SANS GSEC Sarah deck
Initialization Vector (IV) Filtering
An attempt by system administrators to mitigate weak-IV attacks by dropping the IVs known to leak key material. It does not address the underlying issue that WEP's use of RC4 is weak.
auditd
The audit subsystem is maintained by Red Hat and is used as the logger for SELinux. The audit framework operates at the kernel level; auditd is the user-space daemon that writes the records (by default to /var/log/audit/audit.log). It does not use syslog.
Template
.INF extension. Stored by default in %SystemRoot%\Security\Templates and %SystemRoot%\Inf\
Crontab file
/etc/crontab
Passwd File
/etc/passwd file, which lists the account name, UID/GID, GECOS info, home directory and default shell. On modern systems the password field holds an x and the hashes live in /etc/shadow.
Syslog severity levels
RFC 5424 defines eight levels: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 informational, 7 debug. Lower numbers are more severe. The endpoints (0 emergency and 7 debug) are used fairly consistently; how vendors assign the levels in between varies.
HIPS Functions
1- Ensures files haven't been modified or had their permissions changed. 2- Monitors network activity relating to the specific host it is installed on. 3- Checks application calls and interactions with the system and other applications.
PKI/SSL Establish Connection
1-Client web request; 2-server responds with its certificate; 3-client validates the cert and the crypto parameters; 4-client encrypts a session key with the server's public key and sends it to the server; 5-optional client certificate exchange; 6-server decrypts the session key; 7-client ends key exchange; 8-server ends key exchange; 9-encrypted messages are exchanged.
Risk Management Process
1-Conduct rapid assessment of risks; 2-fully analyze risks or identify industry practice for due care; 3-set up security infrastructure; 4-design controls; 5-decide which resources are available and implement countermeasures; 6-conduct periodic reviews; 7-implement intrusion prevention and incident response.
Log Monitoring Setup
1-Firewalls, network gear; 2-other network security gear; 3-Servers (Unix, then Windows); 4-Other Server Apps (web, mail), 5-Database; 6-Applications; 7-Desktops
Password Assessment Methods
Dictionary Attack, Hybrid Attack, Brute-Force Attack, Precomputation Brute-Force Attack (Rainbow Tables). Method: find a valid user ID, find the hashing algorithm used, obtain the stored hash, create a word list of possible passwords, hash each candidate in the list (with the account's salt, if any), and determine whether there is a match.
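The three attack methods above, worked through in code. This is an added example, not material from the deck: the target record (user, salt, hash) and the wordlist are constructed here, and the storage scheme sha256(salt || password) is an assumption chosen so the whole thing runs offline, not a real crypt(3) format.

```python
"""Password assessment: dictionary, hybrid and brute-force attacks.

Added example, not from the deck. The target record is constructed below as a
salted SHA-256 hex digest (an assumed storage format, not a real crypt scheme).
"""
import hashlib
import itertools
import string


def hash_password(salt, password):
    """Assumed scheme: sha256(salt || password). A per-user salt is what defeats
    precomputed (rainbow) tables: the same password hashes differently per user."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed target: the kind of record an attacker has to obtain first.
TARGET_USER = "jsmith"
TARGET_SALT = "xQ9f"
TARGET_HASH = hash_password(TARGET_SALT, "Summer2019!")

# Constructed (tiny) wordlist; a real one has thousands of entries.
WORDLIST = ["password", "letmein", "summer", "winter", "admin"]


def mutations(word):
    """Hybrid attack rules: case variants, leet-speak, appended years, digits, symbols."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(str.maketrans("aeios", "43105"))}
    for base in sorted(bases):
        yield base
        for year in range(2015, 2025):
            for suffix in ("", "!", "#"):
                yield f"{base}{year}{suffix}"
        for n in range(100):
            yield f"{base}{n}"


def dictionary_attack(salt, target, words):
    """Hash each word as-is and compare; returns the password or None."""
    for word in words:
        if hash_password(salt, word) == target:
            return word
    return None


def hybrid_attack(salt, target, words):
    """Dictionary words plus rule-based mutations."""
    for word in words:
        for candidate in mutations(word):
            if hash_password(salt, candidate) == target:
                return candidate
    return None


def brute_force(salt, target, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaustive search over every string up to max_len. Cost grows as
    len(alphabet) ** max_len, which is why it only works for short passwords."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(salt, candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(TARGET_SALT, TARGET_HASH, WORDLIST))
    print("hybrid:    ", hybrid_attack(TARGET_SALT, TARGET_HASH, WORDLIST))
    print("brute:     ", brute_force(TARGET_SALT, hash_password(TARGET_SALT, "dawn")))
```

The plain dictionary attack fails on "Summer2019!" while the hybrid attack finds it, which is the usual outcome against "complex" passwords built from a word plus a year and a symbol. The salt makes a rainbow table useless here, but it does nothing against these online-style guesses; only a slow hash (bcrypt, scrypt, Argon2) or a lockout policy does.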
Attack Process
Different than a pen test but similar steps
DMA
Direct Memory Access
DSSS
Direct Sequence Spread Spectrum
DRP
Disaster Recovery Plan
Configuration Management
Discipline of establishing a known baseline condition and then managing that condition. "Risk assumed by one is shared by all." Change control is critical. Partition your internal network to prevent spread of an exploit. To manage your configuration, you need 2 things: an accurate baseline document; a way to detect when a change occurs to that baseline (change control). For CM to be successful, we need instrumentation to detect unauthorized change, eg system scanners, network mapping, vulnerability scanners, p22. Web CM, p172.
DACLs
Discretionary ACLs control permissions on a folder: read, write, execute, modify, full control.
DAC
Discretionary Access Control
DN
Distinguished Name
Active Defense Harbinger Distribution (ADHD)
Distro based on Ubuntu that has pre-loaded active defense tools.
DoS Attack
DoS attacks are possible against VMs and their host. A DoS attack against a host can cripple services across multiple different companies.
Router Attacks
DoS, DDoS, Packet Sniffing, Packet Misrouting, XSS, CSRF, SYN Flood, Route Table Poisoning, Malicious Insider
Policy Creation
Does this policy set the correct tone for my organization? State the issue; Identify the players; find all relevant documentation that exists; define the policy; identify penalties for noncompliance; make sure the policy is enforceable; submit the policy for review and approval.
Network Profile
Domain (only when AD is available), Public, Private. Maintain different firewall rules for each profile.
Domain GPO
Domain GPO overrides local GPO
Local GPO
Domain GPO overrides local GPO
System-level Objectives
Attacker's goals and the tools they'll use to meet them. Execute unintended commands or access data without authorization? SQL or LDAP injection. Execute scripts in the browser, hijack a user session, alter a website or redirect the user to another site? XSS or CSRF.
Wireless Phishing
Attackers listen and steal personal info over wifi. They can infect user's browser cache.
Defense Science Board
Attacks, Defenses, Targets, Adversaries Diagram
KEYW Cyber Threat Taxonomy
Attacks, Defenses, Targets, Adversaries Diagram
Attack
Attempt to gain unauthorized access to an IS's services, resources, or information, or an attempt to compromise an IS's integrity, availability or confidentiality.
SSL/TLS
Encrypts, server identity verification and data integrity. Secret keys are negotiated during TLS/SSL setup, using algorithms such as RSA and DH key exchange. During initialization, server presents public key certificate to client to verify server identity. Server requests crypto key exchange. SSL/TLS is not a guarantee of security.
M$ EoL
End of Sales, End of Mainstream Support, End of Extended Support, End of Custom Support
Virtual Firewall
Ensure there's a virtual firewall between two guests running on the same host. The virtual firewall will analyze traffic between them.
IPv6 Features
Fixed header length of 40 bytes. Extended address space, autoconfiguration support, IPv6 over IPv4 tunneling, IPv4 over IPv6 translation, Flexible embedded protocol support. endpoint authentication, encryption support.
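The fixed 40-byte header and the "flexible embedded protocol support" (extension headers chained through the Next Header field) are easiest to see in a parser. This is an added example, not deck material: the packet bytes are constructed in build_sample_packet() using the 2001:db8::/32 documentation prefix.

```python
"""Parsing the fixed 40-byte IPv6 header and walking extension headers.

Added example, not from the deck. The packet is constructed in
build_sample_packet(); addresses use the 2001:db8::/32 documentation prefix.
"""
import ipaddress
import struct

IPV6_HEADER_LEN = 40   # fixed, unlike IPv4's 20-60 byte variable-length header
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination"}


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack version/traffic class/flow label (32 bits), payload length,
    next header, hop limit, then the two 128-bit addresses."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(buf):
    if len(buf) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", buf[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version=%d)" % version)
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(buf[8:24])),
        "dst": str(ipaddress.IPv6Address(buf[24:40])),
    }


def walk_extension_headers(buf):
    """Follow the Next Header chain past any extension headers and return
    (upper_layer_protocol, offset_of_its_header, [extension names]).
    A filter that only reads byte 6 would think this packet is protocol 0."""
    hdr = parse_ipv6_header(buf)
    end = IPV6_HEADER_LEN + hdr["payload_len"]
    if end > len(buf):
        raise ValueError("payload length exceeds buffer")
    nh, off, chain = hdr["next_header"], IPV6_HEADER_LEN, []
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nh])
        # Fragment header is always 8 bytes; the others carry (len + 1) * 8 bytes.
        ext_len = 8 if nh == 44 else (buf[off + 1] + 1) * 8
        nh, off = buf[off], off + ext_len
    if off > end:
        raise ValueError("extension header runs past payload")
    return nh, off, chain


def build_sample_packet():
    """Constructed packet: IPv6 + Hop-by-Hop options header + 20 zero bytes
    standing in for a TCP header."""
    hop_by_hop = bytes([6, 0]) + b"\x01\x04\x00\x00\x00\x00"  # next=TCP, len=0, PadN(4)
    tcp_stub = b"\x00" * 20
    payload = hop_by_hop + tcp_stub
    return build_ipv6_header("2001:db8::1", "2001:db8::2", len(payload),
                             next_header=0, hop_limit=64) + payload
```

The length checks matter: extension headers are attacker-controlled, and an inspection engine that trusts the Next Header byte in the base header, or does not bound the chain by Payload Length, can be made to misclassify or crash on crafted traffic.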
Certificate Revocation List
Flat file. Not updated in real-time
Spectre
Flaws in the computer's processor (speculative execution side channels). Successful exploitation lets an unprivileged process read memory it should not be able to see, such as kernel memory or another process's secrets. It is an information disclosure, not code execution with kernel privileges, although leaked secrets (keys, password hashes) can then be used to gain them.
VPNs
Flexible, cost-effective, fast to setup. Delay can be an issue. No dedicated bandwidth.
MAC Flooding
Flood the switch with MAC addresses. Switch starts acting like a hub which allows attacker to sniff traffic.
Active Defense
Focus on vulnerabilities in which there is a threat with a high likelihood and high impact to causing damage to critical assets. Stage 1- Identify internal critical assets; 2- Add environmental context (baselines); 3- Identify and profile most likely threat actors; 4- Conduct active defense missions. The goal is to find out as much about the adversary and slow them down.
Business Continuity Plan (BCP)
Focuses on availability of critical business processes. Long-term, strategic. Created by business.
SSH MFA
For critical services like SSH, MFA must be used. List of options: SSH keys, Google Authenticator, FreeOTP, Authy, Duo.
JEA
Just Enough Administration is an optional PowerShell remoting feature introduced in PowerShell 5.0. It allowlists the commands a role may run and blocks all others by default.
Preventive Control
Keeps a threat from coming in contact with a vulnerability
Permutation
Keeps same letters, but changes their position within text. Very easy to break. Substitution and permutation can be combined. Also known as transposition. Used in combination with substitution in modern crypto algorithms, p50.
KDC
Key Distribution Center. In AD the KDC service runs on every domain controller.
Threat Assessment and Analysis
Identify existing countermeasures, threats and vulnerabilties. Support the expenditure of resources and determine the most cost-effective safeguards to offset the risks. Aid in the selection of cost-effective countermeasures that reduce existing risks to an acceptable level.
Kerberos
Kerberos explained on p33-35. Default authentication protocol for AD. Primarily uses UDP88, For large tickets, it switches to TCP88. Servers listen for password changes on UDP464, p212.
dm-crypt
Kernel module (device-mapper target) that provides block-level encryption of whole partitions. Current Linux distros can encrypt the root partition with it (wiki).
Key Escrow
Key backup stored with third party.
Hypervisor
Key component of virtualization that allows software to emulate hardware. The hypervisor is the emulation software. Attacker owns everything if they can compromise the hypervisor.
Biometrics
Key factors in selecting: reliability, user friendliness, implementation cost, maintenance. Difficult to change credentials after compromise.
cgroups
Key feature of LXC. Originally developed at Google. Limits and accounts for resources (CPU, memory, I/O) per group of processes.
namespaces
Key feature of LXC. Largely contributed by IBM. Gives each container its own isolated view of resources (PIDs, mounts, network, users). Good for security and stability.
3DES
Key length is 168 bits (three 56-bit DES keys), but the effective strength is about 112 bits because of the meet-in-the-middle attack. Based on key length, 3DES is not considered secure, even though there are no public reports claiming to have cracked it outright. 3DES executes 48 rounds (three passes of DES) whereas DES executes 16 rounds.
LSA Secrets
Local Security Authority in Windows is designed to manage a systems security policy, auditing, logging users on to the system, and storing private data such as service account passwords. LSA secrets are stored in HKLM:\Security\Policy\Secrets key
Account Lockout
Lockout duration 120 min; Lockout threshold 5 attempts; Reset lockout counter after 45 min
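The three policy values interact (the counter reset window decides whether slow guessing ever reaches the threshold), so here is the policy replayed over authentication records. This is an added example, not deck material; the log format "timestamp SUCCESS|FAILURE user=... src=..." and all the lines are constructed, and the numbers are the deck's (threshold 5, lockout 120 min, counter reset 45 min).

```python
"""Simulating an account lockout policy over authentication log lines.

Added example, not from the deck. The log format and the lines are constructed:
"<ISO-timestamp> <SUCCESS|FAILURE> user=<name> src=<ip>".
"""
import re
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=120)
RESET_COUNTER_AFTER = timedelta(minutes=45)

LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAILURE) user=(\S+) src=(\S+)$")

# alice: five rapid failures, then the real user tries; bob: slow guessing
# that never accumulates five failures inside one 45-minute window.
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAILURE user=alice src=203.0.113.9
2024-03-01T09:00:10 FAILURE user=alice src=203.0.113.9
2024-03-01T09:00:20 FAILURE user=alice src=203.0.113.9
2024-03-01T09:00:30 FAILURE user=alice src=203.0.113.9
2024-03-01T09:00:40 FAILURE user=alice src=203.0.113.9
2024-03-01T09:01:00 SUCCESS user=alice src=10.0.0.5
2024-03-01T09:05:00 FAILURE user=bob src=10.0.0.7
2024-03-01T09:05:10 FAILURE user=bob src=10.0.0.7
2024-03-01T09:05:20 FAILURE user=bob src=10.0.0.7
2024-03-01T09:05:30 FAILURE user=bob src=10.0.0.7
2024-03-01T09:55:00 FAILURE user=bob src=10.0.0.7
2024-03-01T09:56:00 FAILURE user=bob src=10.0.0.7
2024-03-01T09:57:00 FAILURE user=bob src=10.0.0.7
2024-03-01T09:58:00 SUCCESS user=bob src=10.0.0.7
2024-03-01T11:30:00 SUCCESS user=alice src=10.0.0.5
""".splitlines()


def simulate(lines):
    """Replay log lines in order and return [(user, outcome), ...].
    Outcomes: ok, fail, locked (this attempt tripped the threshold),
    denied-locked (rejected while locked, even with the right password)."""
    state = {}   # user -> {"fails": n, "last_fail": dt, "lock_until": dt or None}
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # not an authentication record
        ts = datetime.fromisoformat(m.group(1))
        result, user = m.group(2), m.group(3)
        s = state.setdefault(user, {"fails": 0, "last_fail": None, "lock_until": None})

        if s["lock_until"] is not None and ts < s["lock_until"]:
            events.append((user, "denied-locked"))
            continue
        if s["lock_until"] is not None:                  # lockout has expired
            s.update(fails=0, last_fail=None, lock_until=None)

        if result == "SUCCESS":
            s.update(fails=0, last_fail=None)            # a good login clears the counter
            events.append((user, "ok"))
            continue

        # FAILURE: the counter resets if the previous failure is older than the window
        if s["last_fail"] is not None and ts - s["last_fail"] > RESET_COUNTER_AFTER:
            s["fails"] = 0
        s["fails"] += 1
        s["last_fail"] = ts
        if s["fails"] >= LOCKOUT_THRESHOLD:
            s["lock_until"] = ts + LOCKOUT_DURATION
            events.append((user, "locked"))
        else:
            events.append((user, "fail"))
    return events


def outcomes_for(user, lines=SAMPLE_LOG):
    return [o for u, o in simulate(lines) if u == user]
```

Note the trade-off the replay makes visible: alice's legitimate login at 09:01 is denied because an attacker from 203.0.113.9 locked the account, which is exactly the DoS an aggressive lockout policy hands to anyone who knows a username. The 45-minute reset also shows why a patient attacker spacing guesses more than 45 minutes apart is never locked; detection of that pattern belongs in log monitoring, not in the lockout policy.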
Logsurfer
Log alerting program
Logwatch
Log alerting program
Swatch
Log alerting program
OSSIM
Log analysis tool. Analyzes and correlates logs. Correlate and alert
OSSEC
Log analysis tool. Leading open-source tool for real-time log analysis. Correlate and alert.
SEC
Log analysis tool. Rule correlation and analysis of logs in near real-time. Flexible. Hard to use. Correlate and alert.
Logsentry
Log analysis tool. Use their scripts or create your own to look for specific strings in logs and then sends an email or other alert.
Swatch
Log analysis tool. Use their scripts or create your own to look for specific strings in logs and then sends an email or other alert.
Logwatch
Log analysis tool. Use their scripts or create your own to look for specific strings in logs and then sends an email or other alert. Correlate and alert.
SLCT
Log analysis tool. Uses a simple clustering technique to make sense of stored logs. Use it when you need to review large amounts of file logs.
Splunk
Log correlator, use third-party plugins to make it act like a SIEM. Difficult to deploy if you deviate from anything other than typical log aggregation.
Baseline
Log output of several commands and compare them with log changes. What's normal: type of network traffic, amount of network traffic, types of logs generated, number of logs generated, resource utilization, access times and length of access, current state and configuration.
Blue Pill
Logical attack in which a rootkit manipulates low-level kernel mode to provide root-level permissions to the attacker, giving the attacker unlimited access to other guests. It does this by inserting a thin malicious hypervisor beneath the running OS.
Physical File System
Logical file system is made up of multiple physical disk partitions.
Type 2 Hypervisor
Hosted hypervisors that run within an OS as an application: VMware Workstation, VMware Player, VirtualBox.
Virtual Defense
Logical separation through virtual switching and virtual firewall to provide filtering and inspection. Timely patching is key. Physical separation of VMs by security classification may be a regulatory requirement. Private VLANs are another good defense.
Information Management
Logical vs physical locations of data. Due to contractual, regulatory and jurisdictional issues, it's imperative to understand both the logical and the physical location of data. Volume Storage: volumes often use data dispersion to support resiliency and security; this includes IaaS instances, typically as a virtual hard disk. Object Storage is sometimes referred to as file storage. It's more like a file share accessed via APIs or a web interface. Eg Dropbox.
ls -l
Long listing of contents, includes attributes. Output on p172
Threat Hunting, Host
Look at startup files, registry changes, hidden processes.
Single Loss Expectancy (SLE)
Loss from a single event. SLE = Asset Value x Exposure Factor
Alien Vault
Lots of prebuilt automation. Open Threat Exchange provides threat feed, identifying signatures it has created. File integrity monitoring, HIDS, NIDS and Vulnerability Scanning.
RDP Encryption levels
Low: only client-to-server traffic is encrypted (56-bit); server-to-client is cleartext. Client Compatible: the strongest key length the client supports is used. High: the server requires 128-bit encryption. FIPS Compliant: requires FIPS 140 validated algorithms (3DES, AES, RSA and/or SHA). TLS is used if the client requests it.
System Accounts
Low-numbered UIDs. Better to disable accounts than to delete them. Set the accounts so that no one can log in with them (eg a nologin shell and a locked password) and audit them.
M$ vs Organizational Accounts
M$ Account is for personal use like Outlook.com or OneDrive. Organizational Account is Exchange Online or O365.
Windows Defender ATP
M$ Advanced Threat Protection includes a suite of products for threat hunting and incident response.
MAAD
M$ Azure Active Directory
AADDS
M$ Azure Active Directory Domain Services
Azure ATD
M$ Azure Advanced Threat Detection
MBSA
M$ Baseline Security Analyzer
mstsc.exe
M$ built-in Remote Desktop (thin) client app.
dir /w
M$ CLI to list the contents of a directory in wide format (names only).
dir
M$ CLI long listing of directory contents (date, time, size); add /a to include hidden files.
Office Online
M$ Office app. Free but limited. You have to save docs in OneDrive.
M$ OMS
M$ Operations Management Suite
SCCM
M$ System Center Configuration Manager, used for configuration management of managed endpoints. Integrates with Intune to extend management to BYOD devices.
MOM
M$ System Center Operations Manager
MOM Server
M$ System Center Operations Manager watches over your servers by continuously extracting their Event Logs and other auditing data.
attrib
M$ change file attributes
copy
M$ copy files
del
M$ deletes a file
SmartScreen Filter
M$ filter that blocks known-evil URLs and downloads in Edge and IE by default.
Outlook.com
M$ free email, calendar, contacts, etc. Competes with Gmail.
InTune
M$ inventory and management of BYOD. Enforces MDM security policies.
dir /a
M$ list hidden and regular files
md
M$ make directory
rd
M$ removes directory
rename
M$ rename files
dir env:\
In PowerShell, lists the environment variables (the Env: drive); the equivalent of the cmd.exe "set" command for seeing PATH and friends.
diruse.exe
M$ tool to alert you if any monitored folder exceeds a certain size
at.exe
M$ utility for scheduling tasks. Deprecated and shouldn't be used.
MAAD vs AADDS
MAAD does not support Kerberos, NTLM, Group Policy, or LDAP. It supports web-based authentication. AADDS provides traditional domain controller services. You don't have to upload your VMs for AADDS.
mbsacli.exe
MBSA cli version
M$ Authenticator
MFA on mobile devices.
M2M
Machine to Machine applications
aureport
Produces summary reports from the audit log, making ausearch results easier to read.
Internet Explorer
Manage IE using GPO Administrative Templates and Internet Explorer Maintenance.
auditpol.exe
Manage audit policies from cli
ntrights.exe
Manage privileges with scripts or free CLI tools like ntrights.exe
Data Migration Detection
Manage unapproved data moving to cloud services in two ways: Database Activity Monitoring and File Activity Monitoring; URL filters and DLP tools.
DR Planning Process
Management Awareness, Planning Committee (has at least one business stakeholder involved), Risk Assessment, Process Priority Establishment, Recovery Strategies, Testing Criteria.
Human Resources and Management Sensitive (Business Classification)
Management Proprietary Information. Personal Information (PII).
MAC
Mandatory Access Control
Incident Handling
Planning is key! Pre-established procedures that specify how to act during common attack situations. Six Step Process: 1-Preparation; 2-Identification; 3-Containment; 4-Eradication; 5-Recovery; 6-Lessons Learned.
PAM
Pluggable Authentication Modules
PAM
Pluggable Authentication Modules employs four management groups: Authentication, Passwords, Sessions, Accounts. Config files are stored in /etc/pam.d.
PPTP
Point-to-Point Tunneling Protocol is a VPN protocol that uses IP protocol 47 (GRE) for the tunnel and TCP 1723 for the control channel.
Policy vs Procedure
Policy addresses what to do and Procedure addresses how to do it. Policy is read cover to cover and Procedure is referenced when having trouble following the policy. Policy is concise and focused. Procedure is detailed and step-by-step. Policy is strategic and high level while Procedure is tactical.
SMART
Policy statement must be specific, measurable, achievable, realistic, time-based
NDA
Policy that covers use, control and enforcement. Protects both parties, shouldn't be one-sided. Protects sensitive information; the individual receiving information agrees to keep it confidential. Legal document that has certain specific requirements. Clearly written and easy to read. Should cover who the NDA applies to, what the NDA is, when the NDA should be used, where the NDA is applicable, and why the NDA is important.
802.1x
Port Security feature. Provides network authentication. Its a framework that supports different authentication protocols known as Extensible Authentication Protocol (EAP) types. Standard by IEEE to authenticate to LAN and wireless LAN network devices.
Scanport
Port scan tool
Nmap
Port scanning, vulnerability scanning (NSE scripts), OS detection. "Filtered" means nmap can't tell whether the port is listening because something (usually a firewall) is blocking the probes. The --randomize-hosts option tells nmap to scan a range of hosts in random order.
POSIX
Portable OS Interface
Shell
Portion of OS that allows users and proceses to interact. It also can act as the vehicle through which apps obtain permissions and interact with the kernel.
Ephemeral Ports
Ports that change each time the client runs. They are numbered above well-known ports ( > 1023 )
Firewalls
Preventative. Best way to protect a system is to air gap it from the network, but that's 0% functionality. 3 types of firewall: packet, stateful and proxy/NGFW. Helps with IDS if egress filtering is enabled and firewall logs traffic in both directions. Ingress is from Internet to protected network. Egress is protected network to Internet.
NIPS
Preventative. Layer 7.
NIDS Developments
Reduction in false positives with target OS identification, integrated vulnerability assessment for threat profiling/alert prioritization, NIDS integration with networking devices (eg IDS blade in switch), IDS in wifi.
OWASP
Reference to OWASP Top 10 Most Common Applicaton Attacks on Input Attacks page.
SELinux
Security Enhanced Linux is a Linux Security Module built into the kernel that provides mandatory access control policies. The security model is based on least privilege and starts with users (and processes) having no rights at all. It doesn't replace existing Linux security, it enhances it. Good for systems that otherwise default to "allow."
SID
Security Identifier
SID
Security Identifier. Well-known SIDs: Everyone S-1-1-0; Authenticated Users S-1-5-11; local Administrators group S-1-5-32-544
SIEM
Security Information and Event Management (also expanded as Security Incident & Event Monitoring)
.inf
Security Template
Host: Header
The client sends the web server a Host: header that specifies which domain.
PUT
The client uses PUT to upload files to a web server, eg publishing new web pages or uploading email attachments.
Non-Persistent Cookie
They are destroyed every time the browser closes. Even though they are stored in memory, they can still be edited by user or MitM using Proxy like Paros.
Dwell Time
Threat Hunting Key Indicator. How long is the adversary in your organization?
Reinfection
Threat Hunting Key Indicator. How many times has an organization been compromised by the same adversary or the same threat?
Lateral Movement
Threat Hunting Key Indicator. How much damage is the adversary causing, in terms of number of systems compromised?
Risk
Threats x Vulnerabilities. Its impossible to completely eliminate all risk. Security deals with managing risk to your critical assets. Security professional must constantly track, manage, and mitigate risk to an organization's critical assets. Risk = Probability x Impact.
Data Protection
Three valid options: content discovery, volume storage encryption, object storage encryption
sysctl -w
To change (write) a variable until next reboot. Non-persistent file change. Great for testing before commiting to changes.
ROI
To obtain the required resources, it is critical to show an appropriate ROI for security. Financial benefit or return received from a given amount of money or capital invested into a product, service or line of business. aka Return on Capital Employed, Return on Net Worth, Return on Equity. ROI (%) = (gain - expenditure) / (expenditure) x 100
fsutil.exe
To see which file system is used and get its list of support features, open PowerShell and run this utility.
LogPP
Tool that helps convert multi-line logs to a single-line format.
strings -n 14 textfile.txt
Tool parses through any input file, searching for ASCII characters. -n 14 tells it to look for strings 14 characters or longer.
Artillery
Tool that can provide an early warning system. Honeypot, file system monitoring, threat intelligence feeds with optional trace-back capability.
WEPWedgie
Tool to accelerate process of collecting packets from wireless networks.
wnet/reinj
Tool to accelerate process of collecting packets from wireless networks.
hping3
Tool to craft packets. TCP version of ping. Port Scanner. Spoof IP address. See output, p20-21
StegSecret
Tool to detect stego in images.
Stegexpose
Tool to detect stego in images.
Ettercap
Tool to facilitate sniffing in a switched environment. Can sniff even in a switched environment. Relies on ARP cache poisoning.
Dsniff
Tool to facilitate sniffing in a switched environment. Sniffer that uses ARP redirection and IP forwarding
unshadow passwd shadow > unshadow.txt
Tool to merge the passwd and shadow files together. Preliminary step for John the Ripper.
md5deep
Tool to take forensic hash of file.
sha1deep
Tool to take forensic hash of file.
Bloover
Tool used for Bluejacking
BlueSniff
Tool used to circumvent Bluetooth security that allows attacker to locate and attack Bluetooth networks.
RedFang
Tool used to circumvent Bluetooth security that allows attacker to locate and attack Bluetooth networks.
AirSnort
Tool used to crack WEP keys.
WEPCrack
Tool used to crack WEP keys.
dwepcrack
Tool used to crack WEP keys.
Blackhole Exploit Toolkit (BET)
Toolkit installed on web servers and preconfigured to attack out-of-date code running on visitors' machines.
Content Discovery
Tools to identify sensitive info in storage. Once identified, info can be classified. Classified data can be scanned with advanced content analysis techniques to audit.
TTPs
Tactics, techniques and procedures
Classification Levels, Government
Top Secret (critical to protect), Secret (could harm national security), Confidential (could be detrimental to national security), Unclassified (data owners prefer to keep this info from being released, but it would not harm the nation if it were).
Log Deployment Challenges
Top challenge is political boundaries.
Deep Packet Inspection
Traditionally deployed with application-level firewall gateway that has deep understanding of protocol and has the logic to follow the fields inside the packet. Slow and expensive. In practice, it's used with shallow packet inspection.
NIDS Key Point
Trained staff, passive sniffer in security management console, incident response preparation, ROI calculation--better to outsource?
HTTP Protocol
Transaction-oriented. Stateless.
Station Controller
Transmits and receives frames through transceiver on Ethernet.
TLS
Transport Layer Security. Encrypts traffic between client and IIS Server
OSI Model
Transport Layer ensures reliable connectivity from end to end and handles sequencing of packets in a transmission. Session Layer handles establishment and maintenance of connections between systems: negotiates the connection, sets it up, and makes sure the info exchanged across the connection is in sync on both sides. Presentation Layer makes sure data sent from one side is received in a format that is useful to the other side, eg compression/decompression. Application Layer interacts with the application to determine which network services are required.
Decloak
Tries to discover attacker's true IP address. Uses flash and Java applets. Can be used as part of incident response or threat hunting activities. Could be considered hacking back.
DoublePulsar
Trojan backdoor tool that runs kernel mode, allowing for privileged access on compromised systems. Used in WannaCry attack.
IDS Alerts
True postive generates alerts; false positive generates alerts; true negative does not generate alerts; false negative does not generate alerts.
TPM
Trusted Platform Module
IPsec Headers
Tunnel Mode encrypts IP Header and Data. Transport Mode only encrypts Data.
TTLS
Tunneled Transport Layer Security
Recovery
Two main options: install OS and apps from scratch, fix vulnerability, restore data; restore system from a trusted backup and patch the system.
Threat Hunting
Two major components of threat hunting: detection and intelligence, p176. Act of aggressively tracking and eliminating cyber adversaries from your network as early as possible, p178. Benefits: provide early and accurate detection, control and reduce impact and damage with faster response, improve defenses to make successful attacks increasingly difficult, gain better visibility into org's weaknesses, p179. Fits between active defense and intelligence, p183.
Web Authentication Methods
Two most common are HTTP authentication and HTML form-based authentication.
syslog.conf
Two parts to an entry in syslog.conf: a selector (facility.level, which matches that level and anything more severe) and an action. This is where you tell syslog where to store messages, including whether they are sent to a remote server (@host).
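How the PRI value on the wire maps to the severity levels on the earlier Syslog severity levels card, and how a syslog.conf selector matches a decoded message. This is an added example, not deck material: the sample lines and the rules are constructed (the rules mirror the shape of a stock /var/log/messages entry), and the routing function stands in for what syslogd does with them.

```python
"""Decode syslog PRI values and apply syslog.conf-style selectors.

Added example, not from the deck. PRI = facility * 8 + severity (RFC 3164 /
RFC 5424). The sample messages and rules below are constructed.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Return (facility_name, severity_name, rest_of_message) for one raw line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI in line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)  # pri = facility * 8 + severity
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def selector_matches(selector, facility, severity):
    """syslog.conf selector semantics: 'facility.level' matches that level and
    anything more severe (lower number); '*' wildcards either side; 'none'
    excludes a facility; '=level' matches exactly one level. Selectors separated
    by ';' are evaluated left to right, so a later 'none' overrides an earlier match."""
    sev_num = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        fac_spec, _, lvl_spec = part.strip().partition(".")
        facs = fac_spec.split(",")
        if "*" not in facs and facility not in facs:
            continue
        if lvl_spec == "none":
            matched = False
            continue
        if lvl_spec == "*":
            matched = True
            continue
        exact = lvl_spec.startswith("=")
        lvl_num = SEVERITIES.index(lvl_spec.lstrip("="))
        if (sev_num == lvl_num) if exact else (sev_num <= lvl_num):
            matched = True
    return matched


SAMPLE_LINES = [   # constructed; PRI shown in the comment
    "<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8",  # auth.crit
    "<13>Oct 11 22:14:16 host app: user login ok",                              # user.notice
    "<86>Oct 11 22:14:17 host sshd: session opened for user jsmith",           # authpriv.info
    "<22>Oct 11 22:14:18 host postfix: mail queued",                           # mail.info
    "<0>Oct 11 22:14:19 host kernel: panic - not syncing",                     # kern.emerg
]

RULES = {   # selector -> action, the two halves of a syslog.conf entry
    "*.info;mail.none;authpriv.none": "/var/log/messages",
    "authpriv.*": "/var/log/secure",
    "mail.*": "/var/log/maillog",
    "*.emerg": "*",
}


def route(lines, rules=RULES):
    """Return {action: [message, ...]} the way syslogd would dispatch these lines."""
    out = {}
    for line in lines:
        fac, sev, msg = decode_pri(line)
        for selector, action in rules.items():
            if selector_matches(selector, fac, sev):
                out.setdefault(action, []).append(msg)
    return out
```

The authpriv.none exclusion is why SSH session records end up only in /var/log/secure and not in /var/log/messages; a monitoring rule that watches the wrong file misses them entirely. PRI is also attacker-supplied on an unauthenticated UDP/514 feed, so a collector should treat facility and severity as hints, not as trust levels.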
ICMP
Two purposes: to report errors or troubleshooting and to provide network information. It's a datagram like IP and UDP. Reports on state of a network.
Linux Security Permissions
Two ways to represent permissions: symbolic rwx and absolute 777
Linux-VServer
Linux-VServer is OS-level virtualization (containers sharing one kernel), not a Type-1 hypervisor. It mitigates the risk of escaping out of a guest by using segmented routing, chroot, extended quotas, etc.
Decoy Ports
Typically implemented at the firewall, which will always respond to a SYN with a SYN-ACK. Careful: opening decoy ports by enabling a real sevice on a server could increase attack surface and make you more vulnerable.
Data Diode
Typically references military technology that moves data into classified networks without the risk of leaking classified information. Usually a hardware appliance($$$) to control flow of traffic, only allowing unidirectional traffic flow. Input side is anode and output side is cathode.
RDP
TCP 3389 for the session; UDP 3389 is used for media streaming when the UDP transport is available. See HTTPS Tunneling RDP.
Superuser
UID0. Root. There can be multiple UID0 accounts but you can't audit them separately. Audits show UID0, that's it.
CNCI
US Comprehensive National Cybersecurity Intiative
USGCB
United States Government Configuration Baseline (maintained by NIST)
Unix OS Types
Ubuntu and Kali are Debian. Fedora is RedHat. MacOS is BSD.
Ubuntu vs Fedora
Ubuntu is Debian. Fedora is Red Hat. Ubuntu uses APT and is less secure, eg firewall not enabled by default. Fedora uses RPM and Yum package manager
umask u=x
Umask with = will only allow specified permissions to be enabled.
Bluesnarfing
Unauthorized access of information via Bluetooth. Bluesnarfer is probably the most widely used tool
Resource Protection
Understanding your assets.
UEFI
Unified Extensible Firmware Interface
Ciphertext
Unintelligible message.
Cryptogram
Unintelligible message.
Distinguished Name (DN)
Unique identification used by CA to authenticate user/organization requesting a certificate.
john -format:MD5 -w:password.lst test
Use John the Ripper in wordlist mode to crack the hashes in file test using the password.lst wordlist (old option syntax; current versions use --format=raw-md5 --wordlist=password.lst).
ise .\ProcList.csv
Use PowerShell ISE to open ProcList comma delimited file.
WEP
Uses RC4.
File Integrity Checking
Uses a mathematical function called a one-way hash to create a hash-value of monitored file. Considered a HIDS feature.
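The check described here and on the HIPS Functions card (files not modified, permissions not changed) in working form: take a baseline of hashes and modes, tamper with the tree, diff. This is an added example, not deck material; it builds its own temporary directory with constructed stand-in files (etc/passwd, etc/shadow, bin/ls), so nothing on the real system is touched.

```python
"""File integrity checking: build a hash/permission baseline, then diff it.

Added example, not from the deck. Runs inside a temporary directory it creates
itself; the file names and contents are constructed stand-ins.
"""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk=65536):
    """One-way hash of a file's contents, streamed so large files fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path),
                             "mode": st.st_mode & 0o777,
                             "size": st.st_size}
    return baseline


def compare(baseline, current):
    """Report content changes, permission changes, additions and removals."""
    report = {"modified": [], "perms": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        if new["mode"] != old["mode"]:
            report["perms"].append(rel)
    report["added"] = list(set(current) - set(baseline))
    return {k: sorted(v) for k, v in report.items()}


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Take a baseline, tamper with the tree, and return what the check catches."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/bash\n")
        _write(root, "etc/shadow", b"root:$6$salt$hash:19000:0:99999:7:::\n", 0o600)
        _write(root, "bin/ls", b"\x7fELF stand-in")
        baseline = build_baseline(root)

        _write(root, "etc/passwd",                         # second UID-0 account appended
               b"root:x:0:0::/root:/bin/bash\nbackdoor:x:0:0::/:/bin/bash\n")
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)  # now world-readable
        _write(root, "tmp/dropper", b"#!/bin/sh\n")        # unexpected new file
        os.remove(os.path.join(root, "bin/ls"))            # binary removed
        return compare(baseline, build_baseline(root))
```

Two practical caveats the code makes concrete: the baseline itself must live somewhere the monitored host cannot rewrite (otherwise an attacker re-baselines after tampering), and hashing content alone misses the etc/shadow case, so mode and ownership belong in the baseline too.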
Dictionary Attack
Uses a wordlist to crack passwords.
NTLMv2
Uses domain name, server challenge and other variables to randomize the final hash to protect against precomputation. NTLMv2 feeds the username, domain name, client challenge, server challenge and the NT hash of the password into the hash function, thereby injecting randomness (salt). This helps protect against precomputed hash lookup attacks like Rainbow Tables. The NTLMv2 salt is not designed to protect against pass-the-hash attacks; other controls are needed to prevent that attack. Password complexity and length requirements are set in group policy/security templates, not by the NTLMv2 protocol.
Public Key Infrastructure
Uses for PKI, p125. Problems, p126-127.
Log Monitoring
Uses inclusive or exclusive analysis. Is considered a mechanism of host-based IDS. Powerful mechanism that offers the administrator a lot of flexibility.
Machine Learning
Uses modern computing techniques to streamline pattern recognition and aggregation, computational learning, and human-derived instruction sets to do predictive threat analysis.
Secure Simple Pairing (SSP)
Uses public key cryptography to make Bluetooth pairing more secure. Added in Bluetooth 2.1.
setarch
Utility that should be removed or not allowed to be used by any user. It tells the OS which architecture to use to run the program.
Cryptsetup
Utility to setup hdd encryption based on DMCrypt kernel module.
cut
Utility to trim output to exactly what you need, using bytes, characters, a special delimiter, etc to determine where to cut.
DaaS
VDI in the cloud. Great for BYOD. Eg O365
Cloud Infrastructure Attacks
VM Traffic sniffing eg vSwitch, insecure cryptography, API attacks, Lack of air-gapped systems, Hardware Flaws eg Spectre and Meltdown, DoS, Supply Chain Attacks, Insider Threat, Account Hijacking.
Guest OS
VM. Most common VM is an OS running on a virtual machine. Accesses virtual hardware through an emulator.
Direct Memory Access (DMA)
VMs have direct access to memory and controllers like video and NICs, which can provide a place for attackers to store and move code.
Isolation Errors
VMs need to be configured correctly so they only interact with authorized systems. If an attacker compromises one virtual system, she could also have access to all systems bridged to the compromised one.
Return on Security Investment (ROSI)
Value or perceived benefit obtained by investing resources in security--typically tied to the cost-effective method of reducing a critical risk.
Keys
Values used to initialize a particular algorithm. They permit the existence of unrestricted (public) algorithms. The strength of a cryptosystem rests with the strength of its keys: the larger the keyspace, the stronger the cryptosystem. The key must be protected.
Dash7
Very low frequency, well-suited to tracking moving objects or acting a wireless sensor network. No formal network structure required. Useful for peer-to-peer texts, smart advertising on posters and billboards, mobile in-store advertising.
more
View a file a page at a time.
tail
View real-time info, displaying last few lines of a file. Useful for viewing and analyzing log files.
VPS
Virtual Private Storage
/proc
Virtual file system.
Virtualization Benefits
Virtualization reduces downtime by improving failover capabilities.
Volume Storage Encryption
Volume protection from snapshot cloning, cloud service provider exposure, loss of physical drives, etc.
GFI LANguard
Vulnerability Scanner
Qualys QualysGuard
Vulnerability Scanner
Rapid7 Nexpose
Vulnerability Scanner
Tenable Nessus
Vulnerability Scanner
nCircle IP360
Vulnerability Scanner
Vulnerability Analysis
Vulnerabilities are the primary focus for reducing overall risk. Vulnerability analysis identifies weaknesses in the system that an attacker could exploit and gives the big picture of weaknesses in systems and apps.
802.11i
WPA2 is a security mechanism that provides encryption to wireless networks.
WannaCry
WannaCry ransomware worm was a confidentiality, integrity and availability attack that leveraged the NSA EternalBlue tool, which exploited a vulnerability in the Windows SMBv1 protocol.
Facebook Breach
Watering Hole attack.
Captive Web Portal
Way to authenticate users. Intercepts requests for web page and substitute the page with a form that requests authentication.
Vulnerability
Weakness in a system that can be exploited.
Vulnerabilities
Weakness in a system that can be exploited. Only thing we can control
WPAD
Web Proxy Auto-Discovery Protocol
Paros
Web proxy tool that allows you to edit cookies.
Burp
Web proxy tool that allows for cookie editing.
Cross-Site Request Forgery
Web-based attack for gaining control of web applications. Can be effective on routers too. Attack often comes in the form of an email with a link. Rebooting the router will nullify the attack.
Cross-Site Scripting
Web-based attack to reveal user's physical location. Attacker gets user's MAC address through the router and then uses location service to find them.
Kibana
Web-based dashboard for Logstash and Elasticsearch. Kibana's data search engine can handle enormous amounts of data. Flexible, real-time reporting, data slicing, Elasticsearch.
python -c 'print("A" * 100)' > bof
Write 100 letter As to a file named bof.
Minimize Packages
XFCE is better than gnome because it uses far less space and fewer resources.
Yum
Yum package manager used by Fedora
ZPHA
Zero Power HA
802.15.14
ZigBee Wireless
su
switch user
utmp
complete picture of user logins, logouts, system events, current status of system, and system boot time. One of main log files.
messages
contains global system messages, including messages logged at startup. Mail, cron, daemon, kern and auth logged in /var/log/messages. General system activity log. Stores valuable, nondebug and noncritical messages. Great for anomaly hunting.
/var
contains logs, queues, etc. Files that change frequently
wtmp
historical data of utmp. One of the main log files.
honeyd
honey pot engine. Used by NOVA VMs.
history
last 100 commands I ran
Wmic.exe
legacy command for Windows Management Instrumentation programming
ls
list contents of directory
lsof
list of open files and the processes that opened them
ls -al
lists hidden and regular files
File Attributes
ls -ld example showing File Type, permissions, link count, etc
mkdir
make directory
inetd
manages services
xinetd
manages services. Replaced the need for inetd and add-on services. It also has embedded security features. Maintains the /etc/xinetd.d directory, where services reside as files. Disable a service by modifying its individual file. Modify /etc/inetd.conf.
Rc.d
manages services. If the system does not use an Internet super server, or the server process is activated at system startup, then the services are managed by rc so they can operate independently. Modify /etc/rc.conf.
maillog
messages from the mail server, eg sendmail.
Unlock accounts
Lock: passwd -l <user>; usermod -L <user>. Unlock: passwd -u <user>; usermod -U <user>.
rmdir
removes directory
mv
rename files
Syslog message format
rfc lacks definition for syslog format standard which causes issues normalizing the data.
/
root file system
get-help invoke-command -full
rtfm!
Linux/Unix File Permissions
rwx set on File Owner, Group Owner and Everyone Else
Multi-Category Security (MCS)
s0:c0 to s0:c3.
Ctrl-R
search past typed commands
secedit
security template management. secedit /configure /db A:\dbase.sdb as a PowerShell script to update a security template, p145.
secure
security-related messages like authentication failures, possible break-in attempts, ssh logins, failed passwords, sshd logouts, and invalid user accounts.
Hardware Abstraction Layer
see API.
get-process
see list of running processes in PS
kill -HUP <pid>
send the process a HUP signal
rootkit
set of binaries installed by attacker to provide a backdoor. Often disguised as OS programs in /usr/bin and /usr/sbin.
Syslog
system logging daemon, aka syslogd, normally starts at run level 1.
Tab
tab will show list of everything that matches everything typed
Brute-Force Attack
Most powerful and also the slowest.
Enterprise Admins
Most powerful group because it has full control over every domain in a forest.
MCS
Multi-Category Security
MU-MIMO
Multi-User Multiple-Input and Multiple-Output. Great for real-time communications over wifi.
MLS
Multilevel Security
Policy Statement
Must be clear, concise and SMART. Should contain the guiding principles of who, what, where, when, why. Should be consistent with law, regulations. Consistent with other levels of policy. Should be uniformly enforced, current, readily available, good version control.
Sensitive Information
Must reside on private network. Not visible from Internet.
Self-encrypting HDD
Must support TCG Opal 2.0 and IEEE-1667 and motherboard must support UEFI Secure Boot to use BitLocker for access control.
Network File Sharing (NFS)
NFS supports file sharing for Unix-based networks.
snort
NIDS to determine the scope of a compromise; has a built-in sniffer.
NIPS Developments
NIPS can clean up garbage in network traffic. Example of server waiting to close a TCP connection with workstation. Some NIPS also support QoS.
FDCC
NIST Federal Desktop Core Configuration
john | grep mode
See list of mode in John the Ripper
Schema
Defines all possible types of objects and their attributes in the directory.
Configuration Naming Context
Defines all sites, subnets, and inter-site replication links.
Property-Level ACLs
Delegation of Authority can be controlled based on properties. Each property has its own DACL
Performance Testing
Demonstrates the architecture and resources provided are sufficient for web app's needs. Can also help determine what thresholds exist and what risks might be present of DoS attacks.
IDS Challenges
Deployment, including topology and access limitations; analyzing encrypted traffic; quantity vs quality of signatures; performance limitations with extensive analysis techniques; very costly for proper management.
Servermanagercmd.exe
Deprecated in favor of PowerShell command get-windowsfeature.
scw.exe
Deprecated. Moved into Server Manager tool in Server 2016. Not available in client OSes.
Procedure
Detailed steps to be followed. Mandatory. Explains how to carry out policy. Very detailed.
NIDS
Detective. Layer 7.
Eradication
Determine root cause, not symptoms.
Pen Test
Determine the scope
Pen Test Approach
Determine the scope, information gathering (similar to recon in attack process), scanning, enumeration, exploitation.
XFCE
Lightweight Desktop Environment. Requires fewer packages than Gnome.
LDAP
Lightweight Directory Access Protocol. Cleartext uses TCP3268. SSL-encrypted used TCP3269. LDAP uses Kerberos for authentication. LDAP is the default protocol for searching and editing the AD database.
Wireless Network Mapping Mitigation
Limit RF leakage and use strong authentication and encryption.
Command Injection
Linux
GPG
Linux
Hashing
Linux
John the Ripper
Linux
Malicious Software
Linux
Nmap
Linux
Snort
Linux
aircrack-ng
Linux
hping3
Linux
tcpdump
Linux
Kismet
Linux and BSD Unix tool. Passive wireless sniffer, wardriving tool, vulnerability assessment tool, and IDS. Completely passive. As IDS, Kismet can identify malicious activity, including DoS, MitM and attacks against protocols. Can be deployed in client/server infrastructure, using the kismet_drone tool. Can also be integrated into Snort using Snort rules.
cd
Linux and Windows change directory
LUKS
Linux hdd encryption. Provides secure management of user passwords. LUKS volumes.
AppArmor
Linux kernel module that uses static analysis and machine learning to learn behaviors of apps, enforce security policies and detect 0-day threats. Can limit the capabilities of programs and has the features of an IPS.
Init
Linux's original boot-time starter service, which only runs linearly. The init process starts as Process ID 1. It checks and mounts file systems and starts necessary services. It's the parent process of all other processes and adopts all orphaned processes in user space. Using init requires a reboot of the whole system when system changes are made. Init deals with services only during startup and shutdown.
OS Market Share
Linux runs most security appliances. Over 90% of all computers run Windows.
&
Linux. Run command background.
Security Log
List of Key Event ID Numbers
SIEM/Log Management
List of Terms, p161. Security Incident and Event Monitoring, p181 used for aggregation and correlation of logs, p181.
Windows vs Linux Cmds
List of commands
Token-Based Access Control
List of objects and their privileges (called capabilities) with each user; the opposite of list-based access control.
Active Directory
List of things stored in AD
Logical File System
Lists common conventions of directories
tcpdump --help
See most commonly used tcpdump switches on p44 of Workbook.
ps
See services running on a system and identify rogue processes. Not continuous like top. Use to establish a baseline. Good for threat hunting too.
802.11
See specs on p195
swapon -s
See swap partition current use.
whoami.exe /priv
See what privileges you have.
Protected Enclave
Segment of the internal network defined by a common set of security policies. Anything you do to segment your network with switches, firewalls, routers, VPNs is part of this concept. It's a way to reduce the exposure or visibility into your network.
Cost Benefit Analysis
Select cost-effective and business appropriate countermeasures.
SDCs
Self Driving Cars
Package
Self-contained set of precompiled binaries that include all dependencies that are needed to run the software.
EnOcean
Self-powered wireless monitoring and control systems. Energy savings, flexibility.
Servicing Channels
Semi-Annual (Targeted) receives feature updates immediately. Home edition is locked into this one and cannot defer updates. Others are Semi-Annual, Windows Insider, Long-Term Channel. Semi-Annual (regular and Targeted) can defer feature updates for up to 365 days or can apply them immediately. Semi-Annual Channel has to wait 4 months before automatic installation of feature updates.
hping3 -S 10.10.10.10 -p 21 -c 1
Send one SYN TCP packet to 10.10.10.10 port 21.
Bluejacking
Sending unsolicited message via Bluetooth to mobile devices.
Data Owner
Senior Management is ultimately responsible for appropriate data classification. Data Owner is in charge of data classification.
/bin/false
Setting a target module to /bin/false is a good convention for disabling it.
SMB
Server Message Block protocol
netstat -l
Show all listening ports. Output on 176 and 184.
netstat -a
Show all ports.
nbtstat.exe -A
Shows NetBIOS connections.
ps -ef
Shows all running processes. Output on 181-182, 184, 199.
nmap --help | more
Shows some of the switches on p115. See scan techniques listed on p117. Timing options p118. Output options p119.
id
Shows your UID.
Android Oreo
Significant security changes in Oreo.
Object Storage Encryption
Similar to volume storage encryption. Employs Virtual Private Storage. Types of object storage encryption are: file/folder encryption, client/application encryption, proxy encryption.
Virtual Machine Software
Simple emulator for a computer created in software.
Workgroups
Since each computer is standalone, infected computer is less likely to infect others.
Snare
Single-machine Windows to syslog conversion
WSUS
Single WSUS server can handle 10,000+ computers. Can be load-balanced. Use TLS for WSUS over HTTPS, but HTTP is supported.
Tunnel VPN
Site-to-Site VPN
Clustering
Situation where plaintext message generates identical ciphertext message using same transformation algorithm, but with different crypto variables or keys.
Tcpdump
Sniffer
tcpdump
Sniffer tool for Unix-based systems, also ported to Windows as windump. Universally used and portable.
Virtualization, benefits and uses
Speeds up failover. Key components can be isolated and contained to reduce exposure. Ease of use and portability. Cheaper to scale. In 1960s, IBM created first fully virtualized systems.
Network Segmentation
Split computer network from the rest of the network with a switch, bridge, router, hub to boost performance and security.
VLAN Hopping Attack
Spoof 802.1Q tags to hop over to a different VLAN.
STP Attacks
Spoof BPDUs
IUSR
Special built-in account used by IIS Server for anonymous authentication.
SMART
Specific, Measurable, Achievable, Realistic, Time-Based.
File Generation
Stego. Hide message by generating a new file. No host file is needed.
ESI
electronically stored information
Endscript directive
end of file in Logrotate.conf file.
find
find specific files
Shadow File
Lists username, encrypted password, password/login rules that control aging and expiration.
LKMs
Loadable kernel modules
LKMs
Loadable kernel modules. Gaining access and using LKMs is a good way to add rootkits.
Discretionary Access Control
Users manage the data they own. eg Windows workgroups and Linux file permissions.
scwcmd.exe
cli version of SCW. Used on Server OSes. Great for auditing and creating a GPO from an XML policy file.
scwcmd.exe
cli version of Security Configuration Wizard (scw.exe).
TCP Reset Attack
Attacker spoofs source IP, port, destination and sequence number in the packet and includes RST bit to terminate the session.
nodev
Device files are ignored in the file system. Files found in /dev and /devices are not allowed to communicate with the system drivers.
RC4
Encryption protocol that was used in 802.11 WEP, SSL and TLS.
EFS
Encryption utility used by NTFS.
Object Auditing
First, enable Audit Object Access in computer's audit policy, Then, you configure the individual object SACL.
Gradm
Grsecurity utility to manage RBAC.
Zero Power HA (ZPHA)
HA device will reroute traffic if the IPS loses power.
HUP signal
kill -HUP <pid>
Database Monitoring
"A more complete and rigorous test would involve a recurring process that logs in as a valid user, performs a transaction or query within the application, and checks to see whether the expected result is returned."
Package Manager
APT, RPM, Yum. A Package Manager is a collection of software tools that automates the process of
Injection
Stego. Hide message within file's unused space. Increases file size. No theoretical limit on how much data can be hidden.
IDS Evasion
Attackers attempt to obfuscate traffic to get past IDS by changing characteristics of the traffic sent to exploit a particular vulnerability.
HIDS
Uses signature and anomaly analysis with unauthorized change monitoring, log monitoring, and network monitoring. Organizations can reap significant benefit by correlating the data across multiple sensors with centralized alerting. Network monitoring uses signature analysis to identify EOI. Can monitor outbound and inbound traffic to detect pivoting, internal recon, lateral movement and C2. Can provide info NIDS can't see, eg analysis of unencrypted traffic streams, p140. Can be a deployment nightmare and $$$, p141. HIDS technology is now used to monitor configuration and status of network appliances, p143.
Reverse Engineering
Technique used to reverse encrypted passwords. More commonly used for generating software license keys.
logrotate.conf
Tell log server to retain all received and local logs for at least 120 days.
Automatic Demotion
Automatic Demotion to Guest occurs when Simple File Sharing is enabled.
IP
Doesn't guarantee delivery or delivery in sequence. Includes fault tolerance features: TTL, checksum, ToS, fragmentation.
Wireshark
Examples of sniffers page.
Hash
Goal is integrity. MD5, SHA, RIPEMD, HMAC. One-way transformation (no way to decrypt), irreversible. Key length is hash length. Fixed-length output is often referred to as key length. Hashing proves a document didn't change.
Password Cracking
Offline process of attempting to guess passwords given password file information. Can be used to find non-compliant passwords without cracking compliant passwords.
HIPS
One of the major benefits is the ability to identify and stop known and unknown attacks, p145. Uses a combination of signature analysis and anomaly analysis to identify attacks, p145. False positives are a problem, but less so on a distributed scale; limited support for protecting custom apps; additional burden of 10%-20% CPU and memory usage on hosts, p147.
Vulnerabilities
"While threats drive the risk calculation, vulnerabilities drive the risk reduction." Weaknesses in the system. They are inherent in complex systems and will always be present. Poor coding practices and lack of error checking. Gateway by which threats are manifested. 2 categories: known and 0-day. 5 vulnerability axioms: 1 vulnerabilities are the gateways through which threats are manifested; 2 vulnerability scans without remediation have little value; 3 a little scanning and remediation is better than a lot of scanning and less remediation; 4 prioritizing systems and vulnerabilities is critical; 5 stay on track. CNSS 4099: "weakness in an IS, system security procedures, internal controls, or implementation that could be exploited." eg Misconfigured server leaving a port service open without requiring authentication.
Boot volume
%SystemRoot% usually \Windows contains OS files. BitLocker can encrypt this volume.
NIPS Challenges
Organizations can't afford false positives; NIPS have to keep up with traffic demands; NIPS tend to have less-extensive rule bases than IDS.
Promiscuous Mode
Tells computer NIC to accept every frame regardless of whether MAC address matches or not
Audit Privilege Use
(Failure)
Audit Account Logon Events
(Success, Failure)
Audit Account Management
(Success, Failure)
Audit Directory Service Access
(Success, Failure) On DCs, this is required to log access to AD objects as defined by their individual audit settings.
Mandatory Access Control
Controls all access. Controls set by system and cannot be overwritten by sysadmin. Takes a lot of work to maintain b/c all data has classification and all users have a clearance.
missingok
Tells logrotate to continue to the next file if file doesn't exist.
Substitution
Stego. Message is hidden by substituting the least significant bits in a document. Limits to how much data can be hidden. Can result in file degradation.
RoboCopy
CLI tool for copying and moving files. It does not use Volume Shadow Copy Service, so it cannot copy files that are continually locked.
Micro-Segmentation
Concept implemented by SDN to analyze and filter traffic between endpoints.
schtasks.exe
Task Scheduler. CLI, PowerShell or MMC.
IPSec, Windows Implementation
Encrypts traffic but more importantly, it requires mutual authentication, which SSL does not. Can be managed through Group Policy or PowerShell, p227.
windump
Tcpdump ported to Windows. See tcpdump
Preparation, Incident Handling
Planning is everything. Preparation plays a vital role. It's very important to have a policy in place that covers an organization's approach to dealing with an incident.
Reconnaissance
Provides visibility into your organization and insight into how the adversary will target you.
RPM
RedHat Package Manager, used by Fedora
TKIP
Temporal Key Integrity Protocol built into 802.11i WPA2. Works with CCMP. See WPA2.
Log Parsing
grep, cut, sed, awk, auditd
WPA2
Uses AES-CCMP encryption mechanisms to improve security of 802.11 networks. Requires a hardware replacement to upgrade to it.
Traceroute
Uses ICMP time exceeded to count hops as it follows a path to destination host.
Tracert
Uses ICMP time exceeded to count hops as it follows a path to destination host.
Server Nano
110MB. Server 2016 or later. No shell or desktop. Only a console to configure basic networking and firewall changes. Primary method for remote control of Nano is PS.
Partitions
16 different partitions /hda0 through /hda7. 3 reasons to use partitions: makes it difficult for one subsystem to affect another by locking down partition to fixed size; backing up partitions is easier; you can set different security options on different partitions.
Log Size, Wrapping, and Consolidation
1MB holds 7,500 events. Recommended size is at least 50MB to start.
SSH/TLS Key Management
2 options listed: KeyBox and Puppet.
Syslog facility codes
24 facility codes. local0-local7 used most often. Common facility codes are kern 0, user 1, daemon 3, auth 4, syslog 5, authpriv 10.
Bluetooth
2Mbps, up to 7 simultaneous connections, no LoS requirement. Class 1 supports 100 meters, Class 2 supports 10 meters, Class 3 supports 1 meter. Bluetooth v5 doubles the speed and quadruples the range.
OS Classes
3 Classes of Windows OS are Client, Server and Embedded
Network Design
3 goals: 1- any system visible from the Internet must reside in the DMZ and cannot contain sensitive information; 2- any system with sensitive information must reside on the private network and not be visible to the Internet; 3- only way a DMZ system can communicate with a private network system is through a proxy on the middleware tier, p36
Unneeded ports
3 ways to control and close unneeded ports: comment out (#) unneeded services in /etc/inetd.conf; disable option (yes) in /etc/xinetd.d; comment out or set to NO in /etc/rc.conf.
Privilege Elevation
3 ways to elevate privileges: anonymous login with the root account, which is not recommended; su command to gain superuser access, allowing a normal user to switch to root; sudo command, which allows a normal user to run a command with root privileges, which is best for auditing and the normal user doesn't need to know the root password.
dumpusers.exe
3rd party audit tool that uses null session
Authentication
4 ways to authenticate: something you know; something you have; something you are; some place you are.
Server Core
5GB size. Server 2008 or later.
Access Control Techniques
6 Common Types: Discretionary Access Control, Mandatory Access Control, Role-Based Access Control, List-Based Access Control, Token-Based Access Control.
MAC Address
6 byte value. 48-bit address. 12 hexadecimal digits. First half vendor code Cisco 00:00:0c. Hardware address.
Bitlocker TPM Operations
6 ways to implement BitLocker. Backup your Bitlocker Recovery Password!
802.11ac
6.9Gbps. MU-MIMO. Major performance boost over 802.11n.
Log Reports for SIEM
7 Top Log Reports: Authentication, Changes, Network Activity, Resource Access, Malware Activity, Failures, Analytics Reports
Super Bluetooth
802.11ad short-range < 10 meters uses ISM band 60GHz and provides 7Gbps throughput, no latency.
System Call Interception
A technique used by HIPS software. It inserts its own processes between applications accessing resources on the host and the actual OS resources.
Exclusive Analysis
A measure of log monitoring that uses a list of keywords or phrases as a white list of events. Log entries that don't match the exclusive keyword list are raised as alerts.
Inclusive Analysis
A measure of log monitoring that uses a list of keywords or phrases that define the events of interest. The keyword list is a blacklist.
Log Analysis
A measure that can be implemented by any organization at little cost. Used with HIDS reporting. See exclusive analysis and inclusive analysis.
File and Print Sharing
A network binding that should be disabled on computers directly connected to the Internet.
Decoy IPs
A network device, eg router, can be configured to respond to ping sweeps, making it appear that all IPs are active. VMs can be used to reply back on certain IPs.
Multiresolution Filtering
A technique that uses rule classification to quickly sort through traffic in order to rapidly identify malicious events. IPS will start with simple tests first. If it passes, the traffic is given more complex tests.
SQL Injection
A vulnerability that is exploited by insufficient input validation, which allows an attacker to execute arbitrary SQL commands, usually through an authorized web server application database account. It can also lead to OS compromise, eg the SQL Server command xp_cmdshell stored procedure. Some web scripting languages like PHP with magic_quotes turned on automatically escape user-supplied data, but don't rely on that alone. Validate user input and filter special characters and SQL commands, eg ' and ; and : and ". Set max lengths on input. Use stored procedures instead of SQL queries. More defenses listed p149.
Multi-Master Replication
AD uses multi-master replication to share information among all controllers in the domain.
Advanced Packaging Tool
APT is a Debian package management tool based on dpkg.
Log Monitoring Strategy
Decision Tree.
VM Escape
Ability to compromise a system once and be able to access all other VMs. VM escape removes isolation between VMs and host. Guest escapes from the sandbox and is able to access the supervising hypervisor and its resources.
Virtualization
Ability to emulate hardware using software. Allows hardware and software to decouple from each other. Key component is the ability for abstracting and emulating specific hardware components, which is done by the hypervisor.
AUP
Acceptable Use Policy
ACE
Access Control Entries
Access Control Entries (ACEs)
Access Control Entries are individual permissions stored in DACL. Manage with ICACLS.exe or in Security Tab Special Permissions. Gray-checked ACEs are inherited and solid-checked are explicitly assigned.
ACL
Access Control Lists on border router help firewall.
AGULP Model
Accounts, Global Groups, Universal Groups, Local Groups, Permissions & Rights. Unique Account is assigned to Global Group. Global Group is assigned to Universal Group. Global/Universal Groups are assigned to Local Groups. Local Groups are assigned Permissions & Rights.
Cryptanalysis
Act of obtaining plaintext or key from ciphertext. Used to pass on altered or fake messages to deceive intended recipient.
Detective Control
Action of tracking down the threat
ADHD
Active Defense Harbinger Distribution
Sprawl Management
Actively manage the virtual environment. Know what's used, what's needed and what's not.
ARP
Address Resolution Protocol RFC826
ASLR
Address Space Layout Randomization prevents buffer overflows. Part of MacOS RunTime protection (p20). Use sysctl to enable ASLR for individual programs (p103). Use PaX to improve ASLR.
Known Vulnerabilities
Address with aggressive patch management.
Procedure
Addresses how to protect information in a detailed step-by-step way. Tactical.
Administrative Templates
Administrative Template settings are found under both Computer and User Configuration in the GPO. If there's a conflict, Computer Configuration setting usually wins.
Hidden Share
Administrators have full control. Registry entry listed. eg, C$
Misc ADM Settings (Adobe)
Adobe provides ADM/ADMX templates to import into GPOs
APT
Advanced Packaging Tool used in Debian (eg Ubuntu, Kali)
APT
Advanced Persistent Threat. See Advanced Persistent Threat. See Threat Agents.
QRadar
Advanced Sense Analytics Engine to detect advanced threats through network anomalies.
NMAP
Advanced host discovery, port and protocol mapping, vulnerability analysis framework.
Scanning
Advanced probing of the target for vulnerabilities that can be easily exploited. Network mapping, port mapping, vulnerability scanning, OS fingerprinting, war dialing, wireless scanning.
Incident
Adverse event in information system and/or network. Refers to harm or the significant threat of harm. Incident is composed of one or multiple events.
Tarpits
Aggressive technique that will send information to adversary's computer, causing it to use all of its resources or behave in a slow manner. Most common tarpit is manipulating TCP window size to really small or periodically setting to zero.
Security
All about understanding, managing and mitigating risk. What is the risk? Is this the highest priority risk? Is this the most cost-effective way of reducing the risk?
Forest, AD
All domains in a forest share a single Schema and Configuration Naming Context.
Trusts, Two-Way Transitive
All domains in a forest share two-way transitive trusts between them. Every domain in the forest trusts every other domain in the forest.
DAD
All for Windows to syslog logging
Source Routing
Allows IP packets to specify routing. Can be used to bypass firewall and other protections. Should be disabled by default.
Virtual Machine Introspection
Allows an administrator to monitor all events within a virtual environment so any unusual behavior can be caught early. Specifically designed to have minimal effect. Eg the hypervisor can check memory, system events, malware detection, especially when malware is designed to avoid antimalware detection. Can detect malware actions designed to avoid antimalware detection, since behavior is observed from outside.
Virtualization
Allows for better utilization of resources, but it could also create security concerns. Ability to emulate hardware using software.
Resource Sharing
Allows for simplified exchanges between VMs as well as their host OSes. This flexibility introduces risk. eg clipboard
Virtual Private Storage (VPS)
Allows users to access data over a shared infrastructure while protecting data, similar to a VPN. Uses encryption keys. File/folder protection, client/application encryption, proxy encryption.
Honeypots
Also known as sensors or canaries. Goal to slowdown basic host discovery. Honeypot is a single system. Research honeypots' goal to research systems with deliberate or known weaknesses. Production Honeypots: hardened systems to replicate a production system.
Hybrid Attack
Also uses wordlist and has configurable settings to account for password complexity policies.
NTFS DACLs
Always enforced, even with local users, IIS HTTP and FTP, RDP, SMB shared folders, PowerShell Remoting.
Virtual sprawl
Condition in an operating environment where number of VMs in existence reaches a point where they are no longer effectively managed or secured. Can happen through mismanagement and understaffing. Mitigated with right policies and automation.
System on a Chip (SOC)
Architecture for small Windows Server appliances
Cryptography
Art and science of inventing and refining ciphers to hide the meaning of communications. Big Picture diagram on p14. Three core components of cryptography: 1-info is protected at rest; 2-info is protected in transit; 3-keys are properly protected and managed, p15. Goals of cryptography are confidentiality, authentication, integrity and non-repudiation.
War Dialing
Attack to find internal systems still attached to modems.
TCP Connection Spoofing
Attacker has to predict ISN the destination host will choose.
Supply Chain Attack
Attacker intercepts hardware or software and installs malicious components or publishes malicious APIs.
CDP Manipulation
Analyze packets and gain info. Leverage known vulnerabilities.
Android vs iOS
Android is open and iOS is closed. Android has more functionality and more security issues historically. Android has 2/3 market share (69%)
Annualized Loss Expectancy (ALE)
Annual expected loss based on a threat. ALE = SLE x ARO
Offensive Countermeasures
Another name for Active Defense.
Slice
Another name for partitions
Threat
Any event that can cause an undesirable outcome.
Client/Application Encryption
App is embedded with engine encryption to protect data. Eg mobile apps.
PaaS
Appeals to Devs
IaaS
Appeals to SysAdmins
SaaS
Appeals to users. Eg O365 and OneDrive.
Hardware Security Module (HSM)
Appliance to manage your encryption keys. Allows RMS and other Azure services to access your data in plaintext form as necessary. In theory, M$ can't access your keys.
TCP/IP
Application OSI 5-7, Transport (TCP) OSI 4, Internet (IP) OSI 3, Network OSI 1-2. p143 shows Partial TCP/IP suite and how it maps to OSI model. IP maps to Layer 3 and is responsible for determining route to be taken between two network devices, handles flow control, segmentation/desegmentation, error control functions. See IP for more details.
API
Application Programming Interface. Hardware Abstraction Layer. Cloud APIs allow virtual platforms to locally leverage resources of powerful remote apps. Using server-side apps, APIs can access libraries and repositories from a variety of programming languages. APIs serve as building blocks of many sophisticated applications.
chroot()
Application isolation feature enabled on an app-by-app basis. Containers and Virtualization. Some apps now provide preconfigured chroot() areas. Problem is that a chrooted app may need access to dependencies placed in its chroot directory.
Service
Application that either waits in the background or carries out special tasks in the background (Linux.com). It's a process that starts on boot and provides critical functions (stackexchange).
Containers vs VMs
Applications run on the same OS with the same kernel. More scalable. Apps will run the same in all environments. They are isolated to achieve a level of security. Lightweight, fast-to-launch server that shares OS files of hosting server in a sandboxed way. It can have its own IP, MAC address and private view of the file system.
Standard
Applied to the organization as a whole. Specifies a certain way something is done or a certain brand or type of equipment to use.
gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
Apply output file as policy.
Honeytoken
Approach of creating fake protected data with labels that are set to trigger an alert from IDS if attacker attempts to exfiltrate. Easiest and most cost-effective honey deceptive technique, p215.
Defense-In-Depth (DiD), Network Design
Approach that advocates use of multiple layers of protection to guard against failure of a single security compromise. Separating systems into several network sections is one example. Configuring firewall to restrict how traffic crosses section boundaries is another. A border router is a third. Fundamental principle is that you're not relying on any single security mechanism to cause single point of failure, p38.
BCP Key Components
Assess (BIA), Evaluate, Prepare, Mitigate, Respond, Recover.
Role-Based Access Control
Assigns users to roles or groups based on their functions. Groups are assigned authorization to perform functions on certain data
NIDS Advantages
Assists in auditing.
List-Based Access Control
Associates a list of users and their privileges with each object. Each object has a default set of privileges that applies to unlisted users.
Binding, IIS
Associates each site with its certificate
Circuit Level Gateway
At Layer 5 Session. They filter TCP handshake, but not individual packets. Good for screening private network.
Permissions
Attached to a particular object, eg Read access to a file.
Honey Badger
Attack Back tool. Determines physical location of a system. Uses geolocation, wifi and IP. Pretends to be an administrator interface. Runs java applet on the local machine.
Hardening Guides
Automation of hardening can make security of systems more scalable and auditable. But, they can be dangerous if applied blindly.
Input Attacks
Avoid making system calls within web applications, especially when the system call is based on user input. Use built-in app functions or a library within your programming language instead. Strip OS commands and characters from input. Define valid characters for input. Delete all others from input.
OS Command Injection
Avoid making system calls within web applications. Use built-in app functions instead. Strip OS commands and characters from input. Define valid characters for input. Delete all others from input.
Azure AD PIM
Azure AD Privileged Identity Management
Rights Management Service (RMS)
Azure Rights Management Services for O365 is a DLP feature to encrypt data files in case of file leak
Azure ASC
Azure Security Center
Maintaining Access
Backdoors, persistent processes, creating accounts, covert channels.
BITS
Background Intelligent Transfer Service
Type 1 Hypervisor
Baremetal hypervisor. Reduces attack surface b/c it's a stripped down OS. Original hypervisors developed by IBM were Type 1. Common ones today are XenServer by Citrix, VMWare ESX, M$ Hyper-V.
Security as a Service
Barriers are compliance, multi-tenancy and vendor lock-in. Multi-tenancy presents concerns of data leakage between virtual instances. Providers should take extra precautions to ensure data is compartmentalized and any data shared is anonymous to protect the identity of the source.
Authorization
Based on least privilege, where entity is only given minimal access to do the job.
CIA Triad
Confidentiality (vs Disclosure); Integrity (vs Alteration); Availability (vs Destruction). Security and Functionality are inversely related.
Policy
Baseline Framework Pyramid, top down: Policy, Standards, Guidelines, Procedures. Policy is a general management statement. Defines the "what" to do in order to protect information. Safeguards information while reducing personal liability for staff. You must have executive and user buy-in. Security policy statement should strongly reflect the management's beliefs that if information is not secure, the business will suffer. Policy is a mandatory directive that indicates a conscious decision to follow a path toward a specified objective, p71
Indicators of Compromise (IoC)
Baseline a system using ls, ps and netstat to identify and mitigate adversaries trying to install programs, run daemons/services, make outbound connections.
Anomalies Detected
Baselines help sift through noise. Visualizations help identify outliers easier.
Shell examples
Bash, sh, csh, sh, ksh, tcsh, Windows cmd.exe and powershell.exe, DOS command.com.
HTTP Authentication
Basic mode: credentials sent in cleartext Base-64 encoded, see process p177. Digest Mode: Sent in MD5 hash of password.
Threat Hunting Types
Basic, Statistical Analysis, Visualization Techniques, Simple Aggregation, Machine learning, Bayesian Probability.
Bayesian Probability
Bayesian statistics is a theoretical computation where facts about a given state are expressed by degrees of belief. It takes complex data patterns and tells you the important information about them.
Risk Management
Before you begin managing risk, you need to understand business operations and what types of risk they might be exposed to, p202. Goal of risk management is to identify, measure, control, and minimize or eliminate the likelihood of an attack, p202. Requires an understanding of how security is implemented in your organization and how security threats affect your business operations. Main focus is to reduce the risk to an acceptable level, p203.
Isolation
Being able to separate OSes and applications is one of the key benefits of virtualization.
Virtualization Security
Benefits are isolation to handle application instability, resilience and high availability, automation, data governance, forensic analysis b/c you can make an exact copy of a physical computer. Lack of air gap can be an issue p55.
Social Engineering
Best-known techniques are urgency, impersonation and third-party authorization.
Overall Security
Better visibility, reducing the attack surface, controlling the damage, early detection. What is the risk? Is this the highest priority risk? Is this the most cost-effective way of reducing the risk?
Journald
Binary logger used by Systemd instead of syslog.
BET
Blackhole Exploit Toolkit
Hybrid Cloud
Blend of Public and Private models
Controlled Folder Access
Blocks changes to protected folders from untrusted apps. Requires Windows Defender A/V to be enabled and real-time protection turned on.
BNEP
Bluetooth Network Encapsulation Protocol
IoT
Bluetooth v5 designed for IoT performance and functionality.
XOR
Boolean Exclusive XOR is one of the fundamental operations in cryptography. One or other is true (1), but not both (0)
Separation of Duties
Break critical task across multiple people to limit your points of exposure. No single person can make a decision.
Bridge
Bridge makes a decision about whether a frame should be sent to the other port.
Equifax Breach
Confidentiality and Integrity attack on Apache Struts vulnerability that allowed for remote code execution.
wslconfig.exe
Configure WSL to run multiple distros of Linux side-by-side
Directed Broadcasts
Broadcasts sent to a target subnet without broadcasting to the entire network. Used in older DoS attacks. Should be disabled or at least restricted.
SaltStack
Built for speed in the cloud. Also known for reliability, security, modularity and scalability. Uses public crypto to secure two-way communications between main configuration server and client servers. Many well-known cloud providers offer integration into Salt Cloud.
Guest Account
Built-in account. If DC or computer doesn't know account, then they may login the account as a guest. Best to assign long passphrase and disable it. Net.exe user guest <longpassphrase> /active:no /times:
Auditing
Built-in auditing, automates security checks making auditing a part of your infrastructure will simplify the review process.
IPC$
Built-in share for inter-process communications and should not be modified. Registry setting.
IP Tables
Built-in to the Linux kernel. More than just a firewall, it's a complete packet inspection system.
BCP
Business Continuity Planning
BIA
Business Impact Analysis
BRP
Business Resumption Planning
Locking User Accounts after failures
By default, most Unix systems don't lockout accounts after set number of login attempts. Use /etc/pam.d/system-auth to enforce account lockout after too many failed attempts. Set no_magic_root so that it's not applied to root account.
Virtual Ethernet Adapters
Connect virtual systems to each other or to a virtual switch. Configure them to interact with specific virtual switches.
Switch Attacks
CDP manipulation, MAC flooding, DHCP spoofing, STP attacks, VLAN Hopping Attack, Telnet Attack
Whisker
CGI Web Vulnerability Scanner Tool.
SMB vs CIFS
CIFS is SMB plus a few enhancements. Both protocols allow for folders and printers to be shared on the network. Shared folder permissions are enforced by the File and Print Sharing Service, not the NTFS filesystem driver.
Center for Internet Security (CIS)
CIS configuration benchmarks provide best practices for hardening OSes to protect endpoints. Provides security templates for OSes.
Reg.exe
CLI regedit
fc.exe
CLI to compare 2 files
wecutil.exe
CLI to manage Windows Event Collector
winrm.vbs
CLI to manage Windows Event Collector
Public Cloud
CSP owns infrastructure.
Shared Folder Permissions
Can be accessed from Network Neighborhood, Mapped Drive Letters, Run Line or Shortcuts.
DNS, bogus entries
Can be combined with other active defense methods to mislead and slow down adversary. Can redirect adversary to honeypots, jailed environments or tarpits.
Entity Relationship Diagram
Can be helpful in trying to analyze what entities must be used to implement a particular control.
Web proxy
Can be used for MitM attack. App sits between client computer and web server.
WLAN IDS
Can implement rogue AP countermeasures to DoS discovered rogue APs.
Network Obfuscation and Virtualized Anti-Reconnaissance (NOVA)
Can launch several decoy VMs and manage them with a centralized management tool. Various VMs are called haystacks. VMs run honeyd as the honeypot engine. Used as an early warning system.
Rapid VM Deployment
Can lead to virtual sprawl.
SSL VPNs
Can work in essentially any web browser. Browser must be able to handle specific types of active content (eg Java, JavaScript, Flash or ActiveX). Tunnels are usually created using a nonstandard tunnel method.
CSE
Canadian Security Establishment
Air Gap
Cannot physically isolate VMs that are hosted on same Hypervisor. Hypervisor provides a software connection between VMs it hosts.
airodump-ng wlan0
Capture wireless frames
Database Activity Monitoring (DAM) Tools
Captures and records all SQL activity in real-time and generates alerts on policy violations. Mitigates SQL injections attacks. DAM tools are usually agent based connecting to central collection server.
CSMA/CD
Carrier Sense Multiple Access with Collision Detection
CSMA/CD
Carrier Sense Multiple Access with Collision Detection. Listens before transmitting to avoid collisions.
Vector
Categories of attack. Can be internal or external. Outsider attack from network. Insider attack from local network or local system. Attack from malicious code.
ro
Causes kernel to prevent writes or updates to given file system.
Centralized logging
Central server should only receive logs from authorized machines and be firewalled from all others. Several partitions can be used for logging to segment the risk of a DOS. Also rotate logs quicker and/or have lots of disks to weather a DOS. Only run the syslog service on the central server and limit logins to sysadmin IPs.
Apache2syslog
Centralization of Apache logs via syslog
CA
Certificate Authority
CRL
Certificate Revocation List
Certificates
Certificate lifecycle, p115.
Containers vs VMs
Containers require fewer resources than VMs.
CFA
Controlled Folder Access
Enabling Password Aging
Controlled in two config files: /etc/login.defs and /etc/default/useradd. In most Unix OSes, the password-expiring and password-rotation features are disabled.
Router Hardening
Change default password, disable ip directed broadcasts, disable http configuration, block ICMP ping requests, disable ip source routing, determine and establish packet filtering, establish ingress and egress filtering policies, maintain physical security of the router, review security logs, upgrade to latest IOS.
Chgrp
Change group ownership.
Rotation of Duties
Change jobs on a regular basis to prevent anyone from being able to get comfortable and cover their tracks. Minimizes chance of collusion.
Chown
Change user ownership.
Chkrootkit
Check Rootkit looks for suspicious processes and known bad files. Common false positive is mail server Port 465. Don't rely on this alone. Script that uses grep to search for signatures and compares list of /proc filesystem with output of ps command to look for discrepancies.
Handling Errors
Check for error conditions and handle errors gracefully, even ones that should never happen.
CBC-MAC
Cipher Block Chaining Message Authentication Code
SAFER+
Cipher used by Bluetooth algorithm for encryption and authentication, usually using 128 bit keys and 4 digit PINs that users often set to easily guessed numbers. Can support 256 bit keys.
Threat
Circumstance or event with potential to adversely impact a system, p37. Any activities that could potentially affect CIA of your systems or services. Protect against most likely threats based on: intellectual property, business goals, validated data, past history. Primary Threats: malware, insider threat, APTs, natural disasters, terrorism. Threats drive the risk calculation. CNSS-4009 "any circumstance or event with a potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or DoS" p37. Two types of threats: intentional and unintentional.
Endpoint Security
Clear visibility is imperative, and organizations today are not doing a great job with detection.
cls
Clear your screen in PowerShell.
SSL/TLS
Client and Web Server use PKI asymmetric to negotiate a session key symmetric.
Group Policy
Client downloads and applies GPOs at bootup, logon and every 90-120 minutes. Enable auditing and IPSec settings here. AD Group policy will overwrite the local group policy every 90 minutes by default.
Disaster Recovery
Client should not depend on single provider and should have a DR plan in place. IaaS providers should have contractual agreements with multiple platform providers and have tools to rapidly restore systems in the event of loss.
HEAD
Client uses HEAD to retrieve information from the server. Similar to GET. Server will check if the information requested is there and respond. Won't send over all information requested. Used to save bandwidth and client resources for large information requests.
Transport VPN
Client-to-Site VPN. Between two hosts, p100.
CSP
Cloud Service Provider
Cryptosystem
Collection of all possible inputs and all possible outputs, in addition to the algorithm and keys. Humans are a part of a cryptosystem.
Snapshots
Collection of data that documents the configuration and running state of a system at a given point in time.
Rootkit
Collection of software tools that work to cloak the existence of malicious files and tools that have been installed by manipulating files, disabling AV and opening backdoors.
secedit.exe /analyze
Compares settings of .inf Security Templates.
Directory Traversal Attack
Combination of flawed access control and input attack.
C&C
Command and Control
C2
Command and Control
auditctl
Command used to audit system calls. See list of switches and uses of auditctl on p161 and 163.
Domain Tools
Commercial. Threat Hunting. DNS research and analysis tool
Endgame
Commercial. Threat Hunting. Full platform that supports detecting, mitigating and exploiting cyber vulnerabilities and attacks.
Sqrl
Commercial. Threat Hunting. Secure automated login mechanism that enforces authentication.
Carbon Black
Commercial. Threat Hunting. Detection of malicious anomalies and malware.
Malware Bytes
Commercial. Threat Hunting. Endpoint security tools for detection and remediation of malware, including rootkits.
Grsecurity
Commercially packaged set of patches for the Unix kernel designed to enhance security with true role-based access control, creating a full least-privilege system. Hardens the file system and includes more audit logging capabilities. Includes PaX. List of features p111.
CNSS
Committee on National Security Systems
CIFS
Common Internet File System protocol
CVE
Common Vulnerabilities and Exposures
Binding, Network
Communications path between networking component like service or protocol and physical network adapter.
Private
Company's internal systems. Do not provide access to these systems from the Internet. They contain sensitive information.
OS Enhancements comparison
Compares features of grsecurity, AppArmor, SELinux
Effective Permission
Comparison of final share permission and final NTFS permission. Deny always wins.
PKI Problems
Competing/incomplete standards, certification of CAs, etc
GPO Checklist
Complete list of recommended GPO settings for best security practices. Baseline.
GPO Settings
Complete list of recommended GPO settings for best security practices. Baseline.
Stack Management
Complete stack management focuses on end-to-end connections within the virtual environment to ensure there are no gaps.
Critical Security Controls (CSC)
Controls centered on root cause analysis. You cannot manage what you cannot measure. 15 of the 20 controls can be monitored automatically or continuously. Guiding principles: Defenses should be automated and measured at regular intervals using automation; undertake a variety of specific technical controls (instead of operational controls) to address the current attack landscape; fix root cause problems to prevent or detect attacks in a timely fashion; establish measurements of security program effectiveness and form a common language to talk about risk. 3 control priority families: system controls, network controls, application controls, p100. Key rules are each control has to map to an actual known attack; if a known attack does not exist, it cannot be a control; "offense must inform defense."
Innocent Infringement
Copyright idea that someone may use a work w/o understanding it belongs to the author, if the author doesn't display a copyright notice.
Kernel
Core component of OS, referred to as the brains, manages the hardware and executing processes. It must have a dedicated space in memory to reside.
Risk Management
Core focus is CIA Triad.
nbs
Correlate and Alert
Proprietary (Business Classification)
Cost of procuring, profit margins, contact lists, etc. Contracts, financials.
CCM
Counter with CBC-MAC
CCMP
Counter-Mode/CBC-MAC Protocol. Protocol built into 802.11i WPA2. Works with TKIP. See WPA2.
Software Defined Network (SDN)
Covers network technologies that make the network as flexible and agile as a virtual machine or virtualized storage.
Disaster Recovery Plan (DRP)
Covers the restoration of critical information systems that support the business processes. It's a part of BCP, p161. DRP provides a response to disruption, whereas BCP implements the recovery, p160.
aircrack-ng SEC401_WEP.cap
Cracks WEP key found in pcap file.
New-NetIPSecRule
Create an IPSec rule
Tripwire
Creates a cryptographic hash value of a file. If file is modified, the tool can detect a change because the new hash is different than the original hash.
Take Ownership
Creator Owner is owner of file or folder. Usually the person who created it. Audit who uses this privilege. Greatest threat to least privileges principle.
Form-Based Authentication
Credentials entered and sent as HTML form data. Common to see the <INPUT TYPE="PASSWORD"> tag. Secure form-based authentication requires a secure channel, eg SSL.
CSC
Critical Security Controls
Security Association
Critical part of IPSec. They document common services, called transforms, that are particular to an IPSec connection.
/etc/crontab
Cron daemon (crond) works way through /etc/crontab file every minute to see if there is a task for it to perform at a scheduled time.
Codes
Cryptographic transformation that operates at level of words or phrases
Cipher
Cryptographic transformation that operates on characters or bits.
Cryptology
Cryptography and cryptanalysis
Advanced Persistent Threat
Cyber espionage is more likely to use an APT strategy. APTs can be multi-year, multidimensional and are often highly targeted. Key property: Stealth. Unlike APTs, traditional threats are known for being automated, consistent and opportunistic.
STIG
DISA and NSA Security Technical Implementation Guides
Data Loss Prevention (DLP)
DLP identifies, monitors and protects data at rest, data in motion, data in use using deep content analysis. DLP enforces this in two ways: blocking data to stop a workflow and allowing data flow to proceed after data has been encrypted.
Semi-Public
DMZ. Resources that are our contributions to Internet. Must be reachable from the Internet and also need Internet access (eg DNS, email). Cannot contain sensitive information.
DNS Sinkhole
DNS server that gives out false information
Data Classification
Data Classification is the responsibility of the Data Owner, Sr Management. Data Classification Process: 1 Identify roles; 2 Identify classification and labeling criteria; 3 Owner classifies the data; 4 Identify exceptions to the classification policy; 5 Specify the controls for each classification level; 6 Identify declassification, destruction, or transference procedures; 7 Include an enterprise awareness program about data classification.
DLCI
Data Link Connection Identifier Frame Relay address with 10 bits
DLP
Data Loss Prevention
DLP
Data Loss Prevention. If you encrypt your data, you cannot use this feature.
Honeycreds
Decoy accounts to distract an attacker. Often named for well-known default system accounts that usually have privileged access.
NTFS
Default file system. Up to 256TB max volume size
Data Fragmentation
Data fragmented and distributed across multiple remote servers. Used for storing long-lived data in the cloud with high assurance. Combined with encryption, it's very resistant to compromise because an attacker has to defeat many cloud nodes to retrieve the fragments.
Steganography
Data hiding. Provides confidentiality but not secrecy. It doesn't guarantee safety. Hide data within data, eg images, Word docs, sound files, mpegs, text documents, fractals, HTML files, p44.
Encapsulating Security Payload (ESP)
Data integrity. No modification of data in transit. Confidentiality, data can be encrypted. Origin authentication, identifies where data originated.
Authentication Header (AH)
Data integrity. No modification of data in transit. No confidentiality. Origin authentication identifies where data originated.
Big Data
Data warehouses that many customers find easier to store in the cloud.
DAM Tools
Database Activity Monitoring tools
Active Defense Types
Deception, Attribution, Attack Back
Secrets
Don't build secrets into your code.
Session Tracking Mechanisms
Don't make your own. Use off-the-shelf libraries that are well-maintained and time-tested.
GPO Updates
Downloaded automatically at startup, shutdown, logon, logoff, every 90-120 minutes.
Prevention is ideal, but detection is a must.
Dr. Cole quote
libcap
Driver interface used by tcpdump
Network Access Control (NAC)
Dynamic VLAN allocation. Isolates systems when they initially connect. Enables systems to be scanned and checked before connecting them to the trusted segment.
DLL
Dynamic Link Library allows apps to share code and procedures
Loadable dynamic modules
Dynamically loaded modules are more vulnerable to rootkits than loadable kernel modules; no reboot is required. They increase flexibility.
EAPOL
EAP over LAN used to encapsulate frame between 802.1x supplicant and authenticator. Authenticator encapsulates EAPOL in RADIUS request to Authentication Server.
Encapsulation
Each layer of TCP/IP protocol stack adds a header as the packet moves down the stack
Decapsulation
Each layer of TCP/IP protocol stack strips off a header as the packet moves up the stack
MySQL
Easy relational database good for storing logs. Use to store logs.
Tractable Problems
Easy to solve in polynomial time
Tractable Problems
Easy to solve in polynomial time. Symmetric Encryptions. Eg, Constant problems, linear problems, quadratic problems, cubic problems. Calculation of any standard ciphertext is a tractable problem. Eg Data Encryption Standard (DES).
Low Orbit Ion Cannon
Easy to use attack tool
Metasploit
Easy to use tool
RF-Jamming
Easy way to DoS a 2.4GHz or higher wifi network. Used against 802.11, Bluetooth and other networks. Bluetooth is less susceptible b/c its on FHSS instead of DSSS/OFDM.
Wireless Top 5 Security Risks
Eavesdropping, Masquerading, DoS, Rogue APs, Wireless Phishing.
False Headers
Eg, add deceptive web server identity information to HTTP header.
ediscovery
Electronic aspect of collecting data for compliance, lawsuit or investigation. Collect ESI (electronically stored information) from web, email, social media, voicemail, video, etc.
ECC
Elliptic Curve Cryptosystems
PKI Uses
Email, hdd encryption, code and driver signing, wifi authentication, NAC/NAP, digital signatures, etc
Hidden Fields
Embedded state information in an HTML form. A little harder to implement. Info isn't displayed to user. They aren't hard to alter and can be viewed by View Source command in browser.
Process Enforcement
Enable IT-specific virtualization processes to increase in efficiency and simplify management.
airmon-ng start wlan0
Enables and disables wireless interface monitoring
modinfo
Enables you to see what modules do
autrace
Enables you to trace the process of a binary and have it bind to an ausearch
ESP
Encapsulation Security Payload
Encryption Key Management
Encryption means your data could never be created or edited using any O365 apps, which defeats the purpose. Also means you can't use keyword indexing, document/message searches, legal e-discovery, DLP filtering, Cortana calendar management, etc.
Overlap partition
Entire hdd geometry. Usually the third slice (/hda/2?) of the. Originally had to be third because first had to be root and second had to be swap space. Do not use for file systems.
Jailed Environments
Environment, eg VDI, can be created to look like a real VDI environment, but it's contained and controlled with no real data.
Trust Zones
Establish trust zones for different deployed environments. Similar to security classifications or levels of sensitivity. Each VM should fall into a security category regardless of its function, and this is where it should reside on the network with appropriate access controls for appropriate levels of security. Don't span trust levels within a physical host is the golden rule of secure virtualization design. Minimize what runs on the host. Only use it as a host.
Security Policy
Establishes what you must do to protect information. Used to help identify, measure and evaluate how. Strategic.
Annualized Rate Occurrence (ARO)
Estimated frequency at which a threat is expected to occur.
Windows Event Collector
Event data is sent over SSL and uses Web Services Management protocol to push and/or pull data from monitored systems.
EOI
Event of Interest
Event of Interest (EOI)
Event of Interest is some activity that is flagged by the IDS, which generates an alert.
EOI
Events of Interest
Application Analysis
Exclusive-based, identifies anomalous conditions on the network after it has a complete understanding of the protocol/application and how it operates. IDS learns normal network activity. Then, any use of the protocol or application that doesn't match the IDS' understanding of normal functions is reported. Protocol activity that is unknown is flagged. Difficult to implement and expensive.
runas.exe
Execute command with elevated privileges
Metasploit
Exploitation toolkit to help identify whether a vulnerability exists or it's a false positive.
PFX file
Exported certificate and private key
ESR
Extended Support Release
ESR
Extended Support Release is a version of Firefox that will only get bug fixes and security patches, not new features, for at least 54 weeks.
EAP
Extensible Authentication Protocol
EAP
Extensible Authentication Protocol. EAP types are authentication protocols that are part of authentication framework 802.1x.
FIDO
Fast Identity Online, 3rd party MFA tool. Can be used in browsers for authentication.
Shallow Packet Inspection
Fast but little fidelity. In practice, it's used with deep packet inspection. Eg source and destination address and port information from headers; specific ICMP error messages; undesirable TCP flag combinations (SYN/FIN); impossible fragmentation combinations (gaps, overlaps); packet size information (too small UDP packets)
DES
Fast encryption algorithm. Symmetric key, 64-bit block cipher. 56-bit key size. 4 DES operation modes: ECB, CBC, OFB, CFB. DES and 2DES are not secure. Since DES is not a group, multiple encryptions increase security.
Feature & Quality Updates
Feature Update 180 days. Quality Updates smaller monthly.
Reuse Attack Protector (RAP)
Feature in Grsecurity
Application Behavior Monitoring
Feature of HIPS where a manufacturer selects a supported app and records the intended functionality in normal use. It's difficult to get right because apps are constantly changing functionality with updates and new releases.
Package Management
Features listed on p236: download validation, installation of dependencies, binary format; standard locations for installation, user experience components and verification of installation.
FIPS
Federal Information Processing Standard
FIC
File Integrity Checking
OneDrive
File storage in Azure SaaS
System volume
Files needed for boot-up process
Rainbow Tables
Files produced from precomputed password hash values used by the cracking tool to quickly lookup hash values and corresponding plaintext passwords
D-Bus Interface
Firewall D-Bus allows applications to adapt firewall settings.
netfilter
Firewall replaced by nftables.
nftables
Firewall, subsystem of Linux kernel to provide classification and filtering of network packets. Replacement for netfilter.
HTTP Request
First part of HTTP conversation, initiated by client. May include Host: Header.
Gaining Access
First real milestone of an attack is gaining access or getting a shell.
ls -ld /sbin/su /etc
Forces ls to display file attributes for actual directories listed, eg /sbin/su and /etc
AD Forest and Trust
Forest is one or more AD domains. Trusts link domains together in a forest. Cross forest trusts are entire forests trusting other forests.
Baseline
Foundation for evaluating policy. Documentation Baseline for Policy, p69. It's a more specific implementation of a standard and tends to include more technical details. Usually a baseline starts as a guideline until it's properly modified to meet the needs of the organization. eg hardening rules for a new server start as a guideline and become a baseline.
Azure AD Connect
Free M$ AD sync tool with SHA256 hashed and salted password protection.
Ansible
Free application that's more feature-rich and easier to manage than free Puppet. Includes software deployment, task execution and CM using a main controller machine that talks to "nodes," controlled machines with JSON protocol over SSH. Excellent choice for consistency, stability and overall security.
Wireshark
Free, Threat Hunting. Network monitoring and packet analysis tool.
Passive DNS
Free. Collect and analyze DNS for threat hunting.
Bro/Zeek
Free. Framework for network monitoring used for forensics, metrics, NIDS. Threat Hunting.
Python
Free. Threat Hunting. Script for automation.
Autoruns
Free. Threat Hunting. Windows tool that shows you what tools automatically run at startup.
FHSS
Frequency Hopping Spread Spectrum
Defense-In-Depth (DiD), Primary Section
From outer to inner: policies, procedures, awareness; physical; perimeter; internal network; host; application; data. 4 approaches to defense-in-depth: Uniform protection; protected enclaves; information-centric; threat vector analysis. Information-Centric Defense-In-Depth, outer-to-inner: Network; Host; Application; Info p17.
FVEK
Full Volume Encryption Key encrypts/decrypts all sectors of Bitlocker-protected volume. This is not needed on self-encrypting HDDs.
FTE
Full-time equivalent. Cost of one full time employee.
Enumeration
Further extension of scanning process. Identify exploitable vulnerabilities of the system. List file permissions, user accounts on open ports, idle ports and other system items used for entry into the system.
Global Catalog Server (GC)
GC special DC that replicates AD database in forest
GECOS
GE Compliant OS (GECOS) stores metadata. Used by John the Ripper to crack password.
GPG
GNU Privacy Guard
Grep
GNU regular expression text filter. It can match on anything except newline.
GNU
GNU's not Unix :-P
GNU Privacy Guard (GPG)
GPG provides two protections for email: confidentiality through encryption and message integrity and source identification through digital signatures. Uses a hybrid of symmetric and asymmetric encryption.
GPO
GPO can manage security settings not included in INF security template. GPOs are stored as ADM/ADMX and are more comprehensive than a local .INF security template. Settings from Computer Configuration tend to take precedence over User Configuration section of GPO Administrative Templates. GPOs
Regedit.exe
GUI regedit
windiff.exe
GUI to compare 2 files. Also works from CLI.
Threat Intelligence
Gathering and correlating information about the adversary to better understand how they work and operate. Driven by forensics, analysis and third-party sources.
Privileges
General capability that is not tied to any particular object. Manage them through GPOs.
Syslog-ng
General purpose logging, reliable delivery. Use to collect logs.
Business Resumption Planning (BRP)
Generic term used to refer to the actionable plan that coordinates efforts to restore an organization to normal working order.
NIST IR 7298
Glossary of Key Information Security Terms
Asymmetric Keys
Goal is authentication. RSA, ElGamal, ECC. Public key. Dual or 2-key encryption. Slower than symmetric. Used as a secure channel for public key exchange. Technical non-repudiation via digital signatures. Primary uses are key exchange (for symmetric encryption), authentication and non-repudiation, p31. Employs trapdoor function, p32-33. Public key crypto proves it was the recipient who created the document.
Symmetric Keys
Goal is confidentiality, privacy. DES, 3DES, IDEA, AES, RC4, RC5. Techniques are substitution (XOR, rotation, arbitrary substitution), permutation, hybrid. Secret key. Fast. Doesn't scale well. No technical non-repudiation. Pre-shared key. Requires a secure channel.
Digital Signature
Goal is non-repudiation. Asymmetric + Hash.
Attribution Active Defense
Goal to identify and find out details about the adversary. Useful for incident response. Valuable if legal action is desired.
Egress Filtering
Good IDS technique. You can use your firewall log files to track dropped egress traffic. You're a better net citizen.
CLI commands
Good for CMD batch scripts
Recon
Google, chat rooms, dark web, company website, system documentation, theHarvester, Whois, Shodan, Host command.
GPMC
Group Policy Management Console
Rings (M$)
Group of computers assigned to a particular servicing channel with a particular update deferral period.
Domain Local
Groups that get replicated through AD and can be used on any computer
Classification Levels, Business
HR and management sensitive; Trade Secrets, manufacturing proprietary; Business Proprietary, contracts, financials; Public Releasable.
HTTP Request and Response
HTTP is stateless and transaction-oriented. Client sends a Host: header, specifying which domain the request is for. Clients use PUT to upload files. The client request includes a header stanza that follows the request and can include any piece of info. Some requests include a body, which may include a POST to fill out form data (ie HTTP PUT).
Compression
Handled by the NTFS driver itself, which makes compression transparent to the user.
NTFS driver
Handles compression, which makes compression transparent to the user.
Rowhammer
Hardware exploit that manipulates physical memory to escalate user privileges and escape VM isolation.
TPM
Hardware-based crypto. Handles cryptography calculations and key storage.
Unidirectional Gateways
Has multiple NIC that handle data handoff to software controls. Layered solutions that rely on software components to gather data, and then send to an appliance with physical one-way data flow capability.
Integrity Check Value (ICV)
Hashed value to ensure integrity of packet. AH hashes every field in packet that doesn't change in transit (eg doesn't hash TTL). ESP only hashes information in ESP message.
md5sum < file1.txt
Hashes file1.txt with md5
sha1sum < file1.txt
Hashes file1.txt with sha1
Precomputation Attack
Hashes of possible passwords are precomputed and stored in a database called a rainbow table. The hashes are matched with passwords, which takes a fraction of the time it'd take to brute-force a hash.
Virtual Switches
Have several forms: embedded within the virtual software, included as firmware on the server and virtual ethernet adapters.
Issue-Specific Policies
Help clarify organization's security posture. They provide clear guidance on many topics within the company. Covers specific areas such as: authentication, monitoring, physical security, backups, disaster recovery, acceptable use, audit and assessment, incident handling, employee and contractor access, employee monitoring, and awareness training.
HTTPS Tunneling of RDP
Helps prevent MitM attacks, improves encryption and is firewall-friendly (ie helps users get around firewalls blocking 3389).
VLANs
Helps with least privilege
Elliptic Curve Cryptosystems
High security levels with low key lengths, high-speed processing, low power and storage requirements. Eg uses in resource-constrained environments: mobile phones, smart cards, wireless communications, electronic cash, ATMs. Growing popularity. Cracking only in poor implementations with small key lengths.
LogRhythm
High-end SIEM. File Integrity Monitoring agent. Provides unprecedented anomaly detection.
Conceptual Design
High-level design that includes core components of network architecture
Histograms
Histograms are graphical representations of the number of occurrences of data in a given distribution. A histogram of an encrypted document shows the frequency of characters is normalized, which makes it easy to detect. High entropy indicates encryption, p49.
OSSEC
Host based IDS focused on tracking and identifying indicators of compromise. Active alerting capability when alteration is made to a key file. Generates email alerts too. Integrates with SIEM.
Samhain
Host based IDS with ability to centrally monitor logs. Rootkit detection and port monitoring.
HIDS
Host-based IDS
Trade Secrets (Business Classification)
How products are created. R&D.
kismet
IDS and wireless network sniffer
Data Normalization
IDS takes a baseline of data before analysis.
Tripwire
IDS through integrity checking. Open-source and commercial. Creates secure db baseline of file and directory attributes. Verified with SHA.
Online Certificate Status Protocol (OCSP)
IETF recommends as a replacement for CRLs. Real-time notification of revoked certificates.
RD Web Access
IIS Server provides web portal for roaming users. Supports SSO and other features.
Passive Analysis
IPS uses passive analysis to reduce false positives. Passive analysis identify host OSes, network architecture, and vulnerabilities present in the network. This information helps IPS classify attacks to internal systems.
RFC 2401
IPSec
IPv4 vs IPv6
IPv4 no authentication, no built-in encryption, best effort transport. IPv6 provides authentication of endpoints, support encryption in protocol, QoS features provided.
IPSec Phase 1
ISAKMP channel established. Privacy. Main Mode (checks identity of endpoints) or Aggressive Mode (does not, which is fine if using PKI to set up VPN).
Azure
IaaS and PaaS. VMs and containers running Windows and Linux. It's M$'s cloud infrastructure. Azure AD can be used for SSO across a who's who of websites.
ldd
Identify app dependencies. Handy for setting up chroot directory.
Access Control
Identity, Authentication, Authorization, Accountability, p29. Least privilege, need to know, separation of duties, rotation of duties, p30. Models that deal with protecting sensitive data or assets to ensure confidentiality and integrity, p27.
Simple File Sharing
If Simple File Sharing is enabled, then all remote authentication to the computer will be treated as remote access by the Guest Account. This is called automatic demotion to Guest.
HIDS vs network firewall
If packet is allowed, then HIDS will forward packet up protocol stack and network firewall will forward it.
Copyright
If two parties agree that a written piece of work is for hire, then the rights become that of the owner. US Library of Congress interpretation is followed in slide.
Meet-in-the-Middle Attack
If you have both the cleartext and corresponding ciphertext, you can perform this attack on 2DES.
IPS
Implementing IPS behind a firewall allows you to narrow down your search of infected internal systems, p102. Deploying IPS between the firewall and ISP router ensures the firewall and DMZ servers are protected, p102. To detect the greatest number of attacks without false positives, NIPS tools use passive OS fingerprinting and vulnerability, p103. Since they're inline, IPSes have the ability to fail open.
Cost-Benefit Analysis
Important to show that high-priority risk and the solution is the most cost-effective for reducing the risk.
Data Dispersion
Improves data security without use of encryption mechanisms. Can provide HA and assurance of data stored in the cloud.
Authenticator
In 802.1x, the Authenticator either provides or prevents network access to Supplicant. It handles challenge and response, but forwards credentials to backend Authentication Server (usually RADIUS). An Authenticator is usually a switch or AP.
Supplicant
In 802.1x, the Supplicant attempts to connect to the network. It's the client device.
Rotate Directive
In logrotate, it tells how many copies of logfile to keep.
apt-get install <package-name>
Install specified software with all associated dependencies.
yum install syslog-ng
Install syslogNG package.
Core Server
Installation option that only provides command shell, nothing else. Drive footprint 2-4GB
IR
Incident Response
Law Enforcement
Incident Response--Preparation: Have a list of phone numbers for each agency you might need to involve.
Logical Design
Includes all major network components plus their relationships. For developers and security architects. Includes business services, application names, and other relevant info for development purposes. Understanding communication flow and knowing where valuable data is begins with the logical architecture.
Anomaly Analysis
Inclusive-based, meaning IDS vendor identifies conditions that are anomalous through its analysis of the protocol and its expected behavior. Only those conditions identified are reported by the IDS. It requires an understanding of what "normal" is. Baseline of network is performed. Can catch 0-day exploits.
Switch
Increase security by reducing visibility.
IoC
Indicators of Compromise
Threat Agents
Individual or organization that's capable and motivated to carry out an attack. How active is each threat agent? How might a successful attack serve a particular threat agent's goals? 3 broad categories of threat agents: criminals, espionage, hacktivists.
ISM
Industrial, Scientific, Medical radio
Infected System
Infected systems are a giant integrity problem. Main strategy for fixing an infected system is rebuilding it from scratch.
IaaS
Infrastructure as a Service gives clients ability to rent IT infrastructure components from a public cloud provider.
Upstart
Init alternative. Supports parallel booting of services. Upstart introduces jobs, events, and emitting services.
Runlevel
Init runlevels: 0 shutdown; 1 single-user; 2 multiuser; 3 multiuser w/ networking; 5 starting w/ display manager and graphics; 6 reboot. Used on System-V, not BSD distro.
Starting Services in Linux
Init, Upstart, Systemd, Cron
ClientHello
Initial SSL/TLS message sent from client to the server. Includes list of CipherSuites client supports.
ISN
Initial Sequence Number
IV
Initialization Vector
Steganography Methods
Injection, substitution, file generation.
aireplay-ng
Injects and replays wireless frames
Intel VT Technology
Integrated some of Blue Pill functionality into the Intel VT Technology.
IP
Intellectual Property
IPC
Inter-process communication
ICV
Integrity Check Value
IETF
Internet Engineering Task Force
IKE
Internet Key Exchange
ISAKMP
Internet Security Association and Key Management Protocol
Pivot Points
Initial point of entry gives adversary a foothold in your network.
Risk Analysis
Involves determining the risks and their impact on the infrastructure. When determining what types of threats your enterprise could be exposed to, it's vital that information security professionals spend time assessing how they might be attacked. All possible threats must be considered. After creating a list, determine if they are actually viable threats to the enterprise. "Identifying likely vectors and entities that pose a risk to the business."
Virtualization Benefits
Isolation of OSes and apps. Small attack surface of Type 1 Hypervisor code. HA. Quick quarantine for out-of-compliance systems. Resiliency. Can backup the whole machine, not just the data on it. Virtual appliances can be spun up quickly for one or two functions. Reduces attack surface.
Keybox
KeyBox is open-source and has 2FA integration within web interface with Google Authenticator and FreeOTP.
Intellectual Property (IP)
Know where your valuable data is.
Resource Protection
Knowing your vulnerabilities is a critical stage of resource protection
LSPP
Labeled Security Protection Profile
Multilevel Security (MLS)
Labels are an attribute of MLS systems, which are based on Bell-LaPadula Mandatory Access Model. MLS is used in Labeled Security Protection environments (LSPP).
Physical Design
Last design created before final implementation, includes known details of OSes, version numbers and relevant patches. Also includes physical constraints or limitations identified within server components, data flows or connections.
Logrotate
Later definitions overwrite earlier ones. Linux packages expect to be able to include logrotate config files in /etc/logrotate.d.
Hyperjumping
Lateral compromise where attacker jumps from guest OS to another. Uses one guest OS to compromise another. Doesn't compromise the Host OS or Hypervisor.
Frame
Layer 2 data chunk transmitted by Ethernet over the wire.
Ethernet
Layer 2 protocol. Shared media. It is a CSMA/CD protocol.
Packet Firewall
Layer 3. Fastest, cheapest and weakest. Think router with ACLs (including established). Simply looks at TCP flags, but doesn't inspect them. No state inspection of ACK flag set. Vulnerable to ACK scan.
TCP
Layer 4 is responsible for transmission of data between two endpoint systems involved in communication. Issues related to reliability and cost-effective data transfer belong to this layer. p153 TCP Header.
Stateful Firewall
Layer 4. Keeps track of TCP connections in a stateful tracking table. UDP and ICMP traffic is added with a timeout duration. Stateful firewall isn't able to differentiate legitimate Port Unreachable messages from an attacker sending this same traffic to an internal host, so it'll blindly accept the traffic.
Proxy Firewall
Layer 7. Essentially tears down packet layer by layer on one interface and builds it back up on the opposite interface.
Protocol Stack
Layers of protocols that allow computers to communicate
List dynamic dependencies
The ldd tool identifies an application's dependencies.
gradm -F -L /etc/grsec/learning.logs
Learning mode for grsecurity
LSB
Least Significant Bit
NetBIOS
Legacy set of connectionless and connection-oriented protocols used for name resolution. Can be disabled 90% of the time.
Client-to-Client VPN
Less common. Most secure. Doesn't scale well. See Transport VPN.
5G
Less than 1ms latency compared to 4G's 25ms. Must provide connections that are 100x faster than current speeds to accommodate IoT devices like self-driving cars, robot-aided surgeries.
Netcat
Lets you see raw connection, including header information.
XFCE
Lightweight Desktop Environment
Antivirus Software
Many vendors are calling their products endpoint security software/suites.
Critical Security Controls Standards Mapping
Maps which NIST controls map to CSC
Risk Evaluation
Match threats and known vulnerabilities, calculate ALE. Estimate risk from unknown vulnerabilities.
Trapdoor Function
Mathematical functions that are easy to calculate and hard to invert. Eg multiplication vs factorization and exponentiation vs logarithm.
msf exploit show options
Metasploit framework showing Apache Struts exploit that takes advantage of XStream's failure to do input validation.
NetFlow
Method of collecting IP traffic and monitoring network traffic. Using flow-based analysis, relying on algorithms and behavior rather than signatures, helps you detect 0-day attacks.
Black Box Diagramming
Method of depicting a device, system or object only in terms of inputs and output without requiring knowledge of its internal workings. Simplifies the characteristics of the network during the design phase.
Pen Testing
Method of evaluating the security posture of a computer system or network by simulating identified attacks by a malicious user, known as a hacker.
Deception Active Defense
Method that creates less legal concerns. Honeypots. Activity to mislead and slow down the adversary. Can increase time and difficulty of pen tests.
Signature Analysis
Most common method of identifying EOI. Performs pattern-matching on packets based on rules. Rules use criteria based on protocol, address and port info, payload contents, string matching, traffic flow analysis, flags in protocol headers, any fields in the packet.
Azure Global Administrator
Most important role. Can assign, reset and delete all other roles. aka Company Administrator
Internal Threat
Most organizations focus on external threats, but internal threats often cause the most damage.
Password Policy
Minimum pw length 15 chars; Pw history 24 pws; Max age 90 days; Min Age 1 day; Max length 127 chars. No gui for custom pw policies. Use PowerShell.
Telnet Attack
Misnamed. Really a distributed SYN attack. Windows OS has an accessible telnet executable that can set up a TCP session. Popular DOS attack with botnet operators.
Mission Statement
Mission statement is operational. States the purpose of your organization. You need an approved mission statement to move forward with policy. Mission statement is at top of policy pyramid.
DHCP Spoofing
MitM attack where attacker listens to DHCP requests and answers them with an IP address, pretending to be the default gateway.
Office Mobile
Mobile versions of M$ Office apps. Free but limited.
/etc/syslog.conf
Modify this file on host to send its log files to another server
Web App Monitoring
Monitor web content and use a file integrity checker. Integrate checks with SIEM. Build and maintain a custom monitoring tool using Perl or Python scripts.
Critical Control #2 Software Inventory
Monitor with file integrity checking tools; use app whitelisting; deploy software inventory tools; use VMs or air-gapped systems to isolate and run apps that are required for business but pose a high risk to the network.
File Activity Monitoring
Monitors and records all activity within designated file repositories at the user level. Generates alerts on policy violations. Requires an endpoint agent or physical appliance between cloud storage and cloud consumers.
Frequency Analysis
Monolithic ciphers or one-to-one ciphers can be broken with this technique.
Lynis
More robust and detailed than Bastille. Good for standalone systems that need to comply with regulated frameworks like SOX, HIPAA, PCI DSS, etc. Audits for authentication methods, expired SSL certs, outdated software, patches, user accounts w/o passwords, incorrect file permissions and firewall rules.
Discretionary Access Control
Most Linux variants use DAC, enabling the sysadmin and users to manage the security on files they own or manage. It's possible for a DAC system to be default deny or default allow.
Attack Back Active Defense
Most aggressive step. Has legal implications.
Uniform Protection
Most common approach to defense-in-depth and usually the starting point for most organizations. Treat all systems as equally important. All parts of the organization and intellectual property receive equal protection. Eg patching.
One-Time Passwords
Most common way to implement OTPs are token-based devices like SecurID tokens. Good countermeasures against keyboard and network sniffing.
Eternal Blue
NSA toolkit used in WannaCry attack.
NTLMv1
NT LAN Manager LANMAN old protocol for authentication. Best to decommission.
Encryption
NTFS uses EFS and BitLocker to support encryption.
Regsvc.exe
Name of key to modify for remote registry service permissions.
winreg
Name of key to modify for remote registry service permissions. HKLM\System\CurrentControlSet\Control\Secure\PipeServers\winreg\
CNSS 4009
National Information Assurance Glossary
NIST
National Institute of Standards and Technology
IPSec Phase 2
Negotiates details of ESP and AH SAs. Primary Mode or Quick Mode.
nc.exe
Netcat ported to Windows.
nc.traditional 127.0.0.1 333
Netcat tool is a network utility that allows you to connect to TCP Port 333 on localhost. Also connects to UDP ports, transmits files, and executes commands.
Honeynet
Network of decoys designed to deceive and slow down adversary.
NAC
Network Access Control
NFS
Network File Sharing
NLA
Network Level Authentication
NLA
Network Level Authentication for RDS prevents DoS attacks against servers by requiring the client to authenticate before server memory is allocated.
NOVA
Network Obfuscation and Virtualized Anti-Reconnaissance
nmap
Network scanner.
NBS
Never Before Seen
Advanced Application Shielding
New feature introduced in HIPS that essentially locks an app into a sandbox where it's not permitted to communicate with other apps.
nft add rule ip filter output ip daddr 10.10.10.10 drop
Nftables rule to drop packets destined for 10.10.10.10.
Border Router
Placed between ISP and firewall. Can be used to filter traffic that is obviously unwanted, like invalid traffic RFC1918 sourced from Internet. Also helps protect firewall from attack by taking some of burden off it.
NOEXEC
Noexec prevents processes from making exec systems calls. They have to sudo. Part of MacOS RunTime protection. Part of Grsecurity.
System Restore Points
Not enabled by default in Windows 10. Snapshots computer's configuration. Checkpoints from 1-3 months.
Sticky Bit
Allows for a world-writeable directory, but owner is the only one who can delete files in that directory. N/A to files. Only applies to directories. Real-world example is /tmp has sticky bit set so that anyone can write to it.
Autopilot
OEM-customized device that allows for the device to automagically get upgraded, joined to Azure AD.
OSI Layers Map to Network Security Devices
OSI Map Tab
at.exe
Obsolete way to see scheduled tasks
Block Cipher
Obtained by segregating plaintext into blocks of n characters or bits and applying the identical encryption algorithm and key to each block.
Session IDs
Often stored as a hidden form element, part of the URL query string, or in a cookie. Can be exploited by session attack. Best to use cookies.
dropmyrights.exe
Old 3rd party executable DropMyRights literally drops the rights of an application from unrestricted to normal, constrained, or untrusted.
Enum
Old standalone binaries, labeled as a hacker tool but not likely to cause vulnerabilities.
Bluebugging
Older hardware implementations. Manipulates target phone into compromising its security. Installs a backdoor. Calls back to attacker who can eavesdrop on phone calls. Can also create call forwarding.
Bastille
Older standalone tool meant to be a tutorial for hardening your Linux system.
cfEngine
Oldest CM tool. Open source and commercial versions available. Started as local datacenter tool. Now more cloud-based. Has a monitoring and modeling compliance engine.
Ingress Filtering
On a firewall, all inbound packets are dropped if they contain a source address from within the network address space
TrueCrypt
On the fly encryption (OTFE). Deprecated.
Telnet
Plaintext. Use SSH
Threat Assessment
One input into risk analysis. Analyze the cost effectiveness of countermeasures for reducing exposure.
File System Hardening
One of features in Grsecurity
Kernel Auditing
One of features in Grsecurity
Trusted Path Execution (TPE)
One of features in Grsecurity
POST
One of two most common HTTP methods. Appends the form data inside the HTTP Request, embedded HTML Header. Better for sensitive data.
GET
One of two most common HTTP methods. Client uses GET to retrieve information from the server. Requests data from the specified source. Appends the data to the URL, so its visible in the URL. Not safe for sensitive data.
Arbitrary Substitution
One-to-one substitution of characters. Easy to crack with frequency analysis.
Rotation Substitution
One-to-one substitution of characters. eg ROT-3 Caesar Cipher and ROT-13 appeared on Usenet. Easy to crack.
OCSP
Online Certificate Status Protocol
RSA
Only been cracked with poor implementation using too small key lengths. Used in SSL.
cut -f 2-4 data.txt
Only display fields (aka columns) 2-4
Need to Know
Only give person access when they need it. Take away access when it is no longer required.
get-winevent -logname system -maxevents 500
Only show last 500 events in System Log. Script and send files to collector (eg SIEM)
Logstash
Open source solution for log aggregation, pipelining, and storage.
PaX
Open-source memory protection utility for the kernel and other memory protections. Improves ASLR, protects against arbitrary code execution, code execution in a different order, code execution with malicious code. Best to run it with grsecurity because of tight feature integration.
Docker
Open standard single-application LXC containers. Docker is an evolutionary enhancement of LXC that has moved away from LXC and now has its own libcontainer framework based on Go. Single-process and stateless-based containers.
LXC
Open standard to create containers. Has security to isolate apps using several kernel features to achieve this. Overcomes the limitation of chroot by containing all required components. Can run on a single OS. Between chroot and full virtualization. Key features are cgroups and namespaces.
GNU Project
Open-source OS that Linus Torvalds partnered with. GNU/Linux is the real name of Linux OS. 2% of Linux kernel is still Torvalds' code.
Chef
Open-source centrally-managed DevOps tool that can push and control versions of code. Adds an abstraction layer (Chef Server and Chef clients). Works onsite, in the cloud and hybrid.
Graylog2
Open-source log management and SIEM. Can normalize and correlate logs with searches you build and alert on. Easy to setup and use. No prebuilt anomaly detection rules, alerts or searches.
Process Hacker
Open-source process manager tool to analyze services, device drivers, listening TCP ports, disk activity, and other Windows internals.
LOGalyze
Open-source solution. Easy to deploy, offers a dashboard, reporting and searching capability. No prebuilt anomaly detection rules, alerts or searches.
Snort
Open-source tool, low-cost, suitable for monitoring multiple sites/sensors, efficient detect system, low effort for reporting. 5 rules: pass, log (snort.conf), alert, activate (listens for alert and then activates dynamic rule), dynamic (inactive until another rule activates), p93.
Private Cloud
Organization owns hardware infrastructure that supports and houses the cloud systems.
Standard
Organizational, strategic. Focuses on what technology to use. Usually refers to specific hardware and software.
Puppet
Originally devops tool written in Ruby. Open Source and Commercial versions available. One of most popular.
OFDM
Orthogonal Frequency Division Multiplexing
/bin, /opt
Other places where apps may be stored
netstat
Output 174 and 184.
df command
Output of command. 5-10% of hdd is reserved, so Use% includes that unwritable percentage too.
top
Output on p186-193.
tail
Output on p194-197.
netstat -s
Output. Statistics.
netstat -at
Output. TCP
netstat -au
Output. UDP.
Windows PS vs PS Core
PS 5.0 is frozen, legacy. Core is open-source and the future of cross-platform Azure management.
set-MpPreference -EnableControlledFolderAccess AuditMode
PS enable CFA in audit-only mode
get-WmiObject
PS equivalent of wmic.exe
get-ciminstance
PS equivalent of wmic.exe
get-service -computername keithbox
PS query list of services
Set-ItemProperty
PS regedit
Compare-Objects
PS to compare 2 files
get-ciminstance -query "select * from Win32_BIOS"
PS to extract BIOS information from WMI
get-help -full get-windowsfeature
PS to get help with features
show-EventLog
PS to launch event viewer
import-module servermanager
PS to manage server roles
get-windowsfeature -computername Server47
PS to see features on remote server47
paxctld
PaX memory protection utility.
dpkg
Package management tool that APT is based on.
Endpoint Firewalls
Packet Filter (Stateful), Application Control and OS Control. Packet Filter looks at packets from network to PC. Application Control Firewall can screen incoming packets and keep a set of rules for applications. OS Control is most flexible and won't allow a program to run or access the Internet without approval.
Swap Partition
Page file for the virtual memory system. Originally had to be the second partition on hdd. Called a "raw disk" partition because it isn't mounted, so it's not listed by df. Use swapon -s to see swap partition's current use.
sed
Parses and transforms text. One of earliest tools to support regex.
BearTrap
Part of ADHD. Opens ports to mislead, monitor, track and block connections. Simple way to open ports in a controlled and secure manner.
Initial Sequence Number (ISN)
Part of TCP three-way handshake.
Resource separation
Place systems with different security requirements into separate areas. Follow three core rules: Any system visible to Internet must reside in DMZ; any system with sensitive information must reside in private network and not be visible to the Internet; only way a DMZ system can communicate with a private network is through a proxy on the middleware tier.
/etc/shadow
Password Database
Cain
Password cracking
Enforce Stronger Passwords
Password enforcement, /etc/pam.d/system-auth.
Patching
Patch maintenance and management process and schedule to ensure patches are up-to-date for both online and offline VMs.
/etc/sysctl.conf
Permanently change system variables so that they will load at boot time
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Permit inbound SSH for a session that we have initiated from this system.
Least Privilege
Person has least amount of access to do their job. Basics of secure coding: only grant account access to the resources it needs, p173
Incident Handler
Person responsible for responding to alerts. Uses the information generated by the IDS to identify the intent of the suspicious activity and takes some action based on the analysis.
PAN
Personal Area Network
Bluetooth PANs
Personal Area Networks are susceptible to hacking
OS Editions
Personal Editions: Starter, Home and Ultimate. Work Editions: Business, Pro and Enterprise.
PII
Personally Identifiable Information
Internet Security Association and Key Management Protocol (ISAKMP)
Framework (RFC 2408) for negotiating, establishing and managing Security Associations. IKE Phase 1 uses it to set up the protected channel over which the Phase 2 IPSec SAs are negotiated.
Cookies
Piece of data created by a web server and stored in the web browser. Often used to track user authentication and application session data. Because users can edit their own cookies, whether Persistent or Non-Persistent, a site that stores state in a cookie should sign or encrypt its contents. A server can set the optional Secure flag on any cookie to tell the browser to send it only with SSL/TLS-encrypted requests.
Scanning
Ping, Nikto, Netcat, nmap.
Interim Report
Pitch project summary, asset identification and valuation report and a plan to senior management.
Session State
Prime target for attack in web connections. See Session Attack.
Defense in Depth
Principle that protections need to be layered
Intractable Problems
Problems with no known polynomial-time algorithm; asymmetric encryption is built on them. Examples are exponential and superpolynomial problems such as factoring large integers into primes (RSA), solving discrete logarithms over finite fields (El Gamal, DH), and solving the discrete logarithm on an elliptic curve over a finite field (ECC).
Software Testing
Process of executing a program or system with the intent of finding errors. It's important to test how the app responds to unexpected or invalid input.
Access Management
Process of managing users, data and their relationships consists of 4 tasks: Account Administration, Maintenance, Monitoring, Revocation.
Threat Enumeration
Process of understanding threats in your system or network. List all possible threat agents. List all attack methods. List the system level objectives.
Jobs
Processes that maintain system activities that need to occur continuously. Introduced in Upstart
SHA
Secure Hash Algorithm family. SHA-1 produces a 160-bit hash value and is no longer considered collision resistant; see SHA-1-SHA-2 for the longer outputs.
Policy Types
Program Policy, which is high-level; Issue-Specific Policy, eg AUP; System-Specific Policy, eg Linux Servers vs Windows.
chkdsk.exe /?
Program that runs automatically after a power failure or BSOD. Use it to schedule a full volume or sector-level scan at the next reboot.
BCP-DRP Planning Lifecycle
Project Initiation, Risk Analysis, Business Impact Analysis, Build the Plan, Test and Validate the Plan, Modify and Update the Plan, Approve and Implement the Plan
File System Security
Protect OS binaries in /usr. Don't allow users to create or bring set-UID and set-GID programs onto the machine. Put /var on a separate partition. Allow for unexpected growth on heavily used partitions. Goal: every filesystem should be mounted either read-only or nosuid.
Session Attack
Protect against session attacks by making session IDs random and long. Use an established toolkit like Burp to test the predictability of session IDs. Encrypt session information in cookies. Issue a new session ID immediately upon user authentication. Have session IDs expire on logout or periodically time out. Digitally sign session IDs so tampering is detectable.
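The session-ID guidance above, as an added example (not from the deck or any product): a generator that draws 128 bits from the OS CSPRNG and appends an HMAC tag so tampered IDs are rejected, a deliberately weak counter-based generator, and a crude predictability check of the kind a sequencer tool performs. SECRET_KEY is an assumed server-side value.

```python
"""Session-ID hygiene: unpredictable IDs, integrity tag, and a predictability check.

Added example, not the deck's code. The weak generator mimics a common mistake
(a hex-encoded counter); looks_sequential approximates what Burp's sequencer
reports by looking for small numeric deltas between consecutive samples.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = b"rotate-me-example-key"   # assumption: a server-side secret, not a real key


def new_session_id():
    """128 bits from the OS CSPRNG, URL-safe, plus a 128-bit HMAC tag."""
    token = secrets.token_urlsafe(16)
    tag = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{token}.{tag}"


def verify_session_id(sid):
    """Reject any ID whose tag does not match; constant-time compare."""
    token, _, tag = sid.partition(".")
    expected = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(tag, expected)


def rotate_on_login(old_sid):
    """Issue a fresh ID at authentication so a pre-login ID an attacker planted is useless."""
    return new_session_id() if old_sid is None or verify_session_id(old_sid) else new_session_id()


def weak_session_id(counter):
    """Deliberately bad: an incrementing counter rendered as hex."""
    return f"{1000000 + counter:08x}"


def looks_sequential(ids, max_delta=16):
    """True if at least half of adjacent samples differ by a small positive integer (read as hex)."""
    try:
        values = [int(s, 16) for s in ids]
    except ValueError:
        return False
    small = sum(1 for a, b in zip(values, values[1:]) if 0 < b - a <= max_delta)
    return small >= len(values) // 2


if __name__ == "__main__":
    print("weak IDs sequential:", looks_sequential([weak_session_id(i) for i in range(20)]))
    sid = new_session_id()
    print("good ID verifies:", verify_session_id(sid), sid)
```

Collect a few dozen IDs from the target, strip any signature part, and run looks_sequential over them; a result of True means the IDs are guessable and the session fixation and hijacking attacks above apply.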
PEAP
Protected Extensible Authentication Protocol
Security Policy
Protects organization, the people and the information. Establishes what must be done to protect information stored on computers. Protects people who are trying to do the right thing. Policies are the laws of an organization that set the boundaries of what is and is not acceptable.
Bluetooth Network Encapsulation Protocol (BNEP)
Protocol that allows Bluetooth devices to extend access to the wired network from a wireless connection, similar to 802.11.
Internet Key Exchange (IKE)
Protocol that negotiates session details of an IPSec connection and documents them as Security Associations (SAs).
IPSec
Protocols 50 for ESP and 51 for AH
IPSec
Provides data integrity, confidentiality and authentication. Besides encryption, it can also do static packet filtering.
top
Provides a dynamic, real-time view of what is running on a system. Continuous output. Shows processor activity. Baseline it and spot anomalies.
netstat
Provides visibility into network activity, network connections, route tables, interface statistics.
Reconnaissance
Provides visibility into your organization and insight into how the adversary will target you
PKI
Public Key Infrastructure
Vector-Oriented Defense-In-Depth
Purpose is to identify various vectors by which threats can become manifested and provide security mechanisms to shutdown, remove or mitigate the vector.
Policy Table of Contents
Purpose; related documents aka references; cancellation, which explains when the new policy supersedes the old one; background, which amplifies the need for the policy; scope; policy statement, which identifies the guiding principle of what is to be done; responsibility; action.
Risk Assessment
Quantitative and Qualitative Risks. Threat assessment is one input in risk analysis.
Industrial Scientific Medical (ISM)
Unlicensed radio bands. The 2.4 GHz ISM band carries Bluetooth and 802.11b/g/n; the 60 GHz band is used by 802.11ad (what this deck calls Super Bluetooth).
Salt
Random value combined with a password before hashing to defeat precomputation attacks. Each account gets a different salt, stored alongside the hash, so identical passwords produce different hashes.
Entropy
Randomness collected by an operating system or application for use in cryptography or other uses that require random data. ... A lack of entropy can have a negative impact on performance and security (wiki)
File vs Directory
Read allows us to read file contents and get directory listings. Write allows us to modify file contents and create/remove files within a directory. Execute allows us to execute files and access files in a directory.
Logging activities
Real-time tasks (malware outbreaks, serious internal abuse, loss of service on critical assets, regulated data theft), p191. Daily Tasks (unauthorized configuration changes, disruption in other services, intrusion evidence, suspicious login failures, minor malware activity, activity summary), p192. Weekly Tasks (review inside and perimeter log trends, routine account creation/removal, host and network changes, less critical attack and probe summary), p194. Monthly Tasks (review long-term network and system log trends, minor policy violation summary, various resource usage reports, security technology performance measurement), p195. Quarterly, p196. Annual Tasks (log retention, IT budget planning), p197.
Business Continuity
Recommendations: the client should review the cloud service provider's commitment to maintaining continuity; the client should conduct an on-site assessment of the facility to verify that access controls are used to maintain continuity of service; the client should ensure they'll receive confirmation of BCP/DR tests conducted by the CSP.
Attack Process
Recon, scanning, gaining access, maintaining access, clearing tracks
Cyber Attack Methodology
Recon, scanning, gaining access, maintaining access, covering tracks
RDP
Remote Desktop Services uses TCP 3389
Remote Desktop Services (RDS)
Remote Desktop Services. See p254-255 for a list of roles.
RPC
Remote Procedure Call sessions are used by trust relationships, NetLogon, Outlook, NTLM authentication, remote administration, etc. "Trust relationships, the NetLogon secure channel, Outlook messaging, NTLM pass-through authentication, remote administration, etc all can use RPC-based sessions. RPC sessions typically begin with a client connection to TCP/135 on the server. Then, the server will redirect the client to another "ephemeral" high-numbered port for subsequent communications."
LASSO
Remote Windows to syslog mass conversion
Systemd
Replaces the init daemon. Starts services in parallel, monitors them after boot and supports device hotplugging, which gives faster boots. Kali uses systemd. Services and daemons are managed as actions against units; service unit files carry the .service suffix. 3 core functions: an integrated method for managing both systems and services; a framework for creating and developing new services; an interface between apps and the kernel that is more controlled and secure. systemd timers can replace cron jobs, but cron itself still runs as a service under systemd.
Universal Groups
Replicated to every domain in a multi-domain forest.
IDS
Reports attacks against monitored systems/networks. Alarm System. Mature technology. Requires monitoring, alerting and reaction. Doesn't replace other security controls. High-maintenance and expensive. Requires well-trained staff to understand and correctly interpret alerts generated. Analyst needs comprehensive policies governing information security and a clear understanding of what actions are needed to protect business assets.
Noncompliance Policies
Reprimand, termination. Legal violations: criminal, civil, regulatory.
Active Directory Service Access
Required to begin logging access to AD objects, as defined by those objects' SACLs.
Reset vs Refresh
Reset sets the system back to factory defaults, "remove everything." Refresh keeps your data files and personalization preferences, but not firewall rules or 3rd-party apps.
ReFS
Resilient file system. Supports 35,000TB. Not bootable. Used for large storage volumes
Public
Resources on the Internet. Cannot be trusted.
Corrective Control
Response that fixes or contains a threat once it is found.
Conditional Access Policies
Restrict resources by group membership, trusted device, IP address, geolocation.
find /lib/modules/$(uname -r) -name '*modulename*'
Return all kernel modules for the running kernel whose name contains the specified string. Use $(uname -r) (command substitution) rather than single quotes, and quote the glob so the shell doesn't expand it before find sees it.
ROSI
Return on Security Investment
RAP
Reuse Attack Protector
Security Configuration Wizard (SCW)
Security Configuration Wizard: GUI wizard to disable unneeded services, configure Windows Firewall, IPSec policies, IIS web settings, etc. for the selected roles on older Windows OSes. Produces an XML policy.
SCA
Security Configuration and Analysis Tool
Reversible Encryption
Reversible algorithms are not recommended for passwords. Use irreversible algorithms, i.e. salted hashing.
Password Encryption
Reversible algorithms are not recommended for passwords. Use irreversible algorithms, i.e. salted hashing. If an attacker finds the key for one password, chances are he now has the key to all the passwords in the database. See Reversible Encryption.
Password Strength
Reversible algorithms are not recommended for passwords. Use irreversible algorithms, i.e. salted hashing. Reversible encryption is only as secure as your ability to keep the attacker from finding the key to decrypt the passwords.
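The Salt, Password Encryption and Precomputation (Rainbow Table) entries above, as one added example that is not from the deck: an attacker builds a lookup table of unsalted SHA-256 hashes once and reuses it against any stolen database, while per-account salts with PBKDF2 force the work to be redone per entry per guess. The wordlist and the "stolen" hashes are constructed; only the standard library is used.

```python
"""Why salts defeat precomputation: unsalted lookup vs. salted PBKDF2.

Added example, not the deck's code. WORDLIST and the stolen hashes are constructed.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Winter2024", "qwerty"]   # constructed, tiny on purpose


def unsalted(pw):
    """The weak scheme: one deterministic hash per password, identical for every user."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw, salt=None, rounds=200_000):
    """The sound scheme: random 16-byte salt and PBKDF2-HMAC-SHA256 with a work factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify(pw, stored):
    """Recompute with the stored salt and rounds; constant-time comparison."""
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def precomputed_table(words):
    """Attacker builds this once (a rainbow table in miniature) and reuses it everywhere."""
    return {unsalted(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """Unsalted hashes fall to a dictionary lookup: no hashing at attack time."""
    return {h: table[h] for h in stolen_hashes if h in table}


def crack_salted(stored_entries, words):
    """With salts every entry needs its own PBKDF2 run per guess; nothing is reusable."""
    results = {}
    for entry in stored_entries:
        for w in words:
            if verify(w, entry):
                results[entry] = w
                break
    return results


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    stolen = [unsalted("letmein"), unsalted("correct horse")]     # constructed "stolen" hashes
    print("unsalted cracked instantly:", crack_unsalted(stolen, table))
    a, b = salted("qwerty"), salted("qwerty")
    print("same password, different salted hashes:", a != b)
    print("salted cracked only by re-hashing each guess:", crack_salted([a], WORDLIST))
```

Note that salting does not rescue a weak password: "qwerty" still falls to the per-entry guess loop, just without the precomputation shortcut. The work factor (rounds) is what makes each guess expensive.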
/var/log/rkhunter.log
Review this log after running a complete check of the system (the configuration file is /etc/rkhunter.conf).
Rhosts
~/.rhosts is the per-user equivalent of the /etc/hosts.equiv file. It contains a list of host-user combinations rather than hosts in general. If a host-user combination is listed, the specified user is granted permission to log in remotely from the specified host without supplying a password. .rhosts is vulnerable: an attacker who can write the file, e.g. with echo "+ +" > ~/.rhosts, trusts every user from every host.
Risk
Risk = Threats x Vulnerabilities. The job of the security professional is to constantly track, manage, and mitigate risk to an organization's critical assets. "While threats drive the risk calculation, vulnerabilities drive the risk reduction" p13.
RBAC
Role based access control
Incident Response
Roles and responsibilities in IR must be agreed upon in the SLAs between the CSP and the customer. The customer won't be able to conduct a forensic investigation of network components managed by the CSP.
Rkhunter
Rootkit Hunter scans for rootkits, backdoors, and possible local exploits by comparing SHA-1 hashes of important files with good ones in an online database.
rkhunter -c --enable all --disable none
Rootkit Hunter to run a complete check of the system.
Rootkit Detectors
Rootkit detectors work best with file integrity checking. Work best at detecting kernel-level rootkits.
Vector of Attack
Routers and Switches are often not kept up to date and can give attackers visibility into the network.
RSBAC
Ruleset-Based Access Control
Cygwin
Run Linux packages compiled in a Linux-like environment (Cygwin) on Windows. It's a small app that gives access to ported libraries and programs from Linux on the Windows desktop. Good for Linux development. Don't install everything! If utilities aren't ported, you can locate the source code and compile them into a Cygwin-ported binary. It's not an emulator.
snort -c /etc/snort/snort.conf -i eth0 -A full
Run snort with the specified configuration in /etc/snort/snort.conf on int eth0 in full alerting mode.
Windows Defender App Guard (WDAG)
Runs Edge Browser inside a container, application sandbox.
S Mode vs Full Mode
S Mode is stripped down and will only allow for M$ apps and Edge Browser.
SCA
Security Configuration and Analysis Tool. Its an mmc snap-in. See secedit.exe for cli version of tool.
SCA
Security Configuration and Analysis snap-in tool. Secedit.exe cli version of tool. Compare computer policies against a template.
Netcat
Classic but still relevant and effective scanning and connection tool, often used both to steal sensitive files from a victim system and to upload malicious files.
SHA-1-SHA-2
SHA-1 output is 160-bit. SHA-2 is a family with 224-, 256-, 384- and 512-bit outputs (SHA-256 and SHA-512 are the common ones). SHA-3 offers the same output sizes with a different (Keccak) construction.
File Integrity Checking
SHA1
SIEM for Web
SIEM log correlation helps with timely detection of attacks by watching log files.
Service Set Identifier (SSID)
SSID is network name.
SUID/SGID
SUID allows a file to execute with the privileges of the file's owner (SGID, the file's group). /usr and /usr/local contain SUID/SGID programs but can be mounted read-only. Best practice is to track which programs have SUID and SGID set.
O365
SaaS and DaaS. VoIP, desktop Windows, web-hosting, etc.
WPA
WPA was an interim subset of 802.11i built on TKIP; WPA2 implements full 802.11i. Temporal Key Integrity Protocol (TKIP) and Counter-Mode/CBC-MAC Protocol (CCMP, AES-based) provide encryption, replay protection and integrity protection; TKIP is now deprecated and CCMP should be used.
Firewalls
Same software can provide both network and host-based firewalls, allowing for centralized management and control.
Administrative Unit
Same thing as Organizational Unit, but in Azure.
Port Scan
Scans for open ports on remote host(s).
Set-ScheduledTask
Modify an existing scheduled task from PowerShell; use Register-ScheduledTask to create a new one.
Cron
Scheduling daemon that starts an action in the background at a preset time. crond syncs off the system clock. Under systemd it still runs as a normal service; systemd timers are an alternative, not a conflict.
Grep
Search logs.
LogParser
Search logs.
Splunk
Search logs.
Header Stanza
Second part of an HTTP client request. The headers that follow the request line can carry any information the client wants to convey. Headers the server doesn't understand are ignored, not rejected, which is why unknown headers are a common place to smuggle data.
Bitlocker
Sector-level encryption AES-128 or 256 and verification of the integrity of boot-up files and other startup data structures. It must have at least 2 volumes: boot and system. Only the boot volume is encrypted. AES-128 by default.
UEFI Secure Boot
Secure Boot requires UEFI, Windows 8 or later and a GUID Partition Table (GPT) bootable HDD partition. It doesn't require TPM or whole drive encryption. Secure boot is able to resist malware on bootup.
SKEME
Secure Key Exchange Mechanism
SSP
Secure Simple Pairing
SAT
Security Access Token
SAT
Security Access Token includes user SID, AD group SIDs, local group SIDs, privileges listed in local server's registry (32)
SCW.exe
Security Configuration Wizard
Covering Tracks
Security logs, file manipulation, creating accounts, rootkits
sed -n '1~2p' license.txt
Print every other line (1, 3, 5, ...) of license.txt. The first~step address is a GNU sed extension; -n suppresses the default output so only the lines selected by p appear.
sed -n '1,5p' license.txt
sed prints the first five lines of license.txt, and only once, because -n suppresses the default echo of every line.
RFC826
See ARP
Open Threat Exchange
See Alien Vault.
Protocol Analysis
See Application Analysis
Network Adapter Binding
See Binding, Network.
Intellectual Property
See Copyright.
ISO 27002:2013 Annex A
See Critical Security Controls Standards Mapping
NIST 800-53
See Critical Security Controls Standards Mapping
NIST Core Framework 2014
See Critical Security Controls Standards Mapping
Information-Centric Defense
See Defense-In-Depth. Information-centric defense starts with an awareness of the value of information within an organization. Identify the most valuable information and implement controls to prevent unauthorized employees from accessing it. A good starting point is to identify your organization's intellectual property, restrict it to a single section of the network, assign a single group of sysadmins to it, mark the data, and thoroughly check for this level of data leaving your network.
URL Directory Traversal
See Directory Traversal Attack.
Domain Guest Account
See Global Guest Account
Global Guest Account
See Guest Account
NIDS Challenges
See IDS Challenges.
GPO Option Sharing and Security Model
See Local Guest Account
Sharing and Security Model GPO Option
See Local Guest Account
Log Tasks
See Logging Activities
Network Location Firewall Defaults
See Network Profile.
Session Cookie
See Non-Persistent Cookie
Stateless Packet Filter
See Packet Firewall.
Load Testing
See Performance Testing.
Rainbow Table Attack
See Precomputation Attack. Rainbow Table store precomputed hashes.
Enclave
See Protected Enclave.
Network Enclave
See Protected Enclave.
Next Gen Firewall
See Proxy Firewall.
Advanced Sense Analytics Engine
See QRadar.
Log Management Software
See SIEM for Web
DMZ
See Semi-Public.
IDS Rules and Signature Criteria
See Signature Analysis for a quick list of criteria.
Forensic Snapshots
See Snapshots.
System Snapshots
See Snapshots.
Functionality Testing
See Software Testing.
Meltdown
See Spectre
802.11ad
See Super Bluetooth.
Services
See System Services, how to disable
World Wide Web Publishing Service
See System Services, how to disable. Screenshot of WWW Publishing Service Dependencies, p204.
Crypto Key Lengths Compared
See Table on p79
Window Size
See Tarpits
Site-to-Site VPN
See Tunnel VPN
Baremetal Hypervisor
See Type 1 Hypervisor.
Blue Screen of Death (BSOD)
See chkdsk.exe
Information Dispersion
See data dispersion
Get-WindowsFeature
See installed roles and features from PS
servermanagercmd.exe -query
See installed roles and features from cli
get-scheduledtask
See list of current scheduled tasks in PS
Separation
Separate test VMs from production VMs.
Configuration Management Web
Separate, distinct workspaces and environments for different developers and different releases of same product. Version control system that tracks changes to the code, allows developers to check in/check out components, and ensures code changes do not overlap. Formal processes for use of the versioning systems and development environments.
Middleware
Separates DMZ from Private Network. Eg proxy servers that filter and block. Provides and extra layer of protection.
SMB
Server Message Block is a file and print sharing protocol. Over NetBIOS it uses TCP 139; directly over TCP it uses 445. Sometimes called CIFS.
SNI
Server Name Indication
SNI
Server Name Indication used by HTTPS to identify which website is being requested
SSL Initialization
Server presents a public key certificate to client to verify server identity. Clients can present their certs as well.
Headless
Server that does not require a video card, monitor, keyboard or mouse.
W3C
Server-side extended logging format.
Session Tracking/Maintaining State
Session state is a prime target for attack.
Bluetooth Security
Set Bluetooth devices to non-discoverable after they're paired. They'll still respond to page requests from other Bluetooth devices, so scanning for device addresses (BD_ADDR) remains possible. Starting with Bluetooth 2.1, devices use Secure Simple Pairing (SSP), which uses public key cryptography.
Umask
Sets the default permissions assigned to new files and directories. The starting values are 666 for a file and 777 for a directory; the umask bits are cleared from them (a bitwise AND NOT, not an arithmetic subtraction), so umask 022 gives 644 and 755.
Set-Cookie
Set-Cookie Header is created by server and sent to the client in response to client's request. After receiving the cookie, the client places it in a cookie header and sends it back in all subsequent requests to the server.
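The Cookies and Set-Cookie entries above, as an added example that is not from the deck: a parser for Set-Cookie response headers that flags cookies missing the Secure flag, HttpOnly, SameSite, or that persist to disk. The two sample headers are constructed; it uses only Python's standard library.

```python
"""Audit Set-Cookie headers for the security attributes the deck describes.

Added example, not the deck's code. SAMPLE_HEADERS are constructed responses:
one hardened session cookie and one weak persistent tracking cookie.
"""
from http.cookies import SimpleCookie

SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracking=xyz789; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


def audit_set_cookie(header_value):
    """Return {cookie_name: [problems]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:
            problems.append("missing Secure: browser will send it over plain HTTP")
        if not morsel["httponly"]:
            problems.append("missing HttpOnly: readable by page JavaScript (XSS theft)")
        if not morsel["samesite"]:
            problems.append("missing SameSite: attached to cross-site requests (CSRF)")
        if morsel["expires"] or morsel["max-age"]:
            problems.append("persistent: written to disk until expiry, not a session cookie")
        findings[name] = problems
    return findings


def audit_response(headers):
    """Audit every Set-Cookie header a response carried; merges per-cookie findings."""
    merged = {}
    for value in headers:
        merged.update(audit_set_cookie(value))
    return merged


if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "->", problems or "ok")
```

Feed it the Set-Cookie values captured from a proxy (one header per list element, since HTTP allows several). An empty problem list for the session cookie is the target state; a persistent cookie carrying authentication state should be treated as a finding.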
SDN
Software Defined Network
IP Address
Software address. 32 bits or 4 bytes in length. Net_ID and Host_ID.
Package Management Tools
Solve the issue of package maintenance by monitoring for updates and providing a way to automatically upgrade apps.
Body
Some HTTP requests have a body. It is the only place in the request, apart from the URL, where the client sends data to the server, e.g. with the POST or PUT methods.
Collisions
Some hash functions are vulnerable to collisions, where two different inputs produce the same output. A strong hash function makes collisions infeasible to find even for similar inputs. The larger the output bit length, the less likely a collision is (see Birthday Attack for why the effective strength is half the bit length).
Event
Something that happened that you witnessed or can demonstrate actually occured. Not all events are considered incidents.
External Threat
Source of most attacks.
Source Routing
Source routing allows a packet's sender to specify the route the packet takes through the network. It's a security hole because it lets an attacker steer replies to a spoofed address. Disable it with sysctl.
Session User
Source to the Proxy/Application Gateway.
Common Vulnerabilities and Exposures (CVEs)
Standard for cataloging vulnerabilities
X.509
Standard for digital certificates that includes subject and issuer details, validity period, the algorithms used, the subject's public key (never the private key), and the signature of the issuing CA.
Host OS
Standard installed OS that provides virtualization platform. Has direct access to the hardware, p46
Server Editions
Standard, Enterprise, Datacenter, Small Business and Server Essentials
Protocols
Standardize format of communication, specify the order or timing of communication, allow all parties to determine the meaning of a communication.
ISA SP-99
Standards refering to combination of software and hardware that allows information to flow out of a secure network unidirectionally. See IEC 62443
IEC 62443
Standards refering to combination of software and hardware that allows information to flow out of a secure network unidirectionally. See ISA SP-99
df
Stands for disk free. Used to see how much hdd space is used by mounted partitions.
systemctl start name.service
Start a service using Systemd.
gpa &
Start up Gnu Privacy Assistant (GPA) tool and run in background.
Policy and Risk Management
Start with policy because it dictates the security posture the company wants to take with respect to protecting its resources.
Nano Server
Starting with Windows 2016. Less than 110MB drive space. Can only be run as a container, not a VM. Mainly intended for web apps.
TCP Flags
Stateful Firewalls can respond intelligently to out of order packets that include malformed TCP flag combinations.
Windows Firewall
Stateful dynamic filtering. Deep integration with the IPSec driver, making it easy to set up IPSec encryption with Kerberos authentication, p216. It lacks the sophisticated intrusion capabilities offered by other personal firewalls, and there's no support for automatic forwarding of log data to a central server. See Keep Blocking and Unblock, p222. Manage the firewall with Group Policy, PowerShell or netsh.exe, p220. For firewall-IPSec integration: Secure Connection is mutual authentication and packet signing; Require Encryption is mutual authentication and encryption, p220.
Ack Flag
A stateless packet filter doesn't track TCP state, so it typically passes any packet with the ACK flag set on the assumption it belongs to an existing connection. That makes it vulnerable to an ACK scan.
Birthday Attack
Collision attack based on the birthday paradox: finding any two inputs with the same hash takes about 2^(n/2) attempts for an n-bit hash, not 2^n. If an attacker can find two messages that generate the same hash value, they can substitute one message for the other. Also useful with a list of password hashes: if they can hash enough candidates to cause a collision, it's as good as having the original cleartext password.
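The Collisions and Birthday Attack entries above, as an added example that is not from the deck: a birthday search against SHA-256 truncated to 24 bits (standing in for a weak hash), which finds a collision in roughly sqrt(2^24) ≈ 4096 attempts, beside a second-preimage search that needs on the order of 2^bits. Inputs are constructed counter strings.

```python
"""Birthday search vs. brute-force preimage on a truncated hash.

Added example, not the deck's code. Truncating SHA-256 to `bits` simulates a
short hash; the attempt counts make the 2^(n/2) vs 2^n difference visible.
"""
import hashlib


def truncated_hash(data, bits=24):
    """Top `bits` bits of SHA-256(data) as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits=24, prefix=b"msg-"):
    """Return (m1, m2, tries): two distinct messages with equal truncated hashes.

    Memory grows with the number of tries; a real attacker would use Floyd/rho
    cycle finding instead of a dict, but the attempt count is the same order.
    """
    seen = {}
    n = 0
    while True:
        m = prefix + str(n).encode()
        n += 1
        h = truncated_hash(m, bits)
        if h in seen and seen[h] != m:
            return seen[h], m, n
        seen[h] = m


def brute_force_preimage(target, bits=24, prefix=b"pre-"):
    """Second-preimage search for comparison: expected about 2^bits attempts."""
    n = 0
    while True:
        m = prefix + str(n).encode()
        n += 1
        if truncated_hash(m, bits) == target:
            return m, n


if __name__ == "__main__":
    m1, m2, tries = find_collision(24)
    print(f"collision after {tries} tries: {m1!r} and {m2!r} -> {truncated_hash(m1):06x}")
    target = truncated_hash(b"document.pdf", 16)
    m, tries = brute_force_preimage(target, bits=16)
    print(f"16-bit preimage after {tries} tries: {m!r}")
```

Running it shows the collision at a few thousand attempts while even the 16-bit preimage takes tens of thousands; for a 128-bit hash the birthday bound is 2^64, which is why MD5's 128 bits were never "128 bits of security" against substitution attacks.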
Cryptographic Algorithm
Step-by-step procedure to encipher plaintext and decipher ciphertext
Persistent Cookie
Sticks around until its expiration date which could be years. Stored in a text file on client's hdd.
SSH
Still vulnerable because adversary can brute force the password, passwords lack complexity, not changed often, do not have a lockout and are the same across the organization. Only allow SSH access to router from the router's internal interface. Force everyone to VPN in first, and then SSH to the router. VPN sessions are logged and router SSH sessions usually aren't.
/var/log/syslog
Store logs in flat files here.
/dev and /devices
Holds the device files that talk to system hardware. Device nodes belong only here, so mount other filesystems (/home, /tmp, /var) with nodev so that device files created elsewhere are ignored.
/etc/fstab
Stores info about disk partitions, mount points, and options applied to each partition
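The File System Security, SUID/SGID, Umask and /etc/fstab entries above, as one added example that is not from the deck: how a umask is actually applied (masked, not subtracted), a walker that lists set-UID/set-GID programs, and an audit of a constructed /etc/fstab against a mount-option policy (nosuid, nodev, noexec). The POLICY and SAMPLE_FSTAB values are assumptions for illustration.

```python
"""Linux permission hygiene: umask, set-id detection, fstab mount-option audit.

Added example, not the deck's code. SAMPLE_FSTAB and POLICY are constructed.
"""
import os
import stat


def apply_umask(default_mode, umask):
    """Bits in the umask are cleared, not subtracted: 0666 with umask 0133 is 0644, not 0533."""
    return default_mode & ~umask & 0o777


def is_setuid_or_setgid(mode):
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_files(root):
    """Walk a tree and return regular files carrying the set-UID or set-GID bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: don't follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                hits.append(path)
    return hits


# Assumed policy: mount point -> options that must be present.
POLICY = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev"},
    "/home": {"nosuid", "nodev"},
}

SAMPLE_FSTAB = """\
# constructed sample, not a real host
UUID=1111-aaaa  /      ext4  defaults                     0 1
UUID=2222-bbbb  /var   ext4  defaults,nodev               0 2
UUID=3333-cccc  /tmp   ext4  defaults,nosuid,nodev,noexec 0 2
UUID=4444-dddd  /home  ext4  defaults                     0 2
"""


def audit_fstab(text, policy=POLICY):
    """Return {mount_point: missing_options} for every mount that violates the policy."""
    missing = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mount, opts = fields[1], set(fields[3].split(","))
        if mount in policy:
            gap = policy[mount] - opts
            if gap:
                missing[mount] = gap
    return missing


if __name__ == "__main__":
    print(f"umask 022 on a file: {apply_umask(0o666, 0o022):04o}")
    print(f"umask 027 on a dir:  {apply_umask(0o777, 0o027):04o}")
    print("fstab gaps:", audit_fstab(SAMPLE_FSTAB))
    print("set-id files under /usr/bin:", find_setid_files("/usr/bin")[:5])
```

On a real host, diff the find_setid_files output against the baseline you recorded at build time; a new set-UID binary outside /usr or /usr/local is exactly what the entry above says users must not be able to introduce.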
/etc/passwd
Stores username, User ID, etc
Sudo and Sudoers
Su switch users. Sudo gives more granular control. Use sudo and setup auditing and role-based control.
AllowedPaths
Subkey off winreg defines registry paths that will still be remotely readable despite your share permissions on the winreg key.
Guideline
Suggestions. Applies to security measure that might be implemented in more than one way.
AES - Advanced Encryption Standard
Supports 3 keys sizes: 128-bit, 192-bit, 256-bit. Algorithm in depth on p74-75.
MFA Azure AD
Supports SMS with a PIN, M$ Authenticator App, Phone Call with recorded message, etc.
Rsyslogd
Supports both local and remote logging, syslog.conf, regex. Located in /etc/rsyslog.conf or /etc/rsyslog.d/*.conf.
SELinux
Supports role-based access controls
Firwalld
Firewalld. Uses zones to define trust levels for each interface. Exposes a D-Bus interface that is also used by the firewall configuration tools firewall-cmd, firewallctl and firewall-config. RHEL 7, CentOS 7, Fedora 18 and newer use firewalld as the default management tool. Features listed on p214.
chkconfig --del syslog && chkconfig --add syslog-ng
Switch from traditional syslog to syslog-ng
SSL Encryption Keys
Symmetric. The session keys are agreed per TLS session, either by the client encrypting a random premaster secret to the server's RSA public key or by both sides running a DH exchange; new keys are derived for each session (not each HTTP request), and session resumption can reuse the earlier master secret.
sysctl
sysctl is used to audit and modify kernel settings while the system is running. The settings are exported as part of procfs under /proc/sys. Use it to view and change settings such as source routing, ICMP rate limiting, and address-space randomization for processes. Modify kernel runtime parameters to tune system performance and security (rootusers.com). Setting kernel.modules_disabled=1 disables the loading of any new kernel modules until reboot.
syslog security
Syslog traffic in cleartext makes it vulnerable to replay attacks. UDP so unreliable delivery and easily spoofed to get past ACLs. It can be configured to use TCP, but syslog doesn't prioritize and differentiate messages.
SACL
System ACL
SACL
System ACL that enables administrators to log attempts to access a secured object.
SOC
System On a Chip
System Services, how to disable
System Services in GPO allow you to disable any services in AD.
System Directories
System directories are installed with Linux. Some have sticky bit set like /tmp and /var/tmp
Attack Commonalities
System visible from public Internet; Unchecked scanning and enumeration; unpatched vulnerability was exploited; system had weak authentication.
SYN Flood Attack
Attacker sends a flood of TCP SYN packets, usually with spoofed source addresses, to a destination server. Each SYN leaves a half-open connection in the server's backlog; once it fills, legitimate clients can't connect. A type of DoS attack; SYN cookies (net.ipv4.tcp_syncookies) are the usual host-side mitigation.
SQL
Microsoft SQL Server: TCP 1433 for queries, UDP 1434 for the SQL Server Browser service that resolves instance names to ports.
TPM.msc
TPM management
Cold Boot Attack
The TPM-only BitLocker mode is vulnerable to this attack because the volume key is released into RAM without a PIN or startup key. The attacker cuts power (or chills the RAM), reboots from live media, and reads the BitLocker key and other sensitive data from the still-charged RAM.
Evidence Integrity
Take a forensic hash of the image. MD5 is still the most commonly seen; record SHA-256 alongside it since MD5 collisions are practical.
Hyperjacking
Take control of Hypervisor and gain access to all VMs. Typically launched against Type 2 Hypervisors. Fake hypervisor is installed on the host machine.
Takeown.exe
Take ownership of files recursively on local or remote computer.
MD5
Takes variable-length input and produces fixed-length output that is 128 bits. Output is referred to as hash, digest, fingerprint.
Ruleset-Based Access Control
Targets actions based on rules for subjects (entities) operating on objects (data). Its implemented in apps and OSes.
Vulnerability Scanning
Test for services on multiple ports across multiple machines, test whether a vulnerability is present, and report. Notify everyone of the upcoming scan and provide contact info. Scan when you're available in the office or by phone. Scan thoroughly but don't DoS the network. Prioritize vulnerabilities based on your environment. The focus of the program should be on remediation, not on the scanning. What are the highest-risk systems? Scanning AND remediation of those systems should be phase 1.
gedit
Text editor.
/proc/sys
The files here represent the current state of the kernel.
Local Guest Account
The local guest account should be disabled and have a non-blank password, mainly because of the unexpected automatic logon feature. This is the recommendation for the local guest account on all machines. "To discourage the use of local accounts in general, the recommendation is to set the "Sharing and security model" GPO option to "Guest only" so that the end result is automatic demotion to an account which has been disabled and has a non-blank password, i.e., it deliberately breaks the access when doing an over-the-network logon to access a shared folder or printer. *If* local accounts are going to be used anyway, despite the recommendation to use global accounts whenever possible, then the GPO option should be set to "Classic", i.e., to not require everyone to log on with their own local accounts. But even in this case the guest account should still be disabled and have a non-blank password." -Jason Fossen
awk '/^UUID/ {print $1;}' /etc/fstab
Use awk to list all UUIDs in /etc/fstab.
ls
Use ls to establish a baseline. Simple is better.
netsh advfirewall show allprofiles
Use netsh to see all Windows Firewall profiles
Exploit
Use of a specific attack against a specifically identified vulnerability of the target.
Gap Analysis
Use qualitative, quantitative, or best practice/checklist risk measurement to define the gap between our current risk status and where we want to be.
/bin/sh
Use rbash to go to restricted shell.
IPv6 Hardening in Linux
Use sysctl to harden IPv6 by doing 3 things: disable router advertisements, prevent self-assignment of IPv6 addresses, adjust rate-limiting to limit resources used.
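The sysctl, Source Routing, SYN Flood and IPv6 Hardening entries above, as one added example that is not from the deck: an auditor that compares a host's sysctl values against a hardening baseline and renders the baseline as /etc/sysctl.conf lines. The sample sysctl -a output is constructed; the key names are standard Linux ones, but the baseline values are an assumed policy, not the deck's.

```python
"""Audit kernel parameters against a hardening baseline.

Added example, not the deck's code. SAMPLE_SYSCTL is constructed `sysctl -a`
output; on a real host feed it subprocess.run(["sysctl", "-a"], ...).stdout.
"""

# Assumed baseline (key names are real Linux sysctl keys).
BASELINE = {
    "net.ipv4.conf.all.accept_source_route": "0",   # source routing: disable
    "net.ipv4.conf.all.accept_redirects": "0",      # ICMP redirects: disable
    "net.ipv4.tcp_syncookies": "1",                 # SYN flood mitigation
    "net.ipv6.conf.all.accept_ra": "0",             # no router advertisements
    "net.ipv6.conf.all.autoconf": "0",              # no SLAAC self-assignment
    "kernel.randomize_va_space": "2",               # full ASLR
    "kernel.modules_disabled": "1",                 # one-way: no new modules until reboot
}

SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.autoconf = 1
kernel.randomize_va_space = 2
kernel.modules_disabled = 0
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; ignores anything without '='."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_sysctl(text, baseline=BASELINE):
    """Return {key: (current, expected)} for every deviation; absent keys show current=None."""
    current = parse_sysctl(text)
    return {k: (current.get(k), v) for k, v in baseline.items() if current.get(k) != v}


def render_sysctl_conf(baseline=BASELINE):
    """Emit /etc/sysctl.conf lines so the fixes persist across reboots."""
    return "\n".join(f"{k} = {v}" for k, v in baseline.items()) + "\n"


if __name__ == "__main__":
    for key, (cur, want) in audit_sysctl(SAMPLE_SYSCTL).items():
        print(f"{key}: is {cur}, want {want}")
    print(render_sysctl_conf(), end="")
```

Apply the rendered file with sysctl -p. One caveat from the deck's own entry: kernel.modules_disabled is one-way, so put it somewhere that runs after every module the host needs has loaded, not in the early-boot sysctl.conf, or the next boot will fail to load them.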
File Integrity Checking
Use to monitor files and configuration of web server to look for defacement of website. "Monitors the file system based on the number of preset rules and generates alerts when modified, or deleted out of compliance with those rules." Monitor the web server files and web server configuration settings.
xxd snort.log
Use xxd tool to review snort.log file.
Discrete Logarithm
Used by El Gamal, DH and the Schnorr signature scheme. Intractable problem.
Integer Factorization
Used by RSA. Intractable problem.
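The Intractable Problems, Discrete Logarithm and Integer Factorization entries above, as one added example that is not from the deck: a Diffie-Hellman exchange over a toy prime, the fast modular exponentiation each party uses, and the brute-force discrete logarithm an eavesdropper must solve. The prime is tiny on purpose so the attack finishes instantly; the point is that the defender's work is polynomial in the bit length of p while the attacker's trial search is linear in p itself, i.e. exponential in the bit length.

```python
"""Diffie-Hellman with a toy prime, and the discrete log an eavesdropper faces.

Added example, not the deck's code. p=23, g=5 is the textbook toy group;
real deployments use primes of 2048 bits or more, where the search below is hopeless.
"""
import secrets


def dh_keypair(p, g):
    """Private exponent in [1, p-2] and public value g^x mod p. pow() is polynomial time."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(their_public, my_private, p):
    return pow(their_public, my_private, p)


def discrete_log_bruteforce(g, h, p):
    """Smallest x with g^x = h (mod p), by trial: O(p) multiplications."""
    acc = 1
    for x in range(p):
        if acc == h:
            return x
        acc = (acc * g) % p
    return None


def eavesdrop(p, g, alice_public, bob_public):
    """Passive attacker who saw p, g, A and B recovers the shared secret via one discrete log."""
    a = discrete_log_bruteforce(g, alice_public, p)
    if a is None:
        return None
    return pow(bob_public, a, p)


if __name__ == "__main__":
    p, g = 23, 5
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    print("Alice and Bob agree:", dh_shared(B, a, p) == dh_shared(A, b, p))
    print("Eve recovers the secret from A and B:", eavesdrop(p, g, A, B) == dh_shared(B, a, p))
```

Try p = 104729 and watch the eavesdropper's loop slow down while pow() stays instant; that asymmetry, not secrecy of the algorithm, is the entire security argument for DH, El Gamal and (with factoring in place of the log) RSA.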
Emitting Event
Used by Upstart when jobs need to send or cause events to trigger other jobs. Ideal for jobs that have dependencies on other jobs.
Event
Used by jobs in Upstart to cause and allow activity on a system to occur. An event might be a time of day that triggers a job to start.
World-Writable Directories
Used by programs to hold intermediate results. Its extremely important to set sticky bit on world-writable directories.
Port Forwarding
Used extensively to keep unwanted traffic off networks. Intercepts traffic destined for certain IP address and port combination and redirects to different IP and/or port number to hide exactly what services are running on the network, using only IP addresses to carry out multiple tasks and dropping all unrelated traffic at the firewall.
Management Port
Used for authorized sniffing.
Port mirroring
Used for authorized sniffing.
SPAN
Used for authorized sniffing.
Compmgmt.msc
Used for local management of users and groups
ZigBee Wireless
Used for product tracking, medical device monitoring, sensor monitoring, control networks and home automation, e.g. Honeywell HVAC. Simple protocol requiring fewer memory and processor resources than Bluetooth. Built on IEEE 802.15.4. AES-CCM keys can encrypt the MAC, Network and Application layers, but this takes more resources and is considered optional. Good for M2M applications. ZigBee mesh networks use IPv6 addressing.
SAM Database
Used for storing local accounts and passwords.
modprobe
Used to add and remove loadable kernel modules (LKMs) to the kernel. Exists in /etc/modprobe.d. Can be used to whitelist/blacklist specific modules.
python struts-pwn.py -h
Used to exploit Apache struts.
Big-O Notation
Used to give a general idea of how many operations a problem takes relative to the input size n.
GECOS
Used to guess passwords
Application Monitoring Software
Used to identify availability issues.
netsh.exe
Used to manage the Windows firewall and network adapters from the CLI.
Core Evaluation Test
Used to measure the success of control implementation, e.g. did the controls find and alert within 24 hours on an installed app that's not whitelisted?
WSMAN
Used for remoting with PS Core.
Claims
A user's claims are the set of attributes of that user's account in AD, e.g. military rank, security clearance level, etc.
/home, /export/home
User home directories
Ack Scan
When an attacker sends packets with the ACK flag set and the packet-filtering firewall permits them ingress to the protected network. Hosts will generate a RST/ACK packet in response, letting the attacker know the host's ports are up and unfiltered.
TCP Sequence Prediction Attack
When spoofing a connection, ACKs do not go back to the attacker. To complete the connection, the attacker has to correctly guess the ISN. Predicting the ISN that the destination host will choose isn't trivial, but can be done. To mitigate this attack, block source-routed traffic and traffic that has a source IP from your private network.
/usr/local
Where 3rd-party apps are typically stored.
Registry
Where Windows stores configuration settings for hardware, the OS, apps and user preferences. See p149 for a user-friendly registry editor using GP.
audit.rules
Where auditd stores rules. Generally stored in /etc/audit/rules.d/audit.rules.
/usr/bin, /usr/sbin
Where programs packaged with the OS are stored.
AppLocker
Whitelists/blacklists executables to protect against malware and unwanted apps. Uses SHA-256 hashes of the app's executable file or script. Create AppLocker rules using a GPO and the wizard. Also supports audit-only mode to test out new rules.
Application Whitelisting
Whitelisted apps are on an approved list of executable files that is cryptographically hashed. Only whitelisted apps are allowed to run. Either set up in passive mode (alerting) or active mode (blocking). Blocking mode is recommended. Passive mode isn't ideal but will provide visibility to the SOC.
Long-Term Channel
Will never get feature updates. Must upgrade entire OS. Only receives monthly quality updates.
Cain & Abel
Windows
MBSA
Windows
Process Hacker
Windows
Secedit
Windows
Steganography
Windows
Wireshark
Windows
WDAG
Windows Defender App Guard
wf.msc
Windows Defender Firewall with Advanced Security
pfirewall.log
Windows Firewall logs in ASCII text in W3C Extended Format. Only dropped packets and the initial packet of a successful connection are logged.
Unblock, Windows Firewall
Windows Firewall will create a rule for this program permitting it to listen on the port it's currently requesting and on any other port it may request in the future.
Keep Blocking, Windows Firewall
Windows Firewall won't allow the program to acquire a listening port. Train users to choose this option when there is any doubt.
WMI
Windows Management Instrumentation programming interface.
WMIC
Windows Management Instrumentation service runs on RPC. Older tool.
Windows RE
Windows Recovery Environment
WinRM
Windows Remote Administration, which is required for remotely connecting to Nano with PS. You can use RDP to connect to Nano, but you won't get a GUI desktop.
M$ Backup Services
Windows Server Backup (WSB) is fully integrated with the Volume Shadow Copy system.
WSUS
Windows Server Update Services
wsl.exe ifconfig
Windows Subsystem for Linux: run ifconfig.
WSL
Windows Subsystem for Linux
WIDS
Wireless IDS
STA
Wireless station
John the Ripper
Wordlist mode is the simplest. Put common words at the beginning of the list. Single Crack mode uses the username and GECOS, is faster than wordlist, and should be used first. Incremental Mode is the most powerful and most time-consuming. External Mode is when John is extended with a subset of C compiled at runtime. Configure the john.ini file to perform substitutions and other transformations. MD5-hashed passwords start with $1$.
Protected Enclave
Workgroups that require additional protection are segmented from the rest of the internal organization. Restrict access to critical segments. Internal firewalls, VLANs, ACLs.
Syslog-NG
Works across a variety of OSes, including M$. Replaces traditional syslog. Filters by hostname and log messages using regex.
Ctrl-L
clear screen
Null User Session
aka Anonymous Access: an SMB session with a blank username and pw. net.exe use \\ipaddress\IPC$ "" /user:"" Null sessions could allow download of the complete list of all user accounts and more from an unfirewalled DC.
Set-GID
aka SGID. Allows a normal user special access privileges to execute with the privileges of the file's group owner. If Set-GID is on a directory, then new files inherit its group ownership. e.g. used by lp to print.
Set-UID
aka SUID. Allows normal users special access privileges to execute with the privileges of the file's owner. N/A for directories.
utmpdump
allows you to dump the contents of a utmp-format file as readable output.
Internal Threats
caused by intentional and unintentional insiders. Most common and most damaging.
chmod
change file attributes; changes the permissions on a file or directory.
Absolute File Modes
chmod 755 means the Owner has rwx, the Group Owner has r-x and Everyone Else has r-x.
cp
copies files
sudo
delegates authority to users.
rm
deletes a file
servermanagercmd.exe
deprecated way to see features.
dmesg
display and driver message. Used to examine or control the kernel ring buffer. Shows diagnostic info about the kernel and system drivers from the bootup process. Also shows some info after the system is booted, e.g. USB devices plugged in. Captures only the kernel's messages, of any log level.
awk
full scripting language tool.
create directive
in logrotate, specifies the file permissions, owner and group used to create the new log file after rotation.
UDP
p160 UDP Header.
DH Key Exchange
p29 explains two-key algorithm.
Password Management
p50 Password protection: protect encrypted passwords, enforce a strong password policy, use one-time passwords or MFA, prevent precomputation attacks. p51 says use a 15-character password, change passwords every 90 days, lock out after 3 failed attempts, passwords must contain at least 1 alpha, 1 number and 1 special character, users can reuse the last five passwords.
grep
performs string searches. Output on p199-200.
/usr
primary OS directory, read-only.
sc.exe
query and reconfigure any service or device driver on a local or remote (standalone) computer; also queries the list of services. Might not be installed; you may have to download it from M$.
last -f /var/log/wtmp
reads from utmp, wtmp and btmp. Shows who logged in, when they logged in, when they logged out, etc. Historical data.
lastb
reads the btmp file to show login failures that have occurred.
who
reads the utmp file and shows who is currently logged in.
btmp
records failed login attempts.
sysctl -a
shows all variables for the system.
/var/log/message
used by the message utility.
nbtstat.exe -A ipAddress
used for reconnaissance.
Log Files of Interest
utmp, wtmp, btmp, dmesg, messages, maillog, secure
Nikto
web server scanning tool that provides system identification and configuration analysis.
Windows Defender FW with Adv Security
wf.msc snap-in.
Buffer Overflows
when poorly coded applications don't do error checking and allow memory buffer space to be overwritten by executable system commands. Defenses: keep the OS, apps, languages, runtime environment and server add-ons up to date and patched; run a vulnerability scanner against your site; implement an IPS or Web App Firewall; validate and sanitize user input.
last -f
will show all last info as well as who last read from the utmp or btmp file.