Cybersecurity/Hacking general


Most worms have the extension

.exe

5-Step Risk Management Process

1) Risk Identification 2) Risk Assessment 3) Identify solutions (Response planning) 4) Implement solutions 5) Monitor Results

Steps of a software security test

1. Architecture Study & Analysis: understand whether the software is compliant with the requirements.
2. Classify Threats: list all potential threats and risk factors that need to be tested.
3. Test Planning: based on the identified threats, vulnerabilities and security risks, plan the tests that are to be run.
4. Testing Tool Identification: the developer identifies the relevant software security testing tools for the web application.
5. Test Case Execution: after performing a security test, the developer should fix the findings, either manually or using a suitable open-source tool.
6. Reports: prepare a detailed report of the performed security tests, containing a list of the vulnerabilities, threats, the issues resolved, and the ones that are still pending.

Protocol analyzer

A hardware or software tool used to capture network traffic and analyse the individual application data, segments, packets, frames, etc. (e.g. Wireshark)

Backdoor

A method of bypassing normal authentication or encryption in a system. Most often used for securing remote access to a system or accessing plaintext in cryptographic systems.

Principle of Least Privilege

A security discipline that requires that a module (a particular user, system, or application) be given no more privilege than necessary to perform its function or job.

end-to-end encryption

A type of encryption where a message remains encrypted from its source to its final destination, such that only the device to which it is sent can decrypt it. Prevents eavesdropping by ISPs, hackers, etc.

User access authentication testing

Access to any part of secure software usually requires a level of user access/authentication (usually password authentication). This test checks for vulnerabilities that permit password cracking and involves:
- checking password complexity
- checking for unencrypted cookies, including passwords

Active recon vs Passive recon

Active recon tools interact directly with the systems in order to gather system level information while passive recon tools rely on publicly available information.

Active scanning vs Passive scanning

Active scanners send transmissions to the network's nodes, examining the responses they receive to evaluate whether a specific node represents a weak point within the network. Active scanners may simulate attacks. Passive scanners merely monitor network traffic.

Bug

An error in a program's code, often exploited by hackers

threat

Any circumstance or event with the potential to adversely impact an organization by exploiting a vulnerability. Examples include malware, cyberattacks, natural disasters, breaches, accidents.

How are Christmas Tree packets used for reconnaissance?

As a method of TCP/IP stack fingerprinting, by sending the packets and analyzing the responses; they allow inferences to be made about a target's OS

Why is it a good security practice to not run an application on the default port?

Attackers who are less discriminate about who they target will often scan for just the default port of an exploitable application. This is much faster than scanning every port, though the service will be missed when running on a non-default port.

Fuzzing

Automated software testing that involves providing invalid, unexpected or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

Best defense against ransomware

Backups

bitsquatting

Bitsquatting is a form of cybersquatting which relies on bit-flip errors that occur during the process of making a DNS request. These bit-flips may occur due to factors such as faulty hardware or cosmic rays. When such an error occurs, the user requesting the domain may be directed to a website registered under a domain name similar to a legitimate domain, except with one bit flipped in their respective binary representations.

3 methods of software testing

- Black-box testing
- White-box testing
- Gray-box testing

XSS Testing

Cross-Site Scripting is a software vulnerability found in web-based applications. XSS Testing involves:
- black box script testing
- identifying vulnerable software points
- checking code and script input fields

Risk management information system (RMIS)

Database software used to aggregate risk data and help decision makers evaluate business risks

2 main uses for Christmas tree packets

DoS, Reconnaissance

Major categories of cyber attacks (note that many of these overlap)

- DoS/DDoS attacks (SYN flood, fork bombs, HTTP flood, ping flood, ping of death)
- Man in the Middle (MITM) attacks (ARP spoofing, DNS spoofing, session hijacking)
- Malware attacks (viruses, worms, ransomware, RATs, keyloggers, rootkits)
- Password attacks (dictionary attack, rainbow table attack, credential stuffing, brute force)
- Social engineering attacks (phishing, vishing, pretexting, spear phishing, shoulder surfing, tailgating/piggybacking, scareware)
- Web attacks (SQL injection, Cross-Site Scripting (XSS), drive-by download)
- Cryptographic attacks (Wiener's attack, birthday attack, Van Eck phreaking)
- WiFi attacks (MITM/packet sniffing, rogue access points, deauthentication, jamming, war driving)
- Bluetooth attacks (bluesnarfing, bluejacking, location tracking, bluebugging)
- Hardware hacking

Security measure that should be taken when using company-owned devices

Enable remote wipe

TCP/OS Fingerprinting tools

- Ettercap - passive TCP/IP stack fingerprinting.
- Nmap - comprehensive active stack fingerprinting.
- p0f - comprehensive passive TCP/IP stack fingerprinting.
- NetSleuth - free passive fingerprinting and analysis tool.
- PacketFence - open source NAC with passive DHCP fingerprinting.
- Satori - passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
- SinFP - single-port active/passive fingerprinting.
- XProbe2 - active TCP/IP stack fingerprinting.
- queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems.
- Masscan - fast scanner that transmits 10 million packets per second.

Vulnerability

Exposure to a threat; weaknesses or gaps in a system that can be exploited by threats. Examples include unpatched software (vulnerable to cyber threats), users with administrative privileges (vulnerable to insider threats/malware), poor infrastructure design (vulnerable to natural disasters).

Which 2 fields of an IPv4 header and TCP segment header can be used to successfully identify an operating system (which eases the task of manual OS fingerprinting)?

IPv4 header: TTL field
TCP segment header: Window size field

2. Risk Assessment

Identifying the likelihood and consequences/tolerance of the threats found in Risk Identification. Results include a table of risks sorted in order of priority (likelihood and destruction).

4. Implement solutions

Implementing the strategies decided on in step 3

Black-box testing

In black-box testing, a person who is not familiar with the software code or how the program is expected to perform is asked to test and report on any inconsistencies and errors. Black-box testing is from the point of view of the novice user.

Grey-box testing

In gray-box testing, a person with knowledge of the technical expectations and programming code is asked to test the program and report on the problem areas. Gray-box testing is from the point of view of the expert user.

White-box testing

In white-box testing, a technical expert examines the code in detail, and uses software testing tools to identify code that can be corrected or edited to improve the user interactions and the program outcomes. White-box testing is from the point of view of the technical expert.

SPECIFICS OF TCP/IP FINGERPRINTING: Certain parameters within the TCP protocol definition are left up to the implementation: different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP. The TCP/IP fields (fields of packet headers, segment headers) that may vary include the following:

- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Max segment size (16 bits)
- Window scaling value (8 bits)
- "don't fragment" flag (1 bit)
- "sackOK" flag (1 bit)
- "nop" flag (1 bit)

ISC

Internet Storm Center. The Internet Storm Center is a program of the SANS Technology Institute, a branch of the SANS Institute which monitors the level of malicious activity on the Internet, particularly with regard to large-scale infrastructure events.

A vulnerability assessment does 3 things:

- It evaluates whether the system is susceptible to any known vulnerabilities
- It assigns severity levels to those vulnerabilities
- It recommends remediation or mitigation, if and whenever needed

5. Monitor

Often involves using an RMIS to monitor changes in risk factors

OSINT

Open Source Intelligence. An intelligence-gathering method used to collect and analyze publicly available information and data for investigative purposes. OSINT data sources encompass pretty much anything you can find on the internet, from an IP address to public governmental records.

3. Identify solutions (response planning)

Plans that are put in place to minimize the probability that a risk will occur, or its impact if it does occur. Avoid, Transfer, Mitigate, or Accept are commonly used strategies.

The results of risk assessment may be expressed in one of two fashions

- Quantitative (the amount of risks/consequences)
- Qualitative (the types and individual impacts of risks/consequences)

How are services/open ports exploited?

Realizing that every open port is an opportunity for compromise, attackers regularly scan targets, taking an inventory of all open ports. They compare this list of listening services with their list of favorite exploits for vulnerable software.

What are some good security practices a sysadmin should take, when it comes to ports?

- Regularly scan ports with a port scanner like nmap
- Shut down any services that aren't being used on open ports
- Ensure services running on open ports are fully patched
- Add firewall rules where possible, limiting access to legitimate users
- Apply hardening (instructions are available on the web for most popular applications)

What information does "risk data" entail?

- Risk exposure
- Protection measures
- Risk management

Data Loss Prevention (DLP)

Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.

SANS

SysAdmin, Audit, Network, and Security. The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing.

TCP/IP stack, OS fingerprinting prevention

TBA

Risk

The potential for damage as a result of a threat exploiting a vulnerability.

OS Fingerprinting

The practice of identifying the operating system of a networked device by using passive or active techniques. Often deduced from a combination of parameters discovered during TCP/IP stack fingerprinting.

Information Security (infosec)

The practice of protecting information by mitigating information risks. It is part of information risk management.

Attribution

The process of establishing who is behind a hack. Often the most difficult part of responding to a major breach.

1. Risk identification

The process of identifying and assessing threats to an organization, its operations, and its workforce that could disrupt business operations.

Information risk management

The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right countermeasures to maintain that level of risk.

Unencrypted cookies

There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the Secure attribute and the HttpOnly attribute. Example:
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
Unencrypted cookies lack these attributes.

Software Vulnerability Scanning

These are automated security tests used to identify known software security weaknesses, including:
- Scanning for open ports
- Network enumeration tests
- Injecting malware

- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Max segment size (16 bits)
- Window scaling value (8 bits)
- "don't fragment" flag (1 bit)
- "sackOK" flag (1 bit)
- "nop" flag (1 bit)
These values may be combined in order to form...

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine. REF: http://nsscat.weebly.com/uploads/2/4/6/3/24630188/security_warrior.pdf (see page 229)

Why are RMIS used?

This software simplifies and controls the cost of risk management. It provides real-time access to risk data, and makes it easier to meet compliance requirements electronically.

In many cases, an exploited application is not even used by a targeted organization. Why might this be the case?

Usually, the application was enabled by default when the machine was set up

Areas that a hacker may target

- Web applications
- Web servers
- Internal systems
- Wireless networks
- Users (social engineering)

Types of software security testing

- XSS Testing
- SQL Injection Testing
- User Access Authentication Testing
- Vulnerability Scanning
- Penetration Testing
- Static Code Analysis/Testing
- Compliance Testing

evil maid attack

A hack that requires physical access to a system.

Static Code Analysis/Testing

A method of debugging by examining source code before a program is run. It's done by analyzing a set of code against a set (or multiple sets) of coding rules.
*Actually performed before software testing begins
*For organizations practicing DevOps, static code analysis takes place during the "Create" phase

Network enumeration

A process that involves gathering information about a network, such as the hosts and connected devices, along with usernames, group information and related data.

Carding

A term describing the trafficking and unauthorized use of credit cards. The stolen credit cards or credit card numbers are then used to buy prepaid gift cards to cover up the tracks.

Software security testing

A type of software testing that uncovers vulnerabilities, threats and risks in a software application and prevents malicious attacks from intruders.

Same-Origin Policy

A web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.
*It is very important to remember that the same-origin policy applies only to scripts and DOES NOT apply to HTML tags

exploit

An attack that takes advantage of a bug or vulnerability.

Carding website/forum

An illegal site used to share stolen credit card data and discuss techniques for obtaining credit card data.

Most remote network compromises come from...

exploiting a server application listening on a TCP or UDP port

Why is OS fingerprinting useful for hackers?

Knowing the OS makes it easier to find and execute an exploit against that service, because an exploit is often OS-version specific. REF: https://nmap.org/misc/defeat-nmap-osdetect.html

Cracker

Malicious hacker

Potential threats commonly identified in Risk Identification

Malware, cyberattacks, breaches, accidents, natural disasters, lawsuits, and other potentially harmful events that could disrupt business operations.

Threat Agent (actor)

A party that is responsible for, or attempts to bring about, harm to an organization. May be a person, group or thing.

cybersquatting (domain squatting)

Registering, selling or using a domain name with the intent of profiting from the goodwill of someone else's trademark. It generally refers to the practice of buying up domain names that use the names of existing businesses with the intent to sell the names for a profit to those businesses.

Software security helps (3)

- Save time and money spent on system restore procedures
- Prevent the loss of customer data and customer trust
- Prevent operational disruptions and revenue loss

Vulnerability Assessment

A systematic review of security weaknesses in an information system.

chip-off

A technique based on extracting a memory chip from a mobile device and reading the data from it.

TCP/IP stack fingerprinting

The passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's OS and other software/hardware details.

Why is software security important?

To help the software withstand attacks over time so that it is not destabilized.

Software Security Compliance Testing

Verifies that a software product complies with a particular standard or recommendation. Addresses required compliance assessments for federal standards, industry standards, regulations, and best practices, including the following:
- Security Assessment and Authorization
- FDA/Medical Device testing standards
- Accessibility, Section 508
- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- FedRAMP (commercial hosting services that meet federal requirements for cloud-based security)
- FISMA
- NIST 800-171
- Cybersecurity Maturity Model Certification (CMMC)
- Homeland Security Presidential Directive 12 (HSPD-12)
- ITIL v3 Service Management
- CMMI Development and Service
