SANS SEC401

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Anti-spoofing

A method used on some routers to protect against spoofing attacks. A common implementation is to implement specific rules to block certain traffic.

Backups - best practices (common pitfalls)

1. Keep backups on separate networks 2. Use different technologies 3. Frequently verify backup systems and data 4. Cloud storage also requires backups

CIS Controls - Organizational (4)

17. Implement a Security Awareness and Training Program 18. Application Software Security 19. Incident Response and Management 20. Penetration Tests and Red Team Exercises

MAC Address Size

6 bytes (48bits) First 24 bits are the OUI (organizational unique identifier) Second 24 bits are unique identifier of the network interface

IPv4 Header

6 rows of 32 bits , 4 bytes

CIS Controls - Foundational (10)

7. Email and Web Browser Protections 8. Malware Defenses 9. Limitation and Control of Network Ports, Protocols, and Services 10. Data Recovery Capabilities 11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches 12. Boundary Defense 13. Data Protection 14. Controlled Access Based on the Need to Know 15. Wireless Access Control 16. Account Monitoring and Control

BitLocker

A Windows feature that encrypts an entire drive. AES 128 or 256 Boot-up integrity Supports USB and thunderbolt drives Emergency recovery PIN Self encrypting hard drive

Domain Controller (DC)

A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.

snap-in

A Windows utility that can be installed in a console window by Microsoft Management Console.

LDAP (Lightweight Directory Access Protocol)

A communications protocol that defines how a client can access information, perform operations, and share directory data on a server. Used to communicate with AD.

Registry

A database that Windows uses to store hardware and software configuration information, user preferences, and setup information.

ZigBee

A form of wireless communications frequently used in security systems and heating and cooling control systems.

C2 frameworks and implants

A piece of software, often with c2 and lateral movement capabilities, which perform actions desired by the author

Variable trust

An implementation of zero trust model where the system scores a trust level based on a number of factors. If you have a high enough score, then the user is granted access. Factors include type of user access, correct username/password, geo location, device compliancy, and type of application.

Windows as a Service (WaaS)

An update process for Windows 10 in which new features are continuously published and installed to existing Windows 10 installations.

OSI Layers compared to TCP/IP layers

Application = application, presentation, session Transport (tcp) = transport Internet (ip) = network Network = data link, physical

ASIC

Application Specific Integrated Circuit

Symmetric encryption techniques

Basic - substitution - XOR - Rotation Arbitrary substitution - permutations - hybrid

VM escape

Being able to run code from inside the VM that ends up being run on the host

Fully automated malware analysis

Can analyze a lot in little time but it produces false positives Low cost Cuckoo sandbox is best free tool

Discretionary Access Control (DAC)

Control that the user can manage, such as username, password and some file permissions

Benefits of cloud computing (5)

Cost Speed Scale Productivity Security

GPU acceleration (for password cracking )

Cracking tools can split the work of hashing over several CPUs and can also use GPUs to speed it up more

Server nano

Even smaller than server core, no GUI, no command shell, run as a container , headless (managed over network, not at console)

NTFS Owner

Every folder and file has an owner that can change permissions

IAL 2

Evidence-based, verified by a credential service provider

Privileges

General capabilities a user has on a computer Not related to particular objects Managed per computer through group policy or power shell

TCP -- Closing a TCP Session

Graceful Closure 1. FIN / ACK 2. ACK , FIN / ACK 3. ACK Abrupt Closure (aka "aborting a connection") 1. RST / ACK

AGULP

How privileges and permissions should be applied ▼Accounts ▼Global Groups ▼Universal Groups Local Groups ▲Permissions & Rights

Physical Topology

How devices are physically connected together How communications are sent over the physical connection (electrical signaling, pulses of light, radio, etc.)

IaC

Infrastructure as code Virtual infrastructure

IPSec

Internet Protocol Security. A collection of protocols to provide network security services. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH (authentication header) and ESP (encapsulating security payload). AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.

IGW

Internet gateway Connects resources within VPCs with the internet

IDS

Intrusion Detection System

IPS

Intrusion Prevention System

Diffie-Hellman key exchange

Invented in the 1970s, it was the first practical method for establishing a shared secret key over an unprotected communications channel.

Data Recovery

Is a procedure in which corrupted or unreadable data is recovered from a faulty storage medium, may include the following 1. Repairing of storage medium 2. Imaging data to another medium 3. Logical data recovery (damaged file systems must be fixed first) 4. Repair damaged data

OWE

Opportunistic Wireless Encryption- wireless encryption between devices and access points, even on open , insecure networks.

Other uses for PKI

Partial or whole disk encryption Code and driver signing User authentication IPSec and VPN authentication Network access control/protection

Establishing a TCP Connection

SYN, SYN/ACK, ACK. (TCP HANDSHAKE)

Types of cloud services (3)

SaaS , software as a service PaaS , platform as service IaaS , infrastructure as a service

How to fight pre-computation attacks

Salt and pepper so that hashes cannot be similar

Salt and pepper values

Salt is a string of random characters added to a password before hashing it Pepper is a salt that is kept secret and stored securely

HIPS advantages

Same as HIDS but more timely prevention Anomaly analysis stops unknown attacks Buys more time for patch management Better defense for systems with expanding network perimeter Protects traveling laptops Application behavior monitoring

SELinux

Security-Enhanced Linux. A trusted operating system platform that prevents malicious or suspicious code from executing on both Linux and UNIX systems. It is one of the few operating systems that use the MAC model.

SSL/TLS

Secure Sockets layer / Transport Layer Security - An encryption layer of HTTP that uses public key cryptography to establish a secure connection. Port 443 Not guaranteed security

Steps to prevent data leaks

Secure data storage Intrusion detection Exfiltration detection UAM

SCA Snap-in

Security Configuration and Analysis can apply a security template and compare a computers configuration against a security template. Security Policy Verification.

SIEM

Security Information and Event Management. A security system that attempts to look at security events throughout the organization.

SAE

Simultaneous Authentication of Equals - generates unique, per client keys

Benefits of network architecture understanding

Situational awareness Prioritization of effort Reduced cost of effort Timely detection of attacks Timely detection = timely response = reduction of damage

Frequency Analysis (encryption)

A technique that is based on how frequently certain letters appear in English versus others. -this is the way to crack one-to-one substitution ciphers

Approaches to Defense-in-Depth (4)

Uniform Protection Protected Enclaves Information Centric Vector-Oriented

UAM

User activity monitoring A tool that tracks what internal end users are doing on the network

Linux user accounts and groups

Usernames and passwords are case sensitive Every username and group name has a corresponding numeric ID.

Port scanning

Using a program to remotely determine which ports on a system are open, listening (e.g., whether systems allow connections through those ports).

Goals of Cryptography

confidentiality, integrity, authentication, & Non-repudiation

Journaling File System

is one that keeps track of the information written to the hard drive in a journal for redundancy.

Linux file system security options (3)

ro, read only Nosuid , SUID/SGUID bits are ignored on all programs Nodev, special device files will not work

umask (Linux)

set the default file permissions for new files Reads existing umask setting Chmod changes existing file permissions

Cold boot attack

side-channel attack related to removing RAM from computer while it still contains encryption key, then reading it on a different computer

DNS port

TCP/UDP 53

Azure Sentinel

(SIEM + SOAR) * cloud Security Information Event Management + security orchestration automated response

WSUS

(Windows Server Update Services) is a computer program that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment

IPSec Modes

- Transport Mode (Only data encrypted) - Tunnel Mode (entire packet encrypted)

Risk treatment actions

- avoid (eliminate activities causing risk) - mitigate (reduce likelihood of negative risk) - share (insurance or outsourcing an activity) - retain (take no action, with management approval, may leave residual risk)

BOOTP/DHCP

- bootstrap protocol / dynamic host configuration protocol - Automatically configures network interfaces and load operating systems via the network when they start up. - UDP Ports 67 and 68 - consider disabling on public facing routers

Examples of c2 frameworks and implants

- empire - cobalt strike - covenant - sliver, by BishopFox

Types of Penetration Testing (7)

- external (test from outside the network, relies on OSINT and scanning) - internal (test from within the network to see what an attacker could do once inside) - web application (tests applications and databases that are exposed to the internet) - social engineering (tests the people that have access to the network) - mobile device testing - product security testing (IoT, voip, network devices, printers, etc...involves reverse engineering, fuzzing, and debugging - physical penetration testing (badge readers, elevators, security gates, biometric devices, etc)

Hypervisor risks

- hypervisor could have vulnerabilities - a DoS against a hypervisor would affect all virtual machines - Remote code execution would occur under the privilege of the hypervisor, often high privilege.

Types of cloud deployments (3)

- public - operated by 3rd party - private- built or operated by a single company or organization - hybrid- combo of public and private

Physical Segmentation and physical Inspection (virtualization risks)

- some systems need physical segmentation because the software implementation of segmentation is insufficient - when using VMs, one may not be able to see communications occurring between VMs, one loses the ability to physically inspect communications

OS Command Injection defenses

- strip OS commands and characters from input - avoid making system calls from within the app * especially based on user input - define valid characters for input

Goals of rootkits

- subvert userland and kernel security controls to avoid detection - provide on going access - use default system resources

Commonalities among successful attacks

- system visible from internet - unchecked scanning and enumeration - unpatched vulnerabilities - weak authentication

Virtualization security benefits

- the vm is isolated from the actual hardware - vm is nothing more than a collection of files interacting through a hyper visor - recovery of a VMware is as simple as copying vm files again - helps with analyzing malware and forensic analysis

Buffer overflow attack defenses

- validate and sanitize user input - run a vulnerability scanner against your application - use endpoint protection suites offering exploit mitigation - update and patch everything your software touches

SQL injection attack defenses

- validate user input - length limit on input - add an application layer between web servers and databases - use stored procedures instead of SQL queries - web account should not have rights to add/drop/modify - do not display SQL errors to web users - monitor SQL error messages

UDP Header

-8 bytes (64 bits) long, divided into four sections/fields: 1) source port 2) destination port 3) message length 4) checksum

Types of Firewalls

-Packet filtering firewall -Stateful firewall -Application gateway firewall (proxy firewall) -Network address translation (NAT) firewall

3 rules of tiered network architecture

1. Any system visible from the internet must reside in the DMZ and may not contain sensitive data. 2. Sensitive data must reside on the internal, private network and not be accessible from the public, internet 3. DMZ systems can only communicate with private systems through middleware proxies.

TCP/IP Model Layers

1. Application 2. Transport (tcp) 3. Internet (ip) 4. Network

CIS guiding principles (4)

1. Automate defenses and measure periodically or continuously using automated measurement techniques 2. Undertake a variety of specific technical activities to produce a more consistent defense against current attack. 3. Fix root cause problems to prevent or detect attacks 4. Establish guidelines for a common ground for measuring effectiveness of security implementation and a common language to communicate about risk

Password Cracking - 4 general methods

1. Brute force attack 2. Dictionary attacks 3. Hybrid attacks 4. Pre-computation attack

Access control techniques (4)

1. Discretionary Access Control, DAC 2. Mandatory Access Control, MAC 3. Role based Access Control, RBAC 4. Lattice based Access Control, LBAC

Vulnerability assessment framework (VAF)

1. Engagement planning 2. Threat modeling 3. Discovery 4. Scanning 5. Validation 6. Remediation 7. Reporting

dictionary attack (password) - 3 characteristics

1. Enumerates all entries from a dictionary or word list 2. Fastest attack 3. Only effective against weak passwords

brute force attack (password)- 3 characteristics

1. Enumerates all possible combinations 2. Slowest attack 3. 100% success, given enough time

Hybrid attack (password) - 2 characteristics

1. Extends dictionaries attack with numerals and symbols 2. Combines effectivity of brute force with speed of dictionary attack

CIS Controls - Basic (6)

1. Inventory and Control of Hardware Assets 2. Inventory and Control of Software Assets 3. Continuous Vulnerability Management 4 Controlled Use of Administrative Privileges 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops. Workstations and Servers 6. Maintenance, Monitoring, and Analysis of Audit Logs

Characteristics of KDF (4)

1. Irreversible hashing function 2. Input transformation, key stretching- so that keys can be in a specific format 3. Salt and pepper values, so that no two passwords can be the same before hashing 4. Difficulty factor - a value to intentionally make the hash more difficult to break, a value of 10,000 means to repeat the has 10000 times before getting to the final hashed value

4 steps for hardening routers and switches

1. Keep OS updated 2. Disable unnecessary services 3. Disable source routing support (so the source cannot dictate the route) 4. Use secure channels for remote administration (such as ssh with two-factor authentication, not telnet)

What determines the strength of a password hash (4)

1. Key derivation function (KDF) quality 2. Password and derived key length 3. Character set support 4. Difficulty factor (CPU & GPU cycles needed to compute the password hash)

Controlling access (4 steps)

1. Least privilege 2. Need to know 3. Separation of duties 4. Rotation of duties

Pentesting process

1. OSINT 2. Scanning and enumeration 3. Vulnerability identification 4. Exploitation 5. Post exploitation

Password Cracking - general approach (5 steps)

1. Obtain list of hashed passwords 2. Determine the used KDF 3. Create list of possible password guesses 4. Calculate hashes for each guess 5. Try to match the hashes.

5 critical tenets of effective cyber defense according to CIS controls

1. Offense informs defense 2. Prioritization 3. Measurements and metrics 4. Continuous diagnostics 5. Automation

Incident Handling Process

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned

PAM tools can do these 7 things

1. Provide transparency to the user 2. Policy enforcement point 3. Generates strong shared secrets 4. Securely store credentials 5. Rotate credentials 6. Monitor and log privileged access 7. Generate reports

Policy contents

1. Purpose 2. Related documents 3. Cancellation (which policy is in effect in case of policies superseding another) 4. Background 5. Scope 6. Policy statement 7. Responsibilities 8. Action

PKI certificate lifecycle

1. Registration 2. Creation 3. Distribution 4. Revocation 5. Expiration

Three purposes for communication protocols

1. Standardize the format of a communication 2. Specify the order or time of communication 3. To allow all parties to determine the meaning of the communication

Pre-computation attack (password) - 3 characteristics

1. Trades processing cycles for memory 2. Hashes for attack are pre-computed and stored in rainbow tables 3. Significantly increases cracking speed

3 security features to apply on networks

1. VLAN 2. NAC 3. 802.1X

IP (Internet Protocol) basics

1. Works on Internet layer of TCP/IP model, layer 3 of OSI model 2. The core routing protocol of the internet , finds best path, 3. Deals with transmission of packets between endpoints , but does not guarantee successful transmission 4. Defines formation of IP addresses, based on network characteristics

Ephemeral ports

1024 and above (65535) Clients must use ports in this range

IPv6 Characteristics (list 4)

128 bit address space, 340 undecillion addresses Provides authentication of endpoints Support for encryption within protocol Quality of Service provided within protocol

NetBIOS Port

137-139, 1512, 42 NetBIOS Name service TCP/UDP 137 NetBIOS data gram service TCP/UDP 138 NetBIOS session service TCP/UDP 139 WINS TCP/UDP 1512 WINS replication TCP 42

Enable password aging in Linux/Unix

2 config files /etc/login.defs /etc/default/useradd

TCP Header Size

20 bytes

Common TCP Ports

20, ftp data 21, ftp 22, ssh 23, Telnet 25, SMTP 53, DNS 80, HTTP 443, HTTPS

IPv4 Characteristics (list 4)

32 bit address space, 4.2 billion addresses No authentication Encryption provided by applications Best effort transport

Common UDP ports

53, DNS 67, 68, BOOTP/DHCP 69, TFTP 123, NTP 161, 162, SNMP 2049, NFS

Server Core

A Windows Server installation option that doesn't have a traditional GUI.

ATM Malware , ATM jackpotting

95% of ATMs run on Microsoft XP attackers gain physical access to atm, connect a peripheral to download malware Use mules with 'tokens' to dispense money, some use cell phones to dispense it

systemd

A Daemon that manages all other system daemons. It's the first daemon to start (replaced init) during the boot process and is the last daemon to stop during shutdown. Allows processes, daemons, and services to start parallel to each other and creating a faster boot process

chroot

A Linux command used to change the root directory. It is often used for sandboxing.

auditd

A Linux subsystem for access monitoring and accounting

Snort

A NIDS application based on rules for detecting anomalies and intrusions

Point-to-Point Tunneling Protocol (PPTP)

A VPN tunneling protocol with encryption. PPTP connects two nodes in a VPN by using one TCP port for negotiation and authentication and one IP protocol for data transfer. TCP 1723

Advanced Encryption Standard (AES)

A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size. Practically uncrackable. Replaces DES. The only attack method is brute forcing the keys.

TPM (Trusted Platform Module)

A chip on the motherboard used with software applications for security. It can be used with Windows BitLocker Drive Encryption to provide full-disk encryption and to monitor for system tampering.

Microsoft Intune

A cloud-based management solution that allows you to manage your computers when they are not inside your corporate network.

Persistent cookies

A cookie that is recorded on the hard drive of the computer and does not expire when the browser closes. Survives reboots. Most cookies are persistent.

Meterpreter

A custom metasploit shell - Metasploit's most popular payload which enables a user to upload and download files from the system, take screenshots and collect password hashes.

Zero-Trust

A different approach to defense-in-depth in which Every request, regardless if internal or external, must be authenticated and authorized. This approach is based on two key factors, authentication and encryption. Logging inspection is essential.

AppLocker

A feature that allows you to specify which groups or users can run, or not run, a particular application in your organization

Credential guard

A feature that stores credentials, such as NTLM hashes and Kerberos tickets, and provides them to the necessary applications. To keep them secure, the credentials are stored in a secured isolated container, which uses Hyper‐V and virtualization‐based security (VBS). Protects credentials from kernel-level malware and mimikatz.

stateless packet filtering

A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base. Does not retain memory of packets that have passed through the firewall which makes it vulnerable to IP spoofing attacks. Minimal security, easily bypassed, Fast Relies on TCP flags

proxy firewall or application gateway

A firewall that stands between a connection from the outside and the inside and makes the connection on behalf of the endpoints. With a proxy firewall, there is no direct connection. - slower

IPv6 Header

A fixed size of 40 Bytes.

hidden share

A folder whose folder name ends with a $ symbol. When you share the folder, it does not appear in the Network window or My Network Places window.

WINREG

A key in the registry that control share permissions for the registry

CRL (Certificate Revocation List)

A list of certificates that are no longer valid. A client must download entire CRL after each update CRL downloads can be network intensive , so a cached CRL may exist Cached CRLs may create a time gap where a client may unknowingly rely upon a revoked cert.

Password dumps

A list of hashed passwords that attackers reference

Group Policy Object (GPO)

A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory.

Computational complexity

A measure of how economical an algorithm is with time and space.

Middleware (network section, tier)

A network segmentation to separate the DMZ from the private, internal network. An example may include a proxy, which inspects traffic coming in from the DMZ intended for a database on the private network. The middleware inspects traffic for threats. Traffic from the private network intended for the DMZ is also inspected in the proxy (reverse proxy).

Nmap

A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.

Advanced Package Tools (APT)

A package management tool that's most often used atop Debian packages, although a version for RPM also exists. APT enables package installation and updates from Internet repositories, including automatic dependency resolution.

Metasploit

A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.

Responder

A popular tool among pentesters is used to capture credentials. It's a poisoning tool that responds to Link-Local Multicast Name Resolution (LLMNR), multicast DNS (mDNS), and NetBIOS Name Service (NBT-NS), requests from systems where DNS is unavailable or fails to resolve a name.

802.1x

A port-authentication network access control (NAC) mechanism for networks. X is extensible, meaning that one can apply various forms of authentication to decide whether to grant access to a network.

Tractable problem

A problem that can be solved in polynomial time. (Quickly)

Authentication

A process in which a subject proves they possess one or more valid authenticators associated with an identity , includes three steps 1. Claimant presents authenticator to verifier 2. Verifier checks validity of authenticators 3. Verifier asserts the identity of the claimant

X.25 packet assembler / disassembler (PAD)

A service for older x.25 protocol communications -consider disabling on public facing routers

Digital Identity

A set of data that uniquely describes a person or a thing.

What is a protocol stack

A set of network protocol layers that work together to implement communications.

What is a network protocol

A set of rules dictating how computer networks communicate through network hardware and software. The protocols define the format and order of messages and actions to be taken.

Web Application Firewall

A special type of application-aware firewall that looks at the applications using HTTP.

Nftables

A subsystem of Linux kernel. Built on iptables. Another firewall option

Vulnerability assessment

A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is a potential harm. - like pentesting without actually breaking in

ASLR (Address Space Layout Randomization)

A technique for sysctl hardening, it randomizes address space for processes so that hackers will not know where to go in memory to exploit a vulnerability

site-to-site VPN

A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.

client-to-site VPN

A type of VPN in which clients, servers, and other hosts establish tunnels with a private network using a VPN gateway at the edge of the private network. Each remote client on a client-to-site VPN must run VPN software to connect to the VPN gateway, and a tunnel is created between them to encrypt and encapsulate data. This is the type of VPN typically associated with remote access.

SSL VPN

A type of VPN that uses SSL encryption. Clients connect to the VPN server using a standard Web browser, with the traffic secured using SSL. The two most common types of SSL VPNs are SSL portal VPNs and SSL tunnel VPNs.

Mandatory Access Control (MAC)

A type of control that applies to all resources via system enforced credentials that are non transferable. MAC requires that all users have clearance and all data have classification levels.

NFC

A wireless technology (near field communication) that lets your mobile device communicate over very short distances (1-2 inch), such as when paying for goods on wireless payment devices, or Bluetooth

Authenticator Assurance Levels (3)

AA1- Single factor at least AA2- Any 2 factors plus strong crypto AA3- Selected 2 factors plus strong crypto

Domain GPOs are stored in...

AD

Active Directory (AD)

AD is like a registry for the entire network. It is a Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.

ACE

Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS.

ACL

Access control list. Routers and packet-filtering firewalls perform basic filtering using an ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols.

ARP

Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates. VLAN segregation helps prevent the scope of ARP poisoning attacks within a network.

Internet Layer (TCP/IP Model)

Adds another header and includes IP information on how to route the packet to the destination

Network Layer (TCP/IP Model)

Adds another header, includes information for routers to get to the destination, puts the packet onto the wire for transmission

Error correction code (ECC) memory

Adds extra bits to each data unit to detect if data has been corrupted

AES

Advanced Encryption Standard

iptables

Allow a system administrator to alter the Linux kernel firewall. They can create rules determining whether a packet is dropped or accepted. Filters incoming, outgoing, and forwarding traffic.

Quality update

Also called patches or hot fixes. Smaller updates that occur monthly to fix security vulnerabilities and other things that the user may not notice.

Protected Enclaves

An approach to defence-in-depth that involves segmenting your network using multiple VPNs, VLAN segmentation, switches, or firewalls to separate out networks. Reducing the exposure of a system can greatly reduce risk. Restricting access to critical segments.

Authentication Header (AH)

An IPSec component that provides connectionless integrity and the authentication of data. It also provides protection versus replay attacks.

Encapsulating Security Payload (ESP)

An IPSec component that provides the same services as AH but also provides confidentiality when sending data.

.msi file

An app packaged for installation by the Windows Installer service.

Uniform Protection

An approach to defence-in-depth that treats all systems as equally important. Most common approach taken. But could also be the weakest , malicious insiders are the big threat. Firewall, VPN, antivirus, patching etc.

Information-centric

An approach to defence-in-depth that you identify critical assets and provide layered protection. Network -> Host -> Application -> Information. Thoroughly checking the data leaving your network.

Vector-Oriented

An approach to defense-in-depth in which the focus is on preventing a threat from using a vector, such as malicious usb drives (disable usb), email attachments (block or scan attachments), spoofed email (verify addresses)

Downgrade Attack

An attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode.

SQL injection attack

An attacker issues a SQL command to a web server as part of the URL or as input to a form on a company's website; web server might pass the command onto the database which then allows potentially anything to be done to the database

Block Cipher

An encryption algorithm in which data is encrypted in "chunks" of a certain length at a time. Popular in wired networks.

Symmetric Encryption

An encryption method in which the same key is used to encrypt and decrypt a message. Also known as private-key encryption or secret key.

UEFI (Unified Extensible Firmware Interface)

An interface between firmware on the motherboard and the operating system that improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads. UEFI also manages motherboard settings and secures the boot to ensure that no rogue operating system hijacks the system.

Wi-Fi Alliance

An international, nonprofit organization dedicated to ensuring the interoperability of 802.11-capable devices.

Data Encryption Standard (DES)

An older type of block cipher selected by the United States federal government back in the 1970s as its encryption standard; due to its weak key, it is now considered deprecated. 56 bit key size 64 bit block cipher 4 Modes 1. Electronic code book (ECB) 2. Cypher block chaining (CBC) 3. Output feedback (OFB) 4. Cipher feedback (CFB)

rogue access point

An unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks.

Data Loss Prevention Strategies

Backups & redundancy Access control (users cannot delete what they don't have access to)

Serverless and application security

Application security is more important with serverless, since there's less infrastructure to attack the focus shifts to the application functions Every function crosses a trust boundary, so functions need to be secured independently

ASICs

Application-specific integrated circuits: Used in layer 2 switches to make filtering decisions. The ASIC looks in the filter table of MAC addresses and determines which port the destination hardware address of a received hardware address is destined for. The frame will be allowed to traverse only that one segment. If the hardware address is unknown, the frame is forwarded out all ports.

Layer 7 (OSI Protocol Stack)

Application... This layer interacts with the application to determine which network services are required.

Input Attacks (4 examples)

Applications accept input from users at an entry point , or 'trust boundary' - OS command injection - buffer overflows - SQL injection - cross-site scripting

Linux services

Applications running in the backgrounds waiting to be used or carry out an essential task. Also called daemons, the files end in letter 'd' (sshd)

Symmetric vs. Asymmetric cryptosystem key length

Asymmetric more resource intensive and less secure at the same key length Thus asymmetric keys are typically longer Symmetric keys usually range from 40-256 bits Asymmetric keys typically over 1000 bits

Eliptic Curve Cryptography (ECC)

Asymmetric. Usage in wireless and mobile communications, where high speed, low power consumption, high security, and small keys needed. Cracking ECC means compromising poor implementations. So far the algorithm itself has not been compromised

Serverless security concerns (3)

Attack surface is 'bigger' , anyone can deploy a function making it difficult to track who is doing what Tracking who is authorized to deploy functions is difficult Compliance - how is sensitive data stored, is implementation compliant.

Side Channel Attack or timing attack

Attack that uses information (timing, power consumption) that has been gathered to uncover sensitive data or processing functions, with the goal of discovering the encryption key

Data Normalization

Attackers try to denormalize traffic to evade detection IDS normalizes for understood protocols

Password spraying

Attempting a couple common passwords on many accounts

Physical design (network architecture)

Builds upon the logical design by providing detailed aspects of the network components Details might include: versions, patch levels, hardening configurations, risk categorization, etc. Physical design also considers physical risks such as network cable location, risk of communication interception, etc. Physical security can betray logical security controls Details include OS version, patches, hardening configurations, risks, physical security

Windows Defender firewall

Built in firewall, Stateful dynamic filtering Per application and per service rules Ingress and egress filtering

Windows filesystems

CDFS (for CD-ROMs) FAT32 FAT exFAT ReFS NTFS

Attacks against switches (5 examples)

CDP Information Disclosure MAC Flooding DHCP Manipulation STP Manipulation VLAN Hopping

file integrity checking

Calculates hashes on system files as a baseline (Periodically recalculates the hashes on the files and compares them with the hashes in the baseline)

advantages of HIDS

Can see what NIDS can't, such as - pre/post encryption data - more insight into internal network, not just perimeter - identifies attacks on systems - more details about host can reduce false positives Last line of defense, all other security devices have failed to detect activities

CIS

Center for Internet Security

chgrp (Linux)

Change group ownership

chown command (Linux)

Changes file ownership and group ownership

CDP Information Disclosure

Cisco Discovery Protocol is used for switches to communicate about other devices are discoverable on the network. Exploiting this protocol would give information about types and versions of switches, OS, usernames and administrative accounts on the switches, etc.

Asset Classification

Classification levels with its own properties and security measures (unclassified, confidential, secret,etc)

CIDR

Classless inter-domain routing IP address blocks defined within a cloud

Storing passwords

Clear text password -> Key derivation function-> hashed password Compare hashed password with the stored hashed password to authenticate

Cloud-native security services

Cloud providers such as AWS, Azure, GCP can provide... Cloud management plane logging Log monitoring & dashboard Threat detection Traffic mirroring Etc...

CSA

Cloud security alliance An organization dedicated to providing best practices for the cloud

Computer management tool (windows)

CompMgmt.msc , for managing local accounts

CI/CD

Continuous integration/ continuous delivery Software changes to running applications delivered using automation, including the delivery of IaC.

CIA

Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

UDP (User Datagram Protocol)

Connectionless Protocol that operates instead of TCP in applications where delivery speed is important and quality can be sacrificed.

Router

Connects networks together and determines the path a packet will take over the network

Cryptosystem

Consists of the algorithm (cipher) and cryptovariable (key), as well as all the possible plaintexts and ciphertexts produced by the cipher and key.

Linux lxc

Creates containers in linux

VM Sprawl

Creating virtual machines and not shutting them off or deleting them after they are no longer needed. Adversaries could break into these VMs looking for sensitive data.

Cryptography vs Steganography

Crypto provides confidentiality but not secrecy - easy to detect a sent message, not easy to read it Stego hides the fact that a message was sent

DMZ (network section, tier)

Demilitarized zone - a network tier intended to be public facing, systems include web servers, email servers, DNS, etc. This tier is at greater risk of compromise because it faces the public internet at all times. Assume it will be compromised.

Traditional UDP uses

DNS requests and responses VOIP

DLP

Data Loss Prevention

Attacks Against Routers (5 examples)

Denial of Service Distributed Denial of Service Packet Sniffing Packet Misrouting Routing Table Poisoning

Layer 2 (OSI Protocol Stack)

Data link....connects the physical part of the network (cables and electrical signals) with the abstract parts (packets and data streams)

Kerboros

Default authentication protocol for AD Kerberos tickets convey user SID and group SID to target server Tickets are encrypted using user's password and keys shared only among DCs

NIPS characteristics

Deployed inline at network aggregation points Uses ASICs Uses data normalization and reassembly techniques Hierarchical rules and classification schemes identify traffic Does not risk identifying false positives, thus does not identify as many attacks as NIDS

DFIR

Digital Forensics and Investigation Response

Sysctrl hardening

Disable source routing Modify ipv4 ipv6 settings Logging attacks ASLR Exec shield Disable dynamic loading after boot

Bluetooth Protections

Disable unnecessary Bluetooth profiles Do not have it always on Install patches Upgrade when available

DACL

Discretionary Access Control List. List of Access Control Entries (ACEs) in Microsoft's NTFS. Each ACE includes a security identifier (SID) and a permission.

LINUX df

Disk free, shows currently mounted disk partitions and size

DHCP Manipulation

Dynamic Host Configuration Protocol is used to communicate the network configuration to other devices on the network. An attacker could monitor this protocol and respond to DHCP requests sooner than the intended recipient, placing the attacker's device in the middle of legitimate network traffic - a type of Machine in the Middle position.

Enforce stronger passwords and locking accounts after too many login attempts in linux

Edit the Pam files, /etc/Pam.d/system-auth

Security implications of VPNs

Encrypted tunnels may bypass security devices Encryption prevents you from reading your own network traffic

2DES

Encrypting using DES 2 times. Vulnerable to meet in the middle attack Does not significantly improve encryption

HTTPS (SSL/TLS)

Encryption for the transport layer Confidentiality with symmetric encryption Session key establishment Integrity via hashing Authentication

Asymmetric Key Cryptography

Encryption that uses two separate keys—a key pair—for secure communication. Data encrypted with one key requires the other key in the key pair for decryption.

DFIR sub disciplines

Endpoint - specialist in endpoint computer system artifacts Endpoint memory Network Threat intelligence Reverse engineer

feature update

Enhancements to the software to provide new or expanded functionality, but do not address security vulnerability. For Microsoft, this happens twice a year, these are big updates, previously called service packs

Static properties malware analysis

Examines the properties of malware without executing the code - looks for ascii strings, Unicode, encryption. Can run a hash to compare with other malware samples

Serverless computing

FaaS functions as a service -no dedicated containers - event triggered computing requests -ephemeral environment -servers managed by 3rd party

HIPS challenges

False positives still a challenge Implementation and maintenance challenges Supports limited suite of applications (little support for custom apps) Not a replacement for patching or antivirus defense Uses more system resources for in depth anomaly analysis

symmetric key cryptosystem characteristics

Fast Requires secure key distribution channel No technical non-repudiation

Foundation of defense in depth

Filtering, Network based filtering - firewalls, anti-Ddos, proxy servers, mail relays Host based filtering anti malware software, application controls

MAC Flooding

Flooding the network with fake Media Access Control (MAC) addresses may degrade the switch and force it into downgrading into a hub, giving the attackers access to the overall network.

Cryptanalytic Attacks

Focus on the mathematics of crypto algorithms, separated into the following types of attacks... - analytic — uses algorithms and math to determine key or reduce key space to search - statistical — uses stats to find weaknesses against keys - differential—analyzes differences in plaintexts using a key, best suited for symmetric block and stream ciphers - linear — focus on pairs of plaintext and ciphertext, as well as weaknesses in keys. Suited for symmetric block and stream cipher Differential linear — combo

Data classification labels (DLP policy)

For a DLP tool to work, each piece of data must have a classification. The owner of the data should assign the classification. A DLP tool could make a suggestion depending on the contents.

Switched Port Analyzer (SPAN)

For sniffing on a switch — The Cisco switch feature that allows the network engineer to configure the switch to monitor a subset of frames that the switch forwards, to copy those frames, and to send the copies out a specified destination port.

Malware analysis levels

From a high level, two stages - behavioral and code. These can be broken down further as - fully automated analysis - static properties analysis - interactive behavior analysis - manual code reversing

backup methods

Full System Imaging - everything; Differential backup - backs up files that have been modified since the last full backup; Incremental backup - backs up all files that have changed since last full or incremental; Continuous backup- backup occurs after each change

5G

Future of mobile communications Low latency, high bandwidth, multi-client support Self driving cars, IoT, home internet

GPG

GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.

GPMC

Group Policy Management console, server tool for managing GPOs.

Session Tracking

Helps to maintain state, since HTTP is stateless. To track sessions you need a token, numeric ID,session ID or other info to be passed between client and server.

Web application authentication (2 types)

HTTP authentication- credentials sent in http header - basic mode, credentials sent in base64 encoded clear text - digest mode, sends MD5 hash of password Form based authentication, credentials entered and sent as HTML form data

Logical Topology

How communication is logically formed prior to transmission

HIPS

Host Based Intrusion Prevention System

IPv4 key fields (6 of 13 fields)

IP version, 4 bits Protocol, 8 bits Time to live TTL, 8 bits Fragmentation, 16 bits (13 bits fragment offset, 3 bits for flags, used to break up packets into smaller packets) Source address, 32 bits Destination address, 32 bits Options- minimum length of header is 20 bytes, each option increases the header by 4 bytes, options are rarely used in legitimate traffic today

ISO OSI Protocol Stack

ISO = international Standardization Organization OSI = open Systems Interconnection 7. Application 6. Presentation 5. Session 4. Transport 3. Network 2. Data Link 1. Physical

IAM

Identity and access management

IAL

Identity assurance level .... level of confidence regarding an identity Outlined in NIST 800-63

Process of enrollment

Identity proofing Identity assurance level Issuance of credentials

policy enforcement

If policy not enforced, then it's a guideline. compels others to comply with the laws, rules, regulations, ordinances, and policies created in conjunction with policy development.

Azure IAM

If/then rules allow the administrators to manage the system

CFA (controlled folder access)

In windows 10, it blocks apps from making changes to specified folders

Conceptual Design (network architecture)

Includes the core components of a network architecture Will consider OS platforms, server services, critical core operational functions, etc. Helps to understand the overall purpose the network ('WHY' we have it and the "WHAT' it helps us to achieve) May utilize the concept of "closed-box" diagramming

Log Monitoring

Inclusive analysis - log monitor raises alert if key words are found in logs, such as login failed or unauthorized access Exclusive analysis - list events that can be ignored, alert events not on list

Encrypting DES multiple times will...

Increase security. Because DES is not a group. If an algorithmic is a group, then encrypting multiple times will not improve security

Basics of Secure Coding

Initialize all variables before use Validate all user input before use Don't make your application require admin permissions on the server or database Handle errors and don't display errors to end users Employ least privilege/limit access Don't store secrets in your code Use tested, reliable libraries or modules for common functions (authentication, encryption, session tracking) Watch for vulnerability notifications in any utilized open-source libraries

OWASP Top Ten

Injection Security Misconfiguration Broken Authentication Cross-Site Scripting (XSS) Sensitive Data Exposure Insecure Deserialization Using Components w/ Known XML vulnerabilities External Entities (XXE) Broken Access Control Insufficient Logging and Monitoring

Log filtering (3 methods)

Input driven - log and keep everything Output driven- log only what you know you need Recommended- drop high volume logs you do not need

Application Security (4 practices)

Input validation (use allow lists and deny lists to prevent unwanted data processed by the function) Data sanitization (data sent to outside sources sanitized to prevent attack payload) Code review (developers should spend extra time debugging code) Dependency checking (check shared libraries for vulnerabilities)

Buffer overflow attack

Inputting so much data that the input buffer overflows. The overflow contains code that takes control of the computer.

stateful firewall

Inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic. The process of inspecting traffic to identify unique sessions is called stateful inspection.

Privileged Access

Is access to a computer system with elevated access rights, such as root or administrator, or access to service accounts

JEA

Just enough admin, a setting in power shell to allow some admin tasks

KDF

Key derivation function

Rainbow Tables

Large pregenerated data sets of encrypted passwords used in password attacks.

MAC address (Media Access Control)

Layer 2 - A unique identifier assigned to network interfaces for communications on the physical network segment.

L2TP

Layer 2 Transport Protocol UDP 1701, you should never see unencrypted traffic on 1701

Strong password policy (4 do's)

Length greater than 8 Check for recognizable words or number sequences Block after x failed attempts Force change in case of suspected breach

Core components of endpoint security

Limit attack surface - patch, update services, turn off services, control access Effective security - asset inventory, configuration management, change control

Sysctl

Linux command used to modify kernel parameters at runtime

/etc/shadow

Linux file that contains the encrypted password as well as password and account expiry parameters for each user account.

AppArmor

Linux kernel module to restrict app capabilities

PAM (Pluggable Authentication Modules)

Linux system libraries (etc/Pam.d) used for authentication-related services, Authentication Passwords Sessions Accounts

LUKS

Linux unified key setup, the standard for Linux hard disk encryption

Global versus local

Local users and groups are accounts in the database of non-domain controllers . Domain users, computers, and groups have AD accounts

DLP policies

Locations - Tell DLP tools where to look for files Conditions - tell the DLP tool what to look for Actions - tell the DLP tool what to do

Syslog

Main logging system in Linux, syslogd is the daemon. Almost everything can make log entries

bridge

Maintains track of network addresses, segments traffic, breaks up collision domains, connects segments of internal networks

Protection from session attacks

Make session IDs random Store and pass session IDs between browser and server, store other session information in a database, keyed by session ID Encrypt session cookies Provide new session ID upon authentication Session IDs should timeout

GCP IAM

Managed by group permission roles, members

AWS IAM

Manages authorizations by policies, granular permissions. Can link accounts with other platforms- google or Microsoft

HIDS challenges

Managing updates Each sensor has tunnel vision A central consol needed to identify trends and wide scale events Can be more costly than NIDS Uses resources on host, can impact performance

Lattice based access control ( LBAC)

Mandatory access control that defines restrictions on the interactions between subjects and objects. A subject can access an object if the subject's security level is equal to or higher than the object.

MMC (Microsoft Management Console)

Means of managing a system, introduced by Microsoft with Windows 2000. The MMC enables an administrator to customize management tools by picking and choosing from a list of snap-ins. Available snap-ins include Device Manager, Users and Groups, and Computer Management.

MAN

Metropolitan Area Network

switch

Micro-segmentation with each port receiving traffic for the appropriate host using the MAC address

Servicing channels

Microsoft options for delaying the installing of new updates -semi annual (quality updates-30 day delay or 35 for home users, 18 months for feature updates) - windows insider (access to feature updates still in development) - long term channel (never get feature updates, only monthly quality updates available)

GPO Administrative templates

More like a custom registry view, a user friendly way to manage settings in registry. Files and in ADM, ADMX, ADML

Ethernet

Most common communication mechanism on networks worldwide Uses CSMA/CD (Carrier Sense with Multiple Access / Collision Detection) that is, it listens to ensure only one station communicates at a time and monitors the transitions to detect collisions.

Encapsulation (protocol stack)

Moving down the protocol stack with each layer doing work and adding headers.

Decapsulation (protocol stack)

Moving up the protocol stack with each layer doing work and removing headers.

NIPS

Network Based Intrusion Prevention System

Two types of IDS

Network IDS Host IDS

NIC

Network Interface Card

NAC

Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC. NACs help keep potentially malicious devices from connecting to the network

OSI Model Vs. TCP/IP Model

OSI is most commonly referenced and detailed in practical application TCP/IP is most commonly used in real application Both models must do the same work , TCP/IP does more work within each layer

NIDS

Network-based intrusion detection system. IDS used to monitor a network. It can detect network-based attacks, such as smurf attacks. A NIDS cannot monitor encrypted traffic, and cannot monitor traffic on individual hosts.

Layer 3 (OSI Protocol Stack)

Network....handles the network addressing scheme and connectivity of multiple network segments. It describes how systems on different network segments find and communicate with each other

Software Defined Networking (SDN)

Networking from a virtualized concept Can visualize the network as a whole and segment accordingly Can be achieved programmatically

NTFS

New Technology File System. A file system used in Microsoft operating systems that provides security, permissions, encryption, compression,journaling, transactions oriented processing, theoretical volume size is 8PB (8,000 terabytes).

NTLM

New Technology LANMAN. Predecessor to Kerberos. Authentication protocol intended to improve LANMAN. The LANMAN protocol stores passwords using a hash of the password by first dividing the password into two seven-character blocks, and then converting all lowercase letters to uppercase. This makes LANMAN easy to crack. NTLM stores passwords in LANMAN format for backward compatibility, unless the passwords are greater than fifteen characters. NTLMv1 is older and has known vulnerabilities. NTLMv2 is newer and secure.

OS identification (nmap)

Nmap can send a number of packets to remote hosts and listens to the responses. OS's respond in slightly different ways, creating a signature, thus giving away the type of OS you are interacting with

Steganography Detection

No universal method Histograms may detect encrypted files Stego inside images may be detected by analyzing the least significant bits.

AADDS (Azure Active Directory Domain Service)

Not the same as MAAD. AADDS provides traditional domain controller services with kerboros, NTLM, group policy,LDAP, things that MAAD does not provide.

Threat Agents

Opportunistic Organized cyber crime Advanced Persistent Threats (nation states)

NIST 800-1450 and ISO/IEC 177882 define Essential characteristics of cloud computing as

On demand self service Broad network access Resource pooling Rapid elasticity Measured service Mutitenancy

Where to deploy NIPS

On perimeter in front and/or behind a firewall. Deploying between firewall and ISP routers protects firewalls and DMZ Deployment behind the firewall protects internal network from remote access VPN and helps detect infected internal hosts

Meet-in-the-middle attack

One cryptanalysis method that is used to defeat a multi-step encryption process uses both the original clear text to work forward toward an intermediate value, and the ending cipher text to work backward toward an intermediate value so that the key space that is to be defeated is smaller and more computationally manageable

AD Forest

One or more domains Inter-domain replication 2-way transitive trusts Global catalog, global catalog servers Trusts permit resource sharing and SSO across domains

OCSP

Online Certificate Status Protocol. A replacement to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

application control

Only approved apps can run Apps and files are hashed Apps only run if passes hash check

OWASP

Open Web Application Security Project - Improved security of web apps and services. They have a popular "Top Ten" list of web flaws and how to fix them. Injection flaws are the #1 web-app problem. Community driven. Software based. Discuss WebGoat!

identity management

Organizational process for identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems, or networks by associating user rights and restrictions with established identities

Program policy

Overall tone of organization's security approach

Global admin role

The all powerful role in azure over all azure assets.

PBKDF2

Password-Based Key Derivation Function 2. A key stretching technique that adds additional bits to a password as a salt. This method helps prevent brute force and rainbow table attacks. Bcrypt is a similar key stretching technique.

Five layers of defense in depth

Perimeter Network Host Application Data

PAN

Personal Area Network , such as Bluetooth and zigbee

IAL 3

Physical presence required for identity proofing

Layer 1 (OSI Protocol Stack)

Physical....handles transmission across physical media, includes electrical pulses on wires, radio waves, light pulses, connection specifications between the interface hardware and the network cable, and voltage regulation

MAAD (Microsoft Azure Active Directory)

Planetary scale user and device account database for authentication and access control to office 365, outlook, one drive, Xbox, etc. Microsoft wants every user and every device to be managed through MAAD

RPC (Remote Procedure Call)

Port 135 TCP Used extensively on windows networks (trust relationships, NetLogon secure, Outlook, etc) Typically begins with a client connection to server port 135, server then redirects to a high numbered ephemeral port RPC can go over HTTP (ports 80/443/593) and over SMB (139/445)

PSK

Pre-Shared Key

Layer 6 (OSI Protocol Stack)

Presentation...This layer makes sure that data sent from one end of the connection is received in a format that is useful to the other side. Example, if the sending end compressed data, then then the receiving end would decompress it.

System specific policy

Presents the management's decisions that are specific to the actual computers, networks, and applications

PAM

Privileged Access management

Risk level

Probability x impact x asset value

Accountability

Process of identifying who did what on the system and when

Policy types

Program , issue-specific, system-specific.

regedit.exe

Program used to edit the Windows Registry.

SUID/SGID programs

Programs in Linux that set UIDs and GIDs. Default programs come with Linux. Watch out for new programs as malicious SUID / SGID programs help attackers take over the system. To find files with SUID or SGID permissions, run- SUID - #find / -perm +4000 GUID - #find / -perm +2000

Rootkits

Programs that allow hackers to gain access to your computer and take almost complete control of it without your knowledge. These programs are designed to subvert normal login procedures to a computer and to hide their operations from normal detection methods.

Network design objectives

Protect internal network from external attacks Provide defense in depth through a tiered architecture Control flow of information between systems

PMF

Protected Management Frame , a wireless access point uses these to manage client connections, switching channels, encryption. A PMF spoof could lead to a wireless DoS attack.

NetBIOS (Network Basic Input/Output System)

Protocol that operates at the Session layer of the OSI seven-layer model. This protocol creates and manages connections based on the names of the computers involved. Can be disabled now, it's there for backward compatibility

Identd

Provides for identification of tcp sessions - consider disabling on public facing routers

Network sections

Public Semi public (DMZ) Middleware Private

PKI

Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

RSA Encryption

RSA (Rivest-Shamir-Adleman) is the most common internet encryption and authentication system. Asymmetric. Widespread support n SSL/TSL. The system used an algorithm that involves multiplying two large prime numbers to generate a public key, used to encrypt data and decrypt an authentication, and a private key, used to decrypt the data and encrypt an authentication.

Wireless DoS Attacks

Radio frequency jamming SNR signal to noise ratio

RaaS

Ransom ware as a service. Cyber criminals can create customized versions of ransomware for customers

RWX-

Read Write Execute - no permission

Strategy for fixing an infected system

Rebuild from scratch, never trust a compromised system- start with a clean slate

3 types of pentesting teams

Red team - use the TTPs of adversaries to test systems Adversary emulation- a type of red team exercise, acting like real adversaries Purple team - red and blue work together to test and improved systems

RAID

Redundant Array of Independent Disks or Redundant Array of Inexpensive Disks - a system for replicating data on disks for redundancy

Remote Registry Service

Regsvc.exe, allows one to edit the registry remotely

WPA1

Released in 2003 Uses RC4 encryption (same as WEP) for backward compatibility Introduced TKIP (temporal Key integrity protocol) to generate "better" keys Introduced MIC (message integrity check) to prevent message forget and replay attacks WPA1 and TKIP found to have large vulnerabilities Deprecated in 2009, do not use!!

WPA2

Released with 802.11i in 2004 Needed additional hardware to use AES Vulnerabilities discovered in 2017 found in the 4-way handshake process led some devices to reuse keys or resort to a key of all 0s

mstsc.exe

Remote Desktop - Microsoft's built in thin client app

hub

Replicates traffic onto all ports, minimal security

ICMP (Internet Control Message Protocol)

Reports errors or troubleshooting (destination host unreachable, TTL exceeded in transit) Provides network information (ping - is host alive and what's the latency, traceroute) Resides on network layer with IP

Logical design (network architecture)

Represents the logical functions in the system Putting the conceptional design on paper Maps the components of the conceptual design via the use of a network diagram Next parts of the architecture understanding will leverage and build upon this design step Uses icons to depict workstations servers printers routers switches and other devices connected to the network

2 root kit detectors for linux

Rkhunter Chkrootkit

Interactive behavior analysis (malware)

Run the malware in a controlled environment. See how it behaves with the system

Bastille (Linux)

Runs scripts on Linux to harden the configurations to industry standards

How to write policies

SMART and 5 W's Specific, measurable, achievable, realistic, time based Who, what, when, where, why

HIDS characteristics

Same functionality as NIDS but runs on host Can be more granular than NIDS Uses signature and anomaly analysis Can alert locally but generally sent to central location for parsing and alerting Monitors network inbound and outbound activity from host - good for identifying pivoting, reconnaissance, lateral movement, and C2

Cron

Scheduling daemon

Basic steps for exfiltration

Search for interesting files Collect and prep the files Exfiltrate the files

Segmentation (network design)

Segmentation = separation Assets should not be able to communicate unabated Concept of principle of least privilege

IAL 1

Self-asserted identity, not verified or validated

SMB

Server Message Block - protocol used by Windows to share files and printers on a network.

Privileged ports

Servers use ports 1-1023

RFID

System of tags which contain data that can be read from a distance using radio waves., such as zigbee

Layer 5 (OSI Protocol Stack)

Session....handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and makes sure everything is in sync on both ends.

SGUID

Set group user Id, temporary grants user file group permissions

SUID linux

Set user ID, For security, prevent programs from running suid

Packet inspection - deep vs shallow

Shallow - fast but low fidelity, focuses on header information and limited payload data Deep - slow, requires stateful tracking, inspects all fields

Asymmetric key cryptosystem characteristics

Slow Public and private key pair Public keys widely distributed within digital certificates Used as a secure channel to exchange symmetric keys Technical non-repudiation via digital signatures

Cookies

Small text files that are sent to your computer from certain websites. They track your behaviour and transactions. Useful because HTTP is a stateless protocol and cookies help track state

Serverless security benefits (4)

Smaller attack surface No servers to patch No long-running servers that can be scanned or have malware installed Fewer compromised servers, easy to reinstall clean servers

SDN

Software defined networking Virtual network

Hypervisor

Software that runs on a physical computer and manages one or more virtual machine operating systems.

Authentication types (3)

Something you know (memorized password) Something you have (token) Something you are (fingerprint)

firewalld

Sometimes the default firewall for some Linux distributions

TCP Header

Source Port, Destination Port, Sequence Number, Acknowledgment Number, Header Number, Reserved, Code Bits, Window, Checksum, Urgent, Options, Data

STP Manipulation

Spanning Tree Protocol is used to ensure that switches do not get stuck in a switch loop. The protocol is similar to CDP and the attack is similar - the manipulation could lead a network reconfiguration to cause a DoS or a MiTM.

full disk encryption

System that encrypts all data saved to a hard disk automatically and transparently. Data is encrypted and decrypted in RAM, so attackers could see private data iN RAM.

HIPS Characteristics

Stops common attack techniques, even unknown ones Traps system calls marked as dangerous Combines file integrity monitoring, network monitoring, and application behavior monitoring Monitors and correlates activity, when it hits a threshold, it blocks the attack

Non-persistent cookies

Stored in memory. Only used during browser session. Deleted when session ends.

Two ways to represent permissions in linux

Symbolic (rwx-) Absolute (4,2,1,0) Read = 4 Write = 2 Execute = 1 No permissions = 0

3 types of cryptosystems

Symmetric Asymmetric Hash

RDP port

TCP/UDP 3389

SSL/TLS port

TCP 443

SMB Ports

TCP port 139 when using netbios TCP port 445 without netbios, sometimes called common internet file system (CIFS) protocol. All SMB/CIFS traffic should be blocked unless tunneled through IPSec or VPN File and printer sharing

LDAP (Lightweight Directory Access Protocol)

TCP port 389 - clear text TCP port 636 - SSL encrypted TCP port 3268 - for connecting to AD global catalog in clear text TCP port 3269 - for connecting to DCs in SSL encrypted LDAP is for searching and editing AD database

SSH hardening

TCP wrappers, only allow specific hosts Disable root login Set idle timeout interval Disable empty passwords Set custom ssh warning banner Block ssh brute force attacks

SQL Server port

TCP/UDP 1433 TCP/UDP 1434

TTP

Tactics Techniques Procedures

Transport layer (TCP/IP model)

Takes the packet from the application layer, adds a header and instructions for the transport layer on the receiving end on how to handle the data

Sniffers

Tcp dump, initial triage Wire shark, detailed packet and protocol analysis Snort, intrusion detection system Kismet, wireless network sniffer BetterCAP, uses MiTM to sniff

Creator Owner Group

The account that created or "owns" an object, usually a user account, or whoever owns it now.

NIC / MAC

The NIC address on Ethernet is the MAC address

Secedit.exe

The command line version of the SCA tool

Manual code reversing (malware)

The definitive way to see what the malware actually does. Requires special tools, disassembles and decompile systems. Requires a lot of time.

Configuration Management

The discipline of establishing a known baseline condition and then managing that condition

/etc/passwd

The file that contains user account information in Linux, username, userID, and password

802.11ax

The future of WLAN capability - proposed Supports aggregated bandwidth of 11 Gbps , 2 Gbps per device Frequency range below 6 GHz Support for IoT - always on always connected, always communicating Wi-Fi 6

WPA3

The future of wireless security, all devices that want Wi-Fi 6 certification must support WPA3. 192-128 bit key length Better implementation of pre-shared keys (PSK) Simultaneous authentication of equals (SAE) generates unique keys SAE dragonfly = new handshake Offline password guessing not easy Interaction with access point needed to attempt password guess Network detects password attack and takes action Opportunistic Wireless Encryption

Private (network section, tier)

The internal network of the organization, an area of higher trust and less risk, it is not connected directly to the public internet, security, such as firewalls are still present.

X.509 standard

The most widely accepted format for digital certificates as defined by the International Telecommunication Union (ITU). Defines what is found in a certificate... X.509 version Unique serial number Identity information = distinguished name (DN) Owners public key and algorithm used to make it Period that key is valid Issuing CA

Authorization

The process of determining what a subject is allowed to do or access after authentication

Identity proofing

The process of proving that an applicant is who they claim to be. Includes the following three steps... 1. Resolution (traveler giving passport to border agent, answering questions about identity and purpose of travel.) 2. Validation (border agent inspection of passport to ensure it's not counterfeit) 3. Verification (border agent compares passport picture and data with the traveler)

Adaptive authentication

The requester will need to provide one or more authenticators depending on context and sensitivity of the resource they are attempting to access

ISN (Initial Sequence Number)

The sequence number in the first SYN message in a three-way handshake. The ISN appears to be random, but in reality, it is calculated by a specific, clock-based algorithm, which varies by operating system.

Application layer (TCP/IP model)

This layer takes information from an application (like a web browser) , creates a packet with the information in it (like a request for a website) and passes the packet to the transport layer.

Risk =

Threats X Vulnerabilities

3 tiered Privileged Access Management

Tier 0 - Active directory, critical and secret servers (crown jewels) Tier 1 - exchange servers, intranet servers Tier 2 - user workstations, printers, mobile devices

Digital forensic artifacts

Time stamps File downloads File, folder opening Program execution Etc

Linux Package Management

Tools to manage and maintain application packages, which include all the binaries, dependencies and other things needed to run an application . Also has download validation

TCP

Transmission Control Protocol - Works on layer 4 OSI Establishes session prior to data exchange Session leads to connection oriented communication Provides "guaranteed" (more reliable) delivery by providing recipes of successful delivery Other protocols use tcp - http, ssh,

Layer 4 (OSI Protocol Stack)

Transport....prepares data for transmission, ensures reliable connectivity from end to end, handles the sequencing of packets.

3DES

Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It was originally designed as a replacement for DES. It uses multiple keys and multiple passes and is not as efficient as AES, but is still used in some applications, such as when hardware doesn't support AES. So far it is uncrackable.

3 file integrity checking tools for linux

Tripwire Samhain OSSEC

Strong password policy (4 don't)

Truncate passwords Password hints Force specific composition rules Force periodic password changes

cross-forest trust

Trust type that allows resources to be shared between Active Directory forests. Can be 1-way or 2-way trust No AD replication across forests

Support for IPv6 over IPv4 is called what?

Tunneling

ICMP Header Fields

Type Code Checksum

Communication Flow

Understanding Who accesses data ? When (at what times) data is accessed ? How much data is accessed ? Will lead to the development of a baseline - knowing normal allows abormal to stand out. Never a 'one and done'. Continual updating is necessary.

IPSec Port

UDP 500 to negotiate sessions UDP 4500 for IPSec NAT-Traversal

Kerboros port

UDP 88, usually TCP 88, when tickets get large TCP/UDP 464 - domain controller change password Kerboros admin port (TCP 749) and kerboros demultiplexor (TCP 2053) are not used.

Linux logs of interest

UTMP WTMP BTMP DMESG MESSAGES MAILOG SECURE

Stream Cipher

Use a keystream generator and encrypt a message one bit at a time, usually implemented in hardware

digital signature characteristics

Use public key cryptography to sign document Signatures are non-repudiable They sign by encrypting a hash with a private key

Storing Sensitive Data

Use strong encryption Delete it when no longer needed

IPv6 fields (8)

Version Traffic class Flow label Payload length Next header Hop limit Source address Destination address

VLAN Hopping

Virtual Local Area Network is a way for switches to segment a network into different areas for security purposes. A VLAN hopping attack fools the VLAN into allowing packets into a prohibited VLAN segment.

VLAN

Virtual local area networks (VLANs) are creating by use of special routing or virtual switches that tag network packets with VLAN ID numbers, which are then used to divide a network space into individual and separate LAN segments. This is a useful security measure to separate parts of the network and for easier management

VPC

Virtual private cloud A virtual cloud inside a cloud

VDI

Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system.

WPA3 Attacks

WPA3 already has known vulnerabilities Downgrade attacks Password cracking DoS

WAF

Web Application Firewall

multi-master replication

When a domain has multiple domain controllers, all domain controllers are capable of making changes to the security domain database they share. The changes are replicated from one domain controller to another. Latter changes override earlier ones.

Isolation Violation

When one is able to execute code from the virtual machine that ends up being executed on the host's hardware...the VM's isolation has been violated

WINS

Windows Internet Naming Service. Matches the NetBIOS name of a particular computer to an IP address on the network; this process is also called resolving or translating a NetBIOS name to an IP address. TCP/UDP 1512 WINS replication TCP 42

UAC (User Account Control)

Windows feature that enables standard accounts to do common tasks and provides a permissions dialog box when standard and administrator accounts do certain things that could potentially harm the computer (such as attempt to install a program).

WSL

Windows subsystem for Linux, run Linux executables and scripts on windows without a virtual machine

WEP

Wired Equivalency Privacy RC4 cipher - easily cracked Officially deprecated from use in 2004 - do not use!!

IEEE 802.11

Wireless Ethernet standard Created in 1997, ratified in 1999 Over a dozen amendments since then Amendments eventually incorporated into full standard

WLAN

Wireless Local Area Network

WPA

Wireless Protected Access Created by Wi-Fi alliance Replaced WEP

802.11n

Wireless networking standard that can operate in both the 2.4-GHz and 5-GHz bands and uses multiple in/multiple out (MIMO) to achieve a theoretical maximum throughput of 100+ Mbps. Wi-Fi 4

802.11b

Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 11 Mbps.

802.11g

Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 54 Mbps and is backward compatible with 802.11b.

802.11ac

Wireless networking standard that operates in the 5-GHz band and uses multiple in/multiple out (MIMO) and multi-user MIMO (MU-MIMO) to achieve a theoretical maximum throughput of 1 Gbps. Wi-Fi 5

802.11a

Wireless networking standard that operates in the 5-GHz band with a theoretical maximum throughput of 54 Mbps.

security template

a collection of configuration settings stored as a text file with an .inf extension?

Birthday Attack

a probability method of finding a collision in a hash function In a group of 23 people, there's a 50% chance that 2 or more people share a birthday

IIS (Internet Information Services)

a set of Internet-based services for servers created by Microsoft for use with Microsoft Windows. It is the world's second most popular web server in terms of overall websites behind the industry leader Apache HTTP Server. The servers currently include FTP, SMTP, NNTP, and HTTP/HTTPS.

Security strategy

a set of guidelines and policies that allow an organisation to ensure the data in the organisation is not open to unauthorised use - policy (directive from management toward a specified objective) - standards (specific mandatory controls) - guidelines (best practices) - procedures (step-by-step instructions)

Role based access control (RBAC)

a type of discretionary or mandatory access control that assigns users to roles or groups based on organizational functions, each group has authorization to to access certain resources

Cross-Site Scripting (XSS)

a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website

Issue specific policy

address specific issues of concern to the organization- passwords, internet usage, etc...

PKI certificate

an electronic document that officially links together a user's identity with his public key Equivalent to drivers license or passport

chmod

change permission modifiers on Linux

OS Command Injection

executes system level commands through a vulnerable application Ex. An app that creates a mailbox using 'mkdir' <user input> The user input 'rm -f /' would delete the entire file system

Defense in Depth

employing multiple layers of controls to avoid a single point-of-failure

Vulnerability criticality , NVD calculator

includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vuln.s can be remediated, as well as means to score vuln.s NVD is the National Vulnerability Database

IEEE 802

is an influential set of networking standards and/or specifications. It encompasses most types of networking (MAN, LAN, WLAN) and is open-ended which allows the addition of new types of networks. A project undertaken by the IEEE in 1980 that covers Physical and Data Link layers for networking technologies in general (802.1 and 802.2), plus specific networking technologies, such as Ethernet (802.3) and wireless (802.11)

docker

is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud. The software is in containers, to be isolated.

Business Continuity Planning (BCP) and disaster recovery (DR) planning (BCP/DR)

outlines procedures for keeping an organization operational in the event of a natural disaster or network attack, or cloud outages, may include establishing a redundant data center and testing the continuity plan.

intractable problems

problems that is practically impossible to solve — i.e., there are known algorithmic solutions, but the algorithms are too inefficient to solve the problem when the number of inputs grows large

Bluetooth profiles

profiles that govern how devices share information and specify control messages for various uses

modprobe

program to add and remove modules from the Linux Kernel

Security Governance

the collection of practices related to supporting, defining, and directing the security efforts of an organization. - executive committee (defines roadmap, budget, ambitions, deliverables) - security steering committee (steers the program, manages budget, validates tactical deliverables) - Chief Information Security Officer (CISO) (Leads, coordinates, monitors, security roadmap) - local security officers (coordinate local security projects and operations)

Support for IPv4 over IPv6 is called what?

translation

Cryptology

the science of interpreting secret writings, codes, ciphers, and the like - includes sub components of cryptography and cryptanalysis

Bluetooth attacks

wireless attack using available Bluetooth connections on bluetooth enabled devices (bluejacking, bluesnarfing, bluebugging)


Ensembles d'études connexes

NCLEX-PN Delegating/Prioritizing

View Set

Chapter 32: Assessing Older Adults (A & J)

View Set

HTML Quiz Answers-Web Development II

View Set

AP Statistics: Chapter 11 Practice Questions (Multiple Choice)

View Set

ncti 4 to 5 checkpoint questions

View Set

Psychology Ch's 13-16 Final Exam S2

View Set

Philosophy 101~ Premise & Conclusion indicators

View Set

[OB] PrepU: Genetic Assessment & Counseling: Chapter 7

View Set