled and real-time protectection turned on.

BNEP

Bluetooth Network Encapsulation Protocol

IoT

Bluetooth v5 designed for IoT performance and functionality.

XOR

Boolean Exclusive XOR is one of the fundamental operations in cryptography. One or other is true (1), but not both (0)

Separation of Duties

Break critical task across multiple people to limit your points of exposure. No single person can make a decision.

Bridge

Bridge makes a decision about whether a frame should be sent to other port.

Equifax Breach

Confidentiality and Integrity attack on Apache Struts vulnerability that allowed for remote code execution.

wslconfig.exe

Configure WSL to run multiple distros of Linux side-by-side

Directed Broadcasts

Broadcasts sent to target sbunet without broadcasting to entire network. Used in older DoS attacks. Should be disabled or at least restricted.

SaltStack

Built for speed in the cloud. Also known for reliability, security, modularity and scalability. Uses public crypto to secure two-way communications between main configuration server and client servers. Many well-known cloud providers offer integration into Salt Cloud.

Guest Account

Built-in account. If DC or computer doesn't know account, then they may login the account as a guest. Best to assign long passphrase and disable it. Net.exe user guest <longpassphrase> /active:no /times:

Auditing

Built-in auditing, automates security checks making auditing a part of your infrastructure will simplify the review process.

IPC$

Built-in share for inter-process communications and should not be modfied. Registry setting.

IP Tables

Built-in to the Linux kernel. More than just a firewall, its a complete packet inspection system.

BCP

Business Continuity Planning

BIA

Business Impact Analysis

BRP

Business Resumption Planning

Locking User Accounts after failures

By default, most Unix systems don't lockout accounts after set number of login attempts. Use /etc/pam.d/system-auth to enforce account lockout after too many failed attempts. Set no_magic_root so that it's not applied to root account.

Virtual Ethernet Adapters

Connect virtual systems to each other or to a virtual switch. Configure them to interact with specific virtual switches.

Switch Attacks

CDP manipulation, MAC flooding, DHCP spoofing, STP attacks, VLAN Hopping Attack, Telnet Attack

Whisker

CGI Web Vulnerability Scanner Tool.

SMB vs CIFS

CIFS is SMB plus a few enhancements. Both protocols allow for folders and printers to be shared on network. Shared folder permissions are enforced by File and Print Sharing Service no NTFS filesystem driver.

Center for Internet Security (CIS)

CIS configuration benchmarks provide best practices for hardening OSes to protect endpoints. Provides security templates for OSes.

Reg.exe

CLI regedit

fc.exe

CLI to compare 2 files

wecutil.exe

CLI to manage Windows Event Collector

winrm.vbs

CLI to manage Windows Event Collector

Public Cloud

CSP owns infrastructure.

Shared Folder Permissions

Can be accessed from Network Neighborhood, Mapped Drive Letters, Run Line or Shortcuts.

DNS, bogus entries

Can be combined with other active defense methods to mislead and slow down adversary. Can redirect adversary to honeypots, jailed environments or tarpits.

Entity Relationship Diagram

Can be helpful in trying to analyze what entities must be used to implement a particular control.

Web proxy

Can be used for MitM attack. App sits between client computer and web server.

WLAN IDS

Can implement rogue AP countermeasures to DoS discovered rogue APs.

Network Obfuscation and Virtualized Anti-Reconnaissance (NOVA)

Can launch several decoy VMs and manage them with a centralized management tool. Various VMs are called haystacks. VMs run honeyd as the honeypot engine. Used as an early warning system.

Rapid VM Deployment

Can lead to virtual sprawl.

SSL VPNs

Can work in essentially any web browser. Browser must be able to handle specific types of active content (eg Java, JavaScript, Flash or ActiveX). Tunnels are usually created using a nonstandard tunnel method.

CSE

Canadian Security Establishment

Air Gap

Cannot physically isolate VMs that are hosted on same Hypervisor. Hypervisor provides a software connection between VMs it hosts.

airodump-ng wlan0

Capture wireless frames

Database Activity Monitoring (DAM) Tools

Captures and records all SQL activity in real-time and generates alerts on policy violations. Mitigates SQL injections attacks. DAM tools are usually agent based connecting to central collection server.

CSMA/CD

Carrier Sense Multiple Access with Collision Detection

CSMA/CD

Carrier Sense Multiple Access with Collision Detection. Listens before transmitting to avoid collisions.

Vector

Categories of attack. Can be internal or external. Outsider attack from network. Insider attack from local network or local system. Attack from malicious code.

ro

Causes kernel to prevent writes or updates to given file system.

Centralized logging

Central server should only receive logs from only authorized machines and firewalled from all others. Several partitions can be used for logging to segment the risk of a DOS. Aslo rotate logs quicker and/or have lots of disks to weather DOS. Only run syslog service on central server and limit logins from sysadmin IPs.

Apache2syslog

Centrlization of Apache logs via syslog

CA

Certificate Authority

CRL

Certificate Revocation List

Certificates

Certificate lifecycle, p115.

Containers vs VMs

Containers require fewer resources than VMs.

CFA

Controlled Folder Access

Enabing Password Aging

Controlled in two config files: /etc/login.defs and /etc/default/useradd. In most Unix OSes, the password-expiring and password-rotation features are disabled.

Router Hardening

Change default password, disable ip directed broadcasts, disable http configuration, block ICMP ping requests, disable ip source routing, determine and establish packet filtering, establish ingress and egress filtering policies, maintain physical security of the router, review security logs, upgrade to latest IOS.

Chgrp

Change group ownership.

Rotation of Duties

Change jobs on a regular basis to prevent anyone from being able to get comfortable and cover their tracks. Minimizes chance of collusion.

Chown

Change user ownership.

Chkrootkit

Check Rootkit looks for suspicious processes and known bad files. Common false positive is mail server Port 465. Don't rely on this alone. Script that uses grep to search for signatures and compares list of /proc filesystem with output of ps command to look for discrepancies.

Handling Errors

Check for error conditions and handle errors gracefully, even ones that should never happen.

CBC-MAC

Cipher Block Chaining Message Authentication Code

SAFER+

Cipher used by Bluetooth algorithm for encryption and authentication, usually using 128 bit keys and 4 digit PINs that users often set to easily guessed numbers. Can support 256 bit keys.

Threat

Circumstance or event with potential to adversely impact a system, p37. Any activities that could potentially affect CIA of your systems or services. Protect against most likely threats based on: intellectual property, business goals, validated data, past history. Primary Threats: malware, insider threat, APTs, natural disasters, terrorism. Threats drive the risk calulation. CNSS-4009 "any circumstance or event with a potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or DoS" p37. Two types of threats: intentional and unintentional.

Endpoint Security

Clear visibility is imperative, and organizations today are not doing a great job with detection.

cls

Clear your screen in PowerShell.

SSL/TLS

Client and Web Server use PKI asymmetric to negotiate a session key symmetric.

Group Policy

Client downloads and applies GPOs at bootup, logon and every 90-120 minutes. Enable auditing and IPSec settings here. AD Group policy will overwrite the local group policy every 90 minutes by default.

Disaster Recovery

Client should not depend on single provider and should have a DR plan in place. IaaS providers should have contractual agreements with multiple platform providers and have tools to rapidly restore systems in the event of loss.

HEAD

Client uses HEAD to retrieve information from the server. Similar to GET. Server will check if information requested is there and respond. Won't send over all information requested. Used to save bandwidth and client resources for large information reququests.

Transport VPN

Client-to-Site VPN. Between two hosts, p100.

CSP

Cloud Service Provider

Cryptosystem

Collection of all possible inputs and all possible outputs, in addition to the algorithm and keys. Humans are a part of a cryptosystem.

Snapshots

Collection of data that documents the configuration and running state of a system at a given point in time.

Rootkit

Collection of software tools that work to cloak the existence of malicious files and tools that have been installed by manipulating files, disabling AV and opening backdoors.

secedit.exe /analyze

Comapares setttings of .inf Security Templates.

Directory Traversal Attack

Combination of flawed access control and input attack.

C&C

Command and Control

C2

Command and Control

auditctl

Command used to audit system calls. See list of switches and uses of auditctl on p161 and 163.

Domain Tools

Commercial. Threat Hunting. DNS reserach and analysis tool

Endgame

Commercial. Threat Hunting. Full platform that supports detecting, mitigating and exploiting cyber vulnerabilities and attacks.

Sqrl

Commercial. Threat Hunting. Secure automated login mechanism that enforces authentication.

Carbon Black

Commerical. Threat Hunting. Detection of malicious anomalies and malware.

Malware Bytes

Commerical. Threat Hunting. Endpoint security tools for detection and remediation of malware, including rootkits.

Grsecurity

Commericially packaged set of patches for Unix kernel designed to enhance security with true role-based access control, creating full least-privilege system. Hardens file system and includes more audit logging capabilties. Includes PaX. List of features p111.

CNSS

Committee on National Security Systems

CIFS

Common Internet File System protocol

CVE

Common Vulnerabilities and Explosures

Binding, Network

Communications path between networking component like service or protocol and physical network adapter.

Private

Company's internal systems. Do not provide access to these systems from the Internet. They contain sensitive information.

OS Enhancements comparison

Compares features of grsecurity, AppArmor, SELinux

Effective Permission

Comparison of final share permission and final NTFS permission. Deny always wins.

PKI Problems

Competing/incomplete standards, certification of CAs, etc

GPO Checklist

Complete list of recommended GPO settings for best security practices. Baseline.

GPO Settings

Complete list of recommended GPO settings for best security practices. Baseline.

Stack Management

Complete stack management focuses on end-to-end connections within the virtual environment to ensure there are no gaps.

Critical Security Controls (CSC)

Controls centered on root cause analysis. You cannot manage what you cannot measure. 15 of the 20 controls can be monitored automatically or continuously. Guiding principles: Defenses should be automated and measured at regulary intervals using automatation; Undertake a variety of specific technical controls (instead of operational controls) to address current attack landscape; fix root cause problems to prevent or detect attacks in a timely fashion; establish measurements of security program effectiveness and to form a common language to talk about risk. 3 control priority families: system controls, network controls; application controls, p100. Key rules are each control has to map to actual known attack; if a known attack does not exist, it cannot be a control; "offense must inform defense."

Innocent Infringement

Copyright idea that someone may use work w/o understanding it belongs to the author, if the author doesn't display a copryight notice.

Kernel

Core component of OS, referred to as the brains, manages the hardware and executing processes. It must have a dedicated space in memory to reside.

Risk Management

Core focus is CIA Triad.

nbs

Correlate and Alert

Propietary (Business Classification)

Cost of procuring, profit margins, contact lists, etc. Contracts, financials.

CCM

Counter with CBC-MAC

CCMP

Counter-Mode/CBC-MAC Protocol. Protocol built into 802.11i WPA2. Works with TKIP. See WPA2.

Software Defined Network (SDN)

Covers network technologies that make the network as flexible and agile as a virtual machine or virtualized storage.

Disaster Recovery Plan (DRP)

Covers the restoration of critical information systems that support the business processes. Its a part of BCP, p161. DRP provides a response to disruption, wherease BCP implements the recovery, p160.

aircrack-ng SEC401_WEP.cap

Cracks WEP key found in pcap file.

New-NetIPSecRule

Create an IPSec rule

Tripwire

Creates a cryptographic hash value of a file. If file is modified, the tool can detect a change because the new hash is different than the original hash.

Take Ownership

Creator Owner is owner of file or folder. Usually the person who created it. Audit who uses this privilege. Greatest threat to least privileges principle.

Form-Based Authentication

Credentials entered and sent as HTML form data. Common to see <INPUT TYPE>= "PASSWORD"> tag. Secure form-based authentication requires a secure channel, eg SSL.

CSC

Critical Security Controls

Security Association

Critical part of IPSec. They document common services, called transforms, that are particular to an IPSec connection.

/etc/crontab

Cron daemon (crond) works way through /etc/crontab file every minute to see if there is a task for it to perform at a scheduled time.

Codes

Cryptographic transformation that operates at level of words or phrases

Cipher

Cryptographic transformation that operates on characters or bits.

Cryptology

Cryptography and cryptanalysis

Advanced Persistent Threat

Cyber espionage is more likely to use APT strategy. APTs can be multi-year, mutidimensional and are often highly targeted. Key property: Stealth. Unlike APTs, traditional threats are known for being automated, consistent and opportunistic.

STIG

DISA and NSA Security Technical Implementation Guides

Data Loss Prevention (DLP)

DLP identifies, monitors and protects data at rest, data in motion, data in use using deep content analysis. DLP enforces this in two ways: blocking data to stop a workflow and allowing data flow to proceed after data has been encrypted.

Semi-Public

DMZ. Resources that are our contributions to Internet. Must be reachable from the Internet and also need Internet access (eg DNS, email). Cannot contain sensitive information.

DNS Sinkhole

DNS server that gives out false information

Data Classification

Data Classification is the responsibility of the Data Owner, Sr Management. Data Classification Process: 1 Identify roles; 2 Identify classification and labeling criteria; 3 Owner classifies the data; 4 Identify exceptions to the classification policy; 5 Specify the controls for each classification level; 6 Identify declassification, destruction, or transference procedures; 7 Include an enterprise awareness program about data classification.

DLCI

Data Link Connection Identifier Frame Relay address with 10 bits

DLP

Data Loss Prevention

DLP

Data Loss Prevention. If you encrypt your data, you cannot use this feature.

Honeycreds

Decoy accounts to distract an attacker. Often named for wellknown default system accounts that usually have privileged access.

NTFS

Default file system. Up to 256TB max volume size

Data Fragmentation

Data fragmented and distributed acorss multiple remote servers. Used for storing long-lived data in the cloud with high assurance. Combined with encryption, its very resistant to compromise because attacker has to defeat many cloud nodes to retrieve fragments.

Steganography

Data hiding. Provides confidentiality but not secrecy. It doesn't guarantee safety. Hide data within data, eg images, Word docs, sound files, mpegs, text documents, fractals, HTML files, p44.

Encapsulating Security Payload (ESP)

Data integrity. No modification of data in transit. Confidentiality, data can be encrypted. Origin authentication, identifies where data originated.

Authentication Header (AH)

Data integrity. No modification of data in transit. No confidentiality. Origin authentication identifies where data originated.

Big Data

Data warehouses that many customers find easier to store in the cloud.

DAM Tools

Database Activity Monitoring tools

Active Defense Types

Deception, Attribution, Attack Back

Secrets

Don't build secrets into your code.

Session Tracking Mechanisms

Don't make your own. Use off-the-shelf libraries that are well-maintained and time-tested.

GPO Updates

Downloaded automatically at startup, shutdown, logon, logoff, every 90-120 minutes.

Prevention is ideal, but detection is a must.

Dr. Cole quote

libcap

Driver interface used by tcpdump

Network Access Control (NAC)

Dyanamic VLAN allocation. Isolates systems when they initially connect. Enables systems to be scanned and checked before connecting them to trusted segment.

DLL

Dynamic Link Library allows apps to share codes and procedures

Loadable dynamic modules

Dynamic loading modules are more vulnerable to rootkits than loadable kernel modules, no reboot required. They increase flexibility

EAPOL

EAP over LAN used to encapsulate frame between 802.1x supplicant and authenticator. Authenticator encapsulates EAPOL in RADIUS request to Authentication Server.

Encapsulation

Each layer of TCP/IP protocol stack adds a header as the packet moves down the stack

Decapsulation

Each layer of TCP/IP protocol stack strips off a header as the packet moves up the stack

MySQL

Easy relational database good for storing logs. Use to store logs.

Tractable Problems

Easy to solve in polynomial time

Tractable Problems

Easy to solve in polynomial time. Symmetric Encryptions. Eg, Constant problems, linear problems, quadratic problems, cubic problems. Calculation of any standard ciphertext is a tractable problem. Eg Data Encryption Standard (DES).

Low Orbit Ion Cannon

Easy to use attack tool

Metasploit

Easy to use tool

RF-Jamming

Easy way to DoS a 2.4GHz or higher wifi network. Used against 802.11, Bluetooth and other networks. Bluetooth is less susceptible b/c its on FHSS instead of DSSS/OFDM.

Wireless Top 5 Security Risks

Eavesdropping, Masquerading, DoS, Rogue APs, Wireless Phishing.

False Headers

Eg, add deceptive web server identity information to HTTP header.

ediscovery

Electronic aspect of collecting data for compliance, lawsuit or investigation. Collect ESI (electronically stored information) from web, email, social media, voicemail, video, etc.

ECC

Elliptic Curve Cryptosystems

PKI Uses

Email, hdd encryption, code and driver signing, wifi authentication, NAC/NAP, digital signatures, etc

Hidden Fields

Embedded state information in an HTML form. A little harder to implement. Info isn't displayed to user. They aren't hard to alter and can be viewed by View Source command in browser.

Process Enforcement

Enable IT-specific virtualization processes to increase in efficiency and simplify management.

airmon-ng start wlan0

Enables and disables wireless interface monitoring

modinfo

Enables you to see what modules do

autrace

Enables you to trace the process of a binary and have it bind to an ausearch

ESP

Encapsulation Security Payload

Encryption Key Management

Encryption means your data could never be created or edited using any O365 apps, which defeats the purpose. Also means you can't use keyword indexing, document/message searches, legal e-discovery, DLP filtering, Cortana calendar management, etc.

Overlap partition

Entire hdd geometry. Usually the third slice (/hda/2?) of the. Orginally had to be third because first had to be root and second had to be swap space. Do not use for file systems.

Jailed Environments

Environment, eg VDI, can be created to look like real VDI environment, but its contained and controlled with no real data.

Trust Zones

Establish trust zones for different deployed environments. Similar to security classifications or levels of sensitivity. Each VM should fall into a security category regardless of its function and this is where it should reside on the ntwork with appropriate access controls for appropriate levels of security. Don't span trust levles within a physical host is golden rule of secure virtualization design. Minimize what runs on host. Only use as host.

Security Policy

Establishes what you must do to protect information. Used to help identify, measure and evaluate how. Strategic.

Annualized Rate Occurrence (ARO)

Estimated frequency at which a threat is expected to occur.

Windows Event Collector

Event data is sent over SSL and uses Web Services Management protocol to push and/or pull data from monitored systems.

EOI

Event of Interest

Event of Interest (EOI)

Event of Interest is some activity that is flagged by the IDS, which generates an alert.

EOI

Events of Interest

Application Analysis

Exclusive-based, identifies anomalous conditions on the network after it has a complete understanding of the protocol/application and how it operates. IDS learns normal network activity. Then, any use of the protocol or application that doesn't match the IDS' understanding of normal functions is reported. Protocol activity that is unknown is flagged. Difficult to implement and expensive.

runas.exe

Execute command with elevated privileges

Metasploit

Exploitation toolkit to help identify whether vulnerability exists or its a false positive.

PFX file

Exported certificate and private key

ESR

Extended Support Release

ESR

Extended Support Release is a version of Firefox that will only get bug fixes and security patches, not new features, for at least 54 weeks.

EAP

Extensible Authentication Protocol

EAP

Extensible Authentication Protocol. EAP types are authentication protocols that are part of authentication framework 802.1x.

FIDO

Fast Identity Online, 3rd party MFA tool. Can be used in browsers for authentication.

Shallow Packet Inspection

Fast but little fidelity. In practice, its used with deep packet inspection. Eg source and destinatino address and port information from headers; specific ICMP error messages; undesirable TCP flag combinations (SYN/FIN); impossible fragmentation combinations (gaps, overlaps); packet size information (too small UDP packets)

DES

Fast encryption algorithm. Symmetric key, 64-bit block cipher. 56-bit key size. 4 DES operation modes: ECB, CBC, OFB, CFB. DES and 2DES are not secure. Since DES is not a group, multiple encryptions increase security.

Feature & Quality Updates

Feature Update 180 days. Quality Updates smaller monthly.

Reuse Attack Protector (RAP)

Feature in Grsecurity

Application Behavior Monitoring

Feature of HIPS where a manufacturer selects a supported app and records the intended functionality in normal use. Its difficult to get right because apps are constantly changing functionality with updates and new releases.

Package Management

Features listed on p236: download validation, installation of dependencies, binary format; standard locations for installation, user experience components and verification of installation.

FIPS

Federal Information Processing Standard

FIC

File Integrity Checking

OneDrive

File storage in Azure SaaS

System volume

Files needed for boot-up process

Rainbow Tables

Files produced from precomputed password hash values used by the cracking tool to quickly lookup hash values and corresponding plaintext passwords

D-Bus Interface

Firewall D-Bus allows applications to adapt firewall settings.

netfilter

Firewall replaced by nftables.

nftables

Firewall, subsystem of Linux kernel to provide classification and filtering of network packets. Replacement for netfilter.

HTTP Request

First part of HTTP conversation, initiated by client. May include Host: Header.

Gaining Access

First real milestone of an attack is gaining access or getting a shell.

ls -ld /sbin/su /etc

Forces ls to display file attributes for actual directories listed, eg /sbin/su and /etc

AD Forest and Trust

Forest is one or more AD domains. Trusts link domains together in a forest. Cross forest trusts are entire forests trusting other forests.

Baseline

Foundation for evaluating policy. Documentation Baseline for Policy, p69. Its a more specific implementation of a standard and tends to include more technical details. Usually a baseline starts as a guideline until its properly modified to meet the needs of the organization. eg hardening rules for a new server start as a guideline and become a baseline.

Azure AD Connect

Free M$ AD sync tool with SHA256 hashed and salted password protection.

Ansible

Free application that's more feature-rich and easier to manage than free Puppet. Includes software deployment, task execution and CM using a main controller machine that talks to "nodes," controlled machines with JSON protocol over SSH. Excellent choice for consistency, stability and overall security.

Wireshark

Free, Threat Hunting. Network monitoring and packet analysis tool.

Passive DNS

Free. Collect and analyze DNS for threat hunting.

Bro/Zeek

Free. Framework for network monitoring used for forensics, metrics, NIDS. Threat Hunting.

Python

Free. Threat Hunting. Script for automation.

Autoruns

Free. Threat Hunting. Windows tool that shows you what tools automatically run at startup.

FHSS

Frequency Hopping Spread Spectrum

Defense-In-Depth (DiD), Primary Section

From outer to inner: policies, procedures, awareness; physical; perimeter; internal network; host; application; data. 4 approaches to defense-in-depth: Uniform protection; protected enclaves; information-centric; threat vector analysis. Information-Centric Defense-In-Depth, outer-to-inner: Network; Host: Application: Info p17.

FVEK

Full Volume Encryption Key encrypts/decrypts all sectors of Bitlocker-protected volume. This is not needed on self-encrypting HDDs.

FTE

Full-time equivalent. Cost of one full time employee.

Enumeration

Further extension of scanning process. Identify exploitable vulnerabiltiies of the system. List file permissions, user accounts on open ports, idle ports and other system items used for entry into the system.

Global Catalog Server (GC)

GC special DC that replicates AD database in forest

GECOS

GE Compliant OS (GECOS) stores metadata. Used by John the Ripper to crack password.

GPG

GNU Privacy Guard

Grep

GNU regular expression text filter. It can match on anything except newline.

GNU

GNU's not Unix :-P

GNU Privacy Guard (GPG)

GPG provides two protections for email: confidentiality through encryption and message integrity and source identification through digital signatures. Uses a hybrid of symmetric and asymmetric encryption.

GPO

GPO can manage security settings not included in INF security template. GPOs are stored as ADM/ADMX and are more comprehensive than a local .INF security template. Settings from Computer Configuration tend to take precedence over User Configuration section of GPO Administrative Templates. GPOs

Regedit.exe

GUI regedit

windiff.exe

GUI to compare 2 files. Also works from CLI.

Threat Intelligence

Gathering and correlating inforamtion about the adversary to better understand how they work and operate. Driven by forensics, analysis and third-party sources.

Privileges

General capability that is not tied to any particular object. Manage them through GPOs.

Syslog-ng

General purpose logging, reliable delivery. Use to collect logs.

Business Resumption Planning (BRP)

Generic term used to refer to the actionable plan that coordinates efforts to restore an organization to normal working order.

NIST IR 7298

Glossary of Key Information Security Terms

Asymmetric Keys

Goal is authentication. RSA, ElGamal, ECC. Public key. Dual or 2-key encryption. Slower than symmetric. Used as a secure channel for public key exchange. Technical non-repudiation via digital signatures. Primary uses are key exchange (for symmmetric encryption), authentication and non-repudiation, p31. Employs trapdoor function, p32-33. Public key crypto proves it was the recipient who created the document.

Symmetric Keys

Goal is confidentiality, privacy. DES, 3DES, IDEA, AES, RC4, RC5. Techniques are substituion (XOR, rotation, arbitrary substitution), permutation, hybrid. Secret key. Fast. Doesn't scale well. No technical non-repudiation. Pre-shared key. Requires a secure channel.

Digital Signature

Goal is non-repudiation. Asymmetric + Hash.

Attribution Active Defense

Goal to identify and find out details about the adversary. Useful for incident response. Valuable if legal action is desired.

Egress Filtering

Good IDS technique. You can use your firewall log files to track dropped egress traffic. You're a better net citizen.

CLI commands

Good for CMD batch scripts

Recon

Google, chat rooms, dark web, company website, system documentation, theHarvester, Whois, Shodan, Host command.

GPMC

Group Policy Management Console

Rings (M$)

Group of computers assigned to a particular servicing channel with a particular update deferral period.

Domain Local

Groups that get replicated through AD and can be used on any computer

Classification Levels, Business

HR and management sensitive; Trade Secrets, manufacturing proprietary; Business Proprietary, contracts, financials; Public Releasable.

HTTP Request and Response

HTTP is stateless and transaction-oriented. Client sends a Host: header, specifying which domain the request is for. Clients use PUT to upload files. The client request includes a header stanza that follows the request and can include any piece of info Some requests include a body, which may include a POST to fill out form data (ie HTTP PUT).

Compression

Handled by the NTFS driver itself, which makes compression transparent to the user.

NTFS driver

Handles compression, which makes compression transparent to the user.

Rowhammer

Hardware exploit that manipulates physical memory to escalate user privileges and escape VM isolation.

TPM

Hardware-based crypto. Handles cryptography calculations and key storage.

Unidirectional Gateways

Has multiple NIC that handle data handoff to software controls. Layered solutions that rely on software components to gather data, and then send to an appliance with physical one-way data flow capability.

Integrity Check Value (ICV)

Hashed value to ensure integrity of packet. AH hashes every field in packet that doesn't change in transit (eg doesn't hash TTL). ESP only hashes information in ESP message.

md5sum < file1.txt

Hashes file1.txt with md5

sha1sum < file1.txt

Hashes file1.txt with sha1

Precomputation Attack

Hashes of possible passwords are precomputed and stored in a database called a rainbow table. Tthe hashes are matched with password, which take a fraction of the time it'd take to brute-force a hash.

Virtual Switches

Have several forms: embedded within the virtual software, included as firmware on the server and virtual ethernet adapters.

Issue-Specific Policies

Help clarify organization's security posture. They provide clear guidance on many topics within the company. Covers specific areas such as: authentication, monitoring, physical security, backups, disaster recovery, acceptable use, audit and assessment, incident handling, employee and contractor access, employee monitoring, and awareness training.

HTTPS Tunneling of RDP

Helps prevent MitM attacks, improves encryption and is firewall-friendly (ie helps users get around firewalls blocking 3389).

VLANs

Helps with least privilege

Elliptic Curve Cryptosystems

High security levels with low key lengths, high-speed processing, low power and storage requirements. Eg uses in resource-constrained environments: mobile phones, smart cards, wireless communications, electronic cash, ATMs. Growing popularity. Cracking only in poor implementations with small key lengths.

LogRhythm

High-end SIEM. File Integrity Monitoring agent. Provides unprecented anomaly detection.

Conceptual Design

High-level design that includes core components of network architecture

Histograms

Histograms are graphical representations of the number of occurrences of data in a given distribution. A histogram of an encrypted document shows the frequency of characters is normalized, which makes it easy to detect. High entropy indicates encryption, p49.

OSSEC

Host based IDS focused on tracking and identifying indicators of compromise. Active alerting capability when alteration is made to a key file. Generates email alerts too. Integrates with SIEM.

Samhain

Host based IDS with ability to centrally monitor logs. Rootkit detection and port monitoring.

HIDS

Host-based IDS

Trade Secrets (Business Classification)

How products are created. R&D.

kismet

IDS and wireless network sniffer

Data Normalization

IDS takes a baseline of data before before analysis.

Tripwire

IDS through integrity checking. Open-source and commercial. Creates secure db baseline of file and directory attributes. Verified with SHA.

Online Certificate Status Protcol (OCSP)

IETF recommends as a replacement for CRLs. Real-time notification of revoked certificates.

RD Web Access

IIS Server provides web portal for roaming users. Supports SSO and other features.

Passive Analysis

IPS uses passive analysis to reduce false positives. Passive analysis identify host OSes, network architecture, and vulnerabilities present in the network. This information helps IPS classify attacks to internal systems.

RFC 2401

IPSec

IPv4 vs IPv6

IPv4 no authentication, no built-in encryption, best effort transport. IPv6 provides authentication of endpoints, support encryption in protocol, QoS features provided.

IPSec Phase 1

ISAKMP channel established. Privacy. Main Mode (checks identify of endpoings) of Aggressive Mode (does not, which is fine if using PKI to setup VPN}

Azure

IaaS and PaaS. VMs and containers running Windows and Linux. Its M$'s cloud infrastructure. Azure AD can be used for SSO across a who's who of websites.

ldd

Identify app dependencies. Handy for setting up chroot directory.

Access Control

Identity, Authentication, Authorization, Accountability, p29. Least privilege, need to know, separation of duties, rotation of duties, p30. Models that deal with protecting sensitive data or assets to ensure confidentiality and integrity, p27.

Simple File Sharing

If Simple File Sharing is enabled, then all remote authentication to the computer will be treated as remote access by the Guest Account. This is called automatic demotion to Guest.

HIDS vs network firewall

If packet is allowed, then HIDS will forward packet up protocol stack and network firewall will forward it.

Copyright

If two parties agree that a written piece of work is for hire, then the rights become that of the owner. US Library of Congress interpretation is followed in slide.

Meet-in-the-Middle Attack

If you have both the cleartext and corresponding ciphertext, you can perform this attack on 2DES.

IPS

Implementing IPS behind a firewall allows you to narrow down your search of infected internal systems, p102. Deploying IPS between the firewall and ISP router ensures the firewall and DMZ servers are protected, p102. To detect the greatest number of attacks without false positives, NIPS tools use passive OS fingerprinting and vulnerability, p103. Since they're inline, IPSes have the ability to fail open.

Cost-Benefit Analysis

Important to show that high-priority risk and the solution is the most cost-effective for reducing the risk.

Data Dispersion

Improves data security without use of encryption mechanisms. Can provide HA and assurance of data stored in the cloud.

Authenticator

In 802.1x, the Authenticator either provides or prevents network access to Supplicant. It handles challenge and response, but forwards credentials to backend Authentication Server (usually RADIUS). An Authenticator is usually a switch or AP.

Supplicant

In 802.1x, the Supplicant attempts to connect to the network. Its the client device.

Rotate Directive

In logrotate, it tells how many copies of logfile to keep.

apt-get install <package-name>

Install specified software will all associated dependencies.

yum install syslog-ng

Install syslogNG package.

Core Server

Installation option that only provides command shell, nothing else. Drive footprint 2-4GB

IR

Incident Response

Law Enforcement

Incident Response--Preparation: Have a list of phone numbers for each agency you might need to involve.

Logical Design

Includes all major network components plus their relationships. For developers and security architects. Includes business services, application names, and other relevant info for development purposes. Understanding communication flow and knowing where valuable data is begins with the logical architecture.SANS401 GSEC INDEXBookPageComments

Anomaly Analysis

Inclusive-based, meaning IDS vendor identifies conditions that are anomalous through its analysis of the protocol and its expected behavior. Only those conditions identified are reported by the IDS. It requires an understanding of what "normal" is. Baseline of network is performed. Can catch 0-day exploits.

Switch

Increase security by reducing visibility.

IoC

Indicators of Compromise

Threat Agents

Individual or organization that's capable and motivated to carry out an attack. How active is each threat agent? How might a successful attack serve a particular threat agent's goals? 3 broad categories of threat agents: criminals, esponiage, hacktivists.

ISM

Industrial, Scientific, Medical radio

Infected System

Infected systesm are a giant integrity problem. Main strategy for fixing and infected system is rebuilding it from scratch.

IaaS

Infrastructure as a Service gives clients ability to rent IT infrastructure compoenents from a public cloud provider.

Upstart

Init alernative. Supports parallel booting of services. Upstart introduces jobs, events, and emitting services.

Runlevel

Init runlevels: 0 shutodwn; 1 single-user; 2 multiuser; 3 multiuser w/ networking, 5 starting w/ display manager and graphics; 6 reboot. Used on System-V, not BSD distro.

Starting Services in Linux

Init, Upstart, Systemd, Cron

ClientHello

Initial SSL/TLS message sent from client to the server. Includes list of CipherSuites client supports.

ISN

Initial Sequence Number

IV

Initialization Vector

Stegonagraphy Methods

Injection, substitution, file generation.

aireplay-ng

Injects and replays wireless frames

Intel VT Technology

Integrated some of Blue Pill functionality into the Intel VT Technology.

IP

Intellectual Property

IPC

Inter-process communication

ICV

Intergrity Check Value

IETF

Internet Engineering Task Force

IKE

Internet Key Exchange

ISAKMP

Internet Security Association and Key Management Protocol

Pivot Points

Intial point of entry gives adversary a foothold in your network.

Risk Analysis

Involves determining the risks and their impact on the infrastructure. When determining what types ot threats your enterprise could be exposed to, its vital that information security professionals spend time assessing how they might be attacked. All possible threats must be considered. After creating a list, determine if they are actually viable threats to the enterprise. "Identifying likely vectors and entities that pose a risk to the business."

Virtualizaton Benefits

Isolation of OSes and apps. Small attack surface of Type 1 Hypervisor code. HA. Quick quarantine for out-of-compliance systems. Resiliency. Can backup the whole machine, not just the data on it. Virtual appliances can be spun up quickly for one or two functions. Reduces attack surface.

Keybox

KeyBox is open-source and has 2FA integration within web interface with Google Authenticator and FreeOTP.

Intellectual Property (IP)

Know where your valuable data is.

Resource Protection

Knowing your vulnerabilities is a critical stage of resource protection

LSPP

Labeled Security Protection Profile

Multilevel Security (MLS)

Labels are an attribute of MLS systems, which are based on Bell-LaPadula Mandatory Access Model. MLS is used in Labeled Security Protection environments (LSPP).

Physical Design

Last design created before final implementation, includes known details of OSes, version numbers and relevant patches. Also includes physical constraints or limitations identified within server components, data flows or connections.

Logrotate

Later definitions overwrite earlier ones. Linux packages expect to be able to include logrotate config files in /etc/logroate.d.

Hyperjumping

Lateral compromise where attacker jumps from guest OS to another. Uses one guest OS to compromise another. Doesn't compromise the Host OS or Hypervisor.

Frame

Layer 2 data chunk transmitted by Ethernet over the wire.

Ethernet

Layer 2 protocol. Shared media. It is a CSMA/CD protocol.

Packet Firewall

Layer 3. Fastest, cheapest and weakest. Think router with ACLs (including established). Simply looks at TCP flags, but doesn't inspect them. No state inspection of ACK flag set. Vulnerable to ACK scan.

TCP

Layer 4 is responsible for transmission of data between two endpoint systems involved in communication. Issues related to reliability and cost-effective data transfter belong to this layer. p153 TCP Header.

Stateful Firewall

Layer 4. Keeps track of TCP connections in a stateful tracking table. UDP an ICMP traffic is added with a timeout duration. Stateful firewall isn't able to differentiate between legitimate Port Unreachable messages from an attacker sending tis same traffic to an internal host, so it'll blindly accept the traffic.

Proxy Firewall

Layer 7. Essentially tears down packet layer by layer on one interface and builds it back up on the opposite interface.

Protocol Stack

Layers of protocols that allow computers to communicate

List dynamic dependencies

Ldd tools identifies application's depdendencies.

gradm -F -L /etc/grsec/learning.logs

Learning mode for grsecurity

LSB

Least Signicant Bit

NetBIOS

Legacy set of connectionless and connection-oritented protocols used for name resolution. Can be disabled 90% of the time.

Client-to-Client VPN

Less common. Most secure. Doesn't scale well. See Transport VPN.

5G

Less than 1ms latency compared to 4G's 25ms. Must provide connections that are 100x faster than current speeds to accomodate IoT devices like self-driving cars, robot-aided surgeries.

Netcat

Lets you see raw connection, including header information.

XFCE

Lightweight Desktop Environment

Antivirus Software

Many vendors are calling their products endpoint security software/suites.

Critical Security Controls Standards Mapping

Maps which NIST controls map to CSC

Risk Evaluation

Match threats and known vulnerabilities, calcuate ALE. Estimate risk from unknown vulnerabilities.

Trapdoor Function

Mathematical function that are easy to calculate and hard to calculate inverse. Eg multiplication vs factorization and exponentiation vs logarithm

msf exploit show options

Metaploit framework showing Apache struts exploit that that takes advantage of XStream's failure to do input validation

NetFlow

Method of collecting IP traffic and monitoring network traffic. Using flow-based analysis, relying on algorithms and behavior rather than signatures, helps you detect 0-day attacks.

Black Box Diagramming

Method of depicting a device, system or object only in terms of inputs and output without requiring knowledge of its internal workings. Simplifies the characteristics of the network during the design phase.

Pen Testing

Method of evaluating the security posture of a computer system or network by simulating identified attacks by a malicious user, known as a hacker.

Deception Active Defense

Method that creates less legal concerns. Honeypots. Activity to mislead and slow down the adversary. Can increase time and difficulty of pen tests.

Signature Analysis

Most commond method of identifying EOI. Performs pattern-matching on packets based on rules. Rules use criteria based on protocol, address and port info, payload contents, string matching, traffic flow analysis, flags in protocol headers, any fields in the packet.

Azure Global Administrator

Most important role. Can assign, reset and delete all other roles. aka Company Administrator

Internal Threat

Most organizations focus on external threats, but internal threats often cause the most damage.

Password Policy

Minimum pw length 15 chars; Pw history 24 pws; Max age 90 days; Min Age 1 day; Max length 127 chars. No gui for custom pw policies. Use PowerShell.

Telnet Attack

Misnamed. Really a distributed SYN attack. Windows OS has an accessible telnet executable taht can setup a TCP session. Popular DOS attack with botnet operators.

Mission Statement

Mission statement is operational. States the purpose of your organization. You need an approved mission statement to move forward with policy. Mission statement is at top of policy pyramid.

DHCP Spoofing

MitM attack wher attacker listens to DHCP requests and answer them with an IP Address pretending to be default gateway.

Office Mobile

Mobile versions of M$ Office apps. Free but limited.

/etc/syslog.conf

Modify this file on host to send its log files to another server

Web App Monitoring

Monitor web content and use a file integrity checker. Integrate checks with SIEM. Build and maintain a custom monitoring tool using Perl or Python scripts.

Critical Control #2 Software Inventory

Monitor with file integrity checking tools; use app whitelisting; deploy software inventory tools; use VMs or air-gapped systems to isolate and run apps that are required for business but pose a high risk to the network.

File Activity Monitoring

Monitors and records all activitity within designated file repositories at the user lever. Generates alerts on policy violations. Requires an endpoint agent of phsyical appliance between cloud storage and cloud consumers.

Frequency Analysis

Monolithic cipers or one-to-one ciphers can be broken with this technique.

Lynis

More robust and detailed than Bastille. Good for standalone systems that need to comply with regulated frameworks like SOX, HIPAA, PCI DSS, etc. Audits for authentication methods, expired SSL certs, outdated software, patches, user accounts w/o passwords, incorrect file permissions and firewall rules.

Discretionary Access Control

Most Linux variants use DAC enabling the sysadmin and users to manage the security on files they own or manage. Its possible for a DAC system to be default deny or default allow.

Attack Back Active Defense

Most aggressive step. Has legal implications.

Uniform Protection

Most common approach to defense-in-depth and usually the starting point for most organizations. Treat all systems as equally important. All parts of the organization and intellectual property receive equal protection. Eg patching.

One-Time Passwords

Most common way to implement OTPs are token-based devices liek SecurID tokens. Good countermeasures against keyboard and network sniffing.

Eternal Blue

NSA toolkit used in WannaCry attack.

NTLMv1

NT LAN Manager LANMAN old protocol for authentication. Best to decommission.

Encryption

NTFS uses EFS and BitLocker to support encryption.

Regsvc.exe

Name of key to modify for remote registry service permissions.

winreg

Name of key to modify for remote registry service permissions. HKLM\System\CurrentControlSet\Control\Secure\PipeServers\winreg\

CNSS 4009

National Information Assurance Glossary

NIST

National Institute of Standards and Technology

IPSec Phase 2

Negotiates details of ESP and AH SAs. Primary Mode or Quick Mode.

nc.exe

Netcat ported to Windows.

nc.traditional 127.0.0.1 333

Netcat tool is a network sutility that allows you to connect to TCP Port 333 on localhost. Also connects to UDP ports, transmits files, an executes commands.

Honeynet

Nettwork of decoys designed to deceive and slowdown adversary.

NAC

Network Access Control

NFS

Network File Sharing

NLA

Network Level Authentication

NLA

Network Level Authentication for RDS prevents DoS attacks against servers by requiring the client to authenticate before server memory is allocated.

NOVA

Network Obfuscation and Virtualized Anti-Reconnaissance

nmap

Network scanner.

NBS

Never Before Seen

Advanced Application Shielding

New feature introduced in HIPS that essentially locks an app into a sandbox where its not permitted to communicate with other apps.

nft add rule ip filter output ip daddr 10.10.10.10 drop

Nftables rule to drop packets destined for 10.10.10.10.

Border Router

Placed between ISP and firewall. Can be used to filter traffic that is obviously unwanted, like invalid traffic RFC1918 sourced from Internet. Also helps protect firewall from attack by taking some of burden off it.

NOEXEC

Noexec prevents processes from making exec systems calls. They have to sudo. Part of MacOS RunTime protection. Part of Grsecurity.

System Restore Points

Not enabled by default in Windows 10. Snapshots computer's configuration. Checkpoints from 1-3 months.

Sticky Bit

Now allows for world writeable directory, but owner is the only one who can delete files in that directory. N/A to files. Only applies to directories. Real-world example is /tmp has sticky bit set so that anyone can write to it.

Autopilot

OEM-customized device that allows for the device to automagically get upgraded, joined to Azure AD.

OSI Layers Map to Network Security Devices

OSI Map Tab

at.exe

Obsolete way to see scheduled tasks

Block Cipher

Obtained by segregating plaintext into blocks of n characters or bits and applying the identical encryptiong algorithm and key to each block.

Session IDs

Often stored as a hidden form element, part of the URL query string, or in a cookie. Can be exploited by session attack. Best to use cookies.

dropmyrights.exe

Old 3rd party executable DropMyRights literally drops the rights of an application from unrestricted to normal, constrained, or untrusted.

Enum

Old standalone binaries, labeled as a hacker tool but not likely to cause vulnerabiltities.

Bluebugging

Older hardware implementations. Manipulates target phone into compromising its security. Installs a backdoor. Calls back to attacker who can eavesdrop on phone calls. Can also create call forwarding.

Bastille

Older standalone tool meant to be a tutorial for hardening your Linux system.

cfEngine

Oldest CM tool. Open source and commericial versions available. Started as local datacenter tool. Now more cloud-based. Has a monitoring and modeling compliance engine.

Ingress Filtering

On a firewall, all inbound packets are dropped if they contain a source address from within the network address space

TrueCrypt

On the fly encryption (OTFE). Deprecated.

Telnet

Plaintext. Use SSH

Threat Assessment

One input into risk analysis. Analyze the cost effectiveness of countermeasures for reducing exposure.

File System Hardening

One of features in Grsecurity

Kernel Auditing

One of features in Grsecurity

Trusted Path Execution (TPE)

One of features in Grsecurity

POST

One of two most common HTTP methods. Appends the form data inside the HTTP Request, embedded HTML Header. Better for sensitive data.

GET

One of two most common HTTP methods. Client uses GET to retrieve information from the server. Requests data from the specified source. Appends the data to the URL, so its visible in the URL. Not safe for sensitive data.

Arbitrary Subsitution

One-to-one substitution of characters. Easy to crack with frequency analysis.

Rotation Substitution

One-to-one substitution of characters. eg ROT-3 Caesar Cipher and ROT-13 appeared on Usenet. Easy to crack.

OCSP

Online Certificate Status Protocol

RSA

Only been cracked with poor implementation using too small key lengths. Used in SSL.

cut -f 2-4 data.txt

Only display fields (aka columns) 2-4

Need to Know

Only give person access when they need it. Take away access when it is no longer required.

get-winevent -logname system -maxevents 500

Only show last 500 events in System Log. Script and send files to collector (eg SIEM)

Logstash

Open source solution for log aggregation, pipelining, and storage.

PaX

Open sources memory protection utility for the kernel and other memory protections. Improves ASLR, protects against arbitrary code execution, code execution in a different order, code execution with malicious code. Best to run it with grsecurity because of tight feature integration.

Docker

Open standard single applcation LXC containers. Docker is an evolutionary enhancement of LXC that has moved away from LXC and now has its own libcontainer framework based on Go. Single process and stateless based containers.

LXC

Open standard to create containers. Has security to isolate apps using several kernel features to achieve this. Overcomes the limitatio of chroot by containing all required components. Can run on a single OS. Between chroot and full virtualization. Key features are cgroups and namespaces.

GNU Project

Open-source OS that Linus Torvalds partnered with. GNU/Linux is the real name of Linux OS. 2% of Linux kernel is still Torvald's code.

Chef

Open-source centrally-managed DevOps tool that can push and control versions of code. Adds an abstraction layer (Chef Server and Chef clients). Works onsite, in the cloud and hybrid.

Graylog2

Open-source log management and SIEM. Can normalize and correlate logs with searches you build and alert on. Easy to setup and use. No prebuilt anomaly detection rules, alerts or searches.

Process Hacker

Open-source process manager tool to analyze services, device drivers, listening TCP ports, disk activity, and other Windows internals.

LOGalyze

Open-source solution. Easy to deploy, offers a dashboard, reporting and searching capability. No prebuilt anomaly detection rules, alerts or searches.

Snort

Open-source tool, low-cost, suitable for monitoring multiple sites/sensors, efficient detect system, low effort for reporting. 5 rules: pass, log (snort.conf), alert, activate (listens for alert and then activates dyanamic rule), dynamic (inactive until another rule activates), p93.

Private Cloud

Organization owns hardware infrastructure that supports and houses the cloud systems.

Standard

Organizational, strategic. Focuses on what technology to use. Usually refers to specific hardware and software.

Puppet

Originally devops tool written in Ruby. Open Source and Commerical versions available. One of most popular.

OFDM

Orthogonal Frequency Division Multiplexing

/bin, /opt

Other places where apps may be stored

netstat

Output 174 and 184.

df command

Output of command. 5-10% of hdd is reserved, so Use% includes that unwritable percentage too.

top

Output on p186-193.

tail

Output on p194-197.

netstat -s

Output. Statistics.

netstat -at

Output. TCP

netstat -au

Output. UDP.

Windows PS vs PS Core

PS 5.0 is frozen, legacy. Core is open-source and the future of cross-platform Azure management.

set-MpPreference -EnableControlledFolderAccess Audit Mode

PS enable CFA in audit-only mode

get-WmiObject

PS equivalent of wmic.exe

get-ciminstance

PS equivalent of wmic.exe

get-service -computername keithbox

PS query list of services

Set-ItemProperty

PS regedit

Compare-Objects

PS to compare 2 files

get-ciminstance -query "select * from w32_bios*

PS to extract BIOS information from WMI

get-help -full get-windowsfeature

PS to get help with features

show-EventLog

PS to launch event viewer

import-module servermanager

PS to manage server roles

get-windowsfeature -computername Server47

PS to see features on remote server47

paxctld

PaX memory protection utility.

dpkg

Packagement mangement tool that APT is based on.

Endpoint Firewalls

Packet Filter (Stateful), Application Control and OS Control. Packet Filter looks at packets from network to PC. Application Control Firewall can screen incoming packets and keep a set of fules for applications. OS Control is most flexible and won't allow a program to run or access the Internet without approval.

Swap Partition

Page file for the virtual memory system. Originally had to be the second partition on hdd. Called a "raw disk" partition that it isn't mounted, so its not listed by df. Use swapon -s to see swap partition's current use.

sed

Parses and transforms text. One of earliest tools to support regex.

BearTrap

Part of ADHD. Opens ports to mislead, monitor, track and block connections. Simple way to open ports in a controlled and secure manner.

Intial Sequence Number (ISN)

Part of TCP three-way handshake.

Resource separation

Place systems with different security requirements into separate areas. Follow three core rules: Any system visible to Internet must reside in DMZ; any system with senstive information must reside in private network and not be visible to the Internet; only way a DMZ system can communicate with a private network is through a proxy on the middleware tier.

/etc/shadow

Password Database

Cain

Password cracking

Enforce Stronger Passwords

Password enforcement, /etc/pam.d/system-auth.

Patching

Patch maintenance and management process and schedule to ensure patches are up-to-date for both online and offline VMs.

/etc/sysctl.conf

Permanently change system variables so that they will load at boot time

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Permit inbound SSH from session taht we have intiated from this system.

Least Privilege

Person has least amount of access to do their job. Basics of secure coding: only grant account access to the resources it needs, p173

Incident Handler

Person responsible for responding to alerts. Uses the information generated by the IDS to idnentify the intent of the suspicious activity and takes some action based on the analysis.

PAN

Personal Area Network

Bluetooth PANs

Personal Area Networks are susceptible to hacking

OS Editions

Personal Editions: Starter, Home and Ultimate. Work Editions: Business, Pro and Enterprise.

PII

Personally Identifiable Information

Internet Security Association and Key Management Protocol (ISAKMP)

Phase 1 negotiation to establish privacy over a secure channel.

Cookies

Piece of data created by a web server and stored in the web browser. Often used to track user authentication and application session data. Most websites encrypt cookie's contents. A server can set optional secure flag on any cookie to notify browser that it is only to send the cookie along with SSL-encrypted requests. Users can edit their own cookies, whether Persistent or Non-Persistent.

Scanning

Ping, Nikto, Netcat, nmap.

Interim Report

Pitch project summary, asset identification and valuation report and a plan to senior management.

Session State

Prime target for attack in web connections. See Session Attack.

Defense in Depth

Principle that protections need to be layered

Intractable Problems

Problems that can't be solved in polynomial time. Asymmetric Encryption. Eg, exponential, superpolynomial, factoring large integers into primes (RSA), solving discrete logarithms over finite fields (El Gamal), computing elliptic curves in a finite field (ECC).

Software Testing

Process of executing a program or system with intent of finding errors. Its important to test how app will respond to unexpected or invalid input.

Access Management

Process of managing users, data and their relationships consists of 4 tasks: Account Administration, Maintenance, Monitoring, Revocation.

Threat Enumeration

Process of understanding threats in your system or network. List all possible threat agents. List all attack methods. List the system level objectives.

Jobs

Processes that maintain system activities that need to occur continuously. Introduced in Upstart

SHA

Produces 160-bit hash value.

Policy Types

Program Policy, which is high-level; Issue-Specific Policy, eg AUP; System-Specific Policy, eg Linux Servers vs Windows.

chkdsk.exe /?

Program that runs automatically after a (power) failure of BSOD. Use it to schedule a full volume or sector-level scan at the next reboot.

BCP-DRP Planning Lifecycle

Project Initiation, Risk Analysis, Business Impact Analysis, Build the Plan, Test and Validate the Plan, Modify and Update the Plan, Approve and Implement the Plan

File System Security

Protect OS binaries in /usr. Don't allow users to create or bring set-UID and set-GID programs on the machine. Put /var on a separate partition. Allow for unexpected growth on heavily used partitions. Goal: all systems should either be mounted ro or nosuid.

Session Attack

Protect against session attacks by making session IDs random and long. Uses an established session toolikit like Burp to test predictability of session IDs. Encrypt session information in cookies. Use new session ID immedately uppon user authentication. Have session IDs expire on logout or periodically timeout. Digitally has Session IDs.

PEAP

Protected Extensible Authentication Protocol

Security Policy

Protects organization, the people and the information. Establishes what must be done to protect information stored on computers. Protects people who are trying to do the right thing. Policies are the laws of an organization that set the boundaries of what is and is not acceptable.

Bluetooth Network Encapsulation Protocol (BNEP)

Protocol that allows Bluetooth devices to extend access to the wired network from a wireless connection, similar to 801.11.

Internet Key Exchange (IKE)

Protocol that negotiates session details of an IPSec connection and documents them as Security Associations (SAs).

IPSec

Protocols 50 for ESP and 51 for AH

IPSec

Provides data integrity, confidentiality and authentication. Besides encryption, it can also do static packet filtering.

top

Provides dynamic, real-time view of what is running on a system. Continuous output. Show processor activity. Baseline and spot anonomolies.

netstat

Provides visibility into network activity, network connections, route tables, interface statistics.

Reconnaissance

Provides visibility into your organization and insight into how the adversary will target you

PKI

Public Key Infrastructure

Vector-Oriented Defense-In-Depth

Purpose is to identify various vectors by which threats can become manifested and provide security mechanisms to shutdown, remove or mitigate the vector.

Policy Table of Contents

Purpose; related documents aka references; cancellation which explains when new policy supercedes old one; background which amplifies need for policy; scope; policy statement which identifies guiding principle of what is to be done; responsibility; action.

Risk Assessment

Quantitative and Qualitative Risks. Threat assessment is one input in risk analysis.

Industrial Scientific Medical (ISM)

Radio band 60GHz used by Super Bluetooh 801.11ad

Salt

Random value added to a password hash to protect against precomputation attacks. Each account has a different salt.

Entropy

Randomness collected by an operating system or application for use in cryptography or other uses that require random data. ... A lack of entropy can have a negative impact on performance and security (wiki)

File vs Directory

Read allows us to read file contents and get directory listings. Write allows us to modify file contents and create/remove files within a directory. Execute allows us to execute files and access files in a directory.

Logging activities

Real-time tasks (malware outbreaks, serious internal abuse, loss of service on critical assets, regulated data theft), p191. Daily Tasks (unauthorized configuration changes, disruption in other services, intrusion evidence, suspicious login failures, minor malware activity, activity summary), p192. Weekly Tasks (review inside and perimeter log trends, routine account creation/removal, host and network changes, less critical attack and probe summary), p194. Monthly Tasks (review long-term network and system log trends, minor policy violation summary, various resource usage reports, security technology performance measurement), p195. Quarterly, p196. Annual Tasks (log retention, IT budget planning), p197.

Business Continuity

Recommendations: client should review cloud service providers commitment to maintain continuity, client should conduct on-site assessment facility to verify access controls are used to maintain continuity of service; client should ensure they'll receive confirmation of BCP/DR test conducted by CSP.

Attack Process

Recon, scanning, gaining access, maintaining access, clearing tracks

Cyber Attack Methodology

Recon, scanning, gaining access, maintaining access, covering tracks

RDP

Remote Desktop Services uses TCP 3389

Remote Desktop Services (RDS)

Remote Desktop Services. See p254-255 for a list of roles.

RPC

Remote Procedure Call sessions are used by trust relationships, NetLogon, Outlook, NTLM authentication, remote administration, etc. "Trust relationships, the NetLogon secure channel, Outlook messaging, NTLM pass-through authentication, remote administration, etc all can use RPC-based sessions. RPC sessions typically begin with a client connection to TCP/135 on the server. Then, the server will redirect the client to another "ephemeral" high-numbered port for subsequent communications."

LASSO

Remote Windows to syslog mass conversion

Systemd

Replaces init daemon. Supports parallel processing, monitors after boot and support device hotplugging. Kali uses systemd. Services and daemons are managed as actions against units. Unit files are identified by .service suffix. Has better uptime. 3 core functions: integrated method for managing both systems and services; we can use to create and develop new services; provides an interface between apps and kernel, which is more secure and controlled. Not compatible with cron or other init managers.

Universal Groups

Replicated to every domain in a multi-domain forest.

IDS

Reports attacks against monitored systems/networks. Alarm System. Mature technology. Requires monitoring, alerting and reaction. Doesn't replace other security controls. High-maintenance and expensive. Requires well-trained staff to understand and correctly interpret alerts generated. Analyst needs comprehensive policies governing information security and a clear understanding of what actions are needed to protect business assets.

Noncompliance Policies

Reprimand, termination. Legal violations: criminal, civil, regulatory.

Active Directory Service Access

Required to begin logging access to AD objects, as defined by those objects' SACLs.

Reset vs Refresh

Reset sets system back to factory defaults, "remove everything." Refersh keeps your data files and personalization preferences, but not firewall rules or 3rd party apps.

ReFS

Resilient file system. Supports 35,000TB. Not bootable. Used for large storage volumes

Public

Resources on the Internet. Cannot be trusted.

Corrective Control

Response to fighting threat once they're found

Conditional Access Policies

Restrict resources by group membership, trusted device, IP address, geolocation.

find /lib/modules/'uname -r' -name *modulename*

Return all modules with the name specified in your search.

ROSI

Return on Security Investment

RAP

Reuse Attack Protector

Security Configuration Wizard (SCW)

Security Configuration Wizard gui wizard to disable uneeded services, Windows Firewall, IPSec policies, IIS web stuff, etc for selected roles on older Windows OSes. XML policy.

SCA

Security Configuration and Analysis Tool

Reversible Encryption

Reversible algorithms are not reccommended for passwords. Use irreversible algorithms or hashing.

Password Encryption

Reversible algorithms are not reccommended for passwords. Use irreversible algorithms or hashing. If attacker finds key for one password, chances are he now has the key to all the passwords in the database. See Reversible Encryption.

Password Strength

Reversible algorithms are not reccommended for passwords. Use irreversible algorithms or hashing. Its secure as long as you can keep attacker from finding the key to decyrpt the password.

/var/log/rkhunter.conf

Review this log after running complete check of system

Rhosts

Rhosts is the user equivalent of the /etc/hosts.equiv file. It contains a list of host-user combinations, rather than hosts in general. If a host-user combination is listed in this file, the specified user is granted permission to log in remotely from the specified host without having to supply a password.Rhosts is vulnerable. Eg, an attacker using echo ++> /.hosts can overwrite the file to allow any host to connect to the machine.

Risk

Risk = Threats x Vulnerabilities. The job of the security professional is to constantly track, manage, and mitigate risk to an organization's critical assets. "While threats drive the risk calculation, vulnerabilities drive the risk reduction" p13.

RBAC

Role based access control

Incident Response

Roles and responsbilities in IR must be agreed upon in the SLAs between CSP and customer. Customer won't be able to conduct forensic investigation of network components managed by CSP.

Rkhunter

Rootkit Hunter scans for rootkits, backdoors, and possible local exploits by comparing SHA-1 hashes of important files with good ones in an online database.

rkhunter -c --enable all --disable none

Rootkit Hunter to run a complete check of the system.

Rootkit Detectors

Rootkit detectors work best with file integrity checking. Work best at detecting kernel-level rootkits.

Vector of Attack

Routers and Switches are often not kept up to date and can give attackers visibility into the network.

RSBAC

Ruleset-Based Access Control

Cygwin

Run Linux packages compiled in a Linux environment (cygwin) on Windows. Its a small app that allows you to access ported libraries and programs from Linux on Windows desktop. Good for Linux development. Don't install everything! If utilies aren't ported, you can locate source code and compile them into a cygwin ported binary. Its not an emulator.

snort -c /etc/snort/snort.conf -i eth0 -A full

Run snort with the specified configuration in /etc/snort/snort.conf on int eth0 in full alerting mode.

Windows Defender App Guard (WDAG)

Runs Edge Browser inside a container, application sandbox.

S Mode vs Full Mode

S Mode is stripped down and will only allow for M$ apps and Edge Browser.

SCA

Security Configuration and Analysis Tool. Its an mmc snap-in. See secedit.exe for cli version of tool.

SCA

Security Configuration and Analysis snap-in tool. Secedit.exe cli version of tool. Compare computer policies against a template.

Netcat

classic but relevant and effective scanning tool that is often used to both steal sensitive files from a victim system and to upload malicious files.

SHA-1-SHA-2

SHA-1 output 160-bit, SHA-2 output 256-bit and 512-bit, SHA-3 output is 256-bit and 512-bit.

File Integrity Checking

SHA1

SIEM for Web

SIEM log correlation helps with timely detection of attacks by watching log files.

Service Set Identifier (SSID)

SSID is network name.

SUID/SGID

SUID allows files to execute with privileges of file's owner. /usr and /usr/local contain SUID/SGID but can be read-only. Best practice to track which programs have SUID and SGID set.

O365

SaaS and DaaS. VoIP, desktop Windows, web-hosting, etc.

WPA

Same as 801.11.i. Temporary Key Integrity Protocol (TKIP) and Counter-Mode/CBC-MAC (CCMP) provide strong encryption, replay protection, and integrity protection.

Firewalls

Same software can provide both network and host-based firewalls, allowing for centralized management and control.

Administrative Unit

Same thing as Organizational Unit, but in Azure.

Port Scan

Scans for open ports on remote host(s).

set-scheduledtask -full

Schedule a task in M$.

Cron

Scheduling daemon that starts an action in the background at a preset time. Crond syncs off system clock. Can't use systemd if using cron.

Grep

Search logs.

LogParser

Search logs.

Splunk

Search logs.

Header Stanza

Second part of HTTP client request. Headers following can include any piece of information the client wants to know. If server doesn't understand, then it drops the request.

Bitlocker

Sector-level encryption AES-128 or 256 and verification of the integrity of boot-up files and other startup data structures. It must have at least 2 volumes: boot and system. Only the boot volume is encrypted. AES-128 by default.

UEFI Secure Boot

Secure Boot requires UEFI, Windows 8 or later and a GUID Partition Table (GPT) bootable HDD partition. It doesn't require TPM or whole drive encryption. Secure boot is able to resist malware on bootup.

SKEME

Secure Key Exchange Mechanism

SSP

Secure Simple Pairing

SAT

Security Access Token

SAT

Security Access Token includes user SID, AD group SIDs, local group SIDs, privileges listed in local server's registry (32)

SCW.exe

Security Configuration Wizard

Covering Tracks

Security logs, file manipulation, creating accounts, rootkits

sed -n '1~2' license.txt

Sed will print every other line of license.txt file.

sed -n '1,5p' license.txt

Sed will print first five lines of the license.txt file and will only print them once (-n)

RFC826

See ARP

Open Threat Exchange

See Alien Vault.

Protocol Analysis

See Application Analysis

Network Adapter Binding

See Binding, Network.

Intellectual Property

See Copyright.

ISO 27002:2013 Annex A

See Critical Security Controls Standards Mapping

NIST 800-53

See Critical Security Controls Standards Mapping

NIST Core Framework 2014

See Critical Security Controls Standards Mapping

Information-Centric Defense

See Defense-In-Depth. Information-Centric defense starts with an awareness of the value of information within an organization. Identify the most valuable information and implement controls to prevent unauthorized employees from accessing it. A good starting point is to identify your organization's intellectual property, restrict it to a single, section of the network, assign a single group of sysadmins to it, mark the data, and thoroughly check for this level of data leaving your network.

URL Directory Traversal

See Directory Traversal Attack.

Domain Guest Account

See Global Guest Account

Global Guest Account

See Guest Account

NIDS Challenges

See IDS Challenges.

GPO Option Sharing and Security Model

See Local Guest Account

Sharing and Security Model GPO Option

See Local Guest Account

Log Tasks

See Logging Activities

Network Location Firewall Defaults

See Network Profile.

Session Cookie

See Non-Persistent Cookie

Stateless Packet Filter

See Packet Firewall.

Load Testing

See Performance Testing.

Rainbow Table Attack

See Precomputation Attack. Rainbow Table store precomputed hashes.

Enclave

See Protected Enclave.

Network Enclave

See Protected Enclave.

Next Gen Firewall

See Proxy Firewall.

Advanced Sense Analytics Engine

See QRadar.

Log Management Software

See SIEM for Web

DMZ

See Semi-Public.

IDS Rules and Signature Criteria

See Signature Analysis for a quick list of criteria.

Forensic Snapshots

See Snapshots.

System Snapshots

See Snapshots.

Functionality Testing

See Software Testing.

Meltdown

See Spectre

801.11ad

See Super Bluetooth.

Services

See System Services, how to disable

World Wide Web Publishing Service

See System Services, how to disable. Screenshot of WWW Publishing Service Dependencies, p204.

Crypto Key Lengths Compared

See Table on p79

Window Size

See Tarpits

Site-to-Site VPN

See Tunnel VPN

Baremetal Hypervisor

See Type 1 Hypervisor.

Blue Screen of Death (BSOD)

See chkdsk.exe

Information Dispersion

See data dispersion

Get-WindowsFeature

See installed roles and features from PS

servermanagercmd.exe -query

See installed roles and features from cli

get-scheduledtask

See list of current scheduled tasks in PS

Separation

Separate test VMs from production VMs.

Configuration Management Web

Separate, distinct workspaces and environments for different developers and different releases of same product. Version control system that tracks changes to the code, allows developers to check in/check out components, and ensures code changes do not overlap. Formal processes for use of the versioning systems and development environments.

Middleware

Separates DMZ from Private Network. Eg proxy servers that filter and block. Provides and extra layer of protection.

SMB

Server Messsage Block is a file and print sharing protocol. With NetBIOS, it uses TCP139. It uses TCP445 by itself. Sometimes called CIFS

SNI

Server Name Indication

SNI

Server Name Indication used by HTTPS to identify which website is being requested

SSL Initialization

Server presents a public key certificate to client to verify server identity. Clients can present their certs as well.

Headless

Server that does not require a video card, monitor, keyboard or mouse.

W3C

Server-side extended logging format.

Session Tracking/Maintaining State

Session state is a prime target for attack.

Bluetooth Security

Set Bluetooth devices to non-disvoverable after they're paired. But, they'll still respond to PAGE request from other Bluetooth devices, making MAC address scanning possible (BD_ADDR). Starting with Bluetooth 2.1, devices use Secure Simple Pairing (SSP) that uses public key cryptography.

Umask

Set default permissions assigned to new files and folders. Default file permissions are 666 and 777 for a directory. Umask is subtracted from default value.

Set-Cookie

Set-Cookie Header is created by server and sent to the client in response to client's request. After receiving the cookie, the client places it in a cookie header and sends it back in all subsequent requests to the server.

SDN

Software Defined Network

IP Address

Software address. 32 bits or 4 bytes in length. Net_ID and Host_ID.

Package Management Tools

Solve the issue of package maintenance by monitoring for updates and providing a way to automatically upgrade apps.

Body

Some HTTP requests have a body. Only place in the header where client will send data back to the server, eg POST or PUT methods.

Collisions

Some hash functions are vulnerable to collisions, where two different files are hashed and produce the same output. Strong hashing prevents similar items from colliding. The larger the bit length, the less likely there will be a collision.

Event

Something that happened that you witnessed or can demonstrate actually occured. Not all events are considered incidents.

External Threat

Source of most attacks.

Source Routing

Source routing allows a packet's sender to specify the route the packet takes through the network. Its a security hole. Disable it with sysctl.

Session User

Source to the Proxy/Application Gateway.

Common Vulnerabilities and Exposures (CVEs)

Standard for cataloging vulnerabilities

X.509

Standard for digital certificates that includes demographics, validity period, supported encryption, public/private key, signature of issuing CA.

Host OS

Standard installed OS that provides virtualization platform. Has direct access to the hardware, p46

Server Editions

Standard, Enterprise, Datacenter, Small Business and Server Essentials

Protocols

Standardize format of communication, specify the order or timing of communication, allow all parties to determine the meaning of a communication.

ISA SP-99

Standards refering to combination of software and hardware that allows information to flow out of a secure network unidirectionally. See IEC 62443

IEC 62443

Standards refering to combination of software and hardware that allows information to flow out of a secure network unidirectionally. See ISA SP-99

df

Stands for disk free. Used to see how much hdd space is used by mounted partitions.

systemctl start name.service

Start a service using Systemd.

gpa &

Start up Gnu Privacy Assistant (GPA) tool and run in background.

Policy and Risk Management

Start with policy because it dictates the security posture the company wants to take with respect to protecting its resources.

Nano Server

Starting with Windows 2016. Less than 110MB drive space. Can only be run as a container, not a VM. Mainly intended for web apps.

TCP Flags

Stateful Firewalls can respond intelligently to out of order packets that include malformed TCP flag combinations.

Windows Firewall

Stateful dynamic filtering. Deep integration with IPSec driver, making it easy to setup IPSec encryption with Kerberos authentication, p216. It lacks the sophisticated intrusion capabilities offered by other personal firewalls, and there's not support for automatic forwarding of log data to a central server. See Keep Blocking and Unblock, p222. Manage the firewall with Group Policy, PowerShell or netsh.exe, p 220. For Firewall-IPSec integration: secure Connection is mutual authentication and packet signing; require encryption is mutual authentication and encryption, p220.

Ack Flag

Stateless Packet Filter doesn't do TCP inspection. No state inspection ACK flag set. Vulnerable to ACK scan.

Birthday Attack

Statistical probability used for this collision attack. If an attacker can find a two messages that generate the same hash value, the can substitute one message for the other. Useful wiht a list of password hashes. If they can hash enough passwords on their own to generate a cleartext to cause a collsion, then its as good as having the original cleartext password.

Cryptographic Algorithm

Step-by-step procedure to encipher plaintext and decipher ciphertext

Persistent Cookie

Sticks around until its expiration date which could be years. Stored in a text file on client's hdd.

SSH

Still vulnerable because adversary can brute force the password, passwords lack complexity, not changed often, do not have a lockout and are the same across the organization. Only allow SSH access to router from the router's internal interface. Force everyone to VPN in first, and then SSH to the router. VPN sessions are logged and router SSH sessions usually aren't.

/var/log/syslog

Store logs in flat files here.

/dev and /devices

Stores files that talk to system devices. Good idea to set to nodev on these file

/etc/fstab

Stores info about disk partitions, mount points, and options applied to each partition

/etc/passwd

Stores username, User ID, etc

Sudo and Sudoers

Su switch users. Sudo gives more granular control. Use sudo and setup auditing and role-based control.

AllowedPaths

Subkey off winreg defines registry paths that will still be remotely readable despite your share permissions on the winreg key.

Guideline

Suggestions. Applies to security measure that might be implemented in more than one way.

AES - Advanced Encryption Standard

Supports 3 keys sizes: 128-bit, 192-bit, 256-bit. Algorithm in depth on p74-75.

MFA Azure AD

Supports SMS with a PIN, M$ Authenticator App, Phone Call with recorded message, etc.

Rsyslogd

Supports both local and remote logging, syslog.conf, regex. Located in /etc/rsyslog.conf or /etc/rsyslog.d/*.conf.

SELinux

Supports role-based access controls

Firwalld

Supports zone to define trust levels for each interface. Uses the D-Bus interface which is also used for firew configuration tools firewall-cmd, firewallctl, firewall-config. RHEL 7, CentOS 7, Fedora 18 and newer OSes use firewalld as the default management tool. Features listed on p214.

chkconfig --del syslog && chkconfig --add syslog-ng

Switch from traditional syslog to syslog-ng

SSL Encryption Keys

Symmetric. Each side randomly generates a key and uses RSA or DH to exchange them. Every request a client makes to an SSL web server generates an entirely new encryption key.

sysctl

Sysctl used to audit and modify kernel settings while the system is running. Its generally exported as part of the procfs within /proc/sys. Can be used to view and modify system setttings like source routing, adjusting rate limiting, and randomizing memory address space for processes. Modify kernel runtime parameters to tweak system performance and security (rootusers.com). Can be used to disable the loading of all new kernel modules by setting kernel-modules_disabled.

syslog security

Syslog traffic in cleartext makes it vulnerable to replay attacks. UDP so unreliable delivery and easily spoofed to get past ACLs. It can be configured to use TCP, but syslog doesn't prioritize and differentiate messages.

SACL

System ACL

SACL

System ACL that enables administrators to log attempts to access a secured object.

SOC

System On a Chip

System Services, how to disable

System Services in GPO allow you to disable any services in AD.

System Directories

System directories are installed with Linux. Some have sticky bit set like /tmp and /var/tmp

Attack Commonalities

System visible from public Internet; Unchecked scanning and enumeration; unpatched vulnerability was exploited; system had weak authentication.

SYN Flood Attack

TCP SYN packets sent by attacker to destination server. Since the server will be unable to establish a connection, the address becomes unreachable. Type of DoS attack

SQL

TCP/UDP 1433 and 1434 for queries

TPM.msc

TPM management

Cold Boot Attack

TPM only BitLocker method is vulnerable to this attack. Remove batteries and power from computer, do a live boot and read BitLocker encryption key and other sensitive data from RAM.

Evidence Integrity

Take a forensic hash. MD5 is considered most popular.

Hyperjacking

Take control of Hypervisor and gain access to all VMs. Typically launched against Type 2 Hypervisors. Fake hypervisor is installed on the host machine.

Takeown.exe

Take ownership of files recursively on local or remote computer.

MD5

Takes variable-length input and produces fixed-length output that is 128 bits. Output is referred to as hash, digest, fingerprint.

Ruleset-Based Access Control

Targets actions based on rules for subjects (entities) operating on objects (data). Its implemented in apps and OSes.

Vulnerability Scanning

Test for services, multiple ports on multiple machines, test to see whether vulnerability is present, reporting. Notify everyone of upcoming scan, provide contact info. scan when you're available in the office or by phone., heavy scan but don't DoS the network, priortize vulnerabilties based on your environment. Focus of program should be on remediation, not on the scanning. What are the highest risk systems? Scanning AND remedition of those systems should be phase 1.

gedit

Text editor.

/proc/sys

The files here represent the current state of the kernel.

Local Guest Account

The local guest account should be disabled and have a non-blank password, mainly because of the unexpected automatic logon feature. This is the recommendation for both the local guest account on all machines. "To discourage the use of local accounts in general, the recommendation is to set the "Sharing and security model" GPO option to "Guest only" so that the end result is automatic demotion to an account which has been disabled and has a non-blank password, i.e., it deliberately breaks the access when doing an over-the-network logon to access a shared folder or printer. *If* local accounts are going to be used anyway, despite the recommendation to use global account whenever possible, then the GPO option should be set to "Classic", i.e., to not require everyone to log on with their own local accounts. But even in this case the guest account should still be disabled and have a non-blank password." -Jason Fossen

awk '/^UUID/ {print $1;}' /etc/fstab

Use awk to list all UUIDs in /etc/fstab.

ls

Use ls to establish a baseline. Simple is better.

netsh advfirewall show allprofiles

Use netsh to see all Windows Firewall profiles

Exploit

Use of a specific attack against a specifically identified vulnerability of the target.

Gap Analysis

Use qualitative, quantitative, or best practice/checklist risk measurement to define the gap between our current risk status and where we want to be.

/bin/sh

Use rbash to go to restricted shell.

IPv6 Hardening in Linux

Use sysctl to harden IPv6 by doing 3 things: disable router advertisements, prevent self-assignment of IPv6 addresses, adjust rate-limiting to limit resources used.

File Integrity Checking

Use to monitor files and configuration of web server to look for defacement of website. "Monitors the file system based on the number of preset rules and generates alerts when modified, or deleted out of compliance with those rules." Monitor the web server files and web server configuration settings.

xxd snort.log

Use xxd tool to review snort.log file.

Discrete Logarithm

Used by El Gamal and DH and Schnorr signature scheme. Intractactable problem

Integer Factorization

Used by RSA. Intractable problem.

Emitting Event

Used by Upstart when jobs need to send or cause events to trigger other jobs. Ideal for jobs that have dependencies on other jobs.

Event

Used by jobs in Upstart to casue and allow activity on a system to occur. Event might be a time of day that triggers a job to start.

World-Writable Directories

Used by programs to hold intermediate results. Its extremely important to set sticky bit on world-writable directories.

Port Forwarding

Used extensively to keep unwanted traffic off networks. Intercepts traffic destined for certain IP address and port combination and redirects to different IP and/or port number to hide exactly what services are running on the network, using only IP addresses to carry out multiple tasks and dropping all unrelated traffic at the firewall.

Management Port

Used for authorized sniffing.

Port mirroring

Used for authorized sniffing.

SPAN

Used for authorized sniffing.

Compmgmt.msc

Used for local management of users and groups

ZigBee Wireless

Used for product tracking, medical device monitoring, sensor monitroing, control networks, home automation. eg Honeywell HVAC. Simple protocol requring fewer memory and processor resources than Bluetooth. 802.15.4. Uses AES-CCM key is used to encrypt MAC, Network and Application layers, but this takes more resources and is considered optional. Good for M2M applications. Zigbee mesh networks use IPv6 addressing.

SAM Database

Used for storing local accounts and passwords.

modprobe

Used to add and remove loadable kernel modules (LKMs) to the kernel. Exists in /etc/modprobe.d. Can be used to whitelist/blacklist specific modules.

python struts-pwn.py -h

Used to exploit Apache struts.

Big-O Notation

Used to give a general idea of how many operations a problem takes relative to the input size n.

GECOS

Used to guess passwords

Application Monitoring Software

Used to identify availabilty issues.

netsh.exe

Used to manage Windows firewall and network adapters from cli

Core Evaluation Test

Used to measure success of control implementation. eg did the controls find and alert within 24 hours of an installed app that's not whitelisted

WSMAN

Used to remote with PS Core

Claims

User claims is the set of attributes of that user's accounts in AD, eg military rank, security clearance level, etc.

/home, /export/home

User home directories

Ack Scan

When attacker sends packets with ACK flag set and packet firewall permits them ingress to protected network. Hosts will generate RST ACK packet in response, letting attacker know the host's ports are up and unfiltered.

TCP Sequence Prediction Attack

When spoofing a connection, ACKs do not go back to the attacker. To complete the connection, the attacker has to correctly guess the ISN. Predicting the ISN that the destination host will choose isn't trivial, but can be done. Mitigate this attack is to block source-routed traffic and traffic that has a source IP from your private network.

/usr/local

Where 3rd-party apps are typically stored

Registry

Where Windows stores configuration settings for hardware, OS, apps and user preferences. See p149 for user-friendly registry editor using GP.

audit.rules

Where auditd stores rules. Generally stored in /etc/audit/rules.d/audit.rules.

/usr/bin, /usr/sbin

Where programs packaged with OS are stored

AppLocker

Whitelists/Blacklists executables to protect against malware and unwanted apps. SHA-256 hashes app's executable file or script. Create AppLocker rule using GPO and wizard. Also supports audit-only to test out new rules.

Application Whitelisting

Whitlisted apps are on an approved list of executable files that's cryptographically hashed. Only whitelisted apps are allowed to run. Either setup in passive mode (alerting) or active mode (blocking). Blocking mode s recommended. Passive mode isn't ideal but will provide visibility to the SOC.

Long-Term Channel

Will never get feature updates. Must upgrade entire OS. Only receives monthly quality updates.

Cain & Abel

Windows

MBSA

Windows

Process Hacker

Windows

Secedit

Windows

Steganography

Windows

Wireshark

Windows

WDAG

Windows Defender App Guard

wf.msc

Windows Defender Firewall with Advanced Security

pfirewall.log

Windows Firewall logs in ASCII text with W3C Extended Format. Only dropped packets and initial packet in a successful connection are logged.

Unblock, Windows Firewall

Windows Firewall will create a rule for this program permitting it to listen on the port its currently requesting and on any other port it may request in the future.

Keep Blocking, Windows Firewall

Windows Firewall won't allow program to acquire a listening port. Train users to choose this option when there is any doubt.

WMI

Windows Management Instrumentation programming interface

WMIC

Windows Management Instrumentation service runs on RPC. Older tool.

Windows RE

Windows Recovery Environment

WinRM

Windows Remote Administration which is required for remotely connecting with PS to Nano. You can use RDP to connect to Nano, but you won't get a gui desktop.

M$ Backup Services

Windows Server Backup (WSB) is fully integrated with Volume Shadow Copy system.

WSUS

Windows Server Update Services

wsl.exe ifconfig

Windows Subsystem Linux run ifconfig

WSL

Windows Subsystem for Linux

WIDS

Wireless IDS

STA

Wireless station

John the Ripper

Wordlist is the simplest. Put common words at the beginning of the list. Single Crack mode uses username and GECOS, and is faster than wordlist and should be used first. Incremental Mode is the most powerful and most time-consuming. External Mode is when John is extended with a subset of C compiled at runtime. Configure john.ini file to perform substitutions and other transformations. MD5 hashed passwords start with $1$

Protected Enclave

Workgroups that require additional protection are segmented from the rest of the internal organization. Restrict access to critical segments. Internal firewallls, VLAN, ACLs.

Syslog-NG

Works across variety of OSes, including M$. Replaces traditional syslog. Filter by hostname and log messages using regex.

Ctrl-L

clear screen

Null User Session

aka Anonymous Access is an SMB session with a blank username and pw. net.exe use \\ipaddress\IPC$ "" /user;"" Null sessions could allow download of complte list of all user accounts and more from unfirewalled DC

Set-GID

aka SGID allows normal user special access privileges to execute privileges of file's group owner. if Set-GID on a directory, then new files inherit group ownership. eg used for lp to print.

Set-UID

aka SUID. Allows normal users special access privileges to execute privileges of file's owner. N/A for directories

utmpdump

allows you to pass utmp file info as output

Internal Threats

caused by intentional and unintentional insiders. Most common and most damaging.

chmod

change file attributes. Change permissions on a file or directory.

Absolute File Modes

chmod 755 is Owner has rwx, Group Owner has r-x and Everyone Else has r-x.

cp

copies files

sudo

delegate authority to users

rm

deletes a file

servermangercmd.exe

deprecated way to see features

dmesg

display and driver message. Used to examine or control the kernel ring buffer. Shows diagnostic info about kernel and system drivers from bootup processes. Also shows shows some info after system is booted, eg USB devices plugged. Captures only the kernel's messages of any log level.

awk

full scripting language tool

create directive

in logrotate, it gives the file permissions owner and group the permission to create the file after rotatin.

UDP

p160 UDP Header.

DH Key Exchange

p29 explains two-key algorithm.

Password Management

p50 Password protection: protect encrypted passwords, enforce strong password policy, use one time passwords or MFA, prevent precomputation attacks. p51 say use a 15 character password, change passwords every 90 days, lockouts after 3 failed attempts, passwords must contain at least 1 alpha 1 number and 1 special character, users can reuse last five passwords.

grep

perform string searches. Output on p199-200

/usr

primary OS directory, read-only

sc.exe

query and reconfigure any service or device driver on local or remote computer

Query and reconfigure any service or device driver on local or remote standalone computer. Might not be installed. You may have to download from M$.

query list of services

last -f /var/log/wtmp

reads from utmp wtmp and btmp. Shows who logged in, when they logged in, when they logged out, etc. Historical data.

lastb

reads the btmp file to show login failures that have occurred

who

reads the utmp file and shows who is currently logged in

btmp

records failed login attempts

sysctl -a

shows all variables for the system.

/var/log/message

used by message utility.

nbstat.exe -A ipAddress

used for reconnaissance

Log Files of Interest

utmp, wtmp, btmp, dmesg, messages, maillog, secure

Nikto

web server scanning tool that provides system identification and configuration analysis.

Windows Defender FW with Adv Security

wf.msc snap-in

Buffer Overflows

when poorly coded applications don't do error checking and allow memory buffer space to be overwritten by executable system commands. Defenses: keep OS, apps, languages, runtime environment, server addon up-to-date and patched; run vulnerability scanner against your site; implement IPS or Web App Firewall; Validate and Sanitize user input.

last -f

will show all last info as well as who last read from utmp or btmp file


Ensembles d'études connexes

BUS 100 Chapter 8: Managing Human Resources and Labor Relations, Chapter 9: Motivating Employees

View Set

ch 8 insurance social security test

View Set

Chapter 48: Assessment of the Gastrointestinal System Ignatavicius: Medical-Surgical Nursing, 10th Edition

View Set

Chapter 2: Transplantation 1600-1685

View Set

Ne 104 Test 3 Older adult & end of life care

View Set